WO2020213643A1 - Network system, device and processing method - Google Patents

Network system, device and processing method

Info

Publication number
WO2020213643A1
Authority
WO
WIPO (PCT)
Prior art keywords
zone
devices
digital certificate
address
network system
Prior art date
Legal status
Ceased
Application number
PCT/JP2020/016576
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
久利寿 帝都
Current Assignee
Connectfree Corp
Original Assignee
Connectfree Corp
Priority date
Filing date
Publication date
Events
Application filed by Connectfree Corp
Priority to EP20791230.4A (EP3958500A4)
Priority to US17/604,716 (US12022008B2)
Publication of WO2020213643A1
Anticipated expiration
Priority to US18/667,367 (US12388659B2)
Priority to US19/271,695 (US20250343702A1)
Current legal status: Ceased

Classifications

    • H04L 9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] (H > H04 > H04L > H04L 9/00 > H04L 9/32 > H04L 9/3263)
    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements (H > H04 > H04L > H04L 9/00 > H04L 9/32)
    • H04L 63/0442: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (H > H04 > H04L > H04L 63/00 > H04L 63/04 > H04L 63/0428)
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates (H > H04 > H04L > H04L 63/00 > H04L 63/08)
    • H04L 63/107: Network architectures or network communication protocols for network security for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entities' privileges depend on current location or allowing specific operations only from locally connected terminals (H > H04 > H04L > H04L 63/00 > H04L 63/10)
    • H04W 12/069: Security arrangements; Authentication; Protecting privacy or anonymity: Authentication using certificates or pre-shared keys (H > H04 > H04W > H04W 12/00 > H04W 12/06)
    • H04L 2101/69: Indexing scheme associated with group H04L 61/00: Types of network addresses using geographic information, e.g. room number (H > H04 > H04L > H04L 2101/00 > H04L 2101/60)
    • H04L 61/5007: Network arrangements, protocols or services for addressing or naming; Address allocation; Internet protocol [IP] addresses (H > H04 > H04L > H04L 61/00 > H04L 61/50)
    • H04L 61/5092: Network arrangements, protocols or services for addressing or naming; Address allocation by self-assignment, e.g. picking addresses at random and testing if they are already in use (H > H04 > H04L > H04L 61/00 > H04L 61/50)
    • H04L 67/52: Network arrangements or protocols for supporting network services or applications; Network services specially adapted for the location of the user terminal (H > H04 > H04L > H04L 67/00 > H04L 67/50)
    • H04L 67/62: Network arrangements or protocols for supporting network services or applications; Network services; Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources; Establishing a time schedule for servicing the requests (H > H04 > H04L > H04L 67/00 > H04L 67/50 > H04L 67/60)

Definitions

  • This disclosure relates to a network system made up of devices that have authenticated IP addresses, to such a device, and to a processing method in that network system.
  • ICT: information and communication technology
  • Patent Document 1 discloses geolocation as a technique for identifying the actual geographic location of a computer, mobile device, website visitor or other entity connected to the Internet.
  • Patent Document 1 discloses a technique for supporting the update of location information when the IP (Internet Protocol) address assigned to a general household customer changes.
  • IP: Internet Protocol
  • This disclosure addresses such problems by adopting a framework built on authenticated IP addresses, and provides a solution that can offer various services using location information.
  • a network system including a plurality of devices.
  • Each of the plurality of devices includes a communication unit for data communication with other devices, a storage unit that stores a digital certificate including a public key used to determine the IP address of the device itself, and a decision unit that determines the IP address of another device based on the public key contained in the digital certificate received from that other device.
  • the digital certificate contains location information associated with the corresponding device.
  • the location information may indicate any one of the zones produced by hierarchically dividing a zone.
  • the location information may consist of a code that reflects the hierarchical structure of the target zone.
  • Any one of the plurality of devices may request the location information to be set in itself from another device associated with a zone higher than the zone indicated by its own location information.
  • the network system may further include a certificate authority that signs a digital certificate to be stored in the request source in response to a request from any of the plurality of devices.
  • Any one of the plurality of devices may exchange digital certificates with another device to establish a session, and then transmit information generated or collected by itself to that other device.
  • A first device among the plurality of devices may be configured to manage resources associated with it and, in response to a request from a second device among the plurality of devices, to allocate at least a portion of the resources it manages. Information on the resource allocation may be shared between the first device and the second device.
  • Any one of the plurality of devices may respond to a request regarding a current position from another device with specific information identifying the device associated with that current position.
  • Any one of the plurality of devices may include a function of managing value that serves as the price of a product or service.
  • A device constituting the network system has a communication unit for data communication with other devices, a storage unit that stores a digital certificate including a public key used to determine the IP address of the device itself, and a decision unit that determines the IP address of another device based on the public key contained in the digital certificate received from that other device.
  • the digital certificate contains location information associated with the corresponding device.
  • A processing method in a network system including a first and a second device includes a step in which the first device transmits to the second device a first digital certificate including a first public key for determining the IP address of the first device, a step in which the second device determines the IP address of the first device based on the first public key included in the first digital certificate received from the first device, and the second device is the second device.
  • the digital certificate contains location information associated with the corresponding device.
  • According to the present disclosure, it is possible to acquire authenticated location information of a device and to provide various services using that authenticated location information.
  • FIG. 1 is a schematic diagram showing an example of an application using the location information provided by the network system according to this embodiment.
    • A sequence diagram shows the processing procedure for realizing the application shown in FIG.
    • A schematic diagram shows another example of an application using the location information provided by the network system according to this embodiment.
    • A schematic diagram shows a system configuration example for realizing the application shown in FIG.
    • A schematic diagram illustrates resource management in the application shown in FIG.
    • A figure shows an example of the ticket information used in the application shown in FIG.
    • A sequence diagram shows the processing procedure for realizing the application shown in FIG.
    • A schematic diagram shows still another example of an application using the location information provided by the network system according to this embodiment.
    • A schematic diagram shows route selection using the application shown in FIG.
    • A sequence diagram shows the processing procedure for realizing the application shown in FIG.
  • the network system 1 has a function of managing and providing location information of one or a plurality of devices.
  • FIG. 1 is a schematic diagram showing an example of the overall configuration of the network system 1 according to the present embodiment.
  • the network system 1 includes a plurality of devices 10, each of which is associated with a physical location or range.
  • the position or range associated with each device 10 may be the position or range in which each device 10 actually exists, or the position or range in which each device 10 provides management or service.
  • devices 10A1, 10B1, 10C1 exist in association with the three zones A, B, and C.
  • devices 10A2, 10A3 and 10A4 further exist in zone A
  • devices 10B2, 10B3, 10B4 and 10B5 further exist in zone B
  • devices 10C2, 10C3 and 10C4 further exist in zone C.
  • each device may be collectively referred to simply as "device 10".
  • the location information associated with each device 10 can be determined and provided.
  • Each device 10 has an authenticated IP address.
  • An "authenticated IP address" means a state in which the validity of the IP address held by each device 10 is guaranteed to the communication peer or to a third party. More specifically, an "authenticated IP address" means an IP address generated by an irreversible cryptographic hash function and authenticated, directly or indirectly, by a certificate authority 2 (details are described later). By using such an "authenticated IP address", it can be guaranteed that the IP address used by each device 10 for data communication is not spoofed.
  • Any device 10 included in the network system 1 is uniquely identified based on its IP address. That is, since the IP address of each device itself serves as the identification information for that device, the location information and related information can be determined and provided based on this identification information (that is, the IP address) of each device 10.
  • the IP address is assumed to be a global IP address that can also be used for data communication between devices 10 connected to the Internet, but it may be a private IP address that is used only within a specific network.
  • the number of bits that make up an IP address differs depending on the version.
  • the currently established IPv4 (Internet Protocol Version 4) defines a 32-bit address field
  • the currently established IPv6 (Internet Protocol Version 6) defines a 128-bit address field.
  • In the following, IP addresses according to IPv6 are mainly described.
  • the present disclosure is also applicable to a network address specified by a larger number of bits or a network address specified by a smaller number of bits.
  • the "device” includes any device having a function of performing data communication with another device using the IP address of each device.
  • the device 10 may be configured as a single communication device, as a part of some object, or incorporated in some object.
  • The device 10 may be, for example, a personal computer, a smartphone, a tablet, or a wearable device (for example, a smart watch or AR glasses) worn on the user's body (for example, an arm or head). Further, the device 10 may be a control device installed in a smart home appliance, a connected automobile, or a factory, or a part thereof.
  • the network system 1 may further include one or more certificate authorities 2.
  • Each of the certificate authorities 2 may be a computer composed of one or more servers.
  • One or a plurality of certificate authorities 2 may be used to authenticate the IP address of each device 10.
  • any device 10 may be in charge of all or part of the functions provided by the certificate authority 2.
  • The devices 10 are connected to each other, and each device 10 to the certificate authority 2, so as to be capable of data communication via any wired or wireless communication.
  • a kind of peer-to-peer connection is used for communication between the devices 10 and communication between the device 10 and the certificate authority 2.
  • Any protocol including TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) can be adopted for this communication.
  • Each of the device 10 and the certificate authority 2 connected to the network can be regarded as a "node" of the network, and in the following description, each of the device 10 and the certificate authority 2 may be referred to as a "node".
  • FIG. 2 is a schematic diagram showing a hardware configuration example of the device 10 included in the network system 1 according to the present embodiment.
  • the device 10 includes a control unit 110, which is a processing circuitry, as a main component.
  • the control unit 110 is a calculation subject for providing functions and executing processing according to the present embodiment.
  • The control unit 110 may be configured with a processor and a memory, as shown in FIG., so that the processor executes computer-readable instructions stored in the memory.
  • The control unit 110 may be realized using a hard-wired logic circuit such as an ASIC (Application Specific Integrated Circuit) into which a circuit corresponding to the computer-readable instructions is built.
  • The control unit 110 may be realized by implementing a circuit corresponding to the computer-readable instructions on an FPGA (field-programmable gate array).
  • the control unit 110 may be realized by appropriately combining a processor, a memory, an ASIC, an FPGA, and the like.
  • control unit 110 includes a processor 102, a main memory 104, a storage 106, and a ROM (Read Only Memory) 108.
  • the processor 102 is an arithmetic circuit that sequentially reads and executes computer-readable instructions.
  • the processor 102 is composed of, for example, a CPU (Central Processing Unit), an MPU (Micro Processing Unit), a GPU (Graphics Processing Unit), and the like.
  • the control unit 110 may be realized by using a plurality of processors 102 (multiprocessor configuration), or the control unit 110 may be realized by using a processor having a plurality of cores (multicore configuration).
  • the main memory 104 is a volatile storage device such as a DRAM (Dynamic Random Access Memory) or a SRAM (Static Random Access Memory).
  • The processor 102 loads a designated program among the various programs stored in the storage 106 or the ROM 108 into the main memory 104 and, in cooperation with the main memory 104, realizes the various processes according to the present embodiment.
  • the storage 106 is, for example, a non-volatile storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a flash memory.
  • the storage 106 stores various programs executed by the processor 102 and various data as described later.
  • the ROM 108 fixedly stores various programs executed by the processor 102 and various data as described later.
  • the device 10 further includes a network interface 120 for connecting the device 10 to the network.
  • the network interface 120 corresponds to a communication unit for performing data communication with another device 10 via the network.
  • the network interface 120 includes, for example, a wired connection terminal such as an Ethernet (registered trademark) port, a USB (Universal Serial Bus) port, a serial port such as IEEE 1394, and a legacy parallel port.
  • the network interface 120 may include processing circuits and antennas for wireless communication with devices, routers, mobile base stations and the like.
  • The wireless communication supported by the network interface 120 may be any of, for example, Wi-Fi (registered trademark), Bluetooth (registered trademark), ZigBee (registered trademark), LPWA (Low Power Wide Area), GSM (registered trademark), W-CDMA, CDMA2000, LTE (Long Term Evolution), and the 5th generation mobile communication system (5G).
  • 5G: 5th generation mobile communication system
  • the device 10 may include an internal interface 130, an input unit 140, and an output unit 150 as optional components.
  • the internal interface 130 performs data communication with the target object when the device 10 is configured as a part of some object or incorporated in some object.
  • the internal interface 130 includes, for example, a wired connection terminal such as a USB (Universal Serial Bus) port, a serial port such as IEEE 1394, and a legacy parallel port.
  • the internal interface 130 may include a circuit such as an analog / digital conversion circuit that captures an electric signal.
  • the input unit 140 is a component for receiving an input operation of a user who operates the device 10.
  • the input unit 140 may be, for example, a keyboard, a mouse, a touch panel arranged on the display device, an operation button arranged in the housing of the device 10, or the like.
  • the output unit 150 is a component for presenting the processing result of the processor 102 to the outside.
  • the output unit 150 may be, for example, an LCD (Liquid Crystal Display) or an organic EL (Electro-Luminescence) display. Further, the output unit 150 may be a head-mounted display mounted on the user's head, or may be a projector that projects an image on the screen. Alternatively, the output unit 150 may be an indicator or the like arranged in the housing of the device 10.
  • Since the input unit 140 and the output unit 150 are optional components, they may be connected from outside the device 10 via an arbitrary interface such as USB.
  • The device 10 may further include components for reading various programs (computer-readable instructions) and/or various data from non-transitory media on which such programs and/or data are stored.
  • the media may be, for example, an optical media such as a DVD (Digital Versatile Disc), a semiconductor media such as a USB memory, or the like.
  • the necessary programs and data may be installed on the device 10 from the distribution server on the network. In this case, the necessary programs and data are acquired via the network interface 120.
  • The technical scope of the present application includes at least the hardware and/or software that realizes the control unit 110, which provides the functions and executes the processing according to the present embodiment.
  • the hardware may include not only a configuration including a processor and a memory, but also a configuration using a hard-wired circuit using an ASIC or the like or a configuration using an FPGA. That is, the control unit 110 can be realized by installing a program on a general-purpose computer, or can be realized as a dedicated chip.
  • the software executed by the processor may include not only the software distributed via the media but also the software appropriately downloaded via the distribution server.
  • The control unit 110 shown in FIG. 2 can be implemented using any technology available at the time it is realized.
  • The IP address of each device 10 is authenticated using a public key infrastructure (PKI).
  • PKI: public key infrastructure
  • FIG. 3 is a diagram for explaining an example of IP address authentication processing in the network system 1 according to the present embodiment.
  • the device 10 has a key pair consisting of a private key 160 and a public key 162.
  • the hash value 166 is calculated by inputting the public key 162 into the predetermined hash function 164, and all or part of the calculated hash value 166 is used as the IP address 168 of the device 10.
  • Consequently, the IP address 168 of the device 10 that is the source of a public key 162 can be uniquely determined from the public key 162 obtained from that other device 10.
  • The public key 162 is transmitted together with, or incorporated in, the digital certificate 170, so the legitimacy of the public key 162 (and thus of the determined IP address 168) can be secured on the basis of the digital certificate 170. That is, the devices 10 share a predetermined hash function 164, and each device 10 has logic to determine the IP address of another device 10 based on the public key 162 included in the digital certificate 170 received from that other device.
  • Because the IP address 168 itself can be authenticated and each device holds its own authenticated IP address 168, an independent network can be built without relying on IP addresses statically or dynamically assigned to each device by some external party.
  • the private key 160 and the public key 162, which are the key pairs, may be created by the device 10 itself, or may be provided from the outside and stored in the device 10 in advance. When provided from the outside, the device 10 may acquire only the private key 160 and generate the public key 162 by itself.
  • The private key 160 is, for example, a bit string of a predetermined length (for example, 512 bits), and a known cryptographic algorithm (for example, elliptic curve cryptography) may be used to generate from it a public key 162 consisting of a bit string of a predetermined length (for example, 256 bits).
  • The random number generator used here may be realized using a function provided by the OS, or using a hard-wired circuit such as an ASIC.
  • the hash function 164 calculates a hash value 166 composed of a bit string (for example, 256 bits) having a predetermined length.
  • Not only the public key 162 but also an arbitrary keyword may be input to the hash function 164.
  • As the keyword, a message associated with a predetermined organization may be used.
  • For example, a message including the name of a trademark owned by the predetermined organization may be used.
  • Example of the name of a registered trademark owned by a predetermined organization: "connectFree"
  • All or part of the hash value 166 calculated by the hash function 164 is used as the IP address 168.
  • For example, when a 256-bit hash value 166 (64 hexadecimal digits) is calculated, any 32 of the 64 digits (for example, the first 32) may be used as the 128-bit IP address 168 corresponding to IPv6. Alternatively, the first eight digits of the 64-digit hash value 166 may be used as the 32-bit IP address 168 corresponding to IPv4.
  • Alternatively, the hash function 164 may calculate a 128-bit hash value 166 to match the 128-bit IP address 168 of IPv6; in this case the entire calculated hash value 166 can be used as the IPv6 address 168.
  • The determined IP address may include a predetermined unique value (unique character string) for identification.
  • the first two digits (first and second digits from the beginning) of the IP address 168 in hexadecimal representation may be fixed to a predetermined unique character string (for example, "FC").
  • a value (type identification information) indicating the type of the device 10 may be embedded in the third and fourth digits from the beginning of the IP address 168 in hexadecimal representation.
  • Since the hash function 164 is a one-way function, the public key 162 cannot be computed back from the IP address 168. Therefore, the private key 160 and the public key 162 may be generated repeatedly until the determined IP address 168 satisfies a predetermined condition (here, that all or part of the first four digits take predetermined values).
  • By including such a predetermined unique value in the IP address 168, a third party can judge whether the IP address 168 of a device 10 is one that the device 10 determined for itself in this way. Further, by including a value indicating the type of the device 10 in the IP address 168, a third party can identify the type of the device 10 from the determined IP address 168.
  • Example of a predetermined unique value: the first two digits being "FC"
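The following is an added worked example of the address derivation and the peer check described above; it is not code from the patent or from Connectfree. It assumes SHA-256 as the shared hash function 164, the first 128 bits of the digest as the IPv6 address 168, "fc" as the fixed first two hex digits, a device type code in hex digits 3 and 4, and a standard-library stand-in in place of a real elliptic-curve key derivation.

```python
"""Authenticated IP address derivation and verification (added example).

ASSUMPTIONS (not from the patent text): SHA-256 as hash function 164, first
128 bits of the digest as the IPv6 address 168, fixed prefix "fc", device
type in hex digits 3-4, and a SHA-256 stand-in for EC public-key derivation.
"""
import hashlib
import ipaddress
import secrets
from typing import Optional, Tuple

KEYWORD = b"connectFree"   # optional extra hash input, as the text allows
PREFIX_HEX = "fc"          # fixed first two hex digits (page example: "FC")


def derive_public_key(private_key: bytes) -> bytes:
    """Stand-in for elliptic-curve key derivation (ASSUMPTION).

    The patent derives a 256-bit public key from a 512-bit private key with a
    known algorithm such as elliptic-curve cryptography. A real deployment
    would use an EC library; here a one-way SHA-256 of the private key yields
    a deterministic 256-bit value so the example runs with the stdlib only.
    """
    return hashlib.sha256(b"pubkey-stand-in:" + private_key).digest()


def derive_ip_address(public_key: bytes,
                      keyword: bytes = KEYWORD) -> ipaddress.IPv6Address:
    """Hash public key (+ keyword); keep the first 128 bits as the address."""
    digest = hashlib.sha256(public_key + keyword).digest()  # hash value 166
    # Note: an "fc" first byte places the address in fc00::/8, part of the
    # IPv6 unique local range fc00::/7, which is not routed on the public
    # Internet; a deployment wanting global reachability must account for it.
    return ipaddress.IPv6Address(digest[:16])               # first 32 hex digits


def device_type_of(address: ipaddress.IPv6Address) -> Optional[int]:
    """Return the type code in hex digits 3-4, or None if the prefix is wrong."""
    hex32 = address.packed.hex()
    if hex32[:2] != PREFIX_HEX:
        return None
    return int(hex32[2:4], 16)


def generate_key_pair(device_type: int,
                      max_attempts: int = 2_000_000) -> Tuple[bytes, bytes]:
    """Regenerate keys until the derived address carries "fc" + device type.

    The hash is one-way, so the only way to obtain an address with the wanted
    first four hex digits is to retry key generation until it fits; with two
    fixed bytes this takes about 65,536 attempts on average.
    """
    for _ in range(max_attempts):
        private_key = secrets.token_bytes(64)        # 512-bit random private key
        public_key = derive_public_key(private_key)
        if device_type_of(derive_ip_address(public_key)) == device_type:
            return private_key, public_key
    raise RuntimeError("no key pair found within the attempt budget")


def peer_address_is_authentic(claimed: ipaddress.IPv6Address,
                              cert_public_key: bytes,
                              expected_type: Optional[int] = None) -> bool:
    """Decision-unit check on a received certificate.

    The address a peer uses as its source must equal the address its certified
    public key hashes to; otherwise the address is spoofed or the certificate
    belongs to someone else. Optionally also pin the embedded device type.
    (Verifying the certificate authority signature itself is a separate step.)
    """
    derived = derive_ip_address(cert_public_key)
    if derived != claimed:
        return False
    if expected_type is not None and device_type_of(derived) != expected_type:
        return False
    return True


if __name__ == "__main__":
    _, pub = generate_key_pair(0x12)
    addr = derive_ip_address(pub)
    print("address:", addr, "type:", hex(device_type_of(addr)))
    print("authentic:", peer_address_is_authentic(addr, pub, 0x12))
    print("forged key:", peer_address_is_authentic(addr, b"other key", 0x12))
```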
  • FIG. 4 is a diagram showing an example of the digital certificate 170 used in the network system 1 according to the present embodiment.
  • Each device 10 holds the digital certificate 170 as shown in FIG. 4, and transmits it to another device 10 as needed.
  • the digital certificate 170 is typically stored in storage 106 or ROM 108 (see FIG. 2) of device 10. That is, the storage 106 or ROM 108 of the device 10 corresponds to a storage unit that stores the digital certificate 170.
  • The digital certificate 170 shown in FIG. 4 may be created in advance by the certificate authority 2 and provided to each device 10, or may be created by each device 10 itself (in the latter case, the certificate authority signature is the signature of the device 10 itself).
  • the certificate authority 2 issues the digital certificate 170
  • the device 10 requests the certificate authority 2 to issue the digital certificate together with the public key 162 held by the own device 10 (hereinafter, "certificate"). Also referred to as a "signing request").
  • the certificate authority 2 registers the public key 162 and issues a digital certificate 170 including the certificate authority signature 178 generated according to a predetermined algorithm. That is, in response to a certificate signing request from any device, the certificate authority 2 signs the digital certificate 170 to be stored in the requesting device.
  • FIG. 4 shows, as an example, a digital certificate 170 conforming to the X.509v3 certificate format. More specifically, referring to FIG. 4, the digital certificate 170 held by each device 10 has version information 171, a serial number 172, a signature algorithm 173, an issuer identification name 174, a validity period 175, a subject identification name 176, the public key 162, a certificate authority signature 178, and extended information 180.
  • Version information 171 indicates the version information of the certificate format.
  • the serial number 172 indicates a serial number in the issuing entity (certificate authority 2 or device 10) of the digital certificate 170.
  • the signature algorithm 173 indicates the algorithm used to generate the certificate authority signature 178 included in the digital certificate 170.
  • the issuer identification name 174 indicates information for identifying the issuing entity (certificate authority 2 or device 10) of the digital certificate 170.
  • the validity period 175 indicates the validity period of the digital certificate 170.
  • the subject identification name 176 indicates information for identifying the subject to which the digital certificate 170 is issued (usually, the device 10 holding the digital certificate 170).
  • the public key 162 is a public key 162 held by the device 10 holding the digital certificate 170, and is used to determine the IP address of the own device.
  • the certificate authority signature 178 is a signature (hash value) generated by the certificate authority 2.
  • the extended information 180 can include arbitrary information.
  • in the network system 1 according to the present embodiment, the extended information 180 includes a zone ID 182 (details will be described later) indicating location information associated with each device 10.
  • the zone ID 182 includes location information associated with the device in which the digital certificate 170 is stored (i.e., the device corresponding to the zone ID 182). By referring to the zone ID 182 included in the digital certificate 170, the position or range in which each device 10 exists can be easily identified.
  • Zone ID: the zone ID used in the network system 1 according to the present embodiment will be described.
  • FIG. 5 is a schematic diagram for explaining a zone ID used in the network system 1 according to the present embodiment.
  • the target range is hierarchically divided as required.
  • FIG. 5 shows an example in which the quadtree space division is used, but the present invention is not limited to this, and any division method can be used.
  • the range in which zone IDs can be set is first divided into four zones A to D. That is, the highest-level zone IDs in FIG. 5 are "A", "B", "C", and "D".
  • Each divided zone can be further divided into four.
  • the zone having the zone ID "A” is further divided into four.
  • the zone IDs of each divided zone are "AA”, "AB”, "AC”, and "AD”.
  • the zone with the zone ID "AA” is further divided into four.
  • the zone IDs of each divided zone are "AAA”, “AAB”, “AAC”, and “AAD”.
  • the zones whose zone IDs are "AB" and "AC" are each divided into four. That is, the zone IDs of the zones obtained by dividing the zone whose zone ID is "AB" into four are "ABA", "ABB", "ABC", and "ABD", and the zone IDs of the zones obtained by dividing the zone whose zone ID is "AC" into four are "ACA", "ACB", "ACC", and "ACD".
  • the zone with the zone ID "D" is also divided into four, and some of the divided zones are further divided into four.
  • the position information can be determined by repeating the operation of dividing all or part of the target zone into four down to the required granularity. That is, the determined position information indicates a zone generated by dividing the target zone hierarchically.
  • FIG. 6 is a schematic diagram for explaining a zone ID code system used in the network system 1 according to the present embodiment.
  • An example of the code system shown in FIG. 6 corresponds to the zone division shown in FIG.
  • zone IDs "A”, “B”, “C”, and “D” are assigned to the first layer.
  • for the second layer, a zone ID formed by appending an identification character to the whole zone ID of the corresponding first-layer zone is used.
  • for the four zones obtained by dividing the zone with zone ID "A", "A", "B", "C", and "D" are appended as identification characters after "A", so that "AA", "AB", "AC", and "AD" are used.
  • for the third layer, a zone ID formed by appending an identification character to the whole zone ID of the corresponding second-layer zone is used.
  • for the four zones obtained by dividing the zone with zone ID "AA", "A", "B", "C", and "D" are appended as identification characters after "AA", so that "AAA", "AAB", "AAC", and "AAD" are used.
  • the zone ID is determined according to the same rules even when the hierarchy is deeper.
  • the zone ID, which is the location information, is composed of a code that reflects the hierarchical structure of the target zone.
  • the zone IDs located above any given zone ID can therefore be uniquely identified.
  • for example, a zone assigned the zone ID "AAA" can be determined to be a sub-area of the zone assigned the zone ID "AA", and also a sub-area of the zone assigned the zone ID "A".
  • FIGS. 5 and 6 show, for convenience of explanation, an example in which one alphabetic character is appended each time the hierarchy is deepened, but the present invention is not limited to this, and identification information of arbitrary length (letters, numbers, etc.) may be appended in sequence according to a predetermined rule.
  • the state divided into four is defined as the highest level (first layer), but the highest level may be any number of zones. Further, it is not necessary to limit the number of divisions to 4 for the second layer and below, and the divisions can be sequentially divided into arbitrary numbers.
  • the "zone” shown in FIG. 5 is not necessarily limited to a physical range, but may include a zone division defined according to artificially arranged rules.
  • the hierarchy of the "zone” may be associated with an artificially arranged address notation (for example, "prefecture", "city", “town”, “address", "room number”, etc.).
  • the number of divisions and the division hierarchy of the "zone” shown in FIG. 5 are not limited in any way.
  • for example, the zone ID corresponding to the address of a store may be further divided so that a zone ID is assigned to each seat.
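Helpers for the zone ID code system of FIGS. 5 and 6, added here as example code (not the patent's own). Because each layer extends the whole ID of the layer above, containment is a prefix test, which is what makes the parent zones of any ID recoverable. The identification alphabet and the `divisions` parameter, which generalizes the four-way split of the figures to any number of sub-zones per layer, are assumptions of this example; `is_valid` is the input check a device should run on a zone ID read from a peer's certificate before using it.

```python
from typing import List

# Constructed alphabet of identification characters; the figures use A to D.
IDENT_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def subdivide(zone_id: str, divisions: int = 4) -> List[str]:
    """Zone IDs of the sub-zones obtained by dividing zone_id.
    With four divisions, subdivide("AB") gives ABA, ABB, ABC, ABD."""
    if not 1 <= divisions <= len(IDENT_CHARS):
        raise ValueError("unsupported number of divisions")
    return [zone_id + IDENT_CHARS[i] for i in range(divisions)]


def parent(zone_id: str) -> str:
    """Zone ID one layer up ("" for a first-layer zone)."""
    return zone_id[:-1]


def ancestors(zone_id: str) -> List[str]:
    """All zone IDs above the given one, nearest first: AAA -> [AA, A]."""
    return [zone_id[:i] for i in range(len(zone_id) - 1, 0, -1)]


def is_within(zone_id: str, outer: str) -> bool:
    """True when zone_id is the zone `outer` itself or a sub-area of it."""
    return zone_id.startswith(outer)


def common_zone(a: str, b: str) -> str:
    """Smallest zone containing both IDs ("" if they share no first-layer zone)."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def is_valid(zone_id: str, divisions: int = 4) -> bool:
    """A well-formed ID is non-empty and uses only the characters that the
    configured number of divisions allows in every layer."""
    allowed = IDENT_CHARS[:divisions]
    return bool(zone_id) and all(c in allowed for c in zone_id)
```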
  • Zone ID setting and updating: a processing example related to setting and updating the zone ID for each device 10 will be described.
  • a predetermined zone ID may be set for each device 10, and a digital certificate 170 including the set zone ID may be issued by the certificate authority 2.
  • the zone ID may be set for the connected device 10 based on the connection relationship on the network.
  • processing examples such as setting the zone ID based on the connection relationship on the network and issuing the digital certificate 170 will be described.
  • FIG. 7 is a schematic diagram for explaining the process related to the setting of the zone ID in the network system 1 according to the present embodiment.
  • FIG. 7 shows an example of processing when the device 10A2 (see FIG. 1) is connected to the network of the device 10A1 associated with the zone A.
  • FIG. 7A shows an example in which the device 10A2 requests the device 10A1 connected to the same network to assign a zone ID.
  • device 10A2 requests a zone ID from device 10A1 ((1) zone ID request).
  • the device 10A1 determines the zone ID of the device 10A2 by appending identification information to the zone ID assigned to itself, and responds to the device 10A2 with it ((2) zone ID).
  • the device 10A2 transmits a certificate signing request including the zone ID assigned by the device 10A1 and the public key 162 of the own device to the certificate authority 2 ((3) certificate signing request).
  • in response to the certificate signing request, the certificate authority 2 generates a digital certificate 170 for the device 10A2 and transmits it to the device 10A2 ((4) digital certificate).
  • the device 10A2 stores the digital certificate 170 from the certificate authority 2 and uses it for data communication with another device.
  • in this way, a device 10 in a lower layer requests the location information to be set for itself from another device 10 associated with a zone in a layer higher than the zone indicated by the zone ID (location information) associated with itself.
  • FIG. 7B shows an example in which the device 10A2 requests the device 10A1 connected to the same network to issue the digital certificate 170.
  • the device 10A2 requests the device 10A1 to issue a digital certificate 170 ((1) certificate issuance request).
  • the request for issuance of the digital certificate 170 includes the public key 162 of the device 10A2.
  • the device 10A1 determines the zone ID of the device 10A2 by appending identification information to the zone ID assigned to itself ((2) zone ID determination).
  • the device 10A1 transmits a certificate signing request including the zone ID determined for the device 10A2 and the public key 162 of the device 10A2 to the certificate authority 2 ((3) certificate signing request).
  • in response to the certificate signing request, the certificate authority 2 generates a digital certificate 170 for the device 10A2 and transmits it to the device 10A1, which relays it to the device 10A2 ((4) digital certificate).
  • the device 10A2 stores the digital certificate 170 from the certificate authority 2 and uses it for data communication with another device.
  • the process related to the zone ID setting shown in FIG. 7 is an example, and any setting method may be adopted.
  • the process related to the zone ID setting shown in FIG. 7 may be re-executed.
  • the zone ID can be updated by such re-execution.
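The exchange of FIG. 7A, as an added example (not the patent's own code): the lower-layer device obtains a child zone ID from a device in the zone above it, sends a certificate signing request carrying that zone ID and its public key, and receives a certificate whose extension holds the zone ID. Two things are assumptions of this example rather than statements of the page: the certificate authority signature 178 is simulated with an HMAC over a canonical encoding of the certificate body (a real authority signs an X.509v3 certificate with an asymmetric key), and the authority checks, against the certificates it has already issued, that the requested zone ID is a direct sub-zone of the zone held by the device that assigned it, so a requester cannot claim a location nobody above it endorsed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

IDENT_CHARS = "ABCD"   # identification characters appended per layer, as in FIG. 6


@dataclass
class Device:
    name: str
    zone_id: str
    public_key: bytes
    next_child: int = 0

    def assign_child_zone_id(self) -> str:
        """(2) zone ID: determine the requester's zone ID by appending
        identification information to this device's own zone ID."""
        if self.next_child >= len(IDENT_CHARS):
            raise RuntimeError(f"{self.name}: no free sub-zone under {self.zone_id}")
        child = self.zone_id + IDENT_CHARS[self.next_child]
        self.next_child += 1
        return child


def canonical(obj) -> bytes:
    """Deterministic encoding so the signature covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class CertificateAuthority:
    """Toy certificate authority 2. An HMAC over the canonical certificate body
    stands in for the certificate authority signature 178 (assumption)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.registry = {}      # public key (hex) -> zone ID, for every certificate issued
        self.serial = 0

    def _signature(self, body: dict) -> str:
        return hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()

    def register_root(self, device: Device) -> None:
        """Bootstrap: the first device of a zone is registered out of band."""
        self.registry[device.public_key.hex()] = device.zone_id

    def sign(self, csr: dict) -> dict:
        """(3)/(4): issue a digital certificate 170 for a certificate signing
        request. Added check (assumption, not specified by the page): the
        requested zone ID must be a direct sub-zone of the assigner's zone."""
        assigner_zone = self.registry.get(csr["assigner_public_key"])
        requested = csr["zone_id"]
        if assigner_zone is None or requested[:-1] != assigner_zone:
            raise ValueError(f"zone {requested!r} not endorsed by a device in zone {assigner_zone!r}")
        self.serial += 1
        body = {
            "version": 3,                          # version information 171
            "serial": self.serial,                 # serial number 172
            "issuer": "certificate authority 2",   # issuer identification name 174
            "subject": csr["subject"],             # subject identification name 176
            "public_key": csr["public_key"],       # public key 162
            "extensions": {"zone_id": requested},  # extended information 180 / zone ID 182
        }
        self.registry[csr["public_key"]] = requested
        return {"body": body, "ca_signature": self._signature(body)}

    def verify(self, cert: dict) -> bool:
        return hmac.compare_digest(self._signature(cert["body"]), cert["ca_signature"])


def zone_setup(requester: Device, assigner: Device, ca: CertificateAuthority) -> dict:
    """FIG. 7A: (1) zone ID request, (2) zone ID, (3) certificate signing
    request, (4) digital certificate. Returns the certificate the requester stores."""
    requester.zone_id = assigner.assign_child_zone_id()          # (1) and (2)
    csr = {                                                       # (3)
        "subject": requester.name,
        "public_key": requester.public_key.hex(),
        "zone_id": requester.zone_id,
        "assigner_public_key": assigner.public_key.hex(),
    }
    return ca.sign(csr)                                           # (4)
```

Re-running `zone_setup` for a device that already holds a certificate is how the page's "update by re-execution" would look in this model: a new child zone is assigned and a new certificate issued; the authority's registry then carries the new zone for that public key.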
  • each device may implement a function of managing value (including ordinary currency and virtual currency) as consideration for money, goods, or services. For example, by giving a budget to each device, payment processing without human intervention can be realized.
  • FIG. 8 is a schematic diagram showing an example of an application using location information provided by the network system 1 according to the present embodiment.
  • devices 10DT1 to 10DT6 which are fire alarms, are arranged on each floor of the building.
  • a device 10HST which is a host that aggregates various information including fire detection of a building, is also arranged, and the device 10HST can perform data communication with each of the devices 10DT1 to 10DT6.
  • the device 10HST is capable of data communication with the device 10MST, which is a host assigned to the fire engine or a host that aggregates notifications to the fire engine.
  • a zone ID is assigned to each floor of the building ("AKPRMM1" to "AKPRMM6").
  • a session for data communication is established by exchanging the digital certificate 170 including the zone ID between the device 10DT5 and the device 10HST.
  • the digital certificate 170 to be exchanged also includes the zone ID of the device 10DT5.
  • the device 10DT5 identifies the zone ID held by the device 10 in the upper layer from the zone ID "AKPRMM5" of its own device. In this example, the notification destination can be identified as "AKPRMM", obtained by removing the last character from "AKPRMM5", the zone ID of the device 10DT5.
  • when the device 10HST receives the fire detection information from the device 10DT5, it identifies the zone ID of the device 10DT5 by referring to the digital certificate 170 obtained in advance from the device 10DT5, and notifies the device 10MST of the fire detection information together with the identified zone ID.
  • the device 10MST can identify the position of the fire alarm (device 10DT2) in which a fire is detected based on the notification information from the device 10HST. Then, the necessary action is taken according to the identified position.
  • FIG. 9 is a sequence diagram showing a processing procedure for realizing the application shown in FIG. With reference to FIG. 9, a process of first establishing a session is executed between the devices.
  • the host device 10HST transmits the digital certificate 170 of its own device to the device 10MST of the fire department (sequence SQ10), and the device 10MST also transmits the digital certificate 170 of its own device to the device 10HST (sequence SQ11).
  • Device 10HST and device 10MST establish a session by exchanging digital certificates 170 (sequence SQ12).
  • the device 10DT5 which is a fire alarm, transmits the digital certificate 170 of its own device to the device 10HST (sequence SQ13), and the device 10HST also transmits the digital certificate 170 of its own device to the device 10DT5 (sequence SQ14).
  • Device 10DT5 and device 10HST establish a session by exchanging digital certificates 170 (sequence SQ15).
  • FIG. 9 shows only the process of establishing a session between the device 10DT5 and the device 10HST, but the other devices 10DT1 to 10DT4 and 10DT6 likewise establish a session with the device 10HST.
  • the device 10DT5 detects a fire (sequence SQ16).
  • the device 10DT5 transmits the fire detection information to the device 10HST (sequence SQ17).
  • the device 10HST determines the zone ID of the device 10DT5 with reference to the digital certificate 170 received from the device 10DT5 (sequence SQ18). Then, the device 10HST transmits the fire detection information from the device 10DT5 and the determined zone ID of the device 10DT5 to the device 10MST (sequence SQ19).
  • the device 10DT5 constituting the network system 1 exchanges the digital certificate 170 with the device 10HST to establish a session, and then transmits the information generated or collected by the own device to the device 10HST.
  • the device 10DT5 can be reliably identified based on the contents of the digital certificate 170 used to establish the session.
  • the information detected by the fire alarm is transmitted to the fire engine and the like together with the position of the detecting fire alarm, so that the position information necessary for fire-extinguishing activity can be provided to the fire engine.
  • FIGS. 8 and 9 show notification by a fire alarm as a typical example, but the present invention is not limited to this and can also be applied to, for example, an intrusion detection device using an arbitrary monitoring and detection device (for example, an infrared sensor or a camera).
  • devices such as fire alarms and sprinklers may hold or manage deposits in advance that allow them to pay for the water required in the event of a fire.
  • when a device such as a fire alarm or sprinkler detects a fire, it provides information to the fire department and the like without the intervention of a person such as an administrator, and costs can be managed autonomously.
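The host side of FIG. 9 (sequences SQ13 to SQ19), as an added example that is not code from the patent: device 10HST keeps the certificate received from each alarm when the session was established, and when a detection report arrives it takes the alarm's zone ID from that stored certificate, never from the report body, so the location forwarded to 10MST is the one the certificate authority vouched for. A report from an address with no established session is dropped. The certificate dictionaries and addresses are constructed stand-ins; verification of the certificate authority signature is assumed to have happened at session establishment.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for the digital certificates 170 of the fire alarms
# 10DT1 to 10DT6: only the fields this example reads are kept.
FLOOR_CERTS = [
    {"subject": f"10DT{n}", "ip": f"fc01::{n}", "zone_id": f"AKPRMM{n}"}
    for n in range(1, 7)
]


def upper_zone(zone_id: str) -> str:
    """Zone ID of the layer above, found by removing the last identification
    character: "AKPRMM5" -> "AKPRMM"."""
    return zone_id[:-1]


@dataclass
class HostDevice:
    """Device 10HST: aggregates reports from the alarms and notifies 10MST."""
    sessions: Dict[str, dict] = field(default_factory=dict)   # peer IP -> certificate received at session setup
    sent_to_10mst: List[dict] = field(default_factory=list)   # notifications (sequence SQ19)

    def establish_session(self, peer_cert: dict) -> None:
        """Sequences SQ13 to SQ15: remember the peer's certificate, keyed by
        the authenticated IP address the session was established with."""
        self.sessions[peer_cert["ip"]] = peer_cert

    def on_detection(self, src_ip: str, report: dict) -> Optional[dict]:
        """Sequences SQ17 to SQ19. The zone ID comes from the certificate
        stored for the session, not from the report, so a report cannot
        claim a location its sender was not certified for."""
        cert = self.sessions.get(src_ip)
        if cert is None:
            return None   # no established session: the report is not forwarded
        zone = cert["zone_id"]
        notice = {
            "event": report["event"],
            "source": cert["subject"],
            "zone_id": zone,
            "notify_zone": upper_zone(zone),
        }
        self.sent_to_10mst.append(notice)
        return notice


def demo() -> HostDevice:
    """Constructed run: all six alarms open sessions, 10DT5 reports a fire."""
    host = HostDevice()
    for cert in FLOOR_CERTS:
        host.establish_session(cert)
    # The report body also carries a wrong zone claim, which is ignored.
    host.on_detection("fc01::5", {"event": "fire", "zone_id": "AKPRMM1"})
    # A report from an address that never established a session is dropped.
    host.on_detection("fc01::99", {"event": "fire"})
    return host
```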
  • Second application example: as a second application example, a configuration for managing the right to use services, such as reservation and use of hotel rooms, will be described.
  • FIG. 10 is a schematic diagram showing another example of an application using location information provided by the network system 1 according to the present embodiment.
  • FIG. 10 shows a device 10TRM, which is a mobile terminal held by the user, and devices 10KEY, which are locking devices; a device 10KEY is arranged at each room of the accommodation facility 40.
  • ticket information as described later is provided to the mobile terminal and the target locking device.
  • the same ticket information is shared between the mobile terminal and the target locking device, and when the user approaches the reserved room, communication is performed between the user's mobile terminal and the target locking device, and the room is unlocked.
  • the communication between the mobile terminal and the locking device may be started automatically, or may be started after the user explicitly performs an operation.
  • FIG. 11 is a schematic diagram showing a system configuration example for realizing the application shown in FIG. 10. With reference to FIG. 11, devices 10KEY1, 10KEY2, 10KEY3, ..., which are one or more locking devices associated with the rooms of the hotel, are arranged.
  • the devices 10KEY1, 10KEY2, 10KEY3, ... can perform data communication with the device 10SRV, which is a server that manages hotel reservations and the like.
  • the device 10SRV, which is a server, can also perform data communication with the device 10TRM, which is a mobile terminal.
  • the device 10SRV, which is a server, manages reservations for each room managed by the devices 10KEY1, 10KEY2, 10KEY3, ..., which are locking devices. Considering the room managed by each locking device as a "resource", the device 10SRV can also be considered to manage the resources to be provided according to the requested service. Information for providing the service, determined according to the resource management described later, is transmitted as the ticket information 50 to the device 10TRM, which is a mobile terminal, and to the device 10KEY, which provides the resource.
  • FIG. 12 is a schematic diagram for explaining resource management in the application shown in FIG.
  • the device 10SRV which is a server, manages time as a resource for each room associated with the devices 10KEY1, 10KEY2, 10KEY3, .... Since each room of the hotel accepts only one usage reservation (that is, service) at a certain time, the service is assigned to the time axis so as not to overlap.
  • the authenticated IP address of the device 10 that requested the service can also be used in resource management.
  • the ticket information 50 is transmitted to the device 10 that requested the service and the device 10 that provides the reserved resource.
  • FIG. 13 is a diagram showing an example of ticket information 50 used in the application shown in FIG. With reference to FIG. 13, the ticket information 50 includes a resource allocation period 51, a resource IP address 52, a resource zone ID 53, and a service providing destination IP address 54.
  • the resource allocation period 51 indicates the time when the room can be used.
  • the IP address 52 of the resource indicates the IP address of the device 10KEY, which is a locking device associated with the reserved room.
  • the resource zone ID 53 indicates a zone ID possessed by the device 10KEY, which is a locking device associated with the reserved room.
  • the service providing destination IP address 54 indicates the device 10TRM that reserved the room.
  • Such ticket information 50 is shared between the device 10TRM and the target device 10KEY.
  • the devices 10KEY1, 10KEY2, 10KEY3, ... which are locking devices, are configured to manage the resources associated with each device. Then, in response to the request from the device 10TRM, at least a part of the resources managed by the devices 10KEY1, 10KEY2, 10KEY3, ... Is allocated. Further, the information related to the allocation of the resource is shared between the device 10KEY that provided the resource and the device 10TRM that requested the resource.
  • FIG. 14 is a sequence diagram showing a processing procedure for realizing the application shown in FIG. With reference to FIG. 14, a process of first establishing a session is executed between the devices.
  • the device 10SRV which is a server, transmits the digital certificate 170 of its own device to the device 10KEY, which is a locking device (sequence SQ20), and the device 10KEY also transmits the digital certificate 170 of its own device to the device 10SRV (sequence SQ21).
  • Device 10SRV and device 10KEY establish a session by exchanging digital certificates 170 (sequence SQ22).
  • FIG. 14 shows only the process of establishing a session between the device 10SRV and one device 10KEY, but each of the one or more devices 10KEY1, 10KEY2, 10KEY3, ... likewise establishes a session with the device 10SRV.
  • the device 10TRM, which is a mobile terminal, transmits the digital certificate 170 of its own device to the device 10SRV (sequence SQ23), and the device 10SRV also transmits the digital certificate 170 of its own device to the device 10TRM (sequence SQ24).
  • Device 10TRM and device 10SRV establish a session by exchanging digital certificates 170 (sequence SQ25).
  • the device 10TRM transmits a reservation request to the device 10SRV (sequence SQ27).
  • the device 10SRV receives a reservation request from the device 10TRM and secures a resource capable of providing the requested service (sequence SQ28).
  • the device 10SRV generates the ticket information 50 according to the secured resource (sequence SQ29).
  • the device 10SRV transmits the generated ticket information 50 to the device 10TRM that has transmitted the reservation request and the device 10KEY that provides the reserved resource (sequences SQ30 and SQ31).
  • when the user approaches the reserved room, the device 10TRM transmits the digital certificate 170 of its own device to the device 10KEY (sequence SQ32), and the device 10KEY also transmits the digital certificate 170 of its own device to the device 10TRM (sequence SQ33).
  • Device 10TRM and device 10KEY establish a session by exchanging digital certificates 170 (sequence SQ34). Then, a process of inquiring the ticket information 50 from each other is executed between the device 10TRM and the device 10KEY (sequence SQ35). When the inquiry process of the ticket information 50 is successfully completed, the device 10KEY unlocks the managed room (sequence SQ36).
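The checks a locking device performs in sequences SQ31, SQ35 and SQ36, as an added example (not the patent's own code): the lock stores only tickets that name its own IP address and zone ID, and it unlocks only when the ticket presented by the terminal equals one it holds, the terminal's authenticated address (from the certificate exchanged in SQ32 to SQ34) equals the service providing destination IP address 54, and the current time lies within the resource allocation period 51. The room, zone IDs, addresses and times are constructed; how the IP address is authenticated is assumed to be the certificate exchange described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Ticket:
    """Ticket information 50 (times are timezone-aware UTC in this example)."""
    allocation_start: datetime   # resource allocation period 51 (start)
    allocation_end: datetime     # resource allocation period 51 (end)
    resource_ip: str             # resource IP address 52 (locking device 10KEY)
    resource_zone_id: str        # resource zone ID 53 (zone of 10KEY)
    destination_ip: str          # service providing destination IP address 54 (10TRM)


class LockDevice:
    """Device 10KEY: keeps the tickets 10SRV sent it and unlocks only for the
    terminal named in a matching ticket during the allocated period."""

    def __init__(self, ip: str, zone_id: str):
        self.ip = ip
        self.zone_id = zone_id
        self.tickets: List[Ticket] = []

    def receive_ticket(self, ticket: Ticket) -> bool:
        """Sequence SQ31. A ticket that names another room is refused."""
        if ticket.resource_ip != self.ip or ticket.resource_zone_id != self.zone_id:
            return False
        self.tickets.append(ticket)
        return True

    def unlock_request(self, peer_ip: str, presented: Ticket, now: datetime) -> Tuple[bool, str]:
        """Sequences SQ35 and SQ36. peer_ip is the authenticated address of
        the terminal from the certificate exchanged in SQ32 to SQ34."""
        if presented not in self.tickets:
            return False, "ticket unknown to this lock"
        if presented.destination_ip != peer_ip:
            return False, "ticket was issued to a different terminal"
        if not presented.allocation_start <= now < presented.allocation_end:
            return False, "outside the allocation period"
        return True, "unlocked"


# Constructed scenario: 10SRV allocated room 101 to terminal fc01::a for one night.
CHECK_IN = datetime(2020, 4, 15, 15, 0, tzinfo=timezone.utc)
STAY = timedelta(hours=19)
ROOM_101 = LockDevice(ip="fc01::101", zone_id="HOTELRM101")
TICKET = Ticket(CHECK_IN, CHECK_IN + STAY, "fc01::101", "HOTELRM101", "fc01::a")


def scenario() -> dict:
    """Run the lock's checks for the normal case and the failure cases."""
    ROOM_101.tickets.clear()
    other_room = Ticket(CHECK_IN, CHECK_IN + STAY, "fc01::102", "HOTELRM102", "fc01::a")
    return {
        "ticket_accepted": ROOM_101.receive_ticket(TICKET),
        "other_room_ticket_accepted": ROOM_101.receive_ticket(other_room),
        "guest_in_period": ROOM_101.unlock_request("fc01::a", TICKET, CHECK_IN + timedelta(hours=2)),
        "guest_after_checkout": ROOM_101.unlock_request("fc01::a", TICKET, CHECK_IN + timedelta(hours=20)),
        "other_terminal": ROOM_101.unlock_request("fc01::b", TICKET, CHECK_IN + timedelta(hours=2)),
    }
```

Because the lock compares the presented ticket against a copy it received from 10SRV over its own authenticated session, the terminal cannot extend its period or point the ticket at another room by editing its copy; the binding to the terminal's address closes the case where a ticket is copied to a second device.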
  • the example above concerns the reservation and use of hotel rooms, but the present invention is not limited to this and can be used for any kind of usage certificate.
  • the mobile terminal itself can be used as an admission ticket for various facilities such as amusement facilities and various events such as concerts.
  • the mobile terminal itself can be used as a train or aircraft ticket.
  • authentication terminals for keys and tickets, such as the locking device of each room of the accommodation facility, gates, and ticketing machines, may as devices be given a budget of their own.
  • the budget may be held in cooperation with deposits, settlement companies, and the like.
  • the mobile terminal itself may also be given a budget. In this way, money can be exchanged seamlessly between the authentication terminal and the mobile terminal, and a system without human intervention such as an administrator can be constructed.
  • a "transportation resource" means a physical or human resource used by a moving body such as an automobile, railroad, aircraft, or ship. Basically, transportation resources are finite and are arbitrated appropriately and used as requested. In the following, a system composed of devices 10 that manage such traffic resources is assumed.
  • FIG. 15 is a schematic diagram showing still another example of the application using the location information provided by the network system 1 according to the present embodiment.
  • FIG. 15 shows a system that assumes a road on which a vehicle passes as a traffic resource. More specifically, assuming four roads, a traffic resource is defined for each intersecting section of each road 61, 62, 63, 64, and a device 10 for managing each traffic resource is arranged. It is assumed that a zone ID indicating a traffic resource to be managed is set in each device 10.
  • the device 10 (zone: Avenue 001) associated with the road 61 has a resource table 71 for managing traffic resources.
  • device 10 (zone: Avenue 002) associated with road 62 has a resource table 72 for managing traffic resources.
  • device 10 (zone: street 001) associated with road 63 has a resource table 73 for managing traffic resources.
  • the device 10 (zone: street 002) associated with the road 64 has a resource table 74 for managing traffic resources.
  • Vehicles existing in the associated traffic resource are registered in the resource tables 71 to 74.
  • Each vehicle has an IP address and is capable of data communication with the device 10 associated with each traffic resource.
  • each device 10 that manages the resource tables 71 to 74 registers the IP address and the like of the vehicle in the corresponding resource table. Further, each device 10 that manages the resource tables 71 to 74 deletes the IP address of the vehicle from the corresponding resource table when the vehicle finishes using the associated traffic resource. Further, additional information such as the traveling direction of each vehicle may be registered together.
  • FIG. 16 is a schematic diagram showing route selection using the application shown in FIG. With reference to FIG. 16, for example, by allocating the traffic resources of the road 61 and the road 63 to the vehicle (IP address xx) in advance, the vehicle can pass smoothly.
  • that is, the vehicle can secure a kind of "right" to pass through.
  • by preparing a zone ID associated with each traffic resource, having the device 10 to which each zone ID is assigned manage the corresponding traffic resource, and also managing the service that uses each traffic resource, optimal use of transportation resources can be realized.
  • the vehicle which is a mobile body, can identify the device 10 that manages the available traffic resources by using the zone ID code system.
  • FIG. 17 is a sequence diagram showing a processing procedure for realizing the application shown in FIG. 15. FIG. 17 shows an example of a network system that includes, in addition to the device 10M mounted on the vehicle and the devices 10RM1, 10RM2, 10RM3, and 10RM4, which are resource managers managing the roads 61, 62, 63, and 64, a device 10SRV, which is a zone management server existing in the layer above the devices 10RM1, 10RM2, 10RM3, and 10RM4.
  • the device 10M mounted on the vehicle acquires the current position by an arbitrary method (sequence SQ40).
  • the current position is acquired based on information from GPS or a mobile base station.
  • the device 10M transmits the digital certificate 170 of the own device to the device 10SRV which is the zone management server (sequence SQ41), and the device 10SRV also transmits the digital certificate 170 of the own device to the device 10M (sequence SQ42).
  • Device 10M and device 10SRV establish a session by exchanging digital certificates 170 (sequence SQ43).
  • the device 10M transmits a connection destination node inquiry including the current position acquired in the sequence SQ40 to the device 10SRV (sequence SQ44).
  • the device 10SRV responds to the device 10M with the connection destination node based on the current position included in the connection destination node inquiry (sequence SQ45).
  • the connection destination node is information for identifying the device 10 that manages the traffic resource to be used by the device 10M. It should be noted that the connection destination node may include a plurality of devices 10. In this example, it is assumed that the device 10RM1 which is the resource manager is notified as the connection destination node.
  • in this way, the device 10SRV responds to a request including the current position from the device 10M with a connection destination node (identification information) identifying the device among the devices 10RM1, 10RM2, 10RM3, and 10RM4 that is associated with the current position.
  • the device 10M transmits the digital certificate 170 of the own device to the device 10RM1 which is the resource manager (sequence SQ46), and the device 10RM1 also transmits the digital certificate 170 of the own device to the device 10M (sequence SQ47).
  • Device 10M and device 10RM1 establish a session by exchanging digital certificates 170 (sequence SQ48).
  • the device 10M transmits a resource request to the device 10RM1 (sequence SQ49).
  • the device 10RM1 receives the resource request from the device 10M and allocates a resource according to the request (sequence SQ50). Then, the device 10RM1 transmits a resource request response indicating that the resource has been secured to the device 10M (sequence SQ51). Further, the device 10RM1 identifies the traffic resource following the traffic resource managed by the device 10RM1, and responds to the device 10M with a connection destination node indicating the resource manager that manages the identified traffic resource (sequence SQ52). In this example, it is assumed that the device 10RM2, which is a resource manager, is notified as the connection destination node.
  • the device 10M transmits the digital certificate 170 of the own device to the device 10RM2 which is the resource manager (sequence SQ53), and the device 10RM2 also transmits the digital certificate 170 of the own device to the device 10M (sequence SQ54).
  • Device 10M and device 10RM2 establish a session by exchanging digital certificates 170 (sequence SQ55).
  • the device 10M transmits a resource request to the device 10RM2 (sequence SQ56).
  • the device 10RM2 receives the resource request from the device 10M and secures a resource according to the request (sequence SQ57). Then, the device 10RM2 transmits a resource request response indicating that the resource has been secured to the device 10M (sequence SQ58). Further, the device 10RM2 identifies the traffic resource following the traffic resource managed by the device 10RM2, and responds to the device 10M with a connection destination node indicating the resource manager that manages the identified traffic resource (sequence SQ59).
  • thereafter, the same processing as in sequences SQ46 to SQ52 and sequences SQ53 to SQ59 is repeated.
  • the devices 10RM1, 10RM2, 10RM3, and 10RM4 are configured to manage the traffic resources associated with each device. Then, in response to the request from the device 10M, at least a part of the traffic resources managed by the devices 10RM1, 10RM2, 10RM3, 10RM4 is allocated.
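The chain of FIG. 17 (sequences SQ44 to SQ59) as an added example, not code from the patent: a zone management server answers the connection destination node inquiry, each resource manager keeps a resource table of the vehicles using its section and, after securing the resource, names the manager of the following section, and the vehicle follows that chain until a section cannot be secured. The per-section capacity, the assumption that the vehicle's position is already expressed as the zone ID of the section it is on, and the road layout are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ResourceManager:
    """A device 10RMn managing one traffic resource (a road section) with a
    resource table (71 to 74) of the vehicles currently using it."""
    zone_id: str
    capacity: int                                      # assumption: finite vehicles per section
    next_node: Optional["ResourceManager"] = None      # manager of the following section
    table: Dict[str, dict] = field(default_factory=dict)   # vehicle IP -> registered information

    def request(self, vehicle_ip: str, direction: str) -> dict:
        """Sequences SQ49 to SQ52: allocate if possible, then answer with the
        connection destination node for the next section."""
        if vehicle_ip in self.table:
            secured = True                             # already registered: re-request is idempotent
        elif len(self.table) < self.capacity:
            self.table[vehicle_ip] = {"direction": direction}
            secured = True
        else:
            secured = False
        return {
            "zone": self.zone_id,
            "secured": secured,
            "next_node": self.next_node.zone_id if self.next_node else None,
        }

    def release(self, vehicle_ip: str) -> None:
        """The vehicle finished using the section: delete it from the table."""
        self.table.pop(vehicle_ip, None)


class ZoneManagementServer:
    """Device 10SRV: answers a connection destination node inquiry (SQ44/SQ45).
    Assumption: the current position is given as the zone ID of the section."""

    def __init__(self, managers: List[ResourceManager]):
        self.by_zone = {m.zone_id: m for m in managers}

    def connection_destination(self, position_zone: str) -> Optional[ResourceManager]:
        return self.by_zone.get(position_zone)


def secure_route(server: ZoneManagementServer, vehicle_ip: str, position_zone: str,
                 direction: str, max_hops: int = 8) -> List[str]:
    """Follow the chain of resource managers from the current section,
    securing each in turn; stop at the first section that cannot be secured.
    Returns the zone IDs of the sections secured."""
    secured: List[str] = []
    node = server.connection_destination(position_zone)
    hops = 0
    while node is not None and hops < max_hops:
        resp = node.request(vehicle_ip, direction)
        if not resp["secured"]:
            break
        secured.append(resp["zone"])
        node = server.by_zone.get(resp["next_node"]) if resp["next_node"] else None
        hops += 1
    return secured


def build_example():
    """Constructed layout: road 61 (Avenue 001) leads into road 63 (Street 001)."""
    rm3 = ResourceManager("Street 001", capacity=1)
    rm1 = ResourceManager("Avenue 001", capacity=2, next_node=rm3)
    return ZoneManagementServer([rm1, rm3]), rm1, rm3
```

The `max_hops` bound keeps a misconfigured or looping chain of connection destination nodes from making the vehicle request resources forever; the page's sequence assumes a finite route, and the bound makes that assumption explicit.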
  • each seat of each flight such as a railroad, an aircraft, or a ship can be treated as a transportation resource.
  • Budget: a budget can also be allocated to the above transportation resources. In this case, if it is desired to guarantee that the destination is reached in the shortest time, a mechanism in which the road user pays for the traffic resource can be proposed. On the other hand, on a road that is an efficient route but is not congested, the transportation resource can pay the user and the like from its budget.
  • the roles of the devices 10 may be changed dynamically; for example, the processing of one device 10 may be delegated to or substituted by another device 10.
  • the role may be changed such that the device 10 in charge of processing is replaced by another device 10, or another device 10 is added in addition to the device 10 in charge of processing. Any method for optimally using the devices 10 as the whole network system can be adopted.
  • according to the network system 1 of the present embodiment, it is possible to acquire authenticated location information of a device and to provide various services using the authenticated location information.


Priority Applications (4)

Application Number Priority Date Filing Date Title
EP20791230.4A EP3958500A4 (en) 2019-04-19 2020-04-15 NETWORK SYSTEM, DEVICE AND METHOD OF PROCESSING
US17/604,716 US12022008B2 (en) 2019-04-19 2020-04-15 Network system, device, and processing method
US18/667,367 US12388659B2 (en) 2019-04-19 2024-05-17 Network system, device, and processing method
US19/271,695 US20250343702A1 (en) 2019-04-19 2025-07-16 Network system, device, and processing method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2019-080299 2019-04-19
JP2019080299A JP7127845B2 (ja) 2019-04-19 2019-04-19 Network system, device, and processing method

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US17/604,716 A-371-Of-International US12022008B2 (en) 2019-04-19 2020-04-15 Network system, device, and processing method
US18/667,367 Continuation US12388659B2 (en) 2019-04-19 2024-05-17 Network system, device, and processing method

Publications (1)

Publication Number Publication Date
WO2020213643A1 (ja) 2020-10-22

Family

ID=72837541

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/016576 Ceased WO2020213643A1 (ja) 2019-04-19 2020-04-15 Network system, device, and processing method

Country Status (5)

Country Link
US (3) US12022008B2 (en)
EP (1) EP3958500A4 (en)
JP (4) JP7127845B2 (en)
TW (1) TWI879765B (en)
WO (1) WO2020213643A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI836220B (zh) * 2021-05-25 2024-03-21 周士剛 System and method for pre-selling, collecting and verifying usage credentials over a network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070061574A1 (en) * 2001-04-12 2007-03-15 Microsoft Corporation Methods and Systems for Unilateral Authentication of Messages
JP2012504285A (ja) 2008-09-29 2012-02-16 Tajitsu Transfer Limited Liability Company Geolocation-assisted data transfer and storage
JP2015170303A (ja) * 2014-03-10 2015-09-28 Nihon RA Co., Ltd. Transaction management system, transaction management server, and program
JP2017103614A (ja) * 2015-12-01 2017-06-08 System Plaza Co., Ltd. Electronic certificate management system, electronic certificate use terminal, and electronic certificate management method

Family Cites Families (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7610487B2 (en) * 2003-03-27 2009-10-27 Microsoft Corporation Human input security codes
JP4101839B2 (ja) 2003-06-19 2008-06-18 Nippon Telegraph and Telephone Corporation Session control server and communication system
US7401215B2 (en) 2003-09-29 2008-07-15 Sun Microsystems, Inc. Method and apparatus for facilitating cryptographic layering enforcement
GB0407335D0 (en) 2004-03-31 2004-05-05 British Telecomm Authorisation
US7716139B2 (en) 2004-10-29 2010-05-11 Research In Motion Limited System and method for verifying digital signatures on certificates
DE602004003503T2 (de) * 2004-10-29 2007-05-03 Research In Motion Ltd., Waterloo System and method for verifying digital signatures on certificates
GB0520836D0 (en) * 2005-10-13 2005-11-23 Scansafe Ltd Remote access to resources
CN101291216B (zh) 2007-04-16 2011-11-16 Huawei Technologies Co., Ltd. P2P network system and authentication method therefor
US8953798B2 (en) 2010-10-29 2015-02-10 Telefonaktiebolaget L M Ericsson (Publ) Enhanced cryptographically generated addresses for secure route optimization in mobile internet protocol
US9332002B1 (en) * 2013-03-14 2016-05-03 Amazon Technologies, Inc. Authenticating and authorizing a user by way of a digital certificate
JP2015170305A (ja) 2014-03-10 2015-09-28 Nihon RA Co., Ltd. Diagnosis support system, diagnosis support server, and program
US10230710B2 (en) 2016-08-04 2019-03-12 Visa International Service Association Token based network service among IoT applications
JP6729334B2 (ja) 2016-12-06 2020-07-22 Fujitsu Limited Transaction management method, transaction management program, and transaction management device
JP6711773B2 (ja) 2017-03-21 2020-06-17 System Plaza Co., Ltd. Electronic certificate management system, electronic certificate use terminal, and electronic certificate management method
EP3695635B1 (en) * 2017-10-13 2023-10-11 Visa International Service Association Mitigating risk for hands-free interactions

Also Published As

Publication number Publication date
US12388659B2 (en) 2025-08-12
EP3958500A1 (en) 2022-02-23
US12022008B2 (en) 2024-06-25
EP3958500A4 (en) 2022-09-14
JP2024073556A (ja) 2024-05-29
JP7127845B2 (ja) 2022-08-30
JP7461073B2 (ja) 2024-04-03
JP2022145898A (ja) 2022-10-04
US20220200811A1 (en) 2022-06-23
US20240305475A1 (en) 2024-09-12
JP2025118852A (ja) 2025-08-13
TWI879765B (zh) 2025-04-11
JP2020178279A (ja) 2020-10-29
US20250343702A1 (en) 2025-11-06
TW202046679A (zh) 2020-12-16
JP7688346B2 (ja) 2025-06-04

Similar Documents

Publication Publication Date Title
JP7152591B2 (ja) Vehicle-to-everything communication solution
JP7536346B2 (ja) Communication system, communication device, communication method, and communication program
US20250343702A1 (en) Network system, device, and processing method
JP2024170510A (ja) Data transmission method, communication processing method, device, and communication processing program
KR102112922B1 (ko) Blockchain-based wireless network operation method and system
Djigal et al. Secure framework for future smart city
Kaurav et al. Blockchain for emergency vehicle routing in healthcare services: An integrated secure and trustworthy system
TW202543263A (zh) Network system, device, and processing method
JP7788595B2 (ja) Communication method and networked system
CN115189882B (zh) Blockchain-based distributed identity authentication method in crowd sensing
US20250373415A1 (en) Network system, information processing device, and communication method
US12261962B2 (en) Information communication method, information communication system and method
JP2016039427A (ja) Determination device, terminal device, determination program, terminal program, and communication system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 20791230; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
ENP Entry into the national phase
    Ref document number: 2020791230; Country of ref document: EP; Effective date: 20211119
WWG Wipo information: grant in national office
    Ref document number: 202117052285; Country of ref document: IN