JP5317629B2 - Information management apparatus, information processing system, information management method, and information management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information management device for, when user information held by a certain company is used by another company, issuing an access token to limit the destination receiving the user information. <P>SOLUTION: The information management device communicates with terminal equipment used by a user and an information utilization device which utilizes the user information, and manages the user information. A storage means stores an information utilization device identifier for specifying the information utilization device and random numbers in association with each other.A connection means connects the random numbers stored in the storage means with authentication information to be used for authentication of the user.A hash value calculation means calculates a hash value by a hash function from a code connected by the connection means.An access token issuing means issues the hash value calculated by the hash value calculation means to the terminal equipment as an access token for accessing the user information. <P>COPYRIGHT: (C)2010,JPO&amp;INPIT

Description

  The present invention is capable of communicating with a terminal device used by a user and an information utilization device that utilizes user information that is information about the user, an information management device that manages the user information, an information processing system, The present invention relates to an information management method and an information management program.

When a user wants to use multiple services published on a portal site, etc., it is necessary to obtain an ID (account) at each portal site and manually input necessary user information individually. is there.
It is complicated for the user to input attribute information (user information) of the user having the same content. As a result, service use is not promoted without registration. Therefore, a method for skillfully managing and utilizing user information is required.

  For example, as shown in FIG. 25, when a user 2539 intends to use the service provided by the portal site Y2521 and the portal site X2522 using the terminal device 2530, the user 2539 uses the service of the portal site X2522. ID registration is required (step S2501). For this purpose, an operation indicating that registration is desired is performed on the portal site X2522 (step S2502-X), and further, name, address, age, date of birth are performed. Etc. to input ID registration (step S2503-X). The same thing needs to be done for the portal site Y2521 (step S2502-Y, step S2503-Y). As described above, the attribute information having the same contents must be input for each portal site and the ID must be registered, which is complicated for the user and may stop the registration.

  As a technology related to this, for example, Patent Document 1 discloses an information management system for managing information (user information) related to a user. When the password issuance request including the expiration date is received, a password having the expiration date is generated and transmitted to the mobile terminal. When the user identification information and the password are received from the communication device, the password is correctly within the expiration date. In some cases, an information management system that accesses and acquires user information of a user identified by user identification information is disclosed. That is, a mechanism is disclosed in which user information (attribute information) held by a communication carrier is sent to the sales company when the user applies for the service of the sales company.

In Non-Patent Documents 1, 2, and 3, as a Liberty ID-WSF model, user information registered in a server is directly exchanged between service providers, thereby saving user service registration and labor. Or what is intended to personalize services. Specifically, the user authenticates with an IdP (Identity Provider) through single sign-on (SSO, Single Sign-On), then logs in to an SP (Service Provider, service provider), and then AP (Attribute Provider). Necessary user information (attribute information) can be sent from the personal attribute provider) to the SP.
For example, as shown in FIG. 26, the authentication system 2615 registers the personal attribute providing system 2610 that provides the Web service and the disclosure target in the registry 2617 (step S2600). Then, using the terminal device 2630, the user 2639 performs single sign-on to the service system 2620 and requests the service start (step S2601). The service system 2620 makes a search request for access to user information to the discovery service 2616 of the authentication system 2615 (step S2602). The discovery service 2616 sends access request information to user information as a search result to the service system 2620 (step S2603). The service system 2620 requests user information from the personal attribute providing system 2610 (step S2604). The interaction service 2611 of the personal attribute providing system 2610 obtains permission (consent) for providing user information to the service system 2620 from the user 2639 of the terminal device 2630 (step S2605). The personal attribute providing system 2610 provides user information such as name, address, bank account number, and credit card number stored in the user information DB 2612 to the service system 2620 (step S2606). Then, the service system 2620 provides a service to the user 2639 of the terminal device 2630 (step S2607).

  Further, the exchange of user information (attribute information) based on single sign-on is also disclosed. That is, user information is exchanged between sites having a trust relationship under SSO. This is a case where the above-mentioned Liberty ID-WSF model is degenerated, and IdP and AP are the same user management business operator. For example, as shown in FIG. 27, the service system 2710 registers user ID information. For example, user01 is registered as the ID information of user A (step S2701-A). Similarly, the attribute management system 2720 registers user ID information. For example, userA is registered as ID information of user A (step S2701-B). The service system 2710 and the attribute management system 2720 establish a trust relationship in advance (step S2702). Next, the user information of the service system 2710 and the attribute management system 2720 is associated (linked). For example, user01 and userA are associated with each other to indicate the same user A (step S2703). When the service system 2710 wants to use the user information of the attribute management system 2720, the user information of the user A is provided based on the relationship of trust between the service system 2710 and the attribute management system 2720 and the user ID. (Step S2704).

Non-Patent Document 4 discloses provisional registration of Mobile Suica (registered trademark). In this method, information that takes time and effort is required to be temporarily registered with a PC (Personal Computer) or the like, and linked to a mobile phone later. For example, as shown in FIG. 28, the user 2839 performs ID registration in order to use the service of the portal site Y2821 (step S2801). For this purpose, first, the user 2839 performs provisional registration for the portal site Y2821 in advance using the PC 2831 (step S2802). For example, name, address, age, date of birth, etc. are entered. Then, the portal site Y2821 transmits temporary registration information (temporary password or the like) to the PC2831 (step S2803). The user 2839 uses the mobile phone 2832 to access the portal site Y2821 with the provisional registration information (authenticated by entering a temporary password), and performs the main registration (step S2804).
In this case, the user information related to the user 2839 is generally already managed by the attribute manager X system 2841. For example, the user information of the user 2839 is registered and managed in the mobile phone operator system corresponding to the attribute management company X system 2841 when the mobile phone 2832 is purchased.
Japanese Patent No. 3949384 Liberty Alliance, [Search August 7, 2008], Internet <URL: http://www.projectliberty.org/> Liberty Alliance, [Search August 7, 2008], Internet <URL: http://www.projectliberty.org/liberty/resource_center/specifications/liberty_alliance_id_wsf_2_0_specifications_including_errata_v1_0_updates> OASIS, [Search August 7, 2008], Internet <URL: http://www.oasis-open.org/specs/#samlv2.0> East Japan Railway Company, [Search August 7, 2008], Internet <URL: https://www.mobilesuica.com/ka/en/TypeSelect.aspx?returnId=SFRCMMEPC03>

However, such conventional techniques have the following problems.
The technique disclosed in Patent Document 1 has the following three problems.
<Problem 1>
There is a possibility that highly confidential information such as user information may be leaked to a third party not intended by the user.
(Reason) If the user ID and password required to obtain the user information are leaked to an unintended third party of the user who owns the user information, the user is assumed to be a legitimate user. This is because information can be accessed. The technique disclosed in Patent Literature 1 assumes a dedicated line connection between a so-called information management device and an information utilization device, but considering application in a wide-area network environment, the user ID and password are leaked. There is plenty of danger to do.

<Problem 2>
There is a possibility that the user information may be leaked to an operator other than the operator for which the user intends to send user information.
(Reason) If the user ID and password required to obtain the user information are leaked to another business other than the correct business to which the user information is sent, the business will be included in the user information. This is because it can be accessed.

<Problem 3>
The privacy of registered users may not be protected.
(Reason) This is because the user ID for managing or using the user information is sent to the operator as it is. Since the user ID is one of highly confidential information used for accessing the user information of the user, the user information is leaked by sending the user ID as it is to the business operator. Risk increases.

The technologies disclosed in Non-Patent Documents 1, 2, and 3 have the following two problems.
<Problem 4>
It is impossible for a user to make use of user information managed by a management company by a service provider in the judgment of the user.
(Reason) This is because in order to share user information, it is necessary to establish a trust relationship between the user information management company and the business operator. Further, the manager and the business operator cannot communicate because they do not know necessary information such as their access destinations (such as URL).

<Problem 5>
There are many pre-processing for the operator to use the user information managed by the manager, which is complicated and inconvenient.
(Reason) The user needs to register an ID (account) in advance in each of the management company and the service company. In addition, it is assumed that each ID is linked (linked) and single sign-on is performed.

The technique disclosed in Non-Patent Document 4 has the following problems.
<Problem 6>
User information that has already been managed cannot be used or used.

  That is, the user of the first business operator (mobile phone business operator) system (attribute management company X system 2841 in the example shown in FIG. 28) is the second business operator (portal site business operator) system (FIG. 28). In the example shown in the above, when performing ID registration on the portal site Y2821), it is necessary to register IDs independently for both operators, and the users of the users owned by the first operator The information cannot be used by the second operator.

  The present invention has been made paying attention to such problems of the prior art, and in the case where the information of a user possessed by a certain business is used by another business, the user information It is an object of the present invention to provide an information management device, an information processing system, an information management method, and an information management program that can transmit and receive data safely.

The gist of the present invention for achieving the object lies in the inventions of the following items.
[1] An information management device that can communicate with a terminal device used by a user and an information utilization device that utilizes user information, which is information about the user, and manages the user information, the terminal A permission request receiving means for receiving an access permission request for sending the user information to the information utilization device from the device, and specifying the information utilization device in a first access code corresponding to the access permission request A first linking unit for linking an information utilization apparatus identifier and a random number; a first hash value calculating unit for calculating a hash value from a code linked by the first linking unit by a hash function; An access token issuing means for issuing a hash value calculated by a hash value calculating means as an access token for accessing the user information; Storage means for associating and storing the access token, a user identifier for identifying the user, and a random number subjected to processing by the first hash value calculation means, the access token, and the information Based on the access token received by the access token receiving means, the access token receiving means for receiving the information utilizing apparatus identifier of the utilizing apparatus from the information utilizing apparatus, the second access code and the storage means stored in the storage means Connected by the second connecting means, an acquiring means for acquiring a random number, a second connecting means for connecting the received information utilization apparatus identifier to the random number acquired by the acquiring means and the second access code, and the second connecting means Second hash value calculation means for calculating a hash value from the generated code by a hash function, and the access token reception When the access token received by the means matches the hash value calculated by the second hash value calculation means, the user token associated with the access token in the storage means is indicated. Determination means for determining that the user's access request to the user information is legitimate, and the access permission request received by the permission request receiving means is a first access code, an information utilization device The acquisition means includes a random number stored in the storage means based on the first access code input to the terminal device by the user and the access token received by the access token receiving means. An information management device characterized in that

[2] The acquisition unit acquires the second access code from the terminal device based on an operation of the user with respect to the terminal device, and the second connection unit is acquired from the terminal device. The information management apparatus according to [1], wherein the second access code is used.

[3] The acquisition unit acquires the second access code from a terminal device of a second user who is another user designated by the user, and the second connection unit includes the second access code . Using the second access code acquired from the user's terminal device , the access token receiving means sends an access permission request for the user information of the user via the second user's terminal device. Received from the information utilization device, issued by the information management device to the terminal device of the second user, and used by the information utilization device from the terminal device of the second user. The access token of the user and the information utilization device identifier, and the acquisition means includes the access code of the user input by the second user to the terminal device of the second user, and the access token reception means. By Based on the received access token, the random number stored in the storage means is obtained, and the user designated to share the user information of the user with the second user. The information management apparatus according to [1] , wherein the information management apparatus stores the second user as an information sharer of the user in association with the second user .

[4] The storage means further stores the first access code connected by the first connecting means in association with the access token, and the acquisition means is received by the access token receiving means The first access code associated with the access token is acquired from the storage means, and the second connecting means is configured to add the random number and the information utilization device to the first access code acquired from the storage means. The information management apparatus according to [1], wherein identifiers are concatenated.

  [5] The apparatus further comprises user identifier acquisition means for acquiring a user identifier for identifying a user and an information utilization apparatus identifier from the terminal apparatus based on an operation of the user with respect to the terminal apparatus, and the storage means The information management apparatus according to any one of [1] to [4], further storing the user identifier acquired by the user identifier acquisition unit.

  [6] User information transmission means for transmitting the user information to the information utilization device when the access request is determined to be legitimate by the determination means [1] to The information management device according to any one of [5].

  [7] When the access request is determined to be legitimate by the determination means, the terminal device used by the user indicated by the user identifier associated with the access token in the storage means; The information processing apparatus further includes a transmission permission acquisition unit that obtains permission for transmission of user information to the information utilization apparatus by communication, and the user information transmission unit determines that the access request is valid by the determination unit. The information management device according to [6], wherein the user information is transmitted to the information utilization device when permission to transmit the user information is obtained by the transmission permission acquisition unit. .

  [8] The transmission permission acquisition means requests the terminal device to transmit a user identifier, and obtains a user identifier obtained by the request and a user identifier associated with the received access token. And the information management apparatus according to [7], wherein it is determined that permission to transmit user information to the information utilization apparatus has been obtained.

  [9] The first connecting unit connects a random number and identifier information, and the storage unit further associates the identifier information input to the hash function of the first hash value calculating unit with the access token. Any one of [1] to [8], wherein the second connection unit stores identifier information associated with the received access token from the storage unit and connects the identifier information to the random number. The information management device according to claim 1.

  [10] The apparatus further includes an encryption unit for encrypting the user information, and the user information transmission unit transmits the user information encrypted by the encryption unit [6] ] The information management apparatus as described in any one of [8].

[11] An information processing system in which an information management device that manages user information that is information about a user of a terminal device and an information utilization device that utilizes the user information are connected to be communicable, the information The management device includes a permission request receiving unit that receives an access permission request for sending the user information to the information utilization device from the terminal device, and a first access code corresponding to the access permission request. A first linking unit for linking an information utilization device identifier for identifying an information utilization device and a random number; and a first hash value calculating unit for calculating a hash value by a hash function from the codes linked by the first linking unit. And issuing the hash value calculated by the first hash value calculation means as an access token for accessing the user information An access token issuing means, a storage means for storing the access token, a user identifier for identifying the user, and a random number subjected to processing by the first hash value calculating means in association with each other; An access token receiving means for receiving the access token and an information utilization apparatus identifier of the information utilization apparatus from the information utilization apparatus; a second access code based on the access token received by the access token reception means; Acquisition means for acquiring a random number stored in the storage means; second connection means for connecting the received information utilization apparatus identifier to the random number acquired by the acquisition means and the second access code; Second hash value calculation for calculating a hash value by a hash function from codes connected by the second connecting means And the access token received by the access token receiving means and the hash value calculated by the second hash value calculating means are matched and matched with the access token in the storage means Determination means for determining that the access request to the user information of the user indicated by the user identifier is legitimate, and the access permission request received by the permission request receiving means is a first The access means includes an information utilization device identifier, and the acquisition means is based on the first access code input to the terminal device by the user and the access token received by the access token receiving means. get the stored random number in the storage unit, the information utilization device receives an access token access A token receiving means, an access token received by the access token receiving means, an information utilization device identifier for identifying the device itself, an access token transmitting means for transmitting to the information management device, and the access token corresponding to the access token An information processing system comprising: receiving means for receiving user information of the user transmitted from an information management device.

  [12] The information management device further includes encryption means for encrypting the user information, and the user information transmission means of the information management device is the user information encrypted by the encryption means. The information processing system according to [11], further comprising a decrypting unit that decrypts the encrypted user information received by the receiving unit.

[13] An information management method that is communicable with a terminal device used by a user and an information utilization device that utilizes user information that is information about the user, and is performed by an information management device that manages the user information. A permission request receiving step for receiving an access permission request for sending the user information to the information utilization device from the terminal device, and the information in a first access code corresponding to the access permission request. A first concatenation step of concatenating an information utilization device identifier for identifying a utilization device and a random number; a first hash value calculation step of calculating a hash value by a hash function from the codes concatenated in the first concatenation step; An access token for accessing the user information using the hash value calculated in the first hash value calculation step; And storing the access token issuing step, the access token, the user identifier for specifying the user, and the random number subjected to the processing in the first hash value calculating step in association with each other in the storage means Based on the storage step for storing, the access token, the information utilization device identifier of the information utilization device, the access token reception step for receiving the information utilization device identifier from the information utilization device, and the access token received in the access token reception step, An obtaining step for obtaining a second access code and a random number stored in the storage means; and a second for linking the received information utilization device identifier to the random number obtained in the obtaining step and the second access code . And the code concatenated in the second connecting step. A second hash value calculating step for calculating a hash value using a hash function, and the access token received in the access token receiving step and the hash value calculated in the second hash value calculating step are collated to match. If, have a, a determination step of determining that those access requests that a regular to the user information of the user indicated by the user identifier associated with the access token in said storing step, said The access permission request received in the permission request receiving step includes a first access code and an information utilization device identifier. In the obtaining step, the first access code input to the terminal device by the user, and In the access token received in the access token reception step Zui, the information management method and obtaining the stored random number in the storage means.

[14] An information management device that is communicable with a terminal device used by a user and an information utilization device that utilizes user information, which is information about the user, and includes a storage device, from the terminal device, Permission request receiving means for receiving an access permission request for sending the user information to the information utilization device; and an information utilization device for identifying the information utilization device in a first access code corresponding to the access permission request. A first connecting means for connecting the identifier and the random number; a first hash value calculating means for calculating a hash value from a code connected by the first connecting means by a hash function; and the first hash value calculation. An access token issuing means for issuing a hash value calculated by the means as an access token for accessing the user information; A storage control means for controlling the access token, a user identifier for identifying the user, and a random number subjected to processing by the first hash value calculation means to be associated with each other and stored in the storage device; An access token receiving means for receiving the access token and an information utilization apparatus identifier of the information utilization apparatus from the information utilization apparatus, and a second access code based on the access token received by the access token reception means And an acquisition means for acquiring the random number stored in the storage device; a second connection means for connecting the received information utilization apparatus identifier to the random number acquired by the acquisition means and the second access code; Second hash value calculation means for calculating a hash value by a hash function from the codes connected by the second connection means If the matching by matching the hash value calculated by the received access token the second hash value calculation unit by the access token receiving means, associated with the result the access token the storage control means The access request to the user information of the user indicated by the user identifier is made to function as a determination unit that determines that it is legitimate , and the first access is received as the access permission request received by the permission request receiving unit. The storage device based on the first access code input to the terminal device by the user and the access token received by the access token receiving unit. An information management program for acquiring random numbers stored in

The present invention operates as follows.
The permission request receiving means receives an access permission request from the information utilization apparatus for user information from the terminal apparatus, and the first connection means is information for identifying the information utilization apparatus in an access code corresponding to the permission request. The utilization device identifier and the random number are concatenated, the first hash value calculation means calculates a hash value from a code concatenated by the first connection means by a hash function, and the access token issuing means is the first token The hash value calculated by the hash value calculating means is issued as an access token for accessing the user information, and the storage means is the access token, a user identifier for identifying the user, and the first The hash value calculating means stores the random number that is the object of processing in association with each other, and the access token receiving means stores the access token. And the information utilization apparatus identifier of the information utilization apparatus from the information utilization apparatus, and the acquisition means stores the access code and the storage means based on the access token received by the access token reception means And the second concatenation unit concatenates the received information utilization device identifier to the random number and the access code acquired by the acquisition unit, and the second hash value calculation unit includes the second hash value calculation unit. The hash value is calculated by a hash function from the codes connected by the connecting means, and the judging means calculates the access token received by the access token receiving means and the hash value calculated by the second hash value calculating means. If they match and match, the user identification associated with the access token in the storage means In the user's determining that the user is a proper one requests for access to information illustrated.

  Thereby, even if the user information is not registered in advance for each system of the business operator, the user information registered in the system of one business operator can be used in the system of another business operator. In addition, since the user identifier is not sent / received directly on the network in order to send the user information to the system of another business operator, it is possible to prevent leakage of the user information to a third party, and security. Can provide a robust system.

  In the information utilizing apparatus, the access token receiving means receives the access token, and the access token transmitting means receives the access token received by the access token receiving means and an information utilizing apparatus identifier that identifies the apparatus. The information is transmitted to the management device, and the receiving means receives the user information of the user transmitted from the information management device corresponding to the access token. As a result, the user can utilize the user information registered in the information management apparatus even in the information utilization apparatus without inputting the user information in the information utilization apparatus. The user information is the same for the information utilization device and the information management device. Further, since the user identifier is not directly used for transmitting user information to the information utilization apparatus, privacy can be protected, information leakage can be prevented, and a system with high security can be provided.

  According to the information management apparatus, the information processing system, the information management method, and the information management program according to the present invention, even if the user information is not registered in advance for each business operator system, Registered user information can also be used in the systems of other companies. In addition, the user identifier is not sent or received directly over the network to send the user information to the system of another operator, thus preventing leakage of the user information to a third party that the user does not intend. Can provide a system with strong security. This saves the user the trouble of registering user information for starting service use for each business operator's system, further improving convenience.

Hereinafter, examples of various preferred embodiments for realizing the present invention will be described with reference to the drawings.
FIG. 1 is an explanatory diagram showing an example of a system configuration for realizing the embodiment of the present invention.
The information management apparatus 110, the information utilization apparatus 120, and the terminal apparatus 130 are connected via a communication network 140 and can communicate with each other. In addition, each device establishes a secure communication path such as SSL (Secure Socket Layer) / TLS (Transport Layer Security) as necessary, and unauthorized interception or interception of communication contents by a third party other than the communication partner. Can be prevented.

  User information is already registered in the information management apparatus 110, and is managed by a communication carrier, for example. The information utilization device 120 provides a service to the user 139 of the terminal device 130, and user registration of the user 139 is required to provide the service. For example, it is managed by a service provider.

  Hereinafter, a mobile phone will be mainly exemplified and described as the terminal device 130. The terminal device 130 may be any device that can perform data communication with the information management device 110 and the information utilization device 120. In addition to the mobile phone, the terminal device 130 may be a personal handy phone system (PHS), a fixed phone, a communicable PC (Personal Computer), It can also be applied to game machines, portable information terminals, information appliances, and the like. In the information processing system according to the present invention, the convenience of the user is enhanced in a terminal device that has a small number of keys (or is small) and is difficult to perform an input operation, such as a mobile phone.

FIG. 2 is an explanatory diagram showing an outline of a processing example according to the embodiment of the present invention.
User information (for example, personal attributes such as address, name, etc.) already managed by a certain operator when a user uses various services or registers a transaction or ID (identifier). Information) is securely sent to a different operator (second operator), so that the second operator can use or utilize the user information. Here, user information refers to personal information specified by the Act on the Protection of Personal Information (information about living individuals, including the name, date of birth, and other descriptions included in the information. (Including information that can be easily compared with other information and thereby can identify a specific individual), as long as it is information about the user Good.

  The portal site X221 and the portal site Y222 correspond to the information utilization device 120, the subscriber management device 210 corresponds to the information management device 110, and the terminal device 230 corresponds to the terminal device 130. That is, the user information of the user 239 is already registered in the subscriber management apparatus 210, and when the user 239 performs user registration in the portal site X221 or the portal site Y222, the user information is registered in the subscriber management apparatus 210. It is intended to use registered user information. More specifically, the subscriber management device 210 is managed by a communication carrier, and user information is already stored in the subscriber management device 210 when the mobile phone of the terminal device 230 is used. The user information is used by the portal site X221 and the portal site Y222 managed by another business operator.

In step S21, the user 239 uses the terminal device 230 to request the portal site Y222 for user registration.
In step S22, the portal site Y222 prompts the terminal device 230 to input user information.

In step S23, the user 239 uses the terminal device 230 to transmit the user information stored (registered) in the subscriber management device 210 to the portal site Y222 to the subscriber management device 210. Request. More specifically, an access token, which will be described later, is acquired from the subscriber management apparatus 210, and the access token is transmitted to the portal site Y222.
In step S24, the subscriber management apparatus 210 transmits user information to the portal site Y222.
In step S25, the portal site Y222 performs user registration of the user 239 based on the user information received from the subscriber management apparatus 210.

[First Embodiment]
Hereinafter, the first embodiment will be described. FIG. 3 is a conceptual module configuration diagram in the information management apparatus 110 according to the first embodiment.
The module generally refers to a component such as software or hardware that can be logically separated. Therefore, the module in the present embodiment indicates not only a module in a program but also a module in a hardware configuration. Therefore, the present embodiment also serves as an explanation of a program, a system, and a method. However, for the sake of explanation, the words “store”, “store”, and equivalent terms are used. However, when the embodiment is a program, these terms are controlled to be stored in the storage device. I mean. In addition, the modules correspond almost one-to-one with the functions. However, in mounting, one module may be composed of one program, or a plurality of modules may be composed of one program. A plurality of programs may be used. The plurality of modules may be executed by one computer, or one module may be executed by a plurality of computers in a distributed or parallel environment. Note that one module may include other modules. In the following, “connection” includes not only physical connection but also logical connection (data exchange, instruction, reference relationship between data, etc.).
Further, the system or apparatus includes a configuration in which a plurality of computers, hardware, devices, and the like are connected via a network and the like, and includes a case where the system or device is realized by a single computer, hardware, devices, and the like. The term “predetermined” is used in addition to a predetermined meaning, including the meaning according to the situation / state at that time or the situation / state until then.

  The information management apparatus 110 manages user information. As shown in the example of FIG. 3, the information management apparatus 110 includes an authentication module 111, a user information issue module 112, a user information storage module 113, an access token issue module 114, The access token verification module 115, the access token information storage module 116, and the information utilization apparatus information storage module 117 are provided. The authentication module 111, the user information issuing module 112, the access token issuing module 114, and the access token verification module 115 are connected to the terminal device 130 or the information utilization device 120 via the communication network 140.

  The authentication module 111 is connected to the user information storage module 113. The user (user) is authenticated by using an identifier unique to the user managed by the user information storage module 113 and credential information (information used for authentication such as a password) corresponding to the identifier.

  The user information issue module 112 is connected to the user information storage module 113. In response to a user information request from the information utilization apparatus 120, user information is acquired from the user information storage module 113 and returned.

  The user information storage module 113 is accessed from the authentication module 111 and the user information issue module 112. Stores information (user information such as personal attribute information) associated with the user. For example, as the data to be stored, there is a user information table 400 shown in the example of FIG. FIG. 4 is an explanatory diagram showing an example of the data structure of the user information table 400. The user information table 400 includes a user name column 410, an ID column 420, a PW column 430, an address column 440, a date of birth column 450, a gender column 460, a telephone number column 470, and an E-mail address column 480. Yes. The user name column 410 stores the name of the user. The ID column 420 stores an identifier that uniquely identifies the user. The PW column 430 stores a password that is credential information for using the information management apparatus 110. The address column 440 stores the address of the user. The birth date column 450 stores the birth date of the user. The gender column 460 stores the gender of the user. The telephone number column 470 stores the telephone number of the user. The E-mail address field 480 stores the user's e-mail address. In addition, you may make it memorize | store age, work place, etc. These data are collected in advance, for example, at the time of contracting a mobile phone as the terminal device 130.

  The access token issuing module 114 is connected to the access token information storage module 116 and the information utilization device information storage module 117. In order for the information utilization apparatus 120 to be able to access user information, a hash value created by concatenating a nonce (random number) that is a random number and a predetermined identifier and giving it to a predetermined hash function It is issued to the terminal device 130 of the user 139 as an access token for accessing the user information. That is, a nonce and a user access code and an information utilization device identifier are concatenated, a hash value is calculated by a hash function from the concatenated code, and the calculated hash value is used to access the user information. It is issued to the terminal device 130 as an access token. “Issuing” means creating an access token and making it valid, specifically, transmitting the created access token to the terminal device 130. This issuance definition is the same in the second embodiment or the third embodiment, and the first to third embodiments are used in the fifth embodiment or the sixth embodiment. The same applies to the parts.

  Further, the access token issuing module 114 receives an access permission request from the information utilization device 120 for user information from the terminal device 130, and specifies the information utilization device 120 in the access code corresponding to the permission request. An identifier and a nonce are concatenated (first concatenation), a hash value is calculated from the concatenated code by a hash function (first hash value calculation), and the calculated hash value is used to access user information The access token is issued as an access token, and the access token, the user identifier that identifies the user, and the nonce that is the processing target in the hash value calculation are associated with each other and stored in the access token information storage module 116.

FIG. 5 is an explanatory diagram illustrating an example of an access token issuing process performed by the access token issuing module 114.
The access token issuance module 114 inputs a nonce, an access code, and an information utilization device identifier connected to a predetermined hash function 520 (nonce + access code + information utilization device identifier 510) to create a hash value. , Access token 530. The access code is information unique to the user, and includes, for example, a PIN (Personal Identification Number) number, a password (PW column 430 of the user information table 400), and the like. The information utilization apparatus identifier is a code that can uniquely identify the information utilization apparatus 120. As the predetermined hash function, a known hash function (MD5, SHA1, etc.) may be used. The nonce may be a pseudo random number.
This access token can be used by a user other than the specified user, that is, a third party not intended by the user, handling the user information of the specified user or illegally using the user information. There is no such thing.

  Further, the access token issuing module 114 acquires the access code of the user 139 from the terminal device 130 based on the operation of the user 139 with respect to the terminal device 130, and concatenates the acquired access code and nonce to hash. A value may be calculated.

Further, the access token issuing module 114 presents information related to the information utilization device 120 stored in the information utilization device information storage module 117 to the terminal device 130 of the user 139, for example, and sends the user information destination. You may make it acquire (the information utilization apparatus 120 which transmits an access token to the information management apparatus 110). If the information utilization device information storage module 117 does not have information regarding the information utilization device 120 requested by the user 139, the user 139 may directly input information regarding the information utilization device 120 using the terminal device 130. Or may be acquired. At this time, the user 139 may confirm that the user information regarding the user 139 is to be used in the information utilization apparatus 120 and obtain an agreement. The information related to the information utilization device 120 includes, for example, an information utilization device identifier for uniquely identifying the information utilization device 120, and more specifically, the service provided by the information utilization device 120. It may be a URL of a homepage. Note that what is presented to the terminal device 130 of the user 139 may be the name (service name or the like) of the information utilization device 120.
Further, the access token issuing module 114 may acquire the user identifier and information utilization device identifier of the user 139 based on the operation of the user 139 with respect to the terminal device 130. Then, the acquired user identifier may be stored in the access token information storage module 116.

  The access token verification module 115 is connected to the access token information storage module 116 and the information utilization apparatus information storage module 117. The nonce and access code associated with the access token stored in the access token information storage module 116 are received from the access token and the information utilization device identifier included in the access request message to the user information from the information utilization device 120 Is included in the access request message by comparing and collating the hash value created by giving a predetermined hash function with the concatenation of the received information utilization device identifier and the access token included in the user information request. Verifies whether the access token is valid.

  That is, the access token verification module 115 acquires the access token for accessing the user information stored in the user information storage module 113 and the information utilization device identifier of the information utilization device 120 from the information utilization device 120, and Based on the acquired access token, the nonce stored in the access token information storage module 116 is acquired. Then, the acquired nonce, the access code of the user 139 and the information utilization apparatus identifier are concatenated, and a hash value is calculated by a hash function from the concatenated code. When the access token acquired from the information utilization device 120 and the calculated hash value are checked and matched, it is determined that the access request to the user information of the user 139 from the information utilization device 120 is legitimate. If the access request is determined to be legitimate, the user information of the user 139 is transmitted to the information utilization apparatus 120.

Further, the access token verification module 115 acquires the access code of the user 139 from the terminal device 130 based on the operation of the user 139 with respect to the terminal device 130, and concatenates the acquired access code and nonce to hash. A value may be calculated.
Further, the access token verification module 115 acquires the user identifier in the access request message from the information utilization apparatus 120 and stores it in the access token information storage module 116 based on the acquired information utilization apparatus identifier and user identifier. The acquired nonce may be acquired.
When the access token verification module 115 determines that the access request is valid, the access token verification module 115 transmits the user information of the user 139 to the information utilization device 120 to the terminal device 130 used by the user 139. Confirm that you want to. When the user 139 is confirmed (that is, when transmission is permitted), the user information of the user 139 is transmitted to the information utilization apparatus 120.

  Further, the access token verification module 115 receives the access token and the information utilization device identifier of the information utilization device 120 from the information utilization device 120, and based on the received access token, an access code and an access token information storage module The nonce stored in 116 is acquired, the acquired nonce and the access code and the received information utilization apparatus identifier are concatenated (second concatenation), and a hash value is calculated from the concatenated code by a hash function ( Second hash value calculation), and the received access token matches the hash value calculated by the second hash value calculation, the access token information storage module 116 associates the access token with the access token. User information indicated by the user identifier To the judges that the access is requested by the intended regular. When it is determined that the access request is legitimate, the user information is transmitted to the information utilization apparatus 120.

More specifically, when an access request to user information is made from the information utilization apparatus 120, the access token verification module 115 verifies as follows. FIG. 7 is a flowchart illustrating an example of access token verification processing. The access token verification module 115 performs processes other than step S716.
(1) Step S702 An access request message is received from the information utilization apparatus 120. An access token (request access token) and an information utilization apparatus identifier included in the access request message are acquired.
(2) Step S704 The user ID and nonce are acquired from the access token related information table 600 in the access token information storage module 116 using the access token (request access token) as a key. If the requested access token does not exist in the access token related information table 600, the process may move to step S714 and may be determined as an unauthorized access request.

(3) Step S706 The user 139 is prompted to input the access code of the user 139, and the access code is acquired.
(4) Step S708 A hash value (verification access token) is output as an input value obtained by concatenating the nonce, the acquired access code of the user 139, and the received information utilization apparatus identifier to a predetermined hash function. To do.
(5) Step S710 The verification access token and the request access token are compared and collated. If they are the same, it is determined that there is a possibility of a regular access request, and the process proceeds to Step S712. Proceed to

(6) Step S712 Furthermore, information related to the information utilization device 120 is presented to the terminal device 130 used by the user 139, and the user information of the user 139 is utilized in the information utilization device 120. Confirm that. If the user 139 agrees, the access request is regarded as a legitimate access request, and the process proceeds to step S716. Otherwise, the request is regarded as a false access request, and the process proceeds to step S714.
(7) Step S714 It is determined that the request is an unauthorized access, and the terminal device 130 of the user 139 is notified that there is such an access request. In addition, the information utilization apparatus 120 is replied to the effect that it cannot reply to the access request.
(8) Step S716 If the access request is a legitimate access request, the user information issuing module 112 uses the user identifier to extract the user information requested for access from the user information storage module 113, and the information utilization device. Send to 120.

  The access token information storage module 116 is accessed from the access token issuing module 114 and the access token verification module 115. The access token issued by the access token issuing module 114 is stored in association with the nonce necessary for generating the access token. Further, a nonce required for creating an access token issued by the access token issuing module 114 and a user identifier may be stored in association with each other. For example, as the data to be stored, there is an access token related information table 600 shown in the example of FIG. FIG. 6 is an explanatory diagram showing an example of the data structure of the access token related information table 600. The access token related information table 600 has an access token column 610, a user ID column 620, and a nonce column 630. The access token column 610 stores the generated access token. The user ID column 620 stores a user identifier. The nonce column 630 stores a nonce.

In other words, the access token verification module 115 uses the access token information storage module 116 in FIG. The access token related information table 600 as shown in the example of FIG.
The access token verification module 115 deletes the corresponding item from the access token related information table 600 when the access request from the information utilization device 120 is received and the verification of the access token and the transmission of the requested user information are completed. You may make it do.

  The information utilization apparatus information storage module 117 is accessed from the access token issuing module 114 and the access token verification module 115. In addition to the information utilization device identifier of the information utilization device 120 and the destination of the user information to the information utilization device 120, information related to the information utilization device 120 is managed.

FIG. 8 is a diagram illustrating a module configuration example in the information utilization apparatus 120 according to the first embodiment.
The information utilization apparatus 120 includes a user information request module 121, a service provision module 122, and a user information utilization module 123. Each module is connected to the information management device 110 or the terminal device 130 via the communication network 140.
The user information request module 121 receives an access token from the terminal device 130 and transmits the access token and the information utilization device identifier of the own device to the information management device 110. That is, user information is requested by presenting the access token and its own information utilization device identifier to the information management device 110.
The service providing module 122 provides information and services provided by the information utilization device 120 in response to a request from the terminal device 130.
The user information utilization module 123 receives the user information of the user 139 from the information management apparatus 110 corresponding to the access token transmitted by the user information request module 121. Then, the user information received from the information management apparatus 110 is passed to the service providing module 122 to utilize the user information.

FIG. 9 is a diagram illustrating a module configuration example in the terminal device 130 according to the first embodiment.
The terminal device 130 includes an input module 131, a user information request module 132, an output module 133, and a credential sending module 134. Each module is connected to the information management apparatus 110 or the information utilization apparatus 120 via the communication network 140.

  The input module 131 receives input from the user 139 to the terminal device 130. For example, as an operation input to the terminal device 130, input of credentials (information such as a password for the information management device 110 to authenticate the user 139), access code (the information management device 110 sends the user information to the information utilization device 120). When sending, there is an input of (used to confirm that the user is a predetermined user).

The user information request module 132 transmits a user information request message including an access token issued by the information management apparatus 110 to the information utilization apparatus 120. As a result, the information management apparatus 110 is requested to send user information from the information management apparatus 110 to the information utilization apparatus 120. In addition, a terminal device identifier that can identify the terminal device 130 is sent to the information management device 110.
The output module 133 displays the output on the display of the terminal device 130 or the like. For example, the user 139 is prompted to input credential information.
The credential sending module 134 receives the credential request from the information management apparatus 110, acquires the corresponding credential information, and sends the credential information to the information management apparatus 110. Note that the credential information may be acquired from another device.

  FIG. 10 is an explanatory diagram illustrating an example of user registration processing according to the first embodiment. That is, when the user 139 of the terminal device 130 performs user registration with the information utilization device 120, the information utilization device 120 acquires and uses the user information already stored in the information management device 110. The person 139 can omit the input of user information to the information utilization apparatus 120.

In step S <b> 1001, the terminal device 130 transmits a request for sending the user information of the user 139 to the information utilization device 120 to the information management device 110 in accordance with the operation of the user 139.
In step S <b> 1002, the information management apparatus 110 requests the terminal apparatus 130 to input a user identifier and a password for logging in to the information management apparatus 110.
In step S <b> 1003, the terminal device 130 sends the user identifier and password input by the user 139 to the information management device 110.

In step S1004, the information management apparatus 110 requests the terminal apparatus 130 to input the information utilization apparatus identifier and access code of the information utilization apparatus 120 that is the destination of user information.
In step S1005, the terminal apparatus 130 sends the information utilization apparatus identifier and access code of the information utilization apparatus 120 to the information management apparatus 110.
In step S1006, the information management apparatus 110 creates an access token. That is, a hash value is calculated for the access code of the user 139 received in step S1005, the information utilization apparatus identifier, and the nonce, and the user ID, nonce, and access token are stored in the access token information storage module 116. To do.

In step S1007, the information management apparatus 110 sends the access token created in step S1006 to the terminal apparatus 130.
In step S1008, the terminal apparatus 130 sends the access token received in step S1007 to the information utilization apparatus 120.
In step S1009, the information utilization apparatus 120 sends the access token received in step S1008 to the information management apparatus 110 as an access request message for user information. The information utilization device identifier of the information utilization device 120 is also sent together with the access token.

In step S1010, the information management apparatus 110 requests the terminal apparatus 130 to input an access code.
In step S <b> 1011, the terminal device 130 sends the access code input by the user 139 to the information management device 110.
In step S1012, the information management apparatus 110 verifies the access token received in step S1009 using the access code received in step S1011 and the information utilization apparatus identifier received in S1009. When requesting the input of the access code, the terminal device 130 is requested to input the user ID, and the user ID input in response to the request and the user ID corresponding to the received access token are If they match, it may be determined that transmission of user information is permitted.

In step S1013, the information management apparatus 110 sends the requested user information to the information utilization apparatus 120 if the result of the verification in step S1012 is a regular access request.
In step S1014, the information utilization apparatus 120 performs user registration of the user 139 using the user information received in step S1013.

  FIG. 11 is an explanatory diagram illustrating an example of a transmission process of merchandise shipping destination information according to the first embodiment. That is, in the case where the user 139 of the terminal device 130 purchases a product from the information utilization device 120 and requests delivery of the product, user information (for example, an address) already stored in the information management device 110 is requested. The information utilization apparatus 120 obtains the product distribution destination information), and the user 139 can omit the input of the user information to the information utilization apparatus 120.

In step S <b> 1101, the terminal device 130 accesses the information utilization device 120 for product purchase and the delivery service of the product according to the operation of the user 139.
In step S1102, the information utilization apparatus 120 requests user information from the terminal apparatus. For example, it requests input of an address or the like as a delivery destination when sending a product. At this time, the information utilization apparatus 120 sends the information utilization apparatus identifier including its own apparatus.
In step S1103, the terminal apparatus 130 requests the information management apparatus 110 to send user information to the information utilization apparatus 120. At this time, the terminal device 130 sends the information utilization device identifier received in step S1102.

In step S1104, the information management apparatus 110 requests the terminal apparatus 130 to input a user identifier and a password for logging in to the information management apparatus 110.
In step S <b> 1105, the terminal device 130 sends the user identifier and password input by the user 139 to the information management device 110.
In step S1106, the information management apparatus 110 requests the terminal apparatus 130 to input an access code.

In step S <b> 1107, the terminal apparatus 130 sends the access code input by the user 139 to the information management apparatus 110.
In step S1108, the information management apparatus 110 creates an access token. In other words, a hash value is calculated for the concatenation of the access code and nonce of the user 139 received in step S1107 and the information utilization apparatus identifier received in step S1103, and the access code and nonce are calculated as the access token information storage module 116. To store.
In step S1109, the information management apparatus 110 sends the access token created in step S1108 to the terminal apparatus 130.

In step S1110, the terminal apparatus 130 sends the access token received in step S1109 to the information utilization apparatus 120.
In step S1111, the information utilization apparatus 120 sends the access token received in step S1110 to the information management apparatus 110 as an access request message for user information. Also, the information utilization device identifier of the information utilization device 120, which is a part of the input value to the hash function, is sent together with the access token.
In step S1112, the information management apparatus 110 requests the terminal apparatus 130 to input an access code.

In step S <b> 1113, the terminal device 130 sends the access code input by the user 139 to the information management device 110.
In step S1114, the information management apparatus 110 verifies the access token received in step S1111 using the access code received in step S1113 and the information utilization apparatus identifier received in step S1111.
In step S1115, if the information management apparatus 110 is a legitimate access request as a result of the verification in step S1114, the information management apparatus 110 sends the requested user information to the information utilization apparatus 120.
In step S1116, the information utilization apparatus 120 sets the delivery destination of the product according to the user information received in step S1115. For example, the user information includes the address of the user 139, and the address is set as a delivery destination.
In step S1117, the information utilization apparatus 120 performs control so that the product is delivered to the delivery destination set in step S1116. Specifically, there is printing of a delivery slip. Then, the goods are actually delivered.

FIG. 12 is a flowchart illustrating a processing example according to the first exemplary embodiment.
In step S <b> 1201, the terminal device 130 accesses the service to the information utilization device 120 in accordance with the operation of the user 139. For example, there are the user registration shown in the example of FIG. 10, the product purchase service shown in the example of FIG.
In step S <b> 1202, the information utilization apparatus 120 requests user information from the terminal apparatus 130.
In step S <b> 1203, the terminal device 130 requests the information management device 110 to send the user information stored in the information management device 110 to the information utilization device 120.

In step S1204, the information management apparatus 110 requests the terminal apparatus 130 for credential information (which may include an access code).
In step S <b> 1205, the terminal device 130 sends credential information (which may include an access code) to the information management device 110 in accordance with the operation of the user 139.
In step S1206, the information management apparatus 110 verifies the credential information acquired in step S1205 and creates an access token.

In step S1207, the information management apparatus 110 sends the access token created in step S1206 to the terminal apparatus 130.
In step S1208, the terminal apparatus 130 sends the access token received in step S1207 to the information utilization apparatus 120.
In step S1209, the information utilization apparatus 120 requests user information of the user 139 from the information management apparatus 110. The access token received in step S1208 is included in the request.

In step S1210, the information management apparatus 110 requests the terminal apparatus 130 to input an access code.
In step S <b> 1211, the terminal apparatus 130 sends the access code input by the user 139 to the information management apparatus 110.
In step S1212, the information management apparatus 110 verifies the access token received in step S1209 using the access code received in step S1211.

In step S1213, if the information management apparatus 110 determines that the request in step S1209 is a regular access request as a result of the verification of the access token in step S1212, the information management apparatus 110 sends user information to the information utilization apparatus 120.
In step S1214, the information utilization apparatus 120 provides the service accessed in step S1201. For example, an account is created to provide user registration, product purchase service, and the like.

[Second Embodiment]
Next, a second embodiment will be described. The second embodiment is the same as the module configuration of the first embodiment.
As for the information management apparatus 110, functions are added to the access token issuing module 114, the access token information storage module 116, and the access token verification module 115 according to the first embodiment. In addition, the overlapping description is abbreviate | omitted about the site | part similar to 1st Embodiment.

FIG. 13 is an explanatory diagram illustrating an example of an access token issuing process performed by the access token issuing module 114 according to the second embodiment.
The access token issuing module 114 inputs a concatenation of a nonce and a selected identifier (nonce + selected identifier 1310) to a predetermined hash function 1320 to create a hash value, and sets it as an access token 1330.
As identifiers connected to the nonce, for example, an information utilization apparatus identifier, an access code, a terminal apparatus identifier (information that can uniquely identify the terminal apparatus), or a combination thereof (information utilization apparatus identifier + access code +... 1315) There is. These restrict the distribution destination (scope) of user information. That is, user information can be sent only to devices that can present such identification information.

FIG. 14 is an explanatory diagram showing an example of the data structure of the access token related information table 1400. This corresponds to the access token related information table 600 of the first embodiment, and is stored in the access token information storage module 116. In addition to the data stored in the access token related information table 600, the access token related information table 1400 further stores identifier information input as a hash function.
The access token related information table 1400 has an access token column 1410, a user ID column 1420, a hash function input value column 1430, and a nonce column 1440.
The access token column 1410 stores an access token.
The user ID column 1420 stores a user identifier.
The input value column 1430 for the hash function stores a part of the input to the hash function (“selected identifier” shown in the example of FIG. 13). If the input value field 1430 for the hash function is empty, an access token is generated as a default with a nonce, an access code, and an information utilization apparatus identifier. What is stored in the input value column 1430 for the hash function may be the identifier itself or the name of the identifier. In the case of an identifier name, a process for acquiring the identifier is performed. For example, an identifier stored in the access token information storage module 116 other than the access token related information table 1400 may be acquired or acquired from the terminal device 130.
The nonce column 1440 stores the nonce used to generate the access token of the line.
For example, the first line of the access token related information table 1400 shown in the example of FIG. 14 indicates that an access token is generated with a nonce, an access code, and an information utilization apparatus identifier. In the second line, In addition to the nonce, the access code, and the information utilization device identifier, the terminal device identifier is also connected to generate an access token. Note that a plurality of input values may be stored in the input value column 1430 for the hash function.

In other words, in order for the access token verification module 115 to use when making an access request from the information utilization apparatus 120, the user identifier, nonce, and access token issuing module 114 are used when the access token is issued using the access token included in the access request as a key. In the access token information storage module 116, an access token related information table 1400 as shown in the example of FIG. 14 is managed so that the identifier group (which may be one) used can be searched.
The access token verification module 115 acquires the access token and the information utilization apparatus identifier from the information utilization apparatus 120, and acquires the nonce and identifier information stored in the access token related information table 1400 based on the acquired access token. Then, the acquired nonce and identifier information are concatenated, and a hash value is calculated from the concatenated code using a hash function. When the acquired access token and the calculated hash value are checked and matched, it is determined that the access request to the user information of the user 139 from the information utilization apparatus 120 is legitimate.
The access token verification module 115 deletes the corresponding item from the access token related information table 1400 when the access request from the information utilization apparatus 120 is received and the verification of the access token and the transmission of the requested user information are completed. You may make it do.

FIG. 15 is a flowchart illustrating an example of access token verification processing according to the second embodiment. The access token verification module 115 performs processes other than step S1514.
(1) Step S1502 An access request message is received from the information utilization apparatus 120. From the access request message, an access token (request access token) and the information utilization device identifier of the information utilization device 120 that is the sender of the message are acquired.
(2) Step S1504 Using the access token (request access token) as a key, obtain a list of identifiers to be verified from the user ID, nonce, and access ID from the access token related information table 1400 of the access token information storage module 116. If the requested access token does not exist in the access token related information table 1400, the process proceeds to step S1516 and may be regarded as an unauthorized access request.

(3) Step S1506 Based on the identifier list acquired in step S1504, identifier information to be used for verification is acquired. If the identifier is included in the access request message received in step S1502 and the access token related information table 1400, it is acquired. Otherwise, the process proceeds to step S1508.
(4) Step S1508 An identifier to be used for necessary verification is acquired. For example, if the identifier to be used for the verification is a terminal device identifier, the terminal device identifier of the terminal device 130 that has communicated with the information utilization device 120 and sent the access token is acquired. If the identifier to be used for the verification is an access code, it is obtained by prompting the user 139 of the terminal device 130 to input the access code.
(5) Step S1510 A hash value (verification access token) is output using a predetermined hash function with a concatenation of a nonce and an identifier to be used for verification as an input value.

(6) Step S1512 The verification access token and the request access token are compared and collated. If they are the same, the access request is regarded as a regular access request, and the process proceeds to step S1514. If not, the process proceeds to step S1516.
(7) Step S1514 If it is a legitimate access request, the user information issuing module 112 uses the user identifier to extract the user information requested for access from the user information storage module 113, and the information utilization device. Send to 120.
(8) Step S1516 It is determined that the request is an unauthorized access, and the terminal device 130 of the user 139 is notified that there is such an access request. In addition, the information utilization apparatus 120 is replied to the effect that it cannot reply to the access request.

FIG. 16 is a diagram illustrating a module configuration example in the terminal device 1630 according to the second embodiment.
The terminal device 1630 includes an input module 1631, a user information request module 1632, an output module 1633, a credential sending module 1634, and a terminal device information sending module 1635. The terminal device 1630 corresponds to the terminal device 130 of the first embodiment, and the input module 1631, the user information request module 1632, the output module 1633, and the credential sending module 1634 are each in the first embodiment. This corresponds to the input module 131, the user information request module 132, the output module 133, and the credential sending module 134. A duplicate description of these will be omitted. In the description of the second embodiment, the terminal device 130 will be described.
The terminal device information sending module 1635 is connected to the information management device 110 or the information utilization device 120 via the communication network 140. In response to a request from the information management device 110 or the information utilization device 120, the terminal device identifier of the terminal device 1630 is sent.

FIG. 17 is an explanatory diagram illustrating an example of a user information transmission process according to the second embodiment. This processing example corresponds to the user registration processing example according to the first embodiment shown in the example of FIG. The information utilization apparatus 120 communicates with the terminal apparatus 130 via the portal site 1610.
In step S1701, the terminal apparatus 130 requests the information management apparatus 110 to send the user information of the user 139 itself to the portal site 1610 (information utilization apparatus 120) in response to the operation of the user 139. Send.
In step S1702, the information management apparatus 110 requests the terminal apparatus 130 to input a user identifier and credential information for logging into the information management apparatus 110.
In step S 1703, the terminal device 130 sends the user identifier and credential information input by the user 139 to the information management device 110.

In step S <b> 1704, the information management apparatus 110 informs the terminal apparatus 130 information related to the portal site 1610 to which user information is sent (for example, an identifier of the portal site 1610) or information related to the information utilization apparatus 120 (for example, Request information input device identifier, etc.).
In step S <b> 1705, the terminal device 130 sends information regarding the portal site 1610 and information regarding the information utilization device 120 input by the user 139 to the information management device 110.
In step S1706, the information management apparatus 110 creates an access token. That is to say, a hash value is calculated for the information related to the information utilization device 120 received in step S1705 and the nonce, and the information related to the information utilization device 120 and the nonce are stored in the access token information storage module 116.

In step S1707, the information management apparatus 110 sends the access token created in step S1706 to the terminal apparatus 130.
In step S1708, the terminal device 130 sends the access token received in step S1707 to the portal site 1610.
In step S1709, the portal site 1610 sends the access token received in step S1708 to the information utilization apparatus 120.

In step S1710, the information utilization apparatus 120 sends the access token received in step S1709 as an access request message for user information to the information management apparatus 110. The access request message includes information about the information utilization apparatus 120.
In step S1711, the information management apparatus 110 verifies the access token received in step S1710.
In step S1712, the information management apparatus 110 sends the requested user information to the information utilization apparatus 120 if the result of the verification in step S1711 is a regular access request. The user information includes the email address of the user 139.

In step S1713, the information utilization apparatus 120 performs user registration of the user 139 using the user information received in step S1712.
In step S <b> 1714, the information utilization apparatus 120 notifies the terminal apparatus 130 that the user registration has been completed using the e-mail address in the user information received in step S <b> 1712.
Accordingly, the user 139 of the terminal device 130 can send the user information to the information utilization apparatus 120 via the portal site 1610 without notifying the portal site 1610 of the user information.

[Third Embodiment]
Next, a third embodiment will be described. The third embodiment is similar to the module configuration of the first embodiment.
FIG. 18 is a diagram illustrating a module configuration example in the information management apparatus 1810 according to the third embodiment.
The information management apparatus 1810 includes an authentication module 1811, a user information issuance module 1812, a user information storage module 1813, an access token issuance module 1814, an access token verification module 1815, an access token information storage module 1816, and an information utilization apparatus information storage module 1817. And a user information encryption module 1818. The information management apparatus 1810 corresponds to the information management apparatus 110 of the first embodiment, and includes an authentication module 1811, a user information issue module 1812, a user information storage module 1813, an access token issue module 1814, an access token. The verification module 1815, the access token information storage module 1816, and the information utilization device information storage module 1817 are respectively the authentication module 111, the user information issue module 112, the user information storage module 113, and the access token issue module of the first embodiment. 114, the access token verification module 115, the access token information storage module 116, and the information utilization apparatus information storage module 117. A duplicate description of these will be omitted. In the description of the third embodiment, the information management apparatus 110 will be described.
The user information encryption module 1818 is connected to the information utilization apparatus 120 (information utilization apparatus 1910) or the terminal apparatus 130 via the communication network 140. User information requested by the information utilization device 120 (information utilization device 1910) (user information stored in the user information storage module 1813) is encrypted. As the encryption method, a known encryption method is used. In the case of using the common key encryption, a character string of an appropriate length sent from the terminal device 130 may be used as the common key.
The user information issuing module 1812 transmits the user information encrypted by the user information encryption module 1818 to the information utilization apparatus 120 (information utilization apparatus 1910).

FIG. 19 is a diagram illustrating a module configuration example in the information utilization apparatus 1910 according to the third embodiment.
The information utilization apparatus 1910 includes a user information request module 1911, a service provision module 1912, a user information utilization module 1913, and a user information decryption module 1914. The information utilization apparatus 1910 corresponds to the information utilization apparatus 120 of the first embodiment, and the user information request module 1911, the service provision module 1912, and the user information utilization module 1913 are respectively in the first embodiment. This corresponds to the user information request module 121, the service provision module 122, and the user information utilization module 123 in the form. A duplicate description of these will be omitted. In the description of the third embodiment, the information utilization device 120 will be described.
Corresponding to the information management apparatus 110 (information management apparatus 1810), the user information utilization module 1913 in the information utilization apparatus 120 (information utilization apparatus 1910) transmits the encrypted user information of the user 139 to the information management apparatus. 110 (information management apparatus 1810).
Then, the user information decryption module 1914 decrypts the encrypted user information received by the user information utilization module 1913. The decrypted user information is transferred to the service providing module 1912 to perform a service using the user information. As a decryption method, a known decryption method corresponding to the encryption method performed by the information management apparatus 110 (information management apparatus 1810) is used. In the case of using the common key encryption, a character string of an appropriate length sent from the terminal device 130 may be used as the common key.
Accordingly, it is possible to improve the safety of sending user information performed between the information management apparatus 110 (information management apparatus 1810) and the information utilization apparatus 120 (information utilization apparatus 1910).

[Fourth Embodiment]
Next, a fourth embodiment will be described.
In the above-described embodiment, the information management apparatus issues an access token to the user A in response to a request from the user A, and the access token transmitted from the information utilization apparatus, based on the information utilization apparatus identifier, The access token is verified, and access to the user information of the user A is permitted from the information utilization apparatus. In the verification, the user A is requested for unique information (access code) and used for the verification. In this case, the access token is transmitted to the information utilization device via the terminal device possessed by user A.

In the fourth embodiment, the information management apparatus issues an access token to the user B in response to a request from the user A, and is based on the access token and the information utilization apparatus identifier transmitted from the information utilization apparatus. The access token is verified, and access to the user information of the user A is permitted from the information utilization apparatus. In verification, the shared information (access code) is requested from the user B and used for verification. Thereby, the user B can browse the user information of the user A transmitted to the information utilization apparatus. In this case, the access token is transmitted to the information utilization device via the terminal device possessed by user B. That is, in this embodiment, access token issuance is different from the issuance in the first embodiment or the like, and a user (user B) other than user A designated by user A is a user. This means that an access token for enabling access to the user information of A is generated and the created access token is sent to the terminal device of user B. The issuance definition in the fourth embodiment is the same in the fifth embodiment or the sixth embodiment, and the parts using the fourth embodiment are the same.
The shared information here is secretly shared between the user A and the user B, and corresponds to the access code of the user A, for example.
Further, although there may be a plurality of users B, the case where there is only one user B will be mainly described for easy explanation.
For example, the user B is a spouse of the user A, and the user A teaches only his / her access code to the user B, and the user information which is the health information of the user A, etc. The case where the user B browses is applicable.

  Access code sharing means a code (access code) for permitting access to user information of a user to a user other than the user (second user, the above-mentioned user B). Notification and sharing with both parties. The second user sends an access request for the user information including the access token created using the access code to the information utilization apparatus.

FIG. 20 is a diagram illustrating a module configuration example in the information management apparatus 2010 according to the fourth embodiment.
The information management apparatus 2010 includes an authentication module 2011, a user information issuance module 2012, a user information storage module 2013, an access token issuance module 2014, an access token verification module 2015, an access token information storage module 2016, and an information utilization apparatus information storage module 2017. And the information sharing person confirmation module 2018, which corresponds to the information management apparatus 110 of the first embodiment shown in the example of FIG.
The authentication module 2011, user information issuance module 2012, user information storage module 2013, access token issuance module 2014, access token verification module 2015, access token information storage module 2016, and information utilization apparatus information storage module 2017 are examples of FIG. The authentication module 111, the user information issue module 112, the user information storage module 113, the access token issue module 114, the access token verification module 115, and the access token information storage in the information management apparatus 110 of the first embodiment shown in FIG. This corresponds to the module 116 and the information utilization apparatus information storage module 117, respectively. A duplicate description of these will be omitted. In the description of the fourth embodiment, the information management apparatus 110 will be described.
However, the access token issuance module 2014 in the present embodiment allows other users (second user, user B) designated by the user A to access the user information of the user A. Is generated and issued to the terminal device of the other user.
The access token information storage module 2016 is accessed from the access token issuing module 2014, the access token verification module 2015, and the information sharer confirmation module 2018, and information management according to the first embodiment (or the second embodiment) is performed. In addition to the access token information storage module 116 in the apparatus 110, a user identifier (shared information person ID) of a user to be shared is set to the first so that the access token is shared only with a predetermined user. In addition to the information stored in the access token information storage module 116 in the information management apparatus 110 according to the embodiment, the information is stored.

The information sharer confirmation module 2018 is connected to the access token information storage module 2016 and the information utilization apparatus information storage module 2017. The user information is permitted to be accessed by the second user intended by the user, and it is confirmed whether or not the user information is accessed by the second user. Specifically, it is confirmed whether or not the same access code as the user's access code has been input by the second user.
In addition, in order to prevent access by users other than the user and the second user, the user shares the access code only with the second user.

FIG. 21 is an explanatory diagram showing an example of the data structure of the access token related information table 2100 used in the fourth embodiment.
The access token related information table 2100 includes an access token column 2110, a user ID column 2120, an input value column 2130 for a hash function, an information sharer ID column 2140, and a nonce column 2150.
In order to use the access token from the information utilization apparatus 120, the access token is used so that the user ID, nonce, and identifier used by the access token issuing module 2014 can be searched using the access token as a key. The information storage module 2016 manages the access token related information table 2100.

The access token related information table 2100 is stored in the access token information storage module 2016. The access token related information table 600 according to the first embodiment corresponds to the access token related information table 2100. The access token column 2110, the user ID column 2120, and the nonce column 2150 of the access token related information table 2100 include an access token related information table. 600 corresponds to an access token field 610, a user ID field 620, and a nonce field 630, respectively. Compared with the access token related information table 1400 of the second embodiment, the access token column 2110, the user ID column 2120, the hash function input value column 2130, and the nonce column 2150 of the access token related information table 2100 are as follows. The access token related information table 1400 corresponds to the access token column 1410, the user ID column 1420, the hash function input value column 1430, and the nonce column 1440, respectively. A duplicate description of these will be omitted. Note that in the fourth embodiment, the input value column 2130 for the hash function is not necessary.
The information sharer ID column 2140 stores the identifier (information sharer ID) of the user who is permitted by the user to access his / her user information, acquired by the information sharer confirmation module 2018. When there are a plurality of persons to be shared, a plurality of information sharer IDs are stored in the information sharer ID column 2140 as shown in the second row of FIG.

FIG. 22 is an explanatory diagram illustrating a transmission processing example of user information of the user A to the user B according to the fourth embodiment. Note that user A (first user) uses the terminal device 130A, and user B (second user) uses the terminal device 130B. Further, it is assumed that the user information of user A is stored in the information management apparatus 110, and the user A and the user B can log in to the information management apparatus 110.
The processing from step S2201 to step S2210 is processing related to access token generation.

In step S <b> 2201, the terminal device 130 </ b> A accesses the information utilization device 120 to the information browsing service provided by the information utilization device 120 in accordance with the operation of the user A.
In step S2202, the information utilization apparatus 120 requests user information of the user A (hereinafter also referred to as “user A information”) to the terminal apparatus 130A. At this time, the information utilization apparatus 120 sends the information utilization apparatus identifier including its own apparatus.
In step S2203, the terminal device 130A requests the information management device 110 to transmit the user A information managed by the information management device 110 to the information utilization device 120 according to the operation of the user A. . At this time, the terminal apparatus 130A sends the information utilization apparatus identifier of the information utilization apparatus 120 received in step S2202, including the information utilization apparatus identifier.
In step S2204, the information management apparatus 110 requests the terminal apparatus 130A to input an ID and password necessary for logging in to the information management apparatus 110.
In step S <b> 2205, the terminal apparatus 130 </ b> A sends an ID and a password necessary for logging in to the information management apparatus 110 to the information management apparatus 110 in accordance with the operation of the user A.

In step S2206, the information management apparatus 110 requests the terminal apparatus 130A to input an access code and information sharer information (stored in the information sharer ID column 2140).
In step S <b> 2207, the terminal device 130 </ b> A inputs the access code and the identifier of the user B, which is information sharing information, to the information management device 110 in accordance with the operation of the user A. Note that the user A teaches this access code only to the user B, and is secretly managed for other users.
In step S2208, the information management apparatus 110 generates an access token. The generation of the access token is equivalent to the processing in the above-described embodiment. For example, a hash value is calculated for a concatenation of information related to the information utilization device 120 received in step S2203 (for example, an identifier of the information utilization device 120), and the nonce is stored as an access token information storage module. It stores in 2016.
In step S2209, the information management apparatus 110 associates the access token with the identifier of user B input in step S2207, and stores it in the access token information storage module 2016.
In step S2210, the information management apparatus 110 notifies the terminal apparatus 130A that the generation of the access token has been completed.

Processing from step S2211 to step S2215 is processing related to access token distribution.
In step S2211, the information management apparatus 110 notifies the terminal apparatus 130B that access to the user A information is permitted.
In step S2212, the terminal device 130B requests the information management device 110 to transmit an access token for accessing the user A information according to the operation of the user B.
In step S2213, the information management apparatus 110 requests the terminal apparatus 130B to log in to the information management apparatus 110.
In step S <b> 2214, the terminal device 130 </ b> B sends an ID and a password necessary for logging in to the information management device 110 to the information management device 110 in accordance with the operation of the user B.
In step S2215, the information management apparatus 110 transmits an access token to the terminal apparatus 130B.

Processing from step S2216 to step S2222 is processing related to browsing of user A information by user B.
In step S2216, the terminal device 130B requests the information utilization device 120 to browse the user A information in response to the operation of the user B. At the time of the request, the access token transmitted in step S2215 is attached.
In step S2217, the information utilization apparatus 120 requests the user A information from the information management apparatus 110. At the time of the request, the access token transmitted from the terminal device 130B in step S2216 and the information utilization device identifier of the information utilization device 120 itself are attached.
In step S2218, the information management apparatus 110 requests the terminal apparatus 130B to input an access code. Here, the access code input request to the terminal device 130B may be notified by e-mail, for example, and the information management apparatus 110 associates the access code input request with the user A information request in step S2217. Manage.

In step S2219, the terminal device 130B inputs an access code to the information management device 110 according to the operation of the user B. The access code here is the same as that entered by the terminal device 130A in step S2207.
In step S2220, the information management apparatus 110 verifies the access token. The verification of the access token is equivalent to the processing in the above-described embodiment.
In step S2221, the information management apparatus 110 sends user A information to the information utilization apparatus 120.
In step S2222, the information utilization apparatus 120 displays the user A information on the terminal apparatus 130B. That is, the user B can browse the user A information.

[Fifth Embodiment]
Next, a fifth embodiment will be described. In the fifth embodiment, any two or more of the second embodiment, the third embodiment, and the fourth embodiment are arbitrarily combined. Further, the modules in each form may be arbitrarily combined.
For example, although the module configuration is the same as that of the first embodiment, the information management apparatus 110 further includes a user information encryption module 1818, and the access token issuing module 114 is the example of FIG. The access token 1330 is created, the access token information storage module 116 stores the access token related information table 1400 as shown in the example of FIG. 14, and the access token verification module 115 is the example of FIG. The user information encryption module 1818 encrypts the user information, and the user information issuance module 112 sends the encrypted user information to the information utilization apparatus 120.
Further, the information utilization apparatus 120 has a user information utilization module 1913, and the user information utilization module 123 receives encrypted user information from the information management apparatus 110, and the user information decryption module 1914 receives it. Decrypt. The terminal device 130 has a terminal device information sending module 1635 and sends a terminal device identifier.

[Sixth Embodiment]
Next, a sixth embodiment will be described. In the sixth embodiment, the first to fifth embodiments are realized as a program.
FIG. 23 is an explanatory diagram illustrating a system configuration example that realizes the sixth embodiment.
The information management device 2310, the information utilization device 2320, and the terminal device 2330 are connected via a communication network 2340.
The information management device program 2311 is installed and used in the information management device 2310, the information utilization device program 2321 is installed in the information utilization device 2320, and the terminal device program 2331 is installed in the terminal device 2330. Each of the information management device 2310, the information utilization device 2320, and the terminal device 2330 functions as a computer (or as a computer with a built-in computer), and performs operations and processes according to installed programs. The information management device program 2311, the information utilization device program 2321, and the terminal device program 2331 are the information management device 110, the information utilization device 120, and the terminal device 130, respectively, in the first to fifth embodiments. It is a program to make it function.

The effects obtained by the above-described embodiment are listed below.
<First effect>
The object is to provide a robust information management system against leakage of confidential information of users.
(Reason) User information is protected by access management using an access token. The access token necessary for accessing the user information of the user is information that is generated by using a hash function and it is difficult to identify the user. This is because even if an access token leaks to an unintended third party, it is impossible for the third party to access user information.

<Second effect>
It is possible to prevent leakage of confidential information of a user to a business operator not intended by the user.
(Reason) Similar to the first effect, the access token necessary for accessing the user information of the user is used to specify the user who has designated the user information as the destination. Although it is information, access management is performed using the device identifier of the operator itself, so even if an access token leaks to a second operator other than the operator, the second operator This is because the user information of the user cannot be accessed.

<Third effect>
It is to protect user privacy.
(Reason) This is because the access token does not include information that can identify the user, and is temporary information.

<Fourth effect>
User information can be utilized even if there is no trust relationship between the information management device and the information utilization device.
(Reason) Even when there is no mutual trust relationship between the information management device and the information utilization device, information (identifier) of the information utilization device to which the user information is to be provided according to the request of the user himself / herself This is because the delivery destination of user information can be safely managed by giving to the management device. In addition, the user himself / herself can permit use of the user information managed by the information management device by the information utilization device at his / her own risk.

<Fifth effect>
User information can be used easily.
(Reason) This is because prior ID registration in an information utilization apparatus such as single sign-on is not necessary for utilization of user information. This is also because pre-ID collaboration is not assumed between the information management device and the information utilization device.

  The hardware configuration of the computer on which the program as the above-described embodiment is executed is a general computer as shown in FIG. 24. Specifically, there are many other than the processing according to the above-described embodiment. It is a computer that can be a server that can execute the above process at high speed. Authentication module 111, user information issuance module 112, access token issuance module 114, access token verification module 115, user information request module 121, service provision module 122, user information utilization module 123, user information request module 132, credential CPU 2410 for executing a program such as a sending module 134, a RAM 2430 for storing the program and data, a ROM 2420 for storing a program for starting the computer, an HD 2440 as an auxiliary storage device, a keyboard, a mouse UI / F2450 that serves as an interface with the operator by inputting data by an operator's operation or outputting data to a CRT or a liquid crystal display, etc., and a remover such as a CD-R A removable media reader writer 2460 for reading from and writing to Le media, communication line I / F2470 for connecting to a communication network, and, and a bus 2480 for exchanging data by connecting them. A plurality of these computers may be connected to each other via a network.

The program described above may be provided by being stored in a recording medium, or the program may be provided by communication means. In that case, for example, the above-described program may be regarded as an invention of a “computer-readable recording medium recording the program”.
The “computer-readable recording medium on which a program is recorded” refers to a computer-readable recording medium on which a program is recorded, which is used for program installation, execution, program distribution, and the like.
The recording medium is, for example, a digital versatile disc (DVD), which is a standard established by the DVD Forum, such as “DVD-R, DVD-RW, DVD-RAM,” and DVD + RW. Standard “DVD + R, DVD + RW, etc.”, compact disc (CD), read-only memory (CD-ROM), CD recordable (CD-R), CD rewritable (CD-RW), Blu-ray disc ( Blu-ray Disc (registered trademark), magneto-optical disk (MO), flexible disk (FD), magnetic tape, hard disk, read-only memory (ROM), electrically erasable and rewritable read-only memory (EEPROM), flash Includes memory, random access memory (RAM), etc. .
The program or a part of the program can be recorded on the recording medium and stored or distributed. Also, by communication, for example, a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), a wired network used for the Internet, an intranet, an extranet, etc., or wireless communication It can be transmitted using a transmission medium such as a network or a combination thereof, and can also be carried on a carrier wave.
Furthermore, the program may be a part of another program, or may be recorded on a recording medium together with a separate program.

It is explanatory drawing which shows the system configuration example which implement | achieves embodiment of this invention. It is explanatory drawing which shows the outline of the example of a process by embodiment of this invention. It is a figure which shows the module structural example in the information management apparatus of 1st Embodiment. It is explanatory drawing which shows the example of a data structure of a user information table. It is explanatory drawing which shows the example of an access token issue process by the access token issue module of 1st Embodiment. It is explanatory drawing which shows the example of a data structure of an access token related information table. It is a flowchart which shows the verification processing example of the access token by 1st Embodiment. It is a figure which shows the module structural example in the information utilization apparatus of 1st Embodiment. It is a figure which shows the module structural example in the terminal device of 1st Embodiment. It is explanatory drawing which shows the process example of the user registration by 1st Embodiment. It is explanatory drawing which shows the example of a transmission process of the merchandise shipping destination information by 1st Embodiment. It is a flowchart which shows the process example by 1st Embodiment. It is explanatory drawing which shows the example of an issuing process of the access token by the access token issuing module of 2nd Embodiment. It is explanatory drawing which shows the example of a data structure of an access token related information table. It is a flowchart which shows the example of a verification process of the access token by 2nd Embodiment. It is a figure which shows the module structural example in the terminal device of 2nd Embodiment. It is explanatory drawing which shows the example of a transmission process of the user information by 2nd Embodiment. It is a figure which shows the module structural example in the information management apparatus of 3rd Embodiment. It is a figure which shows the module structural example in the information utilization apparatus of 3rd Embodiment. It is a figure which shows the module structural example in the information management apparatus of 4th Embodiment. It is explanatory drawing which shows the example of a data structure of an access token related information table. It is explanatory drawing which shows the example of a transmission process of the user information of the user A with respect to the user B by 4th Embodiment. It is explanatory drawing which shows the system configuration example which implement | achieves 6th Embodiment. It is a block diagram which shows the hardware structural example of the computer which implement | achieves embodiment of this invention. In conventional technology, it is explanatory drawing which shows the process example which registers user information to a site. It is explanatory drawing which shows the process example of Liberty ID-WSF in a prior art. It is explanatory drawing which shows the process example of the exchange of attribute information based on SSO (single sign-on) in a prior art. In prior art, it is explanatory drawing which shows the example of a process which performs this registration after performing temporary registration.

Explanation of symbols

DESCRIPTION OF SYMBOLS 110 ... Information management apparatus 111 ... Authentication module 112 ... User information issue module 113 ... User information storage module 114 ... Access token issue module 115 ... Access token verification module 116 ... Access token information storage module 117 ... Information utilization apparatus information storage module DESCRIPTION OF SYMBOLS 120 ... Information utilization apparatus 121 ... User information request module 122 ... Service provision module 123 ... User information utilization module 130 ... Terminal apparatus 131 ... Input module 132 ... User information request module 133 ... Output module 134 ... Credential sending module 139 ... User 140 ... Communication network 210 ... Subscriber management device 221, 222 ... Portal site 230 ... Terminal device 239 ... User 1610 ... Portal site 1 DESCRIPTION OF SYMBOLS 30 ... Terminal device 1631 ... Input module 1632 ... User information request module 1633 ... Output module 1634 ... Credential sending module 1635 ... Terminal device information sending module 1810 ... Information management device 1811 ... Authentication module 1812 ... User information issuing module 1813 ... Use User information storage module 1814 ... Access token issue module 1815 ... Access token verification module 1816 ... Access token information storage module 1817 ... Information utilization device information storage module 1818 ... User information encryption module 1910 ... Information utilization device 1911 ... User information request Module 1912 ... Service providing module 1913 ... User information utilization module 1914 ... User information decryption module 2010 ... Information Information management device 2011 ... Authentication module 2012 ... User information issue module 2013 ... User information storage module 2014 ... Access token issue module 2015 ... Access token verification module 2016 ... Access token information storage module 2017 ... Information utilization device information storage module 2018 ... Information sharing person confirmation module 2310 ... Information management device 2311 ... Information management device program 2320 ... Information utilization device 2321 ... Information utilization device program 2330 ... Terminal device 2331 ... Terminal device program 2339 ... User 2340 ... Communication network

Claims (14)

An information management device capable of communicating with a terminal device used by a user and an information utilization device utilizing user information that is information about the user, and managing the user information,
A permission request receiving means for receiving an access permission request for sending the user information to the information utilization device from the terminal device ;
First connection means for connecting an information utilization device identifier for identifying the information utilization device and a random number to a first access code corresponding to the access permission request;
First hash value calculating means for calculating a hash value by a hash function from the codes connected by the first connecting means;
An access token issuing means for issuing a hash value calculated by the first hash value calculating means as an access token for accessing the user information;
Storage means for associating and storing the access token, a user identifier for identifying the user, and a random number subjected to processing by the first hash value calculation means;
Access token receiving means for receiving the access token and the information utilization device identifier of the information utilization device from the information utilization device;
Obtaining means for obtaining a second access code and a random number stored in the storage means based on the access token received by the access token receiving means;
Second connection means for connecting the received information utilization apparatus identifier to the random number acquired by the acquisition means and the second access code;
Second hash value calculating means for calculating a hash value by a hash function from the codes connected by the second connecting means;
When the access token received by the access token receiving means matches the hash value calculated by the second hash value calculating means and matches, the user associated with the access token in the storage means Determining means for determining that the access request to the user information of the user indicated by the identifier is legitimate;
Equipped with,
As the access permission request received by the permission request receiving means, including a first access code, an information utilization apparatus identifier,
The acquisition unit acquires the random number stored in the storage unit based on the first access code input to the terminal device by the user and the access token received by the access token reception unit. An information management device characterized by the above. The acquisition means includes
Based on the user's operation on the terminal device, the second access code is acquired from the terminal device,
The second connecting means includes
The information management device according to claim 1, wherein the second access code acquired from the terminal device is used. The acquisition means includes
Obtaining the second access code from a terminal device of a second user who is another user designated by the user;
The second connecting means includes
Using the second access code is obtained from the terminal device of the second user,
The access token receiving unit receives an access permission request for the user information of the user from the information utilization device via the terminal device of the second user, and the information management device Issued to the terminal device of the second user, and includes the access token and the information utilization device identifier of the user that the information utilization device acquires from the second user terminal device;
The acquisition means stores the storage based on the access code of the user input to the terminal device of the second user by the second user and the access token received by the access token receiving means. Get the random number stored in the means,
Notifying the second user designated by the user that the user information of the user is to be shared with the second user, and the information management device as the information sharer of the user The information management apparatus according to claim 1, wherein the second user is stored in association with each other . The storage means
Further stored in association with the first access code linked by the first coupling means to the access token,
The acquisition means includes
Obtaining the first access code associated with the access token received by the access token receiving means from the storage means;
The second connecting means includes
The information management apparatus according to claim 1, wherein the random number and the information utilization apparatus identifier are connected to the first access code acquired from the storage unit. Further comprising: a user identifier for identifying a user and an information utilization device identifier from the terminal device based on an operation of the user with respect to the terminal device;
The information storage device according to any one of claims 1 to 4, wherein the storage unit further stores the user identifier acquired by the user identifier acquisition unit. The user information transmitting means for transmitting the user information to the information utilization apparatus when the access request is determined to be legitimate by the determining means. The information management device according to claim 1. When the determination means determines that the access request is legitimate, the communication means communicates with the terminal device used by the user indicated by the user identifier associated with the access token in the storage means Further comprising transmission permission acquisition means for obtaining permission for transmission of user information to the information utilization device,
The user information transmitting means includes
Transmitting the user information to the information utilization apparatus when the determination unit determines that the access request is legitimate and the transmission permission acquisition unit obtains permission to transmit the user information. The information management apparatus according to claim 6. The transmission permission acquisition means includes
When the terminal device is requested to transmit a user identifier, and the user identifier obtained by the request matches the user identifier associated with the received access token, the information utilization The information management apparatus according to claim 7, wherein it is determined that permission to transmit user information to the apparatus has been obtained. The first connecting means connects the random number and the identifier information,
The storage means further stores identifier information input to the hash function of the first hash value calculation means in association with the access token,
The second connecting means includes
The information management apparatus according to any one of claims 1 to 8, wherein identifier information associated with the received access token is acquired from the storage unit and connected to the random number. An encryption means for encrypting the user information;
The information management apparatus according to any one of claims 6 to 8, wherein the user information transmission unit transmits the user information encrypted by the encryption unit. An information processing system in which an information management device that manages user information, which is information about a user of a terminal device, and an information utilization device that utilizes the user information are connected to be communicable,
The information management device includes:
A permission request receiving means for receiving an access permission request for sending the user information to the information utilization device from the terminal device ;
First connection means for connecting an information utilization device identifier for identifying the information utilization device and a random number to a first access code corresponding to the access permission request;
First hash value calculating means for calculating a hash value by a hash function from the codes connected by the first connecting means;
An access token issuing means for issuing a hash value calculated by the first hash value calculating means as an access token for accessing the user information;
Storage means for associating and storing the access token, a user identifier for identifying the user, and a random number subjected to processing by the first hash value calculation means;
Access token receiving means for receiving the access token and the information utilization device identifier of the information utilization device from the information utilization device;
Obtaining means for obtaining a second access code and a random number stored in the storage means based on the access token received by the access token receiving means;
Second connection means for connecting the received information utilization apparatus identifier to the random number acquired by the acquisition means and the second access code;
Second hash value calculating means for calculating a hash value by a hash function from the codes connected by the second connecting means;
When the access token received by the access token receiving means matches the hash value calculated by the second hash value calculating means and matches, the user associated with the access token in the storage means Determining means for determining that the access request to the user information of the user indicated by the identifier is legitimate;
Equipped with,
As the access permission request received by the permission request receiving means, including a first access code, an information utilization apparatus identifier,
The acquisition unit acquires a random number stored in the storage unit based on a first access code input to the terminal device by the user and an access token received by the access token reception unit;
The information utilization device is:
An access token receiving means for receiving an access token;
An access token transmitting means for transmitting an access token received by the access token receiving means and an information utilization apparatus identifier for identifying the own apparatus to the information management apparatus;
Receiving means for receiving user information of the user transmitted from the information management device corresponding to the access token;
An information processing system comprising: The information management device includes:
An encryption means for encrypting the user information;
User information transmission means of the information management device transmits the user information encrypted by the encryption means;
The information utilization device is:
The information processing system according to claim 11, further comprising: decrypting means for decrypting the encrypted user information received by the receiving means. An information management method that can be communicated with a terminal device used by a user and an information utilization device that utilizes user information that is information about the user, and is performed by an information management device that manages the user information,
A permission request receiving step for receiving an access permission request for sending the user information to the information utilization device from the terminal device ;
A first connection step of connecting an information utilization device identifier for identifying the information utilization device and a random number to a first access code corresponding to the access permission request;
A first hash value calculating step of calculating a hash value by a hash function from the codes concatenated in the first connecting step;
An access token issuing step for issuing the hash value calculated in the first hash value calculating step as an access token for accessing the user information;
A storage step of associating and storing the access token, a user identifier for identifying the user, and a random number subjected to processing in the first hash value calculation step in a storage unit;
Receiving the access token and the information utilization device identifier of the information utilization device from the information utilization device; and
An obtaining step for obtaining a second access code and a random number stored in the storage means based on the access token received in the access token receiving step;
A second connection step of connecting the received information utilization apparatus identifier to the random number acquired in the acquisition step and the second access code ;
A second hash value calculating step of calculating a hash value by a hash function from the codes concatenated in the second connecting step;
If the access token received in the access token receiving step matches the hash value calculated in the second hash value calculating step and matches, the user associated with the access token in the storing step A determination step of determining that the access request to the user information of the user indicated by the identifier is legitimate,
I have a,
The access permission request received in the permission request receiving step includes a first access code, an information utilization apparatus identifier,
In the obtaining step, the random number stored in the storage unit is obtained based on the first access code input to the terminal device by the user and the access token received in the access token receiving step. An information management method characterized by that. An information management device that is communicable with a terminal device used by a user and an information utilization device that utilizes user information that is information about the user, and includes a storage device ,
A permission request receiving means for receiving an access permission request for sending the user information to the information utilization device from the terminal device ;
First connection means for connecting an information utilization device identifier for identifying the information utilization device and a random number to a first access code corresponding to the access permission request;
First hash value calculating means for calculating a hash value by a hash function from the codes connected by the first connecting means;
An access token issuing means for issuing a hash value calculated by the first hash value calculating means as an access token for accessing the user information;
The access token and a user identifier identifying the user, the first control store control means so as to store in the storage device in association with a random number as a target of processing by the hash value calculation unit When,
Access token receiving means for receiving the access token and the information utilization device identifier of the information utilization device from the information utilization device;
Obtaining means for obtaining a second access code and a random number stored in the storage device based on the access token received by the access token receiving means;
Second connection means for connecting the received information utilization apparatus identifier to the random number acquired by the acquisition means and the second access code;
Second hash value calculating means for calculating a hash value by a hash function from the codes connected by the second connecting means;
If matching by matching the hash value calculated by the received access token the second hash value calculation unit by the access token receiving means, associated with the result the access token the storage control means Function as a determination means for determining that the access request to the user information of the user indicated by the user identifier is legitimate ,
As the access permission request received by the permission request receiving means, including a first access code, an information utilization apparatus identifier,
The acquisition unit acquires a random number stored in the storage device based on a first access code input to the terminal device by the user and an access token received by the access token reception unit. An information management program characterized by

Images