Patents by Inventor Yukio Tsuruoka

Yukio Tsuruoka has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8953805
    Abstract: A secret information server 300 on a network 10 and a client apparatus 100 constitute an authentication information generating system. The secret information server 300 has a function to confirm the validity of a user in accordance with user identification information received from the client apparatus 100 and a function to hold the secret information database of each user and to send the secret information database of a user whose validity has been confirmed to the client apparatus 100 of the user. The client apparatus 100 has a main memory 120 having a domain A where an application or a main OS is executed and a domain B which has a program execution environment mutually independent of that for the domain A. The secret information database received from the secret information server 300 is saved in the domain B, and authentication information is generated by using the secret information database.
    Type: Grant
    Filed: March 3, 2009
    Date of Patent: February 10, 2015
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Yoshinao Kikuchi, Tomoo Fukazawa
  • Patent number: 8775796
    Abstract: A terminal device 4 transmits a certificate issue request including a communication ID thereof and a sub ID to a certificate issuing device 7 via a NW1 (a first network). The certificate issuing device 7 inquires of a communication ID (identifier) checking device 5 whether or not the communication ID included in the certificate issue request is in use or not and inquires of a communication ID/sub ID checking device 6 whether or not the communication ID and the sub ID are associated with each other. If both the check results are OK, the certificate issuing device 7 generates a certificate including the ID of the certificate issuing device 7, the communication ID, the sub ID and a validity period and transmits the certificate to the terminal device 4. In this way, a certificate with a short validity period can be issued only based on the access to the NW1 using the communication ID and the sub ID.
    Type: Grant
    Filed: February 7, 2008
    Date of Patent: July 8, 2014
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Kei Karasawa, Masahisa Kawashima, Yukio Tsuruoka, Kenji Takahashi, Shingo Orihara
  • Patent number: 8595816
    Abstract: At the user authentication apparatus 30, an identifier of a certification authority (CA) certificate that a CA information disclosure server 20 discloses in advance is registered in an identifier list of the CA. At the user terminal 10, a key pair consisting of a terminal public key and a terminal secret key is generated, the terminal signature is generated for information containing the terminal public key using the CA secret key acquired in advance, and a self-signed certificate of the same form as the certificate issued from CA, that is, a terminal certificate containing at least a terminal public key, a terminal signature, and a CA identifier, is created and stored, and registered in the user authentication apparatus 30.
    Type: Grant
    Filed: June 25, 2008
    Date of Patent: November 26, 2013
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Kei Karasawa, Nachi Ueno, Kenji Takahashi, Yukio Tsuruoka, Shingo Orihara
  • Patent number: 8352743
    Abstract: At user registration, a client device obtains a signature for a user ID, a password, and a public key by using a private key, and sends user information that includes the signature and the above-described information items to a service providing apparatus. The service providing apparatus verifies the signature by using the public key and stores the user information by which the password and the public key are associated with each other. When a request for a service is made, the client device allows authentication processing by sending to the service providing apparatus an authentication response that includes the user ID together with password authentication information, a signature for a challenge sent from the service providing apparatus, or a signature for the password and the challenge, irrespective of whether the authentication method for the service is password authentication, public key authentication, or public-key-and-password combination authentication.
    Type: Grant
    Filed: February 7, 2008
    Date of Patent: January 8, 2013
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Shingo Orihara, Kei Karasawa, Kenji Takahashi
  • Patent number: 8291231
    Abstract: A secret key of a second apparatus is stored in a relay apparatus. A first apparatus specifies secret information used to identify a common key, generates encrypted secret information by encrypting the secret information by using a public key of the second apparatus, and transmits the encrypted secret information to the relay apparatus. Then, the relay apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. The relay apparatus transmits the encrypted secret information to the second apparatus. The second apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. Finished messages corresponding to communication log information and the secret information are exchanged between the first apparatus and the relay apparatus and between the second apparatus and the relay apparatus.
    Type: Grant
    Filed: November 6, 2008
    Date of Patent: October 16, 2012
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Nachi Ueno, Shingo Orihara, Kei Karasawa, Yukio Tsuruoka
  • Publication number: 20110185171
    Abstract: A terminal device 4 transmits a certificate issue request including a communication ID thereof and a sub ID to a certificate issuing device 7 via a NW1. The certificate issuing device 7 inquires of a communication ID checking device 5 whether or not the communication ID included in the certificate issue request is in use or not and inquires of a communication ID/sub ID checking device 6 whether or not the communication ID and the sub ID are associated with each other. If both the check results are OK, the certificate issuing device 7 generates a certificate including the ID of the certificate issuing device 7, the communication ID, the sub ID and a validity period and transmits the certificate to the terminal device 4. In this way, a certificate with a short validity period can be issued only based on the access to the NW1 using the communication ID and the sub ID.
    Type: Application
    Filed: February 7, 2008
    Publication date: July 28, 2011
    Applicant: Nippon Telegraph and Telephone Corp.
    Inventors: Kei Karasawa, Masahisa Kawashima, Yukio Tsuruoka, Kenji Takahashi, Shingo Orihara
  • Publication number: 20110069839
    Abstract: A secret information server 300 on a network 10 and a client apparatus 100 constitute an authentication information generating system. The secret information server 300 has a function to confirm the validity of a user in accordance with user identification information received from the client apparatus 100 and a function to hold the secret information database of each user and to send the secret information database of a user whose validity has been confirmed to the client apparatus 100 of the user. The client apparatus 100 has a main memory 120 having a domain A where an application or a main OS is executed and a domain B which has a program execution environment mutually independent of that for the domain A. The secret information database received from the secret information server 300 is saved in the domain B, and authentication information is generated by using the secret information database.
    Type: Application
    Filed: March 3, 2009
    Publication date: March 24, 2011
    Applicant: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Yoshinao Kikuchi, Tomoo Fukazawa
  • Publication number: 20110047373
    Abstract: At the user authentication apparatus 30, an identifier of a certification authority (CA) certificate that a CA information disclosure server 20 discloses in advance is registered in an identifier list of the CA. At the user terminal 10, a key pair consisting of a terminal public key and a terminal secret key is generated, the terminal signature is generated for information containing the terminal public key using the CA secret key acquired in advance, and a self-signed certificate of the same form as the certificate issued from CA, that is, a terminal certificate containing at least a terminal public key, a terminal signature, and a CA identifier, is created and stored, and registered in the user authentication apparatus 30.
    Type: Application
    Filed: June 25, 2008
    Publication date: February 24, 2011
    Applicant: Nippon Telegraph and Telephone Corporation
    Inventors: Kei Karasawa, Nachi Ueno, Kenji Takahashi, Yukio Tsuruoka, Shingo Orihara
  • Patent number: 7861288
    Abstract: An address allocated to a user by an authentication server is used as an IP address of a packet which is transmitted from a user terminal, preventing an illicit use if the IP address were eavesdropped. An authentication server 100 performs an authentication of a user based on a user authentication information which is transmitted from the user terminal, and upon a successful authentication, allocates an address to the user terminal, and issues a ticket containing the address to be returned to the user terminal. The user terminal sets up the address contained in the ticket as a source address, and transmits the ticket to the application server 300, requesting a session to be established. After verifying that the ticket is authentic, the server 300 stores the ticket and establishes a session with the user terminal. The user terminal transmits a service request packet containing the source address to the server 300 utilizing the session.
    Type: Grant
    Filed: July 12, 2004
    Date of Patent: December 28, 2010
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Yoshinao Kikuchi, Shintaro Mizuno, Kenji Takahashi, Kei Karasawa
  • Publication number: 20100250951
    Abstract: A secret key of a second apparatus is stored in a relay apparatus. A first apparatus specifies secret information used to identify a common key, generates encrypted secret information by encrypting the secret information by using a public key of the second apparatus, and transmits the encrypted secret information to the relay apparatus. Then, the relay apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. The relay apparatus transmits the encrypted secret information to the second apparatus. The second apparatus decrypts the encrypted secret information by using the secret key of the second apparatus to extract the secret information. Finished messages corresponding to communication log information and the secret information are exchanged between the first apparatus and the relay apparatus and between the second apparatus and the relay apparatus.
    Type: Application
    Filed: November 6, 2008
    Publication date: September 30, 2010
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Nachi Ueno, Shingo Orihara, Kei Karasawa, Yukio Tsuruoka
  • Patent number: 7761517
    Abstract: An address notification device is provided with: a link information list storage part 106 for storing link information list composed of link information including an own address, an address of a communicating party, and process information about processing of communication information to be communicated between the own address and the communicating party address; a change information registration part 132 for adding the link information selected by a link information select part 130 with change information representing the content of the change; a link change information sending part 136 for sending link change information representing a change of the link information to a destination indicated by the communicating party address contained in the link information added with the change information; and a link information change part 138 for changing the link information on the basis of the change information added thereto in response to response information sent from the communicating party in response to the s
    Type: Grant
    Filed: August 30, 2004
    Date of Patent: July 20, 2010
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Satoshi Ono, Yusuke Hisada
  • Publication number: 20100088519
    Abstract: In a user authentication system according to the present invention, at user registration, a client device obtains a signature for a user ID, a password, and a public key by using a private key corresponding to the public key, and sends user information that includes the signature and the above-described information items to a service providing apparatus. The service providing apparatus verifies the signature by using the public key and stores the user information by which the password and the public key are associated with each other.
    Type: Application
    Filed: February 7, 2008
    Publication date: April 8, 2010
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yukio Tsuruoka, Shingo Orihara, Kei Karasawa, Kenji Takahashi
  • Patent number: 7665132
    Abstract: A mediating apparatus is provided on an IP network, and stores an access control list (ACL) retained in a VPN gateway unit. The mediating apparatus: receives a retrieval request from a VPN client unit; acquires a private IP address of a communication unit by reference to ACL; searches DNS to acquire therefrom an IP address of the VPN gateway unit; generates a common key that is used for authentication between the VPN client unit and the VPN gateway unit and for encrypted communication therebetween; sends the IP address of the VPN gateway unit, the private IP address of the communication unit, and the common key to the VPN client unit; and sends the IP address of the VPN client unit and the common key to the VPN gateway unit.
    Type: Grant
    Filed: July 2, 2004
    Date of Patent: February 16, 2010
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Yusuke Hisada, Yukio Tsuruoka, Satoshi Ono
  • Patent number: 7580980
    Abstract: A recipient identifier and communication condition information stored in a recipient-identifier storing unit are encrypted by an identifier-for-disclosure creating unit of a recipient terminal to create an identifier-for-disclosure. An identifier-for-disclosure notifying unit notifies a sender terminal of the identifier-for-disclosure. When a communication request using the identifier-for-disclosure is sent from the recipient terminal, a restoring unit of a relay system extracts the communication condition information from the identifier-for-disclosure. Only when communication conditions included in the communication condition information are satisfied, communication between the recipient terminal and the sender terminal is established.
    Type: Grant
    Filed: December 19, 2003
    Date of Patent: August 25, 2009
    Assignee: Nippon Telegraph and Telephone Corporation
    Inventors: Masahisa Kawashima, Fumitaka Hoshino, Akiko Fujimura, Shingo Kinoshita, Masayoshi Nakao, Noriaki Saito, Yukio Tsuruoka, Katsumi Takahashi, Tsuyoshi Abe, Jun Miyake
  • Publication number: 20060143702
    Abstract: A mediating apparatus is provided on an IP network, and stores an access control list (ACL) retained in a VPN gateway unit. The mediating apparatus: receives a retrieval request from a VPN client unit; acquires a private IP address of a communication unit by reference to ACL; searches DNS to acquire therefrom an IP address of the VPN gateway unit; generates a common key that is used for authentication between the VPN client unit and the VPN gateway unit and for encrypted communication therebetween; sends the IP address of the VPN gateway unit, the private IP address of the communication unit, and the common key to the VPN client unit; and sends the IP address of the VPN client unit and the common key to the VPN gateway unit.
    Type: Application
    Filed: July 2, 2004
    Publication date: June 29, 2006
    Applicant: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yusuke Hisada, Yukio Tsuruoka, Satoshi Ono
  • Publication number: 20060129629
    Abstract: A recipient identifier and communication condition information stored in a recipient-identifier storing unit are encrypted by an identifier-for-disclosure creating unit of a recipient terminal to create an identifier-for-disclosure. An identifier-for-disclosure notifying unit notifies a sender terminal of the identifier-for-disclosure. When a communication request using the identifier-for-disclosure is sent from the recipient terminal, a restoring unit of a relay system extracts the communication condition information from the identifier-for-disclosure. Only when communication conditions included in the communication condition information are satisfied, communication between the recipient terminal and the sender terminal is established.
    Type: Application
    Filed: December 19, 2003
    Publication date: June 15, 2006
    Applicant: Nippon Telegraph and Telephone Corporation
    Inventors: Masahisa Kawashima, Fumitaka Hoshino, Akiko Fujimura, Shingo Kinoshita, Masayoshi Nakao, Noriaki Saito, Yukio Tsuruoka, Katsumi Takahashi, Tsuyoshi Abe, Jun Miyake
  • Publication number: 20060064507
    Abstract: An address notification device is provided with: a link information list storage part 106 for storing link information list composed of link information including an own address, an address of a communicating party, and process information about processing of communication information to be communicated between the own address and the communicating party address; a change information registration part 132 for adding the link information selected by a link information select part 130 with change information representing the content of the change; a link change information sending part 136 for sending link change information representing a change of the link information to a destination indicated by the communicating party address contained in the link information added with the change information; and a link information change part 138 for changing the link information on the basis of the change information added thereto in response to response information sent from the communicating party in response to the s
    Type: Application
    Filed: August 30, 2004
    Publication date: March 23, 2006
    Inventors: Yukio Tsuruoka, Satoshi Ono, Yusuke Hisada
  • Publication number: 20060048212
    Abstract: An address allocated to a user by an authentication server is used as an IP address of a packet which is transmitted from a user terminal, preventing an illicit use if the IP address were eavesdropped. An authentication server 100 performs an authentication of a user based on a user authentication information which is transmitted from the user terminal, and upon a successful authentication, allocates an address to the user terminal, and issues a ticket containing the address to be returned to the user terminal. The user terminal sets up the address contained in the ticket as a source address, and transmits the ticket to the application server 300, requesting a session to be established. After verifying that the ticket is authentic, the server 300 stores the ticket and establishes a session with the user terminal. The user terminal transmits a service request packet containing the source address to the server 300 utilizing the session.
    Type: Application
    Filed: July 12, 2004
    Publication date: March 2, 2006
    Applicant: Nippon Telegraph and Telephone Corporation
    Inventors: Yukio Tsuruoka, Yoshinaro Kikuchi, Shintaro Mizuno, Kenji Takahashi, Kei Karasawa