JP2002157223A - Service providing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To dynamically select information to be transmitted/received according to the authority of a user, and to prevent the same operation from being received plural times by erroneous operation. SOLUTION: In a request data preparing part 102, service utilization request data are prepared and sent to a basic authentication part 106. In the basic authentication part 106, the user is authenticated, and in respect to a legal user, a service utilization request is accepted. Requested data are retrieved by a data storage part 107 and dispatched to a data converting part 110. The data converting part 110 inquires whether tagged data can be provided to the user or not to a policy managing part 109. Corresponding to the user ID of the user, the tag and the state of a utilization system 111, the policy managing part 109 judges permission/refusal and the data converting part 110 converts data so that data permitted by the policy managing part 109 can be disclosed and refused data can be hidden, and provides the data to an application executing part 103.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a service providing system for providing contents distribution and use of contents as a service, and more particularly, to protecting services by appropriately providing services to those who have rights, and illegally using contents. The present invention relates to a service providing system for performing prevention.

[0002]

2. Description of the Related Art With the development of information and communication technology represented by the Internet, it is possible to distribute music and games via a network, and to perform balance inquiries and transfers from a mobile phone or a personal computer at home as in Internet banking. Services are becoming more common.
However, with an unspecified number of service users,
In addition to responding to the diverse needs of service users, it has become necessary to sufficiently consider measures for information security threats.

As a response to various needs, for example, as disclosed in Japanese Patent Application Laid-Open No. 2000-82039, "Display Control Information Generation Method and Computer", client terminals having various capabilities are provided according to their capabilities. In order to provide a user interface, there is one that dynamically generates display control information such as HTML with reference to terminal attribute information.

As a technique for ensuring information security, Japanese Patent Laid-Open No. 2000-19960 describes a "remote operation method" as follows. That is, when the user inputs a control signal when transmitting a control signal from the operation terminal to the control device, a next operation right is generated, and the control device uses the control signal and a signal including the next operation right and the current operation right in common. Encrypt with the key and transfer to the operation terminal. The next operation right is stored in the operation terminal. The control device decrypts the transferred ciphertext with the common key, obtains the control signal, the current operation right and the next operation right, and checks whether the current operation right matches the operation right registered in the control device. Judge, and if they match, send a control signal to the control device. The next operation right is registered in the control device.

[0005]

However, such a conventional method has the following problems. That is, JP-A-2000-
Regarding 82039, when content is provided, content to be provided is dynamically generated based on terminal attribute information transmitted from a client terminal. Does not take into account whether or not you have permission to view. In the case of content that contains important confidential information, that requires privacy protection, or that is provided only to members, etc., the content must be considered in consideration of the authority of the content user to be provided. It must be generated and distributed.

[0006] In Japanese Patent Application Laid-Open No. 2000-19960, if the same operation is performed a plurality of times by mistake from the operation terminal, the control device recognizes that a valid control signal has been sent a plurality of times and repeatedly executes the same control. Could be done. For example, if this method is applied to Internet banking, there is a problem that if a transfer operation signal is sent by mistake multiple times, the transfer is made unnecessarily large without detecting it. .

An object of the present invention is to provide a service providing system for dynamically selecting information to be provided or received according to the authority of a user.

[0008] Another object of the present invention is to provide a communication system in which the same control signal is erroneously transmitted a plurality of times when using a service.
An object of the present invention is to provide a service providing system that does not accept a request multiple times without a user's confirmation.

[0009]

SUMMARY OF THE INVENTION The present invention is a service providing system for executing information processing for providing a predetermined service to a user, wherein a plurality of pieces of service information for providing the service are provided. Means for storing, request information for requesting the service contents, user attribute indicating the characteristic of the user, and request data including an authenticator for authenticating the user, and a means for accepting the request data based on the user attribute and the authenticator Means for authenticating the user, means for determining whether the user can access information included in the service information based on the result of the authentication, and service information corresponding to the request information, Means for searching from accessible service information, and converting the searched service information to adapt to the determined access permission A means that, and means for presenting the transformed the service information was. Note that the conversion includes displaying accessible information and suppressing display of inaccessible information.

In another aspect of the present invention, reception of the same request data is suppressed.

In addition, the following service providing system is also included in the present invention. A request data creation unit that creates a request by attaching a user attribute and an authenticator, a basic authentication unit that performs user authentication based on the user attribute and the authenticator, a policy management unit that specifies accessible data attributes, And a data conversion unit for reconstructing the data according to the data attribute specified by the policy management unit and providing the data to the user.

An application execution unit for attaching a user attribute and an authenticator to an operation request characterized by a delivery confirmation value and a data attribute and transmitting the operation request, and a basic authentication unit for performing user authentication based on the user attribute and the authenticator A usage history management unit that checks whether the delivery confirmation value has already been received, a policy management unit that specifies accessible data attributes, and a usage system that analyzes an operation request and determines based on the determination of the policy management unit. A service providing system having a command analyzer for operating.

Further, in each of the above service providing systems, the policy management unit has a function of restricting a data attribute that can be used by a user attribute and a function of restricting a data attribute that can be used by a state of a using system.

Further, the present invention includes a service providing system in which the basic authentication unit has a function of updating the delivery confirmation value and a function of encrypting the delivery confirmation value so that only the user can decrypt the delivery confirmation value.

Further, the application execution unit has a function of confirming that the delivery confirmation value returned from the basic authentication unit has been received, and a function of decoding the delivery confirmation value and storing the operation request for the next transmission. A service providing system is also included in the present invention.

[0016]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing a case where the present invention is applied to a plant monitoring and control system as one embodiment of the present invention. FIG. 1 shows a means by which the service using unit 101 obtains information from the service providing unit 104 and a means by which the service using unit 101 operates the use system 111.

The service using unit 101 includes a request data creating unit 102 and an application executing unit 103. The request data creation unit 102 converts a user request into a user ID,
The password is sent to the service providing unit 106 together with the password. The application execution unit 103 browses data passed from the service providing unit 106 and operates the use system 111.

The service providing unit 104 includes a use history management unit 105, a basic authentication unit 106, a data storage unit 107, a policy management unit 109, a data conversion unit 110, and a command analysis unit 108. The usage history management unit 105 manages the usage history of the user. The basic authentication unit 106 authenticates a user. The data storage unit 107 stores data and searches for necessary data according to a request. Policy management unit 1
09 determines whether to permit or reject the data use.
The data converter 110 converts data into a form usable by the user. The command analyzing unit 108 is a service using unit 1
The operation command for the use system 111 sent from the program 01 is analyzed.

First, a processing flow in which the service using unit 101 obtains information from the service providing unit 104 will be described with reference to FIG. The service using unit 101 designates the data to be provided by providing the authentication information in the request data creating unit 102 (step 201).
4 (step 202). The basic authentication unit 106 checks whether the user attribute and the authenticator are correctly associated and authenticates the user (step 203). When the user is authenticated, the basic authentication unit 106 makes a data search request to the data storage unit 107 (step 204).
The data storage unit 107 searches for the requested data (step 205). Here, in the data stored in the data storage unit 107, each data element is characterized by a tag as a data attribute. The data conversion unit 110 reads the tag of the searched data with the tag (step 2).
06), and inquire of the policy management unit 109 whether each tagged data can be provided to the corresponding user (step 207). The policy management unit 109 determines permission / denial of data provision based on the user ID and tag authenticated by the basic authentication unit 106 (step 208). The data conversion unit 110 discloses the permitted data and hides the rejected data based on the determination result of the policy management unit 109 (step 209). Data conversion section 110 performs encrypted communication to provide the created data to the user (step 210). An existing method such as SSL can be used as the encryption communication method. Here, in the public key cryptosystem, a public key that can be disclosed to everyone and a private key that must be kept secret by individuals are used as a pair, and data encrypted with the public key must be the same as the private key to be paired. Data cannot be decrypted. Utilizing this property,
By encrypting and passing an encryption key used for encrypted communication with a public key, data can be provided only to authenticated users. The public key of the user guarantees the owner of the key by issuing a digital certificate from a trusted third party.

A specific image for each processing step is shown below. FIG. 3 shows a specific example of the request data creation unit 102. In FIG. 3, a user ID 301 is used as a user attribute, and a desired service list 30 is used as data to be provided.
3, the request data 304 (here, “pump and valve”) is selected. The user's private key is encrypted by a password, and there is a section for inputting the password 302 in order to decrypt this. The decrypted secret key is used to digitally sign the user ID 301 and the request data 304. By pressing a “login” button 305, the user ID 3
01 and a set of request data 304, a digital signature 401 thereof, and a certificate 402 of a public key paired with the private key used for the signature are transmitted to the service providing unit 104, and a request is made to the service providing unit 104 ( Step 202). Since user authentication can be performed by verifying the digital signature 401, the present embodiment uses the digital signature 401 as an authenticator. To cancel, a “cancel” button 306 is pressed.

The basic authentication unit 106 verifies the certificate 402 and obtains a correct public key. The digital signature 401 is checked using the public key to authenticate the user (step 203). If it can be confirmed that the user is a valid user, the basic authentication unit 106 passes the requested data search request to the data storage unit 107 (step 20).
4) Pass the user ID to the policy management unit 109. The data storage searches for the corresponding data in accordance with the passed data request (step 205). In the present embodiment, “pump and valve” is passed as the request data 304, and a file related to the monitor and control screen of the pump and valve is searched. FIG. 5 shows a specific example of the searched file. The data in the file is characterized by tags.

Here, <x> y </ x> is characterized by data y and tag x. A data file of this format is XML (e
There is a standard description language called Xtensible Markup Language). In the case of FIG. 5, the pump tag 501a includes a component that forms the monitoring control screen of the pump and creates a monitoring screen.
atch tag 501b, sta for controlling pump activation
An rt tag 501c and a stop tag 501d for performing pump stop control are controlled. Similarly, the valve tag 501e includes components constituting the monitoring control screen of the valve, and controls a watch tag 501f for creating the monitoring screen, an open tag 501g for controlling the opening of the valve, and a close tag 501h for controlling the closing of the valve. are doing. In this embodiment, a screen configuration program 502 for performing monitoring control is provided as data surrounded by tags 501.

The data file with the tag is passed to the data conversion unit 110 and is used as basic data for constituting data to be presented to the service use unit 101. The data converter 110 reads the tag 501 (step 20).
6) Whether the data with the corresponding tag 501 may be provided to the service using unit 101 or not.
9 (step 207). In the policy management unit 109, the user ID passed from the basic authentication unit 106
301 and the tag 501 passed from the data conversion unit 110
A determination is made as to whether to permit or reject the provision of data (step 208).

FIG. 6 shows a matrix for making this determination. In FIG. 6, the user IDs 301a to 301c and the tag 50
The matrix is composed of 1a to 1h, and permission and denial are expressed by × in the matrix. For example, it is permitted to provide a pump monitoring screen to the user whose user ID 301 is user A, but to refuse to provide a stop control screen. The conditional statement in the matrix describes the condition for permitting information provision. In the condition statement 601a of FIG. 6, the condition for providing the pump monitoring screen to the user whose user ID 301 is user B is "IF
Power = ON ". This indicates that the pump monitoring screen is provided only when the power of the pump is turned on. Similarly, as a condition for providing a pump start screen to a user whose user ID 301 is user A,
In the conditional statement 601b, "IF t> 9:00 and t>1" indicates that the time t is from 9:00 to 17:00.
7:00 ”, and as a condition for providing a pump stop screen to a user whose user ID 301 is user B,
The fact that the rotation speed of the pump is less than 10,000 is described as “IF rotation speed <10000” in the conditional statement 601c.

In FIG. 3, it is assumed that the user with user ID 301 of user B has issued a service use request for "pump and valve", and the tagged data file of FIG. 5 has been searched in response to this request. The data conversion unit 110 forms a converted file 701 in the format of FIG. 7 in cooperation with the policy management unit 109. When the power of the pump is turned on and the number of revolutions of the pump is less than 10000, the presentation of the pump monitoring screen, the pump stop screen, the valve monitoring screen, and the valve closing screen is permitted to user B, and FIG. This is an HTML file which is a data format for providing information on the Web. FIG. 8 shows an image viewed by a Web browser by a service user who has received the data of FIG. On the screen, a pump monitoring screen 801, a pump stop screen 80
2. A valve monitoring screen 803 and a valve closing screen 804 are displayed. On the other hand, when the power of the pump is off and the pump rotation speed is 10000 or less, the provision of the pump monitoring screen 801 and the pump stop screen 802 is rejected. Next, a valve monitoring screen 803 and a valve closing screen 804 are displayed.

Although the case of browsing the monitoring control screen has been described above, the same processing can be performed when browsing a general document. In response to the browsing request for the confidential document, the confidential document 1001 as shown in FIG. 10 is searched from the data storage unit 107 as a tagged data file. Here, the confidential document 1001 is managed by a secret tag 501i, and s1, s2, and s3 tags are defined according to the security level. For example, the s1 tag 501j is a company secret level, the s2 tag 501k is an executive level, and the s3 tag 501L.
Is defined as confidential information at the officer level, and confidential documents 100
1 can be configured. The data conversion unit 110 reconfigures the tagged data and the data that can be provided by inquiring of the policy management unit 109 about permission / denial.

The policy management unit 109 judges permission / denial using the matrix shown in FIG. FIG.
1 is a user whose user ID 301 is user A is an s1 tag 5
User I can view only company secret data with 01i
A user whose D301 is user B can browse other than the officer data with the s3 tag 501L attached, and the user ID 301 is user
The user of C indicates that all data is viewable. Here, the data conversion unit 110 determines that the user ID 301 is
For the user who is user B, the data enclosed by the s3 tag is converted into a “***” mark and cannot be viewed. FIG. 12 shows an example of the converted HTML file.
The HTML file provided from the data conversion unit 110 is transferred to the application execution unit 103 of the service user by the above-described encryption communication in step 210.

FIG. 13 shows an example of this screen display. Even if a third party eavesdrops on data flowing on the network,
If there is no secret key for decrypting the encryption key used for the encryption communication, it is possible to prevent the screen of FIG. 10 from being displayed.

This embodiment is characterized in that the information to be provided changes when the user changes or the state of the use system changes, thereby realizing confidentiality protection and privacy protection.

Next, a method in which the service use unit 101 safely operates the use system 111 will be described with reference to FIG.
This will be described using the processing flow of No. 4. As an example, consider a case where a pump stop command is transmitted to the service providing unit 104 by pressing the pump stop button 805 in FIG.

When the pump stop button 805 is pressed,
The application executing unit 103 creates a set of a value and a command synchronized by the service providing unit 104 and the service using unit 101 as one data (step 1401). The synchronized data may be a time or a counter.

As shown in FIG. 15, the command 1501 is:
Tagged data. Command is comm
indicated by an and tag 501m and a target tag 501
n is the destination of the command, pump tags 501a and s
The top tag 501c indicates a command to stop the pump. "Ad% f38wh! F74"
A control signal 1502 to be actually transmitted to the usage system 111, which is a special value depending on the usage system 111.

Next, command 1 as data with a tag
501 is encrypted together with the user ID 301 and the counter 1503 using a randomly generated encryption key (step 1402) to form encrypted data 1504. The encryption key is encrypted with the public key of the service providing unit (step 1).
403). The encrypted data 1504 and the encrypted encryption key 1505 are signed with the secret key of the service using unit 101 (step 1404). Application execution unit 1
03, the encrypted data 1504, the encrypted encryption key 1
A set 505, signature data 1506, and an electronic certificate 1507 for verifying the signature are sent to the basic authentication unit 106 (step 1405).

In the basic authentication unit 106, the electronic certificate 150
7 to obtain the user's public key (step 140
6), the signature data 1503 is verified with the public key (step 1407). The basic authentication unit 106 is the service providing unit 10
Then, the encrypted encryption key 1505 is decrypted using the secret key of No. 4 to obtain an encryption key (step 1408). The encrypted data 1504 is decrypted using this encryption key,
03 and a command 1501 are obtained (step 1409).
The basic authentication unit 106 inquires the counter 1503 to the usage history management unit 105 and checks whether the counter has already been received (step 1410). If received, the command 1501 is rejected (step 1411),
If not received, the counter 1503 of the user registered in the use history management unit 105 is updated to the latest one (step 1412), and the command 1501 is passed to the command analysis unit (step 1413). For example, when the user counter 1503 stored in the application execution unit 103 is n, the value of the counter 1503 is attached as n + 1. If the transmitted counter 1503 is equal to or smaller than n, it is determined that the transmission data has already been received and rejected. The transmitted counter 1503 is n +
If it is 1, the command 1501 is authenticated, and the registration value of the usage history management unit 105 is updated to n + 1. New counter 1
503 is encrypted with the user's public key and returned to the service using unit 101 (step 1414). In the application execution unit 103, the encrypted counter 150
3 is displayed, a delivery confirmation screen is displayed (step 1).
415), the counter 1503 is decrypted with the user's secret key and stored for the next command transmission (step 1416).

In the present embodiment, the service using unit 101
It is characterized in that the same command is prevented from being received a plurality of times by using a value synchronized with the service providing unit 104. In the case of a system using the Internet, there is an unauthorized access technique called a retransmission attack in which data sniffed in the middle of the network is transmitted as it is, and this is prevented.

Further, even if the button is pressed several times by mistake, the same command is not received plural times.
Erroneous operation can be prevented. Also, it can be confirmed that the transmitted command has been reliably transmitted to the use system 111.

FIG. 16 shows a processing flow in the command analysis unit 108. The command analysis unit 108 outputs the command 1
The tag 501 of the tag 501 is analyzed (step 1601), and the policy management unit 109 is inquired about permission to use the tag 501 (step 1602). In the policy management unit 109, the user ID 301, the tag 501, and the usage system 1
The permission / denial is determined based on the state of No. 11 (step 1603). In the case of rejection, the user is notified of rejection (step 1604), and in the case of permission, a control signal 1502 enclosed by a tag is transmitted to the use system 111 (step 1605).

In the present embodiment, by transmitting the control signal 1502 surrounded by the tag 501, the data format is different for each device to be controlled (for example, a pump) (for example, company A is the X system, company B is the Y system). Method, etc.) is characterized in that access control can be performed by the same method if the control target itself is the same.

[0039]

As described above, according to the present invention, confidentiality protection and privacy protection can be realized by changing the provided content itself depending on the state of the user and the use system. Also, retransmission attacks and erroneous operations can be prevented. Further, even when the data format is different for each device to be controlled, access control can be applied by the same method by characterizing the control target with the same tag.

[Brief description of the drawings]

FIG. 1 is an overall configuration diagram of a service providing system to which the present invention is applied.

FIG. 2 is a flowchart showing a procedure of a process of providing information to a service user to which the present invention is applied.

FIG. 3 is an example of an initial screen provided by a service using unit to a user.

FIG. 4 is a diagram showing a data set created by a request data creation unit.

FIG. 5 is a diagram showing a format of plant monitoring control screen data stored in a data storage unit.

FIG. 6 is a diagram illustrating a matrix describing a rule for determining whether to permit or reject service provision managed by the policy management unit.

FIG. 7 is a diagram showing a format of plant monitoring control screen data converted by a data conversion unit.

FIG. 8 is an example of a screen displaying plant monitoring control screen data passed from a data conversion unit.

FIG. 9 is an example of a screen displaying data passed from a data conversion unit when a restriction is imposed on the policy management unit.

FIG. 10 is a diagram showing a format of confidential data stored in a data storage unit.

FIG. 11 is a diagram showing a matrix describing a rule for determining which user is permitted or rejected confidential information.

FIG. 12 is a diagram showing a format of confidential data converted by a data conversion unit.

FIG. 13 is an example of a screen displaying confidential data passed from a data conversion unit.

FIG. 14 is a flowchart illustrating a procedure of a process of transmitting a command from the service using unit to the service providing unit.

FIG. 15 is a schematic diagram of a data set sent from the service using unit to the service providing unit.

FIG. 16 is a flowchart illustrating a procedure of processing in a command analysis unit.

[Explanation of symbols]

301: User ID, 302: Password, 304: Request data, 305: Login button, 306: Cancel button, 501: Tag, 502: Screen configuration program, 601: Conditional statement, 701: Converted file, 8
01: Pump monitoring screen, 802: Pump stop screen, 80
3: Valve monitoring screen, 804: Valve closing screen, 805 ...
Pump stop button, 1501 command, 1502 control signal, 1503 counter, 1504 encrypted data

──────────────────────────────────────────────────続 き Continued on the front page (51) Int. Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) G09C 1/00 640 G09C 1/00 640B H04L 9/08 H04L 9/00 601C 9/32 673A (72) Invention Person Teruji Sekozawa 1099 Ozenji Temple, Aso-ku, Kawasaki City, Kanagawa Prefecture Inside System Development Laboratory, Hitachi, Ltd. (72) Inventor Ken Miyao 5-2-1 Omika-cho, Hitachi City, Ibaraki Prefecture Information Control System Business, Hitachi, Ltd. Part F term (reference) 5B075 KK54 KK63 PQ02 5B085 AE06 AE23 BE07 5J104 AA07 AA09 AA16 EA05 EA06 EA19 KA01 LA03 LA06 MA02 NA02 NA05

Claims (4)

[Claims] 1. A service providing system for executing information processing for providing a predetermined service to a user, comprising: means for storing service information for providing the service; and requesting the service content. Request information including request information to be performed, a user attribute indicating characteristics of the user, and request data including an authenticator for authenticating the user; and a unit for authenticating the user based on the user attribute and the authenticator. Means for determining whether or not the user can access information included in the service information based on the result of the authentication; and means for searching service information corresponding to the request information from the accessible service information. Means for converting the retrieved service information so as to adapt to the determined access permission / prohibition; and Means for presenting service information. 2. The service providing system according to claim 1, wherein said receiving means receives the second and subsequent request data when a plurality of the same request data have been input. A service providing system characterized by deterrence. 3. The service providing system according to claim 2, wherein the accepting unit is configured to, when a plurality of the same contents of the request data are input, confirm that the user inputs a plurality of the same data. Receiving the request data input from the second time onward, the service providing system. 4. The service providing system according to claim 3, wherein the accepting unit is configured to provide a plurality of inputs to the user when a plurality of the same request data are input. A service providing system for presenting information indicating the following. The service providing system according to claim 1, further comprising a function of restricting the data attribute that can be used.