JP2007116509A - Communication terminal, program, communication system, and method for outputting security information - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication terminal capable of allowing a user to easily understand information concerning security with respect to a network communication line to which the communication terminal is connected at present, while keeping safety by the correspondence of only the communication terminal. <P>SOLUTION: The communication terminal 10 holds security information of the network, to be connected, and safety reference information 161, 162, where existence of the safety is set by security information, in a safety reference storage part 160. A safety reference determining part 170 determines the safety of the network to be connected through the use of one of two values, based on the security information and the safety reference information 161, 162 in the safety reference storage part 160. An output display part 190 displays the safety of the network, which is determined based on one of the two values, on a screen in a prescribed form with the reduced amount of information so as to allow the user to easily view it. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to output of network security information in a wireless communication network system, and more particularly to a communication terminal, a program, a communication system, and a security information output method for outputting security information of a plurality of wireless communication networks.

  In recent years, damage caused by one of techniques for stealing personal information called phishing on the Internet has been regarded as a problem. This phishing refers to directing users to websites disguised as financial institutions and online shopping, allowing them to enter their accounts, passwords, credit card numbers, etc. with clever descriptions and stealing their personal information. Is the method.

  On the other hand, in wireless communication, unlike wired communication, because it is wireless, it can be accessed within the communicable range, and since the connection destination is not visible, it is different from the connection destination that is supposed to be connected originally The situation that you have been connected to is considered.

  In particular, in wireless LAN (Local Area Network) communication, an unauthorized wireless LAN access point in which an SSID similar to an identifier called SSID (Service Set Identity) for identifying an original wireless LAN access point is set is used. By installing the wireless LAN access point in the vicinity of the wireless LAN access point, it is possible to easily guide the wireless LAN connection user.

  At this time, the wireless LAN terminal is connected to the wireless LAN access point by a method using an electronic certificate in authentication called IEEE (Institute of Electrical and Electronic Engineers) 802.1X as authentication when connecting to the wireless LAN access point. Except when using a method of performing mutual authentication between both of the LAN terminals, a situation in which connection to this unauthorized wireless LAN access point is conceivable.

  In the operation of a wireless LAN in a company, a situation where the above IEEE 802.1X is used in order to strictly authenticate a user is also conceivable. However, a separate authentication server is required to use this IEEE 802.1X, so in an environment where an authentication server cannot be prepared such as a home or SOHO (Small Office / Home Office), a passphrase is used instead. The method used is expected to be used in the future. In the method using this passphrase, the wireless LAN terminal and the wireless LAN access point only share the same value, and authentication is not performed in the sense that the communication partner is unique.

  Recently, such an unauthorized wireless LAN access point is intentionally placed near the original wireless LAN access point to guide the user, and the user intends to connect to the original wireless LAN access point. It is conceivable that personal information is passed by inputting important information such as a user account, a password, and a credit card number. Such threats are called “Evil Twins” and “WiPhishing”.

  At this time, the user thinks that the user is connected to the original wireless LAN access point, but there is no mechanism for determining that the user is connected to an unauthorized wireless LAN access point.

  Next, a plurality of wireless interfaces are being installed in portable terminals. At present, there are combinations of mobile phones, wireless LANs, Bluetooth (registered trademark), and NFC (Near Field Communication). In the future, it is conceivable that IEEE 802.16 (WiMAX) will increase in addition to this.

  In addition, there may be a plurality of connection destination network candidates even in one wireless interface. For example, in a wireless LAN, there are a large number of connection destination network candidates so that a plurality of wireless LAN access points can be seen simultaneously and connected to any of them.

  In other words, there are many wireless interfaces, and there are many connection destination network candidates in one wireless interface, so that the user understands each wireless situation and the user selects a wireless communication to use. Will require advanced knowledge from users.

  For this reason, it is considered that a function for appropriately selecting and connecting from a plurality of connection destinations is required without making the user aware of switching of the connection destination network. In addition, a plurality of connections can be considered simultaneously.

  In such a case, if the user fully understands the network to which the user is connected and does not determine whether the connected network is correct, the user is directed to an unauthorized network as described above, and important information is leaked. There is a risk of doing so.

  In general, some network connection applications running on a PC or the like are equipped with a function for displaying a currently connected wireless communication status. However, even if the details of each connection status are displayed, it is possible that only a knowledgeable user can understand.

  In addition, although a mobile terminal has a function of showing information about out-of-service / out-of-service information to a user by an antenna display or the like regarding a communication connection, it does not have a function of displaying a detailed connection status in an appropriate format that is easy for the user to understand . Also, from the viewpoint of security, it can be said that the mobile phone network is protected by a mobile phone operator and the user does not need to be aware of it.

  However, the wireless interface other than the wireless interface as a mobile phone is installed and used in the mobile phone, so that the security of the wireless communication section and the mobile phone service provider network protected by the mobile phone service provider so far is Because it is not necessarily protected, it is necessary to make the user aware of security.

In addition to this, VPN (Virtual Private Network) exists as a technology for securely accessing a certain network. When VPN is added, the number of networks that can be regarded as connectable further increases. In addition, in the case of VPN, it has different network characteristics from the wireless interface, and even if the connection characteristics are notified in detail, it will become increasingly difficult for users to understand the currently connected network. It is done. In other words, although it is still necessary to expect users to fully understand the network they are connected to and communicate safely, this is actually considered difficult. is there.
Japanese Patent Laying-Open No. 2005-065018

The conventional wireless communication network has the following problems.
The first problem is that in a communication terminal having a plurality of network connection candidates, it is difficult for a user of the communication terminal to understand security information regarding the connected network.

  The reason is that the conventional technology only notifies the authentication method for the detailed connection and the encryption method of the communication path for each connection, and does not consider that it can be easily understood by the user. is there.

  The second problem is that the communication terminal connects to an unauthorized network without the user of the communication terminal being aware.

  The reason is that the conventional technology only notifies the authentication method for the detailed connection and the encryption method of the communication path for each connection, and does not consider that it can be easily understood by the user. is there.

  The third problem is that the account or password for logging in to the service on the network may be leaked without the communication terminal user noticing because the communication terminal is connected to an unauthorized network. This is a point.

  The reason is that the communication terminal connected to the network inputs the account, password, credit card number, etc. for logging in to the WEB service etc. on the information input form of the WEB browser via the connected network. Whether or not it is left to the user's judgment, there is no mechanism to prevent in the communication terminal.

  In addition, as an example of the technology of the conventional wireless communication network system, Japanese Patent Laid-Open No. 2005-065018 (Patent Document 1) transmits setting information for connecting to the wireless LAN 4 by the setting information distribution server 2, The wireless terminal 1 receives a radio wave from the access point 3, extracts an access point ID from the radio wave, receives setting information from the setting information distribution server 2, and transmits the setting information and the access point ID to the access point 3. A technique of a wireless LAN connection system that receives a connection approval signal from the access point 3 to the wireless LAN 4 is disclosed, and the user of the wireless terminal 1 does not understand the network to which the wireless terminal 1 is currently connected. Even if it exists, it can communicate safely and the prior art which makes patent document 1 an example is communication. Connection information about the network youngest is connected, to notify the server on the network to the communication terminal, there is a problem that it is necessary that the server and the communication terminal corresponding together.

  The reason is that the communication terminal can receive connection approval from an access point on the connected network by receiving setting information such as a security encryption key held by a server on the network and receiving authentication. It is.

  An object of the present invention is to provide a communication terminal, a program, a communication system, and a security information output that enable a user to easily understand information related to security for a network communication path to which the communication terminal is currently connected by handling only the communication terminal. It is to provide a method.

  Another object of the present invention is to provide a communication terminal, a program, a communication system, and security information output capable of limiting the functions of the communication terminal according to the security level (safety) of the network to which the communication terminal is connected. It is to provide a method.

  In order to achieve the above object, the present invention provides a communication terminal for a communication system connected to a network from a communication terminal via a base station, wherein security information relating to the connected network is expressed in a predetermined format with a small amount of information. Generated and output.

  That is, according to the present invention, by generating and outputting security information related to the connected network in a predetermined format with a small amount of information, the user of the communication terminal can easily determine the safety of the network. It is what you want to do.

  Further, the present invention for achieving the above object is to determine the safety of the network based on safety standard information for determining the presence or absence of safety of the network, and to perform information based on the safety determination result. The security information in a predetermined format with a small amount is generated.

  That is, the present invention determines the security of the network based on the safety standard information for determining the presence or absence of the network safety, and the security information in a predetermined format with a small amount of information based on the safety determination result. Thus, the user of the communication terminal can easily determine the safety of the network while maintaining the safety of the network.

  Furthermore, the present invention for achieving the above-mentioned other object is provided by the application based on application activation availability determination information for determining whether the application can be activated according to at least one of the category and the security information. It is characterized by restricting execution of part or all of the function to be performed.

  In other words, the present invention makes it possible to limit the execution of some or all of the functions held by the application in correspondence with at least one of the category and the security information.

  ADVANTAGE OF THE INVENTION According to this invention, the presence or absence of safety | security with respect to the network which the communication terminal is connecting can determine easily without the user of a communication terminal understanding complicated network connection information.

  The reason is that security information related to the connected network is generated and output in a predetermined format with a small amount of information.

  In addition, according to the present invention, it is easy for the user of the communication terminal to determine whether or not the network connected to the communication terminal is safe without comprehending complicated network connection information while maintaining the safety of the network. it can.

  The reason is that the security of the network is determined based on the safety standard information for determining whether the network is safe, and the security information of a predetermined format with a small amount of information is generated based on the safety determination result. Because.

(First embodiment)
Next, the best mode for carrying out the present invention will be described in detail with reference to the drawings.

(Configuration of the first embodiment)
FIG. 1 is a diagram showing a configuration of a radio communication system according to the first embodiment of the present invention.

  Referring to FIG. 1, the wireless communication system according to the present embodiment includes a communication network system A (left side in the figure), a communication network system B (right side in the figure), the communication network system A, and the communication network system B. The communication terminal 10 is connected to a communication line capable of bidirectional communication with both.

  The communication network system A is a public wireless LAN system used as a specific service and Internet access in a specific area (wireless LAN (WLAN) spot), for example.

  The communication network system B is, for example, a private wireless LAN system used for in-house services within the company and Internet access.

  The public wireless LAN system, which is the communication network system A, includes an access point 20 that performs wireless communication with the communication terminal 10 and a public network 40.

  The private wireless LAN system, which is the communication network system B, determines whether or not the access point 30 that performs wireless communication with the communication terminal 10, the private network 50, and the communication terminal 10 that is trying to connect to the private network 50 can be connected. It is comprised from the authentication server 60 to judge.

  The communication terminal 10 includes a wireless communication interface that can access communication lines of the public network 40 and the private network 50, and may be a computer, a portable information terminal, a mobile phone, or the like that can be connected to the communication line.

  The access point 20 has a function as a base station based on the technology shown in IEEE 802.11, and has a function of relaying data communication between the communication terminal 10 and a device connected to the public network 40. . For example, the access point 20 is configured to perform encrypted communication with TKIP (Temporal Key Integrity Protocol) using PSK (Pre-Shared Key) with WPA (Wi-Fi Protected Access), and thus A function may be achieved.

  The access point 30 has a function as a base station based on the technology shown in IEEE 802.11, and has a function of relaying data communication between the communication terminal 10 and a device connected to the private network 50. .

  Further, the access point 30 holds a function as an access point based on the technology shown in IEEE 802.11i and IEEE 802.1X, and an authenticator function defined in IEEE 802.1X. A function for determining whether or not connection to the communication terminal 10 is possible through the exchange of authentication information with the authentication server 60 is required for the communication terminal 10 attempting communication connection. For example, the access point 30 is set to perform encrypted communication using AES (Advanced Encryption Standard) using 802.1X authentication with WPA2 (Wi-Fi Protected Access 2). Each of the above functions may be achieved by setting an access right to the communication terminal 10 in the authentication server 60 in advance so that communication can be performed via the communication server 30.

  The communication terminal 10 retains the function of a terminal based on the technology shown in IEEE 802.11, and is connected to each device connected to the public network 40 and the private network 50 via the access points 20 and 30 and the Internet protocol (IP ) Can be used for communication.

  Further, the communication terminal 10 holds a function as a terminal based on the technology shown in IEEE 802.11i and IEEE 802.1X, and a supplicant function defined in IEEE 802.1X, and performs data communication. Therefore, when connection negotiation (connection processing) using the access points 20 and 30 and the wireless physical layer, user authentication by IEEE 802.1X, and key exchange are completed, it operates as one terminal of this network. .

  Here, at the time of IEEE 802.1X authentication, for example, a user ID and a password may be required as identification information, or a user certificate that is held may be required. Depends on the authentication method selected at the time of authentication for network connection.

  FIG. 2 is a block diagram showing a configuration of the communication terminal 10 of FIG. In FIG. 2, the communication terminal 10 includes a connection setting input unit 110, a connection setting storage unit 120, a connection destination determination unit 130, a communication control unit 140, a wireless communication interface unit 150, a safety standard storage unit 160, a safety standard determination unit 170, A safety display unit 180, an output display unit 190, and a storage medium 200 are included.

  Each component of the communication terminal 10 generally has the following functions.

  The connection setting input unit 110 has a function of setting information necessary for the communication terminal 10 to connect to the network via the wireless communication interface 150 and passing the set information to the connection setting storage unit 120.

  The information to be set here can be set not only for a single network but also for connecting to a plurality of networks. For example, information to be set includes ESSID (Extended Service Set ID) for wireless LAN (WLAN) connection, connection methods such as WPA and WPA2, authentication methods such as 802.1X and PSK, data such as TKIP and CCMP It includes information such as encryption method, passphrase used for authentication, user ID / password, and certificate.

  The connection setting storage unit 120 has a function of storing information necessary for the communication terminal 10 to connect to the network via the wireless interface 150. The content of the information stored in the connection setting storage unit 120 is set by information passed from the connection setting input unit 110 and read by the connection destination determination unit 130.

  Here, the content stored in the connection setting storage unit 120 may be set by the connection setting input unit 110, or may be stored in advance in the connection setting storage unit 120. The connection setting storage unit 120 can store information for connecting to a plurality of networks.

  The connection destination determination unit 130 has a function of determining to which network the communication terminal 10 is connected via the wireless interface 150 and when to connect.

  Further, the connection destination determination unit 130 requests the communication control unit 140 for an access point that can be currently connected, and sets the access point list acquired from the communication control unit 140 and the settings held in the connection setting storage unit 120. In comparison, it has a function of determining a network suitable for communication connection and making a connection request to the network to the communication control unit 140. For example, in the case of a wireless LAN, an access point scan request is sent to the communication control unit 140, a connection that can be connected is selected from the acquired access points, and the connection for the determined connection is selected. It has a function of making a request to the communication control unit 140 together with the ESSID, connection method, encryption method, information necessary for authentication, and the like.

  The communication control unit 140 has a function of performing connection processing to the network based on a request from the connection destination determination unit 130. Specifically, the communication control unit 140 sends a function that plays a series of roles such as access point search, access point connection negotiation, data encryption / decryption, and access point search result to the connection destination determination unit 130. And a notification function.

  In addition, when the network connection is completed, the communication control unit 140 has a function of notifying the safety standard determination unit 170 of the completion together with information such as a connection method and an encryption method used for connection.

  Wireless communication interface unit 150 has a function of wirelessly transmitting data received from communication control unit 140 to the access point and a function of passing data received from the access point to communication control unit 140. That is, the wireless communication interface unit 150 is mainly used when communicating with an access point.

  The safety standard storage unit 160 has a function of storing safety standard information for determining whether the communication path to the connected network is safe and whether the connected network is reliable. The safety standard information stored in the safety standard storage unit 160 is read by the safety standard determination unit 170. For example, the safety standard storage unit 160 determines the safety of various methods (WPA2, WPA, 802.1X, PSK, open system authentication, shared key authentication, CCMP, TKIP, WEP, etc.) in the case of a wireless LAN. As a value for this, binary (0, 1) is stored for each combination. For example, if 802.1X is used with WPA2, EAP-TLS (Extended Authentication Protocol-Transport Layer Security) is used for 802.1X authentication, and CCMP is used for encryption, the security of the communication path 1 is stored as the value of the reliability and 1 as the reliability value of the network. In this case, when the value is 1, it indicates that it is safe, and when the value is 0, it means that it is not safe.

  The safety standard determination unit 170 has a function of determining whether the communication path to the connected network is safe and whether the connected network is reliable. Therefore, the safety standard determination unit 170 has a function of reading safety standard information for determining safety and reliability from the safety standard storage unit 160.

  Further, the safety standard determination unit 170 has a function of notifying connection information to the safety display unit 180 as necessary together with the determination result of the safety of the communication path and the reliability of the network.

  Further, when the notification is appropriately requested from the safety display unit 180, the safety standard determination unit 170 notifies the safety display unit 180 of the determination result and the connection information determined based on the stored connection information. It has a function. For example, in the case of a wireless LAN, for example, when 802.1X is used for WPA2, EAP-TLS is used for 802.1X authentication, and CCMP is used for encryption, the safety value of the communication path is 1. , That the value of the reliability of the network is 1. At this time, in order to present the reliability of an arbitrary network, the electronic certificate presented from the authentication server used at the time of authentication may be notified together.

  The safety display unit 180 has a function of notifying the output display unit 190 of the safety of the connected network based on the determination result notified from the safety standard determination unit 170 and the connection information. For example, the safety display unit 180 displays the electronic value on the authentication server side used for authentication in addition to the safety value of the communication path to the connected network being 1 and the network reliability value being 1. When notified of the certificate, the output display unit 190 is notified of information indicating that the communication path is safe and reliable and information indicating the contents of the electronic certificate.

  The output display unit 190 has a function of displaying the safety of the network notified from the safety display unit 180 on a screen so as to be visible to the user in a predetermined format with a small amount of information.

  Here, the hardware configuration of the communication terminal 10 will be described.

  FIG. 3 is a block diagram showing an example of the hardware configuration of the communication terminal 10 of the content update system according to the present embodiment.

  Referring to FIG. 12, a communication terminal 10 according to the present invention can be realized by a hardware configuration similar to that of a general computer device, and includes a CPU (Central Processing Unit) 301, a RAM (Random Access Memory). A main memory 302 used for a data work area and a temporary data save area, a communication control part 303 for transmitting and receiving data via the Internet 80, a display part such as a liquid crystal display, a printer and a speaker 304, an input unit 305 such as a keyboard and a mouse, an interface unit 306 that transmits and receives data by connecting to peripheral devices, a hard disk including a nonvolatile memory such as a ROM (Read Only Memory), a magnetic disk, and a semiconductor memory. An auxiliary storage unit 307 is a click device, and a system bus 308 for connecting the above components of the information processing apparatus to each other.

  The communication terminal 10 according to the present invention is implemented by mounting a circuit component composed of a hardware component such as an LSI (Large Scale Integration) in which a program 400 for realizing such a function is incorporated in the communication terminal 10. As a matter of course, it can be realized by software by executing the program 400 that provides each function of each component described above by the CPU 301 on the computer processing apparatus.

  That is, the CPU 301 (control unit 31) loads the program 400 stored in the auxiliary storage unit 307 to the main storage unit 302 and executes it, and controls the operation of the communication terminal 10 to thereby perform the functions described above. Realized in software.

(Operation of the first embodiment)
Next, refer to FIG. 1 and FIG. 2, FIG. 4 showing the operation of the communication terminal 10 of FIG. 1, and FIG. 5 showing the storage format in the safety standard storage unit 160 of FIG. An example of the overall operation of the present embodiment will be described in detail. 4 is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  In the data communication connection process, the communication terminal 10 connects to the network via the access points 20 and 30 to perform communication. This is because the communication terminal 10 and the access points 20 and 30 are negotiated. It becomes possible.

  That is, first, the connection destination determination unit 130 of the communication terminal 10 determines the connection destination by comparing the access point search result acquired from the communication control unit 140 with the setting stored in the connection setting storage unit 120. For example, it is assumed that two access points 20 connected to the public network 40 and an access point 30 connected to the private network 50 are detected as access point search results. At this time, since the connection setting storage unit 120 matches the connection information for the access point 30 connected to the private network 50, it is determined to access the private network 50.

  Next, the connection destination determination unit 130 requests the communication control unit 140 to connect to the network determined to be connected (step S401), so that the communication control unit 140 performs connection negotiation (connection to the access point). Process) (step S402). For example, in order to connect to the access point 30 for accessing the private network 50, EAP-TLS is used for 802.1X authentication and CCMP is used for encryption in connection with WPA2. Then, the 802.11 negotiation process, the 802.1X authentication process, and the key exchange negotiation are successfully completed between the communication terminal 10 and the access point.

  Next, when the connection negotiation is completed, the communication control unit 140 notifies the safety standard determination unit 170 that the connection is completed together with information used for the connection (step S403).

  Next, when the safety standard determination unit 170 receives a notification that the connection is completed (connection completion notification) from the communication control unit 140, the safety standard determination unit 170 stores the information used for the connection received together with the safety standard storage unit 160. Compared with the safety standard information (step S404), the safety of the communication path to the connected network is calculated (determined) (step S405), and further, the reliability of the network is calculated (determined) (step). S406). For example, when connecting to the private network 50 described above, in addition to the information that EAP-TLS is used for 802.1X authentication and CCMP is used for encryption in connection with WPA2, the EAP-TLS is used. Receives the authentication server certificate presented from the authentication server during authentication. For example, safety standard information 161 and 162 shown in FIG. 5 is stored in the safety standard storage unit 160. When WPA2 / 802.1X / EAP-TLS is used, the reliability value is 1, and CCMP When is used, the safety value of the communication path is calculated as 1.

  Next, in addition to the calculated reliability and the safety of the communication path, the safety standard determination unit 170 adds information that is a basis for calculating the reliability and notifies the safety display unit 180 (step S407). For example, the safety standard determination unit 170 includes information that the safety value of the communication path to the connected private network 50 is 1 and the reliability value is 1, and the authentication server side presented by the communication partner at the time of authentication. Both the electronic certificate and the safety display unit 180 are notified.

  Finally, the safety display unit 180 presents the safety of the communication path to the connected network, the reliability of the network, and the authentication server certificate that is the standard of reliability based on the notified information. Thus, the safety and reliability can be displayed on the output display unit 190 in a format that can be easily understood by a predetermined user with a small amount of information (step S408). For example, the output display unit 190 indicates that it is safe because the safety value is 1, the fact that the network is reliable because the reliability value is 1, and the authentication server certificate that is the reliability standard. By displaying the certificate information, the user can easily determine that the displayed authentication server certificate is securely connected to the network.

  In the safety standard determination unit 170, when there is no safety standard setting as a reference in the safety standard storage unit 160, an unknown value (for example, a value of −1) may be set.

  Further, as shown in FIG. 6, the access point 20 and the access point 30 shown in FIG. 1 are physically the same, but the network configuration of the present embodiment is connected to the public network 40 and the private network 50, respectively. FIG. 1 shows an access point 2030 having a function of transmitting beacons for identifying different ESSIDs and distinguishing connections to the public network 40 and the private network 50 using a VLAN (Virtual LAN) for each ESSID. A network configuration may be used instead of the access point 20 and the access point 30 shown.

(Effects of the first embodiment)
According to the configuration of the wireless communication system according to the present embodiment, the following effects are achieved.

  The first effect is that while a plurality of detailed network connection statuses are conventionally displayed, security information can be simplified while maintaining network safety. For this reason, even a user who does not require deep network knowledge can easily grasp the safety of the network connection state, and can be aware even if the user is connected to the wrong network.

  The reason is that the safety standard information 161 and 162 for determining whether the communication path to the connected network is safe and whether the connected network is reliable is stored in the safety standard storage unit 160, and stored communication is performed. This is because, based on the connection status of the network connection in the terminal 10, by binarizing the safety from the two viewpoints of the communication path and the communication partner, it is shown to the user in a predetermined format with a small amount of information.

  The second effect is that it is possible to easily cope with newly defined authentication methods and encryption methods.

  The reason is that it is possible to cope with the above-described method by only adding information on the newly defined authentication method and encryption method to the safety standard storage unit 160.

  The third effect is that a plurality of connection methods and connection settings having different characteristics in the communication terminal 10 are held, and communication is frequently performed in a situation where the communication speed, the security strength, the authentication method, and the like are different for each connected network. Even in a situation where the terminal 10 moves, the user can easily grasp the status of the currently connected network.

  This is because the safety standard storage unit 160 holds a plurality of connection methods, connection settings, and the like having different characteristics in the communication terminal 10.

(Second Embodiment)
Next, a second embodiment of the present invention will be described in detail with reference to the drawings.

(Configuration of Second Embodiment)
Referring to FIG. 7, this embodiment has the same configuration as that of the first embodiment of the present invention except that it includes a VPN / GW unit 70 and the Internet 80 in addition to the network configuration of FIG. It has become.

  The VPN / GW unit 70 is connected to the private network 50 and the Internet 80 and has a function of controlling access from the Internet 80 to the private network 50.

  The Internet 80 is connected to the public network 40 and the private network 50 via the VPN / GW unit 70.

  Here, in communication between the VPN / GW unit 70 and the Internet 80, in order to connect to the private network 50 from the Internet 80 side via the VPN / GW unit 70, authentication with the VPN / GW unit 70 is required. In data communication after the completion of authentication, communication with the VPN / GW unit 70 is encrypted, and communication with an authentication server, a terminal, or the like in the private network 50 becomes possible through a secure communication path.

  The block diagram showing the configuration of the communication terminal 10 of FIG. 7 according to the present embodiment is the same as that of the first embodiment, but some functions are added in the following points.

  The connection setting input unit 110 has a function of setting information for connecting with a VPN in addition to a function of setting information necessary for connecting to the network via the wireless interface 150 in the first implementation. This is different from the configuration of the connection setting input unit 110 according to the form.

  The connection setting storage unit 120 has the function of storing information necessary for connection with the VPN in addition to the function of storing information necessary for connecting to the network via the wireless interface 150 in the first embodiment. Different from the configuration of the connection setting storage unit 120 according to the form.

  The connection destination determination unit 130 is the first in that it has a function of determining VPN connection and timing of VPN connection in addition to a function of determining which network to connect to and when to connect via the wireless interface 150. This differs from the configuration of the connection destination determination unit 130 according to the embodiment.

  That is, the connection destination determination unit 130 determines whether or not network connection using VPN is possible based on the settings held in the connection setting storage unit 120 with respect to the communication control unit 140, and sends a VPN connection request to the communication control unit. 140. For example, in the case of IPsec, the connection destination determination unit 130 requests a connection request for the determined VPN connection to the communication control unit 140 together with a connection method, an authentication method, information necessary for authentication, and the like.

  The communication control unit 140 has a function of performing a VPN connection process in addition to a function of performing a connection process to the network based on a request from the connection destination determination unit 130, so that the communication control unit 140 according to the first embodiment has a function of performing a VPN connection process. Different from the configuration.

  That is, the communication control unit 140 includes a series of functions such as connection negotiation with the VPN / GW unit 70, data encapsulation (encryption / decryption), and a connection method used for the VPN connection when the VPN connection is completed. And a function of notifying the safety standard determination unit 170 of completion together with information such as an encryption method and an authentication method.

  The safety standard storage unit 160 has the same function as that of the first embodiment. For example, in the case of IPsec, the safety standard storage unit 160 has a value for determining security for various methods (EAP authentication, RSA key authentication, PKI authentication, PSK authentication, DES, 3DES, AES, etc.), respectively. Are stored as binary values (0, 1). For example, when the RSA key method is used for authentication and 3DES is used for encryption, the safety standard storage unit 160 sets the safety value of the communication path to 1, and the reliability value of the network. 1 is stored. In this case, a value of 1 indicates that it is safe, and a value of 0 means that it is not safe.

  The safety standard determination unit 170 is different from the configuration of the safety standard determination unit 170 according to the first embodiment in that it has a function of integrating a plurality of connection results used.

  That is, for example, when a VPN connection is made after wireless LAN connection is made, the safety standard determination unit 170 obtains two determination results even though they are used simultaneously. Have a function of combining them while maintaining safety.

(Operation of Second Embodiment)
Next, FIG. 10 and FIG. 11 showing the determination procedure of the safety standard determination unit 170 of the communication terminal 10 according to this embodiment, and a diagram showing the storage format in the safety standard storage unit 160 of FIG. 2 in the case of VPN. 9 and FIGS. 1, 5, and 7, the overall operation of the present embodiment will be described with reference to the flowchart of FIG. 8 showing the overall operation of the present embodiment. This will be described in detail focusing on the different parts. 10 and 11 is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  The communication terminal 10 connects to the public network 40 via the access point 20, and then performs VPN connection processing with the VPN / GW unit 70 in order to access the private network 50 via the Internet 80.

  Next, when the connection process is completed between the communication terminal 10 and the VPN / GW unit 70, secure communication between the communication terminal 10 and the VPN / GW unit 70 is started.

  More specifically, first, when the communication terminal 10 connects to the public network 40 via the access point 20, for example, for connection to the access point 20, encryption using a connection using PSK with WPA. Suppose you are using TKIP. At this time, as shown in FIG. 5, based on the safety standard information stored in the safety standard storage unit 160, the safety value of the communication path is 1 and the reliability value of the network is 0, and the public network 40 Is obtained (step S801 to step S806).

  Next, when the communication terminal 10 connects to the Internet 80 via the connected public network 40 and performs a VPN connection with the VPN / GW unit 70 via the Internet 80, the connection destination determination unit of the communication terminal 10 When 130 determines to establish a VPN connection with the VPN / GW unit 70, it makes a VPN connection request to the communication control unit 140 based on the information in the connection setting storage unit 120 (step S807). Upon receiving the VPN connection request, the communication control unit 140 exchanges with the VPN / GW unit 70 to generate a VPN tunnel (step S808).

  Here, when the generation of the VPN tunnel is completed, the communication control unit 140 notifies the safety standard determination unit 170 that the connection is completed, together with information used for the connection (step S809).

  Next, the safety standard determination unit 170 stores safety standard information 163 and 164 (see FIG. 9) in the safety standard storage unit 160 that stores a correspondence table for communication path safety related to VPN connection and a correspondence table for network reliability. ) And the VPN connection information notified from the communication control unit 140 (step S810), calculate (determine) the safety of the communication path for the currently connected VPN connection (step S811), and Reliability is calculated (determined) (step S812). For example, it is assumed that EAP-AKA is used for authentication using IPsec, and 3DES is used for data encryption. At this time, the safety standard storage unit 160 obtains a value of 1 for the safety of the communication path and 1 for the reliability of the network. Here, a value of 1 means safe, and a value of 0 means not safe.

  At this point, there are two types of safety and reliability of the communication channel: safety of the communication channel and network reliability for the wireless LAN connection, and safety of the communication channel and network reliability for the VPN connection. Will do.

  Here, the safety standard determination unit 170 in the present embodiment calculates (determines) the safety value of the communication path that integrates the wireless LAN connection and the VPN connection in accordance with the logic shown in FIG. 10 (step S813). Further, according to the logic shown in FIG. 11, the reliability value of the network integrating the wireless LAN connection and the VPN connection is calculated (determined) (step S814). At this stage of the present embodiment, the network reliability value for the VPN connection is 1 and the communication path safety value is 1.

  FIG. 10 is a flowchart showing a procedure for calculating the safety of the integrated communication path for step S813. The safety value of the communication path is irrespective of the safety value of the communication path with respect to the wireless LAN connection ( In step S1001), the safety value of the communication path with respect to the VPN connection is determined (step S1002) (step S1003, step S1004). Therefore, the safety value of the integrated communication path is calculated as 1.

  FIG. 11 is a flowchart showing a procedure for calculating the safety of the integrated communication path for step S814. Since the network reliability value for the VPN connection is a value of 1 in this example (step S1101), wireless communication is performed. Regardless of the network reliability value for the LAN connection (step S1102), the integrated network reliability value is calculated as 1 (step S1104).

  As another example, it is assumed that the wireless LAN connection is WPA2 and EAP-TLS is used and CCMP is used for encryption, IPsec is used for VPN connection, PSK is used for authentication, and data is encrypted. Is using AES.

  In this case, the network reliability value for the wireless LAN connection is a value of 1 from FIG. 5, and the communication path safety value is also a value of 1.

  On the other hand, the network reliability value for the VPN connection in this case is 0 as shown in FIG. 9, and the communication path safety value is 1.

  Therefore, when the integrated values are calculated, since the VPN connection value is 1 as shown in FIG. 10 for the safety value of the communication path (step S1004), a value of 1 is calculated as in the above example. On the other hand, as for the reliability value of the network, from FIG. 11, the value for VPN connection is 0 (step S1101), but for wireless LAN connection, the value is 1 (step S1102). Is calculated (step S1104).

  Regarding the subsequent operations (steps S815 and S816), the same operations as those in the first embodiment (steps S407 and S408) are performed.

  Moreover, this embodiment can be combined with the first embodiment described above.

(Effect of the second embodiment)
Next, the effect of the second embodiment for carrying out the present invention will be described.

  In the present embodiment, whether or not the communication path to the connected network is safe even in a situation where a plurality of connection situations are involved such that the communication terminal 10 is connected via a wireless LAN and then VPN connection is made. The safety standard information 163 and 164 for judging whether or not the connected network is reliable is stored in the safety standard storage unit 160, and the connection status of the network connection is integrated and recognized as one connection. By binarizing the safety from the two viewpoints, normally, multiple detailed network connection statuses are displayed, but in a predetermined format with a small amount of information while maintaining network safety Can be displayed. For this reason, even a user who does not require deep network knowledge can easily grasp the safety of the network connection state, and can be aware even if the user is connected to the wrong network.

(Third embodiment)
Next, a third embodiment of the present invention will be described in detail with reference to the drawings.

(Configuration of the third embodiment)
FIG. 12 is a diagram illustrating a configuration of a wireless communication system according to the third embodiment of the present invention.

  Referring to FIG. 12, the network configuration according to the third embodiment includes a mobile phone network 90 instead of the private network 50, and includes a base station (BS) 25 for accessing the mobile phone network 90 via radio. It differs from the network configuration according to the second embodiment in that it is provided instead of the access point 30.

  The method of accessing the mobile phone network 90 from the communication terminal 10 may be a method of accessing via the Internet 80 and the VPN / GW unit 70 in addition to the method via the base station 25, or directly from the public network 40. In the case of a network configuration having a communication path accessible to the mobile phone network 90, a method of directly accessing the mobile phone network 90 from the public network 40 may be used.

  The base station 25 has a function of transferring data between the communication terminal 10 and the mobile phone network 90.

  FIG. 13 is a block diagram showing a configuration of communication terminal 10 of FIG. 12 according to the present embodiment, which is different from communication terminal 10 according to the first and second embodiments in that mobile phone network communication interface 155 is provided.

  The cellular phone network communication interface 155 is used to access the cellular phone network 90 of FIG. 12, and has a function of transmitting and receiving data such as connection negotiation with the base station 25 and data communication.

  The communication control unit 140 according to the present embodiment performs control for accessing the mobile phone network 90 in addition to the functions of the communication control unit 140 according to the first and second embodiments, and performs data transmission / reception, connection processing, etc. A function for requesting the mobile phone network communication interface 155 to send and receive data to be used for the mobile phone, and when the connection to the mobile phone network 90 is completed, the connection to the mobile phone network 90 is completed together with the completion of the safety standard determination unit 170 And a function of notifying information.

(Operation of the third embodiment)
4 and 8 showing the operation of the first and second embodiments, flowcharts 10 and 11 showing the judgment procedure of the safety standard judgment unit 170, and the safety standard storage unit 160 of FIG. Referring to FIG. 14 showing the storage format of FIG. 1, and FIG. 1, FIG. 5, FIG. 9, and FIG. 12, the overall operation of the present embodiment will be described in detail with a focus on the differences from the operation of the previous embodiment. explain. 10 and 11 is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  Further, in this embodiment, the flowcharts of FIGS. 4, 8, 10, and 11 are dealt with by replacing the part related to the wireless LAN with the mobile phone network.

  First, the communication terminal 10 performs a connection negotiation with the base station 25 in order to connect to the mobile phone network 90, and completes the connection negotiation (steps S402 and S802).

  When the connection negotiation is completed and data communication is possible, the communication control unit 140 of the communication terminal 10 notifies the safety standard determination unit 170 that the connection to the mobile phone network 90 is completed (steps S403 and S804).

  FIG. 14 shows the value of the safety standard information 165 that is an example of the safety standard stored in the safety standard storage unit 160 according to the present embodiment.

  In the case of this safety standard information 165, when accessing the mobile phone network 90, the value of the reliability of the network is always 1 and the value of the safety of the communication path is 1 (step S405). Step S406, Step S805, Step S806).

Subsequent operations are the same as those in the first or second embodiment, and the safety standard determination unit 170 displays the calculated network reliability value and communication channel safety value as a safety indicator. Notification to the unit 180 (steps S407 and S815). Further, the safety description determination unit 170 may simultaneously notify that it is connected to the mobile phone network 90 at this time.
Yeah.

  In the present embodiment, the mobile phone network communication interface 155 is replaced with a Bluetooth (registered trademark) interface, a WiMAX interface, and a UWB (Ultra Wide Band) interface, and the security information determination standard corresponding to these interfaces is a safety standard storage unit. By storing in 160, it is possible to support each communication method.

  Note that this embodiment can be combined with any of the first and second embodiments described above, and can also be combined with an invention combining the first and second embodiments. It is.

(Effect of the third embodiment)
Next, the effect of the third embodiment for carrying out the present invention will be described.

  In the first and second embodiments, since only a single wireless communication interface unit 150 is provided, only information related to a single communication can be provided. However, in the third embodiment of the present invention, The mobile phone network communication interface unit 155 is provided, and the safety standard determination unit 170 can calculate the connection state for each communication connection.

  For this reason, the communication terminal 10 has two types of methods, that is, a wireless LAN connection method and a connection method to the mobile phone communication network 90, and each connection is possible even in a situation where connection states related to a plurality of connection interfaces are involved. The integrated connection information can be notified.

  In addition, it is possible to easily grasp the safety of the network connection state in a situation where the network is used regardless of whether the user is aware or not.

  In addition, by providing a Bluetooth (registered trademark) interface, a WiMAX interface, and a UWB interface instead of the mobile phone network communication interface 155, it is possible to cope with these network connection situations, and stored in the safety standard storage unit 160. It is possible to notify the network security information using the existing information.

(Fourth embodiment)
Next, a fourth embodiment of the present invention will be described in detail with reference to the drawings.

(Configuration of the fourth embodiment)
FIG. 15 is a block diagram illustrating a configuration of the communication terminal 10 according to the fourth embodiment. Referring to FIG. 15, the fourth embodiment is different from the above-described embodiment in that the communication terminal 10 according to the present embodiment includes a connection destination type storage unit 210 and a connection destination type determination unit 220.

  The connection destination type storage unit 210 holds information related to categorization of connected networks. This category can be set in advance, or a category can be added as appropriate.

  FIG. 16 is an example of a correspondence diagram showing the criteria for determining the connection destination type, and the category classification information 211 used for classifying the categories shown in FIG. 16 is stored in the connection destination type storage unit 210. ing.

  Referring to FIG. 16, in the connection destination type storage unit 210, for example, office, home, wireless spot, provider, mobile phone network and the like are registered as categories, and information serving as a reference for classifying each category is stored. Stored.

  Further, for example, the category classification information used for classifying the category includes items indicating various certificates, connection methods, RSA keys, the host name and IP address of the VPN / GW unit 70, and these items are Each category is retained.

  More specifically, the various certificates are office, home, wireless spot, provider, and mobile phone network certificates, and the authentication server certificate presented from the authentication server side during authentication using an electronic certificate. Certificate, certificate authority certificate used for verification of electronic certificate, etc. The above connection method is identified by information indicating whether the mobile phone network connection is used or the EAP-AKA authentication method is used These information are used to classify categories.

  The connection destination type determination unit 220 has a function of determining the type of connection destination based on the network connection information notified from the safety standard determination unit 170 and the category classification information stored in the connection destination type storage unit 210. If necessary, it has a function of notifying the safety display unit 180 of the determined connection destination category together with information notified from the safety standard determination unit 170.

(Operation of the fourth embodiment)
Next, regarding the operation of the communication terminal 10 according to the present embodiment, referring to the correspondence diagram stored in the connection destination type storage unit 210 of FIG. 16, using the flowchart of FIG. 17 showing the operation of the present embodiment. In the following, detailed description will be given focusing on differences from the operation of the communication terminal 10 according to the above-described embodiment. The processing shown in the present embodiment is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  The communication terminal 10 according to the present embodiment is first connected to the network determined by the connection destination determination unit 130 (step S1701), the connection is completed by the communication control unit 140, and is connected together with the completion of connection as a connection completion notification. The information used for the communication is notified to the safety standard determination unit 170 (step S1702), and the value for the safety of the communication path and the value for the reliability of the network are obtained based on the notified information (step S1703). Is the same as in the previous embodiment.

  Next, the safety standard determination unit 170 notifies the connection destination type determination unit 220 of the information notified from the communication control unit 140 together with the value for the safety of the communication path and the value for the reliability of the network (step S1704). . For example, the information notified to the connection destination type determination unit 220 is used for verification of the authentication server electronic certificate presented from the authentication server side at the time of authentication when connecting to the network, or the authentication server electronic certificate. Information on the certificate authority certificate, information on the RSA key used for authentication with the VPN / GW unit 70, the use of the EAP-AKA method for the authentication method of the wireless LAN, the host name and IP address of the VPN / GW unit 70 Including information about

  Here, for example, as shown in FIG. 16, offices, homes, wireless spots, providers, mobile phone networks, and the like are registered in the connection destination type storage unit 210 as categories, and each of them is used as a reference for classifying the categories. The category classification information 211 is stored. Note that information held for each category can be added and deleted as appropriate.

  Upon receiving the notification from the safety standard determination unit 170, the connection destination type determination unit 220 includes the connected network in any category based on the category classification information 211 illustrated in FIG. 16 stored in the connection destination type storage unit 210. It is determined whether or not (step S1705). For example, it is assumed that EAP-TLS is used for authentication using WPA and data communication encryption is performed using TKIP. At this time, from the safety standard determination unit 170, the network reliability value is 1, the communication path safety value is 1, and the electronic certificate of the authentication server 60 presented from the authentication server 60 side at the time of EAP-TLS authentication. Suppose that the certificate (certificate 01) is notified. Then, when the connection destination type determination unit 220 searches the connection destination type storage unit 210 to find out which category the electronic certificate (certificate 01) of the authentication server 60 is included in, the certificate 01 is categorized as “office”. To be included in the classification.

  In addition, when the information notified from the safety standard determination unit 170 is not included in any category, for example, the information notified from the safety standard determination unit 170 indicates that the safety is unknown. May notify the safety display unit 180 that the information notified from the safety standard determination unit 170 is not included in any category.

  Next, if necessary, the connection destination type determination unit 220 notifies the safety display unit 180 of the determined category together with the values of the communication path safety and the network reliability (step S1706).

  Next, the safety display unit 180 that has received the notification provides the output display unit by presenting the safety of the communication path to the connected network based on the notified information, the reliability of the network, and the categorized classification. It is possible to display which network is securely connected to the user via 190 (step S1707). For example, since the safety value is 1, an indication that the communication path to the connected network is safe, and since the reliability value is 1, an indication that the network is reliable, When the classified category is an office, the fact that it is connected to the office can be displayed, so that the user can easily determine that the network is securely connected to the displayed connection destination. It becomes.

  Note that the category and category classification information 211 can be set in advance for the information stored in the connection destination type storage unit 210, but the connection at that point in time when the communication terminal 10 is connected to the network. By providing a function of registering the state in a certain category, a mechanism that can easily perform setting for the connection destination type storage unit 210 may be provided.

  Further, the fourth embodiment can be combined with any of the first embodiment, the second embodiment, and the third embodiment described above, and further the first embodiment. It is also possible to combine with the invention which combined arbitrary embodiment from 3 to 3rd Embodiment.

  For example, when using a VPN connection, it is possible to use the RSA key used at the time of authentication, the host name and IP address of the VPN / GW unit 70, and when connecting to a mobile phone network It is possible to use information such as being connected to a mobile phone network and using EAP-AKA as an authentication method.

(Effect of the fourth embodiment)
Next, effects of the fourth exemplary embodiment for carrying out the present invention will be described.

  In the above-described embodiment, in addition to the reliability of the network and the safety of the communication path, there is only a means for notifying the electronic certificate presented by the authentication server used at the time of network authentication. A connection destination type determination unit 220 having a function of determining the type of the connection destination, and a connection destination type storage unit 210 having a function of holding the category classification information 211 as a reference for determining the type of the connection destination From this, it is possible to present a preset type of connection destination. For this reason, it is possible for the user to easily and reliably determine where the user is connected, and since the classification can be set by himself, the category classification information 211 can be easily expanded. Network classification and various functions can be linked to operate.

(Fifth embodiment)
Next, a fifth embodiment of the present invention will be described in detail with reference to the drawings.

  18 and 19 showing safety standard information 164 to 165 and safety standard information 166 to 167 stored in the safety standard storage unit 160, and category classification information 212 stored in the connection destination type storage unit 210. Referring to FIG. 20, in the fifth embodiment, the configuration in communication terminal 10 is the same as that in the fourth embodiment described above, but the safety standard value stored in safety standard storage unit 160 is the same. The definition method, the definition method of the category classification reference value stored in the connection destination type storage unit 210, and the functions of the safety standard determination unit 170 and the connection destination type determination unit 220 are different from those of the fourth embodiment.

  As shown in the safety standard information 166 to 167 in FIG. 18 and the safety standards 168 to 169 in FIG. 19, the safety standard storage unit 160 in the present embodiment is a predetermined numerical range from a value of 0 to a value of 1. This is significantly different from the safety standard storage unit 160 according to the fourth embodiment, which is stored as a binary value of 0 or 1 in that any one of the values is held. This value is a numerical value of the degree of reliability or safety. For example, a value of 1 indicates that reliability and safety are high, and a value of 0 indicates that reliability and safety are low. , 0.8 represents a relatively high reliability and safety, and 0.2 represents a relatively low reliability and safety. Here, the value is expressed as a value from 0 to 1, but it may be expressed in a range different from the range from 0 to 1 such as a value from 0 to 100.

  The safety standard determination unit 170 expresses the network reliability and the safety of the communication channel with numerical values from 0 to 1 in terms of the network reliability and the safety of the communication channel. Unlike the above-described embodiment, which is determined by the binary value of the above value, a result expressed by a numerical value from a value of 0 to a value of 1 is notified to the connection destination type determination unit 220 or the safety display unit 180. .

  The connection destination type storage unit 210 is used to classify the category as compared with the category classification information 211 (see FIG. 16) in the above-described fourth embodiment as shown in the category classification information 212 of FIG. Information such as ESSID is further stored as information.

  The connection destination type determination unit 220 has a function of notifying the connection destination type that will be connected together with the probability of being connected even when the network reliability value is not 1. In this respect, the network reliability value is 1, that is, different from the above-described embodiment in which the connection destination type is determined only when there is a certain value.

(Operation of the fifth embodiment)
Next, with respect to the operation of the communication terminal 10 according to the present embodiment, the correspondence stored in FIG. 17 showing the operation of the communication terminal 10 according to the above-described fourth embodiment and the connection destination type storage unit 210 of FIG. With reference to the figure (category classification information 211), a description will be given in detail focusing on parts different from the operation of the communication terminal 10 according to the above-described fourth embodiment. The processing shown in the present embodiment is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  The safety standard determination unit 170 receives information used for connection together with the connection completion notification from the communication control unit 140 as a network connection completion notification (step S1702). For example, if TKIP is used for encryption by authentication using PSK by WPA, such information and ESSID are received. Based on this information, the safety standard determination unit 170 calculates (determines) the network reliability value as 0.5 and the communication path safety value as 1 from the safety standard information in the safety standard storage unit 160. (Step S1703) The information received from the communication control unit 140 together with the calculated value is notified to the connection destination type determination unit 220 (Step S1704).

  The connection destination type determination unit 220 notified of these pieces of information searches the connection destination type storage unit 210 for a corresponding category and acquires (determines) (step S1705). For example, in the case of authentication using PSK with the notified ESSID (ESSID01), the category “home” in which ESSID01 is registered is acquired (determined).

  The connection destination type determination unit 220 that has acquired the category notifies the safety display unit 180 of the reliability of the network and the safety of the communication path together with the category (step S1706). In the above example, the network reliability value is 0.5, the communication path safety value is 1, and the category “home” is notified to the safety display unit 180.

  The safety display unit 180 that has received the notification notifies the reliability of the category to be displayed and the degree of safety of the communication path even when the network reliability value is not 1. That is, in the above example, since the network reliability value is 0.5, the reliability is 0.5 for the category to be displayed and the safety of the communication path is displayed. The point which the part 180 notifies differs from the above-mentioned embodiment. In this way, for example, the communication terminal 10 indicates that it is connected to “Home” with 50% reliability, or conversely, 100% is connected to “Home” in an unreliable state. It is expressed so that the user can intuitively judge.

  Next, the safety display unit 180 notifies the output display unit 190 of the above-described content, and the output display unit 190 can intuitively understand the reliability of the network and the safety of the communication path, respectively. The information notified from the safety display unit 180 is displayed (step S1707). For example, how many percent you can trust by using a bar-like format, how much encryption is strong, and how many stars you can trust and use a star-like mark The method expressed by

  Further, as shown in the output display unit 191 in FIG. 21, the output display unit 190 is a character string indicating a connection destination on the display screen, an icon registered corresponding to the connection destination, network reliability, and communication path. Connection destination information such as a key mark and the number for indicating the strength of safety may be displayed on the lower part of the display screen of the communication terminal 10.

  Further, in addition to a mark indicating that communication is in progress, information indicating that the connection is to a wireless LAN, VPN, or mobile phone network may be added. For example, as shown in the output display unit 191 in FIG. 21, a format in which various connection information is displayed on the upper right of the screen may be used.

  Further, the output display unit 190 may have a configuration in which only icons are displayed on the screen, and a detailed description is displayed when the icons on the screen are clicked.

  Note that, in the fifth embodiment of the present invention, when the communication terminal 10 uses the VPN connection, the safety standard storage unit 160 is configured by the above-described fourth as shown in the safety standards 166 and 167 in FIG. In addition to the definition of 0 value and 1 value in the embodiment, values in the range of 0 to 1 are stored.

  That is, when the VPN connection is used, the safety standard determination unit 170, as in the second embodiment, the network reliability for the wireless LAN connection and the safety of the communication path, and the network connection for the VPN connection. It will have both reliability and channel safety values.

  However, even in this case, the safety standard determination unit 170 has a function of calculating the reliability of the network and the safety of the communication path in an integrated form for both connections.

  Note that the safety standard determination unit 170 has an algorithm that adopts the value of the VPN connection as the reliability of the integrated network, similarly to FIG. On the other hand, it has an algorithm that compares the values of wireless LAN connection and VPN connection and adopts the value of the connection method having a larger value as the reliability of the integrated network.

  In addition, the safety standard determination unit 170 has a function of notifying a set of reliability of a single integrated network and safety of a communication path. Moreover, you may have the function to notify both the connection methods of wireless LAN and VPN connection.

  In addition, the safety display unit 180 sets character information corresponding to the reliability and safety levels stored in the safety standard storage unit 160 in advance, and stores the network information acquired from the connection destination type determination unit 220. It has a function of displaying character information, graphic information, voice information, and the like corresponding to reliability and communication path safety values as information indicating the reliability of the network and the safety level of the communication path. For example, when the safety value of the communication channel is 0.8, “the communication channel is encrypted at a level that is not a problem for normal use” and the safety value is 0. .2 is displayed as information indicating the security level, such as “The communication path is encrypted, but there is a risk of eavesdropping”, and the reliability value is 1. For example, “The connected network can be trusted”, and when the reliability value is 0.5, “The connected network may not be the intended network. Has a function of displaying from the output display unit 190 as information indicating the reliability level. In addition, at this time, it has a function to notify including the category of the connection destination.

  Further, this embodiment can be combined with any of the first embodiment, the second embodiment, the third embodiment, and the fourth embodiment of the present invention described above. Furthermore, the present invention can be combined with an invention in which any embodiment from the first embodiment to the fourth embodiment is combined.

(Effect of 5th Embodiment)
Next, effects of the fifth exemplary embodiment for carrying out the present invention will be described.

  The above-described fourth embodiment has means for accurately expressing a secure connection by expressing the reliability of the network and the safety of the communication channel with binary values indicating whether it is safe or not. In the present embodiment, the safety standard information 164 to 167 is configured so that the reference value can be given, for example, as a percentage (%) within a predetermined numerical value range such as a value from 0 to 1. Is stored in the safety standard storage unit 160, so that it is possible to calculate the degree of safety in a leveled format. For this reason, when the network is not secure, it is possible to delegate the decision to the user, such as entrusting the subsequent processing to the user, by presenting to the user how secure it is, and to allow flexible expression did.

(Sixth embodiment)
Next, a sixth embodiment of the present invention will be described in detail with reference to the drawings.

(Configuration of the sixth embodiment)
FIG. 22 is a block diagram showing the configuration of the communication terminal 10 according to the sixth embodiment of the present invention.

  The communication terminal 10 is different from the above-described embodiment in that the communication terminal 10 includes a processing mode storage unit 230 and a processing mode determination unit 240 and a part of the operation of the safety standard determination unit 170.

  While describing the operation of the communication terminal 10 according to the present embodiment, a detailed description will be given centering on differences from the above-described embodiment. The processing shown in the present embodiment is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 in the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  The processing mode storage unit 230 is a process in which the safety standard determination unit 170 in the fifth embodiment described above represents a network reliability value and a communication path safety value as a binary value of 0 and 1 values. Is stored, and a determination criterion for deciding which process is to be performed is read out from the processing mode determination unit 240. . For example, the processing mode storage unit 230 uses ESSID, the host name and IP address of the VPN / GW unit 70, and the connection to the mobile phone network as processing modes represented by binary values of 0, 1 and 1. As the processing mode represented by a numerical value in the range from 0 to 1, the ESSID, the host name and IP address of the VPN / GW unit 70, and the connection to the mobile phone network are similarly used. Etc. are associated. In addition, the value used as this criterion may be set in advance, or may be configured to be added as appropriate.

  The processing mode determination unit 240 is a process in which the safety standard determination unit 170 in the fifth embodiment described above represents a network reliability value and a communication path safety value as a binary value of 0 and 1 values. Network connection completion notification in the fifth embodiment (step S1702). The network connection completion notification in the fifth embodiment has a function of determining whether to perform the processing represented by a numerical value ranging from 0 to 1 or whether to perform processing. ), Based on the information presented from the safety standard determination unit 170, it is determined from the information stored in the processing mode storage unit 230 which of the above-mentioned processes the safety standard determination unit 170 performs. The safety standard determination unit 170 is notified of the processed mode. For example, if the connection is completed for ESSID01 and the processing mode storage unit 230 is associated with an operation that represents the reliability of the network and the safety of the communication path as a binary value of 0, 1; The reference determination unit 170 is notified to perform processing represented by binary values.

  The safety standard determination unit 170 includes both a process of representing the reliability of the network and the safety of the communication path with a value of 0, a binary value of 1, and a process of representing a numerical value ranging from a value of 0 to a value of 1. It has two modes for processing, and when it is notified from the communication control unit 140 that the connection has been completed, in order to determine which mode to process, the necessary information is sent to the processing mode determination unit 240. In addition, subsequent processing is performed based on the mode notified from the processing mode determination unit 240.

  Further, the sixth embodiment of the present invention can be combined with any of the first to fifth embodiments of the present invention described above, and further from the first embodiment. The present invention can be combined with an invention combining any embodiments up to the fifth embodiment.

(Effect of 6th Embodiment)
Next, effects of the sixth exemplary embodiment for carrying out the present invention will be described.

  In the above-described embodiment, the process of expressing the reliability of the network and the safety of the communication channel with binary values indicating whether the communication is safe or not, and, for example, a value from 0 to 1 is given as a percentage (%). Although two kinds of processing modes that can be performed were provided, the communication terminal 10 was configured to perform only one of the processes in a fixed manner. In the present embodiment, the processing mode can be dynamically changed by providing a mechanism capable of dynamically changing the processing mode by determining these two types of processing modes from the connected network. Therefore, depending on the connected network, the more appropriate information, the situation in which you want to strictly determine whether security is present or not and the situation in which you want to provide flexible information in cases where the judgment is left to the user. Can be provided.

(Seventh embodiment)
Next, a seventh embodiment of the present invention will be described in detail with reference to the drawings.

(Configuration of the seventh embodiment)
FIG. 23 is a block diagram showing a configuration of communication terminal 10 according to the seventh exemplary embodiment of the present invention. The communication terminal 10 according to the seventh embodiment is different from the communication terminal 10 according to the fourth embodiment described above in that it includes a communication application 250.

  The communication application 250 is an application having a communication function, and performs communication data transmission / reception via the communication control unit 140, and the category of the connected network according to the category notified from the connection destination type determination unit 220. And a function for limiting the functions of the application.

  The communication terminal 10 according to the seventh embodiment has a terminal configuration that does not include the connection destination type storage unit 210 and the connection destination type determination unit 220 in the configuration, and the reliability of the network between the communication application 250 and the safety standard determination unit 170. In addition, a configuration for exchanging safety of the communication path may be used.

  That is, the communication application 250 is added in the communication terminal 10 according to the first to third embodiments that does not include the connection destination type storage unit 210 and the connection destination type determination unit 220 in the configuration, and the added communication application A configuration may be employed in which network reliability and communication path safety are exchanged between 250 and the safety standard determination unit 170.

  In such a case, the communication application 250 restricts the functions of the application according to the information indicating the network reliability and the communication path safety notified from the safety standard determination unit 170.

(Operation of the seventh embodiment)
Next, the operation of the communication terminal 10 according to the present embodiment will be described in detail with a focus on differences from the fourth embodiment described above.

  FIG. 24 is a flowchart showing the operation of the communication terminal 10 of the present embodiment. The processing shown in the present embodiment is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  Referring to FIG. 24 and FIG. 17 illustrating the operation of the fourth embodiment, the communication terminal 10 of the present embodiment first connects to the network (step S2401), and based on the information indicating the connection status, safety is achieved. The network determination and the communication path safety are calculated (determined) by the sex determination unit 170 (step S2403), and the connection is determined according to the correspondence diagram stored in the connection destination type determination unit 220 and the connection destination type storage unit 210. Up to the point where the category of the network being determined is determined (step S2405), the process is the same as in the fourth embodiment.

  When notified of the category, the communication application 250 performs a process of limiting the functions of the application depending on the notified category (step S2406).

  For example, if the application is a mailer for the category to which the connected network belongs, the user ID and password flow in clear text on the communication path, so it is not possible to obtain mail by POP3. The application can be restricted according to the category.

  Also, for example, if the application is a WEB browser for the category to which the connected network belongs, the user ID and password flow in clear text on the communication path, so basic authentication is not possible. The application can be restricted according to the category.

  In addition, for example, functions such as non-encrypted data are not communicated, and a warning pop-up appears when information about credit card numbers etc. is sent with a browser form etc. By providing an application, it is possible to restrict functions according to the category.

  In addition to this, it is possible to limit various functions.

  In addition, the communication application 250 has a function of restricting functions other than the communication function with respect to the category. For example, by providing functions such as restricting file saving processing and printing processing for the category to which the connected network belongs, it becomes possible to restrict the function according to the category. . In addition to this, it is possible to limit various functions. In addition, it is possible to make a certain function available in the case of a certain category instead of the framework of restriction.

  In the present embodiment, it has been described above that the connection destination type storage unit 210 and the connection destination type determination unit 220 can be implemented even if they are not included in the constituent elements. In this case, the communication application 250 is notified of the reliability of the network and the safety of the communication path. However, the communication application 250 is connected according to the network reliability and the communication path safety value notified by the communication application 250. It is also possible to apply function restrictions corresponding to the part related to the security of the existing network.

  Specifically, when the network reliability value notified by the communication application 250 is 1, the user ID and password are transmitted, or information related to the credit card is transmitted. When the network reliability value notified in 250 is 0, it is possible to restrict functions such as not transmitting a user ID and password, and not transmitting information related to a credit card.

  Further, when the safety value of the communication path notified in the communication application 250 is 1, the user ID and password are transmitted in clear text at the application level, but the communication path notified in the communication application 250 When the security value is 0, it is possible to restrict functions such as not transmitting the user ID and password in clear text and not transmitting information related to the credit card.

  About subsequent operation | movement (step S2407-step S2408), the operation | movement (step S1706-step S1707) similar to 4th Embodiment is performed.

  As described above, according to the present embodiment, the execution of application functions that are at risk of security vulnerabilities is restricted based on the determined category, or the execution of some or all of the application functions is restricted. , Limiting the execution of some or all of the functions of the application including the notified middleware, and presenting a warning. Further, the output display unit 190 may output that the execution of the application function is restricted.

  Further, the seventh embodiment of the present invention can be combined with any of the first to sixth embodiments of the present invention described above, and further from the first embodiment. The present invention can be combined with an invention combining any invention up to the sixth embodiment.

(Effect of 7th Embodiment)
Next, effects of the seventh exemplary embodiment for carrying out the present invention will be described.

  In the seventh embodiment of the present invention, for example, by having application activation availability determination information for determining whether an application can be activated corresponding to the category or security information, the category or network to which the connected network belongs is included. Based on information related to security, a function for enabling or disabling the function of the communication application 250 or the application notified thereof is provided for the application. For this reason, when connecting to a certain network, it is necessary to prevent certain functions from being used, or when connected to an unreliable network from a security perspective, personal information such as credit cards is important. It is possible to implement a mechanism that prevents leaked information from being leaked.

(Eighth embodiment)
Next, an eighth embodiment of the present invention will be described in detail with reference to the drawings.

(Configuration of the eighth embodiment)
FIG. 25 is a block diagram showing the configuration of the communication terminal 10 according to the eighth embodiment of the present invention. The communication terminal 10 according to the eighth embodiment includes the application activation interface unit 280, the application activation management unit 260, the application activation management storage unit 290, and the application group 270, and thus the communication terminal according to the seventh embodiment described above. Different from 10.

  The application activation interface unit 280 is an interface for activating an application of the application group 270, and has a function of requesting the application activation management unit 260 to activate an application.

  The application activation management unit 260 determines whether or not the application requested from the application activation interface unit 280 can be activated. Has a function of not starting the application.

  Whether the application activation management unit 260 may activate the application based on the information notified from the connection destination type determination unit 220 in comparison with the information stored in the application activation management storage unit 290. It has a function to determine whether or not.

  The application activation management storage unit 290 stores each category stored in the connection destination type storage unit 210 for each application in the application group 270.

  FIG. 26 shows an application activation availability determination criterion table 291 that is an example of a criterion table for determining whether or not activation can be performed for a connection destination corresponding to each application stored in the application activation management storage unit 290.

  Referring to FIG. 26, for example, a value of 1 in the table means that the application may be activated, and a value of 0 means that the application cannot be activated. From this table, for example, it can be understood that the application 01 can be activated when connected to any connection destination. Further, for example, it can be seen that the application 02 can be activated when connected to the office, but cannot be activated at other locations.

  The application group 270 includes an application included in the communication terminal 10 and is activated in accordance with a request from the application activation management unit 260.

(Operation of the eighth embodiment)
Next, the operation of the communication terminal 10 according to the present embodiment will be described in detail with a focus on differences from the above-described embodiment.

  FIG. 27 is a flowchart showing the operation of the communication terminal 10 of the present embodiment. The processing shown in the present embodiment is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  Referring to FIG. 27 and FIG. 24 illustrating the operation of the seventh embodiment, the connection destination type determination unit 220 determines the category of the connected network from the connection to the network in the communication terminal 10 of the present embodiment. The processing so far (steps S2401 to S2405) is the same as the operation (steps S2401 to S2405) of the seventh embodiment described above.

  Next, the connection destination type determination unit 220 holds the acquired category (step S2706).

  Next, when the connection destination type determination unit 220 attempts to start an application via the application start interface unit 280, the application start interface unit 280 requests the application start management unit 260 to start the application ( Step S2707).

  Next, the application activation management unit 260 requested to activate the application determines whether the application can be activated on the network designated to be currently connected (step S2708).

  Specifically, based on the application name and each of the categories acquired from the connection destination type determination unit 220, the application activation management unit 260 determines whether the application activation can be performed in the application activation management storage unit 290. Judgment is made from the determination table 291 (see FIG. 26). For example, if the category of the application to be started up (application 01) is “office”, the value is 1 in the table, so that it is permitted to start up.

  Note that if there is no category corresponding to the application activation availability determination criterion table 291 in the application activation management storage unit 290, the application activation management unit 260 accepts activation as a default process, or does not permit It is preferable to set in advance to perform processing.

  Next, the application activation management unit 260 actually activates the application in the application group 270 only when activation is permitted (step S2709).

  About subsequent operation | movement (step S2710-step S2711), the operation | movement (step S2407-step S2408) similar to 7th Embodiment is performed.

  In this embodiment, the connection destination type storage unit 210 and the connection destination type determination unit 220 are configured to determine the category classification and confirm the activation right of the application. The connection start type determination unit 220 is not provided, and the application start management unit 260 is directly notified of information on the reliability of the network and the safety of the communication path from the safety standard determination unit 170, and the application start management for the application start conditions for these is provided. By storing the information in the storage unit 290, it may be configured to determine whether the application can be activated based on information indicating the reliability of the network and the safety of the communication path.

  As described above, the present embodiment restricts the execution of application functions that are at risk of security vulnerabilities based on the determined category and the application activation availability determination reference table, Limit the execution of all or part of the program, present a warning, etc. Further, the output display unit 190 may output that the execution of the application function is restricted.

  Further, a configuration in which a device apparatus is used instead of the application group 270 in the present embodiment is also possible. In this case, for example, by having device activation availability determination information that determines whether the device can be activated in accordance with the category, for example, the camera function is limited for each connected network, the audio output is limited, Configuration and processing such as limiting telephone functions are possible.

  Further, the eighth embodiment of the present invention can be combined with any of the first to seventh embodiments of the present invention described above, and further, the eighth embodiment to the first embodiment. It is also possible to combine the invention with any embodiment up to the seventh embodiment.

  Note that, in the eighth embodiment of the present invention, a function for restricting writing to and reading from the file system from an application may be provided instead of the application activation management unit 260. In this case, the communication terminal 10 holds read / write permission determination information for determining whether the application can read or write to the file system in advance in association with the determined category, thereby supporting the connected network. Thus, it is possible to restrict writing and reading of the application to the file system.

(Effect of 8th Embodiment)
Next, effects of the eighth exemplary embodiment for carrying out the present invention will be described.

  In the present embodiment, the application activation management storage unit 290 stores an application activation management determination criterion table 291 that is a criterion table for determining whether or not activation can be performed for a connection destination corresponding to each application stored in the application activation management storage unit 290. 290 holds a function for determining whether or not an application included in the communication terminal 10 can be executed according to the type of the connected network, the reliability of the network, and the safety of the communication path. For this reason, it is possible to execute a certain application only when connected to a certain network, and to disable execution of a certain application when connected to a certain network.

  Further, by configuring the device to control the device instead of the application, it is possible to obtain an effect that the camera and the audio output device can be used only when connected to a specific network.

(Ninth embodiment)
Next, a ninth embodiment of the present invention will be described in detail with reference to the drawings.

(Configuration of the ninth embodiment)
FIG. 28 is a block diagram showing the configuration of the communication terminal 10 according to the ninth embodiment of the present invention. The communication terminal 10 according to the ninth embodiment includes a firewall 300 on the data communication path between the communication application 250 and the communication control unit 140, and the notification from the connection destination type determination unit 220 is performed to the firewall 300. Thus, it is different from the communication terminal 10 according to the seventh embodiment described above.

  The firewall 300 has a function of relaying data communication performed between the communication application 250 and the communication control unit 140, and relays data or does not relay data based on a policy held by the firewall 300. And a function for dynamically changing a policy to be applied based on a category from the connection destination type determination unit 220.

  The connection type determination unit 220 has a function of notifying the firewall 300 of the determined category in the same manner as in the above-described embodiment.

(Operation of the ninth embodiment)
Next, the operation of the communication terminal 10 according to the present embodiment will be described in detail with a focus on differences from the above-described seventh embodiment. The processing shown in the present embodiment is realized by the CPU 301 of the computer constituting the communication terminal 10 moving the program 400 of the auxiliary storage unit 307 to the main storage unit 302 and executing it.

  First, the process (step S2401 to step S2405) from the connection to the network to the determination of the category of the connected network by the connection destination type determination unit 220 is the same as that in the seventh embodiment.

  Next, the connection destination type determination unit 220 according to the present embodiment notifies the determined category to the firewall 300, and the received firewall 300 is notified of which of the policies held by itself is applied. Based on the policy determined and applied, filtering processing is executed for the subsequent exchange of data between the communication application 250 and the communication control unit 140.

  Although it is possible for the firewall 300 to hold the policy to be applied by itself in advance, the firewall 300 may have a configuration in which the policy is stored in another function block or an authentication server and acquired appropriately.

  For the subsequent operations, the same operations as in the seventh embodiment (steps S2407 to S2408) are performed.

  As described above, according to the present embodiment, the firewall 300 has a policy (for example, data communication availability determination information) for determining whether or not data communication is allowed to be performed by the application via the wireless communication interface unit 150 in accordance with the category. Then, based on the determined category and the above policy, it is determined whether data communication is possible. In addition, the determination result of whether or not data communication is possible may be visually output from the output display unit 190.

  Further, the ninth embodiment of the present invention can be combined with any of the first to eighth embodiments of the present invention described above, and further, the first embodiment. It is also possible to combine with the invention which combined arbitrary embodiment from 8th to 8th Embodiment.

(Effect of 9th Embodiment)
Next, effects of the ninth exemplary embodiment for carrying out the present invention will be described.

  In the present embodiment, for example, data communication between the communication application 250 and the communication control unit 140 that determines whether or not data communication can be performed by the application via the wireless communication interface unit 150 corresponding to the category or the security information. A firewall 300 that holds permission determination information is provided, and information related to the connection destination network is notified to the firewall 300. For this reason, for example, data communication can be performed or not performed according to the connected network, so that the firewall policy can be dynamically applied.

  In this embodiment, a plurality of wireless communication interface units 150 that can be used simultaneously are provided, and a session management unit (not shown) is used as a constituent element instead of the firewall 300, and the session management unit is connected at the start of a session. By appropriately reading out the category from the destination type determination unit 220, the network application dynamically determines the network security information, the network reliability information, and the communication path safety information and the category when the session start request is received from the communication application 250. 250 may be notified.

  When the communication application 250 requests the session management unit to start a session, the communication application 250 can acquire the category or security information corresponding to the session, and then consider safety for communication performed in the session. Is possible.

  According to the present invention, the present invention can be applied to a communication terminal in a network system that requires a communication terminal having a wireless interface. In particular, the communication terminal can be prevented from connecting to an unauthorized network, and communication safety can be easily grasped. Make it possible.

It is a network block diagram explaining the radio | wireless communications system by 1st Embodiment. It is a block diagram which shows the structure of the communication terminal by 1st Embodiment. It is a block diagram which shows the hardware constitutions of the communication terminal by 1st Embodiment. It is a flowchart which shows operation | movement of the communication terminal by 1st Embodiment. It is a figure which shows the storage format of the safety standard memory | storage part in the case of WLAN by 1st Embodiment. It is a network block diagram explaining the extended example of the radio | wireless communications system by 1st Embodiment. It is a figure which shows the network structure explaining the radio | wireless communications system by 2nd Embodiment. It is a flowchart which shows operation | movement of the communication terminal by 2nd Embodiment. It is a figure which shows the storage format of the safety standard memory | storage part in the case of VPN by 2nd Embodiment. It is a flowchart which shows operation | movement of the communication terminal by 2nd Embodiment. It is a flowchart which shows operation | movement of the communication terminal by 2nd Embodiment. It is a network block diagram explaining the radio | wireless communications system by 3rd Embodiment. It is a block diagram which shows the structure of the communication terminal by 3rd Embodiment. It is a figure which shows the storage format of the safety standard memory | storage part in the case of the mobile telephone network connection by 3rd Embodiment. It is a block diagram which shows the structure of the communication terminal by 4th Embodiment. It is a response | compatibility figure which shows the reference | standard for determining the connection destination classification by 4th Embodiment. It is a flowchart which shows operation | movement of the communication terminal by 4th Embodiment. It is a figure which shows the storage format of the safety standard memory | storage part in the case of WLAN by 5th Embodiment. It is a figure which shows the storage format of the safety standard memory | storage part in the case of VPN by 5th Embodiment. It is a corresponding figure which shows the standard for determining the connection destination classification by 5th Embodiment. It is a figure which shows the example of a display on the screen by 5th Embodiment. It is a block diagram which shows the structure of the communication terminal by 6th Embodiment. It is a block diagram which shows the structure of the communication terminal by 7th Embodiment. It is a flowchart which shows operation | movement of the communication terminal by 7th Embodiment. It is a block diagram which shows the structure of the communication terminal by 8th Embodiment. It is a response | compatibility figure which shows the possibility of starting of the application in the connection destination by 8th Embodiment. It is a flowchart which shows operation | movement of the communication terminal by 8th Embodiment. It is a block diagram which shows the structure of the communication terminal by 9th Embodiment.

Explanation of symbols

10: Communication terminal 20, 30, 2030: Access point (base station)
25: BS (base station)
40: Public network 50: Private network 60: Authentication server 70: VPN / GW unit 80: Internet 90: Mobile phone network 110: Connection setting input unit 120: Connection setting storage unit 130: Connection destination determination unit 140: Communication control unit 150 : Wireless communication interface unit 155: mobile phone network communication interface unit 160: safety standard storage unit 161, 162, 163, 164, 165, 166, 167, 168, 169: safety standard information 170: safety standard determination unit 180: safety Display unit 190, 191: Output display unit 210: Connection destination type storage unit 211, 212: Category classification information 220: Connection destination type determination unit 230: Processing mode storage unit 240: Processing mode determination unit 250: Communication application 260: Application activation Management Department 2 0: application gun 280: application boot interface unit 290: application start managing storage unit 291: application activation determination criteria table 300: firewall 301: CPU
302: Main storage unit 303: Communication control unit 304: Presentation unit 305: Input unit 306: Interface unit 307: Auxiliary storage unit 308: System bus 400: Program 500: Internet

Claims (38)

In the communication terminal of the communication system connected to the network from the communication terminal via the base station,
A communication terminal that generates and outputs security information related to the connected network in a predetermined format with a small amount of information. Determining the safety of the network based on safety standard information for determining the presence or absence of safety of the network;
The communication terminal according to claim 1, wherein the security information is generated in a predetermined format with a small amount of information based on the safety determination result. The safety standard information is set for each security information as a binary value indicating whether safety is present or not,
Determining the security of the network based on the security information and the safety standard information;
The communication terminal according to claim 2, wherein the security information is generated as a binary value indicating whether the network is safe or unsafe. The safety standard information is set as a numerical value within a predetermined numerical range for the presence or absence of safety for each security information,
Determining the security of the network based on the security information and the safety standard information;
The communication terminal according to claim 2, wherein the security information is generated with a value within a predetermined numerical range. The safety standard information is set for each security information as a binary value indicating whether it is safe or not, and for each security information, it is set as a numerical value within a predetermined numerical range. And
Determining the security of the network based on the security information and the safety standard information;
The method according to claim 2, wherein the security information is switched between generation of a binary value indicating whether the network is safe or unsafe and generation of the security information with a value within a predetermined numerical range. Communication terminal. Based on the safety determined for each of the security information in each connected communication path on the network, determine the integrated safety that integrates a plurality of the safety,
The communication terminal according to any one of claims 2 to 5, wherein the security information in a predetermined format with a small amount of information is generated based on the determination result of the integrated safety. The security information includes information related to encryption of a communication path to the network,
The communication terminal according to any one of claims 2 to 6, wherein the safety is determined based on information related to encryption of the communication path and the safety standard information. The security information includes information related to the reliability of the network to be connected,
The communication terminal according to any one of claims 2 to 7, wherein the safety is determined based on information related to reliability of the network and the safety standard information. The category to which the network of the connection destination belongs is determined based on the category determination information for determining the category to which the network of the connection destination belongs, which is set in advance in association with each piece of information related to the reliability of the network to be connected. The communication terminal according to claim 8. Limiting the execution of part or all of the functions held by the application based on the application activation availability determination information for determining whether the application can be activated according to at least one of the category and the security information The communication terminal according to claim 9, wherein: Corresponding to at least one of the category and the security information, determining whether or not the data communication is possible based on data communication availability determination information for determining whether or not the data communication can be performed by an application via a wireless interface. The communication terminal according to claim 9 or 10, wherein the communication terminal is characterized in that: The communication terminal according to claim 11, wherein a plurality of pieces of data communication availability determination information can be held or acquired. Has multiple communication interfaces that can be used simultaneously,
When the application establishes a session for initiating communication, the determined category is obtained,
13. The system according to claim 9, further comprising: generating at least one of a category and security information corresponding to the session based on at least one of the acquired or notified security information. The communication terminal described in 1. Based on the read / write determination information for determining whether the application of the communication terminal can read or write to the file system in advance in association with at least one of the determined category or the notified security information The communication terminal according to any one of claims 9 to 13, wherein reading or writing to a file system in an application included in the communication terminal is restricted. The communication terminal according to any one of claims 9 to 14, wherein execution of a function having a risk of security vulnerability among functions possessed by the application is restricted. The communication according to any one of claims 9 to 15, wherein warning information is generated when there is the application that restricts execution of part or all of functions based on the application activation availability determination information. Terminal. Based on the device execution availability determination information for determining whether or not the device included in the communication terminal is set in advance in association with at least one of the determined category or the notified security information, the communication terminal The communication terminal according to any one of claims 9 to 16, wherein whether or not a device including the device is executable is determined. Having an output device,
Generating at least one of the received security information or the determined safety in a predetermined format with a small amount of information using the output device, and outputting in a format that can be easily judged visually The communication terminal according to any one of claims 2 to 17, wherein: The communication terminal according to claim 18, wherein the output device outputs the determined category together with the determined safety value in a predetermined format with a small amount of information. 20. The information set in advance according to the safety value is output together with the security information generated in a predetermined format with a small amount of information. The communication terminal described in 1. A program executed on the communication terminal of the communication system connected to the network from the communication terminal via the base station,
A program for causing the communication terminal to have a function of generating and outputting security information related to the connected network in a predetermined format with a small amount of information. A function for determining the safety of the network based on safety standard information for determining the presence or absence of safety of the network;
The program according to claim 21, wherein the communication terminal is provided with a function of generating the security information in a predetermined format with a small amount of information based on the safety determination result. A function for determining the safety for each security information in each communication path to be connected among the information on the network;
Based on the determined safety determination result, a function for determining integrated safety obtained by integrating a plurality of safety,
23. The program according to claim 22, wherein the communication terminal has a function of generating the security information in a predetermined format with a small amount of information based on the determined determination result of the integrated safety. The communication terminal has a function of determining the category based on category determination information for determining a category to which a connection destination network belongs, which is set in advance in association with information on reliability of the network to be connected among the security information. 24. The program according to any one of claims 21 to 23, wherein the program is stored in the program. Based on application activation availability determination information that determines whether or not an application can be activated corresponding to at least one of the category or the security information,
25. The program according to claim 24, wherein the communication terminal has a function of restricting execution of part or all of the functions held by the application. Based on the device execution availability determination information for determining whether or not the device included in the communication terminal is set in advance in association with at least one of the determined category or the notified security information, the communication terminal 26. The program according to claim 24 or 25, wherein the communication terminal is provided with a function of determining whether or not a device having the function can be executed. In a communication system for connecting to a network from a communication terminal via a base station,
The communication terminal is
A communication system, wherein security information relating to the connected network is generated and output in a predetermined format with a small amount of information. The communication terminal is
Determining the safety of the network based on safety standard information for determining the presence or absence of safety of the network;
28. The communication system according to claim 27, wherein the security information in a predetermined format with a small amount of information is generated based on the safety determination result. The communication terminal is
Based on the safety determined for each of the security information in each connected communication path on the network, determine the integrated safety that integrates a plurality of the safety,
The communication system according to claim 28, wherein the security information in a predetermined format with a small amount of information is generated based on the determination result of the integrated safety. The communication terminal is
Of the security information, the category is determined based on category determination information for determining a category to which a network of a connection destination belongs, which is set in advance in association with information on reliability of the network to be connected. 30. A communication system according to claim 28 or claim 29. The communication terminal is
Based on application activation availability determination information that determines whether or not an application can be activated corresponding to at least one of the category or the security information,
31. The communication system according to claim 30, wherein execution of part or all of the functions possessed by the application is restricted. The communication terminal is
Based on the device execution availability determination information for determining whether or not the device included in the communication terminal is set in advance in association with at least one of the determined category or the notified security information, the communication terminal 32. The communication system according to claim 30, wherein whether or not to execute the device is determined. In the security information output method of the communication terminal of the communication system connected to the network from the communication terminal via the base station,
A security information output method comprising a step in which the communication terminal generates and outputs security information related to the connected network in a predetermined format with a small amount of information. The communication terminal is
Determining the safety of the network based on safety standard information for determining the presence or absence of safety of the network;
34. The security information output method according to claim 33, further comprising: generating the security information in a predetermined format with a small amount of information based on the safety determination result. The communication terminal is
Determining the safety for each security information in each communication path to be connected;
Determining integrated safety based on the determined safety and integrating a plurality of safety;
35. The security information output method according to claim 34, further comprising: generating the security information in a predetermined format with a small amount of information based on the determined integrated safety. The communication terminal is
A step of determining the category based on category determination information for determining a category to which a network of a connection destination belongs, which is set in advance in association with each piece of information related to the reliability of the network to be connected among the security information. 36. The security information output method according to any one of claims 33 to 35, wherein: The communication terminal is
Based on application activation availability determination information that determines whether or not an application can be activated corresponding to at least one of the category or the security information,
37. The security information output method according to claim 36, further comprising a step of restricting execution of part or all of the functions possessed by the application. The communication terminal is
Based on the device execution availability determination information for determining whether or not the device included in the communication terminal is set in advance in association with at least one of the determined category or the notified security information, the communication terminal 38. The security information output method according to claim 36 or 37, further comprising the step of determining whether or not to execute the device.

Images