JP6146818B2 - Information processing apparatus, information processing method, electronic device, communication method, and program - Google Patents

Description

The present invention relates to an information processing apparatus and information processing method, an electronic device and a communication method, and a program , and in particular, an information processing apparatus and an information processing method capable of securely providing a service that is not limited to the platform of a terminal device The present invention relates to an electronic device, a communication method, and a program .

  In recent years, application programs related to proximity communication can be provided in mobile terminal devices such as mobile phones equipped with IC (Integrated Circuit) chips that perform proximity communication by contact or non-contact, thereby providing various services. Has been made.

  However, since the mobile terminal device has a limited storage capacity of a memory for storing an application program for providing a service, the service that can be provided by the mobile terminal device alone is limited.

  Therefore, an application program related to near field communication is stored in a storage area associated with unique identification information on the server so that the application program is executed on the server when the mobile terminal device provides a service. A proposed system has been proposed (see, for example, Patent Document 1). As a result, the service can be provided without being limited by the storage capacity of the memory in the mobile terminal device.

JP 2002-354143 A

  However, the cited document 1 does not mention data processed by executing an application program on a server.

  For example, there is no mention of whether or not data processed by executing an application program on the server is stored on the server. Therefore, when data to be processed by executing the application program is stored on the mobile terminal device side, the capacity of the data is limited to the storage capacity of the memory of the mobile terminal device.

  Also, the cited document 1 does not mention how security for data processed by executing an application program on a server is ensured.

  The present invention has been made in view of such a situation, and enables a service that is not limited to a platform of a terminal device to be securely provided.

An information processing apparatus according to one aspect of the present invention is an information processing apparatus that performs first communication by contact or non-contact and second communication different from the first communication, and the electronic apparatus A data storage unit that stores data in a storage area for each unique authentication information, a program storage unit that stores a predetermined application program, a communication unit that performs the second communication with the electronic device, and an external authentication server Based on the authentication information transmitted from the authenticated electronic device and the identification information for identifying the application program for providing the service related to the first communication, the authentication is performed in the data storage unit. Of the data stored in the storage area corresponding to the information, used to execute the application program corresponding to the identification information Comprises a data identifying unit for identifying the data to be, on the basis of the data identified by the data identifying unit, and an execution unit for executing the application program corresponding to the identification information.

In one aspect of the present invention, a memory corresponding to authentication information based on authentication information indicating authentication by an external authentication server and identification information for identifying an application program for providing a service related to communication of the data stored in the area, the data used for the execution of the application program corresponding to the identification information is specified, based on the specific data, the application program corresponding to the identification information is performed.

  According to one aspect of the present invention, it is possible to securely provide a service that is not limited to the platform of the terminal device.

It is a figure which shows the structural example of one Embodiment of the information processing system to which this invention is applied. It is a block diagram which shows the structural example of a portable terminal device. It is a block diagram which shows the structural example of an authentication server. It is a block diagram which shows the function structural example of a portable terminal device. It is a block diagram which shows the function structural example of an authentication server. It is a block diagram which shows the function structural example of SA server. It is a flowchart explaining the example of a service provision process. It is a block diagram which shows the other function structural example of SA server. It is a block diagram which shows the structural example of the information processing system which refers or updates user data. It is a flowchart explaining the example of a reference or update process of user data. It is a flowchart explaining the other example of a reference or update process of user data. It is a flowchart explaining the further another example of the reference or update process of user data. It is a block diagram which shows the structural example of the information processing system which provides the service for which processing speed is calculated | required. It is a flowchart explaining the example of the provision process of the service for which a processing speed is calculated | required.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

[Configuration example of information processing system]
FIG. 1 is a block diagram showing a configuration example of an embodiment of an information processing system to which the present invention is applied. The information processing system in FIG. 1 provides a user who uses the mobile terminal device 11 with services such as an electronic money service, a ticket gate service, an attendance management service, or an entrance management service, for example.

  The mobile terminal device 11 is configured as a portable electronic device such as a mobile phone or a PDA (Personal Digital Assistant), and performs near field communication (NFC (Near Field Communication)) with the reader / writer 12. Proximity communication is communication that is performed within a distance of several tens of centimeters between devices that communicate with each other, and devices that communicate with each other are contactless. A server (not shown) is connected to the reader / writer 12, and the reader / writer 12 performs proximity communication with the mobile terminal device 11 and supplies information obtained as a result to the server (not shown).

  In addition, the mobile terminal device 11 performs wireless communication with a base station (not shown), thereby enabling an authentication server 13 and an SA (Secure Application) server 14 via a network such as the Internet connected to the base station (not shown). Communicate with. The authentication server 13 and the SA server 14 are connected to each other via a network such as the Internet. The authentication server 13 performs authentication processing for the mobile terminal device 11 by communicating with the mobile terminal device 11. The SA server 14 communicates with the mobile terminal device 11 and executes a program for providing a service for the user who uses the mobile terminal device 11, thereby realizing the service for the user. The mobile terminal device 11, the authentication server 13, and the SA server 14 all have a tamper resistant function, and are between the mobile terminal device 11 and the authentication server 13 and between the mobile terminal device 11 and the SA server 14. Mutual authentication is performed with

[Configuration example of portable terminal device]
Next, a configuration example of the mobile terminal device 11 will be described with reference to FIG.

  In FIG. 2, a CPU (Central Processor Unit) 31 executes various processes according to a program stored in a ROM (Read Only Memory) 32 or a program loaded in a RAM (Random Access Memory) 33. The RAM 33 also appropriately stores data necessary for the CPU 31 to execute various processes.

  The CPU 31, ROM 32, and RAM 33 are connected to each other via a bus 34. An input / output interface 35 is also connected to the bus 34.

  The input / output interface 35 includes an input unit 36 including keys, buttons, a touch panel, and a microphone, a display including an LCD (Liquid Crystal Display) and an organic EL (Electro-Luminescence), and an output unit 37 including a speaker. A storage unit 38 composed of a hard disk or the like, a first communication unit 39 including an antenna for performing wireless communication, and a second communication unit 40 including an antenna for performing near field communication are connected.

  The storage unit 38 stores information unique to the mobile terminal device 11 for authenticating the mobile terminal device 11.

  The first communication unit 39 performs wireless communication processing with a base station (not shown), and the second communication unit 40 performs proximity communication processing with the reader / writer 12.

  Also, a drive 41 is connected to the input / output interface 35 as necessary, and a removable medium 42 made of a semiconductor memory or the like is appropriately mounted, and a computer program read from the drive is installed in the storage unit 38 as necessary. Is done.

[Configuration example of authentication server]
Next, a configuration example of the authentication server 13 will be described with reference to FIG.

  In FIG. 3, the CPU 51 executes various processes according to a program stored in the ROM 52 or a program loaded in the RAM 53. The RAM 53 also appropriately stores data necessary for the CPU 51 to execute various processes.

  The CPU 51, ROM 52, and RAM 53 are connected to each other via a bus 54. An input / output interface 55 is also connected to the bus 54.

  The input / output interface 55 includes an input unit 56 including a keyboard and a mouse, a display including a CRT (Cathode Ray Tube) and an LCD, an output unit 57 including a speaker, and a storage unit including a hard disk. 58, a communication unit 59 including a modem and a terminal adapter is connected.

  The communication unit 59 performs communication processing via a network such as the Internet.

  A drive 60 is connected to the input / output interface 55 as necessary, and a removable medium 61 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is appropriately mounted, and a computer program read from them is loaded. It is installed in the storage unit 58 as necessary.

  The configuration of the SA server 14 is the same as the configuration of the authentication server 13 described with reference to FIG.

[Functional configuration example of portable terminal device]
Next, a functional configuration example of the mobile terminal device 11 will be described with reference to FIG.

  4 includes a device driver 71, a virtual machine 72, middleware 73, a VSE applet 74, a communication unit 75, a secure element 76, and a CLF (Contactless Frontend) 77. Note that the device driver 71, the virtual machine 72, the middleware 73, and the VSE applet 74 surrounded by a broken line in the mobile terminal device 11 of FIG. 4 are realized by the CPU 31 (FIG. 2). Assume that the hierarchy is shown.

  The device driver 71 controls devices such as the communication unit 75, the secure element 76, and the CLF 77.

  The virtual machine 72 is configured as a process virtual machine such as a Dalvik virtual machine, for example.

  The middleware 73 includes an API (Application Program Interface) and provides a function related to predetermined communication to the VSE applet 74. For example, the middleware 73 provides the VSE applet 74 with a function for accessing the secure element 76 and a function related to communication via the communication unit 75 or the CLF 77. Part or all of the middleware 73 may exist in a hierarchy between the device driver 71 and the virtual machine 72.

  A VSE (Virtual Secure Element) applet 74 is an application program that runs on the virtual machine 72, for example, and executes processing corresponding to the operation when the mobile terminal device 11 is operated by the user. Specifically, the VSE applet 74 executes processing related to communication between the reader / writer 12 and the SA server 14 according to the authentication result of the mobile terminal device 11.

  The communication unit 75 corresponds to the first communication unit 39 in FIG. 2 and communicates with the authentication server 13 and the SA server 14 by performing wireless communication with a base station (not shown).

  The secure element 76 stores secure data when an application program related to near field communication with the reader / writer 12 is executed. The secure element 76 is assigned a secure ID, which is information unique to the mobile terminal device 11. In the prior art, the secure element stores an applet as an application program executed to provide a service such as an electronic money service, and permanent user data described later. In the information processing system, applets and user data are stored in the SA server 14.

  The CLF 77 corresponds to the second communication unit 40 in FIG. 2 and includes an antenna for performing proximity communication with the reader / writer 12 and a control unit for controlling proximity communication, and performs proximity communication with the reader / writer 12.

[Functional configuration example of authentication server]
Next, a functional configuration example of the authentication server 13 will be described with reference to FIG.

  5 includes a communication unit 91 and an authentication processing unit 92.

  The communication unit 91 corresponds to the communication unit 59 in FIG. 3 and communicates with the mobile terminal device 11 and the SA server 14 via a network such as the Internet.

  The authentication processing unit 92 authenticates the mobile terminal device 11 based on authentication information (for example, a secure ID) supplied from the mobile terminal device 11 via the communication unit 91 for authenticating the mobile terminal device 11. . When the authentication processing unit 92 successfully authenticates the mobile terminal device 11, the authentication processing unit 92 supplies access information for accessing the SA server 14 to the mobile terminal device 11 via the communication unit 91.

[SA Server function configuration example]
Next, a functional configuration example of the SA server 14 will be described with reference to FIG.

  The SA server 14 in FIG. 6 includes a communication unit 111, an operating system 112, an applet DB (Data Base) 114, and a personalized DB 115.

  The communication unit 111 communicates with the mobile terminal device 11 and the authentication server 13 via a network such as the Internet (not shown).

  The operating system 112 manages and controls the entire SA server 14. The operating system 112 includes a data management unit 112a and an applet management unit 112b.

  The data management unit 112a functions as a file system and manages data (hereinafter referred to as user data) stored in the personalized DB 113. Based on the authentication information (secure ID) of the mobile terminal device 11 supplied from the mobile terminal device 11 via the communication unit 111, the data management unit 112a is selected from the user data stored in the personalized DB 113. The user data associated with the authentication information is specified.

  The applet management unit 112b manages applets (application programs) stored in the applet DB 114. Based on the identification information for identifying the applet supplied from the mobile terminal device 11 via the communication unit 111, the applet management unit 112b selects the applet corresponding to the identification information from the applets stored in the applet DB 114. Select and start (execute).

  The personalized DB 113 has a storage area for each authentication information unique to the mobile terminal device 11 (that is, for each user), and stores user data associated with the authentication information in each storage area. In the personalized DB 113, user data stored in the storage area for each user is made permanent.

  The applet DB 114 stores applets that are executed to provide services such as an electronic money service to the user of the mobile terminal device 11. The applet stored in the applet DB 114 is associated with identification information unique to the applet. The applet stored in the applet DB 114 is activated when identification information unique to the applet is transmitted from the mobile terminal device 11. In the applet DB 114, for example, each applet is registered in advance for each content provider that provides the applet.

  In the applet DB 114, for example, an applet having a function such as FeliCa (trademark) OS is stored. In general, FeliCa OS executes processing related to services such as electronic money services, and electronic devices equipped with FeliCa OS are used for commercial transactions as alternatives to credit cards and prepaid cards. The applet management unit 112b of the operating system 112 activates a non-contact or contact IC card applet such as FeliCa OS originally installed in the mobile terminal device 11 in the SA server 14 to establish a connection with the mobile terminal device 11. A service such as an electronic money service is provided to the user of the mobile terminal device 11 by communication.

  In this manner, an applet for executing a service related to near field communication with the reader / writer 12 that has been conventionally activated on the portable terminal device 11 is activated on the SA server 14.

[About user registration]
Here, user registration by the mobile terminal device 11 will be described.

  First, in the mobile terminal device 11, a user registration screen for performing user registration for using an applet provided by a certain content provider is displayed on the Web browser by the user's operation, and the VSE applet 74 is activated accordingly. Then, the VSE applet 74 connects the mobile terminal device 11 and the authentication server 13. Then, the authentication processing unit 92 of the authentication server 13 authenticates the mobile terminal device 11 by authenticating the secure element 76 via the VSE applet 74. When the mobile terminal device 11 is normally authenticated, the authentication server 13 acquires the secure ID stored in the secure element 76 via the VSE applet 74. Specifically, the VSE applet 74 accesses the secure element 76 to acquire a secure ID, and transmits the acquired secure ID as authentication information of the mobile terminal device 11 to the authentication server 13 via the communication unit 75 ( Supply).

  The authentication server 13 transmits (supplies) the acquired secure ID to the SA server 14, and the operating system 112 stores the secure ID from the authentication server 13 in a storage unit (not shown) in the SA server 14. User registration is performed. At this time, individual information (personalized data) such as a user's membership number and name required by the content provider is also stored together with the secure ID. Further, in the SA server 14, the data management unit 112a secures a storage area corresponding to the secure ID in the personalized DB 113, and generates a data area used for the user-registered applet in the storage area. An initial value is set for data (user data).

  The user registration is performed via the VSE applet 74. However, the present invention is not limited to this. For example, the content provider (CP) responds to the user operation on the user registration screen displayed on the Web browser. You may make it carry out via the CP server which owns.

[Example of service provision processing]
Next, an example of a service providing process when the applet stored in the SA server 14 is activated as described above will be described with reference to the flowchart of FIG.

  At this time, the user tries to enjoy a desired service by causing the portable terminal device 11 and the reader / writer 12 to perform proximity communication by bringing the portable terminal device 11 possessed close to the reader / writer 12.

  For example, when the user taps the icon of the VSE applet 74 displayed on the display screen in the mobile terminal device 11, the mobile terminal device 11 starts up the VSE applet 74 and the VSE applet 74 in step S 11. Connects the mobile terminal device 11 and the authentication server 13 (step S12 and step S31). In step S <b> 32, the authentication processing unit 92 of the authentication server 13 authenticates the mobile terminal device 11 by authenticating the secure element 76 via the VSE applet 74. When the mobile terminal device 11 is normally authenticated, the VSE applet 74 accesses the secure element 76 and acquires a secure ID.

  In step S13, the VSE applet 74 transmits (supplies) the acquired secure ID to the authentication server 13 via a network such as the communication unit 75, the base station, and the Internet.

  In step S <b> 33, the communication unit 91 of the authentication server 13 receives the secure ID transmitted from the mobile terminal device 11 via a network such as the Internet and supplies the secure ID to the authentication processing unit 92.

  In step S33, when the secure ID from the communication unit 91 is supplied to the authentication processing unit 92, the authentication processing unit 92 is access information for the mobile terminal device 11 to access the SA server 14, and only once. Issue a one-time URL (Uniform Resource Locator) that is valid access information. The access information for the mobile terminal device 11 to access the SA server 14 is not limited to the one-time URL, but may be other information.

  In step S34, the communication unit 91 of the authentication server 13 transmits the one-time URL issued by the authentication processing unit 92 to the VSE applet 74 via a network such as the Internet and a base station.

  In step S14, when receiving the one-time URL from the authentication server 13, the VSE applet 74 transmits a connection request to the SA server 14 based on the one-time URL in step S15. Note that this connection request includes a secure ID.

  In step S51, the communication unit 111 of the SA server 14 receives the connection request from the VSE applet 74. When the operating system 112 confirms that the user is a registered user based on the secure ID included in the connection request from the VSE applet 74, the communication unit 111 returns a response to the connection request in step S52. Send to. The VSE applet 74 receives the response from the SA server 14 in step S16. As a result, the connection between the VSE applet 74 (mobile terminal device 11) and the SA server 14 is established.

  Thereafter, in step S53, the operating system 112 of the SA server 14 enters an applet activation standby state (standby state).

  In step S17, the VSE applet 74 activates the mobile terminal device 11. More specifically, the VSE applet 74 changes the display color on the display screen of the mobile terminal device 11 and puts the CLF 77 in a proximity communication standby state.

  As described above, the display color of the display screen of the mobile terminal device 11 changes, so that the user recognizes that the mobile terminal device 11 is in a state in which proximity communication is possible, and connects the mobile terminal device 11 to the reader / writer 12. Hesitate (close).

  In a state where the portable terminal device 11 and the reader / writer 12 are close to each other, the reader / writer 12 transmits a polling command (hereinafter simply referred to as polling) to the CLF 77 in step S71. Upon receiving polling from the reader / writer 12 in step S91, the CLF 77 transmits a response to the polling to the reader / writer 12 in step S92. In step S <b> 72, the reader / writer 12 receives a response from the CLF 77. In this way, the reader / writer 12 captures the portable terminal device 11 as a communication partner by transmitting polling.

  Here, the communication protocol of the near field communication performed between the portable terminal device 11 and the reader / writer 12 is a Type A method or a Type B method standardized by ISO 14443. As a general-purpose command format in these communication protocols (communication methods), there is a command format called Application Protocol Data Unit (APDU) defined in ISO 7816-4. A command conforming to the APDU command format is hereinafter referred to as an APDU command.

  Returning to the description of FIG. 7, after the processing of steps S71 and S72 and steps S91 and S92, communication of the Type A method or the Type B method is repeated between the mobile terminal device 11 and the reader / writer 12, and ISO When communication by 14443-3 is performed, in step S73, the reader / writer 12 transmits select (AID), which is a command for selecting and starting an applet (application), among the APDU commands to the CLF 77. .

  Here, AID (Application Identifier) is identification information for identifying an applet defined in ISO 7816-5, and is uniquely given to the applet.

  In step S <b> 93, when the CLF 77 receives a select (AID) from the reader / writer 12, the CLF 77 supplies the received select (AID) to the VSE applet 74.

  In step S <b> 18, when the VSE applet 74 receives the select (AID) from the CLF 77, the VSE applet 74 transmits the received select (AID) to the SA server 14.

  The communication protocol for communication between the VSE applet 74 (mobile terminal device 11) and the SA server 14 is HTTP (Hyper Text Transfer Protocol) or HTTPS (Hyper Text Transfer Protocol Secure), which has a higher security level than HTTP. Specifically, for example, TCAP (Thin Client Application Protocol) is used. TCAP is a communication protocol for operating a FeliCa-compatible mobile phone or reader / writer from a FeliCa-compatible server application via a network, and is used for electronic payments. The communication protocol between the mobile terminal device 11 and the SA server 14 is not limited to HTTP or HTTPS, but may be TCP / IP (Transmission Control Protocol / Internet Protocol).

  In step S <b> 54, the communication unit 111 of the SA server 14 receives the select (AID) from the VSE applet 74 and supplies it to the operating system 112.

  In step S55, the data management unit 112a of the operating system 112 is in the storage area corresponding to the secure ID of the personalized DB 113 based on the secure ID received in step S51 and the select (AID) from the VSE applet 74. Among the user data, the user data in the data area used for the applet identified by the AID of select (AID) is specified.

  In step S56, the applet management unit 112b of the operating system 112 selects, from the applet DB 114, an applet corresponding to the AID of select (AID) from the VSE applet 74 using the user data specified by the data management unit 112a. ,to start.

  In step S57, the operating system 112 supplies a response to select (AID) to the communication unit 111 and causes the VSE applet 74 to transmit the response using TCAP.

  In step S19, when the VSE applet 74 receives a response to the select (AID) from the SA server 14, the VSE applet 74 transmits a response to the received select (AID) to the CLF 77.

  In step S94, when receiving the response from the VSE applet 74, the CLF 77 transmits the received response to the reader / writer 12. In step S74, the reader / writer 12 receives the response from the CLF 77.

  In step S74 and subsequent steps, the reader / writer 12 transmits an APDU command such as an authentication request command, a READ command (reference command), and a WRITE command (update command) to the CLF 77. The CLF 77 supplies the APDU command from the reader / writer 12 to the VSE applet 74, and the VSE applet 74 transmits the APDU command to the SA server 14. The SA server 14 executes processing according to the transmitted APDU command, and transmits a response (processing result) to the VSE applet 74. The VSE applet 74 supplies the response transmitted from the SA server 14 to the CLF 77, and the CLF 77 transmits the response to the reader / writer 12.

  In this way, when the mobile terminal device 11 (VSE applet 74) behaves like a gateway, an APDU command is transmitted and received between the reader / writer 12 and the SA server 14, and the applet is executed on the SA server 14. Thus, a service is provided to the user of the mobile terminal device 11.

  At this time, the user can make the mobile terminal device 11 and the reader / writer 12 perform near field communication as in the conventional case, and enjoy the service executed by the applet on the mobile terminal device 11. The service executed by the applet on the SA server 14 can be enjoyed.

  According to the above processing, the mobile terminal device 11 is authenticated by the secure ID, and an applet activation request is sent from the reader / writer 12 that performs near field communication with the authenticated mobile terminal device 11 via the mobile terminal device 11. In the SA server 14, user data corresponding to the secure ID and used for the applet requested to be activated is specified, and the applet is activated using the user data. As described above, since user data is stored on the SA server 14 and an applet is executed, there is no need to store user data or execute an applet on the mobile terminal device 11. Without being limited by the processing capability of the mobile terminal device 11 or the storage capacity of the memory. In addition, since the user data is managed by a secure ID that is authentication information of the mobile terminal device 11, the security of the user data can be sufficiently secured. Therefore, it is possible to securely provide a service that is not limited to the terminal device.

  In addition, when storing user data on the mobile terminal device 11, the storage capacity of the user data used for the applet provided by the content provider (CP) is limited due to the limitation of the storage capacity. Since user data is stored in the secure SA server 14, a storage area of user data used for each applet can be flexibly allocated, and a fair system is provided to the content provider (CP). Will be able to.

  Furthermore, in the conventional system, it is not easy to collectively manage the near field communication log (transaction log) of the mobile terminal device 11, but in the configuration described above, the transaction log includes the reader / writer 12 and the SA server. Therefore, the transaction log can be easily managed collectively by the SA server 14. Thereby, it is possible to grasp on the SA server 14 side what service the user using the mobile terminal device 11 has enjoyed, and for example, it is possible to provide a service more suited to the user's preference. become.

  In the above, the authentication server 13 and the SA server 14 are configured separately, but may be configured integrally as shown in FIG.

  FIG. 8 is a block diagram showing a functional configuration example of the SA server 14 configured to include the function of the authentication server 13. In addition, in the SA server 14 of FIG. 8, about the structure provided with the same function as what was provided in the SA server 14 of FIG. 6, the same name and the same code | symbol shall be attached | subjected, and the description is abbreviate | omitted suitably. And

  That is, the SA server 14 in FIG. 8 differs from the SA server 14 in FIG. 6 in that an authentication processing unit 131 is newly provided. The authentication processing unit 131 has the same function as the authentication processing unit 92 in the authentication server 13 of FIG.

  In the case of the configuration of the SA server 14 shown in FIG. 8, the SA server 14 does not need to transmit a one-time URL to the VSE applet 74 after the authentication of the VSE applet 74 in the process described with reference to the flowchart of FIG. .

  By the way, as described above, since the user data is managed on the SA server 14 side, the user provider as well as the user himself / herself may be able to refer to or update the user data.

  Hereinafter, a configuration of an information processing system in which a user or a content provider can refer to or update user data of the SA server 14 will be described.

[Configuration example of an information processing system that references or updates user data]
FIG. 9 shows a configuration example of an information processing system in which a user or a content provider can refer to or update user data of the SA server 14.

  In the information processing system of FIG. 9, components having the same functions as those provided in the information processing system of FIG. 1 are given the same names and the same reference numerals, and descriptions thereof are omitted as appropriate. And

  That is, the information processing system in FIG. 9 differs from the information processing system in FIG. 1 in that the reader / writer 12 is deleted and a CP (content provider) server 151 is newly provided.

  The mobile terminal device 11 communicates with the authentication server 13 and the SA server 14 via a network such as the Internet connected to a base station (not shown) by performing wireless communication with a base station (not shown). In addition to the above, it communicates with the CP server 151. The authentication server 13, the SA server 14, and the CP server 151 are connected to each other via a network such as the Internet.

  The CP server 151 provides predetermined content to the mobile terminal device 11 in response to a request from the mobile terminal device 11. Further, the CP server 151 issues a permit for enabling access to the SA server 14 and transmits it to the mobile terminal device 11 or the authentication server 13. When the permit is authenticated by the mobile terminal device 11 or the authentication server 13, the CP server 151 can access the SA server 14.

  Hereinafter, a process of referring to or updating user data in the information processing system of FIG. 9 will be described.

[Example 1 of referencing or updating user data]
First, a process in which the user of the mobile terminal device 11 refers to or updates the user data of the SA server 14 via the CP server 151 will be described with reference to the flowchart of FIG.

  First, in the Web browser of the mobile terminal device 11, when the user performs an operation for requesting content to the CP server 151, the CP server 151 sends a Web page corresponding to the request to the mobile terminal device 11 in step S <b> 111. Send.

  The portable terminal device 11 receives the web page from the CP server 151 in step S131, and displays it on the web browser in step S132.

  For the Web page displayed on the Web browser of the mobile terminal device 11, an operation for starting the VSE applet 74 is performed by the user such as pressing a start link button for starting the VSE applet 74. Then, the portable terminal device 11 activates the VSE applet 74 in step S133. Thereafter, in the mobile terminal device 11, the VSE applet 74 functions as a plug-in on the Web browser.

  Thereafter, when the VSE applet 74 obtains the URL of the CP server 151 for accessing the CP server 151 from the Web browser, in step S134, the license for enabling the CP server 151 to access the SA server 14 is obtained. Request (permit request) is transmitted to the CP server 151. The URL of the CP server 151 is stored, for example, in an activation link button for activating the VSE applet 74 of the web page displayed on the web browser.

  Upon receiving the permit request from the VSE applet 74 in step S112, the CP server 151 issues a permit for enabling access to the SA server 14, and in step S113, the CP is issued to the portable terminal device. 11 to send. The permit may be stored in the CP server 151 in advance.

  When receiving the permit from the CP server 151 in step S135, the portable terminal device 11 authenticates the received permit in step S136. When the permit is successfully authenticated, the VSE applet 74 of the mobile terminal device 11 connects the mobile terminal device 11 and the authentication server 13 (step S137 and step S151). In step S152, the authentication processing unit 92 of the authentication server 13 authenticates the portable terminal device 11 by authenticating the secure element 76 via the VSE applet 74. When the mobile terminal device 11 is normally authenticated, the VSE applet 74 accesses the secure element 76 to acquire a secure ID, and transmits the acquired secure ID to the authentication server 13 in step S138.

  In step S <b> 153, the communication unit 91 of the authentication server 13 receives the secure ID transmitted from the mobile terminal device 11 and supplies it to the authentication processing unit 92.

  In step S153, when the secure ID from the communication unit 91 is supplied to the authentication processing unit 92, the authentication processing unit 92 issues a one-time URL.

  In step S <b> 154, the communication unit 91 of the authentication server 13 transmits the one-time URL issued by the authentication processing unit 92 to the mobile terminal device 11.

  In step S139, when receiving the one-time URL from the authentication server 13, the VSE applet 74 of the mobile terminal device 11 transmits a connection request to the SA server 14 based on the one-time URL in step S140. Note that this connection request includes a secure ID.

  In step S171, the communication unit 111 of the SA server 14 receives the connection request from the VSE applet 74. When the operating system 112 confirms that the user is a registered user based on the secure ID included in the connection request from the VSE applet 74, in step S172, the communication unit 111 returns a response to the connection request to the portable terminal device. 11 to send.

  In step S <b> 141, when the VSE applet 74 of the mobile terminal device 11 receives the response from the SA server 14, it transmits the response to the CP server 151. In step S114, the CP server 151 receives the response from the VSE applet 74. Thereby, the connection between the CP server 151 and the SA server 14 via the mobile terminal device 11 is established.

  Here, when an operation for referring to or updating the user data is performed by the user on the web page displayed on the web browser of the mobile terminal device 11, the CP server 151, in step S115, A request command for requesting data reference or update is transmitted to the mobile terminal device 11. This request command includes an AID that identifies an applet in which user data to be referenced or updated is used.

  In step S142, the mobile terminal device 11 receives the request command from the CP server 151, and transmits it to the SA server 14 using TCAP. At this time, the request command includes the secure ID of the mobile terminal device 11.

  When the SA server 14 receives the request command from the mobile terminal device 11 in step S173, the SA server 14 refers to or updates the user data specified by the secure ID and AID included in the request command in step S174.

  In step S175, the SA server 14 transmits a response to the request command to the mobile terminal device 11 using TCAP.

  In step S143, when receiving the response from the SA server 14, the mobile terminal device 11 transmits the received response to the CP server 151.

  In step S116, when receiving a response from the mobile terminal device 11, the CP server 151 transmits the content corresponding to the response to the mobile terminal device 11 as a Web page.

  The request command transmitted by the CP server 151 is a READ command (reference command) or a WRITE command (update command). More specifically, when the user of the mobile terminal device 11 requests reference to user data, the CP server 151 transmits a READ command, and the SA server 14 transmits a response to the READ command. When the user of the mobile terminal device 11 requests updating of user data, the CP server 151 requests reference of user data, receives the response, transmits a WRITE command, and the SA server 14 Send a response to the command.

  In the mobile terminal device 11, the VSE applet 74 executes processing corresponding to the command from the CP server 151 like a script. Here, the command transmitted / received between the mobile terminal device 11 and the SA server 14 needs to comply with the APDU command format, but the command transmitted / received between the mobile terminal device 11 and the CP server 151. This is not the case.

  As described above, the user of the mobile terminal device 11 can refer to or update the user data of the SA server 14 via the CP server 151.

  In the above description, the CP server 151 transmits the request command to the SA server 14 via the mobile terminal device 11. However, the CP server 151 transmits the request command directly to the SA server 14. Also good.

[Example 2 of referencing or updating user data]
Here, referring to the flowchart of FIG. 11, the CP server 151 transmits a request command directly to the SA server 14, whereby the user of the mobile terminal device 11 refers to the user data of the SA server 14 via the CP server 151. Or the process to update is demonstrated.

  In the flowchart of FIG. 11, the processes of steps S211 to S213 by the CP server 151, steps S231 to S238 by the mobile terminal device 11, and steps S251 to S254 by the authentication server 13 are performed by the CP server 151 in the flowchart of FIG. Steps S111 to S113, steps S131 to S138 performed by the mobile terminal device 11, and steps S151 to S154 performed by the authentication server 13 are the same as those in FIG.

  That is, in step S239, when the VSE applet 74 of the mobile terminal device 11 receives the one-time URL from the authentication server 13, it transmits the secure ID obtained from the secure element to the CP server 151 together with the one-time URL.

  When the CP server 151 receives the one-time URL and the secure ID from the portable terminal device 11 in step S214, the CP server 151 transmits a connection request to the SA server 14 based on the one-time URL in step S215. Note that this connection request includes a secure ID.

  In step S <b> 271, the communication unit 111 of the SA server 14 receives the connection request from the CP server 151. When the operating system 112 authenticates the CP server 151 based on the secure ID included in the connection request from the CP server 151, the communication unit 111 transmits a response to the connection request to the CP server 151 in step S272. In step S216, the CP server 151 receives the response from the VSE applet 74. Thereby, the connection between the CP server 151 and the SA server 14 is established.

  Here, when an operation for referring to or updating user data is performed by the user on the Web page displayed on the Web browser of the mobile terminal device 11, the CP server 151 displays the user in step S 217. A request command for requesting reference or update of data is transmitted to the SA server 14 using TCAP. This request command includes a secure ID of the mobile terminal device 11 and an AID that identifies an applet in which user data to be referred to or updated is used.

  When the SA server 14 receives the request command from the CP server 151 in step S273, the SA server 14 refers to or updates the user data specified by the secure ID and the AID included in the request command in step S274.

  In step S275, the SA server 14 transmits a response to the request command to the CP server 151 using TCAP.

  In step S218, when receiving a response to the request command from the SA server 14, the CP server 151 transmits the content corresponding to the response to the mobile terminal device 11 as a Web page.

  Note that commands transmitted and received between the CP server 151 and the SA server 14 conform to the APDU command format.

  As described above, even when the CP server 151 transmits the request command directly to the SA server 14, the user of the mobile terminal device 11 refers to or updates the user data of the SA server 14 via the CP server 151. Will be able to.

  In the above, the process when the user of the mobile terminal device 11 refers to or updates the user data of the SA server 14 via the CP server 151 has been described. However, the CP (content provider) that owns the CP server 151 The user data of the SA server 14 can be referred to or updated.

[Example 3 of referencing or updating user data]
Here, with reference to the flowchart of FIG. 12, a process in which the CP that owns the CP server 151 refers to or updates the user data of the SA server 14 will be described.

  When the CP server 151 and the authentication server 13 are connected, the authentication server 13 transmits a permit request to the CP server 151 in step S331.

  Upon receiving the permit request from the authentication server 13 in step S311, the CP server 151 issues a permit for accessing the SA server 14, and transmits the permit to the authentication server 13 in step S312.

  Upon receiving the permit from the CP server 151 in step S332, the authentication server 13 authenticates the received permit in step S333. When the permit is successfully authenticated, the authentication processing unit 92 of the authentication server 13 issues a one-time URL.

  In step S <b> 334, the communication unit 91 of the authentication server 13 transmits the one-time URL issued by the authentication processing unit 92 to the CP server 151.

  In step S313, when receiving the one-time URL from the authentication server 13, the CP server 151 transmits a connection request to the SA server 14 based on the one-time URL in step S314.

  When the communication unit 111 of the SA server 14 receives the connection request from the CP server 151 in step S351, the communication unit 111 transmits a response to the connection request to the CP server 151 in step S352. In step S315, the CP server 151 receives the response from the SA server 14. Thereby, the connection between the CP server 151 and the SA server 14 is established.

  Here, when the CP server 151 is operated by the CP to refer to or update user data used for a specific applet, the CP server 151 refers to or updates the user data in step S316. A request command for requesting is sent to the SA server 14 using TCAP. This request command includes an AID that identifies a specific applet.

  When the SA server 14 receives the request command from the CP server 151 in step S353, the SA server 14 refers to or updates the user data specified by the AID included in the request command in step S354. The user data referred to or updated here only needs to be used for a specific applet, and user data corresponding to a plurality of secure IDs (a plurality of portable terminal devices 11, that is, a plurality of users) is referred to or updated. Become so.

  In step S355, the SA server 14 transmits a response to the request command to the CP server 151 using TCAP.

  In step S317, when the CP server 151 receives a response to the request command from the mobile terminal device 11, the CP server 151 outputs contents corresponding to the response to a display unit (not shown) of the CP server 151.

  As described above, the content provider that owns the CP server 151 can directly refer to or update the user data of the SA server 14. As a result, the content provider can easily grasp the user data that has been stored in the portable terminal device 11 that is conventionally owned by each individual user. The service range can be expanded by providing a simple service or sharing user data with other content providers.

  In the above, the information processing system of FIG. 1 can provide a user using the mobile terminal device 11 with services such as an electronic money service, a ticket gate service, an attendance management service, or a room entry management service, for example. I have explained.

  However, in the processing described with reference to FIG. 7, it takes a certain time until the request from the reader / writer 12 is transmitted to the SA server 14 and the response is received by the reader / writer 12. Cannot provide the required services.

  Therefore, in the following, a configuration and processing capable of providing a service that requires processing speed will be described.

[Another configuration example of the information processing system]
FIG. 13 is a block diagram of an information processing system that provides a ticket gate service at a railway station to a user who uses the mobile terminal device 11.

  In the information processing system in FIG. 13, configurations having the same functions as those provided in the information processing system in FIG. 1 are denoted by the same names and the same reference numerals, and descriptions thereof are omitted as appropriate. And

  That is, the information processing system in FIG. 13 is different from the information processing system in FIG. 1 in that the authentication server 13 is deleted and a station server 171 is newly provided.

  The reader / writer 12 is configured as a part of station equipment such as an automatic ticket gate at a railway station, and is connected to the station server 171.

  The station server 171 manages information obtained by processing in the station service device including the reader / writer 12 and supplies the information to the SA server 14 as necessary. The SA server 14 and the station server 171 are connected to each other via a network such as the Internet or an intranet.

  The SA server 14 includes the function of the authentication server 13 and is the SA server 14 described with reference to FIG.

[Example of service provision processing that requires processing speed]
Next, an example of service provision processing by the information processing system of FIG. 13 will be described with reference to the flowchart of FIG.

  First, in the mobile terminal device 11, for example, when the user taps the icon of the VSE applet 74 displayed on the display screen, the mobile terminal device 11 starts up the VSE applet 74 in step S411, and the VSE applet 74 is activated. The applet 74 connects the mobile terminal device 11 and the SA server 14 (steps S412 and S431). In step S432, the authentication processing unit 131 of the SA server 14 authenticates the mobile terminal device 11 by authenticating the secure element 76 via the VSE applet 74. When the mobile terminal device 11 is normally authenticated, the VSE applet 74 accesses the secure element 76 and acquires a secure ID.

  In step S413, the VSE applet 74 transmits (supplies) the acquired secure ID to the SA server 14 via the communication unit 75, the base station, and a network such as the Internet, and user data corresponding to the secure ID. Send request.

  In step S433, the communication unit 111 of the SA server 14 receives the secure ID transmitted from the mobile terminal device 11 via a network such as the Internet and supplies the secure ID to the operating system 112.

  In step S434, in response to a request for user data corresponding to the secure ID, the data management unit 112a of the operating system 112 identifies the user data corresponding to the secure ID in the personalized DB 113, and copies (copies) the user data. ) To the communication unit 111. Here, the data management unit 112a encrypts a copy of the user data with a signature. In addition, the data management unit 112a may attach time information (time stamp) indicating the current time to the specified user data of the personalized DB 113 and a copy of the user data.

  In step S434, the communication unit 111 transmits a copy of the user data specified by the data management unit 112a to the VSE applet 74.

  In step S <b> 414, when the VSE applet 74 receives the copy of the user data from the SA server 14, the VSE applet 74 supplies the copy of the user data to the middleware 73. In step S451, the middleware 73 obtains a copy of user data from the VSE applet 74, and in step S452, caches it in a storage area (not shown).

  Here, in the mobile terminal device 11, a copy of user data may be temporarily stored in a storage area (not shown), or stored as permanent data, and a new copy of user data from the SA server 14. The permanent data may be updated each time it is transmitted.

  In step S415, the VSE applet 74 activates the mobile terminal device 11. More specifically, the VSE applet 74 changes the display color on the display screen of the mobile terminal device 11 and puts the CLF 77 in a proximity communication standby state.

  As described above, the display color of the display screen of the mobile terminal device 11 is changed, so that the user recognizes that the mobile terminal device 11 is in a state in which proximity communication is possible, and is configured as a part of the automatic ticket gate. The portable terminal device 11 is held (closed) to the reader / writer 12.

  When the mobile terminal device 11 and the reader / writer 12 come close to each other, the reader / writer 12 transmits polling to the CLF 77, which is not shown, and the CLF 77 returns a response to the reader / writer 12. That is, the reader / writer 12 captures the mobile terminal device 11 as a communication partner.

  In step S471, the reader / writer 12 transmits a system code, which is information for identifying the system, to the CLF 77. The system code transmitted here indicates that the system in which the mobile terminal device 11 is used is a ticket gate system.

  In step S491, when the CLF 77 receives the system code from the reader / writer 12, the CLF 77 supplies the system code to the middleware 73.

  When the middleware 73 acquires the system code from the CLF 77 in step S453, the middleware 73 transitions to the emulation mode in step S454. Thereby, the middleware 73 comes to execute processing relating to the ticket gate processing. It should be noted that the reader / writer 12 only needs to transmit not the system code but information that allows the middleware 73 to emulate an applet that executes processing related to the ticket gate processing. For example, select (AID), which is one of the APDU commands described above, may be transmitted from the reader / writer 12.

  In this example, the middleware 73 emulates an applet that executes processing related to the ticket gate processing, but the VSE applet 74 may emulate an applet that executes processing related to the ticket gate processing.

  Thereafter, in step S455, the middleware 73 supplies a response to the system code to the CLF 77. In step S492, when the CLF 77 receives a response from the middleware 73, the CLF 77 transmits the response to the reader / writer 12.

  When the reader / writer 12 receives a response from the CLF 77 in step S472, the reader / writer 12 transmits a user data READ request (READ command) in step S473. In step S493, the CLF 77 receives the READ request from the reader / writer 12 and supplies the READ request to the middleware 73.

  When the middleware 73 receives a READ request from the CLF 77 in step S456, in step S457, the middleware 73 copies a copy of user data with a signature cached in a storage area (not shown) as a response to the READ request. Supply to CLF77.

  In step S494, when the CLF 77 receives a response (copy of user data) from the middleware 73, the CLF 77 transmits the response to the reader / writer 12.

  When the reader / writer 12 receives a response from the CLF 77 in step S474, the reader / writer 12 performs a gate opening / closing process of the automatic ticket gate in step S475. If the copy of the user data has a signature and time information, the reader / writer 12 checks the signature and time information, and according to the result, opens / closes the gate of the automatic ticket gate. It may be.

  In this way, the user of the mobile terminal device 11 can pass through the gate of the automatic ticket gate by placing the mobile terminal device 11 on the reader / writer 12 as a part of the automatic ticket gate.

  In step S476, the reader / writer 12 supplies the station server 171 with a WRITE request for user data stored in the SA server 14 based on a response (copy of user data) from the CLF 77. Here, it is assumed that the above-mentioned signature is attached to the WRITE request.

  When the station server 171 acquires the WRITE request from the reader / writer 12 in step S511, the station server 171 transmits the WRITE request to the SA server 14 in step S512. The station server 171 sends an authentication request to the SA server 14 before sending the WRITE request to the SA server 14, and sends a WRITE request to the SA server 14 after receiving the response. May be.

  When the SA server 14 receives the WRITE request from the station server 171 in step S435, the SA server 14 updates the user data to which the signature is attached based on the signature attached to the WRITE request in step S436. More specifically, the balance information of electronic money stored as user data in the personalized DB 113 is rewritten to balance information reduced by the amount of the railway fare used by the user of the mobile terminal device 11. When time information is attached to the user data, the SA server 14 matches the user data based on the time indicated by the time information and the time when the WRITE request from the station server 171 is received. You may make it check sex.

  According to the above processing, a copy of the user data stored in the SA server 14 is cached in the mobile terminal device 11, and based on the copy of the user data, the processing related to the near field communication is not performed on the SA server 14, Since it is executed on the portable terminal device 11, it is possible to provide a service that requires a processing speed such as a ticket gate service.

  Note that the processing from the transmission of the WRITE request by the station server 171 to the update of user data by the SA server 14 need not be executed in real time, but may be executed by batch processing.

  In the above, the authentication information of the mobile terminal device 11 is the secure ID of the secure element 76, but any information that can authenticate the mobile terminal device 11 securely may be used. For example, when the mobile terminal device 11 is a mobile phone, the phone number may be used as authentication information. When the mobile terminal device 11 has a biometric authentication function such as fingerprint authentication, the biometric information is used. It may be authentication information. Conventionally, information unique to a UICC (Universal Integrated Circuit Card) for storing an applet executed in the mobile terminal device 11 may be used as authentication information.

  In the above description, the proximity communication between the portable terminal device 11 and the reader / writer 12 is performed by the Type A method or the Type B method. However, the TYPE A method or the standardized by ISO 18092 It may be performed by a method other than the Type B method. Furthermore, the proximity communication between the portable terminal device 11 and the reader / writer 12 may be communication by contact using a terminal instead of communication by non-contact.

  Furthermore, in the information processing system described above, one SA server 14 is provided. However, an SA server may be provided for each applet (that is, for each content provider that provides an applet).

  In the above description, the VSE applet 74 has a plurality of functions. However, the plurality of VSE applets 74 may have the respective functions.

  The series of processes described above can be executed by hardware or can be executed by software. When a series of processing is executed by software, a program constituting the software may execute various functions by installing a computer incorporated in dedicated hardware or various programs. For example, it is installed from a program recording medium in a general-purpose personal computer or the like.

  As shown in FIG. 3, a program recording medium that stores a program that is installed in a computer and can be executed by the computer includes a magnetic disk (including a flexible disk), an optical disk (CD-ROM (Compact Disc-Read Only). Memory), DVD (Digital Versatile Disc) (including magneto-optical disk), or removable media 61 that is a package medium made of semiconductor memory, or ROM 52 or RAM 53 in which a program is temporarily or permanently stored It is comprised by the hard disk etc. which comprise. The storage of the program in the program storage medium is performed by a wired or wireless communication medium such as a network, a local area network, the Internet, or digital sanitary broadcasting via a communication unit (not shown) that is an interface such as a router or a modem as necessary. It is done using.

  The program executed by the computer may be a program that is processed in time series in the order described in this specification, or in parallel or at a necessary timing such as when a call is made. It may be a program for processing.

The embodiment of the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the gist of the present invention.

  DESCRIPTION OF SYMBOLS 11 Portable terminal device, 12 Reader / writer, 13 Authentication server, 14 SA server, 74 VSE applet, 75 Communication part, 76 Secure element, 77 CLF, 92 Authentication processing part, 112 Operating system, 112a Data management part, 112b Applet management part , 113 Personalized DB, 114 Applet DB, 131 Authentication Processing Unit

Claims (3)

An electronic apparatus that performs first communication by contact or non-contact and an information processing apparatus that performs second communication different from the first communication,
A data storage unit for storing data in a storage area for each authentication information unique to the electronic device;
A program storage unit for storing a predetermined application program;
A communication unit that performs the second communication with the electronic device;
The data storage based on the authentication information transmitted from the electronic device authenticated by an external authentication server and the identification information for identifying the application program for providing the service related to the first communication A data specifying unit for specifying the data used for executing the application program corresponding to the identification information among the data stored in a storage area corresponding to the authentication information;
An information processing apparatus comprising: an execution unit that executes the application program corresponding to the identification information based on the data specified by the data specifying unit. An electronic apparatus that performs first communication by contact or non-contact and an information processing apparatus that performs second communication different from the first communication,
A data storage unit for storing data in a storage area for each authentication information unique to the electronic device;
A program storage unit for storing a predetermined application program;
A communication unit that performs the second communication with the electronic device;
The data storage based on the authentication information transmitted from the electronic device authenticated by an external authentication server and the identification information for identifying the application program for providing the service related to the first communication A data specifying unit for specifying the data used for executing the application program corresponding to the identification information among the data stored in a storage area corresponding to the authentication information;
An information processing method of an information processing apparatus comprising: an execution unit that executes the application program corresponding to the identification information based on the data specified by the data specifying unit,
The data specifying unit includes the authentication information transmitted from the electronic device authenticated by an external authentication server, and identification information for identifying the application program for providing the service related to the first communication. Based on the data storage unit, the data used for execution of the application program corresponding to the identification information among the data stored in the storage area corresponding to the authentication information,
An information processing method including a step in which the execution unit executes the application program corresponding to the identification information based on the data specified by the data specifying unit. An electronic apparatus that performs first communication by contact or non-contact and an information processing apparatus that performs second communication different from the first communication,
A data storage unit for storing data in a storage area for each authentication information unique to the electronic device;
A program storage unit for storing a predetermined application program;
A program that causes a computer to execute information processing of an information processing apparatus that includes the electronic device and a communication unit that performs the second communication,
The data storage based on the authentication information transmitted from the electronic device authenticated by an external authentication server and the identification information for identifying the application program for providing the service related to the first communication The data used for execution of the application program corresponding to the identification information among the data stored in the storage area corresponding to the authentication information,
A program that causes a computer to execute processing including a step of executing the application program corresponding to the identification information based on the data specified by the data specifying unit .

Images