JP2002312244A - Remote access control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a remote access control system with high security ability. SOLUTION: In the remote access control system provided with a server device for transferring a transportable program code to a communication terminal through a network, the transportable program code has a communication function section which displays a communication function being an original purpose. The communication terminal is provided with at least a memory means for storing the transportable program code and a memory control means for deleting the stored contents of the memory means according to the indications output from the server device when the communication function section functions. The communication function section includes communications with the server device in its original purpose.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a remote access control system. is there.

[0002]

2. Description of the Related Art Documents related to conventional mobile devices include the following document 1.

Document 1: Japanese Unexamined Patent Application Publication No. 10-149310 In the system and method for cache management in a mobile user file system described in Document 1, an algorithm and system for cache management related to a file system cache in a file management system. Is disclosed.

[0004]

However, the above document 1
Does not address cache security in a mobile environment.

Mobile devices have the advantage of being extremely easy to use because of their portability and compactness. However, they are superior in portability and compactness.
It also means that the risk of loss or theft is high. As an example, the size of the body of the mobile phone is about 130 mm long,
Since it has a width of about 40 mm and a thickness of about 20 mm, it is excellent in portability, but has a high risk of loss or theft.

[0006] Highly confidential information (customer information and personal information) is stored in the mobile device, or a database inside a firewall (a large number of confidential information is stored in this database). In many cases, a communication program or the like that can access the Internet is stored, so that once lost and misused, enormous damage may occur.

[0007] For example, when customer information or the like stored in the lost mobile device is displayed on the display screen of the lost mobile device, the customer information is leaked, and the contents of the database are reduced using a communication program. When transferred to the mobile device and displayed on the screen, a large amount of confidential information stored in the database is leaked.

[0008] Even if the display from the display screen can be prevented, if confidential information or a communication program remains in a storage means such as a hard disk, it may be read and misused by some method. In order to ensure security, it is necessary to completely delete such confidential information and communication programs in the event of loss or theft, but conventional mobile devices do not have such functions. I wasn't equipped.

[0009]

In order to solve the above problems, in a remote access control system including a server device for transferring a portable program code to a communication terminal via a network, (1) the portable program code is (2) the communication terminal has a storage unit for storing at least the portable program code, and (3) when the communication function unit is functioning. Storage management means for deleting the storage content of the storage means in response to an instruction provided from the server device, and (4) the communication function unit performs communication with the server device within its original purpose. It is characterized by including.

[0010]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS (A) Embodiment Hereinafter, an embodiment will be described with an example in which a remote access control system according to the present invention is applied to a mobile communication system.

In mobile devices, under various conditions unique to mobile devices, such as low CPU power and a small storage area, the resources are effectively utilized and various network systems (customer management system, inventory management system, schedule system, etc.) are used. ) Is required to operate.

(A-1) Configuration of the Embodiment FIG. 1 shows a configuration example of a main part of the mobile communication system 20 of the present embodiment.

In FIG. 1, a mobile communication system 20 includes a wide area network 21 and an intranet 22.
And a mobile network 23.

A large number of mobile devices (for example, one) are accommodated in the mobile network 23. As specific examples of the mobile device, a mobile phone, a PHS terminal, a notebook computer terminal, a PDA terminal, or the like can be used.

The mobile device 1 is usually carried and used by an authorized user (eg, a salesperson) U1.

As shown in FIG. 1, a configuration example of a main part of the mobile device 1 includes a program starting unit 8, a cache managing unit 9, and a cache 10.

The cache 10 is, for example, a hard disk, and is storage means capable of semi-permanently storing stored contents.

The cache 10 is not limited to a magnetic storage device such as a hard disk, but may be any device that can maintain the stored contents even when the user U1 turns off the power of the mobile device 1. (Flash memory: ElectricalErasable Programmable R
OM) or a writable ROM (read only memory).

If necessary, the cache 10
Can be configured by a RAM (random access memory).

In the state shown in FIG.
In one area, a program PR1 having a communication function is stored, and in another area, data DT1 is stored.

Here, the program PR1 is, for example, Ja
network such as va (registered trademark)
The data is transferred from above and stored in the cache 10. Since the data is transferred over the network, if the time required to download all the codes is too long, not only is it not easy to use, but also the possibility that the code will not fit within the storage capacity of the cache 10 comes out. Therefore, it is preferable that the size of the program PR1 is not so large.

Further, in order to prevent intrusion of a computer virus or the like, the program PR1 is executed by Java.
It is desirable to take a form such as (registered trademark) which is transferred on a network in an intermediate code state and interpreted and executed after being received by the mobile device 1.

In this sense, the program PR1 is an executable code on the cache 10, but is in an intermediate code state on the server 2 or on the network.

The main function of the program PR1 may be any one of customer management, inventory management, schedule management, and the like.

Since the size of the program PR1 is small, the main function of the program PR1 is usually limited to one. Here, as an example, the program P
R1 is a program for customer management, another program PR2 is a program for inventory management, and another program PR3 is a program for schedule management.

Since the storage capacity of the cache 10 is small, many programs (P
R1 to PR3) in the cache 10 at the same time. Therefore, basically, whenever the user U1 wants to use any program, the user U1 deletes the unused program from the cache 10 and writes the program to be downloaded to the storage area vacated by the deletion. become.

The mobile device 1 executes the program PR1 (and the data D) from such a delete operation performed by the user U1.
It does not have a function to protect T1). Therefore, the program PR1 (and the data DT1) is physically completely deleted from the cache 10 by the deletion operation.

The data DT1 may be stored together with the program (PR1 or the like) or may be stored in the program (PR1).
, Etc.), the data has been downloaded from the server 2 (database 6).

The data DT1 includes data newly written or changed in response to the operation of the user U1 when executing the customer management corresponding to the program PR1. The data newly written or changed on the mobile device 1 side can be reflected in the contents of the data stored in the database 6 by the original function (function for customer management) of the program PR1.

In the present embodiment, a malicious user UX attempting to abuse the mobile device 1 when the authorized user U1 is lost cannot use both the program (eg, PR1) and the data DT1. Is to do so.

The data DT1 is confidential information such as customer information, and should not be known to unauthorized third parties without notice.
Is used in a state where it is mounted on the mobile device 1, it becomes possible to access confidential information stored in the database 6 or the like, so that it is also used by unauthorized third parties. It must not be.

The cache management unit 9 that manages the cache 10 functions when reading or writing to the cache 10 or the like. Therefore, the downloaded program (for example, PR1) and data (for example, D
When writing (T1) to the cache 10, or when newly writing or changing data (for example, DT1) in response to an operation of the user U1, the cache management unit 9 functions. Become.

Further, malicious user UX for confidential information
When a program (for example, PR1) or data (DT1) is deleted based on an instruction from the server 2 or the like in order to prohibit access from the server 2, the function to execute the deletion is provided in the program activation unit 8. I have. The deletion is realized, for example, by writing a predetermined bit pattern indicating invalidity to a corresponding storage area.

The deletion of a program (eg, PR1) or data (DT1) by the program starting unit 8 is not only performed dynamically based on a deletion instruction from the server 2, but also based on a preset valid time. Executed statically.

The valid time includes, for example, NOW, ON
E TIME, several days, no time limit, etc.

Here, NOW indicates that the data is deleted immediately after the valid time data is supplied, and ONE TIME indicates that the data is to be deleted.
After the valid time data is supplied, the network system is deleted once after using the network system once on the mobile device 1. Several days indicate that the data is deleted several days after the valid time is supplied. This indicates that no deletion period is set at the time of supply of valid time data.

In addition, in NOW, ONE TIME, and several days, there are two types: deletion of only data (for example, DT1) and deletion of both data and programs (for example, DT1 and PR1).
There is a street. If necessary, you can delete only the program, but it is usually pointless to store only the data to be processed even though there is no main program to process. Here, it is assumed that only the program is not deleted.

The valid time data is basically stored in a client-side program (eg, PR1), downloaded, and read by the cache management unit 9. Only the valid time data can be transmitted to the cache management unit 9 alone. Valid time data stored and downloaded in the client-side program and the server 2
If the valid time data transmitted independently from the client indicates a different valid time, the valid time data transmitted alone is used preferentially, and the valid time data stored and downloaded in the client-side program is ignored. You.

Thus, the server 2 can dynamically change each of the effective times statically given in advance at any time.

The transmission of the valid time data from the server 2 alone is a deletion instruction from the server 2 described above.

The function of deleting data (for example, DT1) may be provided not in the cache management unit 9 but in a program (for example, PR1), but generally, the program PR1 deletes PR1 itself. Since it is impossible, the program starting unit 8 needs to have at least a function of deleting a program (for example, PR1).

Further, the program starting unit 8 stores the content (tag) of the HTML file mounted on the server 2 side.
And a browsing function of displaying a list of programs installed in the server 2 on a display screen of the display unit of the mobile device 1 by using the service management function of Jini. User U1
Can visually select the desired program (for example, the customer management program PR1) from the program list while viewing the program list.

Such a program starting unit 8 can be realized by, for example, a Web browser.

On the other hand, the server 2 is connected to the intranet 2
2, the installation location is a segment in the intranet 22 (portion separated by a router) or a public segment (demilitarized zone) not protected by a firewall. The server 2 has a function of communicating with the program (for example, PR1) downloaded by the mobile device 1.

An example of the configuration of the main part of the server 2 is as shown in FIG.

That is, the server 2 has a program management unit 4
And a program delivery management unit 7, which is connected to the database 6 arranged in the intranet 22.
Among them, the program management unit 4 transfers the programs PR1 to PRN (where N is 3) which are transferred to the client (that is, the mobile device 1) and executed on the client side.
(The above natural numbers).

Also, the program delivery management section 7
(HyperText Transfer Protocol) protocol and the like, which is provided with a protocol for delivering the programs (PR1 to PR3, etc.) to the mobile device 1.

In the server 2, server-side programs SR1 to SRN corresponding to the programs PR1 to PRN delivered to the client side are mounted.

Client-side programs PR1 to PRN
Configures various network systems (customer management system, inventory management system, schedule system, etc.) in pairs with the corresponding server-side programs SR1 to SRN.

For example, the program PR1 and the program S
R1 constitutes the customer management system, and the program P
The inventory management system is configured by R2 and the program SR2, and the schedule management system is configured by the program PR3 and the program SR3.

Although a certain degree of processing (for example, customer management) is possible only with the function of the mobile device 1, basically,
To realize the functions of the network system (for example, customer management), the corresponding client-side program and server-side program (for example, program PR1 and program S)
R1) will communicate. Therefore, the program PR2 and the program SR21 communicate with each other to perform inventory management, and the program PR3 and the program SR3 communicate with each other to perform schedule management.

The communication between the client-side program (for example, PR1) and the server-side program (for example, SR1) is performed by the mobile network 23 and the wide area network 2.
1, and via the intranet 22.

Here, the customer management system means that customer data is centrally managed on the server 2 (database 6), and information obtained by a sales representative (for example, the user U1) from the customer is stored in a client program (here, PR1). ) Is a system for inputting data into the database 6 using the following method. The same applies to the inventory management system and the schedule management system.

The wide area network 21 may be, for example, the Internet.

The database 6 stores customer information used by the customer management system, inventory information used by the inventory management system, schedule information used by the schedule management system, and the like. All of these customer information, stock information, and schedule information are confidential information accumulated by the company that manages and operates the intranet 22.

The operation of the present embodiment having the above configuration will be described below.

(A-2) Operation of the Embodiment FIG. 2 shows an operation sequence focusing on cache management from downloading a program to using a network system. The operation sequence includes steps S1 to S5.

In FIG. 2, a legitimate user U 1 of the mobile device 1 activates the program activation unit 8 of the mobile device 1 in order to use, for example, the customer management system as a network system. At this time, the URL (Uniform
Resource Locator) (S1)
First, a predetermined top page is read into the program starting unit 8 from the HTML file stored in the server 2 or using the service management function of Jini (S2), and the top page is read by the (program starting unit 8).
Is displayed on the display unit of the mobile device 1).

Next, in the mobile device 1, a list of programs displayed on the screen by the user U1 operating the tag on the top page (or a list of programs already displayed on the top page) is displayed. Is stored in the cache 10 (S3).

Thereafter, unless it is particularly necessary to obtain the latest program list, the list is obtained not from the server 2 but from the cache 10.

The list of programs stored in the cache 10 and displayed on the screen of the display unit of the mobile device 1 includes, for example, each network such as a “customer management program”, an “inventory management program”, and a “schedule management program”. Contains a tag indicating the system.

Here, since the user U1 wants to execute the customer management system, the user U1 selects and operates the tag of the "customer management program". Thereby, on the server 2 side, the program PR on the server 2 associated with the tag is
1 is selected by the program delivery management unit 7 and delivered over the network 21 (S4), and stored in the cache 10 via the cache management unit 9 (S4).
5).

When all the codes of the program PR1 are stored in the cache 10 and the download of the program PR1 is completed, the user U1 can use the mobile device 1 to use the network system (here, the customer management system).

As a specific method of downloading the client program PR1 of the customer management system to the mobile device 1 by the user (for example, a salesperson) U1, the user U1 is connected to a LAN (local area network) in the intranet 22. May be downloaded from the server 2, or may be downloaded from the server 2 by connecting to the intranet 22 by dial-up connection with a PHS terminal or the like at a destination.

After the download, the dial-up connection is cut off, the customer management system is used using only the mobile device 1, and customer information is input to the database 6 as needed.

The downloaded program PR
1 may include valid time data indicating valid time such as the above-mentioned ONE TIME, several days, and no time limit.

Since customer information is important data that must not be leaked, here, for example, the effective time is set to ONE T
IME. It is assumed that the data to be deleted is set to only data.

At any time during the period until the cache management unit 9 deletes the program PR1 in the cache 10 based on the valid time data and the valid time data transmitted independently from the server 2, the customer management system is activated. It can be used by the user U1.

The program PR1 on the client side
When the user U1 uses the customer management system configured by the server-side program SR1, the programs PR1 and SR1 communicate with each other in accordance with the operation of the mobile device 1 by the user U1. The program starting unit 8 is a client program P of the customer management system.
When R1 is activated, this communication automatically starts with the server 2.

When necessary for this communication, the program SR1 accesses the database 6 and transmits data such as customer information stored in the database 6 to the program PR1 in the mobile device 1, and transmits this data. The received program PR1 stores the data in the cache 10 as data DT1.

On the other hand, in this communication, when the data DT1 is changed or newly added in accordance with the operation of the mobile device 1 by the user U1, the program PR1 in the cache 10 relates to the change or addition. The information is transmitted to the program SR1 on the server 2 side, and the program SR1 may change the content of the corresponding data stored in the database 6 based on the information. Thereby, for example, customer information in the database 6 is updated to the latest contents.

Assuming that the user U1 is a salesperson, the salesperson U1 can update the customer information and the like from the place where he is.
The time from when the salesperson knows the new information to when the information is reflected in the database 6 is shorter than before.

Here, the designation of the effective time is the same as that of the ONE
Because it is TIME, the sales representative U1 adds or changes the customer data DT1, and finally inputs customer information to reflect the result of the addition or change in the database 6, and completes the upload of the data DT1. Then, the cache management unit 9 deletes the data DT1 from the cache 10 based on the valid time ONE TIME.

By the way, in the past, since the salesperson U1 who returned to the company always used the client system (stationary personal computer) to input the information, the security for important customer information is not secured on the intranet 22.
And company premises.

On the other hand, in this embodiment, the salesperson U
No. 1 enters customer information using the mobile device 1 on the go without returning to the company. This is a great advantage of the present embodiment in that the contents of the database 6 can be updated immediately and customer management or the like can always be performed based on the latest information.
With the risk of theft or loss.

As a countermeasure for this, the following FIGS.
Is valid.

The operation sequence of FIG. 3 shows an operation sequence when the valid time is dynamically changed, taking the case of a customer management system as an example. The operation sequence is
It is composed of steps S11 to S13.

In FIG. 3, for the customer management and the like,
When the program PR1 written in the cache 10 is transmitted to the program SR1 on the server 2 side (S11), and a single valid time data is sent from the server 2 to the program PR1 as a reply (S12), the program PR1 is sent. Transmits the received valid time data to the cache management unit 9 (S13).

Here, the static effective time given when the program PR1 is first downloaded to the mobile device 1 is, for example, three days, and one day has already passed since the present download. In this case, the remaining valid time is two days,
If the single valid time data transmitted from the server 2 in step 12 indicates, for example, the NOW, the valid time data is received by the program PR1 and the cache management unit 9
(S13), the cache management unit 9 immediately deletes the program PR1.

Since the deletion needs to be processed with the highest priority, for example, even during the execution of the program PR1, the cache management unit 9 manages the validity time of the program PR1. The program PR1 is forcibly terminated and the deletion is executed.

The cache management unit 9 controls the cache 1
When the program PR1 is deleted from the inside of 0, the customer management system cannot be used using the mobile device 1 thereafter. Such a sudden deletion may result in the user U1 losing authority to use the customer management system when a legitimate user U1 reports that the mobile device 1 has been lost or when unauthorized use is detected. In some cases, for example, it can be performed by the server 2.

It should be noted that the detection of unauthorized use is performed by the authorized user U.
The server 2 can detect unauthorized use by checking the access record from the mobile device 1 even if there is no notification from the server 2. For example, this is the case where access to data for which access authority is not granted is attempted many times.

Also, for example, a case where the result of the user authentication is negative can be handled as unauthorized use.

Note that the user authentication may be verified on the server 2 side, but the mobile device 1 itself may be equipped with all or a part of the verification function.

For example, in a case where the input of a predetermined password or user ID is required before the use of the network system, the input of the password or the user ID is continuously performed a predetermined number of times (for example, about three times). If not, it is determined to be unauthorized use and the mobile device 1
The program PR in the cache 10 is determined only by
1 may be deleted.

When counting the number of times that the password or the user ID has not been correctly input, for example, even when the power of the mobile device 1 is turned off and the operation of the program starting unit 8 is ended, the number of times is counted. It is necessary to be able to maintain the count value without resetting.

When deleting a program (for example, PR1) stored in the cache 10 as described above,
As shown in FIG. 4, for example, the server 2 that has detected unauthorized use
The program starting unit 8 which receives the valid time data indicating the NOW from the side, detects unauthorized use by its own verification function, or detects the elapse of the valid time (for example, ONE TIME), An instruction to delete the (program PR1) and data DT1 is issued (S21), and the cache management unit 9 having received the instruction executes the deletion.

Thus, for example, if the effective time of the client-side program (for example, PR1) of the network system that handles important data is set to ONE TIME, a highly reliable mobile device 1 can be obtained when the mobile device 1 is stolen or lost. By executing access control, it is possible to reliably prevent data leakage and unauthorized use of network systems.

Even when the valid time is set to be long, the cache management unit 9 automatically operates immediately after the valid time elapses to delete the programs and data in the cache 10, and before the valid time elapses. Even if there is any unauthorized use due to authentication failure, the mobile device 1
Since the cache management unit 9 executes the deletion based on an independent judgment or an instruction from the server 2, it is possible to reliably prevent data leakage and unauthorized use of the network system.

Further, even when the authentication function fails to give a negative authentication result to a malicious user, it is possible to obtain NOW as independent valid time data based on detection of the above-mentioned unauthorized use other than authentication. It is possible to send
Unauthorized use can be reliably prevented.

It is preferable to include not only data but also a program from the viewpoint of security from the viewpoint of security. However, if the program is deleted, the program must be downloaded again the next time the network system is used. It is necessary to start, and the efficiency is reduced. Therefore, it is better to adaptively determine according to the situation.

(A-3) Effects of the Embodiment As described above, according to the present embodiment, robust security can be realized even under the conditions with many restrictions specific to mobile devices, and the reliability of access control can be improved. It is possible to increase.

(B) Other Embodiments In the above embodiment, a mobile device has been described as an example, but the scope of the present invention is not necessarily limited to a mobile device.

For example, the present invention can be applied to non-mobile devices (stationary devices) such as desktop personal computers.

In the case of a non-mobile device, the storage capacity of the cache is not small as in the case of a mobile device, but the application of the present invention is effective depending on the installation environment and the like.

For example, when the non-mobile device is a personal computer installed in the home of the user U1, the communication security system is more vulnerable than a computer terminal in an intranet protected by a firewall. Since the risk of leaking confidential information due to misuse of mechanisms such as telnet and so-called Trojan horses is not small, it is effective to apply the present invention to improve security.

The client-side program in the above embodiment may be realized by Java (registered trademark), but may be realized by a portable programming language on a network other than Java (registered trademark). .

Further, each function of the server 2 in the above embodiment need not necessarily be mounted in the same server. For example, the program delivery management unit 7 and the program management unit 4 may be mounted on separate servers.

[0099]

As described above, according to the present invention, a remote access control system having excellent security and high reliability can be provided.

[Brief description of the drawings]

FIG. 1 is a schematic diagram illustrating a configuration example of a main part of a mobile communication system according to an embodiment.

FIG. 2 is an operation explanatory diagram of the embodiment.

FIG. 3 is an operation explanatory diagram of the embodiment.

FIG. 4 is an operation explanatory diagram of the embodiment.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 ... Mobile device, 2 ... Server, 4 ... Program management part, 7 ... Program delivery management part, 8 ... Program starting part, 9 ... Cache management part, 10 ... Cache, 20 ...
Mobile communication system, 21 ... wide area network, 22
… Intranet, 23… Mobile network, PR
1 to PRN: Client side program, SR1 to SR
N: Server-side program.

Claims (5)

[Claims] 1. A remote access control system including a server device for transferring a portable program code to a communication terminal via a network, wherein the portable program code includes a communication function unit for performing a communication function which is an original purpose. The communication terminal comprises: a storage unit for storing at least the portable program code; and a storage for deleting storage contents of the storage unit in response to an instruction provided from the server device when the communication function unit functions. A remote access control system, characterized in that the communication function unit includes communication with the server device in its original purpose. 2. The remote access control system according to claim 1, wherein the storage unit stores processing data processed by a communication function unit of the portable program code in addition to the portable program code. Remote access control system characterized by comprising a part. 3. The remote access control system according to claim 2, wherein the portable program code has a security function unit in addition to the communication function unit that exhibits a communication function that is an original purpose. Wherein the processing unit deletes the processing data stored in the storage unit in response to an instruction provided from the server device when the communication function unit functions. 4. The remote access control system according to claim 1, wherein said communication terminal exists in a low security environment having lower security than said server device. 5. The remote access control system according to claim 1, wherein said communication terminal is a portable communication terminal.