JP4041448B2 - Service verification system, authentication requesting terminal, service using terminal, and service providing method - Google Patents

Description

  The present invention relates to a service verification system that provides a plurality of services, an authentication request terminal that is authenticated by the service verification system and uses a service provided by the service verification system, and a service verification system based on an authentication result of the authentication request terminal The present invention relates to a service use terminal that uses the service provided by the service and a service providing method.

  2. Description of the Related Art Conventionally, systems that provide services to mobile phones and PHS in mobile communication and the like are known. In order to use such a service, it is necessary to make a contract with a company that provides the service. Many companies that provide services provide services only to users (regular users) who have contracted to use the services, and do not provide services to users who have not contracted. For this reason, a method for allowing only authorized users to use the service is necessary, and such a method has already been realized.

Currently, the service verification system that provides services manages customer information of authorized users, uses this customer information to authenticate whether the user requesting the use of the service is an authorized user, and only when the authentication result is correct A control method that permits use of the service is used. In order to make the service available only to authorized users, it is necessary to create such a system.
Bruce Schneier, "APPLIED CRYPTOGRAPHY", John Wiley & Sons, Inc., 1996, pp.52-56 “NTT Docomo Technical Journal Vol.9 No.4”, Telecommunications Association, January 2002, pp.34-43. Keiji Tachikawa, "" W-CDMA MOBILE COMMUNICATIONS SYSTEM ", John Wiley & Sons, Ltd, 2002, pp.345-356

  However, in the above-mentioned system, when a company providing a certain service intends to provide another service, a system for connecting only to a regular user who is a contractor must be created from the beginning. It takes a lot of cost and design time. Also, system maintenance management is necessary to prevent service stoppage due to a failure or the like, but the management cost tends to increase as the system becomes larger. In this respect, the above-described system has room for further improvement.

  Accordingly, an object of the present invention is to provide a service verification system, an authentication requesting terminal, a service using terminal, and a service providing method capable of solving the above-described problems and suppressing an increase in cost.

Service verification system according to the present invention is a service verification system that provides a plurality of services, and authentication information storage means for storing authentication information for authenticating the available user a first service, the user Usable service information storage means that can be used and stores information related to services other than the first service, and use of a second service different from the first service stored in the previous period available service information storage means A use permission message information storing means for storing message information based on a use permission message for identifying the use permission, and a first message receiving means for receiving a message according to the first service authentication method. The authentication message stored in the authentication information storage means is received by the first message receiving means. By verifying based on the information, the user who identifies the user in the first service and authenticates whether or not the user can use the first service, and the first service can be used by the authentication unit Received from the first terminal by the user authenticated to be other service use request receiving means for receiving a second service use request, and the use request received by the other service use request receiving means. At the time, based on the information in the available service information storage means, the other service availability judgment means for judging whether or not the user can use the second service, and the other service availability judgment means by the second service availability judgment means. 2 when it is determined that the service 2 can be used, the use permission message information storage means determines whether the service is based on the use permission message. When the use permission message information update means for validating the message information and the other service use availability determination means determine that the second service can be used, a use permission response based on the use permission message is sent. Received by a use permission response transmitting means for transmitting to the first terminal, a second message receiving means for receiving a message based on the use permission response transmitted from the second terminal, and received by the second message receiving means. The service provision availability judgment means for judging whether or not the second service can be provided based on the received message and the message information stored in the use permission message information storage means, and the service provision availability judgment means If it is determined that the second service can be provided, use of the second service is permitted, and the use permission message is granted. Use permission message state release means for invalidating message information stored in the sage information storage means.

  The service verification system according to the present invention preferably stores authentication information storage means for storing authentication information for authenticating a user who can use the first service, and information related to services available to each user. Usage permission message information for storing message information for restoring the usage permission message for identifying the usage permission when the available service information storage means and the use of the second service different from the first service are permitted. Storage means; usage permission message status storage means for storing message status information indicating whether message information is available; and first message reception means for receiving a message in accordance with the authentication scheme of the first terminal; The message received by the first message receiving means is based on the authentication information stored in the authentication information storing means. And verifying that the user of the first terminal is identified and authenticating whether the user can use the first service, and that the first service is authenticated by the authenticating means. Information of the other service use request receiving means that receives the use request of the second service transmitted from the first terminal, and the information of the usable service information storage means when the use request is received by the other service use request receiving means. And the use permission message when the second service is determined to be available by the other service availability determination unit and the other service availability determination unit. In the information storage means, message information for restoring a use permission message for identifying use permission of the second service is stored, and a use permission message is stored. When it is determined that the second service can be used by the use permission message state update unit that stores message state information indicating a state in which the message information can be used in the state storage unit and the other service availability determination unit A use permission response transmitting means for transmitting a use permission response based on the use permission message to the first terminal; a second message receiving means for receiving a message based on the use permission response transmitted from the second terminal; Based on the message status information stored in the usage permission message status storage means, whether or not the message received by the second message reception means is available and the message information stored in the usage permission message information storage means And verify whether the message is consistent, and send the second service to the second terminal. When it is determined by the service provision availability determination means that determines whether or not the service can be provided and the service provision availability determination means that the second service can be provided, the use of the second service is permitted and the use permission is granted. Use permission message state release means for setting the message state information in the message state storage means to an unusable state.

  As described above, the service verification system according to the present invention includes an authentication unit, and when a message according to the authentication method of the terminal is transmitted from the first terminal, the user of the first terminal is specified by the message. It authenticates whether the first terminal can use the first service. Then, when the other service use request receiving means receives the second service use request transmitted from the first terminal in a state where the user of the first terminal is authenticated by the authentication, The availability determination unit determines whether the user can use the second service based on the usage service information storage unit. With such a configuration, it is determined whether or not the second service can be used in a state in which the user of the first terminal is authenticated as a legitimate user. Authentication can be omitted for the second service. As a result of the determination, if it is determined that the second service can be used, message information for restoring the use permission message for identifying the use permission is stored in the use permission message information storage means, and the use permission message is used. In addition to storing possible message state information, a use permission response based on the use permission message is transmitted to the first terminal. When a message based on the usage permission message is transmitted from the second terminal, the message is received by the second message receiving means, and the usage permission message based on the message is in a usable state. Is verified based on the usage permission message state storage means, and further, whether the usage permission message is correctly configured is verified based on the message information stored in the usage permission message information storage means. If the message is available and the usage permission message itself is correctly configured, the second service is provided to the second terminal. When it is determined that the second service can be used by the service verification system in this way, a use permission response based on the use permission message is transmitted to the first terminal, and the second terminal is received by the first terminal. By transmitting a message based on the usage permission message to the service verification system, the service verification system verifies whether the usage permission message based on the message transmitted from the second terminal is available or not. It is possible to determine whether a service can be provided to the second terminal without specifying the user of the terminal. As described above, by using the authentication result of the first service when using the second service, it is not necessary to create a new authentication means from the beginning when providing the second service, and cost and design time Can be reduced. Any method may be used for causing the second terminal to know the use permission response received by the first terminal. For example, it is good also as transmitting from a 1st terminal to a 2nd terminal by short-distance radio | wireless, and the user who looked at the 1st terminal may input manually into a 2nd terminal. Note that the first terminal and the second terminal may be the same terminal, and in this case, it is preferable because a use permission response can be communicated inside the terminal.

  The service verification system further includes additional information storage means for storing additional information for verifying a message based on additional information used for using the second service, and further based on the additional information in the second message receiving means. Receiving the message and determining whether or not the second service can be provided to the second terminal based on the additional information stored in the additional information storage unit in the service provision availability determination unit; good.

  Thus, by using additional information further, security can be improved and a 2nd service can be provided more safely. As additional information, for example, identification information for identifying the second terminal, authentication information for authenticating the second terminal, and the like can be considered.

  When the service verification system receives the use request by the area information storage means for storing the usable area information related to the area where the second service can be used and the other service use request receiving means, the presence of the first terminal exists. Area information update means for deriving usable area information from information relating to the sphere area and storing the usable area information in the area information storage means, and the service provision availability determination means is stored in the area information storage means Based on the available area information, it is further determined whether or not the service area of the second terminal is within an area where the service can be used, and the service area of the second terminal can use the service If it is within, it may be characterized that it is determined that the second service can be provided.

  Thus, when the use request for the second service is received, the area information that can use the second service is derived from the area where the first terminal is located, and is stored in the area information storage means as the usable area information. In addition, when the message transmitted from the second terminal is received, it is determined based on the area information storage means whether or not the area where the second terminal is located is within the usable area. By adopting the configuration for determining whether or not the service 2 can be provided, the second service can be used only in the permitted area, and the chances of unauthorized use can be reduced and the security can be improved. .

  In the service verification system, when the area information update means determines that a use permission response is available based on the message information stored in the use permission message information storage means, the area where the first terminal is located is the use area. When moving outside the usable area determined by the available area information, the usable area information derived from the information about the area where the first terminal has moved is stored in the area information storage means. It is also good.

  When the first terminal authenticated in this way moves in the area where the user moves, the area information update unit updates the available area information stored in the area information storage unit, thereby moving the user It is possible to cope with.

  In the service verification system, when the area information update unit determines that a use permission response is available based on the message information stored in the use permission message information storage unit, the area where the first terminal is located is the use area. When the user moves out of the available area determined by the available area information and receives the use request by the other service use request receiving means, the available area derived from the information regarding the located area after the first terminal has moved. Information may be stored in the area information storage means.

  Deriving usable area information from the area of the first terminal when the other service utilization request receiving means receives the other service utilization request after the area of the first terminal authenticated in this way moves. By doing so, it is possible to cope with the case where the user is moving.

  In the service verification system, when the use request is received by the time information storage means for storing the available time information related to the time when the second service can be used and the other service use request receiving means, Time information update means for storing in the information storage means, wherein the service provision availability determination means determines whether the time when the message is received by the second message receiving means is included in the time in which the service can be used Determining further based on the available time information stored in the means, and determining that the second service can be provided when the time when the message is received is included in the time in which the second service can be used. It is good as a feature.

  As described above, the time in which the second service can be used is stored in the time information storage means as available time information, and when the message is transmitted from the second terminal, the reception time of the message is changed to the second service. By adopting a configuration for determining whether or not the second service can be provided by determining whether or not the service is included in the available time, the second service can be used only within the permitted time. It is possible to improve security by reducing the chances of unauthorized use. The method for setting the time for which the second service can be used can be set, for example, for how many minutes after the use permission response is transmitted to the first terminal, and the type of the second service. It can also be set according to.

  In the service verification system, the use permission response transmitting unit transmits a use permission response further based on the available area information derived from the information related to the area where the first terminal is located, and the service provision availability determining unit 2 Based on the area information obtained from the message received by the message receiving means, it is further determined whether or not the service area of the second terminal is within an area where service can be used, and the presence of the second terminal. If the service area is within an area where the service can be used, it may be determined that the second service can be provided.

  Thus, when the use request for the second service is received, area information that can use the second service is derived from the area where the first terminal is located, and a use permission response based on the available area information. Is transmitted to the first terminal, and when the message is transmitted from the second terminal, it is determined whether or not the second terminal is included in the available area on which the message is based. By adopting the configuration for determining whether or not the service 2 can be provided, the second service can be used only in the permitted area, and the chances of unauthorized use can be reduced and the security can be improved. At the same time, the service verification system can be configured not to store information on the available area.

  In the service verification system, the use permission response transmitting means transmits a use permission response further based on the available time information, and the service provision availability determining means is based on the message received by the second message receiving means. 2 In the message receiving means, it is further determined whether or not the time when the service verification system receives the message is within the time in which the service can be used. It is good also as determining that it can provide.

  In this way, when the use permission response based on the available time information is further transmitted to the first terminal as to the time during which the second service can be used, the message is based when the message is transmitted from the second terminal. By adopting a configuration for determining whether or not the reception time of the message is included in the available time and determining whether or not the second service can be provided, the second time is allowed only within the permitted time. The service cannot be used, the chances of unauthorized use can be reduced, security can be improved, and the service verification system can be configured not to store information about available time.

Authentication request terminal according to the present invention includes an authentication information storage means for storing authentication information for using the first service, and according to the authentication method, the message based on the authentication information stored in the authentication information storage unit Service A first message transmission means for transmitting to the verification system; and when the service verification system determines that the first service can be used, a request for using the second service provided by the service verification system is sent to the service verification It is characterized by comprising other service use request sending means for sending to the system and use permission response receiving means for receiving a use permission response based on the use permission message.

  In this way, a message based on the authentication information for using the first service is transmitted to the service verification system, and when the service verification system is authenticated as a legitimate user, a request for using the second service is issued. By transmitting, the authentication of the second service can be omitted by using the authentication result of the first service. The authentication requesting terminal has a use permission response receiving unit, and receives a use permission response based on the use permission message. If the second terminal (service utilization device) is made aware of this use permission response, the second terminal transmits a message based on the use permission response to the service verification system, and the service verification system is based on the message. It is possible to verify whether or not the usage permission message to be used can be used, and the second service can be used without performing original authentication by the second terminal. It should be noted that the authentication requesting terminal itself may have the function of the second terminal, and even in that case, the advantage that the authentication can be omitted when using the second service can be enjoyed.

  In the authentication request terminal, the use permission response receiving unit may receive a use permission response further based on usable time information of the second service.

  If the use permission response receiving means receives the use permission response further based on the available time information and transmits a message based on the use permission response to the service verification system, the service verification system receives the message from the second terminal. It can be determined whether the message reception time is within the available time on which the message is based. Thus, by limiting the available time of the second service, opportunities for unauthorized use can be reduced and security can be improved.

Service terminal according to the present invention, by using the usage permission response received in order to utilize the second service provided by the service verification system, the service utilization terminal for using the second service An authentication information storage unit storing authentication information for using the first service, and a message based on the authentication method and transmitting a message based on the authentication information stored in the authentication information storage unit to the service verification system . One message transmission means and another service that transmits a use request for the second service provided by the service verification system to the service verification system when it is determined that the first service can be used by the service verification system Usage request sending means and usage permission to receive usage permission response based on usage permission message And a response receiving unit, the message is characterized in that the authentication request terminal based on the use permission response received from the service verification system.

  By transmitting a message based on the usage permission response received by the authentication requesting terminal to the service verification system in this way, the service verification system can determine whether or not the usage permission message based on the transmitted message is usable. Therefore, the service use terminal can use the second service by omitting the user authentication.

  The service use terminal includes additional information storage means for storing additional information used for using the second service, and the message transmitted by the second message transmission means is the additional information stored in the additional information storage means. It is good also as a characteristic based on.

  Thus, by using additional information further, security can be improved and a 2nd service can be provided more safely. As the additional information, for example, identification information for identifying the service using terminal, authentication information for authenticating the service using terminal, and the like can be considered.

  A service providing method according to the present invention includes a service verification system that provides a plurality of services, an authentication request terminal that is authenticated by the service verification system and uses a first service provided by the service verification system, A service is provided in a service verification network system comprising: a service using terminal that uses a second service provided by the service verification system based on a response transmitted to an authentication requesting terminal for using the service of A service providing method, wherein the authentication requesting terminal conforms to the authentication method with respect to the service verification system and transmits a message based on authentication information, and a message received in the first message transmitting step. , The service verification system An authentication step for identifying a user in the first service and authenticating whether or not the user can use the first service by verifying based on authentication information stored in advance in the system; and When the authentication request terminal receives the use request in the other service use request sending step for sending the second service use request to the service verification system and the other service use request sending step when the use request is available In addition, the service verification system determines whether or not the user can use the second service based on information about services available to each user stored in advance in the service verification system. In the availability determination step and the other service availability determination step, the second A use permission message information update step for validating message information based on a use permission message for identifying use permission of the second service in the use permission message information storage means when it is determined that the service can be used; A use permission response transmitting step in which the service verification system transmits a use permission response based on a use permission message to the authentication requesting terminal when it is determined that the second service can be used in the other service use permission determining step; A message based on the use permission response received by the authentication requesting terminal in the use permission response transmitting step is received in the second message transmitting step in which the service using terminal transmits to the service verification system, and in the second message transmitting step. Messages and the usage permission message Based on the message information stored in the sage information storage means, the second service can be provided by the service provision availability determination step for determining whether or not the second service can be provided and the service provision availability determination step. A use permission message state release step for permitting the use of the second service and invalidating the message information stored in the use permission message information storage means when it is determined that the second service is used. To do.

  As described above, the service providing method according to the present invention specifies the user of the authentication request terminal by the message according to the authentication method of the authentication request terminal transmitted from the authentication request terminal, and the authentication request terminal can use the first service. Whether authentication is performed in the authentication step. When the authentication request terminal user authenticates that the user of the authentication request terminal is an authorized user, the other service use request transmission step receives the second service use request transmitted from the authentication request terminal. In the availability determination step, it is determined whether the user can use the second service based on the usage service information storage means. With such a configuration, by determining whether the second service can be used in a state where it is authenticated that the user of the authentication requesting terminal is a legitimate user, the authentication result of the first service is used to Authentication can be omitted for the second service. As a result of the determination, if it is determined that the second service can be used, message information for restoring the use permission message for identifying the use permission is stored in the use permission message information storage unit, and the use permission is identified. Message state information indicating a state in which the use permission message is available is stored, and a use permission response based on the use permission message is transmitted to the authentication requesting terminal. In the second message transmission step, when a usage request based on the usage permission response is transmitted from the service usage terminal, the usage request is received, and the usage permission message based on the message is usable. Whether or not the usage permission message is correctly configured based on the message information stored in the usage permission message information storage means and used. When it is determined that the permission message is usable and the use permission message itself is correctly configured, the second service is provided to the service using terminal. When it is determined that the second service can be used in this way, it is included in the use permission response based on the use permission message and transmitted to the authentication requesting terminal, and the service using terminal receives the message based on the use permission response received by the authentication requesting terminal. Is transmitted to the service verification system, the service verification system determines whether or not the status of the usage permission message based on the message transmitted in the second message transmission step is usable. It is possible to determine whether or not a service can be provided to a service using terminal without specifying a user. As described above, by using the authentication result of the first service when using the second service, it is not necessary to create a new authentication means from the beginning when providing the second service, and cost and system design time Can be reduced. Any method may be used to make the service use terminal know the use permission response received by the authentication requesting terminal. For example, it may be transmitted from the authentication requesting terminal to the service using terminal by short-range radio, or a user who sees the authentication requesting terminal may manually input to the service using terminal. The authentication requesting terminal and the service using terminal may be the same terminal. In this case, it is preferable because a use permission message can be communicated inside the terminal.

  In the service providing method, the second message transmission step further receives a message based on the additional information, and the service provision availability determination step further includes a second message transmission step based on the additional information stored in the additional information storage means. The message received in step 1 may be verified to determine whether or not the second service is available at the service using terminal.

  Thus, by using additional information further, security can be improved and a 2nd service can be provided more safely. As the additional information, for example, identification information for identifying the service using terminal, authentication information for authenticating the service using terminal, and the like can be considered.

  In the service providing method, when a use request is received in the other service use request transmission step, the usable area information is derived from information related to the area where the authentication requesting terminal is located, and the usable area information is stored in the area information storage means. An area information update step for storing, and the service provision availability determining step is based on the available area information stored in the area information storage means, and the service area of the service using terminal is within the area where the service can be used. It is further possible to determine whether the second service can be provided if the service use terminal area is within an area where the service can be used.

  As described above, when the service verification system receives the second service use request in the other service use request transmission step, the second service available area is derived from the area where the authentication requesting terminal is located. Whether or not the service using terminal is included in the available area stored in the area information storing unit when the message is transmitted from the service using terminal in the second message transmission step as information. By determining whether or not to provide the second service, it is possible to use the second service only in the permitted area, and to improve security by reducing opportunities for unauthorized use. Can do.

  In the service providing method, when it is determined that a use permission response is available based on the message information stored in the available message information storage means in the area information update step, the area where the authentication requesting terminal is located is used. When moving outside the available area determined by the available area information, the available area information derived from the information about the area in which the vehicle has been moved may be stored in the area information storage means.

  When the area where the authentication requesting terminal authenticated in this way moves, the available area information stored in the area information storage means can be updated to handle the case where the user is moving. It is.

  In the service providing method, when it is determined that a use permission response is available based on the message information stored in the available message information storage means in the area information update step, the area where the authentication requesting terminal is located is used. If the authentication requesting terminal transmits a use request for the second service in the other service use request sending step when moving outside the useable area determined by the available area information, information on the in-service area after the move The usable area information derived from the above information may be stored in the area information storage means.

  After the service area of the first terminal thus authenticated moves, the available area information is derived from the service area of the first terminal when the other service use request is received in the other service use request receiving step. By doing so, it is possible to cope with the case where the user is moving.

  The service providing method includes a time information update step of storing, in the time information storage means, available time information related to a time during which the second service can be used when a use request is received in the other service use request sending step. In the service provision availability determination step, the time when the message is received by the second message receiving unit is included in the time in which the service can be used, or based on the available time information stored in the time information storage unit The determination may be made and it may be determined that the second service can be provided when the time when the message is received is included in the time in which the second service can be used.

  Thus, the time when the second service can be used is stored in the time information storage means as the available time information, and the message reception time is used when the message is transmitted from the second terminal in the second message transmission step. By determining whether or not the service is included in the possible time and determining whether or not the second service can be provided, the second service can be used only within the permitted time. Security can be improved. The method for setting the time for which the second service can be used can be set, for example, for how many minutes after the use permission response is transmitted to the authentication requesting terminal. It can also be set accordingly.

  In the service providing method, the use permission response transmitting step transmits a use permission response further based on the available area information derived from the information related to the area where the authentication requesting terminal is located, and the service providing availability determining step includes the first 2 Based on the area information obtained from the message received in the message transmission step, it is further determined whether the service area of the service using terminal is within the area where the service can be used, and the service area of the service using terminal uses the service It may be characterized in that it is determined that the second service can be provided as long as it is within the possible area.

  Thus, when the use request for the second service is received, area information that can use the second service is derived from the area where the first terminal is located, and a use permission response based on the available area information. Is transmitted to the first terminal, and when the message is transmitted from the second terminal, it is determined whether or not the second terminal is included in the available area on which the message is based. By determining whether or not the service 2 can be provided, the second service can be used only in the permitted area, and the chances of unauthorized use can be reduced, security can be improved, and service verification can be performed. The system can be configured not to store information about the available area.

  In the service providing method, the use permission response transmitting step transmits the use permission response further based on the available time information, and the service providing availability determining step is based on the message received in the second message transmitting step. Then, it is further determined whether or not the time at which the service verification system receives the message in the second message transmission step is within a time when the service can be used, and if the time is within the time when the service can be used It may be characterized that it is determined that the second service can be provided.

  In this way, when the use permission response based on the available time information is further transmitted to the first terminal as to the time during which the second service can be used, the message is based when the message is transmitted from the second terminal. By determining whether or not the reception time of the message is included in the available time and determining whether or not the second service can be provided, the second service can be used only within the permitted time. As a result, it is possible to improve the security by reducing the chances of unauthorized use, and the service verification system can be configured not to store information on the available time.

  According to the present invention, since it is determined whether the user of the authentication requesting terminal is an authorized user by authentication by the authentication means, the user can use the second service. Can be used to omit authentication for the second service. A usage permission message for identifying the usage permission is stored, a usage permission response based on the usage permission message is transmitted to the authentication requesting terminal, and the usage request message based on the usage permission response obtained from the authentication requesting terminal is the second. When it is transmitted from the terminal, the message status information of the usage permission message based on the usage request message is verified based on the usage permission message status DB. A second service is provided to the terminal. As a result, the service verification system can determine whether or not the service can be provided to the second terminal without only identifying the user of the second terminal, only by verifying the state of the use permission message. As described above, when the second service is used, it is not necessary to create a new authentication unit from the beginning when providing the second service by using the authentication result of the first service, cost and design time. Can be reduced.

DESCRIPTION OF EMBODIMENTS Hereinafter, preferred embodiments of a service verification network system according to the present invention will be described in detail with reference to the drawings. In the description of the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted.
(First embodiment)

  FIG. 1 is a block diagram showing a configuration of a service verification network system 1 according to the first embodiment of the present invention. As shown in FIG. 1, the service verification network system 1 includes a service verification system 10, an authentication request terminal 30, and a service use terminal 40. First, the outline of each component will be described. The service verification system 10 has a function of providing a plurality of services. The authentication requesting terminal 30 is a terminal that uses the service A (first service) provided by the service verification system 10 and is a terminal that is authenticated by the service verification system 10 in order to use the service A. The service using terminal 40 is a terminal that uses the service B (second service) provided by the service verification system 10. Examples of services provided in the service verification network system 1 according to the present embodiment include a mobile phone as the service A and a wireless LAN as the service B. In this case, the authentication request terminal 30 is a mobile phone terminal, a service using terminal. A PC with a wireless LAN card can be assumed as 40. Note that the authentication requesting terminal 30 and the service using terminal 40 may be the same terminal. As an example of the same terminal, for example, a Dotchimo (registered trademark) that can use both a mobile phone and a PHS in one terminal can be assumed.

  The service verification system 10 includes an authentication information storage unit (referred to as “authentication information DB”) 11, an available service information storage unit (referred to as “available service information DB”) 12, a use permission message state storage unit (“use permission message state”). DB ”) 13), communication means 14 and 15 that communicate with the authentication request terminal 30 and the service use terminal 40, the authentication means 16, the other service availability determination means 17, and the use permission message state. The update means 18, the service provision availability determination means 19, and the use permission message state cancellation means 20 are provided. Here, the service verification system 10 is configured by a single device, but may be configured by a plurality of devices. For example, the first apparatus configured by the authentication information DB 11, the authentication unit 16, and the communication unit 14, the available service information DB 12, the other service availability determination unit 17, the communication unit 14, the use permission message state update unit 18, And a second device configured by the use permission message state DB 13 and a third device configured by the service provision availability determination unit 19, the communication unit 15, and the use permission message state update unit 20. Also good. Here, the service verification system 10 includes three databases, but may include two databases, that is, an authentication information DB and an available service information DB.

  The authentication information DB 11 is a database that stores authentication information for authenticating a user who can use the service A. FIG. 2 is a diagram illustrating an example of data items stored in the authentication information DB 11. As shown in FIG. 2, the authentication information DB 11 stores data of items indicated by “ID”, “password”, “shared secret”, “private key”, “public key”, and “authentication method”. For items other than “ID”, description of data contents is omitted. “ID” is identification information for specifying a user who uses the service A. Each information of “password”, “shared secret”, “private key”, and “public key” is information necessary for authentication. The “authentication method” is information indicating what method is used for authentication. By having this information, the authentication method can be changed according to the user. The authentication information DB 11 may store data of items other than the data items illustrated in FIG.

  The available service information DB 12 is a database that stores information related to services available to each user. FIG. 3 is a diagram illustrating an example of data items stored in the available service information DB 12. As shown in FIG. 3, the usable service information DB 12 stores data of items indicated by “ID” and “service B”. “ID” is identification information for specifying a user, similar to the ID in the authentication information DB 11. “Service B” is a service different from the service A provided by the service verification system 10. Here, although information about the service B is included, if there are other services provided by the service verification system 10, the items stored in the available service information DB 12 increase or decrease according to the number of services. Referring to FIG. 3, it can be seen that a user whose ID is U100 can use service B in addition to service A, and a user whose ID is U101 cannot use service B.

  The use permission message state DB 13 is a database that stores message state information of a use permission message for identifying the use permission when the use of the service B different from the service A is permitted. FIG. 4 is a diagram illustrating an example of data items stored in the use permission message state DB 13. As shown in FIG. 4, the use permission message state DB 13 stores data of items indicated by “use permission ID” and “state”. The “use permission ID” is identification information for specifying a use permission message. It identifies that a user is permitted to use service B. The use permission ID may be the use permission message itself. Here, the use permission ID is assumed to be the use permission message. “Status” is information indicating whether or not the service B indicated by the use permission ID can be used. When providing a plurality of services, the use permission message state DB 13 has a table as shown in FIG. 4 for each service. The use permission message state DB 13 according to the present embodiment stores a use permission ID (use permission message), and has a role as a use permission message information storage unit that stores message information for restoring the use permission message. Yes. Here, although the usage permission message and the message status information are stored together in the usage permission message status information DB 13, a configuration may be adopted that includes storage means for storing these information separately. When the usage permission message and the message status information are stored separately, for example, the two pieces of information can be associated with each other by the usage permission ID.

  The communication unit 14 has a function of performing communication with the authentication request terminal 30. Specifically, the communication unit 14 includes 1) a function as a first message receiving unit that receives authentication information transmitted from the authentication requesting terminal 30, and 2) an authentication result transmitting unit that transmits an authentication result to the authentication requesting terminal 30. 3) Function as a service use request receiving means for receiving a service B use request transmitted from the authentication requesting terminal 30 4) Use permission to the authentication requesting terminal 30 when the service B can be used It has a function as a use permission response transmission means for transmitting a response.

  The communication unit 15 has a function of performing communication with the service using terminal 40. Specifically, the communication means 15 is 1) a function as a second message receiving means for receiving a service B use request transmitted from the service use terminal 40, and 2) a function for providing a service to the service use terminal 40. , Etc. The service use request message transmitted from the service use terminal 40 is based on the use permission response received by the authentication request terminal 30. Here, a configuration having two communication means 14 and 15 for communicating with each of the authentication requesting terminal 30 and the service using terminal 40 is adopted, but the communication protocol of the authentication requesting terminal 30 and the service using terminal 40 is the same. It is also possible to communicate with the respective terminals 30 and 40 by one communication means.

  The authentication unit 16 has a function of identifying the user of the authentication request terminal 30 using the message received from the authentication request terminal 30 by the communication unit 14 and authenticating whether the user can use the service A. The authentication unit 16 is connected to the authentication information DB 11 and verifies the authentication information included in the message received from the authentication requesting terminal 30 based on the authentication information stored in the authentication information DB 11 and transmits the authentication request. It is authenticated whether the user of the terminal 30 is a regular user. For the authentication here, an ID and password verification method, a public key cryptosystem, or the like can be adopted. If the user is authenticated as a legitimate user, the user can use the service A provided by the service verification system 10 by the authentication request terminal 30.

  The other service availability determination unit 17 has a function of determining whether or not the user of the authentication request terminal 30 can use the service when the communication unit 14 receives a request for using another service transmitted from the authentication request terminal 30. Have The other service availability determination unit 17 is connected to the available service information DB 12, and when a use request for the other service is transmitted, the user of the authentication request terminal 30 refers to the available service information DB 12 and the user of the authentication request terminal 30 Is a service that can be used. For example, in the case of the usable service information DB 12 shown in FIG. 3, when a use request for service B is received from the authentication request terminal 30 whose user ID is authenticated as U 101, the other service use determination unit 17 uses It will be judged as impossible.

  The use permission message state update unit 18 has a function of updating the use permission message state DB 13. Specifically, when it is determined that another service can be used by the other service availability determination unit 17, an ID (use permission ID) is given to the use permission, and the ID is updated in a newly added format. . Note that the “state” at this time is available (indicated by a circle in FIG. 3).

  The service provision availability determination unit 19 has a function of determining whether the service B can be provided to the service use terminal 40 when the communication unit 14 receives the service use request received from the service use terminal 40. The service provision availability determination means 19 determines whether or not the service can be provided by verifying the message status information of the usage permission message based on the usage request message based on the usage permission message status DB 13, and uses permission. If the message status is available, it is determined that service B can be provided.

  When the message is transmitted from the service use terminal 40 and the service provision availability determination unit 19 determines that the service can be provided, the use permission message state release unit 20 changes the state of the use permission message from the usable state. It has a function to update to an unusable state. That is, once a use request including a use permission message is received and another service is provided, the service is updated to be unusable (indicated by a cross in FIG. 3). If the usage request using one usage message is not accepted multiple times in this way, even if the usage permission message is known to a third party, the risk of misuse by the third party can be reduced. it can.

  Next, the authentication request terminal 30 according to the present embodiment will be described. As shown in FIG. 1, the authentication request terminal 30 according to the present embodiment includes an authentication information storage unit (referred to as “authentication information DB”) 31, a first message transmission unit 33, an authentication result reception unit 34, and other services. A use request transmitting unit 35, a use permission response receiving unit 36, and a communication unit 32 are included.

  The authentication information DB 31 is a database that stores authentication information for using the first service, and the data items to be stored are the same as the authentication information DB 11 included in the service verification system 10 (see FIG. 2).

  The first message transmission unit 33 has a function of extracting authentication information stored in the authentication information DB 31 and transmitting a message for authentication to the service verification system 10. The information extracted from the authentication information DB 31 differs depending on the authentication method. For example, when authentication is performed using a password, the ID, password, and authentication method are extracted. When authentication is performed using a secret key method, the ID and secret are extracted. The key and the authentication method are extracted, and the predetermined message is encrypted with the secret key. In any case, the information regarding the authentication method is information necessary for synchronizing the authentication method between the authentication requesting terminal 30 and the service verification system 10.

  The authentication result receiving unit 34 has a function of receiving an authentication result transmitted from the service verification system 10.

  The other service use request transmission unit 35 has a function of transmitting a use request for the service B. The other service use request transmitting unit 35 transmits a use request for the service B when it is determined that the service A can be used based on the authentication result received by the authentication result receiving unit 34.

  The usage permission response receiving unit 36 has a function of receiving a usage permission response based on the usage permission message transmitted from the service verification system 10.

  The communication unit 14 has a function of communicating with the service verification system 10.

  Next, the service using terminal 40 according to the present embodiment will be described. As shown in FIG. 1, the service using terminal 40 includes a second message transmission unit 41 and a communication unit 42.

  The second message transmission unit 41 has a function of creating and transmitting a message requesting the use of the service B different from the authenticated service A. The second message transmitting unit 41 creates a message based on the usage permission response received by the usage permission response receiving unit 36 by the authentication requesting terminal 30. For example, a usage request message can be created by processing a usage permission response using a predetermined function. In such a system, since the use permission message is not clarified in the authentication request terminal 30 or the service use terminal 40, the risk of leakage of information can be reduced. An arbitrary method can be adopted as a method for transmitting the use permission response from the authentication requesting terminal 30 to the service using terminal 40. For example, the authentication requesting terminal 30 and the service using terminal 40 may be communicable by short-range wireless or connected by a cable. Further, the use permission message displayed on the display of the authentication requesting terminal 30 may be transmitted by inputting to the service using terminal 40.

  Next, the operation of the service verification network system 1 according to the present embodiment will be described with reference to FIGS. 5 and 6 and the service providing method according to the embodiment will be described.

  First, the authentication requesting terminal 30 performs authentication for using the service A (S10). Details of the authentication process will be described with reference to FIG. First, the authentication request terminal 30 transmits a message based on the authentication information to the service verification system 10 (S11). When the service verification system 10 receives a message transmitted from the authentication requesting terminal 30 (S12), the service verification system 10 performs an authentication process based on the received message (S13). The service verification system 10 analyzes the authentication information from the message transmitted from the authentication request terminal 30 and authenticates the authentication request terminal 30 based on the authentication information stored in the authentication information DB 11. When the authentication process is completed, the service verification system 10 transmits an authentication result to the authentication requesting terminal 30 (S14). Here, it is assumed that the user of the authentication requesting terminal 30 is a legitimate user and has been authenticated that the service A can be used, but if the user of the authentication requesting terminal 30 is not authenticated as a legitimate user, the authentication requesting terminal 30 cannot use service A. The authentication request terminal 30 receives the authentication result transmitted from the service verification system 10 (S15). If the authentication result received by the authentication requesting terminal 30 indicates that the authentication requesting terminal 30 has been correctly authenticated, the authentication requesting terminal 30 can use the service A. The flow so far is the same as the conventional service verification network system, and the user is authenticated in order to use a predetermined service.

  Again referring to FIG. Next, the authentication requesting terminal 30 transmits a use request for the service B different from the service A to the service verification system 10 (S20). When the service verification system 10 receives the other service use request transmitted from the authentication requesting terminal 30 (S22), it determines whether the user of the authentication requesting terminal 30 can use the service B (S24). Specifically, it is determined whether or not the service B can be used based on the available service information DB 12 that stores information related to a service that can be used by the user of the authentication requesting terminal 30 by contract or the like. In addition, since the user is specified by the authentication process, it is possible to extract information on available services from the available service information DB 12. For example, when the user ID is U100, it is determined that the service B can be used (see FIG. 3). Here, it is assumed that service B is determined to be usable. When it is determined that the service B can be used, the service verification system 10 gives a use permission ID (use permission message) for identifying the use permission of the service B to the user, and updates the use permission message state DB 13 (S26). . For example, it is assumed that “A102” in the third row is added as a new usage permission message in the usage permission message state DB 13 shown in FIG. The usage permission message is initially added in a usable state (indicated by “◯” in FIG. 4).

  Next, the service verification system 10 transmits a use permission response for the service B related to the use request to the authentication requesting terminal 30 (S28). When the authentication requesting terminal 30 receives the use permission response (S30), it transmits the received use permission response to the service use terminal 40. In the present embodiment, it is assumed that the authentication requesting terminal 30 can wirelessly communicate with the service using terminal 40, and the authentication requesting terminal 30 transmits a use permission response to the service using terminal 40 by radio (S32). It is assumed that the terminal 40 receives a use permission response (S34).

  When the service use terminal 40 receives the use permission response transmitted from the authentication request terminal 30 (S34), the service use terminal 40 creates a message requesting the use of the service B based on the use permission response. The transmitted message is transmitted to the service verification system 10 (S36). The service verification system 10 receives the message transmitted from the service use terminal 40 (S38), analyzes the use permission message based on the received message, and retrieves the message state information from the use permission message state DB 13 (S40). ). Next, it is determined whether or not the usage permission message based on the received message is usable, whether or not the received message itself is correctly configured, and whether or not the service can be provided. (S46). For example, if the usage permission message extracted from the usage request is “A102”, according to the usage permission message status DB 13, it is determined that the status is “◯”, so that the service verification system 10 can use the service. A service can be provided to the terminal 40. When the service can be provided, the use permission message state releasing unit 20 changes the state of the use permission message stored in the use permission message state DB 13 from the usable state to the unusable state, and changes the usable state of the service B. To release.

  Next, the service verification system 10 transmits a use permission response to the service using terminal 40 (S48), and the service using terminal 40 receives the use permission response transmitted from the service providing terminal (S50) and uses the service B. It becomes possible. Thus, the operation flow of the service verification network system 1 according to this embodiment is completed.

  The service verification system 10 (service verification network system 1) according to the present embodiment includes an authentication unit 16 that determines whether or not the service A can be used, an other service availability determination unit 17, and a use permission message state DB 13. Then, it is determined whether the service B can be used in a state where the user is specified by the authentication unit 16 and the service A is available. Thus, it can be determined whether or not the service B can be used without requiring authentication. If it is determined that the service B can be used, message state information that the use permission message is usable for the use permission is stored in the use permission message state DB 13 and a use permission response based on the use permission message is stored. Is transmitted to the authentication requesting terminal 30. Accordingly, when a message based on the use permission response is transmitted, the service verification system 10 can provide the service B to the service use terminal 40 that has transmitted the message without authentication. Accordingly, when providing a new service B in the service verification system 10 that provides the service A, the authentication means for the service A can be obtained without newly constructing the authentication means 16 for authenticating the user who can use the service B. By using the authentication result according to 16, the service verification system 10 can be prepared at low cost and in a short time.

In addition, the service providing method according to the present embodiment receives a use request for service B in a state where the user of the authentication requesting terminal 30 is specified by the authentication process and the service A can be used, and determines the use of service B. Therefore, it is only necessary to determine whether or not the specified user can use the service B, and no new authentication is required. When it is determined that the service B can be used, message status information indicating that the service B can be used by giving a use permission message is stored in the use permission message state DB 13 and the use based on the use permission message is used. An authorization response is transmitted to the authentication requesting terminal 30. Thereby, in this service providing method, when a usage request including the usage permission message is transmitted, the service B can be provided to the service usage terminal 40 that has transmitted the usage request without authentication. Accordingly, when providing a new service B in the service verification system 10 that provides the service A, the authentication means for the service A can be obtained without newly constructing the authentication means 16 for authenticating the user who can use the service B. By using the authentication result according to 16, the service verification system 10 can be prepared at low cost and in a short time.
(Second Embodiment)

  Next, a service verification network system according to the second embodiment of the present invention will be described. The service verification network system according to the second embodiment has the same basic configuration as the service verification network system according to the first embodiment, but the configuration of the service verification system 10a is different. FIG. 7 is a block diagram showing the configuration of the service verification system 10a according to the second embodiment. As shown in FIG. 7, in addition to the configuration of the service verification system 10 according to the first embodiment, the service verification system 10a according to the second embodiment includes an area information storage means (referred to as “area information DB”) 22, an area An information update unit 21, a time information storage unit (referred to as “time information DB”) 24, and a time information update unit 23 are further provided.

  The area information DB 22 is a database that stores usable area information related to an area where the second service can be used. FIG. 8 is a diagram illustrating an example of data stored in the area information DB 22. The area information DB 22 stores information on “use permission ID” and “usable area”. The “use permission ID” is identification information for specifying the use permission message, and is the same as that stored in the use permission message state DB 13. “Available area” is information related to an area where the second service can be used. If the service using terminal 40 does not exist in the available area, the service is not provided. Here, the usable area information is associated with the use permission ID, but it is not always necessary to have such a data structure. For example, the usable area information may be stored in association with the identification information of the authentication requesting terminal 30. Further, it may be stored independently of other information.

  The area information update unit 21 has a function of updating the area information DB 22. The area information updating means 21 is a service for making the service B available from the area where the authentication requesting terminal 30 has transmitted the use request when the service B is judged to be usable by the other service use availability judging means 17. Derive possible areas. For example, an area including the area where the authentication request terminal 30 is located can be used, or a part of the area where the authentication request terminal 30 is located can be used. Of course, the area where the authentication requesting terminal 30 is located may coincide with the available area. Then, the derived usable area information is stored in the area information DB 22. In addition, when the authentication requesting terminal 30 that has already been permitted to use other services and the message status information stored in the usage permission message status DB 13 is usable has moved and its area has changed, The other service use request is transmitted again from the authentication requesting terminal 30. In this case, the available area is derived from the area where the authentication requesting terminal 30 is located, and the newly derived available area information is stored. The area information DB 22 is updated. In addition, since the use permission response to the other service use request has already been transmitted, the use permission response is not transmitted in this case. With such a configuration, the available area can always be updated according to the area where the authentication requesting terminal 30 is located, and the service verification system 10a can receive a use permission message when receiving another service request again. It is only necessary to update the status DB 13 and it is not necessary to monitor the area where all the authentication requesting terminals 30 that are connected need to be monitored, so the burden on the service verification system 10 can be reduced.

  The time information DB 24 is a database that stores available time information related to the time during which the second service can be used. FIG. 9 is a diagram illustrating an example of data stored in the time information DB 24. The time information DB 24 stores information on “usage permission ID” and “usable time”. The “use permission ID” is identification information for specifying the use permission message, and is the same as that stored in the use permission message state DB 13. “Available time” is information relating to a time during which the second service can be used, and the service is not provided unless a use request message for the second service is received from the service using terminal within the available time. Here, the available time information is associated with the use permission ID, but it is not always necessary to have such a data structure. For example, the available time information may be stored in association with the identification information of the authentication requesting terminal 30. The information may be stored independently of other information.

  The time information update unit 23 has a function of updating the time information DB 24. The time information updating unit 23 sets an available time during which the service B can be used when the service B is determined to be available by the other service availability determination unit 17. For example, it is possible to set the available time up to 10 minutes after the determination for the use request for other services as the available time, 5 minutes for the service B, and 10 minutes for the service C different from the service B. Thus, the available time can be set for each service. Then, the time information update unit 23 stores the set available time information in the area information DB 22.

  Next, the operation of the service verification network system according to the second embodiment will be described with reference to FIG. 10, and the service providing method according to the second embodiment will be described.

  First, the authentication requesting terminal 30 performs authentication for using the service A (S10). This step is the same as the authentication step in the first embodiment (see FIG. 6).

  Next, the authentication requesting terminal 30 transmits a use request for the service B different from the service A to the service verification system 10 (S20). When the service verification system 10 receives the other service use request transmitted from the authentication requesting terminal 30 (S22), it determines whether the user of the authentication requesting terminal 30 can use the service B (S24). Here, it is assumed that service B is determined to be usable. When it is determined that the service B can be used, the service verification system 10 gives a use permission ID for identifying the use permission of the service B for the user, and updates the use permission message state DB 13 (S26). The usage permission message is initially added in a usable state (indicated by a circle in FIG. 4).

  Subsequently, the service verification system 10a derives usable area information that can use the second service from the area where the authentication requesting terminal 30 is located by the area information updating unit 21, and stores the information in the area information DB 22. Further, the service verification system 10a sets the available time information that can use the second service by the time information update unit 23, and stores it in the time information DB 24.

  Next, the service verification system 10 transmits a use permission response based on the use permission message for the service B related to the use request to the authentication requesting terminal 30 (S28). When the authentication requesting terminal 30 receives the use permission response (S30), it transmits the received use permission response to the service use terminal 40. In the present embodiment, it is assumed that the authentication requesting terminal 30 can wirelessly communicate with the service using terminal 40, and the authentication requesting terminal 30 transmits a use permission response to the service using terminal 40 by radio (S32). It is assumed that the terminal 40 receives a use permission response (S34).

  When the service use terminal 40 receives the use permission response transmitted from the authentication request terminal 30 (S34), the service use terminal 40 creates a message requesting the use of the service B based on the use permission response. The transmitted message is transmitted to the service verification system 10 (S36). The service verification system 10 receives the message transmitted from the service use terminal 40 (S38), analyzes the use permission message based on the received message, and retrieves the message state information from the use permission message state DB 13 (S40). ). Subsequently, the consistency of whether or not the usage permission message based on the received message is usable and whether or not the received message itself is correctly configured is determined based on the usage permission message status DB 13. The service verification system 10a according to the second embodiment searches for information on an available area from the area information DB 22, and searches for information on an available time from the time information DB 24 (S43). In the service verification system 10a, the service provision availability determination unit 19 determines whether the service use terminal 40 exists in the area indicated by the available area information stored in the area information DB 22. Furthermore, the service provision availability determination unit 19 determines whether or not the time at which the second service use request message is received is within the available time stored in the time information DB 24. By these determinations, when the service using terminal is in the available area and the message is further transmitted within the available time, the service providing availability determining unit 19 determines that the second service can be used ( S46). When the service can be provided, the use permission message state releasing unit 20 changes the state of the use permission message stored in the use permission message state DB 13 from the usable state to the unusable state, and changes the usable state of the service B. To release.

  Next, the service verification system 10 transmits a use permission response to the service using terminal 40 (S48), and the service using terminal 40 receives the use permission response transmitted from the service providing terminal (S50) and uses the service B. It becomes possible. The operation flow of the service verification network system according to this embodiment is thus completed.

  Similar to the service verification system 10 according to the first embodiment, the service verification system 10a according to the second embodiment provides the service B when the service verification system 10a that provides the service A provides a new service B. The service verification system 10a can be prepared at low cost and in a short time by using the authentication result by the authentication means 16 of the service A without newly constructing the authentication means 16 for authenticating available users. .

  Furthermore, the service verification system 10a according to the second embodiment stores the available area information in the area information DB 22 and permits the use of the service in the available area, so that the area where the service can be used is limited. Therefore, it is possible to improve security by reducing the chances of unauthorized use. In addition, since the available time information is stored in the time information DB 24 and the use of the service is permitted within the time, the time during which the service can be used is limited, the opportunity for unauthorized use is reduced, and security is improved. Can do.

Further, the service providing method according to the second embodiment is similar to the service providing method according to the first embodiment. In the service verification system 10 that provides the service A, the service B is provided when the new service B is provided. The service verification system 10 can be prepared at low cost and in a short time by using the authentication result by the authentication means 16 of the service A without newly constructing the authentication means 16 for authenticating the available user. .
(Third embodiment)

  Next, a service verification network system according to the third embodiment of the present invention will be described. The service verification network system according to the third embodiment has the same basic configuration as the service verification network system 1 according to the first embodiment (see FIG. 1), but a use permission response transmitted from the service verification system 10. And the information included in the use request transmitted from the service use terminal 40 are different from the service verification network system 1 according to the first embodiment. Hereinafter, differences from the service verification network system 1 according to the first embodiment will be described.

  In addition, the communication unit 14 of the service verification system 10 according to the third embodiment transmits a use permission response to the use request for another service when the other service can be used. Is based on the usable area information and the usable time information in addition to the information on the use permission message. Accordingly, the second message transmission unit 41 of the service usage terminal 40 according to the third embodiment creates a usage request message based on the available area information and the available time information in addition to the information on the usage permission message. And a function of transmitting to the service verification system 10.

  Next, the operation of the service verification network system according to the third embodiment will be described with reference to FIG. 11, and the service providing method according to the third embodiment will be described.

  Since the operation of the service verification network system according to the third embodiment is basically the same as that of the service verification network system 1 according to the first embodiment, the operation of the service verification system 10 according to the first embodiment is the same as the operation of the service verification network system 1 according to the first embodiment. Different points will be described. In step S28, when transmitting a use permission response for service B, a use permission response based on the use permission message, the usable area information, and the usable time information is transmitted to the authentication requesting terminal 30. The service use terminal 40 that has received the use permission response in step S34, based on the use request response based on the use permission message, the available area information, and the available time information, when transmitting the use request message in step S36. The message is created and transmitted to the service verification system 10 (S36). When the service verification system 10 receives the message transmitted from the service use terminal 40 (S38), the service verification system 10 matches the status of the use permission message on which the message is based and whether or not the received message itself is correctly configured. Is determined based on the use permission message state DB 13. Here, if the usage permission message based on the usage request message is “A102”, it can be seen that the status is “◯” with reference to the usage permission message status DB 13. Further, the usage request area information and usage request time information based on the usage request message received from the service usage terminal 40 are analyzed (S44), and whether or not the service area of the service usage terminal 40 is included in the available area. In addition, it is determined whether or not the reception time of the usage request message is within the available time, and it is determined whether or not the service B can be provided (S46).

  Similar to the service verification network system 1 and method according to the first embodiment, the service verification network system and method according to the third embodiment enables the service B to be used by using the authentication result of the service A. It is not necessary to provide a new authentication means for B, and the service verification system 10 that provides the service B at a low cost and in a short time can be prepared.

  Further, in the service verification network system according to the third embodiment, since the use permission message state DB 13 of the service verification system 10 is configured not to have usable area information or usable time information, data stored in the service verification system 10 The amount can be reduced.

  The service verification network system of the present invention has been described in detail with reference to the embodiment, but the present invention is not limited to the above embodiment.

  For example, in the second embodiment, when determining whether or not the service B can be used, the available area information and the available time information are also used, but only one of them may be used. In this way, it is possible to increase the speed of the provision determination process by reducing the determination steps while improving security.

  In addition, the service using terminal further includes an identification information storing unit that stores identification information for identifying its own terminal as additional information. Based on the identification information and the use permission response received by the authentication requesting terminal 30, A service B usage request message may be created and transmitted to the service verification system 10. By adopting such a configuration, it is possible to limit terminals that can use the second service, and thus security can be improved.

  In addition, the service use terminal further includes an authentication information storage unit that stores authentication information as additional information. Based on the authentication information and the use permission response received by the authentication requesting terminal 30, the service use terminal A message may be created and transmitted to the service verification system 10. By adopting such a configuration, the second service can be provided more safely.

It is a block diagram which shows the structure of the service verification network system which concerns on embodiment. It is a figure which shows the example of the data item stored in authentication information DB. It is a figure which shows the example of the data item stored in usable service information DB. It is a figure which shows the example of the data item stored in use permission message status DB. It is a flowchart which shows operation | movement of the service verification network system which concerns on 1st Embodiment. It is a flowchart which shows an authentication process. It is a block diagram which shows the structure of the service verification system which concerns on 2nd Embodiment. It is a figure which shows the example of the data stored in area information DB. It is a figure which shows the example of the data stored in time information DB. It is a flowchart which shows operation | movement of the service verification network system which concerns on 2nd Embodiment. It is a flowchart which shows operation | movement of the service verification network system which concerns on 2nd Embodiment.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Service verification network system, 10 ... Service verification system, 11 ... Authentication information DB, 12 ... Available service information DB, 13 ... Usage permission message status DB, 14, 15 ... Communication means, 16 ... Authentication means, 17 ... Others Service availability determination unit, 18 ... Usage permission message status update unit, 19 ... Service provision availability determination unit, 30 ... Authentication request terminal, 31 ... Authentication information DB, 32 ... Communication unit, 33 ... Authentication information transmission unit, 34 ... Authentication Result receiving means 35 ... Other service use request sending means 26 ... Use permission response receiving means 40 ... Service use terminal 41 ... Use request sending means 42 ... Communication means.

Claims (19)

A service verification system that provides multiple services,
Authentication information storage means for storing authentication information for authenticating a user who can use the first service;
Available service information storage means for storing information related to services other than the first service that can be used by the user;
A use permission message for storing message information based on a use permission message for identifying the use permission when permitting use of a second service different from the first service stored in the available service information storage means. Information storage means;
First message receiving means for receiving a message in accordance with the authentication method of the first service;
By verifying the message received by the first message receiving means based on the authentication information stored in the authentication information storage means, the user in the first service is specified and the user uses the first service An authentication means for authenticating whether it is possible;
Other service usage request receiving means for receiving a usage request for the second service, transmitted by a user who is authenticated by the authentication means to be able to use the first service and is using the first service;
When the use request is received by the other service use request receiving unit, whether or not the user can use the second service is determined based on information in the available service information storage unit. A determination means;
Use permission message information updating means for validating message information based on the use permission message in the use permission message information storage means when it is determined by the other service use permission determination means that the second service can be used;
A use permission response transmitting unit that transmits a use permission response based on the use permission message when it is determined by the other service use permission determination unit that the second service can be used;
Second message receiving means for receiving a message based on the use permission response;
Service provision availability judging means for judging whether or not the second service can be provided based on the message received by the second message receiving means and the message information stored in the use permission message information storage means;
When the service provision availability determination unit determines that the second service can be provided, the use of the second service is permitted, and the message information stored in the use permission message information storage unit is invalidated. Use permission message state release means to
A service verification system comprising: Additional information storage means for storing additional information for verifying a message further based on the additional information used for using the second service;
Whether the second message receiving means can further receive a message based on the additional information, and the service provision availability determining means can provide the second service based on the additional information stored in the additional information storage means. The service verification system according to claim 1, wherein it is determined whether or not. Area information storage means for storing available area information relating to an area where the second service can be used;
When the use request is received by the other service use request receiving means, the use area information is derived from the information relating to the area where the first terminal is located, and the use area information is stored in the area information storage means. Area information updating means for
With
The service provision availability determination unit further determines whether or not the service area of the second terminal is within an area where service can be used, based on the available area information stored in the area information storage unit. If the area where the second terminal is located is within an area where the service can be used, it is determined that the second service can be provided.
The service verification system according to claim 1 or 2, wherein When the area information update means determines that a use permission response is available based on the message information stored in the use permission message information storage means, the area where the first terminal is located is determined by the available area information. When the mobile terminal moves outside the usable area to be identified, the usable area information derived from the information about the area in which the first terminal has moved is stored in the area information storage means. The service verification system according to claim 3.   When the area information update means determines that a use permission response is available based on the message information stored in the use permission message information storage means, the area where the first terminal is located is determined by the available area information. When moving out of the available area to be identified and receiving a use request by the other service use request receiving means, the available area information derived from the information about the area in which the first terminal has moved is obtained. The service verification system according to claim 3 or 4, wherein the service information is stored in the area information storage means. Time information storage means for storing available time information relating to a time during which the second service can be used;
Time information updating means for storing available time information in the time information storage means when the use request is received by the other service use request receiving means;
Further comprising
The service provision availability determination unit may further include a time when the message is received by the second message reception unit is included in a time during which the service can be used, or based on availability time information stored in the time information storage unit. And determining that the second service can be provided when the time when the message is received is included in the time in which the second service can be used.
The service verification system according to any one of claims 1 to 5, wherein: The usage permission response transmitting means transmits the usage permission response further based on the available area information derived from the information related to the area where the first terminal is located,
The service provision availability determination unit is configured to determine whether or not the service area of the second terminal is within an area where service can be used, based on area information obtained from the message received by the second message reception unit. And if the area where the second terminal is located is within an area where the service can be used, it is determined that the second service can be provided.
The service verification system according to any one of claims 1 to 6, wherein: The use permission response transmitting means transmits the use permission response further based on the available time information,
Based on the message received by the second message receiving means, the service provision availability determination means has a time when the service verification system receives the message in the second message receiving means within a time when the service can be used. Whether the second service can be provided if the service is within the available time,
The service verification system according to claim 1, wherein: An authentication requesting terminal that can use the first service provided by the service verification system according to any one of claims 1 to 8 and performs authentication for using the first service,
Authentication information storage means for storing authentication information for using the first service;
A first message transmission unit that follows an authentication scheme and transmits a message based on the authentication information stored in the authentication information storage unit to the service verification system;
When it is determined by the service verification system that the first service can be used, another service usage request transmission unit that transmits a usage request for the second service provided by the service verification system to the service verification system;
A use permission response receiving means for receiving a use permission response based on the use permission message;
An authentication requesting terminal comprising: A service use terminal for using the second service by using the use permission response received to use the second service provided by the service verification system;
A second message transmission means for transmitting a message for using the second service;
10. The service use terminal according to claim 9, wherein the authentication request terminal according to claim 9 is based on a use permission response received from the service verification system. Additional information storage means for storing additional information used for using the second service;
11. The service using terminal according to claim 10, wherein the message transmitted by the second message transmitting unit is further based on additional information stored in the additional information storing unit. A service verification system that provides a plurality of services; an authentication requesting terminal that is authenticated by the service verification system and uses the first service provided by the service verification system; and the authentication for using a second service A service providing method for providing a service in a service verification network system comprising: a service using terminal that uses a second service provided by the service verification system based on a response transmitted to a requesting terminal;
A first message sending step in which the authentication requesting terminal follows the authentication method and sends a message based on authentication information to the service verification system;
By verifying the message received in the first message transmission step based on the authentication information stored in advance in the service verification system, the user in the first service can be specified and the user can use the first service An authentication step for authenticating whether or not,
When the first service is available, the authentication requesting terminal transmits a second service usage request to the service verification system;
When the use request is received in the other service use request transmission step, the service verification system stores the user on the basis of information related to services available to each user stored in the service verification system in advance. Another service availability determination step for determining whether the second service is available;
Message information based on a usage permission message for identifying the usage permission of the second service in the usage permission message information storage means when it is determined that the second service can be used in the other service availability determination step. A permission message information update step for enabling
A use permission response transmitting step in which the service verification system transmits a use permission response based on a use permission message to the authentication requesting terminal when it is determined that the second service can be used in the other service use permission determining step; ,
A second message transmitting step in which the service using terminal transmits a message based on the use permission response received by the authentication requesting terminal in the use permission response transmitting step to the service verification system;
A service provision availability determination step for determining whether or not the second service can be provided based on the message received in the second message transmission step and the message information stored in the use permission message information storage unit;
If it is determined in the service provision availability determination step that the second service can be provided, the use of the second service is permitted, and the message information stored in the use permission message information storage unit is invalidated. A use permission message state release step to be
A service providing method characterized by comprising: In the second message transmission step, a message based on additional information is further received,
13. The service provision according to claim 12, wherein in the service provision availability determination step, it is determined whether or not the second service is available based on the additional information stored in the additional information storage unit. Method. When the use request is received in the other service use request transmission step, the use area information is derived from the information related to the area where the authentication request terminal is located, and the use area information is stored in the area information storage means. An area information update step,
The service provision availability determination step further determines based on the available area information stored in the area information storage means whether the service area of the service using terminal is within an area where service can be used, If the service area of the service using terminal is within an area where the service can be used, it is determined that the second service can be provided.
14. The service providing method according to claim 12, wherein the service providing method is provided.   Based on the message information stored in the available message information storage means in the area information update step, when it is determined that a use permission response is available, the area where the authentication requesting terminal is located is determined by the available area information. 15. The service provision according to claim 14, wherein when the user moves out of the usable area, the usable area information derived from the information regarding the existing area after the movement is stored in the area information storage unit. Method.   Based on the message information stored in the available message information storage means in the area information update step, when it is determined that a use permission response is available, the area where the authentication requesting terminal is located is determined by the available area information. When the authentication requesting terminal transmits a second service usage request in the other service usage request transmission step when moving outside the available area, the available area derived from information about the area in which the mobile station has been moved 16. The service providing method according to claim 14, wherein information is stored in the area information storage means. A time information update step of storing, in the time information storage means, available time information relating to a time during which the second service can be used when the use request is received in the other service use request transmission step;
In the service provision availability determination step, the time when the message is received in the second message transmission step is included in the time in which the service can be used, or based on the available time information stored in the time information storage unit And determining that the second service can be provided when the time when the message is received is included in the time in which the second service can be used.
The service providing method according to claim 12, wherein the service providing method is provided. In the use permission response transmitting step, the use permission response is further transmitted based on the available area information derived from the information related to the area where the authentication requesting terminal is located,
In the service provision availability determination step, based on the area information obtained from the message received in the second message transmission step, it is further determined whether or not the service area of the service using terminal is within the area where the service can be used. If the area where the user terminal is located is within an area where the service can be used, it is determined that the second service can be provided.
The service providing method according to claim 12, wherein the service providing method is provided. In the use permission response transmission step, the use permission response further based on the available time information is transmitted,
In the service provision availability determination step, based on the message received in the second message transmission step, the time when the service verification system received the message in the second message transmission step is within the time when the service can be used. Whether the second service can be provided if the service is within the available time,
The service providing method according to claim 12, wherein the service providing method is provided.

Images