Abstract: A client apparatus receives a message including a random number from a server apparatus during the handshake of agreement process, creates a biometric negotiation message including the biometric authentication method information and sends the biometric negotiation message to the server apparatus. Then, the client apparatus executes a biometric authentication based on biometric authentication method information notified from the server apparatus and encrypts the random number based on the private key. In addition, the client apparatus generates an authenticator from a result of the biometric authentication, the biometric authentication method information, the encrypted random number, and the client certificate, and sends to the server apparatus an authentication context including these. The server apparatus verifies the authentication context and establishes a secure session in one handshake.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: A configuration including, in authentication contexts, function unit identification information unique to the function unit that has executed an authentication subprocess in entity devices permits an authentication apparatus to specify the function unit that has executed the authentication subprocess in the entity devices. The verifier, therefore, can verify the legitimacy of the authentication subprocess from the authentication context even in the presence of a plurality of function units capable of executing the same authentication subprocess in the entity devices.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: According to one embodiment, the ID provider device stores pieces of policy information for each service provider ID. The ID provider device outputs a policy evaluation request including the user ID used in the log-in processing and the service provider ID in the authentication federation request when the log-in processing is successful. The ID provider device reads the policy information in accordance with the service provider ID in the policy evaluation request. The ID provider device judges whether to permit the transmission of the service data in accordance with whether environmental conditions of the user for the execution of a service conform to the read policy information.

Abstract: A root-account management apparatus generates an electronic signature based on a survival condition and a secret key when an authentication result of a user of a client apparatus is proper, and transmits derived-account credence element information including the survival condition, the electronic signature and a public key certificate to a derived-account management apparatus. The derived-account management apparatus creates derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires and a biometric information template of the user which is valid regardless of this validity term. Accordingly, even if an authentication element as a root (public key certificate) becomes invalid, a derived authentication element (biometric information template) can be prevented from becoming invalid.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: According to one embodiment of the present invention, the first authentication context includes the template certificate indicative of the validity of a template and the first apparatus evaluation certificate indicative of the validity of the first apparatus evaluating information while the second authentication context includes the second apparatus evaluating certificate indicative of the validity of the second apparatus evaluating information. And the template certificate and the first and second evaluation certificates are verified when verifying the first and second authentication contexts. Thus, the validity of the template used for authentication or the apparatus evaluating information included in the authentication context can be verified.

Abstract: A client apparatus transmits environmental information acquired from an environmental information acquisition device as well as a biometric authentication information matching result to a server apparatus. The server apparatus verifies the validity of the environmental information such as a luminance as well as the validity of the biometric authentication information matching result. If an environment is problematic, the server apparatus notifies the client apparatus that the environmental information is problematic. The client apparatus overcomes the problem of the environment such as the luminance based on the notification from the server apparatus and then retries a biometric authentication. The possibility of re-failure due to the environmental problem can be reduced during a retry of the biometric authentication.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: A client apparatus transmits environmental information acquired from an environmental information acquisition device as well as a biometric authentication information matching result to a server apparatus. The server apparatus verifies the validity of the environmental information such as a luminance as well as the validity of the biometric authentication information matching result. If an environment is problematic, the server apparatus notifies the client apparatus that the environmental information is problematic. The client apparatus overcomes the problem of the environment such as the luminance based on the notification from the server apparatus and then retries a biometric authentication. The possibility of re-failure due to the environmental problem can be reduced during a retry of the biometric authentication.

Abstract: A client apparatus transmits environmental information acquired from an environmental information acquisition device as well as a biometric authentication information matching result to a server apparatus. The server apparatus verifies the validity of the environmental information such as a luminance as well as the validity of the biometric authentication information matching result. If an environment is problematic, the server apparatus notifies the client apparatus that the environmental information is problematic. The client apparatus overcomes the problem of the environment such as the luminance based on the notification from the server apparatus and then retries a biometric authentication. The possibility of re-failure due to the environmental problem can be reduced during a retry of the biometric authentication.

Abstract: An apparatus for performing a channel-to-channel delay correction and frame synchronization with low latency includes, on each of a plurality of channels, a clock-and-data recovery circuit, a frequency divider circuit, a circuit for detecting the phase difference between the phase of the frequency-divided clock signal and the phase of a clock signal, a serial-to-parallel converter circuit, a register array for holding the parallel output of the serial-to-parallel converter circuit, and a frame-head detector for detecting a frame head from the output of the register array and outputting a frame detection signal. A last-frame-head detector receives the frame detection signals from each of the channels and detects a channel on which the frame head was detected last. The frame head detected last, the phase of the internal clock signal, and the phase of a frequency-divided clock of a retiming clock of the channel are adjusted to substantially coincide.

Abstract: Upon receiving server side entity information and a principal confirmation profile request data from a server side entity device, a consolidation apparatus transmits an entity information transmission request to each of a plurality of client side entity devices and receives client side entity information from each of the client side entity devices. Then, it determines the principal confirmation profile ID in each piece of client side entity information and the principal confirmation profile ID in the server side entity information according to the principal confirmation profile ID request information having the highest priority in the principal confirmation profile request data and prepares a routing table information associating the processing capability IDs and the entity IDs corresponding to the determined principal confirmation profile ID, which routing table information is then stored in a memory.

Abstract: Disclosed is a serial-to-parallel converter/parallel-to-serial converter/FIFO unified circuit which includes a register, a selector and a counter. The register receives serial input data and converts the serial data into parallel data based on frequency-divided multi-phase clock signals from a counter. The selector receives the parallel data from the register to select one of the data in accordance with a control signal. The counter generates the control signal for the selector so that plural items of data will be output serially from the selector in the sequence in which the plural items data have been serially supplied to the register.

Abstract: A client apparatus receives a message including a random number from a server apparatus during the handshake of agreement process, creates a biometric negotiation message including the biometric authentication method information and sends the biometric negotiation message to the server apparatus. Then, the client apparatus executes a biometric authentication based on biometric authentication method information notified from the server apparatus and encrypts the random number based on the private key. In addition, the client apparatus generates an authenticator from a result of the biometric authentication, the biometric authentication method information, the encrypted random number, and the client certificate, and sends to the server apparatus an authentication context including these. The server apparatus verifies the authentication context and establishes a secure session in one handshake.

Abstract: According to one embodiment of the present invention, the first authentication context includes the template certificate indicative of the validity of a template and the first apparatus evaluation certificate indicative of the validity of the first apparatus evaluating information whilst the second authentication context includes the second apparatus evaluating certificate indicative of the validity of the second apparatus evaluating information. And the template certificate and the first and second evaluation certificates are verified when verifying the first and second authentication contexts. Thus, the validity of the template used for authentication or the apparatus evaluating information included in the authentication context can be verified.

Abstract: In a file-access control system according to an embodiment of this invention, control data in accordance with actions made is imparted, as an obligation-type policy, to a document file. Next, a policy evaluation control unit evaluates and executes the obligation-type policy imparted to the document file in accordance with the action to the document file. The execution of the obligation-type policy includes the controlling of a document application on the basis of an obligation fulfillment action. Therefore, an active control can be performed in accordance with any manipulation made to the document, and the access to the document can be changed.

Abstract: A root-account management apparatus generates an electronic signature based on a survival condition and a secret key when an authentication result of a user of a client apparatus is proper, and transmits derived-account credence element information including the survival condition, the electronic signature and a public key certificate to a derived-account management apparatus. The derived-account management apparatus creates derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires and a biometric information template of the user which is valid regardless of this validity term. Accordingly, even if an authentication element as a root (public key certificate) becomes invalid, a derived authentication element (biometric information template) can be prevented from becoming invalid.