Abstract: Upon receiving a medium storage request from a client apparatus, an information management server apparatus according to an embodiment evaluates, based on at least one policy file read out based on at least one parent management ID in the medium storage request and user information in the medium storage request, whether medium storage responding to the medium storage request is possible. Upon evaluating that the medium storage is possible, the information management server apparatus creates composite access control which do not violate any management rules included in the at least one policy file.

Abstract: According to one embodiment, a setting delivery device includes an initial setting unit sets a setting card, a setting switching unit switch content of the setting card, and a setting deliver unit delivers the setting card to the mobile terminals. The mobile terminal includes a setting acceptance unit accepts the setting card, a policy creation unit for creating a policy when the setting card indicates setting of the master, a policy delivery unit for delivering the policy to a different mobile terminal, a policy acceptance unit accepts the policy delivered from an other mobile terminal, when the setting card indicates setting of the slave, and a terminal controller configured to restrict a function according to the policy accepted.

Abstract: An authentication device receives each authentication context including an output information block, an input information block, and an authenticator block. The output information block includes a process result and process result identification information. The input information block includes a process result and process result identification information. The authentication device verifies each authenticator block. The authentication device searches for the output information block having the same value of process result identification information as the value of process result identification information in the input information block from other authentication contexts based on process result identification information in the input information block included in each authentication context.

Abstract: Upon receiving a medium storage request from a client apparatus, an information management server apparatus according to an embodiment evaluates, based on at least one policy file read out based on at least one parent management ID in the medium storage request and user information in the medium storage request, whether medium storage responding to the medium storage request is possible. Upon evaluating that the medium storage is possible, the information management server apparatus creates composite access control which do not violate any management rules included in the at least one policy file.

Abstract: A verification device transmits challenge information to a first entity device, and for each authentication context received in return, verifies that challenge information identical to the challenge information transmitted in advance is described, to thereby confirm that the authentication context is the current one. As a result, a repetitive attack in which the past authentication context is repeatedly used is prevented and the security against repetitive attacks is improved.

Abstract: A client apparatus receives a message including a random number from a server apparatus during the handshake of agreement process, creates a biometric negotiation message including the biometric authentication method information and sends the biometric negotiation message to the server apparatus. Then, the client apparatus executes a biometric authentication based on biometric authentication method information notified from the server apparatus and encrypts the random number based on the private key. In addition, the client apparatus generates an authenticator from a result of the biometric authentication, the biometric authentication method information, the encrypted random number, and the client certificate, and sends to the server apparatus an authentication context including these. The server apparatus verifies the authentication context and establishes a secure session in one handshake.

Abstract: According to one embodiment, an information management server device determines whether to permit the duplicating of the original data selected in the duplication source selection information. The information management server device reads the management ID of the original data related to the management ID in the duplication request and the electronic data body related to the entity ID with reference to the first and second storage units when the determination result for the original data has shown that the duplicating is permitted and creates duplicated original data by giving a new management ID to duplicated data obtained by duplicating the electronic data body.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: A configuration including, in authentication contexts, function unit identification information unique to the function unit that has executed an authentication subprocess in entity devices permits an authentication apparatus to specify the function unit that has executed the authentication subprocess in the entity devices. The verifier, therefore, can verify the legitimacy of the authentication subprocess from the authentication context even in the presence of a plurality of function units capable of executing the same authentication subprocess in the entity devices.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: According to one embodiment, an information management server device determines whether to permit the duplicating of the original data selected in the duplication source selection information. The information management server device reads the management ID of the original data related to the management ID in the duplication request and the electronic data body related to the entity ID with reference to the first and second storage units when the determination result for the original data has shown that the duplicating is permitted and creates duplicated original data by giving a new management ID to duplicated data obtained by duplicating the electronic data body.

Abstract: A root-account management apparatus generates an electronic signature based on a survival condition and a secret key when an authentication result of a user of a client apparatus is proper, and transmits derived-account credence element information including the survival condition, the electronic signature and a public key certificate to a derived-account management apparatus. The derived-account management apparatus creates derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires and a biometric information template of the user which is valid regardless of this validity term. Accordingly, even if an authentication element as a root (public key certificate) becomes invalid, a derived authentication element (biometric information template) can be prevented from becoming invalid.

Abstract: According to one embodiment, an information management server apparatus transmits processing result information that includes management register information including a child management ID when traceable duplication request information received from an information medium controller satisfy an access control policy and a permission policy. On the basis of the processing result information, the information medium controller outputs document print data that includes the child management ID tag and an electronic data body, and management register data including the management register information. When a paper document printed by the document print data is collected after being distributed, the information medium controller transmits a collection completion update request including the child management ID read from the paper document by an exclusive reader.

Abstract: According to one embodiment, even when the information media controlling apparatus which requests replication registration of electronic data and the information media controlling apparatus which acquires a child management file generated by replication registration are separate apparatuses, the information management server apparatus registers a child management ID of electronic data and a post office box ID of the acquisition destination of a child management file, in the post office box management table based on replication registration request information received from one information media controlling apparatus, and has the other information media controlling apparatus which is the acquisition destination acquire the child management file based on the post office box management table.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: According to one embodiment, a document management system in the embodiments, includes an information acquisition unit that acquires a management ID, acquires, using the management ID, document type information, and outputs the document type information. The document management system in the embodiments of the invention, includes a policy selection evaluation unit that acquires operation information, user information, and the document type information, selects policy information defining an operation extent of user based on the document type information, and evaluates whether or not that a user defined in the user information is authorized to perform an operation defined in the operation information in accordance with a definition of the selected policy information.

Abstract: According to one embodiment of the present invention, the first authentication context includes the template certificate indicative of the validity of a template and the first apparatus evaluation certificate indicative of the validity of the first apparatus evaluating information while the second authentication context includes the second apparatus evaluating certificate indicative of the validity of the second apparatus evaluating information. And the template certificate and the first and second evaluation certificates are verified when verifying the first and second authentication contexts. Thus, the validity of the template used for authentication or the apparatus evaluating information included in the authentication context can be verified.

Abstract: A client apparatus transmits environmental information acquired from an environmental information acquisition device as well as a biometric authentication information matching result to a server apparatus. The server apparatus verifies the validity of the environmental information such as a luminance as well as the validity of the biometric authentication information matching result. If an environment is problematic, the server apparatus notifies the client apparatus that the environmental information is problematic. The client apparatus overcomes the problem of the environment such as the luminance based on the notification from the server apparatus and then retries a biometric authentication. The possibility of re-failure due to the environmental problem can be reduced during a retry of the biometric authentication.

Abstract: According to one embodiment, a deriving operation control device obtains derivation control information and a derivation attribute. A deriving operation propriety determination unit extracts the number of times of previously-performed derivation from the derivation attribute. The deriving operation propriety determination unit extracts the upper limit number of times enabling derivation from the derivation control information and determines that a deriving operation is possible when the number of times of previously-performed derivation is equal to or below the upper limit number of times enabling derivation. A deriving operation execution unit executes the deriving operation.

Abstract: According to one embodiment, an information management server apparatus transmits processing result information that includes management register information including a child management ID when traceable duplication request information received from an information medium controller satisfy an access control policy and a permission policy. On the basis of the processing result information, the information medium controller outputs document print data that includes the child management ID tag and an electronic data body, and management register data including the management register information. When a paper document printed by the document print data is collected after being distributed, the information medium controller transmits a collection completion update request including the child management ID read from the paper document by an exclusive reader.