WO2007108114A1 - Domain participation method, attribute certificate selection method, communication terminal, ic card, ce device, attribute certificate issuing station, and content server - Google Patents

Domain participation method, attribute certificate selection method, communication terminal, ic card, ce device, attribute certificate issuing station, and content server Download PDF

Info

Publication number
WO2007108114A1
WO2007108114A1 PCT/JP2006/305729 JP2006305729W WO2007108114A1 WO 2007108114 A1 WO2007108114 A1 WO 2007108114A1 JP 2006305729 W JP2006305729 W JP 2006305729W WO 2007108114 A1 WO2007108114 A1 WO 2007108114A1
Authority
WO
WIPO (PCT)
Prior art keywords
domain
attribute certificate
certificate
communication terminal
attribute
Prior art date
Application number
PCT/JP2006/305729
Other languages
French (fr)
Japanese (ja)
Inventor
Satoshi Ohta
Original Assignee
Matsushita Electric Industrial Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Matsushita Electric Industrial Co., Ltd. filed Critical Matsushita Electric Industrial Co., Ltd.
Priority to PCT/JP2006/305729 priority Critical patent/WO2007108114A1/en
Publication of WO2007108114A1 publication Critical patent/WO2007108114A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the present invention relates to a domain participation method, an attribute certificate selection method, a communication terminal, an IC card, a CE device, and an attribute certificate, in which content is acquired by a secure method using one CE device in a plurality of user environments. It relates to an issuing authority and a content server.
  • PKI Public Key Infrastructure
  • PKI is an infrastructure that provides security services such as confidentiality, authentication, integrity, and non-repudiation by providing encryption and digital signature functions.
  • a certificate authority issues a public key certificate as proof of the user's identity.
  • the client device and the server device obtain each other's public key certificate.
  • Methods of obtaining a public key certificate include obtaining the other party's public key certificate and obtaining it from the repository.
  • each device of the client device and the server device acquires the public key certificate of the communication partner, it verifies the validity 'validity by the signature of the acquired public key certificate, expiration date, etc. Prove.
  • Each device signs the value shared with the other party with the private key owned by itself and transmits it to the other party, thereby making it possible for each other to obtain the public key certificate acquired earlier. We can verify that we are the rightful owner.
  • Examples of applications that provide authentication and encryption communication using a public key certificate as described above include SSL, IPsec, and the like.
  • the user can authenticate the user by possessing the public key / private key pair.
  • a data communication system including attribute confirmation processing and a data communication method including attribute confirmation processing are known as a system using such authentication by public key certificate and access control by attribute certificate. Teach (see Patent Document 1).
  • the shop server and the user device are expressed as an entity.
  • the shop server and the user device own the public key certificate and the attribute certificate.
  • Patent Document 1 an attribute code is added to each function of an entity that executes data communication, for example, each function such as a device that executes content purchase and a server that receives a content purchase request. There is.
  • the functions that the entity can execute are determined by the attribute code of the attribute certificate.
  • Each entity performs mutual authentication between entities when attempting to perform a certain function in data communication with another entity. If this mutual authentication is successful, attribute authentication is performed to confirm what function the communication partner can execute.
  • An entity uses an attribute certificate when performing attribute authentication of the entity with which it is communicating, and the method of obtaining this attribute certificate may be sent by the other party, obtained from a repository, etc. There is a way.
  • An entity that has acquired the attribute certificate of the other party of communication verifies the attribute certificate. As a result of verification, if it is determined that the attribute certificate is correct, the attribute described in the attribute certificate is confirmed. If the confirmed attribute matches the one assumed, the entity permits the other party to perform the function given by the attribute.
  • the entity rejects the communication partner from executing the function.
  • Patent Document 1 Japanese Patent Application Laid-Open No. 2002-139998
  • a family or a plurality of users use one CE (Consumer Electronics) device.
  • CE Consumer Electronics
  • the CE device has to be limited to one user, there is a problem if the user who performs content acquisition with the CE device is limited.
  • An object of the present invention is to provide a domain participation method, an attribute certificate selection method, a communication terminal, and an IC card, in which one CE device can be used in a plurality of user environments and content can be acquired in a secure manner. , CE equipment, attribute certificate issuing authority, and content server.
  • the domain participation method of the present invention is a domain participation method for acquiring content in a secure manner using one CE device in a plurality of user environments, and the public key of the CE device as a domain representative. Based on the certificate, the memory with the IC card function where the attribute certificate is stored, and the attribute certificate of the communication terminal who is the domain participant, domain participation permission is permitted.
  • the domain participation notification step of notifying domain participation to the attribute certificate issuing authority that issues the attribute certificate, and the attribute certificate issuing office receiving the domain participation notification from the communication terminal enables the CE device to be published.
  • Domain participation which issues a domain participation permission attribute certificate in which a key certificate is associated with an attribute certificate of the communication terminal, and a public key certificate of the CE device is associated with an attribute certificate of the communication terminal to the communication terminal And a step of issuing a permission attribute certificate.
  • FIG. 1 is a block diagram showing an example of a communication system for realizing a domain joining method according to an embodiment of the present invention.
  • FIG. 2 A block diagram showing a configuration of a communication terminal in a communication system for realizing a domain joining method according to an embodiment of the present invention.
  • FIG. 3 A block diagram showing a configuration of an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • FIG. 4 A block diagram showing a configuration of a CE device in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • FIG. 5 A block diagram showing a configuration of an attribute certificate issuing station in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • FIG. 6 A sequence diagram showing an example of a communication procedure of a system for realizing a domain joining method according to an embodiment of the present invention.
  • FIG. 7 A block diagram for explaining the operation at the time of domain participation application of a communication terminal in the communication system for realizing the domain participation method according to one embodiment of the present invention.
  • FIG. 8 In a communication system for realizing a domain participation method according to an embodiment of the present invention Block diagram for explaining the operation at the time of content acquisition of the communication terminal
  • FIG. 9 A block diagram for explaining the operation at the time of applying for a domain participant in an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • FIG. 10 A block diagram for explaining an operation at the time of content acquisition of an IC card in a communication system realizing a domain participation method according to an embodiment of the present invention
  • FIG. 11 A block diagram for explaining a method of issuing a domain participation permission attribute certificate of an attribute certificate issuing authority in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • FIG. 12 A block diagram for explaining a processing method at the time of content acquisition of a CE device in a communication system for realizing a domain participation method according to an embodiment of the present invention. Best Mode for Carrying Out the Invention
  • FIG. 1 is a block diagram showing an example of a communication system for realizing a domain joining method according to an embodiment of the present invention.
  • the communication system 100 for realizing the domain participation method of this example is a communication terminal 200, an IC card 300, a CE device 400, an attribute certificate issuing station 500, and a content server 60.
  • communication terminal 200 and CE device 400 are connected to network 800 via access point (AP) 700, and communication in this communication system 100 is performed.
  • the network may be in the form of direct communication between devices as long as data transfer is possible.
  • FIG. 2 is a block diagram showing a configuration of a communication terminal in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • the communication terminal 200 used in the communication system 100 includes a network input / output unit 201, an external device access request unit 202, an external device operation unit 203, a device information storage unit 204, and a public key certificate.
  • Storage unit 205 domain participation permission attribute certificate issuance request unit 206, An attribute certificate storage unit 207, a domain participation permission attribute certificate reception unit 208, a domain participation permission attribute certificate output unit 209, and a card slot input / output unit 210 are provided.
  • the network input / output unit 201 transmits and receives information to and from the attribute certificate issuing authority 500 and the content server 600 connected to the CE device 400 and the network 800.
  • the external device access request unit 202 requests the CE device 400, which is an external device, to access including user information.
  • the external device operation unit 203 selects content from the communication terminal 200 and determines content acquisition.
  • the device information storage unit 204 stores device information of an external device input via the network input / output unit 201, user information of the communication terminal 200, and the like.
  • Public key certificate storage unit 205 stores the public key certificate of the user of communication terminal 200.
  • Domain participation permission attribute certificate issuance request unit 206 sends attribute certificate issuance authority 500 via network I / O unit 201 and network 800 in order to join CE device 400 as a domain representative. Apply for domain advisors.
  • the attribute certificate storage unit 207 stores the attribute certificate of the communication terminal 200.
  • the domain participation permission attribute certificate reception unit 208 receives the domain participation permission attribute certificate issued from the attribute certificate issuing station 500 via the network input / output unit 201 and the network 800.
  • the domain participation permission attribute certificate output unit 209 sends the domain participation permission attribute certificate received by the domain participation permission attribute certificate receiving unit 220 from the attribute certificate issuing station 500 to the card slot input / output unit 210. .
  • the card slot input / output unit 210 receives the domain participation permission attribute certificate received from the domain participation permission attribute certificate output unit 209 and the user of the communication terminal 200 stored in the public key certificate storage unit 205.
  • the public key certificate or the like is transmitted to the IC card 300 connected to the card slot input / output unit 210.
  • the card slot input / output unit 210 is stored in the IC card 300 connected thereto. Receive card information.
  • FIG. 3 is a block diagram showing a configuration of an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • the IC card 300 used in the communication system 100 includes an input / output unit 301, a certificate transmission unit 302, a public key certificate storage unit 303, an attribute certificate storage unit 304, and device information reading. Part 305, certificate verification and notification part 306, certificate comparison and verification part 307, domain management part 3
  • the input / output unit 301 transmits / receives information to / from the communication terminal 200, the CE device 400, and the like.
  • the certificate transmission unit 302 receives the public key certificate and the attribute certificate read out from the public key certificate storage unit 303 and the attribute certificate storage unit 304 when applying for domain participation of the communication terminal 200, and outputs the certificate to the input / output unit 301. Send to an external device via
  • the public key certificate storage unit 303 stores the public key certificate of the device to which the IC card 300 is connected.
  • the attribute certificate storage unit 304 stores the attribute certificate of the device to which the IC card 300 is connected.
  • the device information reading unit 305 reads the information of the public key certificate and the attribute certificate of the CE device 400 which is the domain representative, in order to establish a connection with the CE device 400.
  • the certificate verification notification unit 306 notifies the CE device 400 via the input / output unit 301 whether or not the user compared and verified by the certificate comparison verification unit 307 is an appropriate user.
  • the certificate comparison and verification unit 307 compares and verifies the user information acquired from the communication terminal 200 by the device information reading unit 305 and the attribute certificate stored in the attribute certificate storage unit 304.
  • the domain management unit 308 manages whether or not the domain participation permission attribute certificate associated with the public key certificate of the CE device 400 that is the domain representative is the correct domain.
  • FIG. 4 is a block diagram showing the configuration of a CE device in a communication system for realizing the domain participation method according to an embodiment of the present invention.
  • CE device 400 used in communication system 100 is connected to the network. Force unit 401, user information transfer unit 402, card slot input / output unit 403, authentication result notification unit 4
  • a device information reading unit 405 an external device access request providing unit 406, and a screen display device connection unit 407.
  • network input / output unit 401 transmits / receives information to / from devices connected to network 800.
  • the user information transfer unit 402 transmits the user information acquired from the communication terminal 200 to the IC card 300.
  • the card slot input / output unit 403 transmits / receives information to / from the IC card 300 connected thereto.
  • the authentication result notification unit 404 receives a notification of a diagnosis result as to whether the user information of the communication terminal 200 is appropriate or not from the certificate verification notification unit 306 of the IC card 300.
  • the device information reading unit 405 reads the device information of the device connected to the network 800 via the network input / output unit 401.
  • the external device access request providing unit 406 transfers the content request of the communication terminal 200 to the content server 600.
  • the screen display device connection unit 407 transmits the content information acquired from the content server 600 to the screen display device 900 shown in FIG. 1 connected thereto.
  • FIG. 5 is a block diagram showing a configuration of an attribute certificate issuing station in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • the attribute certificate issuing station 500 used in the communication system 100 includes a network input / output unit 501, a domain participation reception unit 502, a domain creation unit 503, and a domain storage unit 5.
  • the domain participation permission attribute certificate issuing unit 505 is provided.
  • network input / output unit 501 transmits / receives information to / from devices connected to network 800.
  • the domain participation reception unit 502 receives the CE device 40 received via the network input / output unit 501.
  • a domain creation unit 503 is a CE that is a domain representative received by the domain participation reception unit 502.
  • the public key certificate of the device 400 and the attribute certificate of the communication terminal 200 that participates in the domain are associated with the domain by the dull attribute, and the associated domain participation permission attribute certificate is sent to the domain storage unit 504.
  • the domain storage unit 504 stores the domain participation permission attribute certificate associated by the domain creation unit 503 for each domain.
  • the domain participation permission attribute certificate issuing unit 505 stores the domain participation permission attribute stored in the domain storage unit 504 with respect to the communication terminal 200 that performs domain participation via the network input / output unit 501. Read the certificate from time to time and issue it.
  • FIG. 6 is a sequence diagram showing an example of a communication procedure of a system for realizing the domain participation method according to an embodiment of the present invention.
  • the communication terminal 200 needs to join the domain with the CE device 400 as the domain representative. .
  • CE device 400 which is a domain representative, stores its own public key certificate and attribute certificate in IC card 300 (step ST601), and this public key certificate is stored.
  • the IC card 300 storing the document and the attribute certificate is delivered to the communication terminal 200 which is a domain participant (step ST602).
  • Communication terminal 200 which has acquired IC card 300 has an attribute certificate of its own attribute certificate and the public key certificate and attribute certificate of CE device 400 which is the domain representative stored in IC card 300. Book publishing agency 500 (step ST603).
  • Attribute certificate issuing authority 500 associates the public key certificate of CE device 400 that is the domain representative with the attribute certificate of communication terminal 200, and creates a domain participation permission attribute certificate (step ST 604). And issue the created domain participation permission attribute certificate to the communication terminal 200 (step ST605).
  • the communication terminal 200 having issued the domain participation permission attribute certificate from the attribute certificate issuing station 500 stores the received domain participation permission attribute certificate in the IC card 300 (step ST 606).
  • communication terminal 200 can participate in a domain in which CE device 400 is the domain representative, and can use CE device 400.
  • the communication terminal 200 that is permitted to join the domain with the CE device 400 as the domain representative is the IC device 300 in which the domain participation permission attribute certificate is stored.
  • the CE device 400 having the IC card 300 returned from the communication terminal 200 inserts the IC card 300 returned from the communication terminal 200 into a card slot (not shown) (step ST 608).
  • the input / output unit 301 of the IC card 300 is connected to the card slot input / output unit 210 of the CE device 400.
  • communication terminal 200 participates in a domain in which CE device 400 is the domain representative.
  • CE device 400 compares the user information with the domain participation permission attribute certificate in IC card 300. (Step ST610).
  • Communication terminal 200 acquires access information at the time of authentication with CE device 400.
  • the authentication method at the time of access between the communication terminal 200 and the CE device 400 is not particularly limited.
  • mutual authentication using a public key certificate or an attribute using an attribute certificate It may be any of the certification.
  • CE device 400 determines that the access information from communication terminal 200 is user information of a domain participant, content request and disclosure of the domain representative in IC card 300 inserted are made.
  • the key certificate and the attribute certificate of the communication terminal 200 are transmitted (provided) to the content server 600 (step ST611).
  • Content server 600 identifies (authenticates) the public key certificate provided from CE device 400 with the device information and the attribute certificate (user information) (step ST 612), and reproduces the CE key according to the user. Send (provide) possible content to the CE device 400 (step ST613)
  • FIG. 21 is a block diagram for explaining an operation at the time of domain participation application for a communication terminal in the communication system in the communication system for realizing the domain participation method according to the embodiment of the present invention.
  • domain participation permission attribute certificate issuance request section 206 performs network entry / output section 201 and domain input / output section 201 for domain participation. Apply to the attribute certificate issuing authority 500 via the network 800 for participation in the domain.
  • the communication terminal 200 provides the attribute certificate issuing station 500 with the attribute certificate stored in the attribute certificate storage unit 207 in order to indicate that the communication terminal 200 itself is a domain participant.
  • the attribute certificate stored in the attribute certificate storage unit 207 in order to indicate that the communication terminal 200 itself is a domain participant.
  • attribute certificate issuing authority 500 associates the public key certificate of CE device 400 that is the domain representative with the attribute certificate of communication terminal 200, creates a domain participation permission attribute certificate, and creates it.
  • the domain participation permission attribute certificate is issued to the communication terminal 200.
  • Communication terminal 200 receives the domain participation request attribute certificate issued from attribute certificate issuing station 500 via domain 800 and network input / output unit 201, and domain certificate for packet participation permission attribute certificate receiving unit 208 Do.
  • the domain participation permission attribute certificate receiving unit 208 sends the domain participation permission attribute certificate received from the attribute certificate issuing station 500 to the domain participation permission attribute certificate output unit 209.
  • the domain participation permission attribute certificate output unit 209 stores the domain participation permission attribute certificate received from the domain participation permission attribute certificate reception unit 208 in the IC card 300 connected to the card slot output unit 210. .
  • communication terminal 200 can communicate with CE device 400 by participating in a domain in which CE device 400 is the domain representative.
  • FIG. 8 is a block diagram for explaining the operation at the time of content acquisition of the communication terminal in the communication system for realizing the domain participation method according to the embodiment of the present invention.
  • the external device access request unit 202 accesses the CE device 400 that is the external device via the network input / output unit 201 including user information.
  • the device authentication at the time of access between the communication terminal 200 and the CE device 400 at this time is mutual authentication using the public key certificate of the user stored in the public key certificate storage unit 205, or the attribute certificate It is possible to use any of the attribute authentication methods using the attribute certificate stored in the storage unit 207, and is not particularly limited.
  • the external device operation unit 203 performs content selection from the communication terminal 200 and content acquisition determination.
  • FIG. 9 is a block diagram for explaining an operation at the time of applying for a domain participant in an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • the IC card 300 is first inserted into the CE device 400 as shown in FIG.
  • the device information reading unit 305 is a CE device.
  • the public key certificate and the attribute certificate of the CE device 400 read by the device information reading unit 305 are stored in the public key certificate storage unit 303 and the attribute certificate storage unit 304.
  • the IC card 300 storing the public key certificate and the attribute certificate of the CE device 400 which is the domain representative is connected to the card slot input / output unit 210 of the communication terminal 200 as shown in FIG. .
  • certificate sending unit 302 of IC card 300 receives CE device 400 which is a domain representative from public key certificate storage unit 303 and attribute certificate storage unit 304 when domain participation application for communication terminal 200 is applied. Read out the public key certificate and attribute certificate of and send the public key certificate and attribute certificate of this CE device 400 to the attribute certificate issuing authority 500.
  • the attribute certificate issuing authority 500 having received this receives the domain participation permission attribute certificate which is created by associating the public key certificate of the CE device 400 which is the domain representative with the attribute certificate of the communication terminal 200 as a communication terminal. Issue to 200
  • the IC card 300 inserted in the communication terminal 200 has the domain participation permission attribute certificate issued from the attribute certificate issuing station 500 to the communication terminal 200, and the attribute certificate storage unit 304 performs communication end. Received from the end 200.
  • IC card 300 having received the domain participation permission attribute certificate from communication terminal 200 has domain participation permission attribute associated with the public key certificate of CE device 400 which is the domain representative in domain management unit 308. Manage whether the certificate is in the correct domain.
  • FIG. 10 is a block diagram for explaining an operation at the time of content acquisition of an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • the IC card 300 at the time of content acquisition compares the user information acquired from the communication terminal 200 by the device information reading unit 305 with the attribute certificate stored in the attribute certificate storage unit 304 by certificate comparison and verification.
  • the part 307 compares and verifies.
  • the IC card 300 completes the comparison and verification of the user information and the attribute certificate in the certificate comparison and verification unit 307
  • the user compared and verified in the certificate comparison and verification unit 307 is an appropriate user.
  • the certificate verification and notification unit 306 notifies the CE device 400 via the input / output unit 301 whether or not the certificate verification notification unit 306 has received the certificate.
  • the certificate transmission unit 302 of the IC card 300 determines that the user compared and verified by the certificate comparison / verification unit 307 is an appropriate user from the certificate verification notification unit 306 to the CE device 400. After being notified, the content server of the CE device 400 who is the domain representative and the attribute certificate of the user of the communication terminal 200 who is the domain participant from the CE device 400 via the network 800 via the content server Send to 600
  • FIG. 11 is a block diagram for explaining a method of issuing a domain participation permission attribute certificate of an attribute certificate issuing authority in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • the attribute certificate issuing station 500 in the case of issuing a domain participation permission attribute certificate has a domain participation reception unit 502 that is a public key certificate of CE device 400 whose domain representative is And an attribute certificate, and an attribute certificate of the communication terminal 200 which is a domain participant, through the network input / output unit 501. Then, the domain participation reception unit 502 sends the public key certificate and attribute certificate of the CE device 400 received via the network input / output unit 501 and the attribute certificate of the communication terminal 200 to the domain creation unit 503.
  • Domain creation section 503 has the public key certificate of CE device 400 that is the domain representative received by domain participation reception section 502 and the attribute certificate of communication terminal 200 that participates in domain with the domain attribute. Associating of, and sending the associated domain participation permission attribute certificate to the domain storage unit 504.
  • the domain storage unit 504 stores the domain participation permission attribute certificate associated in the domain creation unit 503 for each domain.
  • domain participation permission attribute certificate issuing unit 505 transmits the domain participation stored in domain storage unit 504 to communication terminal 200 performing domain participation via network input / output unit 501. Read out and issue permission attribute certificates as appropriate.
  • FIG. 12 is a block diagram for explaining a processing method at the time of content acquisition of a CE device in a communication system for realizing a domain participation method according to an embodiment of the present invention.
  • the CE device 400 at the time of content acquisition is connected in advance to the content server 600 via the network 800, and a screen display device 900 for displaying content information is connected, Shall be
  • the user information transfer unit 402 of the CE device 400 transfers, to the IC card 300, the user information for which the communication terminal 200 has also been obtained in advance.
  • the authentication result notification unit 404 of the CE device 400 receives, from the certificate verification notification unit 306 of the IC card 300, a notification of a diagnosis result as to whether the user information of the communication terminal 200 is appropriate.
  • the external device access request providing unit 406 of the CE device 400 transfers the content request of the communication terminal 200 to the content server 600.
  • the domain participation in the IC card 300 can be used.
  • Content from CE device 400 with password for using authorization attribute certificate Acquisition is possible.
  • the power of storing one public key certificate and a plurality of attribute certificates in one domain using an IC card 300 is disclosed.
  • the storage medium for storing the document may be, for example, a flash memory having an IC card function, as long as it is removable and retains the security function equivalent to that of the IC card 300.
  • one public key certificate and a plurality of attribute certificates can be stored in association with one domain using an IC card, and domain management can be facilitated. Therefore, domain participation method, attribute certificate selection method, communication terminal, IC card, CE device, attribute certificate that acquires content in a secure way using one CE device in multiple user environments Useful as an issuing authority and content server.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Provided is a domain participation method capable of acquiring a content by a secure method by using one CE device in a plurality of user environments. The domain participation method includes: a domain participation report step for reporting a domain participation to an attribute certificate issuing station (500) which issues a domain participation permission certificate according to a public key certificate of a CE device (400) as a domain representative, an IC card (300) containing the attribute certificate, and an attribute certificate of a communication terminal (200) as a domain participant; and a domain participation permission attribute certificate issuing step in which the attribute certificate issuing station (500) receives the domain participation report from the communication terminal (200), correlates the public key certificate of the CE device (400) with the attribute certificate of the communication terminal (200), and issues a domain participation permission attribute certificate in which the public key certificate of the CE device (400) is correlated with the attribute certificate of the communication terminal (200), to the communication terminal (200).

Description

明 細 書  Specification
ドメイン参加方法、属性証明書選択方法、通信端末、 ICカード、 CE機器 、属性証明書発行局およびコンテンツサーバ  Domain participation method, attribute certificate selection method, communication terminal, IC card, CE device Attribute certificate issuing authority and content server
技術分野  Technical field
[0001] 本発明は、複数のユーザ環境において 1つの CE機器を使用してセキュアな方法で コンテンツを取得するドメイン参加方法、属性証明書選択方法、通信端末、 ICカード 、 CE機器、属性証明書発行局およびコンテンツサーバに関する。  The present invention relates to a domain participation method, an attribute certificate selection method, a communication terminal, an IC card, a CE device, and an attribute certificate, in which content is acquired by a secure method using one CE device in a plurality of user environments. It relates to an issuing authority and a content server.
背景技術  Background art
[0002] 近年、音楽や映像といったコンテンツの流通がインターネットを介して行われること が多くなり、ユーザが手軽に好みのコンテンツを取得できるようになつている。  In recent years, the distribution of content such as music and video has often been performed via the Internet, and it has become possible for users to easily acquire favorite content.
[0003] しかしながら、インターネットはあらゆるユーザに開かれた環境であるため、悪意の あるユーザによるコンテンツの不正取得が問題となる。  However, since the Internet is an open environment for all users, unauthorized acquisition of content by malicious users becomes a problem.
[0004] このようなコンテンツの不正取得を防止する方法として、ユーザがコンテンツを保有 するコンテンツサーバにアクセスする際に認証を行うシステムがある。このようなシステ ムにおいては、公開鍵暗号基盤(PKI : Public Key Infrastructure)を認証に使用する ものが多くある。  As a method of preventing such unauthorized acquisition of content, there is a system that performs authentication when a user accesses a content server that holds content. In such systems, many use Public Key Infrastructure (PKI) for authentication.
[0005] PKIは、暗号化やディジタル署名 t ヽつた機能を提供することにより、守秘性、認証 、完全性、否認防止といったセキュリティサービスを提供するインフラである。この PKI においては、認証局が利用者の身分を証明するものとして公開鍵証明書を発行する  [0005] PKI is an infrastructure that provides security services such as confidentiality, authentication, integrity, and non-repudiation by providing encryption and digital signature functions. In this PKI, a certificate authority issues a public key certificate as proof of the user's identity.
[0006] 以下に、ユーザのクライアント機器がコンテンツを保有しているサーバ機器に接続 する際の認証について説明する。 [0006] The following describes authentication when a user's client device connects to a server device that holds content.
[0007] クライアント機器カゝらサーバ機器へのアクセス要求が発生すると、クライアント機器 およびサーバ機器は、互いの公開鍵証明書を取得する。公開鍵証明書の取得の方 法には、相手力もの公開鍵証明書の取得、およびリポジトリからの取得などがある。 When an access request to a client device server device is generated, the client device and the server device obtain each other's public key certificate. Methods of obtaining a public key certificate include obtaining the other party's public key certificate and obtaining it from the repository.
[0008] クライアント機器およびサーバ機器の各機器は、通信相手の公開鍵証明書を取得 すると、取得した公開鍵証明書の署名 ·有効期限などによりその正当性'有効性を検 証する。 [0008] When each device of the client device and the server device acquires the public key certificate of the communication partner, it verifies the validity 'validity by the signature of the acquired public key certificate, expiration date, etc. Prove.
[0009] この検証において、公開鍵証明書が正当かつ有効なものであることがわかると、通 信相手が公開鍵証明書の正当な所有者であるかを検証する。この検証には、公開鍵 証明書に含まれる公開鍵と対になっている秘密鍵による署名が用いられる。  [0009] In this verification, if it is found that the public key certificate is valid and valid, it is verified whether the communication partner is the valid owner of the public key certificate. For this verification, a signature with a private key paired with the public key contained in the public key certificate is used.
[0010] 各機器は、通信相手との間で共有している値に自身の所有している秘密鍵による 署名を行い通信相手に送信することで、互いが先に取得した公開鍵証明書の正当 な所有者であるかを検証できる。  [0010] Each device signs the value shared with the other party with the private key owned by itself and transmits it to the other party, thereby making it possible for each other to obtain the public key certificate acquired earlier. We can verify that we are the rightful owner.
[0011] 以上のような、公開鍵証明書を利用して認証および暗号ィ匕通信を提供するアプリケ ーシヨンとしては、 SSLや IPsec等がある。  [0011] Examples of applications that provide authentication and encryption communication using a public key certificate as described above include SSL, IPsec, and the like.
[0012] 上述した通り、 PKIでは利用者が公開鍵と秘密鍵のペアを所有していることにより、 利用者の認証を行うことができる。 [0012] As described above, in PKI, the user can authenticate the user by possessing the public key / private key pair.
[0013] し力しながら PKIにおける認証では、利用者がどのような権限を所有しているかに ついては確認できない。従って、アクセス制御を行うためには、利用者の所有してい る権限を確認する仕組みが必要である。その方法としてあるのが属性証明書によるァ クセス制御である。 [0013] However, authentication in PKI can not confirm what authority the user has. Therefore, in order to perform access control, it is necessary to have a mechanism to confirm the rights owned by the user. The method is access control by attribute certificate.
[0014] 従来、このような公開鍵証明書による認証および属性証明書によるアクセス制御を 用いたシステムとして、「属性確認処理を含むデータ通信システムおよび属性確認処 理を含むデータ通信方法」が知られて ヽる(特許文献 1参照)。  Conventionally, “a data communication system including attribute confirmation processing and a data communication method including attribute confirmation processing” are known as a system using such authentication by public key certificate and access control by attribute certificate. Teach (see Patent Document 1).
[0015] 特許文献 1にお 、て、ショップサーバおよびユーザ機器はエンティティと表現される 。ショップサーバおよびユーザ機器は公開鍵証明書と属性証明書を所有して 、る。  [0015] In Patent Document 1, the shop server and the user device are expressed as an entity. The shop server and the user device own the public key certificate and the attribute certificate.
[0016] 特許文献 1にお 、ては、データ通信を実行するエンティティの機能毎、例えばコン テンッ購入を実行する機器、コンテンツの購入要求を受けるサーバ等の機能毎に属 性コードを付与している。  [0016] In Patent Document 1, an attribute code is added to each function of an entity that executes data communication, for example, each function such as a device that executes content purchase and a server that receives a content purchase request. There is.
[0017] すなわち、エンティティが実行可能な機能は、属性証明書の属性コードにより定まる 。各エンティティは、もう一方のエンティティとのデータ通信において、ある機能を実行 しょうとするとき、エンティティ間において相互認証を行う。この相互認証が成功すると 、通信相手がどのような機能を実行可能かにつ ヽて確認するために属性認証を行う [0018] エンティティは、通信相手のエンティティの属性認証を行う際に、属性証明書を用 いるが、この属性証明書の取得方法としては、相手に送付してもらう、リポジトリから入 手するなどの方法がある。 That is, the functions that the entity can execute are determined by the attribute code of the attribute certificate. Each entity performs mutual authentication between entities when attempting to perform a certain function in data communication with another entity. If this mutual authentication is successful, attribute authentication is performed to confirm what function the communication partner can execute. An entity uses an attribute certificate when performing attribute authentication of the entity with which it is communicating, and the method of obtaining this attribute certificate may be sent by the other party, obtained from a repository, etc. There is a way.
[0019] 通信相手の属性証明書を取得したエンティティは、属性証明書の検証を行う。検証 の結果、正しい属性証明書であることが分力ると、属性証明書に記載されている属性 の確認を行う。確認した属性が、想定していたものと一致している場合は、ェンティテ ィは通信相手が属性によって与えられた機能を実行することを許可する。  An entity that has acquired the attribute certificate of the other party of communication verifies the attribute certificate. As a result of verification, if it is determined that the attribute certificate is correct, the attribute described in the attribute certificate is confirmed. If the confirmed attribute matches the one assumed, the entity permits the other party to perform the function given by the attribute.
[0020] また、取得した証明書の検証の結果、属性証明書または属性証明書に記載された 属性情報が不正なものである場合は、エンティティは通信相手が機能を実行すること を拒絶する。  [0020] Also, if the attribute certificate or the attribute information described in the attribute certificate is invalid as a result of verification of the acquired certificate, the entity rejects the communication partner from executing the function.
[0021] これにより、他のエンティティになりすまして処理を実行することが防止され、安全な コンテンッ取引等のデータ通信が可能となる。  [0021] This prevents execution of processing spoofing as another entity, and enables data communication such as secure content transaction.
特許文献 1 :特開 2002— 139998号公報  Patent Document 1: Japanese Patent Application Laid-Open No. 2002-139998
発明の開示  Disclosure of the invention
発明が解決しょうとする課題  Problem that invention tries to solve
[0022] し力しながら、前記従来の「属性確認処理を含むデータ通信システムおよび属性確 認処理を含むデータ通信方法」では、家族や複数のユーザが 1つの CE (Consumer Electronics)機器を使用する場合、 CE機器は 1人のユーザに限定しなければならず 、 CE機器でコンテンツ取得を行うユーザが限定されると 、う課題がある。  In the conventional “data communication system including attribute confirmation processing and data communication method including attribute confirmation processing”, a family or a plurality of users use one CE (Consumer Electronics) device. In the case where the CE device has to be limited to one user, there is a problem if the user who performs content acquisition with the CE device is limited.
[0023] 本発明の目的は、複数のユーザ環境においても、 1つの CE機器を使用可能にでき 、かつセキュアな方法でコンテンツを取得できるドメイン参加方法、属性証明書選択 方法、通信端末、 ICカード、 CE機器、属性証明書発行局およびコンテンツサーバを 提供することである。  An object of the present invention is to provide a domain participation method, an attribute certificate selection method, a communication terminal, and an IC card, in which one CE device can be used in a plurality of user environments and content can be acquired in a secure manner. , CE equipment, attribute certificate issuing authority, and content server.
課題を解決するための手段  Means to solve the problem
[0024] 本発明のドメイン参加方法は、複数のユーザ環境において 1つの CE機器を使用し てセキュアな方法でコンテンツを取得するドメイン参加方法であって、ドメイン代表者 である前記 CE機器の公開鍵証明書と、属性証明書が格納された ICカード機能を備 えたメモリと、ドメイン参加者である通信端末の属性証明書とを元に、ドメイン参加許 可属性証明書を発行する属性証明書発行局にドメイン参加通知を行うドメイン参カロ 通知ステップと、前記属性証明書発行局が、前記通信端末からドメイン参加通知を 受けることにより、前記 CE機器の公開鍵証明書と前記通信端末の属性証明書を関 連付け、前記 CE機器の公開鍵証明書と前記通信端末の属性証明書を関連付けた ドメイン参加許可属性証明書を前記通信端末に発行するドメイン参加許可属性証明 書発行ステップと、を備える構成を採る。 The domain participation method of the present invention is a domain participation method for acquiring content in a secure manner using one CE device in a plurality of user environments, and the public key of the CE device as a domain representative. Based on the certificate, the memory with the IC card function where the attribute certificate is stored, and the attribute certificate of the communication terminal who is the domain participant, domain participation permission is permitted. The domain participation notification step of notifying domain participation to the attribute certificate issuing authority that issues the attribute certificate, and the attribute certificate issuing office receiving the domain participation notification from the communication terminal enables the CE device to be published. Domain participation which issues a domain participation permission attribute certificate in which a key certificate is associated with an attribute certificate of the communication terminal, and a public key certificate of the CE device is associated with an attribute certificate of the communication terminal to the communication terminal And a step of issuing a permission attribute certificate.
発明の効果  Effect of the invention
[0025] 本発明によれば、 1つの公開鍵証明書と複数の属性証明書とを、 ICカードを用いて 1つのドメインに関連付けて収めることができるので、ドメインの管理を容易にできるよ うになる。また、公開鍵証明書と属性証明書との関連付けによるユーザ判別が可能に なるので、複数のユーザが 1つの CE機器を使用することができ、 1つの CE機器を用 いて、アクセスするユーザに応じたコンテンツを提供することができる。  According to the present invention, since one public key certificate and multiple attribute certificates can be stored in association with one domain using an IC card, domain management can be facilitated. Become. In addition, since user identification is possible by associating a public key certificate with an attribute certificate, multiple users can use one CE device, and it is possible to use one CE device according to the user who accesses it. Content can be provided.
図面の簡単な説明  Brief description of the drawings
[0026] [図 1]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムの一例 を示す構成図  FIG. 1 is a block diagram showing an example of a communication system for realizing a domain joining method according to an embodiment of the present invention.
[図 2]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおけ る通信端末の構成を示すブロック図  [FIG. 2] A block diagram showing a configuration of a communication terminal in a communication system for realizing a domain joining method according to an embodiment of the present invention.
[図 3]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおけ る ICカードの構成を示すブロック図  [FIG. 3] A block diagram showing a configuration of an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[図 4]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおけ る CE機器の構成を示すブロック図  [FIG. 4] A block diagram showing a configuration of a CE device in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[図 5]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおけ る属性証明書発行局の構成を示すブロック図  [FIG. 5] A block diagram showing a configuration of an attribute certificate issuing station in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[図 6]本発明の一実施の形態に係るドメイン参加方法を実現するシステムの通信手順 の一例を示すシーケンス図  [FIG. 6] A sequence diagram showing an example of a communication procedure of a system for realizing a domain joining method according to an embodiment of the present invention.
[図 7]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおけ る通信端末のドメイン参カ卩申請時の動作を説明するためのブロック図  [FIG. 7] A block diagram for explaining the operation at the time of domain participation application of a communication terminal in the communication system for realizing the domain participation method according to one embodiment of the present invention.
[図 8]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおけ る通信端末のコンテンツ取得時の動作を説明するためのブロック図 [FIG. 8] In a communication system for realizing a domain participation method according to an embodiment of the present invention Block diagram for explaining the operation at the time of content acquisition of the communication terminal
[図 9]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおけ る ICカードのドメイン参カ卩申請時の動作を説明するためのブロック図  [FIG. 9] A block diagram for explaining the operation at the time of applying for a domain participant in an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[図 10]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにお ける ICカードのコンテンツ取得時の動作を説明するためのブロック図  [FIG. 10] A block diagram for explaining an operation at the time of content acquisition of an IC card in a communication system realizing a domain participation method according to an embodiment of the present invention
[図 11]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにお ける属性証明書発行局のドメイン参加許可属性証明書の発行方法について説明す るためのブロック図  [FIG. 11] A block diagram for explaining a method of issuing a domain participation permission attribute certificate of an attribute certificate issuing authority in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[図 12]本発明の一実施の形態に係るドメイン参加方法を実現する通信システムにお ける CE機器のコンテンツ取得時の処理方法について説明するためのブロック図 発明を実施するための最良の形態  [FIG. 12] A block diagram for explaining a processing method at the time of content acquisition of a CE device in a communication system for realizing a domain participation method according to an embodiment of the present invention. Best Mode for Carrying Out the Invention
[0027] 以下、本発明の実施の形態について、図面を参照して詳細に説明する。なお、各 図において同一の構成または機能を有する構成要素および相当部分には、同一の 符号を付してその説明は繰り返さない。 Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. It is to be noted that components and corresponding parts having the same configuration or function in the respective drawings are denoted by the same reference numerals, and the description thereof will not be repeated.
[0028] 図 1は、本発明の一実施の形態に係るドメイン参加方法を実現する通信システムの 一例を示す構成図である。 FIG. 1 is a block diagram showing an example of a communication system for realizing a domain joining method according to an embodiment of the present invention.
[0029] 図 1に示すように、本例のドメイン参加方法を実現する通信システム 100は、通信端 末 200、 ICカード 300、 CE機器 400、属性証明書発行局 500、コンテンツサーノ 60As shown in FIG. 1, the communication system 100 for realizing the domain participation method of this example is a communication terminal 200, an IC card 300, a CE device 400, an attribute certificate issuing station 500, and a content server 60.
0などで構成される。 It consists of 0 etc.
[0030] なお、図 1に示すシステムにおいては、通信端末 200と CE機器 400は、アクセスポ イント (AP) 700を経由してネットワーク 800に接続する形態を採っている力 本通信 システム 100における通信ネットワークは、データ転送が可能なものであればよぐ機 器同士で直接通信を行う形態であってもよい。  In the system shown in FIG. 1, communication terminal 200 and CE device 400 are connected to network 800 via access point (AP) 700, and communication in this communication system 100 is performed. The network may be in the form of direct communication between devices as long as data transfer is possible.
[0031] 図 2は、本発明の一実施の形態に係るドメイン参加方法を実現する通信システムに おける通信端末の構成を示すブロック図である。  FIG. 2 is a block diagram showing a configuration of a communication terminal in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[0032] 図 2に示すように、通信システム 100で用いられる通信端末 200は、ネットワーク入 出力部 201、外部機器アクセス要求部 202、外部機器操作部 203、機器情報格納 部 204、公開鍵証明書格納部 205、ドメイン参加許可属性証明書発行要求部 206、 属性証明書格納部 207、ドメイン参加許可属性証明書受信部 208、ドメイン参加許 可属性証明書出力部 209、カードスロット入出力部 210を備えている。 As shown in FIG. 2, the communication terminal 200 used in the communication system 100 includes a network input / output unit 201, an external device access request unit 202, an external device operation unit 203, a device information storage unit 204, and a public key certificate. Storage unit 205, domain participation permission attribute certificate issuance request unit 206, An attribute certificate storage unit 207, a domain participation permission attribute certificate reception unit 208, a domain participation permission attribute certificate output unit 209, and a card slot input / output unit 210 are provided.
[0033] 図 2において、ネットワーク入出力部 201は、 CE機器 400およびネットワーク 800に 接続された属性証明書発行局 500およびコンテンツサーバ 600などとの間で情報を 送受信する。 In FIG. 2, the network input / output unit 201 transmits and receives information to and from the attribute certificate issuing authority 500 and the content server 600 connected to the CE device 400 and the network 800.
[0034] 外部機器アクセス要求部 202は、外部機器である CE機器 400にユーザ情報を含 むアクセスを要求する。  The external device access request unit 202 requests the CE device 400, which is an external device, to access including user information.
[0035] 外部機器操作部 203は、通信端末 200からのコンテンツ選択、およびコンテンツ取 得決定を行う。  The external device operation unit 203 selects content from the communication terminal 200 and determines content acquisition.
[0036] 機器情報格納部 204は、ネットワーク入出力部 201を介して入力される外部機器の 機器情報、および通信端末 200のユーザ情報などを格納する。  The device information storage unit 204 stores device information of an external device input via the network input / output unit 201, user information of the communication terminal 200, and the like.
[0037] 公開鍵証明書格納部 205は、通信端末 200のユーザの公開鍵証明書を格納する Public key certificate storage unit 205 stores the public key certificate of the user of communication terminal 200.
[0038] ドメイン参加許可属性証明書発行要求部 206は、 CE機器 400をドメイン代表者と するドメインに参加するために、ネットワーク入出力部 201およびネットワーク 800を 介して、属性証明書発行局 500にドメイン参カ卩申請を行う。 Domain participation permission attribute certificate issuance request unit 206 sends attribute certificate issuance authority 500 via network I / O unit 201 and network 800 in order to join CE device 400 as a domain representative. Apply for domain advisors.
[0039] 属性証明書格納部 207は、通信端末 200の属性証明書を格納する。 The attribute certificate storage unit 207 stores the attribute certificate of the communication terminal 200.
[0040] ドメイン参加許可属性証明書受信部 208は、ネットワーク入出力部 201およびネット ワーク 800を介して、属性証明書発行局 500から発行されるドメイン参加許可属性証 明書を受信する。 The domain participation permission attribute certificate reception unit 208 receives the domain participation permission attribute certificate issued from the attribute certificate issuing station 500 via the network input / output unit 201 and the network 800.
[0041] ドメイン参加許可属性証明書出力部 209は、ドメイン参加許可属性証明書受信部 2 08が属性証明書発行局 500から受信したドメイン参加許可属性証明書を、カードス ロット入出力部 210に送る。  The domain participation permission attribute certificate output unit 209 sends the domain participation permission attribute certificate received by the domain participation permission attribute certificate receiving unit 220 from the attribute certificate issuing station 500 to the card slot input / output unit 210. .
[0042] カードスロット入出力部 210は、ドメイン参加許可属性証明書出力部 209から受け 取ったドメイン参加許可属性証明書、および公開鍵証明書格納部 205に格納されて いる通信端末 200のユーザの公開鍵証明書などを、カードスロット入出力部 210に 接続された ICカード 300に送信する。  The card slot input / output unit 210 receives the domain participation permission attribute certificate received from the domain participation permission attribute certificate output unit 209 and the user of the communication terminal 200 stored in the public key certificate storage unit 205. The public key certificate or the like is transmitted to the IC card 300 connected to the card slot input / output unit 210.
[0043] また、カードスロット入出力部 210は、これに接続された ICカード 300に格納されて いるカード情報を受信する。 In addition, the card slot input / output unit 210 is stored in the IC card 300 connected thereto. Receive card information.
[0044] 図 3は、本発明の一実施の形態に係るドメイン参加方法を実現する通信システムに おける ICカードの構成を示すブロック図である。  FIG. 3 is a block diagram showing a configuration of an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[0045] 図 3に示すように、通信システム 100で用いられる ICカード 300は、入出力部 301、 証明書送信部 302、公開鍵証明書格納部 303、属性証明書格納部 304、機器情報 読み取り部 305、証明書検証通知部 306、証明書比較検証部 307、ドメイン管理部 3As shown in FIG. 3, the IC card 300 used in the communication system 100 includes an input / output unit 301, a certificate transmission unit 302, a public key certificate storage unit 303, an attribute certificate storage unit 304, and device information reading. Part 305, certificate verification and notification part 306, certificate comparison and verification part 307, domain management part 3
08を備えている。 It has 08.
[0046] 図 3において、入出力部 301は、通信端末 200および CE機器 400などと情報の送 受信を行う。  In FIG. 3, the input / output unit 301 transmits / receives information to / from the communication terminal 200, the CE device 400, and the like.
[0047] 証明書送信部 302は、通信端末 200のドメイン参加申請時に、公開鍵証明書格納 部 303および属性証明書格納部 304から読み出した公開鍵証明書および属性証明 書を、入出力部 301を介して外部機器に送信する。  The certificate transmission unit 302 receives the public key certificate and the attribute certificate read out from the public key certificate storage unit 303 and the attribute certificate storage unit 304 when applying for domain participation of the communication terminal 200, and outputs the certificate to the input / output unit 301. Send to an external device via
[0048] 公開鍵証明書格納部 303は、 ICカード 300が接続される機器の公開鍵証明書を 格納する。  The public key certificate storage unit 303 stores the public key certificate of the device to which the IC card 300 is connected.
[0049] 属性証明書格納部 304は、 ICカード 300が接続される機器の属性証明書を格納 する。  The attribute certificate storage unit 304 stores the attribute certificate of the device to which the IC card 300 is connected.
[0050] 機器情報読み取り部 305は、 CE機器 400との接続を確立するために、ドメイン代表 者である CE機器 400の公開鍵証明書および属性証明書の情報を読み取る。  The device information reading unit 305 reads the information of the public key certificate and the attribute certificate of the CE device 400 which is the domain representative, in order to establish a connection with the CE device 400.
[0051] 証明書検証通知部 306は、証明書比較検証部 307で比較検証したユーザが適切 なユーザである力否かを、入出力部 301を介して CE機器 400に通知する。 The certificate verification notification unit 306 notifies the CE device 400 via the input / output unit 301 whether or not the user compared and verified by the certificate comparison verification unit 307 is an appropriate user.
[0052] 証明書比較検証部 307は、機器情報読み取り部 305が通信端末 200から取得した ユーザ情報と属性証明書格納部 304に格納されている属性証明書とを比較検証す る。 The certificate comparison and verification unit 307 compares and verifies the user information acquired from the communication terminal 200 by the device information reading unit 305 and the attribute certificate stored in the attribute certificate storage unit 304.
[0053] ドメイン管理部 308は、ドメイン代表者である CE機器 400の公開鍵証明書と関連付 けられたドメイン参加許可属性証明書が正しいドメインである力否かを管理する。  The domain management unit 308 manages whether or not the domain participation permission attribute certificate associated with the public key certificate of the CE device 400 that is the domain representative is the correct domain.
[0054] 図 4は、本発明の一実施の形態に係るドメイン参加方法を実現する通信システムに おける CE機器の構成を示すブロック図である。  FIG. 4 is a block diagram showing the configuration of a CE device in a communication system for realizing the domain participation method according to an embodiment of the present invention.
[0055] 図 4に示すように、通信システム 100で用いられる CE機器 400は、ネットワーク入出 力部 401、ユーザ情報転送部 402、カードスロット入出力部 403、認証結果通知部 4[0055] As shown in FIG. 4, CE device 400 used in communication system 100 is connected to the network. Force unit 401, user information transfer unit 402, card slot input / output unit 403, authentication result notification unit 4
04、機器情報読み取り部 405、外部機器アクセス要求提供部 406、画面表示機器 接続部 407を備えている。 04, a device information reading unit 405, an external device access request providing unit 406, and a screen display device connection unit 407.
[0056] 図 4において、ネットワーク入出力部 401は、ネットワーク 800に接続された機器との 間で情報を送受信する。 In FIG. 4, network input / output unit 401 transmits / receives information to / from devices connected to network 800.
[0057] ユーザ情報転送部 402は、通信端末 200から取得したユーザ情報を ICカード 300 に ¾5送する。 The user information transfer unit 402 transmits the user information acquired from the communication terminal 200 to the IC card 300.
[0058] カードスロット入出力部 403は、これに接続された ICカード 300との間で情報を送 受信する。  The card slot input / output unit 403 transmits / receives information to / from the IC card 300 connected thereto.
[0059] 認証結果通知部 404は、通信端末 200のユーザ情報が適切である力否かの診断 結果の通知を ICカード 300の証明書検証通知部 306から受け取る。  The authentication result notification unit 404 receives a notification of a diagnosis result as to whether the user information of the communication terminal 200 is appropriate or not from the certificate verification notification unit 306 of the IC card 300.
[0060] 機器情報読み取り部 405は、ネットワーク入出力部 401を介して、ネットワーク 800 に接続された機器の機器情報を読み取る。 The device information reading unit 405 reads the device information of the device connected to the network 800 via the network input / output unit 401.
[0061] 外部機器アクセス要求提供部 406は、通信端末 200のコンテンツ要求をコンテンツ サーバ 600に転送する。 The external device access request providing unit 406 transfers the content request of the communication terminal 200 to the content server 600.
[0062] 画面表示機器接続部 407は、これに接続された図 1に示す画面表示機器 900に、 コンテンツサーバ 600から取得したコンテンツ情報を送信する。 The screen display device connection unit 407 transmits the content information acquired from the content server 600 to the screen display device 900 shown in FIG. 1 connected thereto.
[0063] 図 5は、本発明の一実施の形態に係るドメイン参加方法を実現する通信システムに おける属性証明書発行局の構成を示すブロック図である。 FIG. 5 is a block diagram showing a configuration of an attribute certificate issuing station in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[0064] 図 5に示すように、通信システム 100で用いられる属性証明書発行局 500は、ネット ワーク入出力部 501、ドメイン参加受信部 502、ドメイン作成部 503、ドメイン格納部 5As shown in FIG. 5, the attribute certificate issuing station 500 used in the communication system 100 includes a network input / output unit 501, a domain participation reception unit 502, a domain creation unit 503, and a domain storage unit 5.
04、ドメイン参加許可属性証明書発行部 505を備えて 、る。 04, the domain participation permission attribute certificate issuing unit 505 is provided.
[0065] 図 5において、ネットワーク入出力部 501は、ネットワーク 800に接続された機器との 間で情報を送受信する。 In FIG. 5, network input / output unit 501 transmits / receives information to / from devices connected to network 800.
[0066] ドメイン参加受信部 502は、ネットワーク入出力部 501を介して受信した CE機器 40The domain participation reception unit 502 receives the CE device 40 received via the network input / output unit 501.
0の公開鍵証明書および属性証明書、通信端末 200の属性証明書をドメイン作成部0 public key certificate and attribute certificate, domain certificate of attribute certificate of communication terminal 200
503に送る。 Send to 503.
[0067] ドメイン作成部 503は、ドメイン参加受信部 502で受信したドメイン代表者である CE 機器 400の公開鍵証明書とドメイン参加を行う通信端末 200の属性証明書とをダル ープ属性でドメインの関連付けを行 、、関連付けたドメイン参加許可属性証明書をド メイン格納部 504に送る。 A domain creation unit 503 is a CE that is a domain representative received by the domain participation reception unit 502. The public key certificate of the device 400 and the attribute certificate of the communication terminal 200 that participates in the domain are associated with the domain by the dull attribute, and the associated domain participation permission attribute certificate is sent to the domain storage unit 504.
[0068] ドメイン格納部 504は、ドメイン作成部 503で関連付けられたドメイン参加許可属性 証明書をドメインごとに格納する。 The domain storage unit 504 stores the domain participation permission attribute certificate associated by the domain creation unit 503 for each domain.
[0069] ドメイン参加許可属性証明書発行部 505は、ネットワーク入出力部 501を介して、ド メイン参加を行う通信端末 200に対して、ドメイン格納部 504に格納されて ヽるドメイ ン参加許可属性証明書を適時読み出して発行する。 The domain participation permission attribute certificate issuing unit 505 stores the domain participation permission attribute stored in the domain storage unit 504 with respect to the communication terminal 200 that performs domain participation via the network input / output unit 501. Read the certificate from time to time and issue it.
[0070] 次に、本例のドメイン参加方法を実現する通信システム 100の通信手順について 説明する。図 6は、本発明の一実施の形態に係るドメイン参加方法を実現するシステ ムの通信手順の一例を示すシーケンス図である。 Next, the communication procedure of the communication system 100 for realizing the domain participation method of this example will be described. FIG. 6 is a sequence diagram showing an example of a communication procedure of a system for realizing the domain participation method according to an embodiment of the present invention.
[0071] 本例のドメイン参加方法を実現するシステム 100においては、まず、通信端末 200 は、 CE機器 400を使用するために、 CE機器 400をドメイン代表者とするドメインに参 加する必要がある。 In the system 100 for realizing the domain participation method of this example, first, in order to use the CE device 400, the communication terminal 200 needs to join the domain with the CE device 400 as the domain representative. .
[0072] そこで、図 6に示すように、ドメイン代表者である CE機器 400は、自身の公開鍵証 明書および属性証明書を ICカード 300に格納し (ステップ ST601)、この公開鍵証 明書および属性証明書を格納した ICカード 300を、ドメイン参加者である通信端末 2 00に渡す (ステップ ST602)。  Therefore, as shown in FIG. 6, CE device 400, which is a domain representative, stores its own public key certificate and attribute certificate in IC card 300 (step ST601), and this public key certificate is stored. The IC card 300 storing the document and the attribute certificate is delivered to the communication terminal 200 which is a domain participant (step ST602).
[0073] ICカード 300を入手した通信端末 200は、自身の属性証明書と、 ICカード 300に 格納されているドメイン代表者である CE機器 400の公開鍵証明書および属性証明 書を、属性証明書発行局 500に提供する (ステップ ST603)。  Communication terminal 200 which has acquired IC card 300 has an attribute certificate of its own attribute certificate and the public key certificate and attribute certificate of CE device 400 which is the domain representative stored in IC card 300. Book publishing agency 500 (step ST603).
[0074] 属性証明書発行局 500は、ドメイン代表者である CE機器 400の公開鍵証明書と通 信端末 200の属性証明書を関連付け、ドメイン参加許可属性証明書を作成し (ステツ プ ST604)、作成したドメイン参加許可属性証明書を通信端末 200に発行する (ステ ップ ST605)。  Attribute certificate issuing authority 500 associates the public key certificate of CE device 400 that is the domain representative with the attribute certificate of communication terminal 200, and creates a domain participation permission attribute certificate (step ST 604). And issue the created domain participation permission attribute certificate to the communication terminal 200 (step ST605).
[0075] 属性証明書発行局 500からドメイン参加許可属性証明書を発行された通信端末 2 00は、受け取ったドメイン参加許可属性証明書を ICカード 300に格納する(ステップ ST606)。 [0076] これにより、通信端末 200は、 CE機器 400をドメイン代表者とするドメインに参加す ることができ、 CE機器 400を使用することができるようになる。 The communication terminal 200 having issued the domain participation permission attribute certificate from the attribute certificate issuing station 500 stores the received domain participation permission attribute certificate in the IC card 300 (step ST 606). Thus, communication terminal 200 can participate in a domain in which CE device 400 is the domain representative, and can use CE device 400.
[0077] このようにして CE機器 400をドメイン代表者とするドメインへの参カ卩が許可された通 信端末 200は、ドメイン参加許可属性証明書が格納された ICカード 300を、 CE機器Thus, the communication terminal 200 that is permitted to join the domain with the CE device 400 as the domain representative is the IC device 300 in which the domain participation permission attribute certificate is stored.
400に返却する(ステップ ST607)。 It returns to 400 (step ST607).
[0078] 通信端末 200から ICカード 300を返却された CE機器 400は、通信端末 200から返 却された ICカード 300をカードスロット(不図示)に挿入する(ステップ ST608)。これ により、 CE機器 400のカードスロット入出力部 210に、 ICカード 300の入出力部 301 が接続される。 The CE device 400 having the IC card 300 returned from the communication terminal 200 inserts the IC card 300 returned from the communication terminal 200 into a card slot (not shown) (step ST 608). As a result, the input / output unit 301 of the IC card 300 is connected to the card slot input / output unit 210 of the CE device 400.
[0079] 以上の手順により、通信端末 200は、 CE機器 400をドメイン代表者とするドメインに 参加する。  According to the above procedure, communication terminal 200 participates in a domain in which CE device 400 is the domain representative.
[0080] 次に、本例のドメイン参加方法における属性証明書選択手順について説明する。  Next, an attribute certificate selection procedure in the domain participation method of this example will be described.
[0081] 図 6において、 CE機器 400は、通信端末 200からユーザ情報を含むコンテンツへ のアクセス(ステップ ST609)があると、ユーザ情報と ICカード 300内のドメイン参加 許可属性証明書とを比較する (ステップ ST610)。 In FIG. 6, when there is access to content including user information from communication terminal 200 (step ST 609), CE device 400 compares the user information with the domain participation permission attribute certificate in IC card 300. (Step ST610).
[0082] 通信端末 200は、 CE機器 400との認証時にアクセス情報を取得する。ここで、通信 端末 200と CE機器 400とのアクセス時における認証方法にっ 、ては、特に限定され るものではなぐ例えば、公開鍵証明書を用いた相互認証、あるいは属性証明書を 用いた属性認証の何れであってもよ 、。 Communication terminal 200 acquires access information at the time of authentication with CE device 400. Here, the authentication method at the time of access between the communication terminal 200 and the CE device 400 is not particularly limited. For example, mutual authentication using a public key certificate or an attribute using an attribute certificate It may be any of the certification.
[0083] そして、 CE機器 400は、通信端末 200からのアクセス情報がドメイン参加者のユー ザ情報であると判断すると、コンテンツ要求と、挿入されている ICカード 300内のドメ イン代表者の公開鍵証明書と、通信端末 200の属性証明書をコンテンツサーバ 600 に送信 (提供)する (ステップ ST611)。 When CE device 400 determines that the access information from communication terminal 200 is user information of a domain participant, content request and disclosure of the domain representative in IC card 300 inserted are made. The key certificate and the attribute certificate of the communication terminal 200 are transmitted (provided) to the content server 600 (step ST611).
[0084] コンテンツサーバ 600は、 CE機器 400から提供された公開鍵証明書を機器情報、 属性証明書をユーザ情報と識別 (認証)し (ステップ ST612)、ユーザに応じた CE機 器 400で再生可能なコンテンツを、 CE機器 400に送信 (提供)する (ステップ ST613Content server 600 identifies (authenticates) the public key certificate provided from CE device 400 with the device information and the attribute certificate (user information) (step ST 612), and reproduces the CE key according to the user. Send (provide) possible content to the CE device 400 (step ST613)
) o ) o
[0085] 次に、通信端末 200のドメイン参カ卩申請時の動作について説明する。図 7は、本発 明の一実施の形態に係るドメイン参加方法を実現する通信システムにおける通信端 末のドメイン参カ卩申請時の動作を説明するためのブロック図である。 Next, the operation of the communication terminal 200 at the time of domain participant application will be described. Figure 7 shows the present invention FIG. 21 is a block diagram for explaining an operation at the time of domain participation application for a communication terminal in the communication system in the communication system for realizing the domain participation method according to the embodiment of the present invention.
[0086] 図 7において、通信端末 200がドメイン参カ卩申請を行う場合には、まず、ドメイン参 加許可属性証明書発行要求部 206が、ドメイン参加を行うために、ネットワーク入出 力部 201およびネットワーク 800を介して、属性証明書発行局 500にドメイン参カロ申 請を行う。  In FIG. 7, when communication terminal 200 applies for domain participation, first, domain participation permission attribute certificate issuance request section 206 performs network entry / output section 201 and domain input / output section 201 for domain participation. Apply to the attribute certificate issuing authority 500 via the network 800 for participation in the domain.
[0087] このとき、通信端末 200は、自身がドメイン参加者であることを示すために、属性証 明書格納部 207に格納されている属性証明書を属性証明書発行局 500に提供 (送 信)する。  At this time, the communication terminal 200 provides the attribute certificate issuing station 500 with the attribute certificate stored in the attribute certificate storage unit 207 in order to indicate that the communication terminal 200 itself is a domain participant. Believe)
[0088] これに対し、属性証明書発行局 500は、ドメイン代表者である CE機器 400の公開 鍵証明書と通信端末 200の属性証明書を関連付け、ドメイン参加許可属性証明書を 作成し、作成したドメイン参加許可属性証明書を通信端末 200に発行する。  On the other hand, attribute certificate issuing authority 500 associates the public key certificate of CE device 400 that is the domain representative with the attribute certificate of communication terminal 200, creates a domain participation permission attribute certificate, and creates it. The domain participation permission attribute certificate is issued to the communication terminal 200.
[0089] 通信端末 200は、属性証明書発行局 500から発行されたドメイン参加要求属性証 明書を、ネットワーク 800およびネットワーク入出力部 201を介して、ドメイン参加許可 属性証明書受信部 208が受信する。  Communication terminal 200 receives the domain participation request attribute certificate issued from attribute certificate issuing station 500 via domain 800 and network input / output unit 201, and domain certificate for packet participation permission attribute certificate receiving unit 208 Do.
[0090] そして、ドメイン参加許可属性証明書受信部 208は、属性証明書発行局 500から 受信したドメイン参加許可属性証明書をドメイン参加許可属性証明書出力部 209に 送る。 また、ドメイン参加許可属性証明書出力部 209は、ドメイン参加許可属性証 明書受信部 208から受け取ったドメイン参加許可属性証明書を、カードスロット出力 部 210に接続されている ICカード 300に格納する。  Then, the domain participation permission attribute certificate receiving unit 208 sends the domain participation permission attribute certificate received from the attribute certificate issuing station 500 to the domain participation permission attribute certificate output unit 209. In addition, the domain participation permission attribute certificate output unit 209 stores the domain participation permission attribute certificate received from the domain participation permission attribute certificate reception unit 208 in the IC card 300 connected to the card slot output unit 210. .
[0091] これにより、通信端末 200は、 CE機器 400をドメイン代表者とするドメインに参加し て CE機器 400と通信することができるようになる。  By this means, communication terminal 200 can communicate with CE device 400 by participating in a domain in which CE device 400 is the domain representative.
[0092] 次に、通信端末 200のコンテンツ取得時の動作について説明する。図 8は、本発明 の一実施の形態に係るドメイン参加方法を実現する通信システムにおける通信端末 のコンテンツ取得時の動作を説明するためのブロック図である。  Next, the operation of the communication terminal 200 at the time of content acquisition will be described. FIG. 8 is a block diagram for explaining the operation at the time of content acquisition of the communication terminal in the communication system for realizing the domain participation method according to the embodiment of the present invention.
[0093] 図 8において、通信端末 200がコンテンツを取得する場合には、外部機器アクセス 要求部 202が、外部機器である CE機器 400に、ネットワーク入出力部 201を介して ユーザ情報を含むアクセスを要求する。 [0094] このときの通信端末 200と CE機器 400とのアクセス時の機器認証は、公開鍵証明 書格納部 205に格納されているユーザの公開鍵証明書を用いた相互認証、もしくは 属性証明書格納部 207に格納されて 、る属性証明書を用いた属性認証の何れでも でき、特に限定されない。 In FIG. 8, when the communication terminal 200 acquires the content, the external device access request unit 202 accesses the CE device 400 that is the external device via the network input / output unit 201 including user information. To request. The device authentication at the time of access between the communication terminal 200 and the CE device 400 at this time is mutual authentication using the public key certificate of the user stored in the public key certificate storage unit 205, or the attribute certificate It is possible to use any of the attribute authentication methods using the attribute certificate stored in the storage unit 207, and is not particularly limited.
[0095] 通信端末 200は、 CE機器 400との間で機器認証が確立した後、外部機器操作部 203が通信端末 200からのコンテンツ選択、およびコンテンツ取得決定を行う。  In the communication terminal 200, after device authentication is established with the CE device 400, the external device operation unit 203 performs content selection from the communication terminal 200 and content acquisition determination.
[0096] 次に、 ICカード 300のドメイン参カ卩申請時の動作について説明する。図 9は、本発 明の一実施の形態に係るドメイン参加方法を実現する通信システムにおける ICカー ドのドメイン参カ卩申請時の動作を説明するためのブロック図である。  Next, the operation at the time of domain participant application for the IC card 300 will be described. FIG. 9 is a block diagram for explaining an operation at the time of applying for a domain participant in an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[0097] ドメイン参加申請時の ICカード 300は、まず、図 1に示したように CE機器 400に揷 入される。  At the time of domain participation application, the IC card 300 is first inserted into the CE device 400 as shown in FIG.
[0098] CE機器 400に挿入された ICカード 300は、機器情報読み取り部 305が、 CE機器 In the IC card 300 inserted into the CE device 400, the device information reading unit 305 is a CE device.
400との接続を確立するために、ドメイン代表者である CE機器 400の公開鍵証明書 および属性証明書の情報を読み取る。 Reads the public key certificate and attribute certificate information of CE device 400 that is the domain representative to establish a connection with 400.
[0099] 機器情報読み取り部 305が読み取った CE機器 400の公開鍵証明書および属性証 明書は、公開鍵証明書格納部 303および属性証明書格納部 304に格納される。 The public key certificate and the attribute certificate of the CE device 400 read by the device information reading unit 305 are stored in the public key certificate storage unit 303 and the attribute certificate storage unit 304.
[0100] ドメイン代表者である CE機器 400の公開鍵証明書および属性証明書が格納され た ICカード 300は、図 9に示すように、通信端末 200のカードスロット入出力部 210に 接続される。 The IC card 300 storing the public key certificate and the attribute certificate of the CE device 400 which is the domain representative is connected to the card slot input / output unit 210 of the communication terminal 200 as shown in FIG. .
[0101] これにより、 ICカード 300の証明書送信部 302は、通信端末 200のドメイン参加申 請時に、公開鍵証明書格納部 303および属性証明書格納部 304からドメイン代表者 である CE機器 400の公開鍵証明書および属性証明書を読み出し、この CE機器 40 0の公開鍵証明書および属性証明書を属性証明書発行局 500に送信する。  By this means, certificate sending unit 302 of IC card 300 receives CE device 400 which is a domain representative from public key certificate storage unit 303 and attribute certificate storage unit 304 when domain participation application for communication terminal 200 is applied. Read out the public key certificate and attribute certificate of and send the public key certificate and attribute certificate of this CE device 400 to the attribute certificate issuing authority 500.
[0102] これを受けた属性証明書発行局 500は、ドメイン代表者である CE機器 400の公開 鍵証明書と通信端末 200の属性証明書を関連付けて作成したドメイン参加許可属性 証明書を通信端末 200に発行する。  The attribute certificate issuing authority 500 having received this receives the domain participation permission attribute certificate which is created by associating the public key certificate of the CE device 400 which is the domain representative with the attribute certificate of the communication terminal 200 as a communication terminal. Issue to 200
[0103] 通信端末 200に挿入された ICカード 300は、属性証明書発行局 500から通信端末 200に発行されたドメイン参加許可属性証明書を、属性証明書格納部 304で通信端 末 200から受け取る。 The IC card 300 inserted in the communication terminal 200 has the domain participation permission attribute certificate issued from the attribute certificate issuing station 500 to the communication terminal 200, and the attribute certificate storage unit 304 performs communication end. Received from the end 200.
[0104] そして、通信端末 200からドメイン参加許可属性証明書を受け取った ICカード 300 は、ドメイン管理部 308において、ドメイン代表者である CE機器 400の公開鍵証明書 と関連付けられたドメイン参加許可属性証明書が正しいドメインであるか否かを管理 する。  Then, IC card 300 having received the domain participation permission attribute certificate from communication terminal 200 has domain participation permission attribute associated with the public key certificate of CE device 400 which is the domain representative in domain management unit 308. Manage whether the certificate is in the correct domain.
[0105] 次に、 ICカード 300のコンテンツ取得時の動作について説明する。図 10は、本発 明の一実施の形態に係るドメイン参加方法を実現する通信システムにおける ICカー ドのコンテンツ取得時の動作を説明するためのブロック図である。  Next, an operation at the time of content acquisition of the IC card 300 will be described. FIG. 10 is a block diagram for explaining an operation at the time of content acquisition of an IC card in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[0106] コンテンツ取得時の ICカード 300は、まず、機器情報読み取り部 305が通信端末 2 00から取得したユーザ情報と属性証明書格納部 304に格納されている属性証明書 とを証明書比較検証部 307で比較検証する。  First, the IC card 300 at the time of content acquisition compares the user information acquired from the communication terminal 200 by the device information reading unit 305 with the attribute certificate stored in the attribute certificate storage unit 304 by certificate comparison and verification. The part 307 compares and verifies.
[0107] そして、 ICカード 300は、証明書比較検証部 307でのユーザ情報と属性証明書と の比較検証が終了した後、証明書比較検証部 307で比較検証したユーザが適切な ユーザであるか否かを、証明書検証通知部 306から入出力部 301を介して CE機器 400に通知する。  Then, after the IC card 300 completes the comparison and verification of the user information and the attribute certificate in the certificate comparison and verification unit 307, the user compared and verified in the certificate comparison and verification unit 307 is an appropriate user. The certificate verification and notification unit 306 notifies the CE device 400 via the input / output unit 301 whether or not the certificate verification notification unit 306 has received the certificate.
[0108] また、 ICカード 300の証明書送信部 302は、証明書比較検証部 307で比較検証し たユーザが適切なユーザであるとの診断結果が証明書検証通知部 306から CE機器 400に通知された後、ドメイン代表者である CE機器 400の公開鍵証明書と、ドメイン 参加者である通信端末 200のユーザの属性証明書とを、 CE機器 400からネットヮー ク 800を経由してコンテンツサーバ 600に送信する。  Further, the certificate transmission unit 302 of the IC card 300 determines that the user compared and verified by the certificate comparison / verification unit 307 is an appropriate user from the certificate verification notification unit 306 to the CE device 400. After being notified, the content server of the CE device 400 who is the domain representative and the attribute certificate of the user of the communication terminal 200 who is the domain participant from the CE device 400 via the network 800 via the content server Send to 600
[0109] 次に、属性証明書発行局 500のドメイン参加許可属性証明書の発行方法について 説明する。図 11は、本発明の一実施の形態に係るドメイン参加方法を実現する通信 システムにおける属性証明書発行局のドメイン参加許可属性証明書の発行方法に ついて説明するためのブロック図である。  Next, the method of issuing the domain participation permission attribute certificate of the attribute certificate issuing station 500 will be described. FIG. 11 is a block diagram for explaining a method of issuing a domain participation permission attribute certificate of an attribute certificate issuing authority in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[0110] 図 11にお ヽて、ドメイン参加許可属性証明書を発行する場合の属性証明書発行 局 500は、ドメイン参加受信部 502が、ドメイン代表者である CE機器 400の公開鍵証 明書および属性証明書、ドメイン参加者である通信端末 200の属性証明書を、ネット ワーク入出力部 501を介して受信する。 [0111] そして、ドメイン参加受信部 502は、ネットワーク入出力部 501を介して受信した CE 機器 400の公開鍵証明書および属性証明書、通信端末 200の属性証明書をドメイン 作成部 503に送る。 In FIG. 11, the attribute certificate issuing station 500 in the case of issuing a domain participation permission attribute certificate has a domain participation reception unit 502 that is a public key certificate of CE device 400 whose domain representative is And an attribute certificate, and an attribute certificate of the communication terminal 200 which is a domain participant, through the network input / output unit 501. Then, the domain participation reception unit 502 sends the public key certificate and attribute certificate of the CE device 400 received via the network input / output unit 501 and the attribute certificate of the communication terminal 200 to the domain creation unit 503.
[0112] ドメイン作成部 503は、ドメイン参加受信部 502で受信したドメイン代表者である CE 機器 400の公開鍵証明書とドメイン参加を行う通信端末 200の属性証明書とをダル ープ属性でドメインの関連付けを行 、、関連付けたドメイン参加許可属性証明書をド メイン格納部 504に送る。  Domain creation section 503 has the public key certificate of CE device 400 that is the domain representative received by domain participation reception section 502 and the attribute certificate of communication terminal 200 that participates in domain with the domain attribute. Associating of, and sending the associated domain participation permission attribute certificate to the domain storage unit 504.
[0113] ドメイン格納部 504は、ドメイン作成部 503で関連付けられたドメイン参加許可属性 証明書をドメインごとに格納する。  The domain storage unit 504 stores the domain participation permission attribute certificate associated in the domain creation unit 503 for each domain.
[0114] そして、ドメイン参加許可属性証明書発行部 505は、ネットワーク入出力部 501を介 して、ドメイン参カ卩を行う通信端末 200に対して、ドメイン格納部 504に格納されてい るドメイン参加許可属性証明書を適時読み出して発行する。  Then, domain participation permission attribute certificate issuing unit 505 transmits the domain participation stored in domain storage unit 504 to communication terminal 200 performing domain participation via network input / output unit 501. Read out and issue permission attribute certificates as appropriate.
[0115] 次に、 CE機器 400のコンテンツ取得時の処理方法について説明する。図 12は、本 発明の一実施の形態に係るドメイン参加方法を実現する通信システムにおける CE機 器のコンテンツ取得時の処理方法について説明するためのブロック図である。  Next, a processing method at the time of content acquisition of the CE device 400 will be described. FIG. 12 is a block diagram for explaining a processing method at the time of content acquisition of a CE device in a communication system for realizing a domain participation method according to an embodiment of the present invention.
[0116] コンテンツ取得時の CE機器 400は、図 1に示したように、予め、ネットワーク 800を 介してコンテンツサーノ 600に接続され、かつ、コンテンツ情報を表示する画面表示 機器 900が接続されて 、るものとする。  As shown in FIG. 1, the CE device 400 at the time of content acquisition is connected in advance to the content server 600 via the network 800, and a screen display device 900 for displaying content information is connected, Shall be
[0117] 図 12において、 CE機器 400のユーザ情報転送部 402は、前もって通信端末 200 力も取得したユーザ情報を ICカード 300に転送する。 In FIG. 12, the user information transfer unit 402 of the CE device 400 transfers, to the IC card 300, the user information for which the communication terminal 200 has also been obtained in advance.
[0118] また、 CE機器 400の認証結果通知部 404は、通信端末 200のユーザ情報が適切 であるか否かの診断結果の通知を ICカード 300の証明書検証通知部 306から受け 取る。 Further, the authentication result notification unit 404 of the CE device 400 receives, from the certificate verification notification unit 306 of the IC card 300, a notification of a diagnosis result as to whether the user information of the communication terminal 200 is appropriate.
[0119] そして、 CE機器 400の外部機器アクセス要求提供部 406は、通信端末 200のコン テンッ要求をコンテンツサーバ 600に転送する。  Then, the external device access request providing unit 406 of the CE device 400 transfers the content request of the communication terminal 200 to the content server 600.
[0120] ところで、本例のドメイン参加方法にぉ 、ては、携帯電話などの通信端末 200を使 用しなくても、ドメインに参加しているユーザであれば、 ICカード 300内のドメイン参加 許可属性証明書を使用するためのパスワードを用いて、 CE機器 400からコンテンツ の取得が可能である。 By the way, according to the domain participation method of this example, even if a user is participating in the domain without using the communication terminal 200 such as a mobile phone, the domain participation in the IC card 300 can be used. Content from CE device 400 with password for using authorization attribute certificate Acquisition is possible.
[0121] また、本例のドメイン参加方法では、 1つの公開鍵証明書と複数の属性証明書を、 I Cカード 300を用いて 1つのドメインに納めるようにしている力 公開鍵証明書と属性 証明書を納める記憶媒体としては、リムーバブルであり、 ICカード 300相当のセキユリ ティ機能を保持したものであれば、例えば ICカード機能を備えたフラッシュメモリであ つてもよい。  In addition, in the domain participation method of this example, the power of storing one public key certificate and a plurality of attribute certificates in one domain using an IC card 300 is disclosed. The storage medium for storing the document may be, for example, a flash memory having an IC card function, as long as it is removable and retains the security function equivalent to that of the IC card 300.
産業上の利用可能性  Industrial applicability
[0122] 本発明に係るドメイン参加方法は、 1つの公開鍵証明書と複数の属性証明書とを、 I Cカードを用いて 1つのドメインに関連付けて収めることができ、ドメインの管理を容易 にできるようになるので、複数のユーザ環境において 1つの CE機器を使用してセキュ ァな方法でコンテンツを取得するドメイン参加方法、属性証明書選択方法、通信端 末、 ICカード、 CE機器、属性証明書発行局およびコンテンツサーバとして有用であ る。 According to the domain participation method of the present invention, one public key certificate and a plurality of attribute certificates can be stored in association with one domain using an IC card, and domain management can be facilitated. Therefore, domain participation method, attribute certificate selection method, communication terminal, IC card, CE device, attribute certificate that acquires content in a secure way using one CE device in multiple user environments Useful as an issuing authority and content server.

Claims

請求の範囲 The scope of the claims
[1] 複数のユーザ環境において 1つの CE機器を使用してセキュアな方法でコンテンツ を取得するドメイン参加方法であって、  [1] A domain participation method for acquiring content in a secure manner using one CE device in multiple user environments,
ドメイン代表者である前記 CE機器の公開鍵証明書と、属性証明書が格納された IC カード機能を備えたメモリと、ドメイン参加者である通信端末の属性証明書とを元に、 ドメイン参加許可属性証明書を発行する属性証明書発行局にドメイン参加通知を行 うドメイン参加通知ステップと、  Based on the public key certificate of the CE device that is the domain representative, the memory with the IC card function that stores the attribute certificate, and the attribute certificate of the communication terminal that is the domain participant, domain participation permission A domain participation notification step of notifying the attribute certificate issuing authority which issues the attribute certificate of domain participation;
前記属性証明書発行局が、前記通信端末からドメイン参加通知を受けることにより 、前記 CE機器の公開鍵証明書と前記通信端末の属性証明書を関連付け、前記 CE 機器の公開鍵証明書と前記通信端末の属性証明書を関連付けたドメイン参加許可 属性証明書を前記通信端末に発行するドメイン参加許可属性証明書発行ステップと 、を備える、ドメイン参加方法。  The attribute certificate issuing authority associates the public key certificate of the CE device with the attribute certificate of the communication terminal by receiving domain participation notification from the communication terminal, and the public key certificate of the CE device and the communication. A domain participation permission attribute certificate issuing step of issuing a domain participation permission associated with an attribute certificate of a terminal to the communication terminal.
[2] 前記 CE機器が、前記メモリの公開鍵証明書および属性証明書を含み、前記通信 端末が前記ドメイン参加許可属性証明書を格納した前記メモリを取得した後、前記ド メイン参加許可属性証明書を取得した前記通信端末力 のアクセスがあった場合に 、アクセス情報内のユーザ情報を元に前記メモリ内にある属性証明書の中から前記 通信端末に該当する属性証明書の検索を行う属性証明書検索ステップと、 [2] After the CE device includes the public key certificate and the attribute certificate of the memory, and the communication terminal acquires the memory storing the domain participation permission attribute certificate, the domain participation permission attribute certificate is obtained. When there is an access from the communication terminal power which has acquired a document, an attribute for searching for an attribute certificate corresponding to the communication terminal from among the attribute certificates in the memory based on the user information in the access information Certificate search step,
前記属性証明書検索ステップで、前記 CE機器が前記通信端末力ものアクセスに 含まれるユーザ情報と一致する属性証明書があった場合、前記 CE機器の公開鍵証 明書と、前記通信端末のからのアクセスに含まれるユーザ情報と一致する属性証明 書をコンテンツサーバに送信する属性証明書送信ステップと、を備える、請求項 1記 載のドメイン参加方法における属性証明書選択方法。  In the attribute certificate search step, if there is an attribute certificate that matches the user information included in the access of the CE device to the communication terminal, the public key certificate of the CE device and the communication terminal The attribute certificate transmission step of transmitting to the content server an attribute certificate that matches the user information included in the access of the attribute certificate selection method in the domain participation method according to claim 1.
[3] 請求項 1記載のドメイン参加方法と前記ドメイン参加方法における属性証明書選択 方法とを組み合わせることにより、前記公開鍵証明書が機器情報の識別、前記属性 証明書がユーザの識別を行って、前記公開鍵証明書および前記属性証明書を用い て機器とユーザに応じたサービスを提供するサービス方法。 [3] The public key certificate identifies device information and the attribute certificate identifies a user by combining the domain participation method according to claim 1 and the attribute certificate selection method in the domain participation method. A service method for providing a service according to an apparatus and a user using the public key certificate and the attribute certificate.
[4] ユーザ本人であることの証明を行う属性証明書を保持しており、前記属性証明書発 行局に前記通信端末のユーザ情報、および、前記通信端末の属性証明書を通知す るドメイン参加許可属性証明書発行要求部と、 [4] holds an attribute certificate that certifies the identity of the user, and notifies the attribute certificate issuing station of user information of the communication terminal and an attribute certificate of the communication terminal. Domain participation permission attribute certificate issuance request unit,
前記メモリに格納されて!ヽる前記 CE機器の公開鍵証明書と属性証明書を前記通 信端末のネットワーク入出力部を経由して前記属性証明書発行局に通知し、前記属 性証明書発行局から発行された前記ドメイン参加許可属性証明書を受信するドメイ ン参加許可属性証明書受信部と、  Stored in the memory! The public key certificate and attribute certificate of the CE device are notified to the attribute certificate issuing authority via the network input / output unit of the communication terminal, and the attribute certificate issuing authority issues the attribute certificate. A domain participation permission attribute certificate receiving unit for receiving a domain participation permission attribute certificate;
前記ドメイン参加許可属性証明書を前記メモリに格納するドメイン参加許可属性証 明書出力部と、を具備する、請求項 1記載のドメイン参加方法においてドメイン参カロ 申請を行う通信端末。  A communication terminal for making domain participation request in the domain participation method according to claim 1, comprising: a domain participation permission attribute certificate output unit for storing the domain participation permission attribute certificate in the memory.
[5] 前記 CE機器に接続された画面表示機器で表示されて ヽるコンテンツの取得操作 を行う通信端末であって、  [5] A communication terminal for acquiring content that is displayed on a screen display device connected to the CE device.
ユーザ情報を含む機器情報を格納する機器情報格納部と、  A device information storage unit that stores device information including user information;
前記機器情報格納部のユーザ情報を用いて前記 CE機器にアクセスを行うための 外部機器アクセス要求部と、  An external device access request unit for accessing the CE device using the user information of the device information storage unit;
前記 CE機器との認証が確立されると、前記 CE機器を経由した前記画面表示機器 でコンテンツ選択およびコンテンツの取得を行う外部機器操作部と、を具備する、請 求項 4記載の通信端末。  The communication terminal according to claim 4, further comprising: an external device operation unit that performs content selection and content acquisition on the screen display device via the CE device when authentication with the CE device is established.
[6] 前記 CE機器の前記公開鍵証明書を格納する公開鍵証明書格納部と、 [6] A public key certificate storage unit for storing the public key certificate of the CE device;
前記 CE機器の前記属性証明書を予め格納する属性証明書格納部と、 前記通信端末が前記ドメイン参加許可属性証明書発行要求部で前記属性証明書 発行局にアクセスを行った後、前記ドメイン代表者の証明書情報を前記通信端末の ネットワーク入出力部を介して前記属性証明書発行局に送信する証明書送信部と、 前記ドメイン代表者の前記公開鍵証明書と関連付けられた前記ドメイン参加者属性 証明書を管理するドメイン管理部と、を具備する、請求項 1記載のドメイン参加方法に おける前記通信端末に接続される前記メモリとしての ICカード。  An attribute certificate storage unit for storing the attribute certificate of the CE device in advance; and after the communication terminal accesses the attribute certificate issuing authority by the domain participation permission attribute certificate issuance request unit, the domain representative is represented Certificate transmitting unit for transmitting certificate information of the person to the attribute certificate issuing authority via the network input / output unit of the communication terminal; and the domain participant associated with the public key certificate of the domain representative An IC card as the memory connected to the communication terminal in the domain joining method according to claim 1, further comprising: a domain management unit that manages an attribute certificate.
[7] 前記通信端末力 のコンテンツ取得アクセスを前記 CE機器で受信し、ユーザがドメ インに参加しているかどうかを判断する前記 CE機器に接続される ICカードであって、 前記通信端末でユーザ情報を受け取った前記 CE機器力 ユーザ情報を取得し、 前記ユーザ情報と前記属性証明書格納部にある属性証明書とを比較検証する証明 書比較検証部と、 [7] An IC card connected to the CE device for receiving content acquisition access of the communication terminal by the CE device and determining whether the user participates in a domain, the user using the communication terminal A certificate for acquiring the CE device power user information that has received information, and comparing and verifying the user information with the attribute certificate in the attribute certificate storage unit. Book comparison and verification department,
前記比較検証部での検証結果により前記ユーザ情報が適切であるか否かを前記 C E機器に通知する証明書検証通知部と、  A certificate verification notification unit for notifying the CE device whether or not the user information is appropriate according to the verification result of the comparison verification unit;
前記比較検証部での検証結果により前記ユーザ情報が適切である場合に、前記 C E機器の公開鍵証明書と前記通信端末の属性証明書を前記 CE機器のネットワーク を経由してコンテンツサーバに送信する証明書送信部と、を具備する、請求項 6記載 の ICカード。  The public key certificate of the CE device and the attribute certificate of the communication terminal are transmitted to the content server via the network of the CE device when the user information is appropriate according to the verification result in the comparison and verification unit. The IC card according to claim 6, comprising: a certificate transmission unit.
[8] 前記ドメイン参加許可証明書を発行する属性証明書発行局であって、  [8] An attribute certificate issuing authority that issues the domain participation permit certificate, and
ドメイン参加者である前記通信端末力ゝらのドメイン参加通知を受信するドメイン参カロ 受信部と、  A domain participant reception unit for receiving a domain participation notification of the communication terminal, which is a domain participant, and
前記通信端末および、前記通信端末に接続されて!ヽる前記メモリから証明書情報 を受信し、前記ドメイン代表者である前記 CE機器の公開鍵証明書と前記ドメイン参 加者である前記通信端末の属性証明書とをグループ属性でドメインの関連付けを行 うドメイン作成部と、  The communication terminal and certificate information is received from the memory connected to the communication terminal and the public key certificate of the CE device as the domain representative and the communication terminal as the domain participant A domain creation unit that associates a domain with the attribute certificate of
前記ドメイン作成部で関連付けた属性証明書をドメインごとに格納するドメイン格納 部と、  A domain storage unit that stores, for each domain, the attribute certificate associated by the domain creation unit;
前記ドメイン作成部で関連付けた属性証明書を前記ドメイン参加者である前記通信 端末に発行するドメイン参加許可属性証明書発行部と、を具備する、請求項 1記載 のドメイン参加方法における属性証明書発行局。  The domain participation permission attribute certificate issuing unit according to claim 1, further comprising: a domain participation permission attribute certificate issuing unit that issues the attribute certificate associated by the domain creation unit to the communication terminal that is the domain participant. Station.
[9] 前記通信端末のコンテンツ要求の際に前記属性証明書発行局から前記ドメイン参 加許可属性証明書を発行されたユーザ力 のアクセスに含まれるユーザ情報に基づ き、コンテンツにユーザの証明書情報を通知することでセキュアなコンテンツの取得 を行う、予めコンテンツサーバにネットワーク接続され、かつコンテンツ情報を表示す る画面表示機器が接続された CE機器であって、  [9] At the time of content request of the communication terminal, the content is certified by the user based on the user information included in the access of the user who has issued the domain participation permission attribute certificate from the attribute certificate issuing authority. It is a CE device that is connected to a content server in advance and connected to a network and that has a screen display device that displays content information.
前記通信端末力 のユーザ情報を含むアクセスを受け、ユーザ情報を接続されて V、る前記メモリに転送するユーザ情報転送部と、  A user information transfer unit which receives an access including user information of the communication terminal power and which is connected to the user information and transferred to the memory;
前記メモリの証明書検証通知部から受けた結果をアクセスした前記通信端末に返 信する認証結果通知部と、 前記通信端末のコンテンッ要求を前記コンテンッサーバに通知するアクセス要求 提供部と、を具備する、請求項 1記載のドメイン参加方法における CE機器。 An authentication result notification unit that returns the result received from the certificate verification notification unit of the memory to the communication terminal that has accessed the information; The CE device according to the domain participation method according to claim 1, further comprising: an access request providing unit that notifies the content server of a content request of the communication terminal.
前記コンテンツ要求を行う前記通信端末の属性証明書と、前記ドメイン代表者であ る前記 CE機器の公開鍵証明書を取得し、前記公開鍵証明書を機器情報、前記属 性証明書をユーザとして識別することにより、前記ユーザに応じた前記 CE機器で再 生可能なコンテンツを提供する請求項 2記載の属性証明書選択方法におけるコンテ ンッサーバ  An attribute certificate of the communication terminal that makes the content request and a public key certificate of the CE device that is the domain representative are acquired, the public key certificate is device information, and the attribute certificate is a user. The content server according to the attribute certificate selection method according to claim 2, wherein the content that can be reproduced by the CE device according to the user is provided by identifying the content certificate.
PCT/JP2006/305729 2006-03-22 2006-03-22 Domain participation method, attribute certificate selection method, communication terminal, ic card, ce device, attribute certificate issuing station, and content server WO2007108114A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2006/305729 WO2007108114A1 (en) 2006-03-22 2006-03-22 Domain participation method, attribute certificate selection method, communication terminal, ic card, ce device, attribute certificate issuing station, and content server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2006/305729 WO2007108114A1 (en) 2006-03-22 2006-03-22 Domain participation method, attribute certificate selection method, communication terminal, ic card, ce device, attribute certificate issuing station, and content server

Publications (1)

Publication Number Publication Date
WO2007108114A1 true WO2007108114A1 (en) 2007-09-27

Family

ID=38522154

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2006/305729 WO2007108114A1 (en) 2006-03-22 2006-03-22 Domain participation method, attribute certificate selection method, communication terminal, ic card, ce device, attribute certificate issuing station, and content server

Country Status (1)

Country Link
WO (1) WO2007108114A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130031884A (en) * 2010-09-17 2013-03-29 노키아 지멘스 네트웍스 오와이 Remote verification of attributes in a communication network
US9215220B2 (en) 2010-06-21 2015-12-15 Nokia Solutions And Networks Oy Remote verification of attributes in a communication network
JP2016510564A (en) * 2013-02-01 2016-04-07 マイクロソフト テクノロジー ライセンシング,エルエルシー Secure computing device accessories

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004015530A (en) * 2002-06-07 2004-01-15 Sony Corp Access right management system, relay server and method therefor, as well as computer program
JP2004046430A (en) * 2002-07-10 2004-02-12 Sony Corp Remote access system, remote access method, remote access program, and recording medium recorded with remote access program
JP2005250939A (en) * 2004-03-05 2005-09-15 Matsushita Electric Ind Co Ltd Apparatus and method for managing linkable equipment group
JP2006500652A (en) * 2002-09-23 2006-01-05 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Certificate-based authentication domain
JP2006014325A (en) * 2004-06-24 2006-01-12 Palo Alto Research Center Inc Method and apparatus for using portable security token to facilitate public key certification for device group in network

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004015530A (en) * 2002-06-07 2004-01-15 Sony Corp Access right management system, relay server and method therefor, as well as computer program
JP2004046430A (en) * 2002-07-10 2004-02-12 Sony Corp Remote access system, remote access method, remote access program, and recording medium recorded with remote access program
JP2006500652A (en) * 2002-09-23 2006-01-05 コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ Certificate-based authentication domain
JP2005250939A (en) * 2004-03-05 2005-09-15 Matsushita Electric Ind Co Ltd Apparatus and method for managing linkable equipment group
JP2006014325A (en) * 2004-06-24 2006-01-12 Palo Alto Research Center Inc Method and apparatus for using portable security token to facilitate public key certification for device group in network

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9215220B2 (en) 2010-06-21 2015-12-15 Nokia Solutions And Networks Oy Remote verification of attributes in a communication network
US10218514B2 (en) 2010-06-21 2019-02-26 Nokia Technologies Oy Remote verification of attributes in a communication network
KR20130031884A (en) * 2010-09-17 2013-03-29 노키아 지멘스 네트웍스 오와이 Remote verification of attributes in a communication network
JP2013530650A (en) * 2010-09-17 2013-07-25 ノキア シーメンス ネットワークス オサケユキチュア Remote verification of attributes in communication networks
KR101580443B1 (en) * 2010-09-17 2015-12-28 노키아 솔루션스 앤드 네트웍스 오와이 Remote verification of attributes in a communication network
JP2016510564A (en) * 2013-02-01 2016-04-07 マイクロソフト テクノロジー ライセンシング,エルエルシー Secure computing device accessories
US9948636B2 (en) 2013-02-01 2018-04-17 Microsoft Technology Licensing, Llc Securing a computing device accessory

Similar Documents

Publication Publication Date Title
JP4965558B2 (en) Peer-to-peer authentication and authorization
US10567370B2 (en) Certificate authority
US6880079B2 (en) Methods and systems for secure transmission of information using a mobile device
US7818576B2 (en) User controlled anonymity when evaluating into a role
JP5694344B2 (en) Authentication using cloud authentication
US8752203B2 (en) System for managing computer data security through portable data access security tokens
AU2008344384B2 (en) Information distribution system and program for the same
US20100229241A1 (en) Method of accessing service, device and system thereof
JP2005532736A (en) Biometric private key infrastructure
EP3376708A1 (en) Anonymous communication system and method for subscribing to said communication system
KR20170106515A (en) Multi-factor certificate authority
JP2003067326A (en) Resource distribution system on network and mutual authentication system
JP2009086802A (en) Mediation method and system for authentication
US8234497B2 (en) Method and apparatus for providing secure linking to a user identity in a digital rights management system
EP2957064B1 (en) Method of privacy-preserving proof of reliability between three communicating parties
JP2015194879A (en) Authentication system, method, and provision device
JP2009118110A (en) Method and system for provisioning meta data of authentication system, its program and recording medium
WO2007108114A1 (en) Domain participation method, attribute certificate selection method, communication terminal, ic card, ce device, attribute certificate issuing station, and content server
CN116506118A (en) Identity privacy protection method in PKI certificate transparentization service
JP4552785B2 (en) Encrypted communication management server
EP1959607B1 (en) A method and system for authenticating the identity
KR100993333B1 (en) Method for enrollment and authentication using private internet access devices and system
CN110099063B (en) Method for generating conference registration certificate
JP5660454B2 (en) Device-to-device connection method that ensures privacy
AU2015271650A1 (en) Identity verification

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06729696

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06729696

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP