JP2005159424A - Communication system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication system by which a communication terminal can be connected to a desired network via legitimate networks provided by a network side. <P>SOLUTION: The communication system is configured such that an information providing server 100 stores in advance connection information items to allow a communication terminal 200 to be connected to a desired network in a plurality of networks 11, the communication terminal 200 transmits connection request information for requesting connection to the desired network to the information providing server 100, the information providing server 100 receives the connection request information transmitted from the communication terminal 200, acquires the connection information items in response to the received connection request information, selects the connection information corresponding to the desired network and a user among the acquired connection information items, provides the selected connection information to the communication terminal 200, and the communication terminal 200 receives the provided connection information and connects with the desired network via a plurality of the networks 11 on the basis of the received connection information. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a communication system in which an information providing server that provides information and a communication terminal that processes information provided from the information providing server are communicably connected.

  As shown in FIG. 21, a conventional communication system includes an account database 21b for recording access information to a plurality of Internet service providers (hereinafter referred to as ISPs 23) connected to a predetermined carrier network 21a, and a communication terminal 22. When there is an access request to the ISP 23 via the carrier network 21a, the priority is selected from the ISP 23 that has made the access request or another ISP in which the access information is recorded, depending on the communication status in the carrier network 21a. A brain server 21d that selects an ISP 23 to be connected to the communication terminal 22 according to the table 21e is known, and the brain server 21d is known to establish a connection between the selected ISP 23 and the communication terminal 22 (see, for example, Patent Document 1). ).

As described above, the conventional communication system automatically selects an ISP 23 having a good communication status from among a plurality of ISPs 23 connected to the carrier network 21a according to the communication status in the carrier network 21a. Connect to the communication terminal 22. Therefore, for the user, there is no waste of accessing an ISP whose response is lowered or connection is impossible due to construction, failure, increased traffic, etc., and the connection to the Internet 25 is reliably promised. Can be improved.
Japanese Unexamined Patent Publication No. 2003-87433 (9th paragraph, FIG. 1)

  However, in recent years, there have been increasing opportunities to use communication terminals not only in the office but also in homes, shops, public facilities such as airports and stations, and want to send and receive information via multiple ISPs. The above-described conventional communication system can automatically select an ISP having a good communication status from among a plurality of ISPs and can reliably connect to a user's communication terminal. A connection with a desired network specified by the user via the network cannot be guaranteed.

  In addition, communication terminals connected to a desired network are known based on connection information for connecting to a desired network via a plurality of ISPs. However, in a conventional communication terminal, a communication terminal stores the communication terminal. It connects to the desired network according to the connection information. For this reason, the user does not know what connection route is connected from the communication terminal to the desired network, and there is a possibility that the communication terminal may connect to the desired network via an unauthorized network. Was left.

  The present invention has been made in order to solve the conventional problems. A communication terminal can connect to a desired network via a legitimate network provided by the network side, and a desired network designated by a user can be specified. An object of the present invention is to provide a communication system that can be reliably connected.

  The first aspect of the present invention is a communication system in which an information providing server that provides information on a plurality of networks and a communication terminal that is used by a user are communicably connected, and the information providing server includes a plurality of networks. Connection information storage means for storing connection information for connection is provided, connection request information is received by connection request information receiving means for receiving connection request information for requesting connection to a desired network, and the connection request information When connection request information is received by the receiving means, connection information is acquired by a connection information acquisition means for acquiring connection information from the connection information storage means, and the connection information acquired by the connection information acquisition means Connection information is selected by connection information selection means for selecting connection information corresponding to a desired network, and the connection information selection is performed. Connection information is provided by connection information providing means for providing the connection information selected by the means to the communication terminal, and the communication terminal sends a connection request by connection request information transmitting means for sending the connection request information to the information providing server. Connection information is received by connection information receiving means for transmitting information and receiving the connection information from the information providing server, and connected by connection means for connecting to the desired network according to the connection information received by the connection information receiving means I do.

  According to the present invention, the information providing server selects connection information corresponding to a desired network according to the connection request information transmitted by the communication terminal, and the communication terminal selects a plurality of networks according to the connection information selected by the information providing server. Therefore, when the place where the communication terminal is used is changed, the communication terminal can connect to the desired network via a plurality of networks.

  According to a second aspect of the present invention, the connection information storage means includes a directed graph data structure storage unit that stores the connection information in a directed graph data structure represented by a directed graph, and the connection information selection means includes the directed graph data structure. Based on this, a combination of the connection information is selected.

  According to the present invention, since connection information is stored in advance in a directed graph data structure and a combination of connection information is selected based on the directed graph data structure, a combination of connection information can be selected efficiently.

  In the third aspect of the present invention, a plurality of pieces of connection information corresponding to the desired network is stored in the connection information storage unit, and the connection information selection unit includes the connection information acquired by the connection information acquisition unit. A plurality of connection information candidates corresponding to the desired network are selected, and the connection information providing means provides the communication terminal with connection information candidates selected by the connection information selection means, and the communication terminal Connection information extraction means for extracting connection information from connection information candidates provided from the information providing server is provided, and the connection means connects to the desired network according to the connection information extracted by the connection information extraction means.

  According to the present invention, when there is a combination of a plurality of communicable connection information corresponding to a desired network, communication with the desired network is performed according to a route on the network with good information transmission efficiency in order to extract appropriate connection information. Can do.

  According to a fourth aspect of the present invention, the connection information includes network characteristic information representing network characteristics, and the connection information extracting means extracts connection information based on the network characteristic information.

  According to the present invention, when there is a combination of a plurality of communicable connection information corresponding to a desired network, appropriate connection information is extracted based on the network characteristic information. Can communicate with other networks.

  According to a fifth aspect of the present invention, the communication terminal includes network characteristic condition information input means for inputting network characteristic condition information representing a condition relating to the network characteristic, and the connection information selection means is configured to be connected to the network characteristic condition information input means. Connection information is extracted according to the inputted network characteristic condition information.

  According to the present invention, in order to extract appropriate connection information of connection information in accordance with network characteristic condition information input by a user using a communication terminal or the like, it is possible to communicate with a desired network according to a route on the network according to a user request. it can.

  In a sixth aspect of the present invention, the communication terminal includes authentication information transmitting means for transmitting authentication information for the information providing server to authenticate the user to the information providing server, and the information providing server includes the communication terminal. A user authentication unit that authenticates the user based on the authentication information transmitted from the server, and when the user authentication unit determines that the authentication information is correct, the connection request information receiving unit is transmitted from the communication terminal. Receive connection request information.

  According to the present invention, since the information providing server authenticates the user based on the authentication information transmitted from the communication terminal, unauthorized use of the user can be prevented.

  According to a seventh aspect of the present invention, the information providing server includes server authentication information transmitting means for transmitting to the communication terminal server authentication information for the communication terminal to authenticate the information providing server. Server authentication means for authenticating the information providing server based on the server authentication information transmitted from the information providing server, and when the server authentication means determines that the server authentication information is correct, the connection request information transmitting means The connection request information is transmitted to the information providing server.

  According to the present invention, since the communication terminal authenticates the server based on the server authentication information transmitted from the information providing server, the communication terminal communicates with a desired network using correct connection information provided from the information providing server. Can do.

  According to an eighth aspect of the present invention, in the communication system, the communication terminal and the information providing server share an encryption key, and information transmitted and received between the communication terminal and the information providing server is encrypted based on the encryption key. Or decrypt.

  According to the present invention, since the information transmitted and received between the communication terminal and the information providing server is encrypted or decrypted based on the shared encryption key, the confidentiality of the information transmitted and received between the communication terminal and the information providing server can be improved. .

  According to a ninth aspect of the present invention, the communication terminal generates a request information signature based on the connection request information to be transmitted to the information providing server, and the connection information received by the connection information receiving unit. Connection information confirmation means for confirming the integrity of the connection information signature means for generating a connection information signature based on the connection information to be transmitted to the communication terminal, and the connection request information Connection request information confirming means for confirming the integrity of the connection request information received by the receiving means, wherein the connection request information transmitting means transmits the request information signature together with the connection request information to the information providing server, The connection request information confirmation unit confirms the integrity of the connection request information received by the connection request information reception unit based on the request information signature transmitted from the communication terminal, and The information providing means provides the connection information signature together with the connection information to the communication terminal, and the connection information confirmation means is received by the connection information receiving means based on the connection information signature transmitted from the information providing server. Check the integrity of the connection information.

  According to this invention, the information providing server confirms the integrity of the connection request information based on the request information signature, and the communication terminal confirms the integrity of the connection information based on the connection information signature. It is possible to guarantee the integrity of information transmitted to and received from the server, and to prevent falsification of information.

  In a tenth aspect of the present invention, the communication system includes a proxy server connected to each of the networks, and the proxy server mediates transmission / reception of information transmitted / received between the communication terminal and the information providing server.

  According to the present invention, since the proxy server mediates transmission / reception of information transmitted / received between the communication terminal and the information providing server, the information providing server can be centrally managed, and management of the information providing server can be simplified.

  According to the present invention, it is possible to provide a communication system in which a communication terminal can be connected to a desired network via a valid network provided by the network side.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a system configuration diagram of a communication system according to the first embodiment of the present invention. As shown in FIG. 1, a communication system 1000 includes a network 11a, a network 11b, a network 11c, a network 11d, and a network 11e, an information providing server 100a that provides information about the network 11, an information providing server 100b, and an information providing server. 100c and a communication terminal 200 used by a user.

  A server 12a and a server 12a are connected to the network 11d and the network 11e, respectively. The communication terminal 200 may be a personal computer, a mobile phone, or a PDA, and may be any device that can communicate with the server 12 via the network 11. The server 12 is a file server, a Web server, a mail server, or the like, and the type of server is not limited.

  In this embodiment, for convenience of explanation, the server 12 is connected only to the network 11d and the network 11e. However, in the present invention, the server 12 may be connected to another network 11 as well. . The network 11d and the network 11e may be a LAN, the network 11a and the network 11c may be a network or an intranet managed by an ISP, and the network 11b may be configured to be the Internet. Note that the numbers of the server 12, the network 11, and the information providing server 100 are not particularly limited.

  FIG. 2 is a block configuration diagram of the information providing server according to the first embodiment of the present invention. As shown in FIG. 2, the information providing server 100 is configured to include a communication interface 110, an input / output unit 120, a connection information storage unit 130, and a control unit 140.

  The communication interface 110 is configured by a LAN interface or the like, and may be configured by any device that communicates with a communication device connected to the network 11. The input / output means 120 includes a display device such as a display and an input device such as a keyboard.

  The connection information storage unit 130 is configured by a database or the like, and stores connection information for connecting to a desired network among the plurality of networks 11 in advance. The connection information is information relating to various protocols, and includes authentication information compliant with each protocol, setting information for each protocol, information relating to a connection procedure compliant with each protocol, and the like. Hereinafter, the connection information is referred to as a profile. The profile is created by a network administrator who manages each network 11.

  Further, the connection information storage unit 130 may store the authentication information included in the profile for each user. The authentication information includes authentication information including a user identifier and password, or a certificate for proving the user.

  The connection information storage unit 130 includes a directed graph data structure storage unit 131 that stores a profile in a directed graph data structure represented by a directed graph. An example of a profile stored in the directed graph data structure is shown in FIG. In the directed graph data structure according to the embodiment of the present invention, a network identifier is represented as a node, and a connection direction between nodes is represented as a link, and a profile corresponding to the link exists.

  FIG. 3A is an example of a profile stored in the information providing server 100a. The directed graph data structure of the information providing server 100a includes a network identifier NW11a combined with the profile p.

  The profile p is information for connecting the network 11a and the network 11b, and includes information for communicating in accordance with PPP, and NW 11b and NW 11a that are identifiers for identifying the network 11b. The profile q is information for connecting the network 11a and the network 11c, and includes information for communicating in accordance with the Web authentication communication procedure, and NW11c and NW11a that are identifiers for identifying the network 11c. It is.

  The profile r is information for connecting the network 11b and the network 11d, and information for communicating in conformity with IPSec, L2TP, and PPP, and NW11d and NW11b that are identifiers for identifying the network 11d included. The profile s is information for connecting the network 11c and the network 11e, and includes information for communicating in accordance with the Web authentication communication procedure, and NW11e and NW11c that are identifiers for identifying the network 11e. It is.

  FIG. 3B is an example of a profile stored in the information providing server 100b. The directed graph data structure included in the information providing server 100b includes a profile r.

  FIG. 3C is an example of a profile stored in the information providing server 100c. The directed graph data structure included in the information providing server 100c includes a profile s.

  Note that the profiles p, q, r, and s are coupled in the direction of the arrow to the same network identifier for identifying the network 11. Further, the connection information storage unit 130 may store in advance a profile to be connected at the end-end in addition to the directed graph data structure.

  The control means 140 is configured to include a CPU (Central Processing Unit) that processes a program, a memory that stores the program, and the like. The control unit 140 includes a connection request information receiving unit 141, a connection information acquiring unit 142, a connection information selecting unit 143, and a connection information providing unit 144. These means may be program modules.

  The connection request information receiving unit 141 receives connection request information for requesting connection to a desired network from the communication terminal 200 via the communication interface 110. The connection request information includes information representing a desired network, information for identifying a user, and the like.

  The connection information acquisition unit 142 acquires a profile from the connection information storage unit 130 according to the connection request information received by the connection request information reception unit 141. For example, when a user using the communication terminal 200 makes a connection request for connecting to each network 11 or the server 12, the connection information acquisition unit 142 acquires each profile from the connection information storage unit 130, and acquires each acquired The profile is output to the connection information selection means 143.

  The connection information selection unit 143 selects a profile corresponding to a desired network and user among the profiles acquired by the connection information acquisition unit 142. Further, the connection information selection unit 143 selects a combination of profiles based on the directed graph data structure that the directed graph data structure storage unit 131 has.

  For example, in the information providing server 100a, when the connection request information transmitted from the communication terminal 200 indicates the network 11d as a desired network, the connection information selection unit 143 uses the directed graph data structure shown in FIG. The combination of the profiles p and r is selected based on the authentication, and the authentication information included in the selected profile, the authentication information conforming to each protocol, the setting information for each protocol, and the information related to the connection procedure conforming to each protocol is authenticated. In the information, authentication information corresponding to the user of the communication terminal 200 is acquired from the connection information storage unit 130, and the acquired authentication information is added to the combination of the profiles p and r.

  The connection information providing unit 144 provides the communication terminal 200 with the profile selected by the connection information selecting unit 143. For example, when the connection information selection unit 143 selects a combination of profiles p and r, the selected combination of profiles p and r is transmitted to the communication terminal 200 via the communication interface 110.

  FIG. 4 is a block configuration diagram of the communication terminal according to the first embodiment of the present invention. As shown in FIG. 4, the communication terminal 200 is configured to include an input / output unit 201, an application processing unit 202, a setting procedure execution unit 203, and a connection unit 230 configured by a LAN interface and the like.

  The input / output means 201 includes a display device such as a display and an input device such as a keyboard. The application processing means 202 processes an application program including a browser for browsing the contents of a Web site. The application processing unit 202 is not limited to a browser, and processes a program for communicating with a desired network 11 or a program for browsing the contents of a site connected to the desired network 11. .

  The setting procedure execution unit 203 is configured to include a connection request information transmission unit 210 and a connection information reception unit 220. The setting procedure execution unit 203 executes a procedure that can be connected to each network 11.

  The connection request information transmitting unit 210 transmits connection request information for requesting connection to a desired network to the information providing server 100. For example, the connection request information transmission unit 210 acquires connection request information from the information input by the user via the application processing unit 202, connects to the network 11, and then sends a connection request to the information providing server 100 in the connected network 11. Information is sent.

  The connection information receiving unit 220 is configured to receive a profile from the information providing server 100. For example, after the connection request information transmitting unit 210 transmits connection request information indicating the desired network 11d to the information providing server 100a in the connected network 11a, the connection information receiving unit 220 receives the profile p, from the information providing server 100a. The combination of r is received.

  The connection unit 230 is configured by a LAN interface or the like that can communicate with the network 11, and the communication method performed by the connection unit 230 may be wired or wireless. The connection unit 230 connects to a desired network via the plurality of networks 11 according to the profile received by the connection information reception unit 220.

  For example, when the connection information receiving unit 220 receives the combination of the profiles p and r, the connection unit 230 determines that the connection unit 230 is connected to a desired network via the plurality of networks 11 based on the combination of the profiles p and r. It connects and communicates with the server 12a.

  Here, FIG. 5 shows an image of communication based on the combination of profiles as profiles p and r. It is assumed that GW (GateWay) 31 and GW 32 are installed at both ends of the network 11a, and GW 32 and GW 33 are installed at both ends of the network 11b.

  In advance, the setting procedure execution unit 203 executes a communication procedure based on IEEE802.1x with the AP 13, and then executes a communication procedure based on PPPoE with the GW 31 to establish the network 11a. It comes to connect.

  As shown in FIG. 5, when the connection information receiving unit 220 receives the combination of profiles p and r, the connection unit 230 further communicates with the GW 32 based on the PPP based on the combination of the profiles p and r. A procedure is executed, and further, a communication procedure based on IPSec and L2TP is executed with the GW 33.

  The operation of the communication system according to the first embodiment of the present invention will be described below with reference to the drawings. FIG. 6 is a flowchart showing an operation flow of the communication system according to the first embodiment of the present invention.

  First, connection request information for requesting connection to a desired network is generated by the application processing unit 202 based on information related to the connection request input by the user, and the generated connection request information is the connection request information transmitting unit. (S101). Next, the connection request information is transmitted to the information providing server 100 by the connection request information transmitting unit 210 (S102).

  The connection request information is received from the communication terminal 200 by the connection request information receiving unit 141 (S103), and the profile is acquired from the connection information storing unit 130 by the connection information acquiring unit 142 according to the received connection request information (S103). S104). Next, a combination of profiles corresponding to a desired network and user in the profile acquired by the connection information acquisition unit 142 is selected by the connection information selection unit 143 (S105). The profile selected by the connection information selecting unit 143 is transmitted to the communication terminal 200 by the connection information providing unit 144 (S106).

  The combination of profiles transmitted from the information providing server 100 is received by the connection information receiving means 220 (S107), and in accordance with the combination of the received profiles, the desired network or server 12 or the like is connected via the plurality of networks 11. Communication is performed by the connection means 230 (S108).

  As described above, in the communication system according to the first embodiment of the present invention, the information providing server 100 corresponds to a desired network according to the connection request information transmitted by the communication terminal 200 (for example, its In the same manner, the communication terminal 200 connects to a desired network according to the profile selected by the information providing server 100, so that the communication terminal 200 selects a valid network provided on the network side. To connect to the desired network.

  In addition, since profiles are stored in advance in a directed graph data structure and a combination of profiles is selected based on the directed graph data structure, a combination of profiles can be selected efficiently.

  FIG. 7 is a system configuration diagram of a communication system according to the second embodiment of the present invention. As shown in FIG. 7, the communication system 2000 includes a network 11a, a network 11b, a network 11c, a network 11d, and a network 11e, an information providing server 300a that provides information about the network 11, an information providing server 300b, and an information providing server. 300c and a communication terminal 400 used by a user.

  Of the components constituting the communication system 2000 according to the second embodiment of the present invention, the same components as those constituting the communication system 1000 according to the first embodiment of the present invention are used. Are denoted by the same reference numerals, and description thereof is omitted. The difference between the network configuration according to the second embodiment of the present invention and the network configuration according to the first embodiment of the present invention is that the network 11e can be connected to the network 11d.

  FIG. 8 is a block configuration diagram of an information providing server according to the second embodiment of the present invention. As shown in FIG. 8, the information providing server 300 is configured to include a communication interface 110, an input / output unit 120, a connection information storage unit 330, and a control unit 340. Of the components constituting the information providing server 300 according to the second embodiment of the present invention, the same configuration as the components constituting the information providing server 100 according to the first embodiment of the present invention. Elements are denoted by the same reference numerals, and descriptions thereof are omitted.

  The connection information storage means 330 is configured by a database or the like, and stores a profile in advance. Further, the connection information storage means 330 stores authentication information included in the profile for each user. The authentication information includes authentication information including a user identifier and a password or a certificate for proving the user.

  The connection information storage unit 330 includes a directed graph data structure storage unit 331 that stores a profile in a directed graph data structure represented by a directed graph. Here, an example of a profile stored in the directed graph data structure is shown in FIG. Profile p to profile s are the same as those described in the first embodiment of the present invention.

  FIG. 9A is an example of a profile stored in the information providing server 300a. The profile t is information for connecting to the network 11e and the network 11d, and includes information for communicating in accordance with the Web authentication communication procedure, and NW11e and NW11d that are network identifiers.

  FIG. 9B is an example of a profile stored in the information providing server 300b. FIG. 9C is an example of a profile stored in the information providing server 300c, and includes a profile s and a profile t. Note that the profiles p, q, r, s, and t are coupled in the direction of the arrow to the same network identifier for identifying the network 11.

  The connection information selection unit 343 selects a profile corresponding to a desired network and user among the profiles acquired by the connection information acquisition unit 142. Further, the connection information selection unit 343 may select a plurality of profile combination candidates based on the directed graph data structure of the directed graph data structure storage unit 331.

  For example, in the information providing server 300a, when the connection request information transmitted from the communication terminal 400 indicates the network 11d as a desired network, the connection information selection unit 343 uses the directed graph data structure shown in FIG. A combination of profiles p and r and a combination of profiles q, s, and t are selected based on the authentication information according to each protocol, setting information for each protocol, and each protocol included in the selected profile. In the authentication information in the information regarding the compliant connection procedure, the authentication information corresponding to the user of the communication terminal 400 is acquired from the connection information storage means 330, and the acquired authentication information is added to each profile combination. ing.

  FIG. 10 is a block configuration diagram of a communication terminal according to the second embodiment of the present invention. As shown in FIG. 10, the communication terminal 400 is configured to include an input / output unit 201, an application processing unit 402, a setting procedure execution unit 403, and a connection unit 230. Of the constituent elements constituting the communication terminal 400 according to the second embodiment of the present invention, the same constituent elements as those constituting the communication terminal 200 according to the first embodiment of the present invention are used. Are denoted by the same reference numerals, and description thereof is omitted.

  The setting procedure execution unit 403 includes a connection request information transmission unit 210, a connection information reception unit 220, and a connection information extraction unit 440. The setting procedure execution means 403 executes a procedure that can be connected to each network 11.

  The connection information extraction unit 440 extracts an appropriate profile combination from the profile combination candidates provided from the information providing server 300. For example, the connection information extraction unit 440, when candidates for combinations of profiles p and r and combinations of profiles q, s, and t are provided from the information providing server 300a, the network among the candidates for these combinations Alternatively, a combination of profiles p and r with a small number of transits 11 may be extracted.

  The profile stored in the directed graph data structure of the information providing server 300 includes network characteristic information representing network characteristics, and the connection information extracting unit 440 extracts an appropriate combination of profiles based on the network characteristic information. You may make it do.

  Here, network characteristics will be described in detail with reference to FIG. The configuration related to the network 11 shown in FIG. 11 is not related to the system configuration of the communication system according to the second embodiment of the present invention.

  The network characteristics include security characteristics related to security, band characteristics related to bandwidth, delay characteristics related to transmission delay, and communication cost characteristics related to communication costs. A network manager or a telecommunications carrier or the like represents these characteristics numerically.

  The network characteristics include network characteristics of each network 11 and inter-network characteristics when connected via the network 11. For example, as shown in FIG. 11, the network characteristic of the network 11a has a security characteristic value of 1, a band characteristic value of 11, and a delay characteristic value of 1. Hereinafter, the network characteristics are represented as characteristics (1, 11, 1) in the order of security characteristic values, band characteristic values, and delay characteristic values.

  For example, the network characteristic of the network 11a is the characteristic (1, 100, 1), the network characteristic of the network 11b is the characteristic (1, 3, 20), and the network characteristic of the network 11c is the characteristic (7, 100). 1). As the security characteristic value is larger, the confidentiality is higher. As the band characteristic value is larger, the amount of information transmission increases. As the delay characteristic value is larger, the information transmission time is longer. The communication cost characteristic value increases as the value increases.

  Further, a security characteristic value representing from the communication terminal 400 to the entrance of the network 11 may be determined. For example, in FIG. 11, the security characteristic value from the communication terminal 400 to the entrance of the network 11a is 1, and the security characteristic value from the communication terminal 400 to the entrance of the network 11c is 10. Note that the security characteristic value may be determined according to the protocol used by the network 11.

  Further, the minimum value of the security characteristic value representing the communication terminal 400 to the inside of the network may be determined based on the network characteristic. For example, in FIG. 11, the minimum security characteristic value from the communication terminal 400 to the network 11a is set to 1 based on the network characteristics of the network 11a, and from the communication terminal 400 to the network 11c based on the network characteristics of the network 11c. The minimum security characteristic value is 7.

  Furthermore, a band characteristic value and a delay characteristic value that are generated by using a protocol that represent the communication terminal 400 to the entrance of the network 11 may be determined. For example, in FIG. 11, the band characteristic value and the delay characteristic value from the communication terminal 400 to the entrance of the network 11a are 11 and 6, respectively, and the band characteristic value and the delay characteristic value from the communication terminal 400 to the entrance of the network 11c are 2 respectively. 38.

  Further, the minimum value of the band characteristic value and the delay characteristic value representing from the communication terminal 400 to the inside of the network may be determined based on the network characteristic. For example, in FIG. 11, the minimum values of the band characteristic value and the delay characteristic value from the communication terminal 400 to the network 11a based on the network characteristics of the network 11a are 11 and 7, respectively, and the communication terminal is based on the network characteristics of the network 11c. The minimum value of the band characteristic value and the delay characteristic value from 400 to the network 11c is set to 2 and 39, respectively.

  A network administrator, a communication carrier, or the like determines network characteristic information included in a profile based on the above-described determined security characteristic value and a band characteristic value and a delay characteristic value generated by using the protocol. For example, the profile for connecting the communication terminal 400 and the network 11a includes characteristics (1, 11, 5). The profile for connecting the network 11b and the network 11c includes characteristics (10, 2, 5).

  Further, the network administrator or the communication carrier may determine the network characteristics between the end ends via the plurality of networks 11 in advance. For example, when determining the network characteristics between the end ends connected to the network 11c from the communication terminal 400 via the network 11a, the network 11a, and the network 11b, the minimum value of each network characteristic value is taken and the characteristics (7, 2 39).

  For example, an evaluation function for evaluating network characteristics is input to the connection information extracting unit 440 in advance, and an appropriate profile is extracted based on network characteristic information included in each profile. Here, when the security characteristic value is A, the band characteristic value is B, the delay characteristic value is C, and the communication cost characteristic value is D, the evaluation function f (A, B, C, D) = evaluation value Z It is represented by The security characteristic value A, the band characteristic value B, the delay characteristic value C, and the communication cost characteristic value D are not limited to four, and the evaluation function f (A) = Z is used. Good.

  More specifically, the evaluation function f may be expressed as (1 / A) + (1 / B) + C + D. The connection information extraction unit 440 selects a profile having a minimum evaluation value Z in order to select a highly evaluated profile based on end-to-end network characteristics corresponding to each profile. Note that weight a, weight b, weight c, and weight d, which are weight values, are added to the evaluation function so that the user of the communication terminal 400 can adjust the evaluation function f, and the evaluation function f is (1 / A). A formula of × a + (1 / B) × b + C × c + D × d may be used.

  The application processing unit 402 includes a network characteristic condition information input unit 450 and processes an application program including a browser for browsing the contents of a Web site. Further, the application processing means 402 is not limited to the browser, and processes a program for communicating with the desired network 11 or a program for browsing the contents of a site connected to the desired network 11. .

  The network characteristic condition information input means 450 inputs network characteristic condition information representing conditions relating to network characteristics, and outputs the inputted network characteristic condition information to the connection information extraction means 440.

  For example, the network characteristic condition information includes information indicating a condition where the security characteristic value A is 3 or more, or information indicating a condition where the security characteristic value A is 5 or more and the band characteristic value B is 3 or more. . Further, the network characteristic condition information input unit 450 may input information representing the above-described weights a to d, and outputs the inputted information representing the weights a to d to the connection information extracting unit 440. It is supposed to be.

  The connection information extracting means 440 is a condition represented by the network characteristic condition information according to the network characteristic condition information output by the network characteristic condition information input means 450 when there is a combination of a plurality of communicable profiles corresponding to the desired network. Profiles that satisfy the criteria are extracted.

  The connection information extraction unit 440 may extract a profile by combining the network characteristic condition information and the evaluation function f. For example, the connection information extracting unit 440 extracts, from among a plurality of profile combinations, those satisfying the conditions regarding the network characteristics indicated by the network characteristic condition information, and further evaluating the evaluation function from the combinations of profiles satisfying the extracted conditions. A profile having a minimum evaluation value is extracted using f.

  The operation of the communication system according to the second embodiment of the present invention will be described below with reference to the drawings.

  FIG. 12 is a flowchart showing an operation flow of the communication system according to the second embodiment of the present invention. Of the operations of the communication system according to the second embodiment of the present invention, the same operations as those of the communication system according to the first embodiment of the present invention are denoted by the same reference numerals.

  First, connection request information for requesting connection to a desired network is generated by the application processing unit 402 based on information related to the connection request input by the user, and the generated connection request information is the connection request information transmitting unit. (S101). Next, the connection request information is transmitted to the information providing server 300 by the connection request information transmitting unit 210 (S102).

  The connection request information is received from the communication terminal 400 by the connection request information receiving unit 141 (S103), and the profile is acquired from the connection information storing unit 330 by the connection information acquiring unit 142 according to the received connection request information (S103). S104). Next, a plurality of combinations of profiles corresponding to a desired network and user among the profiles acquired by the connection information acquisition unit 142 are selected by the connection information selection unit 343 (S201). The profile selected by the connection information selecting unit 343 is transmitted to the communication terminal 400 by the connection information providing unit 144 (S106).

  The combination of profiles transmitted from the information providing server 300 is received by the connection information receiving unit 220 (S107). When there are a plurality of received combination of profiles, an appropriate combination of profiles is extracted by the connection information extracting unit 440. Then, according to the combination of the extracted profiles, communication with the desired network or server 12 is performed by the connection means 230 via the plurality of networks 11 (S108).

  As described above, the communication system according to the second embodiment of the present invention extracts information in order to extract an appropriate profile when there is a combination of a plurality of communicable profiles corresponding to a desired network. It is possible to communicate with a desired network according to an efficient route on the network.

  In addition, when there is a combination of a plurality of communicable profiles corresponding to a desired network, appropriate connection information is extracted based on the network characteristic information. Can communicate.

  In addition, since an appropriate profile is extracted according to the network characteristic condition information input by the user using the communication terminal 400, it is possible to communicate with a desired network according to a route on the network according to the user's request.

  FIG. 13 is a system configuration diagram of a communication system according to the third embodiment of the present invention. As illustrated in FIG. 13, the communication system 3000 includes a network 11a, a network 11b, a network 11c, a network 11d, and a network 11e, an information providing server 500a that provides information about the network 11, an information providing server 500b, and an information providing server. 500c and a communication terminal 600 used by the user.

  Of the components constituting the communication system 3000 according to the third embodiment of the present invention, the same components as those constituting the communication system 2000 according to the second embodiment of the present invention are used. Are denoted by the same reference numerals, and description thereof is omitted.

  FIG. 14 is a sequence diagram of a communication system according to the third embodiment of the present invention. The communication terminal 600 transmits authentication information for authenticating the user to the information providing server 500. The information providing server 500 authenticates the user based on the authentication information transmitted from the communication terminal 600. Further, as in a procedure compliant with SSL (Secure Socket Layer), the information providing server 500 and the communication terminal 600 may mutually authenticate certificates transmitted to each other.

  After the user is authenticated or mutually authenticated, the information providing server 500 is connected to the communication terminal 600 in accordance with DH (Diffie-Hellman) key exchange, key exchange used in TLS (Transport Layer Security) or SSL, and the like. The encryption key used between the two is shared. Note that after the encryption key is shared, information transmitted and received between the communication terminal 600 and the information providing server 500 is encrypted or decrypted based on the shared encryption key.

  The communication terminal 600 generates a request information signature based on connection request information for requesting connection to a desired network, and transmits the connection request information to the information providing server 500 together with the generated request information signature. . The connection request information and the request information signature are encrypted based on the shared encryption key.

  The information providing server 500 confirms the integrity of the received connection request information based on the request information signature transmitted from the communication terminal 600. After confirming the integrity, the information providing server 500 generates a connection information signature based on the connection information for connecting to a desired network, and transmits the connection information together with the generated connection information signature to the communication terminal 600. It has become. The connection information and the connection information signature are encrypted based on the shared encryption key. The communication terminal 600 confirms the integrity of the received connection information based on the connection information signature transmitted from the information providing server 500.

  In addition, after confirming the integrity, the communication terminal 600 may transmit termination request information for requesting termination of provision of connection information to the information providing server 500. When receiving the end request information transmitted from the communication terminal 600, the information providing server 500 transmits end response information for responding to the received end request information to the communication terminal 600.

  FIG. 15 is a block diagram of an information providing server according to the third embodiment of the present invention. As shown in FIG. 15, the information providing server 500 is configured to include a communication interface 110, an input / output unit 120, a connection information storage unit 330, and a control unit 540. Of the constituent elements constituting the information providing server 500 according to the third embodiment of the present invention, the same means as the constituent elements constituting the information providing server 300 according to the second embodiment of the present invention. Are denoted by the same reference numerals, and description thereof is omitted.

  The control means 540 is configured to include a CPU (Central Processing Unit) that processes a program, a memory that stores the program, and the like. The control unit 540 includes a connection request information receiving unit 541, a connection information acquiring unit 142, a connection information selecting unit 343, a connection information providing unit 544, a user authentication unit 545, an encryption key sharing unit 546, a connection request information confirmation unit 547, Connection information signing means 548 and server authentication information transmitting means 549 are provided. These means may be program modules.

  The user authentication unit 545 authenticates the user based on the authentication information transmitted from the communication terminal 600. For example, the authentication information includes information for identifying the user, a password corresponding to the user, a certificate, and the like.

  When the user authentication unit 545 determines that the authentication information transmitted from the communication terminal 600 is correct, the encryption key sharing unit 546 generates an encryption key to be used with the communication terminal 600 and uses the generated encryption key as the communication terminal. 600 and share.

  The server authentication information transmitting unit 549 transmits server authentication information for the communication terminal 600 to authenticate the information providing server 500 to the communication terminal 600. For example, the server authentication information includes a certificate held by a server used in SSL.

  When the user authentication unit 545 determines that the authentication information transmitted from the communication terminal 600 is correct, the connection request information reception unit 541 receives a request information signature together with the connection request information from the communication terminal 600 via the communication interface 110. The received request information signature is output to the connection request information confirmation unit 547.

  In addition, when the connection request information or the request information signature is encrypted, the connection request information receiving unit 541 uses the encryption key shared with the communication terminal 600 by the encryption key sharing unit 546 to decrypt the connection request information. It has become.

  The connection request information confirmation unit 547 confirms the integrity of the connection request information received by the connection request information reception unit 541 based on the request information signature output by the connection request information reception unit 541. The request information signature includes an electronic signature based on the message digest, information indicating the integrity of the connection request information, and the like.

  For example, when the request information signature is information obtained by encrypting a hash value obtained from the connection request information using the user's private key, the connection request information confirmation unit 547 uses the user's public key to request the request information signature. Is decrypted, and it is determined whether or not the decrypted hash value matches the hash value obtained from the connection request information received by the connection request information receiving means 541. If they match, the connection request information confirmation unit 547 causes the connection information acquisition unit 142 to acquire a profile.

  The connection information signature unit 548 is configured to generate a connection information signature based on the profile selected by the connection information selection unit 343 and transmitted to the communication terminal 600. For example, the connection information signature unit 548 generates a hash value from information representing a combination of profiles using a predetermined hash function, encrypts the generated hash value using the secret key of the information providing server 500, and connects the connection information signature. Is supposed to generate.

  The connection information providing unit 544 transmits a connection information signature together with the profile selected by the connection information selecting unit 343 to the communication terminal 600. Note that the profile and the connection information signature are encrypted based on the shared encryption key.

  FIG. 16 is a block configuration diagram of a communication terminal according to the third embodiment of the present invention. As shown in FIG. 16, the communication terminal 600 is configured to include an input / output unit 201, an application processing unit 402, a setting procedure execution unit 603, and a connection unit 230. Of the constituent elements constituting the communication terminal 600 according to the third embodiment of the present invention, the same constituent elements as those constituting the communication terminal 400 according to the second embodiment of the present invention are used. Are denoted by the same reference numerals, and description thereof is omitted.

  The setting procedure execution unit 603 includes a connection request information transmission unit 610, a connection information reception unit 620, a connection information extraction unit 440, an authentication information transmission unit 660, an encryption key sharing unit 670, a request information signature unit 680, and a connection information confirmation unit 690. It is comprised so that it may contain. The setting procedure execution means 603 executes a procedure that can be connected to each network 11.

  The authentication information transmitting unit 660 transmits authentication information for authenticating the user to the information providing server 500. For example, when information for identifying the user or a password corresponding to the user is input from the user via the input / output unit 201, the authentication information transmitting unit 660 connects the authentication information for authenticating the user. The information is transmitted to the information providing server 500 via the means 230.

  After transmitting the authentication information to the information providing server 500, the encryption key sharing unit 670 is configured to share the encryption key used with the information providing server 500 with the information providing server 500.

  The server authentication unit 661 authenticates the information providing server 500 based on the server authentication information transmitted from the information providing server 500. When the server authentication unit 661 determines that the server authentication information transmitted from the information providing server 500 is correct, the encryption key sharing unit 670 generates an encryption key used with the information providing server 500, and the generated encryption key May be shared with the information providing server 500.

  The request information signing unit 680 generates a request information signature based on connection request information to be transmitted to the information providing server 500. For example, the request information signature unit 680 generates a hash value from the connection request information by using a predetermined hash function, and encrypts the generated hash value by using the user's private key to generate a request information signature. ing.

  The connection request information transmitting unit 610 obtains connection request information from the information input by the user via the application processing unit 402, connects to the network 11, and then sends the connection request information to the information providing server 500 in the connected network 11 together with the connection request information. The request information signature generated by the request information signature means 680 is transmitted to the information providing server 500. The connection request information and the request information signature are encrypted based on the encryption key shared with the information providing server 500 by the encryption key sharing unit 670.

  The connection information receiving unit 620 receives a profile and a connection information signature from the information providing server 500. When the profile and the connection information signature are encrypted, the connection information receiving unit 620 decrypts the connection information receiving unit 620 using the encryption key shared with the information providing server 500 by the encryption key sharing unit 670. ing.

  The connection information confirmation unit 690 confirms the integrity of the profile received by the connection information reception unit 620 based on the connection information signature transmitted from the information providing server 500. The connection information signature includes an electronic signature based on the message digest, information indicating the integrity of the profile, and the like.

  For example, when the connection information signature is information obtained by encrypting a hash value obtained from information representing a combination of profiles using the secret key of the information providing server 500, the connection information confirmation unit 690 includes the information providing server 500. The connection information signature is decrypted using the public key of the information, and it is determined whether or not the decrypted hash value matches the hash value obtained from the information representing the combination of profiles received by the connection information receiving unit 620. It is like that. If they match, the connection information confirmation unit 690 causes the connection information extraction unit 440 to extract an appropriate profile.

  The operation of the communication system according to the third embodiment of the present invention will be described below with reference to the drawings.

  17 and 18 are flowcharts showing the operation flow of the communication system according to the third embodiment of the present invention. Of the operation of the communication system according to the third embodiment of the present invention, the same reference numeral is assigned to the same operation as that of the communication system according to the second embodiment of the present invention.

  First, connection request information for requesting connection to a desired network is generated by the application processing unit 402 based on information related to the connection request input by the user, and the generated connection request information is the connection request information transmitting unit. 610 is acquired (S101). Next, authentication information for authenticating the user is transmitted to the information providing server 500 by the authentication information transmitting unit 660 (S301).

  The authentication information transmitted from the communication terminal 600 is received by the information providing server 500 by the user authentication unit 545 (S302), and the user authentication unit 545 determines whether or not the received authentication information is correct (S303).

  Here, only the information providing server 500 authenticates the user, but the certificate that the information providing server 500 and the communication terminal 600 transmit to each other as in a procedure compliant with SSL is the user authentication means 545. The server authentication unit 661 may authenticate each other.

  When it is determined that the authentication information is correct, an encryption key used between the information providing server 500 and the communication terminal 600 is generated by the encryption key sharing unit 546, and the generated encryption key is stored in the encryption key sharing unit 546 and It is shared with the communication terminal 600 by the encryption key sharing means 670 (S304, S305).

  The request information signature based on the connection request information to be transmitted to the information providing server 500 is generated by the request information signature unit 680 (S306), and the generated request information signature and the connection request information are obtained by using the shared encryption key. The connection request information signature is transmitted together with the connection request information to the information providing server 500 by the connection request information transmission unit 610 (S307, S308).

  The connection request information and the request information signature transmitted from the communication terminal 600 are received by the connection request information receiving unit 541 and decrypted using the shared encryption key (S309, S310).

  The integrity of the connection request information received by the connection request information receiving unit 541 is determined by the connection request information confirming unit 547 to determine whether the information related to the connection request information matches the information related to the request information signature. (S311).

  When it is determined that the request information signatures match, the profile is acquired from the connection information storage unit 330 by the connection information acquisition unit 142 according to the received connection request information (S104). Next, a plurality of combinations of profiles corresponding to a desired network and user among the profiles acquired by the connection information acquisition unit 142 are selected by the connection information selection unit 343 (S201).

  A connection information signature based on the selected profile is generated by the connection information signature means 548 (S312), and the generated combination of the connection information signature and the profile is encrypted using the shared encryption key, and the profile information A connection information signature together with the combination is transmitted to the communication terminal 600 by the connection information providing means 544 (S313, S314).

  The combination of profiles and the connection information signature transmitted from the information providing server 500 are received by the connection information receiving means 620 and decrypted using the shared encryption key (S315, S316).

  The integrity of the profile received by the connection information receiving means 620 is confirmed by determining whether or not the information related to the profile matches the information related to the connection information signature by the connection information confirmation means 690 (S317). ).

  When it is determined that the connection information signatures match, an appropriate combination of profiles is extracted by the connection information extraction unit 440 (S202), and a desired network or server is connected via the plurality of networks 11 according to the extracted combination of profiles. Communication with 12 or the like is performed by the connection means 230 (S108).

  As described above, in the communication system according to the third embodiment of the present invention, the information providing server 500 authenticates the user based on the authentication information transmitted from the communication terminal 600. Can be prevented.

  Further, since the communication terminal 600 authenticates the server based on the server authentication information transmitted from the information providing server 500, the communication terminal 600 communicates with a desired network using the correct connection information provided from the information providing server 500. can do.

  Further, since the information transmitted and received between the communication terminal 600 and the information providing server 500 is encrypted or decrypted based on the shared encryption key, the confidentiality of the information transmitted and received between the communication terminal 600 and the information providing server 500 is increased. Can do.

  Further, the information providing server 500 confirms the integrity of the connection request information based on the request information signature, and the communication terminal 600 confirms the integrity of the profile based on the connection information signature. It is possible to guarantee the integrity of information transmitted to and received from the server 500, and to prevent falsification of information.

  FIG. 19 is a system configuration diagram of a communication system according to the fourth embodiment of the present invention. As shown in FIG. 19, a communication system 4000 includes a network 11a, a network 11b, a network 11c, a network 11d, and a network 11e, an information providing server 500 that provides information related to the network 11, and a communication terminal 600 that is used by a user. The communication terminal 600 and the information providing server 500 have a configuration including a proxy server 700 that mediates transmission / reception of information transmitted / received.

  Of the components constituting the communication system 4000 according to the fourth embodiment of the present invention, the same components as those constituting the communication system 3000 according to the third embodiment of the present invention are used. Are denoted by the same reference numerals, and description thereof is omitted.

  Further, the connection information storage means 330 of the information providing server 500 according to the fourth embodiment of the present invention stores the directed graph data structure shown in FIGS. 9 (a) to 9 (c).

  Communication system 4000 establishes a secure communication channel between proxy server 700 and information providing server 500 in advance, and information transmitted and received between proxy server 700 and information providing server 500 using this secure communication channel. May be sent and received.

  FIG. 20 is a sequence diagram of a communication system according to the fourth embodiment of the present invention. The communication terminal 600 transmits connection request information for requesting connection to a desired network to the proxy server 700. The proxy server 700 includes network information representing the network 11 to which the communication terminal 600 is connected in the connection request information transmitted from the communication terminal 600, and transmits connection request information including the network information to the information providing server 500. Yes.

  Similar to the third embodiment of the present invention, before the communication terminal 600 transmits the connection request information to the proxy server 700, the communication terminal 600 sends authentication information for authenticating the user to the proxy server 700. The information providing server 500 may authenticate the user based on the authentication information transmitted from the communication terminal 600. After authenticating the user, the information providing server 500 shares the encryption key used with the communication terminal 600 via the proxy server 700, and after sharing the encryption key, the communication terminal 600 and the information providing server 500 You may make it encrypt or decrypt based on the encryption key which shared the information transmitted / received. The communication terminal 600 may generate a request information signature based on the connection request information, and transmit the connection request information together with the generated request information signature to the information providing server 500 via the proxy server 700.

  The information providing server 500 receives the connection request information transmitted from the communication terminal 600 via the proxy server 700, and transmits connection information corresponding to the received connection request information to the communication terminal 600 via the proxy server 700. It has become. As in the third embodiment of the present invention, the information providing server 500 generates a connection information signature based on the connection information, and transmits the connection information together with the generated connection information signature to the communication terminal 600. May be.

  As described above, in the communication system according to the fourth embodiment of the present invention, since the proxy server 700 mediates transmission / reception of information transmitted / received between the communication terminal 600 and the information providing server 500, the information providing server 500 Can be centrally managed, and management of the information providing server 500 can be simplified.

  A communication program that causes a communication terminal or an information providing server to execute the communication method described above is stored in a recording medium such as a semiconductor memory, a magnetic disk, an optical disk, a magneto-optical disk, or a magnetic tape to manufacture or modify the communication terminal. At this time, the communication program may be read from the recording medium into the communication terminal or the like.

1 is a system configuration diagram of a communication system according to a first embodiment of the present invention. The block block diagram of the information provision server which concerns on the 1st Embodiment of this invention The figure which shows an example of the profile stored with the directed graph data structure which concerns on the 1st Embodiment of this invention The block block diagram of the communication terminal which concerns on the 1st Embodiment of this invention The image figure which communicates based on the combination of the profile which concerns on the 1st Embodiment of this invention The flowchart which shows the flow of operation | movement of the communication system which concerns on the 1st Embodiment of this invention. The system block diagram of the communication system which concerns on the 2nd Embodiment of this invention. The block block diagram of the information provision server which concerns on the 2nd Embodiment of this invention. The figure which shows an example of the profile stored by the directed graph data structure which concerns on the 2nd Embodiment of this invention The block block diagram of the communication terminal which concerns on the 2nd Embodiment of this invention. Detailed illustration of network characteristics The flowchart which shows the flow of operation | movement of the communication system which concerns on the 2nd Embodiment of this invention. System configuration diagram of a communication system according to a third embodiment of the present invention Sequence diagram of a communication system according to the third embodiment of the present invention The block block diagram of the information provision server which concerns on the 3rd Embodiment of this invention. The block block diagram of the communication terminal which concerns on the 3rd Embodiment of this invention. The flowchart which shows the flow of operation | movement of the communication system which concerns on the 3rd Embodiment of this invention. The flowchart which shows the flow of operation | movement of the communication system which concerns on the 3rd Embodiment of this invention. The system block diagram of the communication system which concerns on the 4th Embodiment of this invention Sequence diagram of a communication system according to the fourth embodiment of the present invention System configuration diagram of conventional communication system

Explanation of symbols

11, 11a, 11b, 11c, 11d, 11e Network 12, 12a, 12b Server 100, 100a, 100b, 100c, 300, 300a, 300b, 300c, 500, 500a, 500b, 500c Information providing server 110 Communication interface 120 Input / output Means 130, 330 Connection information storage means 131, 331 Directed graph data structure storage section 140, 340, 540 Control means 141, 541 Connection request information reception means 142 Connection information acquisition means 143, 343 Connection information selection means 144, 544 Connection information provision means 200, 400, 600 Communication terminal 201 Input / output means 202, 402 Application processing means 203, 403, 603 Setting procedure execution means 210, 610 Connection request information transmission means 220, 620 Connection information Communication means 230 Connection means 440 Connection information extraction means 450 Network characteristic condition information input means 545 User authentication means 546, 670 Encryption key sharing means 547 Connection request information confirmation means 548 Connection information signature means 549 Server authentication information transmission means 660 Authentication information transmission means 661 Server authentication means 680 Request information signing means 690 Connection information confirmation means 700, 700a, 700b, 700c Proxy server 1000, 2000, 3000, 4000 Communication system

Claims (20)

In a communication system in which an information providing server that provides information on a plurality of networks and a communication terminal used by a user are connected to be able to communicate with each other,
The information providing server is
Connection information storage means for storing connection information for connecting to a plurality of networks;
Connection request information receiving means for receiving connection request information for requesting connection to a desired network;
Connection information acquisition means for acquiring connection information from the connection information storage means when connection request information is received by the connection request information reception means;
Connection information selection means for selecting connection information corresponding to the desired network among the connection information acquired by the connection information acquisition means;
Connection information providing means for providing the communication terminal with connection information selected by the connection information selection means,
The communication terminal is
Connection request information transmitting means for transmitting the connection request information to the information providing server; connection information receiving means for receiving the connection information from the information providing server;
A communication system comprising: connection means for connecting to the desired network according to connection information received by the connection information receiving means. The connection information storage means includes a directed graph data structure storage unit that stores the connection information in a directed graph data structure represented by a directed graph;
The communication system according to claim 1, wherein the connection information selection unit selects a combination of the connection information based on the directed graph data structure. A plurality of connection information corresponding to the desired network is stored in the connection information storage means,
The connection information selection means selects a plurality of connection information candidates corresponding to the desired network from the connection information acquired by the connection information acquisition means,
The connection information providing means provides the communication terminal with connection information candidates selected by the connection information selecting means,
The communication terminal is
Connection information extracting means for extracting connection information from connection information candidates provided from the information providing server;
The communication system according to claim 1, wherein the connection unit connects to the desired network according to connection information extracted by the connection information extraction unit. The connection information includes network characteristic information representing network characteristics,
The communication system according to claim 3, wherein the connection information extraction unit extracts connection information based on the network characteristic information. The communication terminal comprises network characteristic condition information input means for inputting network characteristic condition information representing a condition relating to the network characteristic,
5. The communication system according to claim 4, wherein the connection information selection unit extracts connection information according to the network characteristic condition information input by the network characteristic condition information input unit. The communication terminal is
The information providing server includes authentication information transmitting means for transmitting authentication information for authenticating the user to the information providing server,
The information providing server includes:
Comprising user authentication means for authenticating the user based on the authentication information transmitted from the communication terminal;
6. The connection request information receiving unit receives the connection request information transmitted from the communication terminal when the user authentication unit determines that the authentication information is correct. The communication system in any one. The information providing server includes:
Server authentication information transmitting means for transmitting to the communication terminal server authentication information for the communication terminal to authenticate the information providing server;
The communication terminal is
Server authentication means for authenticating the information providing server based on the server authentication information transmitted from the information providing server;
7. The connection request information transmission unit transmits the connection request information to the information providing server when the server authentication unit determines that the server authentication information is correct. The communication system in any one.   In the communication system, the communication terminal and the information providing server share an encryption key, and information transmitted and received between the communication terminal and the information providing server is encrypted or decrypted based on the encryption key. A communication system according to any one of claims 1 to 7. The communication terminal is
Request information signature means for generating a request information signature based on the connection request information for transmission to the information providing server;
Connection information confirmation means for confirming the integrity of the connection information received by the connection information reception means,
The information providing server includes:
A connection information signature means for generating a connection information signature based on the connection information for transmission to the communication terminal;
Connection request information confirmation means for confirming the integrity of the connection request information received by the connection request information receiving means,
The connection request information transmitting means transmits the request information signature together with the connection request information to the information providing server,
The connection request information confirming means confirms the integrity of the connection request information received by the connection request information receiving means based on the request information signature transmitted from the communication terminal,
The connection information providing means provides the connection information signature together with the connection information to the communication terminal;
9. The connection information confirming means confirms the integrity of the connection information received by the connection information receiving means based on the connection information signature transmitted from the information providing server. The communication system as described in any of the above. The communication system includes a proxy server connected to each network,
10. The communication system according to claim 1, wherein the proxy server mediates transmission / reception of information transmitted / received between the communication terminal and the information providing server. In a communication system in which an information providing server that provides information on a plurality of networks and a communication terminal used by a user are connected to be able to communicate with each other,
The information providing server is
A connection information storage means for storing connection information for connecting to a plurality of networks;
Receiving connection request information by connection request information receiving means for receiving connection request information for requesting connection to a desired network;
When connection request information is received by the connection request information receiving means, connection information is obtained by connection information obtaining means for obtaining connection information from the connection information storage means,
Select connection information by connection information selection means for selecting connection information corresponding to the desired network among the connection information acquired by the connection information acquisition means,
Providing connection information by connection information providing means for providing connection information selected by the connection information selecting means to the communication terminal;
The communication terminal is
Sending connection request information by connection request information sending means for sending the connection request information to the information providing server;
Receiving connection information by connection information receiving means for receiving the connection information from the information providing server;
A communication method characterized in that connection is made by connection means for connecting to the desired network in accordance with connection information received by the connection information receiving means. The connection information storage means includes a directed graph data structure storage unit that stores the connection information in a directed graph data structure represented by a directed graph;
The communication method according to claim 11, wherein the connection information selection unit selects a combination of the connection information based on the directed graph data structure. A plurality of connection information corresponding to the desired network is stored in the connection information storage means,
The connection information selection means selects a plurality of connection information candidates corresponding to the desired network from the connection information acquired by the connection information acquisition means,
The connection information providing means provides the communication terminal with connection information candidates selected by the connection information selecting means,
The communication terminal is
Connection information extracting means for extracting connection information from connection information candidates provided from the information providing server;
The communication method according to claim 11 or 12, wherein the connection unit connects to the desired network according to connection information extracted by the connection information extraction unit. The connection information includes network characteristic information representing network characteristics,
14. The communication method according to claim 13, wherein the connection information extraction unit extracts connection information based on the network characteristic information. The communication terminal comprises network characteristic condition information input means for inputting network characteristic condition information representing a condition relating to the network characteristic,
15. The communication method according to claim 14, wherein the connection information selection unit extracts connection information according to the network characteristic condition information input by the network characteristic condition information input unit. The communication terminal is
The information providing server includes authentication information transmitting means for transmitting authentication information for authenticating the user to the information providing server,
The information providing server includes:
Comprising user authentication means for authenticating the user based on the authentication information transmitted from the communication terminal;
16. The connection request information receiving unit receives connection request information transmitted from the communication terminal when the user authentication unit determines that the authentication information is correct. Any one of the communication methods. The information providing server includes:
Server authentication information transmitting means for transmitting to the communication terminal server authentication information for the communication terminal to authenticate the information providing server;
The communication terminal is
Server authentication means for authenticating the information providing server based on the server authentication information transmitted from the information providing server;
The connection request information transmitting unit transmits the connection request information to the information providing server when the server authentication unit determines that the server authentication information is correct. Any one of the communication methods.   In the communication system, the communication terminal and the information providing server share an encryption key, and information transmitted and received between the communication terminal and the information providing server is encrypted or decrypted based on the encryption key. The communication method according to any one of claims 11 to 17. The communication terminal is
Request information signature means for generating a request information signature based on the connection request information for transmission to the information providing server;
Connection information confirmation means for confirming the integrity of the connection information received by the connection information reception means,
The information providing server includes:
A connection information signature means for generating a connection information signature based on the connection information for transmission to the communication terminal;
Connection request information confirmation means for confirming the integrity of the connection request information received by the connection request information receiving means,
The connection request information transmitting means transmits the request information signature together with the connection request information to the information providing server,
The connection request information confirming means confirms the integrity of the connection request information received by the connection request information receiving means based on the request information signature transmitted from the communication terminal,
The connection information providing means provides the connection information signature together with the connection information to the communication terminal;
The connection information confirming means confirms the integrity of the connection information received by the connection information receiving means based on the connection information signature transmitted from the information providing server. The communication method according to any of the above. The communication system includes a proxy server connected to each network,
20. The communication method according to claim 11, wherein the proxy server mediates transmission / reception of information transmitted / received between the communication terminal and the information providing server.

Images