JP3912788B2 - TERMINAL DEVICE, PROGRAM FOR CONNECTING TERMINAL DEVICE TO OBJECT DEVICE, RECORDING MEDIUM RECORDING THE PROGRAM, TERMINAL CONNECTION METHOD - Google Patents

Description

  The present invention relates to a terminal device that automatically connects to a target device, or a device that allows a terminal device to automatically connect to a target device.

  As a system for automatically connecting a terminal computer to a predetermined server computer, for example, there is an automatic connection system described in Patent Document 1.

The terminal computer refers to the connection information file at the time of connection, and connects to the server computer corresponding to the connection information when the connection information is within the expiration date. When the connection information is not within the expiration date, the connection information is connected to the specific server computer, the connection information is downloaded, registered in the connection information file, and connected to the server computer corresponding to the connection information.
Japanese Patent Laid-Open No. 10-171756

  However, in the above automatic connection system, the user must consider communication means (for example, a modem or a LAN) according to the location of the terminal computer, and the user is automatically aware of the predetermined server computer without any awareness. It cannot be connected.

  The present invention solves such problems and provides a terminal device and the like that can be connected to a target device without the user being aware of the communication means according to the location of the terminal device and without considering the connection procedure. For the purpose.

(1) A terminal device according to the present invention is capable of communicating with a target device, and for each device for position determination, a position determination table in which the address, response data, and location are stored with a determination order, and a communication method A terminal device having a connection procedure table in which a current position and a connection process for connecting to a target device are stored in association with each other, and 1) a communication method storage means for storing a communication method of the terminal device from a communication method detecting means for detecting a communication method of the terminal device, 2) by referring to said position determination table, for each position discrimination device, consistent with the response data stored in the position determination table response until the data is acquired, the on determination rank order, the response data acquisition means for reading the address attempts to acquire the response data from the respective position discrimination device, 3) the position From another table, the location corresponding to the response data the match, a position determining means for obtaining a current position of the terminal device, 4) before SL connection procedure table, the current position of the detected communication method and the terminal device A connection processing unit that executes a corresponding connection process , and 5) acquisition of response data by the response data acquisition unit, acquisition of a current position by the position determination unit, until the connection processing unit determines that the connection is complete, And the connection processing by the connection processing means is repeated.

  Therefore, since the connection process according to the current position of the terminal device is performed, the user is not aware of the communication means (for example, a modem or a LAN) according to the current position of the terminal device and considers the connection procedure. Without connecting the terminal device to the target device.

Delete

Delete

(2) (9) A program according to the present invention provides a computer capable of communicating with a target device .
1) A position determination table in which the address, response data, and location are stored with a determination order for each position determination device, and 2) a communication method, a current position, and a connection process for connecting to the target device. a connection procedure tables stored in association with the, from the communication method storage means for storing 3) communication method of the computer, and a communication method detecting means for detecting a communication method of the computer, 4) the position determination table Referring to each position determination device , each address determination device reads out the addresses in the order of determination until response data matching the response data stored in the position determination table is acquired. Response data acquisition means for attempting to acquire response data from 5), and from the position determination table, the location corresponding to the acquired response data is Comprising a position determining means for obtaining a current position of Yuta, in 6) before SL connection procedure table, a connection processing means for executing a connection process corresponding to the current position of the detected communication method and the terminal device, wherein the connection A program for functioning as a device that repeats acquisition of response data by the response data acquisition unit, acquisition of a current position by the position determination unit, and connection processing by the connection processing unit until it is determined that the connection is completed by the processing unit It is.

  Therefore, by executing such a program, the terminal device can be connected to the target device regardless of the position of the terminal device or the communication means.

( 3 ) In the program according to the present invention , the position determining means acquires the following positions 1) to 3) as the current position of the computer : 1) Into the intranet to which the target device is connected 2) A position that can be connected, 2) a position that is outside the intranet to which the target device is connected and can be connected to the Internet, and 3) a position that is outside the intranet to which the target device is connected and can be connected to a wireless LAN. Thereby, the connection process according to the positions of the computers 1) to 3) can be performed.

( 4 ) In the program according to the present invention , the computer can be connected to the Internet via a wireless LAN, and the connection processing means is such that the current position of the computer is outside the intranet to which the target device is connected. When the wireless LAN can be connected, the computer is connected to the gateway device via the wireless LAN, and the gateway device establishes a connection between the Internet and the computer . Thus, when the computer is in a position where it can be connected to the wireless LAN, the computer can be automatically connected to the Internet.

( 5 ) In the program according to the present invention , the computer can be connected to the relay device via the Internet, and the connection processing means has a current position of the computer outside the intranet to which the target device is connected. When the computer is connected to the Internet, the computer is connected to the relay device via the Internet, and the connection between the intranet and the computer is established by the relay device.

  Thereby, when the terminal device is in a position where it can be connected to the Internet, the terminal device can be automatically connected to the intranet by the relay device. For example, a VPN (Virtual Private Network) between the terminal device and the intranet can be established.

Delete

( 6 ) In the program according to the present invention , the connection procedure table stores a current position and a connection process in which a plurality of priorities are set, and the connection processing means sets the current position in descending order of priority. A corresponding connection process is executed.

  Thereby, it is possible to connect to the position determination device based on the priority and to perform a connection process for making it possible to access a place at a stage closer to the target device.

( 7 ) In the program according to the present invention , the position determination device is a target device. That is, the response data acquisition means can connect the computer to the target apparatus using the address of the target apparatus (address of the position determination apparatus).

( 8 ) In the program according to the present invention, the check result obtained by checking the trust state of the terminal in the computer based on the predetermined check item data is acquired, and further, the computer is requested to authenticate to the target device accompanying the check result. In this case, the target device is provided with means for authenticating the trust state of the terminal in the computer based on the check result from the computer .

  Therefore, even if the terminal is in an unknown state, the user can perform appropriate authentication for the terminal simply by connecting the mobile device to the terminal. Thereby, it is possible to select only a safe third party terminal and receive authentication for connecting to a predetermined network. For example, it is possible to guarantee the safety of an Internet cafe terminal and connect it to a corporate network.

  Also, the user can carry a lightweight portable device such as a USB key and connect to a predetermined network from a terminal on the go. This eliminates the need to carry around a terminal such as a computer device.

(10) A terminal connection method according to the present invention is a terminal connection method for connecting a terminal device communicable with a target device to the target device. The terminal device has an address, a response, and a response for each position determination device. It is possible to access a position determination table in which data and place are stored with a determination order , and a connection procedure table in which a communication method, a current position, and a connection process for connecting to a target device are stored in association with each other. In addition, the communication method of the terminal device is stored in a storage unit, and the terminal device 1) processing for detecting the communication method of the terminal device stored in the storage unit, and 2) the position determination table see, the respective position discrimination device, until said response data matches the response data stored in the position determination table is acquired, the determination order order, before A response data acquisition process tries to obtain the response data from the respective position discrimination device reads the address, 3) obtained from the position determination table, the location corresponding to the response data the match, as the current position of the terminal device a process of, 4) before SL connection procedure table, and executes the connection process corresponding to the current position of the detected communication method and the terminal device, 5) the response data acquisition process, the process of obtaining the current position, and The connection process is repeatedly executed until it is determined that the connection is completed in the connection process .

  Therefore, the terminal device can be connected to the target device regardless of the position of the terminal device and the communication means.

  In the present invention, the “terminal device” corresponds to the home PC 300, the hotel PC 400, the company PC 100, and the portable information terminal 500 in the first embodiment described below. The “target device” is a device to which the terminal device is to connect, and corresponds to the in-house server 12 and the VPN server 200 in the intranet 10 in the first embodiment described below.

  The “position determination device” is a device that transmits response data to a terminal device, and corresponds to the external server 250, the internal server 12, and the gateway computer 550 on the Internet in the first embodiment described below. A “relay device” establishes a connection between an intranet to which a target device is connected and a terminal device, and corresponds to the VPN server 200 in the first embodiment described below.

  The “position determination table” is a table in which the address of the position determination device, response data, and location are stored in association with each other, and corresponds to the position determination table shown in FIG. The “connection procedure table” is a table in which a communication method, a current position, and a connection process for connecting to a target device are stored in association with each other. In the first embodiment below, the connection method table shown in FIG. It corresponds to.

  The “communication method detection means” is means for detecting the communication method of the terminal device, and corresponds to a CPU such as a home PC 300 or a company PC 100 that executes step S10 in FIG. The “response data acquisition means” is means for acquiring response data by connecting to a position discriminating apparatus. In the first embodiment described below, steps S24 and S26, S30 and S32 in FIG. This corresponds to the CPU of home PC 300, company PC 100, etc. that executes S38.

  “Position determining means” is means for acquiring the location corresponding to the response data from the position determination table as the current position of the terminal device. In the first embodiment, the home PC 300 and the company PC 100 that execute step S40 in FIG. It corresponds to the CPU. The “connection processing means” is means for executing connection processing corresponding to the communication method in the connection procedure table and the current position of the terminal device. In the first embodiment below, the home PC 300, company that executes step S58 in FIG. Corresponds to CPU such as PC100.

  The “connection process for connecting to the target device” is a concept including processing for connecting to a device, a network, or the like on the route to the target device. In the first embodiment described below, this corresponds to a CPU such as a home PC 300 or a company PC 100 that executes step S58 in FIG. In other words, this corresponds to connection to the VPN server 200 and login ID input processing.

  “Check item data” is data in which items for checking the state of the terminal are recorded. The “check result” is data indicating a result of checking the state of the terminal based on the check item data, and is data represented by numerical information or character information.

  The “program” is a concept that includes not only a program that can be directly executed by the CPU but also a program in a source format, a compressed program, an encrypted program, and the like.

A Embodiment 1
1. Overall Configuration FIG. 1a shows a configuration example of an entire system including a terminal device and a target device according to the present invention. In the company, a LAN (Local Area Network) having an in-house server 12 and a plurality of company PCs is functioned as an intranet 10.

  The in-house server 12 provides information to employees and manages employee information (for example, provision of schedule information through a bulletin board or the like). Employees share information held by the internal server 12 by connecting to the internal server 12 from the company PC.

  In the company, the company PC 100 is connected to the intranet 10 via a wired LAN and a HUB. The VPN server 200, the external server 250, the home PC 300, and the hotel PC 400 are connected to the Internet.

  The VPN server 200 connects a terminal device to be connected to the in-house server 12 via the Internet to the intranet 10. It has a function of authenticating the user of the terminal device and is installed in the service center.

  Further, the external server 250 manages a company HP (XX company portal) that publishes information (for example, product information, employment information, etc.) for general public viewing.

  The home PC 300 and the company PC 100 are terminal devices used to connect to the in-house server 12 in the intranet 10 via the Internet by a USB device 600 described later.

  The portable information terminal 500 can be connected to the Internet via a public wireless LAN 520 and a gateway computer 550. This is a terminal device used to connect to the intranet 10 (in-house server 12) via the public wireless LAN 520.

  The USB device 600 realizes automatic connection from the terminal device to the in-house server 12 in the intranet 10. As shown in FIG. 1b, the user can connect to the in-house server 12 without being aware of the communication means (LAN, Internet, etc.) simply by attaching the USB device 600 to the terminal device.

2. Hardware Configuration FIG. 2A shows a hardware configuration example of the home PC 300. The home PC 300 includes a CPU 320, a display 322, a mouse / keyboard 324, a memory 326, a hard disk 328, a USB connector 330 connected to the USB device 600, a communication interface 332, and the like connected via a bus line. The communication interface 332 of the home PC 300 is a modem. The hard disk 328 stores a browser program for connecting to the Internet, an operating system (OS), and the like.
FIG. 2B shows a hardware configuration example of the USB device 600. The USB device 600 includes a ROM 620, a RAM 622, a USB connector 624, and the like that store automatic connection software connected via a bus line. The CPU of the terminal device (home PC 300, company PC 100, etc.) to which the USB device 600 is attached executes automatic connection processing, which will be described later, according to automatic connection software.

  The automatic connection software records the position determination table, connection method table, MAC address of in-house server 12, IP address of VPN server 200, telephone number for dial-up connection, user ID, login ID, which will be described later, etc. ing.

  The hardware configuration of company PC 100 is basically the same as that shown in FIG. 2A, and its communication interface is a LAN cable. The hardware configuration of the hotel PC 400 is basically the same as that shown in FIG. 2A, and its communication interface is a modem.

  The hardware configuration of the VPN server 200 is basically the same as that shown in FIG. 2A. The hard disk stores a user DB 220 for accumulating user information, an authentication program for authenticating a user based on a user ID received from the terminal device, and the like. The hardware configuration of portable information terminal 500 is basically the same as that shown in FIG. 2A, and includes a wireless LAN card for performing wireless communication.

3. Automatic connection processing The following describes each processing when the USB device 600 is connected to the in-house server 12 in the intranet 10 by attaching it to the home PC 300, the company PC 100, and the portable information terminal 500. .
(1) Connection from Home PC 300 FIGS. 3A and 3B are schematic diagrams of the overall flow and processing when automatic connection from the home PC 300 to the in-house server 12 is performed. The user attaches the USB device 600 to the home PC 300. Thereby, the CPU 320 of the home PC 300 determines the communication method of the home PC 300 according to the automatic connection software stored in the USB device 600 (step S10 in FIG. 3a). That is, an inquiry is made to the operating system (OS) of the home PC 300 to determine “modem”.
Next, the CPU 320 executes current position determination processing shown in FIGS. 4 and 5 (step S12 in FIG. 3a). The CPU 320 refers to the data of the determination order 1 in the position determination table shown in FIG. 6 (step S20 in FIG. 4). Since the MAC address “00: 11: 22: 33: 44: 55” is specified, an attempt is made to connect to the computer having this MAC address (steps S22 and S24 in FIG. 4). This MAC address “00: 11: 22: 33: 44: 55” is the address of the in-house server 12 in the intranet 10. Therefore, the response cannot be received (connection cannot be made), and the process proceeds to step S42 in FIG. 4 (steps S26 and S42 in FIG. 4).

  The CPU 320 refers to the next determination order 2 data in the position determination table of FIG. 6 (step S42 in FIG. 4). Since the MAC address is indefinite, the process proceeds to step S28 to determine whether the IP address is indefinite (steps S22 and S28 in FIG. 4). Since the IP address “211.211.211.5” has been specified, an attempt is made to connect to the computer of this IP address (step S30 in FIG. 4, (i) in FIG. 3b). This IP address is that of the external server 250 on the Internet, and the HP of company XX is transmitted to the home PC 300 ((ii) in FIG. 3b). It is determined that this response matches the TCP page “XX company portal” in the position determination table of FIG. 6 (step S32 in FIG. 4).

  Next, the process proceeds to step S40 in FIG. 5, and the location “external network (Internet)” is determined as the current position from the position determination table in FIG. That is, because the home PC 300 is connected to the external server 250 on the Internet, the current position is determined as “external network (Internet)”. Thus, the current position determination process (FIG. 3a, step S12) is terminated, and then the connection process corresponding to the current position shown in FIG. 7 is executed (step S14 in FIG. 3a).

  Since the communication method “modem” is determined in step S10 of FIG. 3a, the location of the communication method “modem” column in the connection method table shown in FIG. 8 is matched with the current position “external net (Internet)” of the home PC 300.

  First, in the connection method table, it is determined whether or not the location “intranet” having the priority “1” matches the current position “external network (Internet)”, and determines that they do not match (steps S50 and S52 in FIG. 7). ). In this case, the process proceeds to the next priority “2”, and it is determined whether or not the location “Internet” with the priority “2” matches the current position “external network (Internet)” (step S54 in FIG. 7). S52). The CPU 320 determines that they match.

  Next, it is determined whether or not the process of the priority “2” in which the place and the current position match is completed (step S56 in FIG. 7). Since the processing of the priority “2” is “VPN connection”, it is determined that the connection is not completed, and the process proceeds to step S58.

  The CPU 320 connects from the home PC 300 to the VPN server 200 of the service center via the Internet in order to execute the process “VPN connection” with the priority “2” (step S58 in FIG. 7, (iii) in FIG. 3b). The VPN server 200 transmits the user ID recorded in the automatic connection software. In the dial-up connection method, the telephone number recorded in the automatic connection software is used.

The VPN server 200 authenticates the user of the home PC 300 based on the user DB 220. Then, a VPN (Virtual Private Network) is established between the home PC 300 and the intranet 10, and connection permission is returned to the home PC 300 ((iv) (v) in FIG. 3b).

  Thus, the connection process corresponding to the current position (step S14 in FIG. 3A) is terminated, and then it is determined whether or not the process completion flag is set (step S16 in FIG. 3A). This processing completion flag is set when the terminal device (home PC 300) is connected to the in-house server 12 (see steps S56, S60, and S62 in FIG. 7).

  Here, since the processing completion flag is not set, the process returns to step S10 in FIG. 3a, and the CPU 320 determines the communication method “modem” of the home PC 300.

  Next, the CPU 320 executes the current position determination process shown in FIGS. 4 and 5 again (step S12 in FIG. 3a). The CPU 320 refers to the data of the determination order 1 in the position determination table shown in FIG. 6 (step S20 in FIG. 4). Since the MAC address “00: 11: 22: 33: 44: 55” has been specified, an attempt is made to connect to the in-house server 12 with this MAC address (steps S22 and S24 in FIG. 4).

  Here, since the home PC 300 has established a VPN connection with the intranet 10 via the VPN server 200, the home PC 300 receives a response from the in-house server 12 and proceeds to step S40 in FIG. 5 (step S26 in FIG. 4).

  Thereby, the location “intranet” is determined as the current position of the home PC 300 from the position determination table of FIG. 6 (step S40 in FIG. 5). Next, connection processing corresponding to the current position shown in FIG. 7 is executed (step S14 in FIG. 3a).

  Since the communication method “modem” is determined in step S10 in FIG. 3a, the location of the communication method “modem” column in the connection method table shown in FIG. 8 is matched with the current position “intranet” of the home PC 300. It is determined that the place “intranet” having the priority “1” matches the current position “intranet” (step S52 in FIG. 7).

  Next, the process of priority “1” in which the location and the current position match is determined to be “connection complete”, and a connection completion message is displayed (steps S56 and S60 in FIG. 7). Further, a connection completion flag is set (step S62 in FIG. 7). In step S16 in FIG. 3a, it is determined that the processing completion flag is set, and the processing by the automatic connection software is terminated.

  As described above, the user can automatically establish a connection between the home PC 300 and the in-house server 12 without being aware of the communication means (modem) of the home PC 300 and without considering the connection procedure.

  Note that the process when the hotel apparatus 400 automatically connects to the in-house server 12 using the USB device 600 is the same as the process described above. Further, before connecting to the VPN server 200, the connection state of the VPN server 200 may be confirmed by specifying and executing the IP address of the VPN server 200 in the ping command.

(2) Connection from company PC 100 A case where the company PC 100 automatically connects to the in-house server 12 will be described below. The USB device 600 is attached to the company PC 100, and the CPU of the company PC 100 makes an inquiry to the operating system (OS) to determine “Ethernet (trademark)” (LAN cable) (step S10 in FIG. 3a).
Next, the CPU of the company PC 100 executes the current position determination process shown in FIGS. 4 and 5 (step S12 in FIG. 3a). The CPU refers to the data of the determination order 1 in the position determination table shown in FIG. 6 and tries to connect to the in-house server 12 with the MAC address “00: 11: 22: 33: 44: 55” (step S20 in FIG. 4). S22, S24). Here, since the company PC 100 is connected to the intranet 10 via the wired LAN, the company PC 100 receives a response from the in-house server 12 and proceeds to step S40 in FIG. 5 (step S26 in FIG. 4).

  Thereby, the location “intranet” is determined as the current position of the company PC 100 from the position determination table of FIG. 6, and the connection process corresponding to the current position shown in FIG. 7 is executed (step S40 in FIG. 5, step S14 in FIG. 3a). .

  Since it is determined that the communication method is “Ethernet”, the location of the communication method “Ethernet” column in the connection method table shown in FIG. 8 is matched with the current position “Intranet” of the company PC 100. It is determined that the place “intranet” having the priority “1” matches the current position “intranet” (step S52 in FIG. 7).

  Next, the processing of the priority “1” in which the location and the current position coincide with each other is determined to be “connection completion”, and a connection completion message is displayed and a connection completion flag is set (FIG. 7, steps S56, S60, S62). In step S16 in FIG. 3a, it is determined that the processing completion flag is set, and the processing by the automatic connection software is terminated.

(3) Connection from portable information terminal 500 Hereinafter, a case where automatic connection from the portable information terminal 500 to the in-house server 12 will be described. FIG. 9 shows an outline of processing among the portable information terminal 500, the gateway computer 550, and the VPN server 200. By attaching the USB device 600 to the portable information terminal 500, the CPU of the portable information terminal 500 makes an inquiry to the operating system (OS) and determines the communication method “wireless LAN” (step S10 in FIG. 3a).
Next, the CPU of the portable information terminal 500 executes the current position determination process shown in FIGS. 4 and 5 (step S12 in FIG. 3a). The CPU refers to the data of the determination order 1 in the position determination table shown in FIG. 6 and tries to connect to the in-house server 12 with the MAC address “00: 11: 22: 33: 44: 55” (step S20 in FIG. 4). S22, S24). Since there is no response, the next data in the determination order 2 is referred to (step S42 in FIG. 4).

  Since the MAC address is indefinite and the IP address “211.211.211.5” is specified, the CPU tries to connect to the external server 250 of this IP address (steps S22, S28, and S30 in FIG. 4). Here, since portable information terminal 500 is not connected to the Internet, it cannot receive a response. Therefore, the next data in the determination order 3 is referred to (step S42 in FIG. 4).

  Since the MAC address is indefinite and the IP addresses “192.168.1.1, 192.168.1.2” are specified, the CPU tries to connect to the computers having these IP addresses (steps S22, S28, S30 in FIG. 4). These IP addresses are the IP addresses of the computers in the intranet 10. Here, since portable information terminal 500 is not connected to intranet 10, it cannot receive a response. Therefore, the next data in the determination order 4 is referred to (step S42 in FIG. 4).

  Since the CPU has an indefinite MAC address and IP address and the TCP message “login message” has been specified, the CPU connects to the gateway computer 550 via the public wireless LAN 520 (steps S22 and S28 in FIG. 4 and step S34 in FIG. 5). , S36). The gateway computer 550 is connected by using a predetermined IP address stored in the automatic connection software.

  Thereby, portable information terminal 500 receives the login message from gateway computer 550 (steps S70 and S72 in FIG. 9). It is determined that this response matches the TCP page “login message” in the position determination table in FIG. 6 (step S38 in FIG. 5). Then, the location “external network (public wireless LAN)” is determined as the current position of the portable information terminal 500 from the position determination table in FIG. 6 (step S40 in FIG. 5). Next, connection processing corresponding to the current position shown in FIG. 7 is executed (step S14 in FIG. 3a).

  Since the communication method is “wireless LAN”, matching between the location of the communication method “wireless LAN” column in the connection method table shown in FIG. 8 and the current position “external network (public wireless LAN)” of the portable information terminal 500 is performed. Do.

  First, in the connection method table, the place of priority “1 to 3” does not match the current position “external network (public wireless LAN)” (steps S52 and S54 in FIG. 7). It is determined that the location “external net (public wireless LAN)” with the priority “4” matches the current position “external net (public wireless LAN)” (step S52 in FIG. 7).

  Next, since the process “login ID input” with the priority “4” in which the location and the current position coincide with each other is not completed, the login ID input process is executed (step S58 in FIG. 7). That is, the CPU inputs the login ID stored in the automatic connection software. As a result, the portable information terminal 500 is connected to the Internet via the wireless public LAN 520 and the gateway computer 550 (steps S74 and S76 in FIG. 9).

  Thus, the connection process corresponding to the current position (step S14 in FIG. 3a) is terminated, and it is determined whether or not the process completion flag is set (step S16 in FIG. 3a). Since the processing completion flag is not set, the process returns to step S10 in FIG. 3a, and the CPU determines the communication method “wireless LAN”.

  Next, the CPU executes current position determination processing shown in FIGS. 4 and 5 (step S12 in FIG. 3a). The CPU refers to the data of the determination order 1 in the position determination table shown in FIG. 6 and tries to connect to the in-house server 12 with the MAC address “00: 11: 22: 33: 44: 55” (step S20 in FIG. 4). S22, S24). Since there is no response, the next data in the determination order 2 is referred to (step S42 in FIG. 4).

  The CPU has an undefined MAC address and tries to connect to the external server 250 with the IP address “211.211.211.5” (steps S22, S28, and S30 in FIG. 4). Here, since portable information terminal 500 is connected to the Internet through the above-described processing, it receives a response from external server 250. This response is determined to match the TCP page “XX company portal” in the position determination table of FIG. 6 (step S32 in FIG. 4).

  Next, the process proceeds to step S40 in FIG. 5, and the location “external network (Internet)” is determined as the current position of the portable information terminal 500 from the position determination table in FIG. Next, connection processing corresponding to the current position shown in FIG. 7 is executed (step S14 in FIG. 3a).

  Since the communication method is “wireless LAN”, the location of the communication method “wireless LAN” column in the connection method table shown in FIG. 8 is matched with the current position “external network (Internet)” of the portable information terminal 500.

  First, in the connection method table, it is determined that the place “intranet” having the priority “1” does not match the current position “external net (Internet)” (step S52 in FIG. 7). It is determined that the location “Internet” of the next priority “2” matches the current position “external net (Internet)” (steps S54 and S52 in FIG. 7).

  Next, it is determined that the process of priority “2” in which the location matches the current position is not completed, and the process of “priority“ 2 ”“ VPN connection ”is executed. (Steps S56 and S58 in FIG. 7). The VPN server 200 establishes a VPN between the portable information terminal 500 and the intranet 10, and returns a connection permission to the portable information terminal 500 (steps S78 and S80 in FIG. 9).

  Thus, the connection process corresponding to the current position (step S14 in FIG. 3a) is terminated, and it is determined whether or not the process completion flag is set (step S16 in FIG. 3a). Since the processing completion flag is not set, the process returns to step S10 in FIG. 3a, and the CPU determines the communication method “wireless LAN”.

  Next, the CPU executes the current position determination process shown in FIGS. 4 and 5 again (step S12 in FIG. 3a). The CPU refers to the data of the determination order 1 in the position determination table shown in FIG. 6 and tries to connect to the in-house server 12 with the MAC address “00: 11: 22: 33: 44: 55” (step S20 in FIG. 4). S22, S24).

  Here, since the portable information terminal 500 has established a VPN connection with the intranet 10 via the VPN server 200, the mobile information terminal 500 receives a response from the in-house server 12 (step S26 in FIG. 4), moves to step S40 in FIG. The location “intranet” is determined as the current position of the portable information terminal 500 from the position determination table of FIG. Next, connection processing corresponding to the current position shown in FIG. 7 is executed (step S14 in FIG. 3a).

  Since the communication method is “wireless LAN”, the location of the communication method “wireless LAN” column in the connection method table shown in FIG. 8 is matched with the current position “intranet” of the portable information terminal 500. It is determined that the place “intranet” having the priority “1” matches the current position “intranet” (step S52 in FIG. 7).

  Next, the processing of the priority “1” in which the location and the current position coincide with each other is determined to be “connection completion”, and a connection completion message is displayed and a connection completion flag is set (FIG. 7, steps S56, S60, S62). In step S16 in FIG. 3a, it is determined that the processing completion flag is set, and the processing by the automatic connection software is terminated.

  As described above, the user automatically establishes the connection between the portable information terminal 500 and the in-house server 12 without being aware of the communication means (wireless LAN) of the portable information terminal 500 and without considering the connection procedure. be able to.

(4) Other Examples In the above-described embodiment, the system configuration in which the VPN server 200 of the service center and the intranet including the in-house server 12 are connected via the Internet is described as an example. However, as shown in FIG. 10, the present invention can also be applied to a system in which the VPN server 200 and the intranet are connected by a dedicated line.
Further, in the above-described embodiment, a case has been described in which the USB device 600 is attached to the terminal device, and the connection between the terminal device and the in-house server 12 is automatically performed. However, instead of using the USB device 600, the terminal device itself may store the automatic connection software and execute the above-described automatic connection processing.

  In the above-described embodiment, the USB device 600 capable of USB connection is described as an example of the connection device. However, any device that can be connected to a terminal device regardless of wired wireless communication may be used. For example, a PC card, various memory cards, an IC card, an IC chip, or a mobile phone incorporating these is applicable. Further, when connecting by wire, a terminal port other than a USB connector (for example, IEEE1394 port, serial port, parallel port, etc.) may be used.

  Further, in the above-described embodiment, in the position determination table (determination order 1) of FIG. 6, connection is made to the internal server 12 (MAC address “00: 11: 22: 33: 44: 55”) that is the final connection target. Is determined based on the presence / absence of the response, whether or not the current position of the terminal device is the intranet 10 (steps S24 and S26 in FIG. 4 and step S40 in FIG. 5). However, it may be determined whether or not the current position of the terminal device is the intranet 10 by attempting to connect to any computer in the intranet 10.

  In the above-described embodiment, a case where one communication method is determined for each terminal device (for example, the communication method “modem” for the home PC 300) is described (step S10 in FIG. 3a). However, a plurality of communication methods may be determined. For example, priorities may be set for a plurality of communication methods, and the connection processing illustrated in FIG. 7 may be performed in order from the communication method with the highest priority. For example, when the connection process of step S58 in FIG. 7 fails due to the communication method “modem” with the priority “1” (or fails when executed several times), the communication method “wireless LAN” with the next highest priority is used. The connection process is performed.

  Further, in the current position determination process shown in FIGS. 4 and 5, the process proceeds to the determination order “5” in the position determination table of FIG. 6, and the current position of the terminal device is determined to be “external net (unknown)”. is there. The connection process in this case is shown in FIG.

  Since the process proceeds to the priority “3” in the connection method table of FIG. 8 and matches at the place “unknown” (step S104 in FIG. 11), the process is “the communication method of the next order” (step S108 in FIG. 11). For this reason, it shifts to the communication method with the next highest priority, and the connection process is executed (steps S118 and S120 in FIG. 11). If connection cannot be established by all communication methods, a connection impossible message is displayed and a processing completion flag is set (steps S122 and S124 in FIG. 11).

  Further, the USB device 600 shown in the above embodiment may be provided with a button for inputting a start command for automatic connection processing. In the above-described embodiment, the automatic connection software of the USB device 600 realizes the above function in cooperation with the operating of the home PC 300 or the like. However, part or all of the functions may be realized solely by the automatic connection software.

B Embodiment 2
Below, a description will be given of a USB device (hereinafter referred to as a portable device 711) provided with a program and a CPU for checking the terminal status in the terminal device and authenticating it together with the above-described automatic connection software.
1. Overall Configuration FIG. 12 shows the overall configuration of the system in this embodiment. In this system, when the portable device 711 is attached to the terminal 713 connected to the Internet, the terminal state is automatically authenticated by the VPN server 717.
The mobile device 711 is a USB (Universal Serial Bus) device owned by the user, and can be connected to an arbitrary computer device having a USB port by USB.

  The terminal 713 is a computer device installed in an Internet cafe or the like, and can be connected to the Internet via a communication line. In addition, the terminal 713 includes a USB port for connection with the portable device 711.

  The check item server 715 is a computer device installed in an authentication service provider or the like, and can be connected to the Internet via a communication line. The check item server 715 records check item data 716 for the portable device 711 to check the terminal state of the terminal 713.

  The VPN server 717 is a computer device installed at an authentication service provider or the like, and can be connected to the Internet via a communication line. The VPN server 717 determines whether or not the terminal 13 can authenticate the terminal state, and establishes a VPN between the terminal 13 and the intranet 10. Further, an authentication program 718 for authenticating the terminal 713 is recorded.

  Note that the terminal 713, the check item server 715, and the VPN server 717 can communicate with each other via the Internet.

  FIG. 13 shows an example in which a USB device 750 that is a portable device 711 is connected to a personal computer 760 that is a terminal 713.

  The USB device 750 is used by being connected to the USB port 761 of the personal computer 760. As shown in the figure, the USB device 750 is large enough to be easily carried by the user.

2. Outline of Processing FIG. 14 shows processing in this embodiment. A user who has a portable device 711 connects the portable device 711 to a connection port when using a so-called public terminal installed in an Internet cafe or the like. For example, when the portable device 711 is a USB device, it is connected to the USB port of the terminal 713.
When the portable device 711 is connected, a predetermined program group recorded in the portable device 711 is executed on the CPU of the terminal 713 by an automatic start processing function that is an OS function in the terminal 713.

  The CPU of the terminal 713 performs the above-described communication method determination process and the current position determination process of the terminal 713 to determine whether the current position of the terminal 713 is “Internet” (steps S800, S802, and S804).

  If the current position of the terminal 713 is “Internet”, the CPU of the terminal 713 connects to the check item server 715 in accordance with the program of the portable device 711 and acquires the check item data 716 (step S806). The check item data 716 describes a plurality of check items to be checked, such as terminal OS information, application software version information, and presence / absence of virus check.

  The CPU of the terminal 713 executes a terminal state check process based on the acquired check item data 716, and records a check result for each check item (step S808).

  The CPU of the terminal 713 performs connection processing according to the current position of the terminal 713 described above, and connects to the VPN server 717 (step S810).

  If the recorded check result clears the predetermined standard, it is determined that the terminal state of the terminal 713 is reliable, and an authentication request is transmitted to the VPN server 717 (step S812).

  In response to the authentication request, the VPN server 717 transmits an arbitrary random number to the terminal 713.

  Upon receipt of the transmission, the portable device 711 creates a message digest from both the received random number data and the check result data for checking the terminal status, and encrypts it with the secret key recorded in the portable device 711. Create electronic signature data.

  The terminal 713 adds the electronic signature data to the random number data and the check result data, and transmits it to the VPN server 717.

  Upon receiving the transmission, the VPN server 717 decrypts the electronic signature data with the public key corresponding to the secret key recorded in the portable device 711, and obtains a message digest. If the decrypted message digest matches the message digest created from the transmission data, the information content of the data received from the terminal 713 and the validity of the sender can be confirmed.

  If the validity is confirmed, the VPN server 717 activates the recorded authentication program 718 to determine whether or not the random number received from the terminal 713 matches the random number previously transmitted to the terminal 713. In this case, it is further determined whether or not the check result of the terminal state clears a predetermined standard, and if it is cleared, permission to connect to the intranet 10 is given (steps S814 and S816). . That is, a VPN between the terminal 713 and the intranet 10 is established.

  After that, the terminal 713 again performs the above-described current position determination process and connection process according to the current position, and connects to the in-house server 12 in the intranet 10 (steps S818, S820, S822).

  In step S802, if the current position of the terminal 713 is not the Internet, the terminal status check process is executed based on the check item data recorded in advance in the portable device 711. Connection processing is performed (steps S824, S826, S820, S822).

3. Hardware configuration
(1) Mobile Device FIG. 15 is a hardware configuration diagram of the mobile device 711. The portable device 711 is a USB device including two internal buses. The first bus 711I is connected to the first RAM 711c, the first ROM 711d, and the communication port 711h, and the second bus 711J is connected to the second RAM 711a, A second ROM 711b, a secret key storage device 711e, and a CPU 711f are connected. Further, a dual port memory 711g is connected to both the first bus 711I and the second bus 711J.

  The first RAM 711c stores check item data 2051 acquired from the check item server 715 and check result data 2053 created during the terminal status check process.

  In the first ROM 711d, the above-described automatic connection software, the check item acquisition program 2071 for acquiring check item data from the check item server 715, the terminal state check program 2073 for checking the terminal state of the terminal 713, and the terminal 713 include the VPN server 717. Are recorded an authentication request program 2075 for making an authentication request and a user data deletion program 2077 for deleting user usage history data and the like in the terminal 713.

  In the second ROM 711b, an electronic signature program for applying an electronic signature to predetermined data using a private key recorded in the private key storage device 711e is recorded.

  The secret key storage device 711e is composed of a memory that cannot be written unless a special device is used. For example, PROM, EPROM, EEPROM, UV-EPROM, etc. correspond to this.

  Note that the secret key storage device 711e may be configured from a memory having a circuit that cannot be written to or read from unless a special process is performed. For example, a memory device having a circuit that cannot input / output data unless a password is input corresponds to this.

  The private key storage device 711e records a private key used for an electronic signature and data of an electronic certificate issued from a certificate authority.

  By connecting the first bus 711I and the second bus 711J by the dual port memory 711g, the CPU of the other device connected to the first bus 711I via the communication port is connected to the second bus 711J. It is possible to prevent direct access to various devices. As a result, the private key storage device 711 in which the electronic certificate is stored can be concealed to provide a highly secure configuration.

  The dual port memory 213 has at least two interrupt lines (A interrupt and B interrupt) for making an interrupt request to the CPU 711f.

(2) Terminal FIG. 16 shows a hardware configuration diagram of the terminal 713. This apparatus includes a display 713a, a CPU 713b, a memory 713c, a keyboard / mouse 713d, a hard disk 713e, a communication port 713f, and a communication circuit 713g.
Application programs such as a browser program, an e-mail program, and a virus check program are recorded on the hard disk 713e.

  The communication port 713f is a device to which the portable device 711 is connected. For example, when the portable device 711 is a USB device, the USB port corresponds to this.

(3) Check Item Server FIG. 17 shows a hardware configuration diagram of the check item server 715. This apparatus includes a display 715a, a CPU 715b, a memory 715c, a keyboard / mouse 715d, a hard disk 715e, and a communication circuit 715f.
The hard disk 715e stores check item data 716 for checking the terminal state of the terminal 713 to which the portable device 711 is connected. The communication circuit 715f is a circuit for performing communication with other devices, and can be connected to the terminal 713 and the VPN server 717 via the Internet here.

(4) VPN Server FIG. 18 shows a hardware configuration diagram of the VPN server 717. This apparatus includes a display 717a, a CPU 717b, a memory 717c, a keyboard / mouse 717d, a hard disk 717e, and a communication circuit 717f.
An authentication program 718 for authenticating the terminal 713 to which the portable device 711 is connected is recorded on the hard disk 717e. The communication circuit 717f is a circuit for performing communication with other devices, and here can be connected to the terminal 713 and the check item server 715 via the Internet.

(5) Contents of each process Below, as an example of the case where the portable device 711 is attached to the terminal 713 connected to the Internet (see FIG. 12), the check item data acquisition process (step S806) shown in FIG. A terminal status check process (step S808) and an authentication request process to the VPN server 717 (step S812) will be described.
(5-1) Check Item Data Acquisition Processing When the portable device 711 is connected to the terminal 713 by the user, the portable device 711 sends a signal that causes the terminal 713 to recognize it as a CD-ROM device via the communication port 711h. As a result, the automatic execution function (auto-run) of the terminal 713 can be used, and the check item acquisition program 2071 recorded in the first ROM of the portable device 711 is executed in the CPU 713b of the terminal 713.
FIG. 19 is a flowchart when the CPU 713b performs the check item data acquisition process by executing the check item acquisition program 2071.

  When the CPU 713b of the terminal 713 requests the check item data (step S601), the check item server 715 extracts the check item data 716 from the hard disk 715e (step S611), adds an electronic signature thereto, and transmits it to the terminal 713. (Step S613).

  Upon receiving the transmission, the terminal 713 confirms the electronic signature added to the check item data (step S603). If the validity of the check item data received by the electronic signature can be confirmed, the check item data is recorded in the first RAM 711c of the portable device 711.

  FIG. 20 shows an example of the check item data 2051. In this data, an item ID 901, a check item 903, a check method 1_905, a check method 2_907, and a check method 3_909 are recorded.

  If the terminal 713 is not connected to the Internet, the check item data acquisition process is not performed and the process may be terminated. In this case, check item data recorded in advance in the first RAM 711c of the portable device 711 may be used.

(5-2) Terminal Status Check Processing When the check item data 2051 is recorded in the first RAM 711c of the mobile device 711, the terminal status check program 2073 recorded in the first ROM 711d of the mobile device 711 is executed in the CPU 713b of the terminal 713. The
FIG. 21 is a flowchart when the CPU 713b performs the terminal status check process by executing the terminal status check program 2073.

  The CPU 713b accesses the check item data 2051 in the first RAM 711c of the portable device 711 and reads the check method for each check item (step S801). For example, in the check item data of FIG. 20, when checking the check item “OS type” having the item ID “01”, check method 1 “environment variable OS = Windows NT”, check method 2 “environment variable OS” = Windows 2000 ", check method 3" environment variable OS = Windows XP "data is read.

  The CPU 713b checks the terminal state based on the data of the check method 1 “environment variable OS = WindowsNT” (step S803). That is, the OS environment variable of the terminal 713 is acquired, it is determined whether or not the OS is Windows NT (trademark), and the determination result is recorded in the check result data 2053 (step S805).

  FIG. 22 shows an example of the check result data 2053. In this data, an item ID 921, a check item 923, a check result 1_925, a check result 2_927, and a check result 3_929 are recorded.

  For example, when the OS of the terminal 713 is Windows 2000 (trademark), it is determined that the check method 1 “environment variable OS = Windows NT” is false (False), and “× (defect)” is recorded in the check result 1_925. Is done.

  Similarly, the CPU 713b checks the terminal state based on the data of the check method 2 “environment variable OS = Windows2000” (step S807). That is, the OS environment variable of the terminal 713 is acquired to determine whether or not the OS is Windows 2000 (trademark), and the determination result is recorded in the check result data 2053 (step S807).

  For example, when the OS of the terminal 713 is Windows 2000 (trademark), it is determined that the check method 2 “environment variable OS = Windows 2000” is true, and “◯ (good)” is recorded in the check result 2_927. Is done.

  Similarly, the CPU 713b checks the terminal state based on the data of the check method 3 “environment variable OS = WindowsXP” (step S811). That is, the OS environment variable of the terminal 713 is acquired, it is determined whether or not the OS is Windows XP (trademark), and the determination result is recorded in the check result data 2053 (step S813).

  For example, when the OS of the terminal 713 is Windows 2000 (trademark), it is determined that the check method 3 “environment variable OS = Windows XP” is false, and “x” is recorded in the check result 3_929.

  In the above process, the check process for the check item may be terminated when “◯” is recorded in the check result 2_927.

  In the above process, three types of check methods 1 to 3 are used, but three or more or three or less check methods may be used. Thereby, a stricter check process can be performed.

  The CPU 713b determines whether there is an unchecked item in the check item data 2051, and if there is, returns to step S801 and repeats the same processing (step S815, YES). For example, since the check item “completion of virus scanning” of the item ID “02” is unchecked, this data is read to check the terminal state.

  In addition, “in the virusbuster log“ update date> 2003/9/1 12:00 ”and“ no virus ”” in the check method 1_905 in the check item “completion of virus scan” is the virus check of Virusbuster (trademark). Is performed within a predetermined period of time to check for virus infection. Specifically, “log file storage location”, “message content indicating virus infection”, and the like are described.

  The check method 2_907 describes a method for performing a check similar to the check method 1_905 in the virus scan (trademark). The check method 3_909 describes a method for performing the same check as the check method 1_905 in the antivirus (trademark).

  If there is no unchecked item in step S815, the CPU 713b ends the process (step S815, NO).

(5-3) Authentication request processing to VPN server When the check result data 2053 is recorded in the first RAM 711c of the portable device 711, the authentication request program 2075 recorded in the first ROM 711d of the portable device 711 is executed in the CPU 713b of the terminal 713. Is done.
FIG. 23 is a flowchart when the CPU 713b performs an authentication request process to the VPN server by executing the authentication request program 2075.

  The CPU 713b accesses the first RAM 711c of the portable device 711 and reads the check result data 2053 (step S1001). For example, check result data as shown in FIG. 22 is read.

  The CPU 713b searches for data marked “◯” in the check results 1 to 3 of the check result data 2053. If at least one “◯” data can be searched (step S10003, YES), it is assumed that the check result data is equal to or higher than the reference, and an authentication request is transmitted to the VPN server 717 (step S1005).

  If the “◯” data cannot be searched in the check results 1 to 3 of the check result data 2053, the CPU 713b ends the process (step S10003, NO). In this case, the VPN server cannot be authenticated.

  In the above description, if at least one “◯ (good)” exists in the check result that is the result of the terminal state check process, the check result data is above the reference, but the setting of the reference is limited to this. It will never be done. For example, the condition may be that there are two or more “◯ (good)”. Moreover, it is good also as a condition that "(circle)" exists only about the check result of a predetermined check item. Furthermore, the reference may be changed by the user.

  In response to the authentication request, the CPU 717b of the VPN server 717 requests the terminal 713 for a user ID / password (step S1011).

  When the CPU 713b of the terminal 713 writes data to a predetermined bit of the dual port memory 711g of the portable device 711, the dual port memory 711g makes an interrupt request to the CPU 711f (A interrupt (FIG. 2)).

  In response to the interrupt request (A interrupt), the CPU 711f of the portable device 711 records the user ID / password 2032 recorded in the second ROM 711b in a predetermined area of the dual port memory 711g that can be accessed by the CPU 713b of the terminal 713. To do.

  The CPU 713b of the terminal 713 reads the user ID / password recorded in the predetermined area and transmits it to the VPN server 717 (step S1007).

  Upon receiving the transmission, the CPU 717b of the VPN server generates an arbitrary random number and transmits it to the terminal 17 (step S1013).

  The CPU 713b of the terminal 713 creates an electronic signature based on the received random number and the read check result data (step S1009).

  The process for creating an electronic signature is shown below. When the CPU 713b of the terminal 713 writes the random number and the check result in a predetermined area of the dual port memory 711g, the dual port memory 711g makes an interrupt request to the CPU 711f (B interrupt).

  In response to the interrupt request (B interrupt), the CPU 711f of the portable device 711 reads the electronic signature program 2031 recorded in the second ROM 711b onto the second RAM 711a and executes it.

  By executing the electronic signature program 2031, the CPU 711 f reads both the random number and the check result recorded in the dual port memory 711 g and creates a message digest. For example, the message digest may be generated using an algorithm standard based on a one-way function such as MD2, MD4, MD5SHA (Secure Hash Algorithm).

  The CPU 711f encrypts the generated message digest with the secret key recorded in the secret key storage device 711e to create electronic signature data, and records this in a predetermined area of the dual port memory 711g.

  The CPU 713b of the terminal 713 reads the electronic signature data recorded in the dual port memory 711g, adds the electronic signature data to the random number data and the check result data, and transmits it to the VPN server 717 (step S1010).

  Upon receiving the transmission, the VPN server 717 verifies the electronic signature data (step S1015). The CPU 717 b of the VPN server 717 decrypts the electronic signature data with a public key corresponding to the secret key recorded in the portable device 711 to obtain a message digest. If the decrypted message digest matches the message digest created from the transmission data, the information content of the data received from the terminal 713 and the validity of the sender can be confirmed.

  The CPU 717b of the VPN server 717 verifies the electronic signature data, and if the validity of the data can be confirmed, it further verifies whether or not the received random number matches the previously transmitted random number (step S1017). If the two random numbers match, the check result is verified (step S1019).

  In the VPN server 717, check result verification is performed using a check result verification table set for each user. FIG. 24 shows an example of the check result verification table. In this table, a user ID 1101, a verification check item 1_1103, a verification check item 2_1105, a verification check item 3_1107, etc. are recorded.

  Based on the received user ID, the CPU 717b of the VPN server 717 acquires the verification check item set for the user ID from the check result verification table. For example, in the case of the user with the user ID “1111”, “01: OS type”, “02: Completion of virus scan”, and “05:...” Are set as the verification check items.

  Further, the check status of the received check result data is compared with the check result verification table, and it is determined whether or not “◯” exists in the same item as each verification check item in the check result data.

  For example, if the check result data shown in FIG. 22 is for the terminal 713 of the user with the user ID “1111”, “OS type”, which is the same check item as the verification check item 1 — 1103 “01: OS type”. In the check result 2_927, “◯” exists. Accordingly, it can be determined that the verification check item 1_1103 of the user ID satisfies the condition in the check result data.

  Similarly, the check result data 2053 can be verified for the verification check items 2, 3.

  In the verification of the check result, it is determined whether or not the terminal 713 can authenticate the terminal state, and the CPU 717b transmits a notification of whether or not authentication is possible to the terminal 713 (step S1020).

  For example, if the user check result data 2053 matches the conditions of all the verification check items 1, 2... Recorded in the user record of the check result verification table, it is determined that authentication is possible. The CPU 717b transmits an authentication ticket that allows the terminal 713 to access another server device together with a notification that authentication is possible. In addition, a VPN between the terminal 713 and the intranet 10 is established.

  As a result, the terminal 713 can access the intranet 10. The terminal 713 can be connected to the in-house server 12 by performing the above-described current position determination process and connection process according to the current position.

  If the user check result data 2053 does not match the conditions of all the verification check items 1, 2,... Recorded in the user record of the check result verification table, it is determined that authentication is impossible. The CPU 717b transmits a notification that authentication is impossible to the terminal 713. In this case, the terminal 713 is not connected to the intranet 10.

  If the current position of the terminal 713 is not the Internet, the above-described terminal status check process is executed based on the check item data recorded in advance in the portable device 711 (steps S804, S824, and S826 in FIG. 14). If it is satisfactory, connection processing according to the current position is performed (steps S826 and S820), and if not satisfactory, connection processing is not performed (step S826: NO).

  Note that the above-described determination of whether or not authentication is possible is based on the condition that all verification check items in the check result verification table are satisfied, but may be based on the condition that only predetermined verification check items are satisfied. Furthermore, it may be a condition that a predetermined number of verification check items are satisfied.

  As described above, it is possible to authenticate only a secure public terminal whose terminal status has been checked and connect it to a predetermined network without having to carry the terminal.

  In particular, in a company or the like, terminals that access the in-house network from the outside can be limited to only safe terminals. As a result, it is possible to protect computer devices in the in-house network from intrusion by a third party due to computer virus infection or unauthorized access.

  Further, by using the portable device in this embodiment, it is possible to perform work on the go without distributing notebook type personal computers or the like to employees. Thereby, cost reduction can be expected.

  In the above embodiment, a USB device capable of USB connection is used as the portable device. However, the present invention is not limited to this, and the portable device has a secret calculation processing means in an area that cannot be accessed from a connected terminal. Any device that can be connected to a terminal regardless of wired wireless communication may be used. For example, an IC card, an IC chip, or a mobile phone incorporating these corresponds to this. Further, when connecting by wire, a terminal connection port other than the USB port may be used. For example, an IEEE 1394 port, a serial port, a parallel port, and the like correspond to this.

  In the above embodiment, the check item data 716 from the check item server 715 is not digitally signed, but in order to improve the reliability of the check item data, the signed check item data 716 is transmitted, The terminal 713 may be configured to confirm this.

  In the above-described embodiment, the terminal state check process is performed using the check item data 716 from the check item server 715. However, using the check item data recorded in advance in the portable device or the terminal 713, You may make it perform a terminal state check process. In addition, when the terminal 713 is not connected to the Internet, the check process of the terminal state may be performed using check item data recorded in advance. In the above embodiment, the automatic connection software is stored in the mobile device, but may be stored in the terminal 713.

  In the above embodiment, each process shown in FIG. 14 is performed using the mobile device 711. By making the hardware configuration of the terminal 713 the same as that of the mobile device 711 (including each program and the like), Each process shown in FIG. 14 may be performed without using the portable device 711.

  In the above embodiment, the check item data acquisition program, the terminal status check program, and the authentication request program are configured to be recorded in the ROM1 area of the portable device 711. However, all or some of these programs are stored in the RAM1 area. You may comprise so that it may record on.

  Thereby, each program can be downloaded and updated from the Internet via the terminal 713, and it is possible to easily cope with a change in the program. In this case, the portable device 711 may be configured so that it cannot be executed on the terminal 713 unless the validity is confirmed by an electronic signature added to each program.

  In addition to the above embodiment, a process for deleting the user's usage history from the terminal 713 may be performed. For example, immediately after the portable device 711 is connected to the terminal 713, the “usage history deletion program” recorded in the ROM 1 or the like of the portable device 711 is made resident in the memory of the terminal 713, and the program is connected to the portable device 711. It may be configured to execute a process of deleting the user's usage history data by detecting the release of the user.

  The user usage history data includes all data indicating user operations such as a browser cache, a cookie file, and input history data.

  In the above embodiment, the terminal state check program recorded in the portable device 711 is read from the CPU 713b of the terminal 713 and executed, but the program is copied to the memory 713c of the terminal 713 or the hard disk 713e and executed. It may be.

  Accordingly, even if the terminal state check program is compressed and recorded in the portable device 711, it is possible to cope with it, and the memory capacity of the portable device 711 can be saved.

  In the above embodiment, transmission data (random number and check result data) and electronic signature data from the terminal 713 are transmitted to the VPN server 717, but in addition to this, a certificate may be transmitted. . As a result, data tampering and spoofing can be prevented, and data safety can be improved.

It is a figure which shows the whole structure of the system provided with the terminal device and the target apparatus. It is a figure when attaching the USB device 600 to a terminal device. 2 is a diagram illustrating a hardware configuration of a home PC 300 and a USB device 600. FIG. It is a flowchart which shows an automatic connection process (overall process flow). 3 is a conceptual diagram when connecting a home PC 300 to an intranet 10. FIG. It is a flowchart which shows the determination process of a present position. It is a flowchart which shows the determination process of a present position. It is a figure which shows a position determination table. It is a flowchart which shows the connection process according to a present position. It is a figure which shows a connection method table. An overview of processing among the portable information terminal 500, the gateway computer 550, and the VPN server 200 is shown. It is a figure which shows the whole structure of the system provided with the terminal device and the target apparatus. It is a flowchart which shows a connection process in case there exists a some communication method. It is a figure which shows the whole structure in Embodiment 2. FIG. It is a figure which shows the relationship between the personal computer and USB device in Embodiment 2. FIG. It is a figure which shows the outline | summary of the process in Embodiment 2. FIG. 10 is an example illustrating a hardware configuration diagram of a mobile device according to Embodiment 2. FIG. It is an example which shows the hardware block diagram of the terminal in Embodiment 2. It is an example which shows the hardware block diagram of the check item server in Embodiment 2. It is an example which shows the hardware block diagram of the VPN server in Embodiment 2. FIG. 10 is a diagram illustrating a flowchart in “check item data acquisition processing” in the second exemplary embodiment. It is a figure which shows the example of the check item data in Embodiment 2. FIG. 10 is a diagram illustrating a flowchart in “terminal state check processing” in the second exemplary embodiment. It is a figure which shows the example of the check result data in Embodiment 2. FIG. 10 is a diagram illustrating a flowchart in “authentication request processing to VPN server” in the second exemplary embodiment. It is a figure which shows the example of the check result verification table in Embodiment 2.

Explanation of symbols

10. Intranet
12 ... In-house server
100 ... Company PC
200 ... VPN server
250 ... External server
300 ... Home PC
400 ... hotel PC
500 ・ ・ ・ ・ Mobile information terminal
520 ... Public wireless LAN
550 ... Gateway computer
711 ... Mobile devices
713 ... ・ Terminal
715 ... Check item server
717 ... ・ VPN server

Claims (10)

Can communicate with the target device,
For each position determination device , a position determination table in which the address, response data, and location are stored with a determination order, and
A connection procedure table in which a communication method, a current position, and a connection process for connecting to a target device are stored in association with each other;
A terminal device comprising:
Communication method detecting means for detecting the communication method of the terminal device from the communication method storage means for storing the communication method of the terminal device;
With reference to the position determination table , for each position determination device , the addresses are read in the order of determination until response data matching the response data stored in the position determination table is obtained Response data acquisition means for attempting to acquire response data from each position determination device ;
Position determining means for acquiring a location corresponding to the matched response data from the position determination table as a current position of the terminal device;
A connection processing unit configured to execute before Symbol connection procedure table, a connection process corresponding to the current position of the detected communication method and the terminal device,
With
Repeating the acquisition of response data by the response data acquisition means, the acquisition of the current position by the position determination means, and the connection processing by the connection processing means until the connection processing means determines that the connection is complete,
A terminal device characterized by the above. A computer that can communicate with the target device
For each position determination device , a position determination table in which the address, response data, and location are stored with a determination order, and
Communication method, a connection procedure tables stored current position, and the connection processing for connecting to the destination device and is associated with,
A communication method detecting means for detecting a communication method of the computer from a communication method storage means for storing the communication method of the computer;
With reference to the position determination table , for each position determination device , the addresses are read in the order of determination until response data matching the response data stored in the position determination table is obtained Response data acquisition means for attempting to acquire response data from each position determination device ;
Position determining means for acquiring a location corresponding to the acquired response data as the current position of the computer from the position determination table;
A connection processing unit configured to execute before Symbol connection procedure table, a connection process corresponding to the current position of the detected communication method and the terminal device,
With
Until it is determined that the connection is completed by the connection processing means, the response data acquisition means by the response data acquisition means, the current position acquisition by the position determination means, and the connection processing by the connection processing means are repeated.
A program for functioning as a device. In the program of Claim 2 ,
The position determining means obtains the following positions (1) to (3) as the current position of the computer ,
(1) A position connectable to the intranet to which the target device is connected,
(2) a position outside the intranet to which the target device is connected and capable of connecting to the Internet;
(3) A position outside the intranet to which the target device is connected and connectable to a wireless LAN. In the program of Claim 3 ,
Furthermore, the computer can be connected to the Internet via a wireless LAN,
When the current position of the computer is outside the intranet to which the target device is connected and is connectable to a wireless LAN, the response data acquisition means is predetermined instead of the address of the position determination device. To connect to the gateway device using the address of, to obtain response data, the connection processing means to connect the computer to the Internet,
It is characterized by. In the program of Claim 3 ,
Furthermore, the computer can be connected to a relay device via the Internet,
The connection processing means includes
When the current location of the computer is outside the intranet to which the target device is connected and is connectable to the Internet,
Connecting the computer to a relay device via the Internet, and establishing a connection between the intranet and the computer by the relay device;
It is characterized by. In the program in any one of Claims 2-5,
The connection procedure table stores a current position and a connection process in which a plurality of priorities are set,
The connection processing means executes connection processing corresponding to the current position in descending order of priority;
It is characterized by. In the program according to any one of claims 2 to 5 ,
The position determining device is the target device;
It is characterized by. In the program according to any one of claims 2 to 7,
The computer acquires a check result obtained by checking a trust state of a terminal in the computer based on the predetermined check item data, and further causes the computer to request authentication of the target device with the check result. Means for causing the target device to authenticate the trust state of the terminal in the computer based on the check result from the computer ,
It is characterized by.   A recording medium for recording the program according to claim 2. A terminal connection method for connecting a terminal device communicable with a target device to the target device,
The terminal device has a position determination table in which the address, response data, and location are stored with a determination order for each position determination device, and a connection method for connecting to the communication method, the current position, and the target device. Is stored in the storage means, and the communication method of the terminal device is stored in the storage means.
The terminal device
1) processing for detecting the communication method of the terminal device stored in the storage means;
2) With reference to the position determination table , for each position determination device , the addresses are read in the order of determination until response data matching the response data stored in the position determination table is obtained. Response data acquisition processing that attempts to acquire response data from each of the position determination devices ,
3) from the position determination table, to obtain a location corresponding to the matched response data as the current position of the terminal device;
4) before SL connection procedure table, and executes the connection process corresponding to the current position of the detected communication method and the terminal device,
5) repeatedly executing the response data acquisition process, the current position acquisition process, and the connection process until the connection process determines that the connection is complete ;
A terminal connection method characterized by the above.

Images