JP2007286820A - Information sharing system and information sharing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information sharing system and a gateway device and method, capable of performing secure sharing of information by authenticating an information providing source by use of authentication information. <P>SOLUTION: A gateway device 21 of an information providing destination network requests an IP address of a processing server 14 of an information providing source network in a state where voice session is established by conversation service between IP phones, and when disclosure permission of IP address is reported, IP addresses of a print server 24 and a printer 23 of the information providing destination network are reported to the processing server 14, and the IP address of the processing server 14 is reported to the gateway device 21 of the information providing destination network. The reported IP address is stored, and in the information providing destination network, a formed one-time authentication key is reported to the information providing source network, whereby printing-out of digital information is performed when a received one-time authentication key is matched with the formed one-time authentication key. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an information sharing system and a gateway apparatus and method for sharing information between mutual networks, and in particular, by receiving information sharing only from a specific authentication partner by authentication of an information provider using authentication information. The present invention relates to an information sharing system, a gateway device, and a method that enable information sharing in consideration of safety.

  In general, when information such as an electronic document is shared by a plurality of users, information sharing can be performed by providing a device that can be commonly accessed by the sharing user, such as a document management server. When providing information to an unspecified number of people, it is possible to provide information to a third party by starting up a Web server or the like that provides Web content.

  Among them, when information is shared between specific users, it is common to share the information by simply transmitting the information using an e-mail function or a P2P (Peer to Peer) function.

  The information provider (user) who received the information can share information by referring to the provided content, but when making an inquiry about the content of the provided information to the information provider, For example, inquiries can be made using methods such as telephone, facsimile, electronic mail, and bulletin board. In this case, from the perspective of the provider who provided the information, if a specific information is provided, it can be easily determined that the inquiry is for that information. If so, it takes time to identify the information to be inquired.

  In response to the inquiry, the information provider may provide further information to the user who has made the inquiry as necessary. In such a case, in order to provide information immediately, it is necessary to constantly monitor the inquiry and to prepare the information to be provided in advance.

  As an example of a technology for providing information, there is a conventional technology that can provide a printing service for outputting information to a printer installed at the provider, where the information provider and the provider are at a long distance. 1 is disclosed.

  In the prior art disclosed in Patent Document 1, a proxy device that can communicate with a print server that cannot pass through a firewall by using IPP (Internet Printing Protocol) is provided, and a server site for the print server is established in the proxy device. Thus, the print server is regarded as an IPP server published on the Internet, and a print service request and a response can be exchanged.

  By using such a technology, it becomes possible to easily share necessary information between the information provider and the provider. However, in recent years, threats (risks) have been generated by exploiting rapidly developed technologies. It is also true that there is a need to protect the shared digital information from these threats.

Among such threats, there are DoS (Denial of Service) attacks, source IP address spoofing, and the like, and there is a possibility that unnecessary information is sent unrestricted by these threats.
JP 2003-58459 A

  However, in the prior art disclosed in Patent Document 1, a proxy device is provided so that communication can be performed across a firewall. However, it is necessary to know detailed information of the information providing destination printer in advance. There is a problem that information cannot be shared with a large number of providers.

  Further, in this conventional technique, since it is necessary to newly provide a proxy device, it takes a lot of time and a large amount of cost to construct the system.

  Furthermore, it is necessary to take measures in advance to protect against threats such as DoS (Denial of Service) attacks and source IP address spoofing.

  SUMMARY OF THE INVENTION An object of the present invention is to provide an information sharing system, a gateway device, and a method that enable highly secure information sharing by authenticating an information provider using authentication information.

  In order to achieve the above object, the invention of claim 1 establishes a call session between telephones provided at each point, and makes a transfer request of the digital information to a point of the other party that manages the digital information. In a shared information sharing system, a requesting unit that requests network identification information of a management apparatus that manages the digital information to a partner that manages the digital information, and the network identification received in response to the request by the requesting unit An information request transmitting unit that transmits an information request to which authentication information for authenticating the transmission source of the digital information is attached to the management device indicated by the information, and the information request transmitted by the information request transmitting unit from the other party to the information request Receiving means for receiving digital information to which authentication information is attached, and the receiving means received by the receiving means Confirmation means for confirming whether the authentication information given to the digital information matches the authentication information transmitted by the information request transmission means, and if the confirmation information confirms that the authentication information matches, the call The digital information to which the authentication information is assigned is shared between the points where the session is established.

  Further, the invention of claim 2 is characterized in that, in the invention of claim 1, authentication information for authenticating a transmission source of the digital information is created when the information request transmitting means transmits the information request. .

  The invention of claim 3 is the invention of claim 1 or 2, wherein the authentication information is one-time authentication information for performing one-time authentication, and the confirmation means uses the one-time authentication information for the digital information. It is characterized by authenticating the transmission source of information.

  According to a fourth aspect of the present invention, there is provided an information sharing method for sharing information by establishing a call session between telephones provided at each point and requesting transfer of the digital information to a point of the other party that manages the digital information. The network management information indicated by the network identification information received in response to the request by the requesting means, requesting the network identification information of the management apparatus managing the digital information to the other party managing the digital information. In addition, an information request to which authentication information for authenticating the transmission source of the digital information is attached is transmitted by an information request transmission unit, and the authentication information is given from the other party to the information request transmitted by the information request transmission unit. The digital information received by the receiving means and the authentication given to the digital information received by the receiving means If the confirmation information confirms whether the information matches the authentication information transmitted by the information request transmission means, and the confirmation means confirms that the authentication information matches, the authentication information between the points where the call session is established. The digital information to which is attached is shared.

  According to the present invention, an IP address of a client PC storing digital information is received from a network on the information providing side, and a one-time authentication key for authenticating the client PC of the IP address is created. The job request including the created one-time authentication key is sent to the information provider's network, the print data with the one-time authentication key is received, and the one-time authentication key is the same as the one-time authentication key sent. Since the printer is configured to print out from a certain case, there is an effect that unnecessary information is not sent from a third party and information can be shared in a state where high security is ensured.

  In addition, since the data session is established together with the voice session and the data communication is performed by the data session, the necessary information can be easily shared with each other without the need for information sharing. Also has the effect of becoming.

  Hereinafter, an embodiment of an information sharing system, a gateway apparatus and a method according to the present invention will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a system configuration diagram of an information sharing system configured by applying the information sharing system, gateway device and method according to the present invention.

  In FIG. 1, this information sharing system shares predetermined digital information with a communication partner of the communication service by using a communication service represented by broadband communication such as voice communication using a communication line, video or chat. It is a secure system by transferring a one-time authentication key (hereinafter referred to as “one-time authentication key”) to the other party of the communication service and receiving only information from the other party having the one-time authentication key. It is a system that secures the nature.

  As voice communication at this time, for example, there is an IP phone using VoIP (Voice over Internet Protocol) technology, and as broadband communication, there are real-time video distribution and video chat using a network camera.

  Information sharing is performed with a communication partner using such a communication service.

  In the following, an example in which “IP phone” is used as a communication service will be described.

  This information sharing system includes an information provider network 10 that accepts a call by an IP telephone and provides shared information, and an information provider network that receives the information by sending a call to the information provider network 10 using the IP telephone. The information providing destination network 20 composed of 20 and connected to the information providing source network 10 is composed of one or more network segments.

  The information providing source network 10 and the information providing destination network 20 are connected by a communication line. For example, in addition to Internet connection, a public line such as a VPN (Virtual Private Network) or a wide area Ethernet (registered trademark) service or a dedicated line is used. Connect using wires. Of course, not only these WAN (Wide Area Network) connections but also connections within a closed network using LAN cables may be used. In this case, it is indicated that the information providing source network 10 and the information providing destination network 20 are in the same network (within the LAN).

  The information providing source network 10 includes a gateway device 11, an IP phone 12, a client PC 13, and a processing server 14. The information providing destination network 20 includes a gateway device 21, an IP phone 22, a printer 23, a print server 24, A client PC 25 is provided. In this information sharing system configured by connecting these networks, the digital information stored in the storage area of the client PC 13 installed in the information providing source network 10 is printed out by the printer 23 installed in the information providing destination network 20. To share information between each other.

  Each device belonging to each network is a node connected by a LAN cable and can communicate with each other.

  Below, each node which comprises a network is demonstrated.

  First, in the information providing source network 10, the gateway device 11 is configured by a router or a layer 3 switch, and is installed at an edge portion of the network and has a function of bridging data communication between the information providing source network 10 and an external network. .

  The gateway device 11 holds route information to nodes constituting the information providing source network 10, and refers to the destination information (IP address, port number, MAC address, etc.) of the received data. Transfer data based on information. That is, the information providing source network 10 shown in FIG. 1 is composed of nodes of an IP telephone 12, a client PC 13, and a processing server 14, and transfers voice packets and the like to the IP telephone 12, and transfers other packets to the client PC 13. .

  In addition, the gateway device 11 receives an IP address notification request of the client PC 13 from the external network, and performs a disclosure confirmation process for confirming whether it is appropriate to disclose the IP address of the client PC 13. In this disclosure confirmation processing, it is determined whether or not the information sharing system can be used while determining whether or not it is an appropriate partner by identifying the transmission source of the IP address notification request. If disclosure is possible through the disclosure confirmation process, an “accept response” indicating that the IP address can be disclosed is sent to the notification request source, and conversely, if it cannot be disclosed, a “reject response” is sent. .

  The IP address of the processing server 14 that receives the IP address of the device that processes the digital information shared from the destination network that has transmitted the permission response, for example, the device such as the printer 23 or the print server 24, and manages it as route information in return. Forward the address. The received IP addresses of the printer 23 and the print server 24 are transferred to the client PC 13 that manages digital information shared between the mutual networks.

  The IP telephone 12 packetizes the voice, establishes a voice session with the IP telephone 22 of the other party's network (information providing destination network 20), and makes a call by mutual communication with the other party.

  The client PC 13 manages digital information shared between the mutual networks. The client PC 13 is notified of the one-time authentication key from the processing server 14, creates print data in which the one-time authentication key is added to the digital information, and issues a print request to the print server 24 in the information providing destination network. The IP address specified as the destination information of the print request at this time is the IP address of the print server 24 notified when the data session is established.

  The processing server 14 receives the one-time authentication key from the client PC 25 of the information providing destination network 20 and transfers the one-time authentication key to the client PC 13.

  Next, in the information providing destination network 20, the gateway device 21 holds the route information to the nodes constituting the network like the gateway device 11 of the information providing source network 10, and transfers data based on the route information.

  In addition, a voice packet is received from the IP telephone set 22 in the information providing destination network 20, and a call is made by transferring the voice packet to the information providing source network 10. During this call, the operation status is confirmed by transferring a status confirmation request to the print server 24. When the voice session is established when the operation state of the print server 24 can be confirmed and the other party's IP telephone 12 responds to the call, processing is subsequently performed on the gateway device 11 of the network where the voice session is established. Request the IP address of the server 14.

  In response to this request, when an authorization response that can disclose the IP address of the processing server 14 is received, the IP addresses of the print server 24 and the printer 23 that have further confirmed the operation are notified. As a result, the received IP address of the processing server 14 is transferred to the print server 24.

  By these processes, a data session is established between networks in which voice sessions are established between IP telephones, and mutual notification of digital information becomes possible.

  When a print request is received in a state where the data session is established, the print request is transferred to the print server 24 indicated as the destination information of the print request.

  The IP telephone set 22 makes a call by packetizing the voice and transmitting the call to the other party's network, and a voice session is established by receiving a response to the call. Incidentally, H.264 standardized by ITU-T (International Telecommunication Union) etc. H.323, MGCP (Media Gateway Control Protocol), H.323. 248, a voice session between IP telephones is established by using a call control protocol such as SIP (Session Initiation Protocol).

  The printer 23 is an example of an image forming apparatus that shares information between mutual networks by printing out digital information. Based on a print request from the print server 24, a print process to a print medium is performed.

  The print server 24 controls printing of a print request from the client PC 14 of the partner information provider network 10. Also, a one-time authentication key creation process is performed by receiving a one-time authentication key creation request from the client PC 25. This one-time authentication key is an authentication key that is used only once, and is created by combining the time of creation or random alphanumeric characters and a predetermined password. The created one-time authentication key is transferred to the requesting client PC 25.

  The print server 24 also performs authentication processing by comparing whether the one-time authentication key included in the print data of the print request received from the client PC 14 of the information providing source network matches the one-time authentication key created earlier. To do. If they are the same, it indicates that the authentication has been successful. In this case, the print data is transferred to the printer 23 to execute print output.

  The client PC 25 registers the IP address of the processing server 14 that is the request destination of the job request notified from the gateway device 21 in the network. Also, the one-time authentication key creation request to be given to the job request is transferred to the print server 24, and the created one-time authentication key is received.

  Then, the created job request with the one-time authentication key is transferred to the processing server 14 of the information providing source network 10. This job request indicates a transmission request for a print job to be printed out.

  With the configuration described above, only print data that has been authenticated by the authentication key can be printed out.

  FIG. 2 is a diagram showing a modification of the configuration shown in FIG.

  In FIG. 1, a print server 24 is provided in the information providing destination network 20, a one-time authentication key is created by the print server 24 and authentication processing is performed, and a processing server 14 is provided in the information providing source network 10. Provided, and a process of transferring to the client PC 13 is performed. On the other hand, in FIG. 2, the processing performed by the print server 24 of the information providing destination network 20 is performed by the client PC 25 of the same network, and the processing of the processing server 14 of the information providing source network 10 is performed by the client PC 13. It is the structure made to do.

  FIG. 3 is a block diagram showing the configuration of the print server in the information sharing system of the present invention.

  The print server shown in FIG. 3 includes a communication unit 301, a control unit 302, a status confirmation unit 303, an authentication key creation unit 304, an authentication unit 305, an authentication key management unit 306, an output control unit 307, and a U / I 308. When the print data requested to be printed is printed, the one-time authentication key is confirmed and printed out to the printer.

  The communication unit 301 is a communication interface that performs data communication, and relays data in the print server.

  When the control unit 302 receives a status confirmation request via the communication unit 301, the control unit 302 instructs the status confirmation unit 303 to issue a printer status confirmation request, and the status confirmation unit 303 transmits the printer status via the communication unit 301. Confirmation is performed. The status confirmation unit 303 does not confirm the status of the printer in response to the status confirmation from the control unit 302, but inquires whether the printer is in a normal operation state by accessing the printer at regular intervals. In response to the state confirmation request, the operation state inquired in advance is returned.

  When the control unit 302 accepts a one-time authentication key creation request from the client terminal B via the communication unit 301, it makes a one-time authentication key creation request to the authentication key creation unit 304. Upon receipt of the creation request, the authentication key creation unit 304 creates a one-time authentication key that can be used only once by executing a key creation algorithm. The one-time authentication key created by the authentication key creation unit 304 is transferred to the control unit 302 and managed by the authentication key management unit 306.

  In a state where the one-time authentication key is managed by the authentication key management unit 306, the control unit 302 transfers the one-time authentication key to the client terminal B that is the source of the one-time authentication key creation request via the communication unit 301.

  Further, when a print request for print data is received from the client PC of the information providing source network via the communication unit 301, the control unit 302 authenticates the authentication unit 305 together with the one-time authentication key managed by the authentication key management unit 306. Make a request. Upon receiving this authentication request, the authentication unit 305 extracts the one-time authentication key by analyzing the print data, and determines whether the one-time authentication key matches the one-time authentication key received by the authentication key management unit 306. If the one-time authentication key matches, it indicates that the print request source can be authenticated, and if the one-time authentication key does not match, it indicates that the print request source cannot be authenticated.

  If the print request source can be authenticated because the one-time authentication key matches, the print data is transferred from the control unit 302 to the output control unit 307 and print output processing is performed. The output control unit 307 creates a print job and prints it out to the printer.

  With such a configuration, the print server can authenticate the print request source from the one-time authentication key included in the print data, and can print out only when authentication is successful.

  FIG. 4 is a sequence diagram showing a processing flow of the entire information sharing system of the present invention.

  In FIG. 4, the IP phone of the information providing source network is called using the IP phone of the information providing destination network (401). By this call, the gateway device of the information providing destination network transmits a status confirmation request for confirming the printer status to the print server (402), and receives a status confirmation response indicating the printer status from the print server (403). ). The print server is constantly checking the operating state of the printer.

  When the gateway device of the information providing destination network confirms the status of the printer in the network and a call response is made (404), a voice session is established between the mutual networks.

  With the voice session established, the gateway device of the information providing destination network requests the IP address of the processing server that processes various requests from the gateway device of the information providing source network (405). The gateway device of the information providing source network that has received the request for the IP address performs a disclosure confirmation process for confirming whether or not the IP address of the processing server of the network may be disclosed in response to the request (406).

  In this disclosure confirmation processing, the request source that has requested the IP address of the processing server is identified, that is, whether the request is made from the gateway device of the network in which the voice session is established. If it can be confirmed that the IP address request source is the gateway device of the network in which the voice session is established, a response permitting notification of the IP address (“permission response”) is returned (407).

  On the other hand, if it cannot be confirmed that the IP address request source is the gateway device of the network in which the voice session is established, a response that cannot notify the IP address ("rejection response") is returned (407). . When this rejection response is returned, the processing in information sharing is stopped.

  The gateway device of the information providing destination network that has received the permission response then notifies the IP address of the print server and printer connected to the network to the gateway device of the information providing source network (408). Upon receipt of this notification, the gateway device of the information providing source network returns the IP address of the processing server in the network (409).

  Upon receiving the IP address of the processing server of the information providing source network, the gateway device of the information providing destination network notifies the client PC in the information providing destination network of the IP address (410). At the same time, the gateway device of the information providing source network notifies the client PC in the information providing source network of the print server and printer IP address of the information providing destination network (411).

  As a result, a data session is established between the processing server of the information providing source network and the client PC of the information providing destination network, and the client PC of the information providing source network and the client PC of the information providing destination network.

  The IP address of the print server of the information providing destination network and the IP address of the printer are registered in the client PC of the information providing source network (412), and the client of the information providing source network is registered in the client PC of the information providing destination network. The IP address of the PC is registered (413).

  Subsequently, in order to request digital information, the client PC of the information providing destination network makes a one-time authentication key creation request to the print server in the network (414). Upon receiving the creation request, the print server performs an authentication key creation process for creating a one-time authentication key (415), and transfers the created one-time authentication key to the requesting client PC (416).

  As a result, the client terminal B is in a state of holding a one-time authentication key, and a digital information request (referred to as a “job request”) together with the one-time authentication key is indicated by the IP address acquired in the previous process. Transmit to the processing server (417). Upon receiving the job request, the processing server of the information providing source network transfers the one-time authentication key to the client PC of the same network that manages the digital information (418).

  The one-time authentication key created in this authentication key creation process is encrypted, and the authentication information including the encrypted one-time authentication key is transmitted together with the job request. The job request including the authentication information is transmitted. The received authentication information decrypted by the processing server of the information providing source network may be transferred to the client PC. This encryption process can prevent the one-time authentication key from being wiretapped or tampered with.

  The client PC that has received the one-time authentication key creates print data in which the one-time authentication key is added to the digital information (419). The client PC that created the print data makes a print request for the print data with the IP address of the print server acquired and registered in the previous process as the destination (420). The print server that has received the print request performs an authentication process (421), and issues a print data print request to the printer only when the print request is successful (422). A flowchart showing a detailed flow of the authentication process at this time is shown in FIG.

  If authentication cannot be performed by the authentication process, the print data requested for printing is discarded without requesting the printer to print.

  The printer that has received the print request prints out the print data requested to be printed (423).

  Through such processing, digital information can be shared between mutual networks as a print document on which print data is printed.

  FIG. 5 is another sequence diagram showing the processing flow of the entire information sharing system of the present invention.

  The sequence diagram shown in FIG. 5 is a sequence diagram when a job request is transmitted using a one-time authentication key created in advance.

  The sequence diagram shown in FIG. 5 is similar to the sequence diagram shown in FIG.

  With the voice session and data session established between the mutual networks, the IP address of the processing server of the information providing source network 20 is registered in the client PC 25 (412). Thereafter, a transfer request for the created one-time authentication key is made to the print server 24 (501), and the one-time authentication key is received (502).

  The received job request with the one-time authentication key is transferred to the processing server 14 of the information providing source network 10 (417). After the transfer, a one-time authentication key to be used next is created (503). The one-time authentication key at this time is created using the time at the time of creation.

  Thereafter, as in the process of FIG. 4, authentication is performed by comparing whether the one-time authentication key assigned to the received print data matches the one-time authentication key assigned, and printing is performed.

  FIG. 6 is a flowchart showing a detailed flow of the authentication processing shown in FIGS.

  The authentication process of FIG. 6 is a process performed by the print server of the information providing destination network. When the print request for the print data is received, the process is started, and the print data requested by the print request is analyzed to obtain the print data. The given one-time authentication key is extracted (601). The extracted one-time authentication key is compared with the one-time authentication key created in the authentication key creation process (602), and it is determined whether or not they match (603).

  If it is determined that they are the same authentication key (YES in 603), the printer is requested to print the print data (604). On the other hand, if it is determined that the two authentication keys do not match (NO in 603), the printing process is stopped (605) and the information sharing process is stopped.

  With the above processing, the information sharing system of the present invention can print out only the print data that can be authenticated by the one-time authentication key.

  This makes it possible to prevent a print output process for an unintended print request from a third party.

  Therefore, by applying the present invention, only the print request from a specific partner can be printed out, so that it is possible to expect an effect that information sharing with high security becomes possible.

  The present invention is not limited to the embodiments described above and shown in the drawings, and can be implemented with appropriate modifications within a range not changing the gist thereof.

  INDUSTRIAL APPLICABILITY The present invention can be applied to a system for sharing information between mutual networks, and particularly secures high security by authenticating information transmitted from the communication partner in information sharing with the partner in a digital communication state. This is useful for sharing information.

1 is a system configuration diagram of an information sharing system configured by applying an information sharing system, a gateway device, and a method according to the present invention. The other system block diagram of the information sharing system comprised by applying the information sharing system and gateway apparatus and method concerning this invention. The block diagram which shows the structure of the print server in the information sharing system of this invention. The sequence diagram which shows the flow of a process of the whole information sharing system of this invention. The other sequence figure which shows the flow of a process of the whole information sharing system of this invention. The flowchart which shows the flow of the authentication process of the sequence diagram shown in FIG. 4, FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Information provider network 11 Gateway apparatus 12 IP telephone 13 Processing server 14 Client PC (client terminal A)
20 Information Destination Network 21 Gateway Device 22 IP Telephone 23 Client PC (Client Terminal B)
24 print server 25 printer 301 communication unit 302 control unit 303 status confirmation unit 304 authentication key creation unit 305 authentication unit 306 authentication key management unit 307 output control unit 308 U / I

Claims (4)

In an information sharing system for sharing information by establishing a call session between telephones provided at each point and requesting transfer of the digital information to the point of the other party that manages the digital information,
Request means for requesting network identification information of a management apparatus that manages the digital information to a partner that manages the digital information;
An information request transmission unit that transmits an information request to which authentication information for authenticating a transmission source of the digital information is attached to the management device indicated by the network identification information received in response to the request by the request unit;
Receiving means for receiving the digital information to which the authentication information is given from the other party for the information request transmitted by the information request transmitting means;
Confirmation means for confirming whether the authentication information given to the digital information received by the reception means matches the authentication information transmitted by the information request transmission means, and
When the confirmation means confirms that the authentication information matches, the digital information to which the authentication information is added is shared between the points where the call session is established. The information sharing system according to claim 1, wherein authentication information for authenticating a transmission source of the digital information is created when the information request is transmitted by the information request transmission unit. The authentication information is:
One-time authentication information that performs one-time authentication,
The information sharing system according to claim 1 or 2, wherein the confirmation unit authenticates a transmission source of the digital information using one-time authentication information. In an information sharing method for establishing information communication between telephones provided at each point, and sharing information by requesting transfer of the digital information to the point of the other party that manages the digital information.
Requesting the network identification information of the management apparatus that manages the digital information to the other party that has managed the digital information by request means,
An information request with authentication information for authenticating the transmission source of the digital information is transmitted to the management device indicated by the network identification information received in response to the request by the request unit by the information request transmission unit,
In response to the information request transmitted by the information request transmitting means, the receiving means receives the digital information provided with the authentication information from the other party,
Confirming by the confirmation means whether the authentication information given to the digital information received by the receiving means matches the authentication information transmitted by the information request transmitting means,
When the confirmation means confirms that the authentication information matches, the digital information to which the authentication information is attached is shared between the points where the call session is established.

Images