JP2007274722A - Proxy authentication system and method, and mobile terminal thereof - Google Patents

Info

Publication number
JP2007274722A
Authority
JP
Japan
Prior art keywords
server
proxy
data
mobile terminal
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
JP2007131745A
Other languages
Japanese (ja)
Inventor
Kenji Soga
健二 曽我
Toru Katayama
透 片山
Yoshihiro Suzuki
祐宏 鈴木
Masaaki Takizawa
政明 瀧澤
Naoki Sasamura
直樹 笹村
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
NEC Informatec Systems Ltd
Original Assignee
NEC Corp
NEC Informatec Systems Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp and NEC Informatec Systems Ltd
Priority to JP2007131745A
Publication of JP2007274722A
Legal status: Pending

Abstract

PROBLEM TO BE SOLVED: To provide a proxy authentication system in which a proxy verification server checks a signature added to transmitted data instead of a mobile terminal having poor processing ability.

SOLUTION: The mobile terminal 2 produces a procedure with respect to data transmitted from a service server 1, and transmits data with a signature and the produced procedure to the proxy authentication server 3 which is previously registered on a reliable proxy server list 26 and can guarantee authenticity. The proxy authentication server checks the signature instead of the mobile terminal. When the signature is recognized as being authentic, the proxy authentication server performs a data process in association with the service server in accordance with the procedure transmitted from the mobile terminal.

COPYRIGHT: (C)2008, JPO&INPIT

Description

The present invention relates to a proxy verification system in which, in place of a mobile terminal with poor processing capability, a proxy verification server authenticated by a server certificate verifies the signature attached to data that has been sent.

FIG. 2 shows an outline of a conventional verification system using a mobile terminal. The mobile terminal 2 contains server authentication means 21, data reception means 22, data processing means 27, signature verification means 28, and data transmission means 29. The opposing service server 1 consists of certificate sending means 11, data transmission means 12, and data reception means 13.

In this configuration, when the mobile terminal 2 receives the server certificate from the certificate sending means 11 of the service server 1, it verifies the certificate with the server authentication means 21. When signed data arrives from the data transmission means 12 of the service server 1, the data reception means 22 receives the data, the data processing means 27 processes the received data, and the signature verification means 28 verifies the received data against the signature. If they match, the data transmission means 29 sends the result of the processing performed by the data processing means 27 to the data reception means 13 of the service server 1.

In this conventional configuration, because the mobile terminal has poor processing capability, heavy verification processing such as server certificate verification and data signature verification either cannot be performed or takes a very long time.

FIG. 3 shows an example of an authentication agency system that attempts to solve this problem (see, for example, Patent Document 1). In this system, the server certificate sent from the service server 1 is verified by the certificate verification means 41 of an authentication agent device 4 arranged outside the mobile terminal 2.
Patent Document 1: Japanese Patent Laid-Open No. 2001-197055

However, when the certificate verification means is arranged outside the mobile terminal 2 as in the conventional authentication agency system, the mobile terminal 2 has no certificate verification means and therefore cannot establish the legitimacy of the authentication agent device that holds it. The result of signature verification performed by an authentication agent device whose legitimacy has not been established cannot be trusted.

Accordingly, an object of the present invention is to provide a proxy verification system and method, and a mobile terminal therefor, in which a proxy verification server verifies the signature attached to data that has been sent, in place of a mobile terminal with poor processing capability.

To solve the above problem, in the present invention the mobile terminal authenticates the proxy verification server and thereby recognizes it as trustworthy. The mobile terminal creates processing content for the data sent from the service server, and sends the signed data and the created processing content to the proxy verification server it has recognized as trustworthy. The proxy verification server verifies the signature on behalf of the mobile terminal and, if the signature is found to be correct, performs data processing with the service server in accordance with the processing content sent from the mobile terminal.

The first effect of the present invention is that signed data from the service server can be verified in a system that uses a mobile terminal with poor processing capability. This is because signature verification is performed on the terminal's behalf by a proxy verification server whose legitimacy has been confirmed by server authentication.

The second effect is that the mobile terminal can disconnect from the proxy verification server after transferring the signed data and the processing content to it. This is because the mobile terminal has transferred all the data the proxy verification server needs, namely the signed data and the processing content, so the proxy verification server no longer needs the mobile terminal once it has received them.

Next, the best mode for carrying out the present invention will be described with reference to the drawings.

FIG. 1 shows the configuration of a first embodiment of the present invention. It consists of a mobile terminal 2, a service server 1 that provides services to the mobile terminal 2, and a proxy verification server 3 that acts on behalf of the mobile terminal 2.

The service server 1 consists of certificate transmission means 11 that sends the server certificate of the service server 1, data transmission means 12 that transmits data, and data reception means 13 that receives data.

The mobile terminal 2 consists of server authentication means 21 that performs server authentication from a server certificate, data reception means 22 that receives data, process creation means 23 that creates processing content from the received data, data transfer means 24 that transfers data, a trusted proxy server list 26 in which proxy servers whose legitimacy can be guaranteed are registered, and transfer destination control means 25 that transfers signed data to a proxy server registered in the trusted proxy server list 26. The trusted proxy server list 26 holds a pre-registered list of pairs, each consisting of a proxy server whose legitimacy can be guaranteed and its connection method. The transfer destination control means 25 selects one of the proxy servers registered in advance in the trusted proxy server list 26 and transfers the data to that proxy server.

The proxy server 3 consists of signature verification means 32 that verifies the signed data received from the mobile terminal, and process execution means 33 that executes data processing based on the processing content received from the mobile terminal.

Next, the operation of this embodiment will be described. In this embodiment, the transfer destination control means 25 selects one of the proxy servers registered in advance in the trusted proxy server list 26, whose legitimacy can be guaranteed, and transfers the data to that proxy server.

When the mobile terminal 2 receives a service from the service server 1, it first receives the server certificate of the service server 1 from the certificate transmission means 11 of the service server 1. Having received the server certificate, the mobile terminal 2 verifies it with the server authentication means 21. If the verification finds the server certificate to be valid, the mobile terminal 2 regards the service server 1 as a legitimate service server and carries out the subsequent steps.

Using the data transmission means 12, the service server 1 attaches the service server's signature to the data to be transmitted and sends the signed data to the mobile terminal 2.

In the mobile terminal 2, the data reception means 22 receives the signed data, and the process creation means 23 creates processing content based on the received data. The data transfer means 24 transfers the signed data received by the data reception means 22 together with the processing content that the process creation means 23 created for that data. The transfer destination control means 25 forwards the data from the data transfer means 24 to the proxy server 3, which is registered in advance in the trusted proxy server list 26 and whose legitimacy can be guaranteed.

In the proxy server 3, the signature verification means 32 receives the signed data and the processing content, and verifies the signature. If the data and the signature match, the process execution means 33 executes the processing content sent from the mobile terminal 2 with the service server 1.

Next, the effects of this embodiment will be described. In this embodiment, the signature is verified by the signature verification means 32 of the proxy server 3, so the signature can be verified without using the poor processing capability of the mobile terminal. This reduces the load on the mobile terminal and speeds up verification.

Also, in this embodiment the proxy server is not authenticated by a server certificate, so the load of authentication processing can be reduced. Instead, because the transfer destination control means 25 transfers data only to servers registered in the trusted proxy server list 26, the legitimacy of the proxy server is guaranteed even though authentication of the proxy server by server certificate is omitted.
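
The operation of this embodiment and the list-only forwarding rule described above, as an added example that is not part of the patent text: the terminal forwards signed data only to a proxy on its trusted list, and the proxy executes the processing content only if the signature verifies. Ed25519, the proxy already holding the service server's public key, the in-process "connection method", and all names and sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var (
	ErrUntrusted = errors.New("destination is not in the trusted proxy server list")
	ErrBadSig    = errors.New("signature does not match data")
)

// SignedData is what service server 1 sends: the data plus its signature.
type SignedData struct {
	Payload, Sig []byte
}

// Proxy models proxy verification server 3. Assumption: it already holds
// the service server's public verification key.
type Proxy struct{ ServicePub ed25519.PublicKey }

// Handle verifies the signature (means 32) and only then executes the
// terminal's processing content (means 33).
func (p *Proxy) Handle(d SignedData, processing string) (string, error) {
	if !ed25519.Verify(p.ServicePub, d.Payload, d.Sig) {
		return "", ErrBadSig
	}
	return fmt.Sprintf("executed %q for %q", processing, d.Payload), nil
}

// Terminal models mobile terminal 2. Trusted is list 26: proxy name ->
// connection method (here simply a pointer to the in-process proxy).
type Terminal struct{ Trusted map[string]*Proxy }

// Forward is transfer destination control means 25: it performs no signature
// check itself and hands data only to a pre-registered proxy.
func (t *Terminal) Forward(dest string, d SignedData) (string, error) {
	p, ok := t.Trusted[dest]
	if !ok {
		return "", ErrUntrusted
	}
	processing := "acknowledge" // process creation means 23 (constructed value)
	return p.Handle(d, processing)
}

// Setup builds a constructed scenario: a fresh service-server key pair, one
// registered proxy, and one signed sample message.
func Setup() (*Terminal, SignedData) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	payload := []byte("order=42;amount=100")
	sd := SignedData{Payload: payload, Sig: ed25519.Sign(priv, payload)}
	term := &Terminal{Trusted: map[string]*Proxy{"proxy-3.example": {ServicePub: pub}}}
	return term, sd
}

func main() {
	term, sd := Setup()
	fmt.Println(term.Forward("proxy-3.example", sd)) // valid data, listed proxy
	tampered := SignedData{Payload: []byte("order=42;amount=999"), Sig: sd.Sig}
	fmt.Println(term.Forward("proxy-3.example", tampered)) // rejected by the proxy
	fmt.Println(term.Forward("rogue.example", sd))         // never leaves the terminal
}
```

The processing content in this sketch is not covered by the service server's signature; only the data is, which matches the description that the terminal creates the processing content itself.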

The present invention can be applied to uses such as building a highly reliable service system using mobile terminals, in which a service is received only after the service server's certificate and the signature on data sent from the service server have been verified.

FIG. 1 is a configuration diagram of the first embodiment.
FIG. 2 is a schematic configuration diagram of a conventional verification system using a mobile terminal.
FIG. 3 is a schematic configuration diagram of a conventional authentication agency system.

Explanation of symbols

1 Service server
2 Mobile terminal
3 Proxy verification server

Claims (3)

A proxy verification system comprising:
a service server that attaches a signature to service data and transmits it;
a mobile terminal that receives signed data from the service server, creates processing content based on that data, and transfers it; and
a proxy verification server that verifies the signature of the signed data received from the mobile terminal and executes data processing,
wherein the mobile terminal has a trusted proxy server list in which proxy servers whose legitimacy can be guaranteed are registered in advance, and
transfer destination control means for transferring signed data to a server registered in the trusted proxy server list.

A proxy verification method, wherein a mobile terminal that receives signed data from a service server, creates processing content based on that data, and transfers it, transfers the signed data to a server registered in a trusted proxy server list in which proxy servers whose legitimacy can be guaranteed are registered in advance.

A mobile terminal that receives signed data from a service server, creates processing content based on that data, and transfers it, the mobile terminal comprising:
a trusted proxy server list in which proxy servers whose legitimacy can be guaranteed are registered in advance; and
transfer destination control means for transferring signed data to a server registered in the trusted proxy server list.

JP2007131745A 2007-05-17 2007-05-17 Proxy authentication system and method, and mobile terminal thereof Pending JP2007274722A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2007131745A JP2007274722A (en) 2007-05-17 2007-05-17 Proxy authentication system and method, and mobile terminal thereof

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
JP2005098178A Division JP2006277534A (en) 2005-03-30 2005-03-30 Representative verification system and method, and its portable terminal

Publications (1)

Publication Number Publication Date
JP2007274722A true JP2007274722A (en) 2007-10-18

Family

ID=38676951

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2007131745A Pending JP2007274722A (en) 2007-05-17 2007-05-17 Proxy authentication system and method, and mobile terminal thereof

Country Status (1)

Country Link
JP (1) JP2007274722A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011041080A (en) * 2009-08-13 2011-02-24 Konica Minolta Business Technologies Inc Authentication system, authentication device, and method and program for controlling them

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001197055A (en) * 2000-01-07 2001-07-19 Nippon Steel Corp Device, method, and service system for proxy authentication and computer-readable recording medium
JP2004153388A (en) * 2002-10-29 2004-05-27 Ntt Data Corp Apparatus for generating expired certificate information, apparatus for verifying validity of certificate, apparatus for disclosing expired certificate information, and program thereof
JP2004172908A (en) * 2002-11-19 2004-06-17 V-Sync Co Ltd Communication system, communication method, and program

Similar Documents

Publication Publication Date Title
KR101904177B1 (en) Data processing method and apparatus
US8560834B2 (en) System and method for client-side authentication for secure internet communications
US8943310B2 (en) System and method for obtaining a digital certificate for an endpoint
TW201822072A (en) Two-dimensional code processing method, device and system
US8321678B2 (en) System and method to send a message using multiple authentication mechanisms
US8555069B2 (en) Fast-reconnection of negotiable authentication network clients
US20150172064A1 (en) Method and relay device for cryptographic communication
KR101570656B1 (en) Method and system for identifying anonymous entity
KR101571225B1 (en) Method and device for anonymous entity identification
JP2003337868A5 (en) Service providing system, apparatus terminal and processing method thereof, authentication apparatus and method, service providing apparatus and method, and program
CN110943844B (en) Electronic document security signing method and system based on local service of webpage client
RU2004119442A (en) THREE-WAY CHECK AND AUTHENTICATION OF STARTUP FILES FORWARDED FROM THE SERVER TO THE CLIENT
JP2009140275A (en) Non-contact ic card authentication system
CN110958119A (en) Identity verification method and device
JP2011049978A (en) Communication apparatus, method, program and system
US20080172719A1 (en) Method and apparatus for realizing accurate billing in digital rights management
US8452966B1 (en) Methods and apparatus for verifying a purported user identity
KR101446504B1 (en) Digital Signature Method Executed By Client Program Which Is Operated Independently From Web Browser
JP5391551B2 (en) Authentication system, server device, and authentication method
CN111225001B (en) Block chain decentralized communication method, electronic equipment and system
JP2006277534A (en) Representative verification system and method, and its portable terminal
JP2007274722A (en) Proxy authentication system and method, and mobile terminal thereof
CN116074061A (en) Data processing method and device for rail transit, electronic equipment and storage medium
CN113904873B (en) Authentication method, authentication device, computing equipment and storage medium
TWI599909B (en) Electronic signature verification system

Legal Events

Date Code Title Description
RD04 Notification of resignation of power of attorney

Free format text: JAPANESE INTERMEDIATE CODE: A7424

Effective date: 20080623

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20100629

A02 Decision of refusal

Free format text: JAPANESE INTERMEDIATE CODE: A02

Effective date: 20101027