JP2014039193A - Information processor, management device, information processing method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To verify the validity of each of a plurality of applications operating while cooperating with each other without directly performing any procedure necessary for verifying the validity of each application.SOLUTION: An information processor verifies the validity of a leaf certificate 1511 of a first application 151 by using an intermediate certificate 1521 of a second application 152, and verifies the validity of TC signature 1512a added to a setting file 1512 related to the operation setting of a cooperative operation by using the leaf certificate 1511. Then, the information processor verifies the validity of the package names of the first application 151 and the second application 152 by using the package name of the setting file 1512. Then, the information processor verifies the validity of a CP certificate 1513 of the first application 151 by using the hash value of the CP certificate of the setting file 1512, and verifies the validity of a CP signature 1514 by using the CP certificate 1513. The information processor permits the above mentioned cooperative operation when all the applications are valid.

Description

  The present invention relates to a technique for verifying the validity of an application using an electronic signature.

For example, Patent Documents 1 and 2 disclose a technique for verifying the validity of data included in an electronic file using an electronic signature added to the electronic file.
Patent Document 1 discloses a mechanism for detecting a change or alteration of metadata without encrypting the entire file including the media file and metadata. In the invention described in Patent Document 1, the hash value and digital signature generated by the content server are included in the metadata, and the client receiving the file uses the hash value and the digital signature to verify the validity of the metadata. Confirm. Patent Document 2 calculates a hash of recorded data and metadata based on recorded data, metadata, and digital signature included in a digital medium file, and a hash result and a decrypted digital signature Is disclosed to authenticate digital media files.

Special table 2008-539525 JP 2003-234737 A

  By the way, an information processing apparatus may provide an additional function by operating a plurality of application software (hereinafter abbreviated as “application”) in cooperation with each other. For example, when the information processing apparatus operates a mail application for creating an e-mail and a camera application for taking a photograph taken with a camera in cooperation with each other, By operating, it is possible to attach a photographic image obtained by photographing at that time to an e-mail.

In order for this type of application linkage operation to be realized on a user terminal without fraud as intended by a specific application provider such as the aforementioned mail application provider, the legitimacy of each application (for example, tampering) It is effective to first verify whether or not the application provider is impersonated. However, a specific application provider can digitally sign all of these applications, or provide data such as digital certificates necessary to verify that this digital signature is valid. It is difficult to deal with applications that have already been circulated in the system that performs the procedure. In this mechanism, the above-described procedure is required every time an application is newly developed or an application is updated.
Therefore, an object of the present invention is to provide a mechanism for verifying the legitimacy of each application without performing a procedure necessary for verifying the legitimacy of a plurality of applications operating in cooperation with each other. That is.

  In order to solve the above-described problem, an information processing apparatus according to the present invention stores a first application to which an electronic signature of a first application provider is added and a second application provided by a second application provider. An acquisition unit for acquiring a setting file including an application identifier indicating the first and second applications operating in cooperation with each other, and verification data for verifying the validity of the electronic signature; And a verification unit that verifies the validity of the electronic signature using the verification data of the setting file acquired by the unit.

  In the information processing apparatus of the present invention, a permission unit that permits the linked operation of the first and second applications indicated by the application identifier of the acquired setting file based on whether the electronic signature of the first application provider is valid. You may make it prepare.

  In the information processing apparatus of the present invention, the storage unit stores a first electronic certificate issued to the second application provider in association with the first application, and the acquisition unit stores the first electronic certificate. The configuration file to which the electronic signature of the second application provider that can be verified using an electronic certificate is added is acquired, and the verification unit uses the first electronic certificate to acquire the configuration file. The validity of the electronic signature added to the URL may be verified.

  In the information processing apparatus of the present invention, the storage unit stores a second electronic certificate associated with a higher rank in the certificate chain than the first electronic certificate in association with the second application, and the verification unit May verify the validity of the first electronic certificate using the second electronic certificate.

  The information processing apparatus according to the present invention includes a communication unit that communicates with a management device that stores the setting file, and the acquisition unit acquires the setting file of the first application from the management device through communication of the communication unit. You may do it.

  In the information processing apparatus of the present invention, the application storage unit stores a third electronic certificate that is issued to the first application provider and that can verify the validity of the electronic signature added to the first application. The verification unit verifies the validity of the third electronic certificate associated with the first application using the hash value of the third electronic certificate as the verification data, and the third electronic certificate The validity of the electronic signature added to the first application may be verified using an electronic certificate.

  In the information processing apparatus of the present invention, the setting file may include the application identifier and the verification data corresponding to a plurality of combinations of the first and second applications operating in cooperation with each other.

  The information processing method of the present invention is an information processing method of an information processing apparatus that stores a first application to which a digital signature of a first application provider is added and a second application provided by a second application provider. An acquisition step of acquiring a setting file including an application identifier indicating the first and second applications operating in cooperation with each other and verification data for verifying the validity of the electronic signature; and the acquisition step And a verification step of verifying the validity of the electronic signature using the verification data of the setting file acquired in (1).

  The program of the present invention is linked to a computer of an information processing apparatus that stores a first application to which an electronic signature of a first application provider is added and a second application provided by a second application provider. An acquisition step of acquiring a setting file including an application identifier indicating the first and second applications that operate, and verification data for verifying the validity of the electronic signature; and the setting file acquired in the acquisition step And a verification step for verifying the validity of the electronic signature using verification data.

  According to the present invention, it is possible to verify the validity of each application without directly performing a procedure necessary for verifying the validity of a plurality of applications operating in cooperation with each other.

The figure which shows the whole structure of an application management system. The block diagram which shows the hardware constitutions of a terminal device. Explanatory drawing of a structure of a 1st application and a 2nd application (1st Embodiment). The block diagram which shows the hardware constitutions of CP server. The block diagram which shows the hardware constitutions of a management server. The figure explaining the specific example of the cooperation operation | movement of an application. The functional block diagram which shows the function structure of the control part of a terminal device (1st Embodiment). The functional block diagram which shows the function structure of the control part of a management server (1st Embodiment). The sequence diagram which shows the flow of a setting file production | generation process (1st Embodiment). Explanatory drawing of a structure of a setting file and a 1st application (1st Embodiment). The flowchart which shows the flow of an application verification process (1st Embodiment). Explanatory drawing of the content of application verification processing (1st Embodiment). Explanatory drawing of a structure of a 1st application and a 2nd application (2nd Embodiment). The functional block diagram which shows the function structure of the control part of a terminal device (2nd Embodiment). FIG. 10 is a sequence diagram showing a flow of setting file generation processing (second embodiment). The flowchart which shows the flow of an application verification process (2nd Embodiment). Explanatory drawing of the content of application verification processing (2nd Embodiment). Explanatory drawing of the content of application verification processing (modification 1).

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[First Embodiment]
First, a first embodiment of the present invention will be described.
FIG. 1 is a diagram showing the overall configuration of the application management system 1.
As shown in FIG. 1, the application management system 1 includes an information processing apparatus 10, a CP (Contents Provider) server 20, and a management server 30. The information processing apparatus 10, the CP server 20, and the management server 30 are each connected to the network NW. Here, the network NW is a communication network including a mobile communication network, a gateway, and the Internet.

The information processing apparatus 10 is a user terminal operated by a user, and here is a smartphone. In addition to this, the information processing apparatus 10 may be an information processing apparatus that operates application software such as a tablet computer, a notebook computer, and a PDA (Personal Digital Assistant). The CP server 20 is a distribution device that accumulates applications provided by a content provider (first application provider) and distributes the accumulated applications to the information processing apparatus 10 or the like. The management server 30 is a management device managed by a telecommunications carrier that provides the information processing apparatus 10 with various communication services such as voice communication and data communication. This communication carrier is also, for example, an application provider (second application provider) operated by the information processing apparatus 10.
Although only one information processing apparatus 10 is illustrated in FIG. 1, there are actually a plurality of information processing apparatuses 10. In the application management system 1, two or more CP servers 20 and management servers 30 may exist instead of one.
Next, configurations of the information processing apparatus 10, the CP server 20, and the management server 30 will be described.

FIG. 2 is a block diagram illustrating a hardware configuration of the information processing apparatus 10. As illustrated in FIG. 2, the information processing apparatus 10 includes a control unit 11, an operation unit 12, a communication unit 13, a display unit 14, and a storage unit 15.
The control unit 11 includes a microcomputer having a central processing unit (CPU), a read only memory (ROM), and a random access memory (RAM). The CPU controls each unit of the information processing apparatus 10 by reading a program stored in the ROM or the storage unit 15 into the RAM and executing the program. The operation unit 12 is an operation device that has a touch screen and a physical key provided on the display surface of the display unit 14 and is operated by a user. The communication unit 13 has a wireless communication circuit and an antenna, and is an interface for connecting to and communicating with the network NW. The display unit 14 includes, for example, a liquid crystal display, and displays various screens on a display surface that displays an image.

  The storage unit 15 includes a storage device such as an EEPROM (Electronically Erasable and Programmable ROM) and a flash memory, and stores various programs executed by the control unit 11 and applications such as the first application 151 and the second application 152. doing. The first application 151 is an application (first application) downloaded and installed from the CP server 20 by the information processing apparatus 10. The second application 152 is an application (second application) provided to the telecommunications carrier, for example, an application preinstalled in the information processing apparatus 10 or an application downloaded from a predetermined application providing server.

FIG. 3 is an explanatory diagram of the configuration of the first application 151 and the second application 152.
As shown in FIG. 3A, the first application 151 is an application in which a leaf certificate 1511, a setting file 1512, and a CP certificate 1513 are associated with each other, and a CP signature 1514 is further added. Yes.
The leaf certificate 1511 is an electronic certificate (first electronic certificate) issued to a communication carrier, and is authenticated by, for example, an intermediate certificate authority. Here, the leaf certificate 1511 is an electronic certificate (that is, a public key certificate) according to a public key cryptosystem. The leaf certificate 1511 includes a public key that is a pair of private keys assigned to the management server 30. This secret key is held in a secure environment such as a predetermined certificate authority.

  The setting file 1512 is a data file used for operation setting of the information processing apparatus 10 when a plurality of applications are operated in cooperation with each other. Specifically, the setting file 1512 includes package names of the first application 151 and the second application 152 that operate in cooperation with each other, and a hash value of the CP certificate 1513. The package name is an application identifier assigned for each application. In FIG. 3A, the package name is “Aps1_package” and “Aps2_package”. The hash value of the CP certificate 1513 is a hash value generated according to a predetermined algorithm using the CP certificate 1513, and is verification data for verifying the validity of the CP certificate 1513. The setting file 1512 is added with a TC signature 1512a as an electronic signature indicating that the setting file 1512 has been authenticated by the communication carrier. Here, “TC” stands for “Telecommunications Carrier” (communication carrier).

The CP certificate 1513 is an electronic certificate issued to the content provider (third electronic certificate). The CP certificate 1513 may be issued by a third party such as an intermediate certificate authority, or may be issued by a content provider. The CP certificate 1513 is a public key certificate here, and includes a public key that is a pair of private keys held by the CP server 20.
The CP signature 1514 is an electronic signature indicating that the first application 151 has been authenticated by the content provider.
The package name of the first application 151 is represented as “Aps1_package”.

As shown in FIG. 3B, the second application 152 is an application associated with the intermediate certificate 1521. The intermediate certificate 1521 is an electronic certificate issued to a communication carrier, and is authenticated by a root certificate authority that is higher than the intermediate certificate authority. That is, the intermediate certificate 1521 is an electronic certificate (second electronic certificate) that is associated with a higher rank than the leaf certificate 1511 in the certificate chain and authenticates the leaf certificate 1511.
The package name of the second application 152 is represented as “Aps2_package”.

FIG. 4 is a block diagram illustrating a hardware configuration of the CP server 20. As shown in FIG. 4, the CP server 20 includes a control unit 21, a communication unit 22, and a storage unit 23.
The control unit 21 includes a microcomputer having a CPU, a ROM, and a RAM. The CPU controls each unit of the CP server 20 by reading the program stored in the ROM or the storage unit 23 into the RAM and executing it. The communication unit 22 has a modem or the like and is an interface for connecting to the network NW for communication. The storage unit 23 is a storage device having, for example, a hard disk device, and stores various programs executed by the control unit 21. In addition to this, the storage unit 23 stores an application (for example, the first application 151) distributed to the information processing apparatus 10 and the like, a setting file (for example, the setting file 1512) corresponding to this application, a CP certificate 1513, and the like. Remember.

FIG. 5 is a block diagram illustrating a hardware configuration of the management server 30. As shown in FIG. 5, the management server 30 includes a control unit 31, a communication unit 32, and a storage unit 33.
The control unit 31 includes a microcomputer having a CPU, a ROM, and a RAM. The CPU controls each unit of the management server 30 by reading a program stored in the ROM or the storage unit 33 into the RAM and executing the program. The communication unit 32 has a modem and the like, and is an interface for connecting to the network NW for communication. The storage unit 33 is a storage device having a hard disk device, for example, and stores various programs executed by the control unit 31 and leaf certificates 1511.
In FIG. 5, the character string “setting file” is illustrated in a rectangle represented by a broken line at the storage unit 33, but this is stored in the storage unit 33 in a second embodiment to be described later. This means that it is not related to the first embodiment.

By the way, in the information processing apparatus 10, the first application 151 and the second application 152 can be operated in cooperation with each other to provide an additional function that is not in a single operation. The application linking operation means that a plurality of applications operate in a connected manner in order to provide a function different from the function provided by the application operating alone. The application linking operation is realized, for example, by causing one application to operate (e.g., activate) another application.
Here, a specific example of the linkage operation of the application will be described.

FIG. 6 is a diagram for explaining a specific example of an application linkage operation.
As shown in FIG. 6A, the second application 152 is a mail application that provides functions such as creation and transmission / reception of electronic mail here. Here, the first application 151 is a display application for processing and displaying e-mails transmitted and received using the second application 152. When the first application 151 and the second application 152 are linked to each other, the information processing apparatus 10 first transmits an e-mail exchanged with a transmission / reception partner designated by the user (here, Mr. A). The first application 151 is operated so as to request the second application 152 to provide. Next, in response to a request from the first application 151, the information processing apparatus 10 operates the second application 152 so as to provide (return) an electronic mail exchanged with the designated transmission / reception partner. The information processing apparatus 10 displays a mail display screen on the display unit 14 in accordance with the linkage operation of the first application 151 and the second application 152.

FIG. 6B is a diagram showing an e-mail display screen displayed by the linkage operation. As shown in FIG. 6 (b), on this mail display screen, e-mail exchanged using the function of the second application 152 is displayed in a so-called chat format using the function of the first application 151. . The user who sees the mail display screen can grasp the exchange of the e-mails in time series for each e-mail transmission / reception partner.
FIG. 6C is a diagram showing a mail display screen when the first application 151 is updated. As shown in FIG. 6 (b), in this mail display screen, the time series order of the exchange of e-mails is displayed in a chat format, but the character portion to be emphasized such as “when” or “18:00” is displayed. It is automatically identified and highlighted.

Thus, even if the second application 152 is the same, if the version of the first application 151 (that is, before and after the update) is different, the functions provided by the linkage operation are also different. However, even if the application version changes, the package name of the application is the same before and after the update. Therefore, the package name of the first application 151 for displaying the mail screen shown in FIG. 6B and the package name of the first application 151 for displaying the mail screen shown in FIG. , “Aps1_package”.
Note that the linkage operation may be realized by, for example, a plurality of applications operating simultaneously or using a common parameter, and is a function different from that when the application operates alone. As long as the operation is provided. Therefore, various ways of connection between applications can be considered.
Next, the functional configuration of the information processing apparatus 10 will be described.

FIG. 7 is a functional block diagram illustrating a functional configuration of the control unit 11 of the information processing apparatus 10. As illustrated in FIG. 7, the control unit 11 of the information processing apparatus 10 realizes functions corresponding to an acquisition unit 111, a verification unit 112, a permission unit 113, and an application operation unit 114.
The acquisition unit 111 acquires a setting file 1512 that is generated by the communication carrier so as to correspond to the first application 151. Here, the acquisition unit 111 acquires the setting file 1512 stored in the storage unit 15 and associated with the first application 151.

  The verification unit 112 verifies the validity of the CP certificate 1513 associated with the first application 151 using the hash value of the CP certificate 1513 included in the setting file 1512 acquired by the acquisition unit 111, and this CP The validity of the CP signature 1514 added to the first application 151 is verified using the certificate 1513. In addition to this, for example, the verification unit 112 verifies the validity of the leaf certificate 1511 using the intermediate certificate 1521 associated with the second application 152, or uses the leaf certificate 1511 to set the configuration file. The validity of the TC signature 1512a of 1512 is verified (that is, the identity of the signer is verified). Further, the verification unit 112 uses the TC signature 1512a to confirm that the setting file 1512 is valid. The verification unit 112 confirms that the setting file 1512 is valid when the contents of the setting file 1512 are not falsified (that is, the non-tampering property is confirmed).

  The permission unit 113 performs an operation setting related to whether or not the linkage operation can be realized based on whether or not the CP signature 1514 is valid in the verification result by the verification unit 112. In this case, when the verification unit 112 obtains a verification result that the CP signature 1514 is valid, the permission unit 113 displays the first application 151 and the second application indicated by the package names included in the acquired setting file 1512. 152 linkage operations are permitted. On the other hand, if the verification unit 112 does not obtain a verification result that the CP signature 1514 is valid, the permission unit 113 does not permit this linkage operation.

The application operation unit 114 reads and operates the application stored in the storage unit 15. For example, the application operation unit 114 operates the first application 151 and the second application 152 so as to realize the linked operation permitted by the permission unit 113.
Next, the functional configuration of the management server 30 will be described.

FIG. 8 is a functional block diagram illustrating a functional configuration of the control unit 31 of the management server 30. As illustrated in FIG. 8, the control unit 31 of the management server 30 realizes functions corresponding to a generation unit 311, a signature unit 312, and a transmission control unit 313. Here, a functional configuration related to generation of the setting file 1512 corresponding to the first application 151 will be described.
The generation unit 311 is issued to the content provider and the package name indicating the first application 151 provided by the content provider and the second application 152 provided to the communication carrier and operating in conjunction with the application. A setting file 1512 including the hash value of the CP certificate 1513 is generated.

The signature unit 312 adds the TC signature 1512a to the setting file 1512 generated by the generation unit 311. The signature unit 312 adds an electronic signature that can be verified using the leaf certificate 1511 as a TC signature 1512a.
The transmission control unit 313 transmits the setting file 1512 to which the TC signature 1512 a is added by the signature unit 312 to the CP server 20 by the communication unit 32. The CP server 20 distributes the setting file 1512 acquired from the management server 30 in association with the first application 151. The transmission unit of the present invention is realized by the cooperation of the transmission control unit 313 and the communication unit 32.
Next, the operation of the application management system 1 will be described.

  The characteristic operation of the application management system 1 is broadly divided into (I) setting file generation processing and (II) application verification processing. The setting file generation process is a process that is performed prior to providing the first application 151 and generates a setting file 1512 corresponding to the first application 151. The application authentication process is a process of verifying the validity of a plurality of applications that operate in cooperation after the CP server 20 provides the first application 151.

(I) Setting File Generation Processing FIG. 9 is a sequence diagram showing the flow of setting file generation processing. FIG. 10 is an explanatory diagram of the configuration of the setting file 1512 and the first application 151.
For example, when a newly created application is to be provided, the CP server 20 performs a necessary procedure for the management server 30 when there is a linkage operation realized using the application. Hereinafter, a procedure for realizing the linkage operation of the first application 151 with the second application 152 will be described.

The CP server 20 accesses the management server 30 when the first application 151 and the second application 152 to be linked with each other are designated by the content provider. First, the CP server 20 includes “Aps_package1” that is the package name of the first application 151, “Aps_package2” that is the package name of the second application 152 that operates in conjunction with the first application 151, and the CP certificate 1513. The hash value is transmitted to the management server 30 (step SA1).
The hash value of the CP certificate 1513 may be generated according to a known algorithm. The CP server 20 calculates the hash value of the CP certificate 1513 using, for example, a hash function called MD5 (Message Digest Algorithm 5).

When the management server 30 receives the package name transmitted in step SA1 and the hash value of the CP certificate 1513, the management server 30 generates a setting file 1512 including the received package name and the hash value of the CP certificate 1513. (Step SA2).
Next, the management server 30 adds a TC signature 1512a that can be verified using the leaf certificate 1511 to the setting file 1512 generated by the process of step SA2 (step SA3). The management server 30 may generate the TC signature 1512a using the secret key assigned to the server itself, and the specific generation method of the TC signature 1512a is not particularly limited. The setting file 1512 having the configuration shown in FIG. 10A is generated by the process of step SA3. The setting file 1512 is authenticated by the communication carrier by adding the TC signature 1512a.
The management server 30 transmits the setting file 1512 signed in the process of step SA3 and the leaf certificate 1511 stored in the storage unit 33 to the CP server 20 (step SA4).

When the CP server 20 receives the leaf certificate 1511 and the setting file 1512 transmitted in the process of step SA4 and acquires them, as shown in FIG. 10B, the acquired leaf certificate 1511 and the setting file 1512 is associated with the first application 151 and stored in the storage unit 15 (step SA5).
Next, the CP server 20 associates the CP certificate 1513 with the first application 151, and adds a CP signature 1514 that can be verified using the CP certificate 1513 to the first application 151 (step SA6). The CP server 20 may generate the CP signature 1514 using the secret key assigned to the server itself, and the specific generation method of the CP signature 1514 is not particularly limited. The first application 151 shown in FIG. 10C (same as FIG. 3A) is generated by the process of step SA6.
The above is the description of the setting file generation process. After the setting file generation processing described above, the CP server 20 associates the first application 151 with the leaf certificate 1511, the setting file 1512, and the CP certificate 1513 corresponding to the first application 151, thereby processing the information processing apparatus 10. Deliver to. The information processing apparatus 10 acquires (that is, downloads) these data (corresponding to the first application 151 shown in FIG. 3A) and stores the data in the storage unit 15.
Next, application verification processing will be described.

(II) Application Verification Processing FIG. 11 is a flowchart showing the flow of application verification processing. FIG. 12 is an explanatory diagram of the contents of the application verification process.
The information processing apparatus 10 first reads the first application 151 and the second application 152 that operate in association from the storage unit 15 and acquires them (step SB1). Next, the information processing apparatus 10 verifies the validity of the leaf certificate 1511 associated with the first application 151 using the intermediate certificate 1521 associated with the second application 152 (step SB2). The verification process in step SB2 corresponds to the verification of the circled number “1” in FIG.
The process of verifying the validity of the leaf certificate 1511 using the intermediate certificate 1521 may be performed by a known method. For example, the information processing apparatus 10 accesses a predetermined certificate authority server, refers to a revoked certificate list called a CRL (Certificate Revocation List), and determines that both the leaf certificate 1511 and the intermediate certificate 1521 are within the expiration date. Judge whether to do. If the information processing apparatus 10 confirms that the leaf certificate 1511 is not falsified or impersonated, the information processing apparatus 10 determines that the leaf certificate 1511 is valid. On the other hand, the information processing apparatus 10 determines that the leaf certificate 1511 is not valid when the leaf certificate 1511 or the intermediate certificate 1521 is out of the validity period or has been checked for falsification or impersonation. .

Next, the information processing apparatus 10 determines whether or not the leaf certificate 1511 associated with the setting file 1512 is valid based on the verification result of step SB2 (step SB3). If the information processing apparatus 10 determines that the leaf certificate 1511 is valid (step SB3; YES), the information processing apparatus 10 proceeds to the process of step SB4.
Next, the information processing apparatus 10 verifies the validity of the TC signature 1512a added to the setting file 1512 using the leaf certificate 1511 determined to be valid (step SB4). The verification process in step SB4 corresponds to the verification of the circled number “2” in FIG. Here, the information processing apparatus 10 extracts the public key from the leaf certificate 1511 associated with the first application 151, and verifies the validity of the TC signature 1512a using this public key. As described in the section “(I) Configuration File Generation Processing”, the configuration file 1512 is paired with the public key so that the validity can be verified using the leaf certificate 1511 in the processing of step SA3. A TC signature 1512a is added using a secret key. The information processing apparatus 10 should determine that the TC signature 1512a is valid by verification using the public key included in the leaf certificate 1511.
Examples of public key cryptosystems include RSA (Rivest Shamir Adleman) and DSA (Digital Signature Standard).

Next, the information processing apparatus 10 determines whether or not the TC signature 1512a added to the setting file 1512 is valid based on the verification result of Step SB4 (Step SB5). If the information processing apparatus 10 determines that the TC signature 1512a is valid (step SB5; YES), the information processing apparatus 10 proceeds to the process of step SB6.
Next, the information processing apparatus 10 uses the package names of the first application 151 and the second application 152 included in the setting file 1512 that the TC signature 1512a determines to be valid, and the first application 151 acquired in the process of step SB1. And the validity of the 2nd application 152 is verified (step SB6). The verification process in step SB6 corresponds to the verification of the circled number “3” in FIG. Here, if there is no falsification or impersonation of the application, the package name of the setting file 1512 and the package names of the first application 151 and the second application 152 should match each other.

Next, the information processing apparatus 10 determines whether the package names of the first application 151 and the second application 152 are valid based on the verification result of Step SB6 (Step SB7). If the information processing apparatus 10 determines that the package names of the first application 151 and the second application 152 are valid (step SB7; YES), the information processing apparatus 10 proceeds to the process of step SB8.
Next, the information processing apparatus 10 verifies the validity of the CP certificate 1513 associated with the first application 151 using the hash value of the CP certificate 1513 included in the setting file 1512 (step SB8). The verification process in step SB8 corresponds to the verification of the circled number “4” in FIG. If there is no falsification or impersonation of the application, the hash value calculated from the CP certificate 1513 added to the first application 151 and the hash value included in the setting file 1512 should match. Therefore, the information processing apparatus 10 calculates the hash value using the CP certificate 1513 according to the hash value calculation method (here, MD5) used by the CP server 20 in the process of step SA1, and the hash value of the setting file 1512 Compare with.

Next, the information processing apparatus 10 determines whether the CP certificate 1513 included in the first application 151 is valid based on the verification result of Step SB8 (Step SB9). If the information processing apparatus 10 determines that the CP certificate 1513 associated with the first application 151 is valid (step SB9; YES), the information processing apparatus 10 proceeds to the process of step SB10.
Next, the information processing apparatus 10 verifies the validity of the CP signature 1514 added to the first application 151 using the CP certificate 1513 determined to be valid (step SB10). The verification process in step SB10 corresponds to the verification of the circled number “5” in FIG. In the process of step SA6, as described above, the CP signature 1514 is added using the secret key that is paired with the public key of the CP certificate 1513. Therefore, if there is no falsification or impersonation of the CP certificate 1513 associated with the first application 151, the information processing apparatus 10 should determine that the CP signature 1514 is valid by verification using this public key. is there.

  Next, the information processing apparatus 10 determines whether or not the CP signature 1514 added to the first application 151 is valid based on the verification result of Step SB10 (Step SB11). Here, when the information processing apparatus 10 determines that the CP signature 1514 added to the first application 151 is valid (step SB11; YES), the information processing apparatus 10 permits the linkage operation of the first application 151 and the second application 152 ( Step SB12). In this way, the information processing apparatus 10 performs a plurality of verifications and sets the operation so as to permit the linked operation of the first application 151 and the second application 152 on the condition that all of them are determined to be valid. I do.

  On the other hand, when the information processing apparatus 10 determines “NO” in any of the processes of steps SB3, SB5, SB7, SB9, or SB11, that is, when it is determined that any one of the verifications is not valid, The operation setting is performed so as not to permit the linked operation of the first application 151 and the second application 152. Thereby, even if the application is illegally used in some way, it is possible to prevent the information processing apparatus 10 from realizing a cooperative operation that is not intended by the communication carrier.

  According to the application management system 1 of the first embodiment described above, when permitting a linked operation of a plurality of applications, it is not necessary for a communication carrier to add an electronic signature to all applications, and an electronic certificate is used. There is no need to perform procedures such as sending data. Further, after obtaining the setting file 1512 for a certain application, the CP server 20 can repeatedly use the setting file 1512 as long as the package name does not change even after the application is updated.

Further, the CP server 20 can acquire the setting file 1512 independently of the application. Therefore, even if the setting file 1512 corresponding to the already distributed application is generated afterwards, if the CP server 20 provides the leaf certificate 1511 and the setting file 1512 to the information processing apparatus 10, the information processing is performed. The device 10 can execute the above-described application verification process.
Further, the information processing apparatus 10 performs operation settings related to the linkage operation according to the setting file 1512. As a result, for example, even when the combination of applications that operate in association with each other changes, the CP server 20 can cope with the update by updating the setting file 1512 without updating the application.

[Second Embodiment]
Next, a second embodiment of the present invention will be described.
In the first embodiment described above, the information processing apparatus 10 verifies the validity of the setting file 1512 using the intermediate certificate 1521 and the leaf certificate 1511. However, the setting file 1512 is valid. The method for verification is not limited to this. In the second embodiment, instead of using the intermediate certificate 1521 and the leaf certificate 1511, the management server 30 manages the setting file 1512 so that it is regarded as being authenticated by the communication carrier. In this case, it is desirable that the management server 30 has a configuration capable of strictly managing information security so that the information such as the setting file 1512 is not falsified or leaked.
Since the hardware configuration of the application management system 1 of this embodiment is the same as that of the first embodiment described above, description thereof is omitted here. In the following description, the same hardware configuration, functional configuration, and processing steps as those in the first embodiment are denoted by the same reference numerals, and description thereof will be omitted as appropriate.
First, the configuration of the first application 151 and the second application 152 of the present embodiment will be described.

FIG. 13 is an explanatory diagram of the configuration of the first application 151 and the second application 152 stored in the information processing apparatus 10.
As shown in FIG. 13, the first application 151 is an application associated with a CP certificate 1513, while a leaf certificate 1511 and a setting file 1512 are associated with each other, as in the first embodiment. Make it not exist. Further, the second application 152 does not need to be associated with the intermediate certificate 1521 for verifying the validity of the leaf certificate 1511.

FIG. 14 is a functional block diagram illustrating a functional configuration of the control unit 11 of the information processing apparatus 10. As illustrated in FIG. 14, the control unit 11 of the information processing apparatus 10 implements functions corresponding to an acquisition unit 111, a verification unit 112, a permission unit 113, and an application operation unit 114.
The acquisition unit 111 acquires the setting file 1512 from the management server 30 through communication of the communication unit 13. For example, the acquisition unit 111 acquires the corresponding setting file 1512 by the communication unit 13 in response to an instruction from the user through the operation of the operation unit 12 so that the first application 151 and the second application 152 are linked. .
The verification unit 112 determines the CP signature added to the first application 151 based on the setting file 1512 acquired by the communication unit 13 by the acquisition unit 111 and the first application 151 and the second application 152 acquired from the storage unit 15. The validity of 1514 is verified. The verification unit 112 does not perform verification of the validity of the TC signature 1512a, and performs subsequent verification by the same method as in the first embodiment.
The permission unit 113 and the application operation unit 114 realize the same functions as those in the first embodiment described above, and thus description thereof is omitted here.
Next, the operation of the application management system 1 will be described. Also in this embodiment, the characteristic operation of the application management system 1 is roughly divided into (I) setting file generation processing and (II) application verification processing.

(I) Setting File Generation Processing FIG. 15 is a sequence diagram showing the flow of setting file generation processing.
First, the CP server 20 sets “Aps_package1”, which is the package name of the first application 151 to be newly provided, “Aps_package2”, which is the package name of the second application 152 operating in cooperation with the first application 151, and CP The hash value of the certificate 1513 is transmitted to the management server 30 (step SA1). Next, the management server 30 generates a setting file 1512 including the package names of the first application 151 and the second application 152 transmitted in the process of step SA1 and the hash value of the CP certificate 1513 (step SA2). . The processes in steps SA1 and SA2 may be performed by the same method as in the first embodiment described above.

  Next, the management server 30 stores the setting file 1512 generated in the process of step SA2 in the storage unit 33 (step SA7). Here, for example, the management server 30 stores the setting file 1512 in association with a combination of package names of a plurality of applications that operate in cooperation (corresponding to the description of the setting file 1512 in the storage unit 33 in FIG. 5). .

Next, the management server 30 transmits a completion notification indicating that the generation of the setting file 1512 has been completed to the CP server 20 (step SA8). The CP server 20 that has received the completion notification associates the first application 151 with the CP certificate 1513, adds the CP signature 1514 to the first application 151, and stores it in the storage unit 15 (step SA6). The first application 151 having the configuration shown in FIG. 13A is generated by the process of step SA6. The process of step SA6 may be performed by the same method as in the first embodiment described above.
The above is the description of the setting file generation process. The CP server 20 associates the first application 151 and the CP certificate 1513 with each other and distributes them to the information processing apparatus 10 after the above setting file generation processing. The information processing apparatus 10 acquires (that is, downloads) the first application 151 associated with the CP certificate 1513 and stores the first application 151 in the storage unit 15.
Next, application verification processing will be described.

(II) Application Verification Processing FIG. 16 is a flowchart showing the flow of application verification processing. FIG. 17 is an explanatory diagram of the contents of the application verification process.
The information processing apparatus 10 first reads the first application 151 and the second application 152 from the storage unit 15 and acquires them (step SB1).
Next, the information processing apparatus 10 acquires the setting file 1512 corresponding to the first application 151 and the second application 152 acquired in the process of step SB1 through communication with the management server 30 (step SB13). Here, the information processing apparatus 10 requests the management server 30 to transmit the setting file 1512 corresponding to the first application 151 and the second application 152 acquired in the process of step SB1, for example, by specifying a package name. The management server 30 reads the setting file 1512 stored in the storage unit 33 corresponding to the package name, and transmits it to the information processing apparatus 10.

Next, the information processing apparatus 10 uses the package names of the first application 151 and the second application 152 included in the setting file 1512 acquired in the process of step SB13, and the first application 151 acquired in the process of step SB1 and The validity of the second application 152 is verified (step SB6) (see the circled number “1” in FIG. 17).
Next, when the information processing apparatus 10 determines that the package names of the first application 151 and the second application 152 are valid based on the verification result of step SB6 (step SB7; YES), the CP included in the setting file 1512 The validity of the CP certificate 1513 is verified using the hash value of the certificate 1513 (step SB8) (see the circled number “2” in FIG. 17).

  Next, when the information processing apparatus 10 determines that the CP certificate 1513 added to the first application 151 is valid based on the verification result of Step SB8 (Step SB9; YES), the information processing apparatus 10 uses the CP certificate 1513. Then, the validity of the CP signature 1514 is verified (step SB10) (see the circled number “3” in FIG. 17).

Next, when the information processing apparatus 10 determines that the CP signature 1514 added to the first application 151 is valid based on the verification result of step SB10 (step SB11; YES), the first application 151 and the second application The linkage operation 152 is permitted (step SB12).
On the other hand, if the information processing apparatus 10 determines “NO” in any of steps SB3, SB5, SB7, SB9, or SB11, that is, if it is determined that any one of the verifications is not valid, the first application 151 and the second application 152 are not permitted to cooperate.

  According to the application management system 1 of the second embodiment described above, in addition to the effects described in the first embodiment, the CP server 20 signs the setting file, and the information processing apparatus 10 verifies the setting file. Steps SB2 and SB4 for verifying the characteristics can be omitted. For this reason, according to the application management system 1 of this embodiment, it is possible to further reduce the amount of processing necessary for verifying the validity of the application.

[Modification]
The present invention can be implemented in a form different from the above-described embodiment. The present invention can also be implemented in the following forms, for example. Further, the following modifications may be combined as appropriate.
(Modification 1)
In each embodiment described above, the management server 30 includes the hash value of the CP certificate 1513 in the setting file 1512 as verification data. However, the management server 30 may include the CP certificate 1513 in the setting file 1512 as verification data.
In this modification, the CP server 20 transmits the CP certificate 1513 instead of transmitting the hash value of the CP certificate 1513 in the process of step SA1. Then, the management server 30 may perform the processing performed using the hash value of the CP certificate 1513 in the first embodiment described above instead of the CP certificate 1513.
Note that the CP server 20 does not have to associate the CP certificate 1513 with the first application 151 in the process of step SA6.

FIG. 18 is an explanatory diagram of the contents of the application verification process when the verification data is the CP certificate 1513 in the configuration of the first embodiment.
As illustrated in FIG. 18, the information processing apparatus 10 verifies the validity of the CP signature 1514 by using the CP certificate 1513 included in the setting file 1512 in the same manner as in the first embodiment described above (FIG. 18). (See circle number “4”). Since the verification of the circled numbers “1” to “3” in FIG. 18 may be the same as in the first embodiment described above, the description thereof is omitted here.
Although description and illustration are omitted, in the application management system 1 of the second embodiment described above, the management server 30 may include the CP certificate 1513 as verification data in the setting file 1512.
As described above, the setting file 1512 of each embodiment described above may be provided at least by a communication carrier (second application provider). However, in the application management system 1, it is desirable that the setting file 1512 is configured with particularly reliable information, for example, that the validity of the setting file 1512 has been confirmed by the telecommunications carrier.

(Modification 2)
In the application management system 1 according to the first embodiment described above, the validity of the leaf certificate 1511 is verified using the intermediate certificate 1521. However, under the situation where the leaf certificate 1511 can be regarded as valid in advance. If so, this verification may be omitted.
In the application management system 1 according to the second embodiment described above, the management server 30 adds a TC signature 1512a that can be verified with the leaf certificate 1511 to the setting file 1512, and the leaf certificate 1511 and the setting file. 1512 may be provided to the CP server 20. In this case, the information processing apparatus 10 may verify the validity of the TC signature 1512a by the same method as the process in step SB4 of the first embodiment described above.

(Modification 3)
In each of the above-described embodiments, the management server 30 generates the setting file 1512 including the package name and the hash value of the CP certificate 1513 corresponding to one combination of a plurality of applications that operate in association with each other. Instead, the management server 30 may generate a setting file that includes a package name and a hash value of the CP certificate 1513 corresponding to a plurality of combinations of a plurality of applications that operate in association with each other. For example, the management server 30 may generate only one setting file for each CP server 20, or classifies the application in a specific group unit based on the genre of the application and sets one for each group. A file may be generated.
According to the application management system 1 of this modification, the number of executions of the setting file generation process can be reduced.

(Modification 4)
The provider of the application of the present invention is not limited to a telecommunications carrier or a content provider, and may be, for example, an individual. In the present invention, the attribute of the application provider is not particularly limited.
In the application management system 1 of each embodiment described above, the verification order in the application verification process may be changed within a range that does not interfere with the validity of the CP signature 1514.
Further, in the present invention, any kind of application that can perform the linkage operation and any function provided by the linkage operation may be used, or three or more applications may be linked. When three or more applications are linked and operated, package names corresponding to all of them are included in the setting file 1512.
In the present invention, the application identifier is not limited to information called a package name, but may be an identifier having an application identification function.
In the present invention, the method for verifying the validity of the electronic certificate and the method for verifying the validity of the electronic signature are not limited to the method of the above-described embodiment, and other known methods may be used. For example, in the above-described embodiment, the configuration using the private key and the public key may be replaced with a configuration using the public key. In the present invention, the method for generating an electronic signature and the algorithm for encryption are not particularly limited.

(Modification 5)
In each embodiment mentioned above, each function which control part 11 of information processor 10 and control part 31 of management server 30 realize is realized by combination of a plurality of programs, or by cooperation of a plurality of hardware resources. Can be realized.
The information processing apparatus and management apparatus of the present invention can also be understood as a program and information processing method executed by the computer and the control unit 11 and a program and management method executed by the computer and the control unit 31.

DESCRIPTION OF SYMBOLS 1 ... Application management system, 10 ... Information processing apparatus, 11 ... Control part, 111 ... Acquisition part, 112 ... Verification part, 113 ... Authorization part, 114 ... Application operation part, 12 ... Operation part, 13 ... Communication part, 14 ... Display unit 15 ... Storage unit 151 ... First application 1511 ... Leaf certificate 1512 ... Setting file 1512a ... TC signature 1513 ... CP certificate 1514 ... CP signature 152 ... Second application 1521 ... Intermediate Certificate, 20 ... CP server, 21 ... Control unit, 22 ... Communication unit, 23 ... Storage unit, 30 ... Management server, 31 ... Control unit, 311 ... Generation unit, 312 ... Signature unit, 313 ... Transmission control unit, 32 ... Communication unit, 33 ... Storage unit

Claims (10)

A storage unit for storing the first application to which the electronic signature of the first application provider is added and the second application provided by the second application provider;
An acquisition unit for acquiring a setting file including an application identifier indicating the first and second applications operating in cooperation with each other and verification data for verifying validity of the electronic signature;
An information processing apparatus comprising: a verification unit that verifies the validity of the electronic signature using the verification data of the setting file acquired by the acquisition unit. The information processing according to claim 1, further comprising: a permission unit that permits the linked operation of the first and second applications indicated by the application identifier of the acquired setting file based on whether the electronic signature is valid. apparatus. The storage unit
Storing the first electronic certificate issued to the second application provider in association with the first application;
The acquisition unit
Obtaining the setting file to which the electronic signature of the second application provider that can be verified for validity using the first electronic certificate is added;
The verification unit
The information processing apparatus according to claim 1, wherein the validity of the electronic signature added to the setting file is verified using the first electronic certificate. The storage unit
Storing a second electronic certificate associated with a higher rank than the first electronic certificate in a certificate chain in association with the second application;
The verification unit
The information processing apparatus according to claim 3, wherein the validity of the first electronic certificate is verified using the second electronic certificate. A communication unit that communicates with a management device that stores the setting file;
The acquisition unit
The information processing apparatus according to claim 1, wherein a setting file of the first application is acquired from the management apparatus through communication of the communication unit. The application storage unit
Storing a third electronic certificate issued to the first application provider and capable of verifying the validity of the electronic signature added to the first application;
The verification unit
Using the hash value of the third electronic certificate as the verification data, the validity of the third electronic certificate associated with the first application is verified, and the third electronic certificate is used. The information processing apparatus according to claim 1, wherein the validity of the electronic signature added to the first application is verified. The configuration file is
The application identifier and the verification data are included in correspondence with a plurality of combinations of the first and second applications that operate in cooperation with each other. 7. Information processing device. An application identifier indicating a first application provided by the first application provider and a second application provided by the second application provider and operating in conjunction with the first application; and the first application provider A generating unit that generates an electronic certificate issued to the server or a setting file including a hash value of the electronic certificate;
A signature unit for adding the electronic signature of the second application provider to the setting file generated by the generation unit;
A management apparatus comprising: a transmission unit that transmits the setting file to which the electronic signature has been added by the signature unit to a distribution device that distributes the first application in association with the setting file. An information processing method for an information processing apparatus for storing a first application to which an electronic signature of a first application provider is added and a second application provided by a second application provider,
An acquisition step of acquiring a setting file including an application identifier indicating the first and second applications operating in cooperation with each other and verification data for verifying the validity of the electronic signature;
And a verification step of verifying the validity of the electronic signature using the verification data of the setting file acquired in the acquisition step. In the computer of the information processing apparatus that stores the first application to which the electronic signature of the first application provider is added and the second application provided by the second application provider,
An acquisition step of acquiring a setting file including an application identifier indicating the first and second applications operating in cooperation with each other and verification data for verifying the validity of the electronic signature;
A program for executing the verification step of verifying the validity of the electronic signature using the verification data of the setting file acquired in the acquisition step.

Images