JP2004260803A - Radio ad hoc communication system, terminal, attribute certificate issue proposing and requesting method at terminal, and program for implementation thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To autonomously carry out the issue of an attribute certificate in a distributed radio ad hoc communication system. <P>SOLUTION: A terminal B200 transmits a beacon 2011 to log on a network of a radio ad hoc communication system. In the beacon 2011, whether the terminal B200 has an attribute certificate or not is indicated. A terminal A100 which has received the beacon 2011 checks the beacon. When it is determined that the terminal B200 does not have the attribute certificate, the terminal A100 transmits an attribute certificate issue proposing message 1032 to the terminal B200 for requesting the issue of an attribute certificate. In response to this, the terminal B200 transmits an attribute certificate issue requesting message 2041. Then, the terminal A100 transmits an attribute certificate issuing message 1052 to the terminal B200. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

The present invention relates to a wireless ad hoc communication system, and in particular, a wireless ad hoc communication system that authenticates access authority to a network using a terminal authority authentication certificate, a terminal in the system, a processing method in these, and a computer (terminal) ) Related to the program to be executed.

  As electronic devices have become smaller and higher in performance and can be easily carried and used, an environment that enables communication by connecting a terminal to a network when needed is required. Yes. As one of them, the development of a network that is temporarily constructed as necessary, that is, a wireless ad hoc network technology is underway. In this wireless ad hoc network, each terminal (for example, a computer, a personal digital assistant (PDA), a mobile phone, etc.) is autonomously distributed and connected to each other without providing a specific access point.

  Generally, authority management using a terminal authority authentication certificate is performed in order to prevent a device that does not have authority to connect to a certain network resource from accessing. As an example of this terminal authority authentication certificate, an attribute certificate is X.M. 509 Newly defined in version 3 and a standardized process specification (Standard Track RFC (Request For Comments)) from April 2002, the profile (definition of contents of data field included in attribute certificate) has been compiled. . By using the attribute certificate as an access permit to the network resource, the authority to connect to the network resource can be confirmed, and the connection can be permitted only to the terminal having the connection qualification. In this specification, an attribute certificate is described as an example of a terminal authority authentication certificate. For example, a terminal authority is described in an XML language or the like, and the authority authority creates and signs it. Even if it is, it can function as a terminal authority authentication certificate in the present invention.

In a conventional communication system, data used for authentication is centrally managed by a specific device on the network. For example, a technique is proposed in which one public key management device is shared by a plurality of wireless communication switching systems, and when a mobile terminal moves to a service area of a certain wireless communication switching system, the public key management device requests the public key of the mobile terminal (For example, refer to Patent Document 1).
JP-A-10-112883 (FIG. 1)

  In a conventional communication system, data used for authentication is centrally managed. However, in a wireless ad hoc communication system, a terminal always moves, and a terminal constituting a network differs depending on the time. It does not always exist. In addition, due to the nature of the wireless medium, a communication path to a device that performs such centralized management is not always ensured, and thus is not suitable for centralized management.

  Accordingly, an object of the present invention is to autonomously distribute terminal authority authentication certificates in a wireless ad hoc communication system. In particular, the present invention is useful in a wireless network in which all wireless terminals constituting the network transmit management information (for example, beacons and the like).

  In order to solve the above-mentioned problem, a wireless ad hoc communication system according to claim 1 of the present invention is a wireless ad hoc communication system configured by a plurality of terminals, and includes beacon information indicating that a terminal authority authentication certificate is not provided. And a second terminal that proposes to the first terminal to make a terminal authority authentication certificate issuance request in response to the signal. This brings about the effect that the terminal authority authentication certificate issuance process is expanded with the second terminal using the signal from the first terminal as a trigger.

  According to a second aspect of the present invention, there is provided a terminal authority authentication certificate when receiving means for receiving a signal containing beacon information and when the receiving means receives a signal containing predetermined beacon information from another terminal. Terminal authority authentication certificate issuance proposing means for proposing to the other terminal to issue an issuance request. This brings about the effect that the terminal authority authentication certificate issuance process is expanded by using a signal including beacon information as a trigger.

  The terminal according to claim 3 of the present invention is the terminal according to claim 2, further comprising means for acquiring terminal identification information of the other terminal from the signal from the other terminal received by the receiving means. And the terminal authority authentication certificate issuance proposing means makes the proposal based on the terminal identification information. This brings about the effect that the terminal authority authentication certificate issuance request is confirmed after the terminal to be proposed is confirmed.

  The terminal according to claim 4 of the present invention is the terminal according to claim 2, wherein the terminal authority authentication certificate issuance proposing means proposes the terminal authority authentication certificate issuance request to the other terminal. And presents the public key certificate of the terminal together. This brings about the effect that the identity of the terminal that has proposed the terminal authority authentication certificate issuance request is confirmed by the transmitting terminal of the signal including the beacon information.

  Further, the terminal according to claim 5 of the present invention has a receiving means for receiving a signal including beacon information, and when the receiving means receives a signal including predetermined beacon information from another terminal, the terminal is in possession of the other terminal. A terminal authority authentication certificate issuance proposing means that issues a terminal authority authentication certificate and proposes it to the other terminals. This brings about the effect that the terminal authority authentication certificate is issued prior to the terminal authority authentication certificate issuance request using a signal including beacon information as a trigger.

  The terminal according to claim 6 of the present invention is the terminal according to claim 5, further comprising means for acquiring terminal identification information of the other terminal from the signal from the other terminal received by the receiving means. And the terminal authority authentication certificate issuance proposing means makes the proposal based on the terminal identification information. As a result, the terminal authority authentication certificate is received after the terminal authority certificate issuance request is confirmed.

  According to a seventh aspect of the present invention, in the terminal according to the fifth aspect, the terminal authority authentication certificate issuance proposing means proposes the terminal authority authentication certificate issuance request to the other terminal. At the same time, the public key certificate of the terminal is also presented. This brings about the effect that the identity of the terminal that has proposed the terminal authority authentication certificate issuance is confirmed by the transmitting terminal of the signal including the beacon information.

  In addition, the terminal according to claim 8 of the present invention includes a receiving unit for receiving a signal including beacon information, and when the receiving unit receives a signal including beacon information from another terminal, If the signal does not indicate that the terminal authority authentication certificate is present, terminal authority authentication certificate issuance proposing means for proposing to the other terminal to make a request for issuing the terminal authority authentication certificate is provided. Thereby, when the transmitting terminal of the signal including the beacon information does not have the terminal authority authentication certificate, the terminal authority authentication certificate issuance process is expanded using the signal as a trigger.

  The terminal according to claim 9 of the present invention is the terminal according to claim 8, further comprising means for acquiring terminal identification information of the other terminal from the signal from the other terminal received by the receiving means. The terminal authority authentication certificate issuance proposing means is configured to make the proposal based on the terminal identification information. This brings about the effect that the terminal authority authentication certificate issuance request is confirmed after the terminal to be proposed is confirmed.

  According to a tenth aspect of the present invention, in the terminal according to the eighth aspect, the terminal authority authentication certificate issuance proposing means proposes the terminal authority authentication certificate issuance request to the other terminal. At the same time, the public key certificate of the terminal is also presented. This brings about the effect that the identity of the terminal that has proposed the terminal authority authentication certificate issuance request is confirmed by the transmitting terminal of the signal including the beacon information.

  A terminal according to claim 11 of the present invention is a terminal authority authentication certificate issuance request receiving means for receiving a terminal authority authentication certificate issuance request in the terminal according to claim 10, and the terminal authority authentication certificate. When the issuance request receiving means receives a terminal authority authentication certificate issuance request from the other terminal, a confirmation means for displaying information related to the other terminal and prompting confirmation, and when the confirmation is made, to the other terminal A terminal authority authentication certificate issuance means for issuing a terminal authority authentication certificate to the other terminal and notifying the other terminal of rejection of the terminal authority authentication certificate issuance request when the confirmation is rejected. To do. This brings about the effect that the terminal authority authentication certificate is issued after the terminal authority authentication certificate issuance request terminal is confirmed.

  A terminal according to claim 12 of the present invention further comprises a terminal authority authentication certificate issuing terminal list table that holds the public key certificate of the terminal authority authentication certificate issuing terminal in the terminal according to claim 11; The terminal authority authentication certificate issuing means obtains the public key certificate of the terminal authority authentication certificate issuing terminal held in the terminal authority authentication certificate issuing terminal list table when issuing the terminal authority authentication certificate Send to the terminal. This brings about the effect of facilitating the verification of the terminal authority authentication certificate in other terminals.

  The terminal according to claim 13 of the present invention is the terminal according to claim 11, further comprising a terminal authority authentication certificate revocation list table that holds a revocation list of the terminal authority authentication certificate, and the terminal authority authentication certificate The certificate issuing means transmits the terminal authority authentication certificate revocation list held in the terminal authority authentication certificate revocation list table to the other terminal when issuing the terminal authority authentication certificate. As a result, the terminal authority authentication certificate expired when the terminal authority authentication certificate is verified in another terminal is brought about.

  A terminal according to claim 14 of the present invention is a receiving means for receiving a signal containing beacon information, and when the receiving means receives a signal containing beacon information from another terminal, the other terminal If the above signal does not indicate that the terminal authority authentication certificate is possessed, the terminal authority authentication certificate issuance proposal is proposed by issuing a terminal authority authentication certificate owned by the other terminal to the other terminal. Means. Thereby, when the transmitting terminal of the signal including the beacon information does not have the terminal authority authentication certificate, the terminal authority authentication certificate is issued prior to the terminal authority authentication certificate issuance request using the signal as a trigger. Bring about an effect.

  The terminal according to claim 15 of the present invention is the terminal according to claim 14, further comprising means for acquiring terminal identification information of the other terminal from the signal from the other terminal received by the receiving means. And the terminal authority authentication certificate issuance proposing means makes the proposal based on the terminal identification information. As a result, the terminal authority authentication certificate is received after the terminal authority certificate issuance request is confirmed.

  According to a sixteenth aspect of the present invention, in the terminal according to the fourteenth aspect, the terminal authority authentication certificate issuance proposing means proposes the terminal authority authentication certificate issuance request to the other terminal. At the same time, the public key certificate of the terminal is also presented. This brings about the effect that the identity of the terminal that has proposed the terminal authority authentication certificate issuance is confirmed by the transmitting terminal of the signal including the beacon information.

  A terminal according to claim 17 of the present invention proposes a transmission means for transmitting a signal including beacon information indicating that no terminal authority authentication certificate is provided, and a request for issuing a terminal authority authentication certificate for the signal. A terminal authority authentication certificate issuance proposal receiving means for receiving, a confirmation means for prompting confirmation by displaying information on the other terminal when the terminal authority authentication certificate issuance proposal receiving means receives the proposal from the other terminal, If the above confirmation is made, the other terminal is requested to issue a terminal authority authentication certificate. If the confirmation is rejected, the terminal authority authentication certificate issuance proposal is issued to the other terminal. Terminal authority authentication certificate issuance requesting means for notifying rejection. As a result, the terminal authority authentication certificate issuing terminal is confirmed, and the terminal authority authentication certificate is requested to be issued.

  The terminal according to claim 18 of the present invention is the terminal according to claim 17, wherein the terminal authority authentication certificate issuance requesting means requests the other terminal to issue the terminal authority authentication certificate. Is also presented with the public key certificate of the terminal. This brings about the effect that the terminal authority authentication certificate issuing terminal confirms the identity of the terminal that has requested the terminal authority authentication certificate issuance request.

  The terminal according to claim 19 of the present invention receives a transmission means for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not provided, and a proposal of a request for issuing a terminal authority authentication certificate for the signal. A terminal authority authentication certificate issuance proposal receiving means, a confirmation means for displaying the information about the other terminal and prompting confirmation when the terminal authority authentication certificate issuance proposal receiving means receives the proposal from the other terminal, and When confirmation is made, if the proposal includes a terminal authority authentication certificate that has already been issued, the terminal authority authentication certificate is received, and if the proposal does not include an issued terminal authority authentication certificate Comprises terminal authority authentication certificate issuance request means for requesting the other terminal to issue a terminal authority authentication certificate. As a result, when a proposal for requesting issuance of a terminal authority authentication certificate is received, it is determined whether the proposal includes the issued terminal authority authentication certificate, and the terminal authority authentication certificate is received or the terminal This brings about the action of requesting the issuance of the authority authentication certificate.

  A terminal according to claim 20 of the present invention is the terminal according to claim 19, wherein the terminal authority authentication certificate issuance request means requests the other terminal to issue the terminal authority authentication certificate. And presents the public key certificate of the terminal together. This brings about the effect that the terminal authority authentication certificate issuing terminal confirms the identity of the terminal that has requested the terminal authority authentication certificate issuance request.

  A terminal according to claim 21 of the present invention is configured to receive a signal including beacon information, and to issue a terminal authority authentication certificate when the receiving unit receives a signal including predetermined beacon information from another terminal. Terminal authority authentication certificate issuance requesting means for making a request to the other terminal. This brings about the effect that the terminal authority authentication certificate issuance request is made in response to the reception of the signal including the beacon information.

  The terminal according to claim 22 of the present invention is the terminal according to claim 21, further comprising means for obtaining terminal identification information of the other terminal from the signal from the other terminal received by the receiving means. The terminal authority authentication certificate issuance requesting unit is configured to make the proposal based on the terminal identification information. This brings about the effect of making a request after confirming the terminal to which the terminal authority authentication certificate is to be issued.

  Further, the terminal according to claim 23 of the present invention is a terminal authority authentication certificate table that holds a first terminal authority authentication certificate indicating the access authority of the terminal itself, and reception for receiving a signal including beacon information. And when the receiving means receives a signal including beacon information from another terminal, the signal indicates that the other terminal has a second terminal authority authentication certificate indicating the access authority of the other terminal. If it is shown, it comprises authentication request means for presenting the first terminal authority authentication certificate held in the terminal authority authentication certificate table and requesting the other terminal to authenticate the own terminal. . This brings about the effect that the mutual authentication processing based on the terminal authority authentication certificate is developed using a signal including beacon information from another terminal having the terminal authority authentication certificate as a trigger.

  According to a twenty-fourth aspect of the present invention, there is provided a terminal according to the twenty-third aspect, wherein a terminal authority authentication certificate issuing terminal list table holding a public key certificate of a terminal authority authentication certificate issuing terminal and the authentication request An authentication request receiving means for receiving a second authentication request requested by the other terminal in response to an authentication request by the means; and the second authentication request included in the second authentication request received by the authentication request receiving means. Verification means for verifying the terminal authority authentication certificate with the public key included in the public key certificate held in the terminal authority authentication certificate issuing terminal list table is further provided. This brings about the effect | action that the receiving terminal of the said signal verifies the terminal authority authentication certificate which shows the access authority of the transmitting terminal of the signal containing beacon information.

  The terminal according to claim 25 of the present invention is the terminal according to claim 24, further comprising a terminal authority authentication certificate revocation list table that holds a terminal authority authentication certificate revocation list, wherein the verification means includes When the second terminal authority authentication certificate has been revoked in the terminal authority authentication certificate revocation list held in the terminal authority authentication certificate revocation list table, it is determined that the authentication has failed. As a result, the terminal authority authentication certificate that has expired when the terminal authority authentication certificate is verified in the terminal is brought about.

  A terminal according to claim 26 of the present invention includes a terminal authority authentication certificate issuing terminal list table holding a public key certificate of a terminal authority authentication certificate issuing terminal and a first terminal authority authentication certificate. Transmitting means for transmitting a signal including beacon information indicating that the terminal has a second terminal authority authentication certificate, and a terminal for holding the second terminal authority authentication certificate indicating the access authority of the terminal itself An authority authentication certificate table; an authentication request receiving means for receiving a first authentication request from another terminal for the signal; and the first authentication request included in the first authentication request received by the authentication request receiving means. Verification means for verifying the terminal authority authentication certificate with the public key contained in the public key certificate held in the terminal authority authentication certificate issuing terminal list table, and authentication is successful in this verification means Second authentication that presents the second terminal authority authentication certificate held in the terminal authority authentication certificate table to the other terminal and requests the other terminal to authenticate the own terminal. Authentication request means for making a request. This brings about the effect that the mutual authentication processing based on the terminal authority authentication certificate is developed using a signal including beacon information indicating that the terminal authority authentication certificate is included as a trigger.

  The terminal according to claim 27 of the present invention is the terminal according to claim 26, further comprising a terminal authority authentication certificate revocation list table for holding a terminal authority authentication certificate revocation list, wherein the verification means includes When the second terminal authority authentication certificate has been revoked in the terminal authority authentication certificate revocation list held in the terminal authority authentication certificate revocation list table, it is determined that the authentication has failed. As a result, the terminal authority authentication certificate that has expired when the terminal authority authentication certificate is verified in the terminal is brought about.

  In addition, the terminal authority authentication certificate issuance proposing method according to claim 28 of the present invention includes a procedure for receiving a signal including beacon information, and that the signal indicates that the signal source terminal has a terminal authority authentication certificate. If not shown, it includes a procedure for making a request for issuing a terminal authority authentication certificate to the transmission source terminal. Thereby, when the transmitting terminal of the signal including the beacon information does not have the terminal authority authentication certificate, the terminal authority authentication certificate issuance process is expanded using the signal as a trigger.

  A terminal authority authentication certificate issuance proposal method according to claim 29 of the present invention is the terminal authority authentication certificate issuance proposal method according to claim 28, wherein the terminal of the other terminal is based on the signal from the other terminal. A procedure for obtaining identification information is further provided, and the proposal is made based on the terminal identification information. This brings about the effect that the terminal authority authentication certificate issuance request is confirmed after the terminal to be proposed is confirmed.

  In addition, the terminal authority authentication certificate issuance proposing method according to claim 30 of the present invention is a method for receiving a signal including beacon information, and that the signal indicates that the source terminal of the signal has a terminal authority authentication certificate. If not shown, it includes a procedure for issuing a terminal authority authentication certificate owned by the transmission source terminal and proposing it to the transmission source terminal. Thereby, when the transmitting terminal of the signal including the beacon information does not have the terminal authority authentication certificate, the terminal authority authentication certificate is issued prior to the terminal authority authentication certificate issuance request using the signal as a trigger. Bring about an effect.

  In addition, the terminal authority authentication certificate issuance request method according to claim 31 of the present invention includes a procedure for transmitting a signal including beacon information indicating that no terminal authority authentication certificate is provided, and a terminal authority authentication certificate for the signal. A procedure for receiving a proposal for an issuance request, a procedure for prompting confirmation by displaying information on the sender terminal of the proposal, and issuing a terminal authority authentication certificate to the sender terminal if the confirmation is made And when the confirmation is rejected, a procedure for notifying the transmission source terminal of rejection of the terminal authority authentication certificate issuance proposal is provided. As a result, the terminal authority authentication certificate issuing terminal is confirmed, and the terminal authority authentication certificate is requested to be issued.

  A terminal authority authentication certificate issuance request method according to claim 32 of the present invention includes a procedure for transmitting a signal including beacon information indicating that no terminal authority authentication certificate is provided, and a terminal authority authentication certificate for the signal. A procedure for receiving a proposal for an issuance request, a procedure for prompting confirmation by displaying information related to the transmission source terminal of the proposal, and when the confirmation is made, the proposal includes a terminal authority authentication certificate that has been issued. The terminal authority authentication certificate is received in the case, and if the proposal does not include the issued terminal authority authentication certificate, a request for issuing the terminal authority authentication certificate to the source terminal is requested. It comprises. As a result, when a proposal for requesting issuance of a terminal authority authentication certificate is received, it is determined whether the proposal includes the issued terminal authority authentication certificate, and the terminal authority authentication certificate is received or the terminal This brings about the action of requesting the issuance of the authority authentication certificate.

  A terminal authority authentication certificate issuance request method according to claim 33 of the present invention includes a procedure for receiving a signal including beacon information, and issuing a terminal authority authentication certificate upon receiving the signal from another terminal. And a procedure for requesting another terminal. This brings about the effect that the terminal authority authentication certificate issuance request is made in response to the reception of the signal including the beacon information.

  A terminal authority authentication certificate issuance request method according to claim 34 of the present invention is the terminal authority authentication certificate issuance request method according to claim 33 of the present invention. A procedure for obtaining terminal identification information of the terminal is further provided, and the request is made based on the terminal identification information. This brings about the effect of making a request after confirming the terminal to which the terminal authority authentication certificate is to be issued.

  According to a 35th aspect of the present invention, there is provided a program for receiving a signal including beacon information, and a terminal authority authentication unless the signal indicates that the beacon transmission source terminal has a terminal authority authentication certificate. The terminal is caused to execute a procedure proposed to the transmission source terminal so as to make a certificate issuance request. Thereby, when the transmitting terminal of the signal including the beacon information does not have the terminal authority authentication certificate, the terminal authority authentication certificate issuance process is expanded using the signal as a trigger.

  The program according to claim 36 of the present invention is a program for receiving a signal including beacon information and, if the signal does not indicate that the transmission source terminal of the signal has a terminal authority authentication certificate, A terminal authority authentication certificate having the terminal as an owner is issued, and the terminal is caused to execute a procedure proposed to the transmission source terminal. Thereby, when the transmitting terminal of the signal including the beacon information does not have the terminal authority authentication certificate, the terminal authority authentication certificate is issued prior to the terminal authority authentication certificate issuance request using the signal as a trigger. Bring about an effect.

  The program according to claim 37 of the present invention receives a procedure for transmitting a signal including beacon information indicating that no terminal authority authentication certificate is provided, and a proposal for issuing a terminal authority authentication certificate for the signal. A procedure, a procedure for prompting confirmation by displaying information on the proposed source terminal, and when the confirmation is made, the source terminal is requested to issue a terminal authority authentication certificate. In the case of rejection, the terminal is caused to execute a procedure for notifying the transmission source terminal of rejection of the terminal authority authentication certificate issuance proposal. As a result, the terminal authority authentication certificate issuing terminal is confirmed, and the terminal authority authentication certificate is requested to be issued.

  A program according to claim 38 of the present invention receives a procedure for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not provided, and a proposal for issuing a terminal authority authentication certificate for the signal. A procedure, a procedure for prompting confirmation by displaying information on the sender terminal of the proposal, and if the confirmation is made, if the proposal includes an issued terminal authority authentication certificate, the terminal authority authentication When the certificate is received and the proposal does not include the issued terminal authority authentication certificate, the terminal executes a procedure for requesting the source terminal to issue the terminal authority authentication certificate. is there. As a result, when a proposal for requesting issuance of a terminal authority authentication certificate is received, it is determined whether the proposal includes the issued terminal authority authentication certificate, and the terminal authority authentication certificate is received or the terminal This brings about the action of requesting the issuance of the authority authentication certificate.

  The program according to claim 39 of the present invention requests the other terminal to issue a procedure for receiving a signal including beacon information and to issue a terminal authority authentication certificate upon receiving the signal from the other terminal. The procedure to perform is to be executed by the terminal. This brings about the effect that the terminal authority authentication certificate issuance request is made in response to the reception of the signal including the beacon information.

  According to the present invention, in the wireless ad hoc communication system, the terminal authority authentication certificate can be issued in an autonomous distributed manner.

  Next, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a diagram showing a configuration example of a radio terminal 300 used in the radio ad hoc communication system in the embodiment of the present invention. The wireless terminal 300 includes a communication processing unit 320, a control unit 330, a display unit 340, an operation unit 350, a speaker 360, a microphone 370, and a memory 600, and a bus 380 is connected therebetween. It has become. An antenna 310 is connected to the communication processing unit 320. The communication processing unit 320 configures a network interface layer (data link layer) frame from a signal received via the antenna 310. Further, the communication processing unit 320 transmits a frame of the network interface layer via the antenna 310.

  The control unit 330 controls the entire wireless terminal 300. For example, a predetermined process is performed with reference to a frame configured by the communication processing unit 320. The display unit 340 displays predetermined information, and for example, a liquid crystal display can be used. The operation unit 350 is for performing an operation instruction to the wireless terminal 300 from the outside. For example, a keyboard, a button switch, or the like can be used. The speaker 360 outputs audio and is used to alert the user of the wireless terminal 300 and exchange audio information with other terminals. The microphone 370 performs voice input from the outside to the wireless terminal 300, and is used for exchanging voice information with other terminals and instructing operations.

  The memory 600 includes an attribute certificate issuing terminal list table 610 that holds information related to the issuing terminal of the attribute certificate, an attribute certificate table 620 that holds an attribute certificate indicating the access authority of the wireless terminal 300 itself, and expired attributes. An attribute certificate revocation list table 630 that holds information related to a certificate, and a generated key table 650 that holds a public key, a private key, and a public key certificate are stored as information related to the generated key of the wireless terminal 300 itself.

  FIG. 2 is a configuration example of the attribute certificate issuing terminal list table 610 according to the embodiment of the present invention. This attribute certificate issuance terminal list table 610 holds information related to terminals that have a history of issuing attribute certificates in the past, and corresponds to each of the terminal identifiers 611 of the attribute certificate issuance terminals. The certificate 612 is held. The terminal identifier 611 only needs to uniquely identify the terminal in the network. For example, a MAC (Media Access Control) address in Ethernet (registered trademark) can be used. The public key certificate 612 is a terminal public key certificate identified by the corresponding terminal identifier 611. The public key certificate proves the identity of the certificate owner (subject) and includes the public key of the certificate owner. This public key certificate is signed by a certificate authority (CA) as a certificate issuer.

  FIG. 3 is a diagram showing a format 710 of the public key certificate 612 held in the attribute certificate issuing terminal list table 610. The public key certificate format 710 is roughly composed of a pre-signature certificate 711, a signature algorithm 718, and a signature 719. The pre-signature certificate 711 includes a serial number 712, an issuer 714, an expiration date 715, an owner 716, an owner 716, and an owner public key 717.

  The serial number 712 is a serial number of the public key certificate and is numbered by a certificate authority. The issuer 714 is the name of the certificate authority that is the issuer of the public key certificate. The public key certificate is uniquely identified by the issuer 714 and the serial number 712. The expiration date 715 is the expiration date of the public key certificate. The owner 716 is the name of the owner of the public key certificate. The owner public key 717 is the owner 716 public key.

  The signature 719 is a signature by the certificate authority for the public key certificate, and the signature algorithm 718 is a signature algorithm used for this signature 719. The signature algorithm is composed of a message digest algorithm and a public key encryption algorithm. The message digest algorithm is one of hash functions (summary functions), and is an algorithm for creating a message digest of the pre-signature certificate 711. Here, the message digest is obtained by compressing input data (pre-signature certificate 711) into a fixed-length bit string, and is also called a thumbprint or a fingerprint (fingerprint). Known message digest algorithms include SHA-1 (Secure Hash Algorithm 1), MD2 (Message Digest # 2), MD5 (Message Digest # 5), and the like. The public key encryption algorithm is an algorithm for encrypting the message digest obtained by the message digest algorithm with the secret key of the certificate authority. Known public key encryption algorithms include RSA based on a prime factorization problem, DSA based on a discrete logarithm problem, and the like. Thus, the signature 719 is obtained by encrypting the message digest of the pre-signature certificate 711 with the private key of the certificate authority.

  Accordingly, a message digest can be obtained by decrypting the signature 719 of the public key certificate with the public key of the certificate authority. The user of the public key certificate creates the message digest of the pre-signature certificate 711 by itself and compares it with the message digest decrypted with the public key of the certificate authority, so that the contents of the pre-signature certificate 711 can be obtained. It can be verified that it has not been tampered with.

  FIG. 4 is a diagram showing an attribute certificate format 720 held in the attribute certificate table 620. This attribute certificate is roughly composed of attribute certification information 721, a signature algorithm 728, and a signature 729. The attribute certification information 721 includes an owner public key certificate identifier 723, an issuer 724, a serial number 722, and an expiration date 725.

  The owner public key certificate identifier 723 is for identifying the public key certificate of the owner of the attribute certificate. Specifically, it is identified by the issuer 714 and serial number 712 of the public key certificate 710 (FIG. 3). The public key certificate identifier 723 may have any function for identifying the owner. For example, the MAC address of the owner may be used. The issuer 724 is the name of an attribute certificate authority (AA) that is an issuer of the attribute certificate, and can use, for example, the issuer's MAC address. The serial number 722 is a serial number of the attribute certificate and is numbered by the attribute certificate authority that is the issuer of the attribute certificate. The attribute certificate is uniquely identified by the serial number 722 and the issuer 724. The expiration date 725 is the expiration date of the attribute certificate.

  The signature 729 is a signature by the attribute certificate authority for the attribute certificate, and the signature algorithm 728 is a signature algorithm used for this signature 729. The contents of the signature algorithm are the same as the signature algorithm 718 of the public key certificate described above, and the signature 729 is obtained by encrypting the message digest of the attribute certification information 721 with the secret key of the attribute certification authority.

  Therefore, a message digest can be obtained by decrypting the signature 729 of the attribute certificate with the public key of the attribute certificate authority. The user of the attribute certificate creates a message digest of the attribute certification information 721 by itself and compares it with the message digest decrypted with the public key of the attribute certification authority, so that the contents of the attribute certification information 721 are falsified. You can verify that it is not.

  FIG. 5 is a configuration example of the attribute certificate revocation list table 630 according to the embodiment of the present invention. This attribute certificate revocation list table 630 holds information related to a revoked attribute certificate, and holds a pair of a revoked attribute certificate identifier 631 and a revoked revocation time 632. Yes. An attribute certificate revocation list (ARL: Attribute certificate Revocation List) is issued in order to forcibly revoke an attribute certificate when a terminal is lost or stolen. A pair of the attribute certificate identifier 631 and the revocation time 632 is extracted from each revocation list entry of the attribute certificate revocation list and held. The attribute certificate identifier 631 is for identifying the revoked attribute certificate. Specifically, the attribute certificate identifier 631 is identified by the issuer 724 and the serial number 722 of the attribute certificate 720 (FIG. 4).

  FIG. 6 is a diagram showing the format of the attribute certificate revocation list 730. This attribute certificate revocation list is roughly composed of a pre-signature revocation list 731, a signature algorithm 738, and a signature 739. The pre-signed revocation list 731 includes a pre-signed revocation list issuer 734 and zero or more revocation list entries 735. The revocation list entry 735 is a pair of the attribute certificate identifier 736 of the revoked attribute certificate and the revocation time 737 that has been revoked. A pair of the attribute certificate identifier 736 and the revocation time 737 in the revocation list entry 735 corresponds to a pair of the attribute certificate identifier 631 and the revocation time 632 in the attribute certificate revocation list table 630 (FIG. 5).

  The signature 739 is a signature by the issuer for the attribute certificate revocation list, and the signature algorithm 738 is a signature algorithm used for this signature 739. The contents of the signature algorithm are the same as the signature algorithm 718 of the public key certificate described above, and the signature 739 is obtained by encrypting the message digest of the pre-signature revocation list 731 with the issuer's private key.

  Therefore, a message digest can be obtained by decrypting the signature 739 of the attribute certificate revocation list with the issuer's public key. The user of the attribute certificate revocation list creates the message digest of the pre-signature revocation list 731 by himself and compares it with the message digest decrypted with the issuer's public key, so that the contents of the pre-signature revocation list 731 Can be verified that has not been tampered with.

  In wireless ad-hoc communication systems, it is difficult to assume the existence of a fixed server that centrally manages attribute certificate revocation lists, so all terminals that make up the network can issue attribute certificate revocation lists. And A terminal that has issued an attribute certificate revocation list broadcasts the attribute certificate revocation list to other terminals, so that the validity of the attribute certificate can be verified at other terminals. Further, when reconnecting to the network, each terminal exchanges the attribute certificate revocation list with each other and merges the attribute certificate revocation list table 630 to maintain the latest state. When issuing an attribute certificate revocation list, it is desirable to attach a public key certificate and an attribute certificate so that the issuer can be easily authenticated.

  Next, the operation of the wireless ad hoc communication system in the embodiment of the present invention will be described with reference to the drawings. In the embodiment of the present invention, in order for a terminal to connect to a network resource, an “initial registration” procedure (FIG. 7 or FIG. 15) in which the terminal issues an attribute certificate, and the terminal uses the attribute certificate. The “mutual authentication” procedure (FIG. 18) for performing authentication is performed. Each process in FIGS. 7, 15, and 18 is realized by the control unit 330 in the wireless terminal 300.

  FIG. 7 is a diagram showing a first example of the procedure of initial registration in the embodiment of the present invention. Here, the terminal A (100) is an attribute certificate issuing terminal that has already entered the network, and the terminal B (200) is a terminal that is newly entering the network.

  Each terminal in the wireless ad hoc communication system periodically transmits a beacon to inform other terminals of its existence. In the embodiment of the present invention, the beacon includes not only a signal including only beacon information as a beacon signal but also a signal in which some data information is added to the beacon information. In the example of FIG. 7, the terminal A receives the beacon 2011 transmitted (201) by the terminal B (101), and the terminal B receives the beacon 1022 transmitted (102) by the terminal A (202). Thereby, the terminal A and the terminal B grasp each other's terminal identifier by the following beacon frame configuration.

  The frame structures of these beacons 2011 and 1022 are as shown in FIG. The beacon frame 810 includes a header part 811 and a payload part 812. The header portion 811 includes a start terminal identifier 813, an end terminal identifier 814, a transmission terminal identifier 815, a reception terminal identifier 816, a frame type 817, and an attribute certificate presence / absence 818. The starting point terminal identifier 813 is the terminal identifier of the terminal that first transmitted this frame. Note that the terminal identifier is not limited as long as it uniquely identifies the terminal in the network as described above. For example, a MAC address in Ethernet (registered trademark) can be used. The end terminal identifier 814 is the terminal identifier of the terminal that is the final destination of this frame. In the beacon frame 810, a broadcast address (for example, 1 for all bits) is set in the end-point terminal identifier 814.

  The transmission terminal identifier 815 and the reception terminal identifier 816 are used when relaying a frame. In a wireless ad hoc communication system, not all terminals in a network can communicate directly, and if a frame is to be transmitted to a terminal that does not reach radio waves, a communication path must be established by multi-hop via another terminal. I must. In this case, a transmitting terminal identifier 815 and a receiving terminal identifier 816 are used between terminals that transmit and receive frames.

  The frame type 817 indicates the type of frame, and here indicates a beacon frame. The presence / absence of attribute certificate 818 indicates whether or not the beacon frame transmission source terminal has an attribute certificate indicating authority to access network resources. In the initial registration sequence of FIG. 7, since the terminal B does not have an attribute certificate, the presence / absence 818 of the attribute certificate indicates that it does not have it. In this example of the beacon frame, the data 819 of the payload portion 812 does not include other information.

  Upon receiving the beacon 2011 transmitted from the terminal B (101), the terminal A checks the start terminal identifier 814 and the presence / absence of the attribute certificate 818 in the beacon frame 810. If it is determined that terminal B, which is the starting terminal, does not have an attribute certificate, terminal A transmits (103) an attribute certificate issuance proposal message 1032 that is proposed to terminal B to make an attribute certificate issue request. . In this case, the presence or absence of the attribute certificate indicated in the beacon is verified assuming that the attribute certificate issuance proposal message is automatically transmitted. However, terminal A does not check the presence or absence of this attribute certificate. At this time, an attribute certificate issuance proposal message may be created and transmitted to the terminal B.

  The frame structure of this attribute certificate issuance proposal message 1032 is as shown in FIG. The attribute certificate issuance proposal frame 820 includes a header part 821 and a payload part 822. The header part 821 includes a start terminal identifier 823, an end terminal identifier 824, a transmission terminal identifier 825, a reception terminal identifier 826, and a frame type 827. The contents in the header part 821 are the same as those of the beacon frame 810 described with reference to FIG. Further, in this attribute certificate issuance proposal frame 820, the public key certificate 8291 of the terminal A that is the transmission source is included as the data 829 of the payload portion 822. The public key certificate 8291 of the terminal A is previously stored in the generated key table 650 of the terminal A. The data 829 may include a terminal identifier in addition to the public key certificate 8291.

  When the terminal B receives the attribute certificate issuance proposal message 1032 transmitted from the terminal A, the terminal B confirms the terminal A from the contents (203). For example, by displaying the start terminal identifier 823 (FIG. 9) of the attribute certificate issuance proposal frame 820 and the public key owner 716 (FIG. 3) in the public key certificate 8291 on the display unit 340 (FIG. 1), the correctness is obtained. The user is prompted to determine whether the terminal is an attribute certificate issuing terminal. Thereby, it is possible to prevent a malicious terminal or an unintended terminal from intervening due to address forgery or the like. When the transmission source terminal A is a trusted terminal and the terminal A intends to issue an attribute certificate, the user performs a confirmation operation using the operation unit 350 (FIG. 1).

  When the proposal is accepted by the user's confirmation (203), the terminal B transmits an attribute certificate issuance request message 2041 for requesting issuance of the attribute certificate to the terminal A (204). The frame structure of the attribute certificate issuance request message 2041 is as shown in FIG. 9 and is the same as the frame 820 of the attribute certificate issuance proposal message 1032. The same is true in that the data 839 of the payload portion 832 includes the public key certificate 8391 of the terminal B that is the transmission source.

  When the proposal is rejected by the user's confirmation (203), the terminal B may transmit an attribute certificate issuance proposal rejection message notifying the rejection of the attribute certificate issuance proposal to the terminal A. The frame structure of this attribute certificate issuance proposal rejection message is as shown in FIG. The attribute certificate issuance proposal rejection frame 840 includes a header portion 841 and a payload portion 842. The header portion 841 includes a start terminal identifier 843, an end terminal identifier 844, a transmission terminal identifier 845, a reception terminal identifier 846, a frame type 847, and a rejection reason type 848. The contents in the header portion 841 are the same as those of the beacon frame 810 described with reference to FIG. 8, but the rejection reason type 848 is unique to the attribute certificate issuance proposal rejection frame 840. In the rejection reason type 848, for example, a reason such as cancellation by the user or not being trusted as the attribute certification authority is coded and shown.

  Upon receiving the attribute certificate issuance request message 2041 transmitted from the terminal B, the terminal A confirms the terminal B from the content (104). For example, by displaying the start terminal identifier 833 (FIG. 9) of the attribute certificate issuance request frame 830 and the public key owner 716 (FIG. 3) in the public key certificate 8391 on the display unit 340 (FIG. 1), The user is prompted to determine whether the terminal is reliable. If the source terminal B is a trusted terminal, the user performs a confirmation operation using the operation unit 350 (FIG. 1).

  Upon confirmation by the user, the terminal A transmits an attribute certificate issue message 1052 to the terminal B in order to issue an attribute certificate (105). The frame structure of this attribute certificate issue message 1052 is as shown in FIG. The attribute certificate issuance frame 860 includes a header part 861 and a payload part 862. The header part 861 includes a start terminal identifier 863, an end terminal identifier 864, a transmission terminal identifier 865, a reception terminal identifier 866, and a frame type 867. The contents in the header portion 861 are the same as those in the attribute certificate issuance proposal frame 820 described with reference to FIG. Also, in this attribute certificate issuance frame 860, the attribute certificate 8691 signed by the terminal A with the requesting terminal B as the owner is included as the data 869 of the payload portion 862. Upon receiving (205) the attribute certificate issue message 1052 from the terminal A, the terminal B extracts the attribute certificate 8691 from the attribute certificate issue frame 860 and stores it in the attribute certificate table 620.

  Note that if the confirmation (104) is rejected by the user, the terminal A may send an attribute certificate issuance request rejection message to the terminal B for notifying the rejection of the attribute certificate issuance request. The frame structure of this attribute certificate issuance request rejection message is as shown in FIG. 10 and is the same as that of the attribute certificate issuance proposal rejection frame 840.

  FIG. 12 is a diagram showing a modification of the first example of the initial registration procedure in the embodiment of the present invention. In this modification, when an attribute certificate issuance proposal message is transmitted from the attribute certificate issuing terminal, the number of messages exchanged between the terminals is calculated by issuing the attribute certificate and attaching it to the message. To reduce. Here, the point that the terminal A (100) is an attribute certificate issuing terminal and the terminal B (200) is a new entry terminal is the same as in the first embodiment of FIG. Similarly, both terminals transmit beacons. Terminal A receives beacon 2311 transmitted (231) by terminal B (131), and terminal B receives beacon 1322 transmitted by terminal A (132) ( 232), terminal A and terminal B know each other's terminal identifier. The frame structure of these beacons is as described with reference to FIG. 8 as in the first embodiment.

  In the embodiment of FIG. 12, unlike the first embodiment of FIG. 7, the terminal A (100), which is the attribute certificate issuing terminal that received the beacon, sends an attribute certificate issue request message (2041 in FIG. 7). The attribute certificate is issued to the terminal B (200), which is a new entry terminal, without being received, and is included in the data of the payload portion of the attribute certificate issuance proposal message 1332 and transmitted. This attribute certificate is signed by the terminal A with the terminal B as the owner as the owner. The frame structure 1820 of the attribute certificate issuance proposal message 1332 in this case is as shown in FIG. 13, and the attribute certificate of FIG. 9 is included except that the data 1829 of the payload portion 1822 includes the attribute certificate 18292 to the issue destination terminal. The configuration is the same as the frame configuration 820 of the certificate issuance proposal message. As a result, the number of messages can be reduced as compared with the first embodiment of FIG. Whether or not the attribute certificate issuance proposal message includes the attribute certificate 18292 may be determined based on the frame type 827 or 1827 in the terminal B (200). You may make it judge by the content.

  In the example of FIG. 12, when the terminal B (200) receives (233) the attribute certificate issuance proposal message 1332 transmitted (133) from the terminal A (100), the terminal B (200) confirms the terminal A (100) from the contents. To do. For example, the start terminal identifier 1823 of the attribute certificate issuance proposal frame 1820 is displayed to prompt the user to determine whether or not the attribute certificate issuance terminal is correct. Thereby, it is possible to prevent a malicious terminal or an unintended terminal from intervening due to address forgery or the like. When the source terminal A (100) is a trusted terminal and accepts the attribute certificate issued by the terminal A (100), the user performs a confirmation operation using the operation unit 350 (FIG. 1). The terminal B (200) that has received the attribute certificate issuance proposal message 1332 from the terminal A (100) extracts the attribute certificate 18292 from the payload portion 1822 of the attribute certificate issuance proposal frame 1820 and obtains the attribute certificate table 620. (FIG. 1).

  When confirmation (233) is made by the user, the terminal B (200) transmits (234) an attribute certificate issuance proposal reception message 2341 for receiving the attribute certificate issuance proposal message 1332 to the terminal A (100). The frame configuration 1830 of the attribute certificate issuance proposal receipt message 2341 is as shown in FIG. 14, and is basically the same as the frame configuration of the attribute certificate issuance request message in FIG.

  When the proposal is rejected by the user confirmation (233), the terminal B (200) transmits an attribute certificate issuance proposal rejection message notifying the rejection of the attribute certificate issuance proposal to the terminal A. Also good. The frame configuration 840 of this attribute certificate issuance proposal rejection message is the same as that described with reference to FIG.

  FIG. 15 is a diagram illustrating a second example of the initial registration procedure according to the embodiment of the present invention. The point that the terminal A (100) is an attribute certificate issuing terminal and the terminal B (200) is a new entry terminal is the same as in the first embodiment of FIG. Similarly, both terminals transmit beacons, terminal A receives beacon 2211 transmitted (221) by terminal B (121), and terminal B receives beacon 1222 transmitted (122) by terminal A ( 222), terminal A and terminal B know each other's terminal identifier. The frame configurations of these beacons 2211 and 1222 are also as shown in FIG.

  In the second embodiment of FIG. 15, unlike the first embodiment of FIG. 7, the terminal B that is a new entry terminal that has received the beacon receives the attribute certificate without receiving the attribute certificate issuance proposal message. An attribute certificate issuance request message 2251 is transmitted (225) to terminal A, which is the issuing terminal. The frame structure 830 of the attribute certificate issuance request message 2041 is as described with reference to FIG. At this time, if the terminal B does not have the public key certificate of the terminal A that is the transmission destination of the attribute certificate issuance request message 2251, the terminal B transmits the public key certificate request message 2231. A public key certificate is requested from terminal A (223). The frame configuration 1870 of the public key certificate request message 2231 is as shown in FIG. 16, and is the same as the frame 820 (FIG. 9) of the attribute certificate issuance proposal message 1032 described in the first embodiment of FIG. However, the payload part 1872 does not include a public key certificate.

  The terminal A receiving the public key certificate request message 2231 (123) transmits the public key certificate of its own terminal held in the generated key table 650 (FIG. 1) by the public key certificate request response message 1242 (124). ) As a result, the terminal B receives (224) the public key certificate of the terminal A that is the attribute certificate issuing terminal. The frame configuration 1880 of the public key certificate request response message 1242 is as shown in FIG. 17, and is the same as the frame 820 (FIG. 9) of the attribute certificate issuance proposal message 1032 described in the first embodiment of FIG. It is. The same applies to the point that the public key certificate 1889 of the terminal A, which is the transmission source terminal, is included as data in the payload portion 1882.

  Upon receiving the attribute certificate issuance request message 2251 transmitted from the terminal B, the terminal A confirms the terminal B from the contents (125). For example, by displaying the start terminal identifier 833 (FIG. 9) of the attribute certificate issuance request frame 830 and the public key owner 716 (FIG. 3) in the public key certificate 8391 on the display unit 340 (FIG. 1), The user is prompted to determine whether the terminal is reliable. If the source terminal B is a trusted terminal, the user performs a confirmation operation using the operation unit 350 (FIG. 1).

  Upon confirmation by the user, the terminal A transmits an attribute certificate issue message 1262 to the terminal B in order to issue an attribute certificate (126). As a result, the terminal B receives the attribute certificate (226). The frame structure 860 of the attribute certificate issue message 1262 is as described with reference to FIG.

  FIG. 18 is a diagram showing a mutual authentication procedure in the embodiment of the present invention. The terminals that have completed initial registration perform mutual authentication by verifying each other's attribute certificate. In the wireless ad hoc communication system according to the embodiment of the present invention, each terminal periodically transmits a beacon to notify other terminals of its own existence. In the following, it is assumed that the terminal A makes an authentication request using the beacon of the terminal B as a trigger, but it is sufficient that authentication is finally performed mutually, and the beacon of any terminal may be used as a trigger.

  First, the terminal B transmits a beacon 2111 in order to enter the network (211). The frame structure of this beacon 2111 is as shown in FIG. Unlike the initial registration sequence of FIG. 7, since the terminal B has an attribute certificate in the mutual authentication of FIG. 18, the presence / absence 818 of this attribute certificate indicates “has”.

  When the terminal A receives the beacon 2111 transmitted from the terminal B (111), the terminal A checks the presence / absence 818 of the attribute certificate of the beacon frame 810. If it is determined that the terminal B has the attribute certificate, the terminal A transmits an authentication request message 1122 to authenticate the terminal A to the terminal B (112). The frame structure of the authentication request message 1122 is as shown in FIG. The authentication request frame 870 includes a header part 871 and a payload part 872. The header portion 871 includes a start terminal identifier 873, an end terminal identifier 874, a transmission terminal identifier 875, a reception terminal identifier 876, and a frame type 877. The contents in the header portion 871 are the same as those in the attribute certificate issuance proposal frame 820 described with reference to FIG. Further, in the authentication request frame 870, the public key certificate 8791 and the attribute certificate 8792 of the terminal A that is the transmission source are included as the data 879 of the payload portion 872. The public key certificate 8791 of the terminal A is previously stored in the generated key table 650 of the terminal A, and the attribute certificate 8792 of the terminal A is previously stored in the attribute certificate table 620 of the terminal A.

  Upon receiving the authentication request message 1122 transmitted from the terminal A, the terminal B authenticates the terminal A from the contents (212). Specifically, the public key of the attribute certification authority is extracted from the public key certificate 612 (FIG. 2) of the attribute certificate issuing terminal list table 610, and the attribute certificate 8792 included in the authentication request message 1122 by this public key. By decrypting the signature 729 (FIG. 4), a message digest at the time of signature is obtained. Then, a message digest of the attribute certification information 721 (FIG. 4) of the attribute certificate 8792 is newly generated. It is confirmed that the newly generated message digest matches the message digest at the time of signing. If they do not match, the attribute certificate may have been tampered with after signing, and verification of the attribute certificate will fail. If the two match, the owner public key certificate identifier 723 (FIG. 4) of the attribute certificate 8792 included in the authentication request message 1122 further indicates the public key certificate 8791 included in the authentication request message 1122. Confirm that it matches the issuer 714 and serial number 712 (FIG. 3). If they match, it can be confirmed that the terminal A that is the owner of the public key certificate is the owner of the attribute certificate. If they do not match, the owner of the attribute certificate is not the terminal A, and the verification of the attribute certificate fails.

  When verifying this attribute certificate, it is necessary to confirm that the attribute certificate is not included in the attribute certificate revocation list table 630. When the issuer 724 and serial number 722 (FIG. 4) of the attribute certificate 8792 are included in the attribute certificate identifier 631 (FIG. 5) of the attribute certificate revocation list table 630, the attribute certificate 8792 is revoked. It expires at time 632. Therefore, in that case, the verification of the attribute certificate fails.

  If the authentication of the terminal A is successful (212), the terminal B transmits an authentication success message 2131 notifying that the authentication of the terminal A is successful to the terminal A (213). The authentication response frame structure of this authentication success message 2131 is as shown in FIG. The authentication response frame 880 includes a header part 881 and a payload part 882. The header portion 881 includes a start terminal identifier 883, an end terminal identifier 884, a transmission terminal identifier 885, a reception terminal identifier 886, and a frame type 887. The contents in the header portion 881 are the same as those in the attribute certificate issuance proposal frame 820 described with reference to FIG. In the case of the authentication success message 2131, the frame type 887 is an authentication success frame. This authentication response frame 880 further includes a response reason type 888, but is not particularly required in the case of successful authentication.

  If the verification of the attribute certificate of the terminal A fails (212), the terminal B transmits an authentication failure message notifying that the authentication of the terminal A is successful to the terminal A. The authentication response frame structure of this authentication failure message is as described with reference to FIG. However, in the case of an authentication failure message, the frame type 887 is an authentication failure frame, and the response reason type 888 indicates the reason for the authentication failure, such as a message digest mismatch or attribute certificate revocation reason. It is. these. The authentication success message 2131 or the authentication failure message is received and confirmed by the terminal A (113).

  When the verification of the attribute certificate of terminal A is successful (212), terminal B further transmits an authentication request message 2141 to authenticate terminal B to terminal A (214). The frame configuration of the authentication request message 2141 is the same as that in FIG. 19 described above, and includes the public key certificate 8791 and the attribute certificate 8792 of the terminal B that is the transmission source.

  When the terminal A receives the authentication request message 2141 transmitted from the terminal B, the terminal A authenticates the terminal B from the contents (114). The contents of this authentication are as described above, and verification of the attribute certificate, confirmation of the owner of the attribute certificate, confirmation of the attribute certificate revocation list table 630, and the like are performed.

  If the authentication of the terminal B is successful (212), the terminal A transmits an authentication success message 1152 notifying that the authentication of the terminal B is successful to the terminal B (115). The authentication response frame structure of the authentication success message 1152 is the same as that in FIG. If the verification of the attribute certificate of the terminal B (212) fails, the terminal A transmits an authentication failure message notifying that the authentication of the terminal B is successful to the terminal B. The authentication response frame structure of this authentication failure message is also as described with reference to FIG. The authentication success message 1152 or the authentication failure message is received and confirmed by the terminal B (215).

  In this way, when the terminal A and the terminal B successfully authenticate each other's terminals, the mutual authentication is completed. After the mutual authentication is completed, the contents of the attribute certificate issuing terminal list table 610 and the attribute certificate revocation list table 630 are exchanged and merged. Also, a terminal that newly becomes an attribute certificate issuing terminal broadcasts and distributes its public key certificate to all terminals. Further, as described above, the terminal that has issued the attribute certificate revocation list broadcasts the attribute certificate revocation list to other terminals. Accordingly, the same contents of the attribute certificate issuing terminal list table 610 and the attribute certificate revocation list table 630 of each terminal connected to the network are maintained.

  Next, a processing flow of each terminal of the wireless ad hoc communication system according to the embodiment of the present invention will be described with reference to the drawings.

  FIG. 21 is a diagram showing a processing flow of the attribute certificate issuing terminal in the first embodiment of the initial registration of FIG. First, when a beacon is received from another terminal, it is determined whether or not the beacon indicates that the transmission source terminal of the beacon has an attribute certificate (step S911). If the beacon indicates that it has an attribute certificate, it is not necessary to issue an attribute certificate, and the process ends without performing this initial registration process. If the beacon does not indicate that it has an attribute certificate, it is proposed to check the beacon start terminal identifier and request the source terminal to issue the attribute certificate (step S912). .

  Thereafter, if there is an attribute certificate issuance request (step S913), information on the requesting terminal is displayed to prompt confirmation (step S914). As a result, when the request source terminal is confirmed as a reliable terminal (step S915), an attribute certificate is issued to the request source terminal (step S916). Conversely, if the confirmation is rejected, the requesting terminal is notified of the rejection of the attribute certificate issuance request (step S917).

  FIG. 22 is a diagram showing a process flow of a new entry terminal in the first embodiment of the initial registration of FIG. First, a beacon indicating that no attribute certificate is present is transmitted (step S921). Thereafter, when there is an attribute certificate issuance proposal from another terminal responding to the beacon (step S922), the user is prompted to confirm the terminal that made the proposal (step S923). If the source terminal is a trusted terminal, confirmation is made that the terminal intends to issue an attribute certificate (step S924). When this confirmation is made, an attribute certificate issuance request is made to the transmission source terminal (step S925). Thus, the attribute certificate can be issued (step S926). On the other hand, if this confirmation is not made, the initial registration process is not completed and the attribute certificate is not issued.

  FIG. 23 is a diagram showing the flow of processing of the attribute certificate issuing terminal in the modified example of the first embodiment of the initial registration of FIG. First, when a beacon is received from another terminal, it is determined whether or not the beacon indicates that the transmission source terminal of the beacon has an attribute certificate (step S971). If the beacon indicates that it has an attribute certificate, it is not necessary to issue an attribute certificate, and the process ends without performing this initial registration process. If the beacon does not indicate that it has an attribute certificate, the beacon starting terminal identifier is confirmed, the attribute certificate is issued to the transmission source terminal (step S972), and the attribute certificate is The message is included in the proposal message and transmitted (step S973).

  FIG. 24 is a diagram showing the flow of processing of a new entry terminal in a modification of the first embodiment of the initial registration of FIG. First, a beacon indicating that no attribute certificate is present is transmitted (step S981). Thereafter, when there is an attribute certificate issuance proposal from another terminal responding to the beacon (step S982), the user is prompted to confirm the terminal that made the proposal (step S983). If the source terminal is a trusted terminal (step S984), the attribute certificate issued by the terminal is received (step S985), and a message indicating that the attribute certificate has been received is sent to the source terminal. Transmit (step S986).

  FIG. 25 is a diagram showing a process flow of a new entry terminal in the second example of the initial registration of FIG. First, the start terminal identifier 813 (FIG. 8) of the received beacon is grasped, and it is determined whether or not the beacon transmission source terminal is requested to issue an attribute certificate (step S951). If no issue is desired, the process ends. If the new entry terminal does not have the public key certificate of the beacon transmission source terminal (step S952), the public key certificate is requested from the beacon transmission source terminal (step S953) and received (step S953). Step S954).

  If it is determined that the public key included in the public key certificate is that of the beacon transmission source terminal and the terminal issues an attribute certificate (step S955), the transmission source terminal The attribute certificate issuance request is made (step S956). Thereby, the issue of the attribute certificate can be received. On the other hand, when it is not possible to confirm that the public key belongs to the beacon transmission source terminal, the attribute certificate issuance request is not performed.

  FIG. 26 is a diagram showing the flow of processing of the attribute certificate issuing terminal in the second embodiment of the initial registration of FIG. First, if there is a request for a public key certificate from another terminal (step S961), the public key certificate is transmitted in response to the request (step S962). Thereafter, if there is an attribute certificate issuance request (step S963), information on the requesting terminal is displayed to prompt confirmation (step S964). As a result, when the requesting terminal is confirmed as a reliable terminal (step S965), an attribute certificate is issued to the requesting terminal (step S966). Conversely, if the confirmation is rejected, the requesting terminal is notified of the rejection of the attribute certificate issuance request (step S967).

  FIG. 27 is a diagram illustrating a process flow of the beacon receiving terminal in the mutual authentication of FIG. First, when a beacon is received from another terminal, it is determined whether or not the beacon indicates that the transmitting terminal of the beacon has an attribute certificate (step S931). If the beacon does not indicate that the attribute certificate is present, mutual authentication cannot be performed, and thus the mutual authentication process is terminated without performing the mutual authentication process. In this case, an attribute certificate issuance proposal is made from the attribute certificate issuing terminal. On the other hand, if the beacon indicates that it has an attribute certificate, an authentication request is transmitted to the beacon transmission terminal (step S932). As a result, if authentication fails in the beacon transmission terminal, the mutual authentication is not completed (step S933), and the two terminals cannot form a network with each other. On the other hand, if the authentication is successful at the beacon transmission terminal, an authentication request is transmitted from the beacon transmission terminal.

  When the authentication request is received (step S934), the authentication request source beacon transmission terminal is authenticated (step S935). If the authentication is successful (step S936), the success of the authentication is transmitted to the authentication requesting terminal (beacon transmitting terminal) (step S937). On the other hand, if the authentication has failed (step S936), the fact that the authentication has failed is transmitted to the authentication requesting terminal (step S938).

  FIG. 28 is a diagram illustrating a process flow of the beacon transmission terminal in the mutual authentication of FIG. First, a beacon indicating that it has an attribute certificate is transmitted (step S941). Thereafter, when an authentication request from another terminal responding to the beacon is received (step S942), the authentication request source beacon receiving terminal is authenticated (step S943). If the authentication fails (step S944), the fact that the authentication has failed is transmitted to the authentication requesting terminal (beacon receiving terminal) (step S945). On the other hand, when the authentication is successful (step S944), the fact that the authentication is successful is transmitted to the authentication requesting terminal (step S946), and the authentication request is transmitted to the beacon receiving terminal (step S947). Thereafter, a response to the authentication request is transmitted from the beacon receiving terminal (step S948).

  Next, a connection relationship between terminals in the wireless ad hoc communication system according to the embodiment of the present invention will be described with reference to the drawings.

  FIG. 29 is a diagram illustrating a process in which terminals configure a network of a wireless ad hoc communication system. First, assuming that the terminal A (100) functions as an attribute certificate issuing terminal, the attribute certificate issuing terminal list table 610 of the terminal A holds the public key certificate (PK-A) of the terminal A, The attribute certificate table (AC-A) issued by terminal A is held in the attribute certificate table of terminal A (FIG. 29A). When terminal B (200) transmits a beacon, an attribute certificate is issued from terminal A to terminal B. As a result of initial registration, terminal B's attribute certificate issuing terminal list table 610 shows terminal A's public key certificate. Certificate (PK-A) is held, and the attribute certificate (AC-A) issued by terminal A is held in the attribute certificate table of terminal B (FIG. 29B). After mutual registration, terminal A and terminal B constitute a network of a wireless ad hoc communication system.

  Thereafter, when the terminal C transmits a beacon, an attribute certificate is issued from the terminal A to the terminal C via the terminal B. After the initial registration, the terminal C performs wireless authentication, for example, by performing mutual authentication with the terminal B. Enter the network of the communication system (FIG. 29C). Further, when terminal C transmits a beacon, terminal D enters the network of the wireless ad hoc communication system through the same procedure (FIG. 29 (c)).

  When terminal A that has been functioning as an attribute certificate issuing terminal is disconnected from the network for some reason, other terminals function as attribute certificate issuing terminals. There are various selection criteria for the attribute certificate issuing terminal. For example, it is possible to select a terminal present at the central position at a certain point in time, a terminal having the largest remaining battery capacity, or the like. For example, assuming that the terminal B is selected as the attribute certificate issuing terminal, the terminal B broadcasts and distributes its own public key certificate (PK-B) to all connected terminals. Each terminal stores the public key certificate (PK-B) of terminal B in the attribute certificate issuing terminal list table 610 together with the terminal identifier of terminal B (FIG. 29 (d)).

  FIG. 30 is a diagram illustrating a process in which a terminal once disconnected re-enters the network of the wireless ad hoc communication system. After terminal A is disconnected and terminal B functions as an attribute certificate issuing terminal, when terminal E transmits a beacon (FIG. 30A), an attribute certificate is sent from terminal B to terminal E. publish. As a result of the initial registration, the attribute certificate issuing terminal list table 610 of the terminal E has the public key certificate (PK-B) of the terminal B that is the current attribute certificate issuing terminal and the terminal that is the past attribute certificate issuing terminal. A's public key certificate (PK-A) is held. Further, the attribute certificate (AC-B) issued by the terminal B is held in the attribute certificate table of the terminal E (FIG. 30 (b)).

  Thereafter, when the terminal A connects again, the terminal A performs authentication using the attribute certificate (AC-A) issued by the terminal A that has been held. After mutual authentication, the attribute certificate issuing terminal list table 610 is updated with the terminal B. As a result, the public key certificate (PK-B) of the terminal B is newly held in the attribute certificate issuing terminal list table 610 of the terminal A (FIG. 30 (c)).

  As described above, according to the embodiment of the present invention, the attribute certificate issuing terminal that has received the beacon checks the presence / absence 818 (FIG. 8) of the attribute certificate in the beacon frame 810, and the beacon transmitting terminal If the attribute certificate issuance request frame 820 (FIG. 9) for proposing the attribute certificate issuance request is transmitted to the beacon transmission terminal, the attribute certificate is triggered by these. It is possible to issue a book by autonomously distributing it.

  Here, the embodiment of the present invention is illustrated, and the present invention is not limited to this, and various modifications can be made without departing from the gist of the present invention.

  Further, the processing procedure described here may be regarded as a method having a series of these procedures, or may be regarded as a program for causing a computer (terminal) to execute the series of procedures or a recording medium storing the program. .

  As an application example of the present invention, for example, the present invention can be applied when a terminal authority authentication certificate is issued between terminals in a wireless ad hoc communication system.

It is a figure which shows the structural example of the radio | wireless terminal 300 used in the radio | wireless ad hoc communication system in embodiment of this invention. It is a structural example of the attribute certificate issuing terminal list table 610 in the embodiment of the present invention. It is a figure which shows the format 710 of the public key certificate 612 hold | maintained at the attribute certificate issuing terminal list table 610 in embodiment of this invention. It is a figure which shows the format 720 of the attribute certificate hold | maintained at the attribute certificate table 620 in embodiment of this invention. It is a structural example of the attribute certificate revocation list table 630 in the embodiment of the present invention. It is a figure which shows the format of the attribute certificate revocation list | wrist 730 in embodiment of this invention. It is a figure which shows the 1st Example of the procedure of the initial registration in embodiment of this invention. It is a figure which shows the structure of the beacon frame 810 in embodiment of this invention. It is a figure which shows the structure of the attribute certificate issuance proposal frame 820 and the attribute certificate issuance request frame 830 in the embodiment of the present invention. It is a figure which shows the structure of the attribute certificate issuance proposal rejection frame 840 and the attribute certificate issuance request rejection frame 850 in the embodiment of the present invention. It is a figure which shows the structure of the attribute certificate issue frame 860 in embodiment of this invention. It is a figure which shows the modification of the 1st Example of the procedure of the initial registration in embodiment of this invention. It is a figure which shows the structure of the attribute certificate issue proposal frame 1820 in embodiment of this invention. It is a figure which shows the structure of the attribute certificate issue proposal reception frame 1830 in embodiment of this invention. It is a figure which shows the 2nd Example of the procedure of the initial registration in embodiment of this invention. It is a figure which shows the structure of the public key certificate request | requirement flame | frame 870 in embodiment of this invention. It is a figure which shows the structure of the public key certificate request | requirement response frame 880 in embodiment of this invention. It is a figure which shows the procedure of the mutual authentication in embodiment of this invention. It is a figure which shows the structure of the authentication request frame 870 in embodiment of this invention. It is a figure which shows the structure of the authentication response frame 880 in embodiment of this invention. It is a figure which shows the flow of a process in the 1st Example of the attribute certificate issuing terminal in the case of the initial registration in embodiment of this invention. It is a figure which shows the flow of a process in the 1st Example of the new entry terminal in the case of the initial registration in embodiment of this invention. It is a figure which shows the flow of a process in the modification of the 1st Example of the attribute certificate issuing terminal in the case of the initial registration in embodiment of this invention. It is a figure which shows the flow of a process in the modification of the 1st Example of the new entry terminal in the case of the initial registration in embodiment of this invention. It is a figure which shows the flow of a process in the 2nd Example of the new entry terminal in the case of the initial registration in embodiment of this invention. It is a figure which shows the flow of a process in the 2nd Example of the attribute certificate issuing terminal in the case of the initial registration in embodiment of this invention. It is a figure which shows the flow of a process of the beacon receiving terminal in the case of the mutual authentication in embodiment of this invention. It is a figure which shows the flow of a process of the beacon transmission terminal in the case of the mutual authentication in embodiment of this invention. It is a figure which shows the process in which the terminals comprise the network of a wireless ad hoc communication system in embodiment of this invention. It is a figure which shows the process in which the terminal once disconnected in embodiment of this invention rejoins the network of a radio | wireless ad hoc communication system.

Explanation of symbols

DESCRIPTION OF SYMBOLS 300 Wireless terminal 310 Antenna 320 Communication processing part 330 Control part 340 Display part 350 Operation part 360 Speaker 370 Microphone 380 Bus 600 Memory 610 Attribute certificate issuing terminal list table 620 Attribute certificate table 630 Attribute certificate revocation list table 650 Generation key table 710 Public key certificate 720 Attribute certificate 730 Attribute certificate revocation list 810 Beacon frame 820 Attribute certificate issuance proposal frame 830 Attribute certificate issuance request frame 840 Attribute certificate issuance proposal rejection frame 850 Attribute certificate issuance request rejection frame 860 attribute Certificate issuance frame 870 Authentication request frame 880 Authentication response frame 1820 Attribute certificate issuance proposal frame 1830 Attribute certificate issuance proposal reception frame 1870 Public key certificate request Frame 1880 Public key certificate request response frame

Claims (39)

A wireless ad hoc communication system composed of a plurality of terminals,
A first terminal that transmits a signal including beacon information indicating that it does not have a terminal authority authentication certificate;
A wireless ad hoc communication system comprising: a second terminal that proposes to the first terminal to make a terminal authority certificate issuance request in response to the signal. Receiving means for receiving a signal including beacon information;
And a terminal authority authentication certificate issuance proposing means that proposes to the other terminal to request a terminal authority authentication certificate when the receiving means receives a signal including predetermined beacon information from the other terminal. A terminal characterized by. Means for obtaining terminal identification information of the other terminal from the signal from the other terminal received by the receiving means;
The terminal according to claim 2, wherein the terminal authority authentication certificate issuance proposing means makes the proposal based on the terminal identification information. The terminal authority authentication certificate issuance proposing means presents a public key certificate of the terminal together when proposing the terminal authority authentication certificate issuance request to the other terminal. 2. The terminal according to 2. Receiving means for receiving a signal including beacon information;
When this receiving means receives a signal including predetermined beacon information from another terminal, it issues a terminal authority authentication certificate owned by the other terminal and proposes to the other terminal a terminal authority authentication certificate A terminal characterized by comprising issue proposal means. Means for obtaining terminal identification information of the other terminal from the signal from the other terminal received by the receiving means;
6. The terminal according to claim 5, wherein the terminal authority authentication certificate issuance proposing means makes the proposal based on the terminal identification information. The terminal authority authentication certificate issuance proposing means presents a public key certificate of the terminal together when proposing the terminal authority authentication certificate issuance request to the other terminal. 5. The terminal according to 5. Receiving means for receiving a signal including beacon information;
When this receiving means receives a signal including beacon information from another terminal, the terminal authority authentication certificate issuance request is made if the signal does not indicate that the other terminal has a terminal authority authentication certificate. A terminal authority authentication certificate issuance proposing means for proposing to another terminal. Means for obtaining terminal identification information of the other terminal from the signal from the other terminal received by the receiving means;
9. The terminal according to claim 8, wherein the terminal authority authentication certificate issuance proposing means makes the proposal based on the terminal identification information. The terminal authority authentication certificate issuance proposing means presents a public key certificate of the terminal together when proposing the terminal authority authentication certificate issuance request to the other terminal. 8. The terminal according to 8. A terminal authority authentication certificate issuance request receiving means for receiving a terminal authority authentication certificate issuance request;
When the terminal authority authentication certificate issuance request receiving unit receives a terminal authority authentication certificate issuance request from the other terminal, a confirmation unit that displays information about the other terminal and prompts for confirmation;
If the confirmation is made, a terminal authority authentication certificate is issued to the other terminal, and if the confirmation is rejected, a request for issuing a terminal authority authentication certificate is rejected to the other terminal. The terminal according to claim 10, further comprising terminal authority authentication certificate issuing means for notifying. A terminal authority authentication certificate issuing terminal list table that holds the public key certificate of the terminal authority authentication certificate issuing terminal;
The terminal authority authentication certificate issuing means uses the public key certificate of the terminal authority authentication certificate issuing terminal held in the terminal authority authentication certificate issuing terminal list table when the terminal authority authentication certificate is issued as the other The terminal according to claim 11, wherein the terminal is transmitted to the terminal. A terminal authority authentication certificate revocation list table that holds a terminal authority authentication certificate revocation list;
The terminal authority authentication certificate issuing unit transmits the terminal authority authentication certificate revocation list held in the terminal authority authentication certificate revocation list table to the other terminal when the terminal authority authentication certificate is issued. The terminal according to claim 11, characterized in that: Receiving means for receiving a signal including beacon information;
When this receiving means receives a signal including beacon information from another terminal, if the signal does not indicate that the other terminal has a terminal authority authentication certificate, the terminal authority having the other terminal as the owner A terminal, comprising: a terminal authority authentication certificate issuance proposing unit that issues an authentication certificate and proposes to another terminal. Means for obtaining terminal identification information of the other terminal from the signal from the other terminal received by the receiving means;
15. The terminal according to claim 14, wherein the terminal authority authentication certificate issuance proposing means makes the proposal based on the terminal identification information. The terminal authority authentication certificate issuance proposing means presents a public key certificate of the terminal together when proposing the terminal authority authentication certificate issuance request to the other terminal. 14. The terminal according to 14. A transmission means for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not included;
A terminal authority authentication certificate issuance proposal receiving means for receiving a terminal authority authentication certificate issuance request proposal for the signal;
When the terminal authority authentication certificate issuance proposal receiving unit receives the proposal from another terminal, a confirmation unit that displays information about the other terminal and prompts for confirmation;
When the confirmation is made, the other terminal is requested to issue a terminal authority authentication certificate, and when the confirmation is rejected, a terminal authority authentication certificate issuance proposal is issued to the other terminal. A terminal comprising terminal authority authentication certificate issuance request means for notifying rejection. 18. The terminal authority authentication certificate issuance requesting unit presents a public key certificate of the terminal together when requesting the terminal authority authentication certificate to be issued to the other terminal. The listed terminal. A transmission means for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not included;
A terminal authority authentication certificate issuance proposal receiving means for receiving a terminal authority authentication certificate issuance request proposal for the signal;
When the terminal authority authentication certificate issuance proposal receiving unit receives the proposal from another terminal, a confirmation unit that displays information about the other terminal and prompts for confirmation;
When the confirmation is made, if the proposal includes the issued terminal authority authentication certificate, the terminal authority authentication certificate is received, and the proposal does not include the issued terminal authority authentication certificate. In this case, a terminal comprising terminal authority authentication certificate issuance requesting means for requesting the other terminal to issue a terminal authority authentication certificate. The terminal authority authentication certificate issuance requesting means also presents the public key certificate of the terminal when requesting the issuance of the terminal authority authentication certificate to the other terminal. The listed terminal. Receiving means for receiving a signal including beacon information;
And a terminal authority authentication certificate issuance requesting unit that requests the other terminal to issue a terminal authority authentication certificate when the receiving unit receives a signal including predetermined beacon information from the other terminal. Characteristic terminal. Means for obtaining terminal identification information of the other terminal from the signal from the other terminal received by the receiving means;
The terminal according to claim 21, wherein the terminal authority authentication certificate issuance requesting unit makes the proposal based on the terminal identification information. A terminal authority authentication certificate table holding a first terminal authority authentication certificate indicating the access authority of the own terminal;
Receiving means for receiving a signal including beacon information;
When the receiving means receives a signal including beacon information from another terminal, the signal indicates that the other terminal has the second terminal authority authentication certificate indicating the access authority of the other terminal. Authentication request means for presenting the first terminal authority authentication certificate held in the terminal authority authentication certificate table and requesting the other terminal to authenticate the own terminal. Terminal. A terminal authority authentication certificate issuing terminal list table that holds the public key certificate of the terminal authority authentication certificate issuing terminal;
Authentication request receiving means for receiving a second authentication request requested by the other terminal in response to an authentication request by the authentication request means;
The public key included in the public key certificate held in the terminal authority authentication certificate issuing terminal list table is the second terminal authority authentication certificate included in the second authentication request received by the authentication request receiving means. 24. The terminal according to claim 23, further comprising: verification means for verifying by the above. A terminal authority authentication certificate revocation list table that holds a terminal authority authentication certificate revocation list;
The verification means determines that the authentication has failed when the second terminal authority authentication certificate has been revoked in the terminal authority authentication certificate revocation list held in the terminal authority authentication certificate revocation list table. The terminal according to claim 24, wherein the terminal is performed. A terminal authority authentication certificate issuing terminal list table that holds the public key certificate of the terminal authority authentication certificate issuing terminal;
Transmitting means for transmitting a signal including beacon information indicating that the second terminal authority authentication certificate is provided to another terminal having the first terminal authority authentication certificate;
A terminal authority authentication certificate table holding the second terminal authority authentication certificate indicating the access authority of the own terminal;
Authentication request receiving means for receiving a first authentication request from another terminal for the signal;
The public key included in the public key certificate held in the terminal authority authentication certificate issuing terminal list table includes the first terminal authority authentication certificate included in the first authentication request received by the authentication request receiver. A verification means to verify by,
When authentication is successful in this verification means, the second terminal authority authentication certificate held in the terminal authority authentication certificate table is presented to the other terminal, and A terminal comprising: an authentication requesting unit that performs a second authentication request for requesting authentication. A terminal authority authentication certificate revocation list table that holds a terminal authority authentication certificate revocation list;
The verification means determines that the authentication has failed when the second terminal authority authentication certificate has been revoked in the terminal authority authentication certificate revocation list held in the terminal authority authentication certificate revocation list table. The terminal according to claim 26, wherein the terminal is performed. Receiving a signal containing beacon information;
And a procedure for proposing to the source terminal to make a terminal authority authentication certificate issuance request if the signal does not indicate that the source terminal of the signal has a terminal authority authentication certificate. The terminal authority authentication certificate issuance proposal method. A step of obtaining terminal identification information of the other terminal from the signal from the other terminal;
29. The terminal authority authentication certificate issuance proposal method according to claim 28, wherein the proposal is performed based on the terminal identification information. Receiving a signal containing beacon information;
If the signal does not indicate that the signal source terminal has a terminal authority authentication certificate, the terminal authority authentication certificate with the source terminal as the owner is issued and proposed to the source terminal And a terminal authority authentication certificate issuance proposing method. A procedure for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not included;
A procedure for receiving a request for issuing a terminal authority authentication certificate for the signal;
A procedure for prompting confirmation by displaying information on the proposal source terminal;
When the confirmation is made, the transmission source terminal is requested to issue a terminal authority authentication certificate. When the confirmation is rejected, a terminal authority authentication certificate issuance proposal is issued to the transmission source terminal. A terminal authority authentication certificate issuance request method comprising a procedure for notifying rejection. A procedure for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not included;
A procedure for receiving a request for issuing a terminal authority authentication certificate for the signal;
A procedure for prompting confirmation by displaying information on the proposal source terminal;
When the confirmation is made, if the proposal includes the issued terminal authority authentication certificate, the terminal authority authentication certificate is received, and the proposal does not include the issued terminal authority authentication certificate. A terminal authority authentication certificate issuance request method comprising: a procedure for requesting the transmission source terminal to issue a terminal authority authentication certificate. Receiving a signal containing beacon information;
And a procedure for requesting the other terminal to issue a terminal authority authentication certificate upon receipt of the signal from the other terminal. A step of obtaining terminal identification information of the other terminal from the signal from the other terminal;
The terminal authority authentication certificate issuance request method according to claim 33, wherein the request is made based on the terminal identification information. Receiving a signal containing beacon information;
If the signal does not indicate that the source terminal of the signal has a terminal authority authentication certificate, the terminal is caused to execute a procedure for proposing to the source terminal to issue a terminal authority authentication certificate issuance request. A program characterized by Receiving a signal containing beacon information;
If the signal does not indicate that the signal source terminal has a terminal authority authentication certificate, the terminal authority authentication certificate with the source terminal as the owner is issued and proposed to the source terminal A program that causes a terminal to execute a procedure. A procedure for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not included;
A procedure for receiving a request for issuing a terminal authority authentication certificate for the signal;
A procedure for prompting confirmation by displaying information on the proposal source terminal;
When the confirmation is made, the transmission source terminal is requested to issue a terminal authority authentication certificate. When the confirmation is rejected, a terminal authority authentication certificate issuance proposal is issued to the transmission source terminal. A program for causing a terminal to execute a procedure for notifying rejection. A procedure for transmitting a signal including beacon information indicating that the terminal authority authentication certificate is not included;
A procedure for receiving a request for issuing a terminal authority authentication certificate for the signal;
A procedure for prompting confirmation by displaying information on the proposal source terminal;
When the confirmation is made, if the proposal includes the issued terminal authority authentication certificate, the terminal authority authentication certificate is received, and the proposal does not include the issued terminal authority authentication certificate. In this case, the program causes the terminal to execute a procedure for requesting the source terminal to issue a terminal authority authentication certificate. Receiving a signal containing beacon information;
A program for causing a terminal to execute a procedure for requesting the other terminal to issue a terminal authority authentication certificate upon receiving the signal from the other terminal.

Images