WO2022004894A1 - Transmission source terminal, communication system, communication method, and program - Google Patents

Transmission source terminal, communication system, communication method, and program Download PDF

Info

Publication number
WO2022004894A1
WO2022004894A1 PCT/JP2021/025226 JP2021025226W WO2022004894A1 WO 2022004894 A1 WO2022004894 A1 WO 2022004894A1 JP 2021025226 W JP2021025226 W JP 2021025226W WO 2022004894 A1 WO2022004894 A1 WO 2022004894A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
connection
peer
destination
network
Prior art date
Application number
PCT/JP2021/025226
Other languages
French (fr)
Japanese (ja)
Inventor
重明 白水
Original Assignee
株式会社Gdi
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社Gdi filed Critical 株式会社Gdi
Priority to JP2022522009A priority Critical patent/JP7128565B2/en
Publication of WO2022004894A1 publication Critical patent/WO2022004894A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/02Details
    • H04L12/22Arrangements for preventing the taking of data from a data transmission channel without authorisation

Definitions

  • the present invention relates to a source terminal, a communication system, a communication method, and a program, and particularly to a source terminal, a communication system, a communication method, and a program capable of realizing efficient communication.
  • peers By becoming a group owner that operates as an access point, one of a plurality of communication devices (peers) in an equal state connected to each other, instead of a specific server computer, becomes a communication device (peer) in the group.
  • peer-to-peer a communication method called peer-to-peer that enables communication between each other (see, for example, Patent Document 1).
  • the specification of Patent Document 1 the scope of claims, and the entire drawing shall be incorporated into this specification as a reference.
  • the present invention has been made to solve the above problems, and an object of the present invention is to provide a source terminal, a communication system, a communication method, and a program capable of realizing efficient communication.
  • the source terminal (2-1) is connected via the network (N), and a plurality of communications communicating in a peer-to-peer manner.
  • the communication terminal (2-1) that is the source of data among the terminals (2-m) and supports the establishment of a connection path between the communication terminals (2-m).
  • the connection route is directly connected to the destination terminal (2-2) which is the communication terminal (2-m) which is the transmission destination of the data.
  • the source terminal (2-1) After the establishment of the first connection path (R0), the source terminal (2-1) supports the support terminal (2-11) to establish the second connection path (R4 to R6).
  • the second connection path (R4 to R6) may be established by requesting via (N).
  • the source terminal (2-1) connects to the relay terminal (2-12, 2-13) via the network (N), and the transmission is made.
  • the second connection path (R4 to R6) may be established by requesting the connection with the destination terminal (2-2) via the network (N).
  • the communication terminal (2-m) connected via the first connection path (R0) is the transmission destination.
  • the reliability of being a terminal (2-2) is calculated, and the connection with the destination terminal (2-2) is made to the relay terminal (2-) on condition that the reliability is less than a predetermined threshold value. 12, 2-13) may be requested via the network (N).
  • the source terminal (2-1) is a connection request requesting a connection with the destination terminal (2-2), and includes the first connection request identification information for specifying the connection request.
  • the first connection request identification transmitted via the network (N) to the support terminal (2-11) and transmitted from the destination terminal (2-2) via the network (N).
  • the first connection request identification information received from the destination terminal (2-2) uses the connection information of the destination terminal (2-2) on condition that it matches the first connection request identification information transmitted to the support terminal (2-11).
  • the first connection path (R0) may be established by connecting to and via the network (N).
  • the source terminal (2-1) After establishing the first connection path (R0), the source terminal (2-1) connects to the relay terminal (2-12, 2-13) via the network (N), and the first connection terminal (2-1) is connected to the relay terminal (2-12, 2-13) via the network (N).
  • the second connection path (R4 to R6) is established by transmitting the connection request including the second connection request identification information different from the first connection request identification information via the network (N). May be good.
  • the source terminal (2-1) has the right to connect to the destination terminal (2-2) and the support terminal issuance information issued by the support terminal (2-11).
  • the connection request identification information may be generated, and the second connection request identification information may be generated from the right and the relay terminal issuance information issued by the relay terminal (2-12, 2-13). ..
  • the source terminal (2-1) registers the user of the source terminal (2-1) as the disposal right holder of the connection request table (5) for registering the first connection request identification information, and the first connection request identification information is registered. 1 After the connection route (R0) is established, the disposal right of the connection request table (5) can be changed by changing the disposal right holder of the connection request table (5) to the user of the support terminal (2-11). It may be transferred to the user of the support terminal (2-11).
  • the communication system (1) is a communication system including a plurality of communication terminals (2-m) connected via a network (N) and communicating in a peer-to-peer system.
  • the source terminal (2-1) which is the source of data among the plurality of communication terminals (2-m)
  • the destination terminal (2-2) which is the communication terminal (2-m)
  • the second connection route (2-2) which is the connection route for connecting to the destination terminal (2-2) via a relay terminal (2-4 to 2-6, 2-12, 2-13) different from 11). It is characterized by establishing R4 to R6, R12, R13).
  • the source terminal (2-1) is a destination terminal (2-2) transmitted from the destination terminal (2-2) via the network (N).
  • the connection information table (6) for registering the connection information of the destination terminal (2-2) is generated, and the above
  • the support terminal (2-11) is requested to support the establishment of the second connection route (R4 to R6) via the network (N), and the destination terminal (2-2) and the relay terminal (2-) are requested.
  • the relay terminal (2-4 to 2) transmitted from the support terminal (2-11) via the network (N).
  • the second connection path (R4 to R6) is used.
  • the support terminal (2-11) includes a first storage unit (22-11) that stores the connection information of the relay terminal (2-4 to 2-6), and the source terminal.
  • Connection with the destination terminal (2-2) in response to a request from (2-1) to support the establishment of the second connection path (R4 to R6) via the network (N). Is requested to the relay terminal (2-4 to 2-6) via the network (N), and the transmission destination terminal (2-2) and the relay terminal (2-4 to 2-6) are described.
  • connection information of the relay terminal (2-4 to 2-6) is transmitted to the source terminal (2-1) via the network (N), and the above is described.
  • the relay terminal (2-4 to 2-6) responds to the request for connection from the support terminal (2-11) to the destination terminal (2-2) via the network (N).
  • the connection information of the destination terminal (2-2) is acquired from the connection information table (6), and the connection information of the destination terminal (2-2) is used to obtain the connection information of the destination terminal (2-2).
  • the network (N) is
  • the source terminal (2-1) uses the source identification information for identifying the source terminal (2-1) and the destination terminal (2-2).
  • the source identification information and the destination identification information include a second storage unit (22-1) for storing the destination identification information for identification.
  • the connection information table (6) for registering the connection information of the destination terminal (2-2) in association with each other is generated, and the source identification information and the destination identification information are stored in the network ( By transmitting to the support terminal (2-11) via N), the support terminal (2-11) is requested to support the establishment of the second connection route (R4 to R6), and the support terminal (2-11) is requested.
  • the 2-11) responds to receiving the source identification information and the destination identification information transmitted from the source terminal (2-1) via the network (N).
  • the destination terminal (2-2) By transmitting the source identification information and the destination identification information to the relay terminal (2-4 to 2-6) via the network (N), the destination terminal (2-2)
  • the relay terminal (2-4 to 2-6) is requested to connect to the relay terminal (2-4 to 2-6), and the relay terminal (2-4 to 2-6) is connected to the support terminal (2-11) via the network (N).
  • the received source identification information and the destination identification information are each in the connection information table.
  • the destination terminal is used with the connection information of the destination terminal (2-2) on condition that the source identification information registered in (6) and the destination identification information match. (2-2) may be connected via the network (N).
  • the source terminal (2-1) is a second storage unit (22-) that stores connection information necessary for connection with the relay terminal (2-12, 2-13). 1) is included, and the connection information of the relay terminal (2-12, 2-13) is used to connect to the relay terminal (2-12, 2-13) via the network (N), and the transmission is performed.
  • the relay terminal (2-12, 2-13) is requested to connect to the destination terminal (2-2) via the network (N), and the relay terminal (2-12, 2-13) is said.
  • the network (N) from the source terminal (2-1) includes a fourth storage unit (2-12, 2-13) that stores connection information necessary for connecting to the destination terminal (2-2). In response to a request for connection to the destination terminal (2-2) via And the second connection path (R12, R13) may be established by connecting via the network (N).
  • the source terminal (2-1) is the communication terminal (2-1) connected via the first connection path (R0) after the establishment of the first connection path (R0).
  • the connection may be requested to the relay terminal (2-12, 2-13) via the network (N).
  • the relay terminal (2-12, 2-13) includes a first relay terminal (2-12) and a second relay terminal (2-13), and the transmission is made.
  • the original terminal (2-1) is connected to the first connection after establishing a second connection path (R12) to be connected to the destination terminal (2-2) via the first relay terminal (2-12).
  • the reliability that the communication terminal (2-m) connected via the route (R0) and the second connection route (R12) is the destination terminal (2-2) is calculated, and the reliability is calculated. Is requested to the second relay terminal (2-13) via the network (N) to connect to the destination terminal (2-2) on condition that is less than the predetermined threshold. You may.
  • the communication method according to the third aspect of the present invention is a communication method according to a third aspect of the present invention with a data source among a plurality of communication terminals (2-m) connected via a network (N) and communicating by a peer-to-peer method.
  • a support terminal (2-m) that is a communication method using a source terminal (2-1) and is a communication terminal (2-m) that supports the establishment of a connection path between the communication terminals (2-m).
  • the first connection route (R0) which is the connection route directly connected to the transmission destination terminal (2-2), which is the communication terminal (2-m) to which the data is transmitted, is established.
  • the relay terminal After the establishment of the first connection path (R0), the relay terminal (2-4 to 2-6, 2-12) different from the support terminal (2-11) among the communication terminals (2-m), It is characterized in that a second connection route (R4 to R6, R12, R13), which is the connection route for connecting to the transmission destination terminal (2-2) via 2-13), is established.
  • the program according to the fourth aspect of the present invention is connected via a network (N) and is a source of data among a plurality of communication terminals (2-m) that communicate in a peer-to-peer manner.
  • the present invention it is possible to provide a source terminal, a communication system, a communication method, and a program capable of realizing efficient communication.
  • FIG. 1 It is a figure which shows the configuration example of the three-point authentication system which concerns on this embodiment. It is a block diagram which shows the configuration example of a communication terminal. It is a conceptual diagram of the P2P type network which concerns on this embodiment. It is a figure which shows the configuration example of a seed table.
  • (A) is a diagram showing a configuration example of a token table before using a token
  • (b) is a diagram showing a configuration example of a token table after using a token according to the present embodiment.
  • the present invention was invented based on the following technical ideas.
  • the present inventor has invented a communication system that logically establishes a plurality of connection paths on an overlay network in which a logical layer exists in a peer-to-peer system.
  • layer 2 data link layer
  • lower communication standards such as LTE (Long Term Evolution) and Wi-Fi (Wireless Fidelity).
  • peerers communication terminals constituting the (P2P) type network by software without depending on hardware. Therefore, the present inventor has invented a multi-factor three-point authentication routing system according to the present invention in order to solve such a problem and realize efficient communication.
  • FIG. 1 is a block diagram showing a configuration example of a three-point authentication system according to this embodiment.
  • the three-point authentication system 1 includes a plurality of communication terminals 2-m (m is a natural number).
  • the plurality of communication terminals 2-m are connected to each other so as to be able to communicate with each other via a network N such as the Internet, and communicate by a peer-to-peer method.
  • a communication terminal that communicates by a common procedure is called a peer.
  • the communication terminal 2-m for understanding the procedure of the present invention is a peer, and a plurality of communication terminals 2-m (peers) constitute a peer-to-peer (P2P) type network.
  • P2P peer-to-peer
  • the three-point authentication system 1 uses a distributed ledger technology such as a block chain composed of a plurality of communication terminals (peers) 2-m on the network N and a distributed hash table (DHT) to obtain data.
  • a distributed ledger technology such as a block chain composed of a plurality of communication terminals (peers) 2-m on the network N and a distributed hash table (DHT) to obtain data.
  • a shared ledger 20 for distributed management is provided.
  • the communication terminal (peer) 2-m is a CPU (Central Processing Unit) having an IP (Internet Protocol) communication function for, for example, a general-purpose personal computer, a general-purpose server computer, a tablet computer, a smartphone, and a digital home electric appliance. It consists of equipped smart devices and the like.
  • CPU Central Processing Unit
  • IP Internet Protocol
  • FIG. 2 is a block diagram showing a configuration example of a communication terminal.
  • the communication terminal (peer) 2-m includes a communication unit 21-m, a storage unit 22-m, and a control unit 23-m, respectively, which are via a bus or the like. Be connected.
  • the communication unit 21-m is composed of, for example, a wireless communication device or the like.
  • the communication unit 21-m transmits / receives data to / from another communication terminal (peer) 2-m via the network N by the P2P communication method.
  • the storage unit 22-m is composed of, for example, a non-volatile memory such as a general-purpose flash memory.
  • the storage unit 22-m holds (stores) a user ID (Identification) for identifying a user of the communication terminal (peer) 2-m.
  • the user ID is composed of, for example, 32 bytes of binary data.
  • the control unit 23-m is composed of, for example, a CPU, a ROM (ReadOnlyMemory), a RAM (RandomAccessMemory), and the like.
  • the CPU uses the RAM as a work memory, and controls various operations of the communication terminal (peer) 2-m by appropriately executing a program or the like stored in the ROM and the storage unit 22.
  • FIG. 3 is a conceptual diagram of a P2P type network according to this embodiment.
  • the communication terminal (peer) 2-m includes a communication terminal (hereinafter referred to as "source peer (source terminal)”) 2-1 that is a source of data and data transmission.
  • a seed issuing peer that issues a seed that is the right to connect to the destination communication terminal (hereinafter referred to as “destination peer (destination terminal)”) 2-2 and the destination terminal 2-2 (hereinafter referred to as “destination peer”).
  • a communication terminal having an authentication function, a connection function, and a routing function between the source peer 2-1 and the destination peer 2-2 hereeinafter referred to as “seed issuing peer" (hereinafter, "authentication peer (support terminal)").
  • relay peer Three communication terminals that relay data communication between 2-11, source peer 2-1 and destination peer 2-2 (hereinafter referred to as“ relay peer (relay terminal) ”) 2 -4 to 2-6 and so on.
  • the number of relay peers is not limited to "3" and is arbitrary.
  • the source peer 2-1 is a user ID of the source peer 2-1 (source identification information for identifying the source peer 2-1) and a user ID of the destination peer 2-2 (destination peer 2-). Destination identification information for identifying 2), connection information such as the IP address required to connect to the source peer 2-1 and the authentication peer that is the parent (group owner) of the connection group to which the user belongs, which will be described later.
  • the connection information necessary for connecting to 2-11 is stored (stored) in the storage unit (second storage unit) 22-1.
  • the source peer 2-1 does not hold the connection information of the destination peer 2-2 in the storage unit 22-1.
  • the source peer 2-1 authenticates the destination peer 2-2 from the seed purchased and issued from the seed issuing peer 2-3, and the source peer 2-1 and the destination peer 2 -Generate tokens (first and second connection request identification information) for improving the validity and efficiency of connection and routing with -2.
  • the "first and second connection request identification information" according to the present invention is not limited to the token itself, but is the authentication of the communication terminal 2-m and the connection path between the communication terminals 2-m. Any digital data that can be used for establishment and multiplexing is arbitrary, and may be, for example, a hash value of a token.
  • the source peer 2-1 uses the token to authenticate the destination peer 2-2, and establishes and multiplexes a plurality of connection routes with the destination peer 2-2 to multiplex the destination peer 2. -Data can be efficiently communicated with -2.
  • the destination peer 2-2 has connection information such as the user IDs of the source peer 2-1 and the destination peer 2-2, the IP address necessary for connecting to the destination peer 2-2, and the connection to which the user belongs.
  • the connection information required for connection with the authentication peer 2-11, which is the parent (group owner) of the group, is stored (stored) in the storage unit (third storage unit) 22-2.
  • the destination peer 2-2 does not hold the connection information of the source peer 2-1 in the storage unit 22-2.
  • the seed issuing peer 2-3 provides a seed table for registering information regarding the seed issued by the seed issuing peer 2-3 in the storage unit 23-2.
  • FIG. 4 is a diagram showing a configuration example of a seed table.
  • the seed table 4 is encrypted by using the hash value of the seed and the dedicated encryption key (hereinafter referred to as “seed-only key”) for each seed issued by the seed issuing peer 2-3.
  • seed-only key the dedicated encryption key
  • the converted seed (hereinafter referred to as “encrypted seed”) and the expiration date of the seed are registered in association with each other.
  • the authentication peer 2-11 shown in FIG. 3 is a connection group to which the communication terminals (peers) 2-m such as the source peer 2-1 and the destination peer 2-2 and the relay peers 2-4 to 2-6 belong. Is the parent (group owner) of this connection group.
  • the authentication peer 2-11 authenticates the communication terminal (peer) 2-m belonging to its own connection group, and supports the establishment of a connection route between the communication terminals (peer) 2-m.
  • the authentication peer 2-11 stores (first storage) a graph database that registers (stores) the user ID of the communication terminal (peer) 2-m belonging to its own connection group and the connection information in association with each other. ) Prepare for 2-11.
  • the control unit 23-11 of the authentication peer 2-11 occasionally sends a heartbeat to the communication terminal (peer) 2-m belonging to its own connection group, and the communication terminal (peer) belonging to its own connection group. Acquire the 2-m user ID and connection information and register them in the graph database. With such a graph database, the authentication peer 2-11 maintains and manages the graph relationship that the communication terminal (peer) 2-m belongs to the connection group of the authentication peer 2-11. Further, the graph database stores the reliability and connectivity evaluation of the communication terminal (peer) 2-m belonging to the connection group of the authentication peer 2-11.
  • the source peer 2-1 and the destination peer 2-2, and the relay peers 2-4 to 2-6 all belong to the connection group of the authentication peer 2-11.
  • the source peer 2-1 belongs to the connection group of the authentication peer 2-11
  • the destination peer 2-2 is the authentication peer 2-11. It maintains and manages the graph relationship that it belongs to the connection group and (3) the relay peers 2-4 to 2-6 belong to the connection group of the authentication peer 2-11.
  • the graph database included in the storage unit (first storage unit) 2-11 according to the present embodiment includes the source peer 2-1 and the destination peer 2-2, and the relay peers 2-4 to 2-6. The user ID of the user and the connection information are registered (stored) in association with each other.
  • the relay peers 2-4 to 2-6 store their own user IDs and the connection information necessary for connecting to the authentication peer 2-11, which is the parent (group owner) of the connection group to which they belong. Hold (remember) at 22-6. On the other hand, the relay peers 2-4 to 2-6 do not hold the connection information of the source peer 2-1 and the destination peer 2-2 in the storage units 22-4 to 22-6.
  • the shared ledger 20 shown in FIG. 1 is a mechanism for proving the authenticity that the seed is issued to an appropriate source peer 2-1 or a user, rather than simply consisting of one server computer. , Resistant to accidents.
  • the shared ledger 20 multiplexes the token table (connection request table) for registering information about the token generated by the source peer 2-1 and the route between the source peer 2-1 and the destination peer 2-2. It is provided with a connection information table used when the operation is performed.
  • FIG. 5A is a diagram showing a configuration example of a token table before using a token
  • FIG. 5B is a diagram showing a configuration example of a token table after using a token according to the present embodiment.
  • the token table 5 shows the token, the hash value of the seed used as the basis for generating the token, the expiration date of the seed, and the user of the issuer of the token.
  • the ID (“user ID of source peer 2-1” in this embodiment) and the user ID of the current disposal right holder in the token table 5 are registered in association with each other.
  • the disposal right of the token table 5 means the right to edit or delete the data of the token table 5.
  • the direct route (first) shown in FIG. 3 in which the source peer 2-1 directly connects the source peer 2-1 and the destination peer 2-2 using a token As shown in FIG. 5 (a), the direct route (first) shown in FIG. 3 in which the source peer 2-1 directly connects the source peer 2-1 and the destination peer 2-2 using a token. Before the connection route) R0 is established, the user ID of the source peer 2-1 which is the issuer of the token is registered in the token table 5 as the user ID of the disposal right holder of the token table 5.
  • the direct route R0 is established as the user ID of the disposal right holder of the token table 5.
  • the user ID of the contributing authentication peer 2-11 is registered in the token table 5.
  • FIG. 6 is a diagram showing a configuration example of the connection information table.
  • the connection information table 6 contains a token, a user ID of a communication terminal (peer) 2-m (“source peer 2-1” in the present embodiment) that is a source of data, and data.
  • the user ID and connection information of the communication terminal (peer) 2-m (“destination peer 2-2” in this embodiment) to be the destination of the call are registered in association with each other.
  • the three-point authentication system 1 executes the seed issuance process.
  • FIG. 7 is a flowchart showing the details of the seed issuance process.
  • the control unit 23-1 of the source peer 2-1 makes a seed issuance request from the communication unit 21-1 via the network N to the seed issuance peer. It is transmitted to 2-3 (step S701).
  • the seed issuance request includes the user ID of the source peer 2-1 and the like.
  • the control unit 23-3 of the seed issuing peer 2-3 responds to the communication unit 21-3 receiving the seed issuing request transmitted from the source peer 2-1 via the network N (step S702). , Issuing a seed and a seed-only key (step S703).
  • control unit 23-3 of the seed issuing peer 2-3 calculates the hash value of the seed (step S704).
  • control unit 23-3 of the seed issuing peer 2-3 uses the seed-only key to encrypt the seed and generate an encrypted seed (step S705).
  • control unit 23-3 of the seed issuing peer 2-3 generates a seed table 4 in the storage unit 22-3 to register the hash value of the seed and the encrypted seed in association with each other (step S706).
  • control unit 23-3 of the seed issuing peer 2-3 transmits the hash value of the seed and the seed-dedicated key from the communication unit 21-3 to the source peer 2-1 via the network N (step S707).
  • the control unit 23-1 of the source peer 2-1 receives the hash value of the seed and the seed-only key transmitted from the seed issuing peer 2-3 via the network N in the communication unit 21-1 (step S708). ), After saving in the storage unit 22-1 (step S709), the seed issuance process is terminated.
  • the three-point authentication system 1 executes the three-point authentication process (communication method). ..
  • the control unit 23-1 of the source peer 2-1 uses the connection information of the authentication peer 2-11 stored in the storage unit 22-1 to be used. It is communicably connected to the authentication peer 2-11 via the network N (step S801 shown in FIG. 8).
  • the control unit 23-1 of the source peer 2-1 authenticates the first connection inquiry asking whether the connection with the destination peer 2-2 is possible from the communication unit 21-1 via the network N. It is transmitted to peer 2-11 (step S802).
  • the first connection inquiry includes the user IDs of the source peer 2-1 and the destination peer 2-2.
  • the control unit 23-11 of the authentication peer 2-11 responds to the reception of the first connection inquiry transmitted from the source peer 2-1 via the network N by the communication unit 21-11 (step S803). , Whether or not the destination peer 2-2 can be authenticated is determined based on whether or not the user ID of the destination peer 2-2 included in the first connection inquiry is registered in the graph database (step S804).
  • step S804 When the control unit 23-11 of the authentication peer 2-11 determines that the user ID of the destination peer 2-2 is not registered in the graph database and the authentication of the destination peer 2-2 is impossible (step). S804; No), by transmitting the first connection inquiry from the communication unit 21-11 to another authentication peer via the network N, the authentication of the destination peer 2-2 is outsourced to the other authentication peer (step S805). ). The other authentication peer performs the same processing as the authentication peer 2-11 in response to receiving the authentication inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit.
  • Step S804 when the control unit 23-11 of the authentication peer 2-11 determines that the user ID of the destination peer 2-2 is registered in the graph database and the destination peer 2-2 can be authenticated (). Step S804; Yes), the authentication serial ID (support terminal issuance information) is issued (step S806).
  • the control unit 23-11 of the authentication peer 2-11 makes a second connection inquiry asking whether or not the connection with the source peer 2-1 is possible from the communication unit 21-11 via the network N, and the user ID. It is transmitted to the destination peer 2-2 specified from (step S807 shown in FIG. 9).
  • the second connection inquiry includes an authentication serial ID and the like.
  • the control unit 23-2 of the destination peer 2-2 responds to the reception of the second connection inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit 21-2 (step S808).
  • the answer as to whether or not the connection with the source peer 2-1 is possible (hereinafter referred to as "the answer as to whether or not the second connection is possible") is transmitted from the communication unit 21-2 to the authentication peer 2-11 via the network N. (Step S809).
  • the answer as to whether or not the connection with the source peer 2-1 is possible includes the authentication serial ID and the like.
  • the control unit 23-11 of the authentication peer 2-11 gives a second connection response that the connection with the source peer 2-1 transmitted from the destination peer 2-2 via the network N is possible.
  • the destination peer 2-2 is used as an answer as to whether or not the connection with the destination peer 2-2 is possible (hereinafter referred to as "first connection answer").
  • the first connection answer that the connection with is possible is transmitted from the communication unit 21-11 to the source peer 2-1 via the network N (step S811).
  • the first connection response includes an authentication serial ID and the like.
  • the control unit 23-1 of the source peer 2-1 gives the first connection response that the connection with the destination peer 2-2 transmitted from the authentication peer 2-11 via the network N is possible in the communication unit 21-.
  • the encrypted seed corresponding to the hash value of the seed stored in the storage unit 22-1 and the expiration date of the seed are set from the communication unit 21-1 to the network N. Obtained from the seed table 4 of the seed issuing peer 2-3 via the seed table 4 (step S813).
  • control unit 23-1 of the source peer 2-1 uses the seed-only key to decrypt the seed issued by the seed issuing peer 2-3 from the encrypted seed acquired from the seed issuing peer 2-3. (Step S814 shown in FIG. 10).
  • control unit 23-1 of the source peer 2-1 issues (generates) a token consisting of a hash value of the seed and the authentication serial ID from the seed and the authentication serial ID (step S815).
  • the token is attached to a communication packet when communicating data with the authentication peer 2-11.
  • the control unit 23-1 of the source peer 2-1 includes the token, the hash value of the seed used as the base when the token is generated, and the user ID of the source peer 2-1 as the issuer of the token.
  • the token table 5 shown in FIG. 5A which registers the expiration date of the seed and the user ID of the source peer 2-1 as the disposal right holder of the token table 5 in association with each other, is registered from the communication unit 21-1. Generated in the shared ledger 20 via the network N (step S816).
  • the control unit 23-1 of the source peer 2-1 transmits a connection request requesting a connection with the destination peer 2-2 from the communication unit 21-1 to the authentication peer 2-11 via the network N.
  • the connection request includes the hash value of the token and the seed.
  • the token included in the connection request becomes the connection request identification information for specifying the connection request.
  • the source peer 2-1 directly connects the source peer 2-1 and the destination peer 2-2 to the authentication peer 2-11 as shown in FIG. 3 (first connection route). Request support for the establishment of R0 via network N.
  • the control unit 23-11 of the authentication peer 2-11 responds to the reception of the connection request transmitted from the source peer 2-1 via the network N by the communication unit 21-11 (step S818), and connects.
  • the user ID of the issuer of the token corresponding to the hash value of the seed included in the request and the expiration date of the seed are acquired from the communication unit 21-11 via the network N from the token table 5 of the shared ledger 20 (step S819). ..
  • control unit 23-11 of the authentication peer 2-11 determines whether or not the user ID of the issuer of the token matches the user ID of the sender peer 2-1 included in the authentication inquiry, and within the expiration date of the seed. By determining whether or not it is, the authenticity of the token included in the connection request is confirmed (step S820).
  • the control unit 23-11 of the authentication peer 2-11 uses the connection information of the destination peer 2-2 stored in the storage unit 22-11 to connect the destination peer 2-2 and the network N.
  • the alternative route (secondary route) R11 shown in FIG. 3 via the authentication peer 2-11 is established by connecting to the communication via the communication peer (step S821).
  • control unit 23-11 of the authentication peer 2-11 transmits the token and the connection information of the source peer 2-1 from the communication unit 21-11 to the source peer 2-2 via the network N (FIG. 11). Step S822).
  • the control unit 23-2 of the destination peer 2-2 receives the token transmitted from the authentication peer 2-11 via the network N and the connection information of the source peer 2-1 in the communication unit 21-2. In response (step S823), using the connection information of the source peer 2-1, the token and the connection information of the destination peer 2-2 are transmitted from the communication unit 21-2 via the network N to the source peer 2-1. (Step S824).
  • the control unit 23-1 of the source peer 2-1 has received the connection information and token of the destination peer 2-2 transmitted from the destination peer 2-2 via the network N in the communication unit 21-1.
  • the authenticity of the token is determined by determining whether or not the token received from the destination peer 2-2 matches the token generated by itself and transmitted to the authentication peer 2-11. Confirm the sex (step S826).
  • the source peer 2-1 uses the token to authenticate that the communication terminal 2-m connected via the alternative route (secondary route) R11 is the destination peer 2-2. conduct.
  • the control unit 23-1 of the source peer 2-1 After confirming the authenticity, that is, on condition that the token received from the destination peer 2-2 matches the token transmitted to the authentication peer 2-11, the control unit 23-1 of the source peer 2-1 makes a call. Using the connection information of the destination peer 2-2, the direct route R0 shown in FIG. 3 that directly connects the source peer 2-1 and the destination peer 2-2 is established (step S827). As a result, the authentication of the destination peer 2-2 by the source peer 2-1 using the token and the direct connection between the source peer 2-1 and the destination peer 2-2 are realized.
  • the control unit 23-1 of the source peer 2-1 sets the user ID of the disposal right holder of the token table 5 from the communication unit 21-1 via the network N.
  • the right to dispose of the token table 5 is given by the user of the source peer 2-1 to the authentication peer 2-11.
  • Step S828 shown in FIG. 12 The user of the authentication peer 2-11 who has acquired the disposal right of the token table 5 can edit or delete the data of the token table 5.
  • the user of the authentication peer 2-11 who has acquired the disposal right of the token table 5 obtains a new seed or the like from the seed issuing peer 2-3 in exchange for the data of the token table 5 via the external system of the network N. Can be obtained. Since the data that can be acquired in exchange for the data in the token table 5 is an external system of network N, it is not limited to the seed, and is arbitrary as long as it can be used to enjoy some network service. Is.
  • control unit 23-1 of the source peer 2-1 reports from the communication unit 21-1 to the authentication peer 2-11 via the network N that the transfer of the disposal right of the token table 5 is completed (). Step S829).
  • control unit 23-1 of the source peer 2-1 includes a token, a user ID of the source peer 2-1 as a communication terminal (peer) 2-m that is a source of data, and a data transmission destination.
  • the connection information table 6 for registering the user ID and connection information of the destination peer 2-2 in association with each other as the communication terminal (peer) 2-m is registered from the communication unit 21-1 via the network N in the shared ledger 20. (Step S830).
  • the control unit 23-1 of the source peer 2-1 makes an authentication peer from the communication unit 21-1 via the network N to request the multiplexing requesting the multiplexing of the connection path with the destination peer 2-2. It is transmitted to 2-11 (step S831).
  • the multiplexing request includes tokens, user IDs of source peer 2-1 and destination peer 2-2, and the like.
  • the source peer 2-1 connects the source peer 2-1 and the destination peer 2-2 to the authentication peer 2-11 via the relay peers 2-4 to 2-6.
  • the control unit 23-11 of the authentication peer 2-11 responds to the communication unit 21-11 receiving the multiplexing request transmitted from the source peer 2-1 via the network N (step S832).
  • a relay request for relaying data communication between the source peer 2-1 and the destination peer 2-2 is transmitted from the communication unit 21-11 to the relay peers 2-4 to 2-6 via the network N. (Step S833).
  • the relay request includes the token and the user IDs of the source peer 2-1 and the destination peer 2-2.
  • the control units 23-4 to 23-6 of the relay peers 2-4 to 2-6 receive the relay request transmitted from the authentication peer 2-11 via the network N by the communication units 21-4 to 21-6, respectively.
  • the user ID of the communication terminal (peer) 2-m which is the source of the data corresponding to the token included in the relay request, and the communication terminal (peer), which is the destination of the data.
  • the 2-m user ID and connection information are acquired from the connection information table 6 of the shared ledger 20 from the communication units 21-4 to 21-6 via the network N (step S835 shown in FIG. 13).
  • the control units 23-4 to 23-6 of the relay peers 2-4 to 2-6 are the sources of the data acquired from the connection information table 6 by the user ID of the source peer 2-1 included in the relay request, respectively. Whether or not it matches the user ID of the communication terminal (peer) 2-m, and whether or not the user ID of the destination peer 2-2 matches the user ID of the communication terminal (peer) 2-m to which the data is transmitted. By determining whether or not it is, the authenticity of the token is confirmed (step S836).
  • the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 received from the authentication peer 2-11 are the source of the data acquired from the connection information table 6, respectively.
  • Units 23-4 to 23-6 are connected to the destination peer 2-2 via the network N so as to be able to communicate with each other by using the connection information of the destination peer 2-2 (step S837).
  • the relay peers 2-4 to 2-6 send a connection completion report from the communication unit 21-4 to 21-6 via the network N to report that the connection with the destination peer 2-2 is completed, respectively. It is transmitted to the authentication peer 2-11 (step S838).
  • the control unit 23-11 of the authentication peer 2-11 responds to the communication unit 21-11 receiving the connection completion report transmitted from the relay peers 2-4 to 2-6 via the network N, respectively.
  • a data transmission request requesting transmission of data to the relay peers 2-4 to 2-6 is transmitted from the communication unit 21-11 to the source peer 2-1 via the network N (step S839).
  • the data transmission request includes the user IDs of the relay peers 2-4 to 2-6, connection information, and the like.
  • the control unit 23-1 of the source peer 2-1 responds to the reception of the data transmission request transmitted from the authentication peer 2-11 via the network N by the communication unit 21-1 (step S841).
  • the relay peer 2-4 By using the connection information of the relay peers 2-4 to 2-6 included in the data transmission request to connect to the relay peers 2-4 to 2-6 via the network N so as to be communicable, the relay peer 2-4
  • the alternative routes (secondary routes) R4 to R6 shown in FIG. 3 via ⁇ 2-6 are established (step S842 shown in FIG. 14).
  • multiplexing of the connection route between the source peer 2-1 and the destination peer 2-2 using the token is realized.
  • control unit 23-1 of the source peer 2-1 receives data from the communication unit 21-1 with the destination peer 2-2 via the direct route R0, the alternative route (sub route) R4 to R6, and R11. After the communication is started (step S843), the three-point authentication process is terminated.
  • the three-point authentication system 1 includes a plurality of communication terminals (peers) 2-m that are connected via the network N and communicate in a peer-to-peer manner.
  • the plurality of communication terminals (peers) 2-m are located between the source peer 2-1 that is the source of data, the destination peer 2-2 that is the destination of data, and the communication terminal (peer) 2-m. It comprises an authentication peer 2-11, which assists in establishing a connection path.
  • the source peer 2-1 identifies the user ID of the source peer 2-1 which is the source identification information for identifying the source peer 2-1 and the destination identification for identifying the destination peer 2-2.
  • Includes a second storage unit 22-1 that stores the user ID of the destination peer 2-2, which is information.
  • the destination peer 2-2 includes a storage unit 22-2 that stores connection information necessary for connection with the destination peer 2-2.
  • the authentication peer 2-11 includes a storage unit 22-11 that stores connection information necessary for connecting to the source peer 2-1 and connection information necessary for connecting to the relay peers 2-4 to 2-6. ..
  • the source peer 2-1 establishes a direct route R0 which is a connection route directly connected to the destination peer 2-2 with the support of the authentication peer 2-11, and after the establishment of the direct route R0, An alternative route (sub-route) R4 to R6 that connects the authentication peer 2-11 to the destination peer 2-2 via the relay peers 2-4 to 2-6 different from the authentication peer 2-11.
  • a direct route R0 which is a connection route directly connected to the destination peer 2-2 with the support of the authentication peer 2-11
  • An alternative route (sub-route) R4 to R6 that connects the authentication peer 2-11 to the destination peer 2-2 via the relay peers 2-4 to 2-6 different from the authentication peer 2-11.
  • the source peer 2-1 identifies the connection request from the seed, which is the right to connect to the destination terminal 2-2, and the authentication serial ID issued by the authentication peer 2-11. Generate a token for.
  • the source peer 2-1 registers the user of the source peer 2-1 as the disposal right holder of the token table 5 for registering the token.
  • the source peer 2-1 is a connection request requesting a connection with the destination peer 2-2, and transmits the connection request including the token to the authentication peer 2-11 via the network N. Further, the source peer 2-1 responds to receiving the token transmitted from the destination peer 2-2 via the network N and the connection information necessary for connecting to the destination peer 2-2.
  • the source peer 2-1 receives the user ID of the source peer 2-1, the user ID of the destination peer 2-2, and the connection information of the destination peer 2-2. Generate a connection information table 6 to be registered in association with each other. Then, the source peer 2-1 is authenticated by transmitting the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 to the authentication peer 2-11 via the network N. Request peers 2-11 to support the establishment of alternative routes (secondary routes) R4 to R6 via the network N.
  • the authentication peer 2-11 receives the user ID of the source peer 2-1 transmitted from the source peer 2-1 via the network N and the user ID of the destination peer 2-2, and substitutes the user ID.
  • the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 are transmitted via the network N.
  • the relay peers 2-4 to 2-6 are requested to connect to the transmission destination peer 2-2 via the network N.
  • the relay peers 2-4 to 2-6 receive the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 transmitted from the authentication peer 2-11 via the network N. Then, in response to the request for connection with the destination peer 2-2, the connection information of the destination peer 2-2 is acquired from the connection information table 6. Then, in the relay peers 2-4 to 2-6, the user ID of the received source peer 2-1 and the user ID of the destination peer 2-2 are registered in the connection information table 6, respectively. The destination terminal 2-2 and the network N are used using the connection information of the destination peer 2-2 on condition that the user ID of the peer 2-1 and the user ID of the destination peer 2-2 are matched. Connect via.
  • the authentication peer 2-11 transfers the connection information of the relay terminals 2-4 to 2-6 to the network N after the transmission destination peer 2-2 and the relay peers 2-4 to 2-6 are connected via the network N. It is transmitted to the source peer 2-1 via.
  • the source peer 2-1 uses the connection information necessary for connecting to the relay peers 2-4 to 2-6 transmitted from the authentication peer 2-11 via the network N, and the relay peers 2-4-2 are used. By connecting to -6 via the network N, alternative routes (secondary routes) R4 to R6 are established.
  • the three-point authentication system 1 calculates the authentication peer 2-11 by authenticating the destination peer 2-2 in order to logically connect using the token. The amount can be reduced, and the authentication of the destination peer 2-2 can be speeded up and made highly efficient. Further, since the three-point authentication system 1 can logically multiplex the connection path (logical path) by software without depending on the hardware as in the conventional case, it is possible to solve problems such as cost. can. Further, since the authentication peer 2-11 can outsource the routing to the relay peers 2-4 to 2-6 by using the token, the three-point authentication system 1 puts the load of the routing work on the authentication peer 2. It can be distributed to a plurality of communication terminals 2-m such as -11 and relay peers 2-4 to 2-6.
  • the three-point authentication system 1 multiplexes the connection path between the source peer 2-1 and the destination peer 2-2, divides the data using an algorithm such as secret sharing, and delivers non-duplicate communication packets. By doing so, it is possible to prevent the entire data from being leaked even if any of the connection paths is hacked, and to conceal the contents of the data. Further, the three-point authentication system 1 can substantially prevent data leakage by subdividing the connection path or transmitting data concealed by exclusive OR (XOR). In addition, the three-point authentication system 1 divides the data according to the number of connection routes, adds a serial number, and distributes the data, so that the data can be transmitted with high efficiency, so that the communication speed of the data can be increased. Can be done.
  • XOR exclusive OR
  • the three-point authentication system 1 can avoid a bottleneck due to a specific connection route by delivering the same communication packet to a plurality of connection routes. Further, the three-point authentication system 1 distributes the same communication packet to a plurality of connection paths to improve the connection availability between the source peer 2-1 and the source peer 2-2, thereby making any connection. It is robust because it can be retransmitted via another connection route even if the route fails.
  • the three-point authentication system 1 can realize efficient communication.
  • a graph database can be formed by communication between communication terminals (peers) 2-m.
  • the three-point authentication system 1 can improve the efficiency of authentication, connection, and routing between the source peer 2-1 and the destination peer 2-2 by using the token.
  • the three-point authentication system 1 quantifies and evaluates the contribution of the authentication peer 2-11 and the relay peers 2-4 to 2-6 to the network by using the disposal right of the token table 5 as an incentive. It can generate incentives and raise awareness of participation.
  • the three-point authentication system 1 can improve the network performance and the availability by increasing and maintaining the peer density by the participation of a large number of communication terminals (peers) 2-m.
  • connection function and the routing function between the source peer 2-1 and the source peer 2-2 which have been conventionally implemented by the server computer, are streamlined by the token and replaced by the communication terminal (peer) 2-m. As a result, it is possible to dramatically improve end-to-end security and distribution efficiency by multiplexing connection routes.
  • the three-point authentication system 1 can realize efficient communication.
  • the source peer 2-1 requests the authentication peer 2-11 to multiplex the connection route with the destination peer 2-2, and the authentication peer 2-11 is the source peer 2-1.
  • the connection path between the source peer 2-1 and the destination peer 2-2 is multiplexed.
  • the present invention is not limited to this, and the source peer 2-1 transmits a first connection inquiry asking whether or not the connection with the destination peer 2-2 is possible to a plurality of authentication peers. By doing so, the connection path between the source peer 2-1 and the destination peer 2-2 may be multiplexed.
  • FIG. 15 is a conceptual diagram of a P2P type network according to this modified example.
  • the same components as those of the three-point authentication system 1 according to the above embodiment are designated by the same reference numerals, and the description thereof will be omitted.
  • the communication terminal (peer) 2-m includes a source peer 2-1, a destination peer 2-2, a seed issuing peer 2-3, an authentication peer 2-11 to 2-13, and the like.
  • Multiple authentication peers 2- (10 + n) (n is a natural number) are included.
  • the authentication peers 2- (10 + n) (n ⁇ 2) such as the authentication peers 2-12 and 2-13 function as the relay peer (“relay terminal” in the present invention) in the above embodiment.
  • the source peer 2-1 holds (stores) the user IDs of the source peer 2-1 and the destination peer 2-2 in the storage unit 22-1. Further, the source peer 2-1 belongs to a plurality of connection groups, and holds the connection information necessary for connection with the plurality of authentication peers (support terminal and relay terminal) 2- (10 + n) in the storage unit 22-1 (the storage unit 22-1).
  • the control unit 23-1 of the source peer 2-1 directly routes R0 and the alternative route (sub route) R (10 + n) according to the formula shown in Equation 1 below.
  • Quantitative evaluation value fi i is the depth of multiple factors (alternative route (secondary route) R (10 + n)) for the reliability that the communication terminal 2-m connected via) is the destination peer 2-2.
  • Number is calculated.
  • Cn is a constant (reliability constant) evaluated and quantified by a third party (P2P network) for the reliability of the authentication peer 2- (10 + n).
  • Dn is a confidence constant for the destination peer 2-2 of the authentication peer 2- (10 + n).
  • These reliability constants Cn and Dn are represented by numerical values of "0" to "1", and the larger the numerical value, the higher the reliability.
  • the quantitative evaluation value fi is improved by adding an alternative route (secondary route) R (10 + n) (n ⁇ 2) and multiplexing the connection route between the source peer 2-1 and the destination peer 2-2. do.
  • Authentication peer 2- (10 + n) has an authentication function, a connection function, and a routing function between the source peer 2-1 and the destination peer 2-2.
  • the authentication peer 2- (10 + n) stores a graph database in which the user IDs of the source peer 2-1 and the destination peer 2-2 and the connection information are registered in association with each other, respectively, in the storage unit 2- (10 + n) (fourth storage). Part).
  • the authentication peer 2- (10 + n) holds (stores) the confidence constants Cn and Dn in the storage unit 2- (10 + n).
  • the reliability constants Cn and Dn are notified from the communication unit 21- (10 + n) to the source peer 2-1 via the network N.
  • the product of the reliability constant Cn and the reliability constant Dn calculated in advance may be notified to the source peer 2-1.
  • 16 to 19 are flowcharts showing the details of the three-point authentication process according to this modification.
  • the control unit 23-1 of the source peer 2-1 is set to the authentication peer 2- (10 + n).
  • the confidence constant Dn (or the product of the confidence constant Cn and the confidence constant Dn) are acquired from the communication unit 21-1 via the network N from the authentication peer 2- (10 + n) (shown in FIG. 16). Step S1601).
  • control unit 23-1 of the source peer 2-1 calculates the quantitative evaluation value fi according to the mathematical formula shown in the following equation 1 (step S1602).
  • control unit 23-1 of the source peer 2-1 determines whether or not the quantitative evaluation value fi is equal to or greater than a predetermined threshold value (step S1603).
  • step S1603 When the control unit 23-1 of the source peer 2-1 determines that the quantitative evaluation value fi is less than a predetermined threshold value (step S1603; No), the direct route R0 and the alternative route (secondary route) R (10 + n) The alternative route (secondary route) R (10 + n) (n ⁇ 2) is assumed to have insufficient reliability (security) that the communication terminal 2-m connected via) is the destination peer 2-2. ) Is added to increase the reliability, and the connection information of the authentication peer 2- (10 + n) (n ⁇ 2) stored in the storage unit 22-1 is used to authenticate the authentication peer 2- (10 + n) (n ⁇ 2). 2) is connected to the network N so as to be communicable (step S1604).
  • control unit 23-1 of the source peer 2-1 transmits the first connection inquiry from the communication unit 21-1 to the authentication peer 2- (10 + n) (n ⁇ 2) via the network N (step). S1605).
  • the control unit 23- (10 + n) (n ⁇ 2) of the authentication peer 2- (10 + n) (n ⁇ 2) sends a first connection inquiry transmitted from the source peer 2-1 via the network N to the communication unit 21.
  • -In response to the reception in (10 + n) (n ⁇ 2) is the user ID of the destination peer 2-2 included in the first connection query registered in the graph database? Depending on whether or not the call destination peer 2-2 can be authenticated, it is determined (step S1607).
  • the user ID of the destination peer 2-2 is not registered in the graph database, and the destination peer 2
  • the first connection inquiry is transmitted from the communication unit 21- (10 + n) (n ⁇ 2) to another authentication peer via the network N. Therefore, the authentication of the destination peer 2-2 is outsourced to another authentication peer (step S1608).
  • the other authentication peer responds to the reception of the authentication inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit, and performs the same processing as the authentication peer 2- (10 + n) (n ⁇ 2). I do.
  • the control unit 23- (10 + n) (n ⁇ 2) of the authentication peer 2- (10 + n) (n ⁇ 2) the user ID of the call destination peer 2-2 is registered in the graph database, and the call destination peer
  • the authentication serial ID (relay terminal issuance information) is issued (step S1609).
  • the authentication serial ID (relay terminal issuance information) issued by the authentication peer 2- (10 + n) (n ⁇ 2) is different from the authentication serial ID (support terminal issuance information) issued by the authentication peer 2-11. There is. Further, the authentication serial ID (relay terminal issuance information) issued by the authentication peer 2- (10 + n) (n ⁇ 2) is also different for each authentication peer 2-11.
  • control unit 23- (10 + n) (n ⁇ 2) of the authentication peer 2- (10 + n) (n ⁇ 2) gives the first connection answer that the connection with the destination peer 2-2 is possible, and the communication unit. It is transmitted from 21- (10 + n) (n ⁇ 2) to the source peer 2-1 via the network N (step S1610).
  • the control unit 23-1 of the source peer 2-1 can be connected to the destination peer 2-2 transmitted from the authentication peer 2- (10 + n) (n ⁇ 2) via the network N.
  • a token consisting of a hash value of the seed and the authentication serial ID is issued (generated) from the seed and the authentication serial ID (FIG. 18).
  • the same seed is used for authentication peer 2-11 and authentication peer 2- (10 + n) (n ⁇ 2)
  • the authentication serial ID is authentication peer 2-11 and authentication.
  • a different one is used for each peer 2- (10 + n) (n ⁇ 2). Therefore, different tokens are issued for each of the authentication peer 2-11 and the authentication peer 2- (10 + n) (n ⁇ 2).
  • the token is attached to a communication packet when communicating data with the authentication peer 2- (10 + n) (n ⁇ 2).
  • the control unit 23-1 of the source peer 2-1 generates the token table 5 shown in FIG. 5A from the communication unit 21-1 to the shared ledger 20 via the network N (step S1613). Since different tokens are issued for each of the authentication peer 2-11 and the authentication peer 2- (10 + n) (n ⁇ 2), the token table 5 also has the authentication peer 2-11 and the authentication peer 2- (10 + n). Different things are generated for each (n ⁇ 2).
  • control unit 23-1 of the source peer 2-1 transmits a connection request from the communication unit 21-1 to the authentication peer 2- (10 + n) (n ⁇ 2) via the network N (step S1614). ..
  • the control unit 23- (10 + n) (n ⁇ 2) of the authentication peer 2- (10 + n) (n ⁇ 2) sends a connection request transmitted from the source peer 2-1 via the network N to the communication unit 21- (10 + n) (n ⁇ 2).
  • the user ID of the issuer of the token corresponding to the hash value of the seed included in the connection request and the expiration date of the seed are set by the communication unit 21-.
  • (10 + n) (n ⁇ 2) is acquired from the token table 5 of the shared ledger 20 via the network N (step S1616).
  • control unit 23- (10 + n) (n ⁇ 2) of the authentication peer 2- (10 + n) (n ⁇ 2) is a user of the source peer 2-1 in which the user ID of the token issuer is included in the authentication query.
  • the authenticity of the token included in the connection request is confirmed by determining whether or not the ID matches and whether or not the seed has expired (step S1617).
  • FIG. 15 shows FIG. 15 via the authentication peer 2- (10 + n) (n ⁇ 2) by connecting to the destination peer 2-2 via the network N so as to be communicable using the connection information of the destination peer 2-2.
  • the indicated alternative route (secondary route) R (10 + n) (n ⁇ 2) is established (step S1618).
  • control unit 23- (10 + n) (n ⁇ 2) of the authentication peer 2- (10 + n) (n ⁇ 2) has completed the establishment of the alternative route (secondary route) R (10 + n) (n ⁇ 2).
  • the alternative route establishment report is transmitted from the communication unit 21- (10 + n) (n ⁇ 2) to the authentication peer 2- (10 + n) (n ⁇ 2) via the network N (step S1619).
  • the control unit 23-1 of the source peer 2-1 has received the alternative route establishment report transmitted from the authentication peer 2- (10 + n) (n ⁇ 2) via the network N by the communication unit 21-1.
  • the user ID of the disposal right holder of the token table 5 is transmitted from the communication unit 21-1 via the network N to the user of the source peer 2-1.
  • the right to dispose of the token table 5 is given by the user of the source peer 2-1 to the authentication peer 2- (10 + n). ) (N ⁇ 2) (step S1621).
  • control unit 23-1 of the source peer 2-1 notifies that the transfer of the disposal right of the token table 5 is completed from the communication unit 21-1 via the network N to the authentication peer 2- (10 + n) (n).
  • the process returns to the process of step S1601 in order to recalculate the quantitative evaluation value fi for the reliability after the addition of the alternative route (secondary route) R (10 + n). ..
  • the control unit 23-1 of the source peer 2-1 determines that the quantitative evaluation value fi is equal to or higher than a predetermined threshold value (step S1603; Yes)
  • the direct route R0 and the alternative route (secondary route) R Assuming that the reliability that the communication terminal 2-m connected via (10 + n) is the transmission destination peer 2-2 is sufficiently high, the direct route R0 and the alternative route (secondary route) from the communication unit 21-1 After starting data communication with the destination peer 2-2 via R11 to R13 (step S1623), the three-point authentication process ends.
  • the control unit 23-1 of the source peer 2-1 detects a quantitative evaluation value fi when the authentication peer 2- (10 + n) in which the product of the confidence constant Cn and the confidence constant Dn is “1” is detected.
  • the multiplexing of the connection path may be terminated at that time.
  • the alternative route (secondary route) via the authentication peer 2- (10 + n) in which the product of the confidence constant Cn and the confidence constant Dn is “0” does not contribute to the improvement of the quantitative evaluation value fi. It may not be added.
  • the communication terminal 2-m connected via the direct path R0 after the direct path R0 is established is the transmission destination peer 2-2. Calculate the reliability of. Then, the three-point authentication system 1 connects to the authentication peers 2-12 and 2-13 via the network N on condition that the reliability is less than a predetermined threshold value, and connects to the destination peer 2-2. Is requested via the network N to establish alternative routes (secondary routes) R4 to R6.
  • the source peer 2-1 includes a storage unit 22-1 that stores connection information necessary for connection with the authentication peers 2-12, 2-13, and the like. Further, the authentication peers 2-12 and 2-13 include storage units 2-12 and 2-13 for storing connection information necessary for connection with the destination peer 2-2, respectively.
  • the source peer 2-1 calculates the reliability that the communication terminal 2-m connected via the direct route R0 is the destination peer 2-2.
  • the source peer 2-1 connects to the authentication peer 2-12 via the network N by using the connection information of the authentication peer 2-12, provided that the reliability is less than a predetermined threshold value.
  • the source peer 2-1 is for specifying the connection request from the seed, which is the right to connect to the destination terminal 2-2, and the authentication serial ID issued by the authentication peer 2-12. Generate a token.
  • the source peer 2-1 requests the authentication peer 2-12 to connect to the destination peer 2-2 via the network N by transmitting the connection request including the token via the network N.
  • the authentication peer 2-12 uses the connection information of the destination peer 2-2 in response to the request from the source peer 2-1 to connect to the destination peer 2-2 via the network N.
  • An alternative route (secondary route) R12 is established by connecting to the destination peer 2-2 via the network N.
  • the source peer 2-1 establishes an alternative route (sub route) R12 that connects to the destination peer 2-2 via the authentication peer 2-12, and then goes through the direct route R0 and the alternative route (sub route) R12.
  • the reliability that the communication terminal 2-m connected to the communication terminal 2-m is the destination peer 2-2 is calculated. Then, the source peer 2-1 requests the authentication peer 2-13 to connect to the destination peer 2-2 via the network N, provided that the reliability is less than a predetermined threshold value.
  • the authentication peer 2-13 uses the connection information of the destination peer 2-2 in response to the request from the source peer 2-1 to connect to the destination peer 2-2 via the network N.
  • the alternative route (sub route) R13 is established by connecting to the destination peer 2-2 via the network N.
  • the three-point authentication system 1 according to the present modification can also have the same effect as the three-point authentication system 1 according to the above embodiment.
  • the communication terminal 2-m connected via the direct route R0 and the alternative route (secondary route) R (10 + n) using the token is the transmission destination peer 2.
  • the connection route between the source peer 2-1 and the destination peer 2-2 can be multiplexed.
  • the communication terminal 2-m connected via the direct route R0 and the alternative route (secondary route) R (10 + n) is the transmission destination peer 2-2.
  • the reliability can be evaluated quantitatively.
  • the three-point authentication system 1 according to this modification can realize efficient communication.
  • control unit 23-11 of the authentication peer 2-11 states that the user ID of the destination peer 2-2 is registered in the graph database and the destination peer 2-2 can be authenticated. If it is determined, it is described as issuing an authentication serial ID.
  • the present invention is not limited to this, and the control unit 23-11 of the authentication peer 2-11 can authenticate the destination peer 2-2 even when the destination peer 2-2 can be authenticated. May be outsourced to a communication terminal (peer) 2-m belonging to its own connection group.
  • the control unit 23-11 of the authentication peer 2-11 sends the first connection inquiry from the communication unit 21-11 to its own connection group such as relay peers 2-4 to 2-6 via the network N.
  • the authentication of the destination peer 2-2 is entrusted to the communication terminal (peer) 2-m belonging to its own connection group.
  • the communication terminal (peer) 2-m entrusted with the authentication of the destination peer 2-2 receives the first connection inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit 21-m. In response to this, the connection information corresponding to the user ID of the destination peer 2-2 included in the first connection inquiry is acquired from the graph database from the communication unit 21-m via the network N. Then, the communication terminal (peer) 2-m entrusted with the authentication of the destination peer 2-2 may perform the same processing as the authentication peer 2-11.
  • the authentication peer 2-11 can realize the outsourcing of the authentication of the destination peer 2-2, so that the load of the authentication work of the destination peer 2-2 can be distributed.
  • the program executed by the CPU of the control unit 23-m is stored in ROM or the like in advance.
  • the present invention is not limited to this, and by applying a program for executing the above-mentioned processing to an existing general-purpose computer, the present invention can function as a communication terminal (peer) 2-m according to the above-described embodiment. You may.
  • the method of providing such a program is arbitrary, and may be stored and distributed on a computer-readable recording medium (flexible disc, CD (Compact Disc) -ROM, DVD (Digital Versatile Disc) -ROM, etc.), for example.
  • a computer-readable recording medium flexible disc, CD (Compact Disc) -ROM, DVD (Digital Versatile Disc) -ROM, etc.
  • the program may be stored in a storage on a network such as the Internet and provided by downloading the program.
  • the above processing when executed by the division between the OS and the application program or the cooperation between the OS and the application program, only the application program may be stored in the recording medium or the storage. It is also possible to superimpose a program on a carrier wave and distribute it via a network. For example, the above program may be posted on a bulletin board system (BBS: Bulletin Board System) on the network, and the program may be distributed via the network. Then, by starting this program and executing it in the same manner as other application programs under the control of the OS, the above processing may be executed.
  • BSS Bulletin Board System
  • Three-point authentication system (communication system) 2-m communication terminal (peer) 2-1 Source peer (source terminal) 2-2 Destination peer (destination terminal) 2-3 Seed issuing peer 2-4-2-6 Relay peer (relay terminal) 2- (10 + n) authentication peer 2-11 authentication peer (support terminal) 2-12, 2-13 Authentication peer (relay terminal) 4 Seed table 5 Token table (connection request table) 6 Connection information table 21-m Communication unit 22-m Storage unit 22-1 Storage unit (second storage unit) 22-2 Memory unit (3rd storage unit) 22-11 Storage unit (first storage unit) 22-12, 22-13 Storage unit (4th storage unit) 23-m control unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

To provide a multiple-factor tripartite authentication routing system that enables efficient communications. A transmission source peer (2-1) serving as a data transmission source from among a plurality of communication terminals, which are connected via a network (N) and perform peer-to-peer communications, establishes a direct route (R0), which is directly connected to a transmission source peer (2-2) serving as a data transmission source, with the assistance of an authentication peer (2-11) that assists the establishment of connection routes among the communication terminals. After the establishment of the direct route (R0), alternative routes (sub routes) (R4 to R6, R12, R13) connected to the transmission source peer (2-2) via intermediate peers (2-4 to 2-6, 2-12, 2-13) are established.

Description

発信元端末、通信システム、通信方法、及びプログラムSource terminal, communication system, communication method, and program
 本発明は、発信元端末、通信システム、通信方法、及びプログラムに関し、特に効率的な通信を実現可能な発信元端末、通信システム、通信方法、及びプログラムに関する。 The present invention relates to a source terminal, a communication system, a communication method, and a program, and particularly to a source terminal, a communication system, a communication method, and a program capable of realizing efficient communication.
 特定のサーバコンピュータではなく、通信可能に接続された対等な状態の複数の通信装置(ピア)のうちのいずれかが、アクセスポイントとして動作するグループオーナーとなることで、グループ内の通信装置(ピア)同士の通信を可能にするピア・ツウ・ピアという通信方式が知られている(例えば特許文献1参照)。なお、本明細書中に特許文献1の明細書、特許請求の範囲、図面全体を参考として取り込むものとする。 By becoming a group owner that operates as an access point, one of a plurality of communication devices (peers) in an equal state connected to each other, instead of a specific server computer, becomes a communication device (peer) in the group. ) Are known as a communication method called peer-to-peer that enables communication between each other (see, for example, Patent Document 1). The specification of Patent Document 1, the scope of claims, and the entire drawing shall be incorporated into this specification as a reference.
特開2005-100419号公報Japanese Unexamined Patent Publication No. 2005-100419
 しかしながら、ピア・ツウ・ピアにおいて、グループ内の通信装置(ピア)同士の接続経路を複数確立して多重化を行う場合、ハードウェアの依存度が高く、経路によって、メディアアクセスや物理層の位相が拮抗しているとき等にアプリケーション層が意図する多重化にならず、コスト等の問題も生じるため、接続経路の多重化を簡便に行うことができず、効率的に通信を行うことが困難であるという問題があった。 However, in peer-to-peer, when multiple connection paths between communication devices (peers) in a group are established and multiplexing is performed, the dependence on hardware is high, and depending on the path, media access and the phase of the physical layer It is not possible to easily multiplex the connection path and it is difficult to communicate efficiently because the multiplexing does not occur as intended by the application layer when they are in competition with each other and problems such as cost occur. There was a problem that it was.
 本発明は、上記の課題を解決するためになされたものであって、効率的な通信を実現可能な発信元端末、通信システム、通信方法、及びプログラムを提供することを目的とする。 The present invention has been made to solve the above problems, and an object of the present invention is to provide a source terminal, a communication system, a communication method, and a program capable of realizing efficient communication.
 上記の目的を達成するため、本発明の第1の観点に係る発信元端末(2-1)は、ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)であって、前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立し、前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する、ことを特徴とする。 In order to achieve the above object, the source terminal (2-1) according to the first aspect of the present invention is connected via the network (N), and a plurality of communications communicating in a peer-to-peer manner. The communication terminal (2-1) that is the source of data among the terminals (2-m) and supports the establishment of a connection path between the communication terminals (2-m). With the support of the support terminal (2-11) which is 2-m), the connection route is directly connected to the destination terminal (2-2) which is the communication terminal (2-m) which is the transmission destination of the data. After establishing a certain first connection route (R0) and establishing the first connection route (R0), the relay terminal (2) of the communication terminals (2-m) different from the support terminal (2-11). -4 to 2-6, 2-12, 2-13) to connect to the destination terminal (2-2) via the second connection route (R4 to R6, R12, R13), which is the connection route. It is characterized by being established.
 上記の発信元端末(2-1)は、前記第1接続経路(R0)の確立後、前記支援端末(2-11)に前記第2接続経路(R4~R6)の確立の支援を前記ネットワーク(N)を介して要求することにより、該第2接続経路(R4~R6)を確立する、ようにしてもよい。 After the establishment of the first connection path (R0), the source terminal (2-1) supports the support terminal (2-11) to establish the second connection path (R4 to R6). The second connection path (R4 to R6) may be established by requesting via (N).
 上記の発信元端末(2-1)は、前記第1接続経路(R0)の確立後、前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して接続し、前記発信先端末(2-2)との接続を該ネットワーク(N)を介して要求することにより、前記第2接続経路(R4~R6)を確立する、ようにしてもよい。 After the first connection path (R0) is established, the source terminal (2-1) connects to the relay terminal (2-12, 2-13) via the network (N), and the transmission is made. The second connection path (R4 to R6) may be established by requesting the connection with the destination terminal (2-2) via the network (N).
 上記の発信元端末(2-1)は、前記第1接続経路(R0)の確立後、該第1接続経路(R0)を介して接続された前記通信端末(2-m)が前記発信先端末(2-2)であることの信頼度を算出し、前記信頼度が所定の閾値未満であることを条件に、前記発信先端末(2-2)との接続を前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して要求する、ようにしてもよい。 In the source terminal (2-1), after the establishment of the first connection path (R0), the communication terminal (2-m) connected via the first connection path (R0) is the transmission destination. The reliability of being a terminal (2-2) is calculated, and the connection with the destination terminal (2-2) is made to the relay terminal (2-) on condition that the reliability is less than a predetermined threshold value. 12, 2-13) may be requested via the network (N).
 上記の発信元端末(2-1)は、前記発信先端末(2-2)との接続を要求する接続要求であって、該接続要求を特定するための第1接続要求識別情報を含む該接続要求を前記ネットワーク(N)を介して前記支援端末(2-11)に送信し、前記発信先端末(2-2)から前記ネットワーク(N)を介して送信される前記第1接続要求識別情報と、該発信先端末(2-2)との接続に必要な接続情報と、を受信したことに応答して、該発信先端末(2-2)から受信した第1接続要求識別情報が前記支援端末(2-11)に送信した第1接続要求識別情報に合致することを条件に、該発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と該ネットワーク(N)を介して接続することにより、前記第1接続経路(R0)を確立する、ようにしてもよい。 The source terminal (2-1) is a connection request requesting a connection with the destination terminal (2-2), and includes the first connection request identification information for specifying the connection request. The first connection request identification transmitted via the network (N) to the support terminal (2-11) and transmitted from the destination terminal (2-2) via the network (N). In response to receiving the information and the connection information necessary for connecting to the destination terminal (2-2), the first connection request identification information received from the destination terminal (2-2) The destination terminal (2-2) uses the connection information of the destination terminal (2-2) on condition that it matches the first connection request identification information transmitted to the support terminal (2-11). The first connection path (R0) may be established by connecting to and via the network (N).
 上記の発信元端末(2-1)は、前記第1接続経路(R0)の確立後、前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して接続し、前記第1接続要求識別情報とは異なる第2接続要求識別情報を含む前記接続要求を該ネットワーク(N)を介して送信することにより、該第2接続経路(R4~R6)を確立する、ようにしてもよい。 After establishing the first connection path (R0), the source terminal (2-1) connects to the relay terminal (2-12, 2-13) via the network (N), and the first connection terminal (2-1) is connected to the relay terminal (2-12, 2-13) via the network (N). The second connection path (R4 to R6) is established by transmitting the connection request including the second connection request identification information different from the first connection request identification information via the network (N). May be good.
 上記の発信元端末(2-1)は、前記発信先端末(2-2)と接続するための権利と、前記支援端末(2-11)が発行した支援端末発行情報と、から前記第1接続要求識別情報を生成し、前記権利と、前記中継端末(2-12,2-13)が発行した中継端末発行情報と、から前記第2接続要求識別情報を生成する、ようにしてもよい。 The source terminal (2-1) has the right to connect to the destination terminal (2-2) and the support terminal issuance information issued by the support terminal (2-11). The connection request identification information may be generated, and the second connection request identification information may be generated from the right and the relay terminal issuance information issued by the relay terminal (2-12, 2-13). ..
 上記の発信元端末(2-1)は、前記第1接続要求識別情報を登録する接続要求テーブル(5)の処分権者として該発信元端末(2-1)のユーザを登録し、前記第1接続経路(R0)の確立後、前記接続要求テーブル(5)の処分権者を前記支援端末(2-11)のユーザに変更することにより、該接続要求テーブル(5)の処分権を、該支援端末(2-11)のユーザに移転する、ようにしてもよい。 The source terminal (2-1) registers the user of the source terminal (2-1) as the disposal right holder of the connection request table (5) for registering the first connection request identification information, and the first connection request identification information is registered. 1 After the connection route (R0) is established, the disposal right of the connection request table (5) can be changed by changing the disposal right holder of the connection request table (5) to the user of the support terminal (2-11). It may be transferred to the user of the support terminal (2-11).
 本発明の第2の観点に係る通信システム(1)は、ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)を具備する通信システム(1)であって、前記複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)は、前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立し、前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する、ことを特徴とする。 The communication system (1) according to the second aspect of the present invention is a communication system including a plurality of communication terminals (2-m) connected via a network (N) and communicating in a peer-to-peer system. In (1), the source terminal (2-1), which is the source of data among the plurality of communication terminals (2-m), establishes a connection route between the communication terminals (2-m). With the support of the support terminal (2-11), which is the communication terminal (2-m) that supports the data, the destination terminal (2-2), which is the communication terminal (2-m), is the destination of the data. ) Is established, and after the first connection path (R0) is established, the support terminal (2-m) of the communication terminals (2-m) is established. The second connection route (2-2), which is the connection route for connecting to the destination terminal (2-2) via a relay terminal (2-4 to 2-6, 2-12, 2-13) different from 11). It is characterized by establishing R4 to R6, R12, R13).
 上記の通信システム(1)において、前記発信元端末(2-1)は、前記発信先端末(2-2)から前記ネットワーク(N)を介して送信される該発信先端末(2-2)との接続に必要な接続情報を受信し、前記第1接続経路(R0)の確立後、前記発信先端末(2-2)の接続情報を登録する接続情報テーブル(6)を生成し、前記支援端末(2-11)に前記第2接続経路(R4~R6)の確立の支援を前記ネットワーク(N)を介して要求し、前記発信先端末(2-2)と前記中継端末(2-4~2-6)とが前記ネットワーク(N)を介して接続された後、前記支援端末(2-11)から該ネットワーク(N)を介して送信される該中継端末(2-4~2-6)との接続に必要な接続情報を用いて、該中継端末(2-4~2-6)と該ネットワーク(N)を介して接続することにより、前記第2接続経路(R4~R6)を確立し、前記支援端末(2-11)は、前記中継端末(2-4~2-6)の前記接続情報を記憶する第1記憶部(22-11)を含み、前記発信元端末(2-1)から前記ネットワーク(N)を介して前記第2接続経路(R4~R6)の確立の支援が要求されたことに応答して、前記発信先端末(2-2)との接続を前記中継端末(2-4~2-6)に該ネットワーク(N)を介して要求し、前記発信先端末(2-2)と前記中継端末(2-4~2-6)とが前記ネットワーク(N)を介して接続された後、該中継端末(2-4~2-6)の接続情報を前記ネットワーク(N)を介して前記発信元端末(2-1)に送信し、前記中継端末(2-4~2-6)は、前記支援端末(2-11)から前記ネットワーク(N)を介して前記発信先端末(2-2)との接続が要求されたことに応答して、前記発信先端末(2-2)の接続情報を前記接続情報テーブル(6)から取得し、前記発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と前記ネットワーク(N)を介して接続する、ようにしてもよい。 In the communication system (1), the source terminal (2-1) is a destination terminal (2-2) transmitted from the destination terminal (2-2) via the network (N). After receiving the connection information necessary for connection with and establishing the first connection path (R0), the connection information table (6) for registering the connection information of the destination terminal (2-2) is generated, and the above The support terminal (2-11) is requested to support the establishment of the second connection route (R4 to R6) via the network (N), and the destination terminal (2-2) and the relay terminal (2-) are requested. After the 4 to 2-6) are connected via the network (N), the relay terminal (2-4 to 2) transmitted from the support terminal (2-11) via the network (N). By connecting to the relay terminal (2-4 to 2-6) via the network (N) using the connection information necessary for the connection with -6), the second connection path (R4 to R6) is used. ) Is established, and the support terminal (2-11) includes a first storage unit (22-11) that stores the connection information of the relay terminal (2-4 to 2-6), and the source terminal. Connection with the destination terminal (2-2) in response to a request from (2-1) to support the establishment of the second connection path (R4 to R6) via the network (N). Is requested to the relay terminal (2-4 to 2-6) via the network (N), and the transmission destination terminal (2-2) and the relay terminal (2-4 to 2-6) are described. After being connected via the network (N), the connection information of the relay terminal (2-4 to 2-6) is transmitted to the source terminal (2-1) via the network (N), and the above is described. The relay terminal (2-4 to 2-6) responds to the request for connection from the support terminal (2-11) to the destination terminal (2-2) via the network (N). Then, the connection information of the destination terminal (2-2) is acquired from the connection information table (6), and the connection information of the destination terminal (2-2) is used to obtain the connection information of the destination terminal (2-2). ) And the network (N).
 上記の通信システム(1)において、前記発信元端末(2-1)は、前記発信元端末(2-1)を特定するための発信元識別情報と、前記発信先端末(2-2)を特定するための発信先識別情報と、を記憶する第2記憶部(22-1)を含み、前記第1接続経路(R0)の確立後、前記発信元識別情報と、前記発信先識別情報と、前記発信先端末(2-2)の接続情報と、を対応付けて登録する前記接続情報テーブル(6)を生成し、前記発信元識別情報と、前記発信先識別情報と、を前記ネットワーク(N)を介して前記支援端末(2-11)に送信することにより、該支援端末(2-11)に前記第2接続経路(R4~R6)の確立の支援を要求し、前記支援端末(2-11)は、前記発信元端末(2-1)から前記ネットワーク(N)を介して送信される前記発信元識別情報と、前記発信先識別情報と、を受信したことに応答して、該発信元識別情報と、該発信先識別情報と、を前記ネットワーク(N)を介して前記中継端末(2-4~2-6)に送信することにより、前記発信先端末(2-2)との接続を該中継端末(2-4~2-6)に要求し、前記中継端末(2-4~2-6)は、前記支援端末(2-11)から前記ネットワーク(N)を介して送信される前記発信元識別情報と、前記発信先識別情報と、を受信したことに応答して、該受信した該発信元識別情報と、該発信先識別情報と、がそれぞれ前記接続情報テーブル(6)に登録されている前記発信元識別情報と、前記発信先識別情報と、に合致することを条件に、前記発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と前記ネットワーク(N)を介して接続する、ようにしてもよい。 In the above communication system (1), the source terminal (2-1) uses the source identification information for identifying the source terminal (2-1) and the destination terminal (2-2). After the establishment of the first connection path (R0), the source identification information and the destination identification information include a second storage unit (22-1) for storing the destination identification information for identification. , The connection information table (6) for registering the connection information of the destination terminal (2-2) in association with each other is generated, and the source identification information and the destination identification information are stored in the network ( By transmitting to the support terminal (2-11) via N), the support terminal (2-11) is requested to support the establishment of the second connection route (R4 to R6), and the support terminal (2-11) is requested. 2-11) responds to receiving the source identification information and the destination identification information transmitted from the source terminal (2-1) via the network (N). By transmitting the source identification information and the destination identification information to the relay terminal (2-4 to 2-6) via the network (N), the destination terminal (2-2) The relay terminal (2-4 to 2-6) is requested to connect to the relay terminal (2-4 to 2-6), and the relay terminal (2-4 to 2-6) is connected to the support terminal (2-11) via the network (N). In response to receiving the source identification information and the destination identification information transmitted, the received source identification information and the destination identification information are each in the connection information table. The destination terminal is used with the connection information of the destination terminal (2-2) on condition that the source identification information registered in (6) and the destination identification information match. (2-2) may be connected via the network (N).
 上記の通信システム(1)において、前記発信元端末(2-1)は、前記中継端末(2-12,2-13)との接続に必要な接続情報を記憶する第2記憶部(22-1)を含み、前記中継端末(2-12,2-13)の接続情報を用いて、該中継端末(2-12,2-13)と前記ネットワーク(N)を介して接続し、前記発信先端末(2-2)との接続を前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して要求し、前記中継端末(2-12,2-13)は、前記発信先端末(2-2)との接続に必要な接続情報を記憶する第4記憶部(2-12,2-13)を含み、前記発信元端末(2-1)から前記ネットワーク(N)を介して前記発信先端末(2-2)との接続が要求されたことに応答して、前記発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と前記ネットワーク(N)を介して接続することにより、前記第2接続経路(R12,R13)を確立する、ようにしてもよい。 In the above communication system (1), the source terminal (2-1) is a second storage unit (22-) that stores connection information necessary for connection with the relay terminal (2-12, 2-13). 1) is included, and the connection information of the relay terminal (2-12, 2-13) is used to connect to the relay terminal (2-12, 2-13) via the network (N), and the transmission is performed. The relay terminal (2-12, 2-13) is requested to connect to the destination terminal (2-2) via the network (N), and the relay terminal (2-12, 2-13) is said. The network (N) from the source terminal (2-1) includes a fourth storage unit (2-12, 2-13) that stores connection information necessary for connecting to the destination terminal (2-2). In response to a request for connection to the destination terminal (2-2) via And the second connection path (R12, R13) may be established by connecting via the network (N).
 上記の通信システム(1)において、前記発信元端末(2-1)は、前記第1接続経路(R0)の確立後、該第1接続経路(R0)を介して接続された前記通信端末(2-m)が前記発信先端末(2-2)であることの信頼度を算出し、前記信頼度が所定の閾値未満であることを条件に、前記発信先端末(2-2)との接続を前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して要求する、ようにしてもよい。 In the above communication system (1), the source terminal (2-1) is the communication terminal (2-1) connected via the first connection path (R0) after the establishment of the first connection path (R0). Calculate the reliability that 2-m) is the destination terminal (2-2), and with the destination terminal (2-2) on condition that the reliability is less than a predetermined threshold value. The connection may be requested to the relay terminal (2-12, 2-13) via the network (N).
 上記の通信システム(1)において、前記中継端末(2-12,2-13)は、第1中継端末(2-12)と、第2中継端末(2-13)と、を含み、前記発信元端末(2-1)は、前記第1中継端末(2-12)を経由して前記発信先端末(2-2)と接続する第2接続経路(R12)の確立後、前記第1接続経路(R0)及び該第2接続経路(R12)を介して接続された前記通信端末(2-m)が前記発信先端末(2-2)であることの信頼度を算出し、前記信頼度が前記所定の閾値未満であることを条件に、該発信先端末(2-2)との接続を前記第2中継端末(2-13)に前記ネットワーク(N)を介して要求する、ようにしてもよい。 In the above communication system (1), the relay terminal (2-12, 2-13) includes a first relay terminal (2-12) and a second relay terminal (2-13), and the transmission is made. The original terminal (2-1) is connected to the first connection after establishing a second connection path (R12) to be connected to the destination terminal (2-2) via the first relay terminal (2-12). The reliability that the communication terminal (2-m) connected via the route (R0) and the second connection route (R12) is the destination terminal (2-2) is calculated, and the reliability is calculated. Is requested to the second relay terminal (2-13) via the network (N) to connect to the destination terminal (2-2) on condition that is less than the predetermined threshold. You may.
 本発明の第3の観点に係る通信方法は、ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)による通信方法であって、前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立し、前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する、ことを特徴とする。 The communication method according to the third aspect of the present invention is a communication method according to a third aspect of the present invention with a data source among a plurality of communication terminals (2-m) connected via a network (N) and communicating by a peer-to-peer method. A support terminal (2-m) that is a communication method using a source terminal (2-1) and is a communication terminal (2-m) that supports the establishment of a connection path between the communication terminals (2-m). With the support of 11), the first connection route (R0), which is the connection route directly connected to the transmission destination terminal (2-2), which is the communication terminal (2-m) to which the data is transmitted, is established. After the establishment of the first connection path (R0), the relay terminal (2-4 to 2-6, 2-12) different from the support terminal (2-11) among the communication terminals (2-m), It is characterized in that a second connection route (R4 to R6, R12, R13), which is the connection route for connecting to the transmission destination terminal (2-2) via 2-13), is established.
 本発明の第4の観点に係るプログラムは、ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)のコンピュータに、前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立する手順と、前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する手順と、を実行させる。 The program according to the fourth aspect of the present invention is connected via a network (N) and is a source of data among a plurality of communication terminals (2-m) that communicate in a peer-to-peer manner. Support for the support terminal (2-11), which is the communication terminal (2-m), which supports the establishment of a connection path between the communication terminals (2-m) in the computer of the source terminal (2-1). A procedure for establishing a first connection route (R0), which is a connection route that directly connects to a transmission destination terminal (2-2), which is the communication terminal (2-m) to which the data is transmitted, and the above. After the establishment of the first connection path (R0), among the communication terminals (2-m), the relay terminals (2-4 to 2-6, 2-12, 2-) different from the support terminals (2-11). The procedure for establishing a second connection route (R4 to R6, R12, R13), which is the connection route for connecting to the transmission destination terminal (2-2) via 13), is executed.
 本発明によれば、効率的な通信を実現可能な発信元端末、通信システム、通信方法、及びプログラムを提供することができる。 According to the present invention, it is possible to provide a source terminal, a communication system, a communication method, and a program capable of realizing efficient communication.
本実施形態に係る三点認証システムの構成例を示す図である。It is a figure which shows the configuration example of the three-point authentication system which concerns on this embodiment. 通信端末の構成例を示すブロック図である。It is a block diagram which shows the configuration example of a communication terminal. 本実施形態に係るP2P型ネットワークの概念図である。It is a conceptual diagram of the P2P type network which concerns on this embodiment. シードテーブルの構成例を示す図である。It is a figure which shows the configuration example of a seed table. (a)は、トークン使用前のトークンテーブルの構成例を示す図であり、(b)は、本実施形態に係るトークン使用後のトークンテーブルの構成例を示す図である。(A) is a diagram showing a configuration example of a token table before using a token, and (b) is a diagram showing a configuration example of a token table after using a token according to the present embodiment. 多重化テーブルの構成例を示す図である。It is a figure which shows the configuration example of a multiplexing table. シード発行処理の詳細を示すフローチャートである。It is a flowchart which shows the details of a seed issuance process. 本実施形態に係る三点認証処理の詳細を示すフローチャートである。It is a flowchart which shows the detail of the three-point authentication process which concerns on this embodiment. 三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of a three-point authentication process. 三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of a three-point authentication process. 三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of a three-point authentication process. 三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of a three-point authentication process. 三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of a three-point authentication process. 三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of a three-point authentication process. 変形例に係るP2P型ネットワークの概念図である。It is a conceptual diagram of the P2P type network which concerns on a modification. 変形例に係る三点認証処理の詳細を示すフローチャートである。It is a flowchart which shows the detail of the three-point authentication process which concerns on a modification. 変形例に係る三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of the three-point authentication process which concerns on a modification. 変形例に係る三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of the three-point authentication process which concerns on a modification. 変形例に係る三点認証処理の続きを示すフローチャートである。It is a flowchart which shows the continuation of the three-point authentication process which concerns on a modification. 変形例に係るトークン使用後のトークンテーブルの構成例を示す図である。It is a figure which shows the configuration example of the token table after using the token which concerns on the modification.
 以下、本発明を実施するための形態について説明する。 Hereinafter, embodiments for carrying out the present invention will be described.
 本発明は、以下の技術的思想の基に発明された。 The present invention was invented based on the following technical ideas.
 本発明者は、ピア・ツウ・ピア方式において、論理レイヤが存在するオーバーレイネットワーク上に論理的に複数の接続経路を確立する通信システムを発明した。かかる通信システムを実現するためには、LTE(Long Term Evolution)やWi-Fi(Wireless Fidelity)等といった数多くのレイヤ2(データリンク層)以下の通信規格が存在する中で、ピア・ツウ・ピア(P2P)型ネットワークを構成する通信端末(ピア)の認証、接続、及びルーティングを、ハードウェアに依存することなく、ソフトウェアにより軽量的に行う必要が生じた。そこで、本発明者は、かかる課題を解決して、効率的な通信を実現するため、本発明に係る多重因子三点認証ルーティングシステムを発明した。 The present inventor has invented a communication system that logically establishes a plurality of connection paths on an overlay network in which a logical layer exists in a peer-to-peer system. In order to realize such a communication system, there are many layer 2 (data link layer) or lower communication standards such as LTE (Long Term Evolution) and Wi-Fi (Wireless Fidelity). It has become necessary to perform lightweight authentication, connection, and routing of communication terminals (peers) constituting the (P2P) type network by software without depending on hardware. Therefore, the present inventor has invented a multi-factor three-point authentication routing system according to the present invention in order to solve such a problem and realize efficient communication.
 まず、本発明の実施形態に係る三点認証システム(通信システム)の構成について図面を参照しつつ説明する。 First, the configuration of the three-point authentication system (communication system) according to the embodiment of the present invention will be described with reference to the drawings.
 図1は、本実施形態に係る三点認証システムの構成例を示すブロック図である。 FIG. 1 is a block diagram showing a configuration example of a three-point authentication system according to this embodiment.
 図1に示すように、三点認証システム1は、複数の通信端末2-m(mは自然数)を具備する。複数の通信端末2-mは、インターネット等のネットワークNを介して相互に通信可能に接続され、ピア・ツウ・ピア方式で通信を行う。共通の手続で通信をする通信端末は、ピアと呼ばれる。本発明の手続を理解する通信端末2-mは、ピアであり、複数の通信端末2-m(ピア)は、ピア・ツウ・ピア(P2P)型ネットワークを構成する。また、三点認証システム1は、ネットワークN上の複数の通信端末(ピア)2-mから構成されるブロックチェーンや分散ハッシュテーブル(Distributed Hash Table, DHT)等による分散台帳技術を用いてデータを分散管理する共有台帳20を具備する。 As shown in FIG. 1, the three-point authentication system 1 includes a plurality of communication terminals 2-m (m is a natural number). The plurality of communication terminals 2-m are connected to each other so as to be able to communicate with each other via a network N such as the Internet, and communicate by a peer-to-peer method. A communication terminal that communicates by a common procedure is called a peer. The communication terminal 2-m for understanding the procedure of the present invention is a peer, and a plurality of communication terminals 2-m (peers) constitute a peer-to-peer (P2P) type network. Further, the three-point authentication system 1 uses a distributed ledger technology such as a block chain composed of a plurality of communication terminals (peers) 2-m on the network N and a distributed hash table (DHT) to obtain data. A shared ledger 20 for distributed management is provided.
 通信端末(ピア)2-mは、例えば汎用のパーソナルコンピュータ、汎用のサーバコンピュータ、若しくはタブレットコンピュータ、スマートフォン、及びデジタル家庭電化製品等のIP(Internet Protocol)通信機能を持つCPU(Central Processing Unit)を備えたスマートデバイス等から構成される。 The communication terminal (peer) 2-m is a CPU (Central Processing Unit) having an IP (Internet Protocol) communication function for, for example, a general-purpose personal computer, a general-purpose server computer, a tablet computer, a smartphone, and a digital home electric appliance. It consists of equipped smart devices and the like.
 図2は、通信端末の構成例を示すブロック図である。 FIG. 2 is a block diagram showing a configuration example of a communication terminal.
 図2に示すように、通信端末(ピア)2-mは、それぞれ、通信部21-mと、記憶部22-mと、制御部23-mと、を備え、これらはバス等を介して接続される。 As shown in FIG. 2, the communication terminal (peer) 2-m includes a communication unit 21-m, a storage unit 22-m, and a control unit 23-m, respectively, which are via a bus or the like. Be connected.
 通信部21-mは、例えば無線通信装置等から構成される。通信部21-mは、P2P通信方式で他の通信端末(ピア)2-mとネットワークNを介したデータの送受信を行う。 The communication unit 21-m is composed of, for example, a wireless communication device or the like. The communication unit 21-m transmits / receives data to / from another communication terminal (peer) 2-m via the network N by the P2P communication method.
 記憶部22-mは、例えば汎用のフラッシュメモリ等の不揮発性メモリ等から構成される。記憶部22-mは、通信端末(ピア)2-mのユーザを特定するためのユーザID(Identification)を保持(記憶)する。ユーザIDは、例えば32バイトのバイナリデータから構成される。 The storage unit 22-m is composed of, for example, a non-volatile memory such as a general-purpose flash memory. The storage unit 22-m holds (stores) a user ID (Identification) for identifying a user of the communication terminal (peer) 2-m. The user ID is composed of, for example, 32 bytes of binary data.
 制御部23-mは、例えばCPU、ROM(Read Only Memory)、及びRAM(Random Access Memory)等から構成される。CPUは、RAMをワークメモリとして用い、ROM及び記憶部22に記憶されているプログラム等を適宜実行することによって、通信端末(ピア)2-mの各種動作を制御する。 The control unit 23-m is composed of, for example, a CPU, a ROM (ReadOnlyMemory), a RAM (RandomAccessMemory), and the like. The CPU uses the RAM as a work memory, and controls various operations of the communication terminal (peer) 2-m by appropriately executing a program or the like stored in the ROM and the storage unit 22.
 図3は、本実施形態に係るP2P型ネットワークの概念図である。 FIG. 3 is a conceptual diagram of a P2P type network according to this embodiment.
 図3に示すように、通信端末(ピア)2-mには、データの発信元となる通信端末(以下、「発信元ピア(発信元端末)」という。)2-1と、データの発信先となる通信端末(以下、「発信先ピア(発信先端末)」という。)2-2と、発信先端末2-2と接続するための権利であるシードを発行するシード発行ピア(以下、「シード発行ピア」という。)2-3と、発信元ピア2-1と発信先ピア2-2との認証機能、接続機能、及びルーティング機能を有する通信端末(以下、「認証ピア(支援端末)」という。)2-11と、発信元ピア2-1と発信先ピア2-2とのデータの通信を中継する3つの通信端末(以下、「中継ピア(中継端末)」という。)2-4~2-6と、が含まれる。なお、中継ピアの数は、“3”に限定されるものではなく、任意である。 As shown in FIG. 3, the communication terminal (peer) 2-m includes a communication terminal (hereinafter referred to as "source peer (source terminal)") 2-1 that is a source of data and data transmission. A seed issuing peer that issues a seed that is the right to connect to the destination communication terminal (hereinafter referred to as "destination peer (destination terminal)") 2-2 and the destination terminal 2-2 (hereinafter referred to as "destination peer"). A communication terminal having an authentication function, a connection function, and a routing function between the source peer 2-1 and the destination peer 2-2 (hereinafter referred to as "seed issuing peer") (hereinafter, "authentication peer (support terminal)"). ) ”.) Three communication terminals that relay data communication between 2-11, source peer 2-1 and destination peer 2-2 (hereinafter referred to as“ relay peer (relay terminal) ”) 2 -4 to 2-6 and so on. The number of relay peers is not limited to "3" and is arbitrary.
 発信元ピア2-1は、発信元ピア2-1のユーザID(発信元ピア2-1を特定するための発信元識別情報)及び発信先ピア2-2のユーザID(発信先ピア2-2を特定するための発信先識別情報)、並びに発信元ピア2-1との接続に必要なIPアドレス等の接続情報、及び後述する自己が所属する接続グループの親(グループオーナ)に当たる認証ピア2-11との接続に必要な接続情報を記憶部(第2記憶部)22-1に保持(記憶)する。その一方で、発信元ピア2-1は、発信先ピア2-2の接続情報を記憶部22-1に保持していない。本実施形態において、発信元ピア2-1は、シード発行ピア2-3より購入して発行されたシードから、発信先ピア2-2の認証、並びに発信元ピア2-1と発信先ピア2-2との接続及びルーティングの正当性及び効率化の向上を図るためのトークン(第1及び第2接続要求識別情報)を生成する。ここで、本発明に係る「第1及び第2接続要求識別情報」は、トークンそれ自体に限定されるものではなく、通信端末2-mの認証、並びに通信端末2-m間の接続経路の確立及び多重化に使用可能なデジタルデータであれば任意であり、例えばトークンのハッシュ値等であってもよい。発信元ピア2-1は、トークンを使用して、発信先ピア2-2を認証するとともに、発信先ピア2-2との接続経路を複数確立して多重化することにより、発信先ピア2-2とデータの通信を効率的に行うことができる。 The source peer 2-1 is a user ID of the source peer 2-1 (source identification information for identifying the source peer 2-1) and a user ID of the destination peer 2-2 (destination peer 2-). Destination identification information for identifying 2), connection information such as the IP address required to connect to the source peer 2-1 and the authentication peer that is the parent (group owner) of the connection group to which the user belongs, which will be described later. The connection information necessary for connecting to 2-11 is stored (stored) in the storage unit (second storage unit) 22-1. On the other hand, the source peer 2-1 does not hold the connection information of the destination peer 2-2 in the storage unit 22-1. In the present embodiment, the source peer 2-1 authenticates the destination peer 2-2 from the seed purchased and issued from the seed issuing peer 2-3, and the source peer 2-1 and the destination peer 2 -Generate tokens (first and second connection request identification information) for improving the validity and efficiency of connection and routing with -2. Here, the "first and second connection request identification information" according to the present invention is not limited to the token itself, but is the authentication of the communication terminal 2-m and the connection path between the communication terminals 2-m. Any digital data that can be used for establishment and multiplexing is arbitrary, and may be, for example, a hash value of a token. The source peer 2-1 uses the token to authenticate the destination peer 2-2, and establishes and multiplexes a plurality of connection routes with the destination peer 2-2 to multiplex the destination peer 2. -Data can be efficiently communicated with -2.
 発信先ピア2-2は、発信元ピア2-1及び発信先ピア2-2のユーザID、並びに発信先ピア2-2との接続に必要なIPアドレス等の接続情報及び自己が所属する接続グループの親(グループオーナ)に当たる認証ピア2-11との接続に必要な接続情報を記憶部(第3記憶部)22-2に保持(記憶)する。その一方で、発信先ピア2-2は、発信元ピア2-1の接続情報を記憶部22-2に保持していない。 The destination peer 2-2 has connection information such as the user IDs of the source peer 2-1 and the destination peer 2-2, the IP address necessary for connecting to the destination peer 2-2, and the connection to which the user belongs. The connection information required for connection with the authentication peer 2-11, which is the parent (group owner) of the group, is stored (stored) in the storage unit (third storage unit) 22-2. On the other hand, the destination peer 2-2 does not hold the connection information of the source peer 2-1 in the storage unit 22-2.
 シード発行ピア2-3は、シード発行ピア2-3が発行したシードに関する情報を登録するためのシードテーブルを記憶部23-2に備える。 The seed issuing peer 2-3 provides a seed table for registering information regarding the seed issued by the seed issuing peer 2-3 in the storage unit 23-2.
 図4は、シードテーブルの構成例を示す図である。 FIG. 4 is a diagram showing a configuration example of a seed table.
 図4に示すように、シードテーブル4は、シード発行ピア2-3が発行したシード毎に、シードのハッシュ値と、専用の暗号鍵(以下、「シード専用鍵」という。)を用いて暗号化されたシード(以下、「暗号化シード」という。)と、シードの有効期限と、を対応付けて登録する。 As shown in FIG. 4, the seed table 4 is encrypted by using the hash value of the seed and the dedicated encryption key (hereinafter referred to as “seed-only key”) for each seed issued by the seed issuing peer 2-3. The converted seed (hereinafter referred to as "encrypted seed") and the expiration date of the seed are registered in association with each other.
 図3に示す認証ピア2-11は、発信元ピア2-1、発信先ピア2-2、及び中継ピア2-4~2-6等の通信端末(ピア)2-mが所属する接続グループを形成するもので、この接続グループの親(グループオーナ)に当たる。認証ピア2-11は、自己の接続グループに所属する通信端末(ピア)2-mの認証を行って、通信端末(ピア)2-m間に接続経路を確立することを支援する。認証ピア2-11は、自己の接続グループに所属する通信端末(ピア)2-mのユーザIDと、接続情報と、を対応付けて登録(記憶)するグラフデータベースを記憶部(第1記憶部)2-11に備える。認証ピア2-11の制御部23-11は、自己の接続グループに所属する通信端末(ピア)2-mに時折ハートビートを送るなどして、自己の接続グループに所属する通信端末(ピア)2-mのユーザID及び接続情報を取得してグラフデータベースに登録する。このようなグラフデータベースによって、認証ピア2-11は、通信端末(ピア)2-mが認証ピア2-11の接続グループに所属しているというグラフ関係を維持管理する。また、グラフデータベースは、認証ピア2-11の接続グループに所属している通信端末(ピア)2-mの信頼性や接続性の評価等を記憶する。本実施形態において、発信元ピア2-1、発信先ピア2-2、及び中継ピア2-4~2-6は、いずれも認証ピア2-11の接続グループに所属している。したがって、認証ピア2-11は、(1)発信元ピア2-1が認証ピア2-11の接続グループに所属していること、(2)発信先ピア2-2が認証ピア2-11の接続グループに所属していること、及び(3)中継ピア2-4~2-6が認証ピア2-11の接続グループに所属していることというグラフ関係を維持管理する。具体的に、本実施形態に係る記憶部(第1記憶部)2-11が備えるグラフデータベースは、発信元ピア2-1、発信先ピア2-2、及び中継ピア2-4~2-6のユーザIDと接続情報とを対応付けて登録(記憶)する。 The authentication peer 2-11 shown in FIG. 3 is a connection group to which the communication terminals (peers) 2-m such as the source peer 2-1 and the destination peer 2-2 and the relay peers 2-4 to 2-6 belong. Is the parent (group owner) of this connection group. The authentication peer 2-11 authenticates the communication terminal (peer) 2-m belonging to its own connection group, and supports the establishment of a connection route between the communication terminals (peer) 2-m. The authentication peer 2-11 stores (first storage) a graph database that registers (stores) the user ID of the communication terminal (peer) 2-m belonging to its own connection group and the connection information in association with each other. ) Prepare for 2-11. The control unit 23-11 of the authentication peer 2-11 occasionally sends a heartbeat to the communication terminal (peer) 2-m belonging to its own connection group, and the communication terminal (peer) belonging to its own connection group. Acquire the 2-m user ID and connection information and register them in the graph database. With such a graph database, the authentication peer 2-11 maintains and manages the graph relationship that the communication terminal (peer) 2-m belongs to the connection group of the authentication peer 2-11. Further, the graph database stores the reliability and connectivity evaluation of the communication terminal (peer) 2-m belonging to the connection group of the authentication peer 2-11. In the present embodiment, the source peer 2-1 and the destination peer 2-2, and the relay peers 2-4 to 2-6 all belong to the connection group of the authentication peer 2-11. Therefore, in the authentication peer 2-11, (1) the source peer 2-1 belongs to the connection group of the authentication peer 2-11, and (2) the destination peer 2-2 is the authentication peer 2-11. It maintains and manages the graph relationship that it belongs to the connection group and (3) the relay peers 2-4 to 2-6 belong to the connection group of the authentication peer 2-11. Specifically, the graph database included in the storage unit (first storage unit) 2-11 according to the present embodiment includes the source peer 2-1 and the destination peer 2-2, and the relay peers 2-4 to 2-6. The user ID of the user and the connection information are registered (stored) in association with each other.
 中継ピア2-4~2-6は、それぞれ自己のユーザID、及び自らが属する接続グループの親(グループオーナ)に当たる認証ピア2-11との接続に必要な接続情報を記憶部22-4~22-6に保持(記憶)する。その一方で、中継ピア2-4~2-6は、発信元ピア2-1及び発信先ピア2-2の接続情報を記憶部22-4~22-6に保持していない。 The relay peers 2-4 to 2-6 store their own user IDs and the connection information necessary for connecting to the authentication peer 2-11, which is the parent (group owner) of the connection group to which they belong. Hold (remember) at 22-6. On the other hand, the relay peers 2-4 to 2-6 do not hold the connection information of the source peer 2-1 and the destination peer 2-2 in the storage units 22-4 to 22-6.
 図1に示す共有台帳20は、シードが適切な発信元ピア2-1又はユーザに発行されたものである真贋を証明する仕組であって、単純に一つのサーバコンピュータから構成されるものよりも、事故に対する耐性を有する。共有台帳20は、発信元ピア2-1が生成したトークンに関する情報を登録するためのトークンテーブル(接続要求テーブル)と、発信元ピア2-1と発信先ピア2-2との経路を多重化する際に用いられる接続情報テーブルと、を備える。 The shared ledger 20 shown in FIG. 1 is a mechanism for proving the authenticity that the seed is issued to an appropriate source peer 2-1 or a user, rather than simply consisting of one server computer. , Resistant to accidents. The shared ledger 20 multiplexes the token table (connection request table) for registering information about the token generated by the source peer 2-1 and the route between the source peer 2-1 and the destination peer 2-2. It is provided with a connection information table used when the operation is performed.
 図5(a)は、トークン使用前のトークンテーブルの構成例を示す図であり、(b)は、本実施形態に係るトークン使用後のトークンテーブルの構成例を示す図である。 FIG. 5A is a diagram showing a configuration example of a token table before using a token, and FIG. 5B is a diagram showing a configuration example of a token table after using a token according to the present embodiment.
 図5(a)及び(b)に示すように、トークンテーブル5は、トークンと、トークンを生成する際にベースとされたシードのハッシュ値と、シードの有効期限と、トークンの発行者のユーザID(本実施形態では「発信元ピア2-1のユーザID」)と、トークンテーブル5の現在の処分権者のユーザIDと、を対応付けて登録する。ここで、トークンテーブル5の処分権とは、トークンテーブル5のデータを編集したり、消去したりする権利をいう。 As shown in FIGS. 5A and 5B, the token table 5 shows the token, the hash value of the seed used as the basis for generating the token, the expiration date of the seed, and the user of the issuer of the token. The ID (“user ID of source peer 2-1” in this embodiment) and the user ID of the current disposal right holder in the token table 5 are registered in association with each other. Here, the disposal right of the token table 5 means the right to edit or delete the data of the token table 5.
 図5(a)に示すように、発信元ピア2-1がトークンを使用して、発信元ピア2-1と発信先ピア2-2とを直接接続する図3に示す直接経路(第1接続経路)R0の確立する前は、トークンテーブル5の処分権者のユーザIDとして、トークンの発行者である発信元ピア2-1のユーザIDがトークンテーブル5に登録されている。 As shown in FIG. 5 (a), the direct route (first) shown in FIG. 3 in which the source peer 2-1 directly connects the source peer 2-1 and the destination peer 2-2 using a token. Before the connection route) R0 is established, the user ID of the source peer 2-1 which is the issuer of the token is registered in the token table 5 as the user ID of the disposal right holder of the token table 5.
 図5(b)に示すように、発信元ピア2-1がトークンを使用して、直接経路R0の確立した後は、トークンテーブル5の処分権者のユーザIDとして、直接経路R0の確立に貢献した認証ピア2-11のユーザIDがトークンテーブル5に登録されている。 As shown in FIG. 5B, after the source peer 2-1 uses the token to establish the direct route R0, the direct route R0 is established as the user ID of the disposal right holder of the token table 5. The user ID of the contributing authentication peer 2-11 is registered in the token table 5.
 図6は、接続情報テーブルの構成例を示す図である。 FIG. 6 is a diagram showing a configuration example of the connection information table.
 図6に示すように、接続情報テーブル6は、トークンと、データの発信元となる通信端末(ピア)2-m(本実施形態では「発信元ピア2-1」)のユーザIDと、データの発信先となる通信端末(ピア)2-m(本実施形態では「発信先ピア2-2」)のユーザID及び接続情報と、を対応付けて登録する。 As shown in FIG. 6, the connection information table 6 contains a token, a user ID of a communication terminal (peer) 2-m (“source peer 2-1” in the present embodiment) that is a source of data, and data. The user ID and connection information of the communication terminal (peer) 2-m (“destination peer 2-2” in this embodiment) to be the destination of the call are registered in association with each other.
 次に、上記構成を備える三点認証システム1が実行する各種処理について図面を参照して説明する。 Next, various processes executed by the three-point authentication system 1 having the above configuration will be described with reference to the drawings.
 発信元ピア2-1において、ユーザがシードの発行を要求したことに応答して、三点認証システム1は、シード発行処理を実行する。 In response to the user's request for seed issuance at the sender peer 2-1 the three-point authentication system 1 executes the seed issuance process.
 図7は、シード発行処理の詳細を示すフローチャートである。 FIG. 7 is a flowchart showing the details of the seed issuance process.
 図7に示すシード発行処理において、まず、発信元ピア2-1の制御部23-1は、シードの発行を要求するシード発行要求を、通信部21-1からネットワークNを介してシード発行ピア2-3に送信する(ステップS701)。シード発行要求には、発信元ピア2-1のユーザID等が含まれる。 In the seed issuance process shown in FIG. 7, first, the control unit 23-1 of the source peer 2-1 makes a seed issuance request from the communication unit 21-1 via the network N to the seed issuance peer. It is transmitted to 2-3 (step S701). The seed issuance request includes the user ID of the source peer 2-1 and the like.
 シード発行ピア2-3の制御部23-3は、発信元ピア2-1からネットワークNを介して送信されるシード発行要求を通信部21-3で受信したことに応答して(ステップS702)、シード及びシード専用鍵を発行する(ステップS703)。 The control unit 23-3 of the seed issuing peer 2-3 responds to the communication unit 21-3 receiving the seed issuing request transmitted from the source peer 2-1 via the network N (step S702). , Issuing a seed and a seed-only key (step S703).
 次に、シード発行ピア2-3の制御部23-3は、シードのハッシュ値を算出する(ステップS704)。 Next, the control unit 23-3 of the seed issuing peer 2-3 calculates the hash value of the seed (step S704).
 続いて、シード発行ピア2-3の制御部23-3は、シード専用鍵を用いて、シードを暗号化して暗号化シードを生成する(ステップS705)。 Subsequently, the control unit 23-3 of the seed issuing peer 2-3 uses the seed-only key to encrypt the seed and generate an encrypted seed (step S705).
 そして、シード発行ピア2-3の制御部23-3は、シードのハッシュ値と、暗号化シードと、を対応付けて登録するシードテーブル4を記憶部22-3に生成する(ステップS706)。 Then, the control unit 23-3 of the seed issuing peer 2-3 generates a seed table 4 in the storage unit 22-3 to register the hash value of the seed and the encrypted seed in association with each other (step S706).
 また、シード発行ピア2-3の制御部23-3は、シードのハッシュ値及びシード専用鍵を通信部21-3からネットワークNを介して発信元ピア2-1に送信する(ステップS707)。 Further, the control unit 23-3 of the seed issuing peer 2-3 transmits the hash value of the seed and the seed-dedicated key from the communication unit 21-3 to the source peer 2-1 via the network N (step S707).
 発信元ピア2-1の制御部23-1は、シード発行ピア2-3からネットワークNを介して送信されるシードのハッシュ値及びシード専用鍵を通信部21-1で受信して(ステップS708)、記憶部22-1に保存してから(ステップS709)、シード発行処理を終了する。 The control unit 23-1 of the source peer 2-1 receives the hash value of the seed and the seed-only key transmitted from the seed issuing peer 2-3 via the network N in the communication unit 21-1 (step S708). ), After saving in the storage unit 22-1 (step S709), the seed issuance process is terminated.
 また、発信元ピア2-1において、ユーザが発信先ピア2-2とのデータの通信を要求したことに応答して、三点認証システム1は、三点認証処理(通信方法)を実行する。 Further, in response to the user requesting the communication of data with the destination peer 2-2 in the source peer 2-1 the three-point authentication system 1 executes the three-point authentication process (communication method). ..
 図8~図14は、本実施形態に係る三点認証処理の詳細を示すフローチャートである。 8 to 14 are flowcharts showing the details of the three-point authentication process according to the present embodiment.
 図8~図14に示す三点認証処理において、まず、発信元ピア2-1の制御部23-1は、記憶部22-1に記憶される認証ピア2-11の接続情報を用いて、認証ピア2-11とネットワークNを介して通信可能に接続する(図8に示すステップS801)。 In the three-point authentication process shown in FIGS. 8 to 14, first, the control unit 23-1 of the source peer 2-1 uses the connection information of the authentication peer 2-11 stored in the storage unit 22-1 to be used. It is communicably connected to the authentication peer 2-11 via the network N (step S801 shown in FIG. 8).
 そして、発信元ピア2-1の制御部23-1は、発信先ピア2-2との接続が可能か否かを問い合わせる第1接続問合せを、通信部21-1からネットワークNを介して認証ピア2-11に送信する(ステップS802)。第1接続問合せには、発信元ピア2-1及び発信先ピア2-2のユーザID等が含まれる。 Then, the control unit 23-1 of the source peer 2-1 authenticates the first connection inquiry asking whether the connection with the destination peer 2-2 is possible from the communication unit 21-1 via the network N. It is transmitted to peer 2-11 (step S802). The first connection inquiry includes the user IDs of the source peer 2-1 and the destination peer 2-2.
 認証ピア2-11の制御部23-11は、発信元ピア2-1からネットワークNを介して送信される第1接続問合せを通信部21-11で受信したことに応答して(ステップS803)、第1接続問合せに含まれる発信先ピア2-2のユーザIDがグラフデータベースに登録されているか否かにより、発信先ピア2-2の認証が可能か否かを判別する(ステップS804)。 The control unit 23-11 of the authentication peer 2-11 responds to the reception of the first connection inquiry transmitted from the source peer 2-1 via the network N by the communication unit 21-11 (step S803). , Whether or not the destination peer 2-2 can be authenticated is determined based on whether or not the user ID of the destination peer 2-2 included in the first connection inquiry is registered in the graph database (step S804).
 認証ピア2-11の制御部23-11は、発信先ピア2-2のユーザIDがグラフデータベースに登録されておらず、発信先ピア2-2の認証が不能であると判別した場合(ステップS804;No)、第1接続問合せを通信部21-11からネットワークNを介して他の認証ピアに送信することより、発信先ピア2-2の認証を他の認証ピアに委託する(ステップS805)。他の認証ピアは、認証ピア2-11からネットワークNを介して送信される認証問合せを通信部で受信したことに応答して、認証ピア2-11と同様の処理を行う。 When the control unit 23-11 of the authentication peer 2-11 determines that the user ID of the destination peer 2-2 is not registered in the graph database and the authentication of the destination peer 2-2 is impossible (step). S804; No), by transmitting the first connection inquiry from the communication unit 21-11 to another authentication peer via the network N, the authentication of the destination peer 2-2 is outsourced to the other authentication peer (step S805). ). The other authentication peer performs the same processing as the authentication peer 2-11 in response to receiving the authentication inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit.
 一方、認証ピア2-11の制御部23-11は、発信先ピア2-2のユーザIDがグラフデータベースに登録されており、発信先ピア2-2の認証が可能であると判別した場合(ステップS804;Yes)、認証シリアルID(支援端末発行情報)を発行する(ステップS806)。 On the other hand, when the control unit 23-11 of the authentication peer 2-11 determines that the user ID of the destination peer 2-2 is registered in the graph database and the destination peer 2-2 can be authenticated (). Step S804; Yes), the authentication serial ID (support terminal issuance information) is issued (step S806).
 そして、認証ピア2-11の制御部23-11は、発信元ピア2-1との接続が可能か否かを問い合わせる第2接続問合せを通信部21-11からネットワークNを介して、ユーザIDから特定される発信先ピア2-2に送信する(図9に示すステップS807)。第2接続問合せには、認証シリアルID等が含まれる。 Then, the control unit 23-11 of the authentication peer 2-11 makes a second connection inquiry asking whether or not the connection with the source peer 2-1 is possible from the communication unit 21-11 via the network N, and the user ID. It is transmitted to the destination peer 2-2 specified from (step S807 shown in FIG. 9). The second connection inquiry includes an authentication serial ID and the like.
 発信先ピア2-2の制御部23-2は、認証ピア2-11からネットワークNを介して送信される第2接続問合せを通信部21-2で受信したことに応答して(ステップS808)、発信元ピア2-1との接続が可能か否かの回答(以下、「第2接続可否回答」という。)を、通信部21-2からネットワークNを介して認証ピア2-11に送信する(ステップS809)。発信元ピア2-1との接続が可能か否かの回答には、認証シリアルID等が含まれる。 The control unit 23-2 of the destination peer 2-2 responds to the reception of the second connection inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit 21-2 (step S808). , The answer as to whether or not the connection with the source peer 2-1 is possible (hereinafter referred to as "the answer as to whether or not the second connection is possible") is transmitted from the communication unit 21-2 to the authentication peer 2-11 via the network N. (Step S809). The answer as to whether or not the connection with the source peer 2-1 is possible includes the authentication serial ID and the like.
 認証ピア2-11の制御部23-11は、発信先ピア2-2からネットワークNを介して送信される発信元ピア2-1との接続が可能との第2接続回答を通信部21-11で受信したことに応答して(ステップS810)、発信先ピア2-2との接続が可能か否かの回答(以下、「第1接続回答」という。)として、発信先ピア2-2との接続が可能との第1接続回答を、通信部21-11からネットワークNを介して発信元ピア2-1に送信する(ステップS811)。第1接続回答には、認証シリアルID等が含まれる。 The control unit 23-11 of the authentication peer 2-11 gives a second connection response that the connection with the source peer 2-1 transmitted from the destination peer 2-2 via the network N is possible. In response to the reception in No. 11 (step S810), the destination peer 2-2 is used as an answer as to whether or not the connection with the destination peer 2-2 is possible (hereinafter referred to as "first connection answer"). The first connection answer that the connection with is possible is transmitted from the communication unit 21-11 to the source peer 2-1 via the network N (step S811). The first connection response includes an authentication serial ID and the like.
 発信元ピア2-1の制御部23-1は、認証ピア2-11からネットワークNを介して送信される発信先ピア2-2との接続が可能との第1接続回答を通信部21-1で受信したことに応答して(ステップS812)、記憶部22-1に保存されているシードのハッシュ値に対応する暗号化シード及びシードの有効期限を、通信部21-1からネットワークNを介してシード発行ピア2-3のシードテーブル4より取得する(ステップS813)。 The control unit 23-1 of the source peer 2-1 gives the first connection response that the connection with the destination peer 2-2 transmitted from the authentication peer 2-11 via the network N is possible in the communication unit 21-. In response to the reception in 1 (step S812), the encrypted seed corresponding to the hash value of the seed stored in the storage unit 22-1 and the expiration date of the seed are set from the communication unit 21-1 to the network N. Obtained from the seed table 4 of the seed issuing peer 2-3 via the seed table 4 (step S813).
 続いて、発信元ピア2-1の制御部23-1は、シード専用鍵を用いて、シード発行ピア2-3から取得した暗号化シードから、シード発行ピア2-3が発行したシードを復号する(図10に示すステップS814)。 Subsequently, the control unit 23-1 of the source peer 2-1 uses the seed-only key to decrypt the seed issued by the seed issuing peer 2-3 from the encrypted seed acquired from the seed issuing peer 2-3. (Step S814 shown in FIG. 10).
 そして、発信元ピア2-1の制御部23-1は、シードと認証シリアルIDとから、シードと認証シリアルIDとのハッシュ値からなるトークンを発行(生成)する(ステップS815)。トークンは、認証ピア2-11に対してデータを通信する際の通信パケットに添付される。 Then, the control unit 23-1 of the source peer 2-1 issues (generates) a token consisting of a hash value of the seed and the authentication serial ID from the seed and the authentication serial ID (step S815). The token is attached to a communication packet when communicating data with the authentication peer 2-11.
 そして、発信元ピア2-1の制御部23-1は、トークンと、トークンを生成する際にベースとされたシードのハッシュ値と、トークンの発行者として発信元ピア2-1のユーザIDと、シードの有効期限と、トークンテーブル5の処分権者として発信元ピア2-1のユーザIDと、を対応付けて登録する図5(a)に示すトークンテーブル5を、通信部21-1からネットワークNを介して共有台帳20に生成する(ステップS816)。 Then, the control unit 23-1 of the source peer 2-1 includes the token, the hash value of the seed used as the base when the token is generated, and the user ID of the source peer 2-1 as the issuer of the token. , The token table 5 shown in FIG. 5A, which registers the expiration date of the seed and the user ID of the source peer 2-1 as the disposal right holder of the token table 5 in association with each other, is registered from the communication unit 21-1. Generated in the shared ledger 20 via the network N (step S816).
 また、発信元ピア2-1の制御部23-1は、発信先ピア2-2との接続を要求する接続要求を、通信部21-1からネットワークNを介して認証ピア2-11に送信する(ステップS817)。接続要求には、トークン及びシードのハッシュ値等が含まれる。接続要求に含まれるトークンは、接続要求を特定するための接続要求識別情報となる。このようにして、発信元ピア2-1は、認証ピア2-11に、発信元ピア2-1と発信先ピア2-2とを直接接続する図3に示す直接経路(第1接続経路)R0の確立の支援をネットワークNを介して要求する。 Further, the control unit 23-1 of the source peer 2-1 transmits a connection request requesting a connection with the destination peer 2-2 from the communication unit 21-1 to the authentication peer 2-11 via the network N. (Step S817). The connection request includes the hash value of the token and the seed. The token included in the connection request becomes the connection request identification information for specifying the connection request. In this way, the source peer 2-1 directly connects the source peer 2-1 and the destination peer 2-2 to the authentication peer 2-11 as shown in FIG. 3 (first connection route). Request support for the establishment of R0 via network N.
 認証ピア2-11の制御部23-11は、発信元ピア2-1からネットワークNを介して送信される接続要求を通信部21-11で受信したことに応答して(ステップS818)、接続要求に含まれるシードのハッシュ値に対応するトークンの発行者のユーザID及びシードの有効期限を、通信部21-11からネットワークNを介して共有台帳20のトークンテーブル5より取得する(ステップS819)。 The control unit 23-11 of the authentication peer 2-11 responds to the reception of the connection request transmitted from the source peer 2-1 via the network N by the communication unit 21-11 (step S818), and connects. The user ID of the issuer of the token corresponding to the hash value of the seed included in the request and the expiration date of the seed are acquired from the communication unit 21-11 via the network N from the token table 5 of the shared ledger 20 (step S819). ..
 そして、認証ピア2-11の制御部23-11は、トークンの発行者のユーザIDが認証問合せに含まれる発信元ピア2-1のユーザIDに合致するか否かや、シードの有効期限内か否かを判別することにより、接続要求に含まれるトークンの真正性を確認する(ステップS820)。 Then, the control unit 23-11 of the authentication peer 2-11 determines whether or not the user ID of the issuer of the token matches the user ID of the sender peer 2-1 included in the authentication inquiry, and within the expiration date of the seed. By determining whether or not it is, the authenticity of the token included in the connection request is confirmed (step S820).
 真正性の確認後、認証ピア2-11の制御部23-11は、記憶部22-11に記憶される発信先ピア2-2の接続情報を用いて、発信先ピア2-2とネットワークNを介して通信可能に接続することにより、認証ピア2-11を経由する図3に示す代替経路(副経路)R11を確立する(ステップS821)。 After confirming the authenticity, the control unit 23-11 of the authentication peer 2-11 uses the connection information of the destination peer 2-2 stored in the storage unit 22-11 to connect the destination peer 2-2 and the network N. The alternative route (secondary route) R11 shown in FIG. 3 via the authentication peer 2-11 is established by connecting to the communication via the communication peer (step S821).
 そして、認証ピア2-11の制御部23-11は、トークン及び発信元ピア2-1の接続情報を通信部21-11からネットワークNを介して発信元ピア2-2に送信する(図11に示すステップS822)。 Then, the control unit 23-11 of the authentication peer 2-11 transmits the token and the connection information of the source peer 2-1 from the communication unit 21-11 to the source peer 2-2 via the network N (FIG. 11). Step S822).
 発信先ピア2-2の制御部23-2は、認証ピア2-11からネットワークNを介して送信されるトークン及び発信元ピア2-1の接続情報を通信部21-2で受信したことに応答して(ステップS823)、発信元ピア2-1の接続情報を用いて、トークン及び発信先ピア2-2の接続情報を通信部21-2からネットワークNを介して発信元ピア2-1に送信する(ステップS824)。 The control unit 23-2 of the destination peer 2-2 receives the token transmitted from the authentication peer 2-11 via the network N and the connection information of the source peer 2-1 in the communication unit 21-2. In response (step S823), using the connection information of the source peer 2-1, the token and the connection information of the destination peer 2-2 are transmitted from the communication unit 21-2 via the network N to the source peer 2-1. (Step S824).
 発信元ピア2-1の制御部23-1は、発信先ピア2-2からネットワークNを介して送信される発信先ピア2-2の接続情報及びトークンを通信部21-1で受信したことに応答して(ステップS825)、発信先ピア2-2から受信したトークンが、自己が生成して認証ピア2-11に送信したトークンに合致するか否かを判別することにより、トークンの真正性を確認する(ステップS826)。このようにして、発信元ピア2-1は、トークンを使用して、代替経路(副経路)R11を介して接続された通信端末2-mが発信先ピア2-2であることの認証を行う。 The control unit 23-1 of the source peer 2-1 has received the connection information and token of the destination peer 2-2 transmitted from the destination peer 2-2 via the network N in the communication unit 21-1. In response to (step S825), the authenticity of the token is determined by determining whether or not the token received from the destination peer 2-2 matches the token generated by itself and transmitted to the authentication peer 2-11. Confirm the sex (step S826). In this way, the source peer 2-1 uses the token to authenticate that the communication terminal 2-m connected via the alternative route (secondary route) R11 is the destination peer 2-2. conduct.
 真正性の確認後、即ち発信先ピア2-2から受信したトークンが認証ピア2-11に送信したトークンに合致することを条件に、発信元ピア2-1の制御部23-1は、発信先ピア2-2の接続情報を用いて、発信元ピア2-1と発信先ピア2-2とを直接接続する図3に示す直接経路R0を確立する(ステップS827)。これにより、トークンを使用した発信元ピア2-1による発信先ピア2-2の認証、及び発信元ピア2-1と発信先ピア2-2との直接接続は、実現する。 After confirming the authenticity, that is, on condition that the token received from the destination peer 2-2 matches the token transmitted to the authentication peer 2-11, the control unit 23-1 of the source peer 2-1 makes a call. Using the connection information of the destination peer 2-2, the direct route R0 shown in FIG. 3 that directly connects the source peer 2-1 and the destination peer 2-2 is established (step S827). As a result, the authentication of the destination peer 2-2 by the source peer 2-1 using the token and the direct connection between the source peer 2-1 and the destination peer 2-2 are realized.
 続いて、発信元ピア2-1の制御部23-1は、図5(b)に示すように、通信部21-1からネットワークNを介してトークンテーブル5の処分権者のユーザIDを、発信元ピア2-1のユーザIDから、認証ピア2-11のユーザIDに書き換える電子署名を行うことにより、トークンテーブル5の処分権を、発信元ピア2-1のユーザから認証ピア2-11のユーザに移転する(図12に示すステップS828)。トークンテーブル5の処分権を取得した認証ピア2-11のユーザは、トークンテーブル5のデータを編集したり、消去したりすることができる。また、トークンテーブル5の処分権を取得した認証ピア2-11のユーザは、ネットワークNの外部システムを介して、トークンテーブル5のデータと引き換えに、シード発行ピア2-3から新たなシード等を取得することができる。なお、トークンテーブル5のデータと引き換えに取得できるものは、ネットワークNの外部システムであるため、シードに限定されるものではなく、何等かのネットワークサービスを享受することに利用できるものであれば任意である。 Subsequently, as shown in FIG. 5B, the control unit 23-1 of the source peer 2-1 sets the user ID of the disposal right holder of the token table 5 from the communication unit 21-1 via the network N. By digitally signing the user ID of the source peer 2-1 to the user ID of the authentication peer 2-11, the right to dispose of the token table 5 is given by the user of the source peer 2-1 to the authentication peer 2-11. (Step S828 shown in FIG. 12). The user of the authentication peer 2-11 who has acquired the disposal right of the token table 5 can edit or delete the data of the token table 5. Further, the user of the authentication peer 2-11 who has acquired the disposal right of the token table 5 obtains a new seed or the like from the seed issuing peer 2-3 in exchange for the data of the token table 5 via the external system of the network N. Can be obtained. Since the data that can be acquired in exchange for the data in the token table 5 is an external system of network N, it is not limited to the seed, and is arbitrary as long as it can be used to enjoy some network service. Is.
 そして、発信元ピア2-1の制御部23-1は、トークンテーブル5の処分権の移転が完了したことを、通信部21-1からネットワークNを介して認証ピア2-11に報告する(ステップS829)。 Then, the control unit 23-1 of the source peer 2-1 reports from the communication unit 21-1 to the authentication peer 2-11 via the network N that the transfer of the disposal right of the token table 5 is completed (). Step S829).
 また、発信元ピア2-1の制御部23-1は、トークンと、データの発信元となる通信端末(ピア)2-mとして発信元ピア2-1のユーザIDと、データの発信先となる通信端末(ピア)2-mとして発信先ピア2-2のユーザID及び接続情報と、を対応付けて登録する接続情報テーブル6を、通信部21-1からネットワークNを介して共有台帳20に生成する(ステップS830)。 Further, the control unit 23-1 of the source peer 2-1 includes a token, a user ID of the source peer 2-1 as a communication terminal (peer) 2-m that is a source of data, and a data transmission destination. The connection information table 6 for registering the user ID and connection information of the destination peer 2-2 in association with each other as the communication terminal (peer) 2-m is registered from the communication unit 21-1 via the network N in the shared ledger 20. (Step S830).
 そして、発信元ピア2-1の制御部23-1は、発信先ピア2-2との接続経路の多重化を要求する多重化要求を、通信部21-1からネットワークNを介して認証ピア2-11に送信する(ステップS831)。多重化要求には、トークン、並びに発信元ピア2-1及び発信先ピア2-2のユーザID等が含まれる。このようにして、発信元ピア2-1は、認証ピア2-11に、中継ピア2-4~2-6を経由して発信元ピア2-1と発信先ピア2-2とを接続する図3に示す代替経路(副経路)(第2接続経路)R4~R6の確立の支援を要求する。 Then, the control unit 23-1 of the source peer 2-1 makes an authentication peer from the communication unit 21-1 via the network N to request the multiplexing requesting the multiplexing of the connection path with the destination peer 2-2. It is transmitted to 2-11 (step S831). The multiplexing request includes tokens, user IDs of source peer 2-1 and destination peer 2-2, and the like. In this way, the source peer 2-1 connects the source peer 2-1 and the destination peer 2-2 to the authentication peer 2-11 via the relay peers 2-4 to 2-6. We request support for establishing alternative routes (secondary routes) (second connection routes) R4 to R6 shown in FIG.
 認証ピア2-11の制御部23-11は、発信元ピア2-1からネットワークNを介して送信される多重化要求を通信部21-11で受信したことに応答して(ステップS832)、発信元ピア2-1と発信先ピア2-2とのデータの通信の中継を要求する中継要求を、通信部21-11からネットワークNを介して中継ピア2-4~2-6に送信する(ステップS833)。中継要求には、トークン、並びに発信元ピア2-1及び発信先ピア2-2のユーザID等が含まれる。 The control unit 23-11 of the authentication peer 2-11 responds to the communication unit 21-11 receiving the multiplexing request transmitted from the source peer 2-1 via the network N (step S832). A relay request for relaying data communication between the source peer 2-1 and the destination peer 2-2 is transmitted from the communication unit 21-11 to the relay peers 2-4 to 2-6 via the network N. (Step S833). The relay request includes the token and the user IDs of the source peer 2-1 and the destination peer 2-2.
 中継ピア2-4~2-6の制御部23-4~23-6は、それぞれ認証ピア2-11からネットワークNを介して送信される中継要求を通信部21-4~21-6で受信したことに応答して(ステップS834)、中継要求に含まれるトークンに対応するデータの発信元となる通信端末(ピア)2-mのユーザIDと、データの発信先となる通信端末(ピア)2-mのユーザID及び接続情報と、を通信部21-4~21-6からネットワークNを介して共有台帳20の接続情報テーブル6より取得する(図13に示すステップS835)。 The control units 23-4 to 23-6 of the relay peers 2-4 to 2-6 receive the relay request transmitted from the authentication peer 2-11 via the network N by the communication units 21-4 to 21-6, respectively. In response to the request (step S834), the user ID of the communication terminal (peer) 2-m, which is the source of the data corresponding to the token included in the relay request, and the communication terminal (peer), which is the destination of the data. The 2-m user ID and connection information are acquired from the connection information table 6 of the shared ledger 20 from the communication units 21-4 to 21-6 via the network N (step S835 shown in FIG. 13).
 中継ピア2-4~2-6の制御部23-4~23-6は、それぞれ中継要求に含まれる発信元ピア2-1のユーザIDが接続情報テーブル6から取得したデータの発信元となる通信端末(ピア)2-mのユーザIDに合致するか否かや、発信先ピア2-2のユーザIDがデータの発信先となる通信端末(ピア)2-mのユーザIDに合致するか否かを判別することにより、トークンの真正性を確認する(ステップS836)。 The control units 23-4 to 23-6 of the relay peers 2-4 to 2-6 are the sources of the data acquired from the connection information table 6 by the user ID of the source peer 2-1 included in the relay request, respectively. Whether or not it matches the user ID of the communication terminal (peer) 2-m, and whether or not the user ID of the destination peer 2-2 matches the user ID of the communication terminal (peer) 2-m to which the data is transmitted. By determining whether or not it is, the authenticity of the token is confirmed (step S836).
 真正性の確認後、即ち認証ピア2-11から受信した発信元ピア2-1のユーザIDと発信先ピア2-2のユーザIDとが、それぞれ接続情報テーブル6から取得したデータの発信元となる通信端末(ピア)2-mのユーザIDとデータの発信先となる通信端末(ピア)2-mのユーザIDとに合致することを条件に、中継ピア2-4~2-6の制御部23-4~23-6は、それぞれ発信先ピア2-2の接続情報を用いて、発信先ピア2-2とネットワークNを介して通信可能に接続する(ステップS837)。 After confirming the authenticity, that is, the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 received from the authentication peer 2-11 are the source of the data acquired from the connection information table 6, respectively. Control of relay peers 2-4 to 2-6 on condition that the user ID of the communication terminal (peer) 2-m and the user ID of the communication terminal (peer) 2-m to which the data is transmitted match. Units 23-4 to 23-6 are connected to the destination peer 2-2 via the network N so as to be able to communicate with each other by using the connection information of the destination peer 2-2 (step S837).
 そして、中継ピア2-4~2-6は、それぞれ発信先ピア2-2との接続が完了したことを報告する接続完了報告を、通信部21-4~21-6からネットワークNを介して認証ピア2-11に送信する(ステップS838)。 Then, the relay peers 2-4 to 2-6 send a connection completion report from the communication unit 21-4 to 21-6 via the network N to report that the connection with the destination peer 2-2 is completed, respectively. It is transmitted to the authentication peer 2-11 (step S838).
 認証ピア2-11の制御部23-11は、中継ピア2-4~2-6からネットワークNを介して、それぞれ送信される接続完了報告を通信部21-11で受信したことに応答して(ステップS839)、中継ピア2-4~2-6へデータを送信することを要求するデータ送信要求を、通信部21-11からネットワークNを介して発信元ピア2-1に送信する(ステップS840)。データ送信要求には、中継ピア2-4~2-6のユーザID及び接続情報等が含まれる。 The control unit 23-11 of the authentication peer 2-11 responds to the communication unit 21-11 receiving the connection completion report transmitted from the relay peers 2-4 to 2-6 via the network N, respectively. (Step S839), a data transmission request requesting transmission of data to the relay peers 2-4 to 2-6 is transmitted from the communication unit 21-11 to the source peer 2-1 via the network N (step S839). S840). The data transmission request includes the user IDs of the relay peers 2-4 to 2-6, connection information, and the like.
 発信元ピア2-1の制御部23-1は、認証ピア2-11からネットワークNを介して送信されるデータ送信要求を通信部21-1で受信したことに応答して(ステップS841)、データ送信要求に含まれる中継ピア2-4~2-6の接続情報を用いて、中継ピア2-4~2-6とネットワークNを介して通信可能に接続することにより、中継ピア2-4~2-6を経由する図3に示す代替経路(副経路)R4~R6を確立する(図14に示すステップS842)。これにより、トークンを使用した発信元ピア2-1と発信先ピア2-2との接続経路の多重化は、実現する。 The control unit 23-1 of the source peer 2-1 responds to the reception of the data transmission request transmitted from the authentication peer 2-11 via the network N by the communication unit 21-1 (step S841). By using the connection information of the relay peers 2-4 to 2-6 included in the data transmission request to connect to the relay peers 2-4 to 2-6 via the network N so as to be communicable, the relay peer 2-4 The alternative routes (secondary routes) R4 to R6 shown in FIG. 3 via ~ 2-6 are established (step S842 shown in FIG. 14). As a result, multiplexing of the connection route between the source peer 2-1 and the destination peer 2-2 using the token is realized.
 そして、発信元ピア2-1の制御部23-1は、通信部21-1から直接経路R0、代替経路(副経路)R4~R6及びR11を介して発信先ピア2-2とのデータの通信を開始してから(ステップS843)、三点認証処理を終了する。 Then, the control unit 23-1 of the source peer 2-1 receives data from the communication unit 21-1 with the destination peer 2-2 via the direct route R0, the alternative route (sub route) R4 to R6, and R11. After the communication is started (step S843), the three-point authentication process is terminated.
 以上説明したように、本実施形態に係る三点認証システム1は、ネットワークNを介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(ピア)2-mを具備する。複数の通信端末(ピア)2-mは、データの発信元となる発信元ピア2-1と、データの発信先となる発信先ピア2-2と、通信端末(ピア)2-m間に接続経路を確立することを支援する認証ピア2-11と、を備える。発信元ピア2-1は、発信元ピア2-1を特定するための発信元識別情報である発信元ピア2-1のユーザIDと、発信先ピア2-2を特定するための発信先識別情報である発信先ピア2-2のユーザIDと、を記憶する第2記憶部22-1を含む。発信先ピア2-2は、発信先ピア2-2との接続に必要な接続情報を記憶する記憶部22-2を含む。認証ピア2-11は、発信元ピア2-1との接続に必要な接続情報、及び中継ピア2-4~2-6との接続に必要な接続情報を記憶する記憶部22-11を含む。 As described above, the three-point authentication system 1 according to the present embodiment includes a plurality of communication terminals (peers) 2-m that are connected via the network N and communicate in a peer-to-peer manner. The plurality of communication terminals (peers) 2-m are located between the source peer 2-1 that is the source of data, the destination peer 2-2 that is the destination of data, and the communication terminal (peer) 2-m. It comprises an authentication peer 2-11, which assists in establishing a connection path. The source peer 2-1 identifies the user ID of the source peer 2-1 which is the source identification information for identifying the source peer 2-1 and the destination identification for identifying the destination peer 2-2. Includes a second storage unit 22-1 that stores the user ID of the destination peer 2-2, which is information. The destination peer 2-2 includes a storage unit 22-2 that stores connection information necessary for connection with the destination peer 2-2. The authentication peer 2-11 includes a storage unit 22-11 that stores connection information necessary for connecting to the source peer 2-1 and connection information necessary for connecting to the relay peers 2-4 to 2-6. ..
 本実施形態において、発信元ピア2-1は、認証ピア2-11の支援によって、発信先ピア2-2と直接接続する接続経路である直接経路R0を確立し、直接経路R0の確立後、認証ピア2-11に、認証ピア2-11とは異なる中継ピア2-4~2-6を経由して発信先ピア2-2と接続する接続経路である代替経路(副経路)R4~R6の確立の支援をネットワークNを介して要求することにより、代替経路(副経路)R4~R6を確立する。 In the present embodiment, the source peer 2-1 establishes a direct route R0 which is a connection route directly connected to the destination peer 2-2 with the support of the authentication peer 2-11, and after the establishment of the direct route R0, An alternative route (sub-route) R4 to R6 that connects the authentication peer 2-11 to the destination peer 2-2 via the relay peers 2-4 to 2-6 different from the authentication peer 2-11. By requesting support for the establishment of the alternative route (secondary route) R4 to R6 via the network N.
 具体的に、発信元ピア2-1は、発信先端末2-2と接続するための権利であるシードと、認証ピア2-11が発行した認証シリアルIDと、から、接続要求を特定するためのトークンを生成する。次に、発信元ピア2-1は、トークンを登録するトークンテーブル5の処分権者として発信元ピア2-1のユーザを登録する。続いて、発信元ピア2-1は、発信先ピア2-2との接続を要求する接続要求であって、トークンを含む接続要求をネットワークNを介して認証ピア2-11に送信する。さらに、発信元ピア2-1は、発信先ピア2-2からネットワークNを介して送信されるトークンと、発信先ピア2-2との接続に必要な接続情報と、を受信したことに応答して、発信先ピア2-2から受信したトークンが認証ピア2-11に送信したトークンに合致することを条件に、発信先ピア2-2の接続情報を用いて、発信先ピア2-2とネットワークNを介して接続することにより、直接経路R0を確立する。そして、発信元ピア2-1は、直接経路R0の確立後、トークンテーブル5の処分権者を認証ピア2-11のユーザに変更することにより、トークンテーブル5の処分権を、認証ピア2-11のユーザに移転する。 Specifically, the source peer 2-1 identifies the connection request from the seed, which is the right to connect to the destination terminal 2-2, and the authentication serial ID issued by the authentication peer 2-11. Generate a token for. Next, the source peer 2-1 registers the user of the source peer 2-1 as the disposal right holder of the token table 5 for registering the token. Subsequently, the source peer 2-1 is a connection request requesting a connection with the destination peer 2-2, and transmits the connection request including the token to the authentication peer 2-11 via the network N. Further, the source peer 2-1 responds to receiving the token transmitted from the destination peer 2-2 via the network N and the connection information necessary for connecting to the destination peer 2-2. Then, on condition that the token received from the destination peer 2-2 matches the token transmitted to the authentication peer 2-11, the destination peer 2-2 is used using the connection information of the destination peer 2-2. Directly establishes the route R0 by connecting to and via the network N. Then, after the direct route R0 is established, the source peer 2-1 changes the disposal right holder of the token table 5 to the user of the authentication peer 2-11, so that the disposal right of the token table 5 is changed to the authentication peer 2-. Move to 11 users.
 また、発信元ピア2-1は、直接経路R0の確立後、発信元ピア2-1のユーザIDと、発信先ピア2-2のユーザIDと、発信先ピア2-2の接続情報と、を対応付けて登録する接続情報テーブル6を生成する。そして、発信元ピア2-1は、発信元ピア2-1のユーザIDと、発信先ピア2-2のユーザIDと、をネットワークNを介して認証ピア2-11に送信することにより、認証ピア2-11に代替経路(副経路)R4~R6の確立の支援をネットワークNを介して要求する。 Further, after the direct route R0 is established, the source peer 2-1 receives the user ID of the source peer 2-1, the user ID of the destination peer 2-2, and the connection information of the destination peer 2-2. Generate a connection information table 6 to be registered in association with each other. Then, the source peer 2-1 is authenticated by transmitting the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 to the authentication peer 2-11 via the network N. Request peers 2-11 to support the establishment of alternative routes (secondary routes) R4 to R6 via the network N.
 認証ピア2-11は、発信元ピア2-1からネットワークNを介して送信される発信元ピア2-1のユーザIDと、発信先ピア2-2のユーザIDと、を受信して、代替経路(副経路)R4~R6の確立の支援が要求されたことに応答して、発信元ピア2-1のユーザIDと、発信先ピア2-2のユーザIDと、をネットワークNを介して中継ピア2-4~2-6に送信することにより、発信先ピア2-2との接続を中継ピア2-4~2-6にネットワークNを介して要求する。 The authentication peer 2-11 receives the user ID of the source peer 2-1 transmitted from the source peer 2-1 via the network N and the user ID of the destination peer 2-2, and substitutes the user ID. In response to the request for assistance in establishing routes (sub-routes) R4 to R6, the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 are transmitted via the network N. By transmitting to the relay peers 2-4 to 2-6, the relay peers 2-4 to 2-6 are requested to connect to the transmission destination peer 2-2 via the network N.
 中継ピア2-4~2-6は、認証ピア2-11からネットワークNを介して送信される発信元ピア2-1のユーザIDと、発信先ピア2-2のユーザIDと、を受信して、発信先ピア2-2との接続が要求されたことに応答して、発信先ピア2-2の接続情報を接続情報テーブル6から取得する。そして、中継ピア2-4~2-6は、受信した発信元ピア2-1のユーザIDと、発信先ピア2-2のユーザIDと、がそれぞれ接続情報テーブル6に登録されている発信元ピア2-1のユーザIDと、発信先ピア2-2のユーザIDと、に合致することを条件に、発信先ピア2-2の接続情報を用いて、発信先端末2-2とネットワークNを介して接続する。 The relay peers 2-4 to 2-6 receive the user ID of the source peer 2-1 and the user ID of the destination peer 2-2 transmitted from the authentication peer 2-11 via the network N. Then, in response to the request for connection with the destination peer 2-2, the connection information of the destination peer 2-2 is acquired from the connection information table 6. Then, in the relay peers 2-4 to 2-6, the user ID of the received source peer 2-1 and the user ID of the destination peer 2-2 are registered in the connection information table 6, respectively. The destination terminal 2-2 and the network N are used using the connection information of the destination peer 2-2 on condition that the user ID of the peer 2-1 and the user ID of the destination peer 2-2 are matched. Connect via.
 認証ピア2-11は、発信先ピア2-2と中継ピア2-4~2-6とがネットワークNを介して接続された後、中継端末2-4~2-6の接続情報をネットワークNを介して発信元ピア2-1に送信する。 The authentication peer 2-11 transfers the connection information of the relay terminals 2-4 to 2-6 to the network N after the transmission destination peer 2-2 and the relay peers 2-4 to 2-6 are connected via the network N. It is transmitted to the source peer 2-1 via.
 発信元ピア2-1は、認証ピア2-11からネットワークNを介して送信される中継ピア2-4~2-6との接続に必要な接続情報を用いて、中継ピア2-4~2-6とネットワークNを介して接続することにより、代替経路(副経路)R4~R6を確立する。 The source peer 2-1 uses the connection information necessary for connecting to the relay peers 2-4 to 2-6 transmitted from the authentication peer 2-11 via the network N, and the relay peers 2-4-2 are used. By connecting to -6 via the network N, alternative routes (secondary routes) R4 to R6 are established.
 このように、本実施形態に係る三点認証システム1は、トークンを使用して、論理的に接続経路するために発信先ピア2-2の認証を行うことで、認証ピア2-11の計算量を低減し、発信先ピア2-2の認証を高速化及び高効率化することができる。そして、三点認証システム1は、従来のようにハードウェアに依存することなく、ソフトウェアにより論理的に接続経路(論理経路)を多重化することができるため、コスト等の問題を解決することができる。さらに、認証ピア2-11は、トークンを使用して、中継ピア2-4~2-6にルーティングを委託することができるため、三点認証システム1は、ルーティング作業の負荷を、認証ピア2-11及び中継ピア2-4~2-6等の複数の通信端末2-mに分散させることができる。 As described above, the three-point authentication system 1 according to the present embodiment calculates the authentication peer 2-11 by authenticating the destination peer 2-2 in order to logically connect using the token. The amount can be reduced, and the authentication of the destination peer 2-2 can be speeded up and made highly efficient. Further, since the three-point authentication system 1 can logically multiplex the connection path (logical path) by software without depending on the hardware as in the conventional case, it is possible to solve problems such as cost. can. Further, since the authentication peer 2-11 can outsource the routing to the relay peers 2-4 to 2-6 by using the token, the three-point authentication system 1 puts the load of the routing work on the authentication peer 2. It can be distributed to a plurality of communication terminals 2-m such as -11 and relay peers 2-4 to 2-6.
 また、三点認証システム1は、発信元ピア2-1と発信先ピア2-2との接続経路を多重化し、秘密分散等のアルゴリズムを使用してデータを分割し、重複しない通信パケットを配信することで、いずれかの接続経路がハッキングされてもデータ全体が漏洩することを防止して、データの内容を秘匿することができる。さらに、三点認証システム1は、接続経路を細分化したり、排他的論理和(XOR)で秘匿化したデータを送信したりすることで、データの漏洩を事実上ほぼ防止することができる。また、三点認証システム1は、データを接続経路の数に応じて分割し、シリアル番号を付加して配信することで、データを高効率に伝送できるため、データの通信速度を高速化することができる。 In addition, the three-point authentication system 1 multiplexes the connection path between the source peer 2-1 and the destination peer 2-2, divides the data using an algorithm such as secret sharing, and delivers non-duplicate communication packets. By doing so, it is possible to prevent the entire data from being leaked even if any of the connection paths is hacked, and to conceal the contents of the data. Further, the three-point authentication system 1 can substantially prevent data leakage by subdividing the connection path or transmitting data concealed by exclusive OR (XOR). In addition, the three-point authentication system 1 divides the data according to the number of connection routes, adds a serial number, and distributes the data, so that the data can be transmitted with high efficiency, so that the communication speed of the data can be increased. Can be done.
 一方、三点認証システム1は、複数の接続経路に同一の通信パケットを配信することで、特定の接続経路によるボトルネックを回避することができる。また、三点認証システム1は、複数の接続経路に同一の通信パケットを配信して、発信元ピア2-1と発信元ピア2-2との接続可用性を向上させることで、いずれかの接続経路に障害が生じても別の接続経路で再送できるようになるため、堅牢である。 On the other hand, the three-point authentication system 1 can avoid a bottleneck due to a specific connection route by delivering the same communication packet to a plurality of connection routes. Further, the three-point authentication system 1 distributes the same communication packet to a plurality of connection paths to improve the connection availability between the source peer 2-1 and the source peer 2-2, thereby making any connection. It is robust because it can be retransmitted via another connection route even if the route fails.
 この結果、本実施形態に係る三点認証システム1は、効率的な通信を実現できる。 As a result, the three-point authentication system 1 according to the present embodiment can realize efficient communication.
 また、共有台帳20のトークンテーブル5に記録されるトークンの履歴は、ビッグデータ(個人情報を含まないが属性情報を含む)として活用できる。さらに、多重化による接続経路の分割は、分散ストレージとして応用できる。通信端末(ピア)2-m同士の通信によって、グラフデータベースを形成することができる。 Further, the history of tokens recorded in the token table 5 of the shared ledger 20 can be utilized as big data (not including personal information but including attribute information). Furthermore, the division of the connection path by multiplexing can be applied as distributed storage. A graph database can be formed by communication between communication terminals (peers) 2-m.
 さらに、三点認証システム1は、トークンを使用することで、発信元ピア2-1と発信先ピア2-2との認証、接続、及びルーティングを効率化することができる。また、三点認証システム1は、トークンテーブル5の処分権をインセンティブに使用することで、認証ピア2-11及び中継ピア2-4~2-6によるネットワークへの貢献を定量化して評価し、インセンティブを発生させ、参加意識を高めることができる。そして、三点認証システム1は、多数の通信端末(ピア)2-mの参加により、ピア密度を高めて維持することで、ネットワーク性能を向上させ、可用性を高めることができる。 Furthermore, the three-point authentication system 1 can improve the efficiency of authentication, connection, and routing between the source peer 2-1 and the destination peer 2-2 by using the token. In addition, the three-point authentication system 1 quantifies and evaluates the contribution of the authentication peer 2-11 and the relay peers 2-4 to 2-6 to the network by using the disposal right of the token table 5 as an incentive. It can generate incentives and raise awareness of participation. The three-point authentication system 1 can improve the network performance and the availability by increasing and maintaining the peer density by the participation of a large number of communication terminals (peers) 2-m.
 さらに、従来、サーバコンピュータによって実装されていた発信元ピア2-1と発信元ピア2-2との接続機能及びルーティング機能が、トークンによって効率化され、通信端末(ピア)2-mによって代替えすることができるようになったため、接続経路の多重化によりエンドツーエンドでのセキュリティや配信効率を飛躍的に向上させることができる。 Further, the connection function and the routing function between the source peer 2-1 and the source peer 2-2, which have been conventionally implemented by the server computer, are streamlined by the token and replaced by the communication terminal (peer) 2-m. As a result, it is possible to dramatically improve end-to-end security and distribution efficiency by multiplexing connection routes.
 この結果、本実施形態に係る三点認証システム1は、効率的な通信を実現できる。 As a result, the three-point authentication system 1 according to the present embodiment can realize efficient communication.
 なお、本発明は、上記の実施形態に限定されず、種々の変形、応用が可能である。以下、本発明に適用可能な上記の実施形態の変形態様について、説明する。 The present invention is not limited to the above embodiment, and various modifications and applications are possible. Hereinafter, modifications of the above embodiment applicable to the present invention will be described.
 上記の実施形態では、発信元ピア2-1が、発信先ピア2-2との接続経路の多重化を認証ピア2-11に要求し、認証ピア2-11が、発信元ピア2-1と発信先ピア2-2とのデータの通信の中継を中継ピア2-4~2-6に要求することにより、発信元ピア2-1と発信先ピア2-2との接続経路を多重化するものとして説明した。しかしながら、本発明はこれに限定されるものではなく、発信元ピア2-1が、発信先ピア2-2との接続が可能か否かを問い合わせる第1接続問合せを、複数の認証ピアに送信することにより、発信元ピア2-1と発信先ピア2-2との接続経路を多重化してもよい。 In the above embodiment, the source peer 2-1 requests the authentication peer 2-11 to multiplex the connection route with the destination peer 2-2, and the authentication peer 2-11 is the source peer 2-1. By requesting relay peers 2-4 to 2-6 to relay data communication between the source peer 2-2 and the destination peer 2-2, the connection path between the source peer 2-1 and the destination peer 2-2 is multiplexed. Explained as what to do. However, the present invention is not limited to this, and the source peer 2-1 transmits a first connection inquiry asking whether or not the connection with the destination peer 2-2 is possible to a plurality of authentication peers. By doing so, the connection path between the source peer 2-1 and the destination peer 2-2 may be multiplexed.
 図15は、本変形例に係るP2P型ネットワークの概念図である。なお、上記の実施形態に係る三点認証システム1と同様の構成については、同一の符号を付し、その説明を省略する。 FIG. 15 is a conceptual diagram of a P2P type network according to this modified example. The same components as those of the three-point authentication system 1 according to the above embodiment are designated by the same reference numerals, and the description thereof will be omitted.
 図15に示すように、通信端末(ピア)2-mには、発信元ピア2-1、発信先ピア2-2、シード発行ピア2-3、及び認証ピア2-11~2-13等の複数の認証ピア2-(10+n)(nは自然数)が含まれる。本変形例では、認証ピア2-12及び2-13等の認証ピア2-(10+n)(n≧2)を上記の実施形態における中継ピア(本発明における「中継端末」)として機能させる。 As shown in FIG. 15, the communication terminal (peer) 2-m includes a source peer 2-1, a destination peer 2-2, a seed issuing peer 2-3, an authentication peer 2-11 to 2-13, and the like. Multiple authentication peers 2- (10 + n) (n is a natural number) are included. In this modification, the authentication peers 2- (10 + n) (n ≧ 2) such as the authentication peers 2-12 and 2-13 function as the relay peer (“relay terminal” in the present invention) in the above embodiment.
 本変形例において、発信元ピア2-1は、発信元ピア2-1及び発信先ピア2-2のユーザIDを記憶部22-1に保持(記憶)する。また、発信元ピア2-1は、複数の接続グループに属し、複数の認証ピア(支援端末及び中継端末)2-(10+n)との接続に必要な接続情報を記憶部22-1に保持(記憶)する。発信元ピア2-1の制御部23-1は、代替経路(副経路)R(10+n)の確立後、下記の数1に示す数式に従って、直接経路R0及び代替経路(副経路)R(10+n)を介して接続された通信端末2-mが発信先ピア2-2であることの信頼度についての定量的評価値fi(iは多重因子の深さ(代替経路(副経路)R(10+n)の数))を求める。 In this modification, the source peer 2-1 holds (stores) the user IDs of the source peer 2-1 and the destination peer 2-2 in the storage unit 22-1. Further, the source peer 2-1 belongs to a plurality of connection groups, and holds the connection information necessary for connection with the plurality of authentication peers (support terminal and relay terminal) 2- (10 + n) in the storage unit 22-1 (the storage unit 22-1). Remember. After the alternative route (sub route) R (10 + n) is established, the control unit 23-1 of the source peer 2-1 directly routes R0 and the alternative route (sub route) R (10 + n) according to the formula shown in Equation 1 below. ) Quantitative evaluation value fi (i is the depth of multiple factors (alternative route (secondary route) R (10 + n)) for the reliability that the communication terminal 2-m connected via) is the destination peer 2-2. ) Number)) is calculated.
Figure JPOXMLDOC01-appb-M000001
Figure JPOXMLDOC01-appb-M000001
 ここで、Cnは、認証ピア2-(10+n)の信頼性について第三者(P2Pネットワーク)が評価して定量化した定数(信頼定数)である。Dnは、認証ピア2-(10+n)の発信先ピア2-2に対する信頼定数である。これらの信頼定数Cn及びDnは、“0”~“1”の数値で表され、数値が大きい程、信頼度が高くなる。定量的評価値fiは、代替経路(副経路)R(10+n)(n≧2)を追加し、発信元ピア2-1と発信先ピア2-2との接続経路を多重化することによって向上する。 Here, Cn is a constant (reliability constant) evaluated and quantified by a third party (P2P network) for the reliability of the authentication peer 2- (10 + n). Dn is a confidence constant for the destination peer 2-2 of the authentication peer 2- (10 + n). These reliability constants Cn and Dn are represented by numerical values of "0" to "1", and the larger the numerical value, the higher the reliability. The quantitative evaluation value fi is improved by adding an alternative route (secondary route) R (10 + n) (n ≧ 2) and multiplexing the connection route between the source peer 2-1 and the destination peer 2-2. do.
 認証ピア2-(10+n)は、発信元ピア2-1と発信先ピア2-2との認証機能、接続機能、及びルーティング機能を有する。認証ピア2-(10+n)は、それぞれ発信元ピア2-1及び発信先ピア2-2のユーザIDと接続情報とを対応付けて登録するグラフデータベースを記憶部2-(10+n)(第4記憶部)に備える。認証ピア2-(10+n)は、信頼定数Cn及びDnを記憶部2-(10+n)に保持(記憶)する。信頼定数Cn及びDnは、通信部21-(10+n)からネットワークNを介して発信元ピア2-1に通知される。なお、予め算出した信頼定数Cnと信頼定数Dnとの積が、発信元ピア2-1に通知されてもよい。 Authentication peer 2- (10 + n) has an authentication function, a connection function, and a routing function between the source peer 2-1 and the destination peer 2-2. The authentication peer 2- (10 + n) stores a graph database in which the user IDs of the source peer 2-1 and the destination peer 2-2 and the connection information are registered in association with each other, respectively, in the storage unit 2- (10 + n) (fourth storage). Part). The authentication peer 2- (10 + n) holds (stores) the confidence constants Cn and Dn in the storage unit 2- (10 + n). The reliability constants Cn and Dn are notified from the communication unit 21- (10 + n) to the source peer 2-1 via the network N. The product of the reliability constant Cn and the reliability constant Dn calculated in advance may be notified to the source peer 2-1.
 図16~図19は、本変形例に係る三点認証処理の詳細を示すフローチャートである。 16 to 19 are flowcharts showing the details of the three-point authentication process according to this modification.
 図16~図19に示す三点認証処理において、上記の実施形態に係るステップS801~S829の処理を実行した後、発信元ピア2-1の制御部23-1は、認証ピア2-(10+n)の信頼定数Cn及び信頼定数Dn(又は信頼定数Cnと信頼定数Dnとの積)を、通信部21-1からネットワークNを介して認証ピア2-(10+n)より取得する(図16に示すステップS1601)。 In the three-point authentication process shown in FIGS. 16 to 19, after executing the processes of steps S801 to S829 according to the above embodiment, the control unit 23-1 of the source peer 2-1 is set to the authentication peer 2- (10 + n). ) And the confidence constant Dn (or the product of the confidence constant Cn and the confidence constant Dn) are acquired from the communication unit 21-1 via the network N from the authentication peer 2- (10 + n) (shown in FIG. 16). Step S1601).
 そして、発信元ピア2-1の制御部23-1は、下記の数1に示す数式に従って、定量的評価値fiを算出する(ステップS1602)。 Then, the control unit 23-1 of the source peer 2-1 calculates the quantitative evaluation value fi according to the mathematical formula shown in the following equation 1 (step S1602).
 続いて、発信元ピア2-1の制御部23-1は、定量的評価値fiが所定の閾値以上であるか否かを判別する(ステップS1603)。 Subsequently, the control unit 23-1 of the source peer 2-1 determines whether or not the quantitative evaluation value fi is equal to or greater than a predetermined threshold value (step S1603).
 発信元ピア2-1の制御部23-1は、定量的評価値fiが所定の閾値未満であると判別した場合(ステップS1603;No)、直接経路R0及び代替経路(副経路)R(10+n)を介して接続された通信端末2-mが発信先ピア2-2であることの信頼度(セキュリティ)が不十分であるものとして、代替経路(副経路)R(10+n)(n≧2)を追加して、信頼度を高めるべく、記憶部22-1に記憶される認証ピア2-(10+n)(n≧2)の接続情報を用いて、認証ピア2-(10+n)(n≧2)とネットワークNを介して通信可能に接続する(ステップS1604)。 When the control unit 23-1 of the source peer 2-1 determines that the quantitative evaluation value fi is less than a predetermined threshold value (step S1603; No), the direct route R0 and the alternative route (secondary route) R (10 + n) The alternative route (secondary route) R (10 + n) (n ≧ 2) is assumed to have insufficient reliability (security) that the communication terminal 2-m connected via) is the destination peer 2-2. ) Is added to increase the reliability, and the connection information of the authentication peer 2- (10 + n) (n ≧ 2) stored in the storage unit 22-1 is used to authenticate the authentication peer 2- (10 + n) (n ≧ 2). 2) is connected to the network N so as to be communicable (step S1604).
 そして、発信元ピア2-1の制御部23-1は、第1接続問合せを、通信部21-1からネットワークNを介して認証ピア2-(10+n)(n≧2)に送信する(ステップS1605)。 Then, the control unit 23-1 of the source peer 2-1 transmits the first connection inquiry from the communication unit 21-1 to the authentication peer 2- (10 + n) (n ≧ 2) via the network N (step). S1605).
 認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、発信元ピア2-1からネットワークNを介して送信される第1接続問合せを通信部21-(10+n)(n≧2)で受信したことに応答して(図17に示すステップS1606)、第1接続問合せに含まれる発信先ピア2-2のユーザIDがグラフデータベースに登録されているか否かにより、発信先ピア2-2の認証が可能か否かを判別する(ステップS1607)。 The control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2) sends a first connection inquiry transmitted from the source peer 2-1 via the network N to the communication unit 21. -In response to the reception in (10 + n) (n ≧ 2) (step S1606 shown in FIG. 17), is the user ID of the destination peer 2-2 included in the first connection query registered in the graph database? Depending on whether or not the call destination peer 2-2 can be authenticated, it is determined (step S1607).
 認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、発信先ピア2-2のユーザIDがグラフデータベースに登録されておらず、発信先ピア2-2の認証が不能であると判別した場合(ステップS1607;No)、第1接続問合せを通信部21-(10+n)(n≧2)からネットワークNを介して他の認証ピアに送信することより、発信先ピア2-2の認証を他の認証ピアに委託する(ステップS1608)。他の認証ピアは、認証ピア2-11からネットワークNを介して送信される認証問合せを通信部で受信したことに応答して、認証ピア2-(10+n)(n≧2)と同様の処理を行う。 In the control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2), the user ID of the destination peer 2-2 is not registered in the graph database, and the destination peer 2 When it is determined that the authentication of -2 is impossible (step S1607; No), the first connection inquiry is transmitted from the communication unit 21- (10 + n) (n ≧ 2) to another authentication peer via the network N. Therefore, the authentication of the destination peer 2-2 is outsourced to another authentication peer (step S1608). The other authentication peer responds to the reception of the authentication inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit, and performs the same processing as the authentication peer 2- (10 + n) (n ≧ 2). I do.
 一方、認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、発信先ピア2-2のユーザIDがグラフデータベースに登録されており、発信先ピア2-2の認証が可能であると判別した場合(ステップS1607;Yes)、認証シリアルID(中継端末発行情報)を発行する(ステップS1609)。認証ピア2-(10+n)(n≧2)が発行する認証シリアルID(中継端末発行情報)は、認証ピア2-11が発行する認証シリアルID(支援端末発行情報)とは異なるものとなっている。また、認証ピア2-(10+n)(n≧2)が発行する認証シリアルID(中継端末発行情報)も、認証ピア2-11毎に異なるものとなっている。 On the other hand, in the control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2), the user ID of the call destination peer 2-2 is registered in the graph database, and the call destination peer When it is determined that the authentication of 2-2 is possible (step S1607; Yes), the authentication serial ID (relay terminal issuance information) is issued (step S1609). The authentication serial ID (relay terminal issuance information) issued by the authentication peer 2- (10 + n) (n ≧ 2) is different from the authentication serial ID (support terminal issuance information) issued by the authentication peer 2-11. There is. Further, the authentication serial ID (relay terminal issuance information) issued by the authentication peer 2- (10 + n) (n ≧ 2) is also different for each authentication peer 2-11.
 そして、認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、発信先ピア2-2との接続が可能との第1接続回答を、通信部21-(10+n)(n≧2)からネットワークNを介して発信元ピア2-1に送信する(ステップS1610)。 Then, the control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2) gives the first connection answer that the connection with the destination peer 2-2 is possible, and the communication unit. It is transmitted from 21- (10 + n) (n ≧ 2) to the source peer 2-1 via the network N (step S1610).
 発信元ピア2-1の制御部23-1は、認証ピア2-(10+n)(n≧2)からネットワークNを介して送信される発信先ピア2-2との接続が可能との第1接続回答を通信部21-1で受信したことに応答して(ステップS1611)、シードと認証シリアルIDとから、シードと認証シリアルIDとのハッシュ値からなるトークンを発行(生成)する(図18に示すステップS1612)。トークンを発行する際、シードは、認証ピア2-11及び認証ピア2-(10+n)(n≧2)で同一のものが使用される一方で、認証シリアルIDは、認証ピア2-11及び認証ピア2-(10+n)(n≧2)毎に異なるものが使用される。このため、トークンは、認証ピア2-11及び認証ピア2-(10+n)(n≧2)毎に異なるものが発行される。トークンは、認証ピア2-(10+n)(n≧2)に対してデータを通信する際の通信パケットに添付される。 The control unit 23-1 of the source peer 2-1 can be connected to the destination peer 2-2 transmitted from the authentication peer 2- (10 + n) (n ≧ 2) via the network N. In response to receiving the connection response in the communication unit 21-1 (step S1611), a token consisting of a hash value of the seed and the authentication serial ID is issued (generated) from the seed and the authentication serial ID (FIG. 18). Step S1612) shown in. When issuing a token, the same seed is used for authentication peer 2-11 and authentication peer 2- (10 + n) (n ≧ 2), while the authentication serial ID is authentication peer 2-11 and authentication. A different one is used for each peer 2- (10 + n) (n ≧ 2). Therefore, different tokens are issued for each of the authentication peer 2-11 and the authentication peer 2- (10 + n) (n ≧ 2). The token is attached to a communication packet when communicating data with the authentication peer 2- (10 + n) (n ≧ 2).
 そして、発信元ピア2-1の制御部23-1は、図5(a)に示すトークンテーブル5を、通信部21-1からネットワークNを介して共有台帳20に生成する(ステップS1613)。トークンは、認証ピア2-11及び認証ピア2-(10+n)(n≧2)毎に異なるものが発行されることから、トークンテーブル5も、認証ピア2-11及び認証ピア2-(10+n)(n≧2)毎に異なるものが生成される。 Then, the control unit 23-1 of the source peer 2-1 generates the token table 5 shown in FIG. 5A from the communication unit 21-1 to the shared ledger 20 via the network N (step S1613). Since different tokens are issued for each of the authentication peer 2-11 and the authentication peer 2- (10 + n) (n ≧ 2), the token table 5 also has the authentication peer 2-11 and the authentication peer 2- (10 + n). Different things are generated for each (n ≧ 2).
 また、発信元ピア2-1の制御部23-1は、接続要求を、通信部21-1からネットワークNを介して認証ピア2-(10+n)(n≧2)に送信する(ステップS1614)。 Further, the control unit 23-1 of the source peer 2-1 transmits a connection request from the communication unit 21-1 to the authentication peer 2- (10 + n) (n ≧ 2) via the network N (step S1614). ..
 認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、発信元ピア2-1からネットワークNを介して送信される接続要求を通信部21-(10+n)(n≧2)で受信したことに応答して(ステップS1615)、接続要求に含まれるシードのハッシュ値に対応するトークンの発行者のユーザID及びシードの有効期限を、通信部21-(10+n)(n≧2)からネットワークNを介して共有台帳20のトークンテーブル5より取得する(ステップS1616)。 The control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2) sends a connection request transmitted from the source peer 2-1 via the network N to the communication unit 21- (10 + n) (n ≧ 2). In response to the reception in 10 + n) (n ≧ 2) (step S1615), the user ID of the issuer of the token corresponding to the hash value of the seed included in the connection request and the expiration date of the seed are set by the communication unit 21-. (10 + n) (n ≧ 2) is acquired from the token table 5 of the shared ledger 20 via the network N (step S1616).
 そして、認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、トークンの発行者のユーザIDが認証問合せに含まれる発信元ピア2-1のユーザIDに合致するか否かや、シードの有効期限内か否かを判別することにより、接続要求に含まれるトークンの真正性を確認する(ステップS1617)。 Then, the control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2) is a user of the source peer 2-1 in which the user ID of the token issuer is included in the authentication query. The authenticity of the token included in the connection request is confirmed by determining whether or not the ID matches and whether or not the seed has expired (step S1617).
 真正性の確認後、認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、記憶部22-(10+n)(n≧2)に記憶される発信先ピア2-2の接続情報を用いて、発信先ピア2-2とネットワークNを介して通信可能に接続することにより、認証ピア2-(10+n)(n≧2)を経由する図15に示す代替経路(副経路)R(10+n)(n≧2)を確立する(ステップS1618)。 After confirming the authenticity, the control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2) is stored in the storage unit 22- (10 + n) (n ≧ 2). FIG. 15 shows FIG. 15 via the authentication peer 2- (10 + n) (n ≧ 2) by connecting to the destination peer 2-2 via the network N so as to be communicable using the connection information of the destination peer 2-2. The indicated alternative route (secondary route) R (10 + n) (n ≧ 2) is established (step S1618).
 そして、認証ピア2-(10+n)(n≧2)の制御部23-(10+n)(n≧2)は、代替経路(副経路)R(10+n)(n≧2)の確立が完了したことを報告する代替経路確立報告を、通信部21-(10+n)(n≧2)からネットワークNを介して認証ピア2-(10+n)(n≧2)に送信する(ステップS1619)。 Then, the control unit 23- (10 + n) (n ≧ 2) of the authentication peer 2- (10 + n) (n ≧ 2) has completed the establishment of the alternative route (secondary route) R (10 + n) (n ≧ 2). The alternative route establishment report is transmitted from the communication unit 21- (10 + n) (n ≧ 2) to the authentication peer 2- (10 + n) (n ≧ 2) via the network N (step S1619).
 発信元ピア2-1の制御部23-1は、認証ピア2-(10+n)(n≧2)からネットワークNを介して送信される代替経路確立報告を通信部21-1で受信したことに応答して(図19に示すステップS1620)、図20に示すように、通信部21-1からネットワークNを介してトークンテーブル5の処分権者のユーザIDを、発信元ピア2-1のユーザIDから、認証ピア2-(10+n)(n≧2)のユーザIDに書き換える電子署名を行うことにより、トークンテーブル5の処分権を、発信元ピア2-1のユーザから認証ピア2-(10+n)(n≧2)のユーザに移転する(ステップS1621)。 The control unit 23-1 of the source peer 2-1 has received the alternative route establishment report transmitted from the authentication peer 2- (10 + n) (n ≧ 2) via the network N by the communication unit 21-1. In response (step S1620 shown in FIG. 19), as shown in FIG. 20, the user ID of the disposal right holder of the token table 5 is transmitted from the communication unit 21-1 via the network N to the user of the source peer 2-1. By digitally signing the ID to rewrite the user ID of the authentication peer 2- (10 + n) (n ≧ 2), the right to dispose of the token table 5 is given by the user of the source peer 2-1 to the authentication peer 2- (10 + n). ) (N ≧ 2) (step S1621).
 そして、発信元ピア2-1の制御部23-1は、トークンテーブル5の処分権の移転が完了したことを、通信部21-1からネットワークNを介して認証ピア2-(10+n)(n≧2)に報告してから(ステップS1622)、代替経路(副経路)R(10+n)の追加後の信頼度についての定量的評価値fiを再度算出すべく、ステップS1601の処理へとリターンする。 Then, the control unit 23-1 of the source peer 2-1 notifies that the transfer of the disposal right of the token table 5 is completed from the communication unit 21-1 via the network N to the authentication peer 2- (10 + n) (n). After reporting to ≧ 2) (step S1622), the process returns to the process of step S1601 in order to recalculate the quantitative evaluation value fi for the reliability after the addition of the alternative route (secondary route) R (10 + n). ..
 そして、発信元ピア2-1の制御部23-1は、定量的評価値fiが所定の閾値以上であると判別した場合(ステップS1603;Yes)、直接経路R0及び代替経路(副経路)R(10+n)を介して接続された通信端末2-mが発信先ピア2-2であることの信頼度が十分高くなったとして、通信部21-1から直接経路R0及び代替経路(副経路)R11~R13を介して発信先ピア2-2とのデータの通信を開始してから(ステップS1623)、三点認証処理を終了する。なお、発信元ピア2-1の制御部23-1は、信頼定数Cnと信頼定数Dnとの積が“1”となる認証ピア2-(10+n)が検出された場合、定量的評価値fiが必ず“1”となって所定の閾値以上となることから、その時点で接続経路の多重化を終了してもよい。また、信頼定数Cnと信頼定数Dnとの積が“0”となる認証ピア2-(10+n)を経由する代替経路(副経路)は、定量的評価値fiの向上に何等寄与しないことから、追加されないようにしてもよい。 Then, when the control unit 23-1 of the source peer 2-1 determines that the quantitative evaluation value fi is equal to or higher than a predetermined threshold value (step S1603; Yes), the direct route R0 and the alternative route (secondary route) R Assuming that the reliability that the communication terminal 2-m connected via (10 + n) is the transmission destination peer 2-2 is sufficiently high, the direct route R0 and the alternative route (secondary route) from the communication unit 21-1 After starting data communication with the destination peer 2-2 via R11 to R13 (step S1623), the three-point authentication process ends. The control unit 23-1 of the source peer 2-1 detects a quantitative evaluation value fi when the authentication peer 2- (10 + n) in which the product of the confidence constant Cn and the confidence constant Dn is “1” is detected. Is always "1" and exceeds a predetermined threshold value. Therefore, the multiplexing of the connection path may be terminated at that time. Further, the alternative route (secondary route) via the authentication peer 2- (10 + n) in which the product of the confidence constant Cn and the confidence constant Dn is “0” does not contribute to the improvement of the quantitative evaluation value fi. It may not be added.
 以上説明したように、本変形例に係る三点認証システム1は、直接経路R0を確立した後、直接経路R0を介いて接続された通信端末2-mが発信先ピア2-2であることの信頼度を算出する。そして、三点認証システム1は、信頼度が所定の閾値未満であることを条件に、認証ピア2-12及び2-13にネットワークNを介して接続し、発信先ピア2-2との接続をネットワークNを介して要求することにより、代替経路(副経路)R4~R6を確立する。 As described above, in the three-point authentication system 1 according to this modification, the communication terminal 2-m connected via the direct path R0 after the direct path R0 is established is the transmission destination peer 2-2. Calculate the reliability of. Then, the three-point authentication system 1 connects to the authentication peers 2-12 and 2-13 via the network N on condition that the reliability is less than a predetermined threshold value, and connects to the destination peer 2-2. Is requested via the network N to establish alternative routes (secondary routes) R4 to R6.
 具体的に、発信元ピア2-1は、認証ピア2-12及び2-13等との接続に必要な接続情報を記憶する記憶部22-1を含む。また、認証ピア2-12及び2-13は、それぞれ発信先ピア2-2との接続に必要な接続情報を記憶する記憶部2-12及び2-13を含む。 Specifically, the source peer 2-1 includes a storage unit 22-1 that stores connection information necessary for connection with the authentication peers 2-12, 2-13, and the like. Further, the authentication peers 2-12 and 2-13 include storage units 2-12 and 2-13 for storing connection information necessary for connection with the destination peer 2-2, respectively.
 発信元ピア2-1は、直接経路R0を確立した後、直接経路R0を介して接続された通信端末2-mが発信先ピア2-2であることの信頼度を算出する。発信元ピア2-1は、信頼度が所定の閾値未満であることを条件に、認証ピア2-12の接続情報を用いて、認証ピア2-12とネットワークNを介して接続する。次に、発信元ピア2-1は、発信先端末2-2と接続するための権利であるシードと、認証ピア2-12が発行した認証シリアルIDと、から、接続要求を特定するためのトークンを生成する。そして、発信元ピア2-1は、トークンを含む接続要求をネットワークNを介して送信することにより、発信先ピア2-2との接続を認証ピア2-12にネットワークNを介して要求する。 After establishing the direct route R0, the source peer 2-1 calculates the reliability that the communication terminal 2-m connected via the direct route R0 is the destination peer 2-2. The source peer 2-1 connects to the authentication peer 2-12 via the network N by using the connection information of the authentication peer 2-12, provided that the reliability is less than a predetermined threshold value. Next, the source peer 2-1 is for specifying the connection request from the seed, which is the right to connect to the destination terminal 2-2, and the authentication serial ID issued by the authentication peer 2-12. Generate a token. Then, the source peer 2-1 requests the authentication peer 2-12 to connect to the destination peer 2-2 via the network N by transmitting the connection request including the token via the network N.
 認証ピア2-12は、発信元ピア2-1からネットワークNを介して発信先ピア2-2との接続が要求されたことに応答して、発信先ピア2-2の接続情報を用いて、発信先ピア2-2とネットワークNを介して接続することにより、代替経路(副経路)R12を確立する。 The authentication peer 2-12 uses the connection information of the destination peer 2-2 in response to the request from the source peer 2-1 to connect to the destination peer 2-2 via the network N. , An alternative route (secondary route) R12 is established by connecting to the destination peer 2-2 via the network N.
 発信元ピア2-1は、認証ピア2-12を経由して発信先ピア2-2と接続する代替経路(副経路)R12の確立後、直接経路R0及び代替経路(副
経路)R12を介して接続された通信端末2-mが発信先ピア2-2であることの信頼度を算出する。そして、発信元ピア2-1は、信頼度が所定の閾値未満であることを条件に、発信先ピア2-2との接続を認証ピア2-13にネットワークNを介して要求する。 The source peer 2-1 establishes an alternative route (sub route) R12 that connects to the destination peer 2-2 via the authentication peer 2-12, and then goes through the direct route R0 and the alternative route (sub route) R12. The reliability that the communication terminal 2-m connected to the communication terminal 2-m is the destination peer 2-2 is calculated. Then, the source peer 2-1 requests the authentication peer 2-13 to connect to the destination peer 2-2 via the network N, provided that the reliability is less than a predetermined threshold value.
 認証ピア2-13は、発信元ピア2-1からネットワークNを介して発信先ピア2-2との接続が要求されたことに応答して、発信先ピア2-2の接続情報を用いて、発信先ピア2-2とネットワークNを介して接続することにより、代替経路(副経路)R13を確立する。 The authentication peer 2-13 uses the connection information of the destination peer 2-2 in response to the request from the source peer 2-1 to connect to the destination peer 2-2 via the network N. , The alternative route (sub route) R13 is established by connecting to the destination peer 2-2 via the network N.
 これにより、本変形例に係る三点認証システム1においても、上記の実施形態に係る三点認証システム1と同様の効果を奏することができる。また、本変形例に係る三点認証システム1は、トークンを使用して、直接経路R0及び代替経路(副経路)R(10+n)を介して接続された通信端末2-mが発信先ピア2-2であることの認証を根拠に、発信元ピア2-1と発信先ピア2-2との接続経路を多重化することができる。さらに、本変形例に係る三点認証システム1は、直接経路R0及び代替経路(副経路)R(10+n)を介して接続された通信端末2-mが発信先ピア2-2であることの信頼度を、定量的に評価することができる。 Thereby, the three-point authentication system 1 according to the present modification can also have the same effect as the three-point authentication system 1 according to the above embodiment. Further, in the three-point authentication system 1 according to this modification, the communication terminal 2-m connected via the direct route R0 and the alternative route (secondary route) R (10 + n) using the token is the transmission destination peer 2. Based on the authentication of -2, the connection route between the source peer 2-1 and the destination peer 2-2 can be multiplexed. Further, in the three-point authentication system 1 according to this modification, the communication terminal 2-m connected via the direct route R0 and the alternative route (secondary route) R (10 + n) is the transmission destination peer 2-2. The reliability can be evaluated quantitatively.
 この結果、本変形例に係る三点認証システム1は、効率的な通信を実現できる。 As a result, the three-point authentication system 1 according to this modification can realize efficient communication.
 上記の実施形態において、認証ピア2-11の制御部23-11は、発信先ピア2-2のユーザIDがグラフデータベースに登録されており、発信先ピア2-2の認証が可能であると判別した場合、認証シリアルIDを発行するものとして説明した。しかしながら、本発明はこれに限定されるものではなく、認証ピア2-11の制御部23-11は、発信先ピア2-2の認証が可能である場合でも、発信先ピア2-2の認証を自己の接続グループに所属する通信端末(ピア)2-mに委託してもよい。 In the above embodiment, the control unit 23-11 of the authentication peer 2-11 states that the user ID of the destination peer 2-2 is registered in the graph database and the destination peer 2-2 can be authenticated. If it is determined, it is described as issuing an authentication serial ID. However, the present invention is not limited to this, and the control unit 23-11 of the authentication peer 2-11 can authenticate the destination peer 2-2 even when the destination peer 2-2 can be authenticated. May be outsourced to a communication terminal (peer) 2-m belonging to its own connection group.
 具体的に、認証ピア2-11の制御部23-11は、第1接続問合せを通信部21-11からネットワークNを介して、中継ピア2-4~2-6等の自己の接続グループに所属する通信端末(ピア)2-mに送信することより、発信先ピア2-2の認証を自己の接続グループに所属する通信端末(ピア)2-mに委託する。 Specifically, the control unit 23-11 of the authentication peer 2-11 sends the first connection inquiry from the communication unit 21-11 to its own connection group such as relay peers 2-4 to 2-6 via the network N. By transmitting to the communication terminal (peer) 2-m to which it belongs, the authentication of the destination peer 2-2 is entrusted to the communication terminal (peer) 2-m belonging to its own connection group.
 発信先ピア2-2の認証の委託を受けた通信端末(ピア)2-mは、認証ピア2-11からネットワークNを介して送信される第1接続問合せを通信部21-mで受信したことに応答して、第1接続問合せに含まれる発信先ピア2-2のユーザIDに対応する接続情報を、通信部21-mからネットワークNを介してグラフデータベースより取得する。そして、発信先ピア2-2の認証の委託を受けた通信端末(ピア)2-mは、認証ピア2-11と同様の処理を行えばよい。 The communication terminal (peer) 2-m entrusted with the authentication of the destination peer 2-2 receives the first connection inquiry transmitted from the authentication peer 2-11 via the network N by the communication unit 21-m. In response to this, the connection information corresponding to the user ID of the destination peer 2-2 included in the first connection inquiry is acquired from the graph database from the communication unit 21-m via the network N. Then, the communication terminal (peer) 2-m entrusted with the authentication of the destination peer 2-2 may perform the same processing as the authentication peer 2-11.
 これにより、認証ピア2-11は、発信先ピア2-2の認証の委託を実現できるようになるため、発信先ピア2-2の認証作業の負荷を分散することができる。 As a result, the authentication peer 2-11 can realize the outsourcing of the authentication of the destination peer 2-2, so that the load of the authentication work of the destination peer 2-2 can be distributed.
 上記の実施形態において、制御部23-mのCPUが実行するプログラムは、予めROM等に記憶されていた。しかしながら、本発明は、これに限定されず、上述の処理を実行させるためのプログラムを、既存の汎用コンピュータに適用することで、上記の実施形態に係る通信端末(ピア)2-mとして機能させてもよい。 In the above embodiment, the program executed by the CPU of the control unit 23-m is stored in ROM or the like in advance. However, the present invention is not limited to this, and by applying a program for executing the above-mentioned processing to an existing general-purpose computer, the present invention can function as a communication terminal (peer) 2-m according to the above-described embodiment. You may.
 このようなプログラムの提供方法は任意であり、例えばコンピュータが読取可能な記録媒体(フレキシブルディスク、CD(Compact Disc)-ROM、DVD(Digital Versatile Disc)-ROM等)に格納して配布してもよいし、インターネット等のネットワーク上のストレージにプログラムを格納しておき、これをダウンロードさせることにより提供してもよい。 The method of providing such a program is arbitrary, and may be stored and distributed on a computer-readable recording medium (flexible disc, CD (Compact Disc) -ROM, DVD (Digital Versatile Disc) -ROM, etc.), for example. Alternatively, the program may be stored in a storage on a network such as the Internet and provided by downloading the program.
 また、上記の処理をOSとアプリケーションプログラムとの分担、又はOSとアプリケーションプログラムとの協働によって実行する場合には、アプリケーションプログラムのみを記録媒体やストレージに格納してもよい。また、搬送波にプログラムを重畳し、ネットワークを介して配信することも可能である。例えば、ネットワーク上の掲示板(BBS:Bulletin Board System)に上記プログラムを掲示し、ネットワークを介してプログラムを配信してもよい。そして、このプログラムを起動し、OSの制御下で、他のアプリケーションプログラムと同様に実行することにより、上記の処理を実行できるように構成してもよい。 Further, when the above processing is executed by the division between the OS and the application program or the cooperation between the OS and the application program, only the application program may be stored in the recording medium or the storage. It is also possible to superimpose a program on a carrier wave and distribute it via a network. For example, the above program may be posted on a bulletin board system (BBS: Bulletin Board System) on the network, and the program may be distributed via the network. Then, by starting this program and executing it in the same manner as other application programs under the control of the OS, the above processing may be executed.
 なお、本発明は、本発明の広義の精神と範囲を逸脱することなく、様々な実施の形態及び変形が可能とされるものである。また、上述した実施の形態は、本発明の一実施例を説明するためのものであり、本発明の範囲を限定するものではない。 It should be noted that the present invention enables various embodiments and modifications without departing from the broad spirit and scope of the present invention. Further, the above-described embodiment is for explaining an embodiment of the present invention, and does not limit the scope of the present invention.
 本出願は、2020年7月3日に出願された日本国特許出願2020-116017に基づく。本明細書中に日本国特許出願2020-116017の明細書、特許請求の範囲、図面全体を参照として取り込むものとする。 This application is based on the Japanese patent application 2020-116017 filed on July 3, 2020. The specification, claims, and drawings of Japanese patent application 202-116017 are incorporated herein by reference.
       1    三点認証システム(通信システム)
       2-m  通信端末(ピア)
       2-1  発信元ピア(発信元端末)
       2-2  発信先ピア(発信先端末)
       2-3  シード発行ピア
   2-4~2-6  中継ピア(中継端末)
   2-(10+n) 認証ピア
       2-11 認証ピア(支援端末)
  2-12,2-13 認証ピア(中継端末)
       4    シードテーブル
       5    トークンテーブル(接続要求テーブル)
       6    接続情報テーブル
      21-m  通信部
      22-m  記憶部
      22-1  記憶部(第2記憶部)
      22-2  記憶部(第3記憶部)
      22-11 記憶部(第1記憶部)
22-12,22-13 記憶部(第4記憶部)
      23-m  制御部 1 Three-point authentication system (communication system)
2-m communication terminal (peer)
2-1 Source peer (source terminal)
2-2 Destination peer (destination terminal)
2-3 Seed issuing peer 2-4-2-6 Relay peer (relay terminal)
2- (10 + n) authentication peer 2-11 authentication peer (support terminal)
2-12, 2-13 Authentication peer (relay terminal)
4 Seed table 5 Token table (connection request table)
6 Connection information table 21-m Communication unit 22-m Storage unit 22-1 Storage unit (second storage unit)
22-2 Memory unit (3rd storage unit)
22-11 Storage unit (first storage unit)
22-12, 22-13 Storage unit (4th storage unit)
23-m control unit

Claims (16)

  1.  ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)であって、
     前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立し、
     前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する、
     ことを特徴とする発信元端末(2-1)。     A source terminal (2-1) that is a source of data among a plurality of communication terminals (2-m) that are connected via a network (N) and communicate in a peer-to-peer manner.
    The communication terminal to which the data is transmitted is supported by the support terminal (2-11), which is the communication terminal (2-m) that supports the establishment of a connection path between the communication terminals (2-m). Establish a first connection route (R0), which is the connection route that directly connects to the destination terminal (2-2), which is (2-m).
    After the establishment of the first connection path (R0), the relay terminal (2-4 to 2-6, 2-12, 2) different from the support terminal (2-11) among the communication terminals (2-m) -13) Establishes a second connection route (R4 to R6, R12, R13), which is the connection route for connecting to the destination terminal (2-2) via the destination terminal (2-2).
    Source terminal (2-1) characterized by this.
  2.  前記第1接続経路(R0)の確立後、前記支援端末(2-11)に前記第2接続経路(R4~R6)の確立の支援を前記ネットワーク(N)を介して要求することにより、該第2接続経路(R4~R6)を確立する、
     ことを特徴とする請求項1に記載の発信元端末(2-1)。     After the establishment of the first connection route (R0), the support terminal (2-11) is requested to support the establishment of the second connection route (R4 to R6) via the network (N). Establish a second connection route (R4 to R6),
    The source terminal (2-1) according to claim 1.
  3.  前記第1接続経路(R0)の確立後、前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して接続し、前記発信先端末(2-2)との接続を該ネットワーク(N)を介して要求することにより、前記第2接続経路(R4~R6)を確立する、
     ことを特徴とする請求項1に記載の発信元端末(2-1)。     After establishing the first connection path (R0), the relay terminal (2-12, 2-13) is connected to the relay terminal (2-12, 2-13) via the network (N), and the connection with the transmission destination terminal (2-2) is made. The second connection path (R4 to R6) is established by requesting via the network (N).
    The source terminal (2-1) according to claim 1.
  4.  前記第1接続経路(R0)の確立後、該第1接続経路(R0)を介して接続された前記通信端末(2-m)が前記発信先端末(2-2)であることの信頼度を算出し、
     前記信頼度が所定の閾値未満であることを条件に、前記発信先端末(2-2)との接続を前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して要求する、
     ことを特徴とする請求項3に記載の発信元端末(2-1)。     After the establishment of the first connection path (R0), the reliability that the communication terminal (2-m) connected via the first connection path (R0) is the destination terminal (2-2). Is calculated,
    The relay terminal (2-12, 2-13) is requested to connect to the transmission destination terminal (2-2) via the network (N) on condition that the reliability is less than a predetermined threshold value. do,
    The source terminal (2-1) according to claim 3.
  5.  前記発信先端末(2-2)との接続を要求する接続要求であって、該接続要求を特定するための第1接続要求識別情報を含む該接続要求を前記ネットワーク(N)を介して前記支援端末(2-11)に送信し、
     前記発信先端末(2-2)から前記ネットワーク(N)を介して送信される前記第1接続要求識別情報と、該発信先端末(2-2)との接続に必要な接続情報と、を受信したことに応答して、該発信先端末(2-2)から受信した第1接続要求識別情報が前記支援端末(2-11)に送信した第1接続要求識別情報に合致することを条件に、該発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と該ネットワーク(N)を介して接続することにより、前記第1接続経路(R0)を確立する、
     ことを特徴とする請求項1に記載の発信元端末(2-1)。     A connection request requesting a connection with the destination terminal (2-2), the connection request including the first connection request identification information for specifying the connection request is made via the network (N). Send to the support terminal (2-11) and
    The first connection request identification information transmitted from the destination terminal (2-2) via the network (N) and the connection information necessary for connection with the destination terminal (2-2) are provided. The condition is that the first connection request identification information received from the destination terminal (2-2) matches the first connection request identification information transmitted to the support terminal (2-11) in response to the reception. The first connection path (R0) is established by connecting to the destination terminal (2-2) via the network (N) using the connection information of the destination terminal (2-2). Establish,
    The source terminal (2-1) according to claim 1.
  6.  前記第1接続経路(R0)の確立後、前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して接続し、前記第1接続要求識別情報とは異なる第2接続要求識別情報を含む前記接続要求を該ネットワーク(N)を介して送信することにより、該第2接続経路(R4~R6)を確立する、
     ことを特徴とする請求項5に記載の発信元端末(2-1)。     After the establishment of the first connection path (R0), a second connection request different from the first connection request identification information is connected to the relay terminal (2-12, 2-13) via the network (N). The second connection path (R4 to R6) is established by transmitting the connection request including the identification information via the network (N).
    The source terminal (2-1) according to claim 5.
  7.  前記発信先端末(2-2)と接続するための権利と、前記支援端末(2-11)が発行した支援端末発行情報と、から前記第1接続要求識別情報を生成し、
     前記権利と、前記中継端末(2-12,2-13)が発行した中継端末発行情報と、から前記第2接続要求識別情報を生成する、
     ことを特徴とする請求項6に記載の発信元端末(2-1)。     The first connection request identification information is generated from the right to connect to the destination terminal (2-2) and the support terminal issuance information issued by the support terminal (2-11).
    The second connection request identification information is generated from the right and the relay terminal issuance information issued by the relay terminal (2-12, 2-13).
    The source terminal (2-1) according to claim 6.
  8.  前記第1接続要求識別情報を登録する接続要求テーブル(5)の処分権者として該発信元端末(2-1)のユーザを登録し、
     前記第1接続経路(R0)の確立後、前記接続要求テーブル(5)の処分権者を前記支援端末(2-11)のユーザに変更することにより、該接続要求テーブル(5)の処分権を、該支援端末(2-11)のユーザに移転する、
     ことを特徴とする請求項5に記載の発信元端末(2-1)。     The user of the source terminal (2-1) is registered as the disposal right holder of the connection request table (5) for registering the first connection request identification information.
    After the establishment of the first connection path (R0), the disposal right of the connection request table (5) is changed by changing the disposal right holder of the connection request table (5) to the user of the support terminal (2-11). To the user of the support terminal (2-11),
    The source terminal (2-1) according to claim 5.
  9.  ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)を具備する通信システム(1)であって、
     前記複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)は、
     前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立し、
     前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する、
     ことを特徴とする通信システム(1)。     A communication system (1) having a plurality of communication terminals (2-m) connected via a network (N) and communicating in a peer-to-peer manner.
    The source terminal (2-1) that is the source of data among the plurality of communication terminals (2-m) is
    The communication terminal to which the data is transmitted is supported by the support terminal (2-11), which is the communication terminal (2-m) that supports the establishment of a connection path between the communication terminals (2-m). Establish a first connection route (R0), which is the connection route that directly connects to the destination terminal (2-2), which is (2-m).
    After the establishment of the first connection path (R0), the relay terminal (2-4 to 2-6, 2-12, 2) different from the support terminal (2-11) among the communication terminals (2-m) -13) Establishes a second connection route (R4 to R6, R12, R13), which is the connection route for connecting to the destination terminal (2-2) via the destination terminal (2-2).
    A communication system (1) characterized by the above.
  10.  前記発信元端末(2-1)は、
     前記発信先端末(2-2)から前記ネットワーク(N)を介して送信される該発信先端末(2-2)との接続に必要な接続情報を受信し、
     前記第1接続経路(R0)の確立後、前記発信先端末(2-2)の接続情報を登録する接続情報テーブル(6)を生成し、
     前記支援端末(2-11)に前記第2接続経路(R4~R6)の確立の支援を前記ネットワーク(N)を介して要求し、
     前記発信先端末(2-2)と前記中継端末(2-4~2-6)とが前記ネットワーク(N)を介して接続された後、前記支援端末(2-11)から該ネットワーク(N)を介して送信される該中継端末(2-4~2-6)との接続に必要な接続情報を用いて、該中継端末(2-4~2-6)と該ネットワーク(N)を介して接続することにより、前記第2接続経路(R4~R6)を確立し、
     前記支援端末(2-11)は、
     前記中継端末(2-4~2-6)の前記接続情報を記憶する第1記憶部(22-11)を含み、
     前記発信元端末(2-1)から前記ネットワーク(N)を介して前記第2接続経路(R4~R6)の確立の支援が要求されたことに応答して、前記発信先端末(2-2)との接続を前記中継端末(2-4~2-6)に該ネットワーク(N)を介して要求し、
     前記発信先端末(2-2)と前記中継端末(2-4~2-6)とが前記ネットワーク(N)を介して接続された後、該中継端末(2-4~2-6)の接続情報を前記ネットワーク(N)を介して前記発信元端末(2-1)に送信し、
     前記中継端末(2-4~2-6)は、
     前記支援端末(2-11)から前記ネットワーク(N)を介して前記発信先端末(2-2)との接続が要求されたことに応答して、前記発信先端末(2-2)の接続情報を前記接続情報テーブル(6)から取得し、
     前記発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と前記ネットワーク(N)を介して接続する、
     ことを特徴とする請求項9に記載の通信システム(1)。     The source terminal (2-1) is
    Upon receiving the connection information necessary for connecting to the destination terminal (2-2) transmitted from the destination terminal (2-2) via the network (N),
    After establishing the first connection path (R0), a connection information table (6) for registering the connection information of the destination terminal (2-2) is generated.
    The support terminal (2-11) is requested to support the establishment of the second connection path (R4 to R6) via the network (N).
    After the destination terminal (2-2) and the relay terminal (2-4 to 2-6) are connected via the network (N), the support terminal (2-11) connects to the network (N). ), The relay terminal (2-4-2-6) and the network (N) are connected by using the connection information necessary for the connection with the relay terminal (2-4 to 2-6) transmitted via). By connecting via the above, the second connection path (R4 to R6) is established, and the second connection path (R4 to R6) is established.
    The support terminal (2-11) is
    The first storage unit (22-11) for storing the connection information of the relay terminals (2-4 to 2-6) is included.
    In response to a request from the source terminal (2-1) to support the establishment of the second connection path (R4 to R6) via the network (N), the destination terminal (2-2). ) Is requested from the relay terminal (2-4 to 2-6) via the network (N).
    After the transmission destination terminal (2-2) and the relay terminal (2-4 to 2-6) are connected via the network (N), the relay terminal (2-4 to 2-6) The connection information is transmitted to the source terminal (2-1) via the network (N), and the connection information is transmitted to the source terminal (2-1).
    The relay terminals (2-4 to 2-6) are
    Connection of the destination terminal (2-2) in response to a request from the support terminal (2-11) to connect to the destination terminal (2-2) via the network (N). Information is acquired from the connection information table (6), and information is obtained from the connection information table (6).
    Using the connection information of the destination terminal (2-2), the destination terminal (2-2) is connected to the destination terminal (2-2) via the network (N).
    The communication system (1) according to claim 9.
  11.  前記発信元端末(2-1)は、
     前記発信元端末(2-1)を特定するための発信元識別情報と、前記発信先端末(2-2)を特定するための発信先識別情報と、を記憶する第2記憶部(22-1)を含み、
     前記第1接続経路(R0)の確立後、前記発信元識別情報と、前記発信先識別情報と、前記発信先端末(2-2)の接続情報と、を対応付けて登録する前記接続情報テーブル(6)を生成し、
     前記発信元識別情報と、前記発信先識別情報と、を前記ネットワーク(N)を介して前記支援端末(2-11)に送信することにより、該支援端末(2-11)に前記第2接続経路(R4~R6)の確立の支援を要求し、
     前記支援端末(2-11)は、
     前記発信元端末(2-1)から前記ネットワーク(N)を介して送信される前記発信元識別情報と、前記発信先識別情報と、を受信したことに応答して、該発信元識別情報と、該発信先識別情報と、を前記ネットワーク(N)を介して前記中継端末(2-4~2-6)に送信することにより、前記発信先端末(2-2)との接続を該中継端末(2-4~2-6)に要求し、
     前記中継端末(2-4~2-6)は、
     前記支援端末(2-11)から前記ネットワーク(N)を介して送信される前記発信元識別情報と、前記発信先識別情報と、を受信したことに応答して、該受信した該発信元識別情報と、該発信先識別情報と、がそれぞれ前記接続情報テーブル(6)に登録されている前記発信元識別情報と、前記発信先識別情報と、に合致することを条件に、前記発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と前記ネットワーク(N)を介して接続する、
     ことを特徴とする請求項10に記載の通信システム(1)。     The source terminal (2-1) is
    A second storage unit (22-) that stores the source identification information for identifying the source terminal (2-1) and the destination identification information for identifying the destination terminal (2-2). Including 1)
    After the establishment of the first connection route (R0), the connection information table for registering the source identification information, the destination identification information, and the connection information of the destination terminal (2-2) in association with each other. Generate (6) and
    By transmitting the source identification information and the destination identification information to the support terminal (2-11) via the network (N), the second connection to the support terminal (2-11) is made. Requesting assistance in establishing routes (R4 to R6),
    The support terminal (2-11) is
    In response to receiving the source identification information and the destination identification information transmitted from the source terminal (2-1) via the network (N), the source identification information is used. By transmitting the destination identification information to the relay terminal (2-4 to 2-6) via the network (N), the connection with the destination terminal (2-2) is relayed. Request to the terminal (2-4 to 2-6) and
    The relay terminals (2-4 to 2-6) are
    In response to receiving the source identification information and the destination identification information transmitted from the support terminal (2-11) via the network (N), the received source identification information The destination terminal, provided that the information and the destination identification information match the source identification information and the destination identification information registered in the connection information table (6), respectively. Using the connection information of (2-2), the destination terminal (2-2) is connected to the network (N) via the network (N).
    The communication system (1) according to claim 10.
  12.  前記発信元端末(2-1)は、
     前記中継端末(2-12,2-13)との接続に必要な接続情報を記憶する第2記憶部(22-1)を含み、
     前記中継端末(2-12,2-13)の接続情報を用いて、該中継端末(2-12,2-13)と前記ネットワーク(N)を介して接続し、
     前記発信先端末(2-2)との接続を前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して要求し、
     前記中継端末(2-12,2-13)は、
     前記発信先端末(2-2)との接続に必要な接続情報を記憶する第4記憶部(2-12,2-13)を含み、
     前記発信元端末(2-1)から前記ネットワーク(N)を介して前記発信先端末(2-2)との接続が要求されたことに応答して、前記発信先端末(2-2)の接続情報を用いて、該発信先端末(2-2)と前記ネットワーク(N)を介して接続することにより、前記第2接続経路(R12,R13)を確立する、
     ことを特徴とする請求項9に記載の通信システム(1)。     The source terminal (2-1) is
    A second storage unit (22-1) for storing connection information necessary for connection with the relay terminal (2-12, 2-13) is included.
    Using the connection information of the relay terminal (2-12, 2-13), the relay terminal (2-12, 2-13) is connected to the relay terminal (2-12, 2-13) via the network (N).
    A connection with the destination terminal (2-2) is requested from the relay terminal (2-12, 2-13) via the network (N).
    The relay terminals (2-12, 2-13)
    Includes a fourth storage unit (2-12, 2-13) that stores connection information required for connection to the destination terminal (2-2).
    In response to a request from the source terminal (2-1) to connect to the destination terminal (2-2) via the network (N), the destination terminal (2-2) The second connection path (R12, R13) is established by connecting to the destination terminal (2-2) via the network (N) using the connection information.
    The communication system (1) according to claim 9.
  13.  前記発信元端末(2-1)は、
     前記第1接続経路(R0)の確立後、該第1接続経路(R0)を介して接続された前記通信端末(2-m)が前記発信先端末(2-2)であることの信頼度を算出し、
     前記信頼度が所定の閾値未満であることを条件に、前記発信先端末(2-2)との接続を前記中継端末(2-12,2-13)に前記ネットワーク(N)を介して要求する、
     ことを特徴とする請求項12に記載の通信システム(1)。     The source terminal (2-1) is
    After the establishment of the first connection path (R0), the reliability that the communication terminal (2-m) connected via the first connection path (R0) is the destination terminal (2-2). Is calculated,
    The relay terminal (2-12, 2-13) is requested to connect to the transmission destination terminal (2-2) via the network (N) on condition that the reliability is less than a predetermined threshold value. do,
    The communication system (1) according to claim 12.
  14.  前記中継端末(2-12,2-13)は、
     第1中継端末(2-12)と、
     第2中継端末(2-13)と、
     を含み、
     前記発信元端末(2-1)は、
     前記第1中継端末(2-12)を経由して前記発信先端末(2-2)と接続する第2接続経路(R12)の確立後、前記第1接続経路(R0)及び該第2接続経路(R12)を介して接続された前記通信端末(2-m)が前記発信先端末(2-2)であることの信頼度を算出し、
     前記信頼度が前記所定の閾値未満であることを条件に、該発信先端末(2-2)との接続を前記第2中継端末(2-13)に前記ネットワーク(N)を介して要求する、
     ことを特徴とする請求項13に記載の通信システム(1)。     The relay terminals (2-12, 2-13)
    The first relay terminal (2-12) and
    With the second relay terminal (2-13),
    Including
    The source terminal (2-1) is
    After establishing the second connection route (R12) to connect to the transmission destination terminal (2-2) via the first relay terminal (2-12), the first connection route (R0) and the second connection. The reliability that the communication terminal (2-m) connected via the route (R12) is the transmission destination terminal (2-2) is calculated.
    The second relay terminal (2-13) is requested to connect to the destination terminal (2-2) via the network (N) on condition that the reliability is less than the predetermined threshold value. ,
    The communication system (1) according to claim 13.
  15.  ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)による通信方法であって、
     前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立し、
     前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する、
     ことを特徴とする通信方法。     A communication method using a source terminal (2-1) that is a source of data among a plurality of communication terminals (2-m) that are connected via a network (N) and communicate in a peer-to-peer manner. There,
    The communication terminal to which the data is transmitted is supported by the support terminal (2-11), which is the communication terminal (2-m) that supports the establishment of a connection path between the communication terminals (2-m). Establish a first connection route (R0), which is the connection route that directly connects to the destination terminal (2-2), which is (2-m).
    After the establishment of the first connection path (R0), the relay terminal (2-4 to 2-6, 2-12, 2) different from the support terminal (2-11) among the communication terminals (2-m) -13) Establishes a second connection route (R4 to R6, R12, R13), which is the connection route for connecting to the destination terminal (2-2) via the destination terminal (2-2).
    A communication method characterized by that.
  16.  ネットワーク(N)を介して接続され、ピア・ツウ・ピア方式で通信を行う複数の通信端末(2-m)のうちのデータの発信元となる発信元端末(2-1)のコンピュータに、
     前記通信端末(2-m)間に接続経路を確立することを支援する該通信端末(2-m)である支援端末(2-11)の支援によって、前記データの発信先となる該通信端末(2-m)である発信先端末(2-2)と直接接続する該接続経路である第1接続経路(R0)を確立する手順と、
     前記第1接続経路(R0)の確立後、前記通信端末(2-m)のうち、前記支援端末(2-11)とは異なる中継端末(2-4~2-6,2-12,2-13)を経由して該発信先端末(2-2)と接続する該接続経路である第2接続経路(R4~R6,R12,R13)を確立する手順と、
     を実行させるためのプログラム。     To the computer of the source terminal (2-1) that is the source of data among a plurality of communication terminals (2-m) that are connected via the network (N) and communicate in a peer-to-peer manner.
    The communication terminal to which the data is transmitted is supported by the support terminal (2-11), which is the communication terminal (2-m) that supports the establishment of a connection path between the communication terminals (2-m). The procedure for establishing the first connection route (R0), which is the connection route directly connected to the destination terminal (2-2), which is (2-m), and
    After the establishment of the first connection path (R0), the relay terminal (2-4 to 2-6, 2-12, 2) different from the support terminal (2-11) among the communication terminals (2-m) A procedure for establishing a second connection route (R4 to R6, R12, R13), which is the connection route for connecting to the destination terminal (2-2) via -13), and
    A program to execute.
PCT/JP2021/025226 2020-07-03 2021-07-02 Transmission source terminal, communication system, communication method, and program WO2022004894A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2022522009A JP7128565B2 (en) 2020-07-03 2021-07-02 Source terminal, communication system, communication method, and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2020116017 2020-07-03
JP2020-116017 2020-07-03

Publications (1)

Publication Number Publication Date
WO2022004894A1 true WO2022004894A1 (en) 2022-01-06

Family

ID=79316402

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/025226 WO2022004894A1 (en) 2020-07-03 2021-07-02 Transmission source terminal, communication system, communication method, and program

Country Status (2)

Country Link
JP (1) JP7128565B2 (en)
WO (1) WO2022004894A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008026288A1 (en) * 2006-08-31 2008-03-06 Fujitsu Limited Network connected terminal device authenticating method, network connected terminal device authenticating program and network connected terminal device authenticating apparatus
JP2011211490A (en) * 2010-03-30 2011-10-20 Panasonic Corp Vpn device, ip communication apparatus, and server device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008026288A1 (en) * 2006-08-31 2008-03-06 Fujitsu Limited Network connected terminal device authenticating method, network connected terminal device authenticating program and network connected terminal device authenticating apparatus
JP2011211490A (en) * 2010-03-30 2011-10-20 Panasonic Corp Vpn device, ip communication apparatus, and server device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OMATA, EIJI : "Peer-to-Peer Streamingover Heterogeneous Networks", IPSJ JOURNAL, vol. 47, no. 2, 15 February 2006 (2006-02-15), JP, pages 334 - 345, XP055896912, ISSN: 1882-7764 *

Also Published As

Publication number Publication date
JP7128565B2 (en) 2022-08-31
JPWO2022004894A1 (en) 2022-01-06

Similar Documents

Publication Publication Date Title
KR101260188B1 (en) Secure node identifier assignment in a distributed hash table for peer-to-peer networks
US11050724B2 (en) IaaS-aided access control for information centric networking with Internet-of-Things
TW201919363A (en) Method and system for quantum key distribution and data processing
AU2016369606A1 (en) Systems and methods for secure multi-party communications using a proxy
US8402264B2 (en) Method for securing an interaction between nodes and related nodes
US20170149748A1 (en) Secure Group Messaging and Data Steaming
CN111404950B (en) Information sharing method and device based on block chain network and related equipment
EP3014465B1 (en) Identity management system
CN108306872B (en) Network request processing method and device, computer equipment and storage medium
Marino et al. PKIoT: A public key infrastructure for the Internet of Things
Braeken et al. Anonymous lightweight proxy based key agreement for IoT (ALPKA)
Vinoth et al. An efficient key agreement and authentication protocol for secure communication in industrial IoT applications
CN114285555A (en) Multicast method and device based on block chain
WO2022004894A1 (en) Transmission source terminal, communication system, communication method, and program
US20180034633A1 (en) Cryptographic material sharing among entities with no direct trust relationship or connectivity
Spaho et al. Application of JXTA-overlay platform for secure robot control
Wanda et al. Model of secure P2P mobile instant messaging based on virtual network
CN108900584B (en) Data transmission method and system for content distribution network
CN101471938A (en) Authentication method, system and device for point-to-point network
WO2023020764A1 (en) Coordinating peer-to-peer data transfer using blockchain
Lee et al. An adaptive authentication protocol based on reputation for peer-to-peer system
Saravanabhavan et al. Blockchain-Based Secure Menger's Authentication for Industrial IOT
CN115550472A (en) Heterogeneous data processing method and device
KR102425058B1 (en) Method for propagating block of blockchain nodes
KR101984007B1 (en) A method for providing the information on the content which other user receives in p2p network-based content delivery service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21834084

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2022522009

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21834084

Country of ref document: EP

Kind code of ref document: A1