SERVER SYSTEM AND METHOD FOR CONTROLLING MULTIPLE SERVICE SYSTEMS

Abstract
Each of one or more information element groups as for each user in management information kept by a server system (C(j)) includes mID (an ID that is shared with C(j) and a service system (Si(j)), and that is different for each user). C(j) receives a request from a user terminal. C(j) identifies, on the basis of the received request, one or more mIDs respectively corresponding to one or more service systems, from the management information, for the user for the user terminal. C(j) sends, to each of the one or more Si(j), a request associated with the mID(s) corresponding to the Si(j) among the identified one or more mIDs, and the control content(s) for the Si(j).
Description
TECHNICAL FIELD

The present invention generally relates to control of a service system.


TECHNICAL BACKGROUND

Generally, identification codes are used for access control like authentication. The term “identification code” means any data used for access control, for example, authentication. The term “identification code” in this DESCRIPTION can mean “identification code” appearing in the description of “Act on Prohibition of Unauthorized Computer Access” (in Japan). We know “passwords” like one-time passwords as an example of “identification code”. We can present Patent Literature 1 (PTL 1) as an authentication technique.


CITATION LIST
Patent Literature



  • [PTL 1] JP3678417



SUMMARY OF INVENTION
Technical Problem

Impersonation crimes in the Internet happen frequently with password leakage, password cracking, and so on. Therefore, service system administrators often ask the system users to strengthen their passwords (and IDs) management, or to regularly change their passwords.


However, it is not easy, for a user using many service systems in the Internet, to manage his passwords (and IDs), for example, to manage his password (and IDs) for every service system he uses, and furthermore, to change their passwords regularly.


There are many users who cannot remember all passwords (and IDs) for the corresponding service systems. Such users set an identical password (and ID) for plural service systems, or keep their passwords (and IDs) in their notebooks, PCs, and so on. However, we cannot see these management manners are secure.


The problem given above can occur not only for passwords (and IDs) but also other identification codes (for example, one-time passwords).


On the other hand, we can see other problems given below, in the case where one user makes use of plural service systems.


For example, there can be a user who has a trouble in the viewpoint of convenience, that he/she has to give his/her information data to the first service system after getting the data from the second service system, in order to provide the data to the first service system.


Furthermore, there can be a user can have a fear the viewpoint of security, that someone else may impersonate him to access the service system he uses.


Solution to Problem

Constructed is a server system (one or more computers) which can communicate with plural user terminals and plural service systems. A server system (for example, the control center machine) keeps management information including one or more information element groups for each user. Each of one or more information element groups is shared with the server system and a service system, and includes an ID (mID) that is different for each user. The server system receives a request from a user terminal. The server system identifies, on the basis of the request, one or more mIDs respectively corresponding to one or more service systems, from the management information, for the user for the user terminal. The server system sends, to each of the one or more service systems, a request associated with the mID(s) corresponding to the service system among the identified one or more IDs, and the control content(s) for the service system.


Advantageous Effects of Invention

It is possible to securely enhance convenience for utilization of plural service systems.





BRIEF DESCRIPTION OF DRAWINGS


FIG. 1 shows the overview of the authentication process according to Embodiment 1.



FIG. 2 shows an example of the construction of UM.



FIG. 3 shows an example of the construction of UP.



FIG. 4 shows an example of the construction of Si(j) (S1(1)).



FIG. 5 shows an example of the construction of C(j) (C(1)).



FIG. 6 shows an example of the construction of uListi(j) (uList1(1)).



FIG. 7 shows an example of the construction of aListi(j) (aList1(1)).



FIG. 8 shows an example of the construction of pList.



FIG. 9 shows an example of the construction of sList(j) (sList(1)).



FIG. 10 shows an example of the construction of cList(j) (cList(1)).



FIG. 11 shows tpw provision by C(1).



FIG. 12 shows an example of the flow for First registration.



FIG. 13 shows an example of the flow for Second or further registration.



FIG. 14 shows an example of the flow for tpw issuance according to Embodiment 1.



FIG. 15 shows an example of the authentication system according to Embodiment 2.



FIG. 16 shows an example of pList.



FIG. 17 shows an example of the flow for tpw issuance according to Embodiment 2.



FIG. 18 shows an example of the flow for tpw issuance according to Embodiment 3.



FIG. 19 shows a concrete example of FIG. 18.



FIG. 20 shows an example of the flow for tpw issuance according to Embodiment 4.



FIG. 21 shows an example of the flow for tpw issuance according to Embodiment 5.



FIG. 22 shows an example of the flow for tpw deletion according to Embodiment 6.



FIG. 23 shows an example of the construction of uListi(j) according to Embodiment 7.



FIG. 24 shows an example of the construction of aList(j) according to Embodiment 7.



FIG. 25 shows an example of the flow for authentication and sharing according to Embodiment 8.



FIG. 26 shows an example of the abstract of the identification code management.



FIG. 27 shows examples of the construction of the shutter system.



FIG. 28 shows an example of the flow for each of Registration procedure #1, Registration procedure #2, and Authentication shutter operation procedure.



FIG. 29 shows an example of the flow for Login procedure.



FIG. 30 shows examples of the screen transition.



FIG. 31 shows an example of the flow for the registration according to Embodiment 8.





DESCRIPTION OF EMBODIMENT

Some embodiments are described as follows.


Then, we provide a password as an example of the identification code common among plural service systems is password. As we describe below, common passwords are associated with some restrictions like such as at least one of the expiration date and the frequency of possible use. In our embodiments, we provide, as an example of common passwords, a one-time password which is available during the very day when it is issued, and which has no limit for the number of use. Here we mean, by “one-time”, at least the former of that it has some restriction for the period it can be used, and that it can be used only once. Hereafter, we often call such a password “a common 1-day password”. As we describe later, in some embodiments, a password does not have to be a tpw (a common 1-day password). For example, in some embodiments, a password can be a temporary password of another type, or can be a usual fixed password that can be used only at a certain service system.


In the following description, we use the term “AAA-list” to represent information data, but it can be realized with an arbitrary data structure. Namely, we can call an AAA-list by the term “an AAA-data” in order to mean that the data structure does not matter about that information data. Still more, the configurations of lists we show are only examples. Hence two or more lists can be merged to be a one list, and one list can be divided into plural lists.


In the following description, “storage unit” may be one or more storage devices including memories. For example, a storage unit may be at least a main storage device of a main storage device (typically, a volatile memory) and an auxiliary storage device (typically, a nonvolatile memory). An auxiliary storage device may be, for example, a HDD (Hard Disk Drive) or a SSD (Solid State Drive).


In the following description, “processor” may typically be a microprocessor (for example, CPU (Central Processing Unit)), and can include a private hardware circuit (for example, ASIC (Application Specific Integrated Circuit)) which executes a part of the process such as encryption or decryption.


In at least one embodiment, a control center machine which issues common 1-day passwords, intervenes in the two entities, a service system and a user, and thereby an authentication among three entities is executed. In the description of the embodiments, we adopt the following notations. Here, generally there are one or more users, but for simplicity of the description, we mention the embodiments under the condition that the number of users is one, because in the embodiments, no transmission is yielded among users.

    • tpw: a common 1-day password
    • C(j): a control center machine (where j is an integer more than or equal to 1 (j=1, 2, 3, . . . )) (A manager or an owner of a control center machine may be an individual, a private company, or a government and municipal office.)
    • Si: a service system (where i is an integer more than or equal to 1 (i=1, 2, 3, . . . )) (A manager or an owner of a service system may be an individual, a private company, or a government and municipal office.)
    • Si(j): Si registered in C(j)
    • U: a user
    • UP: a first user terminal (a user device to access to Si(j), for example, a personal computer, PC)
    • UM: the second user terminal (a user terminal which is used for sending requests of tpw issuance, and with which device authentication can be performed, for example, a mobile terminal such as a smartphone)
    • APP: an application program (software) which is executed for corresponding with C(j) when a tpw request is made
    • suKeyi(j): a key shared by U (such as UM) and Si(j)
    • cID(j): the control center machine ID assigned to C(j)
    • sysIDi(j): the service system ID assigned to Si(j)
    • mIDi(j): the master ID to Si(j), and information shared by C(j) and Si(j), that differs from user to user
    • tReqPw(j): a password used for a request of tpw issuances
    • reqPw: the seed information for tReqPw(j) (that is the first information a user has in mind)
    • uIDi(j): a user ID for Si(j) (that is the second information a user has in mind), which is shared by U and Si(j)
    • aID(j): ID assigned to APP (As mentioned later, plural distinct aID(j)s can be assigned to an identical APP in order to evade user-linkability.)
    • uListi(j): a management list that Si(j) stores (the list which keeps information on U)
    • aList(j): a first management list that C(j) stores (the list which keeps information on UM etc.)
    • sList(j): a second management list that C(j) stores (the list which keeps information on Si(j) etc.)
    • cList(j): a third management list that C(j) stores (the list which keeps information on C(j) etc.)
    • pList: a list that UM stores (the list which keeps information on C(j) and Si(j) etc.)
    • tpwInfoi(j): information accompanied by tpw which is determined by Si(j) and which can include information on the use restriction of tpw (In the following embodiments, because tpw is a common 1-day password, every tpwInfoi(j) includes the expiration date “before 00:00 of the next day of the date of tpw issue” and the frequency of possible use “no limit” as its restriction.)
    • Ticket: an electronic permit for registration of U to C(j), which is issued by C(j)
    • Passi(j): an electronic permit for tpw issuance, which is issued by C(j)


In the following embodiments, one user uses two terminals (or more). However, one user may as well use only one terminal, and in that case, the terminal such as UM may as well play serve both the second user terminal and the first one.


Also, in the following description, no matter whether the number of C(j) is one or more, the numbers of reqPw, APP or pList may be one, and reqPw, APP or pList may exist for each C(j). In the following description, the numbers of reqPw, APP and pList are all one regardless of the number of C(j).


Also, in the following description, whereas we often explain processes for the subject of a program such as APP, the subject of processes may be a processor because a decided process is performed appropriately using a storage unit (such as a memory) and/or an interface unit (such as a communication port) etc. according as a program is executed by a processor (such as a CPU (Central Processing Unit)). A process described for the subject of a program may be a process that a processor or an apparatus/system possessing the processor performs. A program may be installed to an apparatus such as a computer using a program source. A program source may be, for example, a program distribution server or a storage media that a computer can read. In the case that a program source is a program distribution server, the program distribution server includes a processor (such as a CPU) and a storage unit, and furthermore, the storage unit may store distribution programs and programs being distributed. And then, the processor of the program distribution server may distribute programs being distributed to other computers, according as that the processor of the program distribution server executes the distribution program.


Embodiment 1

In the following, we describe Embodiment 1. In Embodiment 1, there is one control center machine (only the C(1))



FIG. 1 shows the overview of the authentication process at Embodiment 1.


An authentication among three entities is executed, according as that a control center machine 101 (C(1)) that issues tpw intervenes in the two entities, a service system 103 (In FIG. 1, illustrated is only Si(1)) and a user terminal 105 (the first user terminal 105A (UP), the second user terminal 105B (UM)).


A user (U) inputs a reqPw (for example, the value “xxxx”) at the display screen that is shown by APP executed in UM the user possesses, and UM (APP) generates tReqPw(1) based on the input reqPw, and sends a request of tpw issuance (Step 50). The request of tpw issuance is associated with (includes) the generated tReqPw(1) and Pass1(1) that is issued by the C(1) in the pre-registration and that is stored in the UM.


The C(1) receives the request of tpw issuance, and judges whether tReqPw(1) related to the request of tpw issuance coincides with the pre-registered tReqPw(1) or not, and whether Pass1(1) related to the request of tpw issuance valid or not (Step 51). In the case where both judgements are positive, the C(1) determines a tpw (for example, the value “1234”), and issues the determined tpw to the U(UM) and the S1(1) (Steps 53 and 54). At that time, the C(1) sends, to the S1(1), the information suite which includes mID1(1) shared by S1(1) and C(1), and the determined tpw (Step 53).


The UM (APP) receives the tpw from the C(1), and outputs (or, displays) the received tpw (for example, the value “1234”) (Step 55). The output of tpw may be by means of other type output such as speech output, instead of or besides display.


The U (UP) inputs, for S1(1), the same tpw with the tpw in the information suite that UM received, and uID1(1) (for example, the value “yyyy”) that the U has in mind (Step 56).


The Si(1) identifies U corresponding to mID1(1) received from the C(1). The S1(1) judges whether the input uID1(1) coincides with the pre-registered uID1(1) or not, and whether the input tpw coincides with the tpw received from the C(1) (Step 57) or not. In the case where both judgements are positive, the S1(1) provides service for the U.


There are three parameters (keys) given, for identifying the U, below:

    • tReqPw(1) shared by the C(1) and the U;
    • uID1(1) shared by the S1(1) and the U; and
    • mID1(1) shared by the C(1) and the S1(1).


The three IDs given above can be known only by two entities.


Namely,

    • The S1(1) does not know the tReqPw(1);
    • The C(1) does not know the uID1(1); and
    • The U does not know the mID1(1).


Thus, by purposely making three-way deadlock, wherever data breach happens, unless any two entities leak data simultaneously, then impersonation crime cannot be materialized.


Since the U uses the UM that the U possesses in order to get the tpw, no hardware for exclusive use is necessary. Also, as described later, the C(1) can recognize the UM without UM's sending its individual identification number. In this embodiment, two-factor authentication with authentication by memories (user authentication being authentication for tReqPw(1) generated based on reqPw U has in mind) and authentication by possessions (device authentication being authentication of Pass1(1) stored in UM used at registration) can be performed.


In the following, explained are configuration examples of UM, UP, Si(j) (S1(1)), C(j) (C(1)), uListi(j) (uList1(1)), aList(j) (aList(1)), pList, sList(j) (sList(1)) and cList(j) (cList(1)).



FIG. 2 shows a configuration example of the UM.


The UM is a mobile terminal such as a smartphone. A smartphone is a kind of smart devices. A smart device is a multifunctional device which is available for not only simple calculation but also wide variety of use, and typically is a smartphone or a tablet PC. The UM comprises a touch panel type display 211, a storage unit 213, an I/F (communication interface device) 214, and a processor 212 that is coupled to those. The touch panel type display 211 is an example of an input device and a display device, and is a one-piece device with an input device and a display device. The storage unit 213 stores programs such as an APP and data such as a pList. The processor 212 executes the APP. The APP refers to or updates the pList, and communicates with an external apparatus such as C(j) (the C(1)) via the I/F 214, by turns. The APP may display at least a part of the pList on the touch panel type display 211, and may send (input) the received tpw to the UP via a wireless LAN or the like.



FIG. 3 shows a configuration example of the UP.


The UP comprises a storage unit 311, an I/F 313, an input device 315, a display device 314 and a processor 312 that is coupled to those. The input device 315 is a device with which a user inputs data, and is, for example, a keyboard and a pointing device. The display device 314 is a device on which data is displayed, and is, for example, a liquid crystal display device. The storage unit 311 stores programs such as a web browser, and data. The processor 312, by executing a program such as the web browser, communicates with an external apparatus such as the Si(j) (S1(1)) via the I/F 313.



FIG. 4 shows a configuration example of the Si(j) (S1(1)).


The Si(j) (S1(1)) comprises a computer system that provides services to user terminals (for example, the UP), and is typically a computer system of a service company. The Si(j) (S1(1)) is one or more computers, and comprises a storage unit 411, an I/F 413, and a processor 412 that is coupled to those. The storage unit 411 stores programs and data such as a uListi(j) (uList1(1)). The processor 412, by executing the programs in the storage unit 411, refers to or updates the uListi(j) (uList1(1)), and communicates with an external apparatus such as the UP via the I/F 413.



FIG. 5 shows a configuration example of the C(j) (C(1)).


The C(j) (C(1)) is a computer system that issues tpw. The C(j) (C(1)) is one or more computers, and comprises a storage unit 511, an I/F 513 and a processor 512 that is coupled to those. The storage unit 511 stores programs and data such as an aList(j) (aList(1)), a sList(j) (sList(1)) and a cList(j) (cList(1)). The processor 512, by executing the programs in the storage unit 511, refers to or updates the aList(j) (aList(1)), the sList(j) (sList(1)) and the cList(j) (cList(1)), and communicates with an external apparatus such as the UM or the Si(j) (S1(1)) via the I/F 513.



FIG. 6 shows a configuration example of the uListi(j) (uList1(1)). Here, in FIG. 6 to FIG. 10, the names of the information elements in the lists are written with capital letters. Also, in the following, we call a row (a record) in a list “account”.


The uListi(j) (uList1(1)) has data on U. The information elements that each account in the uListi(j) has, are, for example, UID, MID, TPW, TPWINFO, SUKEY and OTHERS. The UID indicates uIDi(j) registered. The MID indicates mIDi(j) registered. The TPW indicates tpw registered. The TPWINFO indicates tpwInfoi(j). The SUKEY indicates suKeyi(j) registered. The OTHERS indicates other information elements, and may include the user name of U, for example.



FIG. 7 shows a configuration example of the aList(j) (aList(1)).


The aList(j) (aList(1)) has data on UM etc. The information elements that each account in aListi(j) has, are, for example, SN, SYSID, MID, TREQPW, AID and OTHERS. The SN indicates serial numbers (sn) registered. The SYSID indicates sysIDi(j) registered. The MID indicates mIDi(j) registered. The TREQPW indicates tReqPw(j) registered. The AID indicates aID(j) registered. One aID(j) is assigned to one APP and one C(j), but plural distinct aID(j)s may be generated for one APP and one C(j). The OTHERS indicates other information elements, and may include information necessary for operation etc. by C(j), for example.



FIG. 8 shows a configuration example of the pList.


The pList (pList) has data on C(j) and Si(j) etc. The information elements that each account in pList has, are, for example, SYSID, CID, RAND, AID, PASS, SUKEY and OTHERS. The SYSID indicates sysIDi(j) registered. The CID indicates cID(j) registered. The RAND indicates a random number registered (that we write as Rand hereafter). The Rand, as described later, is used in order to generate (figure out) tReqPw(j). The AID indicates aID(j) registered. The PASS indicates Passi(j) registered. The Passi(j) is an electronic permit for tpw issuance. The details of Passi(j) are described later. The SUKEY indicates suKeyi(j) registered. The OTHERS indicates other information elements, and may include information on communication etc. with C(j), for example.



FIG. 7 shows a configuration example of the sList(j) (sList(1)).


The sList(j) (sList(1)) has data on Si(j) etc. The information elements that each account in sList(j) has, are, for example, SYSID and OTHERS. The SYSID indicates sysIDi(j) registered. The OTHERS indicates other information elements, and may include the name of Si(j) and information necessary for communication with Si(j) (such as FQDN (Fully Qualified Domain Name) and the network address), for example.



FIG. 10 shows a configuration example of the cList(j) (cList(1)).


The cList(j) (cList(1)) has data on other C(j) etc. (In this embodiment, since the number of C(j) is one, cList(j) is blank.) The information elements that each account in cList(j) has, are, for example, CID and OTHERS. The CID indicates cID(j) registered. The OTHERS indicates other information elements, and may include the name of other C(j) and information necessary for communication with other C(j) (such as FQDN and the network address), for example.



FIG. 11 shows tpw provision by the C(1).


The C(1) provides tpw (such as the value “1234”) (and mIDi(1)) to all Si(1) the user makes a contract with (respective Si(1) corresponding to sysIDi(j) identified by the aList(1) for the identified user). According to the example given by FIG. 11, the Si(1) which the user makes a contract with are S1(1), S2(1) and S3(1). The C(1) may provide tpw to the Si(1) without tpw query by the Si(1), and may provide tpw to the Si(1) as the response for tpw query by the Si(1). The U (UP) can login to any Si(1) which the U make a contract with, using the identical tpw, until the expiration date that tpwInfoi(1) represents (for example, during the day (the valid period does not have to be for 24 hours, and the period of validity does not have to be until 23:59 on the day (that is, one example that means the time just before 0:00 on the next day))). The tpwInfoi(1) may be distinct for each Si(1), and may be identical for plural Si(1).


In the following, we describe the flow of the process performed in this embodiment.


<Pre-Registration>
<<First Registration>>


FIG. 12 shows an example of the flow for the first registration.


First registration is a pre-registration by which U that is not registered in C(1) becomes able to use Si(1). First registration includes a two-stage procedure. The first stage is a procedure performed between U and Si(1), and the second stage is a procedure performed between U and C(1).


The first stage (the procedure performed between U and Si(1)) consists of Step 1201 to Step 1207 in the following. Here, we think that the U makes a usage application to the S1(1).


(Step 1201) The U (UP) sends the usage application to the S1(1). At that time, the U (UP) determines uID1(1) used for the S1(1).


(Step 1202) The S1(1) receives the usage application from the U (UP), determines suKey1(1) for the U as the response for the application, and adds the account to uList1(1). The S1(1) registers, to the added account, the determined uID1(1) as UID, and registers the determined suKey1(1) as SUKEY.


(Step 1203) The S1(1) sends, to C(1), a user addition request associated with sysID1(1).


(Step 1204) The C(1) receives the user addition request, determines mID1(1) corresponding to both sysID1(1) and the added U, and adds the account to aList(1). The C(1) registers, to the added account, sn (such as the serial number for the accounts) as SN, sysID1(1) related to the user addition request as SYSID, and the determined mID1(1) as MID. Hereafter, we often write, as “sn1”, the sn determined here.


(Step 1205) The C(1) generates a registration ticket (hereafter, Ticket), and sends the generated Ticket and mID1(1) determined in Step 1204, to the S1(1). Ticket is based on the first digital signature (hereafter, “Sign1”), cID(1), the registered sn1 and sysID1(1). Specifically, the Ticket includes Sign1, cID(1), sn1 and sysID1(1) (Ticket=(sn1, cID(1), sysID1(1), Sign1)). The Sign1 is based on the cID(1), the registered sn1 and sysID1(1). Here, in the Ticket, the sn is the information element that the C(1) uses in order to identify the user (the serial number, for example). The cID(j) is the information element that the APP uses in order to identify to which control center machine to register (In some way such as that cID(j) includes the information necessary for communication with C(j), the information necessary for communication with C(j) and cID(j) have only to be associated with each other in APP). The Ticket does not have to include sysID1(1). For example, the Sign1 includes the cID(1), the sn1 and the sysID1(1) (Sign1=sign(sn1, cID(1), sysID1(1), aux)). If the sysID1(1) is not included in the Ticket, then the sysID1(1) does not have to be included in the Sign1. The Sign1 has only to be verified by C(1) for its validity. Here, aux (auxiliary information) may include some information elements in the uList1(1) (for example, at least a part of the OTHERS). The aux does not have to be included in the Sign1.


(Step 1206) The S1(1) receives the Ticket and the mID1(1) from the C(1). The S1(1) associates the uID1(1) registered at Step 1202 with the received mID1(1). Specifically, the S1(1) registers, as MID, the received mID1(1) to the account with the uID1(1) registered at Step 1202.


(Step 1207) The S1(1) sends, to the U (UP), the received Ticket and the suKey1(1) registered at Step 1202.


The second stage (the procedure performed between U and C(1)) consists of Steps 1208 to 1211 in the following.


(Step 1208) The U determines reqPw, and inputs, to the UM, the determined reqPw, and the Ticket and the suKey1(1) that are received with UP. The APP in the UM, in response to that input, determines a random number (Rand), and generates tReqPw(1). The tReqPw(1) is based on the determined Rand and the input reqPw (Hereafter, we often write, as “Rand1”, the Rand determined here). Specifically, for example, the tReqPw(1) is the irreversibly converted value of reqPw using a collision-resistant one-way function (hash function) and the Rand1 (tReqPw(j)=hj(Rand1, reqPw)). Whereas the tReqPw(j) plays a role of passwords, since it is something indecipherably encrypted by a collision-resistant one-way function etc., the secrecy of reqPw can be kept. The function h for generation of tReqPw, as the notation of hj, may be distinct for each control center machine. Therefore the U, only with having one reqPw in mind, can register the tReqPw distinct for each control center machine. The UM (APP) sends the Ticket and the tReqPw(1) to the C(1) identified by the cID(1) in the Ticket. Here, whereas the confidentiality may be decreased, it is possible that the UM sends the Rand and the reqPw to the C(1), and the C(1) generates the tReqPw(1) using the Rand and the reqPw sent by the UM. Also, the Rand does not have to be, but, with Rand, it can be avoided that all tReqPw(1) for the identical U in the aList(1) in the C(1) are of the same value.


(Step 1209) The C(1) receives the Ticket and the tReqPw(1) from the UM (APP). The C(1) judges whether the Ticket is valid or not by judging whether the Sign1 in the Ticket is correct or not. In the case where the judgement is positive, the C(1) identifies the account in the aList(1) that has SN coinciding with the sn in the Ticket. The C(1) generates aID(1) for the APP (UM) that is the sender of Ticket, registers the generated aID(1) as AID, and registers the received tReqPw(1) as TREQPW for the identified account. Whereas tReqPw(j) plays a role of passwords, since it is something indecipherably encrypted by a collision-resistant one-way function etc., the secrecy of reqPw can be kept even if tReqPw(j) is leaked from aList(1).


(Step 1210) The C(1) generates Pass1(1), and sends the generated Pass1(1) to the UM (APP). The Pass1(1) is based on the sn1, the cID(1) and the sysID1(1) that are already registered in the aList(1), the aID(1) registered at Step 1209, and the second digital signature (hereafter, “Sign2”). Specifically, for example, the Pass1(1) includes the sn1, the cID(1), the sysID1(1), the aID(1) and the Sign2 (Pass1(1)=(sn1, cID(1), sysID1(1), aID(1), Sign2)). The aID(1) in Pass1(1) is the information element used for identifying all (or some) Si(1) that are the issue destinations of tpw when receiving a request of tpw issuance from the UM later (In the aList(1), an identical aID(1) is associated with to plural sysIDi(1)). Sign2 is based on sn1, cID(1), sysID1(1) and aID(1) that is registered at Step 1209. Specifically, for example, the Sign2 includes the sn1, the cID(1), the sysID1(1) and the aID(1) (Sign2=sign(sn1, cID(1), sysID1(1), aID(1), aux)).


(Step 1211) The UM (APP) receives the Pass1(1) from C(1), and adds an account in the pList. The UM (APP), to the added account, registers the sysID1(1) in the Pass1(1) (or in the Ticket) as SYSID, the cID(1) in the Pass1(1) (or in the Ticket) as CID, the Rand1 determined at Step 1208 as RAND, the aID(1) in Pass1(1) as AID, the received Pass1(1) as PASS, and the suKey1(1) input at Step 1208 as SUKEY. Here, among the information elements registered in an account in the pList, information elements, for example, except for the cID(1) and sysID1(1), may be encrypted using at least one of the data UM has (for example, at least one of the individual identification data and the personal identity number in the future (and its accompanying data)) and the data the U has in mind (for example, reqPw), as the encryption key (Since cID(1) and sysID1(1) are open information elements, they do not have to be encrypted).


<<Second or Further Registration>>


FIG. 13 shows an example of the flow for Second or further registration.


When the U that is already registered in the C(1) make a use of another service system (say, S2(1)), the U can use the aID(1) received at the First registration. Specifically, the first stage is the same with that for First registration (Steps 1301 to 1307 are the same with Steps 1201 to 1207, respectively). The second stage (the procedure performed between the U and the C(1)) is in the following. Mainly, we describe the difference from the second stage in the First registration, and omit or simplify the description for similarities with the second stage in First registration.


(Step 1308) The U inputs, to the UM, the reqPw that the U has used at the First registration (data that the U has in mind) and the Ticket and suKey2(1) that are received with the UP. The UM (APP) displays the pList to the touch panel type display 211, and receives, from the U, the choice of the accounts now used. The UM (APP) judges whether the cID(1) in the input Ticket is the same with the cID(1) obtained from the chosen account, or not. In the case where this judgement is positive, the UM (APP) generates tReqPw(1) (=h1(the obtained Rand1, the input reqPw)), and sends the generated tReqPw(1), Pass1(1) obtained from the account, and the input Ticket, to the C(1).


(Step 1309) The C(1) receives the Ticket, the Pass1(1) and the tReqPw(1) from the UM (APP). The C(1), by verifying the Sign1 in the received Ticket, judges whether the Ticket is valid or not. In the case where the judgement is positive, the C(1) identifies the account in the aList(1) that has SN coinciding with the sn (hereafter, “sn2”) in the Ticket, and also retrieves the aID(1) from the received Pass1(1). The C(1) registers, to the identified account, sn2 in the Ticket as SN, the retrieved aID(1) as AID, and the received tReqPw(1) as TREQPW.


(Step 1310) The C(1) generates Pass2(1) (=(sn2, cID(1), sysID2(1), aID(1), Sign2)), and sends the generated the Pass2(1) to the UM (APP). The Sign2 in the Pass2(1) is Sign2=sign(sn2, cID(1), sysID2(1), aID(1), aux).


(Step 1311) UM (APP) receives the Pass2(1) from the C(1), and adds an account in the pList. The UM (APP), to the added account, registers the sysID2(1) in Pass2(1) (or in the Ticket) as SYSID, the cID(1) in the Pass2(1) (or in the Ticket) (or cID(1) obtained at Step 1308) as CID, the Rand1 obtained at Step 1308 as RAND, the Pass2(1) as PASS, and the suKey2(1) input at Step 1308 as SUKEY.


As described above, Pre-registration consists of First registration and Second or further registration. The U may clarify, to the UM (APP), which of the First registration and the Second or further registration it is. For example, the APP displays the screen that receives the choice that is either First registration or the Second or further registration (such as GUI (Graphical User Interface) with the button for First registration and the button for the Second or further registration), and, according to which button is pushed, may determine to execute which process of the First registration and the Second or further registration. Also, the U may choose the First registration in the case where the U uses some Si(1) first time after the First registration for the C(1) has been finished. In this case, it turns out that, for an identical U, plural distinct aID(1) are registered in the C(1). Whether it is the First registration or the Second or further registration, is whether an identical aID(1) is associated with plural distinct Si(1) or not. If the association is performed, then the restoration is relatively easy in case the UM is lost or reqPw is forgotten, and so on. Because, if the U tells, to some Si(1), the effect, then the Si(1) can send mIDi(1) corresponding to the U to the C(1), and the C(1) can identify aID(1) associating with the mIDi(1), and can identify, with the aList(1), all sysIDi(1) associating with the identified aID(1). Also, for the U, since an identical aID(1) associates with plural distinct sysIDi(1), the group of Si(1) for the U can be identified. On the other hand, if the association is not performed, then it can be avoided that the C(1) may identify, with the aList(1), which plural Si(1) the U uses. In Embodiment 1, the U can choose whether the association is performed or not.


<Issuance of Tpw (Common 1-Day Password)>

In the following, we describe the flow for the issuance of tpw that can be available for all or some Si(1) the U registers to use.



FIG. 14 shows an example of the flow for the issuance of tpw at Embodiment 1. Here, in the following description, the group of plural SYSID (here, all SYSID registered in pList) is denoted by “SYSIDGroup”. Also, at least one of SYSID is denoted by “SYSIDPart”. Hence, SYSIDPart satisfies SYSIDPart⊂SYSIDGroup (“SYSIDPart⊂SYSIDGroup” includes the case of SYSIDPart=SYSIDGroup). And, PassSYSIDPart for SYSIDPart⊂SYSIDGroup is {Passi(1)}K. K stands for sysIDi(1)εSYSIDPart. That is, the meaning of PassSYSIDPart is the set of Passi(1) each of which is corresponding to the respective sysIDi(1) constructing SYSIDPart. The flow of the issuance for tpw that U can use for all in SYSIDPart C SYSIDGroup, is in the following.


(Step 1401) The UM (APP) displays, for example, at least a part of data in the pList, and receives, from the U, the choice of SYSIDPart among SYSIDGroup and the input of reqPw. UM (APP) chooses one Passi(1) from PassSYSIDPart. Also, the UM (APP) obtains Rand from the account with the chosen Passi(1), and generates tReqPw(1) using the obtained Rand and the input reqPw. The UM (APP) sends a request of tpw issuance associated with SYSIDPart chosen by the U, the generated tReqPw(1) and the chosen Passi(1), to the C(1) identified by the cID(1) corresponding to the chosen Passi(1). Here, the choice of SYSIDPart may be performed by the UM (APP) instead of the U.


(Step 1402) The C(1) receives the request of tpw issuance from the UM (APP), and performs the first judgement of whether the tReqPw(1) related to the request is correct or not, and the second judgement of whether Passi(1) related to the request is valid or not. The first judgement is, for example, the judgement of whether TREQPW for the account (an account in aList(1)) with sn coinciding with the sn in the Passi(1) coincides with the tReqPw(1) related to the request, or not. The second judgement is performed by judging whether Sign2 in the Passi(1) is correct or not, using the information elements (CID, SYSID, AID) for the account (an account in aList(1)) with the sn coinciding with sn in Passi(1) and the information elements (cID(1), sysIDi(1), aID(1)) in the Passi(1). In the case where at least one of the first judgement and the second judgement is negative, the C(1) may stop the process. In the case where both of the first judgement and the second judgement are positive, the C(1) performs Step 1403.


(Step 1403) The C(1) refers to the aList(1), and identifies all the accounts that have AID coinciding with the aID(1) in the Passi(1) judged to be valid, and that have SYSID coinciding with some sysIDi(1) in SYSIDPart related to the request of tpw issuance. The C(1) obtains the respective MID (mIDi(1)) from all the identified accounts. The set of mIDi(1) obtained here, is denoted by “MIDGroup”. MIDGroup is {mIDi(1)}L. L stands for “sysIDi(1) εSYSIDPart, AID=aID(1)”.


(Step 1404) The C(1) determines tpw. The tpw may be, for example, a random value. The C(1), for each sysIDi(1) (εSYSIDPart), performs the following. In the description for Steps from 1404 to 1407, one sysIDi(1) is taken as an example. The C(1) sends, to Si(1) corresponding to sysIDi(1), mIDi(1) corresponding to the Si(1) and the determined tpw (the C(1) sends a request of tpw registration associated with the mIDi(1) and the tpw, to the Si(1)). Here, the C(1) sends tpw without query from the Si(1), but, as described above, the C(1) may send tpw as a response for the query.


(Step 1405) The Si(1) receives the mIDi(1) corresponded to the Si(1) and the determined tpw, from the C(1). The Si(1) identifies the account in the uListi(1) that has MID coinciding with the received mIDi(1). The Si(1) registers, to the identified account, the received tpw as TPW. Also, the Si(1) determines tpwInfoi(1) for the tpw, and registers, to the account, the determined tpwInfoi(1) as TPWINFO. The tpwInfoi(1) may include information that represents the restriction on tpw such as the expiration date of the tpw and the frequency of possible use. In this embodiment, as described above, since the tpw means a common 1-day password, tpwInfoi(1) includes, as the use restriction, the expiration of date “before 00:00 of the next day of the date of tpw issue” and the frequency of possible use “no limit”.


(Step 1406) The Si(1) obtains SUKEY (suKeyi(1)) for the account identified at Step 1405. The Si(1) encrypts, with the obtained suKeyi(1), data mesi(j) (mesi(1)) including the registered tpwInfoi(1). As a result, eMesi(1) (the encrypted data for mesi(1)) that is EncSUKEY (mesi(1)), is obtained (SUKEY=suKeyi(1)). The Si(1) sends the obtained eMesi(1) to the C(1). Here, mesi(1) may include information on Si(1) besides tpwInfoi(1). The information on the Si(1) may include uIDi(1) for the U (UID obtained from the account identified at Step 1405). The encryption function (Enc) may be, for example, the encryption function for a pre-determined symmetric encryption scheme. The eMesi(1), as described later, is a data that reaches UM (APP) via C(1). And, the eMesi(1) is, by the UM (APP), decrypted with the identical suKeyi(1) with the suKeyi(1) used for the encryption. That means that the mesi(1) is obtained. The UM (APP) displays at least a part of the data in the obtained mesi(1) (for example, uIDi(1)) to the touch panel type display 211. Therefore, even if the U has forgotten uIDi(1), the U can know uIDi(1) in appropriate timing of the response for a request of tpw issuance (without UM's (APP's) bothering to make a query for uIDi(1)).


(Step 1407) In the case where the C(1) receives the responses (eMesi(1)) from all the Si(1) corresponding to sysIDi(1) (εSYSIDPart), C(1) sends all of those eMesi(1) (={eMesi(1)}M), and the tpw determined at Step 1404, to UM (APP) (M=sysIDi(1)εSYSIDPart).


(Step 1408) The UM (APP) receives {eMesi(1)}M and tpw from the C(1). The UM (APP) performs the following for each eMesi(1) included in {eMesi(1)}M. One eMesi(1) is taken as an example. The UM (APP) identifies the account corresponding to the eMesi(1) from the pList. The UM (APP) obtains SUKEY (suKeyi(1)) from the identified account, and decrypts eMesi(1) using the obtained suKeyi(1). Therefore, the mesi(1) is obtained. The UM (APP), for at least a part of the information elements in the obtained mesi(1), performs at least one of displaying it and registering it to the account identified above. The UM (APP) may register the received tpw to the account. UM (APP) may display the received tpw to Touch panel type display 211.


<Use of Si(1)>


The flow is similar with the flow described with referring to FIG. 1. Specifically, it is, for example, the following. In the following, one Si(1) is taken as an example (Here, at the use phase of Si(1), the tpw provided for the U is already registered in the uListi(1) the Si(1) has). The U inputs uIDi(1) and tpw to the UP. The Si(1) receives a service provision request from the U (UP). The service provision request is associated with the uIDi(1) and tpw that are input to the UP. The Si(1) performs the collation for the uIDi(1) and tpw. Specifically, the Si(1) judges whether there is an account to which UID and TPW coinciding with the uIDi(1) and the tpw respectively are registered, or not. In the case where the judgement is positive, the Si(1) provides services for the U (UP) (For example, Si(1) permits the login).


The identical tpw can be available to the plural Si(1) during the day (The expiration date the tpw for Si(1) is according to tpwInfoi(1) that is corresponding to Si(1) and related to the tpw). Here, the expiration date of the tpw (the expiration date that tpwInfoi(1) related to the tpw represents) does not have to be necessarily for 24 hours and to be until 23:59 on the day. Also, besides the expiration date, the frequency of possible use (N times (N is an arbitrary integer greater then or equal to 1)) may be defined as the restriction for tpw. The tpwInfoi(1) may be distinct for each Si(1).


Also, the UM (APP) may display all (or a part) of the uIDi(1) used at that respective Si(1) the U uses. For example, the UM (APP) may issue a query to the C(1) for user ID as the response for a request from the U. The flow from the query for the user ID to its response, may be similar with the flow from the query of a request of tpw issuance to its response. In the response, the encrypted user ID (the uIDi(1) encrypted with suKeyi(1)) coming from the Si(1) via the C(1) may be included. Also, in the response, one or more encrypted user ID corresponding to each of all (or a part) Si(1). The UM (APP) may decrypt the encrypted user ID with suKeyi(1), and display the decrypted user ID.


Also, for at least one Si(1), instead of sending tpw without the query from Si(1), the C(1) itself may keep it (For example, the C(1) may register the tpw to the account corresponding to the Si(1) (an account in the aList(1))). In this case, when the Si(1) receives a service provision request from the U (UP), the Si(1) may send the tpw query associated with mIDi(1) for the U. The C(1), when receiving the tpw query, may identify the tpw for mIDi(1) corresponding to the tpw query, and may send the identified tpw to the Si(1) the tpw query origin.


Thus, according to Embodiment 1, at least one effect of the following can be successful.


(1) U is relieved from trouble of the management of ID and passwords. If the U obtains a tpw (common 1-day password) once a day, then the U can log in to all (or a part) of Si(1) the U uses, with the identical tpw during the day. Therefore, the U is relieved from trouble of the management. Also, even if uIDi(1) is forgotten, it is displayed to the UM. This respect contributes the release from trouble of the management.


(2) Security is enhanced.


tpw gets unavailable in one day (after the expiration date represented by tpwInfoi(1)). Therefore, even if the tpw is stolen, the tpw is not available on the next day. Hence, the security is enhanced. Also, by restricting the frequency of possible use besides the expiration date, further security enhancement can be expected. Also, the tpw cannot be obtained using any user terminals except for UM used at Pre-registration. Because, in a user terminal except for the UM, there does not exist the pList in which the information elements obtained at Pre-registration are registered. This respect also contributes the enhancement of security. Also, even if UM is picked up by other people, since the reqPw that U has in mind is necessary for a request of tpw issuance, it cannot happen that the tpw is obtained by other people unless reqPw is known to other people.


(3) It is tolerant to information leakage.


The U does not know mIDi(1) shared by the C(1) and the Si(1). The C(1) does not know uIDi(1) shared by the Si(1) and the U. The Si(1) does not know tReqPw(1) shared by the C(1) and the U. Thus, by intentional three-way deadlock, even if information leakage happens at any one of the three entities, impersonation is not materialized.


(4) The growth for use of Si(1) can be expected.


For the U, use of service in the Internet begins with checking the ID and the password. The more the number of the service used, the more troublesome the management of ID and passwords is. By being relieved from such inconvenience, users are expected to expand use of the Internet more.


Embodiment 2

In the following, we describe Embodiment 2. Then, we mainly describe the difference from Embodiment 1, and omit or simplify the description for similarities with Embodiment 1.


In Embodiment 2, there are two or more C(j). For example, as shown in FIG. 15, we suppose that C(1) and C(2) exist. Also, we suppose that S1(1) and S2(1) are registered to the C(1), and that S1(2) and S2(2) are registered to the C(2). And, we suppose that U is registered to those four service systems (the S1(1), S2(1), S2(1) and S2(2)). At that time, we suppose that the U, at the registration to the S2(1), uses the data registered in the pList at the registration to the S1(1), but the U, at the registration to the S2(2), does not use the data registered in the pList at the registration to the S1(2). In other words, we suppose that the First registration is performed for the S1(1), and that the Second or further registration is performed for the S2(1). Also, we suppose that the First registration is performed for the S1(2) and for the S2(2), too. If AID is of the same value, then RAND is also of the same value. Also, if AID is of the same value, then CID is also of the same value.


Consequently, the pList is as shown in FIG. 16. That means, AID associated with the S2(1) is aID(1), that is, of the same with AID associated with the S1(1). On the other hand, AID associated with the S2(2) is aID(2′), that is, different from AID associated with the S2(1). In the case where there are two or more C(j), it is guessable that the UM (APP) performs the flow for tpw issuance at Embodiment 1 for every C(j). However, then, tpw should be distinct for each C(j), and the convenience for the U is decreased.


Then, in Embodiment 2, tpw can be common for two or more C(j).



FIG. 17 shows an example of the flow for tpw issuance at Embodiment 2.


Between the UM (APP) and the C(1) (the destination of the first request of tpw issuance on the day), the flow for tpw issuance at Embodiment 1 is performed. Then, the UM (APP) receives tpw from the C(1).


The UM (APP) receiving the tpw, performs the following process between the UM (APP) and each of other C(J) in which the U is registered (Here, J is an integer greater than or equal to 2). UM (APP) sends a request of tpw issuance associated with the tpw received from the C(1), to the C(J). The C(J) receives the request of tpw issuance associated with the tpw. The C(J), without newly issuing tpw, sends the tpw related to the received request of tpw issuance to each Si(J) registered in the C(J). The C(J) receives the response including eMesi(J) from each Si(J). And, the C(J) sends the response including {eMesi(J)}M (M=sysIDi(J)εSYSIDPart) to the UM (APP), and the UM (APP) receives the response.


Thus, the UM (APP) notifies the tpw to each of all C(J) except for the C(1) (sends a request of tpw issuance associated with the tpw), and receives, from each of all the C(J) except for the C(1), the response including {eMesi(J)}M. In the case where this series of processes is finished, the U, during the day, using an identical tpw, can log in to (receive service from) any Si(j) registered to any C(j) (here, j is an integer greater than or equal to 1). Here, in the case where an error occurs in the communication to any C(j) in which the U is registered except for the C(1), the process may be re-started from the flow for tpw issuance between the UM (APP) and the C(1).


Embodiment 3

In the following, we describe Embodiment 3. Then, we mainly describe the difference from Embodiment 1 or 2, and omit or simplify the description for similarities with Embodiment 1 or 2.


In Embodiment 2, since the UM (APP) needs to send a request of tpw issuance to each C(j), the number of communication that the UM (APP) performs gets increased.


Then, in Embodiment 3, the number of communication that the UM (APP) performs can be decreased according as C(j) exchanges data (For example, the UM (APP) has only to communicate only to the C(1) among two or more C(j)).


In the following, we describe Embodiment 3 in detail. Then, for simplicity of description, we adopt the following notation rules.

    • SIDGroup(j)SYSIDPart,aID: The set consisting of all sysIDx(j) (εSYSIDPart) for which AID is aID (x means that the value of i may be any);
    • AIDSYSIDPart: The set consisting of AID for each sysIDx(x) εSYSIDPart⊂SYSIDGroup in pList;
    • PassSYSIDPart,aID: The set consisting of PASS for all account for which SYSID is an element in SYSIDPart, for which AID is aID.



FIG. 18 shows an example of the flow for tpw issuance at Embodiment 3.


(Step 1801) the U chooses SYSIDPart (C SYSIDGroup), and inputs reqPw and SYSIDPart to UM (APP). Then, we suppose that AIDSYSIDPart is {aID1, . . . , aIDN}. In the following, one aIDW is taken as an example (1≦W≦N). Let “JW” be the j corresponding to aIDW. The UM (APP) chooses one account having aIDW, computes tReqPwW (=hJW(RAND, SYSID)) (where we suppose SYSID=sysIDIW(JW) and RAND=RandW for the account), and obtains PASS (PASSIW(JW) εPassSYSIDPart,aIDW). Let PassW be the obtained PASS. After that, the UM (APP) sends SYSIDPart and {tReqPwW, PassW}1≦W≦N to some C(JW) (here, let it be C(J1)).


(Step 1802) C(J1) judges whether PassW is valid or not.


(Step 1803) In the case where the judgements at Step 1802 is positive, C(J1) refers to aList(J1), and obtains MID (mIDi(J1)) for each account which has the same AID with aIDJ1 included in Pass1, and for which SYSID (sysIDi(J1)) is an element in SYSIDPart. In the case where the judgements at Step 1802 is negative, the C(J1) sets the value sti(J1) of the state to be “false” for each of all sysIDi(J1) εSYSIDGroup(J1)SYSIDPart,aIDJ1. C(J1) manages sti(J1) for every Si(J1). sti(J1) means whether the registration of tpw is successful (true) or not (false).


(Step 1804) The C(J1) issues tpw, and, sends the tpw and the mIDi(J1) to each Si(J1) identified in the case where the judgement at Step 1802 is positive.


(Step 1805) The Si(J1) that receives the tpw and the mIDi(J1), identifies the account to which mIDi(J1) is registered from uListi(J1), determines tpwInfoi(J1), and generates mesi(J1) including the tpwInfoi(J1). The Si(J1) registers, to the identified account, the received the tpw as TPW, and registers the determined tpwInfoi(J1) as TPWINFO. Also, the Si(J1) sets the value of sti(J1) to be “true”. Here, in case, for example, that there does not exist any concerned the U in Si(J1), the value of sti(J1) is set to be “false”.


(Step 1806) Each Si(J1) (εSYSIDPart) obtains SUKEY (suKeyi(J1)) registered for the concerned account, and sends the value sti(J1) of the state and eMesi(J1)=EncSUKEY (mesi(J1)), to the C(J1) (SUKEY=suKeyi(J1)). At this stage, the C(J1) turns out to have received the values of stx(x) and eMesx(x) from all Si(J1) (εSYSIDPart) registered in C(J1). After that, the C(J1) executes the following for 2≦W≦N. Here, we suppose that JW≠J1 for each W (≠1). In the cast where there exists a W with JW=J1, C(J1) itself has only to do the process from Step 1802 to Step 1806 using the identical tpw without newly issuing a tpw.


(Step 1807) The C(J1) sends SYSIDGroup(JW)SYSIDPart,aIDJW, tReqPwW and PassW, to C(JW).


(Step 1808) C(JW) judges whether PassW is valid or not. In the case where this judgement is positive, the C(JW) identifies the account in aList(JW) using aIDW included in PassW, obtains MID ({mIDi(JW)}B) (B=SYSIDεSYSIDGroup(JW)SYSIDPart,aIDJW), and temporarily sets the value of sti(JW) to be “true”. In the case where PassW is invalid, for all service systems (in the case where MID cannot be obtained with some reason, for service systems for which MID cannot be obtained), the C(JW) sets the value of sti(JW) to be “false”.


(Step 1809) The C(JW) generates an access token (tokeni(JW)) for each Si(JW) εSYSIDGroup(JW)aIDW such that sti(JW)=true. C(JW) sends tokeni(JW), sti(JW) and mIDi(JW) to the C(J1) (tokeni(JW) may include sti(JW) and mIDi(JW)). At this stage, C(J1) has received {sti(JW), mIDi(JW), tokeni(JW)}B from each of C(J2), . . . , C(JN) (B=SYSIDεSYSIDGroup(JW)SYSIDPart,aIDJW).


(Step 1810) The C(J1) sends mIDi(JW), tpw and tokeni(JW) only to Si(JW) such that sti(JW)=true.


(Step 1811) Each Si(JW) receiving mIDi(JW), tpw and tokeni(JW), judges whether tokeni(JW) is valid or not. In the case where this judgement is positive, Si(JW) identifies the account for which mIDi(JW) is registered, determines tpwInfoi(JW) and generates mesi(JW) including the tpwInfoi(JW). Si(JW) registers, to the identified account, the received tpw as TPW, and registers the determined twpInfoi(JW) as TPWINFO. Si(JW) generates eMesi(JW)=EncSUKEY(mesi(JW)) (SUKEY=suKeyi(JW)). Si(JW) sets the value of sti(JW) to be “true”. Si(JW) returns sti(JW) and eMesi(JW) to C(J1). Here, in case, for example, that tokeni(JW) is invalid, Si(JW) may set the value of sti(JW) to be “false”, and may return the sti(JW) to the C(J1).


(Step 1812) The C(J1) receives, from Si(JW), the response including sti(JW) and eMesi(JW).


(Step 1813) The C(J1), in case of receiving the response including sti(JW) and eMesi(JW) from each Si(JW) εSYSIDGroup(JW)aIDw (2≦w≦N), returns the tpw issued at Step 1804 and all (sti(JW), eMesi(JW)) to the UM (APP).


According as the UM (APP) decrypts each eMesi(JW), the U can obtain tpw which is available for all Si(JW) ⊂SYSIDPart and tpwInfoi(JW) sent by each Si(JW) ⊂SYSIDPart (information including the expiration date etc.).


We show, in FIG. 19, a concrete example of the flow for tpw issuance shown in FIG. 18. That is, in the case where the U is registered to C(1), C(2), S1(1) and S2(2), and that the U sends a request of issuance for tpw (a common 1-day password) for S1(1) and the S2(2) (SYSIDPart={S1(1), S2(2)}), the exchange among the UM (APP), the C(1), the C(2), the S1(1) and the S2(2) follows as FIG. 19 (The same step numbers with the step numbers mentioned in FIG. 18 are used). In FIG. 19, the C(J1) is supposed to be the C(1), and C(JW) is supposed to be the C(2).


Embodiment 4

In the following, we describe Embodiment 4. Then, we mainly describe the difference from Embodiments 1 to 3, and omit or simplify the description for similarities with Embodiments 1 to 3.


In Embodiment 4, concerned with an issuance of a common password (tpw) for plural Si(JW) registered in plural C(JW), the C(J1) entrusts other C(JW) with the registration process for Si(JW) registered in the C(JW).



FIG. 20 shows an example of the flow for tpw issuance at Embodiment 4. We describe mainly the difference from FIG. 19. Then, C(J1) is set to be C(1), and C(JW) is set to be C(2).


The same process with Steps 1801 to 1806 (Steps 2001 to 2006). The C(1) sends tpw besides sysID2(2), tReqPw(2) and Pass2(2), to the C(2) (Step 2007), and the C(2) receives tpw, sysID2(2), tReqPw(2) and Pass2(2) from the C(1), and judges whether Pass2(2) is valid or not (Step 2008). In the case where the judgement is positive, the C(2) sends tpw and mID2(2) to the S2(2) (Step 2009). The S2(2) registers the tpw and the tpwInfo2(2) to uList2(2) (Step 2010), and returns st2(2) and eMes2(2) to C(2) (Step 2011). The C(2) sends the st2(2) and the eMes2(2) to C(1) (Step 2012). Namely, st2(2) and eMes2(2) are sent from S2(2) to C(1) via C(2). After that, the C(1) returns tpw, (st1(1), eMes1(1)) and (st2(2), eMes2(2)) respectively received from S1(1) and S2(2), to the UM (APP) (Step 2013).


Since Si(JW) (JW≠J1) is not service systems registered to C(J1), the C(J1) cannot primarily register tpw to Si(JW). Then, in Embodiment 3 described above, C(JW) issues an access token (tokeni(JW)) for enabling tpw registration to Si(JW) registered in its own sList(JW), and sends it together with mIDi(JW) to C(J1). According as a secret key cKeyi(JW) is shared by C(JW) and each Si(JW), mIDi(JW) can be, in encrypted style, sent to C(J1). The tokeni(JW) may be a one-time signature, but its expiration date for tokeni(JW), restriction on authority etc. may be related to tokeni(JW), in which case C(J1) can use, even after the next time, the sysIDi(JW), mIDi(JW) and tokeni(JW) received first. Therefore, the communication between C(J1) and C(JW), and, the communication between C(JW) and Sx(JW), can be abbreviated.


Embodiment 5

In the following, we describe Embodiment 5. Then, we describe mainly the difference from Embodiments 1 to 4, and omit or simplify the description for similarities with Embodiments 1 to 4.


Whereas in Embodiments 3 and 4, a method based on so-called ID cooperation is adopted (mID shall be cooperated among control center machines), in Embodiment 5, a method base on single sign-on such as SAML (Security Assertion Markup Language) is adopted. S2(2) (Si(JW)) has the function as Policy enforcement point 2100.



FIG. 21 shows an example of the flow for tpw issuance at Embodiment 5. We mainly describe the difference from FIG. 19.


The same processes with Steps 1801 up to 1806 are performed (Step 2101 up to Step 2106). C(1) sends sysID2(2), tReqPw(2) and Pass2(2) to C(2) (Step 2107). The C(2) receives sysID2(2), tReqPw(2) and Pass2(2) from C(1), and judges whether Pass2(2) is valid or not (Step 2108).


In the case where the judgement at Step 2108 is positive, the C(2) sends an assertion (data including mID2(2)) such as authentication state, attributes (mID2(2) etc.) and authority (for such as password registration) to S2(2) (Step 2109). In other words, the C(2) (C(JW)) does not have to notify mID2(2) (mIDi(JW)) registered in uList2(2) (uListi(JW)), to C(1) (C(J1)).


The S2(2) judges whether the assertion is valid with Policy enforcement point 2100 (Step 2110). The S2(2), in the case where the judgement is positive, may notify the judgement (OK) to the C(1), and may keep the judgement without notifying to the C(1).


The C(1) notifies tpw to the S2(2) (Step 2111). For example, the C(1), knowing the information necessary for communication with the S2(2) corresponding to sysID2(2), may send the notification to the S2(2) using that information, and the C(2), at the timing such as when it sends the assertion to the S2(2), may notify the information necessary for communication with the S2(2) to the C(1). Also, the tpw notification from the C(1) to the S2(2) may be performed responding the judgement above from the S2(2), and may be performed, for example, periodically, without the judgement above from the S2(2). The S2(2), in case of receiving tpw from the C(1), determines tpwInfo2(2), and registers tpw and tpwInfo2(2) to uList2(2) (step 2112). This registration is performed in the case where that the judgement at Step 2110 is positive.


After that, the S2(2) returns st2(2) and eMes2(2) to the C(1) (Step 2113) The C(1) returns tpw, (st1(1), eMes1(1)) and (st2(2), eMes2(2)) received from the S1(1) and the S2(2) respectively, to the UM (APP) (Step 2113).


Embodiment 6

In the following, we describe Embodiment 6. Then, we mainly describe the difference from Embodiments 1 to 5, and omit or simplify the description for similarities with Embodiments 1 to 5.


In Embodiments 1 to 5, tpw issuance is performed. In Embodiment 6, instead of or besides tpw issuance, another controls for tpw such as tpw alternation and tpw deletion, is performed. Specifically, for example, a request of tpw issuance is an example of requests of tpw control. An example of tpw control is tpw issuance, and an example of control center machine (identification code control apparatus or identification code control system) is a control center machine. The information elements that are related to the request of tpw control, may be the same with the information elements that are related to the request of tpw issuance. APP is used also for tpw control other than tpw issuance besides tpw issuance. In the following, as another example of requests of tpw control, taking tpw deletion as an example, we describe tpw control. Here, “tpw deletion” means “to nullify tpw so that anyone including U disable to log in until the next request of tpw issuance is performed”.



FIG. 22 shows an example of the flow for tpw deletion at Embodiment 6.


(Step 2201) The UM (APP) performs a similar process with Step 1401 in FIG. 14. However, in this embodiment, a request of tpw deletion instead of a request of tpw issuance is sent.


(Step 2202) The C(1) receives a request of tpw deletion from the UM (APP), responds the request, and judges whether Passi(1) related to the request is valid or not.


(Step 2203) The C(1), in the case where the judgement at Step 2202 is positive, refers to the aList(1), and identifies all the account that has AID coinciding with the aID(1) in the Passi(1) judged to be valid and that has SYSID coinciding with some sysIDi(1) in SYSIDPart related to the request of tpw deletion. The C(1) obtains the respective MID (mIDi(1)) for all the identified accounts.


(Step 2204) C(1) performs the following for each sysIDi(1) (εSYSIDPart). In the description for Steps 2204 to 2207, one sysIDi(1) is taken as an example. The C(1) sends a request of tpw deletion associated with mIDi(1) corresponding to the Si(1), to Si(1) corresponding to Si(1).


(Step 2205) The Si(1) receives the request of tpw deletion associated with the mIDi(1) from the C(1). The Si(1) identifies the account for which MID coinciding with the mIDi(1) related to the received request is registered. The Si(1) deletes the information elements of tpw and tpwInfo for the identified account.


(Step 2206) The Si(1) sends the response for the completion of deletion.


(Step 2207) The C(1), in the case where it receives the responses from all the Si(1) corresponding to sysIDi(1) (εSYSIDPart), sends the response for the request of tpw deletion, to the UM (APP). The UM (APP) receives the response from the C(1).


According to Embodiment 6, it is possible to control on tpw for all the Si(1) corresponding to all the accounts with the same aID(1) with the aID(1) corresponding to the chosen Passi(1). For example, tpw deletion seems to be effective in the case where, instead of tpw, a password with no restriction for the expiration date or the frequency of possible use is registered as the common password (Namely, whereas in the embodiment, the adopted password is a common 1-day password, not only such a password but also a password with no restriction for the expiration date or the frequency of possible use may be adopted).


Embodiment 7

In the following, we describe Embodiment 7. Then, we describe mainly the difference from Embodiments 1 to 6, and omit or simplify the description for similarities with Embodiments 1 to 6.


In Embodiment 7, at least one Si(j) sends Infoi(j) to a certain control center machine. The “certain control center machine” is, for example, the control center machine that the Si(j) is registered to, the control center machine that is the sender of the prescribed information elements (such as tpw or mIDi(j)), or that control center machine the receives the request of tpw control from UM (APP). “Infoi(j)” is the data output from the issuer Si(j) of Infoi(j), and is data including data which may be published to service systems except for Si(j) (The data include in Infoi(j) has only to be data that is permitted to be so public by U). Infoi(j) may be include, for example, in the response from Si(j) (the response at Step 1203 in FIG. 12, the response at Step 1303 in FIG. 13, etc.) at Pre-registration, and in the response from Si(j) in a control such as tpw issuance (the response at Step 1406 in FIG. 14, the response at Step 1812 in FIG. 18, the response at at least one of Step 2011 and Step 2012 in FIG. 20, Step 2113 in FIG. 21, etc.). Then, as shown in FIG. 23, The issued Infoi(j) is registered to uListi(j) in Si(j) that has issued Infoi(j) (INFO). Also, Infoi(j) assemble to a certain control center machine, and Infoi(j) shall be registered in aList(j) in the control center machine. Infoi(j) may include data on the permitted publishing destination service system (such as sysIDi(j) and the name of the company offering the service system) and the publishing period, etc.


Si(j), receiving an application from the U, in the case where a certain type of information is necessary for the process for the application, may send a query on the certain type of information (for example, a query associated with mIDi(j) corresponding to the applicant U), to the certain control center machine (or, C(j) that Si(j) receiving the application is registered in) (The query may be transfer from C(j) receiving the query from Si(j) to the certain control center machine above). The control center machine receiving the query, as the response for the application, may send the information that is data in Infoi(j) corresponding to mIDi(j), and is permitted to be so published (for example, a resume, a resident card, etc.), to the query origin Si(j).


Embodiment 8

In the following, we describe Embodiment 8. Then, we describe mainly the difference from Embodiments 1 to 7, and omit or simplify the description for similarities with Embodiments 1 to 7. Here, Embodiment 8 may be an example of variants or a specific example for Embodiment 7.


Each service system to which the U is registered manages U's personal information (for example, a certificates of graduation, a certificates of qualification, a resume, a medical record, the personal identity number (and its accompanying data), etc.). The progress for convenience can be expected as the U's personal information comes to be cooperated among service systems at least while the U permits. Also, whereas the cooperated information may be other types of information on the U instead of or besides the U's personal information, at least according to the types of information being the target of cooperation, at least a part of the information being the cooperation target must not be shown to the unidentified (for example, anyone except for the U and entities permitted to which the U permits (such as the cooperation origin and the cooperation destinations)).


In Embodiment 8, information can be cooperated among service systems without being shown to the unidentified.


Also, in Embodiment 8, in the registration flow, the U can know the information being registered to Si(j).


Also, Embodiment 8, existing specification on transfer of authorization data such as OAuth can be applied.


In the following, we describe an example of each of the flow for registration and the flow for information cooperation (Information Sharing) at Embodiment 8.



FIG. 31 shows an example of the flow for registration at Embodiment 8. Here, for simplicity of description, we suppose that only the C(1) exists as C(j) (FIG. 31 shows only S1(1) among plural Si(1)).


At the time of finishing the registration flow, the information elements below are stored in the UM. The information elements below are registered in pList. Also, at least one of the information elements below may be stored after being encrypted using data including the UM specific data as the key.

    • Passi(1): request data for the approval for request to send to C(1) (a request pass);
    • suKeyi(1): shared key necessary for communication with Si(1).


At the time of finishing the registration flow, the information elements below are stored in Si(1). The information elements below are registered in uListi(1). At least one of the information elements below may be stored after being encrypted.

    • uIDi(1): user ID for use of Si(1) and data shared by U and Si(1);
    • authInfoi(1): authentication data for U (for example, a password except for TempPw (such as a fixed password));
    • verAuthInfoi(1): data to verify authInfoi(1);
    • mIDi(1): ID for management in Si(1) and data shared by C(1) and Si(1) (distinct for each U). Here, at information sharing, mIDi(1) for the sharing origin or the sharing destination is stored;
    • suKeyi(1): shared key necessary for communication with UM;
    • verRegToken: data to verify a checking token for registration completed (regToken);
    • TempPw: temporary password (such as tpw);
    • TempPwInfo: information on restriction for TempPw, including at least one of the expiration date (period), the frequency of use (TempPwTimes) and the frequency of possible use (TempPwTimesMax);
    • sID: sharing ID. It is an ID used at information sharing, and is an ID for uniquely identifying the sharing;
    • AttListi(1): list of attribution data (att) (the details are described later).


At the time of finishing the registration flow, the information elements below are registered in the C(1). The information elements below are registered in at least aList(1) among aList(1), sList(1) and cList(1). At least one of the information elements below may be stored after being encrypted.

    • mIDi(1): ID for management in Si(1) and data shared by C(1) and Si(1) (distinct for each U). Here, at information sharing, mIDi(1) for the sharing origin and mIDi(1) for the sharing destination are stored;
    • verTicket: data necessary to verify a registration ticket (ticket) for an account in aList(1);
    • aID(1): ID for APP. As described above, plural distinct aID(1) may exist for one C(j) and one APP;
    • tReqPw: password for requests;
    • verPassi(1): data necessary to verify Passi(1) (device authentication for UM);
    • sID: sharing ID;
    • sysIDi(1): ID for the service system Si(1);
    • att: attribution data (such as the name, the mail address, etc.) Offerable att and acceptable att are stored as att. Data including one or more values of att (the values following att) is a sharing target data (Info);
    • eInfo: sharing target data (Info) after being encrypted;
    • AccessToken: access token at OAuth, that is, a token used for communication between C(1) and Si(1).


The registration flow, as shown in FIG. 31, is following.


The registration flow consists of First registration procedure that is a procedure between the U and the Si(1) and the Second registration procedure that is a procedure between the U and the C(1). The First registration procedure is constructed with the following (R1) up to (R6), and Second registration procedure is constructed with the following (R7) to (R10).


(R1) The UM (such as APP) sends user data along the policy of the Si(1), and determines uIDi(1) and authInfoi(1) for logging in to the Si(1).


(R2) The Si(1) converts the user data received at (R1), and stores it.


(R3) The Si(1) sends a request of account addition associated with sysIDi(1) and a registration password (rpw), to the C(1). Here, the rpw may be a data that the U itself determines and that is notified to the Si(1) by the UM (or the UP), and may be a data that determined by the Si(1). The C(1) receives the request of account addition associated with sysIDi(1) and rpw.


(R4) The C(1), responding to the request of account addition, performs the following process. Namely, the C(1) makes one account (for example, adds an account in the aList(1)), and assigns (registers) the mIDi(1) to the account. Furthermore, the C(1) generates a registration ticket (ticket) for the account. After that, the C(1) registers the assigned mIDi(1), the received sysIDi(1) and verTicket (data necessary for verifying the validity of the registration ticket) to its own database (such as the aList(1)). In the ticket, data for identifying the corresponding account is included. C(1) sends the assigned mIDi(1) and the generated ticket, to the Si(1). The Si(1) receives the mIDi(1) and the ticket.


(R5) The Si(1) adds one account (adds one account in the uListi(1)), determines a key suKeyi(1) necessary for communication with UM, and registers uIDi(1), mIDi(1) and suKeyi(1) to the account. Furthermore, the Si(1) generates a checking token for registration completed (regToken), and registers the data necessary to verify it (verRegToken) to the concerned account.


(R6) The Si(1) sends the ticket, the suKeyi(1) and the regToken to the UM. The UM receives the ticket, the suKeyi(1) and the regToken. Here, in the case where the U itself determines rpw, the Si(1) sends also the rpw to the UM. Also, it is not compulsory to determine and send regToken.


(R7) The UM sends a registration request associated with the ticket, the suKeyi(1), the rpw, the regToken and the reqPw, to the C(1). The C(1) receives the registration request associated with the ticket, the suKeyi(1), the rpw, the regToken and the reqPw. The ticket, the suKeyi(1), the rpw and the regToken may be data received from the Si(1), and may be data input by the U. The reqPw may be data determined by the U or the APP.


(R8) The C(1), in response to the registration request, performs the successive process. Namely, the C(1), using verTicket (and rpw), verifies the validity of ticket. In the case where the ticket is valid, the C(1) identifies the account with ticket, generates aID(1) and Passi(1), and registers them. Also, the C(1) registers, to the identified account, the aID(1) and the data necessary for verifying Passi(1) and reqPw related to the registration request (verTReqPw (data necessary for verifying tReqPw) and verPassi(1) (data necessary for verifying Passi(1))). In the Passi(1), data for identifying an account in the C(1) (such as aID(1)), and data for U's identifying a registration destination Si(1) (such as sysIDi(1)) are included. Here, at (R8), we may make the U perform OAuth authentication, and may register AccessToken based on the authentication result after being encrypted, to the account.


(R9) The C(1) sends the mIDi(1) and the regToken to the Si(1). The Si(1) receives the mIDi(1) and the regToken, and verifies the regToken using verRegToken for the account that the received mIDi(1) is registered to. In the case where the regToken is valid, the Si(1) recognizes that the account gets enable to use authentication among three entities.


(R10) The C(1) sends the Passi(1) to the UM. The UM receives the Passi(1) and stores the Passi(1) and the suKeyi(1).


The aforementioned is the description for the registration flow at Embodiment 8. Here, in Embodiment 8, for the registration flow, any registration flow at other embodiments may be adopted instead of the registration flow described referring to FIG. 31. Or, the registration flow at Embodiment 8 may be adopted at any other embodiments. Also, whereas OAuth may be adopted at any other embodiments instead of or besides Embodiment 8, at least, OAuth is not mandatory for the present invention.



FIG. 25 shows an example of the flow for authentication and sharing at Embodiment 8. Here, in the following description, we suppose that, as Si(j), there are plural Si(1) including S1(1) and S2(1). Also, in the following description, we suppose that in use of Si(1) (Service A), data which S1(1) desires is the same with the data kept in S2(1) (Service B), and hence U wants to offer the data kept in S2(1) to S1(1). Thus, S2(1) is the sharing origin service system, and S1(1) is the sharing destination service system. Also, in the following description, processes with “(Authentication)” at the beginning are processes executed only in case of issuance of TempPw such as tpw. Processes with “(Sharing)” at the beginning are processes executed only in case of information sharing. Processes with neither “(Authentication)” nor “(Sharing)” are processes executed in any case of TempPw issuance and information sharing.


(P1)


The UM (APP) receives the choice of op from the U. “op” is the type of operation for the target of the request, and specifically, for example, authentication, information sharing, or both of them. In the case where “authentication” is chosen, hereafter, the processes with “(Authentication)” at the beginning is supposed to be performed. In the case where “information sharing” is chosen, hereafter, the processes with “(Sharing)” at the beginning is supposed to be performed. In the case where “both of them” is chosen, hereafter, the processes with “(Authentication)” and the processes with “(Sharing)” at the beginning, is supposed to be performed. Here, for the overlap between the processes with “(Authentication)” at the beginning and the processes with “(Sharing)” at the beginning, once it has been performed at the one process, it may not be performed at the other process. UM (APP) displays the list of sysIDi(1) identified with all Passi(1) stored in UM.


(Authentication): The UM (APP) receives the choice of aID(1)A (or sysID1(1)) from the displayed list. aID(1)A is aID(1) for the account that sysID1(1) for S1(1) (Service A) that U makes be the login destination is registered to.


(Sharing): The UM (APP) receives the choices of aID(1)A (or sysID1(1)) and aID(1)B (or sysID2(1)). The aID(1)A is aID(1) for the account that sysID1(1) of the information sharing destination the S1(1) is registered in. The aID(1)B is aID(1) for the account that sysID2(1) of the information sharing origin S2(1) is registered in.


The UM (APP) sends a request associated with the chosen op, Pass for the chosen accounts (at least Pass1(1) out of Pass1(1) and Pass2(1)) and tReqPw, to C(1). The tReqPw is reqPw input by the U at (P1), or is a data based it on. The C(1) receives the request associated with op, Pass and tReqPw.


(P2)


The C(1), in response to the received request, performs the successive process. Namely, the C(1) verifies the validities of tReqPw and Pass using verPass and verTReqPw for the account that the received Pass and tReqPw are registered to (hereafter, the target account). In the case where those are valid, the C(1) finds mID1(1) (and mID2(1)) corresponding to aID(1)A (and aID(1)B) identified with Pass, in the account(s) (such as aList(1)).


(Sharing): The C(1), for the S1(1) corresponding to aID(1)A (mID1(1), inquires the list (AttList1(1)) of the acceptable attribution data (att), and for the S2(1) corresponding to aID(1)B (mID2(1)), inquires the list (AttList2(1)) of the offerable attribution data. “AttListi(1)” is a list of attribution data (att), including at least one out of acceptable att and offerable att. The AttListi(1) includes both of acceptable att and offerable att, and may be narrowed down to one of acceptable att and offerable att, in being offered in responding the inquiry from the C(1). The AttListi(1) may be a list pre-registered from the Si(1), and in that case, the inquiry procedure may be omitted. The Si(1), as described above, stores offerable att and acceptable att in advance.


(P3)


(Sharing): The C(1) sends the intersection (att) of AttList1(1) and AttList2(1) to the UM, and the UM displays the intersection (att). UM, from the U, receives the choice of the attribution data att to be shared, and sends the chosen att to the C(1). The C(1) receives the chosen att.


(P4)


(Authentication): The C(1) generates tpw for the target account. Here, we suppose that the tpw is generated, but TempPw of the type other than tpw may be generated.


(Sharing): The C(1) generates a unique sID for the information sharing executed in the flow for this authentication/sharing.


(P5)


(Sharing): The C(1) sends a request (a data offer request) associated with sID and mID2(1) generated at (P4), att received at (P3), and sysID1(1) for the sharing destination S1(1), to the sharing origin S2(1). At that time, the C(1) may send also AccessToken for OAuth, to the sharing destination S2(1). In the AccessToken for OAuth, attribution data (att) that may be sent to the S1(1) without authInfo1(1) may be described. The sharing origin S2(1) receives the request associated with sID, mID2(1), att and sysID1(1) (and AccessToken).


(P6)


(Sharing): The sharing origin S2(1), responding to the request, performs the successive process. Namely, the sharing origin S2(1) encrypts the sharing target data Info including the value if att corresponding to mID2(1) (the value following att) with a key with which the sharing destination S1(1) can decrypt. Here, we denote the Info by “InfoB”, according to the meaning that it is data shared from Service B (the S2(1)), and denote the encrypted InfoB by “eInfoBA” according to the meaning that it is data to be shared to Service A (S1(1)). The sharing origin S2(1) encrypts InfoB with suKey2(1). We denote the encrypted InfoB by “eInfoUB” according to the meaning that it is encrypted with the key shared with the U. The S2(1) sends sID, eInfoBA and eInfoUB to the C(1). The C(1) receives sID, eInfoBA and eInfoUB. The C(1) may store the received sID, eInfoBA and eInfoUB to the storage unit 511.


(P7)


(Authentication): The C(1) sends a request associated with mID1(1) and tpw, to the S1(1). The S1(1) receives the request associated with the mID1(1) and the tpw.


(Sharing): The C(1) sends a request associated with the mID1(1) and sID, to the sharing destination S1(1). At that time, the S1(1) may send AccessToken for OAuth to the S1(1), too. The sharing destination S1(1) receives the request associated with the mID1(1) and sID (and AccessToken).


(P8)


(Authentication): The S1(1) registers, to the account corresponding to the mID1(1), the tpw and the tpwInfo for the tpw (such as period, tpwTimesMax), encrypts data including tpw and tpwInfo with suKey1(1), and returns the encrypted data eTpwInfo to the C(1).


(Sharing) The S1(1) registers the sID and the mID1(1) to the corresponding account in a database (such as the uList1(1)).


(P9)


(Authentication): The C(1) sends eTpwInfo (including the encrypted tpw) to the UM.


(Sharing): The C(1) sends eInfoUB to the UM.


(P10)


The UM encrypts the data received at (P9) (at least one out of eTpwInfo and eInfoUB) with suKey2(1), and displays the decrypted data.


(Sharing): The displayed data is the sharing target data. The UM (APP) may receive the reply whether the sharing for the sharing target data should be approved (OK) or cancelled (NG), and may notify the received reply to the C(1). The U has only to reply “NG” in the case where there is an error in at least a part of the sharing target data, or that the U gets urged not to share, etc. In the case where the reply means “NG” (cancelled), the C(1) is supposed to cancel the sharing, namely, disable the sharing target data to be obtained by the sharing destination S1(1). Specifically, for example, the C(1), in case of receiving the reply “NG”, deletes eInfoUB (and eInfoBA, sID) from the storage unit 511. Or, the C(1) excludes the sharing destination S1(1) from the access permission for the sharing target data.


(P11)


The UP accesses to the S1(1), for example to login, inputs uID1(1) and authInfo1(1) to the S1(1).


(Authentication): the UP, in addition, inputs tpw to the S1(1).


(P12)


In the case where the input data (uID1(1) and authInfo1(1)) is correct, the S1(1) permits the UP to log in.


(P13)


(Sharing): The S1(1) sends the sID for the sharing process addressed to the mID1(1) registered to the S1(1), to the C(1). The C(1) sends eInfo (such as eInfoBA) associated with the sID, to the S1(1). The S1(1) receives and decrypts the eInfo (such as eInfoBA) (thus, InfoB is obtained).


According to the information sharing flow described above, information sharing becomes executable by the request (permit) from the U. Also, any of the sharing target data, the sharing origin and the sharing destination can be designated by the U. Therefore, the sharing target data, the sharing origin and the sharing destination can be restricted in scope the U permits.


Also, according to the information sharing flow described above, the sharing target data is, in encrypted state, stored in the storage unit 511 managed by an entity except for the sharing origin or the sharing destination, and the data is decrypted by the sharing destination S2(1). Hence, it is possible to prevent the unidentified from inspecting the sharing target data.


Here, in the information sharing flow described above, the C(1) may store, besides eInfoBA, a certificate guaranteeing that the eInfoBA is a data coming from Service B (the S2(1)), in the storage unit 511. Instead of or besides it, the C(1) may send, besides eInfoBA, a certificate guaranteeing that the eInfoBA is a data coming from Service B (the S2(1)), to the S1(1).


Also, at least a part of the shared data may be a link such an access key (like URL) for Service system being the sharing origin, instead of or besides the data displayed to the user terminal (at least one out of the UP and the UM). Also, the link may be at least a part of the displayed data.


Also, the sharing origin and the sharing destination, not limited to be of 1:1 such as the example above, may be of 1:N (N is an integer greater than or equal to 2), and may be of M:1 (M is an integer greater than or equal to 2).


Also, eInfo is sent from the S2(1) to the S1(1) via the C(1) (the storage unit 511), but besides, any one out of the following (a) to (c) may be adopted:


(a) the C(1) requests the S2(1) to send InfoB to Service A (the S1(1)). The S2(1), in response to the request, sends eInfo (or InfoB (non-encrypted sharing target data)) to the S1(1);


(b) the C(1) requests the S2(1) to obtain Info from Service B (the S2(1)). The S1(1), is response to the request, obtains eInfoBA (or InfoB) from S2(1);


(c) S2(1) sends the link representing the address at which eInfoBA (or InfoB) exists (a storage apparatus inside or outside of the S2(1)), to the C(1). The C(1), in accordance with the link, obtains eInfoBA (or InfoB), and sends the eInfoBA (or InfoB) to the S1(1), or, the C(1) sends the link to the S1(1), and the S1(1), in accordance with the link, obtains eInfoBA (or InfoB).


Information sharing at Embodiment 8 can be expected to be applied to various cases such as submitting U's certificate (for example, a certificates of graduation, a certificates of qualification, a certificate of tax payment, a property register book, etc.) from the university or the organization managing the certificate to a company etc., delivering medical records among hospitals, delivering personal identity numbers (and their accompanying data) among companies, etc.


According to Embodiment 8, it can be expected that U can rely on the information sharing. Because, Si(1) can be expected to be registered to C(1) in case of being recognized in view of the credibility etc.


At at least one out of Embodiments 7 and 8, at least one of the following (01) up to (05) may be adopted.


(01) At least a part of sharing target data may be non-encrypted. Whether to be encrypted at least a part of sharing target data, may be determined by the user (for example, at Step 2501, the user may determine whether to encrypt or not, for each sharing target data), and whether to be encrypted by the sharing origin service system may be controlled according to the importance or the classification of the sharing target data.


(02) EK1(1) (encryption key) for the sharing target data may be the public key of the S1(1), and DK1(1) (decryption key) of the sharing target data may be the secret key of the S1(1). Also, the encryption key/decryption key may a key of other type such as a shared key etc. instead of the public key/secret key. Also, the key may be delivered between the S1(1) and the S2(1) via the user terminal (Specifically, for example, it may be sent from the S2(1) to the C(1), sent from the C(1) to the UM (displayed to the screen of the UM by UM), input to the UP, and sent from the UP to the S1(1)), may be delivered between the S1(1) and the S2(1) without via the user terminal (Specifically, for example, it may be sent from the S2(1) to the S1(1) via (or without via) the C(1)), and may be shared between the S1(1) and the S2(1) in advance.


(03) For example, in the case where at least a part of the sharing target data is non-encrypted, the C(1) may check whether the sharing target data is innocuous or not (for example, whether it may be displayed or not), that is, the presence of malware (such as virus or remote manipulate program, etc.)


(04) In Embodiment 8, a request of tpw issuance can combine a request of information sharing (a request for sharing data among service systems), but the request of information sharing may become independent of the request of tpw issuance. Namely, UM, at another timing than issuing a request of rpw issuance, may send a request of information sharing (such as a request of sharing data from Service A (the S1(1)) to Service B (the S2(1))). In that case, as the response to the request of information sharing, the information sharing above may be performed.


(05) In Embodiment 8, both the sharing origin and the sharing destination are chosen by the U, but at least one out of the sharing origin and the sharing destination may be all of the systems the U can use (all service system that the C(1) can identify for the U in the aList(1)).


In the following, we summarize Embodiments 1 to 8. Here in the description of the summaries, we can appropriately add new descriptions of modified examples etc. for at least one among Embodiments 1 to 8.


According to Embodiments 1 to 8, Si(j), in case of receiving mIDi(j) and tpw from C(j), becomes of a state possible to receive a request for service (such as a log in request) from the U, and in the case where the expiration date of tpw has passed, becomes of a state impossible to receive a request for service (such as a log in request) from the U. The former state is a state in which the authentication shutter is open, and the latter state is a state the authentication shutter is closed. “An authentication shutter” is a logical shutter to control acceptance of authentication requests. If the authentication shutter is open, then Si(j), in case of receiving an authentication request with uIDi(j) and tpw, performs the judgement (authentication) of whether the uIDi(j) and the tpw are correct or not. On the other hand, if the authentication shutter is closed, then without doing judgement of whether the uIDi(j) and the tpw are correct or not, Si(j) rejects the authentication request. Being bygone for the expiration date of tpw means that the state of the authentication shutter turns from open to closed, but the change from open to closed of the authentication shutter may be performed responding to the request from the U.



FIG. 26 shows an example of the abstract of the identification code management.


In FIG. 26, “TempPw” has the meaning of temporary passwords as described above, is of the concept including general otp (one-time password), not limited to tpw. According to FIG. 26, we can see the relationship between TempPw and the control system.


In the case where TempPw is needed, the type of TempPw shall vary according to whether the period for possible use (the period until the expiration data) is short (for example, for a few minutes) or long (for example, longer than the period for the “short”), and according to whether the frequency of possible use is fixed or unlimited. Specifically, for example, in the case where the period for possible use is “short” and that the frequency of possible use is “fixed”, the TempPw used may be a general otp (such as an otp for which the frequency of possible use is limited to once). In the case where the period for possible use is “long” and that the frequency of possible use is “unlimited”, the TempPw used is acceptable to be tpw described above.


TempPw is not always necessary. There is a case in which TempPw is not necessary. In that case, it does only with the control using the authentication shutter described above. Combination of an authentication shutter and TempPw is also possible.


In the following, we describe the control of the authentication shutter for which TempPw (such as tpw) is not used. Here, in the following, for readability of description, we suppose that only C(1) is provided as C(j), and that plural Si(1) including the S1(1) and the S2(1) are provided as Si(j).


As shown in Reference code 2700-1 in FIG. 27, Si(1) has plural functions of Shutter management server 2701-i that controls the switch of the authentication shutter, Service server 2702-i that provides service in the case where the authentication is successful, and Authentication server 2703-i that performs authentication. Namely, S1(1) has Shutter management server 2701-1, Service server 2702-1 and Authentication server 2703-1, and S2(1) has Shutter management server 2701-2, Service server 2702-2 and Authentication server 2703-2.


Out of Shutter management server 2701-i, Service server 2702-i and Authentication server 2703-i, any of Shutter management server 2701-i and Authentication server 2703-i can be shared by plural S1(1).


Specifically, for example, as shown in Reference code 2700-2 in FIG. 27, Authentication server 2703 may exist outside the S1(1) and the S2(1), and Authentication server 2703 may be shared by the S1(1) and the S2(1). Furthermore, as shown in Reference code 2700-3 in FIG. 27, Shutter management server 2701 also may exist outside the S1(1) and the S2(1), and Shutter management server 2701 may be shared by the S1(1) and the S2(1).


In the following, taking the construction shown by Reference code 2700-1 as the example, we describe the control of the authentication shutter. Here, in the following description, we take, as the example, the S1(1) out of the S1(1) and the S2(1).


In the control of the authentication shutter, Registration procedure #1, Registration procedure #2, Authentication shutter operation procedure and Login procedure are performed.


In Registration procedure #1, the flow shown in Reference code 2800-1 in FIG. 28 is performed.


Namely, UP sends a request (Req_S) to Service server 2702-1 (Step 2801). The service server 2702-1, responding to the request, sends a request of user addition to the C(1) (Step 2802).


The C(1) generates a unique mID (mID1), generates a digital signature Sign for sysID1(1) and data on the concerned account (U's account) (for example, invariant data that is for the concerned account and that is stored in a list the C(1) keeps, such as the date of the account generation, etc.), and generates an application pass for authentication shutter controls (Pass=(mID, sysID, Sign)). Furthermore, C(1) generates a key, and encrypts Pass using the key. Pass after being encrypted is denoted by E(Pass). Here, since it is only once at this moment that the C(1) encrypts Pass, since it is the C(1) itself to decrypt the encrypted Pass, and since Pass itself is of not so large size, Vernam cipher may be adopted with one-time keys.


Also, the C(1), to the concerned account, sets the value of ust (the state of the U) to be “halfway” (on the way through registration). ust (the state of the U), for example, may be included in OTHERS in aListi(1). The C(1), associating with sn, stores mID, key and ust in aList(1). The C(1) sends sn, mID and E(Pass) to the service server 2702-1 (Step 2803).


The service server 2702-1 registers, in the uList1(1), uID1(1) and mID, sets the value of sst (the state of the authentication shutter) to be “closed” (the value meaning the state of closed), and sets the value of period (the time when the authentication shutter becomes of the state closed) to be “undefined”. sst and period are included in at least one out of TPWINFO and OTHERS. After that, the service server 2702-1 sends sn and E(Pass) to UP (Step 2804).


In the registration procedure #2, the flow shown in Reference code 2800-3 in FIG. 28 is performed.


The sn and E(Pass) that the UP receives are input, by the U, to the UM. For the input to the UM for data the UP receives, two-dimensional bar codes etc. may be used, and manual input may be used. The sn and the E(Pass) are input to the UM such as the APP.


After that, by the U, the authentication shutter control password (reqPw) is input to UM. Here, in this description, for simplicity, we suppose that there is one control center machine (C(1)), and that tReqPw=reqPw. The U M sends the sn, the reqPw and the E(Pass) to the C(1) (Step 2811). The C(1) identifies the account with sn, and in only case that ust registered as the account data is “halfway”, obtains Pass decrypting E(Pass) using the key for the concerned account. After that, the C(1) verifies the validity of Pass, and in the case where it is valid, sets the value of hreqPw to be “h(reqPw)” (the value being applied to an irreversible transformation process for reqPw), and the value of ust to be “active” (a value meaning being registered) (Step 2812). In addition to ust, hreqPw also may be included in, for example, OTHERS in aList(1). Here, in the case where ust is already “active”, or in the case where Pass is invalid, the C(1) may stop the procedure to be failure at that time.


In the case where Pass is valid, the C(1) sends the Pass to the UM (Step 2813). The UM stores the received Pass after encrypting it with the key of UM specific data (such as MAC address, UUID, etc.) (Step 2814).


At Authentication shutter operation procedure (when the U opens or closes the authentication shutter), the flow shown at Reference code 2800-3 in FIG. 28.


The UM, with the UM specific data, decrypts the encrypted data such as Pass. The UM receives the input of sysID1(1) (the system ID for the service system (the system ID for S1(1)) whose authentication shutter is operated), the operation content (open or close (O/C)) and reqPw from U, and sends those data and Pass to C(1) (Step 2821).


The C(1) identifies the account with mID included in Pass, and verifies the validities of Pass and reqPw. In the case where those are valid (and correct, respectively), the C(1) sends mID and the operation content (O/C), to the shutter management server 2701-1 (Step 2822).


The shutter management server 2701-1, if the operation content is open, determines the time to close the authentication shutter, and sets the value of period for the U (period identified with the key of mID) to be “t”. Because the timing to open the authentication shutter seems to be the time when the U intends to use the S1(1) from now, “t” may be the time after a few minutes later since the operation content is received. The shutter management server 2701-1, if the operation content is close, sets the value of period for U to be “Undefined”.


After that, the shutter management server 2701-1 updates set and period for the U, and returns period to the C(1) (Step 2823). The C(1) sends the period to the UM (Step 2824).


In Login procedure, the flow shown in FIG. 29 is performed.


The UP, responding to the instruction from the U, sends uID1(1) and pw to the service server 2702-1 (Step 2901). The pw may be a fixed password or TempPw. The service server 2702-1 sends an inquiry associated with uID1(1) (an inquiry for the state of the authentication shutter for the U), to The shutter management server 2701-1 (Step 2902).


The shutter management server 2701-1 identifies sst and period with the key of uID1(1). In the case where the time is not after period, the shutter management server 2701-1 returns the value of sst (“open” or “closed”) to the service server 2702-1 (Step 2903). In the case where the time is after period, the shutter management server 2701-1 returns “closed” as the value of sst to the service server 2702-1. Also, in the case where the uID1(1) does not exist, or in the case where the value of period is “Undefined”, the shutter management server 2701-1 returns “closed” as the value of sst to Service server 2702-1.


The service server 2702-1, in only case that “open” is returned as the value of sst, inquiries (the uID1(1), the pw) to the authentication server 2703-1 (Step 2904). In the case where “open” is not retuned as the value of sst, the service server 2702-1 may finish the procedure recognizing the login authentication to be failed.


The authentication server 2703-1, responding to (the uID1(1), the pw), returns Yes or No to the service server 2702-1 (Step 2905).


The Service server 2702-1, in only case that Yes is returned, provides service for the UP (for example, recognizes the login authentication to be successful).


As many a Web application, in the case where the authentication gets successful, delivers Cookie to the browser of the U, also in the control of authentication shutters, according as the service server 2702-1 delivers Cookie to the UP in the case where the authentication gets successful, the UP does not have to do the Authentication procedure for every moving inside the site. In case of the authentication succeeded (in the case where Yes is returned), according as the service server 2702-1 sends a request for closing the authentication shutter to the shutter management server 2701-1, spoofed login by others can be prevented after the U has logged in.



FIG. 30 shows examples of the screen transition at the UM or the UP.


Reference code 3000-1 is an example of the screen transition in the case where the period for possible use of tpw is short and that the frequency of possible use is fixed. In this case, as described above, general otp can be used. Hence, for example, according to the U, to the display of UM, tReqPw(1) (reqPw, accurately) and the designated service system (Service A), OTP “1234” that is available only for Service A is issued by the C(1), and the OTP is displayed to the UM.


Reference code 3000-2 is an example of the screen transition in the case where the period for possible use of tpw is long and that the frequency of possible use is unlimited. In this case, as described above, a shared tpw is used, but Reference code 3000-2 shows an example in which passwords distinct for every service system are issued. For example, according as the U inputs tReqPw(1) and one or more service systems (Service A and Service C) to the display of the UM, the passwords “1234” and “5678” corresponding to Service A and Service C respectively are issued by the C(1), and those passwords are displayed to the UM.


Reference code 3000-3 is an example of the screen transition in the case where the period for possible use of tpw is long and that the frequency of possible use is unlimited. In this case, as described above, the pw is used. For example, according as the U, to the display of the UM, inputs tReqPw(1) and one or more service systems (Service A and Service C) to which sharing tpw is designated, tpw “1234” that is shared by Service A and Service C is issued by the C(1), and the tpw is displayed to UM. At that time, as shown by the figure, the expiration date that is represented by period included in tpwInfo associated with tpw, and uID included in tpwInfo (uID for every service system chosen by the U) may be displayed.


Reference code 3000-4 is an example of the screen transition for the case of switching the authentication shutter. For example, according as the U, to the display of the UM, inputs tReqPw(1), the operation content (for example, Close) and one or more service systems (Service A and Service C), the state of each authentication shutter for the U out of Service A and Service C is set to be as the operation content, and the result is displayed to the UM. At that time, as shown by the figure, in addition to period, tpwInfo including uID for every service system the user chooses may be sent to UM, and uID included in the tpwInfo (uID for every service system chosen by the U) may be displayed, too.


Reference code 3000-5 is an example of the screen transition for authentication/sharing. For example, as shown in Reference code 3000-5, the U inputs (or chooses), to the display of the UM, the sharing origin service system (From) (such as the S2(1) at FIG. 25), the sharing destination service system (To) (such as S1(1) at FIG. 25) and the sharing target data (for example, “Certificate X”), and the UM (APP) sends those to the C(1). Here, “Certificate X” is the sharing target data, and is also the value of att in information sharing. Namely, in the example at this figure, the sharing target data is the value of one att. Thus, the desired att may be designated by the U, and for the att, both check of offerability and acceptability may be performed. The UM (APP) displays, in addition to tpw from the C(1), uID, at least a part of the sharing target data and the replay button (OK button and NG button). In the case where the key for the sharing target data is delivered via the user terminal, the key also may be displayed by the UM (APP). In the case where OK button is pushed, the U, using the UP, may access to the sharing destination service system.


Thus, whereas we have described some embodiments, the present invention is never restricted to those embodiments.


For example, in the case where authentication using bio-information with mobile terminals is generalized, by combining it, two-factor authentication without information by memory, or three-factor authentication can be expected. For example, in the case where the UM gets available via biometrics authentication (such as fingerprint authentication or iris authentication) with UM, the bio-information of the U (such as fingerprint authentication or iris authentication) may be used for generation of tReqPw(1) by the UM. For example, instead of or besides reqPw, bio-information of the U may be used. The used bio-information may be data detected by the UM, and may be data pre-registered in the UM.


Also, tpwInfoi(j) may include digital object (such as text or image) for identity certificate to be displayed on the screen that Si(j) provides for the U (for example, the screen for receiving application such as login screen, the screen for receiving an input of bank account numbers etc.). The object for identity certificate in tpwInfoi(j) may be displayed to the display 211 by UM (APP). U, before inputting data to the screen provided by Si(j), compares the object for identity certificate on the screen with the identity certificate code displayed to the touch panel type display 211 by the UM (the object for identity certificate in tpwInfoi(j)). If those coincide, then we can see that the screen provided by UM is, indeed, the screen provided by Si(j). Thus, it can be prevented for the U to offer data to unauthorized systems (for example, to became a victim by phishing).


Also, sysIDi(j) related to a request of tpw control such as a request of tpw issuance, may be all (or a part of) sysIDi(j) that are registered in pList and that are automatically chosen by UM (APP), instead of sysIDi(j) for the service systems manually chosen by the U.


Also, at least one of the restrictions for tpw (for example, at least one out of the expiration date and the frequency of possible use) may be determined by the control center machine issuing tpw, instead of the service system. Taking the expiration date as the example, it is as follows. Namely, the expiration date is determined by the control center machine, the expiration data determined by the control center machine sends to the service system via or without via another control center machine. Specifically, for example, the C(1) determines the expiration date for every sysIDi(j) in SYSIDPart (die example, at any one among Steps 1402 to 1404). The expiration date may be identical for all sysIDi(j) in SYSIDPart, and may be distinct for every sysIDi(j) in SYSIDPart. For example, the expiration date (Period1(1)) corresponding to the S1(1) under the management by the C(1) that determines the expiration date for tpw is sent from the C(1) to the S1(1). Also, for example, the expiration date (Period1(2)) corresponding to the S1(2) under the management by another control center machine the C(2) other than the C(1) is sent from the C(1) to the S1(2) via or without via the C(2). Si(j) registers the received expiration date for tpw (Periodi(j)) in uListi(j) as at least a part of tpwInfoi(j) (for example, Step 1405). The process above may be applied to a restriction other than the expiration date for tpw (such as the frequency of possible use).


Also, at least one of the restrictions for tpw (for example, at least one out of the expiration date and the frequency of possible use) may be determined by the user instead of the service system. Taking the expiration date as the example, it is as follows. The expiration date is input to the UM (APP) by the U, is sent from the UM (APP) to the control center machine, and is sent from the control center machine to the service system via or without via another control center machine. Specifically, for example, the UM (APP) receives the input on the expiration date for tpw (Periodi(j)) for each sysIDi(j) in SYSIDPart, from the U (for example, Step 1401). The expiration date may be identical for all sysIDi(j) in SYSIDPart, and may be distinct for every sysIDi(j) in SYSIDPart. The expiration date for tpw (Periodi(j)) for each sysIDi(j) in SYSIDPart is sent from the UM (APP) to C(1) (for example, Step 1401). After that, for example, the expiration date for tpw (Period1(1)) corresponding to the S1(1) under the management by the C(1) that receives the expiration date for tpw from the UM, sent from the C(1) to the S1(1). Also, for example, the expiration date for tpw (Period1(2)) corresponding to the S1(2) under the management by another control center machine C(2) other than the C(1), sent from the C(1) to the S1(2) via or without via the C(2). Si(j) registers the received expiration date for tpw (Periodi(j)) in uListi(j) as at least a part of tpwInfoi(j) (for example, Step 1405). The process above may be applied to a restriction other than the expiration date for tpw (such as the frequency of possible use).


Also, at least a part of the process described above that each of C(j), Si(j), the UP and the UM does, as described above, is performed according as a processor executes computer programs. Also, “servers” described above may be physical server machines instead of functions executed by computer systems (such as virtual servers). C(j) and Si(j) are, typically, owned or managed by different entities, but may be owned or managed by the identical entity.


Also, the exchange between the U and Si(j) at least registration phases may be performed on paper base not limited to on Web base. Here, in the description above, according to the table operations at the processes performed by responding to a request from Si(j) to C(j), a record (an account) is added in the table, and data is registered to the record by the table operation at the process performed responding to the request from UM to C(j).


Also, a key such as aID(j) for aggregating plural service systems may be stored in at least one out of the UM and C(j).


Also, aID(j) is not mandatory. For example, since mIDi(j) are distinct for the identical Si(j) if the U are distinct, mIDi(j) may be used as aID(j). However, since, in the case where the number of Si(j) U uses is large, it is possible to assign two or more Si(j) U uses with the identical aID(j), we can expect efficiency by the existence of aID(j).


Also, in tpwInfoi(j) UM receives, the link (such as URL) to the service system may be included for every service system (for example, for every service system being an issuance destination of tpw, or, for every service system being a sharing destination for sharing target data). UM (or UP) may access to the service system designating the link in tpwInfoi(j). Here, in the link (URL) included in tpwInfoi(j), data for identifying U may be included. The service system accessed from UM (or UP) designating the link, may provide a screen in which data (for example, uID and authentication data) shall be input to the input field, to the access origin UM (or UP).


Also, at least one of the embodiments at which tpw is used, in a request sent from the UP (or the UM) to Si(j) (such as login request), in addition to tpw, a password specific to the Si(j) may be used. Also, at at least one of the embodiments, digital signatures are not mandatory.


REFERENCE SIGNS LIST




  • 101 . . . Control center machine, 103 . . . Service system, 105 . . . User terminal


Claims
  • 1. A server system designed to communicate with plural user terminals and plural service systems, comprising: a storage unit configured to store management information; anda processor coupled to the storage unit, whereinthe management information includes one or more information element groups for each user, each of the one or more information element groups includes mID being an ID which is shared by a server system and a service system and which is distinct for every user,the processor is configured to (A) receive a request from a user terminal,(B) identify, on the basis of the received request, one or more mIDs respectively corresponding to one or more service systems, from the management information, for the user for the user terminal,(C) send, to each of the one or more service systems, a request associated with the mID(s) corresponding to the service system among the identified one or more mIDs, and control content(s) for the service system.
  • 2. The server system according to claim 1, wherein each of the information element groups, for each user, includes a sysID which is an ID for a service system that the user may use, andan aID which is an ID shared by the service system and a user terminal for the user,the request received at (A) is a request on a control of an identification code, and is an identification code control request associated with an aID,the processor is configured to, at (B), identify, from the management information, one or more mIDs which corresponds to aID with which the received identification code control request are associated, andthe processor is configured to, at (C), sends, to each of the one or more service systems, for an identification code common among the one or more service systems, a request associated with the mID(s) corresponding to the service system among the identified one or more mID, and a control content(s) for the identification code.
  • 3. The server system according to claim 2, wherein the request received at (A) is associated with a sysID for a service system chosen by a user, andthe processor is configured to, at (B), identify, from the management information one or more mIDs corresponding to an aID and a sysID with which the received identification code control request is associated.
  • 4. The server system according to claim 2, wherein an aID with which the identification code control request is associated, is associated with a digital permit that is issued for the user terminal at a registration phase for registering a service system,the received identification code control request is associated with tReqPw which is a password input to the user terminal by a user or a password based on the input password, and which is a password for authentication for the request, andthe processor is configured to perform a first judgement of whether the tReqPw identified with the received identification code control request is valid or not, and a second judgement of whether a permit with which the received identification code control request is associated is correct or not, and perform (B) in the case where both judgement result are positive.
  • 5. The server system according to claim 4, wherein the processor is configured to, in the registration phase, (a) receive a sysID for the service system from the service system, sends an mID corresponding to the user and the service system, and cID being an ID for the server system, to the service system, and registers an information element group including the received sysID and the sent mID, to the management information,(b) in response to a request from the user terminal, add an aID and a tReqPw which is a password input by the user for the user terminal or which is a password generated based on the input password, to the information element group registered at (a), and send a permit including an SN being an ID for the information element group registered at (a), an aID registered to the information element group, and a cID, to the user terminal,the first judgement is a judgement of whether a tReqPw in an information element group identified with a permit with which the received identification code control request is associated, and a tReqPw identified with the received identification code control request, coincide with each other, or not, andthe second judgement is a judgement of whether data obtained from an information element group identified with the permit with which the received identification code control request is associated, and data obtained from the permit with which the identification code control request is associated, coincide with each other, or not.
  • 6. The server system according to claim 4, wherein the tReqPw is a password generated using a password input by the user and a random number determined by the user terminal or the processor.
  • 7. The server system according to claim 4, wherein an aID for at least one information element group out of two or more information element group including an identical aID, is an aID generated by the processor in the registration phase corresponding to the information element group, and the processor is configured to send the aID generated in the registration phase to the user terminal, andan aID for at least one other information element group out of the two or more information element group, is an aID which the processor receives from the user terminal in the registration phase corresponding to the information element group, and is an aID which the user terminal has already stored.
  • 8. The server system according to claim 2, wherein the received identification code control request is an identification code issuance request which is a request of issuance of an identification code,the processor is configured to, at (C), generate a common identification code among the one or more service systems,the request sent at (C) is associated with the common identification code,the control content(s) in the request sent at (C) is registration for the common identification code,the common identification code is an identification code input by the user terminal or another user terminal, for any service systems among the one or more service systems.
  • 9. The server system according to claim 2, wherein the processor is configured to receive, from each of the one or more service system, an encrypted uID being a uID registered to the service system (a user ID) encrypted with an suKey (encryption/decryption key) common among the service system and the user terminal, at the timing of a request at (C) or at another timing other than it, andthe processor is configured to send one or more encrypted uIDs respectively received from the one or more service system, to the user terminal.
  • 10. The server system according to claim 2, comprising: a first identification code control apparatus comprising the storage unit and the processor; anda second identification code control apparatus which can communicate with the first identification code control apparatus and plural service systems, whereinthe plural service systems includes a first service system registered to the first identification code control apparatus, and a second service system registered to the second identification code control apparatus,an identification code control request received by the first identification code control apparatus, is an identification code issuance request being a request of issuance of an identification code,one or more sysIDs with which the identification code issuance request is associated, includes at least sysID for the second service system, andthe first or the second identification code control apparatus is configured to send a request on a common identification code issued by the first identification code control apparatus, to the second service system corresponding to a sysID with which the identification code issuance request is associated.
  • 11. The server system according to claim 10, wherein the first identification code control apparatus is configured to send a sysID corresponding to the second service system out of sysIDs with which the identification code issuance request is associated, to the second identification code control apparatus, receive an mID corresponding to the second service system from the second identification control apparatus, and send a request associated with the received mID and the common identification code, to the second serviced system corresponding to the mID.
  • 12. The server system according to claim 10, wherein the first identification code control apparatus is configured to send a sysID corresponding to the second service system out of sysIDs with which the identification code issuance request is associated and the common identification code, to the second identification code control apparatus, andthe second identification code control apparatus is configured to send a request associated with an mID corresponding to the second service system and the common identification code, to the service system corresponding to the second service system.
  • 13. The server system according to claim 10, wherein the first identification code control apparatus is configured to send a sysID corresponding to the second service system out of sysIDs with which the identification code issuance request is associated, to the second identification code control apparatus,the second identification code control apparatus is configured to send an assertion being data including an mID corresponding to the second service system, to the second service system, andthe first identification code control apparatus is configured to send a request associated with the common identification code, to the second service system.
  • 14. The server system according to claim 1, wherein a response for a request sent to the service system, received from the service system, is data kept by the service system, and includes information elements that are permitted to be published to other service systems.
  • 15. The server system according to claim 1, wherein a request received at (A) represents an information sharing being to share sharing target data in a sharing origin service system with a sharing destination service system, andin the case where the request received at (A) represents an information sharing, one or more mIDs identified at (B) includes mIDs for sharing destination service systems for sharing target data, andthe processor is configured to, at (C), send a request being a request of sharing target data, and being associated with an ID for a sharing origin service system, to a sharing origin service system.
  • 16. The server system according to claim 15, wherein the processor is configured to (P) receive sharing target data from the sharing origin service system,(Q) send the sharing target data received, before the sharing destination service system gets able to obtain the sharing target data, to the user terminal,(R) in response to an NG response for sharing the sharing target data received, disable for the sharing target data to be obtained by the sharing destination service system.
  • 17. The server system according to claim 16, wherein the processor is configured to in the case where the sharing target data received is encrypted, store or send without decrypting the sharing target data, andin the case where the sharing target data received is not encrypted, check the presence of malware.
  • 18. The server system according to claim 1, wherein the control content(s) with which each of one or more requests is associated, sent at (C), is open or close for an authentication shutter.
  • 19. A system comprising: a server system designed to communicate with plural service systems, andan APP being a application program executed in a user terminal, and communicating with the server systems, whereinthe server system is configured to store management information including one or more information element groups, each of the one or more information element groups including mID(s) that is shared the server system and a service system, and that is different for each user, andthe server system is configured to (A) receive a request from the APP,(B) identify, on the basis of the received request received one or more mIDs respectively corresponding to one or more service systems, from the management information for, a user for the user terminal,(C) send, to each of the one or more service systems, a request associated with an mID corresponding to the service system among the identified one or more mIDs and control content(s) for the service system.
  • 20. A method comprising: keeping management information including one or more information element groups for each user, each of the one or more information element groups including an mID which is an ID that is shared by a server system and a service system and that is different for each user,receiving a request from a user terminal,identifying, on the basis of the received request, one or more mIDs respectively corresponding to one or more service system, from the management information, for a user for the user terminal, andsending, to each of the one or more service systems, a request associated with an mID for the service system among the identified one or more mIDs and control content(s) for the service system.
Priority Claims (4)
Number Date Country Kind
2014-240462 Nov 2014 JP national
2015-006662 Jan 2015 JP national
2015-033330 Feb 2015 JP national
2015-187644 Sep 2015 JP national
PCT Information
Filing Document Filing Date Country Kind
PCT/JP2015/082991 11/25/2015 WO 00