JP2007272919A - Representative verification system and method, and its portable terminal - Google Patents

Publication number: JP2007272919A
Authority: JP (Japan)
Prior art keywords: server, data, proxy, certificate, portable terminal
Legal status: Withdrawn
Application number: JP2007131744A
Other languages: Japanese (ja)
Inventors: Kenji Soga (健二 曽我), Toru Katayama (透 片山)
Current Assignee: NEC Corp
Original Assignee: NEC Corp
Application filed by: NEC Corp
Priority to: JP2007131744A
Publication of: JP2007272919A

Abstract

PROBLEM TO BE SOLVED: To provide a representative verification system in which a representative verification server authenticated by a server certificate verifies the signature attached to received data in place of a portable terminal with poor throughput.

SOLUTION: By authenticating the representative verification server 3, the portable terminal 2 establishes that the representative verification server 3 is reliable. The portable terminal prepares processing contents for the data sent from a service server 1 and sends the signed data and the prepared processing contents to the representative verification server it has certified as reliable. The representative verification server verifies the signature in place of the portable terminal and, when the signature is found to be valid, performs data processing with the service server according to the processing contents sent from the portable terminal.

COPYRIGHT: (C)2008, JPO&INPIT

Description

The present invention relates to a proxy verification system in which a proxy verification server authenticated by a server certificate verifies the signature attached to received data, in place of a portable terminal with limited processing capability.

FIG. 2 shows an outline of a conventional verification system using a portable terminal. The portable terminal 2 contains server authentication means 21, data reception means 22, data processing means 27, signature verification means 28, and data transmission means 29. The service server 1 on the other side consists of certificate sending means 11, data transmission means 12, and data reception means 13.

In this configuration, when the portable terminal 2 receives a server certificate from the certificate sending means 11 of the service server 1, it verifies the certificate with the server authentication means 21. When signed data arrives from the data transmission means 12 of the service server 1, the data reception means 22 receives it and the data processing means 27 processes the received data. The signature verification means 28 then verifies the received data against its signature and, if they match, the data transmission means 29 sends the result of the processing performed by the data processing means 27 to the data reception means 13 of the service server 1.

In this conventional configuration, the portable terminal has little processing capability, so heavy verification work such as server certificate verification and data signature verification either cannot be performed or takes a very long time.

FIG. 3 shows an example of an authentication agency system that attempts to solve this problem (see, for example, Patent Document 1). In this system, the server certificate sent from the service server 1 is verified by the certificate verification means 41 of the authentication agent device 4 arranged outside the portable terminal 2.
Patent Document 1: Japanese Patent Laid-Open No. 2001-197055

However, when the certificate verification means is placed outside the portable terminal 2, as in the conventional authentication agency system, the portable terminal 2 has no certificate verification means of its own. It therefore cannot prove the legitimacy of the authentication agent device that holds the certificate verification means, and the result of signature verification performed by an authentication agent device whose legitimacy has not been proven cannot be trusted.

The object of the present invention is therefore to provide a proxy verification system and method, and a portable terminal for them, in which a proxy verification server authenticated by a server certificate verifies the signature attached to received data in place of a portable terminal with limited processing capability.

To solve the problem described above, in the present invention the portable terminal authenticates the proxy verification server and thereby recognizes the proxy verification server as trustworthy. The portable terminal creates processing contents for the data sent from the service server, and sends the signed data and the created processing contents to the proxy verification server it has recognized as trustworthy. The proxy verification server verifies the signature on behalf of the portable terminal and, if the signature is found to be correct, performs data processing with the service server in accordance with the processing contents sent from the portable terminal.

The first effect of the present invention is that signed data from the service server can be verified in a system that uses a portable terminal with poor processing capability. The reason is that signature verification is performed on the terminal's behalf by a proxy verification server whose legitimacy has been confirmed by server authentication.

The second effect is that the portable terminal can disconnect from the proxy verification server once it has transferred the signed data and the processing contents to it. The reason is that the portable terminal has then transferred everything the proxy verification server needs, namely the signed data and the processing contents, so the portable terminal is no longer required after the proxy verification server has received them.

Next, the best mode of the present invention will be described with reference to the drawings.

FIG. 1 shows the configuration of a first embodiment of the present invention. It consists of a portable terminal 2, a service server 1 that provides services to the portable terminal 2, and a proxy verification server 3 that acts on behalf of the portable terminal 2.

The service server 1 consists of certificate transmission means 11 that sends the server certificate of the service server 1, data transmission means 12 that transmits data, and data reception means 13 that receives data.

The portable terminal 2 consists of server authentication means 21 that authenticates a server from its server certificate, data reception means 22 that receives data, process creation means 23 that creates processing contents from the received data, data transfer means 24 that transfers data, a trusted proxy server list 26 in which proxy servers whose legitimacy can be guaranteed are registered, and transfer destination control means 25 that transfers signed data to a proxy server registered in the trusted proxy server list 26.

The proxy server 3 consists of certificate transmission means 31 that sends the server certificate of the proxy server, signature verification means 32 that verifies the signed data received from the portable terminal, and process execution means 33 that executes data processing based on the processing contents received from the portable terminal.

Next, the operation of this embodiment will be described. First, before receiving any service from the service server 1, the portable terminal 2 receives the server certificate of the proxy server 3 from the certificate transmission means 31 of the proxy server 3. Having received the server certificate, the portable terminal 2 verifies it with the server authentication means 21. If verification finds the server certificate valid, the portable terminal 2 regards the proxy server 3 as a legitimate proxy server and registers it in the trusted proxy server list 26 as the server that will act on its behalf whenever it subsequently receives a service from a service server.

Next, when the portable terminal 2 is to receive a service from the service server 1, it first receives the server certificate of the service server 1 from the certificate transmission means 11 of the service server 1. Having received the server certificate, the portable terminal 2 verifies it with the server authentication means 21. If verification finds the server certificate valid, the portable terminal 2 regards the service server 1 as a legitimate service server and carries out the following steps.

The service server 1 uses the data transmission means 12 to attach the service server's signature to the data to be sent and transmits the signed data to the portable terminal 2.

In the portable terminal 2, the data reception means 22 receives the signed data, and the process creation means 23 creates processing contents based on the received data. The data transfer means 24 transfers the signed data received by the data reception means 22 together with the processing contents that the process creation means 23 created for that data. The transfer destination control means 25 forwards the data from the data transfer means 24 to the proxy server 3 registered in the trusted proxy server list 26.

In the proxy server 3, the signature verification means 32 receives the signed data and the processing contents and verifies the signature. If the data and the signature match, the process execution means 33 executes the processing contents sent from the portable terminal 2 with the service server 1.
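
The registration, forwarding and verification steps above, as an added Python example that is not part of the patent text: the class and function names are hypothetical, and certificates and signatures are modelled with toy textbook RSA over constructed Mersenne-prime keys (illustration only). It assumes the terminal hands the proxy the service server's public key taken from the certificate it validated, a detail the description does not state.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook-RSA key from two primes (illustration only, not secure)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def h_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(h_int(msg, key["n"]), key["d"], key["n"])

def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == h_int(msg, pub["n"])

def cert_body(name, pub):
    return f"{name}|{pub['n']}|{pub['e']}".encode()

def issue_cert(ca_key, name, pub):
    """Constructed stand-in for a server certificate: the CA signs name + key."""
    return {"name": name, "pub": pub, "sig": sign(ca_key, cert_body(name, pub))}

def cert_valid(ca_pub, cert):
    return verify(ca_pub, cert_body(cert["name"], cert["pub"]), cert["sig"])

class Terminal:
    """Portable terminal 2: checks certificates only, never data signatures."""
    def __init__(self, ca_pub):
        self.ca_pub = ca_pub
        self.trusted_proxies = set()       # trusted proxy server list 26

    def register_proxy(self, cert):        # server authentication means 21
        ok = cert_valid(self.ca_pub, cert)
        if ok:
            self.trusted_proxies.add(cert["name"])
        return ok

    def forward(self, proxy_name, service_cert, data, sig, processing):
        # transfer destination control means 25: only listed proxies get data
        if proxy_name not in self.trusted_proxies:
            return None
        if not cert_valid(self.ca_pub, service_cert):
            return None
        return {"service_pub": service_cert["pub"], "data": data,
                "sig": sig, "processing": processing}

def proxy_handle(bundle):
    """Proxy verification server 3: verify the signature, then execute."""
    ok = verify(bundle["service_pub"], bundle["data"], bundle["sig"])
    return ("executed", bundle["processing"]) if ok else ("rejected", None)

# Constructed demo keys built from known Mersenne primes.
M = [2**k - 1 for k in (31, 61, 89, 107, 127)]
CA, ROGUE_CA = make_key(M[1], M[2]), make_key(M[0], M[1])
SERVICE, PROXY = make_key(M[2], M[3]), make_key(M[3], M[4])

if __name__ == "__main__":
    t = Terminal(public(CA))
    print(t.register_proxy(issue_cert(CA, "proxy3", public(PROXY))))
    print(t.register_proxy(issue_cert(ROGUE_CA, "rogue", public(PROXY))))
```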

Next, the effects of this embodiment will be described. In this embodiment the signature is verified by the signature verification means 32 of the proxy server 3, so the signature can be verified without drawing on the portable terminal's poor processing capability. This reduces the load on the portable terminal and speeds up verification.

Furthermore, in this embodiment the server authentication means 21 is placed in the portable terminal 2 and the certificate of the proxy server 3 is verified on the portable terminal, so the portable terminal 2 will not delegate to a malicious proxy server.

The present invention is applicable to uses such as building a highly reliable service system using portable terminals, in which a service is received only after the service server's certificate and the signature on data sent from the service server have been verified.

FIG. 1 is a block diagram of the first embodiment.
FIG. 2 is a schematic block diagram of a conventional verification system using a portable terminal.
FIG. 3 is a schematic block diagram of a conventional authentication agency system.

Explanation of symbols

1 Service server
2 Portable terminal
3 Proxy verification server

Claims (3)

A proxy verification system comprising:
a service server that attaches a signature to service data and transmits it;
a portable terminal that receives the signed data from the service server, creates processing contents based on the data, and transfers them; and
a proxy verification server that verifies the signature of the signed data received from the portable terminal and executes data processing,
wherein the proxy verification server has certificate transmission means for transmitting a server certificate, and
the portable terminal has server authentication means for receiving the server certificate from the proxy verification server, authenticating the server, and registering it in a trusted proxy server list if it is judged to be legitimate, and
transfer destination control means for transferring the signed data to a server registered in the trusted proxy server list.

A proxy verification method comprising the steps of:
a proxy verification server, which verifies the signature of signed data received from a portable terminal and executes data processing, transmitting a server certificate;
the portable terminal, which receives signed data from a service server, creates processing contents based on the data, and transfers them, receiving the server certificate from the proxy verification server, authenticating the server, and registering it in a trusted proxy server list if it is judged to be legitimate; and
transferring the signed data to a server registered in the trusted proxy server list.

A portable terminal that receives signed data from a service server, creates processing contents based on the data, and transfers them, the portable terminal comprising:
server authentication means for receiving a server certificate from a proxy verification server that verifies the signature of received signed data and executes data processing, authenticating the server, and registering it in a trusted proxy server list if it is judged to be legitimate; and
transfer destination control means for transferring the signed data to a server registered in the trusted proxy server list.

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2007131744A JP2007272919A (en) 2007-05-17 2007-05-17 Representative verification system and method, and its portable terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2007131744A JP2007272919A (en) 2007-05-17 2007-05-17 Representative verification system and method, and its portable terminal

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
JP2005098178A Division JP2006277534A (en) 2005-03-30 2005-03-30 Representative verification system and method, and its portable terminal

Publications (1)

Publication Number Publication Date
JP2007272919A true JP2007272919A (en) 2007-10-18

Family ID=38675593

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2007131744A Withdrawn JP2007272919A (en) 2007-05-17 2007-05-17 Representative verification system and method, and its portable terminal

Country Status (1)

Country Link
JP (1) JP2007272919A (en)

Similar Documents

Publication Publication Date Title
KR101904177B1 (en) Data processing method and apparatus
US8321678B2 (en) System and method to send a message using multiple authentication mechanisms
US8943310B2 (en) System and method for obtaining a digital certificate for an endpoint
US11336449B2 (en) Information processing apparatus, computer program product, and resource providing method
US8560834B2 (en) System and method for client-side authentication for secure internet communications
US20150172064A1 (en) Method and relay device for cryptographic communication
EP3308499B1 (en) Service provider certificate management
TW201822072A (en) Two-dimensional code processing method, device and system
JP2003337868A5 (en) Service providing system, apparatus terminal and processing method thereof, authentication apparatus and method, service providing apparatus and method, and program
CN109995710B (en) Local area network equipment management system and method
JP7096736B2 (en) System and data processing method
US11240246B2 (en) Secure confirmation exchange for offline industrial machine
CN110958119A (en) Identity verification method and device
CN110943844B (en) Electronic document security signing method and system based on local service of webpage client
JP2011049978A (en) Communication apparatus, method, program and system
US8081758B2 (en) Communication support server, communication support method, and communication support system
US8452966B1 (en) Methods and apparatus for verifying a purported user identity
CN114125027A (en) Communication establishing method and device, electronic equipment and storage medium
JP2006277534A (en) Representative verification system and method, and its portable terminal
KR101446504B1 (en) Digital Signature Method Executed By Client Program Which Is Operated Independently From Web Browser
CN113904873B (en) Authentication method, authentication device, computing equipment and storage medium
JP2007274722A (en) Proxy authentication system and method, and mobile terminal thereof
JP2007272919A (en) Representative verification system and method, and its portable terminal
JP2005311531A5 (en)
CN110324290B (en) Network equipment authentication method, network element equipment, medium and computer equipment

Legal Events

Date Code Title Description
A521 Request for written amendment filed. Free format text: JAPANESE INTERMEDIATE CODE: A821. Effective date: 20070615
RD04 Notification of resignation of power of attorney. Free format text: JAPANESE INTERMEDIATE CODE: A7424. Effective date: 20080623
A131 Notification of reasons for refusal. Free format text: JAPANESE INTERMEDIATE CODE: A131. Effective date: 20100302
A761 Written withdrawal of application. Free format text: JAPANESE INTERMEDIATE CODE: A761. Effective date: 20100419