WO2013145517A1 - 情報処理装置、情報処理システム、情報処理方法及びプログラム - Google Patents
情報処理装置、情報処理システム、情報処理方法及びプログラム Download PDFInfo
- Publication number
- WO2013145517A1 WO2013145517A1 PCT/JP2013/000390 JP2013000390W WO2013145517A1 WO 2013145517 A1 WO2013145517 A1 WO 2013145517A1 JP 2013000390 W JP2013000390 W JP 2013000390W WO 2013145517 A1 WO2013145517 A1 WO 2013145517A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- service
- user
- access
- access token
- information processing
- Prior art date
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/41—User authentication where a single sign-on provides access to a plurality of computers
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
Definitions
- the present technology relates to an information processing apparatus capable of communicating with another information processing apparatus via a network, an information processing system including the information processing apparatus, an information processing method and a program in the information processing apparatus.
- a service in order to facilitate mashup between network services, a service can use functions of other services without directly being given the ID / password of the user managed there.
- Various protocols have been proposed.
- a typical protocol for this is Oauth and the like, which has been used in services such as Facebook (registered trademark), for example.
- Auth a service provider that manages a user's ID / password delegates the access right to the service provider without providing an ID or password to a service (consumer) that uses the functions of the service provider. (For example, refer to Patent Document 1).
- this protocol has a restriction that it cannot be used from a device that does not have such an input / output function such as a display or a keyboard that bears UX (User Experience) at the time of user authentication.
- UX User Experience
- the authentication procedure for using the same service must be performed for every device, which is very laborious and practical as in the method (3). There wasn't. Furthermore, since the access right obtained by the authentication usually has an expiration date, when the expiration date expires, the authentication is required again, and it is necessary to frequently repeat the authentication procedure.
- an object of the present technology is to provide an information processing apparatus, an information processing system, an information processing method, and a program capable of reducing the labor of authentication processing necessary for cooperation of a plurality of devices and network services. It is to provide.
- an information processing apparatus includes a communication unit, a storage unit, and a control unit.
- the communication unit can communicate with a service on a network having resources relating to a user of the first device, the second device, and the first device.
- the control unit accesses the service based on the acquisition request for the access right to the resource from the first device and the approval information indicating the user's approval for the acquisition of the access right.
- the communication unit can be controlled to transmit an access token issuance request indicating, and receive the access token issued by the service from the service. Further, the control unit can control the storage unit so as to securely store the received access token.
- the information processing apparatus can share access tokens for user resources among a plurality of devices, so that it is possible to reduce the effort of authentication processing required for cooperation between a plurality of devices and network services.
- the control unit may control the communication unit to access the resource using the stored access token in response to a request from a second device associated with the user.
- the second device can access the network service by using the access token acquired by the processing of the first device and the information processing apparatus without going through an authentication process with the service.
- the control unit may control the communication unit to transmit the stored access token to the first device or the second device via a secure communication path.
- the first device or the second device can directly access the service without using the information processing device by using the received access token, so that the load on the information processing device is reduced.
- the first device includes an input device to which an operation necessary for the user to notify the service of the approval intention is input, and an output device that outputs a screen for the input,
- the information processing apparatus wherein the second device does not include the input device and the output device.
- the control unit controls the communication unit to receive association information indicating association between the user, the first device, and the second device from the first device, and receives the received information.
- the storage unit may be controlled to store the association information.
- An information processing system includes a server device and an information processing device.
- the server device includes a first communication unit, a storage unit, and a first control unit.
- the first communication unit can communicate with a user device and a service on a network having resources related to the user of the user device.
- the control unit indicates the access right to the service based on an acquisition request for the access right to the resource from the user device and approval information indicating the user's approval for the acquisition of the access right.
- the first communication unit can be controlled to transmit an access token issue request and receive an access token issued by the service from the service.
- the first control unit can control the storage unit so as to securely store the received access token.
- the information processing apparatus includes a second communication unit and a second control unit.
- the second communication unit can communicate with the server device and the service.
- the second control unit receives the stored access token from the server device via a secure communication path, and uses the received access token to access the resource.
- the communication unit can be controlled.
- An information processing method for acquiring an access right acquisition request from a first device to a resource related to a user of the first device included in a service on a network, and acquiring the access right.
- An access token issue request indicating the access right is transmitted to the service.
- An access token issued by the service is received from the service.
- the received access token is stored securely.
- a program causes the information processing apparatus to execute a first reception step, a first transmission step, a second reception step, and a storage step.
- the first reception step an acquisition request for access right to the resource related to the user of the first device that the service on the network has from the first device, and approval of the user for the acquisition of the access right are shown. Approval information is received.
- the first transmission step a request for issuing an access token indicating the access right is transmitted to the service.
- an access token issued by the service is received from the service.
- the received access token is securely stored.
- 1 is a diagram illustrating a network configuration of a system according to a first embodiment of the present technology. It is the block diagram which showed the hardware constitutions of the server in 1st Embodiment. It is the block diagram which showed the hardware constitutions of the device in 1st Embodiment. It is the block diagram which showed the software module structure of the server in 1st Embodiment. It is the block diagram which showed the software module structure of the device in 1st Embodiment. It is the figure which showed the outline
- FIG. 1 is a diagram showing a network configuration of a system according to the present embodiment.
- this system includes a server 100 on the cloud, a network service 200, and a device 300. Each of these can be communicated by the WAN 50. There may be a plurality of network services 200 and devices 300.
- the server 100 mediates communication between a plurality of devices 300, and has a function of receiving access rights (access tokens) to the network service 200 possessed by users of the devices 300 and managing the access tokens.
- a user authentication server 150 is connected to the server 100.
- the user authentication server 150 performs user authentication processing using a user ID and a password in response to a request from the server 100 in association processing between each device 300 and a user, which will be described later.
- the network service 200 provides a network service to other devices (server 100, device 300, etc.).
- the network service 200 provides a service authentication mechanism for providing a service, presents the requested access content to the user via the device 300, and obtains approval from the user to perform service authentication processing.
- the number of network services 200 may be four or more.
- the device 300 includes, for example, a smartphone, a mobile phone, a tablet PC (Personal Computer), a desktop PC, a notebook PC, a PDA (Personal Digital Assistant), a portable AV player, an electronic book, a digital still camera, a camcorder, a television device, and a PVR. (Personal Video Recorder), game device, projector, car navigation system, digital photo frame, HDD (Hard Disk Drive) device, healthcare device, home appliance, etc. In the figure, only three devices 300A to 300C are shown, but the number of devices 300 may be four or more.
- FIG. 2 is a diagram illustrating a hardware configuration of the server 100.
- the server 100 includes a central processing unit (CPU) 11, a read only memory (ROM) 12, a random access memory (RAM) 13, an input / output interface 15, and a bus 14 that connects these components to each other.
- CPU central processing unit
- ROM read only memory
- RAM random access memory
- bus 14 that connects these components to each other.
- the CPU 11 appropriately accesses the RAM 13 or the like as necessary, and comprehensively controls each block of the server 100 while performing various arithmetic processes in the access token acquisition process and the like.
- the ROM 12 is a non-volatile memory in which an OS to be executed by the CPU 11, firmware such as programs and various parameters are fixedly stored.
- the RAM 13 is used as a work area for the CPU 11 and temporarily holds the OS, various applications being executed, and various data being processed.
- a display unit 16 an operation receiving unit 17, a storage unit 18, a communication unit 19 and the like are connected to the input / output interface 15.
- the display unit 16 is an output device using, for example, an LCD (Liquid Crystal Display), an OELD (Organic ElectroLuminescence Display), a CRT (Cathode Ray Tube), or the like.
- LCD Liquid Crystal Display
- OELD Organic ElectroLuminescence Display
- CRT Cathode Ray Tube
- the operation receiving unit 17 is, for example, a pointing device such as a mouse, a keyboard, a touch panel, and other input devices.
- the operation reception unit 17 is a touch panel
- the touch panel can be integrated with the display unit 16.
- the storage unit 18 is, for example, a non-volatile memory using a flash memory such as an HDD or an SSD (Solid State Drive).
- the storage unit 18 stores the OS, various applications, and various data.
- the storage unit 18 stores programs such as a plurality of software modules, which will be described later, and an access token acquired from the network service 200. These programs may be provided to the server 100 via the WAN 50, or may be provided as a recording medium that can be read by the server 100.
- the communication unit 19 is a NIC or the like for connecting to the WAN 50 and is responsible for communication processing with the device 300.
- FIG. 3 is a diagram illustrating a hardware configuration of the device 300.
- the hardware configuration of the device 300 is basically the same as the hardware configuration of the server 100. That is, the device 300 includes a CPU 31, a ROM 32, a RAM 33, an input / output interface 35, a bus 34 that connects them, a display unit 36, an operation reception unit 37, a storage unit 38, and a communication unit 39.
- the display unit 36 may be built in the device 300 or may be externally connected to the device 300.
- the CPU 31 controls each block such as the storage unit 38 and the communication unit 39 and executes communication processing with the server 100 and the network service 200 and various data processing.
- the storage unit 38 stores programs such as a plurality of software modules, which will be described later, and various databases. These programs may be provided to the device 300 via the WAN 50, or may be provided as a recording medium readable by the device 300.
- the communication unit 39 may be a wireless communication module such as a wireless LAN.
- the operation reception unit 37 is configured only with buttons and switches, such as a keyboard and a touch panel. There may be no character input function.
- the display unit 36 may be able to display a photo slide show and measurement values, but may not have a function of outputting a UI of an application such as a browser.
- FIG. 4 is a diagram illustrating a configuration of software modules included in the server 100. As shown in the figure, the server 100 has a module manager such as a database manager 110, a security manager 120, and a communication manager 130.
- a module manager such as a database manager 110, a security manager 120, and a communication manager 130.
- the database manager 110 collectively manages the database that the server 100 has.
- the database manager 110 includes software modules of a user / device management unit 111 and an access token management unit 112.
- the user / device management unit 111 manages the list of devices 300 for each user ID that uniquely identifies the user of the device 300.
- the access token management unit 112 manages an access token for accessing the resources of the network service 200 acquired from the various network services 200 for each user ID and for each service ID that uniquely identifies the network service 200. .
- the security manager 120 collectively handles processing related to security in communication between the server 100, the device 300, and the network service 200.
- the security manager 120 includes software modules of a user authentication processing unit 121, a simple setting processing unit 122, a service authentication processing unit 123, a service access processing unit 124, a device authentication unit 125, and a cryptographic processing unit 126.
- the user authentication processing unit 121 performs user authentication processing (details will be described later) of the device 300 on the device-based security mechanism.
- the device-based security mechanism is a mechanism in which mutual authentication at the device level is performed between the devices 300 and between the device 300 and the server 100, and a communication path is established for performing secure communication without user intervention.
- the security-related processing units between the devices 300 and between the device 300 and the server 100 are connected by a secure communication path, and function as one security system.
- the device-based security mechanism embeds a key / certificate in advance in the device 300 and the server 100, and based on these, an authentication process for confirming that the device 300 and the server 100 are authentic, A key exchange process for generating a key to be used in subsequent communications is performed.
- the above authentication process and key exchange process are performed at End To End regardless of the actual connection form.
- the devices 300A and 300B are connected via the server 100, the devices 300A and 300B are not actually connected directly, but the authentication process and the key exchange process are performed by the devices A and B.
- the server 100 simply relays these processes by the communication unit 19.
- the simple setting processing unit 122 sets user information in another device 300 using the user-authenticated device 300 on the device-based security mechanism, and sets it as an authenticated (association set) device.
- the server 100 can set the user information in the device B by trusting the user information of the device 300A, and thus can be regarded as having performed user authentication.
- any type of user interface may be used for the user information setting process.
- a list of images or icons of other devices 300 searched by the device search process is displayed on the display unit 36 of the setting source device 300A.
- the user of the device 300A selects the image or icon by clicking, touching, or enclosing the image or icon, a setting request message is transmitted from the device 300A to the selected other device via the server 100.
- response information to that effect is transmitted to the setting source device 300A via the server 100.
- the display mode of the image or icon of the set device is changed in the list. For example, the image or icon is surrounded by a frame, or the color thereof is changed. As a result, the user can know that the setting has been completed.
- Setting user information by simple setting does not require a user interface for user authentication (input of ID and keyword), and thus, for example, even a small device without a display device or a keyboard can be set. .
- the user authenticates the user with the user ID and password with only one of the devices, and sets other devices with the above simple settings, so that various devices can be used without any troublesome operations.
- the service authentication processing unit 123 In response to a request from the device 300, the service authentication processing unit 123 communicates with the network service 200 to perform service authentication processing and acquire an access token. Details of the service authentication process will be described later.
- the service access processing unit 124 accesses the network service 200 by using the access token acquired by the request from the device 300.
- the device authentication unit 125 performs the authentication process of the device 300 as the device-based security mechanism described above.
- the cryptographic processing unit 126 performs cryptographic processing as a device-based security mechanism. That is, the exchange between the security manager 120 and other modules is encrypted based on the device-based security mechanism. Further, the security manager 120 is firmly protected on each device 300 and the server 100 by, for example, software tamper resistance processing.
- the communication manager 130 includes a communication unit 131 as a software module.
- the communication unit 131 performs communication processing between the security manager 120 and the device 300.
- FIG. 5 is a diagram illustrating a configuration of software modules included in the device 300.
- the device 300 includes module managers of a communication manager 310, a security manager 320, a user / device UI manager 330, and a service UI manager 340.
- the communication manager 310 includes a communication unit 311 as a software module.
- the communication unit 311 performs communication processing between the security manager 320 and the server 100.
- the security manager 320 includes software modules of a device authentication unit 321, an encryption processing unit 322, a user authentication unit 323, a simple setting unit 324, a user information management unit 325, and a service authentication unit 326.
- the device authentication unit 321 performs device authentication as the device-based security mechanism.
- the cryptographic processing unit 322 performs cryptographic processing as the device-based security mechanism.
- the user authentication unit 323 performs user authentication processing with the server 100 (the user authentication processing unit 121) on the device-based security mechanism.
- the easy setting unit 324 performs the above-described simple setting process with the server 100 (the simple setting processing unit 122) on the device-based security mechanism.
- the user information management unit 325 manages the user ID associated with the device 300 by the simple setting process.
- the service authentication unit 326 performs processing related to network service authentication with the server 100 on the device-based security mechanism.
- the service access request unit 327 performs processing related to access to the network service with the server 100 on the device-based security mechanism.
- the user / device UI manager 330 includes a simple setting UI unit 331 and a user authentication UI unit 341 as software modules.
- the simple setting UI unit 331 generates and controls a UI displayed on the display unit 36 for the simple setting process.
- the user authentication UI unit 332 generates and controls a UI displayed on the display unit 36 for the user authentication.
- the service UI manager 340 includes a service UI unit 341 as a software module.
- the service UI unit 34 generates and controls a UI displayed on the display unit 36 for authentication and access of the network service 200.
- the user authentication process between the server 100 and the device 300 is performed as follows.
- the user authentication UI unit 332 receives a user ID and password from the user and sends them to the user authentication unit 323.
- the user authentication unit 323 sends the user ID and password to the user authentication processing unit 121 of the server 100 via the device base security mechanism.
- the user authentication processing unit 121 requests the user authentication server 150 for authentication. When the authentication is successful, the user authentication processing unit 121 sends the user ID and device ID to the user / device management unit 111 and sends the authentication result to the device 300.
- the user / device management unit 111 adds the device ID received from the user authentication processing unit 121 to the device list on the user database.
- the user authentication unit 323 of the device 300 Upon receiving the authentication result, the user authentication unit 323 of the device 300 sends the user ID to the user information management unit 325 for recording.
- FIG. 6 is a diagram showing an overview of network service authentication in the present embodiment.
- Various methods can be used as the network service authentication process in the present embodiment. For example, a method corresponding to OAuth is used.
- the access right to the network service is represented by an access token.
- an access token is issued from the network service when the user approves access to his / her resource (account) on the network service.
- the device that receives service authentication is called Consumer
- the side that performs authentication processing on the network service side and the side that issues the access token is called Service Provider.
- the server 100 corresponds to a consumer
- the network service 200 corresponds to a service provider.
- the device 300 requests the server 100, which is a consumer, to use the resource on the network service 200, which is a service provider (to obtain an access right) (see FIG. 6). (1)).
- the server 100 requests the network service 200 for authentication ((2) in the figure).
- the network service 200 Upon receiving the authentication request from the server 100, the network service 200 confirms whether or not to approve the authentication (acquisition of access right) to the user of the device 300 ((3) in the figure).
- the network service 200 issues an access token to the server 100 ((5) in the figure).
- the server 100 calls a resource (API) on the network service 200 using the issued access token ((6) in FIG. 8).
- API resource
- the approval by the user uses a web page for authentication prepared on the network service 200 side, so that a browser is used as a UI module on the device 300 side.
- service authentication is actually performed, since it is assumed that a browser is installed on the user device, authentication is not necessarily performed on all devices.
- FIG. 7 is a sequence diagram showing the flow of the network service authentication.
- FIG. 8 is a flowchart showing the flow of network service authentication processing in the device 300.
- FIG. 9 is a flowchart showing a flow of network service authentication processing in the server 100.
- the service authentication unit 326 of the device 300 transmits a login request to the network service 200 to the service authentication processing unit 123 of the server 100 using the device-based security mechanism (step 71 in FIG. 8 step 81).
- the service authentication processing unit 123 of the server 100 Upon receiving the login request (step 91 in FIG. 9), the service authentication processing unit 123 of the server 100 requests a request token from the network service 200 (step 72 in FIG. 7 and step 92 in FIG. 9).
- the network service 200 Upon receipt of the request token request, the network service 200 issues a request token (unapproved) to the service authentication processing unit 123 of the server 100 (step 73 in FIG. 7).
- the service authentication processing unit 123 of the server 100 Upon receiving the issued request token (step 93 in FIG. 9), the service authentication processing unit 123 of the server 100 transmits the request token and the URL to the service authentication page to the service authentication unit 326 of the device 300. (Redirect device 300 to the URL) (step 74 in FIG. 7, step 94 in FIG. 9).
- the service authentication unit 326 of the device 300 receives the request token and the authentication URL, and transmits them to the service UI unit 341 (step 82 in FIG. 8).
- the service UI unit 341 accesses the network service 200 using the authentication URL (step 74 in FIG. 7), and displays a confirmation screen for approving service authentication on the display unit 36 using the browser (step 75 in FIG. 7). , Step 83 in FIG.
- the user When accessing the authentication URL, the user is requested by the network service 200 to input a user ID and password.
- the confirmation screen is displayed.
- the server 100 is prevented from acquiring the user ID / password and illegally storing and using it.
- the service UI unit 341 When the service UI unit 341 receives an operation for selecting approval / disapproval from the user on the confirmation screen, the service UI unit 341 transmits the result to the network service 200 (step 76 in FIG. 7 and step 84 in FIG. 8).
- the service UI unit 341 receives a request token indicating approval from the network service 200 and transmits it to the service authentication unit 326 (FIG. 8). 8 step 86).
- the service authentication unit 326 transmits the received request token to the service authentication processing unit 123 of the server 100 (step 87 in FIG. 8).
- the service authentication processing unit 123 of the server 100 Upon receiving the request token from the service authentication unit 326 of the device 300 (step 95 in FIG. 9), the service authentication processing unit 123 of the server 100 requests an access token from the network service 200 based on the request token (step in FIG. 7). 77, step 96 of FIG.
- the network service 200 issues an access token to the service authentication processing unit 123 of the server 100 (step 78 in FIG. 7), and the service authentication processing unit 123 receives the issued access token. (Step 97 in FIG. 9).
- the service authentication processing unit 123 Upon receiving the access token, the service authentication processing unit 123 sends the access token to the access token management unit 112 and stores it in the storage unit 18 in association with the user ID and service ID (step 98 in FIG. 9).
- the service authentication processing unit 123 notifies the service authentication unit 326 of the device 300 of completion of the service authentication process (access token acquisition process) (step 99 in FIG. 9).
- the service authentication unit 326 of the device 300 receives the process completion notification (step 88 in FIG. 8).
- FIG. 10 is a flowchart showing a flow of access processing to the network service by the device 300.
- FIG. 11 is a flowchart showing a flow of access processing to the network service by the server 100.
- the device 300 in this case may be a device engaged in the network service authentication process, or may be another device not engaged in the authentication process and connected to the device engaged in the authentication process by the device-based security mechanism. Also good. Further, the device 300 may include a browser display unit 36 and an operation reception unit 37 necessary for the service authentication process (for example, a PC, a smartphone, or the like), or may not include (for example, a digital photo). Frames and healthcare equipment).
- the service UI unit 341 of the device 300 accepts an access request to the network service from the user, and transmits it to the service access request unit 327 (step 101 in FIG. 10).
- the service access request unit 327 Upon receiving the access request, the service access request unit 327 transmits an access request to the network service 200 together with the user ID to the service access processing unit 124 of the server 100 (step 102 in FIG. 10).
- the service access processing unit 124 of the server 100 receives the access request (step 111 in FIG. 11)
- the service access processing unit 124 acquires an access token corresponding to the user ID stored in the storage unit 18 from the access token management unit 112. (Step 112 in FIG. 11).
- the service access processing unit 124 accesses the network service 200 using the acquired access token (step 113 in FIG. 11).
- the service access processing unit 124 transmits an access result (for example, API) to the network service 200 to the service access request unit 327 of the device 300 (step 114 in FIG. 11).
- an access result for example, API
- the service access request unit 327 of the device 300 receives the access result and transmits it to the service UI unit 341 (step 103 in FIG. 10).
- the service UI unit 341 presents the access result to the user via the display unit 36 (step 104 in FIG. 10).
- the server 100 securely stores the access token acquired from the network service 200 in response to a request from the device 300 on the server 100.
- Security between the server 100 and the device 300 and between the plurality of devices 300 is protected by the above-described device-based security mechanism regardless of the input of the user ID / password pair. This is performed without depending on the user authentication process in the device 300.
- the access token acquired and stored by the server 100 is associated with another device-based security mechanism.
- Device 300 can be used.
- a UI function for inputting an ID / password or notifying an approval intention (for example, pressing an OK button) when approving the acquisition of an access token is provided on the device 300.
- the network service 200 can be used even by a device 300 that does not have a UI function (character or operation input device and UI output device) for inputting an ID / password or pressing a button.
- access to the network service 200 using the access token acquired by the server 100 always passes through the server 100.
- access to the network service 200 tends to continuously access several service APIs provided by the network service 200, so that it is not efficient to go through the server 100 each time.
- the security managers of the plurality of devices 300 and the server 100 can be regarded as a single system linked through cryptographic communication. Therefore, in this embodiment, the device 300 temporarily acquires an access token managed on the server 100 side, and directly accesses the network service 200 using this.
- FIG. 12 is a block diagram showing a software module configuration of the server 100 in the present embodiment.
- FIG. 13 is a block diagram showing the software module configuration of the device 300 in this embodiment.
- the server 100 replaces the service access processing unit 124 in the first embodiment with an access token transfer processing unit. 127.
- the device 300 includes a service access unit 328 instead of the service access request unit 327 in the first embodiment.
- the access token transfer processing unit 127 of the server 100 acquires an access token from the access token management unit 112 and transfers it to the device 300 in accordance with a request from the device 300.
- the service access unit 328 of the device 300 acquires an access token managed on the server 100 side, and directly accesses the network service 200 using this.
- FIG. 14 is a flowchart showing the flow of access processing to the network service by the device 300 in this embodiment.
- FIG. 15 is a flowchart showing the flow of access processing to the network service by the server 100 in this embodiment.
- the service UI unit 341 of the device 300 receives an access request for a network service from a user and transmits it to the service access unit 328 (step 141 in FIG. 14).
- the service access unit 328 Upon receipt of the access request, the service access unit 328 transmits an access token transfer request together with the user ID and service ID to the access token transfer processing unit 127 of the server 100 (step 142 in FIG. 14).
- the access token transfer processing unit 127 of the server 100 acquires an access token to the network service 200 corresponding to the user ID and the service ID from the access token management unit 112. (Step 152 in FIG. 15).
- the access token transfer processing unit 127 transmits the acquired access token to the service access unit 328 of the transfer request source device 300 (step 153 in FIG. 15).
- the service access unit 328 of the device 300 Upon receiving the access token from the server 100, the service access unit 328 of the device 300 accesses the network service 200 using the access token, and transmits the access result to the service UI unit 341 (step 143 in FIG. 14).
- the service UI unit 341 presents the access result to the network service 200 to the user via the display unit 36 (step 144 in FIG. 14).
- the device 300 can temporarily acquire the access token managed on the server 100 side, and can directly access the network service 200 using the access token. Thereby, the access efficiency to the network service 200 is improved and the load on the server 100 is reduced.
- the storage location of the access token acquired by the server 100 is the storage unit 18 (access token management unit 112) inside the server 100.
- the access token may be stored in another storage device on the cloud that is physically separated from the server 100 as long as security is ensured.
- the device 300 acquires an access token from the server 100 each time the network service 200 is accessed. However, the device 300 may hold the access token once acquired from the server 100 in the RAM 33 or the storage unit 38 for a certain period of time. If the device 300 receives a network service access request that requires the same access token as the stored one, the device 300 may use it again.
- a device-based security mechanism is used for communication between the devices 300 and between the device 300 and the server 100.
- a device-based security mechanism may not be used.
- a first device a second device, a communication unit capable of communicating with a service on a network having resources relating to a user of the first device;
- a storage unit Based on the acquisition request for the access right to the resource from the first device and the approval information indicating the user's approval for the acquisition of the access right, an access token indicating the access right is sent to the service.
- An information processing apparatus comprising: a control unit capable of controlling the storage unit so as to securely store the received access token.
- the control unit controls the communication unit to access the resource using the stored access token in response to a request from a second device associated with the user.
- the control unit controls the communication unit to transmit the stored access token to the first device or the second device via a secure communication path.
- the first device includes an input device to which an operation necessary for the user to notify the service of the intention of approval is input, and an output device that outputs a screen for the input,
- the second apparatus does not include the input device and the output device.
- the control unit controls the communication unit to receive association information indicating association between the user, the first device, and the second device from the first device, and receives the received information.
- An information processing apparatus that controls the storage unit to store the association information.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Information Transfer Between Computers (AREA)
- Telephonic Communication Services (AREA)
Abstract
Description
(1)ユーザの概念が廃され、どのデバイス/サービスも自由に連携する(例えばDLNA(Digital Living Network Alliance))。
(2)ユーザの手元にある、制御される側のデバイス/サービスを、制御する側のデバイスがユーザ認証し、制御される側のデバイス/サービスはユーザ認証しない(TV番組録画機器へのリモート予約)。
(3)ユーザ認証処理は他のデバイスを経由して実行されるが、デバイス/サービス連携機能が利用されるたびに、それぞれのデバイス/サービス毎にユーザID/パスワードが入力される(例えば、PC上でのネットワークファイル共有)。
(4)上記(3)で、一度入力された他のデバイス/サービス用のID/パスワードが、ユーザの手元のデバイスで記憶され、次回以降自動的にそれが用いられる。
上記第2の機器は上記入力装置及び上記出力装置を有さない
情報処理装置。
上記サーバ装置は、第1の通信部と、記憶部と、第1の制御部とを有する。第1の通信部は、ユーザ機器と、当該ユーザ機器のユーザに関するリソースを有するネットワーク上のサービスと通信可能である。上記制御部は、上記ユーザ機器からの、上記リソースへのアクセス権の取得要求と、当該アクセス権の取得に対する上記ユーザの承認を示す承認情報とに基づいて、上記サービスへ、上記アクセス権を示すアクセストークンの発行要求を送信し、上記サービスから、当該サービスによって発行されたアクセストークンを受信するように上記第1の通信部を制御可能である。また第1の制御部は、記受信されたアクセストークンを安全に記憶するように上記記憶部を制御可能である。
上記情報処理装置は、第2の通信部と、第2の制御部とを有する。上記第2の通信部は、上記サーバ装置及び上記サービスと通信可能である。上記第2の制御部は、上記サーバ装置から、上記記憶されたアクセストークンを安全な通信路を介して受信し、上記受信されたアクセストークンを用いて、上記リソースへアクセスするように上記第2の通信部を制御可能である。
まず、本技術の第1の実施形態を説明する。
図1は、本実施形態に係るシステムのネットワーク構成を示した図である。
図2は、上記サーバ100のハードウェア構成を示した図である。同図に示すように、サーバ100は、CPU(Central Processing Unit)11、ROM(Read Only Memory)12、RAM(Random Access Memory)13、入出力インタフェース15、及び、これらを互いに接続するバス14を備える。
図3は、上記デバイス300のハードウェア構成を示した図である。同図に示すように、デバイス300のハードウェア構成も、上記サーバ100のハードウェア構成と基本的に同様である。すなわち、デバイス300は、CPU31、ROM32、RAM33、入出力インタフェース35、及び、これらを互いに接続するバス34、表示部36、操作受付部37、記憶部38、通信部39を備える。ここで表示部36は、デバイス300に内蔵されていてもよいし、デバイス300に外部接続されていてもよい。
図4は、上記サーバ100が有するソフトウェアモジュールの構成を示した図である。同図に示すように、サーバ100は、データベースマネージャ110、セキュリティマネージャ120及びコミュニケーションマネージャ130の各モジュールマネージャを有する。
図5は、上記デバイス300が有するソフトウェアモジュールの構成を示した図である。同図に示すように、デバイス300は、コミュニケーションマネージャ310、セキュリティマネージャ320、ユーザ/デバイスUIマネージャ330及びサービスUIマネージャ340の各モジュールマネージャを有する。
次に、以上のように構成されたシステムにおけるサーバ100及びデバイス300の動作について説明する。本実施形態及び他の実施形態において、サーバ100及びデバイス300における動作は、CPUと、その制御下において実行される上記各ソフトウェアモジュールとで協働して行われる。
まず、上記ネットワークサービス認証処理について説明する。図6は、本実施形態におけるネットワークサービス認証の概要を示した図である。
次に、上記ネットワークサービス認証により取得されたアクセストークンを利用した、ネットワークサービス200へのアクセス処理について説明する。
以上説明したように、本実施形態では、サーバ100は、デバイス300からの要求によりネットワークサービス200から取得したアクセストークンをサーバ100上に安全に記憶する。
次に、本技術の第2の実施形態を説明する。本実施形態においては、特に説明しない箇所は、上記第1の実施形態と同様の構成である。また本実施形態において、上記第1の実施形態と同様の機能及び構成を有する箇所には同一の符号を付し、その説明を省略または簡略化する。
図12は、本実施形態におけるサーバ100のソフトウェアモジュール構成を示したブロック図である。また図13は、本実施形態におけるデバイス300のソフトウェアモジュール構成を示したブロック図である。
次に、本実施形態におけるサーバ100及びデバイスの動作について説明する。ネットワークサービス認証処理については、上記第1の実施形態と同様である。
図14は、本実施形態におけるデバイス300によるネットワークサービスへのアクセス処理の流れを示したフローチャートである。また図15は、本実施形態におけるサーバ100によるネットワークサービスへのアクセス処理の流れを示したフローチャートである。
以上説明したように、本実施形態によれば、サーバ100側で管理しているアクセストークンを、デバイス300が一時的に取得し、これを用いて直接ネットワークサービス200へアクセスすることができる。これによりネットワークサービス200へのアクセス効率が向上するとともに、サーバ100の負荷が軽減する。
本技術は上述の実施形態にのみ限定されるものではなく、本技術の要旨を逸脱しない範囲内において種々変更され得る。
本技術は以下のような構成も採ることができる。
(1)
第1の機器と、第2の機器と、前記第1の機器のユーザに関するリソースを有するネットワーク上のサービスと通信可能な通信部と、
記憶部と、
前記第1の機器からの、前記リソースへのアクセス権の取得要求と、当該アクセス権の取得に対する前記ユーザの承認を示す承認情報とに基づいて、前記サービスへ、前記アクセス権を示すアクセストークンの発行要求を送信し、前記サービスから、当該サービスによって発行されたアクセストークンを受信するように前記通信部を制御し、
前記受信されたアクセストークンを安全に記憶するように前記記憶部を制御する
ことが可能な制御部と
を具備する情報処理装置。
(2)
上記(1)に記載の情報処理装置であって、
前記制御部は、前記ユーザと関連付けられた第2の機器からの要求に応じて、前記記憶されたアクセストークンを用いて前記リソースへアクセスするように前記通信部を制御する
情報処理装置。
(3)
上記(1)または(2)に記載の情報処理装置であって、
前記制御部は、安全な通信路を介して前記第1の機器または前記第2の機器へ前記記憶されたアクセストークンを送信するように前記通信部を制御する
情報処理装置。
(4)
上記(1)~(3)に記載の情報処理装置であって、
前記第1の機器は、前記ユーザが前記承認の意思を前記サービスへ通知するために必要な操作が入力される入力装置と、当該入力のための画面を出力する出力装置とを有し、
前記第2の機器は前記入力装置及び前記出力装置を有さない
情報処理装置。
(5)
上記(1)~(4)のいずれかに記載の情報処理装置であって、
前記制御部は、前記第1の機器から、前記ユーザと、前記第1の機器と、前記第2の機器との関連付けを示す関連付け情報を受信するように前記通信部を制御し、前記受信された前記関連付け情報を記憶するように前記記憶部を制御する
情報処理装置。
13、33…RAM
18、38…記憶部
19、39…通信部
36…表示部
37…操作受付部
50…WAN
100…サーバ
112…アクセストークン管理部
123…サービス認証処理部
124…サービスアクセス処理部
127…アクセストークン転送処理部
131…通信部
150…ユーザ認証サーバ
200(200A、200B、200C)…ネットワークサービス
300(300A、300B、300C)…デバイス
311…通信部
326…サービス認証部
327…サービスアクセス要求部
328…サービスアクセス部
341…サービスUI部
Claims (8)
- 第1の機器と、第2の機器と、前記第1の機器のユーザに関するリソースを有するネットワーク上のサービスと通信可能な通信部と、
記憶部と、
前記第1の機器からの、前記リソースへのアクセス権の取得要求と、当該アクセス権の取得に対する前記ユーザの承認を示す承認情報とに基づいて、前記サービスへ、前記アクセス権を示すアクセストークンの発行要求を送信し、前記サービスから、当該サービスによって発行されたアクセストークンを受信するように前記通信部を制御し、
前記受信されたアクセストークンを安全に記憶するように前記記憶部を制御する
ことが可能な制御部と
を具備する情報処理装置。 - 請求項1に記載の情報処理装置であって、
前記制御部は、前記ユーザと関連付けられた第2の機器からの要求に応じて、前記記憶されたアクセストークンを用いて前記リソースへアクセスするように前記通信部を制御する
情報処理装置。 - 請求項1に記載の情報処理装置であって、
前記制御部は、安全な通信路を介して前記第1の機器または前記第2の機器へ前記記憶されたアクセストークンを送信するように前記通信部を制御する
情報処理装置。 - 請求項1に記載の情報処理装置であって、
前記第1の機器は、前記ユーザが前記承認の意思を前記サービスへ通知するために必要な操作が入力される入力装置と、当該入力のための画面を出力する出力装置とを有し、
前記第2の機器は前記入力装置及び前記出力装置を有さない
情報処理装置。 - 請求項2に記載の情報処理装置であって、
前記制御部は、前記第1の機器から、前記ユーザと、前記第1の機器と、前記第2の機器との関連付けを示す関連付け情報を受信するように前記通信部を制御し、前記受信された前記関連付け情報を記憶するように前記記憶部を制御する
情報処理装置。 - サーバ装置と情報処理装置とを具備する情報処理システムであって、
前記サーバ装置は、
ユーザ機器と、当該ユーザ機器のユーザに関するリソースを有するネットワーク上のサービスと通信可能な第1の通信部と、
記憶部と、
前記ユーザ機器からの、前記リソースへのアクセス権の取得要求と、当該アクセス権の取得に対する前記ユーザの承認を示す承認情報とに基づいて、前記サービスへ、前記アクセス権を示すアクセストークンの発行要求を送信し、前記サービスから、当該サービスによって発行されたアクセストークンを受信するように前記第1の通信部を制御し、
前記受信されたアクセストークンを安全に記憶するように前記記憶部を制御する
ことが可能な第1の制御部と
を有し、
前記情報処理装置は、
前記サーバ装置及び前記サービスと通信可能な第2の通信部と、
前記サーバ装置から、前記記憶されたアクセストークンを安全な通信路を介して受信し、前記受信されたアクセストークンを用いて、前記リソースへアクセスするように前記第2の通信部を制御可能な第2の制御部と
を有する
情報処理システム。 - 第1の機器から、ネットワーク上のサービスが有する当該第1の機器のユーザに関するリソースへのアクセス権の取得要求と、当該アクセス権の取得に対する前記ユーザの承認を示す承認情報とを受信し、
前記サービスへ、前記アクセス権を示すアクセストークンの発行要求を送信し、
前記サービスから、当該サービスによって発行されたアクセストークンを受信し、
前記受信されたアクセストークンを安全に記憶する
情報処理方法。 - 情報処理装置に、
第1の機器から、ネットワーク上のサービスが有する当該第1の機器のユーザに関するリソースへのアクセス権の取得要求と、当該アクセス権の取得に対する前記ユーザの承認を示す承認情報とを受信するステップと、
前記サービスへ、前記アクセス権を示すアクセストークンの発行要求を送信するステップと、
前記サービスから、当該サービスによって発行されたアクセストークンを受信するステップと、
前記受信されたアクセストークンを安全に記憶するステップと
を実行させるプログラム。
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201380015365.5A CN104169935B (zh) | 2012-03-28 | 2013-01-25 | 信息处理装置、信息处理系统、信息处理方法 |
JP2014507353A JP6098636B2 (ja) | 2012-03-28 | 2013-01-25 | 情報処理装置、情報処理システム、情報処理方法及びプログラム |
US14/383,603 US9760708B2 (en) | 2012-03-28 | 2013-01-26 | Information processing apparatus, information processing system, information processing method, and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2012073374 | 2012-03-28 | ||
JP2012-073374 | 2012-03-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2013145517A1 true WO2013145517A1 (ja) | 2013-10-03 |
Family
ID=49258845
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2013/000390 WO2013145517A1 (ja) | 2012-03-28 | 2013-01-25 | 情報処理装置、情報処理システム、情報処理方法及びプログラム |
Country Status (4)
Country | Link |
---|---|
US (1) | US9760708B2 (ja) |
JP (1) | JP6098636B2 (ja) |
CN (1) | CN104169935B (ja) |
WO (1) | WO2013145517A1 (ja) |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140229739A1 (en) | 2013-02-12 | 2014-08-14 | Amazon Technologies, Inc. | Delayed data access |
JP2015184825A (ja) * | 2014-03-20 | 2015-10-22 | キヤノン株式会社 | 中継装置、通信装置、それらの制御方法、システム、及びプログラム |
JP2015184826A (ja) * | 2014-03-20 | 2015-10-22 | キヤノン株式会社 | 中継装置、中継方法、中継システム、及びプログラム |
JP2016508643A (ja) * | 2013-02-12 | 2016-03-22 | アマゾン テクノロジーズ インコーポレイテッド | データセキュリティサービス |
CN106031085A (zh) * | 2014-02-18 | 2016-10-12 | 三星电子株式会社 | 用于在无线通信系统中传输和接收认证信息的方法和设备 |
US10055594B2 (en) | 2012-06-07 | 2018-08-21 | Amazon Technologies, Inc. | Virtual service provider zones |
US10075295B2 (en) | 2013-02-12 | 2018-09-11 | Amazon Technologies, Inc. | Probabilistic key rotation |
US10075471B2 (en) | 2012-06-07 | 2018-09-11 | Amazon Technologies, Inc. | Data loss prevention techniques |
US10084818B1 (en) | 2012-06-07 | 2018-09-25 | Amazon Technologies, Inc. | Flexibly configurable data modification services |
US10211977B1 (en) | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Secure management of information using a security module |
US10313312B2 (en) | 2013-06-13 | 2019-06-04 | Amazon Technologies, Inc. | Key rotation techniques |
US10467422B1 (en) | 2013-02-12 | 2019-11-05 | Amazon Technologies, Inc. | Automatic key rotation |
US10587405B2 (en) | 2014-06-27 | 2020-03-10 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
JP2020509475A (ja) * | 2017-02-09 | 2020-03-26 | アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited | 信頼できるログイン方法、サーバ、およびシステム |
US10666436B2 (en) | 2013-02-12 | 2020-05-26 | Amazon Technologies, Inc. | Federated key management |
US10721075B2 (en) | 2014-05-21 | 2020-07-21 | Amazon Technologies, Inc. | Web of trust management in a distributed system |
JP2020154447A (ja) * | 2019-03-18 | 2020-09-24 | 富士ゼロックス株式会社 | 情報処理システム及びプログラム |
US11036869B2 (en) | 2013-02-12 | 2021-06-15 | Amazon Technologies, Inc. | Data security with a security module |
JP2022070968A (ja) * | 2015-11-12 | 2022-05-13 | エムエックス・テクノロジーズ・インコーポレーテッド | 分散された、非集中化されたデータ集約 |
US11626996B2 (en) | 2014-09-15 | 2023-04-11 | Amazon Technologies, Inc. | Distributed system web of trust provisioning |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9536065B2 (en) * | 2013-08-23 | 2017-01-03 | Morphotrust Usa, Llc | System and method for identity management |
JP6322976B2 (ja) * | 2013-11-29 | 2018-05-16 | 富士通株式会社 | 情報処理装置及びユーザ認証方法 |
US10395024B2 (en) * | 2014-03-04 | 2019-08-27 | Adobe Inc. | Authentication for online content using an access token |
US10484345B2 (en) * | 2014-07-31 | 2019-11-19 | Visa International Service Association | System and method for identity verification across mobile applications |
CN110214437B (zh) * | 2016-12-07 | 2023-04-14 | 马维尔亚洲私人有限公司 | 用于存储器访问令牌重新分配的系统和方法 |
EP3355141B1 (de) * | 2017-01-27 | 2019-03-06 | Siemens Aktiengesellschaft | Operator-system für ein prozessleitsystem |
US10334659B2 (en) * | 2017-05-09 | 2019-06-25 | Verizon Patent And Licensing Inc. | System and method for group device access to wireless networks |
GB2565270B (en) | 2017-07-03 | 2022-08-31 | Arm Ip Ltd | Secure server and compute nodes |
IL253632B (en) * | 2017-07-24 | 2022-01-01 | Sensepass Ltd | A system and method for distance-based secure communication over an unsecured communication channel |
JP6381837B1 (ja) * | 2018-01-17 | 2018-08-29 | 株式会社Cygames | 通信を行うためのシステム、プログラム、方法及びサーバ |
JP7247692B2 (ja) * | 2019-03-22 | 2023-03-29 | 富士フイルムビジネスイノベーション株式会社 | トークン管理装置及びトークン管理プログラム |
CN114866247B (zh) * | 2022-04-18 | 2024-01-02 | 杭州海康威视数字技术股份有限公司 | 一种通信方法、装置、系统、终端及服务器 |
CN114900344A (zh) * | 2022-04-26 | 2022-08-12 | 四川智能建造科技股份有限公司 | 一种身份认证方法、系统、终端及计算机可读存储介质 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011080874A1 (ja) * | 2009-12-28 | 2011-07-07 | 日本電気株式会社 | ユーザ情報活用システム、装置、方法およびプログラム |
WO2012017561A1 (ja) * | 2010-08-06 | 2012-02-09 | 富士通株式会社 | 仲介処理方法、仲介装置及びシステム |
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
BRPI0513195A (pt) * | 2004-07-09 | 2008-04-29 | Matsushita Electric Ind Co Ltd | sistemas para administrar autenticação e autorização de usuário, e para suportar o usuário, métodos para administrar autenticação e autorização de usuário, para acessar serviços de múltiplas redes, para o controlador de autenticação processar uma mensagem de pedido de autenticação, selecionar a combinação de controladores de autenticação do resultado de busca, autenticar um usuário, e descobrir o caminho a um domìnio tendo relação empresarial com o domìnio doméstico, para o controlador de autorização processar a mensagem de pedido de autorização de serviço, e executar autorização de serviço, para um controlador de autenticação e autorização executar autenticação e autorização de serviço, para proteger o sìmbolo de usuário, e para a autoridade de controle de acesso no domìnio doméstico do usuário prover ao controlador de autenticação uma informação de perfil de assinatura limitada do usuário, para alcançar autenticação e autorização rápidas, e para alcançar registro único para acessar múltiplas redes, e, formatos para informação de capacidade de assinatura, para um sìmbolo de usuário, para um domìnio tendo relação empresarial com o domìnio doméstico de um usuário para pedir afirmação de autenticação e de autorização, e para um terminal de usuário indicar suas credenciais para acessar múltiplas redes em múltiplos domìnios administrativos |
US20060119883A1 (en) * | 2004-10-08 | 2006-06-08 | Sharp Laboratories Of America, Inc. | Methods and systems for imaging device credential consolidation |
JP2008529184A (ja) * | 2005-02-04 | 2008-07-31 | コーニンクレッカ フィリップス エレクトロニクス エヌ ヴィ | 認可ドメインを作成する方法、装置、システム及びトークン |
US20090007250A1 (en) * | 2007-06-27 | 2009-01-01 | Microsoft Corporation | Client authentication distributor |
AU2009294815B2 (en) * | 2008-09-16 | 2015-10-29 | Telefonaktiebolaget Lm Ericsson (Publ) | Key management in a communication network |
CN101771677B (zh) * | 2008-12-31 | 2013-08-07 | 华为技术有限公司 | 一种向访问用户提供资源的方法、服务器和系统 |
US8364970B2 (en) * | 2009-02-18 | 2013-01-29 | Nokia Corporation | Method and apparatus for providing enhanced service authorization |
JP5440210B2 (ja) | 2010-01-28 | 2014-03-12 | 富士通株式会社 | アクセス制御プログラム、アクセス制御方法およびアクセス制御装置 |
US20110231912A1 (en) * | 2010-03-19 | 2011-09-22 | Salesforce.Com, Inc. | System, method and computer program product for authenticating a mobile device using an access token |
US9965613B2 (en) * | 2010-12-03 | 2018-05-08 | Salesforce.Com, Inc. | Method and system for user session discovery |
US8868915B2 (en) * | 2010-12-06 | 2014-10-21 | Verizon Patent And Licensing Inc. | Secure authentication for client application access to protected resources |
ES2694423T3 (es) * | 2011-03-08 | 2018-12-20 | Telefónica S.A. | Un método para proporcionar acceso autorizado a una aplicación de servicio con el fin de usar un recurso protegido de un usuario final |
US8533796B1 (en) * | 2011-03-16 | 2013-09-10 | Google Inc. | Providing application programs with access to secured resources |
US9405896B2 (en) * | 2011-04-12 | 2016-08-02 | Salesforce.Com, Inc. | Inter-application management of user credential data |
US8544069B1 (en) * | 2011-04-29 | 2013-09-24 | Intuit Inc. | Methods systems and articles of manufacture for implementing user access to remote resources |
US8650622B2 (en) * | 2011-07-01 | 2014-02-11 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and arrangements for authorizing and authentication interworking |
US8732814B2 (en) * | 2011-08-15 | 2014-05-20 | Bank Of America Corporation | Method and apparatus for token-based packet prioritization |
US8996887B2 (en) * | 2012-02-24 | 2015-03-31 | Google Inc. | Log structured volume encryption for virtual machines |
WO2013145518A1 (ja) * | 2012-03-28 | 2013-10-03 | ソニー株式会社 | 情報処理装置、情報処理システム、情報処理方法及びプログラム |
US9256722B2 (en) * | 2012-07-20 | 2016-02-09 | Google Inc. | Systems and methods of using a temporary private key between two devices |
-
2013
- 2013-01-25 WO PCT/JP2013/000390 patent/WO2013145517A1/ja active Application Filing
- 2013-01-25 CN CN201380015365.5A patent/CN104169935B/zh not_active Expired - Fee Related
- 2013-01-25 JP JP2014507353A patent/JP6098636B2/ja not_active Expired - Fee Related
- 2013-01-26 US US14/383,603 patent/US9760708B2/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011080874A1 (ja) * | 2009-12-28 | 2011-07-07 | 日本電気株式会社 | ユーザ情報活用システム、装置、方法およびプログラム |
WO2012017561A1 (ja) * | 2010-08-06 | 2012-02-09 | 富士通株式会社 | 仲介処理方法、仲介装置及びシステム |
Non-Patent Citations (2)
Title |
---|
RYU WATANABE ET AL.: "An Investigation of the Platform Technology for Mobile Terminals", THE JOURNAL OF THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS, vol. 94, no. 9, 1 September 2011 (2011-09-01), pages 827 - 843 * |
TAKAO OGURA ET AL.: "Proposal of Secure Data/ Service Collaboration Method among Public Clouds", IEICE TECHNICAL REPORT, vol. 111, no. 146, 14 July 2011 (2011-07-14), pages 69 - 74 * |
Cited By (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10055594B2 (en) | 2012-06-07 | 2018-08-21 | Amazon Technologies, Inc. | Virtual service provider zones |
US10834139B2 (en) | 2012-06-07 | 2020-11-10 | Amazon Technologies, Inc. | Flexibly configurable data modification services |
US10474829B2 (en) | 2012-06-07 | 2019-11-12 | Amazon Technologies, Inc. | Virtual service provider zones |
US10084818B1 (en) | 2012-06-07 | 2018-09-25 | Amazon Technologies, Inc. | Flexibly configurable data modification services |
US10075471B2 (en) | 2012-06-07 | 2018-09-11 | Amazon Technologies, Inc. | Data loss prevention techniques |
US10382200B2 (en) | 2013-02-12 | 2019-08-13 | Amazon Technologies, Inc. | Probabilistic key rotation |
US10467422B1 (en) | 2013-02-12 | 2019-11-05 | Amazon Technologies, Inc. | Automatic key rotation |
US11372993B2 (en) | 2013-02-12 | 2022-06-28 | Amazon Technologies, Inc. | Automatic key rotation |
JP2016508643A (ja) * | 2013-02-12 | 2016-03-22 | アマゾン テクノロジーズ インコーポレイテッド | データセキュリティサービス |
US11036869B2 (en) | 2013-02-12 | 2021-06-15 | Amazon Technologies, Inc. | Data security with a security module |
US10211977B1 (en) | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Secure management of information using a security module |
US10210341B2 (en) | 2013-02-12 | 2019-02-19 | Amazon Technologies, Inc. | Delayed data access |
US10666436B2 (en) | 2013-02-12 | 2020-05-26 | Amazon Technologies, Inc. | Federated key management |
US11695555B2 (en) | 2013-02-12 | 2023-07-04 | Amazon Technologies, Inc. | Federated key management |
US20140229739A1 (en) | 2013-02-12 | 2014-08-14 | Amazon Technologies, Inc. | Delayed data access |
US10404670B2 (en) | 2013-02-12 | 2019-09-03 | Amazon Technologies, Inc. | Data security service |
US10075295B2 (en) | 2013-02-12 | 2018-09-11 | Amazon Technologies, Inc. | Probabilistic key rotation |
US10601789B2 (en) | 2013-06-13 | 2020-03-24 | Amazon Technologies, Inc. | Session negotiations |
US10313312B2 (en) | 2013-06-13 | 2019-06-04 | Amazon Technologies, Inc. | Key rotation techniques |
US11470054B2 (en) | 2013-06-13 | 2022-10-11 | Amazon Technologies, Inc. | Key rotation techniques |
US11323479B2 (en) | 2013-07-01 | 2022-05-03 | Amazon Technologies, Inc. | Data loss prevention techniques |
CN106031085B (zh) * | 2014-02-18 | 2019-07-12 | 三星电子株式会社 | 用于在无线通信系统中传输和接收认证信息的方法和设备 |
US10708774B2 (en) | 2014-02-18 | 2020-07-07 | Samsung Electronics Co., Ltd. | Method and device for transmitting and receiving authentication information in wireless communication system |
CN106031085A (zh) * | 2014-02-18 | 2016-10-12 | 三星电子株式会社 | 用于在无线通信系统中传输和接收认证信息的方法和设备 |
JP2015184826A (ja) * | 2014-03-20 | 2015-10-22 | キヤノン株式会社 | 中継装置、中継方法、中継システム、及びプログラム |
JP2015184825A (ja) * | 2014-03-20 | 2015-10-22 | キヤノン株式会社 | 中継装置、通信装置、それらの制御方法、システム、及びプログラム |
US10158418B2 (en) | 2014-03-20 | 2018-12-18 | Canon Kabushiki Kaisha | Relay apparatus, communication apparatus, control methods thereof, system, and non-transitory computer-readable storage medium |
US10721075B2 (en) | 2014-05-21 | 2020-07-21 | Amazon Technologies, Inc. | Web of trust management in a distributed system |
US10587405B2 (en) | 2014-06-27 | 2020-03-10 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
US11368300B2 (en) | 2014-06-27 | 2022-06-21 | Amazon Technologies, Inc. | Supporting a fixed transaction rate with a variably-backed logical cryptographic key |
US11626996B2 (en) | 2014-09-15 | 2023-04-11 | Amazon Technologies, Inc. | Distributed system web of trust provisioning |
JP2022070968A (ja) * | 2015-11-12 | 2022-05-13 | エムエックス・テクノロジーズ・インコーポレーテッド | 分散された、非集中化されたデータ集約 |
JP7460670B2 (ja) | 2015-11-12 | 2024-04-02 | エムエックス・テクノロジーズ・インコーポレーテッド | 分散された、非集中化されたデータ集約 |
US11212271B2 (en) | 2017-02-09 | 2021-12-28 | Advanced New Technologies Co., Ltd. | Trusted login of user accounts |
US11057363B2 (en) | 2017-02-09 | 2021-07-06 | Advanced New Technologies Co., Ltd. | Trusted login of user accounts |
JP2020509475A (ja) * | 2017-02-09 | 2020-03-26 | アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited | 信頼できるログイン方法、サーバ、およびシステム |
JP2020154447A (ja) * | 2019-03-18 | 2020-09-24 | 富士ゼロックス株式会社 | 情報処理システム及びプログラム |
JP7200776B2 (ja) | 2019-03-18 | 2023-01-10 | 富士フイルムビジネスイノベーション株式会社 | 情報処理システム及びプログラム |
Also Published As
Publication number | Publication date |
---|---|
CN104169935B (zh) | 2017-10-31 |
JP6098636B2 (ja) | 2017-03-22 |
US9760708B2 (en) | 2017-09-12 |
CN104169935A (zh) | 2014-11-26 |
JPWO2013145517A1 (ja) | 2015-12-10 |
US20150101032A1 (en) | 2015-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6098636B2 (ja) | 情報処理装置、情報処理システム、情報処理方法及びプログラム | |
US9191394B2 (en) | Protecting user credentials from a computing device | |
JP6056384B2 (ja) | システム及びサービス提供装置 | |
EP2883340B1 (en) | Authorization method, apparatus, and system | |
US7941831B2 (en) | Dynamic update of authentication information | |
US9038138B2 (en) | Device token protocol for authorization and persistent authentication shared across applications | |
EP3148160B1 (en) | Information processing apparatus, information processing method, and program | |
US10356079B2 (en) | System and method for a single sign on connection in a zero-knowledge vault architecture | |
US20180332137A1 (en) | Information processing apparatus, system, information processing method, and program | |
TW201516729A (zh) | 終端驗證登記系統、終端驗證登記方法及記錄媒體 | |
US11824942B2 (en) | Communication system, information processing apparatus, and information processing method | |
WO2017094774A1 (ja) | 制御システム、通信制御方法、及びプログラム | |
JP2013251835A (ja) | 情報処理装置、情報処理システム、情報処理方法及びプログラム | |
US20240089249A1 (en) | Method and system for verification of identify of a user | |
JP2017084378A (ja) | クラウドサービス提供システム及びクラウドサービス提供方法 | |
WO2016095449A1 (zh) | 一种虚拟桌面的显示方法、终端和存储介质 | |
JPWO2013042412A1 (ja) | 通信システム、通信方法、及びプログラム | |
US9565174B2 (en) | Information processing server system, control method, and program | |
JP5749222B2 (ja) | アクセス許可制御システム、アクセス許可制御方法 | |
US11924286B2 (en) | Encrypted communication processing apparatus, encrypted communication processing system, and non-transitory recording medium | |
JP6162611B2 (ja) | 通信制御サーバ、通信制御方法、及びプログラム | |
JP6880579B2 (ja) | 情報提供システム | |
JP6334275B2 (ja) | 認証装置、認証方法、認証プログラム、及び認証システム | |
JP2020086775A (ja) | 端末装置、認証支援装置及びプログラム | |
JP2010146039A (ja) | 画面転送方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 13768942 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2014507353 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 14383603 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 13768942 Country of ref document: EP Kind code of ref document: A1 |