ACCOUNT MANAGEMENT SYSTEM, ROOT-ACCOUNT MANAGEMENT APPARATUS, DERIVED-ACCOUNT MANAGEMENT APPARATUS, AND PROGRAM

US 20090327706A1
Filed: 07/10/2009
Published: 12/31/2009
Est. Priority Date: 09/11/2007
Status: Active Grant

First Claim

Patent Images

1. An account management system comprising a root-account management apparatus which manages root-account information for certifying the identity of a user, and a derived-account management apparatus which manages derived-account information generated based on the root-account information, wherein the respective account management apparatuses capable of communicating with a client apparatus of the user,the root-account management apparatus comprising:

a root-account storage device which stores the root-account information comprising an initial authentication element field in which initial authentication element information is stored and a derived-account credence element field in which derived-account credence element information is stored;

a root-account key storage device in which a secret key of the root-account management apparatus and a public key certificate corresponding to this secret key are stored;

a survival condition setting device to set, in advance, a survival condition including a plurality of validity terms for the derived-account credence element information;

an initial authentication device configured to authenticate the user of the client apparatus based on the initial authentication element information;

a device configured to generate an electronic signature based on the secret key of the root-account management apparatus for credence element identification information, root-account management apparatus identification information, derived-account management apparatus identification information, root-account information reference information, and the survival condition, when an authentication result of the initial authentication device is proper;

a device configured to store, in the derived-account credence element information field, the derived-account credence element information consisting essentially of the credence element identification information, the root-account management apparatus identification information, the derived-account management apparatus identification information, the root-account information reference information, the survival condition, the electronic signature and the public key certificate; and

a device configured to transmit the derived-account credence element information inside the root-account storage device to the derived-account management apparatus,the derived-account management apparatus comprising;

a derived-account storage device configured to store the derived-account information comprising a derived-account credence element field in which the derived-account credence element information is stored and a derived authentication element field in which derived authentication element information is stored;

a device configured to verify the electronic signature inside the derived-account credence element information based on the public key certificate inside the relevant derived-account credence element information, upon receiving the derived-account credence element information from the root-account management apparatus;

a device configured to verify whether or not the survival condition inside the derived-account credence element information is satisfied when the electronic signature is proper as a result of this verification;

a device which creates the derived-account information including the derived-account credence element information in the derived-account credence element field and writes this derived-account information in the derived-account storage device when the survival condition is satisfied as a result of this verification;

a device configured to acquire biometric information of the user from the client apparatus, and to create a biometric information template from this biometric information;

a device which writes the derived authentication element information including the biometric information template in the derived authentication element field of the derived-account information inside the derived-account storage device;

a device configured to verify the electronic signature inside the relevant derived-account credence element information based on the public key certificate inside the derived-account credence element information in the derived-account information inside the derived-account storage device, upon receiving an access request to the derived-account information after the derived authentication element is written;

a device configured to verify whether or not the survival condition inside the relevant derived-account credence element information is satisfied when the electronic signature is proper as a result of the verification; and

a device configured to deny the access request and to invalidate the derived-account information when the survival condition is not satisfied as a result of this verification.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A root-account management apparatus generates an electronic signature based on a survival condition and a secret key when an authentication result of a user of a client apparatus is proper, and transmits derived-account credence element information including the survival condition, the electronic signature and a public key certificate to a derived-account management apparatus. The derived-account management apparatus creates derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires and a biometric information template of the user which is valid regardless of this validity term. Accordingly, even if an authentication element as a root (public key certificate) becomes invalid, a derived authentication element (biometric information template) can be prevented from becoming invalid.

26 Citations

View as Search Results

9 Claims

1. An account management system comprising a root-account management apparatus which manages root-account information for certifying the identity of a user, and a derived-account management apparatus which manages derived-account information generated based on the root-account information, wherein the respective account management apparatuses capable of communicating with a client apparatus of the user,the root-account management apparatus comprising:
- a root-account storage device which stores the root-account information comprising an initial authentication element field in which initial authentication element information is stored and a derived-account credence element field in which derived-account credence element information is stored;
  
  a root-account key storage device in which a secret key of the root-account management apparatus and a public key certificate corresponding to this secret key are stored;
  
  a survival condition setting device to set, in advance, a survival condition including a plurality of validity terms for the derived-account credence element information;
  
  an initial authentication device configured to authenticate the user of the client apparatus based on the initial authentication element information;
  
  a device configured to generate an electronic signature based on the secret key of the root-account management apparatus for credence element identification information, root-account management apparatus identification information, derived-account management apparatus identification information, root-account information reference information, and the survival condition, when an authentication result of the initial authentication device is proper;
  
  a device configured to store, in the derived-account credence element information field, the derived-account credence element information consisting essentially of the credence element identification information, the root-account management apparatus identification information, the derived-account management apparatus identification information, the root-account information reference information, the survival condition, the electronic signature and the public key certificate; and
  
  a device configured to transmit the derived-account credence element information inside the root-account storage device to the derived-account management apparatus,the derived-account management apparatus comprising;
  
  a derived-account storage device configured to store the derived-account information comprising a derived-account credence element field in which the derived-account credence element information is stored and a derived authentication element field in which derived authentication element information is stored;
  
  a device configured to verify the electronic signature inside the derived-account credence element information based on the public key certificate inside the relevant derived-account credence element information, upon receiving the derived-account credence element information from the root-account management apparatus;
  
  a device configured to verify whether or not the survival condition inside the derived-account credence element information is satisfied when the electronic signature is proper as a result of this verification;
  
  a device which creates the derived-account information including the derived-account credence element information in the derived-account credence element field and writes this derived-account information in the derived-account storage device when the survival condition is satisfied as a result of this verification;
  
  a device configured to acquire biometric information of the user from the client apparatus, and to create a biometric information template from this biometric information;
  
  a device which writes the derived authentication element information including the biometric information template in the derived authentication element field of the derived-account information inside the derived-account storage device;
  
  a device configured to verify the electronic signature inside the relevant derived-account credence element information based on the public key certificate inside the derived-account credence element information in the derived-account information inside the derived-account storage device, upon receiving an access request to the derived-account information after the derived authentication element is written;
  
  a device configured to verify whether or not the survival condition inside the relevant derived-account credence element information is satisfied when the electronic signature is proper as a result of the verification; and
  
  a device configured to deny the access request and to invalidate the derived-account information when the survival condition is not satisfied as a result of this verification.

2. A root-account management apparatus which can communicate with a derived-account management apparatus which manages derived-account information generated based on root-account information for certifying the identity of a user and a client apparatus of the user, and manages the root-account information, comprising:
- a root-account storage device which stores the root-account information comprising an initial authentication element field in which initial authentication element information is stored and a derived-account credence element field in which derived-account credence element information is stored;
  
  a root-account key storage device in which a secret key of the root-account management apparatus and a public key certificate corresponding to this secret key are stored;
  
  a survival condition setting device to set, in advance, a survival condition including a plurality of validity terms for the derived-account credence element information;
  
  an initial authentication device configured to authenticate the user of the client apparatus based on the initial authentication element information;
  
  a device configured to generate an electronic signature based on the secret key of the root-account management apparatus for credence element identification information, root-account management apparatus identification information, derived-account management apparatus identification information, root-account information reference information, and the survival condition, when an authentication result of the initial authentication device is proper;
  
  a device configured to store, in the derived-account credence element information field, the derived-account credence element information consisting essentially of the credence element identification information, the root-account management apparatus identification information, the derived-account management apparatus identification information, the root-account information reference information, the survival condition, the electronic signature and the public key certificate; and
  
  a device configured to transmit the derived-account credence element information inside the root-account storage device to the derived-account management apparatus,the root-account management apparatus enabling the derived-account management apparatus to create the derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires, and a biometric information template of the user which is valid regardless of this validity term.
- View Dependent Claims (3)
- - 3. The root-account management apparatus according to claim 2, wherein the survival condition includes an extended survival condition to the effect that in creating the derived-account information, the survival is permitted when approval is obtained from a predetermined third-party apparatus.

4. A derived-account management apparatus which can communicate with a root-account management apparatus which manages root-account information for certifying the identity of a user, and a client apparatus of the user, and manages derived-account information generated based on the root-account information, comprising:
- a receiving device configured to receive, from the root-account management apparatus, derived-account credence element information consisting essentially of credence element identification information, root-account management apparatus identification information, derived-account management apparatus identification information, root-account information reference information, a survival condition including a plurality of validity terms, an electronic signature, and a public key certificate corresponding to the secret key, when the root-account management apparatus transmits the derived-account credence element information by the relevant root-account management apparatus generating the electronic signature based on the secret key of the root-account management apparatus for the credence element identification information, the root-account management apparatus identification information, the derived-account management apparatus identification information, the root-account information reference information, and the survival condition if a result of authentication of the user based on initial authentication element information inside the root-account information in the root-account management apparatus is proper;
  
  a derived-account storage device configured to store the derived-account information comprising a derived-account credence element field in which the derived-account credence element information is stored and a derived authentication element field in which derived authentication element information is stored;
  
  a device configured to verify the electronic signature inside the derived-account credence element information based on the public key certificate inside the derived-account credence element information, upon receiving the derived-account credence element information from the root-account management apparatus;
  
  a device configured to verify whether or not the survival condition inside the derived-account credence element information is satisfied when the electronic signature is proper as a result of this verification;
  
  a device which creates the derived-account information including the derived-account credence element information in the derived-account credence element field, and writes this derived-account information in the derived-account storage device when the survival condition is satisfied as a result of this verification;
  
  a device configured to acquire biometric information of the user from the client apparatus, and to create a biometric information template from this biometric information;
  
  a device which writes the derived authentication element information including the biometric information template in the derived authentication element field of the derived-account information inside the derived-account storage device;
  
  a device configured to verify the electronic signature inside the relevant derived-account credence element information based on the public key certificate inside the derived-account credence element information in the derived-account information inside the derived-account storage device, upon receiving an access request to the derived-account information after the derived authentication element is written;
  
  a device configured to verify whether or not the survival condition inside the relevant derived-account credence element information is satisfied when the electronic signature is proper as a result of the verification; and
  
  a device configured to deny the access request and to invalidate the derived-account information when the survival condition is not satisfied as a result of this verification.
- View Dependent Claims (5)
- - 5. The derived-account management apparatus according to claim 4, wherein the survival condition includes an extended survival condition to the effect that in creating the derived-account information, the survival is permitted when approval is obtained from a predetermined third-party apparatus.

6. A program stored in a computer-readable storage medium for use in a root-account management apparatus which can communicate with a derived-account management apparatus which manages derived-account information generated based on root-account information for certifying the identity of a user and a client apparatus of the user, and manages the root-account information, comprising:
- a program code which causes the root-account management apparatus to sequentially perform processing of writing, in a root-account storage device of the root-account management apparatus, the root-account information comprising an initial authentication element field in which initial authentication element information is stored and a derived-account credence element field in which derived-account credence element information is stored;
  
  a program code which causes the root-account management apparatus to sequentially perform processing of writing, in a root-account key storage device of the computer, a secret key of the root-account management apparatus and a public key certificate corresponding to this secret key;
  
  a program code which causes the root-account management apparatus to sequentially perform survival condition setting processing for setting a survival condition including a plurality of validity terms for the derived-account credence element information in advance;
  
  a program code which causes the root-account management apparatus to sequentially perform initial authentication processing of authenticating the user of the client apparatus based on the initial authentication element information;
  
  a program code which causes the root-account management apparatus to sequentially perform processing of generating an electronic signature based on the secret key of the root-account management apparatus for credence element identification information, root-account management apparatus identification information, derived-account management apparatus identification information, root-account information reference information, and the survival condition, when an authentication result of the initial authentication device is proper;
  
  a program code which causes the root-account management apparatus to sequentially perform processing of storing, in the derived-account credence element information field, the derived-account credence element information consisting essentially of the credence element identification information, the root-account management apparatus identification information, the derived-account management apparatus identification information, the root-account information reference information, the survival condition, the electronic signature and the public key certificate; and
  
  a program code which causes the root-account management apparatus to sequentially perform processing of transmitting the derived-account credence element information inside the root-account storage device to the derived-account management apparatus,wherein the program enables the derived-account management apparatus to create the derived-account information which becomes valid when the survival condition is satisfied so that the derived-account information includes both the derived-account credence element information which becomes invalid when a validity term of the public key certificate expires, and a biometric information template of the user which is valid regardless of this validity term.
- View Dependent Claims (7)
- - 7. The program according to claim 6, wherein the survival condition includes an extended survival condition to the effect that in creating the derived-account information, the survival is permitted when approval is obtained from a predetermined third-party apparatus.

8. A program stored in a computer-readable storage medium for use in a derived-account management apparatus which can communicate with a root-account management apparatus which manages root-account information for certifying the identity of a user and a client apparatus of the user, and manages derived-account information generated based on the root-account information, comprising:
- a program code which causes the derived-account management apparatus to sequentially perform receiving processing of receiving, from the root-account management apparatus, derived-account credence element information consisting essentially of credence element identification information, root-account management apparatus identification information, derived-account management apparatus identification information, root-account information reference information, a survival condition including a plurality of validity terms, an electronic signature, and a public key certificate corresponding to the secret key, when the root-account management apparatus transmits the derived-account credence element information by the relevant root-account management apparatus generating the electronic signature based on the secret key of the root-account management apparatus for the credence element identification information, the root-account management apparatus identification information, the derived-account management apparatus identification information, the root-account information reference information, and the survival condition if a result of authentication of the user based on initial authentication element information inside the root-account information in the root-account management apparatus is proper;
  
  a program code which causes the derived-account management apparatus to sequentially perform processing of verifying the electronic signature inside the derived-account credence element information based on the public key certificate inside the derived-account credence element information, upon receiving the derived-account credence element information from the root-account management apparatus;
  
  a program code which causes the derived-account management apparatus to sequentially perform verifying whether or not the survival condition inside the derived-account credence element information is satisfied when the electronic signature is proper as a result of this verification;
  
  a program code which causes the derived-account management apparatus to sequentially perform processing of creating the derived-account information including the derived-account credence element information in the derived-account credence element field and writing this derived-account information in a derived-account storage device when the survival condition is satisfied as a result of this verification;
  
  a program code which causes the derived-account management apparatus to sequentially perform processing of acquiring biometric information of the user from the client apparatus, and creating a biometric information template from this biometric information;
  
  a program code which causes the derived-account management apparatus to sequentially perform processing of writing derived authentication element information including the biometric information template in a derived authentication element field of the derived-account information inside the derived-account storage device;
  
  a program code which causes the derived-account management apparatus to sequentially perform processing of verifying the electronic signature inside the relevant derived-account credence element information based on the public key certificate inside the derived-account credence element information in the derived-account information inside the derived-account storage device, upon receiving an access request to the derived-account information after the derived authentication element is written;
  
  a program code which causes the derived-account management apparatus to sequentially perform processing of verifying whether or not the survival condition inside the relevant derived-account credence element information is satisfied when the electronic signature is proper as a result of this verification; and
  
  a program code which causes the derived-account management apparatus to sequentially perform processing of denying the access request and invalidating the derived-account information when the survival condition is not satisfied as a result of this verification.
- View Dependent Claims (9)
- - 9. The program according to claim 8, wherein the survival condition includes an extended survival condition to the effect that in creating the derived-account information, the survival is permitted when approval is obtained from a predetermined third-party apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Toshiba Solutions Corporation (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation), Toshiba Solutions Corporation (Toshiba Corporation)
Inventors
IKEDA, Tatsuro, Fujii, Yoshihiro, Takamizawa, Hidehisa, Okada, Koji, Nishizawa, Minoru, Morijiri, Tomoaki, Yamada, Asahiko

Granted Patent

US 8,499,147 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/33   using certificates

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/60   Digital content management,...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

ACCOUNT MANAGEMENT SYSTEM, ROOT-ACCOUNT MANAGEMENT APPARATUS, DERIVED-ACCOUNT MANAGEMENT APPARATUS, AND PROGRAM

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

ACCOUNT MANAGEMENT SYSTEM, ROOT-ACCOUNT MANAGEMENT APPARATUS, DERIVED-ACCOUNT MANAGEMENT APPARATUS, AND PROGRAM

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others