JP5834118B2 - Information operation device, information output device, and information operation program - Google Patents

Description

  Embodiments described herein relate generally to an information operation device, an information output device, and an information operation program that transmit and receive device operation commands.

  In recent years, there is a technique for operating a TV by connecting an information operation terminal such as a smartphone or a tablet to the TV via an interface.

JP 2005-149205 A

  The present embodiment provides an information operation device and an information output device that improve the convenience by allowing the information output device to be operated from the information operation device while preventing the information output device from being operated without permission from the user. An apparatus and an information operation program are provided.

According to the present embodiment, an application execution unit that executes an application and generates a device operation instruction;
A first communication processing unit for transmitting an authentication request to the first communication device and receiving an authentication requestor transmitted from the first communication device in response to the authentication request;
An application authentication processing unit that generates a platform authenticator that is encrypted based on a key shared with the first communication device and the predetermined key information for the received authentication requestor;
An application origin information giving unit for giving origin information of the application to the platform authenticator;
There is provided an information operation device comprising: a second communication processing unit that transmits the device operation command and a platform authenticator to which the origin information is given to the first communication device.

2 is a block diagram showing an example of the overall configuration of the information processing system 4. FIG. The block diagram which shows the internal structure of the information operating device 1 in 1st Embodiment. The block diagram which shows the internal structure of the web application execution part 21 and the application authentication process part 23. FIG. The block diagram which shows the internal structure of the information output device 3 in 1st Embodiment. The block diagram which shows the internal structure of the web application distribution server 5 in 1st Embodiment. The flowchart at the time of starting of the web application execution part 21 and the application authentication process part 23. FIG. The flowchart which shows an example of the process sequence at the time of authentication request command detection. 5 is a flowchart illustrating an example of a procedure for transmitting a device operation command to the information output device 3; The flowchart which shows an example of the process sequence of the information output device 3 at the time of authentication request reception. The flowchart of the process sequence of the information output device 3 at the time of the 3rd connection establishment request | requirement. FIG. 5 is a sequence diagram showing an example of processing procedures of the information operating device 1 and the information output device 3. The block diagram which shows an example of an internal structure of the information operating device 1 in 2nd Embodiment. The figure which shows an example of the data structure of the permission origin list | wrist 10. FIG. The flowchart which shows an example of the process sequence at the time of authentication request command detection. The block diagram which shows an example of the internal structure of the information operating device 1 in 3rd Embodiment. The block diagram which shows the internal structure of the web application distribution server 5 in 3rd Embodiment. The flowchart which shows an example of the process sequence of permission origin list update. The block diagram which shows an example of the internal structure of the information operating device 1 in 4th Embodiment. The block diagram which shows the internal structure of the web application distribution server 5 in 4th Embodiment. The flowchart which shows an example of the process sequence at the time of authentication request command detection. The block diagram which shows the internal structure of the information operating device 1 in 5th Embodiment. The flowchart which shows the process sequence at the time of the authentication request command detection in 5th Embodiment. The block diagram which shows the internal structure of the information processing apparatus in 6th Embodiment. 10 is a flowchart showing a processing procedure when an authentication request command is detected in the sixth embodiment. The block diagram which shows the internal structure of the information processing apparatus in 7th Embodiment. The figure which shows the table which registered the correspondence of key number, key validity, and key information. The block diagram which shows the internal structure of the web application distribution server 5 in 7th Embodiment. The block diagram which shows the internal structure of the information output device 3 in 7th Embodiment. The flowchart which shows the process sequence at the time of the authentication request | requirement containing a revocation process. The flowchart which shows the process sequence at the time of the key update in 7th Embodiment.

  Hereinafter, an embodiment of the present invention will be described with reference to the drawings.

(First embodiment)
FIG. 1 is a block diagram showing an example of the overall configuration of an information processing system 4 that transmits a device operation command from the information operation device 1 via the network 2 to remotely operate the information output device (second communication device) 3. An information processing system 4 in FIG. 1 includes an information operation device 1 that receives a web application from a server and executes a program including a remote device operation instruction, an information output device 3 that displays an image, and a web application that distributes the application. A distribution server (first communication device) 5 is provided. The information operating device 1 and the web application distribution server 5 are connected by a network 2 such as the Internet. Similarly, the information operating device 1 and the information output device 3 are also connected by the network 2 and send and receive information via a network interface. Here, page files and media files that are components of the web application are managed on the server (Web application distribution server 5), and the storage location is specified by a location identifier called URL (Uniform Resource Locator).

  The information operating device 1 includes a CPU 12, a main memory 13, a display 14, an input device 15, a network interface unit 16, and a storage unit 17 connected to a common bus 11. The input device 15 is a mouse, a keyboard, a touch panel, or the like. The storage unit 17 stores a web application (Web application) and a platform application (hereinafter, PF application). The web application is executed by the web application execution unit 21, and the PF application is executed by the PF application execution unit (application authentication processing unit 22). The web application includes an IP connection management unit 24, an input reception unit 25, an HTTP processing unit 26, and an application origin giving unit 27, which are software modules.

  The information output device 3 includes a network interface unit 31 and a device operation command processing unit 32 that processes a device operation command transmitted from the information operation device 1.

  The web application distribution server 5 includes a network interface unit 41 and a storage unit 42. As will be described later, the storage unit 42 stores a page file 42a and a media file 42b.

  When a web application is executed by the information operating device 1, an application execution unit program that is an execution environment of the web application is executed as a preparation. At this time, a shell program such as an OS executed by the CPU 12 of the information operating device 1 reads the application execution unit program from the storage unit in the information operating device 1 according to a user request or the like. Further, the CPU 12 stores the read application execution unit program in the main memory 13 and executes the application execution unit program.

  The Web application is started by specifying the URL of the page file by the user or program. At that time, the CPU 12 issues a command to acquire a page file of the specified URL to the network interface unit 16. The network interface unit 16 connects to the server of the specified URL and issues a download instruction for the corresponding file.

  The network interface unit 41 of the Web application distribution server 5 reads the corresponding file from the storage unit 42 and returns it to the information operating device 1. The network interface unit 16 of the information operating device 1 places the corresponding file in the main memory 13. In the page file, URLs of media files used by the application are listed. Similarly to the page file, the CPU 12 issues a download command to the network interface unit 16 for these files, and the downloaded file is stored in the main memory 13 or Arranged in the storage unit 17.

  When a file necessary for execution is prepared, the application execution unit program converts the page file arranged in the main memory 13 or the storage unit 17 into an instruction that can be interpreted by the CPU 12 and executes it by the CPU 12. The execution result is output to the display 14 of the information operating device 1 according to the arrangement data included in the page file. The arrangement data includes a button (link) for displaying and executing another page file, and includes URL information of the page file. When the button is selected due to a user request, the application execution program issues a new page file download request, and when the necessary files are available, including the media files used in the page file, a new page file is created. Display and execution of.

  Via a script language called JavaScript (registered trademark) included in the page file or the like, it is possible to communicate with an HTTP server or a WebSocket server using a protocol called HTTP or a WebSocket protocol. That is, when an operation function via HTTP or WebSocket is provided on the Web application distribution server 5 side, remote operation can be performed using a JavaScript program. Application developers can easily create a remote operation application using a web application, but if there is no access control on the web application distribution server 5 at this time, there is a risk that remote operation will be performed from an unauthorized web application. There is also. For this reason, as information for identifying a Web application, there is URL information (Origin information) included in a WebSocket header or an HTTP header. By performing access control on the information output device 3 side using this URL information, it becomes possible to permit remote operation only to a Web application on a specific server.

  However, since the HTTP and WebSocket protocols are public information, it cannot be dealt with when an execution environment (hereinafter referred to as a platform) of a Web application that disguises the URL information of the HTTP or WebSocket protocol appears. For this reason, it is necessary to use some information to tell the HTTP server or WebSocket server that the Web application is running on the correct platform. This is because the URL information given by the platform can be trusted if the platform is correct. As this information, for example, the web application side may use a common key to encrypt and send device operation instructions, but the web application page file is written in plain text and should store confidential information. The method of storing the common key becomes a problem.

  In addition, there is a technique that makes it difficult to obtain the common key by obfuscating the web application, but since it is finally converted into a format that can be interpreted by the browser, the common key can be obtained relatively easily. Therefore, there is a problem with the security strength.

  Another method is to encrypt the device operation instructions on the platform side, but if the device operation instruction encryption function is added to the browser that is the platform entity, the change to the existing browser becomes large-scale. It ’s not a good idea.

  When performing remote operation of the information output device 3 using HTTP or WebSocket protocol, it is conceivable to perform access control using the origin information (URL information) of the web application requesting the operation, but HTTP or WebSocket protocol The URL information contained in the header may not be reliable. This is because the specifications of HTTP and WebSocket protocols are open to the public, and it is relatively easy to develop a platform (fake browser) that sends spoofed URL information. In order to perform access control correctly, it is necessary to guarantee to the information output apparatus 3 that the Web application requesting the operation operates on the correct platform and the URL information is reliable.

  From the above viewpoint, the information processing system 4 in FIG. 1 can guarantee to the information output device 3 that the URL information of the Web application executed by the information operating device 1 is reliable.

  FIG. 2 is a block diagram showing an internal configuration of the information operating device 1 according to the first embodiment. 2 includes a web application execution unit 21 that executes a web application, a PF application execution unit 22 that executes a PF application, and an application authentication processing unit 23 provided in the PF application execution unit 22. An IP connection management unit 24 that performs control to transmit a device operation command and an authentication token (platform authenticator) to the information output device 3, an input reception unit 25 that receives user input, and a Web application from the Web application distribution server 5 HTTP processing unit 26 for performing, application origin giving unit 27 for granting origin information of the Web application to the authentication token, device search processing unit 28 for performing processing for searching for the information output device 3, and a first for acquiring the web application The second connection between the information output device 3 and the first connection unit 33 that performs the connection establishment process 1 and receives the web application The second connection unit 34 that transmits the authentication request and receives the authentication requester, and the third connection with the information processing apparatus 3 and the platform authenticator to which the device operation instruction and the source information are given. And a fourth connection unit 36 that establishes a fourth connection for performing device search, transmits a device search command, and receives a search result.

  The application authentication processing unit 23 generates an authenticator (authentication token) that guarantees that the Web application is operating on the correct platform.

  The web application execution unit 21 has a browser function that is an execution environment for executing a web application that runs on a browser. The PF application executed by the PF application execution unit 22 is a native application configured in an instruction format that can be directly executed by a computer. On the other hand, the web application is generally an HTML or JavaScript file described in a plain text format, or various media files used from these.

  Although the web application executed by the web application execution unit 21 and the PF application executed by the PF application execution unit 22 can be developed separately, the web application execution unit 21 generally has a complicated mechanism and it is difficult to add a new function. When it is desired to realize some specific function, if the target function can be realized by the application authentication processing unit 23, development can be performed at a lower development cost than when the inside of the browser is changed. Although it is difficult to include secret information in HTML and JavaScript, which are Web application description languages, the protection strength of secret information can be increased because the PF application is a native application.

  On the other hand, the PF application cannot operate the internal data of the browser (for example, connection data or data to be communicated), and can operate the internal data of the browser only when the external operation interface is not disclosed by the browser. Therefore, the degree of freedom is low.

  The web application execution unit 21 has a function of acquiring, executing, and displaying a web application written in HTML or JavaScript and a media file such as a moving image or a sound referred to by the web application. The web application execution unit 21 requests the HTTP processing unit 26 to acquire a web application in response to an application execution request from an input receiving unit 25 that accepts user input or an authentication request unit described later, and executes the acquired web application. Start.

  In addition, the web application execution unit 21 executes the application on the authorized platform with respect to the application authentication processing unit 23 when a remote device operation instruction is included in the program written in JavaScript or the like of the web application. It has a function of requesting acquisition of an authenticator (authentication token) that guarantees that. The application authentication processing unit 23 passes the acquired authentication token to the application origin giving unit 27 together with information for identifying the position of the information output device 3 (for example, Fully Qualified Domain Name (FQDN) or IP address). The application origin assigning unit 27 assigns an application origin location identifier (for example, URL information or Origin information) to the authentication token. Here, Origin information is the domain portion of the URL. For example, if the application is acquired from http://www.toshiba.com/application_1, Origin is www.toshiba.com.

  The application origination granting unit 27 transmits the authentication token assigned with the location identifier of the app origination to the information output device 3 using the third connection unit 35 that manages the connection with the information output device 3. 24. The IP connection management unit 24 instructs the third connection unit 35 to establish the third connection for sending the authentication token, and establishes the third connection. Thereafter, the third connection unit 35 stores the authentication token as information. Send to output device 3. As a result, the information output apparatus 3 can determine that the third connection to which the authentication token has been sent is a connection established by a legitimate platform. Further, the information output device 3 can determine that the origin of the application is given by the regular platform. Once the authentication token is transmitted to the information output device 3, the authentication is invalidated (the one-time password is assumed) when the same authentication token is transmitted again through another connection. Thereby, information security can be improved.

  The Web application execution unit 21 further has a function of generating a device operation command, and has a function of requesting the IP connection management unit 24 to transmit using the third connection unit 35. Therefore, the IP connection management unit 24 has a function of sending a device operation command to the information output device 3 using the third connection unit 35. Since the information output device 3 has already sent the authentication token by the third connection unit 35, it can be determined that the third connection is a connection established by the legitimate platform. It can be determined that the operation command is sent from an application running on a regular platform, and the origin of the application can also be correctly determined.

  In response to an authentication token generation request from the web application execution unit 21, the application authentication processing unit 23 has a function of generating an authentication token and passing it to the web application execution unit 21. In order for the information output device 3 to verify that the operating platform is correct, the information output device 3 and the application authentication processing unit 23 need to authenticate. Therefore, the application authentication processing unit 23 issues a second connection establishment request to the second connection unit 34 through the IP connection management unit 24 when the second connection with the information output device 3 is not established. It has a function of establishing a connection and requesting authentication. As the authentication method, generally well-known methods such as password authentication and challenge-and-response may be used. For example, when challenge-and-response is used as an authentication method, the application authentication processing unit 23 designates the second connection unit 34 through the IP connection management unit 24 and sends an authentication request through the second connection. 3 has a function of receiving a challenge, which is an authentication requestor, from 3 and generating a response and passing it as an authenticator (authentication token) to the web application execution unit 21. Thereafter, when the Web application execution unit 21 designates the third connection unit 35 and sends the response from the IP connection management unit 24, the authentication is completed. When normal password authentication is used, the application authentication processing unit 23 designates the second connection unit 34 to the information output device 3 and transmits a password from the IP connection management unit 24, and outputs information as an authentication result. The random character string received from the device 3 is passed to the web application execution unit 21. The web application execution unit 21 designates the third connection unit 35 and sends the character string by the IP connection management unit 24. If the sent character string matches the received character string, it can be proved that the third connection is valid.

  In this way, when the second connection and the third connection are separated, the second connection is sent to the information output device 3 when the information to be kept secret from the Web application or the information that cannot be tampered with is sent. By sending information that should be concealed or tampered with the Web application, the Web application can access only the data transmitted and received through the first connection, so that the information can be concealed and tampering can be prevented.

  The IP connection management unit 24 identifies a plurality of connection units including the first to fourth connection units 33 to 36 described above, and transmits data using the connection unit specified by the caller of the IP connection management unit 24. To do.

  The first connection unit 33 is called from the IP connection management unit 24, receives the location information of the web application distribution server and the location information of the application specified from the IP connection management unit 24, and is a connection with the web application distribution server 5. 1 has a function of acquiring a Web application and returning it to the IP connection management unit 24.

  The second connection unit 34 is called from the IP connection management unit 24, receives the position information of the information output device 3 designated from the IP connection management unit 24, and establishes the second connection if it is not established, It has a function of transmitting an authentication request to the information output device 3, receiving an authentication request from the information output device 3, and returning it to the IP connection management unit 24.

  The third connection unit 35 is called from the IP connection management unit 24 and receives the location information of the information output device 3 designated from the IP connection management unit 24. If the third connection is not established, the third connection unit 35 is established. It has a function of transmitting an authentication token and a device operation command passed from the IP connection management unit 24.

  The fourth connection unit 36 is called from the IP connection management unit 24, transmits the device search command received from the IP connection management unit 24 by establishing the fourth connection, and sends the received device search result to the IP connection management unit 24. Has a function to return.

  FIG. 3 is a block diagram showing an internal configuration of the Web application execution unit 21 and the application authentication processing unit 23 in the information operating device 1 of FIG. In FIG. 3, the PF application execution unit 22 is omitted, but the application authentication processing unit 23 is provided inside the PF application execution unit 22 as in FIG. 2. The detailed configuration of the information processing apparatus will be described below with reference to FIG.

  The web application execution unit 21 includes a page execution unit 51 (so-called web browser) having a function of displaying and executing a web application, and an authenticator (authentication) that proves that the web application itself is operating on a regular platform. An authentication request unit 52 having a function of requesting a token), an operation command generating unit 53 having a function of generating a remote device operation command, an operation command transmitting unit 54 having a function of transmitting a device operation command, and an authentication token. An authentication token transmission unit 55 having a transmission function.

  The authentication request unit 52, the operation command generation unit 53, the operation command transmission unit 54, and the authentication token transmission unit 55 other than the page execution unit 51 formed of a web browser are software modules in the web application.

  The application authentication processing unit 23 includes an authentication token generation unit 61 having a function of generating an authentication token for proving that the application is a correct platform, and a start application URL having a function of managing a URL of a page displayed first by the application The management unit 62 includes a key management unit 63 having a function of managing a key for generating an authentication token, and an authentication processing unit 64 having a function of making an authentication request to the HTTP server or the WebSocket server.

  By separating the application authentication processing unit 23 and the web application execution unit 21, it is possible to generate an authentication token for guaranteeing the validity of the platform safely without storing secret information on the web application execution unit 21 side. become.

  The page execution unit 51 in the web application execution unit 21 has a function of receiving a web application start request and start position information (start URL information) from the input reception unit 25 and the start application URL management unit 62 and executing the web application. Have. When receiving a start request, the page execution unit 51 passes start URL information to the HTTP processing unit 26 and acquires the Web application. Furthermore, it has a function to execute the web application based on the processing contents described in the learned web application. Further, when the authentication request is included in the Web application, the authentication request unit 52 is called by specifying the position information (for example, IP address) of the information output device 3 to acquire the authentication token, and then the authentication request is sent to the authentication token transmission unit 55 The authentication token acquired from the unit 52 is passed and called. Further, when the operation request is included in the Web application, the device operation command is generated by designating the device operation command identifier, calling the operation command generation unit 53, and specifying the device operation command in the operation command transmission unit 54. Has a function to call. Further, the page execution unit 51 has a function of passing location information of the origin of the application being executed in accordance with a request from the application origin giving unit 27.

  The authentication request unit 52 has a function of receiving the position information of the information output device 3 from the page execution unit 51 and calling the authentication token generation unit 61 of the application authentication processing unit 23. Further, it has a function of receiving an authenticator (authentication token) from the authentication token generation unit 61 and passing it to the page execution unit 51. As will be described later, when multiple authenticators are encrypted, the user may input a password and pass the password to the authentication token generator 61.

  The authentication token transmission unit 55 has a function of receiving the location information and the authentication token of the information output device 3 from the page execution unit 51, passing the location information and the authentication token of the information output device 3 to the application origin giving unit 27 and calling them. The authentication token transmission unit 55 has a function of receiving the connection unit identifier (identifier of the third connection unit 35) from the application origin providing unit 27 and storing it in the main memory 13 or the like.

  The operation command generation unit 53 has a function of receiving the type of device operation command from the page execution unit 51, generating a device operation command in a specific format, and passing it to the page execution unit 51. As long as this format is determined in advance between the information output device 3 and the operation command generator 53, the detailed format of the format is not limited.

  The operation command transmission unit 54 receives the device operation command from the page execution unit 51, acquires the identifier of the connection unit stored in the main memory 13 or the like by the authentication token transmission unit 55, sends the device operation command to the transmission message, and specifies the transmission destination. The 3-connection unit 35 has a function of passing to the IP connection management unit 24 and calling it. At this time, as long as the connection is not disconnected, a plurality of device operation commands can be transmitted without retransmitting the authentication token.

  The application origin giving unit 27 receives the authentication token and the location information of the information output device 3 from the authentication token sending unit 55, and acquires the location information (URL information) of the application origin from the page execution unit 51 and gives it to the authentication token. To do. In addition, it has a function of passing an authentication token with application origin information to the IP connection management unit 24 as a transmission message and a transmission destination as position information of the information output device 3. By the application origin giving unit 27, the information output device 3 can grasp which application has issued the device operation command.

  The authentication token generation unit 61 receives the authentication request from the authentication request unit 52 of the Web application execution unit 21 together with the position information of the information output device 3, and when the second connection as the authentication connection is not established It has a function of requesting the IP connection management unit 24 to establish an authentication connection. That is, it has a function of passing an authentication request command as a transmission message and position information of the information output device 3 as a transmission destination and calling the second connection unit 34 to make a request for establishing a second connection. If the second connection has already been established, only the authentication request message is sent. Also, a connection establishment result (only when connection is established) and a message from the authentication destination are received from the IP connection management unit 24, and these are passed to the application authentication processing unit 23 to request execution of authentication, and the result is authenticated. It passes to the request unit 52. For example, in the case of authentication by challenge and response, a function that receives a challenge that is a response to the authentication request command from the IP connection management unit 24 and passes it to the application authentication processing unit 23, and a response from the application authentication processing unit 23 And a function of returning it to the authentication request unit 52 as an authentication token. When a password is received from the authentication request unit 52, the received password is also passed to the application authentication processing unit 23 when the application authentication processing unit 23 is requested to execute authentication.

  The application authentication processing unit 23 receives the authentication request from the authentication token generation unit 61 together with the message received from the authentication destination, issues a key acquisition command to the key management unit 63, and receives the received key and the message received from the authentication destination. It has a function to generate an authentication token. For example, in challenge-and-response, a response is generated using a method (such as HMAC-SHA1 or HMAC-MD5) using a message (challenge) and a key received from an authentication destination. It has a function of passing this response as an authentication token to the authentication token generating unit 61. Before generating this response, the response may be generated after further encrypting the challenge with another key. That is, the response may be encrypted in multiple. As this key, there is a method of receiving and using a password input by the user from the authentication request unit 52. As an encryption method, a generally known method such as a common key encryption such as AES or an XOR operation may be used. Similarly, a key for generating a response may be encrypted with the password input by the user, and then a response may be generated with the encrypted key. The generated response may be further encrypted with the password input by the user. May be used.

  The key management unit 63 has a function of passing a key in response to a key acquisition request from the application authentication processing unit 23. This key has a function of being stored in a place where it cannot be read or difficult to read by other than the key management unit 63 and obtained from that place.

  The start application URL management unit 62 has a function of reading start URL information from secondary storage or the like when starting an application and passing it to the page execution unit 51 to request the start of the Web application.

  The IP connection management unit 24 has a function of establishing a connection with a server and transmitting / receiving data using a communication protocol such as WebSocket protocol or HTTP. As a destination server designation, a location identifier (FQDN information or IP address information) or connection identifier information that has already been connected is received. When a location identifier is designated, the server is first connected with the corresponding server based on the location identifier information. Establish a connection. After that, when a location identifier is specified, it has a function of sending a connection message specified by the caller using a connected connection, and when receiving connection identifier information that has already been connected, using the specified connection. . It also has a function of receiving a response from the server and returning it with the connection information to the caller. The IP connection management unit 24 can send an authentication token and a device operation command via the third connection unit 35 and an authentication request via the second connection unit 34. Moreover, it also has a function of managing the first connection unit 33 that acquires applications. For this purpose, a plurality of connection units can be managed simultaneously, and the connection unit to be used is classified according to the caller or connection identifier.

  In addition, when a connection disconnection or connection failure occurs, the IP connection management unit 24 determines the connection part where the connection disconnection or connection failure has occurred, determines the establishment request source block of the connection part, and returns an error. It may have a function. In addition, when the information search device 1 includes a device search processing unit 28 described later, the IP connection management unit 24 separately manages a fourth connection unit 36 that manages a fourth connection that is a device search connection. Also have.

  The device search processing unit 28 receives the search command of the information output device 3 to generate a device search command, and uses the IP connection management unit 24 and the fourth connection unit 36 called from the IP connection management unit 24 to use the information output device 3. And a list of position identifiers of the found information output device 3 is returned. As a device discovery protocol, a generally known protocol such as UPnP or NetBIOS may be used. When the web application execution unit 21 knows the position identifier of the information output device 3 in advance, the device search processing unit 28 is not necessarily required. The device search processing unit 28 eliminates the need to previously set information on which operated device exists in the network 2 on the operating device side. When the device search processing unit 28 does not exist, the fourth connection unit 36 is not essential.

  The application authentication processing unit 23 uses the location identifier of the information output device 3 acquired by the device search processing unit 28 to send / receive an authentication request and an authentication token to / from the information output device 3 via the second connection unit 34. I do.

  The input receiving unit 25 has a function of receiving a user input and passing the input content to the page execution unit 51 in accordance with the input. For example, when a link included in a page is selected by an external input device such as a mouse or a keyboard, selection information is transmitted to the page execution unit 51, and the page execution unit 51 acquires and executes a link destination page based on the received selection information. .

  The HTTP processing unit 26 receives the location identifier (URL information) of the acquired data together with the data acquisition request on the server, connects to the server corresponding to the URL information via the IP connection management unit 24 and the first connection unit 33, and acquires the data It has a function to perform. The received data has a function of passing to the data acquisition request source.

  FIG. 4 is a block diagram showing an internal configuration of the information output apparatus 3 in the first embodiment. 4 includes an IP connection management unit 70, a message analysis unit 71, an authentication challenge generation unit 72, an authentication token inspection unit 73, a device operation command processing unit 74, an application origin inspection unit 75, and a device search response unit. 76, first to fourth connection sections 78, 34-36. In the present specification, the second to fourth connection units 34 to 36 in the information operating device 1 and the second to fourth connection units 34 to 36 in the information operating device 1 are denoted by the same reference numerals. That is, the connection establishment process is performed between the connection parts having the same reference numerals.

  The IP connection management unit 70 has functions of establishing a connection with the information operating device 1 and transmitting / receiving data using a communication protocol such as WebSocket protocol or HTTP. The IP connection management unit 70 separately manages the second connection unit 34 and the third connection unit 35, and receives the authentication token, the origin information, and the device operation command in the third connection unit 35, and the second connection unit And a function of receiving an authentication request at 34 and transmitting an authentication challenge as an authentication requestor. To this end, the IP connection management unit 70 is capable of managing a plurality of connection units at the same time, and has a function of separating connection units to be used according to a caller or a connection identifier. In addition, when the information output device 3 includes a later-described device search response unit, the IP connection management unit 70 establishes a device search connection, receives a search command, and transmits a response to the search command. 36 is also managed separately. Further, the IP connection management unit 70 may have a function of separately managing the first connection unit 78 that acquires the permitted source list.

  The message analysis unit 71 divides the command received via the third connection unit 35 into a device operation command, an authentication token, and source information, and passes the authentication token to the authentication token inspection unit 73, where the source information is the application source inspection unit. 75. The device operation command has a function of receiving the inspection result from the application origin inspection unit 75 or the authentication token inspection unit 73 and passing it to the device operation instruction processing unit 74 only when the origin information and the authentication token are determined to be appropriate. .

  The authentication challenge generation unit 72 generates an authentication challenge and returns it to the request source via the second connection unit 34 when an authentication request is passed from the IP connection management unit 70 via the second connection unit 34. It has a function. This challenge may be generated by generating a random character string. In addition, it has a function of generating a response to the authentication challenge using key information (common key) stored in the information output device 3 and storing it as verification authentication token information.

  The authentication token inspection unit 73 has a function of inspecting the authentication token passed through the second connection unit 34. The authentication challenge generator 72 checks whether the authentication token passed in the verification authentication token information stored is present, and if it exists, returns a result indicating that the authentication token is proper. Returns a result that the authentication token is invalid. When the authentication token is appropriate, the authentication token information stored is deleted. As a result, it is possible to generate a password (one-time password) that is valid only once.

  The device operation command processing unit 74 processes the device operation command received from the information operation device 1 and controls a tuner unit (not shown) or sends an instruction to switch a video displayed on a screen output unit (not shown). It has a function.

  The application origin inspection unit 75 analyzes the header information at the time of establishing the third connection, determines the source of the application that has made the connection establishment request, and determines whether the source is included in the permitted source list. If it is included, it returns a result that the source is appropriate, and if it is not included, it has a function to return a result that is invalid. Here, the permitted source list is a list of Web application acquisition sources that can issue authentication tokens, and is provided for each Web application. The permitted origin list is managed by, for example, the web application distribution server 5.

  In response to a device search request from the information operating device 1, which will be described later, the device search response unit 76 performs a process of returning the name and IP address of the device itself. As a device search protocol, a method defined by the UPnP standard or a name search method using NetBIOS may be used. The device search response unit 76 is not an essential component.

  FIG. 5 is a block diagram showing an internal configuration of the Web application distribution server 5 in the first embodiment. The information output device 3 in FIG. 5 includes an HTTP server processing unit 43 and a content / media file acquisition unit 44. The HTTP server processing unit 43 includes the network interface unit 41 illustrated in FIG. 1, and the content / media file acquisition unit 44 includes the storage unit 42 illustrated in FIG. 1.

  The HTTP server processing unit 43 has a function of passing the URL information passed from the information operating device 1 to the content / media file acquiring unit 44 to request file acquisition, and passing the received file to the information operating device 1.

  The content / media file acquisition unit 44 converts the URL information passed from the HTTP server processing unit 43 into a file position in a storage (not shown) provided in the Web application distribution server 5, reads the file from the storage unit, and performs HTTP server processing. It has a function to pass to the unit 43.

  FIG. 6 is a flowchart illustrating an example of a processing procedure when the web application execution unit 21 and the application authentication processing unit 23 in the information operating device 1 are activated. At startup, the first page to be displayed set for each application (apparatus) is acquired from the Web application distribution server 5 and executed. The details are as follows.

  The start application URL management unit 62 in the application authentication processing unit 23 loads URL information of a page to be displayed first at the time of application activation from the area managed by the start application URL management unit 62 such as storage, and the page execution unit 51 The URL information is passed to request page display (step S1).

  The page execution unit 51 receives the URL information, and requests the HTTP processing unit 26 to obtain page data pointed to by the URL information (step S2).

  The HTTP processing unit 26 connects to the server pointed to by the URL, issues a page acquisition command based on the URL information, and returns the data to the page execution unit 51 after acquiring the page data (step S3). The page execution unit 51 starts executing the web application based on the acquired data (step S4).

  By changing the URL information managed for each information operating device 1, the page data acquired from the server changes, so that the processing content can be changed. For example, the channel change application (apparatus) and the recording / viewing application (apparatus) can be realized as separate applications.

  When an authentication request command appears during the execution of the Web application, establishment of an authentication token authentication connection (second connection) indicating the validity of the platform, and device operation connection (first connection) with the information output device 3 3 connection) is established.

  FIG. 7 is a flowchart showing an example of a processing procedure when an authentication request command is detected when performing authentication by challenge and response.

  When the page execution unit 51 detects an authentication request command during execution of the Web application (step S11), it passes the position information of the information output device 3 to the authentication request unit 52 and makes an authentication request. At this time, the password received by requesting the user to input the password may be passed to the authentication request unit 52. Next, when receiving the location information and password of the information output device 3 to the authentication token generating unit 61, the authentication requesting unit 52 passes the password and requests generation of the authentication token (step S12).

  The authentication token generation unit 61 acquires information of the second connection unit 34 (step S13), and confirms whether the second connection has already been established (step S14). If it has not been established yet, it requests the IP connection management unit 24 to establish a connection (authentication connection, second connection) with the information output device 3 from the location information of the information output device 3 (step S15). . The IP connection management unit 24 establishes a second connection with the information output device 3 using the second connection unit 34. After establishing the second connection, the authentication token generating unit 61 stores the identifier information of the second connection unit 34 in the main memory 13 or the like (step S16).

  When the process of step S16 is completed, or when the second connection has already been established, an authentication request is transmitted to the information output device 3 through the second connection unit 34 to the IP connection management unit 24 (step S16). S17).

  The IP connection management unit 24 receives the challenge from the information output device 3 through the second connection unit 34 (step S18), and the second connection unit 34 returns the challenge to the authentication token generation unit 61. At this time, the establishment of the second connection may be discarded. Next, the authentication token generation unit 61 passes the received challenge to the application authentication processing unit 23, and generates a response request (step S19).

  Upon receiving a challenge from the information output device 3, the application authentication processing unit 23 requests the key management unit 63 to obtain a key for generating a response. In accordance with the request from the application authentication processing unit 23, the key management unit 63 acquires a key from the storage or the like, and returns the key to the application authentication processing unit 23 (step S20). Thereafter, the application authentication processing unit 23 generates a response from the acquired key and challenge, and returns the response to the authentication token generation unit 61 (step S21). As an algorithm for generating a response, a generally known method such as HMAC-SHA1 or HMAC-MD5 may be used. At this time, a key used for challenge, response, and challenge generation may be further encrypted with the password received from the page execution unit 51.

  The authentication token generation unit 61 returns an authentication token for the authentication request unit 52 to the authentication token transmission unit 55. At this time, the authentication token is used as a transmission message, the position information of the information output device 3 is used as connection destination information, and the authentication token transmission unit 55 is requested to transmit the authentication token (step S22).

  The authentication token transmission unit 55 passes a connection establishment request to the source information adding unit together with the authentication token, and the source information adding unit acquires the location information (URL information) of the source of the application from the page execution unit 51 and transmits it to the transmission data. The transmission data and the connection destination information are transferred to the IP connection management unit 24 (step S23).

  The IP connection management unit 24 establishes a third connection (operation connection) with the information output device 3 through the third connection unit 35 based on the received connection destination information (step S24).

  Thereafter, the IP connection management unit 24 transmits an authentication token to the information output device 3 via the third connection unit 35 (step S25), and returns the identifier information of the third connection unit 35 to the authentication token transmission unit 55. Finally, the authentication token transmission unit 55 stores the received identifier information of the third connection unit 35 in the main memory 13 or the like (step S26). At this time, the third connection unit 35 can transmit the device operation command any number of times using the third connection unit 35 without disconnecting the third connection.

  In the WebSocket protocol, the third connection is disconnected when the page is moved by the page execution unit 51, that is, when another page starts to be executed, or when the Web application itself explicitly disconnects the connection. At that time, the authentication process shown in FIG. 7 is performed again. In HTTP, since the connection is generally disconnected for each communication, an authentication token and a device operation command are transmitted simultaneously.

  When a device operation command appears during execution of the Web application, the device operation command is transmitted via the third connection unit 35.

  FIG. 8 is a flowchart showing an example of a procedure for transmitting a device operation command from the information operating device 1 to the information output device 3. When a device operation command appears during the execution of the Web application, the page execution unit 51 notifies the operation command generation unit 53 of the operation request content and makes a device operation request generation request (step S31).

  The operation command generating unit 53 generates a device operation command in a specific format that can be sent through the third connection via the third connection unit 35, and returns it to the page execution unit 51 (step S32). The page execution unit 51 passes the device operation command received from the operation command generation unit 53 to the operation command transmission unit 54 and requests transmission of the device operation command. The operation command transmission unit 54 acquires the identifier information of the third connection unit 35 stored by the authentication token transmission unit 55 when the third connection is established from the main memory 13 or the like (step S33).

  When the identifier information cannot be acquired (step S34), the operation command transmission unit 54 considers that the third connection has not been established and returns an error to the page execution unit 51 (step S35). When there is identifier information, the operation command transmission unit 54 passes the device operation command received from the page execution unit 51 and the identifier information of the third connection unit 35 acquired from the main memory 13 to the IP connection management unit 24. Request transmission of equipment operation command. The IP connection management unit 24 identifies the connection from the identifier information of the first connection unit, passes the device operation command to the third connection unit 35, and transmits the device operation command (step S36). Again, by not disconnecting the third connection, it is possible to transmit the device operation command many times using the third connection unit 35.

  FIG. 9 is a flowchart showing an example of a processing procedure of the information output apparatus 3 when receiving an authentication request. When the second connection is established by the second connection unit 34 and the authentication request is received (step S41), the IP connection management unit 70 of the information output device 3 sends an authentication request (challenge) to the authentication challenge generation unit 72. ) Is requested (step S42). In response to the request, the authentication challenge generation unit 72 generates, for example, a random character string as a challenge. Also, an authentication key stored in a storage area such as a storage (not shown) of the information output device 3 is acquired (step S43), an authenticator (response) corresponding to the challenge is generated, and an authenticator list (response list) (Step S44). At this time, the password may be further encrypted with a challenge or response, or an authentication key for generating a challenge. Further, the generated authentication requestor (challenge) is returned to the IP connection management unit 70, and the IP connection management unit 70 returns an authentication requestor to the information operating device 1 via the second connection unit 34 (step S45).

  FIG. 10 is a flowchart showing an example of the processing procedure of the information output apparatus 3 at the time of the third connection establishment request. The IP connection management unit 70 of the information output device 3 calls the message analysis unit 71 when a request for establishment of the third connection is received through the third connection unit 35 (step S51). The message analysis unit 71 acquires the origin information of the establishment request source Web application included in the connection establishment request message (step S52), and passes it to the application origin inspection unit 75.

  The application origin inspection unit 75 acquires a permitted origin list from a storage area such as a storage of the information output device 3 (not shown), and determines whether the acquired origin information is included in the permitted origin list (step S53). If not included, an error is generated (step S54), and the third connection is disconnected. On the other hand, if it is included, the message analysis unit 71 also acquires authentication token (authentication) information included in the message of the connection establishment request (step S55) and passes it to the authentication token checking unit 73.

  The authentication token checking unit 73 acquires the authenticator list (response list) from the authentication challenge generating unit 72, and determines whether or not the received authentication token information is included in the response list (step S56). If it is included, it is determined that a correct authenticator has been sent, and the third connection establishment is completed (step S57). On the other hand, if there is no received authentication token information in the response list, the connection is disconnected assuming that an illegal connection is established (step S54).

  FIG. 11 is a sequence diagram illustrating an example of processing procedures of the information operation device 1 and the information output device 3 including generation of an authentication token and transmission of a device operation command in the first embodiment.

  At the time of the first authentication request, the information operating device 1 first requests the information output device 3 to establish a second connection by the second connection unit 34 (step S61). Next, the information operating device 1 receives the authentication challenge generated by the information output device 3 (steps S62 and S63), generates a response, and uses it as an authentication token (step S64).

  Next, prior to the request for establishment of the third connection by the third connection unit 35, the information operating device 1 adds the origin information of the web application to the transmission message (step S65), and the information output device 3 The origin information is transmitted together with the request for establishing the connection (step S66).

  The information output device 3 verifies the authentication token passed through the third connection (step S67), and if it is correct, continues the processing. Further, the information operating device 1 transmits a device operation command to the information output device 3 through the third connection unit 35 (step S68). When the third connection is disconnected due to page transition or the like, the information operating device 1 makes an authentication request again via the second connection unit 34 (step S69). Thereafter, the information operating device 1 disconnects the third connection (step S70).

  If the second connection is not disconnected, the second connection unit 34 does not need to make a second connection establishment request again. After the authentication request is made (step S71), the processing after step S62 is repeated.

  As described above, according to the present embodiment, an authentication token that guarantees the validity of the platform can be given to communication of a session for transmitting a device operation command. That is, the device output control of the information output device 3 using the source information of the Web application in HTTP, WebSocket, etc., which has been difficult since the source information is not reliable, can be reliably performed on the information output device 3 side. This makes it possible to implement flexible access control during remote operation, such as changing the contents of device operations that can be performed by a Web application.

  For example, it is assumed that the recorded content deletion function of the operated device is released to a web application distributed on www.toshiba.com via the WebSocket protocol. In the case of only checking the header included in WebSocket, the information manipulation device 1 that adds www.toshiba.com as the source information regardless of the actual source of the application is allowed to delete the content, and www.toshiba.com There is a possibility that content will be deleted from a malicious web application that is placed on other servers, especially servers where anyone can freely place a web application.

  The present embodiment is greatly characterized in that the web application execution unit 21 and the application authentication processing unit 23 are separated. In general, it is difficult to provide confidential information in JavaScript, which is a language for describing the processing contents of a Web application (corresponding to a part of the Web application execution unit 21 such as JavaScript), and to ensure the validity of the platform. It is unsuitable for storing such keys. Therefore, in the present embodiment, the Web application execution unit 21 and the application authentication processing unit 23 are separated, and the key information that is secret information is provided on the side of the application authentication processing unit 23 that is difficult to analyze, and a part of authentication or generation of an authentication token is performed. By executing the processing, it is difficult to create a platform that performs the equivalent operation, that is, the emulation of this embodiment. In the present embodiment in which the Web application execution unit 21 and the application authentication processing unit 23 are separated, the authentication request unit 52 and the authentication token generation unit 61 have a function of connecting both modules.

  If the common key for generating the authentication token cannot be acquired, authentication with the information output device 3 cannot be performed, so that the information output device 3 can correctly determine whether it is a device operation command from the correct platform.

  Further, in many cases, the application environment itself (browser) of the web application cannot be changed, but in this embodiment, the application authentication processing unit 23 and the browser part (part of the web application execution unit 21) are clearly separated. There is also an advantage that the application authentication processing unit 23 can be implemented as a plug-in or the like.

  Furthermore, the application authentication processing unit 23 and the Web application execution unit 21 side may be separated from each other in modules, may have different languages used for mounting, and often cannot share the same connection. For this reason, in the present embodiment, the third connection unit 35 that manages the operation connection (third connection) used by the Web application execution unit 21 and the authentication connection (second connection) used by the application authentication processing unit 23. It is also a great feature that the second connection unit 34 that manages the connection) is separated.

  When the connection is separated, it is necessary to be able to confirm on the information output device 3 side that the second connection and the third connection are established with the same information operating device 1. That is, it is necessary to distinguish whether the third connection is made from a malicious application that imitates the protocol or from a legitimate application. In order to solve this, in the third embodiment, the third connection unit 35 that manages the third connection established from the Web application execution unit 21 that cannot store the secret information uses the second connection unit 34 to perform the application authentication process. The authentication token generated by the unit 23 is received from the application authentication processing unit 23 and sent to prove to the information output device 3 that the operation connection is established from the correct platform. In order to realize this function, it is a characteristic point of the present embodiment that an IP connection management unit 24 for independently managing the third connection unit 35 and the second connection unit 34 is provided.

  As related technologies, there are research and patents related to security for mobile agents, for example, research and patents for verifying the correctness of mobile agents on the platform to which the mobile agent moves. According to Patent Document 1, it is possible to prevent the operation of an unauthorized mobile agent that has been tampered with by signing the mobile agent on the platform of the movement source and verifying that the mobile agent has not been tampered with at the movement destination. However, in the system assumed in the present embodiment, even if the application including the device operation code is signed, the information output apparatus 3 receives only the device operation command. Therefore, the signature of the application cannot be verified. Correctness cannot be guaranteed. Although it is possible to sign only the device operation command, there is a possibility that the entire device operation command signed on the platform imitating the device operation protocol is copied and used for another application. According to the present embodiment, even if a device operation instruction is copied, an authentication token cannot be generated unless an authentication key (common key) included in the code described in the native code and difficult to extract is copied, and the device It is not possible to create a platform for performing illegal operations.

  As described above, in the first embodiment, according to the Web application executed by the information operating device 1, the second connection unit 34 establishes the second connection and requests the authentication to the information output device 3, and receives this request. The information output device 3 generates an authentication requestor (challenge) and transmits it to the information operating device 1.

  The information operating device 1 that has received the authentication requester encrypts the authentication requestor using the common key managed by the key management unit 63 and generates an authentication token. This authentication token is transmitted to the information output device 3 that has transmitted the authentication requester, and the information output device 3 that has received the authentication token encrypts the authentication requestor with the common key that it owns and matches the received one. Whether or not the authentication token is transmitted from the legitimate information operating device 1 can be verified.

  Further, the information operation device 1 transmits a request for establishing a third connection for transmitting the authentication token and the device operation command to the information output device 3 before transmitting the authentication token to the information output device 3. At that time, the origin information of the Web application is included as header information of the establishment request for the third connection. The information output device 3 that has received the request for establishment of the third connection verifies whether or not the origin of the Web application included in the establishment request is registered in its own authorized origin list and is registered Only the third connection establishment process is performed. As a result, it is possible to prevent the information output device 3 from being arbitrarily operated by a device operation command transmitted from an unintended Web application.

  Furthermore, the information operating device 1 includes a first connection unit 33 that manages a first connection for acquiring a Web application from the Web application distribution server 5 and a second connection for transmitting and receiving an authenticator and an authentication requestor. A second connection unit 34 for managing the connection and a third connection unit 35 for managing the third connection for transmitting the authentication token and the device operation command are separately provided, and management of these connection units is performed by IP connection management. Since it is performed by the unit 24, various information transmitted and received by each connection can be managed in a unified manner.

  In addition, a common key used for generating an authentication token is held in the application authentication processing unit 23 in the PF application execution unit 22, and the web application execution unit 21 that executes a web application written in a general language such as HTML or JavaScript is used. However, since the common key is not managed, the common key can be managed safely.

(Second Embodiment)
In the first embodiment, the application authentication processing unit 23 has not inspected the origin of the web application executed by the page execution unit 51. For this reason, for example, even when a malicious web application operates and makes an authentication request, there is a drawback that an authentication token is passed. For this reason, when a malicious web application passes an authentication token to the outside, the information output device 3 can be illegally operated in cooperation with a malicious platform that imitates information transmitted and received by the third connection unit 35. End up. For this reason, in the second embodiment, by checking the origin of the web application, for example, the authentication token can be passed only to the web application acquired from the reliable web application distribution server 5 to prevent unauthorized use of the authentication token. It becomes possible.

  FIG. 12 is a block diagram illustrating an example of an internal configuration of the information operating device 1 according to the second embodiment. 3 in that an application origin inspection unit 65 and a permitted origin list inspection unit 66 are added to the application authentication processing unit 23 of FIG. Of these, the permitted origin list inspection unit 66 is not an essential component. In FIG. 12, the PF application execution unit 22 is omitted, but the application authentication processing unit 23 is provided inside the PF application execution unit 22 as in FIG.

  The application origin inspection unit 65 has a function of determining whether or not an authentication token can be passed to the origin from the origin information of the currently executed page. For this purpose, the application origin inspection unit 65 obtains the origin information of the currently executed page from the page execution unit 51 when the authentication request generation unit 61 requests the authentication token generation unit 61 to generate an authentication token. . Further, a list of source information that may be given a token from the data storage area such as the storage unit 17 and the main memory 13 in the information operating device 1 (hereinafter referred to as a permitted source list) is acquired, and the list currently being executed is included in the list. Determine whether page origin information is included. If the origin information is included, it is determined that the authentication token can be passed, and the processing is continued. If the origin information is not included, it is determined that the authentication token should not be passed, and the page execution unit 51 is determined. Function to return an error. For example, if the www.toshiba.com and www.toshiba.co.jp domains are included in the permitted source list, an authentication token if the running web application is a web application obtained from the www.toshiba.com domain But does not pass an authentication token for web apps obtained from the www.toshiba.co.uk domain. Further, when the information operating device 1 includes the permitted source list inspection unit 66, the information operating device 1 has a function of passing the permitted source list and requesting the validity verification of the permitted source list.

  In addition, there is a risk of passing an authentication token to the information output device 3 that is not assumed to be falsified. For this reason, the information manipulation device 1 according to the second embodiment may include a permitted origin list inspection unit 66 that performs falsification verification of the permitted origin list. If the application origin list can be stored in a storage area that is difficult to tamper with, such as a read-only memory, the permitted origin list inspection unit 66 is not an essential component. The permitted source list checking unit 66 verifies the signature by giving the signature given to the permitted source list using the public key held by the permitted source list checking unit 66, and returns an error when the tampering is detected. It has a function. As a signature verification method, a generally known method such as RSA signature or DSA signature may be used.

  FIG. 13 is a diagram showing an example of the data structure of the permitted source list 10. The permitted source list 10 is divided into a permitted source list part 10a and a signature part 10b. The permitted source list part 10a includes (1) the number of permitted sources, (2) a list of permitted sources (the number of elements is (1) Specified). The origin information permitted at this time may include, for example, information using a regular expression, which is one of methods for expressing a set of character strings as one character string, which is defined by the POSIX standard. On the other hand, the signature part 10b includes a signature for verifying tampering with the permitted source list part 10a. This signature is signed by a secret key for the public key possessed by the permitted origin list inspection unit 66.

  FIG. 14 is a flowchart illustrating an example of a processing procedure when an authentication request command is detected. The flowchart in FIG. 14 differs from that in FIG. 7 in that the application origin verification process (1) to (4) is entered. Here, only the processes (1) to (4) will be described.

  When an authentication request is received from the authentication request unit 52, the authentication token generation unit 61 requests the application origin inspection unit 65 to perform application origin inspection. The application origin inspection unit 65 acquires the origin of the web application for which there is an authentication request currently being executed from the page execution unit 51 (step S81). That is, the page execution unit 51 has a function of acquiring the origin of the web application currently being executed and returning the origin data in response to the request.

  Next, the application origin inspection unit 65 acquires a permitted origin list from a storage device such as a storage (step S82). In the case where the information operating device 1 includes a permitted origin inspection unit, the application origin inspection unit 65 passes the permitted source list to the permitted source list inspection unit 66 and requests falsification verification of the permitted source list. The permitted origin list inspection unit 66 acquires a public key for verifying the signature given to the permitted origin list inspection unit 66 managed by itself (step S83). The permission list inspection unit verifies the signature of the permission source list using this public key (step S84). If no alteration is detected as a result of the verification, it is determined whether the origin of the application is included in the permitted origin list (steps S85 and S86).

  If tampering is detected in step S84, or if it is determined that it is not included in the permitted source list in step S85, an error is returned to the page execution unit 51 (steps S85, S87), and it is included in the permitted source list. Performs the processing from step S13 onward in FIG.

  According to the present embodiment, it is possible to prevent an authentication token from being generated for a Web application placed on the Web application distribution server 5 other than that assumed by the author of the permitted source list, and an authentication token can be used for an unauthorized Web application. Can reduce the risk of generation. The risk of unauthorized use of the authentication token, that is, remote operation by an unauthorized web application can be prevented.

  As described above, in the second embodiment, when making an authentication request to the information output device 3, whether or not the origin of the Web application that has made the authentication request is registered in the permitted origin list Therefore, there is no possibility that an authentication request from an unintended Web application is transmitted to the information output device 3.

(Third embodiment)
In the second embodiment, the permitted source list is not updated. For this reason, the permitted source list is fixed, and it is impossible to add or delete the Web application distribution server 5 where the Web application that permits remote operation is placed. In contrast, in the third embodiment, the permitted source list is updated, and the Web application distribution server 5 can be added or deleted.

  FIG. 15 is a block diagram illustrating an example of an internal configuration of the information operating device 1 according to the third embodiment. FIG. 15 differs in that a permitted origin list acquisition unit 67 is added to the application authentication processing unit 23 of FIG. In FIG. 15, the PF application execution unit 22 is omitted, but the application authentication processing unit 23 is provided inside the PF application execution unit 22 as in FIG.

  The permitted origin list acquisition unit 67 uses the HTTP processing unit 26 to acquire the permitted source list from the web application distribution server 5 via the IP connection management unit 24 and the first connection unit 33 called from the IP connection management unit 24. If it has been updated, it has a function of issuing a verification request by passing the acquired permitted source list to the permitted source list inspection unit 66. For example, whether or not it has been updated may be compared with the permitted source list stored in the information operating device 1 or with the last update date and time of the list file. Further, the verification result of the permitted source list inspection unit 66 is acquired, and when the alteration is not detected, the permitted source list stored in the storage of the information operating device 1 is added to the permitted source list acquired from the web application distribution server 5. Has a function to replace.

  FIG. 16 is a block diagram showing the internal structure of the Web application distribution server 5 in the third embodiment. The difference is that a permission list acquisition unit 45 is added to the Web application distribution server 5 of FIG.

  The permission list acquisition unit 45 has a function of acquiring the latest permission source list from a storage (not shown) in accordance with a request from the information operating device 1 or the information output device 3 and returning it to the request source via the HTTP server processing unit 43. By updating the permitted source list managed by the Web application distribution server 5, the information operating device 1 and the information output device 3 can keep the permitted source list up-to-date.

  FIG. 17 is a flowchart showing an example of a processing procedure for updating the permitted source list. The permission list acquisition unit 45 is called when the information operating device 1 is started or periodically at regular intervals, and the latest permission source list is called from the HTTP processing unit 26 and the HTTP processing unit 26. Obtained (downloaded) from the Web application distribution server 5 via the first connection unit 33 called from the IP connection management unit 24 (step S91). Then, a comparison is made with the permitted origin list stored in the information operating device 1 (step S92). If it is determined that there is no update, the process is terminated. If it is determined that there is an update, a public key for signature verification is obtained from the information operating device 1 (step S93), and the Web application distribution server 5 is acquired. The signature of the permitted origin list acquired from (1) is verified (step S94). If tampering occurs, an error is generated (steps S95 and S96). If tampering is not detected, the permission source list stored in the information operating device 1 is acquired from the web application distribution server 5. The source list is overwritten (steps S95 and S97).

  As described above, in the third embodiment, since the web application distribution server 5 updates the permitted source list, the information operating device 1 periodically accesses the web application distribution server 5 to update the permitted source list. By obtaining the version, the permitted source list held by the information operating device 1 can always be kept up-to-date.

(Fourth embodiment)
The fourth embodiment described below has a function of assigning a permission source list to a usage certificate issued by a reliable server for each application, and determining whether or not to pass an authentication token based on the list. Allowed source information can be changed on a Web application basis. Here, the usage permit is information that proves that the Web application that transmits the device operation instruction is distributed from the regular Web application distribution server 5, and the usage certificate is issued for each Web application. The A license is not issued for every Web application, and the Web applications that can use the license are limited.

  FIG. 18 is a block diagram illustrating an example of an internal configuration of the information operating device 1 according to the fourth embodiment. 18 differs from the application authentication processing unit 23 of FIG. 3 in that a usage permit analysis unit 68 is added and a usage permit management unit 56 is added to the Web application execution unit 21 of FIG. In FIG. 18, the PF application execution unit 22 is omitted, but the application authentication processing unit 23 is provided inside the PF application execution unit 22 as in FIG. 2.

  The usage permit management unit 56 acquires a usage permit from the web application distribution server 5 for each web application from a reliable server via the IP connection management unit 24 and the first connection unit 33 called from the IP connection management unit 24. It has a function of passing to the license analysis unit 68. In this case, application identification information is passed. The usage permit includes permission source list information and signature information along with device operation permission information. This signature is signed with public key cryptography. A publicly known method such as RSA encryption may be used as the public key encryption method.

  The license analysis unit 68 has a function of analyzing the license acquired from the license management unit 56 and extracting a license origin list.

  FIG. 19 is a block diagram showing the internal structure of the Web application distribution server 5 in the fourth embodiment. The difference is that a usage certificate generating unit 46 is added to the Web application distribution server 5 of FIG.

  The usage certificate generating unit 46 has a function of generating and returning a usage certificate for each Web application in accordance with a usage certificate acquisition request from the information operating device 1. The usage certificate generation unit 46 receives the identification information of the web application, obtains permission source list information and device operation permission information corresponding to the web application from a storage (not shown), signs them, and passes them through the HTTP server processing unit 43. Function to return to the request source. The usage certificate generation unit 46 does not dynamically generate a usage certificate at the time of acquisition request, but generates a usage certificate in advance and stores it in a storage (not shown). It may have a function of reading and returning a usage permit.

  FIG. 20 is a flowchart illustrating an example of a processing procedure when an authentication request command is detected. 14 differs from FIG. 14 in the permitted source list acquisition method of (1) to (2). Here, only the processes (1) to (2) will be described.

  The usage permit management unit 56 is called from the application origin inspection unit 65, and acquires a usage permit for each application from the web application distribution server 5 via the first connection unit 33 called from the IP connection management unit 24 (step S101). ). Next, the obtained license is passed to the license analyzer 68. The usage license analysis unit 68 analyzes the received usage license and extracts a permitted origin list from the usage certificate (step S102). Furthermore, it passes to the permission origin list inspection part 66, and requests the inspection of the presence or absence of falsification.

  The usage permit acquired from the Web application distribution server 5 is sent to the information output device 3 together with the device operation command. The information output device 3 that has received the usage permit and the device operation command determines whether to accept the device operation command based on the contents of the usage permit.

  As described above, in the fourth embodiment, the information operating device 1 obtains a usage permit from the web application distribution server 5 and makes an authentication request based on the permitted origin list included in the usage permit. Therefore, there is no possibility of sending an authentication request from an unintended Web application to the information output device 3. Further, the information operating device 1 can verify that the web application is transmitted from the legitimate web application distribution server 5 based on the usage permit.

(Fifth embodiment)
In the first embodiment, the caller of the application authentication processing unit 23 is not verified. Depending on the implementation form of the application authentication processing unit 23, only the application authentication processing unit 23 can be taken out and used for an unauthorized information manipulation device 1 in which the application origin information is fake. On the other hand, in the fifth embodiment, it is possible to prevent unauthorized diversion by verifying the call source of the application authentication processing unit 23 and determining whether it matches the assumed call source information.

  FIG. 21 is a block diagram showing an internal configuration of the information operating device 1 according to the fifth embodiment. FIG. 21 is obtained by adding a caller detection unit 81 and a platform verification unit 82 to the application authentication processing unit 23 of FIG.

  The caller detection unit 81 has a function of determining where in the web application the application authentication processing unit 23 has been called when an authentication request is made, and obtaining an identifier. The web application is a collection of a large number of software modules (hereinafter simply referred to as modules), and the call source detection unit 81 passes the call source module identifier to the platform verification unit 82 and calls it, so that the call source is correct. It has a function of requesting determination of whether or not there is.

  The platform verification unit 82 has a function of determining whether or not the caller is an assumed module. The identifier of the caller module is received from the caller detection unit 81, and the platform verification unit 82 acquires the caller information assumed by itself and the information of the actual caller module, and verifies whether they match. As a verification method at this time, it is assumed that the hash value of the caller module is calculated to determine whether it matches the expected one, and the flow of the module call (caller address) is referred to and assumed. There are a method for determining whether they match, a method for determining whether they match the file name of the calling module, and the like.

  In the present embodiment, it is possible to exclude an unauthorized caller without storing a secret in the caller, that is, the Web application execution unit 21.

  FIG. 22 is a flowchart showing a processing procedure when an authentication request command is detected in the fifth embodiment. The flowchart of FIG. 22 is different from FIG. 7 in that the platform verification process of (1) to (2) is entered. Here, only the processes (1) to (2) will be described.

  When the authentication request unit 52 calls the authentication token generation unit 61, the authentication token generation unit 61 requests the call source detection unit 81 to detect the call source (step S12). The caller detection unit 81 determines the module that has called the authentication token generation unit 61 (step S111), and returns the module identifier to the authentication token generation unit 61. The authentication token generation unit 61 further passes the module identifier received from the call source detection unit 81 to the platform verification unit 82 to request verification of the call source (step S112), and the platform verification unit 82 uses the module identifier. Module specific information (a) is acquired (step S113). As the unique information, a hash value of the module program, a caller address on the main memory 13 where the module exists, a file name, and the like can be considered. Further, the platform verification unit 82 acquires unique information (b) stored in advance in an area where alteration is difficult. Further, it is determined whether the unique information (a) acquired from the caller matches the assumed unique information (b) (step S114). If they match, it is determined that the caller is correct and the processing in steps S13 to S26 of FIG. 7 is continued. If they do not match, it is determined that the caller is invalid and an error is generated (step S115).

  As described above, in the fifth embodiment, a platform for verifying where the application authentication processing unit 23 is called from in order to prevent an unauthorized information manipulation device 1 that impersonates the application authentication processing unit 23 that generates an authentication token. A verification unit 82 is provided. Thereby, it is possible to specify where the application authentication processing unit 23 is called from within the Web application, and it is possible to prevent fraud such as faking the application authentication processing unit 23.

(Sixth embodiment)
In the fifth embodiment, it is assumed that the web application execution unit 21 does not have a secret. However, when the web application execution unit 21 can have secret information, the authentication of the application authentication processing unit 23 by authentication is performed. Unauthorized use prevention can be realized.

  FIG. 23 is a block diagram illustrating an internal configuration of the information processing apparatus according to the sixth embodiment. FIG. 23 is different from FIG. 21 in that a platform verification / authentication unit 57 is added in the Web application execution unit 21. In FIG. 23, the PF application execution unit 22 is omitted, but the application authentication processing unit 23 is provided inside the PF application execution unit 22 as in FIG.

  The platform verification authentication unit 57 has key information, and has a function of performing authentication with the platform verification unit 82 using the key. As this authentication method, a generally well-known method such as challenge and response may be used. Unless key information used for authentication is stolen, it is difficult to create an operation device that imitates the platform verification and authentication unit 57. Generally, authentication has a feature that the implementation cost is lower than the integrity verification described in the fifth embodiment, and the Web application execution unit 21 can be kept secret, that is, the Web application execution unit 21 has key information. Can be stored in a manner that is difficult to read from a third party, there is an advantage of using the sixth embodiment.

  FIG. 24 is a flowchart showing a processing procedure when an authentication request command is detected in the sixth embodiment. The flowchart of FIG. 24 is different from FIG. 22 in the platform verification processing of (1) to (2). Here, only the processes (1) to (2) will be described.

  When the authentication request unit 52 calls the authentication token generation unit 61, the authentication token generation unit 61 requests the call source detection unit 81 to detect the call source (step S12). The caller detection unit 81 determines the module that has called the authentication token generation unit 61 (step S111), and returns the module identifier to the authentication token generation unit 61. The authentication token generation unit 61 also passes the module identifier to the platform verification unit 82 and issues an authentication request. The platform verification unit 82 issues an authentication request to the platform verification authentication unit 57 of the module identified by the passed module identifier (step S121). The platform verification / authentication unit 57 responds to the authentication by using the key possessed by itself for the authentication request (step S122). As this authentication method, a generally well-known method such as challenge and response may be used. The platform verification unit 82 checks the authentication result (step S123). If the authentication is successful, the processing after the second connection unit 34 information acquisition in FIG. 7 (steps S13 to S26) is continued, while the authentication fails. Causes an error (step S124).

  As described above, in the sixth embodiment, when the web application execution unit 21 can have secret information, the platform verification authentication unit 57 is provided in the web application execution unit 21 to perform an authentication request. It is possible to specify where in the Web application the application authentication processing unit 23 has been called, and to prevent fraud such as faking the application execution unit 21.

(Seventh embodiment)
In the first embodiment, the validity of the key used for generating the authentication token is not confirmed. If the authentication token generation key is stolen, the authentication token can be illegally generated, and the information output device 3 can be remotely operated by an unauthorized platform. On the other hand, in the seventh embodiment, it is possible to check the validity of the key for generating the authentication token and to revoke (invalidate) the illegal key to cope with the threat at the time of key theft. .

  FIG. 25 is a block diagram illustrating an internal configuration of the information processing apparatus according to the seventh embodiment. FIG. 25 differs from FIG. 3 in that a revocation detection unit 83, a key revocation unit 84, and a key update unit 85 are added to the application authentication processing unit 23. 25, the PF application execution unit 22 is omitted, but the application authentication processing unit 23 is provided inside the PF application execution unit 22 as in FIG.

  In the present embodiment, the key management unit 63 manages a plurality of keys as shown in FIG. As key data, for example, it has information of a key number, key validity, and key information.

  The revocation detection unit 83 has a function of detecting key invalidity (revocation). As this method, for example, in cooperation with the information output device 3, the information output device 3 transmits a key number used for authentication along with the challenge via the second connection unit 34, and a key given by the revoke detection unit 83. It has a function of determining that a key less than the number is invalid, and a function of inquiring the invalid number of the key to the Web application distribution server 5.

  The key revocation unit 84 has a function of receiving the revoked key number information from the revocation detection unit 83 and actually revoking the key. For example, FIG. 26 shows a table in which the correspondence between key numbers, key validity, and key information managed by the key management unit 63 is registered. In the key information shown in FIG. 26, the key number 0 is invalid and 1, 2,... N are valid as an initial state. Write invalid information about the key validity information of 1 and 2.

  The key update unit 85 downloads the latest key information from the Web application distribution server 5 via the IP connection management unit 24 and the first connection unit 33 called from the IP connection management unit 24, performs signature verification, and detects falsification. If not, the key information stored in the operating device is overwritten. The key update unit 85 is not an essential configuration.

  FIG. 27 is a block diagram showing the internal structure of the Web application distribution server 5 in the seventh embodiment. 27 differs from FIG. 5 in that a key information providing unit 47 is added.

  The key information providing unit 47 acquires the latest key information from the storage included in the web application distribution server 5 (not shown) in accordance with the key information acquisition request from the information operating device 1 or the information output device 3, and the HTTP server processing unit 43 It has the function to transmit to a request origin via.

  FIG. 28 is a block diagram showing the internal structure of the information output device 3 in the seventh embodiment. The difference is that the information output device 3 of FIG.

  The key update unit 77 has a function of transmitting an acquisition request for the latest key information to the Web application distribution server 5 via the IP connection management unit 70 and the first connection unit 78 called from the IP connection management unit 70. When the key update unit 77 receives the key information, it overwrites the key information stored in a storage (not shown) of the information output device 3 with the received key information. The key update unit 77 is executed when the information output device 3 is activated or periodically, and can keep the key information up-to-date.

  FIG. 29 is a flowchart showing a processing procedure at the time of an authentication request including a revoke process in the seventh embodiment. The flowchart of FIG. 29 differs from that of FIG. 7 in that the processing from the response generation request to the response (authentication token) generation is different.

  After the authentication token generating unit 61 issues a request for generating a response corresponding to the challenge information (step S131), the revoke detecting unit 83 receives the key number (N and N) transmitted from the information output device 3 via the second connection unit 34. (Step S132), it is determined that a key less than the key number (0... N-1) is invalid, and the key revocation unit 84 is called. The key revocation unit 84 rewrites the key validity information of the key having the given key number 0... N-1 to the key information as shown in FIG. 26 (step S133). Thereafter, the key management unit 63 acquires key information of the key number N (step S134). The application authentication processing unit 23 generates a response from the acquired key information and the received challenge information, and returns it as an authentication token (step S135).

  FIG. 30 is a flowchart showing a processing procedure at the time of key update in the seventh embodiment. The key update unit 77 performs a key update process when the information operating device 1 is activated or at regular intervals. First, the key update unit 77 downloads the latest key data from the Web application distribution server 5 via the IP connection management unit 70 and the first connection unit 78 called from the IP connection management unit 70 (step S141). Next, the signature verification public key stored in the information operating device 1 is read (step S142), and signature verification of the downloaded key data is performed (step S143). If tampering is detected, an error is generated (steps S144 and S145). If no tampering is detected, the key data in the format shown in FIG. Is overwritten and saved (steps S144 and S146).

  As described above, in the seventh embodiment, the key data acquired from the Web application distribution server 5 is verified using the public key for signature verification possessed by the information operating device 1. Since the key is updated, the key can be updated safely.

  Here, a use scene of the invention according to the above-described embodiment will be described.

  In recent years, it has become common to write rich client applications (web applications) in HTML and JavaScript. Along with this, examples of describing application software to be executed by a digital application such as a digital TV, a mobile phone, a smart phone, etc. by a web application have come out. IPTV in digital TV is a straightforward example, and a standard for displaying a menu screen or a moving image playback screen using web application technology has appeared.

  This web application is executed in a browser-based execution environment that can interpret HTML and JavaScript. This web application is generally composed of a plurality of page files and media files. The media file here refers to a file that stores moving image data such as JPEG, GIF, and MPEG, and a file that stores audio data such as MP3. On the other hand, in a page file, control program information such as JavaScript may be stored in addition to arrangement information such as characters and images described in HTML and display character data. JavaScript is a protocol called HTTP (XMLHTTPRequest) or WebSocket, and can communicate with an HTTP server or WebSocket server.

  HTTP servers and WebSocket servers can be remotely operated by installing interfaces that operate various functions of the devices on the server. For example, when a WebSocket server is installed in a digital TV and channel change and recording reservation functions can be performed via the WebSocket protocol, remote control such as channel change and recording reservation can be performed from a web application that runs on the browser of a tablet terminal. It becomes possible to operate.

  When an information operation device for operating various functions of an information output device such as a digital TV is wirelessly transmitted from an information operation device such as a tablet terminal to remotely operate the information output device, the information operation device is connected to a web server. The web application in which the device operation command is described is acquired and executed, and the device operation command is transmitted to the information output device based on the execution result.

  Therefore, if the web application executed by the information operation device is not reliable, the information output device is operated without permission. In such a case, the invention according to the above-described embodiment allows the information output apparatus to be operated from the information operation apparatus while preventing the information output apparatus from being operated without the user's permission. Can be improved.

  At least a part of the information operation device 1 and the information output device 3 described in the above-described embodiment may be configured by hardware or software. When configured by software, a program that realizes at least a part of the functions of the information operating device 1 and the information output device 3 is stored in a recording medium such as a flexible disk or a CD-ROM, and is read and executed by a computer. Also good. The recording medium is not limited to a removable medium such as a magnetic disk or an optical disk, but may be a fixed recording medium such as a hard disk device or a memory.

  Further, a program for realizing at least a part of the functions of the information operating device 1 and the information output device 3 may be distributed via a communication line (including wireless communication) such as the Internet. Further, the program may be distributed in a state where the program is encrypted, modulated or compressed, and stored in a recording medium via a wired line such as the Internet or a wireless line.

  The aspect of the present invention is not limited to the individual embodiments described above, and includes various modifications that can be conceived by those skilled in the art, and the effects of the present invention are not limited to the contents described above. That is, various additions, modifications, and partial deletions can be made without departing from the concept and spirit of the present invention derived from the contents defined in the claims and equivalents thereof.

  DESCRIPTION OF SYMBOLS 1 Information operation apparatus, 3 Information output apparatus, 5 Web application distribution server, 21 Web application execution part, 23 Application authentication process part, 24 IP connection management part, 25 Input reception part, 26 HTTP process part, 27 Application origin provision part, 28 device search processing unit, 33 first connection unit, 34 second connection unit, 35 third connection unit, 36 fourth connection unit, 51 page execution unit, 52 authentication request unit, 53 operation command generation unit, 54 operation command transmission , 55 Authentication token transmission unit, 61 Authentication token generation unit, 62 Start application URL management unit, 63 Key management unit, 64 Authentication processing unit, 70 IP connection management unit, 71 Message analysis unit, 72 Authentication challenge generation unit, 73 Authentication token inspection unit, 74 Device operation command processing unit, 75 Application origin inspection unit, 76 Device search response Department, 77 key update unit, 78 first connection part

Claims (12)

An application execution unit that executes an application and generates a device operation instruction;
A first communication processing unit for transmitting an authentication request to the first communication device and receiving an authentication requestor transmitted from the first communication device in response to the authentication request;
An application authentication processing unit that generates a platform authenticator that is encrypted based on a key shared with the first communication device and the predetermined key information for the received authentication requestor;
An application origin information giving unit for giving origin information of the application to the platform authenticator;
An information operation device comprising: a second communication processing unit configured to transmit the device operation command and a platform authenticator to which the origin information is given to the first communication device. A third communication processing unit for performing connection establishment processing for transmitting a device search command for searching for the first communication device, and transmitting a device search command using the established connection;
A device search processing unit that receives, via the third communication processing unit, position identification information of the first communication device transmitted from the first communication device in response to the device search command;
The first communication processing unit and the second communication processing unit perform respective connection establishment processes with the first communication device that has transmitted the position identification information based on the position identification information. The information operation device according to claim 1. A permitted source list acquisition unit that acquires a permitted source list that lists acquisition destinations of applications that can issue the platform authenticator generation instruction;
An application origin verification unit that verifies whether the acquisition source of the application is included in the permitted origin list,
3. The information operating device according to claim 1, wherein the application authentication processing unit prohibits generation of the platform authenticator when it is verified that the application origin verification unit does not include the application authentication processing unit. A permitted origin list inspection unit for verifying whether or not a signature attached to the permitted origin list is correct with a public key for signature verification;
4. The information operating device according to claim 3, wherein the application authentication processing unit prohibits generation of the platform authenticator when the authorized source list checking unit verifies that the signature is not correct. A fourth communication processing unit for transmitting and receiving data to and from the second communication device;
The application execution unit acquires a usage permit certifying that the application is transmitted from a regular acquisition source from the second communication device via the fourth communication processing unit,
The information operating device according to claim 3 or 4, wherein the permitted origin list acquisition unit acquires the permitted origin list included in the usage permit.   6. The information operating device according to claim 4, wherein the permitted origin list is provided for each of the applications.   The permitted source list acquisition unit periodically receives the latest permitted source list transmitted from the second communication device via the fourth communication processing unit, and updates the permitted source list. An information operating device according to any one of claims 3 to 6. A platform verification unit that verifies whether at least one of the information for identifying the application execution unit and the procedure for executing the application by the application execution unit matches a presumed one,
8. The information operating device according to claim 1, wherein the application authentication processing unit generates the platform authenticator only when it is verified that the application is matched by the platform verification unit. 9. A revoke detector that inquires of the second communication device about the validity of the key used to generate the platform authenticator;
A key revocation unit that performs revocation processing of the key when information indicating that the revocation unit is invalid is received from the second communication device in response to the inquiry from the revocation unit. The information operating device according to claim 1.   The key information of the key used to generate the platform authenticator is received from the second communication device via the fourth communication processing unit, and the key invalidation process is performed based on the key information. The information manipulation device according to claim 1, further comprising a key revocation unit. A first communication processing unit for transmitting an authentication requestor to the information operating device;
A second communication processing unit for performing connection establishment processing for receiving a device operation command and a platform authenticator from the information operation device;
A permitted origin verification unit that verifies whether or not the origin information of the application included in the connection request of the second communication processing unit transmitted from the information manipulation device is registered in the permitted source list;
An authenticator verification unit for verifying whether or not the platform authenticator transmitted from the information manipulation device is registered in an authenticator list;
The device operation from the information operating device via the first communication processing unit when it is verified that it is registered by the permitted origin verification unit and is verified by the authenticator verification unit. An information output device comprising: a connection management unit that performs control to receive a command. Upon receiving an authentication request from the application, an authentication request is transmitted to the first communication device, and in response to this, a connection establishment process for receiving the authentication requestor transmitted from the first communication device is performed, and the authentication request Receiving a child;
Generating an authentication requestor received from the first communication device based on a key shared with the first communication device and key information input by a user;
Providing source information of the application to the platform authenticator;
A computer-readable information operation program for causing a computer to execute a step of transmitting a platform authenticator to which the device operation command and the origin information are given to the first communication device.

Images