US20070245146A1 - Apparatus and method for securely realizing cooperative processing - Google Patents
- Publication number: US20070245146A1
- Authority: US (United States)
- Prior art keywords: signature, server, instruction, network, key
- Legal status: Abandoned
Classifications (CPC)
- G—PHYSICS › G06—COMPUTING; CALCULATING OR COUNTING › G06F—ELECTRIC DIGITAL DATA PROCESSING › G06F15/00—Digital computers in general; Data processing equipment in general
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
  - H04L63/0823 (under H04L63/00 › H04L63/08)—Network architectures or network communication protocols for network security for authentication of entities using certificates
  - H04L63/123 (under H04L63/00 › H04L63/12)—Applying verification of the received information received data contents, e.g. message integrity
  - H04L9/3247 (under H04L9/00 › H04L9/32)—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
  - H04L9/3263 (under H04L9/00 › H04L9/32)—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
  - H04L2209/76 (under H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00)—Proxy, i.e. using intermediary entity to perform cryptographic operations
Definitions
- the present invention relates to a technology for realizing cooperative processing wherein processors present on a network cooperate, and in particular to a security technology associated with cooperative processing.
- LAN: Local Area Network
- devices such as a facsimile machine, a printer, a copier, and a multifunction device having these functions integrated, so that these devices can communicate with information processors such as personal computers or a mail server.
- Examples of conventional workflow systems include those disclosed in, for example, Japanese Patent Laid-Open Publications Nos. Hei 8-123744, 2002-99686, and 2001-282970.
- a request for a service in each of processors forming the flow is made by sequentially transmitting instruction data from one processor to another.
- where there is a risk of falsification or “spoofing”, there may arise cases wherein the level of security cannot be maintained at the level required by the processor.
- an external processor incorporated into the workflow include various processors such as, for example, a time stamp server for providing a presence authentication of data as a third party agent and an accounting server (for example, a settlement processor of a credit card company) for collecting money on behalf of a service provider.
- an electronic signature system such as PKI (Public Key Infrastructure) is used.
- PKI: Public Key Infrastructure
- Such an electronic signature system can be used for communication of instruction data between processors.
- Certificate authorities in general include certificate authorities of various levels, ranging from those with a high level of public trust, such as those provided by national governments or recognized corporations such as the Verisign Corporation, to those built especially within a company or a division of a company.
- CA: certificate authority
- the CA publicizes the public key certificate of each user (in PKI, each processor is also a user) through a web server or an LDAP (Lightweight Directory Access Protocol) server so that a party who wishes to verify an electronic signature obtains the public key certificate necessary for the verification from these servers.
- LDAP: Lightweight Directory Access Protocol
- the system is configured such that a processor outside the company can obtain the public key certificate issued by the in-house CA
- Japanese Patent Laid-Open Publication No. 2002-164884 discloses a signature proxy server used for providing electronic signature when documents are exchanged between devices within different intranets. On behalf of a device within the intranet, the signature proxy server provides an electronic signature on a document originating from a device within the intranet and verifies the electronic signature on a document from outside to a device within the intranet.
- Japanese Patent Laid-Open Publication No. 2002-164884 does not, however, consider electronically signed documents within the intranet.
- a device within the intranet does not attach an electronic signature to the data originating from the device and the signature proxy server attaches an electronic signature to the data to be transmitted from a device within the intranet to the outside without verifying the authenticity of the data.
- an information processor for transmitting, to a job processor, instruction data having a process description for instructing a job process or data to be processed in a job process to instruct execution of the job process, the information processor comprising a selection unit for selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data or data to be processed; a signing unit for signing the instruction data or the data to be processed using the signature key selected by the selection unit; and a transmitting unit for transmitting, to the job processor, the instruction data or the data to be processed signed by the signing unit.
- a job processor comprising a key storage unit having separate signature keys, one for the inside of a network to which the job processor belongs and the other for the outside of the network; a receiver unit for receiving job flow instruction data which indicates process instruction to each of the job processors and the next job processor of each of the job processors; a signature verification unit for verifying an electronic signature attached to the job flow instruction data received at the receiver unit; a processor unit for identifying, from the job flow instruction data, a process instruction the job processor should execute when the verification by the signature verification unit is successful and for executing the process according to the process instruction; an instruction data creation unit for creating output job flow instruction data to be transmitted to a next job processor based on the received job flow instruction data when the process is executed by the processor unit; a judging unit for judging whether or not the next job processor is a device within the network; a signature processor unit for electronically signing the output job flow instruction data using the signature key for the inside when the next job processor is a device within the network and using the
- an instruction data creating device for creating job flow instruction data which indicates a process instruction for each job processor and a next job processor for each job processor for a system for realizing a service by sequentially sending the job flow instruction data among the job processors and each job processor sequentially executing the process instruction for the job processor
- the device comprising a key storage unit having a signature key for inside the network to which the instruction data creating device belongs and a signature key for outside the network; a judgment unit for judging whether or not there is a job processor outside the network in the group of job processors for the service; a signature processor unit for electronically signing the job flow instruction data using the signature for the outside when the judgment unit judges that there is a device which is outside the network in the group of job processors for the service and using the signature for the inside otherwise; and a transmitter unit for transmitting the job flow instruction data electronically signed by the signature processor unit to a first job processor among the group of job processors for the service.
- a proxy device provided between an internal network and an external network, for intermediating exchange of documents between a device on the internal network and a device on the external network
- the proxy device comprising a first signature verification unit for verifying an electronic signature attached to a document transmitted from the device on the internal network to the device on the external network; and a first signature conversion unit for, when it is determined in the verification by the first verification unit that the electronic signature attached to the document is signed using a signature key for the internal network, deleting the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the external network, and transmitting the electronically signed document to the device on the external network.
- a proxy device provided between an internal network and an external network for intermediating exchange of documents between a device on the internal network and a device on the external network
- the proxy device comprising a signature verification unit for verifying an electronic signature attached to a document transmitted from a device on the external network to a device on the internal network; and a signature conversion unit for deleting, when verification by the signature verification unit is successful, the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the internal network, and transmitting the document to the device on the internal network.
- FIG. 1 is an explanatory diagram showing an example of a system configuration for realizing a cooperative service.
- FIG. 2 is an explanatory diagram showing a structure of an application server in a system of FIG. 1 .
- FIG. 3 is a diagram showing an example of description of a job flow instruction to which an electronic signature is attached.
- FIG. 4 is an explanatory diagram showing another example structure of a system for realizing a cooperative service.
- FIG. 5 is an explanatory diagram showing a structure of an instruction input device in an alternative embodiment of the present invention.
- FIG. 6 is an explanatory diagram showing a system structure of an alternative embodiment of the present invention.
- FIG. 7 is an explanatory diagram showing a structure of a signature proxy device in the alternative embodiment of the present invention shown in FIG. 6 .
- Referring to FIG. 1, an example system configuration of a service providing system to which the present invention can be applied will be described.
- the illustrated system comprises an instruction input device 10 and a plurality of application servers 20 .
- An application server 20 is a server which provides a predetermined processing service in response to a request from another device.
- Examples of such a server 20 include a document database server, a mail server, and an image processing server for applying processes such as color conversion and rotation to image data.
- the server 20 provides these processing services in the form of, for example, a web application service.
- the instruction input device 10 is a device for inputting a user's processing instruction to the system.
- a user can input, into the instruction input device 10 , an execution instruction of cooperative services as described above.
- the instruction input device 10 can be constructed by, for example, incorporating into a personal computer a user interface program for receiving input instructions from the user. It is, however, preferable that, in consideration of document processing services in offices, a digital multifunction device which includes a function to read a paper document and convert the paper document into electronic data, in addition to information processing and communication functions, be used as the instruction input device 10 .
- a digital multifunction device is a device which has functions of a scanner, printer, copier, facsimile transmission/reception, network communication, and so on.
- a user inputs an execution instruction of a desired cooperative service to the instruction input device 10 .
- the instruction input device 10 creates instruction data indicating the content of the cooperative service (this data will hereinafter be referred to as a “job flow instruction”).
- the job flow instruction 30 contains a description of the process each of the servers 20 is to execute for the cooperative service (this description is hereinafter referred to as an “individual instruction”) and information on the order of execution of the processes.
- a specific structure of such a job flow instruction may be, for example, a structure in which individual server instructions 32 - 1 , 32 - 2 , and 32 - 3 are arranged according to the order of execution of the processes of the cooperative service.
- the individual instruction 32 for each server 20 includes description of the name of the server 20 (this name is hereinafter referred to as a “service name”) or the like so that each server 20 can identify the individual instruction 32 within the job flow instruction 30 which is directed to the server 20 .
- each server 20 can identify the server 20 which will perform the next process from the description of the service name of the individual instruction 32 following the individual instruction 32 directed to the server 20 . It is also possible to alternatively or additionally include a description of the next server 20 to perform a process (that is, the server to which the job flow instruction should be next transmitted) in the individual instruction 32 . In this manner, each server 20 can identify a description of the process directed to the server 20 from the job flow instruction 30 , execute a process according to the process description, and send the job flow instruction 30 to the next server 20 after completion of the process being performed.
- URL: Universal Resource Locator
- URI: Uniform Resource Identifier
- a cooperative service process starts when the job flow instruction 30 as described above is transmitted from the instruction input device 10 to a first server 20 - 1 of the cooperative service.
- the server 20 - 1 identifies the individual instruction 32 - 1 directed to the server 20 - 1 from the job flow instruction 30 and executes a process accordingly.
- the server 20 - 1 then deletes the individual instruction 32 - 1 directed to the server 20 - 1 from the job flow instruction 30 to create a new job flow instruction 30 a and transmits the new flow instruction 30 a to the next server 20 - 2 in the job flow.
- Upon receipt of the job flow instruction 30 a , the server 20 - 2 operates in a manner similar to that of the server 20 - 1 , deletes the individual instruction 32 - 2 directed to the server 20 - 2 from the job flow instruction 30 a to create a new job flow instruction 30 b , and transmits the job flow instruction 30 b to a next server 20 - 3 .
- an electronic signature system is employed as a mechanism to allow verification, by each server 20 , of authenticity (i.e. the data is not falsified, etc.) of the job flow instructions 30 , 30 a , 30 b , . . . (hereinafter referred to collectively as “job flow instruction 30”) received by the server 20 . More specifically, when the instruction input device 10 or the server 20 is to transmit the job flow instruction 30 , an electronic signature of the instruction input device 10 or of the server 20 is attached to the job flow instruction 30 , and the server 20 receiving the job flow instruction 30 verifies the signature to judge the authenticity of the received job flow instruction 30 .
- the server 20 - 1 and the server 20 - 3 are located within the same company as the instruction input device 10 (that is, on the intranet of this company), while the server 20 - 2 is located outside the company (outside the intranet).
- the job flow instruction 30 a sent from the server 20 - 1 to the server 20 - 2 is signed using a secret key corresponding to a public key certificate issued by a certificate authority (CA) within the company to which the server 20 - 1 belongs
- public key certificates from a CA within the company (or division) to which the server 20 belongs (this CA is referred to as “in-house CA” hereinafter) and from a CA of a public organization such as a government or an entity such as Verisign Corporation (this CA is referred to as “public CA” hereinafter) are provided to each server 20 (the key pairs corresponding to the certificates need not be the same for the in-house CA and for the public CA).
- each server 20 can attach two types of electronic signatures, one for in-house use and the other for external use, and selectively employ either of the two types of electronic signatures based on whether the destination device of the job flow instruction is within or outside the company.
- the in-house CA authenticates a public key of only particular users belonging to the company or the division (here, “user” includes not only an individual, but also a group of people or a device), whereas the public CA authenticates public keys of many unspecified users.
- FIG. 2 is a functional block diagram of a server 20 in this system.
- FIG. 2 primarily shows portions of the functions of the server 20 related to the electronic signature.
- the server 20 may contain other functions.
- a network I/F (interface) unit 202 is a unit for controlling data communication between the server 20 and the local area network.
- An instruction division/integration unit 204 is a unit for dividing a job flow instruction 30 received from a previous server 20 through the network I/F 202 and for assembling a job flow instruction 30 to be transmitted to a next server 20 .
- the job flow instruction 30 is divided into a portion describing the content of the process and a portion describing the electronic signature. This process will now be described using a specific example job flow instruction as shown in FIG. 3 .
- FIG. 3 shows an example job flow instruction written based on XML Signature (Extensible Markup Language Signature; RFC 3275).
- the job flow instruction contains a process content element 310 describing the content of the process of the server 20 and a signature element 320 describing information of electronic signature corresponding to the process content element 310 .
- the process content element 310 contains individual instructions 312 and 314 directed to servers 20 .
- the individual instructions 312 and 314 respectively contain service names 3122 and 3142 indicating the destination of the instruction, process names 3124 and 3144 indicating the type of process the destination service is to execute, and parameters 3126 for the process to be executed.
- the signature element 320 contains a signature information element 322 indicating data such as the algorithm used for the electronic signature of the job flow instruction 30 and a hash value of the target element of the signature (in this case, the process content element 310 ), a signature value element 324 indicating a signature value determined from the signature target element using the algorithm, and a key information element 326 describing information for specifying a public key to be used for verification of the electronic signature.
- the key information element 326 contains information necessary for specifying the public key certificate corresponding to the secret key used for calculation of the value of the electronic signature.
- the XML-signature standards noted above can be referred to for details of each element within the signature element 320 .
- the instruction division/integration unit 204 divides a job flow instruction 30 received from the previous server 20 and having a structure as described into the process content element 310 and the signature element 320 .
- the instruction division/integration unit 204 further divides the signature element 320 into a segment containing the signature information element 322 and the signature value element 324 and a segment containing the key information element 326 .
- the process content element 310 is sent to an instruction processor unit 212 and to a signature verification unit 210
- the key information element 326 is sent to a verification key selection unit 208
- the signature information element 322 and the signature value element 324 are sent to the signature verification unit 210 .
- a key storage unit 206 stores the secret key of the server 20 which is used for electronically signing the job flow instruction 30 to be sent to the next server, etc., and public keys of other servers 20 used for verification of signatures on the received job flow instructions 30 .
- the key storage unit 206 stores, as the secret keys to be used for signing, an in-house secret key certified by the in-house CA and an external secret key certified by a public CA. These two secret keys may have the same value, but the corresponding public key certificates differ from each other in that one is for internal use and the other is for external use.
- the verification key selection unit 208 obtains, from the key storage unit 206 , a public key indicated in the information of the key information element 326 sent from the instruction division/integration unit 204 and sends the public key to the signature verification unit 210 .
- the signature verification unit 210 verifies the electronic signature attached to the job flow instruction 30 using the process content element 310 , the signature information element 322 and the signature value element 324 received from the instruction division/integration unit 204 , and a public key received from the verification key selection unit 208 .
- the signature value indicated in the signature value element 324 is decoded using the public key received from the verification key selection unit 208 (in this step, the algorithm shown in the signature information element 322 is used), and a hash value of the process content element 310 is calculated.
- if the decoded value matches the calculated hash value, the signature verification unit 210 determines that verification is successful.
- if the verification fails, there is a possibility that the process content element 310 and/or the signature element 320 has been falsified, and the server 20 therefore executes a predetermined error process.
- An instruction processor unit 212 is a unit for executing a process for the job flow instruction 30 .
- the instruction processor unit 212 identifies an individual instruction 32 directed to its own device from the job flow instruction 30 and executes the process indicated in the individual instruction 32 .
- the server 20 applies the indicated resolution conversion process to the image data received along with the job flow instruction 30 ; this image data is the processing target of the process corresponding to the instruction.
- each server 20 deletes the individual instruction 32 directed to this server 20 upon completion of the process and transmits the job flow instruction 30 to the next server 20 as shown in FIG. 1
- the individual instruction 32 at the leading end of the received job flow instruction 30 is the individual instruction directed to the server.
- if the leading individual instruction 32 is not directed to the server, the instruction processor unit 212 terminates processing of the job flow instruction 30 because there is a possibility that the process content element 310 and/or the signature element 320 has been falsified, and executes a predetermined error process.
- an instruction creation unit 214 removes the individual instruction 32 directed to the server from the job flow instruction 30 received from the previous server 20 and creates a process content element 310 of a job flow instruction directed to the next server 20 (this instruction is hereinafter referred to as “output job flow instruction”).
- the parameters of the processes in the next server 20 or in the subsequent servers 20 may be determined based on the process of the server 20 . In these cases, parameters determined as the result of the process are written to the process content element 310 of the output job flow instruction.
- a signature key selection unit 216 selects a signature key to be used for electronic signing of the process content element 310 of the output job flow instruction.
- the key storage unit 206 stores two signature keys (secret keys) of the server 20 , one for use inside the company and the other for external use, and the signature key selection unit 216 selects the secret key to be used from these two types of keys. In this selection, it is judged whether the server 20 which is the destination of the output job flow instruction is within or outside the company, and, based on this judgment, the signature key selection unit 216 selects either an in-house signature key if the destination server 20 is within the company, or an external signature key if the destination server 20 is external to the company.
- the judgment as to whether the destination server 20 is within or outside the company is based on the URL indicated in the service name of the individual instruction 314 to the destination server 20 .
- This judgment based on the URL can be accomplished by, for example, inquiring and obtaining from a predetermined name server the IP address corresponding to the URL of the service name and then judging whether the server is within or outside the company based on the obtained IP address.
- the signature key selection unit 216 reads the selected signature key from the key storage unit 206 and sends the selected signature key to a signature creation unit 218 .
- the signature creation unit 218 creates an electronic signature for the process content element 310 received from the instruction creation unit 214 using the signature key obtained from the signature key selection unit 216 .
- a hash value of the process content element 310 is calculated and a signature value is calculated by applying the signature key to the hash value.
- the signature creation unit 218 creates a signature information element 322 describing the algorithm used for calculation of the signature value, a signature value element 324 containing the signature value, and a key information element 326 indicating the public key certificate corresponding to the used signature key, and sends these elements to the instruction division/integration unit 204 .
- the instruction division/integration unit 204 adds the signature information element 322 , the signature value element 324 , and the key information element 326 created by the signature creation unit 218 to the process content element 310 created by the instruction creation unit 214 to create an output job flow instruction.
- the created output job flow instruction is transmitted to the destination server 20 via the network I/F unit 202 .
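The server-side flow above (verify the received instruction with the public key named in its key information element, strip the leading individual instruction, judge from a name server lookup whether the next service name resolves into the company's address range, and re-sign with the in-house or the external key) is modelled below in Go as an added example; it is not code from the patent. The host names, the 10.0.0.0/8 intranet range, the 203.0.113.5 partner address, the KeyID strings and the ECDSA P-256/SHA-256 choice are constructed assumptions, the XML Signature elements are flattened into struct fields, and treating an unresolvable destination as outside is this example's conservative choice rather than the page's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Individual is an individual instruction 32: destination service name (a URL) and process.
type Individual struct{ ServiceName, Process string }

// JobFlow is a job flow instruction 30 with the signature element flattened into fields.
type JobFlow struct {
	Content  []Individual // process content element 310 (leading item is for the receiver)
	SigValue []byte       // signature value element 324
	KeyID    string       // key information element 326: which certificate verifies SigValue
}

// canonical serialises the content so signer and verifier hash identical bytes
// (a stand-in for XML canonicalisation; %v is deterministic for these structs).
func canonical(content []Individual) []byte { return []byte(fmt.Sprintf("%v", content)) }

// Sign attaches the signature element: SHA-256 over the content, signed with ECDSA P-256.
func Sign(key *ecdsa.PrivateKey, keyID string, content []Individual) (JobFlow, error) {
	h := sha256.Sum256(canonical(content))
	v, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return JobFlow{Content: content, SigValue: v, KeyID: keyID}, err
}

// Server models the signature-related units of an application server 20.
type Server struct {
	URL                     string                      // own service name
	InHouseKey, ExternalKey *ecdsa.PrivateKey           // key storage 206: in-house CA / public CA keys
	Verifiers               map[string]*ecdsa.PublicKey // other devices' public keys by KeyID
	Internal                *net.IPNet                  // address range treated as inside the company
	Names                   map[string]net.IP           // name server answers for the inside/outside judgment
}

// Verify is signature verification unit 210: select the public key named by KeyID,
// recompute the content hash and check the signature value against it.
func (s *Server) Verify(jf JobFlow) error {
	h := sha256.Sum256(canonical(jf.Content))
	if pub, ok := s.Verifiers[jf.KeyID]; !ok || !ecdsa.VerifyASN1(pub, h[:], jf.SigValue) {
		return errors.New("verification failed for " + jf.KeyID + ": content or signature may be falsified")
	}
	return nil
}

// Process is the receiving side: verify, check the leading instruction is ours, strip it,
// judge whether the next hop is inside the company, select that key and re-sign (KeyID returned).
func (s *Server) Process(jf JobFlow) (JobFlow, string, error) {
	if err := s.Verify(jf); err != nil {
		return JobFlow{}, "", err
	}
	if len(jf.Content) == 0 || jf.Content[0].ServiceName != s.URL {
		return JobFlow{}, "", errors.New("leading instruction is not directed to this server")
	}
	rest := jf.Content[1:] // the process named in jf.Content[0] would be executed here
	if len(rest) == 0 {
		return JobFlow{}, "", nil // flow ends at this server, nothing to forward
	}
	key, keyID := s.ExternalKey, s.URL+"#external" // unresolvable or unknown hosts count as outside
	if u, err := url.Parse(rest[0].ServiceName); err == nil {
		if ip, ok := s.Names[u.Hostname()]; ok && s.Internal.Contains(ip) {
			key, keyID = s.InHouseKey, s.URL+"#inhouse"
		}
	}
	out, err := Sign(key, keyID, rest)
	return out, keyID, err
}

// Scenario reproduces the page's case with constructed names and addresses: server 20-1 (inside
// 10.0.0.0/8) forwards to an outside 20-2 (external key) or to the in-house 20-3 (in-house key).
func Scenario() (toOutside, toInside string, tamperErr error, err error) {
	_, intranet, _ := net.ParseCIDR("10.0.0.0/8")
	in, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ex, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // instruction input device 10
	s1 := &Server{URL: "https://s1.corp.example/image", InHouseKey: in, ExternalKey: ex, Internal: intranet,
		Names:     map[string]net.IP{"s2.partner.example": net.ParseIP("203.0.113.5"), "s3.corp.example": net.ParseIP("10.0.0.3")},
		Verifiers: map[string]*ecdsa.PublicKey{"device#inhouse": &dev.PublicKey}}
	jf, err := Sign(dev, "device#inhouse", []Individual{{s1.URL, "resolution-conversion"}, {"https://s2.partner.example/timestamp", "timestamp"}})
	_, toOutside, err = s1.Process(jf) // a signing failure above would surface here as a verification error
	jf2, _ := Sign(dev, "device#inhouse", []Individual{{s1.URL, "resolution-conversion"}, {"https://s3.corp.example/store", "store"}})
	_, toInside, _ = s1.Process(jf2)
	jf.Content[0].Process = "rotate" // falsify the content element but keep the original signature
	_, _, tamperErr = s1.Process(jf)
	return toOutside, toInside, tamperErr, err
}

func main() {
	toOutside, toInside, tamperErr, err := Scenario()
	fmt.Println(toOutside, toInside, tamperErr, err)
}
```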
- a server 20 which executes a partial process within the cooperative service judges whether the server 20 to execute the next process is within or outside the company and attaches an electronic signature which can be verified using a public key certificate issued by a public CA when the next server 20 is outside.
- the outside server 20 can verify the signature by obtaining a public key certificate of the in-house server 20 from a public CA.
- in-house information such as, for example, organizational structure information contained in the public key certificate from the in-house CA.
- the server 20 attaches an electronic signature that can be verified using a public key certificate from the in-house CA to the job flow instruction. Because of this, the next server 20 , which is within the company, can easily verify the signature without the necessity to obtain a public key certificate from a public CA on the Internet.
- the signature key is selected based on whether the next server is an internal or external server.
- This configuration is only one example, and the selection of the signature keys may, in another example, be realized based on whether or not the next server belongs to a particular division within the same company.
- an electronic signature to be applied to a job flow instruction 30 has been described. It is also possible, using a similar mechanism, to apply an electronic signature corresponding to the destination for data to be transmitted along with the job flow instruction (for example, target data for a process in the next device).
- the above-described electronic signature system can also be applied to a system having a structure as shown in FIG. 4 .
- a system shown in FIG. 4 includes a job flow controller 25 in addition to the instruction input device 10 and the servers 20 .
- the job flow controller 25 is a device that controls execution of processes in the servers 20 in this system. More specifically, the job flow controller 25 receives a job flow instruction 30 created by the instruction input device 10 , extracts individual instructions 32 for servers 20 from the job flow instruction 30 , and transmits the individual instructions 32 to the corresponding server 20 according to the order of the processes.
- Each of the servers 20 receives the individual instruction 32 , executes the process according to the received individual instruction 32 , and returns the data of the processing result to the job flow controller 25 when the process is completed.
- the job flow controller 25 receives this data and transmits the individual instruction 32 to the next server 20 . These steps are repeated so that one service flow can be realized by the cooperation of a plurality of servers 20 .
- the job flow controller 25 is connected to an internal network within the same company as the instruction input device 10 .
- the job flow controller 25 has a signature key certified by an in-house public key certificate and a signature key certified by an outside public key certificate.
- the job flow controller 25 verifies the electronic signature attached to a job flow instruction 30 received from the instruction input device 10 .
- the job flow controller 25 judges that the signature is a valid signature by the instruction input device 10
- the job flow controller 25 extracts, from the process content element 310 of the job flow instruction 30 , individual instructions 32 ( 312 , 314 , etc.) directed to the servers 20 and transmits the individual instruction in order.
- the job flow controller 25 judges whether the destination server 20 of the individual instruction 32 is a device directly connected to the internal network or one located outside the company, and attaches an electronic signature to the individual instruction 32 using a signature key corresponding to the in-house certificate if the destination server 20 is on the intranet, or using a signature key corresponding to an outside certificate if the destination server 20 is outside. With this configuration, it is possible to smoothly verify the signature regardless of whether the server 20 receiving the individual instruction 32 is part of, or external to, the company intranet.
- the electronic signature of the in-house instruction input device 10 contained in the job flow instruction 30 from the instruction input device 10 is not transmitted to an outside server 20 .
- individual server 20 judges whether the server 20 to which the job flow instruction 30 is next to be transmitted is internal or external to the company, and attaches an electronic signature using a signature key corresponding to the judgment.
- This configuration is only an example of the present invention, and an alternative example such as, for example, the configuration which will be described below may be employed.
- each server 20 creates a job flow instruction 30 to be sent to the next server 20 and attaches an electronic signature of its own device.
- a job flow instruction created and electronically signed by the instruction input device 10 is transmitted from a server 20 to the next server 20 .
- the instruction input device 10 in this embodiment judges whether each of the servers 20 to be used for the cooperative service requested by the user is a device internal or external to the company.
- the instruction input device 10 attaches a signature to the job flow instruction using an outside signature key. Conversely, when all servers 20 used for the cooperative service are within the company, the instruction input device 10 electronically signs using an in-house signature key.
- FIG. 5 is a functional block diagram showing a structure of an instruction input device 10 according to this embodiment.
- an operation display unit 102 is a unit which displays a user interface through which a user inputs an instruction; the operation display unit 102 receives the input instruction.
- An execution instruction of a cooperative service from the user is input from the operation display unit 102 .
- the operation display unit 102 displays a list of names of selectable cooperative services, allows the user to select a desired service, and, when appropriate, permits the user to input processing parameters.
- An example of a processing parameter could be, for example, a mail destination address for a server providing an electronic mail transmission service.
- a service DB (database) 104 contains templates of job flow instructions 30 corresponding to the cooperative services, the templates being correlated to the name of the cooperative services.
- This template is a template of a portion, in the signed job flow instruction of FIG. 3 , corresponding to the process content element 310 .
- the process content element 310 contains information for specifying the server 20 to be used such as, for example, the service name 3122 and 3142 .
- An instruction creation unit 106 receives the user's selection of the cooperative service and the corresponding parameters from the operation display unit 102 , obtains a template of the job flow instruction corresponding to the selected cooperative service from the service DB 104 , and completes a process content element 310 of the job flow instruction by substituting the received parameters into the template.
- the created process content element 310 is provided to an instruction integration unit 114 and a signature creation unit 112 .
- the instruction creation unit 106 sends information on the service names 3122 and 3142 of the servers 20 contained in the process content element 310 to a signature key selection unit 110 .
- a key storage unit 108 stores two types of keys for electronic signature to the job flow instruction 30 , one corresponding to a public key certificate issued by an in-house CA and the other corresponding to a public key certificate issued by a public CA.
- the signature key selection unit 110 judges whether any of the servers 20 are outside the company. When the signature key selection unit 110 judges that there is at least one outside server 20 , the signature key selection unit 110 selects an outside signature key, and when the signature key selection unit 110 judges that there is no outside server 20 , the signature key selection unit 110 selects an in-house signature key. The signature key selection unit 110 retrieves the selected signature key from the key storage unit 108 and sends the key to the signature creation unit 112 .
- the signature creation unit 112 creates a signature information element 322 , a signature value element 324 , and a key information element 326 in a manner similar to the above using the process content element 310 received from the instruction creation unit 106 and the signature key received from the signature key selection unit 110 , and sends the created elements to the instruction integration unit 114 .
- the instruction integration unit 114 creates an output job flow instruction by adding the signature information element 322 , signature value element 324 , and key information element 326 created by the signature creation unit 112 to the process content element 310 created by the instruction creation unit 106 .
- the created output job flow instruction is transmitted to a first server 20 in the cooperative service via a network I/F unit 102 .
- each of the servers 20 verifies the electronic signature of the instruction input device 10 in the received job flow instruction 30 , and, when the verification is successful, the server 20 identifies an individual instruction 32 directed to itself from the instruction 30 , executes the process indicated in the individual instruction 32 , and transmits the received job flow instruction 30 to the next server 20 without any change.
- a signature proxy device 40 is provided on a LAN 50 (or intranet) within the company, to which the instruction input device 10 and the servers 20 are connected.
- the signature proxy device 40 is certified with public key certificates from an in-house CA and from a public CA.
- an application server 60 is present outside the company (outside the intranet).
- the instruction input device 10 and the servers 20 on the in-house LAN 50 need only have a secret key corresponding to a public key certificate issued by the in-house CA.
- the instruction input device 10 and the server 20 electronically sign the job flow instruction 30 to be sent to the next server 20 using the in-house secret key.
- the process in the server 20 is similar to those of the server 20 in the embodiment shown in FIG. 2 except that there is no selection of the key to be used for signing (that is, the in-house signature key is always used).
- an IP address and name of the signature proxy device 40 are set as a proxy server to be used when the instruction input device 10 or the server 20 is to transmit the job flow instruction 30 to outside the intranet.
- the instruction input device 10 and the servers 20 judge whether the destination server is within or outside the company, and, when the destination server is within the company, the instruction input device 10 or the server 20 directly transmits the signed instruction 30 to the destination server, and, when the destination server is outside the company, the instruction input device 10 or the server 20 transmits the signed instruction 30 to the signature proxy device 40 .
- the server 20 - 2 judges that the next server 60 is an outside device and sends the signed job flow instruction 30 to the signature proxy server 40 .
- the signature proxy device 40 receiving this job flow instruction 30 verifies the signature of the job flow instruction 30 , and, when the verification is successful, the signature proxy device 40 deletes the signature element 320 of the electronic signature of the server 20 - 2 (which uses the in-house signature key) from the job flow instruction 30 , creates a job flow instruction 35 by attaching an electronic signature to the process content element 310 appearing as a result of the deletion of the signature element 320 using a secret key corresponding to an outside public key certificate of the signature proxy device 40 , and transmits the job flow instruction 35 to the outside destination server 60 .
- An in-house server 20 does not directly receive a job flow instruction from an outside server 60 .
- a job flow instruction 37 directed to an in-house server 20 - 3 from an outside server 60 is first received by the signature proxy device 40 .
- the signature proxy server 40 verifies the electronic signature attached to the job flow instruction 37 , and, when the verification is successful, the signature proxy device 40 deletes the signature element 320 of the electronic signature of the outside server 60 from the job flow instruction 37 , creates an in-house job flow instruction 30 by attaching an electronic signature to the process content element 310 appearing as a result of the deletion of the signature element using a secret key corresponding to an in-house public key certificate of the signature proxy device 40 , and transmits the in-house job flow instruction 30 to the destination server 20 - 3 .
- the signature proxy device 40 replaces electronic signatures attached to instructions communicated from inside to outside the company, and instructions communicated to the inside of the company from outside.
- the instruction input device 10 and servers 20 within the company are only required to be certified with a public key certificate from the in-house CA and to electronically sign the instruction using the in-house signature key regardless of whether the destination is internal or external to the company.
- the signature proxy server 40 replaces the signature with a signature for outside use. In this manner, it is possible to detect any falsification or the like of the job flow instruction 30 between the in-house servers 20 and, at the same time, detect any falsification or the like of the job flow instructions between the inside and outside of the company.
- because the outside server 60 can verify the signature on the instruction 35 by merely obtaining an outside public key certificate of the signature proxy device 40 from the public CA, verification of the signature is a simple task.
- the signature of the signed instruction 37 from the outside server 60 is verified by the signature proxy device 40 , and, when the verification is successful, the electronic signature on the job flow instruction 37 is replaced with an in-house electronic signature of the signature proxy device 40 and the job flow instruction 37 is sent to the destination in-house server 20 - 3 . Therefore, according to this configuration, the servers 20 within the company are only required to have the capability to verify a signature using a public key certificate issued by the in-house CA, and there is no need for the in-house server 20 to be compatible with the public key certificate of an outside CA.
- an instruction division/integration unit 404 upon reception of a job flow instruction 30 via a network I/F unit 402 , provides a process content element 310 extracted from the job flow instruction 30 to a signature verification unit 410 and a signature conversion controller unit 412 , a signature information element 322 and a signature value element 324 (refer to FIG. 3 ) extracted from the job flow instruction 30 to a signature verification unit 410 , and a key information element 326 extracted from the job flow instruction 30 to a verification key selection unit 408 .
- the verification key selection unit 408 retrieves a public key indicated in the key information element 326 from a key storage unit 406 and sends the selected public key to the signature verification unit 410 .
- the signature verification unit 410 executes a signature verification process similar to that in the embodiment shown in FIG. 2 using the public key. The result of this verification (success or failure) is sent to the signature conversion controller unit 412 .
- the signature conversion controller unit 412 instructs the signature key selection unit 416 to replace the signature on the job flow instruction 30 with an outside signature when the job flow instruction 30 is from a server 20 within the company.
- the signature conversion controller unit 412 instructs the signature key selection unit 416 to replace the signature on the job flow instruction 30 with an in-house signature.
- the judgment on whether the job flow instruction 30 is from a server 20 within the company or from an outside server 60 can be done by checking whether the public key used for the signature verification in the signature verification unit 410 is certified by an in-house CA or by an outside CA. Alternatively, the judgment can be made by the signature conversion controller unit 412 receiving information on the originating URL and IP address of the job flow instruction 30 from the network I/F unit 402 and deciding accordingly.
- the signature proxy device 40 reviews not only the origin, but also the destination. Specifically, the signature conversion controller unit 412 judges that the signature should be replaced for instructions from the inside to the outside of the company and for instructions from the outside to the inside of the company and that the signature should not be replaced for instructions between devices within the company.
- the destination of the job flow instruction 30 can be determined from the URL indicated in the service name 3122 of the individual instruction at the leading end of the process content element 310 of the job flow instruction 30 or from the destination IP address received from the network I/F unit 402 .
- the signature key selection unit 416 selects a signature key (in-house or external) of the proxy device 40 corresponding to the instruction from the signature key conversion controller unit 412 from the key storage unit 406 and sends the selected key to a signature creation unit 418 .
- the signature creation unit 418 calculates a value for an electronic signature corresponding to the process content element 310 using the sent signature key and sends a signature information element 322 , a signature value element 324 , and a key information element 326 indicating the electronic signature to the instruction division/integration unit 404 .
- the instruction division/integration unit 404 re-constructs a job flow instruction by combining the received elements 322 , 324 , and 326 into the received process content element 310 and transmits the created job flow instruction to the destination server via the network I/F unit 402 .
- when the signature conversion controller unit 412 judges that there is no need for replacement of a signature (for example, when the instruction is from one in-house device to another), this judgment is sent to the instruction division/integration unit 404 .
- the instruction division/integration unit 404 receiving this information transmits the job flow instruction 30 received from the network I/F unit 402 to the destination server without any change.
- the in-house server 20 uses only a signature key corresponding to a public key certificate certified by the in-house CA. There are, however, situations wherein the in-house server 20 is also certified by a public key certificate from an outside CA. In such a case, the signature proxy device 40 verifies the signature of a job flow instruction from the in-house server 20 to an outside server 60 and judges whether the signature attached to the instruction corresponds to the in-house or outside certificate. When the signature proxy device 40 judges that the signature corresponds to an in-house CA, the signature proxy device 40 replaces the signature, and when the signature proxy device 40 judges that the signature corresponds to an outside CA, the signature proxy device 40 skips the replacement step.
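The server's key selection rule and the proxy's verify-then-replace step together, as an added Go example that is neither the patent's nor any product's code. It reduces a public key certificate to a struct holding the issuing CA and the public key, uses a map as the CA's directory server, uses Ed25519 as the signature algorithm (the patent names none), and takes the inside/outside judgment of origin and destination as inputs; the names (Device, Directory, ProxyConvert) and the "<name>/<ca>" key ID format are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// CA names the certificate authority that certified a key.
type CA string
const (
	InHouseCA CA = "in-house CA"
	PublicCA  CA = "public CA"
)

// Cert is a constructed stand-in for a public key certificate (no X.509 encoding).
type Cert struct {
	Issuer CA
	Pub    ed25519.PublicKey
}

// Directory stands in for the CA's web/LDAP server, keyed by the ID in key information element 326.
type Directory map[string]Cert

// Instruction is a signed job flow instruction: process content element 310 plus signature element 320.
type Instruction struct {
	Content string // process content element 310 (the signed bytes)
	Sig     []byte // signature value element 324
	KeyID   string // key information element 326
}

// Device is an instruction input device, server or signature proxy with one secret key per CA.
type Device struct {
	Name string
	Keys map[CA]ed25519.PrivateKey
}

// NewDevice generates one key per listed CA and publishes its certificate in dir under "<name>/<ca>".
func NewDevice(name string, dir Directory, cas ...CA) *Device {
	d := &Device{Name: name, Keys: map[CA]ed25519.PrivateKey{}}
	for _, ca := range cas {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		d.Keys[ca] = priv
		dir[fmt.Sprintf("%s/%s", name, ca)] = Cert{Issuer: ca, Pub: pub}
	}
	return d
}

// SelectCA is the key selection rule: in-house key for an in-house next device, outside key otherwise.
func SelectCA(nextInside bool) CA {
	if nextInside {
		return InHouseCA
	}
	return PublicCA
}

// Sign signs the process content with the device's key certified by ca.
func (d *Device) Sign(ca CA, content string) (Instruction, error) {
	priv, ok := d.Keys[ca]
	if !ok {
		return Instruction{}, fmt.Errorf("%s has no key certified by %s", d.Name, ca)
	}
	id := fmt.Sprintf("%s/%s", d.Name, ca)
	return Instruction{Content: content, Sig: ed25519.Sign(priv, []byte(content)), KeyID: id}, nil
}

// Verify checks the signature against the certificate named by KeyID and reports the certifying CA.
func Verify(dir Directory, ins Instruction) (CA, error) {
	cert, ok := dir[ins.KeyID]
	if !ok {
		return "", errors.New("unknown key: " + ins.KeyID)
	}
	if !ed25519.Verify(cert.Pub, []byte(ins.Content), ins.Sig) {
		return "", errors.New("signature verification failed")
	}
	return cert.Issuer, nil
}

// ProxyConvert is the signature proxy's step: verify first, then replace only a signature
// that crosses the company boundary. fromInside/toInside come from the network I/F unit.
func (proxy *Device) ProxyConvert(dir Directory, ins Instruction, fromInside, toInside bool) (Instruction, error) {
	issuer, err := Verify(dir, ins)
	if err != nil {
		return Instruction{}, fmt.Errorf("proxy refuses to re-sign: %w", err)
	}
	if !fromInside && !toInside {
		return Instruction{}, errors.New("outside-to-outside traffic is not proxied")
	}
	// Unchanged: in-house to in-house, or outbound but already signed under an outside certificate.
	if fromInside && (toInside || issuer == PublicCA) {
		return ins, nil
	}
	// Otherwise drop the verified signature and re-sign with the proxy's key for the receiving side.
	return proxy.Sign(SelectCA(toInside), ins.Content)
}
```

The proxy re-signs only after its own verification succeeds, so a tampered instruction is refused rather than given a fresh signature.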
- each server 20 within the company judges whether the destination of the job flow instruction 30 is inside or outside of the company and sends the job flow instruction 30 to the signature proxy device 40 when the destination is outside.
- a signature proxy server 40 is provided as a gateway on the boundary between the in-house LAN 50 and the Internet and monitors the job flow instruction 30 which is to be sent from the in-house LAN 50 to the Internet.
- the signature proxy device 40 verifies the electronic signature of a job flow instruction 30 which is found through the monitoring, and, when it is determined that the signature was created using a secret key corresponding to an in-house public key certificate, the signature proxy device 40 applies the signature replacement process as described above and transmits the job flow instruction 30 to the destination server on the Internet.
- the signature proxy device 40 also monitors the job flow instructions which are to be sent into the in-house LAN 50 from the Internet, and, when a job flow instruction is signed using a secret key corresponding to an outside public key certificate, performs the signature replacement process as described above. With this configuration, advantages similar to the embodiment shown in FIGS. 6 and 7 can be obtained.
- the signature proxy device 40 may also be one of the application servers 20 , in which case a description of the process content of the signature proxy device 40 is included in the job flow instruction 30 and the signature proxy device 40 performs the signature replacement process as described above according to that description.
- the judgment as to whether the destination device to which the job flow instruction is to be transmitted next is internal or external to the company is made based on the URL of the destination device described in the job flow instruction.
- the IP address, FQDN, and the electronic mail address of the destination device may be explicitly described in the job flow instruction or may be described in a packet header when the instruction is transmitted in the form of packets.
- the server 20 and the job flow controller 25 can obtain destination information suitable in each case and can judge whether the destination is inside or outside the company from the obtained information.
Abstract
A device for facilitating verification of an electronic signature in an exchange of instructions between an in-house server and an outside server. Each server which is to execute a partial process of a cooperative service has, in a key storage unit (206), secret keys corresponding to public key certificates issued by an in-house CA and by an outside public CA. A signature key selection unit 216 judges whether a server which is to execute a process next is a device within or outside the company and selects an in-house secret key when the next server is an in-house device and an outside secret key when the next server is an outside device. A signature creation unit (218) calculates a value of an electronic signature for a job flow instruction to the next server using the selected secret key. An instruction division/integration unit (204) transmits to the next server the job flow instruction with the electronic signature value attached.
Description
- This is a Continuation of application Ser. No. 10/653,191 filed on Sep. 3, 2003. The disclosure of the prior application is hereby incorporated by reference herein in its entirety.
- 1. Field of the Invention
- The present invention relates to a technology for realizing cooperative processing wherein processors present on a network cooperate, and in particular to a security technology associated with cooperative processing.
- 2. Description of the Related Art
- Workflow systems are currently being proposed in which various services can be provided for office functions by connecting to a LAN (Local Area Network) devices such as a scanner, a facsimile machine, a printer, a copier, and a multifunction device having these functions integrated, so that these devices can communicate with information processors such as personal computers or a mail server.
- In recent years, technologies allowing various web applications to cooperate with one another have been proposed. It is highly expected that, if an overall system can be constructed and provided by connecting various application services and service providers accessible through the Internet, the cost of developing a system can be significantly reduced because existing services can be utilized. In connection with this, languages such as XML (Extensible Markup Language) are also attracting attention as a common platform enabling such cooperative services.
- Examples of conventional workflow systems include those disclosed in, for example, Japanese Patent Laid-Open Publications Nos. Hei 8-123744, 2002-99686, and 2001-282970.
- In a workflow system, a request for a service in each of processors forming the flow is made by sequentially transmitting instruction data from one processor to another. Where there is a risk of falsification or “spoofing”, there may arise cases wherein the level of security cannot be maintained at a level required by the processor.
- This problem becomes particularly significant when a processor located outside of an internal network (such as an intranet) is to be incorporated into the workflow. Examples of an external processor incorporated into the workflow include various processors such as, for example, a time stamp server for providing a presence authentication of data as a third party agent and an accounting server (for example, a settlement processor of a credit card company) for collecting money on behalf of a service provider.
- In order to prevent such falsification of data or spoofing, an electronic signature system such as PKI (Public Key Infrastructure) is used. Such an electronic signature system can be used for communication of instruction data between processors.
- However, in the case when data is transmitted between a processor located inside an internal network and another processor located outside that network, verification of the electronic signature becomes difficult. This is due to the following reasons.
- Certificate authorities (“CA”) in general include certificate authorities of various levels, and range from those with a high level of public trust, such as those provided by national governments or recognized corporations such as the Verisign Corporation, to those built specifically within a company or a division of a company. When a workflow combining processors within the intranet of a company and processors present on the Internet is to be performed, it is likely that the CAs issuing public key certificates to the processors differ from each other. In order to address this issue, the CA publicizes the public key certificate of each user (in PKI, each processor is also a user) through a web server or an LDAP (Lightweight Directory Access Protocol) server so that a party who wishes to verify an electronic signature obtains the public key certificate necessary for the verification from these servers. When instruction data electronically signed by a processor within a company (within an intranet) using a secret key of the public key certificate of an in-house CA is transmitted to a processor outside the company (outside the intranet), the external processor may sometimes be blocked by a firewall and be unable to obtain the public key certificate from the in-house CA.
- If, on the other hand, the system is configured such that a processor outside the company can obtain the public key certificate issued by the in-house CA, a problem remains that the public key certificate issued by the in-house CA commonly includes information such as the name of the owner of the certificate and their job location. If this information is transmitted outside the company, the organization within the company may be made known.
- In connection with these problems, Japanese Patent Laid-Open Publication No. 2002-164884 discloses a signature proxy server used for providing electronic signature when documents are exchanged between devices within different intranets. On behalf of a device within the intranet, the signature proxy server provides an electronic signature on a document originating from a device within the intranet and verifies the electronic signature on a document from outside to a device within the intranet.
- Japanese Patent Laid-Open Publication No. 2002-164884 does not, however, consider electronically signed documents within the intranet. In other words, in the configuration disclosed in this reference, a device within the intranet does not attach an electronic signature to the data originating from the device and the signature proxy server attaches an electronic signature to the data to be transmitted from a device within the intranet to the outside without verifying the authenticity of the data.
- According to one aspect of the present invention, there is provided an information processor for transmitting, to a job processor, instruction data having a process description for instructing a job process or data to be processed in a job process to instruct execution of the job process, the information processor comprising a selection unit for selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data or data to be processed; a signing unit for signing the instruction data or the data to be processed using the signature key selected by the selection unit; and a transmitting unit for transmitting, to the job processor, the instruction data or the data to be processed signed by the signing unit.
- According to another aspect of the present invention, there is provided a job processor comprising a key storage unit having separate signature keys, one for the inside of a network to which the job processor belongs and the other for the outside of the network; a receiver unit for receiving job flow instruction data which indicates process instruction to each of the job processors and the next job processor of each of the job processors; a signature verification unit for verifying an electronic signature attached to the job flow instruction data received at the receiver unit; a processor unit for identifying, from the job flow instruction data, a process instruction the job processor should execute when the verification by the signature verification unit is successful and for executing the process according to the process instruction; an instruction data creation unit for creating output job flow instruction data to be transmitted to a next job processor based on the received job flow instruction data when the process is executed by the processor unit; a judging unit for judging whether or not the next job processor is a device within the network; a signature processor unit for electronically signing the output job flow instruction data using the signature key for the inside when the next job processor is a device within the network and using the signature key for the outside otherwise; and a transmitter unit for transmitting the output job flow instruction data electronically signed by the signature processor unit to the next job processor.
- According to another aspect of the present invention, there is provided an instruction data creating device for creating job flow instruction data which indicates a process instruction for each job processor and a next job processor for each job processor for a system for realizing a service by sequentially sending the job flow instruction data among the job processors and each job processor sequentially executing the process instruction for the job processor, the device comprising a key storage unit having a signature key for inside the network to which the instruction data creating device belongs and a signature key for outside the network; a judgment unit for judging whether or not there is a job processor outside the network in the group of job processors for the service; a signature processor unit for electronically signing the job flow instruction data using the signature for the outside when the judgment unit judges that there is a device which is outside the network in the group of job processors for the service and using the signature for the inside otherwise; and a transmitter unit for transmitting the job flow instruction data electronically signed by the signature processor unit to a first job processor among the group of job processors for the service.
- According to still another aspect of the present invention, there is provided a proxy device provided between an internal network and an external network, for intermediating exchange of documents between a device on the internal network and a device on the external network, the proxy device comprising a first signature verification unit for verifying an electronic signature attached to a document transmitted from the device on the internal network to the device on the external network; and a first signature conversion unit for, when it is determined in the verification by the first verification unit that the electronic signature attached to the document is signed using a signature key for the internal network, deleting the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the external network, and transmitting the electronically signed document to the device on the external network.
- According to still another aspect of the present invention, there is provided a proxy device provided between an internal network and an external network for intermediating exchange of documents between a device on the internal network and a device on the external network, the proxy device comprising a signature verification unit for verifying an electronic signature attached to a document transmitted from a device on the external network to a device on the internal network; and a signature conversion unit for deleting, when verification by the signature verification unit is successful, the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the internal network, and transmitting the document to the device on the internal network.
- FIG. 1 is an explanatory diagram showing an example of a system configuration for realizing a cooperative service.
- FIG. 2 is an explanatory diagram showing a structure of an application server in the system of FIG. 1.
- FIG. 3 is a diagram showing an example of a description of a job flow instruction to which an electronic signature is attached.
- FIG. 4 is an explanatory diagram showing another example structure of a system for realizing a cooperative service.
- FIG. 5 is an explanatory diagram showing a structure of an instruction input device in an alternative embodiment of the present invention.
- FIG. 6 is an explanatory diagram showing a system structure of an alternative embodiment of the present invention.
- FIG. 7 is an explanatory diagram showing a structure of a signature proxy device in the alternative embodiment of the present invention shown in FIG. 6.
- Preferred embodiments of the present invention will now be described referring to the drawings.
- Referring to FIG. 1, an example system configuration of a service providing system to which the present invention can be applied will be described.
- The illustrated system comprises an instruction input device 10 and a plurality of application servers 20.
- An application server 20 is a server which provides a predetermined processing service in response to a request from another device. Examples of such a server 20 include a document database server, a mail server, and an image processing server for applying processes such as color conversion and rotation to image data. The server 20 provides these processing services in the form of, for example, a web application service.
- The instruction input device 10 is a device for inputting a user's processing instruction to the system. A user can input, into the instruction input device 10, an execution instruction for cooperative services as described above. The instruction input device 10 can be constructed by, for example, incorporating into a personal computer a user interface program for receiving input instructions from the user. It is, however, preferable that, in consideration of document processing services in offices, a digital multifunction device which includes a function to read a paper document and convert it into electronic data, in addition to information processing and communication functions, be used as the instruction input device 10. A digital multifunction device is a device which has the functions of a scanner, printer, copier, facsimile transmission/reception, network communication, and so on.
- In this system, a user inputs an execution instruction for a desired cooperative service to the instruction input device 10. In response to the input instruction, the instruction input device 10 creates instruction data indicating the content of the cooperative service (this data will hereinafter be referred to as a "job flow instruction").
- The job flow instruction 30 contains a description of the process each of the servers 20 is to execute for the cooperative service (this description is hereinafter referred to as an "individual instruction") and information on the order of execution of the processes. A specific structure of such a job flow instruction may be, for example, a structure in which individual server instructions 32-1, 32-2, and 32-3 are arranged according to the order of execution of the processes of the cooperative service. The individual instruction 32 for each server 20 includes a description of the name of the server 20 (this name is hereinafter referred to as a "service name") or the like, so that each server 20 can identify, within the job flow instruction 30, the individual instruction 32 which is directed to that server 20. The service name is written in the form of, for example, a URL (Universal Resource Locator) or a URI (Uniform Resource Identifier). In this configuration, because the individual instructions 32 are arranged in the order of the processes, each server 20 can identify the server 20 which will perform the next process from the service name of the individual instruction 32 following the individual instruction 32 directed to the server 20. It is also possible to alternatively or additionally include, in the individual instruction 32, a description of the next server 20 to perform a process (that is, the server to which the job flow instruction should be transmitted next). In this manner, each server 20 can identify the description of the process directed to it in the job flow instruction 30, execute a process according to that description, and send the job flow instruction 30 to the next server 20 after completing its own process.
- In the example configuration of FIG. 1, a cooperative service process starts when the job flow instruction 30 as described above is transmitted from the instruction input device 10 to a first server 20-1 of the cooperative service. Upon receipt of the job flow instruction 30, the server 20-1 identifies the individual instruction 32-1 directed to the server 20-1 in the job flow instruction 30 and executes a process accordingly. The server 20-1 then deletes the individual instruction 32-1 directed to the server 20-1 from the job flow instruction 30 to create a new job flow instruction 30a, and transmits the new job flow instruction 30a to the next server 20-2 in the job flow. Upon receipt of the job flow instruction 30a, the server 20-2 operates in a manner similar to that of the server 20-1, deletes the individual instruction 32-2 directed to the server 20-2 from the job flow instruction 30a to create a new job flow instruction 30b, and transmits the job flow instruction 30b to the next server 20-3.
- In such a system, an electronic signature system is employed as a mechanism to allow verification, by each server 20, of the authenticity (i.e. that the data is not falsified, etc.) of the job flow instructions 30, 30a, 30b, . . . (hereinafter referred to collectively as the "job flow instruction 30") received by the server 20. More specifically, when the instruction input device 10 or a server 20 is to transmit the job flow instruction 30, an electronic signature of the instruction input device 10 or of the server 20 is attached to the job flow instruction 30, and the server 20 receiving the job flow instruction 30 verifies the signature to judge the authenticity of the received job flow instruction 30.
- In such a system, when, for example, the servers 20-1 and 20-3 are located within the same company as the instruction input device 10 (that is, on the intranet of this company) and the server 20-2 is located outside the company (outside the intranet), if the job flow instruction 30a sent from the server 20-1 to the server 20-2 is signed using a secret key corresponding to a public key certificate issued by a certificate authority (CA) within the company to which the server 20-1 belongs, there may be problems such as that the outside server 20-2 cannot obtain, from the CA within the company, the public key certificate necessary for the verification of the signature, as already described above.
- According to the present embodiment, public key certificates from a CA within the company (or division) to which the server 20 belongs (this CA is referred to as the "in-house CA" hereinafter) and from a CA of a public organization such as a government or an entity such as Verisign Corporation (this CA is referred to as the "public CA" hereinafter) are provided to each server 20 (the key pairs corresponding to the certificates need not be the same for the in-house CA and for the public CA). When a server 20 electronically signs the job flow instruction 30 to be transmitted to the next server 20, the server 20 judges whether the next server 20 is within or outside the company, and electronically signs the job flow instruction 30 using the secret key corresponding to the public key certificate of the in-house CA when the next server 20 is within the company, and using the secret key corresponding to the public key certificate of the public CA when the next server 20 is located outside the company. In other words, in this example configuration, each server 20 can attach two types of electronic signatures, one for in-house use and the other for external use, and selectively employ either of the two types based on whether the destination device of the job flow instruction is within or outside the company.
- Here, the in-house CA authenticates the public keys of only particular users belonging to the company or the division (here, "user" includes not only an individual, but also a group of people or a device), whereas the public CA authenticates the public keys of many unspecified users.
- FIG. 2 is a functional block diagram of a server 20 in this system. FIG. 2 primarily shows the portions of the functions of the server 20 related to the electronic signature; the server 20 may contain other functions.
- In FIG. 2, a network I/F (interface) unit 202 is a unit for controlling data communication between the server 20 and the local area network.
- An instruction division/integration unit 204 is a unit for dividing a job flow instruction 30 received from a previous server 20 through the network I/F 202 and for assembling a job flow instruction 30 to be transmitted to a next server 20. In the division of the received job flow instruction 30, in effect, the job flow instruction 30 is divided into a portion describing the content of the process and a portion describing the electronic signature. This process will now be described using the specific example job flow instruction shown in FIG. 3.
- FIG. 3 shows an example job flow instruction written based on XML-Signature (Extensible Markup Language Signature; RFC 3275). The job flow instruction contains a process content element 310 describing the content of the process of the server 20 and a signature element 320 describing the information of the electronic signature corresponding to the process content element 310.
- The process content element 310 contains individual instructions (312, 314, etc.). Each individual instruction includes a service name (3122), a process name, and parameters (3126) for the process to be executed.
- The signature element 320 contains a signature information element 322 indicating data such as the algorithm used for the electronic signature of the job flow instruction 30 and a hash value of the target element of the signature (in this case, the process content element 310), a signature value element 324 indicating the signature value determined from the signature target element using the algorithm, and a key information element 326 describing information for specifying the public key to be used for verification of the electronic signature. The key information element 326 contains the information necessary for specifying the public key certificate corresponding to the secret key used for calculating the value of the electronic signature. The XML-Signature standard noted above can be referred to for the details of each element within the signature element 320.
- The instruction division/integration unit 204 divides a job flow instruction 30 received from the previous server 20 and having the structure described above into the process content element 310 and the signature element 320. The instruction division/integration unit 204 further divides the signature element 320 into a segment containing the signature information element 322 and the signature value element 324, and a segment containing the key information element 326. After these division steps, the process content element 310 is sent to an instruction processor unit 212 and to a signature verification unit 210, the key information element 326 is sent to a verification key selection unit 208, and the signature information element 322 and the signature value element 324 are sent to the signature verification unit 210.
- A key storage unit 206 stores the secret key of the server 20, which is used for electronically signing the job flow instruction 30 to be sent to the next server, etc., and the public keys of other servers 20, which are used for verification of the signatures on received job flow instructions 30. In the present embodiment, the key storage unit 206 stores, as the secret keys to be used for signing, an in-house secret key certified by the in-house CA and an external secret key certified by a public CA. These two secret keys may have the same value, but the corresponding public key certificates differ from each other in that one is for internal use and the other is for external use.
- The verification key selection unit 208 obtains, from the key storage unit 206, the public key indicated in the information of the key information element 326 sent from the instruction division/integration unit 204, and sends the public key to the signature verification unit 210.
- The signature verification unit 210 verifies the electronic signature attached to the job flow instruction 30 using the process content element 310, the signature information element 322 and the signature value element 324 received from the instruction division/integration unit 204, and the public key received from the verification key selection unit 208. In this verification process, the signature value indicated in the signature value element 324 is decoded using the public key received from the verification key selection unit 208 (in this step, the algorithm shown in the signature information element 322 is used), and a hash value of the process content element 310 is calculated. When the result of the decoding matches the calculated hash value, the signature verification unit 210 determines that verification is successful. When, on the other hand, the verification fails, there is a possibility that the process content element 310 and/or the signature element 320 has been falsified, and, thus, the server 20 executes a predetermined error process.
- An instruction processor unit 212 is a unit for executing the process for the job flow instruction 30. When verification by the signature verification unit 210 is successful, the instruction processor unit 212 identifies the individual instruction 32 directed to its own device in the job flow instruction 30 and executes the process indicated in that individual instruction 32. For example, when the individual instruction 32 within the job flow instruction 30 directed to the server 20 indicates an execution instruction for resolution conversion of image data, the server 20 applies the indicated resolution conversion process to the image data received along with the job flow instruction 30; this image data is the processing target of the process corresponding to the instruction.
- In a configuration in which each server 20 deletes the individual instruction 32 directed to it upon completion of the process and transmits the job flow instruction 30 to the next server 20, as shown in FIG. 1, the individual instruction 32 at the leading end of the received job flow instruction 30 is the individual instruction directed to the receiving server. In addition to this configuration, it is also possible to identify the individual instruction directed to the receiving server, for example, by referring to the description 3122 of the service name.
- When verification fails in the signature verification unit 210, the instruction processor unit 212 terminates processing of the job flow instruction 30, because there is a possibility that the process content element 310 and/or the signature element 320 has been falsified, and executes a predetermined error process.
- When the signature verification is successful and the instruction processor unit 212 applies the process, an instruction creation unit 214 removes the individual instruction 32 directed to the server from the job flow instruction 30 received from the previous server 20 and creates a process content element 310 of a job flow instruction directed to the next server 20 (this instruction is hereinafter referred to as the "output job flow instruction"). In some cases, the parameters of the processes in the next server 20 or in subsequent servers 20 may be determined based on the process of the server 20. In these cases, the parameters determined as the result of the process are written to the process content element 310 of the output job flow instruction.
- A signature key selection unit 216 selects the signature key to be used for electronically signing the process content element 310 of the output job flow instruction. As described earlier, the key storage unit 206 stores two signature keys (secret keys) of the server 20, one for use inside the company and the other for external use, and the signature key selection unit 216 selects the secret key to be used from these two types of keys. In this selection, it is judged whether the server 20 which is the destination of the output job flow instruction is within or outside the company, and, based on this judgment, the signature key selection unit 216 selects the in-house signature key if the destination server 20 is within the company, or the external signature key if the destination server 20 is external to the company. The judgment as to whether the destination server 20 is within or outside the company is based on the URL indicated in the service name of the individual instruction 314 for the destination server 20. This judgment based on the URL can be accomplished by, for example, inquiring of a predetermined name server and obtaining the IP address corresponding to the URL of the service name, and then judging whether the server is within or outside the company based on the obtained IP address. The signature key selection unit 216 reads the selected signature key from the key storage unit 206 and sends it to a signature creation unit 218.
- The signature creation unit 218 creates an electronic signature for the process content element 310 received from the instruction creation unit 214 using the signature key obtained from the signature key selection unit 216. In the signature creation process, a hash value of the process content element 310 is calculated and a signature value is calculated by applying the signature key to the hash value. Then, the signature creation unit 218 creates a signature information element 322 describing the algorithm used for calculation of the signature value, a signature value element 324 containing the signature value, and a key information element 326 indicating the public key certificate corresponding to the signature key used, and sends these elements to the instruction division/integration unit 204.
- The instruction division/integration unit 204 adds the signature information element 322, the signature value element 324, and the key information element 326 created by the signature creation unit 218 to the process content element 310 created by the instruction creation unit 214 to create the output job flow instruction. The created output job flow instruction is transmitted to the destination server 20 via the network I/F unit 202.
- As described, in the configuration of this embodiment, a server 20 which executes a partial process within the cooperative service judges whether the server 20 to execute the next process is within or outside the company, and attaches an electronic signature which can be verified using a public key certificate issued by a public CA when the next server 20 is outside. Thus, when an outside server 20 receives a job flow instruction from an in-house server 20, the outside server 20 can verify the signature by obtaining a public key certificate of the in-house server 20 from a public CA. At the same time, it is possible to prevent leakage of in-house information, such as, for example, organizational structure information contained in the public key certificate from the in-house CA.
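The hop-by-hop key selection just described, as an added example in Go. It is not code from the patent: where the patent uses XML-Signature elements, this example signs a fixed serialization of the process content with Ed25519, stands in for the in-house and public CAs with lookup tables, and replaces the name-server inquiry with a host table. KeyInfo plays the role of key information element 326. The host names, addresses and the 10.0.0.0/8 intranet range are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"net/netip"
	"net/url"
)

// Individual instruction 32 (elements 312, 314): service name as a URL, process name and parameters.
type Individual struct{ Service, Process, Params string }
// JobFlow: signed instruction 30 = process content 310 + signature value 324 + key information 326 (certificate name).
type JobFlow struct {
	Content []Individual
	KeyInfo string
	Value   []byte
}
// CA stands in for a certificate authority: the certified public keys a verifier can obtain from it.
type CA map[string]ed25519.PublicKey
// Server models FIG. 2: two keys (unit 206), reachable CAs, intranet range, host table (assumed name-server stand-in).
type Server struct {
	Name                string
	inHouse, external   ed25519.PrivateKey
	inHouseCA, publicCA CA
	Intranet            netip.Prefix
	Hosts               map[string]netip.Addr
}
// NewServer generates the two signing keys and registers each public half with the matching CA.
func NewServer(name string, inHouseCA, publicCA CA, intranet netip.Prefix, hosts map[string]netip.Addr) *Server {
	s := &Server{Name: name, inHouseCA: inHouseCA, publicCA: publicCA, Intranet: intranet, Hosts: hosts}
	var pub ed25519.PublicKey
	pub, s.inHouse, _ = ed25519.GenerateKey(rand.Reader)
	inHouseCA[name+"/in-house"] = pub // certified by the in-house CA only
	pub, s.external, _ = ed25519.GenerateKey(rand.Reader)
	publicCA[name+"/public"] = pub // certified by the public CA
	return s
}
// canonical stands in for XML canonicalization: one fixed serialization shared by signer and verifier.
func canonical(content []Individual) []byte { return []byte(fmt.Sprintf("%q", content)) }
// host returns the host part of a service name URL, or "" when it cannot be parsed.
func host(service string) string {
	if u, err := url.Parse(service); err == nil {
		return u.Hostname()
	}
	return ""
}
// IsInternal is the judgment of unit 216; unparsable or unresolvable destinations count as outside.
func (s *Server) IsInternal(service string) bool {
	return s.Intranet.Contains(s.Hosts[host(service)]) // the zero Addr is never contained
}
// Sign signs for the next server (named by the leading instruction): in-house key inside, external key otherwise.
func (s *Server) Sign(content []Individual) JobFlow {
	key, info := s.external, s.Name+"/public"
	if s.IsInternal(content[0].Service) {
		key, info = s.inHouse, s.Name+"/in-house"
	}
	return JobFlow{Content: content, KeyInfo: info, Value: ed25519.Sign(key, canonical(content))}
}
// Verify is unit 210: obtain the certificate named in KeyInfo from a reachable CA, then check the value.
func (s *Server) Verify(jf JobFlow) error {
	pub := s.inHouseCA[jf.KeyInfo]
	if pub == nil {
		pub = s.publicCA[jf.KeyInfo]
	}
	if pub == nil {
		return fmt.Errorf("%s: certificate %q not obtainable from a reachable CA", s.Name, jf.KeyInfo)
	}
	if !ed25519.Verify(pub, canonical(jf.Content), jf.Value) {
		return fmt.Errorf("%s: signature verification failed, instruction may be falsified", s.Name)
	}
	return nil
}
// Process is one hop of FIG. 1: verify, check the leading instruction is ours, delete it, re-sign the rest.
func (s *Server) Process(jf JobFlow) (JobFlow, error) {
	if err := s.Verify(jf); err != nil {
		return JobFlow{}, err
	}
	if len(jf.Content) == 0 || host(jf.Content[0].Service) != s.Name {
		return JobFlow{}, fmt.Errorf("%s: leading instruction is not directed to this server", s.Name)
	}
	if rest := jf.Content[1:]; len(rest) > 0 {
		return s.Sign(rest), nil
	}
	return JobFlow{}, nil // this server was the last one in the flow
}

// Constructed flow: input device mfp -> in-house server db -> partner server convert (outside 10.0.0.0/8).
func main() {
	hosts := map[string]netip.Addr{"mfp.corp.example": netip.MustParseAddr("10.0.0.2"), // constructed
		"db.corp.example": netip.MustParseAddr("10.0.0.5"), "convert.partner.example": netip.MustParseAddr("203.0.113.7")}
	corpCA, publicCA, corpNet := CA{}, CA{}, netip.MustParsePrefix("10.0.0.0/8")
	mfp := NewServer("mfp.corp.example", corpCA, publicCA, corpNet, hosts)
	db := NewServer("db.corp.example", corpCA, publicCA, corpNet, hosts)
	convert := NewServer("convert.partner.example", CA{}, publicCA, netip.MustParsePrefix("203.0.113.0/24"), hosts)
	jf := mfp.Sign([]Individual{{"https://db.corp.example/docs", "fetch", "id=42"},
		{"https://convert.partner.example/img", "rotate", "deg=90"}})
	next, err := db.Process(jf) // verified with the in-house CA, re-signed for an outside hop
	_, err2 := convert.Process(next) // the partner needed only the public CA
	fmt.Println(jf.KeyInfo, next.KeyInfo, err, err2) // mfp.corp.example/in-house db.corp.example/public <nil> <nil>
}
```

The partner's CA table is separate from the company's, so a job flow signed with an in-house key cannot be verified outside; that is exactly why the sending server must choose the external key for that hop. Treating an unresolvable destination as outside is a choice this example makes for safety: the in-house certificate, and any organizational detail it carries, is then only ever presented to a host known to be on the intranet.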
- On the other hand, in the present embodiment, when the next server 20 to execute a process is a server within the company, the server 20 attaches an electronic signature that can be verified using a public key certificate from the in-house CA to the job flow instruction. Because of this, the next server 20, which is within the company, can easily verify the signature without the necessity to obtain a public key certificate from a public CA on the Internet.
- In the above embodiment, the signature key is selected based on whether the next server is an internal or external server. This configuration is only one example, and the selection of the signature keys may, in another example, be realized based on whether or not the next server belongs to a particular division within the same company.
- Moreover, in the above embodiment, an electronic signature to be applied to a job flow instruction 30 has been described. It is also possible, using a similar mechanism, to apply an electronic signature corresponding to the destination to data transmitted along with the job flow instruction (for example, the target data for a process in the next device).
- The above-described electronic signature system can also be applied to a system having a structure as shown in FIG. 4.
- The system shown in FIG. 4 includes a job flow controller 25 in addition to the instruction input device 10 and the servers 20. The job flow controller 25 is a device that controls the execution of processes in the servers 20 in this system. More specifically, the job flow controller 25 receives a job flow instruction 30 created by the instruction input device 10, extracts the individual instructions 32 for the servers 20 from the job flow instruction 30, and transmits the individual instructions 32 to the corresponding servers 20 according to the order of the processes. Each of the servers 20 receives its individual instruction 32, executes the process according to the received individual instruction 32, and returns the data of the processing result to the job flow controller 25 when the process is completed. The job flow controller 25 receives this data and transmits the individual instruction 32 to the next server 20. These steps are repeated so that one service flow can be realized by the cooperation of a plurality of servers 20.
- In this embodiment, the job flow controller 25 is connected to an internal network within the same company as the instruction input device 10.
- In the system shown in FIG. 4 as described, the job flow controller 25 has a signature key certified by an in-house public key certificate and a signature key certified by an outside public key certificate. The job flow controller 25 verifies the electronic signature attached to a job flow instruction 30 received from the instruction input device 10. When the job flow controller 25 judges that the signature is a valid signature of the instruction input device 10, the job flow controller 25 extracts, from the process content element 310 of the job flow instruction 30, the individual instructions 32 (312, 314, etc.) directed to the servers 20 and transmits the individual instructions in order. When transmitting an instruction, the job flow controller 25 judges whether the destination server 20 of the individual instruction 32 is a device directly connected to the internal network or one located outside the company, and attaches an electronic signature to the individual instruction 32 using the signature key corresponding to the in-house certificate if the destination server 20 is on the intranet, or using the signature key corresponding to the outside certificate if the destination server 20 is outside. With this configuration, it is possible to smoothly verify the signature regardless of whether the server 20 receiving the individual instruction 32 is part of, or external to, the company intranet.
- Similar to the configuration described above, with this configuration the electronic signature of the in-house instruction input device 10 contained in the job flow instruction 30 from the instruction input device 10 is not transmitted to an outside server 20.
- In the system described above, each individual server 20 judges whether the server 20 to which the job flow instruction 30 is next to be transmitted is internal or external to the company, and attaches an electronic signature using the signature key corresponding to the judgment. This configuration, however, is only an example of the present invention, and an alternative, such as, for example, the configuration which will be described below, may be employed.
- Specifically, in the example used to illustrate the above embodiment, each server 20 creates a job flow instruction 30 to be sent to the next server 20 and attaches an electronic signature of its own device. In another embodiment, a job flow instruction created and electronically signed by the instruction input device 10 is transmitted from a server 20 to the next server 20. In this configuration, attention is given to whether the instruction input device 10 uses a signature key corresponding to an in-house public key certificate or an external public key certificate for electronically signing the job flow instruction. In consideration of this point, the instruction input device 10 in this embodiment judges whether each of the servers 20 to be used for the cooperative service requested by the user is a device internal or external to the company. When the servers 20 include at least one external device, the instruction input device 10 attaches a signature to the job flow instruction using the outside signature key. Conversely, when all servers 20 used for the cooperative service are within the company, the instruction input device 10 electronically signs using the in-house signature key.
- FIG. 5 is a functional block diagram showing the structure of an instruction input device 10 according to this embodiment. In this structure, an operation display unit 102 is a unit which displays a user interface through which a user can input an instruction, which is received by the operation display unit 102. An execution instruction for a cooperative service from the user is input from the operation display unit 102. In order to allow input of the execution instruction, for example, the operation display unit 102 displays a list of the names of selectable cooperative services, allows the user to select a desired service, and, when appropriate, permits the user to input processing parameters. An example of a processing parameter could be, for example, a mail destination address for a server providing an electronic mail transmission service. A service DB (database) 104 contains templates of job flow instructions 30 corresponding to the cooperative services, the templates being correlated with the names of the cooperative services. Such a template is a template of the portion, in the signed job flow instruction of FIG. 3, corresponding to the process content element 310. The process content element 310 contains information for specifying the servers 20 to be used, such as, for example, the service name.
- An instruction creation unit 106 receives the user's selection of the cooperative service and the corresponding parameters from the operation display unit 102, obtains the template of the job flow instruction corresponding to the selected cooperative service from the service DB 104, and completes the process content element 310 of the job flow instruction by substituting the received parameters into the template. The created process content element 310 is provided to an instruction integration unit 114 and a signature creation unit 112. In addition, the instruction creation unit 106 sends information on the service names of the servers 20 written in the process content element 310 to a signature key selection unit 110.
- A key storage unit 108 stores two types of keys for the electronic signature of the job flow instruction 30, one corresponding to a public key certificate issued by the in-house CA and the other corresponding to a public key certificate issued by a public CA.
- Based on the information on the servers 20 used in the cooperative service provided from the instruction creation unit 106, the signature key selection unit 110 judges whether any of the servers 20 are outside the company. When the signature key selection unit 110 judges that there is at least one outside server 20, it selects the outside signature key, and when it judges that there is no outside server 20, it selects the in-house signature key. The signature key selection unit 110 retrieves the selected signature key from the key storage unit 108 and sends the key to the signature creation unit 112.
- The signature creation unit 112 creates a signature information element 322, a signature value element 324, and a key information element 326 in a manner similar to that described above, using the process content element 310 received from the instruction creation unit 106 and the signature key received from the signature key selection unit 110, and sends the created elements to the instruction integration unit 114.
- The instruction integration unit 114 creates the output job flow instruction by adding the signature information element 322, signature value element 324, and key information element 326 created by the signature creation unit 112 to the process content element 310 created by the instruction creation unit 106. The created output job flow instruction is transmitted to the first server 20 in the cooperative service via a network I/F unit 102.
- From then on, each of the servers 20 verifies the electronic signature of the instruction input device 10 on the received job flow instruction 30, and, when the verification is successful, the server 20 identifies the individual instruction 32 directed to itself in the instruction 30, executes the process indicated in that individual instruction 32, and transmits the received job flow instruction 30 to the next server 20 without any change.
- Next, another alternative embodiment will be described. In this embodiment, as shown in FIG. 6, a signature proxy device 40 is provided on a LAN 50 (or intranet) within the company, to which the instruction input device 10 and the servers 20 are connected. The signature proxy device 40 is certified with public key certificates from an in-house CA and from a public CA. In this description, it is assumed that an application server 60 is present outside the company (outside the intranet).
- In this system, the instruction input device 10 and the servers 20 on the in-house LAN 50 need only have a secret key corresponding to a public key certificate issued by the in-house CA. The instruction input device 10 and the servers 20 electronically sign the job flow instruction 30 to be sent to the next server 20 using the in-house secret key. The process in the server 20 is similar to that of the server 20 in the embodiment shown in FIG. 2, except that there is no selection of the key to be used for signing (that is, the in-house signature key is always used).
- In the instruction input device 10 and the servers 20 within the company, the IP address and name of the signature proxy device 40 are set as the proxy server to be used when the instruction input device 10 or the server 20 is to transmit the job flow instruction 30 outside the intranet. When sending a signed job flow instruction to the next server 20, the instruction input device 10 and the servers 20 judge whether the destination server is within or outside the company; when the destination server is within the company, the instruction input device 10 or the server 20 transmits the signed instruction 30 directly to the destination server, and when the destination server is outside the company, the instruction input device 10 or the server 20 transmits the signed instruction 30 to the signature proxy device 40. In the embodiment shown in FIG. 6, the server 20-2 judges that the next server 60 is an outside device and sends the signed job flow instruction 30 to the signature proxy device 40.
- The signature proxy device 40 receiving this job flow instruction 30 verifies the signature of the job flow instruction 30, and, when the verification is successful, the signature proxy device 40 deletes the signature element 320 of the electronic signature of the server 20-2 (which uses the in-house signature key) from the job flow instruction 30, creates a job flow instruction 35 by attaching an electronic signature to the process content element 310 that remains after the deletion of the signature element 320, using the secret key corresponding to the outside public key certificate of the signature proxy device 40, and transmits the job flow instruction 35 to the outside destination server 60.
- An in-house server 20 does not directly receive a job flow instruction from the outside server 60. A job flow instruction 37 directed to an in-house server 20-3 from the outside server 60 is first received by the signature proxy device 40. The signature proxy device 40 verifies the electronic signature attached to the job flow instruction 37, and, when the verification is successful, deletes the signature element 320 of the electronic signature of the outside server 60 from the job flow instruction 37, creates an in-house job flow instruction 30 by attaching an electronic signature to the process content element 310 that remains after the deletion of the signature element, using the secret key corresponding to the in-house public key certificate of the signature proxy device 40, and transmits the in-house job flow instruction 30 to the destination server 20-3.
- In this manner, the signature proxy device 40 replaces the electronic signatures attached to instructions communicated from inside the company to the outside, and to instructions communicated from outside the company to the inside. With this replacement process, the instruction input device 10 and the servers 20 within the company are only required to be certified with a public key certificate from the in-house CA and to electronically sign the instruction using the in-house signature key, regardless of whether the destination is internal or external to the company. When the instruction is to be sent outside, the signature proxy device 40 replaces the signature with a signature for outside use. In this manner, it is possible to detect any falsification or the like of the job flow instruction 30 between the in-house servers 20 and, at the same time, to detect any falsification or the like of job flow instructions between the inside and the outside of the company. In addition, because the outside server 60 can verify the signature on the instruction 35 by merely obtaining the outside public key certificate of the signature proxy device 40 from the public CA, verification of the signature is a simple task.
- In addition, in this system, the signature of the signed
instruction 37 from theoutside server 60 is verified by thesignature proxy device 40, and, when the verification is successful, the electronic signature on thejob flow instruction 37 is replaced with an in-house electronic signature of thesignature proxy device 40 and thejob flow instruction 37 is sent to the destination in-house server 20-3. Therefore, according to this configuration, the servers 20 within the company is only required to have a capability to verify signature using a public key certificate issued by the in-house CA, and there is no need for the in-house server 20 to be compatible with the public key certificate of an outside CA. - An example structure of the
signature proxy device 40 will now be described referring toFIG. 7 . - In this
device 40, an instruction division/integration unit 404, upon reception of ajob flow instruction 30 via a network I/F unit 402, provides aprocess content element 310 extracted from thejob flow instruction 30 to asignature verification unit 410 and a signatureconversion controller unit 412, asignature information element 322 and a signature value element 324 (refer toFIG. 3 ) extracted from thejob flow instruction 30 to asignature verification unit 410, and akey information element 326 extracted from thejob flow instruction 30 to a verificationkey selection unit 408. The verificationkey selection unit 408 retrieves a public key indicated in thekey information element 326 from akey storage unit 406 and sends the selected public key to thesignature verification unit 410. Thesignature verification unit 410 executes a signature verification process similar to that in the embodiment shown inFIG. 2 using the public key. The result of this verification (successful or failure) is sent to the signatureconversion controller unit 412. - The signature
conversion controller unit 412 instructs the signaturekey selection unit 416 to replace the signature on thejob flow instruction 30 with an outside signature when thejob flow instruction 30 is from a server 20 within the company. On the other hand, when thejob flow instruction 30 is from anoutside server 60, the signatureconversion controller unit 412 instructs the signaturekey selection unit 416 to replace the signature on thejob flow instruction 30 with an in-house signature. The judgment on whether thejob flow instruction 30 is from a server 20 within the company or from anoutside server 60 can be done by checking whether the public key used for the signature verification in thesignature verification unit 410 is certified by an in-house CA or by an outside CA. Alternatively, the judgment can be made by the signatureconversion controller unit 412 receiving information on the originating URL and IP address of thejob flow instruction 30 from the network I/F unit 402 and deciding accordingly. - In the above example, it is described that only instructions from the inside to the outside of the company or the instructions from the outside to the inside of the company are received by the
signature proxy device 40. When, however, there is a possibility that an instruction from an in-house server 20 to another transmits through thesignature proxy device 40, thesignature proxy server 40 reviews not only the origin, but also the destination. Specifically, the signatureconversion controller unit 412 judges that the signature should be replaced for instructions from the inside to the outside of the company and for instructions from the outside to the inside of the company and that the signature should not be replaced for instructions between devices within the company. The destination of thejob flow instruction 30 can be determined from the URL indicated in theservice name 3122 of the individual instruction at the leading end of theprocess content element 310 of thejob flow instruction 30 or from the destination IP address received from the network I/F unit 402. - The signature
key selection unit 416 selects a signature key (in-house or external) of theproxy device 40 corresponding to the instruction from the signature keyconversion controller unit 412 from thekey storage unit 406 and sends the selected key to asignature creation unit 418. Thesignature creation unit 418 calculates a value for an electronic signature corresponding to theprocess content element 310 using the sent signature key and sends asignature information element 322, asignature value element 324, and asignature information element 326 indicating the electronic signature to the instruction division/integration unit 404. The instruction division/integration unit 404 re-constructs a job flow instruction by combining the receivedelements process content element 310 and transmits the created job flow instruction to the destination server via the network I/F unit 402. - When the signature
conversion controller unit 412 judges that there is no need for replacement of a signature (for example, when the instruction is from an in-house device to another), this judgment is sent to the instruction division/integration unit 404. The instruction division/integration unit 404 receiving this information transmits thejob flow instruction 30 received from the network I/F unit 402 to the destination server without any change. - In the above examples, the in-house server 20 uses only a signature key corresponding to a public key certificate certified by the in-house CA. There are, however, situations wherein the in-house server 20 is also certified by a public key certificate from an outside CA. In such a case, the
signature proxy device 40 verifies the signature of a job flow instruction from the in-house server 20 to anoutside server 60 and judges whether the signature attached to the instruction corresponds to the in-house or outside certificate. When thesignature proxy device 40 judges that the signature corresponds to an in-house CA, thesignature proxy device 40 replaces the signature, and when thesignature proxy device 40 judges that the signature corresponds to an outside CA, thesignature proxy device 40 skips the replacement step. - In the embodiment described with reference to
FIGS. 6 and 7 , each server 20 within the company judges whether the destination of thejob flow instruction 30 is inside or outside of the company and sends thejob flow instruction 30 to thesignature proxy device 40 when the destination is outside. Alternatively, it is also possible to employ a configuration wherein the in-house server 20 does not perform such judgment. In such a case, asignature proxy server 40 is provided as a gateway on the boundary between the in-house LAN 50 and the Internet and monitors thejob flow instruction 30 which is to be sent from the in-house LAN 50 to the Internet. Thesignature proxy device 40 verifies the electronic signature of ajob flow instruction 30 which is found through the monitoring, and, when it is determined that the signature was created using a secret key corresponding to an in-house public key certificate, thesignature proxy device 40 applies the signature replacement process as described above and transmits thejob flow instruction 30 to the destination server on the Internet. Thesignature proxy device 40 also monitors the job flow instructions which is to be sent into the in-house LAN 50 from the Internet, and, when the job flow instruction is signed using a secret key corresponding to an outside public key certificate, performs the signature replacement process as described above. With this configuration, advantages similar to the embodiment shown inFIGS. 6 and 7 can be obtained. - It is also possible for the
signature proxy device 40 to be one of the application servers 20, include a description of the process content of thesignature proxy device 40 in thejob flow instruction 30, and for thesignature proxy device 40 to perform the signature replacement process as described above according to the description of the process content. - In the above-described embodiments, the judgment as to whether the destination device to which the job flow instruction is to be transmitted next is internal or external to the company is made based on the URL of the destination device described in the job flow instruction. Alternatively, it is also possible to base this judgment on an IP address, a FQDN (Fully Qualified Domain Name), an e-mail address, or any other appropriate information associated with the destination device. The IP address, FQDN, and the electronic mail address of the destination device may be explicitly described in the job flow instruction or may be described in a packet header when the instruction is transmitted in the form of packets. In either case, the server 20 and the
job flow controller 25 can obtain destination information suitable in each case and can judge whether the destination is inside or outside the company from the obtained information. - Although specific embodiments of the invention have been described, it will be understood by those having skill in the art that changes can be made to these specific embodiments without departing from the spirit and scope of the invention. The scope of the invention is not to be restricted, therefore, to the specific embodiments, and it is intended that the appended claims cover any and all such applications, modifications, and embodiments within the scope of the present invention.
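The signature replacement flow of the signature proxy device 40 described above (verify the incoming signature, judge the origin by the certifying CA and the destination by URL, delete the signature element, re-sign the unchanged process content element with the key for the other side, or pass the instruction through untouched), as an added Go example that is not part of the patent or of any product implementing it. It uses Ed25519 in place of the unspecified signature algorithm, models CA certification as a constructed key store that records the issuing CA per key ID, and the type names, key IDs and the corp.example intranet suffix are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed names for the two certifying authorities (the in-house CA and the public CA).
const InHouseCA, PublicCA = "in-house-ca", "public-ca"

// ProcessContent stands in for the process content element (310); NextService plays the role of the service name (3122) from which the destination is judged.
type ProcessContent struct {
	NextService string `json:"next_service"`
}

// SignatureElement stands in for the signature element (320): signature value (324) and key information (326).
type SignatureElement struct {
	Value []byte
	KeyID string
}

type JobFlowInstruction struct {
	Content   ProcessContent
	Signature SignatureElement
}

// Cert is a simplified certificate (public key plus certifying CA), KeyStore plays the key storage unit (406), KeyPair is a signing key with its key ID.
type Cert struct{ Public ed25519.PublicKey; Issuer string }
type KeyStore map[string]Cert
type KeyPair struct{ ID string; Priv ed25519.PrivateKey }

// canonical returns the signed bytes: the process content only, so the signature element can be deleted and replaced without touching the content.
func canonical(c ProcessContent) []byte {
	b, _ := json.Marshal(c) // struct marshalling is deterministic in field order
	return b
}

// Sign attaches a signature element over the content (signature creation unit 418).
func Sign(c ProcessContent, k KeyPair) JobFlowInstruction {
	return JobFlowInstruction{c, SignatureElement{ed25519.Sign(k.Priv, canonical(c)), k.ID}}
}

// Verify selects the public key named by the key information (408), checks the signature (410) and reports which CA certified the signing key.
func Verify(in JobFlowInstruction, store KeyStore) (string, error) {
	cert, ok := store[in.Signature.KeyID] // short-circuit below: ed25519.Verify is not called on a missing key
	if !ok || !ed25519.Verify(cert.Public, canonical(in.Content), in.Signature.Value) {
		return "", fmt.Errorf("unknown key or invalid signature (key %q)", in.Signature.KeyID)
	}
	return cert.Issuer, nil
}

// IsInternal judges from the destination URL whether the next server is on the intranet.
func IsInternal(rawURL, intranetSuffix string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return false // an unparsable destination is treated as outside
	}
	h := strings.ToLower(u.Hostname())
	return h == intranetSuffix || strings.HasSuffix(h, "."+intranetSuffix)
}

// Proxy models the signature proxy device (40), which holds one signing key per CA.
type Proxy struct {
	Store            KeyStore
	InHouse, Outside KeyPair
	IntranetSuffix   string
}

// Forward is the signature conversion controller (412): verify first, judge the origin by the certifying CA and the destination by URL, then replace the signature or pass through.
func (p *Proxy) Forward(in JobFlowInstruction) (JobFlowInstruction, error) {
	issuer, err := Verify(in, p.Store)
	if err != nil {
		return JobFlowInstruction{}, err // an instruction that fails verification is never forwarded
	}
	toInside := IsInternal(in.Content.NextService, p.IntranetSuffix)
	switch {
	case issuer == InHouseCA && !toInside:
		return Sign(in.Content, p.Outside), nil // inside -> outside: outside signature
	case issuer == PublicCA && toInside:
		return Sign(in.Content, p.InHouse), nil // outside -> inside: in-house signature
	default:
		return in, nil // inside -> inside, or already carrying an outside-CA signature
	}
}

// NewKey generates a key and records its certificate in the store (constructed stand-in for certification by a CA).
func NewKey(id, issuer string, store KeyStore) KeyPair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	store[id] = Cert{Public: pub, Issuer: issuer}
	return KeyPair{ID: id, Priv: priv}
}
```

Because the signature covers only the process content element, the proxy never needs to re-parse or modify the instruction body; a tampered body fails verification at the proxy and is dropped rather than re-signed.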
Claims (8)
1. An information processor for instructing a job processor to execute a job process, the information processor comprising:
a selection unit for selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data having a process description for instructing a job process or data to be processed in a job process;
a signing unit for signing the instruction data or the data to be processed using the signature key selected by the selection unit; and
a transmitter unit for transmitting, to the job processor, the instruction data or the data to be processed signed by the signing unit,
wherein the selection unit selects the first signature key when the job processor is located within a predetermined network and selects the second signature key otherwise.
2. An information processor according to claim 1, wherein
the certificate authority certifying the first signature key is a certificate authority which certifies users within the predetermined network, and
the certificate authority certifying the second signature key is a certificate authority which certifies other users outside the predetermined network.
3. An information processing method executed by an information processor for instructing a job processor to execute a job process, the method comprising the steps of:
selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data having a process description for instructing a job process or data to be processed in a job process;
electronically signing the instruction data or the data to be processed using the signature key selected in the selecting step;
transmitting, to the job processor, the instruction data or the data to be processed which is electronically signed in the electronically signing step,
wherein the selecting selects the first signature key when the job processor is located within a predetermined network and selects the second signature key otherwise.
4. A proxy device provided between an internal network and an external network, for exchanging documents between a device on the internal network and a device on the external network, the proxy device comprising:
a first signature verification unit that verifies that a first electronic signature attached to a document transmitted from a device on an internal network to a device on an external network is signed using a signature key for the internal network, and
a first signature conversion unit that deletes the first electronic signature once the signature is verified by the first signature verification unit and attaches a second electronic signature to the document using a signature key of the proxy device for the external network, the signature key for the internal network and the signature key for the external network being separately generated and exclusive of each other, and
a transmitter unit for transmitting the electronically signed document to the device on the external network.
5. A proxy device according to claim 4, further comprising:
a second signature verification unit that verifies that a third electronic signature attached to a document transmitted from a device on the external network to a device on the internal network is signed using a signature key for the external network, and
a second signature conversion unit that deletes the third electronic signature once the signature is verified by the second signature verification unit and attaches a fourth electronic signature to the document using a signature key of the proxy device for the internal network, the signature key for the external network and the signature key for the internal network being separately generated and exclusive of each other, and
a transmitter unit for transmitting the electronically signed document to the device on the internal network.
6. A method for exchanging, in a proxy device provided between an internal network and an external network, documents between a device on the internal network and a device on the external network, the method comprising the steps of:
verifying a first electronic signature attached to a document transmitted from a device on the internal network to a device on the external network;
deleting the first electronic signature from the document when it is determined in the verification that the first electronic signature attached to the document is signed using a signature key for the internal network;
attaching a second electronic signature to the document from which the first electronic signature has been deleted using a signature key of the proxy device for the external network, the signature key for the internal network and the signature key for the external network being separately generated and exclusive of each other, and
transmitting the document to which an electronic signature is re-attached using the signature key for the external network to the device on the external network.
7. A proxy device provided between an internal network and an external network for exchanging documents between a device on the internal network and a device on the external network, the proxy device comprising:
a signature verification unit that verifies that a first electronic signature attached to a document transmitted from a device on the external network to a device on the internal network is signed using a signature key for the external network;
a signature conversion unit that deletes the first signature once the signature is verified by the signature verification unit and attaches a second electronic signature to the document using a signature key of the proxy device for the internal network, the signature key for the external network and the signature key for the internal network being separately generated and exclusive of each other, and
a transmitter unit for transmitting the document to the device on the internal network.
8. A method for exchanging, in a proxy device provided between an internal network and an external network, documents between a device on the internal network and a device on the external network, the method comprising the steps of:
verifying a first electronic signature attached to a document transmitted from a device on the external network to a device on the internal network;
deleting the first electronic signature from the document when the verification is successful;
attaching a second electronic signature to the document from which the first electronic signature is deleted using a signature key of the proxy device for the internal network, the signature key for the external network and the signature key for the internal network being separately generated and exclusive of each other, and
transmitting the document having an electronic signature re-attached using the signature key for the internal network to the device on the internal network.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/808,544 US20070245146A1 (en) | 2003-03-25 | 2007-06-11 | Apparatus and method for securely realizing cooperative processing |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2003082612A JP4470384B2 (en) | 2003-03-25 | 2003-03-25 | Information processing apparatus, job processing apparatus, instruction data creation apparatus, and signature proxy apparatus |
JP2003-082612 | 2003-03-25 | | |
US10/653,191 US7246241B2 (en) | 2003-03-25 | 2003-09-03 | Apparatus and method for securely realizing cooperative processing |
US11/808,544 US20070245146A1 (en) | 2003-03-25 | 2007-06-11 | Apparatus and method for securely realizing cooperative processing |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/653,191 Continuation US7246241B2 (en) | 2003-03-25 | 2003-09-03 | Apparatus and method for securely realizing cooperative processing |
Publications (1)
Publication Number | Publication Date |
---|---|
US20070245146A1 true US20070245146A1 (en) | 2007-10-18 |
Family
ID=32985009
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/653,191 Expired - Fee Related US7246241B2 (en) | 2003-03-25 | 2003-09-03 | Apparatus and method for securely realizing cooperative processing |
US11/808,544 Abandoned US20070245146A1 (en) | 2003-03-25 | 2007-06-11 | Apparatus and method for securely realizing cooperative processing |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/653,191 Expired - Fee Related US7246241B2 (en) | 2003-03-25 | 2003-09-03 | Apparatus and method for securely realizing cooperative processing |
Country Status (4)
Country | Link |
---|---|
US (2) | US7246241B2 (en) |
JP (1) | JP4470384B2 (en) |
KR (1) | KR100502741B1 (en) |
CN (1) | CN1290024C (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
HUP0103350A2 (en) * | 2001-08-17 | 2003-04-28 | Péter Ladányi | Electronic writing device for generating electronic signature of enhanced security |
FR2875977A1 (en) * | 2004-09-29 | 2006-03-31 | France Telecom | CRYPTOGRAPHIC SYSTEM AND METHOD WITH A PUBLIC KEY AND CERTIFICATION SERVER, MEMORIES ADAPTED FOR THIS SYSTEM |
JP4723909B2 (en) * | 2005-05-27 | 2011-07-13 | 株式会社日立製作所 | Data exchange method, data exchange management device, and data exchange management program |
JP4591870B2 (en) * | 2005-08-24 | 2010-12-01 | 富士ゼロックス株式会社 | Cooperation processing method, cooperation processing device, external cooperation system, program |
JP5108285B2 (en) * | 2006-11-30 | 2012-12-26 | 株式会社日立製作所 | Signature method, information processing apparatus, and signature program |
JP6226197B2 (en) * | 2014-05-23 | 2017-11-08 | パナソニックIpマネジメント株式会社 | Certificate issuing system, client terminal, server device, certificate acquisition method, and certificate issuing method |
JP6056811B2 (en) * | 2014-07-14 | 2017-01-11 | コニカミノルタ株式会社 | Workflow system, workflow execution device, workflow execution method, and workflow execution program |
CN106557285B (en) * | 2015-09-25 | 2020-07-24 | 腾讯科技(深圳)有限公司 | Printing method and apparatus |
US10339299B1 (en) | 2016-03-08 | 2019-07-02 | Kashmoo, Inc. | Runtime management of application components |
JP6745933B2 (en) * | 2018-03-26 | 2020-08-26 | 三菱電機インフォメーションシステムズ株式会社 | Individual signature system |
US11886434B1 (en) | 2019-08-05 | 2024-01-30 | Bildr, Inc. | Management of application entities |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5642420A (en) * | 1994-03-03 | 1997-06-24 | Fujitsu Limited | Cryptoinformation repeater, subscriber terminal connected thereto, and cryptocommunication method |
US6157721A (en) * | 1996-08-12 | 2000-12-05 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
US6178505B1 (en) * | 1997-03-10 | 2001-01-23 | Internet Dynamics, Inc. | Secure delivery of information in a network |
US20020138577A1 (en) * | 2000-12-22 | 2002-09-26 | Teng Joan C. | Domain based workflows |
US6567913B1 (en) * | 1998-12-24 | 2003-05-20 | Pitney Bowes Inc. | Selective security level certificate meter |
US20030120610A1 (en) * | 2001-12-20 | 2003-06-26 | Au-System Aktiebolag | Secure domain network |
US6772341B1 (en) * | 1999-12-14 | 2004-08-03 | International Business Machines Corporation | Method and system for presentation and manipulation of PKCS signed-data objects |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH08123744A (en) | 1994-10-26 | 1996-05-17 | Hitachi Ltd | Work flow system |
JP2001282970A (en) | 2000-03-29 | 2001-10-12 | Hitachi Software Eng Co Ltd | Work flow managing system |
JP4299447B2 (en) | 2000-09-12 | 2009-07-22 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Workflow system, information processing apparatus, and storage medium |
JP3629516B2 (en) | 2000-11-02 | 2005-03-16 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Proxy server, electronic signature system, electronic signature verification system, network system, electronic signature method, electronic signature verification method, and storage medium |
2003
- 2003-03-25 JP JP2003082612A patent/JP4470384B2/en not_active Expired - Fee Related
- 2003-09-03 US US10/653,191 patent/US7246241B2/en not_active Expired - Fee Related
- 2003-09-22 KR KR10-2003-0065693A patent/KR100502741B1/en active IP Right Grant
- 2003-10-10 CN CNB2003101007866A patent/CN1290024C/en not_active Expired - Fee Related
2007
- 2007-06-11 US US11/808,544 patent/US20070245146A1/en not_active Abandoned
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080068640A1 (en) * | 2006-09-19 | 2008-03-20 | Canon Kabushiki Kaisha | Data-processing device, data-processing method, and computer program |
US8120794B2 (en) * | 2006-09-19 | 2012-02-21 | Canon Kabushiki Kaisha | Data-processing device, data-processing method, and computer program |
US20090282417A1 (en) * | 2008-05-12 | 2009-11-12 | Canon Kabushiki Kaisha | Workflow executing apparatus, workflow executing method, and storage medium |
US8601478B2 (en) * | 2008-05-12 | 2013-12-03 | Canon Kabushiki Kaisha | Division, linking and sequential execution of workflows based on the fewest number of divided partitions |
US20090327735A1 (en) * | 2008-06-26 | 2009-12-31 | Microsoft Corporation | Unidirectional multi-use proxy re-signature process |
Also Published As
Publication number | Publication date |
---|---|
JP2004297109A (en) | 2004-10-21 |
KR20040086106A (en) | 2004-10-08 |
JP4470384B2 (en) | 2010-06-02 |
CN1290024C (en) | 2006-12-13 |
US7246241B2 (en) | 2007-07-17 |
CN1532711A (en) | 2004-09-29 |
KR100502741B1 (en) | 2005-07-21 |
US20040193889A1 (en) | 2004-09-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: FUJI XEROX CO., LTD., JAPAN; Free format text: CHANGE OF ADDRESS; ASSIGNOR: FUJI XEROX CO., LTD.; REEL/FRAME: 019599/0518; Effective date: 20070726 |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |