JP2005099980A - Service provision method, service provision program, host device, and service provision device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize cancellation of a first identification state by an appropriate trigger, make it unnecessary to repeat identification of sign on and make it unnecessary to define a term of validity of the first identification state. <P>SOLUTION: A service provision system is characterized in that it performs procedures including; a procedure in which a host device 12 establishes connection with a user terminal 11 and registers connection information to a user information storage 13; a procedure in which a host device 12 identifies the user terminal 11 or a user from the connection information in corporation with the user information storage 13; a procedure in which a service provision device 14 decides a service provision method or propriety of service provision based on the identification of the user or the user terminal 11; and a procedure in which the host device 12 detects disconnection when connection between the user terminal 11 and the host system 12 is lost and notifies that identification of the user ID becomes invalid to the user information storage 13. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a service providing method, a service providing program, a service use program, a host device, and a service providing device.

  In recent years, with the spread of the Internet, a method of providing services such as video distribution online via the Internet has been actively performed. For example, when providing a service to a specific partner, it is necessary to specify the user terminal used when receiving the service. Therefore, the service providing apparatus uses a method in which a user terminal permitted to provide a service is registered in advance in the service providing apparatus, and the service is provided only for access from the registered user terminal.

  Therefore, it is necessary for the service providing apparatus to determine whether or not to provide the service based on information registered in advance for the user terminal that has accessed. Conventionally, a method has been adopted in which a service providing apparatus verifies a set of user ID and password typed in from a user terminal, but when performing multiple authentications on the same user terminal, The time required for authentication also increases, and as a result, the processing efficiency of the service providing apparatus decreases.

Therefore, a technique for utilizing the result of the first authentication authenticated between the predetermined user terminal and the first service providing apparatus for authentication between the predetermined user terminal and the second service providing apparatus, It has been proposed (see, for example, Patent Document 1). The generic name of these technologies is called single sign-on, and the result of the first authentication can be applied to the second and subsequent authentications, so the time and effort of the second and subsequent authentications can be reduced compared to the first authentication. The effect is obtained.
JP 2002-335239 A (paragraph [0023])

  However, in the conventional single sign-on method, it is not possible to define a trigger for clearly invalidating the first authentication state once authenticated. For this reason, the length of time for which the first authentication state is considered valid is determined in advance, the expiration date of the first authentication state is set based on this length, and when the expiration date of the first authentication state expires, 2 Measures were taken that the second authentication failed. Specifically, in Patent Document 1, an authentication server holds the expiration date of the first authentication, and a method of determining whether or not the second authentication is possible based on the information is used. Also, in general authentication in WWW, there is a method of embedding the validity period of the first authentication in the cookie generated by the first authentication and determining whether or not the second authentication is possible based on the information. It has been. Therefore, in order to make the second authentication successful for a long time, it is necessary to repeat the first authentication in order to extend the validity period of the first authentication. For this reason, a user's effort will increase.

  Therefore, in the present invention, it is possible to invalidate the first authentication state at an appropriate timing, making it unnecessary to set the valid time of the first authentication state and making it unnecessary to repeatedly perform sign-on authentication. The purpose is to do.

First, a service providing method according to claim 1 is a user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure in which the host device establishes a connection with the user terminal and registers information related to the connection between the user terminal and the host device in the user information storage device;
A procedure in which the host device identifies the user terminal or the user from information related to the connection between the user terminal and the host device in cooperation with the user information storage device;
A procedure in which the service providing apparatus determines a service providing method or service providing availability based on the identification of the user or the user terminal; and
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid It is characterized by performing.

Next, a service providing method according to claim 2 is a user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
The connection information (S) set by establishment of communication between the host device and the terminal device from the user terminal, or user verification information (information generated based on the connection information (S)). Receiving a service request including T);
A procedure in which the host device refers to storage information in the user information storage device and identifies a user ID of the transmission source of the service request from the connection information (S) or the user verification information (T);
A procedure in which the host device transmits a service request including the identified user ID;
A procedure in which the service providing apparatus determines whether to provide a service or a service providing method based on a user ID included in the service request;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid It is characterized by performing.

The service providing method according to claim 3 is the service providing method according to claim 2, wherein the user verification information (T) includes data included in the service request and the connection information by a signature generation function. A first signature generated at the user terminal with (S) as an argument;
The service request transmitted from the user terminal includes the user ID;
The host device acquires connection information (S) corresponding to a user ID included in the service request from the user information storage device, and uses the connection information (S) and data included in the received service request as an argument. The user verification information (V) is generated by the signature generation function, and the generated user verification information (V) is compared with the user verification information (T) as the first signature. Regard the user ID included in the service request as the user ID of the sender of the service request;
It is characterized by.

Further, the service providing method according to claim 4 is the service providing method according to claim 2 or claim 3, wherein the procedure for specifying the user ID stores a condition for executing the specification of the user ID. Is acquired from the above, the acquired conditions are compared with the conditions set in the service request, and executed when they match,
It is characterized by.

Further, the service providing method according to claim 5 is the service providing method according to any one of claims 2 to 4, wherein the procedure for specifying the user ID is:
This is executed when the user terminal receives information characterizing the service request to be transmitted before transmitting the service request, compares the service request received thereafter with the information characterizing the received service request, and matches. ,
It is characterized by.

A service providing method according to claim 6 is the service providing method according to any one of claims 2 to 5, wherein the host device transfers the service request to the service providing device. In the procedure,
The host device generates a second signature by the host device and includes it in the service request;
The service providing apparatus that has received the service request verifies the second signature, and verifies the validity of the service provision request based on a verification result;
It is characterized by.

The service providing method according to claim 7 is the service providing method according to claim 6, wherein the host device assigns the second signature to a secret key of the host device or an operator of the host device. Generated by
The service providing apparatus verifies the second signature using a public key of the host apparatus;
It is characterized by.

The service providing method according to claim 8 is the service providing method according to claim 6, wherein the host device identifies an authentication device that authenticates the user terminal and a user and transfers a service request. A request transfer device,
Between the user terminal and the service request transfer device, provided with a connection device for connection control to enable communication with the user terminal,
Monitoring the state of connection between the host device and the user terminal, and blocking communication between the user terminal that has not established a connection and the service request transfer device;
When the host device authenticates the user terminal and establishes a connection with the user terminal, the user terminal and the service request transfer device are configured to enable communication between the user terminal and the service request transfer device. Controlling the connection device connected between
It is characterized by.

Furthermore, the service providing method according to claim 9 is a user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
User verification which is the connection information (S) set by communication establishment between the host device and the user terminal, or information generated based on the connection information (S), transmitted by the user terminal. A procedure for receiving an ID notification request including information (T) and an address of the service providing device;
A procedure in which the host device refers to stored information in the user information storage device and identifies a user ID of a transmission source of the ID notification request;
A procedure in which the host device transmits an ID notification including the identified user ID to an address of a service providing device indicated by the ID notification request;
The service providing apparatus receives the ID notification and determines whether to provide a service or a service providing method based on a user ID included in the ID notification;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid It is characterized by performing.

The service providing method according to claim 10 is the service providing method according to claim 9, wherein the user verification information (T) includes data included in the service request and the connection information by a signature generation function. (S) is the first signature generated at the user terminal as an argument, the ID notification request transmitted from the user terminal includes the user ID,
The host device acquires connection information (S) corresponding to the user ID included in the ID notification request from the user information storage device, and includes the connection information (S) and data included in the received ID notification request. When the user verification information (V) is generated by a signature generation function using as an argument, and the generated user verification information (V) is compared with the user verification information (T) as the first signature and they match. The user ID included in the ID notification request is regarded as the user ID of the sender of the service request,
It is characterized by.

The service providing method according to claim 11 is the service providing method according to claim 9, wherein the user terminal encrypts information related to a service request by a method that can be decrypted by the service providing device. , Included in the ID notification request,
The host device includes information on the service request included in the received ID notification request in the ID notification,
The service providing apparatus that has received the ID notification decrypts information related to the service request included in the ID notification request;
It is characterized by.

The service providing method according to claim 12 is the service providing method according to claim 9, wherein the user terminal can perform signature verification by the service providing apparatus on data included in the ID notification request. A third signature is generated and included in the ID notification request,
The host device includes the third signature included in the received ID notification request in the ID notification,
The service providing apparatus that has received the ID notification verifies whether the third signature is correct, and verifies the validity of the ID notification based on the verification result;
It is characterized by.

Furthermore, the service providing method according to claim 13 is the service providing method according to claim 11, wherein the user terminal transmits the service request before the procedure of receiving the ID notification request, A user terminal and the service providing device generate and share a key (K);
The service providing apparatus stores the key (K) in a storage unit,
In the procedure of transmitting the ID notification request, the user terminal encrypts information related to the service request using the key (K),
The service providing apparatus decrypts information related to the service request using the stored key (K);
It is characterized by.

Further, the service providing method according to claim 14 is the service providing method according to claim 12, wherein the user terminal transmits the service request before the procedure of receiving the ID notification request, The user terminal and the service providing device generate and share the key (K);
The service providing apparatus stores the key (K) in a storage unit,
The user terminal generates the third signature using the key (K) in the procedure of transmitting the ID notification request,
The service providing apparatus verifies the third signature using the stored key (K);
It is characterized by.

The service providing method according to claim 15 is the service providing method according to claim 9, wherein in the procedure of notifying the ID, the host device generates a second signature by the host device, Included in the ID notification,
The service providing apparatus that has received the ID notification verifies the second signature, and verifies the validity of the ID notification based on the verification result;
It is characterized by.

The service providing method according to claim 16 is the service providing method according to claim 15, wherein the host device transmits the second signature to a secret of an operator with the host device or the host layer. Generated by the key,
The service providing apparatus verifies the second signature using a public key of the host apparatus;
It is characterized by.

Furthermore, the service providing method according to claim 17 is the service providing method according to claim 9, wherein the host device includes an authentication device that authenticates the user terminal and an ID notification device that performs ID notification processing. Configured,
Communication with the ID notification device with a user terminal that has not established a connection with the host device is blocked,
When the host device authenticates the user terminal device and establishes a connection with the user terminal device, the host device controls the transfer device so that communication between the user terminal and the ID notification is possible.
It is characterized by.

A service providing method according to claim 18 is a user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure in which the host device establishes a connection with the user terminal and registers information related to the connection between the user terminal and the host device in the user information storage device;
A procedure in which the service providing device identifies the user terminal or the user from information related to the connection between the user terminal and the host device in cooperation with the user information storage device;
A procedure in which the service providing apparatus determines a service providing method or service providing availability based on the identification of the user or the user terminal; and
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid It is characterized by performing.

The service providing method according to claim 19 is a user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
User verification information, which is information generated based on the connection information (S) or the connection information (S), which is set by the service providing apparatus by establishing communication between the host terminal and the user terminal from the user terminal Receiving a service request including (T);
The service providing device refers to the stored information in the user information storage device, and specifies the user ID of the transmission source of the service request from the connection information (S) or the user verification information (T);
A procedure in which the service providing apparatus determines whether to provide a service or a service providing method based on the identified user ID;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid It is characterized by performing.

The service providing method according to claim 20 is the service providing method according to claim 19, wherein the user verification information (T) includes data included in the service request and the connection information by a signature generation function. (S) as an argument is a first signature generated at the user terminal, the service request transmitted from the user terminal includes the user ID, A signature generation function that acquires connection information (S) corresponding to a user ID included in the service request from the user information storage device, and uses the connection information (S) and data included in the received service request as arguments. The user verification information (V) is generated by comparing the generated user verification information (V) with the user verification information (T) as the first signature. The user ID included in the service request be regarded as user ID of the sender of the service request if that,
It is characterized by.

Furthermore, the service providing method according to claim 21 is the service providing method according to claim 19, wherein the service providing device refers to the stored information in the user information storage device and identifies a user ID. The user information storage device generates a second signature by the user information storage device and includes it in a message for notifying the user ID or connection information (S), and the user ID or connection information. The service providing apparatus that has received the message for notifying (S) verifies the second signature, and verifies the validity of the service provision request based on the verification result.

A service providing method according to claim 22 is the service providing method according to claim 21, wherein the user information storage device receives the second signature from the user information storage device or the user information storage device. The service providing device verifies the second signature using the public key of the user information storage device.

The service providing method according to claim 23 is a user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
User verification information, which is information generated based on the connection information (S) or the connection information (S), which is set by the service providing apparatus by establishing communication between the host terminal and the user terminal from the user terminal A procedure of receiving an ID notification request including (T);
The service providing device refers to the stored information in the user information storage device, and specifies the user ID of the transmission source of the ID notification request from the connection information (S) or the user verification information (T);
A procedure in which the service providing apparatus determines whether to provide a service or a service providing method based on the identified user ID;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid It is characterized by performing.

Further, the service providing method according to claim 24 is the service providing method according to claim 23, wherein the user verification information (T) includes the data included in the ID notification request and the connection by a signature generation function. The first signature generated by the user terminal with the information (S) as an argument; the ID notification request transmitted from the user terminal includes the user ID; and the service providing apparatus Obtains connection information (S) corresponding to the user ID included in the ID notification request from the user information storage device, and uses the connection information (S) and data included in the received ID notification request as arguments. The user verification information (V) is generated by the signature generation function, and the generated user verification information (V) is compared with the user verification information (T) as the first signature. The user ID included in the ID notification request be regarded as user ID of the sender of the service request if that,
It is characterized by.

Furthermore, the service providing method according to claim 25 is the service providing method according to claim 23, wherein the service providing device refers to the stored information in the user information storage device and identifies a user ID. The user information storage device generates a second signature by the user information storage device and includes it in a message for notifying the user ID or connection information (S), and the user ID or connection information. The service providing apparatus that has received the message for notifying (S) verifies the second signature, and verifies the validity of the service providing apparatus based on the verification result.

A service providing method according to claim 26 is the service providing method according to claim 25, wherein the user information storage device receives the second signature from the user information storage device or the user information storage device. The service providing device verifies the second signature using the public key of the user information storage device.

A service utilization program according to claim 27 is a service utilization program used in the service provision method according to any one of claims 1 to 26, wherein the service provision program is a user terminal. Session holding means for holding a connection between the user terminal and the host device established as a result of authentication,
A service utilization means for transmitting a service request;
Authentication client means for authenticating with the host device,
It is made to function as.

A service use program according to claim 28 is a service use program used in the service providing method according to any one of claims 1 to 26,
It functions as a means for transmitting an ID notification request to the host device.

Furthermore, the service utilization program of Claim 29 is a service provision program used for the service provision method of any one of Claim 1 thru | or 26, Comprising: The said service provision program is the said host. A user ID specifying means for specifying a user ID from information related to connection with a user terminal;
Session registration means for registering in the user information storage device information characterizing the connection between the user terminal and the host device established as a result of authentication;
An authentication means for authenticating the user terminal;
Session holding means for holding a connection with the user terminal;
It is made to function as.

  A service providing program according to claim 30 is a service providing program used in the service providing method according to any one of claims 18 to 26, wherein the service providing program is the host. Session registration means for registering information that characterizes the connection between the user terminal and the host apparatus established as a result of authentication in the user information storage device, authentication means for authenticating the user terminal, and connection between the user terminal It is characterized by functioning as a session holding means for holding.

A service providing program according to claim 31 is a service providing program used in the service providing method according to any one of claims 1 to 26, wherein the service providing program is the service providing program. Service providing means for providing a service based on a user ID included in the service request;
Service providing method determining means for determining a service providing method based on a user ID included in the service request;
It is made to function as.

  A service providing program according to claim 32 is a service providing program used in the service providing method according to any one of claims 18 to 26, wherein the service providing program is the service providing program. User ID specifying means for specifying a user ID from information related to connection with a user terminal, service providing means for providing a service based on a user ID included in the service request, and a user ID included in the service request It is made to function as a service provision method determination means for determining a service provision method based on the above.

The host device according to claim 33 is a host device used in the service providing method according to any one of claims 1 to 26, wherein the host device is information based on session information. A user ID specifying means for specifying the user ID from:
Session registration means for registering in the user information storage device information characterizing the connection between the user terminal and the host device established as a result of authentication;
An authentication means for authenticating the user terminal;
Session holding means for holding a connection with the user terminal;
It is characterized by having.

  A host device according to claim 34 is a host device used in the service providing method according to any one of claims 18 to 26, and the host device is established as a result of authentication. Session registration means for registering information characterizing the connection between the user terminal and the host device in the user information storage device, authentication means for authenticating the user terminal, and session holding means for holding the connection with the user terminal, It is characterized by having.

  A host device according to claim 35 is a host device used in the service providing method according to any one of claims 2 to 7, wherein the host device is a relay device other than the destination terminal. A function of transferring a message to a device is provided.

  A host device according to claim 36 is a host device used in the service providing method according to any one of claims 9 to 16, wherein the host device is a relay other than a destination terminal. A function of transferring a message to a device is provided.

  Furthermore, the host device according to claim 37 is a host device used in the service providing method according to any one of claims 9 to 16, wherein the host device has an instant message transfer function. It is characterized by providing.

A service providing apparatus according to claim 38 is a service providing apparatus used in the service providing method according to any one of claims 1 to 26, wherein the service providing apparatus is a service request. Service providing means for providing a service based on the user ID included in
Service providing method determining means for determining a service providing method based on a user ID included in the service request;
It is characterized by having.

  The service providing apparatus according to claim 39 is a service providing apparatus used in the service providing method according to any one of claims 18 to 26, wherein the service providing apparatus is a user terminal. User ID specifying means for specifying a user ID from information related to connection, service providing means for providing a service based on the user ID included in the service request, and providing a service based on the user ID included in the service request Service providing method determining means for determining a method.

  According to the inventions of claims 1 to 39, the connection is established and maintained between the user terminal and the host device, and the authentication state in the first authentication is only while the connection is established. It becomes effective. That is, when the connection is disconnected, the first authentication state can be invalidated. This eliminates the need to determine the valid time of the first authentication state in advance. This eliminates the need for repeated sign-on authentication.

  Further, according to the inventions according to claims 3, 10, 20, and 24, the connection information is transferred on the communication path except when the connection information is notified when the user terminal is connected. Therefore, it is possible to prevent a third party from intercepting the connection information and impersonating a user corresponding to the connection information.

  Further, according to the inventions of claims 4 and 5, the user ID is not specified for all messages, but only for a service that requires a guaranteed calling user ID. Thus, it is possible to reduce the load on the host device.

  According to the invention described in claim 6, claim 7, claim 15, or claim 16, the service providing apparatus verifies the signature, so that the sender address of the message is which apparatus (or which contractor). ) Or whether it has been altered by an intermediate transfer device.

  Further, according to the inventions of claims 8 and 17, a user terminal that is not authenticated cannot connect to the service request transfer device or the ID notification device, and the service from the unauthorized user A security attack on the request transfer device or the ID notification device can be avoided.

  According to the invention of claim 11, when the ID notification message is transferred from the host device to the service providing device via a plurality of SIP servers, the ID notification message is intercepted and altered on the transfer path of the message. Can be prevented.

  According to the twelfth aspect of the present invention, even if an unauthorized act of rewriting the sender address of the ID notification request message and transferring the ID notification request message is performed, the service providing apparatus can detect the unauthorized act.

  Furthermore, according to the invention of Claim 13 and Claim 14, the communication path for message relay from a user terminal to a service provision apparatus can be protected safely.

  According to the inventions of claims 21, 22, 25, and 26, by verifying the signature of the user information storage device for the message for notifying the user ID or connection information It is possible to confirm which device (or which contractor) has verified the user ID or the connection information in the service request, and whether the device has been tampered with in the route.

  Furthermore, according to the invention described in claims 35 and 36, a plurality of host devices can be provided by enabling a message (service request message, ID notification message, etc.) to be transferred via a plurality of relay devices. Thus, it can be installed near the access network of each user terminal. As a result, there is an advantage that the communication path between the user terminal and the host device can be shortened, and the possibility that an unauthorized user can act illegally can be reduced. Also, since the load is distributed by a plurality of host devices, it is possible to construct a larger scale service platform.

  According to the invention of claim 37, there is an advantage that the speed of ID notification is increased by using an apparatus having an instant message transfer function as a host apparatus and transmitting the ID notification request and ID notification by an instant message. Occur.

  According to the present invention, the connection is established and maintained between the user terminal and the host device, and the authentication state in the first authentication is valid only while the connection is established. That is, when the connection is disconnected, the first authentication state can be invalidated. This eliminates the need to determine the valid time of the first authentication state in advance. This eliminates the need for repeated sign-on authentication.

  A first embodiment of the present invention will be described below with reference to the configuration diagram of FIG. 1 and the flowchart of FIG.

  FIG. 1 shows an embodiment in which the present invention is implemented using a SIP server as the host device 12. The service providing apparatus 14 is an apparatus that provides services to clients based on the SIP protocol. Specific examples of the provided service include a content distribution service, an information search service, a presence service, an instant message service, and the like. As another example of the service, a service that issues and transmits an ID certificate to the user terminal 11 is also conceivable.

  The user terminal 11 and the service providing apparatus 14 are connected to the SIP server as a client for the SIP server. Here, the connection means “to generate a state in which continuous communication is possible between devices” and does not necessarily mean to generate a transfer layer connection such as a TCP connection. For example, in the embodiment described later, the SIP client and the SIP server transmit and receive messages using UDP, but generate an access session ID as an identifier between the SIP client and the SIP server in order to recognize continuity of communication. In such an embodiment, generating this access session ID corresponds to connecting. The SIP server receives a message from a connected SIP client, and forwards the message to another SIP client indicated by the destination of the message or another SIP server on the transfer path to the other SIP client. Means (SIP message relay means 112).

The host device 12 is the first SIP server 30 in FIG. 1, and the user terminal 11 is connected to the first SIP server 30. The first SIP server 30 includes means (authentication means 118) for authenticating the user of the user terminal 11 when connected to the user terminal 11.
In addition, for the connection established with the user terminal 11, the host device 12 associates the access session ID assigned to the connection with the user ID of the user associated with the connection and registers it in the session information DB 130. Is provided.
Further, the host device 12 includes a session holding unit 102. The session holding unit 102 periodically transmits a status confirmation message to the connected user terminal 11 and receives a response from the user terminal 11. When the user terminal 11 that does not transmit a response is detected, the information on the session is deleted from the session information DB 130.
Further, the host device 12 includes a user ID specifying unit 114. The user ID specifying unit 114 is a unit that specifies the user ID of the sender of the SIP message based on the session ID or signature added to the SIP message for the SIP message received from the user terminal 11.
Furthermore, the host device 12 includes a user ID specification necessity determination unit 120 that determines whether or not to specify a user ID.

  The user terminal 11 serves as a client for the first SIP server 30 as a means for authentication by the SIP server (authentication client means 106), a means for establishing and holding a connection with the first SIP server 30 (session holding means 102), Means (SIP message sending / receiving means 108) for sending / receiving messages to / from the first SIP server 30 are provided. Further, the user terminal 11 includes means (service utilization means 104) for transmitting a service request to the service providing apparatus 14 using the SIP protocol and receiving a response to the request.

  The service providing apparatus 14 includes a means (service providing means 132) that receives a service request from the user terminal 11 using the SIP protocol and provides a service or returns a response indicating whether or not the service can be provided as a response to the request. Further, the service providing apparatus 14 includes means (SIP message transmitting / receiving means 108) interconnecting with the second SIP server 46 and transmitting / receiving a message to / from the second SIP server 46. Further, the service providing apparatus 14 may include means for interconnecting with the third SIP server 48 (see FIG. 2) and transmitting / receiving messages to / from the third SIP server 48. Furthermore, the service providing apparatus 14 includes service providing method determining means 134 that extracts the user ID of the service requester from the received SIP message and determines whether or not to provide the service for the service request.

  Here, “R” in FIG. 1 indicates a router, which is a device that relays data flowing on a network to another network. In other configuration diagrams, the router is similarly denoted as “R”.

  The first SIP server 30 and the second SIP server 46 relay messages to each other.

  The user information storage device 13 includes a user management DB 128, and the user management DB 128 stores the user ID of the user and the password of the user terminal 11 for each user of the network. Further, the user information storage device 13 has, for the user terminal 11 connected to the first SIP server 30, a user ID corresponding to the user terminal 11 and an access session ID assigned for connection with the user terminal 11. A session information DB 130 for storing the correspondence relationship is provided.

  An embodiment in which the user management DB 128 stores the ID and authentication key of the device assigned to the user terminal 11 of the user for each user is also conceivable.

  In the present embodiment, the access session ID corresponds to “information relating to the connection between the user terminal 11 and the host device 12”.

  Next, the operation sequence of the system in this embodiment will be described (see FIG. 2).

  The user terminal 11 connects to the first SIP server 30 immediately after startup. This procedure will be described. First, the user terminal 11 generates a connection request including a user ID and a password in the format of a REGISTER message based on the SIP protocol, and transmits this connection request to the first SIP server 30 (Step 110A). The first SIP server 30 that has received this connection request first obtains a user ID and password from the connection request and makes an authentication decision (Step 120A, Step 130A). That is, a password corresponding to the user ID stored in the user management DB 128 of the user information storage device 13 is acquired, and the password stored in the user management DB 128 matches the password acquired from the connection request. If they match, the user ID is regarded as correct (Step 140A). If the user ID is deemed correct, the first SIP server 30 generates an access session ID for the connection request by a random number (Step 140A), and associates the generated access session ID with the user ID, Register in the user management DB 128 (Step 150A). Then, the first SIP server 30 transmits a response including the access session ID to the user terminal 11 (Step 160A).

  As described above, the user ID authentication method may not be a method of transmitting a password. In another embodiment, in Step 110A, the user terminal 11 transmits a value generated by a one-way function from the transmission message and the password as a signature to the transmission message and transmits it, and in Step 140A, the first SIP server 30 receives it. A scheme is also conceivable in which a signature is generated from the message and the password corresponding to the user ID in the user management DB 128 by the same function, and this signature is compared with the signature added to the received message. In another embodiment, the user terminal 11 signs a transmission message with its own private key, and the SIP server verifies the received message with the user's public key to determine the validity of the user ID.

  In another embodiment, public key cryptography is used to transmit the access session ID from the first SIP server 30 to the user terminal 11. That is, in Step 160A, when the first SIP server 30 includes the access session ID in the response, the access session ID is encrypted with the public key of the user terminal 11, and the user terminal 11 is encrypted. The access session ID is decrypted with the secret key corresponding to the public key to obtain the access session ID.

  As another embodiment, instead of transmitting and receiving a message by UDP, in the procedure from Step 110A to Step 160A, a connection based on TLS is established between the user terminal 11 and the first SIP server 30, and the subsequent user terminal 11 and the first SIP server 30 can be used to implement message transmission / reception using this TLS connection. In this case, the first SIP server 30 uses the TCP port number assigned to the TLS connection as the access session ID.

  A procedure when the user terminal 11 uses a service by the service providing apparatus 14 will be described.

  The user terminal 11 transmits a service request including the SIP / URI corresponding to the requested service based on the SIP protocol to the service providing apparatus 14 via the first SIP server 30 (Step 210A). The host device 12 (first SIP server 30) that has received the service request transmits an access session ID to the user information storage device 13 when the received message matches a condition to be described later (Step 220A). The user information storage device 13 refers to the user management DB 128, acquires the user ID corresponding to the access session ID, and returns this user ID to the first SIP server 30 (Step 230A). In this procedure, the first SIP server 30 specifies the user ID of the sender of the received SIP message, and transfers this user ID as the sender address of the message. (Step 240A).

  In another embodiment, the user ID is specified by a signature verification algorithm using a one-way function. That is, a certain one-way function is shared between the user terminal 11 and the first SIP server 30. Here, examples of one-way functions that can be used include SHA-1 and MD5. Further, the SIP message includes the user ID of the user terminal 11. Instead of adding the access session ID to the SIP message, the user terminal 11 obtains the value of the one-way function using the content data of the SIP message and the access session ID as arguments, and uses this value as a signature for the message (hereinafter referred to as “signature”). As the first signature). The first SIP server 30 transmits the user ID in the received SIP message to the user information storage device 13. The user information storage device 13 acquires an access session ID corresponding to the received user ID from the user management DB 128 and returns it to the first SIP server 30. The first SIP server 30 obtains the value of the one-way function using the content data of the received SIP message and the access session ID returned from the user information storage device 13 as arguments, and the signature obtained by the obtained value is received. Is determined. If they match, it is determined that the user ID included in the SIP message is the correct user ID corresponding to the SIP message. In this case, when the user terminal 11 is connected, the access session ID is not transferred on the communication path except when the first SIP server 30 notifies the access session ID. Can be intercepted and impersonation of the user corresponding to the access session ID can be prevented.

  Instead of the first SIP server 30 receiving the access session ID from the user information storage device 13, the first SIP server 30 receives the user ID, the content data of the SIP message, and the received signature data as the user information storage device. 13, the user information storage device 13 verifies whether the signature is valid, and transmits the verified result to the first SIP server 30.

  The first SIP server 30 holds a “destination URI, SIP method” pair in advance as a condition for determining whether or not a user ID should be acquired when a SIP message is received. As a result, instead of acquiring user IDs for all SIP messages, it is possible to selectively perform processing only for services that require guaranteed calling user IDs. The load on the server 30 can be reduced. In the case of performing in this embodiment, the service providing apparatus 14 performs the above processing in the first SIP server 30 in order to identify the message whose ID is guaranteed by the first SIP server 30 and the message that is not so. In this case, it is necessary for the first SIP server 30 to give information to that effect and transfer it to the service providing apparatus 14. As the information to be added, a method using a signature is more desirable, but other methods may be used when the network between the first SIP server 30 and the service providing device 14 can be trusted.

  In addition, as a condition for determining whether or not the first SIP server 30 should acquire the user ID when receiving the SIP message, the user ID is sent to Step 210A immediately before the user terminal 11 transmits the service request (Step 210A). There may also be a method of giving an instruction to acquire. Specifically, in Step 200A, an ID specifying condition setting request including “source IP address, destination URI, SIP method, hash value of BODY part of service request message” as information characterizing the service request message transmitted in Step 210A Is transmitted to the first SIP server 30. The first SIP server 30 stores the condition “destination URI, SIP method, hash value of the BODY part of the service request message”, and checks whether the condition is satisfied for the received message thereafter. In such a case, Step 220A and Step 230A are performed, and the stored conditions are deleted. If the first SIP server 30 does not receive a message that satisfies the condition for a certain period of time, the stored condition is deleted. This makes it possible to selectively process only a message that requires a guaranteed calling user ID, instead of acquiring a user ID for all SIP messages. 30 loads can be reduced. In the case of performing in this embodiment, the first SIP server 30 performs the above-described processing in order to identify the message for which ID is guaranteed by the first SIP server 30 and the message that is not so in the service providing apparatus 14. In this case, it is necessary for the first SIP server 30 to give information indicating that and transfer it to the service providing apparatus 14. As the information to be added, a method using a signature is more desirable, but other methods may be used when the network between the first SIP server 30 and the service providing device 14 can be trusted.

  In another embodiment, when the first SIP server 30 transmits a service request in Step 240A, an electronic signature by the first SIP server 30 is added. Specifically, an electronic signature based on a public key algorithm is performed, and the first SIP server 30 includes at least a sender address by using a secret key corresponding to the device (or an operator of the device). A signature (third signature) for some data in the service request is generated and added to the service request. The service providing device 14 verifies the third signature with the public key corresponding to the secret key, and the device (or which vendor) verifies the sender address of the message is altered by the SIP server in the middle. You can check if it is not.

  Note that when the service request message is transferred from the first SIP server 30 to the service providing apparatus 14, instead of being directly transmitted from the first SIP server 30 to the service providing apparatus 14, some SIP servers (For example, it may be transferred via the second SIP server 46).

When the SIP / URI domain included in the received SIP message indicates itself, the service providing apparatus 14 that has received the service request acquires a user ID that is a sender address of the message, and based on the user ID Service provision availability determination or service provision based on the user ID is performed (Step 250A, Step 260A). When only the service provision availability determination is performed, it is common to use the session set by the SIP message such as the service request message or the service provision availability determination message to provide the service thereafter. (Step 270A).
When the SIP URI included in the received SIP message does not indicate itself, the message is transferred to the subsequent third SIP server 48 as a normal SIP proxy operation, and the subsequent SIP server 48 The device determines whether or not to provide a service based on the user ID or provides a service based on the user ID, and returns a response to the user via the first SIP server 30 (Step 310A, Step 320A).

  If the first SIP server 30 fails to check the status of the user terminal 11 periodically, the first SIP server 30 determines that the connection has been disconnected (Step 400A), and the first SIP server 30 detects the access session ID from which the disconnection has been detected. Is transmitted to the user information storage device 13 (Step 410A). The user information storage device 13 deletes the received access session ID (Step 420A), and when a service request for the access session ID is received thereafter, an authentication failure is returned.

  Note that the user information storage device 13 stores the address of the service providing device that has previously identified the user ID in Step 220A with respect to the access session ID, and returns the address group to the first SIP server 30 in Step 420A. The first SIP server 30 may notify each service providing apparatus 14 corresponding to the address group that the authentication state has become invalid.

  A feature of the present embodiment is that a service request message is transmitted via several relay devices by using, as the host device 12, a device having a function of transferring a message via a relay device other than the destination terminal, such as a SIP server. However, it is possible to be transferred to the service providing apparatus 14. In a star type system configuration in which the host device 12 transmits and receives messages to and from all user terminals 11 and the service providing device 14, there is a restriction that the host device 12 needs to be installed at the center of the wide area network. By making it possible to transfer a service request message via a plurality of relay devices, a plurality of host devices 12 can be installed near the access network of each user terminal 11. As a result, there is an advantage that the communication path between the user terminal 11 and the host device 12 can be shortened, and the possibility that an unauthorized user can act illegally can be reduced. Further, since the load is distributed by the plurality of host devices 12, a larger-scale service platform can be constructed. As another embodiment that realizes such a feature, a host server 12 that uses a mail server can be considered.

  The first embodiment of the present invention has been described above. Next, a second embodiment of the present invention will be described with reference to the configuration diagrams of FIGS. 3 and 6 and the flowcharts of FIGS. 4 and 5.

  FIG. 3 shows an embodiment in which the present invention is implemented using the access session management device 32 as the host device 12. The service providing device 14 is a device that provides services to clients based on the HTTP protocol. As a specific example of the provided service, a content providing service, an information search service, and the like can be considered. Further, as an example of another service, a service that issues and transmits an ID certificate to the user terminal 11 is also conceivable. Also, application to electronic mail communication by SMTP is conceivable.

The layer 2 switch 42 has a function of transferring a packet from one port to another according to the MAC address. Further, the layer 2 switch 42 permits the packet transfer between the ports for each combination of the two ports of the switch according to the designation from the outside (when the designation is ON) or blocks the packet forwarding (the designation is not specified). (When OFF). In addition, between the port to which the user terminal 11 is connected and the port to which the IP network is connected, the port is normally turned off, and only the port to which the access session management device 32 is connected is turned on. After the layer 2 switch 42 and the access session management device 32 cooperate to authenticate the user terminal 11 using an authentication method such as IEEE802.1x, the port is connected to the port to which the IP network is connected. It can be connected.
Further, it is assumed that control is performed at the time of authentication so that a user terminal 11 having the same MAC address (one of which is a MAC address) cannot be connected to a plurality of ports in a specific layer 2 switch 42. To do. As a result, if a packet having the MAC address of the user terminal 11 after authentication passes through the specific layer 2 switch 42 permitted to be used by the user terminal 11 in the authentication, the user terminal 11 that sent the packet It can be guaranteed that the user terminal 11 has confirmed the identity by the authentication.

  The layer 2 switch 42 does not necessarily have to be a port into which a line is physically inserted, and may terminate a logical line or a wireless communication link.

The access session management device 32 establishes a function for authenticating the user terminal 11 in cooperation with the user information storage device 13 (authentication means 118), a connection state between the authenticated user terminal 11 and the layer 2 switch 42, and connection. While the state continues, a function (session (session) for controlling the layer 2 switch 42 so that the port connected to the user terminal 11 and the port connected to the IP network are turned on. Holding means 102). In order to maintain and confirm the connection state, it is desirable to provide means for periodically authenticating the user from the access session management device 32 via the layer 2 switch 42. When a user terminal 11 that does not perform regular authentication normally is detected, the session information is deleted from the session information DB 130 described later, and a packet between the user terminal 11 and the port to which the IP network is connected Block transfer (turn off). Further, the access session management device 32 relates, for a connection established with the user terminal 11, the identifier of the layer 2 switch 42 assigned to the connection, the MAC address of the user terminal 11, and the user ID of the user related to the connection. In addition, a session registration unit 116 for registering in the session information DB 130 is provided.
Further, the access session management device 32 includes a user ID specifying unit 114. The user ID specifying unit 114 is a unit that specifies the user ID of the sender of the service request message based on the session ID or signature added to the service request for the service request message received from the user terminal 11.
Furthermore, the access session management device 32 includes service request transfer means 122 that transfers a service request message to which the specified user ID is assigned.

  The layer 2 switch 42 includes a user ID specification necessity determination unit 120 that determines whether or not to specify a user ID.

  As a client for the access session management device 32, the user terminal 11 is a means for receiving authentication by the access session management device 32 (authentication client means 106), a means for establishing and holding a connection with the layer 2 switch 42 and the access session management device 32 ( Session holding means 102) and means for transmitting a service request message to the service providing apparatus 14 (service request means 108). Further, the user terminal 11 includes means (service utilization means 104) for receiving a response from the service providing apparatus 14 to the service request message.

  The service providing apparatus 14 receives a service request from the user terminal 11 by HTTP (service request receiving means 136), provides a service as a response to the request, or returns a response indicating whether the service can be provided (service provision) Means 132). Furthermore, the service providing apparatus 14 includes service providing method determining means 134 that extracts the user ID of the service requester from the received service request message and determines whether or not to provide the service for the service request.

  The user information storage device 13 includes a user management DB 128, and the user management DB 128 stores the user ID of the user and the password of the user terminal 11 for each user of the network. Further, the user information storage device 13 has the user ID corresponding to the user terminal 11, the identifier of the layer 2 switch 42 to which the user terminal 11 is connected, and the MAC address of the user terminal 11 for the user terminal 11 that is establishing the connection. The session information DB 130 for storing the correspondence relationship is provided.

  In the present embodiment, the host device 12 includes the access session management device 32, and the connection state established between the layer 2 switch 42 and the user terminal 11 that cooperates with the access session management device 32 is the user terminal 11. This corresponds to connection with the host device 12.

  Next, the operation sequence of the system in this embodiment will be described. (Fig. 4)

The user terminal 11 establishes a connection with the layer 2 switch 42 immediately after activation or triggered by application activation. This procedure will be described. First, the user terminal 11 transmits a connection establishment request including a user ID and a password to the access session management apparatus 32 through the layer 2 switch 42 (Step 110B).
Receiving this connection establishment request, the access session management device 32 transfers the user ID included in the connection establishment request to the user information storage device 13 (Step 120B). The user information storage device 13 returns the password corresponding to the user ID stored in its own user management DB 128 to the access session management device 32 (Step 130B). The access session management device 32 compares the password received from the user terminal 11 with the password returned from the user information storage device 13, and if they match, the user ID is considered correct and the authentication is successful (Step 140B). When the authentication is successful, the user ID, the MAC address of the user terminal 11 given to the message received from the user terminal 11, and the identifier of the layer 2 switch 42 through which the message passes are associated with the user ID. The user information storage device 13 is requested to store it in the session information DB 130 (Step 150B). Here, the identifier of the layer 2 switch 42 may be an explicit identifier such as the name of the layer 2 switch 42 that can be acquired by the RADIUS protocol at the time of authentication. Further, it is possible to guarantee that a message received from a specific physical port of the access session management device 32 is a specific layer 2 switch 42 by connecting the access session management device 32 and the layer 2 switch 42 in a point-to-point manner. In such a case, a means of using the identifier of the receiving port may be used. Thereafter, the access session management device 32 responds the authentication result to the layer 2 switch 42 via the access session management device 32, and turns on the port of the layer 2 switch 42 when the user ID is considered correct. Is instructed (Step 160B). When the authentication is successful, the layer 2 switch 42 turns on the port (Step 170B) and transmits a response to the user terminal 11 (Step 180B).

  During the connection state establishment, the user terminal 11, the layer 2 switch 42, and the access session management device 32 exchange control messages related to the connection. For example, the access session management device 32 periodically issues an authentication request to the user terminal 11 via the layer 2 switch 42 as defined in IEEE 802.1x, and the access session management device 32 Repeat the authentication process periodically.

  A procedure when the user terminal 11 uses a service by the service providing apparatus 14 will be described.

The user terminal 11 transmits a service request including a URL corresponding to the requested service based on the HTTP protocol to the service providing apparatus 14 via the layer 2 switch 42 (Step 210B).
Upon receiving the service request message, the layer 2 switch 42 determines that the message should be transferred to the access session management device 32 under some condition, and transfers the message (“some condition” will be described later). Upon receiving the message, the access session management device 32 transfers the identifier of the layer 2 switch 42 of the layer 2 switch 42 through which the message has passed and the MAC address of the user terminal 11 included in the message to the user information storage device 13. (Step 220B). The user information storage device 13 searches the session information DB 130 using the received identifier of the layer 2 switch 42 and the MAC address of the user terminal 11 as keys, and specifies the user ID (Step 230B). As described above, in this embodiment, the network access information transmitted from the user is only the MAC address, and the connection by the spoofed MAC address is impossible in the layer 2 switch 42. No countermeasure against spoofing is required, there is no need to have a special means for ensuring the security of the network access information shown in the features of the first embodiment, and both the function and load of the terminal can be reduced.
The user information storage device 13 responds the retrieved user ID to the access session management device 32 (Step 240B), and the access session management device 32 loads the user ID on the service request received at Step 210B and sets the layer 2 switch 42. Then, the data is transferred to the service providing device 14 (Step 250B). Here, the access session management device 32 may always relay the subsequent message exchange regarding the service using the source IP address of the service request transmitted in Step 250B as the IP address of the user terminal 11 (the latter sequence diagram). , Shown in FIG.

As conditions for determining whether or not the layer 2 switch 42 should transfer the message to the access session management device 32 in order to obtain the user ID when receiving the message, the protocol, the destination address of the message, the keyword of the specific part of the message ”And the like. As a result, it is possible to selectively process only a service that requires a guaranteed calling user ID, instead of acquiring a user ID for all messages passing through the layer 2 switch 42. Thus, the load on the layer 2 switch 42 and the access session management device 32 can be reduced.
In this embodiment, in order to identify the message that guarantees the calling user ID and the message that is not so in the service providing apparatus 14, the access session management apparatus 32 and the user information storage apparatus 13 perform the above process. When implemented, it is necessary for the access session management device 32 to give information indicating that fact and transfer it to the service providing device 14. As the information to be added, a method using a signature is more preferable, but other methods may be used when the network between the access session management device 32 and the service providing device 14 can be trusted.

In addition, as a condition for determining whether or not the message should be transferred to the access session management device 32 in order for the layer 2 switch 42 to acquire the user ID when receiving the message, immediately before the user terminal 11 transmits the service request Step 210B, There may be a method of giving an instruction to acquire the user ID to Step 210B. Specifically, in Step 200B, as information characterizing the service request message transmitted in Step 210B, from “source IP address, message destination address, hash value of Body part of service request message, keyword of specific part of message” and the like An ID specifying condition setting request including the configured condition is transmitted to the layer 2 switch 42.
The layer 2 switch 42 stores the condition, and checks whether or not the condition is satisfied with respect to the subsequently received message. If the condition is satisfied, Step 220B and Step 230B are performed, and the stored condition is deleted. If the layer 2 switch 42 has not received a message that satisfies the above condition for a certain period of time, the stored condition is deleted. This makes it possible to selectively process only messages that require a guaranteed calling user ID, instead of acquiring user IDs for all messages. The load on the session management device 32 and the user information storage device 13 can be reduced. In the case of performing in this embodiment, when the access session management device 32 performs the above process in order to identify the message that guarantees the calling user ID and the message that is not so in the service providing device 14, that fact is indicated. It is necessary for the access session management device 32 to assign the meaning information and transfer it to the service providing device 14. As the information to be added, a method using a signature is more preferable, but other methods may be used when the network between the access session management device 32 and the service providing device 14 can be trusted.
The service providing apparatus 14 that has received the service request acquires the user ID included in the message, makes a service provision availability determination based on the user ID (Step 260B), and provides a service or responds with a service provision availability determination. (Step 270B).

  Further, a proxy device may be installed between the layer 2 switch 42 and the service providing device 14, and the proxy device may relay the service request of Step 250B. In this case, there is a risk that the service request is tampered with an unauthorized proxy device in the middle. In order to prevent this, in another embodiment, the access session management device 32 transmits the service request message with the signature added at Step 250B. In Step 260B, the service providing apparatus 14 verifies the signature with the public key of the host apparatus 12, and confirms the validity of the service request and the user ID in the message. As a result, the service providing device 14 may confirm which host device 12 (which operator) has authenticated the user terminal 11 and confirm that the identified user ID has not been tampered with. It becomes possible.

  If the access session management device 32 fails to check the status of the user terminal 11 periodically, it is determined that the connection has been disconnected (Step 400B), and the access session management device 32 has given the access session ID that detected the disconnection. An authentication state deletion request is transmitted to the user information storage device 13 (Step 410B). The user information storage device 13 deletes the received access session ID (Step 420B), and when a service request for the access session ID is received thereafter, an authentication failure is returned.

  The user information storage device 13 stores the address of the service providing device 14 that has previously identified the user ID in Step 230B for the access session ID, and returns the address group to the access session management device 32 in Step 420B. Then, the access session management device 32 may notify each service providing device 14 corresponding to the address group that the authentication state has become invalid.

In the above description, the MAC address of the user terminal 11 is used for user identification. However, the physical port number of the layer 2 switch 42 assigned to the user at the time of authentication may be used for user identification.
In this case, the “physical port number that the user is trying to connect” notified from the layer 2 switch 42 in Step 110B is stored in the user information storage device 13 in Step 130B. Thereafter, in Step 220B, the layer 2 switch 42 notifies the user information storage device 13 of the physical port number that received the service request message of Step 210B. In Step 230B, the user ID is specified by the layer 2 identifier and the physical port number. As another form, an “access session ID” as in the fourth embodiment may be used.

  In addition, when different VLAN-IDs are assigned to different physical ports of the layer 2 switch 42 using VLAN defined by IEEE802.1Q or the like as layer 2, an Ethernet header is used instead of the physical port itself. The physical port that has passed through may be identified using the VLAN-ID described in the above. However, in this case, the user information storage device 13 also needs to be accommodated in the VLAN.

  In another embodiment, the access session management device 32 is divided into a session holding device 34 that processes connection requests and a service request transfer device 36 that processes service requests, each connected to the layer 2 switch 42 at a different port. (See FIG. 6). In a normal state, an arbitrary MAC address is transferred only to a port to which each port and the session holding device 34 are connected. In Step 170B, the MAC address of the authenticated user terminal 11 is determined. Between the port to which the user terminal 11 is connected and the port to which the service request transfer device 36 is connected, and between the port to which the user terminal 11 is connected and the port to which the IP network is connected Is allowed. Accordingly, even if a terminal of a user who attempts fraud transmits a service request using the MAC address of another terminal, the service request can be prevented from being transferred to the service request transfer device 36.

  Note that, as one implementation method for controlling communication for each port, as shown in FIG. 6C, the user terminal 11 is assigned to VLAN-A to which the port to the session holding device 34 belongs before authentication. The service request transfer apparatus and the port to the IP network can be incorporated into the VLAN-B to which the service request transfer apparatus and the IP network belong. Further, it is possible to control the layer 2 switch 42 in such a manner without necessarily using a VLAN.

  The second embodiment of the present invention has been described above. Next, a third embodiment of the present invention will be described with reference to the configuration diagram of FIG. 7 and the flowchart of FIG.

  FIG. 7 shows an embodiment in which the present invention is implemented using a SIP server as the host device 12. The service providing device 14 is a device that provides services to clients based on the HTTP protocol. As specific examples of the provided services, a content distribution service, an information search service, and the like are conceivable. As another example of the service, a service that issues and transmits an ID certificate to the user terminal 11 is also conceivable.

  The user terminal 11 and the service providing apparatus 14 are connected to the SIP server as a client for the SIP server. Here, the connection means “to generate a state in which continuous communication is possible between devices” and does not necessarily mean to generate a transfer layer connection such as a TCP connection. For example, in the embodiment described later, the SIP client and the SIP server transmit and receive messages using UDP, but generate an access session ID as an identifier between the SIP client and the SIP server in order to recognize continuity of communication. In such an embodiment, generating this access session ID corresponds to connecting. The SIP server receives a message from a connected SIP client, and transfers the message to another SIP client indicated by the destination of the message or to another SIP server on the transfer path to the other SIP client. Means (SIP message relay means 124).

The host device 12 is the first SIP server 30 in FIG. 7, and the user terminal 11 is connected to the first SIP server 30. The first SIP server 30 includes means (authentication means 118) for authenticating the user of the user terminal 11 when connected to the user terminal 11.
In addition, the host device 12 includes a session registration unit 116 that associates an access session ID assigned to the connection with the user terminal 11 and registers the user ID of the user related to the connection in session information. .
Further, the host device 12 includes a session holding unit 102. The session holding unit 102 periodically receives a status confirmation message from the user terminal 11 for the connected user terminal 11. When the user terminal 11 that does not transmit a response is detected, the information on the session is deleted from the session information DB 130.
Further, the host device 12 includes a user ID specifying unit 114. The user ID specifying unit 114 is a unit that specifies the user ID of the sender of the SIP message based on the session ID or signature added to the SIP message for the SIP message received from the user terminal 11.

  As a client for the first SIP server 30, the user terminal 11 is a means for receiving authentication by the SIP server (authentication client means 106), and a means for establishing and holding a connection with the first SIP server 30 (session holding means 102). ), Means for transmitting / receiving a message to / from the first SIP server 30 (SIP message transmitting / receiving means 110). Further, the user terminal 11 includes means (service utilization means 104) for transmitting a service request to the service providing apparatus 14 using the HTTP protocol and receiving a response to the request.

  The service providing apparatus 14 includes means (service providing means 132) that receives a service request from the user terminal 11 using the HTTP protocol and provides a service as a response to the request. Further, the service providing apparatus 14 includes means (SIP message transmission / reception means 138) for transmitting / receiving a message to / from the second SIP server 46 as a client for the second SIP server 46. Furthermore, the service providing apparatus 14 includes service providing method determining means 134 that extracts the user ID of the service requester from the received SIP message and determines whether or not to provide the service for the service request.

  The first SIP server 30 and the second SIP server 46 relay messages to each other.

  The user information storage device 13 includes a user management DB 128, and the user management DB 128 stores the user ID of the user and the password of the user terminal 11 for each user of the network. Further, the user information storage device 13 has, for the user terminal 11 connected to the first SIP server 30, a user ID corresponding to the user terminal 11 and an access session ID assigned for connection with the user terminal 11. A session information DB 130 for storing the correspondence relationship is provided.

  An embodiment in which the user management DB 128 stores the ID and authentication key of the device assigned to the user terminal 11 of the user for each user is also conceivable.

  In the present invention, the access session ID corresponds to “information relating to the connection between the user terminal 11 and the host device 12”.

  Next, an operation sequence of the system in the present embodiment will be described (see FIG. 8).

  The user terminal 11 connects to the first SIP server 30 immediately after startup. This procedure will be described. First, the user terminal 11 generates a connection request including a user ID and a password in the format of a REGISTER message based on the SIP protocol, and transmits this connection request to the first SIP server 30 (Step 110D). The first SIP server 30 that has received this connection request first obtains a user ID and password from the connection request, and makes an authentication decision (Step 120D, Step 130D). That is, a password corresponding to the user ID stored in the user management DB 128 of the user information storage device 13 is acquired, and the password stored in the user management DB 128 matches the password acquired from the connection request. If they match, the user ID is regarded as correct (Step 140D). If the user ID is deemed correct, the first SIP server 30 generates an access session ID for the connection request with a random number (Step 140D), and associates the generated access session ID with the user ID, Register in the session information DB 130 (Step 150D). Then, the first SIP server 30 transmits a response including the access session ID to the user terminal 11 (Step 160D).

  As described above, the user ID authentication method may not be a method of transmitting a password. In another embodiment, in Step 110D, the user terminal 11 transmits a value generated by a one-way function from the transmission message and the password as a signature to the transmission message and transmits it, and in Step 140D, the first SIP server 30 receives it. A scheme is also conceivable in which a signature is generated from the message and the password corresponding to the user ID in the user management DB 128 by the same function, and this signature is compared with the signature added to the received message. In another embodiment, the user terminal 11 signs a transmission message with its own private key, and the SIP server verifies the received message with the user's public key to determine the validity of the user ID.

  In another embodiment, public key cryptography is used to transmit the access session ID from the first SIP server 30 to the user terminal 11. That is, in Step 160D, when the first SIP server 30 includes the access session ID in the response, the access session ID is encrypted with the public key of the user terminal 11, and the user terminal 11 is encrypted. The access session ID is decrypted with the secret key corresponding to the public key to obtain the access session ID.

  As another embodiment, instead of sending and receiving a message by UDP, in the procedure from Step 110D to Step 160D, a connection based on TLS is established between the user terminal 11 and the first SIP server 30, and the subsequent user terminal 11 and the first SIP server 30 can be used to implement message transmission / reception using this TLS connection. In this case, the first SIP server 30 uses the TCP port number assigned to the TLS connection as the access session ID.

  A procedure when the user terminal 11 uses a service by the service providing apparatus 14 will be described.

  The user terminal 11 transmits a service request including a URL corresponding to the requested service to the service providing apparatus 14 based on the HTTP protocol (Step 210D). The service providing apparatus 14 that has received the service request transmits a script including a step of causing the user terminal 11 to transmit an ID notification request to the host apparatus 12 as a response to the user terminal 11 (Step 230D). At this time, the service providing apparatus 14 generates a service request ID for uniquely identifying the service request on the service providing apparatus 14, and further generates a challenge key based on a random number algorithm (Step 220D). The key and the address of the service providing apparatus 14 are included in the script. Here, the address of the service providing apparatus 14 is the SIP / URI of the apparatus, and indicates an address for sending a SIP message to the apparatus. Further, the service providing apparatus 14 stores the correspondence between the generated service request ID and the challenge key.

  The user terminal 11 that has received the response executes the script. That is, the MESSAGE message including the service request ID, the challenge key, and the access session ID and destined for the address of the service providing device 14 is used as the ID notification request message as the host device 12 (first SIP server 30). ) (Step 310D). The MESSAGE message is one of messages transmitted and received between the SIP client and the SIP server.

  The host device 12 (first SIP server 30) that has received the MESSAGE message transmits the access session ID to the user information storage device 13 (Step 320D). The user information storage device 13 refers to the session information DB 130, acquires the user ID corresponding to the access session ID, and returns this user ID to the first SIP server 30 (Step 330D). The first SIP server 30 transfers the received user ID as the address of the sender of the MESSAGE message (Step 340D). This transferred MESSAGE message serves as an ID notification message.

In another embodiment, the user ID is specified by a signature verification algorithm using a one-way function. That is, a predetermined one-way function is shared between the user terminal 11 and the host device 12. Here, examples of one-way functions that can be used include SHA-1 and MD5. Further, the SIP message includes the user ID of the user terminal 11. Instead of adding the access session ID to the SIP message, the user terminal 11 obtains the value of the one-way function using the content data of the SIP message and the access session ID as arguments, and obtains this value as a signature (hereinafter referred to as “signature”). As the first signature).
In Step 320D, the first SIP server 30 transmits the user ID of the received SIP message to the user information storage device 13 and inquires about the access session ID corresponding to the user ID.
In Step 330D, the user information storage device 13 refers to the session information DB 130, acquires the corresponding access session ID, transmits it, and responds. The first SIP server 30 obtains the value of the one-way function using the content data of the received SIP message and the access session ID as arguments, and determines whether the obtained value matches the received signature. If they match, the user ID included in the SIP message is regarded as a valid user ID. In this case, when the user terminal 11 is connected, the access session ID is not transferred on the communication path except when the first SIP server 30 notifies the access session ID. Eavesdropping can be prevented from impersonating a user corresponding to the access session ID.

  Instead of the first SIP server 30 receiving the access session ID from the user information storage device 13, the first SIP server 30 receives the user ID, the content data of the SIP message, and the received signature data as the user information storage device. 13, the user information storage device 13 verifies whether the signature is valid, and transmits the verified result to the first SIP server 30.

  In addition, when the MESSAGE message is transferred from the first SIP server 30 to the service providing apparatus 14, instead of being directly transmitted from the first SIP server 30 to the service providing apparatus 14, several SIP servers ( For example, it may be transferred via the second SIP server 46).

  The service providing apparatus 14 that has received the ID notification acquires a service request ID, a challenge key, and a user ID that is a sender address of the message included in the received MESSAGE message. Next, it is determined whether the challenge key corresponding to the service request ID stored in Step 220D matches the challenge key included in the received MESSAGE message. If they match, it is the sender address of the MESSAGE message. The user ID is stored in association with the service request ID (Step 350D). Then, a MESSAGE message destined for the user ID is transmitted as an ID notification response (Step 360D). This ID notification response is transferred to the user terminal 11 via the SIP server (Step 370D). The content data of the ID notification response is arbitrary.

  The user terminal 11 that has received the ID notification response transmits a service request including the URL of the requested service, the service request ID, and the challenge key to the service providing apparatus 14 (Step 410D).

  The service providing apparatus 14 that has received the service request acquires a user ID and a challenge key corresponding to the stored service request ID, and determines whether or not the stored challenge key matches the challenge key received in Step 410D. To do. If they match, based on the user ID, whether to provide a service is determined or a service is provided based on the user ID (Step 420D, Step 430D).

  If the first SIP server 30 fails to check the status of the user terminal 11 periodically, the first SIP server 30 determines that the connection has been disconnected (Step 500D), and the first SIP server 30 sets the access session ID that detected the disconnection. The granted authentication state deletion request is transmitted to the user information storage device 13 (Step 510D). The user information storage device 13 deletes the received access session ID (Step 520D), and thereafter, when a service request for the access session ID is received, returns an authentication failure.

  Note that the user information storage device 13 stores the address of the service providing device that previously specified the user ID for the access session ID in Step 320D, and returns the address group to the first SIP server 30 in Step 520D. The first SIP server 30 may notify each service providing apparatus corresponding to the address group that the authentication state has become invalid.

  A feature of the present embodiment is that an ID notification message is transmitted through several relay devices by using, as the host device 12, a device having a function of transferring a message via a relay device other than the destination terminal, such as a SIP server. However, it is possible to be transferred to the service providing apparatus 14. In a star type system configuration in which the host device 12 transmits and receives messages to and from all user terminals 11 and the service providing device 14, there is a restriction that the host device 12 needs to be installed at the center of the wide area network. By making it possible to transfer the ID notification message via a plurality of relay devices, a plurality of host devices 12 can be installed near the access network of each user terminal 11. As a result, there is an advantage that the communication path between the user terminal 11 and the host device 12 can be shortened, and the possibility that an unauthorized user can act illegally can be reduced. Further, since the load is distributed by the plurality of host devices 12, a larger-scale service platform can be constructed. As another embodiment that realizes such a feature, a host server 12 that uses a mail server can be considered.

  Another feature is that a device having an instant message transfer function such as a SIP server is used as the host device 12. Instant message transfer means (1) that it is not necessary to generate a different connection for each message destination (that is, connectionless message transfer) (2) message arrival notification to the destination terminal to the message server This means message transfer having two technical characteristics that are performed when the message arrives. By using a device having an instant message transfer function as the host device 12 and transmitting an ID notification request and ID notification by an instant message, an advantage of speeding up ID notification occurs.

  By the way, the present invention also assumes that the ID notification message is transferred from the first SIP server 30 to the service providing apparatus 14 via a plurality of SIP servers. There is a possibility that a person who attempts fraud on this message transfer path intercepts and falsifies the ID notification message. In other words, in the above embodiment, it is necessary to safely protect the communication path for relaying the SIP message from the first SIP server 30 to the service providing apparatus 14. As another embodiment, a mode in which the user terminal 11 and the service providing apparatus 14 share a secret key to prevent interception and falsification of messages related to ID notification from Step 310D to Step 370D is also conceivable. This embodiment will be described. In Step 220D, the service providing apparatus 14 generates a secret key with a service request ID and a challenge key, and stores the secret key with a service request ID and a challenge key. In Step 230D, the service providing apparatus 14 transmits the secret key in addition to the service request ID, the challenge key, and the address of the service providing apparatus 14. In Step 310D, the user terminal 11 encrypts the challenge key with the secret key. At this time, a signature (second signature) is generated by a one-way function having the encrypted challenge key, service request ID, user ID, and secret key as arguments, and this signature is used as an ID notification request. Include. In Step 350D, the service providing apparatus 14 acquires a service request and an encrypted challenge key from the received ID notification, acquires a secret key corresponding to the service request ID stored in Step 220D, and acquires the secret key. The challenge key encrypted by the above is decrypted, and it is determined whether the challenge key obtained as a result matches the challenge key stored in Step 220D. If they do not match, the ID notification response in Step 360D is not made. Since the challenge key in the ID notification message is encrypted, even if a third party intercepts the ID notification request message, the service request of Step 410D cannot be transmitted based on the intercepted message. Further, the ID notification message performs an illegal act of rewriting the sender address of the ID notification request message and transferring the ID notification request message by adding a second signature associated with the user ID of the user terminal 11. However, the service providing device 14 can detect this fraud. As another embodiment of this method, a form in which the challenge key also serves as a secret key is possible. In this case, in Step 310D, the user terminal 11 does not include the challenge key in the ID notification request, but instead uses the one-way function with the challenge key, the service request ID, and the user ID as arguments. Signature) is generated, and the second signature and the service request ID are included in the ID notification request. In Step 350D, the service providing apparatus 14 extracts the service request ID from the received ID notification request, obtains a challenge key corresponding to the service request ID stored in Step 220D, and obtains the challenge key and the service request ID in the message. A signature is created based on the value of a one-way function having the user ID as an argument, and it is determined whether this signature matches the second signature in the ID notification. If they do not match, it is assumed that the message has been tampered in the middle or that it is an ID notification based on the ID notification request issued by the user terminal 11 that does not have the correct challenge key, and the ID notification response is not transmitted.

  In another embodiment, when the first SIP server 30 transmits an ID notification message in Step 340D, an electronic signature by the first SIP server 30 is added. Specifically, an electronic signature based on a public key algorithm is performed, and the first SIP server 30 includes at least a sender address by using a secret key corresponding to the device (or an operator of the device). A signature (third signature) for a part of data in the ID notification message is generated and added to the ID notification message. The service providing device 14 verifies the third signature with the public key corresponding to the secret key, and the device (or which vendor) verifies the sender address of the message is altered by the SIP server in the middle. You can check if it is not.

In another embodiment of the present invention, instead of executing Step 210D to Step 230D, the user terminal 11 uses another method for SIP of the service providing apparatus 14.
The URL is acquired in advance, and ID notification from Step 310D to Step 370D is performed. In this case, the service request ID is generated by the user terminal 11. Alternatively, Step 360D and Step 370D may be omitted, and the user terminal 11 may transmit the Step 410D service request after a certain period of time has elapsed after transmitting the Step 310D ID notification request.

  The third embodiment of the present invention has been described above. Next, a fourth embodiment of the present invention will be described with reference to the configuration diagram of FIG. 9 and the flowchart of FIG.

  FIG. 9 shows an embodiment in which the present invention is implemented using an access session management server 38 as the host device 12.

  The service providing apparatus 14 includes means (service providing means 132) for providing a service to a client based on the HTTP protocol. As a specific example of the provided service, a content providing service, an information search service, and the like can be considered. Further, as an example of another service, a service that issues and transmits an ID certificate to the user terminal 11 is also conceivable. Further, the service providing apparatus 14 extracts a user ID of the service requester from the means for receiving the ID notification (ID notification receiving means 138) and the received ID notification, and determines whether or not to provide the service for the service request. Service providing method determining means 134 for determining.

  The layer 2 switch 42 has a function of transferring a packet from one port to another according to the MAC address. Further, the layer 2 switch 42 forwards the packet transfer between the ports for each combination of the two ports of the switch according to the designation from the outside (when the designation is ON) or blocks the packet forwarding (if the designation is (When OFF). Also, the port to which the user terminal 11 is connected and the port to which the IP network is connected are normally in an OFF state, and the port to which the access session management server 38 is connected is all other ports. And normally ON.

  The layer 2 switch 42 does not necessarily have to be a port into which a line is physically inserted, and may terminate a logical line or a wireless communication link.

The access session management server 38 authenticates the user terminal 11 (authentication unit 118), establishes a connection state called an access session with the authenticated user terminal 11, and holds the connection state (session holding unit 102). When the access session continues, the layer 2 switch 42 is controlled so that the port between the port to which the user terminal 11 is connected and the port to which the IP network is connected is turned on. Means (connection control means 126).
Further, the access session management device 32 registers the established access session in the session information DB 130 by associating the access session ID, which is an identifier assigned to the access session, with the user ID of the user related to the access session. Session registration means 116 is provided.
The session holding unit 102 periodically receives a status confirmation message from the user terminal 11 that has established an access session. When the user terminal 11 that does not transmit the status confirmation message is detected, the session holding unit 102 deletes the access session ID of the access session with the user terminal 11 from the session information DB 130, and the user terminal 11 and the IP network are connected. Blocks packet transfer with the connected port (turns it off).
Further, the access session management server 38 includes a user ID specifying unit 114 and an ID notification unit 124. The ID notification unit 124 receives an ID notification request from the user terminal 11 and transmits an ID notification including the user ID of the user terminal 11 to the service providing apparatus 14. The user ID specifying unit 114 specifies the user ID of the sender of the ID notification request.
As shown in the figure, the access session management server 38 includes an ID including a session holding device 34 including an authentication unit 118, a session registration unit 116, and a session holding unit 102, a user ID specifying unit 114, and an ID notification unit 124. The notification device 40 and the two devices can also be used.

  The user information storage device 13 includes a user management DB 128 and a session information DB 130. The user management DB 128 stores the user ID of the user and the password of the user terminal 11 for each user on the network. The session information DB 130 stores a correspondence relationship between a user ID corresponding to the user terminal 11 and an access session ID that identifies the access session established by the user terminal 11 for the user terminal 11 that is establishing the access session.

  In this embodiment, the access session management device 32 corresponds to the host device 12, and an access session established between the user terminal 11 and the access session management server 38 is connected to the user terminal 11 and the host device 12. Equivalent to.

  Next, an operation sequence of the system in this embodiment will be described (see FIG. 10).

  The user terminal 11 establishes an access session with the access session management server 38 immediately after activation or triggered by application activation. This procedure will be described. First, the user terminal 11 generates a session establishment request including a user ID and a password, and transmits this session establishment request to the access session management server 38 (Step 110E). The access session management server 38 that has received this session establishment request first obtains the user ID and password from the session establishment request, and makes an authentication decision (Step 120E, Step 130E). That is, a password corresponding to the user ID stored in the user management DB 128 of the user information storage device 13 is acquired, and the password stored in the management DB matches the password acquired from the session establishment request. If they match, the user ID is regarded as correct (Step 140E). If the user ID is deemed correct, the access session management server 38 generates an access session ID using a random number algorithm (Step 140E), and associates the generated access session ID with the user ID in the session information DB 130. Register (Step 150E). In Step 150E, the access session management server 38 sends a control signal to the layer 2 switch 42 so as to turn on the port between the port to which the user terminal 11 is connected and the port to which the IP network is connected. Send. When generating an access session ID, the access session ID is not duplicated with respect to an already established access session. Then, the access session management server 38 transmits a response including the access session ID to the user terminal 11 (Step 160E).

  During the establishment of the access session, the user terminal 11 and the access session management server 38 exchange control messages regarding the access session while identifying the access session by the access session ID. For example, the user terminal 11 periodically transmits a status notification message indicating that its own device is still operating to the access session management server 38.

  A procedure when the user terminal 11 uses a service by the service providing apparatus 14 will be described.

  The user terminal 11 transmits a service request including a URL corresponding to the service requested based on the HTTP protocol to the service providing apparatus 14 (Step 210E). The service providing apparatus 14 that has received the service request transmits a script including a step of causing the user terminal 11 to transmit an ID notification request to the host apparatus 12 as a response to the user terminal 11 (Step 230E). At this time, the service providing device 14 generates a service request ID for uniquely identifying the service request on the service providing device 14, and further generates a challenge key based on a random number algorithm (Step 220E). The key and the address of the service providing apparatus 14 are included in the script. Here, the address of the service providing apparatus 14 is an IP address and a port number for the apparatus to receive the ID notification. Further, the service providing apparatus 14 stores the correspondence between the generated service request ID and the challenge key.

  The user terminal 11 that has received the response executes the script. That is, an ID notification request message including the access session ID, the service request ID, the challenge key, and the address of the service providing device 14 is transmitted to the access session management server 38 (Step 310E).

  Receiving the ID notification request, the host device 12 (access session management server 38) transmits an ID notification to the address of the service providing device 14 included in this message (Step 340E). At this time, the host device 12 obtains an access session ID from the ID notification request, transmits the access session ID to the user information storage device 13 (Step 320E), and receives the user ID from the user information storage device 13 as a response thereto. The user ID is included in the ID notification. In Step 330E, the user information storage device 13 acquires the user ID corresponding to the access session ID from the session information DB 130, and transmits it to the host device 12. The host device 12 enters the user ID, the service request ID in the ID notification request message, and the challenge key in the ID notification.

If wireless communication is used between the user terminal 11 and the layer 2 switch 42, the ID notification request of Step 310E may be intercepted by another user terminal 11. In order to prevent this terminal from intercepting and preventing other terminals from impersonating, in another embodiment, instead of including the access session ID in the ID notification request, the signature generated from the access session ID is included. And In this form, the user terminal 11 uses the signature (first step) as a value of a one-way function with the data D1 consisting of its user ID, the service request ID and the challenge key, and the access session ID as arguments in Step 310E. 1 signature), and this signature is included in the ID notification request. In Step 320E, the access session management server 38 sends the user ID included in the ID notification request to the user information storage device 13 to inquire the corresponding access session ID, and the user information storage device 13 accesses the user ID corresponding to the user ID. The session ID is acquired from the session information DB 130, and the access session ID is transmitted to the access session management server 38 in Step 330E. The access session management server 38 obtains a signature as a value of a one-way function having the data D1 and the access session ID as arguments, and determines whether this signature matches the signature received at Step 310E. If they match, the access session management server 38 specifies that the user ID included in the ID notification request is valid. If they do not match, the access session management server 38 assumes that the user ID included in the ID notification request is invalid, and does not perform processing for the ID notification request.
Instead of the access session management server 38 receiving the access session ID from the user information storage device 13, the access session management server 38 transmits D1 and the received signature data to the user information storage device 13, and the user information storage device A configuration is also possible in which 13 verifies whether the signature is valid and transmits the verification result to the access session management server 38.

  The service providing apparatus 14 that has received the ID notification acquires a service request ID, a challenge key, and a user ID of the message included in the message. Next, it is determined whether the challenge key corresponding to the service request ID stored in Step 220E matches the challenge key included in the received ID notification. If they match, the user ID included in the ID notification is determined. Is stored in association with the service request ID (Step 350E). Then, an ID notification response is transmitted to the host device 12. The content data of the ID notification response is arbitrary. The host device 12 that has received the ID notification response returns an ID notification response to the user terminal 11 that has transmitted the ID notification request (Step 360E).

  The TCP protocol is used for message transmission / reception from Step 310E to Step 360E. That is, at Step 310E, the user terminal 11 generates a TCP connection (connection 1) with the access session management server 38, and at Step 340E, the access session management server 38 establishes a TCP connection (connection 2) with the service providing device 14. Is generated. Connection 2 is used to transmit the ID notification response in Step 350E. Connection 1 is used to transmit the ID notification response in Step 360E. However, it is also possible to realize using UDP instead of using TCP connection.

  Note that a proxy device may be installed between the access session management server 38 and the service providing device 14 so that the proxy device relays the ID notification of Step 340E and the ID notification response of Step 350E. In this case, there is a risk that an unauthorized proxy device is interposed in the middle, and the ID notification message is falsified or intercepted. In order to prevent this, in another embodiment, instead of including the challenge key in the ID notification request and ID notification, a signature generated using the challenge key as an argument is included. That is, the data composed of the service request ID, the caller ID (user ID), and the data that changes for each message such as the call time is set as D. The value of the one-way function having the challenge key as an argument is added as a signature to the ID notification message. In Step 340E, the access session management server 38 includes the ID notification message data (D) and the signature in the ID notification. In Step 350E, the service providing apparatus 14 acquires the service request ID from the ID notification, acquires a challenge key corresponding to the service request ID stored in Step 220E, and includes the challenge key and the ID notification message in the ID notification. The signature is obtained by a one-way function having the data D as an argument, and it is determined whether the signature and the signature included in the ID notification match. If the two signatures do not match, an ID notification response indicating that the ID notification is regarded as invalid is transmitted in Step 360E. In this method, since the challenge key is not transmitted, even if another device intercepts the ID notification on the way, the device cannot transmit the service request. When the ID notification is falsified by another device, the service providing device 14 can detect the falsification.

  In another embodiment, in Step 340E, the host device 12 (access session management server 38) transmits the ID notification message with the signature generated by the secret key of the device. The service providing apparatus 14 verifies the signature with the public key of the host apparatus 12 in Step 350E, and confirms the validity of the ID notification. As a result, the service providing apparatus 14 can confirm which host apparatus 12 (which provider) has authenticated the user terminal 11.

  Receiving the ID notification response, the user terminal 11 transmits a service request including the URL of the requested service, the service request ID, and the challenge key to the service providing apparatus 14 (Step 410E).

  The service providing apparatus 14 that has received the service request acquires a user ID and a challenge key corresponding to the stored service request ID, and determines whether the stored challenge key matches the challenge key received in Step 410E. If they match, it is determined whether or not the service can be provided based on the user ID, or the service is provided based on the user ID (Step 420E, Step 430E).

  If the access session management device 32 fails to check the status of the user terminal 11 periodically, it is determined that the connection has been disconnected (Step 500E), and the access session management device 32 has given the access session ID that detected the disconnection. An authentication state deletion request is transmitted to the user information storage device 13 (Step 510E). The user information storage device 13 deletes the received access session ID (Step 520E), and thereafter, when a service request for the access session ID is received, returns an authentication failure.

  Note that the user information storage device 13 stores the address of the service providing device that previously specified the user ID for the access session ID at Step 320E, and returns the address group to the access session management device 32 at Step 520E. The access session management device 32 may notify each service providing device corresponding to the address group that the authentication state has become invalid.

  Another embodiment uses a MAC address used by the user terminal 11 as information regarding the connection between the user terminal 11 and the access session management server 38 instead of the access session ID. In this form, in Step 150E, the access session management server 38 registers the MAC address of the user terminal 11 in the session information DB 130 in association with the user ID. In Step 320E, the access session management server 38 transmits the MAC address to the user information storage device 13. In step 330E, the user information storage device 13 transmits the user ID stored in association with the MAC address. In such an embodiment, it is desirable that the layer 2 switch 42 can specify which MAC address is transferred for each port combination. In this case, normally, an arbitrary MAC address is transferred only between each port and the port to which the access session management server 38 is connected. In Step 150E, the MAC address of the authenticated user terminal 11 is allowed to be transferred between the port to which the user terminal 11 is connected and the port to which the IP network is connected. As a result, it is possible to prevent a terminal of a user who attempts fraud from transmitting a packet to the IP network using a packet of the MAC address of another terminal.

  The fourth embodiment of the present invention has been described above. Next, a fifth embodiment of the present invention will be described with reference to the configuration diagram of FIG. 11 and the flowchart of FIG.

  FIG. 11 shows an embodiment in which the present invention is implemented using the access session management device 32 as the host device 12. The service providing device 14 is a device that provides services to clients based on the HTTP protocol. As specific examples of the provided services, a content distribution service, an information search service, and the like are conceivable. As another example of the service, a service that issues and transmits an ID certificate to the user terminal 11 is also conceivable. Also, application to electronic mail communication by SMTP is conceivable.

  The user terminal 11 is connected to a wireless LAN access point (hereinafter referred to as “wireless access point 44”) in cooperation with the access session management device 32, and is connected to the IP network via the wireless access point 44. Here, the connection between the user terminal 11 and the wireless access point 44 is performed by means such as periodically confirming the connection state from the access session management device 32 to the user terminal 11, and the wireless access point 44 and the access session management. It is assumed that the device 32 can maintain and manage the connection state at all times. Specifically, it is possible to adopt an IEEE 802.1x authentication method and periodically re-authenticate from the wireless access point 44 to the user terminal 11.

The host device 12 includes the access session management device 32 in FIG. 11, and the user terminal 11 establishes a connection with the wireless access point 44 in cooperation with the access session management device 32.
The wireless access point 44 includes means for receiving a data frame from a connected user terminal 11 and transferring the message to another network device indicated by the destination (MAC address) of the data frame. The access session management device 32 includes means (authentication means 118) that authenticates the user of the user terminal 11 when connected to the user terminal 11 in cooperation with the user information storage device 13.
In addition, a connection state between the authenticated user terminal 11 and the wireless access point 44 is established and a shared key to be used in subsequent communication is generated, and the user terminal 11 is connected while the connection state continues. A function (session holding unit 102) that controls the wireless access point 44 so that the port and the port to which the IP network is connected are turned on. Further, in order to maintain and confirm the connection state, it is desirable to provide means for periodically authenticating the user from the access session management device 32 via the wireless access point 44. When a user terminal 11 that does not perform regular authentication normally is detected, the session information is deleted from the session information DB 130 described later, and a packet between the user terminal 11 and the port to which the IP network is connected Block transfer (turn off). In addition, the access session management device 32 associates the common key assigned to the connection with the user terminal 11 and registers the user ID of the user related to the connection in the session information DB 130. 116.
The user management DB 128 of the user information storage device 13 stores the user ID of the user and the password of the user terminal 11 for each user of the network. Furthermore, the user information storage device 13 includes a session information DB 130 that stores a correspondence relationship between a user ID corresponding to the user terminal 11 and a shared key used by the user terminal 11 for the user terminal 11 that is establishing a connection. .

  As a client for the wireless access point 44 and the user information storage device 13, the user terminal 11 is a unit (authentication client unit 106) that performs authentication performed in cooperation between the wireless access point 44 and the user information storage device 13. Means (session holding means 102) for maintaining the connection and transmitting and receiving data frames with the wireless access point 44 are provided. Further, the user terminal 11 includes means for transmitting a service request to the service providing apparatus 14 by the HTTP protocol (service request means 108) and means for receiving a response to the request (service utilization means 104).

  The service providing apparatus 14 includes means for receiving a service request from the user terminal 11 using the HTTP protocol (service request receiving means 136), and means for providing a service as a response to the request (service providing means 132). In addition, based on the information in the service request, the user information storage device 13 is provided with means for specifying a user ID (user ID specifying means 114). Furthermore, the service providing apparatus 14 includes service providing method determining means 134 that extracts the user ID of the service requester from the received service request message and determines whether or not to provide the service for the service request.

  In the present invention, the shared key corresponds to “information relating to the connection between the user terminal 11 and the host device 12”.

  Next, the operation sequence of the system in this embodiment will be described (see FIG. 12).

  The user terminal 11 connects to the wireless access point 44 immediately after activation. This procedure will be described. First, the user terminal 11 generates an authentication request including a user ID and a password by an authentication method based on IEEE 802.1x, and transmits this authentication request to the wireless access point 44. Upon receiving this authentication request, the wireless access point 44 transfers the authentication request to the access session management device 32 and requests authentication (Step 110F). The access session management device 32 requested to authenticate acquires the password corresponding to the user ID stored in the user information storage device 13 based on the received user ID (Step 120F, Step 130F) and stores this password. If the two passwords match the password obtained from the authentication request, the user ID is regarded as correct (Step 140F). If the user ID is deemed correct, the access session management device 32 generates a shared key that the user will use for encrypted communication with the wireless access point 44 thereafter (Step 140F), and sends the authentication result and the shared key to the wireless access point 44. Is responded (Step 150F). Then, the wireless access point 44 transmits a response including the shared key to the user terminal 11 (Step 150F).

  As described above, the user ID authentication method may not be a method of transmitting a password. In another embodiment, an authentication method such as EAP-TLS using a stronger public key certificate is performed.

  Further, as another embodiment, instead of using a shared key, when the user terminal 11 connects to the wireless access point 44, an IP address or a random value issued from the access session management device 32, or a user terminal There is also a form in which 11 terminal IDs and MAC addresses are used instead of the shared key. In this case, the session information DB 130 of the user information storage device 13 uses the device ID, MAC address, IP address, random value, etc. assigned to the user terminal 11 of the user as information for identifying the user ID for each user. Remember.

  A procedure when the user terminal 11 uses a service provided by the service providing apparatus 14 will be described.

Based on the HTTP protocol, the user terminal 11 transmits a service request including the URL and the shared key corresponding to the requested service, or the URL, the user ID, and the first signature to the service providing apparatus 14 (Step 210F). . Specifically, when the service request button and the service request button on the Web screen in which the script is embedded are clicked, the shared key stored in the user terminal 11 is read and set to a predetermined position in the HTTP message. Then, an HTTP message is transmitted.
The service providing apparatus 14 that has received the service request transmits the shared key to the user information storage apparatus 13 (Step 220F). The user information storage device 13 refers to the user management DB 128, acquires the user ID corresponding to the shared key (Step 230F), and returns this user ID to the service providing device 14 (Step 240F). In this procedure, the service providing apparatus 14 specifies the user ID of the sender of the received HTTP message, and determines whether the service can be provided based on the user ID or provides the service based on the user ID (Step 250F, Step 260F).

  In another embodiment, the shared key information is transmitted to the service providing apparatus 14 by a signature verification algorithm using a one-way function using the shared key, instead of transmitting the shared key to the service providing apparatus 14. That is, a certain one-way function is shared between the user terminal 11 and the service providing apparatus 14. Here, examples of one-way functions that can be used include SHA-1 and MD5. In addition, the HTTP message includes the user ID of the user terminal 11. Instead of adding the shared key to the HTTP message, the user terminal 11 obtains the value of the one-way function using the content data of the HTTP message and the shared key as arguments, and uses this value as a signature for the message (hereinafter referred to as the first message). As signature). The service providing device 14 transmits the user ID in the received HTTP message to the user information storage device 13. The user information storage device 13 acquires a shared key corresponding to the received user ID from the user management DB 128 and returns it to the service providing device 14. The service providing apparatus 14 obtains the value of the one-way function using the content data of the HTTP message received from the user terminal 11 and the shared key received from the user terminal 11 as arguments, and the obtained value is received from the user terminal 11. It is determined whether the signature matches. If they match, the user ID included in the HTTP message is the user ID corresponding to the HTTP message. In this case, the shared key is not transferred on the communication path except when the wireless access point 44 and the access session management device 32 notify the shared key when the user terminal 11 is connected. Eavesdropping can be prevented from impersonating a user corresponding to the shared key.

  Instead of the service providing device 14 receiving the shared key from the user information storage device 13, the service providing device 14 transmits the user ID, HTTP content data, and the received signature data to the user information storage device 13. A form in which the information storage device 13 verifies whether the signature is valid and transmits the verification result to the service providing device 14 is also possible.

  In another embodiment, when the user information storage device 13 transmits an ID notification in Step 240F, an electronic signature by the user information storage device 13 is added. Specifically, an electronic signature based on a public key algorithm is performed, and the user information storage device 13 is requesting a service including at least a user ID using a secret key corresponding to the device (or an operator of the device). A signature (second signature) for a part of the data is generated, and it can be confirmed by which device (or which supplier) the user ID of the message has been verified and whether the user ID has been tampered with by a device on the way.

  Note that if the access session management device 32 fails to check the status of the user terminal 11 periodically, the access session management device 32 determines that the connection has been disconnected (Step 400F), and the access session management device 32 determines the access session ID that detected the disconnection. The granted authentication state deletion request is transmitted to the user information storage device 13 (Step 410F). The user information storage device 13 deletes the received access session ID (Step 420F), and when a service request for the access session ID is received thereafter, an authentication failure is returned.

  Also, the user information storage device 13 stores the address of the service providing device 14 that has previously identified the user ID in Step 230F with respect to the access session ID, and returns the address group to the access session management device 32 in Step 420F. The access session management device 32 may notify each service providing device 14 corresponding to the address group that the authentication state has become invalid.

  In the present embodiment, the service providing apparatus 14 provides the service to the user terminal 11 using HTTP. However, the case where the service is provided using SIP in the same procedure can be easily realized. Specifically, when the service request of Step 210F is a SIP REGISTER or a service request message, and Step 260F is a response thereto, it is possible to provide a service by SIP in the same procedure.

  The fifth embodiment of the present invention has been described above. Next, a sixth embodiment of the present invention will be described with reference to the configuration diagram of FIG. 13 and the flowchart of FIG.

  In the configuration of the system shown in FIG. 13, parts different from the fifth embodiment will be described.

  The service providing apparatus 14 further includes a session information receiving unit 140 that instructs the user terminal 11 to transmit information based on the session information and receives the information.

  The user terminal 11 further includes a session information transmission unit 112 that transmits information based on session information based on an instruction from the service providing apparatus 14.

  The procedure up to Step 150 is the same as that of the fifth embodiment. That is, Step 110F of the fifth embodiment corresponds to Step 110G of the present embodiment, and the same correspondence is performed from Step 120 to Step 150.

  Hereinafter, a sequence (Step 210G and after) when using the service will be described.

  A procedure when the user terminal 11 uses a service provided by the service providing apparatus 14 will be described (see FIG. 14).

The user terminal 11 designates the URL of the service providing apparatus 14 using the HTTP protocol, and transmits a service request (Step 210G). The service providing apparatus 14 randomly generates and stores a challenge key corresponding to the service request (Step 220G), and includes a challenge key, an address of the service providing apparatus 14, and a script for the user terminal 11. A network access information notification request is transmitted as an HTTP response (Step 230G).
When the user terminal 11 operates the Web page responded at Step 230G, the script and the URL corresponding to the requested service and the challenge key and the shared key, or the URL and the user ID and the challenge key The network access information notification including the signature of 1 (described later) is transmitted to the service providing apparatus 14 (Step 240G). Specifically, when the send button on the Web screen received by the Step 230G in which the send button and the script are embedded is clicked, the script reads the shared key stored in the user terminal 11, and the HTTP message has a predetermined HTTP message. Set to location and send network access information notification in HTTP message.
The service providing apparatus 14 that has received the network access information notification confirms whether there is the same challenge key as that stored, and if there is the same one, erases the stored challenge key (Step 250G). Thereby, a replay attack in which the challenge key is wiretapped and transmitted again can be prevented.
Subsequently, the service providing apparatus 14 acquires the user ID of the message from the shared key or the first signature added to the received network access information notification by the same method as in the fifth embodiment (Step 260G, Step 270G, (Step 280G), this user ID is recognized as the sender address of the message, and service provision is determined based on the user ID, or service provision is performed based on the user ID (Step 290G, Step 300G).

  In another embodiment, the shared key information is transmitted to the service providing apparatus 14 by a signature verification algorithm using a one-way function using the shared key, instead of transmitting the shared key to the service providing apparatus 14. That is, a certain one-way function is shared between the user terminal 11 and the user information storage device 13. Here, examples of one-way functions that can be used include SHA-1 and MD5. In addition, the HTTP message includes the user ID of the user terminal 11. Instead of adding the shared key to the HTTP message, the user terminal 11 obtains the value of the one-way function using the content data of the HTTP message and the shared key as arguments, and uses this value as a signature for the message (hereinafter referred to as the first message). As signature). The service providing device 14 transmits the user ID in the received HTTP message to the user information storage device 13. The user information storage device 13 acquires a shared key corresponding to the received user ID from the user management DB 128 and returns it to the service providing device 14. The service providing device 14 obtains the value of the one-way function using the content data of the HTTP message received from the user and the shared key received from the user information storage device 13 as arguments, and the obtained value is obtained from the user terminal 11. Determine if it matches the received signature. If they match, it is determined that the user ID included in the HTTP message is the user ID corresponding to the HTTP message. In this case, if a secure communication path for performing encryption between the user information storage device 13 and the service providing device 14 is used, the wireless access point 44 and the access session management device 32 notify the shared key when the user terminal 11 is connected. Except for the time, since the shared key is not transferred on the communication path, it is possible to prevent a third party from intercepting the shared key and impersonating the user corresponding to the shared key.

  Instead of the service providing device 14 receiving the access session ID from the user information storage device 13, the service providing device 14 transmits the user ID, the HTTP content data, and the received signature data to the user information storage device 13. A form in which the user information storage device 13 verifies whether the signature is valid and transmits the verification result to the service providing device 14 is also possible.

  Further, as another embodiment, instead of using a shared key, when the user terminal 11 connects to the wireless access point 44, an IP address or a random value issued from the access session management device 32, or a user terminal There is also a form in which 11 terminal IDs and MAC addresses are used instead of the shared key. In this case, the session information DB 130 of the user information storage device 13 uses the device ID, MAC address, IP address, random value, etc. assigned to the user terminal 11 of the user as information for identifying the user ID for each user. Remember.

  In another embodiment, when the user information storage device 13 transmits an ID notification in Step 240G, an electronic signature by the user information storage device 13 is added. Specifically, an electronic signature based on a public key algorithm is performed, and the user information storage device 13 uses a secret key corresponding to the device (or the operator of the device) to include a service request including at least a sender address. Generate a signature (second signature) for some data in the message, and check which device (or which vendor) verifies the sender address of the message and whether it has been tampered with by a device on the way it can.

  If the access session management device 32 fails to check the status of the user terminal 11 periodically, the access session management device 32 determines that the connection has been disconnected (Step 400G), and the access session management device 32 has given the access session ID that detected the disconnection. An authentication state deletion request is transmitted to the user information storage device 13 (Step 410G). The user information storage device 13 deletes the received access session ID (Step 420G), and when a service request for the access session ID is received thereafter, an authentication failure is returned.

  Note that the user information storage device 13 stores the address of the service providing device 14 that has previously identified the user ID for the access session ID at Step 270G, and returns the address group to the access session management device 32 at Step 420G. The access session management device 32 may notify each service providing device 14 corresponding to the address group that the authentication state has become invalid.

  In the present embodiment, the service providing apparatus 14 provides the service to the user terminal 11 using HTTP. However, it is possible to easily implement the case where the service is provided using SIP in the same procedure. Specifically, when the service request of Step 210G is a SIP REGISTER or a service request message, and Step 300G is a response to the request, the service can be provided by SIP in the same procedure.

  The sixth embodiment of the present invention has been described above. Next, a seventh embodiment of the present invention will be described with reference to the configuration diagram of FIG. 15 and the flowchart of FIG.

FIG. 15 illustrates an embodiment in which the present invention is implemented using the home gateway 50 configured by integrating the access session management device 32, the user information storage device 13, and the layer 2 switch 42 of the fourth embodiment as a host device 12. ing. The home gateway 50 connects the user home network and an external IP network.
Also, the certificate issuing device 52 and the home gateway 50 authenticate the home gateway 50 when the certificate issuing device 52 is activated and confirm the signature key of the home gateway 50, or the certificate issuing device 52 is the home gateway. It is assumed that a trust relationship is established in advance so that the certificate issuing device 52 can trust the data with the signature of the home gateway 50, such as trusting the issuing authority of 50 public key certificates. And
The certificate issuing device 52 is a device that issues a certificate based on a certificate issuing request from a user, and can be applied as an IDP (Identity Provider) standardized by the Liberty Alliance Project.

The operation procedure of this embodiment will be described with reference to FIG.
First, the user terminal 11 establishes an access session with the access session management server 38 (see FIG. 9) in the home gateway 50 when the user terminal 11 connects to the user home network immediately after starting or when the application starts. Establish. First, the user terminal 11 generates a session establishment request including a user ID and a password, and transmits this session establishment request to the access session management server 38 (Step 110H). The access session management server 38 that has received this session establishment request first obtains a user ID and password from the session establishment request, and makes an authentication decision (Step 120H, Step 130H). That is, the password corresponding to the user ID stored in the user management DB 128 of the user information storage device 13 is acquired, and the password stored in the user management DB 128 matches the password acquired from the session establishment request. If they match, the user ID is regarded as correct (Step 140H). If the user ID is deemed correct, the access session management server 38 generates an IP address to be paid out to the user terminal 11 (Step 140H), and registers the generated IP address in the session information DB 130 in relation to the user ID. (Step 150H). Then, the access session management server 38 transmits a response including the IP address to the user terminal 11 (Step 160H). Here, an example in which an IP address is used as an access session ID for identifying the connection between the user terminal 11 and the host device 12 is described. Other information such as may be used as the access session ID.

Next, a procedure for issuing a certificate will be described.
The user terminal 11 transmits a certificate issuance request to the certificate issuance apparatus 52 using HTTP (Step 210H). Upon receiving the certificate issuance request (Step 210H), the certificate issuance apparatus 52 transmits an ID notification request including the address of the certificate issuance apparatus 52 to the user terminal 11 using HTTP (Step 220H). Here, the ID notification request message is configured as an HTTP message instructing the message to be redirected to the access session management device 32. Receiving the ID notification request (Step 220H), the user terminal 11 transfers the message to the access session management device 32 in accordance with the redirection instruction to the access session management device 32 in the ID notification request (Step 230H, Step 240H).
If only the host name representing the access session management device 32 is written in the ID notification request received by the user terminal 11 from the certificate issuing device 52, the user terminal 11 sends the access session to the DNS server on the home gateway 50. A procedure may be used in which an IP address is searched from the host name of the management device 32 and an ID notification request message is transferred to the IP address.
At this time, the host name of the access session management device 32 included in the ID notification request by the certificate issuing device 52 is always the same regardless of the home gateway 50 in which the access session management device 32 is included. When the DNS on the home gateway 50 to which each user terminal 11 is connected requests the host name resolution, the DNS on each home gateway 50 corresponds to the IP corresponding to the name of the access session management device 32. The IP address of each home gateway 50 is returned as an address. As a result, the certificate issuing device 52 transmits a message via the user terminal 11 to the access session management device 32 in the home gateway 50 to which each user is connected without knowing the IP addresses of all the home gateways 50 in advance. It becomes possible to do.

  The access session management device 32 that has received the ID notification request extracts the originating IP address from the IP packet that has carried the ID notification request, and transmits the IP address to the user information storage device 13 (Step 250H). The storage device 13 returns the user ID corresponding to the IP address to the access session management device 32 (Step 260H). The access session management device 32 sends out an ID notification message including the user ID acquired in Step 260H and the signature of the access session management device 32 (Step 270H). The ID notification message is configured as an HTTP message that instructs the certificate issuing device 52 to perform helidirection. The user terminal 11 that has received the ID notification message (Step 270H) transfers the message to the certificate issuing device 52 in accordance with the redirection instruction to the certificate issuing device 52 in the ID notification message (Step 280H, Step 290H).

  Upon receiving the ID notification message, the certificate issuing device 52 verifies the signature included in the ID notification message, confirms that the HGW is trusted in advance, and then sets the user ID included in the message. Based on the certificate (Step 300H), the certificate is returned to the user terminal 11 (Step 310H).

  If the access session management device 32 fails to check the status of the user terminal 11 periodically, the access session management device 32 determines that the connection has been disconnected (Step 400H), and the access session management device 32 has given the access session ID that detected the disconnection. An authentication state deletion request is transmitted to the user information storage device 13 (Step 410H). The user information storage device 13 deletes the received access session ID (Step 420H), and when a service request for the access session ID is received thereafter, an authentication failure is returned.

  Note that the user information storage device 13 stores the address of the service providing device that previously specified the user ID for the access session ID at Step 250H, and returns the address group to the access session management device 32 at Step 420H. The access session management device 32 may notify each service providing device corresponding to the address group that the authentication state has become invalid.

  The seventh embodiment of the present invention has been described above.

  Each device constituting the present invention includes an arithmetic device (such as a CPU), a communication device (such as a network interface), and a storage device (such as an HDD), and includes an input device (such as a keyboard) and an output. A device (such as a display) may be included. In addition, each apparatus which comprises this invention is the user terminal 11, the host apparatus 12, the user information storage device 13, the service provision apparatus 14, the 1st SIP server 30, the access session management apparatus 32, the session holding | maintenance apparatus 34, service, for example A request transfer device 36, an access session management server 38, an ID notification device 40, a layer 2 switch 42, a wireless access point 44, a second SIP server 46, and a third SIP server 48.

  Each processing unit constituting the present invention is realized as a program stored in a storage device (HDD or the like) and executed by an arithmetic device (CPU or the like), for example. Each processing means constituting the present invention includes, for example, session holding means 102, service using means 104, authentication client means 106, service request means 108, ID notification request means 110, session information transmission means 112, user ID specifying means. 114, session registration means 116, authentication means 118, user ID identification necessity determination means 120, service request transfer means 122, ID notification means 124, connection control means 126, service provision means 132, service provision method determination means 134, service request A receiving unit 136, an ID notification receiving unit 138, and a session information receiving unit 140.

  Further, each database (DB) constituting the present invention is realized as data having a specific structure stored in a storage device (HDD or the like) and a program for accessing the data. In addition, each database (DB) which comprises this invention is user management DB128 and session information DB130, for example.

It is a block diagram of the service provision system which concerns on 1st Embodiment of this invention. It is a flowchart of the service provision system which concerns on 1st Embodiment of this invention. It is a block diagram of the service provision system which concerns on 2nd Embodiment of this invention. It is a flowchart of the service provision system which concerns on 2nd Embodiment of this invention. It is a flowchart of the service provision system which concerns on 2nd Embodiment of this invention. It is a block diagram of the host apparatus which concerns on 2nd Embodiment of this invention. It is a block diagram of the service provision system which concerns on 3rd Embodiment of this invention. It is a flowchart of the service provision system which concerns on 3rd Embodiment of this invention. It is a block diagram of the service provision system which concerns on 4th Embodiment of this invention. It is a flowchart of the service provision system which concerns on 4th Embodiment of this invention. It is a block diagram of the service provision system which concerns on 5th Embodiment of this invention. It is a flowchart of the service provision system which concerns on 5th Embodiment of this invention. It is a block diagram of the service provision system which concerns on 6th Embodiment of this invention. It is a flowchart of the service provision system which concerns on 6th Embodiment of this invention. It is a block diagram of the service provision system which concerns on 7th Embodiment of this invention. It is a flowchart of the service provision system which concerns on 7th Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 11 User terminal 12 Host apparatus 13 User information storage apparatus 14 Service provision apparatus 36 Service request transfer apparatus 40 ID notification apparatus 102 Session holding means 104 Service utilization means 106 Authentication client means 108 Service request means 110 ID notification request means 112 Session information transmission means 114 User ID identification unit 116 Session registration unit 118 Authentication unit 120 User ID identification necessity determination unit 122 Service request transfer unit 124 ID notification unit 126 Connection control unit 128 User management DB
130 Session information DB
132 Service providing means 134 Service providing method determining means 136 Service request receiving means 138 ID notification receiving means 140 Session information receiving means

Claims (39)

A user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure in which the host device establishes a connection with the user terminal and registers information related to the connection between the user terminal and the host device in the user information storage device;
A procedure in which the host device identifies the user terminal or the user from information related to the connection between the user terminal and the host device in cooperation with the user information storage device;
A procedure in which the service providing apparatus determines a service providing method or service providing availability based on the identification of the user or the user terminal; and
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid A service providing method that is executed. A user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
The connection information (S) set by establishment of communication between the host device and the terminal device from the user terminal, or user verification information (information generated based on the connection information (S)). Receiving a service request including T);
A procedure in which the host device refers to storage information in the user information storage device and identifies a user ID of the transmission source of the service request from the connection information (S) or the user verification information (T);
A procedure in which the host device transmits a service request including the identified user ID;
A procedure in which the service providing apparatus determines whether to provide a service or a service providing method based on a user ID included in the service request;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid A service providing method that is executed. The user verification information (T) is a first signature generated by the user terminal by using a signature generation function with the data included in the service request and the connection information (S) as arguments.
The service request transmitted from the user terminal includes the user ID;
The host device acquires connection information (S) corresponding to a user ID included in the service request from the user information storage device, and uses the connection information (S) and data included in the received service request as an argument. The user verification information (V) is generated by the signature generation function, and the generated user verification information (V) is compared with the user verification information (T) as the first signature. Regard the user ID included in the service request as the user ID of the sender of the service request;
The service providing method according to claim 2. The procedure for specifying the user ID is executed when a condition for executing the specification of the user ID is acquired from the storage means, the acquired condition is compared with the condition set in the service request, and the conditions are matched. ,
The service providing method according to claim 2, wherein: The procedure for specifying the user ID is as follows:
This is executed when the user terminal receives information characterizing the service request to be transmitted before transmitting the service request, compares the service request received thereafter with the information characterizing the received service request, and matches. ,
The service providing method according to any one of claims 2 to 4, wherein: In the procedure in which the host device transfers the service request to the service providing device,
The host device generates a second signature by the host device and includes it in the service request;
The service providing apparatus that has received the service request verifies the second signature, and verifies the validity of the service provision request based on a verification result;
The service providing method according to any one of claims 2 to 5, wherein: The host device generates the second signature with the secret key of the host device or the operator of the host device,
The service providing apparatus verifies the second signature using a public key of the host apparatus;
The service providing method according to claim 6. The host device includes an authentication device that authenticates the user terminal and a service request transfer device that identifies a user and transfers a service request,
Between the user terminal and the service request transfer device, provided with a connection device for connection control to enable communication with the user terminal,
Monitoring the state of connection between the host device and the user terminal, and blocking communication between the user terminal that has not established a connection and the service request transfer device;
When the host device authenticates the user terminal and establishes a connection with the user terminal, the user terminal and the service request transfer device are configured to enable communication between the user terminal and the service request transfer device. Controlling the connection device connected between
The service providing method according to claim 6. A user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
User verification which is the connection information (S) set by communication establishment between the host device and the user terminal, or information generated based on the connection information (S), transmitted by the user terminal. A procedure for receiving an ID notification request including information (T) and an address of the service providing device;
A procedure in which the host device refers to stored information in the user information storage device and identifies a user ID of a transmission source of the ID notification request;
A procedure in which the host device transmits an ID notification including the identified user ID to an address of a service providing device indicated by the ID notification request;
The service providing apparatus receives the ID notification and determines whether to provide a service or a service providing method based on a user ID included in the ID notification;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid A service providing method that is executed. The user verification information (T) is transmitted from the user terminal that is a first signature generated by the user terminal by using the signature generation function and the data included in the service request and the connection information (S) as arguments. The ID notification request includes the user ID,
The host device acquires connection information (S) corresponding to the user ID included in the ID notification request from the user information storage device, and includes the connection information (S) and data included in the received ID notification request. When the user verification information (V) is generated by a signature generation function using as an argument, and the generated user verification information (V) is compared with the user verification information (T) as the first signature and they match. The user ID included in the ID notification request is regarded as the user ID of the sender of the service request,
The service providing method according to claim 9. The user terminal encrypts information related to a service request by a method that can be decrypted by the service providing apparatus, and includes the ID in the ID notification request.
The host device includes information on the service request included in the received ID notification request in the ID notification,
The service providing apparatus that has received the ID notification decrypts information related to the service request included in the ID notification request;
The service providing method according to claim 9. The user terminal generates a third signature that enables signature verification by the service providing apparatus for data included in the ID notification request, and includes the third signature in the ID notification request.
The host device includes the third signature included in the received ID notification request in the ID notification,
The service providing apparatus that has received the ID notification verifies whether the third signature is correct, and verifies the validity of the ID notification based on the verification result;
The service providing method according to claim 9. Before the procedure of receiving the ID notification request, the user terminal transmits the service request, and the user terminal and the service providing device generate and share a key (K),
The service providing apparatus stores the key (K) in a storage unit,
In the procedure of transmitting the ID notification request, the user terminal encrypts information related to the service request using the key (K),
The service providing apparatus decrypts information related to the service request using the stored key (K);
The service providing method according to claim 11. Before the procedure of receiving the ID notification request, the user terminal transmits the service request, and the user terminal and the service providing device generate and share a key (K),
The service providing apparatus stores the key (K) in a storage unit,
The user terminal generates the third signature using the key (K) in the procedure of transmitting the ID notification request,
The service providing apparatus verifies the third signature using the stored key (K);
The service providing method according to claim 12. In the procedure of notifying the ID, the host device generates a second signature by the host device and includes the second signature in the ID notification.
The service providing apparatus that has received the ID notification verifies the second signature, and verifies the validity of the ID notification based on the verification result;
The service providing method according to claim 9. The host device generates the second signature from a secret key of an operator with the host device or the host layer,
The service providing apparatus verifies the second signature using a public key of the host apparatus;
The service providing method according to claim 15. The host device includes an authentication device that authenticates the user terminal and an ID notification device that performs ID notification processing.
Communication with the ID notification device with a user terminal that has not established a connection with the host device is blocked,
When the host device authenticates the user terminal device and establishes a connection with the user terminal device, the host device controls the transfer device so that communication between the user terminal and the ID notification is possible.
The service providing method according to claim 9. A user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure in which the host device establishes a connection with the user terminal and registers information related to the connection between the user terminal and the host device in the user information storage device;
A procedure in which the service providing device identifies the user terminal or the user from information related to the connection between the user terminal and the host device in cooperation with the user information storage device;
A procedure in which the service providing apparatus determines a service providing method or service providing availability based on the identification of the user or the user terminal; and
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid A service providing method that is executed. A user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
User verification information, which is information generated based on the connection information (S) or the connection information (S), which is set by the service providing apparatus by establishing communication between the host terminal and the user terminal from the user terminal Receiving a service request including (T);
The service providing device refers to the stored information in the user information storage device, and specifies the user ID of the transmission source of the service request from the connection information (S) or the user verification information (T);
A procedure in which the service providing apparatus determines whether to provide a service or a service providing method based on the identified user ID;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid A service providing method that is executed. The user verification information (T) is a first signature generated by the user terminal using the signature generation function and the data included in the service request and the connection information (S) as arguments, and is transmitted from the user terminal. The service request includes the user ID, the service providing device acquires connection information (S) corresponding to the user ID included in the service request from the user information storage device; User verification information (V) is generated by a signature generation function having the connection information (S) and data included in the received service request as arguments, and the generated user verification information (V) and the first signature are generated. And the user ID included in the service request is regarded as the user ID of the sender of the service request when they match. Succoth,
The service providing method according to claim 19. In the procedure in which the service providing device refers to the stored information in the user information storage device and identifies the user ID, the user information storage device generates a second signature by the user information storage device and generates a user ID, or The service providing apparatus that includes the message for notifying the connection information (S) and receiving the message for notifying the user ID or the connection information (S) verifies the second signature, 20. The service providing method according to claim 19, wherein the validity of the service providing request is verified based on a verification result. The user information storage device generates the second signature from the user information storage device or a private key of an operator of the user information storage device, and the service providing device uses the public key of the user information storage device. 22. The service providing method according to claim 21, wherein the second signature received is verified. A user terminal used when using a service provided via a communication network;
A host device for establishing a connection with the user terminal and holding the connection;
A user information storage device for storing a user ID for identifying the user terminal or a user who uses the user terminal, and connection information (S) relating to a connection between the user terminal and the host device;
A service providing method using a service providing system configured including a service providing apparatus that provides the service to the user terminal,
A procedure for the host device to authenticate the user terminal or user;
A procedure for the host device to establish a connection with the user terminal;
User verification information, which is information generated based on the connection information (S) or the connection information (S), which is set by the service providing apparatus by establishing communication between the host terminal and the user terminal from the user terminal A procedure of receiving an ID notification request including (T);
The service providing device refers to the stored information in the user information storage device, and specifies the user ID of the transmission source of the ID notification request from the connection information (S) or the user verification information (T);
A procedure in which the service providing apparatus determines whether to provide a service or a service providing method based on the identified user ID;
Including means for detecting the disconnection when the host device loses the connection between the user terminal and the host device and notifying the user information storage device that the authentication of the user ID is invalid A service providing method that is executed. The user verification information (T) is a first signature generated by the user terminal by using a signature generation function with the data included in the ID notification request and the connection information (S) as arguments. The transmitted ID notification request includes the user ID, and the service providing apparatus obtains connection information (S) corresponding to the user ID included in the ID notification request from the user information storage device. Obtaining and generating user verification information (V) by a signature generation function using as arguments the connection information (S) and the data included in the received ID notification request, and the generated user verification information (V) The user verification information (T) as the first signature is compared, and if they match, the user ID included in the ID notification request is regarded as the user ID of the sender of the service request. Succoth,
The service providing method according to claim 23. In the procedure in which the service providing device refers to the stored information in the user information storage device to identify the user ID, the user information storage device generates a second signature by the user information storage device and generates a user ID, or The service providing apparatus that includes the message for notifying the connection information (S) and receiving the message for notifying the user ID or the connection information (S) verifies the second signature, 24. The service providing method according to claim 23, wherein validity of the service providing apparatus is verified based on a verification result. The user information storage device generates the second signature from the user information storage device or a private key of an operator of the user information storage device, and the service providing device uses the public key of the user information storage device. 26. The service providing method according to claim 25, wherein the second signature received is verified. 27. A service use program used in the service providing method according to claim 1, wherein the service providing program includes: a user terminal established as a result of authentication; a host device; Session holding means for holding a connection between,
A service utilization means for transmitting a service request;
Authentication client means for authenticating with the host device,
Service use program to function as A service use program used in the service providing method according to any one of claims 1 to 26,
A service utilization program for causing a function to transmit an ID notification request to a host device. 27. A service providing program for use in the service providing method according to claim 1, wherein the service providing program uses the host device to identify a user ID from information related to connection with a user terminal. A user ID specifying means for specifying
Session registration means for registering in the user information storage device information characterizing the connection between the user terminal and the host device established as a result of authentication;
An authentication means for authenticating the user terminal;
Session holding means for holding a connection with the user terminal;
Service provision program to function as.   27. A service providing program used in the service providing method according to claim 18, wherein the service providing program includes a user terminal and a host device established as a result of authentication of the host device. Service for functioning as session registration means for registering information characterizing the connection to the user information storage device, authentication means for authenticating the user terminal, and session holding means for holding the connection with the user terminal Offer program. 27. A service providing program used in the service providing method according to claim 1, wherein the service providing program uses the service providing apparatus based on a user ID included in a service request. Service providing means for providing services to
Service providing method determining means for determining a service providing method based on a user ID included in the service request;
Service provision program to function as.   27. A service providing program for use in the service providing method according to claim 18, wherein the service providing program uses the information related to connection with a user terminal as a user. User ID specifying means for specifying ID, service providing means for providing service based on user ID included in service request, and service providing method for determining service providing method based on user ID included in service request A service providing program for functioning as a determination means. 27. A host device used in the service providing method according to any one of claims 1 to 26, wherein the host device includes user ID specifying means for specifying a user ID from information based on session information. ,
Session registration means for registering in the user information storage device information characterizing the connection between the user terminal and the host device established as a result of authentication;
An authentication means for authenticating the user terminal;
Session holding means for holding a connection with the user terminal;
A host device characterized by comprising:   27. A host device used in the service providing method according to claim 18, wherein the host device characterizes a connection between a user terminal established as a result of authentication and the host device. A host device comprising: session registration means for registering information in a user information storage device; authentication means for authenticating a user terminal; and session holding means for holding a connection with the user terminal.   The host device used in the service providing method according to claim 2, wherein the host device has a function of transferring a message to a relay device other than the destination terminal. A host device.   17. The host device used in the service providing method according to claim 9, wherein the host device has a function of transferring a message to a relay device other than the destination terminal. A host device.   The host device used in the service providing method according to claim 9, wherein the host device has an instant message transfer function. 27. A service providing apparatus used in the service providing method according to claim 1, wherein the service providing apparatus provides a service based on a user ID included in a service request. Providing means;
Service providing method determining means for determining a service providing method based on a user ID included in the service request;
A service providing apparatus comprising:   27. A service providing apparatus used in the service providing method according to claim 18, wherein the service providing apparatus specifies a user ID from information related to connection with a user terminal. ID specifying means, service providing means for providing a service based on a user ID included in the service request, and service providing method determining means for determining a service providing method based on the user ID included in the service request A service providing apparatus characterized by that.

Images