Abstract: A terminal device 4 transmits a certificate issue request including a communication ID thereof and a sub ID to a certificate issuing device 7 via a NW1 (a first network). The certificate issuing device 7 inquires of a communication ID (identifier) checking device 5 whether or not the communication ID included in the certificate issue request is in use or not and inquires of a communication ID/sub ID checking device 6 whether or not the communication ID and the sub ID are associated with each other. If both the check results are OK, the certificate issuing device 7 generates a certificate including the ID of the certificate issuing device 7, the communication ID, the sub ID and a validity period and transmits the certificate to the terminal device 4. In this way, a certificate with a short validity period can be issued only based on the access to the NW1 using the communication ID and the sub ID.

Abstract: At the user authentication apparatus 30, an identifier of a certification authority (CA) certificate that a CA information disclosure server 20 discloses in advance is registered in an identifier list of the CA. At the user terminal 10, a key pair consisting of a terminal public key and a terminal secret key is generated, the terminal signature is generated for information containing the terminal public key using the CA secret key acquired in advance, and a self-signed certificate of the same form as the certificate issued from CA, that is, a terminal certificate containing at least a terminal public key, a terminal signature, and a CA identifier, is created and stored, and registered in the user authentication apparatus 30.

Abstract: At user registration, a client device obtains a signature for a user ID, a password, and a public key by using a private key, and sends user information that includes the signature and the above-described information items to a service providing apparatus. The service providing apparatus verifies the signature by using the public key and stores the user information by which the password and the public key are associated with each other. When a request for a service is made, the client device allows authentication processing by sending to the service providing apparatus an authentication response that includes the user ID together with password authentication information, a signature for a challenge sent from the service providing apparatus, or a signature for the password and the challenge, irrespective of whether the authentication method for the service is password authentication, public key authentication, or public-key-and-password combination authentication.

Abstract: A secret key of a second apparatus is stored in a relay apparatus. A first apparatus specifies secret information used to identify a common key, generates encrypted secret information by encrypting the secret information by using a public key of the second apparatus, and transmits the encrypted secret information to the relay apparatus. Then, the relay apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. The relay apparatus transmits the encrypted secret information to the second apparatus. The second apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. Finished messages corresponding to communication log information and the secret information are exchanged between the first apparatus and the relay apparatus and between the second apparatus and the relay apparatus.

Abstract: A terminal device 4 transmits a certificate issue request including a communication ID thereof and a sub ID to a certificate issuing device 7 via a NW1. The certificate issuing device 7 inquires of a communication ID checking device 5 whether or not the communication ID included in the certificate issue request is in use or not and inquires of a communication ID/sub ID checking device 6 whether or not the communication ID and the sub ID are associated with each other. If both the check results are OK, the certificate issuing device 7 generates a certificate including the ID of the certificate issuing device 7, the communication ID, the sub ID and a validity period and transmits the certificate to the terminal device 4. In this way, a certificate with a short validity period can be issued only based on the access to the NW1 using the communication ID and the sub ID.

Abstract: At the user authentication apparatus 30, an identifier of a certification authority (CA) certificate that a CA information disclosure server 20 discloses in advance is registered in an identifier list of the CA. At the user terminal 10, a key pair consisting of a terminal public key and a terminal secret key is generated, the terminal signature is generated for information containing the terminal public key using the CA secret key acquired in advance, and a self-signed certificate of the same form as the certificate issued from CA, that is, a terminal certificate containing at least a terminal public key, a terminal signature, and a CA identifier, is created and stored, and registered in the user authentication apparatus 30.

Abstract: An address allocated to a user by an authentication server is used as an IP address of a packet which is transmitted from a user terminal, preventing an illicit use if the IP address were eavesdropped. An authentication server 100 performs an authentication of a user based on a user authentication information which is transmitted from the user terminal, and upon a successful authentication, allocates an address to the user terminal, and issues a ticket containing the address to be returned to the user terminal. The user terminal sets up the address contained in the ticket as a source address, and transmits the ticket to the application server 300, requesting a session to be established. After verifying that the ticket is authentic, the server 300 stores the ticket and establishes a session with the user terminal. The user terminal transmits a service request packet containing the source address to the server 300 utilizing the session.

Abstract: A secret key of a second apparatus is stored in a relay apparatus. A first apparatus specifies secret information used to identify a common key, generates encrypted secret information by encrypting the secret information by using a public key of the second apparatus, and transmits the encrypted secret information to the relay apparatus. Then, the relay apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. The relay apparatus transmits the encrypted secret information to the second apparatus. The second apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. Finished messages corresponding to communication log information and the secret information are exchanged between the first apparatus and the relay apparatus and between the second apparatus and the relay apparatus.

Abstract: In a user authentication system according to the present invention, at user registration, a client device obtains a signature for a user ID, a password, and a public key by using a private key corresponding to the public key, and sends user information that includes the signature and the above-described information items to a service providing apparatus. The service providing apparatus verifies the signature by using the public key and stores the user information by which the password and the public key are associated with each other.

Abstract: When a packet is received from a counterpart apparatus 3 connected to the Internet 2, it is determined by a decryption determination part 16 whether to decrypt or bypass the received packet by referring to a filter information storage part 15 based on a sending source and sending destination IP addresses and port numbers and a protocol. If it is determined that decryption is to be performed, then the received packet is decrypted based on cryptographic communication channel information agreed in advance between the counterpart apparatus 3 and a terminal 5 which does not have an IPSec function, in a cryptographic communication channel information storage part 12, and sent to the terminal 5.

Abstract: When a packet is received from a counterpart apparatus 3 connected to the Internet 2, it is determined by a decryption determination part 16 whether to decrypt or bypass the received packet by referring to a filter information storage part 15 based on a sending source and sending destination IP addresses and port numbers and a protocol. If it is determined that decryption is to be performed, then the received packet is decrypted based on cryptographic communication channel information agreed in advance between the counterpart apparatus 3 and a terminal 5 which does not have an IPSec function, in a cryptographic communication channel information storage part 12, and sent to the terminal 5.

Abstract: An address allocated to a user by an authentication server is used as an IP address of a packet which is transmitted from a user terminal, preventing an illicit use if the IP address were eavesdropped. An authentication server 100 performs an authentication of a user based on a user authentication information which is transmitted from the user terminal, and upon a successful authentication, allocates an address to the user terminal, and issues a ticket containing the address to be returned to the user terminal. The user terminal sets up the address contained in the ticket as a source address, and transmits the ticket to the application server 300, requesting a session to be established. After verifying that the ticket is authentic, the server 300 stores the ticket and establishes a session with the user terminal. The user terminal transmits a service request packet containing the source address to the server 300 utilizing the session.