JP6711773B2 - Digital certificate management system, digital certificate using terminal, and digital certificate management method - Google Patents

Description

INDUSTRIAL APPLICABILITY The present invention is suitable for use in a digital certificate management system that is added to information transmitted and received via a network and issues and manages a digital certificate that guarantees the validity of the information, and a digital certificate management system. The present invention relates to a digital certificate using terminal and a digital certificate management method.

2. Description of the Related Art Conventionally, with the spread of the open network, the Internet, a lot of information is exchanged via the Internet. For example, it has become common to use electronic mail via the Internet for exchanging information between users. On the other hand, since the Internet is an open network, it has been pointed out that there is a problem that information is intercepted, tampered with, or spoofing occurs on the communication path. Therefore, a public key cryptosystem is known as a method for appropriately solving such a problem (for example, Patent Document 1).

The public key cryptosystem is a system that performs encryption and decryption using a pair of keys, which is a public key that is widely open to the public and a private key that is kept secret only by the owner, and the plaintext encrypted with one key is Only the other key can decrypt. Therefore, in ciphertext communication, the sender sends the ciphertext obtained by encrypting the plaintext with the recipient's public key, and the receiver decrypts the received ciphertext with its own secret key to obtain the plaintext. .. As a result, the content of communication is kept secret, and the risk of interception or falsification of information is reduced.

Further, in order to verify the sender, the sender sends a ciphertext obtained by encrypting the message digest with a secret key and a public key with a digital certificate. The receiver verifies the validity of the public key based on the digital certificate, and verifies that the sender has the private key based on the fact that the message digest can be decrypted with the public key. This verifies that the sender is the person who issued the electronic certificate, and reduces the risk that the sender is spoofing.

JP 2001-36521 A

By using the public key cryptosystem in this way, confidentiality of information can be secured and the validity of the sender can be verified.
By the way, the electronic certificate attached by the sender is acquired by applying to the electronic certificate management system of the issuing authority of the electronic certificate from the sender's terminal for utilizing the electronic certificate as the sender himself. The issuing organization of the electronic certificate strictly examines the application content of the applicant and issues an electronic certificate to the applicant when it judges that the application content is appropriate. Therefore, the reliability of the digital certificate is ensured by the examination standard and examination ability of the issuing authority of the electronic certificate. As a result, the reliability of digital certificates may vary depending on the issuing organization, and inappropriate applications may not be excluded during the examination.

The present invention has been made in view of such circumstances, and an object thereof is an electronic certificate management system capable of further increasing the reliability of an electronic certificate, and an electronic certificate suitable for the electronic certificate management system. The purpose is to provide a document use terminal and a digital certificate management method.

A digital certificate management system that solves the above-mentioned problems is a digital certificate management system that issues a digital certificate based on application information and manages the issued digital certificate, from the application information transmitted by the terminal. The specific information acquired from the application information is acquired from the corporate information management device that acquires the corporate information included in the application information and the specific corporate number uniquely assigned to the corporate, and manages the corporate information in association with the specific corporate number. A corporate information determination unit that determines the validity of the corporate information included in the application information based on the degree of agreement between the corporate information obtained as a corporate number and the corporate information included in the application information, The corporate information judgment unit includes the application information.
A certificate issuing unit that issues an electronic certificate based on the application information in response to a result of determining that the corporate information to be included is valid.
Electronic certificate management system for solving the above-mentioned problems, and issues an electronic certificate based on application information, an electronic certificate management system for managing the issued electronic certificate, the country is assigned uniquely to corporations Based on the specified corporation number that is held by the corporation information management device that manages the specified corporation number, the specified corporation number that is held, and the corporation information that is held as information corresponding to the specified corporation number Included in the application information from the terminal that generates the application information that is necessary for issuing the electronic certificate and that includes the specific corporation number and the corporation information, and the application information transmitted from the terminal The corporate information and the specific corporate number are acquired, and the acquired specific corporate number is transmitted to the corporate information management device that also manages corporate information in which a country is associated with the specific corporate number, and the corporate information. The corporate information corresponding to the acquired specific corporate number is received from the management device, and the received corporate information and the corporate information included in the application information based on the degree of coincidence with the corporate information included in the application information. Correspondence to the result of the corporate information judging unit for judging the legitimacy and the corporate information judging unit for judging that the corporate information included in the application information is valid, a certificate for issuing an electronic certificate based on the application information. The main point is to have a book publishing department.

A digital certificate management method for solving the above problem is a digital certificate management method used in a digital certificate management system that issues a digital certificate based on application information and manages the issued digital certificate, Corporate information management in which the corporate information determination unit acquires corporate information contained in the application information and the specific corporate number uniquely assigned to the corporate from the application information, and manages the corporate information in association with the specific corporate number. The corporate information corresponding to the acquired specific corporate number is acquired from the device, and the legitimacy of the corporate information included in the application information is based on the degree of agreement between the acquired corporate information and the corporate information included in the application information. Then, the certificate issuing unit issues an electronic certificate based on the application information in response to the result that the corporate information determination unit determines that the corporate information included in the application information is valid.
A digital certificate management method for solving the above problem is a digital certificate management method used in a digital certificate management system that issues a digital certificate based on application information and manages the issued digital certificate, The terminal has the specific corporate number managed by the corporate information management device that manages the specific corporate number uniquely assigned to the corporation by the country, and the specific corporate number that is held and the specific corporate number Based on corporate information held as corresponding information, the application information that is necessary for issuing the electronic certificate and includes the specific corporate number and the corporate information is generated, and the corporate information determination unit, The corporate information and the specific corporate number included in the application information are acquired from the application information transmitted by the terminal, and the acquired specific corporate number is combined with corporate information in which a country is associated with the specific corporate number. The corporate information corresponding to the acquired specific corporate number is received from the corporate information management device while being transmitted to the managed corporate information management device, and the received corporate information matches the corporate information included in the application information. The validity of the corporate information included in the application information is determined based on the degree of the, and the certificate issuing unit responds to the result that the corporate information determination unit determines that the corporate information included in the application information is valid. The main point is to issue an electronic certificate based on the application information.

According to such a configuration, the corporate information included in the application information is determined to be valid based on the degree of agreement with the corporate information obtained based on the specific corporate number, and thus the electronic certificate Is issued. In other words, when it is determined that the corporate information included in the application information is not valid, the digital certificate is not issued. Therefore, the risk of issuing an electronic certificate in response to an unauthorized application for issuing an electronic certificate such as spoofing is reduced, and the reliability of the electronic certificate is improved. In addition, when issuing a digital certificate, it is possible to improve the accuracy of the examination of corporate information, reduce the examination load, and reduce the variation in examination.

As a preferred configuration, a certificate history storage unit that holds a history of issued digital certificates, and a history of searching and outputting a history of the electronic certificates registered in the certificate history storage unit in response to an external request. further comprising a search unit.
With such a configuration, with respect to the issued electronic certificate, it is possible to externally search and refer to the history related to the electronic certificate.

As a preferred configuration, a public key storage unit that stores a public key and makes it publicly available is further provided, and the registration information is targeted based on the registration information of the public key generated based on the issued digital certificate. A key registration unit that registers a public key in the public key storage unit together with the issued electronic certificate is provided.

With such a configuration, among the private key and the public key created based on the issued electronic certificate, the public key is registered in the public key storage unit together with the corresponding electronic certificate based on the registration information. As a result, the legitimacy of the public key is enhanced by providing the highly reliable digital certificate.

As a preferred configuration, the application information includes location information indicating the current location detected by the location measuring device provided in the terminal to which the application information is transmitted, and the location information included in the application information. And a location information processing unit that determines the degree of coincidence with the location of the corporation included in the corporation information corresponding to the specific corporation number, and the certificate issuing unit further includes the location information for issuing the electronic certificate. The determination result of the processing unit is reflected.

According to such a configuration, the degree of matching between the location information of the terminal that has transmitted the application information and the location of the corporation included in the corporation information corresponding to the specified corporation number is reflected in the judgment of validity, so the application information Is more legitimate and the trustworthiness of the digital certificate is higher.

As a preferred configuration, an IP address obtained from a domain management device that manages a domain and its IP address in association with each other based on the domain corresponding to the corporate information of the application information, and an IP obtained from the domain that transmitted the application information. A domain information processing unit that determines the degree of coincidence with an address is further included, and the certificate issuing unit further reflects the determination result of the domain information processing unit in the issuance of the electronic certificate.

With such a configuration, the degree of agreement between the IP address obtained from the domain management device based on the domain corresponding to the corporate information of the application information and the IP address obtained from the domain transmitting the application information is correct. Since it is reflected in the judgment, the validity of the application information is enhanced and the reliability of the digital certificate is further enhanced.

As a preferred configuration, the application information includes sender information, which is information indicating a person in charge of transmitting the communication message with the electronic certificate, and the certificate issuing unit stores the sender information. Including the above, the electronic certificate is issued.

With such a configuration, the sender information is added to the electronic certificate, so that the reliability of the electronic certificate is further enhanced.
As a preferred configuration, the application information includes recipient information that is information indicating a person who is in charge of receiving the communication message with the electronic certificate, and the certificate issuing unit includes the recipient information. And issue the electronic certificate.

With such a configuration, since the recipient information is added to the electronic certificate, the reliability of the electronic certificate is further improved for the recipient who receives the electronic certificate.
An electronic certificate utilizing terminal that solves the above problem is an electronic certificate utilizing terminal that issues an electronic certificate and applies for issuance of an electronic certificate to an electronic certificate management system that manages the issued electronic certificate. The electronic certificate management system is the electronic certificate management system according to any one of the above, and the electronic certificate using terminal includes corporate information and a specific corporate number uniquely assigned to the corporate. The application information is generated and transmitted to the electronic certificate management system, and the electronic certificate issued by the electronic certificate management system for the transmitted application information is received, and based on the received electronic certificate The gist of the present invention is to provide an application unit for applying the public key of the generated pair of public key and private key to the electronic certificate management system together with the electronic certificate.

With such a configuration, it becomes possible to obtain a highly reliable electronic certificate using a specific corporation number and to publish a public key related to the electronic certificate.
An electronic certificate utilizing terminal that solves the above-mentioned problems is an electronic certificate utilizing terminal that issues an electronic certificate and requests a verification of the electronic certificate from an electronic certificate management system that manages the issued electronic certificate. The electronic certificate management system is the electronic certificate management system according to any one of the above, wherein the electronic certificate using terminal receives an electronic certificate including a specific corporate number received from a sender. It is sent to the management system, the verification of the validity of the transmitted electronic certificate is requested to the electronic certificate management system, and the determination that the request is valid can be obtained from the electronic certificate management system. The electronic certificate sent by the sender based on the above, and the fact that the electronic certificate is trusted indicates the domain information of the electronic certificate utilizing terminal, the address information of the user of the electronic certificate utilizing terminal, and the transmission. A receiver for transmitting to the electronic certificate management system together with at least one piece of address information of the person.

According to such a configuration, when a highly reliable digital certificate using a specific corporate number is trusted, the fact that the digital certificate is trusted, that is, a message attached with the digital certificate is used, The electronic certificate management system can manage history. This enhances the traceability of communication.

According to the electronic certificate management system, the electronic certificate using terminal and the electronic certificate management method, the reliability of the electronic certificate can be further enhanced.

The block diagram which shows the schematic structure about one embodiment which materialized the electronic certificate management system, the electronic certificate utilization terminal, and the electronic certificate management method. FIG. 3 is a schematic diagram showing an outline of a data structure of a digital certificate used in the same embodiment. In the same embodiment, a block diagram showing a schematic configuration of an application unit of the electronic certificate using terminal. 3 is a block diagram showing a schematic structure of an authentication gateway in the embodiment. FIG. 3 is a schematic diagram showing a schematic structure of application information data received by an authentication gateway in the embodiment. FIG. 3 is a schematic diagram showing a schematic structure of data of disclosure contract information received by an authentication gateway in the embodiment. FIG. 3 is a schematic diagram showing a schematic structure of registration data of a digital certificate history received by an authentication gateway in the embodiment. FIG. 3 is a schematic diagram showing a schematic structure of reference data of a digital certificate history received by an authentication gateway in the embodiment. FIG. In the embodiment, a sequence diagram showing a processing procedure when the authentication gateway issues an electronic certificate. In the embodiment, a sequence diagram showing a processing procedure for obtaining a public key from an authentication gateway. In the same embodiment, a sequence diagram showing a processing procedure of transmitting and receiving a communication message. The schematic diagram showing the outline of other data structures about a digital certificate.

An embodiment in which a digital certificate management system, a digital certificate using terminal, and a digital certificate management method are embodied will be described with reference to FIGS. 1 to 11.
As shown in FIG. 1, a communication system 10 includes a domain management device 12, a first terminal 13, a second terminal 14, which are communicably connected to each other via an open network Internet N. An authentication gateway 30 as an electronic certificate management system is provided. Further, the authentication gateway 30 is connected to the corporate information management device 15 that manages corporate information so as to be capable of mutual communication through a communication path different from the Internet N.

The authentication gateway 30 is a so-called certification authority (CA), and has a function of issuing an electronic certificate (electronic certificate issuing function) and a function of managing the issued electronic certificate and its history (history function). And a function of releasing the registered public key (public key repository function).

As shown in FIG. 2, in this embodiment, the digital certificate 50 is a digital certificate of the “ITU-T X.509 v3” standard, and includes a pre-signature certificate 501, a signature algorithm 502, and a digital signature 503. Have. The basic area of the pre-signature certificate 501 is certificate version information 50a, certificate serial number 50b, hash function/public key cryptographic algorithm 50c, certificate issuer (certificate authority) 50d, certificate validity period 50e, certificate Issued: It has a corporation name 50f and an issued public key 50g. In the present embodiment, of these, the name of the corporation that has applied for the issuance of the electronic certificate is stored in the certificate issue target: corporation name 50f, and the issuance target public key 50g applies for the issuance of the electronic certificate. The public key generated by the corporation is stored.

The pre-signature certificate 501 has an extension area that can be used according to the purpose. In the present embodiment, the extended area of the pre-signing certificate 501 has corporate information 50h such as a specific corporate number and position information. In the corporate information 50h such as the specific corporate number/position information, the “corporate number” as the specific corporate number of the corporation that has applied for the issuance of the electronic certificate and the “corporate information” such as location information are stored. In the present embodiment, the "corporate number" is "the law concerning the use of numbers for identifying specific individuals in administrative procedures (May 31, 2013, Law No. 27)", It is a corporate number defined by the so-called number law.

As shown in FIG. 1, each of the first terminal 13 and the second terminal 14 is a computer device including a personal computer. The first terminal 13 and the second terminal 14 make various processing requests to various server devices such as the domain management device 12 and the authentication gateway 30 connected via the Internet N, and receive responses to the processing requests. For example, the first terminal 13 and the second terminal 14 may be connected to a mail server (not shown), and may exchange e-mail with each other via the mail server. In addition, the first terminal 13 and the second terminal 14 have a position measuring device such as GPS, and the current position detected by the position measuring device can be attached to communication data and transmitted. The first terminal 13 and the second terminal 14 have clocks, and can attach the current time measured by the clocks to communication data and transmit the data. In addition, in the present embodiment, the first terminal 13 and the second terminal 14 belong to different corporations, and these corporations each issue the electronic certificate 50 from the authentication gateway 30 and the public key to the authentication gateway 30. Have registered. Therefore, the first terminal 13 and the second terminal 14 can mutually request the authentication gateway 30 to authenticate the electronic certificate 50 and request to obtain the public key.

The first terminal 13 includes an application unit 13a as an electronic certificate using terminal that makes a predetermined application as a processing request to the authentication gateway 30, a transmission unit 13b that transmits a communication message with an electronic certificate to a recipient, and an electronic unit. It has a reception unit 13c as an electronic certificate using terminal that receives a communication message with a certificate from a sender. The second terminal 14 has an application unit 14a, a transmission unit 14b, and a reception unit 14c, and these functions are the same as the functions of the application unit 13a, the transmission unit 13b, and the reception unit 13c of the first terminal 13, respectively. Because it is similar, the detailed explanation is omitted.

The application unit 13 a processes the application for issuing the electronic certificate 50 to the authentication gateway 30, the process for receiving the electronic certificate 50 issued from the authentication gateway 30, and the public key disclosure to the authentication gateway 30. Perform processing to apply.

As shown in FIG. 3, the application unit 13a includes a certificate application unit 20, a certificate acquisition unit 21, a key generation unit 22, a signature unit 23, and a key disclosure application unit 24.
As shown in FIG. 5, the certificate application unit 20 acquires the information required to issue the electronic certificate 50 and generates the application information D1 required to issue the electronic certificate 50, and the generated application information. Apply for the issuance of the electronic certificate 50 based on D1 to the authentication gateway 30. The application information D1 is, for example, “corporate number D1a”, “organization name D1b”, “base address D1c”, “applicant name D1d”, “applicant identification code D1e”, “applicant terminal location information etc. D1f”. Including. The "organization name D1b" and the "base address D1c" compose "corporate information", and the "applicant name D1d" and "applicant identification code D1e" compose "applicant information". Further, the “applicant terminal position information etc. D1f” includes “latitude, longitude” and “time”. The “applicant identification code D1e” is a code for identifying an individual applicant, and may be an employee or customer number managed by a corporation or the like, an individual number managed by the administration, or the numbering system If allowed, it may be a personal number specified by the Number Law.

By the way, in the present embodiment, the “applicant” is a person who performs procedures such as application for the corporation on behalf of the corporation, and is, for example, an employee of the corporation, and the corporation transmits a message. In this case, the employee becomes the "applicant" or "sender". Further, when a corporation receives a message, employees of the corporation become “recipients”.

As shown in FIG. 3, the certificate acquisition unit 21 acquires the electronic certificate 50 issued in response to the application from the authentication gateway 30 and stores it in the first terminal 13.
The key generation unit 22 adds the contents of the extended area to the obtained electronic certificate 50, and based on the electronic certificate 50 to which the contents of the extended area are added, a pair of secret keys corresponding to the public key cryptosystem and Generate a public key.

The signature unit 23 stores the public key in the public key 50g to be issued of the received digital certificate 50, stores the algorithm of the public key cryptosystem in the signature algorithm 502 of the digital certificate 50, and stores the digital signature 503. The digital signature generated by the private key is stored in.

As shown in FIG. 6, the key disclosure application unit 24 generates the public key registration information D2 including the signed digital certificate 50 with the public key, and registers the public key based on the generated registration information D2. Apply to the authentication gateway 30. The registration information D2 includes, for example, "sender address D2a", "signed corporate public key D2b", "signed private public key D2c", "recipient address D2d", "applicant terminal location information etc. D2e". .. The “applicant terminal position information etc. D2e” includes “latitude, longitude” and “time”. If the private public key does not exist or is unnecessary, the signed private public key does not need to be stored in the signed private public key D2c. If the recipient is not specified, the recipient address does not have to be stored in the recipient address D2d.

The transmission unit 13b sends the communication text with the electronic certificate 50 to the recipient. More specifically, the transmission unit 13b calculates a so-called message digest (MD), which is a value such as a hash value that cannot reproduce the message from the message, in a predetermined method, and uses the calculated MD as its own secret. Encode with a key. Then, the transmitting unit 13b attaches the encoded MD and the electronic certificate 50 including the public key to the message and sends the message to the recipient. The transmission unit 13b notifies the authentication gateway 30 of information that the sender has attached the electronic certificate 50 of the sender and has sent the communication text, and the history is managed by the authentication gateway 30 as a history of the electronic certificate 50 of the sender. You may do it. For example, the information indicating that the message has been sent includes "sender address", "sender's corporate electronic certificate", "sender's personal electronic certificate", "recipient address", and "sender terminal". Location information etc." is included.

In the case of concealing the communication text, the transmission unit 13b encrypts the communication text with the public key of the recipient acquired in advance, and the encrypted communication text includes the encoded MD and the public key 50. And attach and send to the recipient. In order to acquire the public key, acquisition information having “sender address”, “recipient address”, “corporate electronic certificate number”, and “individual electronic certificate number” is transmitted to the authentication gateway 30.

At this time, the transmission unit 13b indicates that the communication text encrypted with the recipient's public key has been sent as the "sender address", the "receiver's corporate electronic certificate number", and the "receiver's personal electronic certificate number". , “Recipient address”, “Sender terminal position information, etc.”, and the history is managed by the authentication gateway 30 as a history of the electronic certificate 50 of the recipient.

The receiving unit 13c receives the message sent from the sender and the encoded MD attached to the message and the electronic certificate 50 including the public key. The receiving unit 13c calculates the MD from the communication text by the same prespecified method as the transmitting unit 13b. In addition, the receiving unit 13c confirms the validity of the electronic certificate 50 with the certificate authority that issued the electronic certificate 50, here the authentication gateway 30, and based on the confirmation result being "valid", the electronic certificate The MD encoded with the public key of the certificate 50 is restored to obtain the MD. Then, the receiving unit 13c verifies the non-tampering of the communication text and the reliability of the sender of the public key based on that the MD calculated from the communication text and the MD restored with the public key match. To do. On the other hand, if the non-tampering of the communication text cannot be verified or the reliability of the sender of the public key cannot be verified, the receiving unit 13c warns that and/or discards the communication text. The reception unit 13c indicates that the sender's electronic certificate 50 has been verified by the "sender address", "sender's corporate electronic certificate", "sender's individual electronic certificate", "recipient address", " It is also possible to notify the authentication gateway 30 together with the “recipient terminal position information and the like” and manage the history as a history of the sender's electronic certificate 50.

If the communication text is encrypted, the receiving unit 13c decrypts the communication text with its own secret key. Since the communication text encrypted with the public key of the recipient can be decrypted only with the private key of the recipient, the communication text is hidden using the public key cryptosystem.

At this time, as shown in FIG. 7, the reception unit 13c trusts the communication text encrypted with the public key of the receiver and notifies the authentication gateway 30 of the fact that the communication text is decrypted with the same content as the record information D3. The history of the recipient's electronic certificate 50 is managed by the authentication gateway 30. That is, the receiving unit 13c outputs the "sender address D3a", "corporate electronic certificate number D3b", "individual electronic certificate number D3c", "recipient address D3d", "recipient terminal position information etc. D3e", etc. Notify the authentication gateway 30. The history of the sender's electronic certificate 50 may be associated.

The domain management device 12 is a server device including a computer, and manages the latest registration information of domain names registered on the Internet N. Since the relationship between the "domain name" and the "IP address" often changes, the domain management device that manages the latest correspondence relationship each time the "IP address" corresponding to the "domain name" is referenced. It is certain to confirm the correspondence relationship with 12. The domain management device 12 receives a request for a domain name search from the authentication gateway 30, and returns an “IP address” corresponding to the domain as a result of the search request. In the request for the domain name search, “host name” and “domain name” are input to the domain. The domain management device 12 may input other information in addition to the “host name” and “domain name”, or may return other domain registration information in addition to the “IP address”.

The corporate information management device 15 is a server device including a computer, and manages a “corporate number” and a “public corporate electronic certificate” corresponding to the “corporate number”. The "public corporate electronic certificate" includes corporate information such as "corporate registration information", "trade name", "name", "head office", and "location of main office". Therefore, the corporate information management device 15 is a device that is directly or indirectly managed by a predetermined public organization such as a country. The corporate information management device 15 receives an inquiry from the authentication gateway 30 using the “corporate number” and the “corporate information”, and returns a “public corporate electronic certificate” corresponding to the “corporate number”. That is, the authentication gateway 30 acquires a highly reliable "public corporate electronic certificate" managed by the country based on the "corporate number", and uses the acquired "public corporate electronic certificate" as the acquired "public corporate electronic certificate". The included “corporate information” and the “corporate information” of the application information D1 are compared, and the validity of the application information D1 can be determined by obtaining the degree of coincidence.

Next, the authentication gateway 30 will be described in detail with reference to FIG. As described above, the authentication gateway 30 is a certificate authority and has an electronic certificate issuing function, a public key repository function, and a history function. The authentication gateway 30 is a server device including a computer and has a storage unit 45 that stores various data necessary for various processes.

The storage unit 45 is composed of a storage device such as a hard disk, and a storage area for storing data includes a digital certificate database (DB) 451, a public key DB 452 as a public key storage unit, and a certificate history storage. A history DB 453 as a unit is provided. The electronic certificate DB 451 stores the electronic certificate 50 issued by the authentication gateway 30, the public key DB 452 stores the electronic certificate 50 including the public key, and the history DB 453 stores the electronic certificate 50 including the public key. The acquisition history and the like are stored as a history regarding the electronic certificate 50.

Further, the authentication gateway 30 has, as an electronic certificate issuing function, an issue application processing unit 31, a domain information determination unit 32 as a domain information processing unit, a corporate information determination unit 33, a position information processing unit 34, and a personal identification. An information processing unit 35, a certificate issuing unit 36, a certificate registration unit 37, and a certificate verification unit 38 as a reply unit are provided.

The electronic certificate issuing function issues the electronic certificate 50 and registers the public key.
The issue application processing unit 31 receives the application information D1 from the application units 13a and 14a of the first terminal 13 and the second terminal 14, and determines whether or not the bibliographic items of the application information D1 are appropriate.

The domain information determination unit 32 requests the domain management device 12 to search for the “domain name” obtained based on the “corporate information” included in the application information D1, and corresponds to the “domain name” as a result of this search request. An "IP address" is obtained as the domain information. Further, the domain information determination unit 32 determines that the “IP address” corresponding to the “domain name” obtained from the domain management device 12 and the “IP address” obtained from the domain transmitting the application information D1 match each other. It is determined that the degree of matching is high, and if they do not match, it is determined that the degree of matching is low.

The corporate information determination unit 33 requests the corporate information management device 15 to perform a search based on the corporate number, and obtains a "public corporate electronic certificate" as a result of the search request. Further, the corporate information determination unit 33 compares the “corporate information” included in the application information D1 with the “corporate information” included in the acquired “public corporate electronic certificate”, and if they match, the degree of coincidence is high. It is determined to be high (valid), and if they do not match, the degree of matching is low (not valid). Since the corporation information judging unit 33 can obtain a highly reliable “public corporation electronic certificate” from the corporation information management device 15 based on the corporation number, the corporation information judging unit 33 checks the “corporate information” in issuing the electronic certificate 50. The accuracy will be improved, the inspection load will be reduced, and the variation in inspection will be reduced.

The degree of matching is, for example, “name” of corporate information included in “public corporate electronic certificate”, “
"Location of main office" is compared with "organization name D1b" and "base address D1c" of "corporate information" of application information D1. It should be noted that the address and the like may be determined in terms of the degree of coincidence in consideration of fluctuation in expression. Further, the items of the corporate information included in the “public corporate electronic certificate” and the corporate information included in the application information D1 do not always match, so consideration should be given to the combination of corresponding items and the importance of the items. You may consider the degree.

The position information processing unit 34 determines the identity between the “main office location” of the corporate information and the “longitude, latitude” included in the “applicant terminal position information etc. D1f” of the application information D1, and this determination result Is added to the determination of the degree of coincidence. This verifies that the application is made from the "main office location", prevents applications made from different locations, and increases the legitimacy of the application. In addition, the position information processing unit 34 verifies whether the “time” included in the “applicant terminal position information etc. D1f” is a normal business time, and adds this verification result to the determination of the degree of coincidence. Good. As a result, the time that can be applied is narrowed down to an appropriate range, inappropriate applications are excluded, and the validity of the application is further enhanced.

The personal identification information processing unit 35 determines the reliability of the “applicant name D1d” and the “applicant identification code D1e” included in the “applicant information” of the application information D1 based on the reliability of the “corporate information”. To do. If the "applicant information" is reliable, the personal identification information processing unit 35 may cause the electronic certificate 50 to include the "applicant information", or the applicant may be based on the "applicant information". The (personal) electronic certificate 51 (see FIG. 12) may be issued. That is, the reliability of the individual electronic certificate 51 of the applicant is assured based on the legitimacy of the “corporate information” and the management ability of the employee information of the corporation.

The certificate issuing unit 36 determines by the domain information determining unit 32 that the degree of matching is high, the corporate information determining unit 33 determines that the degree of matching is high (valid), and the position information processing unit 34 determines. The electronic certificate 50 based on the application information D1 is issued based on the determination that the degree of matching is high. That is, the certificate issuing unit 36 reflects the determination result of the domain information determining unit 32, the determination result of the corporate information determining unit 33, and the determination result of the position information processing unit 34 in the issuance of the electronic certificate. The certificate issuing unit 36 returns the issued electronic certificate 50 to the sender of the application information D1.

Note that the certificate issuing unit 36 can include the “applicant information” in the electronic certificate 50 according to the determination result or the instruction of the personal identification information processing unit 35, and can apply based on the “applicant information”. The electronic certificate 51 (see FIG. 12) can be issued to the person (individual).

The certificate registration unit 37 registers and manages the electronic certificates 50 and 51 issued by the certificate issuing unit 36 in the electronic certificate DB 451. Further, the certificate registration unit 37 registers the issuance of the electronic certificates 50 and 51 in the history DB 453 via the history registration unit 42 as a history regarding the electronic certificates 50 and 51.

The certificate verification unit 38 determines whether or not the electronic certificate is valid in response to receiving the verification information including the issued electronic certificates 50 and 51 from the first terminal 13 or the like, The judgment result is returned. When the verification information includes the “sender address” and the “recipient address”, the certificate verification unit 38 also determines the validity of these addresses via the domain information determination unit 32 and makes the determination. You can also send back the results.

The authentication gateway 30 includes a key registration unit 40 and a key search unit 41 as a public key repository function. The public key repository function registers a public key and makes the registered public key open to the public via the Internet N or the like so that the user of the authentication gateway 30 can obtain it.

As shown in FIG. 6, the key registration unit 40 registers the public key in the public key DB 452 based on the registration information D2. When the public key is registered in the public key DB 452, the key registration unit 40 generates registration information D2, and additionally registers the generated registration information D2 in the history DB 453 as a history regarding the electronic certificate 50 attached to the public key. .. The registration information D2 has a “sender address D2a”, a “signed corporate public key D2b”, a “signed private public key D2c”, a “recipient address D2d”, and a “sender terminal position information etc. D2e”.

The “sender address D2a” is the address of the person who publishes the public key, and the “signed corporate public key D2b” is the signed electronic certificate 50 including the generated public key of the corporation. The "signed private public key D2c" is the signed digital certificate 51 including the created private public key, and the "recipient address D2d" is the use of the public key specified by the public key creator. The sender's address, and the “sender terminal location information D2e” is the location of the sender. The "signed private public key D2c", the "recipient address D2d", and the "sender terminal location information D2e" may not be stored unless necessary.

The key search unit 41 searches the public key registered in the public key DB 452 based on the received acquisition information, and returns the searched public key. The acquired information has “sender address”, “recipient address”, “corporate electronic certificate number”, and “individual electronic certificate number”. Then, the key search unit 41 additionally registers in the history DB 453 that the public key is searched for from the public key DB 452 in association with the electronic certificate 50 attached to the public key.

The “sender address” is the address of the sender of the communication message, and the “recipient address” is the address of the recipient of the communication message who has published the public key. The “corporate electronic certificate number” and the “individual electronic certificate number” are numbers for identifying electronic certificates of corporations and individuals. For searching and registering history, it is only necessary to be able to specify the electronic certificate or public key registered in the authentication gateway 30, so these electronic certificates are unique rather than "corporate electronic certificate" or "personal electronic certificate". All you need to know is the "corporate electronic certificate number" and "personal electronic certificate number" you have. This point is the same in the following description. Instead of the "corporate electronic certificate number" or the "individual electronic certificate number", the "corporate electronic certificate" or the "individual electronic certificate" itself may be used.

The authentication gateway 30 has a history registration unit 42 and a history reference unit 43 as a history search unit as history functions. The history function stores the history in which the digital certificate and the public key are generated and is used, and makes them available for reference.

As shown in FIG. 7, the history registration unit 42 stores, in the history DB 453, “sender address D3a”, “corporate electronic certificate number D3b”, “individual electronic certificate number D3c”, and “recipient address” as record information D3. "D3d" and "recipient terminal position information etc. D3e" are registered.

The history registration unit 42 registers in the history DB 453 that the electronic certificate and the public key are generated and used. For example, in the history registration unit 42, the certificate issuing unit 36 issues the electronic certificate 50, the key registration unit 40 registers the public key in the public key DB 452, and the key search unit 41 is registered in the public key DB 452. The public key is searched, and the reply and other information are registered. In addition, the history registration unit 42 uses the history DB 453 as a history relating to the electronic certificate to which the public key is attached, to the effect that the recipient of the communication text decrypts the communication text received from the sender of the communication text using the public key. Register with. As a result, the recipient of the message can trust that the message received from the sender of the message is trusted based on the electronic certificate 50 and the like, and can verify that it has been decrypted.

As shown in FIG. 8, the history reference unit 43 receives the reference information D4 of the history regarding the electronic certificate 50 attached to the message from the sender of the message, searches the history regarding the electronic certificate 50, The search result is returned to the sender of the message. Thus, the sender of the communication message can confirm whether the receiver of the communication message has received the communication message and has decrypted the received communication message. The reference information D4 includes a "sender address D4a", a "recipient address D4b", a "referencer address D4c", a "referencer electronic certificate number D4d", and a "receiver terminal location information D4e". There is.

Further, the history reference unit 43 receives history reference information regarding the use of its own public key from the recipient of the message, searches the history regarding the electronic certificate 50, and returns the search result to the message. Reply to the recipient. Thus, the recipient of the message can confirm whether the sender of the message has acquired his public key.

(Action)
Next, the operation of the communication system 10 will be described with reference to FIGS. 9 to 11.
First, with reference to FIG. 9, a procedure in which the electronic certificate 50 is issued and the public key is disclosed will be described. Here, it is assumed that a corporation that requires the electronic certificate 50 requests the issuance of the electronic certificate 50 from the first terminal 13 to the authentication gateway 30 by the person in charge (applicant).

The first terminal 13 creates the application information D1 (message M10) for applying for the issuance of the electronic certificate by the application unit 13a, and performs the processing E10 of transmitting the created application information D1 to the authentication gateway 30.

The authentication gateway 30 receives the application information D1 from the first terminal 13 in the issue application processing unit 31 and performs the application content confirmation processing E11 for confirming the bibliographic items. As the application content confirmation processing E11, the issuance application processing unit 31 inspects whether the content of the application information D1 is excessive or deficient or inconsistent. Send to. Then, the first terminal 13, which has received the information indicating the rejection, performs the process E12 corresponding to the rejection. For example, as the processing E12 corresponding to the refusal, the refusal is transmitted on the screen display.

When the authentication gateway 30 confirms that the bibliographic items of the application information D1 are appropriate, the domain information determination unit 32 performs the verification process E13 based on the domain registration information. The domain information determination unit 32 makes an inquiry about the domain registration information in the verification process E13 and receives a reply to this inquiry. More specifically, the domain information determination unit 32 transmits the “host name” and the “domain name” (message M12) to the domain management device 12, and the domain registration information corresponding to the transmitted “host name” and “domain name”. "IP address" (message M13) is obtained from the domain management device 12 as a response. Then, the authentication gateway 30 determines the degree of coincidence between the “IP address” obtained by the domain information determination unit 32 and the “IP address” obtained from the application information D1. When the authentication gateway 30 determines that the degree of matching is low, the domain information determination unit 32 transmits information (message M11) to the effect that the domain is not accepted to the first terminal 13. Then, the first terminal 13 performs the process E12 corresponding to the information indicating the rejection.

Further, the authentication gateway 30 causes the corporate information determination unit 33 to perform verification processing E14 based on the corporate number. In the verification process E14, the corporation information determination unit 33 inquires about corporation information and obtains a response to this inquiry. More specifically, the corporate information determination unit 33 transmits the “corporate number” (message M14) to the corporate information management device 15, and the corporate information management device 15 displays “public corporate body” as the check result corresponding to the transmitted corporate number. An electronic certificate" (message M15) is obtained as a reply. Then, the authentication gateway 30 determines, by the corporate information determination unit 33, the degree of matching between the “corporate information” included in the “public corporate electronic certificate” obtained as a response and the “corporate information” of the application information D1. ..

At this time, the location information processing unit 34 also includes the location of the main office included in the corporate information of the "public corporation electronic certificate" and the "applicant terminal location information D1f" of the application information D1. The identity (degree of coincidence) with “longitude, latitude” may be determined and reflected in the determination of the electronic certificate issuance by the certificate issuing unit 36. Further, in the position information processing unit 34, the “time” included in the “applicant terminal position information etc. D1f” verifies the degree of coincidence with normal business hours, and the certificate issuing unit 36 determines the electronic certificate. It may be reflected. By such a comparison, the reliability of the electronic certificate 50 with respect to the corporation can be further enhanced.

Then, when it is determined that the degree of coincidence is low, the authentication gateway 30 transmits information (message M11) to the effect that it is not accepted from the corporate information determination unit 33 to the first terminal 13. Then, the first terminal 13 performs the process E12 corresponding to the information indicating the rejection.

Further, when the determination results of the domain information determination unit 32, the corporate information determination unit 33, and the position information processing unit 34 are all determined to have a high degree of coincidence, the authentication gateway 30 issues a certificate issuing unit 36. Then, the electronic certificate 50 issuance process E15 is performed. In the issuing process E15, the certificate issuing unit 36 issues the electronic certificate 50 shown in FIG. 2 based on the application information D1. Further, in the authentication gateway 30, the certificate registration unit 37 registers the electronic certificate 50 in the electronic certificate DB 451, and the history registration unit 42 registers in the history DB 453 that the electronic certificate 50 has been issued. The authentication gateway 30 also transmits the issued electronic certificate 50 (message M16) to the first terminal 13. Then, the first terminal 13 performs a receiving process E16 of the electronic certificate 50 in the application unit 14a. The authentication gateway 30 may issue the electronic certificate 51 (see FIG. 12) to the applicant (individual) of the corporation by the certificate issuing unit 36.

When the first terminal 13 receives the electronic certificate 50, the application unit 13a performs a process E17 of applying for registration of the public key. The application unit 13a generates a public key and a private key, stores the public key in the electronic certificate 50 in the process E17 of applying for registration of the public key, and then uses the digital certificate using the private key in the digital certificate 50. Is added. Then, the first terminal 13 generates registration information D2 including the digital certificate with the digital signature applied by the application unit 13a, and transmits the generated registration information D2 (message M17) to the authentication gateway 30.

When the authentication gateway 30 receives the registration information D2 from the first terminal 13, the key registration unit 40 performs public key registration processing E18. In the registration processing E18, the key registration unit 40 registers the public key included in the received registration information D2 in the public key DB 452, and the history registration unit 42 registers the public key corresponding to the electronic certificate 50. The history is registered in the history DB 453.

As a result, the authentication gateway 30 issues the electronic certificate 50 in response to the electronic certificate issuance application from the corporation, and also publishes the public key generated by the corporation based on the issued electronic certificate 50.

Next, with reference to FIG. 10, a procedure in which the sender of the communication message (the second terminal 14) acquires the public key of the receiver will be described. Here, it is assumed that the sender of the communication message uses the second terminal 14 to transmit the communication message to the receiver. In addition, the sender of the communication text shall encrypt the communication text with the acquired public key.

The second terminal 14 generates acquisition information of the public key disclosed by the receiver by the transmission unit 14b (process E20), and transmits the generated acquisition information of the public key (message M20) to the authentication gateway 30. The public key acquisition information includes the "sender address" and "recipient address" of the communication message.

The authentication gateway 30 causes the key search unit 41 to perform processing E21 of receiving public key acquisition information from the second terminal 14 and disclosing the public key. The key search unit 41 transmits the “sender address” and the “recipient address” (message M21) included in the acquired information to the domain management device 12 in the process E21 of disclosing the public key, and corresponds to each transmitted address. The latest "domain registration information" is obtained from the domain management device 12 as the inquiry result (message M22). Then, in the authentication gateway 30, the key search unit 41 transmits the public key (message M23) corresponding to the latest “domain registration information” based on the “recipient address” to the second terminal 14. Therefore, the second terminal 14 performs the process E22 of acquiring the public key corresponding to the "recipient address" by receiving the message M23.

Further, in the authentication gateway 30, the history registration unit 42 transmits the acquisition information of the public key as the history of the electronic certificate 50 corresponding to the public key, such as “sender address”, “recipient address”, and “time”. Is registered in the history DB 453. This makes it possible to verify that the sender of the message has obtained the public key.

Next, with reference to FIG. 11, a process when a communication message is transmitted and received will be described. Here, it is assumed that the sender of the message transmits the message using the second terminal 14, and the receiver of the message receives the message using the first terminal 13.

First, the second terminal 14 performs a process E30 of acquiring from the authentication gateway 30 the public key (message M30) corresponding to the “recipient address” of the recipient of the communication message by the transmission unit 14b, and communicates with the acquired public key. A cryptographic process E31 for encrypting a sentence is performed. Then, the second terminal 14 performs a process E32 of transmitting the communication start information (message M31) to the authentication gateway 30 by the transmitting unit 14b.

The authentication gateway 30 causes the history registration unit 42 to perform processing E33 of registering in the history DB 453 of the electronic certificate 50 that the encrypted communication text has been transmitted. In the registration process E33, the history registration unit 42 registers the “electronic certificate number”, the “sender address”, and the “recipient address” obtained from the communication start information in the history DB 453 as a history of the electronic certificate 50. This makes it possible to verify that the communication message has been sent from the sender to the receiver. The history registration unit 42 may verify the “sender address” and the “recipient address”. That is, the history registration unit 42 sends the sender's “sender address” and “recipient address” (message M32) to the domain management device 12 in order to make a domain inquiry, and the inquiry result (message M33) is domain managed. Obtained from device 12. As a result, the legitimacy of the “sender address” and the “recipient address” can also be registered as a history regarding the electronic certificate 50, and the reliability of the history can be improved.

Further, the second terminal 14 transmits the communication text (encoded communication text) (message M34) encrypted by the transmission unit 14b to the receiver. In addition to the encoded communication text, the communication text includes "sender's electronic certificate number", "recipient's electronic certificate number", "sender's address", "recipient's address", etc. Be done.

The first terminal 13 performs a reception process E34 of the encoded communication text received from the second terminal 14 by the receiving unit 13c. In the reception process E34, the reception unit 13c sends the communication content to the authentication gateway 30 in order to verify the sender of the communication message (message M35). The authentication gateway 30 causes the certificate verification unit 38, the domain information determination unit 32, and the like to start the verification process E35 in response to the verification request. The verification process E35 may verify the “sender address” and the “recipient address”. That is, the verification process E35 sends the “sender address” and the “recipient address” (message M36) to the domain management device 12 to make a domain inquiry, and obtains the inquiry result (message M37) from the domain management device 12. .. Then, the authentication gateway 30 verifies each address based on the verification result, and transmits the verification result (message M38) to the first terminal 13. Thereby, the legitimacy of the "sender address" and the "recipient address" is verified.

When the validity of the sender cannot be verified, the first terminal 13 determines that the sender is unreliable by the receiving unit 13c, and determines that the reliability of the encoded communication text is low. Then, the first terminal 13 does not decode the encoded communication text and discards it, or notifies the display screen that it is unreliable.

On the other hand, in the first terminal 13, when the validity of the sender can be verified, the receiving unit 13c determines that the sender of the communication text is reliable, and performs the decryption process E36 for decrypting the encrypted communication text. .. In the decryption process E36, the communication text (encoded communication text) encrypted with the public key of the recipient is decrypted with the private key of the recipient. Since the encoded communication message can be decrypted with its own private key, the tampering of the communication message is ensured.

In addition, the first terminal 13 causes the receiving unit 13c to perform a process E37 of sending the reception history information (message M39) indicating that the encoded communication text is reliably decoded to the authentication gateway 30. The reception history information has the same contents as the record information D3 and includes a "sender address", a "corporate electronic certificate number", a "personal electronic certificate number", and a "recipient address". When the authentication gateway 30 receives the reception history information from the first terminal 13, the history registration unit 42 performs a process E38 of registering the fact in the history DB 453 as a history regarding the electronic certificate 50 of the sender. This allows the sender of the message to verify that the recipient has decrypted the message.

That is, the authentication gateway 30 transmits a notification (message M40) indicating that the encoded communication text has been decoded by the first terminal 13 to the second terminal 14, and the notification is transmitted by the transmission unit 14b of the second terminal 14. , Is received as the latest history regarding the history regarding the electronic certificate 50 of the user. As a result, the second terminal 14 can know in a short time that the coded communication message transmitted by the second terminal 14 has been decoded by the first terminal 13 in real time.

In addition, the second terminal 14 transmits the reference information D4 (message M41) of the history regarding the electronic certificate 50 of the second terminal 14 to the authentication gateway 30 (process E39). The authentication gateway 30 searches the history regarding the sender's electronic certificate 50 according to the reference information D4 received from the second terminal 14, and returns the search result (message M42). Even in this case, the sender of the communication message (the second terminal 14) checks the history of the electronic certificate 50 used for the communication together with the communication message, and thus the receiver (the first terminal 13) who has received the communication message. ) Can confirm whether or not the message has been decrypted.

As described above, according to the digital certificate management system, the digital certificate using terminal, and the digital certificate management method according to the present embodiment, the effects described below can be obtained.
(1) The "certificate information" included in the application information D1 is determined to be valid based on the degree of matching with the corporate information obtained based on the "corporate number", and thus the electronic certificate 50 Is issued. In other words, when it is determined that the “corporate information” included in the application information D1 is not valid, the electronic certificate 50 is not issued. Therefore, the risk that the electronic certificate 50 is issued in response to an unauthorized application for issuing an electronic certificate such as spoofing is reduced, and the reliability of the electronic certificate 50 is improved. Further, in issuing the electronic certificate 50, it is possible to improve the accuracy of the examination of “corporate information”, reduce the examination load, and reduce the variation in examination.

(2) With respect to the issued digital certificate 50, a history relating to the digital certificate 50 can be searched and referenced from the outside.
(3) Of the private key and public key created based on the issued electronic certificate 50, the public key is registered in the public key DB 452 together with the corresponding electronic certificate 50 based on the registration information D2. As a result, the legitimacy of the public key is enhanced by providing the highly reliable digital certificate.

(4) Since the degree of coincidence between the “location information” of the terminal that has transmitted the application information D1 and the “location of the main office” included in the corporate information corresponding to the corporate number is reflected in the determination of validity, The validity of the application information D1 is further enhanced, and the reliability of the electronic certificate 50 is further enhanced.

(5) The degree of matching between the “IP address” obtained from the domain management device 12 based on the domain corresponding to the “corporate information” of the application information D1 and the “IP address” obtained from the domain that transmitted the application information D1 Is reflected in the validity determination, the validity of the application information D1 is enhanced, and the reliability of the electronic certificate 50 is further enhanced.

(6) The reliability of the electronic certificate 50 is further increased by adding the sender information, which is the person in charge of the corporation, to the electronic certificate 50.
(7) Since the recipient information indicating the recipient of the message is added to the electronic certificate 50, the reliability of the electronic certificate 50 is further enhanced for the recipient who receives the electronic certificate 50.

(8) Since the fact that the receiving terminal has requested the verification of the electronic certificate 50 is registered in the history DB 453, the traceability of communication is improved.
(9) Since the receiving terminal registers that the public key is trusted, that is, the communication text is decrypted by using the public key, the traceability of communication is improved. For example, the sender of the message can confirm that the message has been decrypted at the receiving terminal.

(10) According to the terminal that generates the application information D1 including the specific corporate number and applies for the issuance of the electronic certificate with the application information D1, acquisition of a highly reliable electronic certificate using the specific corporate number, It becomes possible to publish the public key related to the electronic certificate.

(11) According to the terminal notifying that the highly reliable electronic certificate using the specified corporate number is trusted, the message that the electronic certificate is trusted, that is, the communication message to which the electronic certificate is attached is used. Therefore, the history can be managed by the digital certificate management system. This enhances the traceability of communication.

(Other embodiments)
The above-described embodiment can also be implemented in the following modes.
In the above embodiment, the case where the electronic certificate 50 of a corporation is issued based on the corporation number is illustrated. However, this is not the only option, and for non-corporate individuals as well, as long as a highly reliable institution such as a public institution can verify the specific individual number that identifies the individual, a digital certificate that is highly reliable for the individual May be issued.

More specifically, as shown in FIG. 12, the electronic certificate 51 has the same items (51a to 51e, 512, 513) as the electronic certificate 50. The name of the individual who has applied for issuance of the electronic certificate is stored in the certificate issuance target: individual name 51f of the electronic certificate 51, and the issuance target public key 51g is for the issuance of the electronic certificate The public key generated by the individual may be stored. Further, the extension area of the pre-signing certificate 511 may have personal identification information 51h such as a specific personal number and position information. The personal identification information 51h such as the specific personal number and position information includes an electronic certificate. Personal information such as a specific personal number or location information of an individual who has applied for issuance of may be stored.

In the above embodiment, the case where the corporate electronic certificate 50 and the individual electronic certificate 51 are different has been illustrated. However, not limited to this, a plurality of electronic certificates may be handled as a group. For example, one electronic certificate may have a corporate electronic certificate and an individual electronic certificate. In this case, each electronic certificate may be verified.

In the above-described embodiment, the case where the authentication gateway 30 and the corporate information management device 15 are connected to each other via the communication path different from the Internet N so that they can communicate with each other has been illustrated. However, the present invention is not limited to this, and if the confidentiality of communication can be maintained, the authentication gateway and the corporate information management device may be connected via the Internet N so that they can communicate with each other.

In the embodiment described above, the extended area of the electronic certificate 50 is provided with an item of corporate information 50h such as a specific corporate number and position information, and "corporate information" is stored in this item. However, not limited to this, in addition to the corporate information being stored in items such as specific corporate number and location information, the expanded area is provided with items such as "applicant name" and "applicant identification number". The corresponding contents may be stored in each item. Further, an item “recipient information” may be provided and the content corresponding to this item may be stored. As a result, the validity of the electronic certificate 50 can be improved.

In the above embodiment, the case where the current position is detected by GPS etc. has been illustrated. However, the present position is not limited to this, and the current position may be detected based on a wireless or wired telephone communication network, a mail delivery area, or the like, or may be detected using GPS and the like.

In the above-described embodiment, the sender of the communication message (second terminal 14) gives a notification (message M40) that the encoded communication message transmitted by itself has been decoded by the receiver (first terminal 13). The case where it can be confirmed by receiving and the reply of the search result (message M42) with respect to the reference information D4 (message M41) is illustrated. However, the present invention is not limited to this, and the sender receives a notification (message M40) that the encoded communication text transmitted by the sender has been decoded by the receiver, or the search result for the reference information D4 (message M41). It may be possible to confirm it either by receiving the response of (message M42).

In the above embodiment, the case where the application information D1, the registration information D2, the record information D3, and the reference information D4 include “longitude/latitude” and “time” is illustrated. However, without being limited to this, at least one of “longitude/latitude” and “time” may not be included in at least one of the application information, public information, registration information, and reference information. This also makes it possible to reduce the amount of data handled while maintaining the reliability of the digital certificate.

-In the said embodiment, the 1st terminal 13 and the 2nd terminal 14 each illustrated the case where it provided with the application parts 13a and 14a, the transmission parts 13b and 14b, and the reception parts 13c and 14c. However, the present invention is not limited to this, and the first terminal and the second terminal may be provided with at least one of the application unit, the transmission unit, and the reception unit according to the application.

In the above embodiment, the case where the “applicant”, “recipient”, and “sender” are employees of a corporation is illustrated. However, the present invention is not limited to this, and as long as the device is capable of automatically performing the procedure, at least one of the “applicant”, the “receiver”, and the “sender” is the device in whole or in part. May be.

In the above embodiment, the certificate issuing unit 36 determines that the degree of matching by the domain information determining unit 32 is high, the degree of matching by the corporate information determining unit 33 is high, and the position information processing unit 34. The case where the electronic certificate 50 is issued based on the determination that the degree of matching is high is illustrated. However, the present invention is not limited to this, and the certificate issuing unit may issue the electronic certificate based on at least the result of determination by the corporate information determining unit 33 that the degree of matching is high (valid). This makes it possible to reduce the amount of data to be handled while maintaining the reliability of the digital certificate.

-In the above-mentioned embodiment, the case where the specified corporate number is a corporate number prescribed by the numbering law of Japan has been illustrated. However, not limited to this, any information that can publicly identify a corporation may be used as the specified corporation number. For example, a code that identifies a corporation in a foreign country that has the same function as a corporation number in Japan can be used. For example, "EIN" (Employer Identification Number) in the United States of America, "Enterprise Number" in Belgium, "KVK Number" in the Netherlands, and "Organization Number" in Finland are examples that correspond to corporate numbers in Japan. .. In Norway, "Business ID", in Denmark "CVR Number", in Sweden "Organization Number", in Singapore "UEN", in China "Organization Code", in Thailand "Registration Number", "CIN" is mentioned in India.

N... Internet, 10... Communication system, 12... Domain management device, 13... First terminal, 13a... Application section, 13b... Sending section, 13c... Receiving section, 14... Second terminal, 14a... Application section, 14b... Transmission Part, 14c... Receiving part, 15... Corporate information management device, 20... Certificate application part, 21... Certificate acquisition part, 22... Key generation part, 23... Signature part, 24... Key disclosure application part, 30... Authentication gateway , 31... Issuing application processing unit, 32... Domain information determining unit, 33... Corporate information determining unit, 34... Location information processing unit, 35... Personal identification information processing unit, 36... Certificate issuing unit, 37... Certificate registration unit , 38... Certificate verification unit, 40... Key registration unit, 41... Key search unit, 42... History registration unit, 43... History reference unit, 45... Storage unit, 50... Electronic certificate, 51... Electronic certificate, 451 ... electronic certificate database (DB), 452... public key DB, 453... history DB.

Claims (14)

Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A book management system,
And corporate information included in the application information from the transmitted said application information of the terminal, obtains the specific corporate number assigned uniquely to the corporation, corporate information management for managing corporate information in association with a specific corporate number The legality of the corporate information included in the application information based on the degree of agreement between the corporate information obtained as a device corresponding to the specific corporate number acquired from the application information and the corporate information included in the application information. A corporate information determination unit that determines gender,
In response to the result that the corporate information judging unit judges that the corporate information contained in the application information is valid, a certificate issuing unit for issuing an electronic certificate based on the application information is provided ,
The application information includes location information indicating the current location detected by the location measuring device provided in the terminal to which the application information is transmitted, and the location information included in the application information and the specific corporation. Further comprising a position information processing unit that determines the degree of coincidence with the location of the corporation included in the corporation information corresponding to the number,
The certificate issuing unit further reflects the determination result of the position information processing unit in issuing the electronic certificate. Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A book management system,
Country possesses the specific corporate number which is managed by the corporation information management apparatus for managing a specific corporate number assigned uniquely to the corporation, and the specific corporate number that this held corresponding to the said specific corporate number based on the corporate information held as the information, and said end <br/> end to generate the application information that includes said corporate information and the specific corporate number is required to the electronic certificate,
The corporate information and the specific corporate number included in the application information are acquired from the application information transmitted by the terminal, and the acquired specific corporate number is combined with corporate information in which a country is associated with the specific corporate number. While transmitting the corporate information corresponding to the acquired specific corporate number from the corporate information management device while transmitting to the corporate information management device to manage, the received corporate information and the corporate information included in the application information A corporate information determination unit that determines the validity of the corporate information included in the application information based on the degree of matching,
In response to the result that the corporate information judging unit judges that the corporate information contained in the application information is valid, a certificate issuing unit for issuing an electronic certificate based on the application information is provided ,
The application information includes location information indicating the current location detected by the location measuring device provided in the terminal to which the application information is transmitted, and the location information included in the application information and the specific corporation. Further comprising a position information processing unit that determines the degree of coincidence with the location of the corporation included in the corporation information corresponding to the number,
The certificate issuing unit further reflects the determination result of the position information processing unit in issuing the electronic certificate. Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A book management system,
And corporate information included in the application information from the transmitted said application information of the terminal, obtains the specific corporate number assigned uniquely to the corporation, corporate information management for managing corporate information in association with a specific corporate number The legality of the corporate information included in the application information based on the degree of agreement between the corporate information obtained as a device corresponding to the specific corporate number acquired from the application information and the corporate information included in the application information. A corporate information determination unit that determines gender,
In response to the result that the corporate information judging unit judges that the corporate information contained in the application information is valid, a certificate issuing unit for issuing an electronic certificate based on the application information is provided ,
A match between the IP address obtained from the domain management device that manages the domain and its IP address based on the domain corresponding to the corporate information of the application information and the IP address obtained from the domain that transmitted the application information. Further comprising a domain information processing unit for determining the degree of
The certificate issuing unit further reflects the determination result of the domain information processing unit in issuing the electronic certificate. Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A book management system,
Country possesses the specific corporate number which is managed by the corporation information management apparatus for managing a specific corporate number assigned uniquely to the corporation, and the specific corporate number that this held corresponding to the said specific corporate number said terminal based on the corporate information held as information to generate the application information including said particular corporation number is required to the electronic certificate and the corporation information,
The corporate information and the specific corporate number included in the application information are acquired from the application information transmitted by the terminal, and the acquired specific corporate number is combined with corporate information in which a country is associated with the specific corporate number. While transmitting the corporate information corresponding to the acquired specific corporate number from the corporate information management device while transmitting to the corporate information management device to manage, the received corporate information and the corporate information included in the application information A corporate information determination unit that determines the validity of the corporate information included in the application information based on the degree of matching,
In response to the result that the corporate information judging unit judges that the corporate information contained in the application information is valid, a certificate issuing unit for issuing an electronic certificate based on the application information is provided ,
A match between the IP address obtained from the domain management device that manages the domain and its IP address based on the domain corresponding to the corporate information of the application information and the IP address obtained from the domain that transmitted the application information. Further comprising a domain information processing unit for determining the degree of
The certificate issuing unit further reflects the determination result of the domain information processing unit in issuing the electronic certificate. A certificate history storage unit that holds a history of issued digital certificates,
Electronic certificate according to any one of claims 1-4, further comprising a history search unit that searches and output in accordance with history of the electronic certificate registered in the certificate history storage unit to an external request Book management system. A public key storage unit for storing the public key and for making it publicly available;
A key registration unit for registering the public key, which is the target of the registration information, in the public key storage unit together with the issued electronic certificate based on the registration information of the public key generated based on the issued electronic certificate. electronic certificate management system according to any one of claims 1 to 5, comprising. The application information includes sender information, which is information indicating a person in charge of sending a communication message with the electronic certificate,
The electronic certificate management system according to claim 1, wherein the certificate issuing unit issues the electronic certificate including the sender information. The application information includes recipient information, which is information indicating a person who is in charge of receiving a communication message with the electronic certificate,
The electronic certificate management system according to claim 1, wherein the certificate issuing unit issues the electronic certificate including the recipient information. A digital certificate using terminal that issues a digital certificate and applies to the digital certificate management system that manages the issued digital certificate to issue a digital certificate,
In the electronic certificate management system , the authentication gateway issues an electronic certificate for verifying the reliability of the sender of the message to the terminal based on the application information transmitted by the terminal belonging to the corporation, and issued this. Manage digital certificates,
Corporate information management that acquires corporate information included in the application information and a specific corporate number uniquely assigned to the corporate from the application information transmitted by the terminal, and manages the corporate information in association with the specific corporate number. The legality of the corporate information included in the application information based on the degree of agreement between the corporate information obtained as a device corresponding to the specific corporate number acquired from the application information and the corporate information included in the application information. A corporate information determination unit that determines gender,
In response to the result that the corporate information judging unit judges that the corporate information contained in the application information is valid, a certificate issuing unit for issuing an electronic certificate based on the application information is provided ,
The electronic certificate utilizing terminal generates application information including corporation information and a specific corporation number uniquely assigned to the corporation and transmits the application information to the electronic certificate management system, and the electronic certificate management apparatus transmits the application information to the electronic certificate management system. The electronic certificate management system receives the electronic certificate issued by the certificate management system, and a public key of a pair of public key and private key generated based on the received electronic certificate together with the electronic certificate. A terminal using a digital certificate, characterized in that it has an application section for applying for publication. A digital certificate using terminal that issues a digital certificate and requests verification of the digital certificate from a digital certificate management system that manages the issued digital certificate,
In the electronic certificate management system , the authentication gateway issues an electronic certificate for verifying the reliability of the sender of the message to the terminal based on the application information transmitted by the terminal belonging to the corporation, and issued this. Manage digital certificates,
Corporate information management that acquires corporate information included in the application information and a specific corporate number uniquely assigned to the corporate from the application information transmitted by the terminal, and manages the corporate information in association with the specific corporate number. The legality of the corporate information included in the application information based on the degree of agreement between the corporate information obtained as a device corresponding to the specific corporate number acquired from the application information and the corporate information included in the application information. A corporate information determination unit that determines gender,
In response to the result that the corporate information judging unit judges that the corporate information contained in the application information is valid, a certificate issuing unit for issuing an electronic certificate based on the application information is provided,
The electronic certificate using terminal transmits an electronic certificate including a specific corporation number received from a sender to the electronic certificate management system, and verifies the validity of the transmitted electronic certificate by the electronic certificate management system. That the sender has trusted the electronic certificate sent by the sender based on the fact that the determination that the request is valid is obtained from the electronic certificate management system, and that the electronic certificate is trusted. A receiver for transmitting to the electronic certificate management system together with at least one of the domain information of the electronic certificate using terminal, the address information of the user of the electronic certificate using terminal, and the address information of the sender. A terminal using a digital certificate characterized by: Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A digital certificate management method used in a certificate management system,
The authentication gateway is a server device including a computer, and includes a corporate information determination unit, a certificate issuing unit, and a position information processing unit,
The corporation information determination unit obtains and corporate information included from the transmitted said application information of the terminal to the application information, and a specific corporate number assigned uniquely to the corporation, corporate information in association with a specific corporate number The corporate information corresponding to the acquired specific corporate number is acquired from the corporate information management device that manages, and is included in the application information based on the degree of agreement between the acquired corporate information and the corporate information included in the application information. The legality of corporate information
The certificate issuing unit issues an electronic certificate based on the application information in response to the result of the corporate information determination unit determining that the corporate information included in the application information is valid ,
The application information includes location information indicating the current location detected by the location measuring device provided in the terminal to which the application information is transmitted,
The location information processing unit determines the degree of coincidence between the location information included in the application information and the location of the corporation included in the corporation information corresponding to the specific corporation number,
The certificate issuing unit further reflects the determination result of the position information processing unit in the issuance of the electronic certificate. Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A digital certificate management method used in a certificate management system,
The authentication gateway is a server device including a computer, and includes a corporate information determination unit, a certificate issuing unit, and a position information processing unit,
The terminal, country possesses the specific corporate number which is managed by the corporation information management apparatus for managing a specific corporate number assigned uniquely to the corporation, and the specific corporate number that this held, the said particular corporation Based on the corporate information held as information corresponding to the number, to generate the application information necessary for issuing the electronic certificate and including the specific corporate number and the corporate information,
The corporation information determination unit obtains the corporation information and the specific corporation number included in the application information from the application information transmitted by the terminal, and the country corresponds to the obtained specific corporation number to the specific corporation number. While sending the attached corporate information to the corporate information management device that also manages, receives the corporate information corresponding to the acquired specific corporate number from the corporate information management device, and receives the received corporate information and the application information. Determine the validity of the corporate information contained in the application information based on the degree of agreement with the corporate information included,
The certificate issuing unit issues an electronic certificate based on the application information in response to the result of the corporate information determination unit determining that the corporate information included in the application information is valid ,
The application information includes location information indicating the current location detected by the location measuring device provided in the terminal to which the application information is transmitted,
The location information processing unit determines the degree of coincidence between the location information included in the application information and the location of the corporation included in the corporation information corresponding to the specific corporation number,
The certificate issuing unit further reflects the determination result of the position information processing unit in the issuance of the electronic certificate. Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A digital certificate management method used in a certificate management system,
The authentication gateway is a server device including a computer, and includes a corporate information determination unit, a certificate issuing unit, and a domain information processing unit,
Corporation the corporation information determination section, and corporate information included in the application information from the application information, and acquires the specific corporate number assigned uniquely to the corporation, to manage corporate information in association with a specific corporate number The corporate information corresponding to the acquired specific corporate number is acquired from the information management device, and the corporate information included in the application information is acquired based on the degree of agreement between the acquired corporate information and the corporate information included in the application information. Judge the legitimacy,
The certificate issuing unit issues an electronic certificate based on the application information in response to the result of the corporate information determination unit determining that the corporate information included in the application information is valid,
The domain information processing unit obtains the IP address obtained from the domain corresponding to the corporate information of the application information from the domain management device that manages the domain and its IP address in association with each other, and the domain that transmitted the application information. The degree of matching with the IP address
The certificate issuing unit further reflects the determination result of the domain information processing unit in issuing the electronic certificate. Electronic certificate authentication gateway, issues an electronic certificate to verify the sender of the reliability of communication text based on the transmitted application information of a terminal belonging to corporations to the terminal, and manages the issued electronic certificate A digital certificate management method used in a certificate management system,
The authentication gateway is a server device including a computer, and includes a corporate information determination unit, a certificate issuing unit, and a domain information processing unit,
The terminal, country possesses the specific corporate number which is managed by the corporation information management apparatus for managing a specific corporate number assigned uniquely to the corporation, and the specific corporate number that this held, the said particular corporation Based on the corporate information held as information corresponding to the number, to generate the application information necessary for issuing the electronic certificate and including the specific corporate number and the corporate information,
The corporation information determination unit obtains the corporation information and the specific corporation number included in the application information from the application information transmitted by the terminal, and the country corresponds to the obtained specific corporation number to the specific corporation number. While sending the attached corporate information to the corporate information management device that also manages, receives the corporate information corresponding to the acquired specific corporate number from the corporate information management device, and receives the received corporate information and the application information. Determine the validity of the corporate information contained in the application information based on the degree of agreement with the corporate information included,
The certificate issuing unit issues an electronic certificate based on the application information in response to the result of the corporate information determination unit determining that the corporate information included in the application information is valid ,
The domain information processing unit obtains an IP address obtained from a domain management apparatus that manages a domain and its IP address in association with each other based on a domain corresponding to the corporate information of the application information, and a domain that has transmitted the application information. The degree of matching with the IP address
The certificate issuing unit further reflects the determination result of the domain information processing unit in issuing the electronic certificate.

Images