JP4611809B2 - Service use qualification examination apparatus and method - Google Patents

Description

  The present invention relates to a service use qualification examination apparatus and method for performing examination of service use qualification or access control when providing services, functions, and resources via a communication network.

  A public key infrastructure (hereinafter referred to as PKI), which is an electronic authentication technology, is based on public key cryptography by using a public key certificate that proves the connection between the public key and the ID of the owner of the public key. Strict ID authentication is possible. A user can use a security function based on PKI (hereinafter referred to as a PKI function) such as authentication of a communication partner and verification of the authenticity of an electronic document using a public key certificate. In recent years, various applications and devices that are already widely used, such as Web browsers, mailers, and network routers, are beginning to have a PKI function.

  By the way, many general authentication services provide key information and public key certificate issuance services by an operation method mainly using human resources (for example, see Non-Patent Documents 1 to 3). In particular, when a public key certificate used for strict authentication is issued, manual operation, that is, off-line issuance at a reception desk or the like is often performed. For example, in Non-Patent Document 1, application information is obtained from a user who intends to register, the existence is confirmed based on the application information, and the intention to apply by telephone to the person or related person after the authentication is completed. Confirmation is performed and a predetermined mail is sent to the user for authentication. Also, even in Non-Patent Document 2, upon receiving an electronic certificate issuance request from the user, the certificate authority examines the identity of the applicant and then stores the electronic certificate in an IC card for use. Issued offline to the applicant. Further, in Non-Patent Document 3, an e-mail is transmitted based on information of an Internet domain administrator, which is information that can be obtained by WHOIS, and whether or not a certificate is issued is determined based on the reachability. As a result, part of the work related to the examination is automated, and a faster issuance work is realized as compared with the conventional authentication service.

“VeriSign Q & A”, [online], [Search April 21, 2005], Internet, <URL: http://www.verisign.co.jp/securemail/help/faq/600001/index.html> “E-Probatio PS Introduction / Use Image”, [online], [Search May 16, 20005], Internet, <URL: https://www.e-probatio.com/ps/about/introduction.html > “Concept of identity verification”, [online], [Search April 21, 2005], Internet, <URL: http://www.geotrust.co.jp/popup_concept.htm>

  Since the use of such public key certificates is strictly limited depending on the use, the user needs to generate a public key for each use and receive a public key certificate related to the public key. is there. However, it is not easy for users to prepare (or obtain) or maintain key information and public key certificates essential for using the PKI function, and at present, the PKI function is implemented. However, it is difficult to use.

  In addition, as described above, in the conventional authentication service, the key information and public key certificate issuance service is provided by a manual operation method, so that the cost for providing the service is increased. Expenses borne by users are also increasing, and this is one of the main reasons why PKI services are not popularized.

  As described above, one of the reasons why the conventional technology adopts an offline-based operation method is that a method for automatically examining service qualification online is not established. Technically, a variety of technologies that can be applied to automatic examinations have been developed, such as ID-password methods, PKI authentication, ACL (Access Control List) and role-based access control methods, etc. It is possible to adopt either method in developing the apparatus.

  However, the method for examining the qualification for providing services can be extremely diverse depending on the contents of the service and the operational requirements of the installation destination. Therefore, it is assumed that the device for providing the authentication service has been developed as described above. However, it is impossible to fully respond to the examination of eligibility for providing the service. In particular, in the public key certificate issuing service of PKI as described above, the tendency is remarkable, and it is considered that online service provision is avoided.

  Accordingly, the present invention has been made to solve the above-described problems of the prior art, and in a service via a general network including an authentication service, key information, a public key certificate, predetermined information, and software It is an object of the present invention to provide a service use qualification examination apparatus and method capable of automatically issuing services such as the above without relying on human hands.

In order to solve the above-described problems and achieve the object, the disclosed technique is connected to a network having a requester's terminal requesting provision of a service available via the network, and the requester's terminal A service use qualification examination apparatus that performs examination processing according to a service use request including a service name and information necessary for receiving the service, and receives the service use request from the requester's terminal, and The examination items for examining the examination items necessary for the service acceptance request means for transmitting the examination result for the service use request to the requester's terminal and the services that can be examined by the service usage qualification examination device. An examination processing means provided for each service, a service that can be examined by the service use qualification examination apparatus, Based on the examination method assignment information that associates the examination processing means designation list including the examination items necessary for the service, the examination processing means to be examined is identified from the service name in the service use request, and the examination processing is performed. An examination method specifying means for passing the service use request to the means and executing the examination, and when the service use request is valid in all examination processing means in the examination processing means designation list, It is characterized by providing services for requests.

Further, according to the disclosed technology , in the above invention, the service use request includes a digital signature regarding the content of the service use request and a public key certificate in which the requester is previously authenticated by a predetermined certification authority. Signature information is included, and as the examination processing means, the integrity of the entire service use request is verified using the digital signature in the signature information, and up to a predetermined trust point using the public key certificate. It is characterized by comprising authentication domain examination processing means for determining whether or not the service use request is valid by verifying whether or not an authentication path can be constructed.

Further, according to the disclosed technology , in the above-described invention, the service use request includes parameter information including parameters required in the examination corresponding to the service name, and the examination processing unit uses the parameter information. The validity of the service use request is determined based on predetermined examination conditions.

Further, the disclosed technology is characterized in that in the above invention, an examination processing means corresponding to a new examination matter is created, and an editing processing means for editing the examination method allocation information according to the contents of the service is further provided. To do.

In addition, the disclosed technology is such that a service use qualification examination apparatus connected via a network to a requester's terminal that requests provision of a service that can be used via a network, according to a request from the requester's terminal A service usage qualification screening method for performing a service screening process, the first step of receiving a service usage request including a service name of the service requested by the requester and information necessary for receiving the service; The service name is extracted from the service use request, and the screening process corresponding to the extracted service name is referred to by referring to the screening method assignment information including the screening process designation list including the service name and the screening items corresponding to the service name. In the second step of acquiring the means designation list, one unprocessed examination item is extracted from the examination processing means designation list. The examination items are examined to determine whether or not the service use request is valid. When the service use request is valid, there is no unprocessed examination item in the examination processing means designation list. A third step of performing a review, and a step of providing a service for the service use request to the requester's terminal when the service use request is valid for all the examination items in the examination processing means designation list. And 4 processes.

Further, according to the disclosed technology , in the above invention, the service use request includes a digital signature regarding the content of the service use request and a public key certificate in which the requester is previously authenticated by a predetermined certification authority. Signature information is included, and in the third step, the digital signature in the signature information is used as an examination item to verify the integrity of the entire service use request, and the public key certificate is used to And a process for determining whether or not the service use request is legitimate by verifying whether or not an authentication path up to the trust point can be constructed.

In the disclosed invention, the service use request includes parameter information including parameters required in the examination corresponding to the service name, and in the third step, the examination item includes: A process for determining whether the service use request is valid based on a predetermined examination condition using the parameter information is included.

According to the disclosed technology , examination processing is performed in units of examination items performed in various services, and examination processing is performed based on examination method allocation information that associates services with examination items necessary for the services. As a result, it is possible to respond to the examination process of services consisting of various combinations of examination items without human intervention, and it is possible to automatically provide the service requested by the user. . As a result, the service can be provided flexibly and safely according to the operation requirements of the service.

Further, according to the disclosed technology , authentication of the identity of a requester of a service having a public key certificate that has been authenticated by a predetermined certification authority is performed in a safe and strict manner using an electronic signature technology represented by PKI. Can be implemented. Also. Since the requester's identity is authenticated using the requestor's public key certificate that has already been issued, the service can be automatically provided (online) on the network, It also has an effect that it becomes easy for the requester to prepare (or obtain) and maintain and manage key information and public key certificates essential for using the PKI function.

In addition, according to the disclosed technology , parameter information necessary for receiving the service desired by the requester can be arbitrarily set in the service use request, so that an arbitrary examination is performed based on the parameter information. It is possible to construct an examination processing means that can do this. As a result, it is possible to flexibly cope with various operational requirements.

In addition, according to the disclosed technology , an editing means for editing the examination method allocation information is provided, so even if a new operation requirement is set or an existing operation requirement is changed, the operation requirement is not changed. It is possible to respond flexibly to matching examination processes.

  Embodiments of a service use qualification examination apparatus and method according to the present invention will be described below in detail with reference to the accompanying drawings.

  In this embodiment, a user or subject who is going to receive a service by the service use qualification examination apparatus according to the present invention is preliminarily provided by a certification authority (hereinafter referred to as a basic certification authority) with a public key certificate. It is assumed that it has been issued. In other words, the subject is authenticated online on the premise that the public key certificate authenticated by the basic certification authority can be trusted. In the following, a service usage qualification examination apparatus and method for automatically examining usage qualifications in authentication services such as key information and public key certificate issuing services will be described.

  FIG. 1 is a diagram showing an example of the configuration of a network system to which a service use qualification examination apparatus according to the present invention is applied. As shown in FIG. 1, a system to which a service use qualification examination apparatus is applied is a user who wants to receive an authentication service such as a key information or public key certificate issuing service (hereinafter referred to as a requester). ), A service use qualification examination device 20 that examines a requester's request for an authentication service, and a user information management device that makes an inquiry about predetermined information at the time of examination by the service use qualification examination device 20 30 are connected to a network 40 such as the Internet.

  Here, in addition to the case where the requester is an individual who wishes to receive the key information and public key certificate issuing services, for example, the requester collectively issues public key certificates for a plurality of employees in a certain company. There is a case. In the former case, the requester and the person who is authenticated by the public key certificate (hereinafter referred to as the subject) are the same, but in the latter case, the requester and the subject of the public key certificate are the same. Must not.

  The user information management device 30 refers to an information processing terminal possessed by a basic certification body that performs authentication with a high degree of trust and an examination information provider that holds information necessary for examination of a subject. . As described above, the basic certification body needs to be objectively recognized as performing certification with a high degree of trust, and a local public body can be cited as such an organization. Further, as an example of the examination information providing organization, a settlement organization that performs settlement of charges can be cited.

  FIG. 2 is a block diagram schematically showing a functional configuration of the service use qualification examination apparatus according to the present invention. The service use qualification screening apparatus 20 includes a request reception processing unit 21, screening processing units 22 </ b> A to 22 </ b> X, a screening method assignment information storage unit 23, and a screening method identification unit 24.

  The request reception processing unit 21 receives a service use request from the terminal 10 of the requester requesting the service use qualification examination, extracts a service name from the received service use request, and delivers it to the examination method specifying unit 24. In response to the examination result from the examination method specifying unit 24 for the received service use request, the examination result is transmitted via the network 40 to the requester's terminal that is the transmission source of the service use request. For example, if the service use request cannot be authenticated, information indicating that the authentication has failed is sent, and if authentication is successful, information indicating that the authentication was successful and the result should be sent to the requester. Send information.

  FIG. 3 is a diagram illustrating an example of a data configuration of a service use request for requesting an authentication service transmitted from the requester's terminal to the service use qualification examination apparatus. The service use request 100 includes a requester name 101, a service name 102, parameter information 103, and signature information 104. The requester name 101 is the name of the user who performs the service use request 100 (that is, the requester). The service name 102 is the service name 102 requested by the requester, and indicates what kind of authentication service the user wants to receive. The parameter information 103 includes information necessary for determining whether the requester (or the subject in the case where the requester and the subject do not match) are appropriate (authenticated) as a person to be authenticated in the authentication service. This is information used for the authentication service (processing) itself, and differs depending on the service name 102 requested. For example, in the case of a public key certificate issuance service, this parameter information includes personal information such as address and telephone number, information such as a settlement number for proof of payment, and the organization name of the subject. You can list the public key itself such as email address or information you want to post on the public key certificate. The signature information 104 is information for verifying on the side of the service provider (that is, the service use qualification examination apparatus 20) that the service use request 100 is certainly created by the requester. Specifically, the signature information 104 is a secret key paired with a public key in which the “requester name”, “service name”, and “parameter information” (or their hash values) are registered with the basic certification authority. And the digital signature encrypted by the public key certificate issued by the basic certification authority.

  When the examination processing unit 22A to 22X is instructed to execute the examination process by inputting the service use request 100 by the examination method identification unit 24, the examination processing unit 22A to 22X does not perform the examination necessary for the use qualification examination of the authentication service without human intervention. And the result of the examination process is returned to the examination method specifying unit 24. The examination performed in the certification of use of the certification service is generally composed of a combination of various examination items, and the examination items differ depending on the contents of the intended certification service (that is, the service name 102). For this reason, in this embodiment, the examination processing units 22A to 22X are constructed by setting examination items as a minimum unit of examination and using the minimum unit as a functional block. That is, the examination processing units 22A to 22X are provided for each examination item. Therefore, one or more examination processing units 22A to 22X exist in the service use qualification examination apparatus 20, but in reality, examination contents (examination items) differ depending on the contents of the service and the operation requirements of the introduction destination. The examination processing units 22A to 22X that execute a plurality of different examination processes are prepared. Note that the examination processing units 22A to 22X access the user information management apparatus 30 according to the examination contents to obtain necessary information and conduct examination.

  The examination method allocation information storage unit 23 stores examination method allocation information in which examination processing units 22A to 22X (examination items) are associated with service names in the authentication service. FIG. 4 is a diagram illustrating an example of the configuration of examination method allocation information. As shown in FIG. 4, the examination method allocation information 130 lists service names 131 that can be examined by the service use qualification examination apparatus 20 and elements that are examination items necessary for the authentication service of the service name 131. And an examination processing unit designation list 132. For example, a service name 131 of “Public Key Certificate A / Issuance Service” of No. 1 is associated with an examination processing unit designation list 132 of “Authentication Domain Examination, Subject Name Examination, Fee Payment Status Examination”. . This is because the “Public Key Certificate A / Issuance Service” needs to execute three examination items (elements): “Authentication Domain Examination”, “Subject Name Examination”, and “Charge Payment Status Examination”. Show. The examination method assignment information 130 can be changed by editing processing means (not shown). For example, a set of a new service name 131 and an examination processing unit designation list 132 can be added to the examination method allocation information 130, or the contents of the examination processing unit designation list 132 for an existing service name 131 can be changed.

  The examination method specifying unit 24 refers to the examination method allocation information 130 of the examination method allocation information storage unit 23 from the service name 102 in the service usage request 100 acquired from the request reception processing unit 21 and executes the service usage request 100. An examination processing unit designation list 132 in which examination items (elements) to be examined are described is acquired. Then, one screening processing unit 22A to 22X (element) is extracted from the screening processing unit designation list 132, and the service usage request 100 is passed to the screening processing unit 22A to 22X to instruct the execution. Thereafter, when the examination results from the designated examination processing units 22A to 22X are received and the examination results indicate validity, the remaining examination processing units 22A to 22A not yet executed in the examination processing unit designation list 132 are displayed. Similarly, 22X is instructed to execute the examination in the same manner. If the screening processing units 22A to 22X in all screening processing unit designation lists 132 are screened and it is determined that the service use request 100 is valid, the result is output to the request reception processing unit 21. When the examination results from the designated examination processing units 22 </ b> A to 22 </ b> X do not indicate validity, the result indicating that the service use request 100 is invalid is output to the request reception processing unit 21. In this embodiment, the examination method specifying unit 24 issues an instruction to perform examination processing in the order of examination items (elements) listed in the examination processing unit designation list 132.

  As described above, since a plurality of examination processing units 22A to 22X for executing different examination processes are provided in the service use qualification examination apparatus 20, examination methods having diversity depending on service contents and operational requirements of installation destinations. It becomes possible to cope with. Further, by constructing the examination processing unit 22 for executing new examination items and changing the examination method allocation information 130, it becomes possible to cope with the case where new examination items are required in the authentication service. .

  Next, the operation processing procedure of the service use qualification examination apparatus having such a configuration will be described with reference to the flowchart of FIG. First, when the service usage qualification examination apparatus 20 receives the service usage request 100 from the requester's terminal 10 connected to the network 40 by the request reception processing unit 21 (step S101), the request reception processing unit 21 receives the service usage request. The service name 102 is extracted from the request 100 (step S102), and the extracted service name 102 is passed to the examination method specifying unit 24. Next, the examination method specifying unit 24 acquires the corresponding examination processing unit designation list 132 from the examination method assignment information 130 in the examination method assignment information storage unit 23 using the passed service name 102 as a key (step S103).

  Thereafter, the examination method specifying unit 24 extracts one element in order from the first element of the obtained examination processing unit designation list 132 (step S104), and performs step S101 for the examination processing units 22A to 22X corresponding to the element. The examination process is executed with the service use request 100 acquired in the above as an input (step S105).

  The examination processing units 22A to 22X selected by the examination method specifying unit 24 perform examination processing using information necessary for the own examination processing units 22A to 22X among the information included in the service use request 100 (step S106). . The examination method specifying unit 24 determines the result of whether or not the requester's service request by the examination processing units 22A to 22X is valid (step S107). At this time, if necessary, the examination processing units 22A to 22X access the user information management device 30 to obtain (inquire) information necessary for examination.

  As a result of the determination by the screening processing units 22A to 22X, when it is determined that the service use request 100 from the requester is not valid (No in Step S107), the screening method specifying unit 24 accepts it in Step S101. The service use request 100 is rejected (step S108), and the request acceptance processing unit 21 sends a message to that effect to the requester's terminal 10 (step S109), and ends the service use qualification examination process.

  On the other hand, as a result of the determination by the examination processing units 22A to 22X, when it is determined that the service use request 100 by the requester is valid (Yes in step S107), the examination processing units 22A to 22X obtain the result. Return to the examination method identification unit 24. Thereafter, the examination method specifying unit 24 determines whether or not there is an unprocessed element in the examination processing unit designation list 132 acquired in Step S103 (Step S110). If there is an unprocessed element in the examination processing unit designation list 132 (Yes in step S110), one unprocessed element in the examination processing unit designation list 132 is extracted (step S111), and step Returning to S105, the above-described processing is repeated again. On the other hand, if there is no unprocessed element in the examination processing unit designation list 132 (No in step S110), all examinations in the examination processing unit designation list 132 have passed, and the service accepted in step S101. The usage request 100 is permitted (step S112), and the request reception processing unit 21 transmits the result required by the notification and examination for permitting the requester to use the service to the requester's terminal 10 (step S113). ), The service use qualification screening process is terminated.

  Here, specific processing contents of the examination processing units 22A to 22X constituting the service use qualification examination apparatus 20 will be described. FIG. 6 is a block diagram schematically illustrating a specific configuration example of the service usage qualification examination apparatus, and FIG. 7 schematically illustrates an example of a network configuration to which the service usage qualification examination apparatus in FIG. 6 is applied. FIG. As shown in FIG. 7, in this system, the reliability of the requester's terminal 10 that makes a request for using the authentication service, the service use qualification examination apparatus 20A, and the requester (subject) to the network 40 such as the Internet. Are connected to a basic certification authority authentication device 31 possessed by a basic certification authority that has previously performed authentication sufficient for payment, and a payment information management device 32 possessed by a credit card company or the like that manages payment information of the requester (subject). Yes. Here, the basic certification authority authentication device 31 and the payment information management device 32 correspond to the user information management device 30 of FIG.

  In addition, the service use qualification examination apparatus 20A is the same as the service use qualification examination apparatus 20 shown in FIG. 2, in which the examination processing units 22A to 22X perform an authentication domain examination and an authentication domain examination processing unit 22a. A name examination processing unit 22b, a fee payment status examination processing unit 22c that performs fee payment situation examination, and a key quality examination processing unit 22d that performs key quality examination are configured.

  The authentication domain examination processing unit 22a uses the requester name 101 and the signature information 104 included in the service use request 100 to determine whether the requester belongs to the authentication domain (that is, the service use request). (To confirm the identity of the creator) Specifically, the signature information 104 of the service use request 100 is verified, the completeness of the service use request 100 is confirmed as to whether the service use request 100 has been tampered with after creation, and the signature information 104 is verified. An authentication path (whether a valid verification path to a root certificate issued by a trusted issuer) is determined whether or not the public key certificate used in the process reaches a trust point defined in advance in the authentication domain examination processing unit 22a. Confirm whether it can be constructed. As a result, whether or not the signature information 104 is generated by the person represented by the public key certificate, that is, the identity of the requester of the service use request 100 is confirmed.

  In the verification of the certification path, it is assumed that the certification domain examination processing unit 22a is preliminarily provided with list information related to the trusted issuer, and this list information is used as necessary (for example, the type of service name 102). By changing (depending on), the criteria of the examination can be controlled. For example, when there are multiple basic certification bodies with different degrees of reliability, the criteria for auditing can be controlled by differently ranking the degree of reliability of basic certification bodies required by the type of service. Can do. Thus, by changing the examination criteria, it is possible to flexibly change the strictness of examination in the authentication domain examination.

  An example of the execution of the examination process of FIG. 5 by the authentication domain examination processing unit will be described with reference to the flowchart of FIG. The authentication domain examination processing unit 22a receives the service use request 100 as an input from the examination method specifying unit 24, and acquires the signature information 104 from the service usage request 100 (step S201). Next, the signature information 104 is used to verify whether the service use request 100 has been tampered with (step S202). Specifically, the signature information 104 is disclosed as the “requester name”, “service name” and “parameter information” (or their hash values) of the service use request 100 encrypted with the requester's private key. Since it is composed of a key certificate, the signature information 104 therein is decrypted with the public key certified by the public key certificate, and decrypted, and the “requester name” and “service name” of the service use request 100 ”And“ parameter information ”(or their hash values) to verify whether the contents have been tampered with.

  As a result of the verification, when the verification has succeeded without being falsified (Yes in step S203), the identity of the service use request 100 is further confirmed using the public key certificate in the signature information 104. (Step S204). Specifically, it is confirmed whether or not the public key certificate reaches the basic certification authority (trust point) in the list information selected according to the service name 102. As a result, when the identity of the requester can be confirmed (Yes in step S205), it is determined that the service use request 100 is valid (step S206), and the process returns to the flowchart of FIG.

  Further, when the verification of the signature information 104 is not successful in step S203 (in the case of No in step S203), or in the case where the identity of the requester cannot be confirmed in step S205 (in the case of No in step S205). Determines that the service use request 100 is invalid (step S207), and the process returns to the flowchart of FIG.

  The subject name examination processing unit 22b uses the parameter information 103 included in the service use request 100 to perform a subject name examination process. For example, in the case of a service that issues a public key certificate, the subject name (subject DN (Distingushed Name)) to be set in the public key certificate to be issued, specified in the parameter information 103, is set in advance. Compared with conditions defined in the examination processing unit 22b (such as a comparison condition for the upper part of the DN), the validity of the service use request 100 is determined.

  An example of the execution of the examination process of FIG. 5 by the subject name examination processing unit will be described with reference to the flowchart of FIG. Here, an example of subject name examination in a public key certificate issuance service is given. The subject name examination processing unit 22b receives the service use request 100 as an input from the examination method identification unit 24, and obtains parameter information 103 from the service usage request 100 (step S221). Next, the subject name examination processing unit 22b determines whether the information regarding the subject name registration in the parameter information 103 satisfies a predetermined condition (step S222). This predetermined condition may not be provided, or a country name or an organization name may be provided. For example, when the subject name of a public key certificate required for a certain service is limited to the country and a specific organization name, the country name (for example, Japan) and the organization name (for example, ABC Corporation) This condition can be set.

  As a result of the determination, if the predetermined condition is satisfied (Yes in step S222), the service use request 100 is considered valid (step S223), and the process returns to the flowchart of FIG. On the other hand, when the predetermined condition is not satisfied (No in step S222), it is determined that the service use request 100 is invalid (step S224), and the process returns to the flowchart of FIG.

  The fee payment status examination processing unit 22c uses the requester name 101 or the parameter information 103 of the service use request 100 to examine the requester's fee payment status. Specifically, payment information management of an external fee payment system using information specified by the requester name 101 or parameter information 103 (separately, a payment number paid out by the payment system when paying a fee) as a search key The device 32 is inquired, the requester's fee payment status is examined, and the validity of the service use request 100 by the requester is determined.

  An example of execution of the examination process of FIG. 5 by the fee payment situation examination processing unit will be described with reference to the flowchart of FIG. However, here, the fee payment status examination processing unit 22 c shows a case where examination is performed using the settlement number specified in the parameter information 103. The fee payment status examination processing unit 22c receives the service use request 100 as an input from the examination method identification unit 24, and obtains parameter information 103 from the service usage request 100 (step S241). Next, the fee payment status examination processing unit 22c inquires the payment information management device 32 about the payment status of the payment number paid out by the payment system in the parameter information 103 (step S242). When the payment information management device 32 receives an inquiry about the payment status of the fee from the fee payment status examination processing unit 22c of the service use qualification examination device 20, the payment information management device 32 searches for the payment status of the fee for the settlement number and finds the result. It transmits to the service use qualification examination device 20.

  Upon receiving the inquiry result from the settlement information management device 32, the fee payment status examination processing unit 22c determines whether or not the fee for the settlement number has been paid (step S243). As a result of the determination, if the fee has been paid (Yes in step S243), it is determined that the service use request 100 is valid (step S244), and the process returns to the flowchart of FIG. On the other hand, if the fee has not been paid (No in step S243), the service use request 100 is determined to be invalid (step S245), and the process returns to the flowchart of FIG.

  The key quality review processing unit 22d uses the parameter information 103 of the service use request 100 to perform a quality review process on the public key for registering the requester. Specifically, in the case of a service that issues a public key certificate, a method of specifying public key information that is a target of a public key certificate issued as parameter information 103 is generally used. The service usage request 100 is verified by verifying whether the quality is sufficient when judged from a scientific point of view, and whether it is duplicated with the public key information targeted by a public key certificate issued in the past. Review for gender.

  An example of execution of the examination process of FIG. 5 by the key quality examination processing unit will be described with reference to the flowchart of FIG. The key quality examination processing unit 22d receives the service use request 100 as an input from the examination method specifying unit 24, and acquires the parameter information 103 from the request (step S261). Next, the key quality examination processing unit 22d performs quality inspection on the public key to be issued in the parameter information 103 (step S262). As described above, this quality inspection determines the expiration date of the public key from a cryptographic point of view, or determines whether the same public key has already been registered.

  As a result, if the quality of the public key is sufficient (Yes in step S263), the service use request 100 is considered valid (step S264), and the process returns to the flowchart of FIG. On the other hand, if the quality of the public key is not sufficient (No in step S263), the service use request 100 is determined to be invalid (step S265), and the process returns to the flowchart of FIG.

  Here, in FIG. 7, the requester makes a request to the service use request 100 as shown in FIG. 3, “Requester name 101,“ Public key certificate A / issued service ”as the service name 102, necessary parameter information 103 An outline of the flow of processing when the signature information 104 is input and transmitted from the requester's terminal 10 to the service use qualification examination apparatus 20 will be described.

  When receiving the service usage request 100 from the terminal 10, the request acceptance processing unit 21 of the service usage qualification screening device 20 extracts the service name “public key certificate A / issued service” from the request 10 and sends it to the screening method identification unit 24. hand over. The examination method specifying unit 24 selects “authentication domain examination, subject person” as the examination processing unit designation list 132 corresponding to the service name “public key certificate A / issued service” from the examination method assignment information 130 of the examination method assignment information storage unit 23. "Name examination, fee payment status examination". Therefore, the examination method specifying unit 24 instructs to execute processing one by one in the order of “authentication domain examination processing unit 22a” → “subject name examination processing unit 22b” → “fee payment status examination processing unit 22c”. put out. However, if any of the examination processing units 22a to 22c determines that the service use request 100 is invalid, the examination processing units 22a to 22c terminate the process. The contents of these examinations are performed based on the flowcharts of FIGS. 5 and 8 to 10 described above, and detailed description thereof is omitted.

  Note that the examination processing units 22A to 22X in the service use qualification examination apparatus 20 can be arbitrarily adapted to a service for examining the use qualification using the service use qualification examination apparatus 20, and an editing process (not shown). An examination processing unit for carrying out examination items required by a new service can be created by means and implemented in the service use qualification examination apparatus 20. Moreover, it is also possible to change the functions of the examination processing units 22A to 22X by the editing processing means. Furthermore, as described above, the service name 131 and the examination processing unit designation list 132 in the examination method assignment information 130 can be changed by the editing processing means.

  In the above description using FIG. 6, the examination processing units 22a to 22d perform examination processing based on the PKI function. However, the examination processing units 22a to 22d are not limited to this, but based on other methods such as an access control method. It can also be applied to the screening process. Furthermore, in the above description, the case where the target of the service requested by the service use request is an authentication service is exemplified. However, the present invention is not limited to this, for example, a service for browsing user information, The present invention can also be applied to services that provide information and software over a network, such as software download services.

  As described above, in the service use qualification screening device 20 described above, it is desirable to share an input / output interface so that various screening processing units 22A to 22X can be dynamically added and switched. Specifically, the service use request 100 is given as an input to each of the examination processing units 22A to 22X, and information indicating whether the service use request 100 is valid as the output of the examination processing units 22A to 22X. By using (for example, a truth value), the input / output interface can be shared.

  Also, implementation as a server program for inter-process communication, implementation with distributed objects such as Java (registered trademark) RMI (Remote Method Invocation), CORBA (Common Object Request Broker Architecture), implementation with Java (registered trademark) Servlet, etc. Implementation of the processing functions of the examination processing units 22A to 22X can be realized by using a general-purpose mounting method that enables dynamic addition and switching of processing logic that is widely spread. As described above, various examination processing units 22A to 22X can be dynamically added to or switched from the service use qualification examination apparatus 20.

  According to this embodiment, an examination processing section is provided for each examination item for the examination method of service provision qualification, which has extremely diverse contents depending on the contents of the service and the operation requirements of the introduction destination, and further, examination processing is performed on the service name. Since the departments are associated with each other and the examination processing departments conduct examinations in order, it is possible to respond to examinations of various service provisioning qualifications without relying on human resources, and automatically provide authentication services. Has the effect of being able to. In addition, even in the examination of the qualifications for providing various services, if the requester has a public key certificate authenticated by a basic certification body, the request is promptly executed without using human resources. It also has the effect that it can be done. As a result, public key generation, public key certificate preparation (or acquisition), and maintenance management are easier for the user than before, and an environment that is easier to use can be provided.

  As described above, the service use qualification examination apparatus according to the present invention is useful when providing information and software via a network, and in particular, using a highly reliable public key certificate, It is suitable for providing authentication services such as issuing other public key certificates.

It is a figure which shows an example of a structure of the network system with which the service utilization qualification examination apparatus by this invention is applied. It is a block diagram which shows typically the function structure of the service utilization qualification examination apparatus by this invention. It is a figure which shows an example of the data structure of the service use request for performing the request | requirement of an authentication service. It is a figure which shows an example of a structure of examination method allocation information. It is a flowchart which shows the operation | movement processing procedure of a service use qualification examination apparatus. It is a block diagram which shows typically the specific structural example of a service use qualification examination apparatus. FIG. 7 is a diagram schematically illustrating an example of a network configuration to which the service use qualification examination apparatus of FIG. 6 is applied. It is a flowchart which shows an example of the examination process of an authentication domain examination process part. It is a flowchart which shows an example of the examination process of a subject name examination process part. It is a flowchart which shows an example of the examination process of a fee payment status examination process part. It is a flowchart which shows an example of the screening process of a key quality screening process part.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Terminal 20, 20A Service use qualification examination device 21 Request reception processing part 22A-22X Examination processing part 22a Authentication domain examination processing part 22b Subject name examination processing part 22c Fee payment situation examination processing part 22d Key quality examination processing part 23 Examination method Allocation information storage unit 24 Examination method identification unit 30 User information management device 31 Basic certification authority authentication device 32 Settlement information management device 40 Network

Claims (5)

Service use connected to a network having a requester's terminal requesting provision of a service available via the network and including a service name of the service from the requester's terminal and information necessary for receiving the service A service use qualification screening device that performs screening processing according to requirements,
Examination item storage means for storing examination items necessary for the service in association with services that can be examined by the service use qualification examination device, together with the order of examination of the examination items;
An examination processing means is provided for each examination item, and executes an examination process corresponding to the examination item;
When the service use request is received from the requester's terminal, the examination item storage means is referred to obtain the examination items necessary for the service designated in the service use request and the order of examination of the examination items. A means for obtaining examination items,
For each of the examination processing means corresponding to the examination items acquired by the examination item acquisition means, the examination processing is executed according to the order acquired by the examination item acquisition means, and the examination processing by the examination processing means is executed. Determining whether or not the service use request is valid every time, and when determining that the service use request is valid, the examination processing corresponding to the examination items designated in the next order in the order means to execute the examination process, if it is determined not valid, e Bei and examination execution means for terminating the examination process in accordance the service request,
The service use request includes signature information including a digital signature relating to the content of the service use request and a public key certificate in which the requester is previously authenticated from a predetermined certification authority,
Is it possible to verify the integrity of the entire service use request using the digital signature in the signature information as the examination processing means and construct an authentication path up to a predetermined trust point using the public key certificate? Whether or not the public key certificate is selected from list information of basic certification bodies having different degrees of reliability according to the type of service, corresponding to the service name included in the service use request. Characterized by comprising authentication domain examination processing means for judging whether or not the service use request is legitimate by verifying whether or not the basic certification authority in the selected list information is reached. Service usage qualification screening device. The service use request includes parameter information including parameters required in the examination corresponding to the service name,
The service use qualification examination apparatus according to claim 1 , wherein the examination processing unit determines whether or not the service use request is valid based on a predetermined examination condition using the parameter information. 3. The method according to claim 1, further comprising an editing processing unit that creates a screening processing unit corresponding to a new screening item, and edits information stored in the screening item storage unit according to a service content. The service usage qualification screening device described. A service usage qualification examination apparatus connected via a network to a requester's terminal that requests provision of a service that can be used via a network performs a service examination process according to a request from the requester's terminal. A qualification screening method,
A first step of receiving a service use request including a service name of the service requested by the requester and information necessary for receiving the service;
Referencing examination item storage means for storing examination items necessary for the service in association with a service that can be examined by the service use qualification examination device together with the order of examination of the examination items, and received in the first step A second step of obtaining the examination items necessary for the service designated by the service use request and the order of examining the examination items;
For each examination processing means that is provided for each examination item and executes examination processing corresponding to the examination item and corresponds to the examination item acquired in the second step, the second step The examination process is executed in accordance with the order acquired in step (b), and each time the examination process by the examination processing unit is executed, it is determined whether or not the service use request is valid, and the service use request is valid. If it is determined that there is a request, the screening processing means corresponding to the screening items designated in the next order in the order is caused to execute the screening process. look including a third step of the end,
The service use request includes signature information including a digital signature relating to the content of the service use request and a public key certificate in which the requester is previously authenticated from a predetermined certification authority,
In the third step, the integrity of the entire service use request is verified using the digital signature in the signature information as an examination item, and an authentication pass up to a predetermined trust point using the public key certificate Selecting the list information corresponding to the service name included in the service use request from the list information of the basic certification body having a different degree of reliability depending on the type of service. Including a process of determining whether the service use request is valid by verifying whether or not the public key certificate reaches the basic certification authority in the selected list information. A service usage qualification screening method. The service use request includes parameter information including parameters required in the examination corresponding to the service name,
The said 3rd process WHEREIN: The process which determines the propriety of the said service utilization request | requirement based on predetermined | prescribed examination conditions using the said parameter information is included in the examination matter, The claim 4 characterized by the above-mentioned. Service usage qualification screening method.

Images