JP2005339055A - Access control device and access control method - Google Patents

Access control device and access control method Download PDF

Info

Publication number
JP2005339055A
JP2005339055A JP2004155127A JP2004155127A JP2005339055A JP 2005339055 A JP2005339055 A JP 2005339055A JP 2004155127 A JP2004155127 A JP 2004155127A JP 2004155127 A JP2004155127 A JP 2004155127A JP 2005339055 A JP2005339055 A JP 2005339055A
Authority
JP
Japan
Prior art keywords
computer resource
access
certificate
user terminal
identification information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
JP2004155127A
Other languages
Japanese (ja)
Inventor
Norihiro Ishikawa
Tsuyoshi Kato
Hiromitsu Sumino
剛志 加藤
憲洋 石川
宏光 角野
Original Assignee
Ntt Docomo Inc
株式会社エヌ・ティ・ティ・ドコモ
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ntt Docomo Inc, 株式会社エヌ・ティ・ティ・ドコモ filed Critical Ntt Docomo Inc
Priority to JP2004155127A priority Critical patent/JP2005339055A/en
Publication of JP2005339055A publication Critical patent/JP2005339055A/en
Application status is Pending legal-status Critical

Links

Images

Abstract

PROBLEM TO BE SOLVED: To efficiently control access to computer resources distributed on a network without using a central management storage device that collectively manages access rights to computer resources of each user terminal 10.
An access control apparatus according to the present invention includes an access right certificate including identification information of a computer resource and identification information of a group having the right to access the computer resource and an access right for storing the computer resource in association with each other. Responding to an acquisition request from the certificate storage unit 22, an affiliated certificate storage unit 23 for storing an affiliated certificate including group identification information and identification information of user terminals belonging to the group, and another access control device 20a And transmitting units 21 and 26 for transmitting an access right certificate associated with the computer resource to the other access control apparatus 20a.
[Selection] Figure 1

Description

  The present invention relates to an access control apparatus and an access control method for controlling access of a user terminal to a computer resource.

  Conventionally, an access control system for controlling access of a user terminal to a computer resource as in Patent Document 1 is known. A conventional access control system will be described with reference to FIG.

  As shown in FIG. 7, the conventional access control system includes a file access execution device 11, a user affiliation group list storage device 12, a file group storage device 13, and an access right / file name correspondence list storage device 14. doing.

  The file access execution device 11 refers to the user affiliation group list storage device 12 and the access right / file name correspondence list storage device 14 and accesses the user terminal 10 to a specific file stored in the file group storage device 13. Is allowed or rejected.

  The user belonging group list storage device 12 classifies and registers a plurality of user terminals into a plurality of groups, that is, stores which group each user terminal 10 belongs to. Specifically, the user affiliation group list storage device 12 is configured to store the identification information of each group in association with the identification information of user terminals belonging to the group.

  The file group storage device 13 stores a plurality of files that are a kind of computer resource.

  The access right / file name correspondence list storage device 14 sets the access right for each file stored in the file group storage device 13 for a specific group stored in the user affiliation group list storage device 12, The setting contents are stored. Specifically, the access right / file name correspondence list storage device 14 is configured to store a correspondence relationship between a file name and an access right to the file.

  Here, an operation for controlling access of the user terminal 10 to a file stored in the file group storage device 13 in the conventional access control system will be briefly described.

  First, the user terminal 10 transmits an access request for a specific file stored in the file group storage device 13 to the file access execution device 11.

  Secondly, the file access execution device 11 specifies which group the user terminal 10 belongs to by making an inquiry to the user membership group list storage device 12.

  Third, the file access execution device 11 makes an inquiry to the access right / file name correspondence list storage device 14 to determine whether the group to which the user terminal 10 belongs has the access right to the specific file. recognize.

Fourth, when the group to which the user terminal 10 belongs has access rights to the specific file, the file access execution device 11 transmits the specific file to the user terminal 10 (that is, the specific file If the group to which the user terminal 10 belongs does not have access rights to the specific file, the access request is rejected (that is, access to the specific file is permitted). do not do).
JP-A-8-50559

  However, in the conventional access control system, in order for the file access execution device 11 to check whether or not the user terminal 10 has the right to access a specific file, the central management storage device (the user belonging group list storage device 12 or the access right) Since it is necessary to make an inquiry to the file name correspondence list storage device 14), depending on the communication status between the file access execution device 11 and the storage device, the file access execution device 11 accesses the specific file of the user terminal 10. Therefore, there is a problem in that the access request to the specific file from the user terminal 10 that should be permitted can be rejected.

  Further, in the conventional access control system, the access right to each file of each user terminal 10 is collectively managed in the central management storage device (the user belonging group list storage device 12 and the access right / file name correspondence list storage device 14). Therefore, there is a problem that files cannot be freely distributed among a plurality of user terminals.

  Therefore, the present invention has been made in view of the above points, and access control that enables efficient access control to computer resources distributed on a network without using a central management storage device as described above. An object is to provide an apparatus and an access control method.

  A first feature of the present invention is an access control apparatus that controls access of a user terminal to a computer resource, the access right including identification information of the computer resource and identification information of a group having access rights to the computer resource. An access right certificate storage unit for storing the certificate and the computer resource in association with each other, and in response to the acquisition request for the computer resource from another access control device, the computer resource to the other access control device And a transmission unit that transmits the access right certificate associated with the computer resource.

  According to this invention, even when there is no central management storage device that collectively manages access rights to each computer resource of each user terminal, each access right certificate distributed along with the computer resources on the network In the access control apparatus, access control to the computer resources of the user terminal can be performed.

  In the first feature of the present invention, an affiliation certificate storage unit for storing an affiliation certificate including identification information of the group and identification information of user terminals belonging to the group, and the affiliation certificate from the other access control device Identification information of the group specified by the issue request and identification information of the user terminal when obtaining the issuance permission notification of the affiliation certificate from the computer resource owner terminal in response to the certificate issuance request An affiliation certificate issuance / transmission unit that issues and transmits the affiliation certificate including the affiliation certificate to the other access control device may be provided.

  In the first aspect of the present invention, the access right certificate includes identification information of the computer resource, identification information of a group having an access right to the computer resource, and identification information of an owner of the computer resource. Including, in response to a request for access to the computer resource from the user terminal, in the affiliation certificate storage unit, the identification information of the group having the right to access the computer resource and the identification information of the user terminal A determination unit that determines whether or not an affiliation certificate is stored; and when determining that the affiliation certificate is not stored, the access right certificate storage unit is referred to, and the computer resource owner terminal A certificate request section for requesting the certificate of the certificate to be issued to It may be configured to include an access control unit which permits access to the computer resources to the user terminal.

  According to this invention, whether or not to grant the user terminal access right to the computer resource even when there is no central management storage device that collectively manages the access right to each computer resource of each user terminal. The intention of the owner of the computer resource can be reflected.

  In the first feature of the present invention, the affiliation certificate is provided with an electronic signature related to the owner of the computer resource, and the access control unit is issued by the owner terminal of the computer resource. When the affiliation certificate has not been tampered with, the computer resource encrypted with the public key of the user terminal may be transmitted to the user terminal.

  According to this invention, it is possible to prevent unauthorized access to the computer resources of the user terminal by falsifying the contents of the affiliation certificate distributed on the network.

  A second feature of the present invention is an access control method for controlling access of a user terminal to a computer resource, wherein the access control device identifies identification information of the computer resource and a group having an access right to the computer resource. A step of storing an access right certificate including information and the computer resource in association with each other, and the access control device responding to an acquisition request for the computer resource from the other access control device; And the step of transmitting the access right certificate associated with the computer resource together with the computer resource, and the other access control device, based on the access right certificate, from the user terminal Allow access to computer resources And summarized in that a step of determining whether.

  As described above, according to the present invention, efficient access to computer resources distributed on a network can be achieved without using a central management storage device that collectively manages access rights for each computer resource of each user terminal. An access control apparatus and an access control method that enable control can be provided.

(Configuration of access control apparatus according to an embodiment of the present invention)
With reference to FIGS. 1 to 3, the configuration of a node (access control apparatus) 20 constituting a network that implements an access control method according to an embodiment of the present invention will be described. The node 20 is one node on the network constituted by a plurality of nodes, and these plural nodes all have the same configuration.

  Specifically, the access control method according to the present embodiment includes a content, a program distributed on a network configured based on a connection established by a plurality of nodes (access control devices) with adjacent nodes, Access rights of computer resources such as services are controlled by distributed management.

  As shown in FIG. 1, the node 20 includes a communication unit 21, a computer resource holding unit 22, an affiliation certificate holding unit 23, an access right certificate generation unit 24, an affiliation certificate generation unit 25, and an access right. And a management control unit 26.

  The communication unit 21 transmits / receives various data such as computer resources, access right certificates, and affiliation certificates to / from other nodes 20a in the network.

  The computer resource holding unit 22 stores a computer resource and an access right certificate in association with each other. For example, the computer resource holding unit 22 is a computer resource encrypted using a shared key exchanged with another node 20a via the communication unit 21 or a shared key created by a computer resource owner terminal. Is remembered.

  As shown in FIG. 2, the access right certificate includes “computer resource name (computer resource identification information)”, “computer resource owning user name”, “access right holding group name”, “issue date” , “Electronic signature of computer resource owning user”.

  The “computer resource owner user name” is identification information of the owner of the computer resource (for example, the IP address of the owner terminal of the computer resource may be used). The “access right holding group name” is identification information of a group having an access right to the computer resource.

  “Issued date / time” indicates the date / time when the access right certificate was issued. For example, the “issue date / time” may be the date and time when the access right certificate generation unit 26 of the node 20 generates the access right certificate, or the access right certificate generation unit 26a of another node 20a It may be the date and time when the access right certificate was generated or the date and time when the access right certificate was received from another node 20a.

  “Electronic signature of the computer resource owning user” is the “computer resource name”, “computer resource owning user name”, and “access right holding group name” in the access right certificate by the private key related to the owner of the computer resource. ”And“ issue date ”are encrypted. Therefore, only the owner of the computer resource can change or tamper with the access right certificate.

  The affiliation certificate holding unit 23 stores the affiliation certificate shown in FIG. Specifically, as shown in FIG. 3, “Affiliation Certificate”, “Group Name (Group Identification Information)”, “Affiliation User Name”, “Computer Resource Owner User Name”, “Issuance Date / Time”, And “electronic signature of the user who owns the computer resource”.

  “Affiliated user name” is identification information of user terminals belonging to the group, and may be, for example, an address (IP address or the like) of a user terminal, a user ID in a predetermined service, or the like.

  The “computer resource owner user name” is identification information of the owner of the computer resource (for example, the IP address of the owner terminal of the computer resource may be used).

  “Issued date / time” indicates the date / time when the affiliation certificate was issued. For example, the “issue date / time” may be the date / time when the affiliation certificate generation unit 25 of the node 20 generates the affiliation certificate, or the affiliation certificate generation unit 25a of another node 20a may generate the affiliation certificate. May be the date and time when the certificate is generated, or may be the date and time when the affiliation certificate is received from another node 20a.

  “Computer resource owning user's electronic signature” is the “group name”, “affiliated user name”, “computer resource owning user name” and “issue” in the affiliation certificate by the private key associated with the computer resource owner. It is calculated by encrypting “date and time”. Therefore, only the owner of the computer resource can change or tamper with the affiliation certificate.

  The access right certificate generation unit 24 generates an access right certificate relating to the computer resource based on a registration request for the computer resource from the user terminal 10 belonging to the node 20 and registers it in the computer resource holding unit 22 It is.

  The affiliation certificate generation unit 25 generates the affiliation certificate and registers it in the affiliation certificate holding unit 23 in response to an instruction from the access right management control unit 26.

  The access right management control unit 26 controls access of the user terminal 10 to the computer resources stored in the computer resource holding unit 22.

  Specifically, the access right management control unit 26 refers to the computer resource holding unit 22 and the belonging certificate holding unit 23 in response to an access request to the computer resource from the user terminal 10, and belongs to the belonging certificate holding unit. 23, it is determined whether or not a affiliation certificate including identification information (group name) of a group having an access right to the computer resource and identification information (user name) of the user terminal is stored. Has been.

  In addition, the access right management control unit 26 is configured to permit the user terminal 10 to access the computer resource when it determines that the above-mentioned belonging certificate is stored in the belonging certificate holding unit 23. ing.

  On the other hand, if the access right management control unit 26 determines that the above-mentioned affiliation certificate is not stored in the affiliation certificate holding unit 23, the access right management control unit 26 refers to the computer resource holding unit 22 to determine the owner terminal of the computer resource. It is configured to request the issue of the affiliation certificate.

  Here, the access right management control unit 26 is configured to permit the user terminal 10 to access the computer resource when the above-mentioned affiliation certificate is issued by another node 20a.

  If the access right management control unit 26 determines that the user terminal 10 is permitted to access the computer resource, the affiliation certificate has not been falsified by the electronic signature attached to the affiliation certificate. If it is not falsified, the computer resource is encrypted using the public key of the user terminal 10 and transmitted to the user terminal 10.

  Further, the access right management control unit 26 is configured to encrypt the computer resource using a predetermined encryption key and register it in the computer resource holding unit 22 in response to a computer resource registration request from the user terminal 10. Has been. The encryption key used here is a common key known between the node 20 and the user terminal (computer resource owner) 10.

The access right management control unit 26 is configured to manage the computer resource encryption key correspondence list 26 1 associating the such computer resources encryption key and the computer resources used for encrypting the.

  In addition, the access right management control unit 26 sends the computer list holding unit 22 together with the computer resource to the other node 20a via the communication unit 21 in response to a computer resource acquisition request from the other node 20a. Is configured to transmit an access right certificate associated with the computer resource.

  Further, the access right management control unit 26 acquires the computer resource and the access right certificate from the other node 20a via the communication unit 21 in response to the computer resource acquisition request from the user terminal 10, and the computer resource It is configured to register in the holding unit 22.

  Further, the access right management control unit 26 obtains a notice of permission for issuing a affiliation certificate from the computer resource owner terminal (for example, the user terminal 10) in response to a request for affiliation certificate from another node 20a. In this case, the affiliation certificate generation unit 25 is instructed to issue an affiliation certificate including the identification information of the group designated by the issue request and the identification information of the user terminal (for example, the IP address of the user terminal 10a). The affiliation certificate generated by the affiliation certificate generation unit 25 is transmitted to another node 20a.

The user terminal 10 holds the (public key and private key of the user terminal 10) 10 1 asymmetric key pair generated by an existing method such as PKI.

(Access control method according to an embodiment of the present invention)
The access control method according to this embodiment will be described below with reference to FIGS.

  First, with reference to FIG. 4, an operation in which the user terminal 10 registers computer resources with the node 20 to which the user terminal 10 belongs will be described.

  As shown in FIG. 4, in step S <b> 1001, the user terminal 10 transmits a new computer resource registration request to the access right management control unit 26 of the node 20. Here, the registration request includes the computer resource body, “computer resource name”, “access right holding group name” permitting access to the computer resource, and “computer resource possession” indicating the identification information of the user terminal 10. User name ”and the private key of the user terminal 10 are included.

  In step S <b> 1002, the access right management control unit 26 “computer resource name”, “access right holding group name”, “computer resource possessing user name”, and the private key of the user terminal 10 included in the registration request from the user terminal 10. Are input to the access right certificate generation unit 24.

  In step S1003, the access right certificate generation unit 24 generates an access right certificate related to the computer resource based on the information input from the access right management control unit 26. In step S1004, the access right management control unit 26.

In step S1005, the access right management control unit 26 encrypts the computer resource transmitted from the user terminal 10 with a predetermined encryption key, and in step S1006, associates the computer list with the predetermined encryption key. and stores the resource encryption key correspondence list 26 1.

  In step S1007, the access right management control unit 26 transmits the encrypted computer resource and the access right certificate generated by the access right certificate generation unit 24 to the computer resource holding unit 22.

  In step S1008, the computer resource holding unit 22 stores the computer resource transmitted from the access right management control unit 26 in association with the access right certificate.

  Secondly, with reference to FIG. 5, an operation when the user terminal 10 accesses a computer resource stored in another node 20a will be described.

  As illustrated in FIG. 5, in step S2001, the user terminal 10 transmits a computer resource acquisition request stored in another node 20a to the node 20 at a predetermined timing.

  In step S2002, the access right management control unit 26 of the node 20 is stored in the other node 20a with respect to the other node 20a via the communication unit 21 in response to an acquisition request from the user terminal 10. Send a computer resource acquisition request.

  In step S2003, the other node 20a transmits the corresponding computer resource and the access right certificate relating to the computer resource to the node 20 in response to the acquisition request from the node 20. The access right management control unit 26 registers the computer resource and the access right certificate received from the other node 20 a in the computer resource holding unit 22. In addition, since this computer resource is encrypted with a known shared key between the node 20 and the other node 20a by another node 20a, the user terminal 10 uses the computer resource as it is. I can't.

  In step S2004, the user terminal 10 transmits a request for using the computer resource to the node 20.

  In step S2005, the access right management control unit 26 refers to the computer resource holding unit 22 and the affiliation certificate holding unit 23 to determine whether the user terminal 10 has the right to access the computer resource.

  Specifically, the access right management control unit 26 specifies a group that is permitted to access the computer resource from the access right certificate associated with the computer resource in the computer resource holding unit 22. . Then, the access right management control unit 26 searches the affiliation certificate holding unit 23 to confirm whether or not the user terminal 10 belongs to the specified group.

  If it is determined that the user terminal 10 belongs to the specified group, the operation proceeds to step S2008.

  On the other hand, when it is determined that the user terminal 10 does not belong to the specified group, in step S2006, the access right management control unit 26 uses the access right associated with the computer resource in the computer resource holding unit 22. Information about the owner of the computer resource (for example, the IP address of the computer resource owner terminal) is acquired from the certificate.

  Then, the access right management control unit 26 sends the above specified group name and identification information of the user terminal 10 to the other node 20a to which the owner of the computer resource belongs via the communication unit 21. A request for issuing a certificate of belonging is sent.

  In step S2007, when the other node 20a receives the issue permission notification from the computer resource owner terminal, the other node 20a issues the above-mentioned affiliation certificate and transmits it to the node 20.

  On the other hand, when the other node 20a fails to obtain the issue permission notification from the computer resource owner terminal, the other node 20a notifies the node 20 that the above-mentioned affiliation certificate cannot be issued.

  In step S2008, the access right management control unit 26 verifies the electronic signature given to the affiliation certificate received from the other node 20a via the communication unit 21, so that the affiliation certificate has not been falsified. Confirm about.

  When the access right management control unit 26 confirms that the affiliation certificate has not been tampered with, in step S2009, the access right management control unit 26 decrypts the computer resource with a known shared key between the node 20 and the other node 20a. After that, encryption is performed with the public key of the user terminal 10, and the encrypted computer resource is transmitted to the user terminal 10 in step S2010.

  On the other hand, when the access right management control unit 26 confirms that the affiliation certificate has been tampered with, the access right management control unit 26 transmits a message to the user terminal 10 that access to the computer resource is not permitted.

  Thirdly, with reference to FIG. 6, the operation when the user terminal 10a belonging to the other node 20a accesses the computer resource stored in the node 20 will be described.

  As shown in FIG. 6, in step S3001, the user terminal 10a transmits a request for acquiring a computer resource stored in the node 20 to another node 20a at a predetermined timing.

  In step S3002, the access right management control unit 26a of the other node 20a responds to the acquisition request from the user terminal 10a, and the computer resources stored in the node 20a are transmitted to the node 20 via the communication unit 21a. Send an acquisition request.

  In step S3003, in response to the acquisition request from the other node 20a, the node 20 transmits the corresponding computer resource and the access right certificate relating to the computer resource to the other node 20a. The access right management control unit 26a of the other node 20a registers the computer resource and access right certificate received from the node 20 in the computer resource holding unit 22a of the other node 20a. Since the computer resource is encrypted by the node 20 with a known shared key between the node 20 and the other node 20a, the user terminal 10a cannot use the computer resource as it is. .

  In step S3004, the user terminal 10a transmits a use request for the computer resource to the other node 20a.

  In step S3005, the access right management control unit 26a uses the computer resource holding unit 22a to obtain information about the owner of the computer resource (for example, the IP of the user terminal 10) from the access right certificate associated with the computer resource. Address).

  Then, the access right management control unit 26a requests the node 20 to issue an affiliation certificate including the group name having the access right to the computer resource and the identification information of the user terminal 10a via the communication unit 21a. Send.

  In step S3006, the access right management control unit 26 of the node 20 requests the user terminal 10 that is the owner terminal of the computer resource to use the computer resource from the user terminal 10a belonging to the other node 20a (that is, , A request to issue an affiliation certificate from another node 20a) is notified.

  In step S3007, when the user terminal 10 determines that the user terminal 10a is allowed to access the computer resource, the user terminal 10 and the “group name” that permits access to the computer resource, and the private key of the user terminal 10 A permission response including the above is notified to the access right management control unit 26 of the node 20.

  If the user terminal 10 determines not to permit access to the computer resource of the user terminal 10a, the user terminal 10 notifies the access right management control unit 26 of the node 20 of a rejection response to that effect.

  In step S3008, when receiving the permission response from the user terminal 10, the access right management control unit 26 obtains the “group name” included in the permission response, the secret key of the user terminal 10, and the identification information of the user terminal 10a. , Input to the affiliation certificate generation unit 25.

  In step S3009, the affiliation certificate generation unit 25 generates the above-mentioned affiliation certificate based on the information input by the access right management control unit 26. In step S3010, the affiliation certificate generation unit 25 converts the generated affiliation certificate into the access right management control unit. 26.

  In step S3011, the affiliation certificate generated by the affiliation certificate generation unit 25 is transmitted to the other node 20a via the communication unit 21.

  On the other hand, when the access right management control unit 26 of the node 20 receives a rejection notification from the user terminal 10, it cannot issue the above-mentioned affiliation certificate to the other nodes 20a via the communication unit 21. Notify that.

  In step S3012, the access right management control unit 26a of the other node 20a verifies the belonging certificate by verifying the electronic signature given to the belonging certificate received from the node 20 via the communication unit 21a. Check if it is not.

  When the access right management control unit 26a confirms that the affiliation certificate has not been tampered with, in step S3013, the computer resource decrypts the computer resource with a known shared key between the node 20 and the other node 20a. After that, encryption is performed with the public key of the user terminal 10a, and the encrypted computer resource is transmitted to the user terminal 10a in step S3014.

  On the other hand, when the access right management control unit 26a confirms that the affiliation certificate has been tampered with, the access right management control unit 26a transmits a message to the user terminal 10a that access to the computer resource is not permitted.

(Operation and Effect of Access Control Device and Access Control Method According to One Embodiment of the Present Invention)
According to the access control device and the access control method according to the present embodiment, even when there is no central management storage device that collectively manages access rights to the computer resources of the user terminals 10 and 10a, With the access right certificate distributed along with the computer resources, the access control for the computer resources of the user terminals 10 and 10a can be performed in the nodes 20 and 20a.

  Further, according to the access control device and the access control method according to the present embodiment, even when there is no central management storage device that collectively manages access rights to the computer resources of the user terminals 10 and 10a, Whether or not to grant the access right of the user terminal 10, 10a to the computer resource can reflect the will of the owner of the computer resource.

  Further, according to the access control device and the access control method according to the present embodiment, it is possible to prevent unauthorized access to the computer resources of the user terminals 10 and 10a by falsifying the contents of the affiliation certificate distributed on the network. it can.

It is a functional block diagram of a node (access control device) according to an embodiment of the present invention. It is an example of the access right certificate produced | generated by the access right certificate production | generation part of the node which concerns on one Embodiment of this invention. It is an example of the affiliation certificate produced | generated by the affiliation certificate production | generation part of the node which concerns on one Embodiment of this invention. It is a sequence diagram which shows the operation | movement which registers the computer resource provided by the user terminal with a node in the access control method which concerns on one Embodiment of this invention. It is a sequence diagram which shows the operation | movement which provides a computer resource with respect to the user terminal which belongs to an own node in the access control method which concerns on one Embodiment of this invention. It is a sequence diagram which shows the operation | movement which provides a computer resource with respect to the user terminal which belongs to another node in the access control method which concerns on one Embodiment of this invention. It is a whole block diagram of the system which implement | achieves the access control method based on a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10, 10a ... User terminal 11 ... File access execution apparatus 12 ... User affiliation group list storage apparatus 13 ... File group storage apparatus 14 ... Access right and file name correspondence list storage apparatus 20, 20a ... Node 21 ... Communication part 22 ... Computer resource Holding unit 23 ... belonging certificate holding unit 24 ... access right certificate generating unit 25 ... belonging certificate generating unit 26 ... access right management control unit

Claims (5)

  1. An access control device that controls access of a user terminal to a computer resource,
    An access right certificate including identification information of the computer resource and identification information of a group having the right to access the computer resource, and an access right certificate storage unit that associates and stores the computer resource;
    A transmission unit that transmits the access right certificate associated with the computer resource together with the computer resource to the other access control device in response to the acquisition request of the computer resource from the other access control device; An access control apparatus comprising:
  2. An affiliation certificate storage unit for storing an affiliation certificate including identification information of the group and identification information of user terminals belonging to the group;
    In response to a request for issuance of the affiliation certificate from the other access control device, when the issuance permission notice of the affiliation certificate is obtained from the owner terminal of the computer resource, the specified by the issuance request 2. The affiliation certificate issuance / transmission unit that issues the affiliation certificate including group identification information and user terminal identification information and transmits the affiliation certificate to the other access control device. Access control device.
  3. The access right certificate includes identification information of the computer resource, identification information of a group having an access right to the computer resource, and identification information of an owner of the computer resource,
    In response to a request for access to the computer resource from the user terminal, the affiliation certificate storage unit includes the identification information of a group having an access right to the computer resource and the identification information of the user terminal. A determination unit for determining whether or not a book is stored;
    If it is determined that the affiliation certificate is not stored, the affiliation certificate issuance request that requests the owner terminal of the computer resource to issue the affiliation certificate with reference to the access right certificate storage unit And
    The access control apparatus according to claim 1, further comprising: an access control unit that permits the user terminal to access the computer resource when the affiliation certificate is issued.
  4. The affiliation certificate is given an electronic signature related to the owner of the computer resource,
    The access control unit transmits the computer resource encrypted with the public key of the user terminal to the user terminal when the affiliation certificate issued by the computer resource owner terminal has not been tampered with. The access control apparatus according to claim 3.
  5. An access control method for controlling access of a user terminal to a computer resource,
    An access control device storing an access right certificate including identification information of the computer resource and identification information of a group having access rights to the computer resource, and the computer resource in association with each other;
    In response to a request for acquisition of the computer resource from another access control device, the access control device, together with the computer resource, the access right certificate associated with the computer resource. Sending
    A method for determining whether to permit access to the computer resource from the user terminal based on the access right certificate.

JP2004155127A 2004-05-25 2004-05-25 Access control device and access control method Pending JP2005339055A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2004155127A JP2005339055A (en) 2004-05-25 2004-05-25 Access control device and access control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2004155127A JP2005339055A (en) 2004-05-25 2004-05-25 Access control device and access control method

Publications (1)

Publication Number Publication Date
JP2005339055A true JP2005339055A (en) 2005-12-08

Family

ID=35492576

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2004155127A Pending JP2005339055A (en) 2004-05-25 2004-05-25 Access control device and access control method

Country Status (1)

Country Link
JP (1) JP2005339055A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011209802A (en) * 2010-03-29 2011-10-20 Sony Corp Memory device, host device and memory system

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011209802A (en) * 2010-03-29 2011-10-20 Sony Corp Memory device, host device and memory system

Similar Documents

Publication Publication Date Title
Tong et al. Cloud-assisted mobile-access of health data with privacy and auditability
JP2013152757A (en) Intersystem single sign-on
EP3089061B1 (en) Method for reading attributes from an id-token
US7370351B1 (en) Cross domain authentication and security services using proxies for HTTP access
Chadwick Federated identity management
US7155616B1 (en) Computer network comprising network authentication facilities implemented in a disk drive
US6442688B1 (en) Method and apparatus for obtaining status of public key certificate updates
JP4690389B2 (en) Digital copyright management method and apparatus using certificate disposal list
JP4571865B2 (en) Identity-based encryption system
US6185308B1 (en) Key recovery system
CN101370069B (en) Image encryption/decryption system
CN1284088C (en) Access control system
JP4177040B2 (en) Content utilization apparatus, network system, and license information acquisition method
EP1984866B1 (en) Document security management system
US7716722B2 (en) System and method of proxy authentication in a secured network
KR100765774B1 (en) Method and apparatus for managing domain
US6892300B2 (en) Secure communication system and method of operation for conducting electronic commerce using remote vault agents interacting with a vault controller
CN1939028B (en) Accessing protected data on network storage from multiple devices
US8296827B2 (en) Method for enabling an administrator to configure a recovery password
KR100734162B1 (en) Method and apparatus for secure distribution of public/private key pairs
US6801998B1 (en) Method and apparatus for presenting anonymous group names
JP3980355B2 (en) License information storage device, content reproduction device, and license information distribution system
US5757920A (en) Logon certification
CN100580657C (en) Distributed single sign-on service
CN102217277B (en) Method and system for token-based authentication