CN100343841C - Terminal device authentication system - Google Patents

Abstract

A terminal-device authentication system is capable of appropriately allocating the allocation target of a CE device. The device ID of the CE device (3) includes company information. The CE device (3) uses the company information to inquire of a company-information allocation server (6) about an authentication-target allocation server (8) to be connected and uses the device ID to inquire of the authentication-target allocation server (8) about an authentication server (9) to be connected. The CE device (3), which is authenticated in the authentication server (9), transmits an authentication result to a service server (10).

Description

Terminal device authentication system

Technical field

The present invention relates to a kind of device authentication system etc., particularly under the situation that has a plurality of certificate servers that equipment is authenticated, by in advance device id being mapped with the certificate server of carrying out authentication, finish the authenticated device Verification System by the appropriate authentication server.

Background technology

In recent years, CE (Consumer Electronics: consumption electronic product) constantly popularizing by equipment.So-called consumer electronic devices comprises for example audio and video equipments such as video recorder, hard disk recorder, stereophonic sound system, televisor, personal digital assistant), electronic equipment such as game machine, home router PC, digital camera, portable shooting video reproduction all-in-one, PDA (Personal Digital Assistance:, household electrical appliance such as automatic rice cooker, refrigerator, and other some built-in computer and can use the electronic equipment of network service.

The user is by its service content of CE device access downloaded, the service that can use server to provide.

In the service that server provides, the service that only provides to the specific CE equipment through device authentication also is provided in the service that both oriented all CE equipment provide.

Server utilizes certificate server that CE equipment is authenticated when the service that needs device authentication is provided, the authentication by after service just is provided.

Fig. 8 is the exemplary plot of a structure of CE device authentication system 100.

This Verification System proposes in undocumented patent documentation (patented claim 2002-144896).

In the past, during the CE device authentication, directly sent authentication information (important safety information such as password, device id) to service server; There is the problem of secure context in service server mostly by individual or group's management arbitrarily, therefore, is provided with the device authentication server in this Verification System in addition and carries out device authentication.

In the Verification System 100, CE equipment 101, certificate server 102, service server 103 interconnect by the Internet 104.

The user is connected to service server 103 with CE equipment 101, just the service that can use service server 103 to provide.

When the user wished that the service of using needs device authentication, service server 103 required CE equipment 101 to go certificate server 102 to carry out device authentication to the information of CE equipment 101 transmission certificate servers 102; Correspondingly, CE equipment 101 is accepted the device authentication of certificate server 102.

Service server 103 confirms that CE equipment 101 after certificate server 102 has been accepted device authentication, provides service to CE equipment 101.

In this Verification System, when CE equipment 101 is authenticated,,, service server 103 which certificate server to be authenticated (certificate server 102 among Fig. 8) by so can knowing the CE equipment 101 of request authentication because have only a certificate server 102.

Therefore, when requesting service authenticated, service server 103 can send the information of certificate server 102 to CE equipment 101.

But when a plurality of certificate server 102, after CE equipment 101 these systems of visit, service server 103 offhand what a scheme are used for sending to CE equipment 101 information of suitable certificate server 102.Therefore a problem occurred, promptly CE equipment 101 is difficult to obtain the information of appropriate authentication server 102.

When the enterprise of CE equipment 101 is sold in a plurality of manufacturings, just need to prepare a plurality of certificate servers 102, distribute certificate server 102 according to the CE equipment 101 that visits.

In addition, though be not the correlation technique of the device authentication of CE equipment, below invention has proposed a kind of technology of distributing certificate server when having a plurality of certificate server according to calling party.

It is by judging that (InternetService Provider: the ISP) registered user is the authentication processing that domestic consumer or specific user come distributing user to ISP that the spy opens the technology of putting down in writing in the 2002-197061 communique.Allocator is as follows:

At first, the telephone number that domestic consumer is used distinguishes with the telephone number that the specific user uses.Then, distribution server is determined domestic consumer or specific user according to telephone number, and it is assigned to separately certificate server.And then terminal sends user-id/password to distribution server.

The technology that the spy opens 2000-331095 communique record is after accepting user capture, and user's visit is assigned to this user that certificate server to its distribution ID when registering.

Allocator is as follows: at first, the user sends user ID and password to distribution server.Then, distribution server is distinguished the certificate server of this user ID of distribution according to the certain bits of user ID.And then, to distinguishing that the certificate server that obtains sends user ID and password, authenticates the user.

As common business form, behind the authentication purpose ground by the distribution CE of enterprise equipment, a plurality of certificate servers still may be prepared by enterprise.Even use the technology in the above-mentioned patent documentation, still be difficult to handle such situation.

Therefore, the device authentication system that the purpose of this invention is to provide the authentication purpose ground that can distribute CE equipment rightly.

Summary of the invention

Terminal device authentication system provided by the invention is characterized in that possessing (the 1st structure) for achieving the above object:

Service server, when providing the service that needs device authentication to terminal device, to the link information of above-mentioned terminal device transmission to the 1st distribution server, and from above-mentioned terminal device reception authentication result; The 1st distribution server receives the 1st assignment information from terminal device, sends the link information of pointing to corresponding the 2nd distribution server of the 1st assignment information; The 2nd distribution server receives the 2nd assignment information from terminal device, sends the link information of pointing to the corresponding certificate server of the 2nd assignment information; Certificate server carries out device authentication after terminal device receives authentication information, authentication result is sent to above-mentioned terminal device.

In addition, in the 1st structure of terminal device authentication system of the present invention, use the terminal device of service that service server provides, its structure can comprise (the 2nd structure): the 1st receiving element receives to the 1st distribution server link information from above-mentioned service server;

The 1st transmitting element, the link information of using above-mentioned the 1st receiving element to be received is connected to above-mentioned the 1st distribution server, sends the 1st assignment information; The 2nd receiving element receives the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server; The 2nd transmitting element, the link information of using above-mentioned the 2nd receiving element to be received is connected to above-mentioned the 2nd distribution server, sends the 2nd assignment information; The 3rd receiving element receives the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that sends from above-mentioned the 2nd distribution server; The authentication information transmitting element, the link information of using above-mentioned the 3rd receiving element to be received is connected to above-mentioned certificate server, sends authentication information; The authentication result receiving element receives the authentication information that uses above-mentioned authentication information transmitting element to be sent from above-mentioned certificate server and carries out authentication result; The authentication result transmitting element sends the authentication result that above-mentioned authentication result receiving element is received to above-mentioned service server.

In addition, in the 1st structure of terminal device authentication system of the present invention, provide the 1st distribution server to terminal device to the link information of the 2nd distribution server, its structure can comprise (the 3rd structure): receiving element, the connection of receiving terminal equipment receives the 1st assignment information from above-mentioned terminal device; Transmitting element sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives to above-mentioned terminal device.

In addition, the terminal device authentication system that the present invention can provide, it is characterized in that possessing (the 4th structure): service server, when providing the service that needs device authentication to terminal device, receive assignment information from above-mentioned terminal device, use the above-mentioned assignment information that receives from the link information of distribution system reception, the above-mentioned link information that receives is sent to above-mentioned terminal device, receive the authentication result of above-mentioned certificate server from above-mentioned terminal device to certificate server;

Above-mentioned distribution system receives above-mentioned assignment information from above-mentioned service server, sends the link information of pointing to the above-mentioned corresponding certificate server of assignment information that receives to above-mentioned service server; Above-mentioned certificate server receives the device authentication that authentication information carries out above-mentioned terminal device from above-mentioned terminal device, sends the authentication result of the said equipment authentication to above-mentioned terminal device.

In addition, in the 4th structure of terminal device authentication system of the present invention, provide distribution system to the link information of certificate server to service server, its structure can possess (the 5th structure): the assignment information receiving element receives assignment information from service server; The link information transmitting element sends the link information of pointing to the above-mentioned corresponding certificate server of assignment information that receives.

In addition, in the 4th structure of terminal device authentication system of the present invention, provide the service server of service to terminal device, its structure can possess (the 6th structure): the assignment information receiving element receives assignment information from terminal device; The assignment information transmitting element sends the above-mentioned assignment information that receives to distribution system; The link information receiving element receives the link information of pointing to the above-mentioned corresponding certificate server of assignment information that sends from above-mentioned distribution system; The link information transmitting element sends the above-mentioned link information that receives to above-mentioned terminal device.

In addition, in the distribution system of the 5th structure of the present invention, above-mentioned assignment information is made of the 1st assignment information and the 2nd assignment information, the structure of above-mentioned distribution system can comprise (the 7th structure): the 1st distribution server, receive above-mentioned the 1st assignment information from service server, send the link information of pointing to corresponding the 2nd distribution server of the 1st assignment information to above-mentioned service server; The 2nd distribution server receives the 2nd assignment information from service server, sends the link information of pointing to the corresponding certificate server of the 2nd assignment information to above-mentioned service server;

In addition, the 7th structure of the present invention receive service server from distribution system to the link information of certificate server, its structure can possess (the 8th structure): the assignment information receiving element receives the 1st assignment information and the 2nd assignment information from terminal device; The 1st transmitting element is connected to the 1st distribution server, sends above-mentioned the 1st assignment information that receives to above-mentioned the 1st distribution server; The 2nd receiving element receives the link information of pointing to above-mentioned corresponding above-mentioned the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server; The 2nd transmitting element, the link information of using above-mentioned the 1st receiving element to be received is connected to above-mentioned the 2nd distribution server, sends above-mentioned the 2nd assignment information; The 2nd receiving element receives the link information of pointing to the above-mentioned corresponding above-mentioned certificate server of the 2nd assignment information that sends from above-mentioned the 2nd distribution server; The link information transmitting element sends the link information that above-mentioned the 2nd receiving element is received to above-mentioned terminal device.

In addition, in the distribution system of the 7th structure of the present invention, provide the 1st distribution server to the link information of the 2nd distribution server to service server, its structure can possess (the 9th structure): receiving element receives the 1st assignment information from service server; Transmitting element sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives.

In addition, in the distribution system of the 7th structure of the present invention, provide the 2nd distribution server to the certificate server link information to service server, its structure can possess (the 10th structure): receiving element receives the 2nd assignment information from service server; Transmitting element sends the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that receives.

In addition, the present invention is the terminal device method of service that service server provides in a kind of terminal device authentication system that uses the 1st structure by computer, above-mentioned computer possesses the 1st receiving element, the 1st transmitting element, the 2nd receiving element, the 2nd transmitting element, the 3rd receiving element, the 3rd transmitting element, the authentication information transmitting element, authentication information receiving element and authentication result transmitting element, the feature of this terminal device method is to be made of following steps: the 1st receiving step receives link information to the 1st distribution server by above-mentioned the 1st receiving element from above-mentioned service server; The 1st forwarding step, the link information of using above-mentioned the 1st receiving step to be received is connected to above-mentioned the 1st distribution server, sends the 1st assignment information by above-mentioned the 1st transmitting element; The 2nd receiving step by above-mentioned the 2nd receiving element, receives the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server; The 2nd forwarding step, the link information of using above-mentioned the 2nd receiving step to be received is connected to above-mentioned the 2nd distribution server, sends the 2nd assignment information by above-mentioned the 2nd transmitting element; The 3rd receiving step by above-mentioned the 3rd receiving element, receives the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that sends from above-mentioned the 2nd distribution server; The authentication information forwarding step, the link information of using above-mentioned the 3rd receiving step to be received is connected to above-mentioned certificate server, sends authentication information by above-mentioned authentication information transmitting element; The authentication result receiving step by above-mentioned authentication information receiving element, receives the authentication information that uses above-mentioned authentication information forwarding step to be sent from above-mentioned certificate server and carries out authentication result; The authentication result forwarding step by above-mentioned authentication result transmitting element, sends the authentication result that above-mentioned authentication result receiving step is received to above-mentioned service server.

In addition, the present invention relates in the terminal device authentication system of the 1st structure provides the 1st distribution method to the link information of distribution server to terminal device, the feature of the 1st distribution method provided by the present invention is to comprise: in the computer that possesses receiving element and transmitting element, receiving step, by above-mentioned receiving element, the connection of receiving terminal equipment receives the 1st assignment information from above-mentioned terminal device; Forwarding step by above-mentioned transmitting element, sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives to above-mentioned terminal device.

In addition, the present invention relates in the terminal device authentication system of the 4th structure, provide distribution method to service server to the link information of certificate server, the feature of distribution method provided by the present invention is to comprise: in the computer system that possesses assignment information receiving element and assignment information transmitting element, the assignment information receiving step, by above-mentioned assignment information receiving element, receive assignment information from service server; The link information forwarding step by above-mentioned link information transmitting element, sends the link information of pointing to the above-mentioned corresponding certificate server of assignment information that receives.

In addition, the present invention relates to a kind of in the terminal device authentication system of the 4th structure, the service providing method of service is provided to terminal device, the feature of service providing method provided by the present invention is to comprise: in the computer that possesses assignment information receiving element, assignment information transmitting element, link information receiving element, link information transmitting element, the assignment information receiving step, by above-mentioned assignment information receiving element, receive assignment information from terminal device; The assignment information forwarding step by above-mentioned assignment information transmitting element, sends the above-mentioned assignment information that receives to distribution system; The link information receiving step by above-mentioned link information receiving element, receives the link information of pointing to the above-mentioned corresponding certificate server of assignment information that sends from above-mentioned distribution system; The link information forwarding step by above-mentioned link information transmitting element, sends the above-mentioned link information that receives to above-mentioned terminal device.

In addition, the present invention relates to a kind of distribution system from the 7th structure and receive service server method to the link information of certificate server, the feature of service server method provided by the present invention is to comprise: in the computer that possesses assignment information receiving element, the 1st transmitting element, the 1st receiving element, the 2nd transmitting element, the 2nd receiving element, link information transmitting element, the assignment information receiving step, by above-mentioned assignment information receiving element, receive the 1st assignment information and the 2nd assignment information from terminal device; The 1st forwarding step is connected to the 1st distribution server, sends above-mentioned the 1st assignment information that receives by above-mentioned the 1st transmitting element to above-mentioned the 1st distribution server; The 1st receiving step by above-mentioned the 1st receiving element, receives the link information of pointing to above-mentioned corresponding above-mentioned the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server; The 2nd forwarding step, the link information of using above-mentioned the 1st receiving step to be received is connected to above-mentioned the 2nd distribution server, sends the 2nd assignment information by above-mentioned the 2nd transmitting element; The 2nd receiving step receives the link information of pointing to the above-mentioned corresponding above-mentioned certificate server of the 2nd assignment information that sends by above-mentioned the 2nd receiving element from above-mentioned the 2nd distribution server; The link information forwarding step sends the link information that above-mentioned the 2nd receiving element is received by above-mentioned link information transmitting element to above-mentioned terminal device.

In addition, the present invention relates in the distribution system of the 7th structure provides the 1st distribution method to the link information of the 2nd distribution server to service server, the feature of the 1st distribution method provided by the present invention is to comprise: in the computer that possesses receiving element and transmitting element, receiving step receives the 1st assignment information by above-mentioned receiving element from service server; Forwarding step sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives by above-mentioned transmitting element.

In addition, the present invention relates in the distribution system of the 7th structure provides the 2nd distribution method to the link information of certificate server to service server, the feature of the 2nd distribution method provided by the present invention is to comprise: in the computer that possesses receiving element and transmitting element, receiving step receives the 2nd assignment information by above-mentioned receiving element from service server; Forwarding step sends the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that receives by above-mentioned transmitting element.

In addition, the invention provides a kind of terminal device program, in by the terminal device authentication system of the 1st structure, use the computer of service that service server provides to be constituted and realized following function in the terminal device: the 1st receiving function, from the link information of above-mentioned service server reception to the 1st distribution server; The 1st sending function, the link information of using above-mentioned the 1st receiving function to be received is connected to above-mentioned the 1st distribution server, sends the 1st assignment information; The 2nd receiving function receives the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server; The 1st sending function, the link information of using above-mentioned the 2nd receiving function to be received is connected to above-mentioned the 2nd distribution server, sends the 2nd assignment information; The 3rd receiving function receives the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that sends from above-mentioned the 2nd distribution server; The authentication information sending function, the link information of using above-mentioned the 3rd receiving function to be received is connected to above-mentioned certificate server, sends authentication information; The authentication result receiving function receives the authentication information that uses above-mentioned authentication information sending function to be sent from above-mentioned certificate server and carries out authentication result; The authentication result sending function sends the authentication result that above-mentioned authentication result receiving function is received to above-mentioned service server.

In addition, the invention provides the 1st allocator, in by the terminal device authentication system of the 1st structure, provide and in the 1st distribution server that computer constituted of the link information of the 2nd distribution server, realize following function: receiving function to terminal device, the connection of receiving terminal equipment receives the 1st assignment information from above-mentioned terminal device; Sending function sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives to above-mentioned terminal device.

In addition, the invention provides allocator, provide to service server in by the terminal device authentication system of the 4th structure and realize following function in the distribution system that computer constituted of the link information of certificate server: the assignment information receiving function receives assignment information from service server; The link information sending function sends the link information of pointing to the above-mentioned corresponding certificate server of assignment information that receives.

In addition, the invention provides the service server program, provide to terminal device in by the terminal device authentication system of the 4th structure and realize following function in the service server that computer constituted of service: the assignment information receiving function receives assignment information from terminal device; The assignment information sending function sends the above-mentioned assignment information that receives to distribution system; The link information receiving function receives the link information of pointing to the above-mentioned corresponding certificate server of assignment information that sends from above-mentioned distribution system; The link information sending function sends the above-mentioned link information that receives to above-mentioned terminal device.

In addition, the invention provides the service server program, realizing following function by reception from the distribution system of the 7th structure in the service server that computer constituted of the link information of certificate server: the assignment information receiving function receives the 1st assignment information and the 2nd assignment information from terminal device; The 1st sending function is connected to the 1st distribution server, sends above-mentioned the 1st assignment information that receives to above-mentioned the 1st distribution server; The 1st receiving function receives the link information of pointing to above-mentioned corresponding above-mentioned the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server;

The 2nd sending function, the link information of using above-mentioned the 1st receiving function to be received is connected to above-mentioned the 2nd distribution server, sends above-mentioned the 2nd assignment information; The 2nd receiving function receives the link information of pointing to the above-mentioned corresponding above-mentioned certificate server of the 2nd assignment information that sends from above-mentioned the 2nd distribution server; The link information sending function sends the link information that above-mentioned the 2nd receiving function is received to above-mentioned terminal device.

In addition, the invention provides the 1st allocator, provide the following function of realization in the 1st distribution server that computer constituted of the 2nd distribution server link information to service server in by the distribution system of the 7th structure: receiving function receives the 1st assignment information from service server; Sending function sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives.

In addition, the invention provides the 2nd allocator, provide the following function of realization in the 2nd distribution server that computer constituted of certificate server link information to service server in by the distribution system of the 7th structure: receiving function receives the 2nd assignment information from service server; Sending function sends the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that receives.

In addition, the present invention also provides the storage medium that the computer of having stored above-mentioned each program can read.

Further, the terminal device in the 2nd structure of the present invention can followingly constitute (the 11st structure): possess: the link information storage unit, store the link information that above-mentioned the 3rd receiving element is received to certificate server; And confirmation unit, receive after the link information of above-mentioned the 1st distribution server from above-mentioned service server, whether confirmed by above-mentioned link information cell stores above-mentioned link information;

Confirming by above-mentioned confirmation unit under the situation that above-mentioned link information is stored that above-mentioned authentication information transmitting element uses above-mentioned link information of storing to be connected to above-mentioned certificate server, sends authentication information.

Further, terminal device in the 11st structure can followingly constitute (the 12nd structure): the above-mentioned link information that above-mentioned card information transmitting unit uses above-mentioned link information storage unit to be stored can't be connected under the situation of above-mentioned certificate server, the link information that is received based on above-mentioned the 1st receiving element, use link information, be connected to above-mentioned certificate server and send authentication information by the obtained certificate server of above-mentioned the 1st transmitting element, above-mentioned the 2nd receiving element, above-mentioned the 2nd transmitting element and above-mentioned the 3rd receiving element; Above-mentioned link information storage unit is used the link information in the link information updated stored of above-mentioned obtained certificate server.According to the present invention, can distribute the authentication purpose ground of CE equipment rightly.

Description of drawings

Fig. 1 is the schematic network structure of the device authentication system of present embodiment.

Fig. 2 is an exemplary plot of the logical organization of device id.

Fig. 3 is used for the figure of the 1st embodiment CE equipment that illustrates with the relation between each server.

Fig. 4 is the process flow diagram that is used for illustrating the program when the 1st embodiment service server provides the service of needs authentication.

Fig. 5 A to Fig. 5 B is an exemplary plot as the agreement of device authentication trigger.

Fig. 6 is used for the figure of the 2nd embodiment CE equipment that illustrates with the relation between each server.

Fig. 7 is the process flow diagram that is used for illustrating the program when the 2nd embodiment service server provides the service of needs authentication.

The 8th figure is the synoptic diagram of the structure of the CE device authentication system that proposed in the undocumented patent documentation.

Embodiment

Describe the 1st embodiment and the 2nd embodiment of suitable enforcement of the present invention with reference to the accompanying drawings in detail.

[summary of the 1st embodiment]

As shown in Figure 2, CE equipment 3 has been stored the device id 13 that the satellite information 16 that can freely be set by the company information 15 that can determine an enterprise and enterprise is constituted.

Among Fig. 3, service server 10 is when CE equipment 3 provides the service that needs device authentication, to the link information of CE equipment 3 transmissions to company information distribution server 6.

CE equipment 3 uses this link information to send company information 15 to company information distribution server 6.

These company information 15 retrieval distribution server tables 21 of company information distribution server 6 usefulness are obtained the link information to authentication purpose ground distribution server 8.In the distribution server table 21, company information 15 is mapped with the authentication purpose ground distribution server 8 that each enterprise manages respectively.And company information distribution server 6 sends obtained link information to CE equipment 3.

CE equipment 3 uses this link information to be connected to the authentication location destination distribution server 8 that this enterprise manages, transmitting apparatus ID13.

Authentication purpose ground distribution server 8 retrieval facility ID13 from certificate server table 22 obtains link information that point to be responsible for certificate server 9 that CE equipment 3 is authenticated.

In the certificate server table 22, each device id 13 is mapped with the certificate server of being responsible for its CE equipment 3 is authenticated 9.This be because, even the CE equipment 3 of same enterprise has sometimes also been prepared a plurality of certificate servers 9 according to CE equipment 3.And authentication purpose ground distribution server 8 sends obtained link information to CE equipment 3.

CE equipment 3 can be determined the responsible certificate server 9 that oneself is authenticated according to this link information.

CE equipment 3 uses this link information to be connected to certificate server 9, sends the necessary authentication informations of device authentication such as password, device id 13.

Correspondingly, 9 pairs of CE equipment of certificate server 3 carry out device authentication.

Like this, in the present embodiment, CE equipment 3 is inquired the authentication purpose ground distribution server 8 that connect to company information distribution server 6, and then inquires the certificate server 9 that connect to authentication purpose ground distribution server 8.

At this moment, carry out distribution in the company information distribution server 6, carry out distribution in the authentication purpose ground distribution server 8 according to device id 13 according to the connection destination of company information.

Like this, before connecting company information distribution server 6, each enterprise carries out common processing; Then can set alone from the processing that company information distribution server 6 receives after the link information of authentication purpose ground distribution server 8 by each enterprise.

[detailed description of the 1st embodiment]

Fig. 1 is the schematic network structure of the device authentication system 1 of present embodiment.

CE equipment 3 in the device authentication system 1, company information distribution server 6, authentication purpose ground distribution server 8a, 8b, 8c ..., certificate server 9a, 9b, 9c ..., service server 10 etc. can interconnect by the Internet 5.

A plurality of CE equipment 3, service server 10 are arranged, only put down in writing 1 among them among Fig. 1 respectively.In addition, company information distribution server 6 has only 1 in device authentication system 1.

Below intended distinction authentication purpose ground distribution server 8a not, 8b, 8c ... situation under, only note is made authentication purpose ground distribution server 8.Similarly, for certificate server 9a, 9b, 9c ..., when not distinguishing, only note is made certificate server 9.

CE equipment 3 is by for example CE equipment that electric equipment products constituted such as televisor, video recorder, CD writer, sound equipment, game machine, PDA, automatic rice cooker, air-conditioning.

Built-in computer in the CE equipment 3 with communication function, can follow various servers (service server 10, company information distribution server 6, authentication purpose ground distribution server 8, certificate server 9, other server) communication via the Internet 5, constitute terminal device.

Stored in the CE equipment 3 and be used for oneself with the device id that other CE equipment makes a distinction, the server on communication objective ground can be discerned CE equipment 3 by receiving device id from CE equipment 3.

As described below, device id comprises manufacturing or the company information of sale enterprise and the satellite information that each enterprise can set up on their own of representing CE equipment 3.

In addition, also stored the password that is used for device authentication in the CE equipment 3, when device authentication, used.

Password is the character string with cryptographic function, though the password that becomes than password length, in fact password and password can when being used for device authentication.

Service server 10 is to offer the server that services sites is used for providing to CE equipment 3 service.

Service server 10 sends content to the CE of access service website equipment 3, and service is provided.The user uses these contents, the acceptance service by the service that CE equipment 3 can be provided by service server 10.

In providing, service server 10 has for example music content, travel information content, movie contents, cuisines content etc.

The service that service server 10 provided comprises that the information that the personal information, the facility information of CE equipment, the Internet that for example comprise hobby etc. connect setup parameter etc. provides, and the upgrading of the maintenance of CE equipment, software etc.In addition, also can be provided in line stores service, affinity service (specification of equipment and service are followed from the specification of miscellaneous equipment and the match service of service request).

In addition, if CE equipment 3 is toilet seats, can also provides by inductor detection user's defecation and check the service that health status is such.

Service that need not device authentication can provide and the service that needs device authentication are provided in the service that service server 10 provides.

CE equipment 3 is when requiring to need the service of device authentication, and service server 10 can require CE equipment 3 to be connected to company information distribution server 6.

Here, the service that sends music data with the stereo to built-in CE equipment 3 is an example, and the situation of CE equipment 3 when the service that need to require device authentication is described.

At first, service server 10 sends picture data to stereo, is used for demonstrating music and selects picture.This select picture HTML (Hypertext Markup Language)) etc. data can (Hypertext MarkupLanguage: computerese be recorded and narrated with for example HTML.

Then, stereo uses this picture data to demonstrate music on the display that stereo had and selects picture.

In selecting picture, can progressively select the melody that to download according to music categories, composer, melody name etc.

This selection operation can carry out without device authentication, according to user's selection demonstration respective picture.

After having selected melody, download phase has just needed device authentication.This can realize that this label is relevant with the download button of selecting screen displayed by embedded tags in picture data, and informing business server 10 will be carried out the operation that needs device authentication.

Thus, after the user clicks download button, send the notice that need carry out device authentication from CE equipment 3 to service server 10, correspondingly, service server 10 sends the information (being called the device authentication trigger) of trigger equipment authentication starting to CE equipment 3.

CE equipment 3 receives the device authentication trigger from service server 10, carries out a series of acts of authentication whereby.

Comprise the link information to company information distribution server 6 in the device authentication trigger, CE equipment 3 uses these information just can be connected to company information distribution server 6.

Company information distribution server 6 specifies its authentication purpose ground distribution server 8 that should connect for CE equipment 3.

Company information distribution server 6 has been stored the distribution server table that company information and authentication purpose ground distribution server 8 are mapped, receive the company information that is included in the device id from CE equipment 3, send the link information of the authentication purpose ground distribution server 8 that connect to CE equipment 3.

Authentication purpose ground distribution server 8 is the unit setting with the enterprise, gives the CE equipment certificate server 9 that 3 indications should connect.

Authentication purpose ground distribution server 8 has been stored the certificate server table that device id and certificate server 9 are mapped, and from CE equipment 3 receiving equipment ID, sends the link information of the certificate server 9 that connect to CE equipment 3.

Certificate server 9 is the server units that CE equipment 3 carried out device authentication.At 1 enterprise, single or multiple certificate servers 9 have been prepared.Certificate server 9 carries out device authentication based on the device id and the password of CE equipment 3.

Uniform resource locator) or URI (Unique Resource Identifier: services sites such as the company information distribution server 6 more than specifying on the Internet 5, authentication purpose ground distribution server 8, certificate server 9, service server 10 such as unique resource identifier) in addition, by URL (Uniform Resource Locators:.

These URL, URI etc. have been comprised, these information connection specified server of CE equipment 3 uses in link information when then, CE equipment 3 is with each server interaction.

That is, link information has comprised the information that the connection destination (company information distribution server 6, authentication purpose ground distribution server 8, certificate server 9 etc.) of CE equipment 3 is determined in for example " http://abc.Zony.co.jp " such being used for.

In addition, it is all encrypted that CE equipment 3 or each server send the data that receive, to prevent third-party improper access.

Like this, company information distribution server 6 and authentication purpose ground distribution server 8 have constituted the 1st distribution server and the 2nd distribution server respectively, the link information that service server 10 sends to company information distribution server 6 to CE equipment 3, the link information that company information distribution server 6 sends to authentication purpose ground distribution server 8, distribution server 8 transmissions in authentication purpose ground are to the link information of certificate server 9.

Fig. 2 is an exemplary plot of the logical organization of the device id 13 that had of CE equipment 3.

Device id 13 is made of the satellite information 16 that the company information 15 that can determine an enterprise and each enterprise can freely set.

Satellite information 16 can comprise sequence number, the CE equipment 3 of CE equipment 3 for example kind, make various information such as date, be example with the sequence number that comprises CE equipment 3 in the present embodiment.According to this sequence number, can determine CE equipment 3.

Particularly, device id 13 can adopt the EUI-64 that IEEE (IEEE-USA) managed (Extended Unique Indentifier 64bit: expansion unique identifier, 64 bits) etc.

EUI-64 is the standard of managing CE equipment 3 with the information of 64 bits.

Especially, in whole 64 bits, high-order 24 bits are called OUI (OrganizationallyUnique Identifier: organization unique identifier), be the code that IEEE distributes to each enterprise (supplier).In the present embodiment, OUI is corresponding to company information 15.

Low level 40 bits beyond the OUI can be managed voluntarily by each enterprise, corresponding to the satellite information in the present embodiment 16.

In the present embodiment, company information 15 has constituted employed the 1st assignment information when company information distribution server 6 is obtained the link information of authentication purpose ground distribution server 8, and device id 13 has constituted employed the 2nd assignment information when authentication purpose ground distribution server 8 is obtained the link information of certificate server 9.

Fig. 3 is used to illustrate the figure of CE equipment 3 with the relation between each server.

CE equipment 3 each stage from service server 10 acceptance services progressively is described below.

Step 1:CE equipment 3 needs the service of device authentication, service server 10 to send to be connected to the required link information of company information distribution server 6 to service server 10 request.

Step 2:CE equipment 3 uses this link information to be connected to company information distribution server 6, sends company information 15 to company information distribution server 6.

Company information distribution server 6 has each company information 15 with being connected to the distribution server table 21 that distribution server 8 required link informations in authentication purpose ground are mapped.By distribution server table 21 CE equipment 3 is associated with the authentication purpose ground distribution server 8 that each enterprise managed.

Company information distribution server 6 is a key assignments retrieval distribution server table 21 with the company information 15 that receives from CE equipment 3, then the link information of the authentication purpose ground distribution server 8 that retrieves is sent to CE equipment 3.

Step 3:CE equipment 3 uses the link information that is received from company information distribution server 6, is connected to the authentication purpose ground distribution server 8 of the own enterprise of responsible this CE equipment 3 among each authentication purpose ground distribution server 8.

Then, CE equipment 3 reads the device id 13 of oneself, sends to authentication purpose ground distribution server 8.

Authentication purpose ground distribution server 8 has the certificate server table 22 that device id 13 is mapped with the link information of the certificate server of being responsible for CE equipment 3 is authenticated 9.

By certificate server table 22 each CE equipment 3 is associated with each certificate server 9.

In addition,, might not be defined in this, for example, also can specify correspondence on the macrotaxonomy more at different model of CE equipment 3 or the like though the structure of present embodiment is to specify corresponding certificate server 9 to each CE equipment 3.For example, can be set to model and be 000 CE equipment 3 and be authenticated by link information 1 determined certificate server 9, model is that 3 of the CE equipment of △ △ △ are authenticated by link information 2 determined certificate servers 9.That is, each enterprise can set up the corresponding relation of CE equipment 3 with certificate server 9 on their own.

Distribution server 8 uses in authentication purpose ground are retrieved certificate server table 22 from the device id 13 that CE equipment 3 is received as key assignments, and the link information of the certificate server 9 that retrieves is sent to CE equipment 3.

Step 4:CE equipment 3 uses this link information to be connected to certificate server 9 from the link information that company information distribution server 6 receives to certificate server 9.Then, CE equipment 3 sends the necessary authentication informations of device authentication such as password or device id 13 to certificate server 9.

Certificate server 9 has the authentication information table 23 that device id 13 is mapped with authentication information, and the authentication information that contrast is received from CE equipment 3 and the authentication information of authentication information table 23 carry out device authentication.Then, certificate server 9 sends authentication result to CE equipment 3.

Step 5:CE equipment 3 sends the authentication result that receives from certificate server 9 to service server 10, and request server provides service.

Judge the authentication result of CE equipment 3 after the service server 10 reception authentication results, when CE equipment 3 has passed through the authentication of certificate server 9, just provide service to CE equipment 3; During not by authentication, then send corresponding warning, service is not provided to CE equipment 3.

Fig. 4 is the process flow diagram that is used for the program of devices illustrated Verification System 1 service server 10 when CE equipment 3 provides the service of needs authentication.

In addition, CE equipment 3, company information distribution server 6 have each program that quadrangle is enclosed in the process flow diagram.

At first, CE equipment 3 need to propose the services request (step 5) of authentication to service server 10.

Correspondingly, service server 10 is to CE equipment 3 transmitting apparatus authentication trigger, and indication is to the connection (step 50) of company information distribution server 6.

CE equipment 3 is connected to company information distribution server 6 from service server 10 receiving equipments authentication trigger (the 1st receiving element).Then, CE equipment 3 reads the device id 13 that is set in self, and then obtains company information 15 from this device id 13, sends to company information distribution server 6 (the 1st transmitting element).Thus, CE equipment 3 requires company information distribution server 6 to confirm be connected to which authentication purpose ground distribution server 8 (step 10).

Company information distribution server 6 receives company informations 15 (receiving element) from CE equipment 3, retrieve the link information of the authentication purpose ground distribution server 8 that sensing CE equipment 3 should connect from distribution server table 21 as key assignments.Then, send the link information (transmitting element) (step 70) that retrieves to CE equipment 3.

CE equipment 3 receives link information (the 2nd receiving element) from company information distribution server 6, uses this link information to be connected to authentication purpose ground distribution server 8.Then, CE equipment 3 is to authentication purpose ground distribution server 8 transmitting apparatus ID13 (the 2nd transmitting element), and confirmation request should be connected to which certificate server 9 (step 15).

Correspondingly, authentication purpose ground distribution server 8 is from CE equipment 3 receiving equipment ID13, as key assignments from certificate server table 22, retrieve point to the certificate server 9 that CE equipment 3 should connect link information then, send the link information (transmitting element) (step 80) that retrieves to CE equipment 3.

Then, CE equipment 3 uses the link information to certificate server 9 that is received from authentication purpose ground distribution server 8 to be connected to certificate server 9.Then, CE equipment 3 sends authentication information (authentication information transmitting element) to certificate server 9, receives authentication result (authentication information receiving element) from certificate server 9.Like this, CE equipment 3 is on one side with certificate server 9 communications, Yi Bian carried out a series of device authentication (step 20, step 93).

This device authentication sequence can be by for example to authentication informations such as certificate server 9 transmitting apparatus ID13 or passwords, use authentication information tables 23 that it is confirmed to realize by certificate server 9 then.

Security socket layer) etc. in addition, following device authentication to carry out before data transmit, (Secure Sockets Layer: encryption technology is guaranteed the safe structure that the circuit of CE equipment 3 and certificate server 9 is connected for example can to use SSL.With the SSL technology communication line is encrypted, can be realized tight security communication.

Certificate server 9 sends according to carrying out authentication result (step 95) from CE equipment 3 received authentication informations to CE equipment 3.At this moment, disposal password of certificate server 9 distribution sends to CE equipment 3, and also this disposal password is sent to CE equipment 3, and this password uses when confirming subsequently when service server 10 whether CE equipment 3 has passed through the authentication of certificate server 9.

By issuing this disposal password, can prevent to have the pretending to be of forgery server etc. of said function with certificate server 9.

Certificate server 9 association store the disposal password issued and as the device id 13 of the CE equipment 3 of target of issue.

CE equipment 3 sends authentication result and the disposal password (authentication result transmitting element) that receives from certificate server 9 to service server 10, proposes services request (step 25).In this case, can use encryption technology such as SSL to improve the security that circuit connects.

Then, service server 10 receives authentication result, device id 13 and disposal password from CE equipment 3.

Then, service server 10 sends to certificate server 9 to received device id 13 and disposal password, requires certificate server 9 to confirm whether it is that certificate server 9 is issued (step 55) from CE equipment 3 received authentication results really.

Certificate server 9 receives device id 13 and disposal password from service server 10, and they are checked with disposal password mutually with the device id 13 that before associates in step 95, confirms whether be the authentication that certificate server 9 is done really.Then, the result of authenticate-acknowledge is sent to service server 10 (step 98).

In addition, use encryption technologies such as SSL, can improve in above step 55 and the step 98 service server 10 with the security of communication between the certificate server 9.

Service server 10 receives the authenticate-acknowledge result from certificate server 9, confirm that the authentication result that CE equipment 3 is sent is that certificate server 9 is issued really, and then, the authentication result that receives from CE equipment 3 has proved under the situation of authentication of CE equipment 3, has begun to provide the service (step 60) to CE equipment 3.

CE equipment 3 uses (step 30) from service objects such as service server 10 received contents for the user.

In addition, in the step 60, can't obtain under the situation of authenticate-acknowledge from certificate server 9, perhaps can not prove under the situation of authentication of CE equipment 3 from CE equipment 3 received authentication results, service server 10 provides service for CE equipment 3.

Fig. 5 A and Fig. 5 B are the presentation graphs as an example of the agreement of device authentication trigger.

Fig. 5 A is the employed agreement of former device authentication, the URL34 and the device authentication version 35 of the connection destination that connects when comprising URL33, the authentification failure of the website that CE equipment 3 connects after the title 32, authentication success of the service that URL31, certificate server provided (authentication service) of certificate server.

Have several versions in the device authentication, authentication version difference, service available in the service server is also different.The employed version of device authentication version 35 expressions.

Like this, comprised the link information (URL) to certificate server in the former agreement, CE equipment 3 uses these information to be connected to certificate server.

Fig. 5 B has represented to be used as in the present embodiment example of the agreement of device authentication trigger.

Master agreement 41 and auxiliary agreement 50 have been comprised in this agreement.

Usually use master agreement 41 to connect company information distribution server 6, company information distribution server 6 breaks down or company information distribution server 6 is busy and work as, in the time of can't being connected to company information distribution server 6, then use auxiliary agreement 50 to be connected to the company information distribution server 6 of preparation.

Usually, master agreement 41 and auxiliary agreement 50 are made of same information.

The URL45 and the device authentication edition 46 of the connection destination that connects when comprising CE equipment 3 connects after the title 43, authentication success of the URL42 of company information distribution server 6, service (distribution services) that company information distribution server 6 is provided website URL44, authentification failure in the master agreement 41.

Like this, comprise the link information to company information distribution server 6 in the master agreement 41, CE equipment 3 uses these information to connect company information distribution server 6.

More than Shuo Ming the 1st embodiment can obtain following effect:

(1) enterprise distributing equipment authentication purpose ground is administered in the authentication of pressing CE equipment 3, and then the enterprise that is assigned with can be assigned to each certificate server 9 to the device authentication destination.

(2) during device authentication, the confidential information that is to use each enterprise to set up on their own is respectively mostly carried out.And, need the information of all over products of device authentication all to focus on above the device authentication destination distribution server, the confidential information of each enterprise or production information (may recognize production quantity according to device id 13) might be revealed to other enterprises.But present embodiment can accomplish to allow that each enterprise is only shared distributes the company information distribution server 6 on authentication purpose ground by company information, so the confidential information management easily, and is safe.

(3) can reduce detection certificate server 9 required times and cost.

(4) by the definite agreement that is used for determining certificate server 9 is separated with the authentication protocol of certificate server 9, can adapt to various authentication modes and proprietary authentication mode openly.

(5) from CE equipment 3 to the connection procedure of company information distribution server 6, need not to send password or device ids 13 to company information distribution server 6, can improve security.

(6) from CE equipment 3 to the connection procedure of authentication purpose ground distribution server 8, need not to send passwords to authentication purpose ground distribution server 8, can improve security.

In addition, though in the illustrated situation of present embodiment, do not comprise link information in the authentication trigger from service server 10, promptly do not specify card server 9 to certificate server 9; But might not be defined in this, also can only enter allocated phase under the situation of not specifying certificate server 9, over-allocation slightly under the situation of having specified directly goes certificate server 9 to accept authentication from CE equipment 3.

In addition, expect popularizing of CE equipment 3 from now on, can adopt the basic mode of device authentication system 1 as the device authentication standard scheme.

So far, present embodiment is to divide the certificate server 9 that is used in authentication CE equipment 3 in company information distribution server 6 and authentication purpose ground distribution server 8; But, CE equipment 3 is by company information distribution server 6 and authentication purpose ground distribution server 8, in case got the link information of certificate server 9, this link information is stored (link information storage unit), CE equipment 3 just can be skipped being connected to company information distribution server 6 and authentication purpose ground distribution server 8 later on, but read the link information of the certificate server 9 of storage, be connected to certificate server 9.

In order to make CE equipment 3 directly connect certificate servers 9, from the device authentication trigger that service server 10 receives, must comprise necessary information and be used to judge corresponding with distribution services.Particularly, must for example record and narrate contents such as " the Object ID that is used for determining distribution services be DADP (Device Authentication Service DiscoveryProtocol: the device authentication service discovery protocol) " in the service name 43 among Fig. 5 B.

Read in the CE equipment 3 slave units authentications trigger be used for determining the ObjectID of distribution services after, then confirm whether to have in the device authentication trigger before this link information (confirmation unit) that authenticates the certificate server 9 of CE equipment 3 by distribution services being used to of distributing.If have the link information of certificate server 9, CE equipment 3 does not remove to connect company information distribution server 6 and authentication purpose ground distribution server 8, directly connects certificate server 9, authenticates.

Even CE equipment 3 visit is the link information destination of known certificate server 9,, also can make a mistake if certificate server 9 has changed.Under these circumstances, utilize distribution services, obtain the link information of certificate server 9 according to above-mentioned steps.

After CE equipment 3 is accepted authenticate-acknowledge from certificate server 9, will be from the link information buffer-stored (renewal) of the received certificate server of authentication purpose ground distribution server 8.

As mentioned above, in the present embodiment, CE equipment 3 sends the device id 13 with structure shown in Figure 2 to company information distribution server 6; Also can the full detail of device id not sent out, CE equipment 3 is this information which enterprise makes but only for example send to company information distribution server 6, and promptly company information 15.

In addition, if satellite information 16 further comprises device category information 16-1 and device hardware identifying information 16-2, can a transmitting apparatus kind of information 16-1 to authentication purpose ground distribution server 8, and only to certificate server 9 transmitting apparatus ID13.Be to send entire equipment ID, still send a necessary MIN part; Criterion is to have company information distribution server 6 and authentication purpose ground distribution server 8 to be used for determining that next is connected the enough information of destination at least.

For determining quantity of information necessary in the device id, service server 10 and company information distribution server 6 can be specified company information distribution server 6 and authentication purpose ground distribution server 8 information necessary amounts respectively to CE equipment 3.In addition, company information distribution server 6 and authentication purpose ground distribution server 8 also can be in advance when being connected the quantity of information of essential device id be notified to CE equipment 3.

During designated equipment ID a part of, both can explicitly call for to comprise high-order several bits, also can provide the mask information of only obtaining necessary position information, obtain its result after calculating with device id 13 with mask information.For example, device id 13 comprises company information 15 " 1010 " and satellite information 16 " 110001101 "; If supposition only needs company information 15, mask information " 1111000000000 " then is provided, a transmitting apparatus ID gets final product with the logic and operation result " 1010000000000 " of mask information.Being not limited thereto of the part of designated equipment ID is as long as it is just passable to get data necessary.

[summary of the 2nd embodiment]

Among Fig. 6, when CE equipment 3 provides the service that needs device authentication at requested service server 10, to service server 10 transmitting apparatus ID13.

Service server 10 extracts company information 15 from this device id 13, send to company information distribution server 6.

These company information 15 retrieval distribution server tables 21 of company information distribution server 6 usefulness are obtained the link information to authentication purpose ground distribution server 8.

Then, company information distribution server 6 sends to service server 10 to obtained link information.

Service server 10 these link informations of use are connected to the authentication purpose ground distribution server 8 that enterprise managed of CE equipment 3, transmitting apparatus ID13.

Authentication purpose ground distribution server 8 retrieval facility ID13 from certificate server table 22 obtains link information that point to be responsible for certificate server 9 that CE equipment 3 is authenticated.Then, authentication purpose ground distribution server 8 sends to service server 10 to obtained link information.

Service server 10 sends to CE equipment 3 to this link information.

CE equipment 3 can be determined the responsible certificate server 9 that oneself is authenticated according to this link information.

CE equipment 3 uses this link information to be connected to certificate server 9, sends the necessary authentication informations of device authentication such as password, device id 13.

Correspondingly, 9 pairs of CE equipment of certificate server 3 carry out device authentication.

Like this, in the present embodiment, service server 10 is determined certificate server 9 according to device id 13.

[the 2nd embodiment in detail]

Network structure in the present embodiment is identical with the 1st embodiment (Fig. 1).Use same-sign to represent corresponding structural element in the following explanation.In addition, the 3 employed device ids of the CE equipment in the present embodiment identical with shown in Fig. 2.

Fig. 6 is used to illustrate the figure of CE equipment 3 with the relation between each server of constitution equipment Verification System 1.

Each stage till CE equipment 3 is accepted to serve from service server 10 progressively is described below.

Step 1:CE equipment 3 need to propose the services request of device authentication to service server 10.And, when sending request, read the device id 13 of oneself, send to service server 10.

Step 2: service server 10 extracts company information 15 and sends to company information distribution server 6 from CE equipment 3 receiving equipment ID13 among the slave unit ID13.

Identical with the 1st embodiment, company information distribution server 6 has each company information 15 with being connected to the distribution server table 21 that distribution server 8 required link informations in authentication purpose ground are mapped.By distribution server table 21 CE equipment 3 is associated with the authentication purpose ground distribution server 8 that each enterprise managed.

Company information distribution server 6 is a key assignments retrieval distribution server table 21 with the company information 15 that receives from service server 10, then the link information of the authentication purpose ground distribution server 8 that retrieves is sent to service server 10.

Step 3: service server 10 uses the link information that is received from company information distribution server 6, is connected to the authentication purpose ground distribution server 8 of responsible this CE equipment 3 among each authentication purpose ground distribution server 8.

Then, service server 10 is sending to authentication purpose ground distribution server 8 from CE equipment 3 received device ids 13.

Identical with the 1st embodiment, authentication purpose ground distribution server 8 has the certificate server table 22 that device id 13 is mapped with the link information of the certificate server of being responsible for CE equipment 3 is authenticated 9.

By certificate server table 22 each CE equipment 3 is associated with each certificate server 9.

Distribution server 8 uses in authentication purpose ground are retrieved certificate server table 22 from the device id 13 that CE equipment 3 is received as key assignments, and the link information of the certificate server 9 that retrieves is sent to service server 10.

Step 4: service server 10 receives from authentication purpose ground distribution server 8 and points to the link information of being responsible for certificate server 9 that CE equipment 3 is authenticated, and this link information is sent to CE equipment 3.

Step 5:CE equipment 3 uses this link information to be connected to certificate server 9 from the link information that service server 10 receives to certificate server 9.Then, CE equipment 3 sends the necessary authentication informations of device authentication such as password or device id 13 to certificate server 9.

Identical with the 1st embodiment, certificate server 9 has the authentication information table 23 that device id 13 is mapped with authentication information, and the authentication information that contrast is received from CE equipment 3 and the authentication information of authentication information table 23 carry out device authentication.Then, certificate server 9 sends authentication result to CE equipment 3.

Step 6:CE equipment 3 sends the authentication result that receives from certificate server 9 to service server 10, and request server provides service.

Judge the authentication result of CE equipment 3 after the service server 10 reception authentication results, when CE equipment 3 has passed through the authentication of certificate server 9, just provide service to CE equipment 3; During not by authentication, then send corresponding warning, service is not provided to CE equipment 3.

Like this, can lump together the distribution system of regarding as to CE equipment 3 transmission distribution destination link informations to company information distribution server 6 (the 1st distribution server) and authentication purpose ground distribution server 8 (the 2nd distribution server).And this distribution system possesses the assignment information receiving element and the link information transmitting element that sends to the link information (URL) of certificate server 9 that receives assignment information (device id 13, company information 15) from service server 10.

In addition, also the function of this distribution system can be realized on a distribution server with the function merging back of company information distribution server 6 and authentication purpose ground distribution server 8.

And then, like this company information distribution server 6 and authentication purpose ground distribution server 8 to be regarded as under the situation of distribution system, service server 10 has just possessed: the assignment information receiving element receives assignment information from CE equipment 3; The assignment information transmitting element sends assignment information to distribution system; The link information receiving element is from the link information of distribution system reception to certificate server 9; The link information transmitting element sends to CE equipment 3 to the link information that receives.

In addition, constitute in each server of distribution system, after company information distribution server 6 (the 1st distribution server) receives the 1st assignment information (company information 15) from service server 10, to the link information of service server 10 transmissions to authentication purpose ground distribution server 8 (the 2nd distribution server); Authentication purpose ground distribution server 8 sends the link information to certificate server 9 after receiving the 2nd assignment information (device id 13) from service server 10.

Fig. 7 is the process flow diagram that is used for illustrating the program of device authentication system 1 service server 10 when CE equipment 3 provides the service of needs authentication of the 2nd embodiment.

In addition, service server 10, company information distribution server 6, authentication purpose ground distribution server 8 have each program that quadrangle is enclosed in the process flow diagram.

At first, CE equipment 3 requested service servers 10 provide the service (step 105) that needs authentication.

Correspondingly, service server 10 requires to service server 10 transmitting apparatus ID13 (step 130) to CE equipment 3 transmitting apparatus authentication trigger.

CE equipment 3 reads the device id 13 of oneself after receiving the device authentication trigger from service server 10, sends to service server 10 (step 110).

Service server 10 is from CE equipment 3 receiving equipment ID13 (assignment information receiving element).Then, service server 10 extracts company information 15 among this device id 13 and sends to company information distribution server 6 (the 1st transmitting element) (step 135).

Thus, service server 10 requires company information distribution server 6 to confirm which authentication purpose ground distribution server 8 CE equipment 3 should be connected to.

Company information distribution server 6 receives company informations 15 (receiving element) from service server 10, retrieve the link information of the authentication purpose ground distribution server 8 that sensing CE equipment 3 should connect from distribution server table 21 as key assignments.Then, send the link information (transmitting element) (step 160) that retrieves to service server 10.

Service server 10 receives link information (the 1st receiving element) from company information distribution server 6, uses this link information to be connected to authentication purpose ground distribution server 8.Then, service server 10 sends the device id 13 (the 2nd transmitting element) that receives from CE equipment 3 to authentication purpose ground distribution server 8, and confirmation request CE equipment 3 should be connected to which certificate server 9 (step 140).

Correspondingly, authentication purpose ground distribution server 8 is from service server 10 receiving equipment ID13 (receiving element), as key assignments from certificate server table 22, retrieve point to the certificate server 9 that CE equipment 3 should connect link information then, send the link information (transmitting element) (step 170) that retrieves to service server 10.

Then, service server 10 sends it to CE equipment 3 (link information transmitting element) from the link information (the 2nd receiving element) that authentication purpose ground distribution server 8 receives to certificate server 9.At this time, service server 10 is accepted the information (step 145) of the device authentication of certificate server 9 also to CE equipment 3 transmitting apparatus authentication trigger as indication CE equipment 3.

CE equipment 3 uses the link information to certificate server 9 that receives from service server 10 to be connected to certificate server 9, carries out a series of device authentication sequence (step 115, step 180) with certificate server 9.

This device authentication sequence can be by for example to authentication informations such as certificate server 9 transmitting apparatus ID13 or passwords, use authentication information tables 23 that it is confirmed to realize by certificate server 9 then.

In addition, follow device authentication to carry out before data transmit, for example can use encryption technology such as SSL to guarantee the safety that the circuit of CE equipment 3 and certificate server 9 is connected.

Certificate server 9 sends according to carrying out authentication result (step 185) from CE equipment 3 received authentication informations to CE equipment 3.At this moment, disposal passwords of certificate server 9 distribution also send to CE equipment 3, and this password is used for confirming at service server 10 subsequently whether CE equipment 3 have passed through the authentication of certificate server 9.

By issuing this disposal password, can prevent to have the pretending to be of forgery server etc. of said function with certificate server 9.

Certificate server 9 association store the disposal password issued and as the device id 13 of the CE equipment 3 of target of issue.

CE equipment 3 sends authentication result and the disposal password that receives from certificate server 9 to service server 10, requires server that service (step 120) is provided.In this case, also can use encryption technology such as SSL to improve the security that circuit connects.

Then, service server 10 receives authentication result, device id 13 and disposal password from CE equipment 3.

Service server 10 sends to certificate server 9 to the device id 13 and the disposal password that receive, confirms whether the authentication result that receives from CE equipment 3 is the authentication (step 150) that certificate server 9 is issued really.

Certificate server 9 receives device id 13 and disposal password from service server 10, and they are checked with disposal password mutually with the device id 13 that before associates in step 185, confirms whether be the authentication that certificate server is done really.Then, the result of authenticate-acknowledge is sent to service server 10 (step 190).

In addition, use encryption technologies such as SSL, can improve in above step 150 and the step 190 service server 10 with the security of communication between the certificate server 9.

Service server 10 receives the authenticate-acknowledge result from certificate server 9, confirm that the authentication result that CE equipment 3 is sent is that certificate server 9 is issued really, and then, proved that the authentication result that receives from CE equipment 3 is under the situation of authentication of CE equipment 3, begins to provide the service (step 155) to CE equipment 3.

CE equipment 3 uses (step 125) from service objects such as service server 10 received contents for the user.

In addition, in the step 155, can't obtain under the situation of authenticate-acknowledge from certificate server 9, perhaps can not prove under the situation of authentication of CE equipment 3 from CE equipment 3 received authentication results, service server 10 provides service for CE equipment 3.

The above effect same of Shuo Ming the 2nd embodiment (1)～(4) that can obtain to put down in writing in the 1st embodiment.

Can obtain following effect in addition:

(1) when requested service server 10 provides the service that needs device authentication, CE equipment 3 is to service server 10 transmitting apparatus ID13, from the link information of service server 10 receptions to certificate server 9.This action that CE equipment 3 is carried out is identical with former device authentication system, so can be with former equipment as CE equipment 3.

(2) from service server 10 in the connection procedure of company information distribution server 6, need not to send password or device ids 13 to company information distribution server 6, can improve security.

(3) from service server 10 in the connection procedure of authentication purpose ground distribution server 8, need not to send passwords to authentication purpose ground distribution server 8, can improve security.

Claims (19)

1. terminal device authentication system is characterized in that possessing:

Service server when providing the service that needs device authentication to terminal device, to the link information of above-mentioned terminal device transmission to the 1st distribution server, receives authentication result from above-mentioned terminal device;

The 1st distribution server receives the 1st assignment information from terminal device, sends the link information of pointing to corresponding the 2nd distribution server of the 1st assignment information;

The 2nd distribution server receives the 2nd assignment information from terminal device, sends the link information of pointing to the corresponding certificate server of the 2nd assignment information;

Certificate server carries out device authentication after terminal device receives authentication information, authentication result is sent to above-mentioned terminal device.

2. a terminal device uses the service that service server provided in the described terminal device authentication system of claim 1, it is characterized in that possessing:

The 1st receiving element is from the link information of above-mentioned service server reception to the 1st distribution server;

The 1st transmitting element, the link information of using above-mentioned the 1st receiving element to be received is connected to above-mentioned the 1st distribution server, sends the 1st assignment information;

The 2nd receiving element receives the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server;

The 2nd transmitting element, the link information of using above-mentioned the 2nd receiving element to be received is connected to above-mentioned the 2nd distribution server, sends the 2nd assignment information;

The 3rd receiving element receives the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that sends from above-mentioned the 2nd distribution server;

The authentication information transmitting element, the link information of using above-mentioned the 3rd receiving element to be received is connected to above-mentioned certificate server, sends authentication information;

The authentication result receiving element receives the authentication information that uses above-mentioned authentication information transmitting element to be sent from above-mentioned certificate server and carries out authentication result;

The authentication result transmitting element sends the authentication result that above-mentioned authentication result receiving element is received to above-mentioned service server.

3. the 1st distribution server provides link information to the 2nd distribution server to terminal device in the described terminal device authentication system of claim 1, it is characterized in that possessing:

Receiving element is accepted the connection from terminal device, receives the 1st assignment information from above-mentioned terminal device;

Transmitting element sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives to above-mentioned terminal device.

4. terminal device authentication system is characterized in that possessing:

Service server, when providing the service that needs device authentication to terminal device, receive assignment information from above-mentioned terminal device, use the above-mentioned assignment information that receives from the link information of distribution system reception to certificate server, the above-mentioned link information that receives is sent to above-mentioned terminal device, receive the authentication result of above-mentioned certificate server from above-mentioned terminal device;

Above-mentioned distribution system receives above-mentioned assignment information from above-mentioned service server, sends the link information of pointing to the above-mentioned corresponding certificate server of assignment information that receives to above-mentioned service server;

Above-mentioned certificate server receives the device authentication that authentication information carries out above-mentioned terminal device from above-mentioned terminal device, sends the authentication result of the said equipment authentication to above-mentioned terminal device.

5. distribution system in the described terminal device authentication system of claim 4, provides link information to certificate server to service server, it is characterized in that possessing:

The assignment information receiving element receives assignment information from service server;

The link information transmitting element sends the link information of pointing to the above-mentioned corresponding certificate server of assignment information that receives.

6. a service server provides service to terminal device in the described terminal device authentication system of claim 4, it is characterized in that possessing:

The assignment information receiving element receives assignment information from terminal device;

The assignment information transmitting element sends the above-mentioned assignment information that receives to distribution system;

The link information receiving element receives the link information of pointing to the above-mentioned corresponding certificate server of assignment information that sends from above-mentioned distribution system;

The link information transmitting element sends the above-mentioned link information that receives to above-mentioned terminal device.

7. distribution system as claimed in claim 5 is characterized in that,

Above-mentioned assignment information is made of the 1st assignment information and the 2nd assignment information,

Above-mentioned distribution system possesses:

The 1st distribution server receives above-mentioned the 1st assignment information from service server, sends the link information of pointing to corresponding the 2nd distribution server of the 1st assignment information to above-mentioned service server;

The 2nd distribution server receives the 2nd assignment information from service server, sends the link information of pointing to the corresponding certificate server of the 2nd assignment information to above-mentioned service server.

8. service server, accessory rights require 7 described distribution systems to receive link information to certificate server, it is characterized in that possessing:

The assignment information receiving element receives the 1st assignment information and the 2nd assignment information from terminal device;

The 1st transmitting element is connected to the 1st distribution server, sends above-mentioned the 1st assignment information that receives to above-mentioned the 1st distribution server;

The 1st receiving element receives the link information of pointing to above-mentioned corresponding above-mentioned the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server;

The 2nd transmitting element, the link information of using above-mentioned the 1st receiving element to be received is connected to above-mentioned the 2nd distribution server, sends above-mentioned the 2nd assignment information;

The 2nd receiving element receives the link information of pointing to the above-mentioned corresponding above-mentioned certificate server of the 2nd assignment information that sends from above-mentioned the 2nd distribution server;

The link information transmitting element sends the link information that above-mentioned the 2nd receiving element is received to above-mentioned terminal device.

9. the 1st distribution server provides link information to the 2nd distribution server to service server in the described distribution system of claim 7, it is characterized in that possessing:

Receiving element receives the 1st assignment information from service server;

Transmitting element sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives.

10. the 2nd distribution server provides link information to certificate server to service server in the described distribution system of claim 7, it is characterized in that possessing:

Receiving element receives the 2nd assignment information from service server;

Transmitting element sends the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that receives.

11. a terminal device implementation method by the utilization of computer realization to the service that service server provided in the described terminal device authentication system of claim 1, is characterized in that,

Above-mentioned computer: possess the 1st receiving element, the 1st transmitting element, the 2nd receiving element, the 2nd transmitting element, the 3rd receiving element, authentication information transmitting element, authentication result receiving element and authentication result transmitting element,

Described method possesses:

The 1st receiving step receives link information to the 1st distribution server by above-mentioned the 1st receiving element from above-mentioned service server;

The 1st forwarding step, the link information of using above-mentioned the 1st receiving step to be received is connected to above-mentioned the 1st distribution server, sends the 1st assignment information by above-mentioned the 1st transmitting element;

The 2nd receiving step by above-mentioned the 2nd receiving element, receives the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server;

The 2nd forwarding step, the link information of using above-mentioned the 2nd receiving step to be received is connected to above-mentioned the 2nd distribution server, sends the 2nd assignment information by above-mentioned the 2nd transmitting element;

The 3rd receiving step receives the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that sends by above-mentioned the 3rd receiving element from above-mentioned the 2nd distribution server;

The authentication information forwarding step, the link information of using above-mentioned the 3rd receiving step to be received is connected to above-mentioned certificate server, sends authentication information by above-mentioned authentication information transmitting element;

The authentication result receiving step by above-mentioned authentication information receiving element, receives the authentication information that uses above-mentioned authentication information forwarding step to be sent from above-mentioned certificate server and carries out authentication result;

The authentication result forwarding step by above-mentioned authentication result transmitting element, sends the authentication result that above-mentioned authentication result receiving step is received to above-mentioned service server.

12. the 1st distribution method provides link information to the 2nd distribution server to terminal device in the described terminal device authentication system of claim 1, it is characterized in that possessing:

In the computer that possesses receiving element and transmitting element,

Receiving step by above-mentioned receiving element, is accepted the connection from terminal device, receives the 1st assignment information from above-mentioned terminal device;

Forwarding step by above-mentioned transmitting element, sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives to above-mentioned terminal device.

13. a distribution method provides link information to certificate server to service server in the described terminal device authentication system of claim 4, it is characterized in that possessing:

In the computer system that possesses assignment information receiving element and link information transmitting element,

The assignment information receiving step by above-mentioned assignment information receiving element, receives assignment information from service server;

The link information forwarding step by above-mentioned link information transmitting element, sends the link information of pointing to the above-mentioned corresponding certificate server of assignment information that receives.

14. a service providing method provides service to terminal device in the described terminal device authentication system of claim 4, it is characterized in that possessing:

In the computer system that possesses assignment information receiving element, assignment information transmitting element, link information receiving element, link information transmitting element,

The assignment information receiving step by above-mentioned assignment information receiving element, receives assignment information from terminal device;

The assignment information forwarding step by above-mentioned assignment information transmitting element, sends the above-mentioned assignment information that receives to distribution system;

The link information receiving step by above-mentioned link information receiving element, receives the link information of pointing to the above-mentioned corresponding certificate server of assignment information that sends from above-mentioned distribution system;

The link information forwarding step by above-mentioned link information transmitting element, sends the above-mentioned link information that receives to above-mentioned terminal device.

15. a service server method, accessory rights require the link information of 7 described distribution systems receptions to certificate server, it is characterized in that possessing:

In the computer that possesses assignment information receiving element, the 1st transmitting element, the 1st receiving element, the 2nd transmitting element, the 2nd receiving element, link information transmitting element,

The assignment information receiving step by above-mentioned assignment information receiving element, receives the 1st assignment information and the 2nd assignment information from terminal device;

The 1st forwarding step is connected to the 1st distribution server, sends above-mentioned the 1st assignment information that receives by above-mentioned the 1st transmitting element to above-mentioned the 1st distribution server;

The 1st receiving step by above-mentioned the 1st receiving element, receives the link information of pointing to above-mentioned corresponding above-mentioned the 2nd distribution server of the 1st assignment information that sends from above-mentioned the 1st distribution server;

The 2nd forwarding step, the link information of using above-mentioned the 1st receiving step to be received is connected to above-mentioned the 2nd distribution server, sends the 2nd assignment information by above-mentioned the 2nd transmitting element;

The 2nd receiving step receives the link information of pointing to the above-mentioned corresponding above-mentioned certificate server of the 2nd assignment information that sends by above-mentioned the 2nd receiving element from above-mentioned the 2nd distribution server;

The link information forwarding step sends the link information that above-mentioned the 2nd receiving element is received by above-mentioned link information transmitting element to above-mentioned terminal device.

16. the 1st distribution method provides link information to the 2nd distribution server to service server in the described distribution system of claim 7, it is characterized in that possessing:

In the computer that possesses receiving element and transmitting element,

Receiving step by above-mentioned receiving element, receives the 1st assignment information from service server;

Forwarding step sends the link information of pointing to above-mentioned corresponding the 2nd distribution server of the 1st assignment information that receives by above-mentioned transmitting element.

17. the 2nd distribution method provides link information to certificate server to service server in the described distribution system of claim 7, it is characterized in that possessing:

In the computer that possesses receiving element and transmitting element,

Receiving step by above-mentioned receiving element, receives the 2nd assignment information from service server;

Forwarding step sends the link information of pointing to the above-mentioned corresponding certificate server of the 2nd assignment information that receives by above-mentioned transmitting element.

18. terminal device as claimed in claim 2 is characterized in that,

Possess:

The link information storage unit is stored the link information to certificate server that above-mentioned the 3rd receiving element is received; And

Whether confirmation unit when receiving link information to above-mentioned the 1st distribution server from above-mentioned service server, has confirmed by above-mentioned link information cell stores above-mentioned link information,

Confirming by above-mentioned confirmation unit under the situation that above-mentioned link information is stored that above-mentioned authentication information transmitting element uses above-mentioned link information of storing to be connected to above-mentioned certificate server, sends authentication information.

19. terminal device as claimed in claim 18 is characterized in that,

The above-mentioned link information that above-mentioned authentication information transmitting element uses above-mentioned link information storage unit to be stored can't be connected under the situation of above-mentioned certificate server, the link information that is received based on above-mentioned the 1st receiving element, use link information, be connected to above-mentioned certificate server and send authentication information by the obtained certificate server of above-mentioned the 1st transmitting element, above-mentioned the 2nd receiving element, above-mentioned the 2nd transmitting element and above-mentioned the 3rd receiving element;

Above-mentioned link information storage unit is used the above-mentioned obtained link information in the link information updated stored of certificate server.

Images