ACCESS CONTROL SYSTEM AND A USER TERMINAL
First Claim
1. An access control system including a user terminal, a data storage unit and a service providing server mutually connected via a network,the user terminal comprising:
- a key set generation unit configured to generate a key set including a public key, a master key, and a public parameter as a parameter opened, by using an ID-based signature scheme based on seed information;
a key set storage to store the key set;
an ID generation unit configured to generate an ID including an identifier of a service, an issue date and a validity period of a secret key corresponding to a service provided by the service providing server;
a first ID storage to store the ID;
a secret key generation unit configured to generate the secret key based on the master key and the ID; and
a first transmit unit configured to transmit the ID and the secret key to the service providing server, and to transmit the public key, the public parameter and a revocated ID to the data storage device;
the service providing server comprising;
a signature data generation unit configured to generate signature data based on the ID and the secret key;
a second ID storage to store the ID;
a secret key storage to store the secret key;
a data request generation unit configured to generate a data request command including a data request, the signature data and the ID; and
a third transmit unit configured to transmit the data request command to the data storage device;
the data storage device comprising;
a first data storage to store measurement data measured from a measurement target device;
a revocated ID list storage to store the revocated ID;
a public key storage to store the public key and the public parameter;
a revocated ID list storage controller configured to decide whether the ID is same as the revocated ID;
a signature verification unit configured to verify the data request based on the signature data, the public key and the public parameter; and
a second transmit unit configured to transmit the measurement data to the service providing server, when the ID is not same as the revocated ID and when authenticity of the data request is verified;
wherein, in the user terminal,the ID generation unit generates a new ID including an identifier of a new service, an issue date and a validity period of a new secret key corresponding to the new service,the secret key generation unit generates the new secret key based on the master key and the new ID, andthe first transmit unit transmits the new ID and the new secret key to the service providing server,wherein, in the service providing server,the second ID storage stores the new ID, andthe secret key storage stores the new secret key.
1 Assignment
0 Petitions
Accused Products
Abstract
In a user terminal, a public key, a master key and a public parameter are generated. An ID including an identifier, an issue date and a validity period of a secret key for service is generated. The secret key is generated based on the master key and the ID. The ID and the secret key are transmitted to a service providing server. The public key and the public parameter are transmitted to a data storage device. In the service providing server, signature data is generated based on the ID and the secret key. A data request, the signature data and the ID are transmitted to the data storage device. In the data storage device, the data request is verified based on the signature data, the public key and the public parameter. When the data request is verified, measurement data of a target device is transmitted to the service providing server.
11 Citations
3 Claims
-
1. An access control system including a user terminal, a data storage unit and a service providing server mutually connected via a network,
the user terminal comprising: -
a key set generation unit configured to generate a key set including a public key, a master key, and a public parameter as a parameter opened, by using an ID-based signature scheme based on seed information; a key set storage to store the key set; an ID generation unit configured to generate an ID including an identifier of a service, an issue date and a validity period of a secret key corresponding to a service provided by the service providing server; a first ID storage to store the ID; a secret key generation unit configured to generate the secret key based on the master key and the ID; and a first transmit unit configured to transmit the ID and the secret key to the service providing server, and to transmit the public key, the public parameter and a revocated ID to the data storage device; the service providing server comprising; a signature data generation unit configured to generate signature data based on the ID and the secret key; a second ID storage to store the ID; a secret key storage to store the secret key; a data request generation unit configured to generate a data request command including a data request, the signature data and the ID; and a third transmit unit configured to transmit the data request command to the data storage device; the data storage device comprising; a first data storage to store measurement data measured from a measurement target device; a revocated ID list storage to store the revocated ID; a public key storage to store the public key and the public parameter; a revocated ID list storage controller configured to decide whether the ID is same as the revocated ID; a signature verification unit configured to verify the data request based on the signature data, the public key and the public parameter; and a second transmit unit configured to transmit the measurement data to the service providing server, when the ID is not same as the revocated ID and when authenticity of the data request is verified; wherein, in the user terminal, the ID generation unit generates a new ID including an identifier of a new service, an issue date and a validity period of a new secret key corresponding to the new service, the secret key generation unit generates the new secret key based on the master key and the new ID, and the first transmit unit transmits the new ID and the new secret key to the service providing server, wherein, in the service providing server, the second ID storage stores the new ID, and the secret key storage stores the new secret key.
-
-
2. A user terminal connected with a data storage device and a service providing server via a network, the user terminal comprising:
-
a key set generation unit configured to generate a key set including a public key, a master key and a public parameter as a parameter opened, by using an ID-based signature scheme based on seed information; a key set storage to store the key set; an ID generation unit configured to generate an ID including an identifier of a service, an issue date and a validity period of a secret key corresponding to a service provided by the service providing server; a first ID storage to store the ID; a secret key generation unit configured to generate the secret key based on the master key and the ID; and a first transmit unit configured to transmit the ID and the secret key to the service providing server, and to transmit the public key, the public parameter and a revocated ID to the data storage device;
whereinthe ID and the secret key are used for generating signature data by the service providing server, the signature data, the ID and a data request are included in a data request command by the service providing server and transmitted to the data storage device, the ID included in the data request command is decided whether to be same as the revocated ID by the data storage device, the signature data, the public key and the public parameter are used for verifying the data request included in the data request command by the data storage device, measurement data measured from a measurement target device is stored in the data storage device, and when the ID is not same as the revocated ID and when authority of the data request is verified, the measurement data is transmitted to the service providing server.
-
-
3. An access control system including a user terminal, a data storage unit and a service providing server mutually connected via a network,
the user terminal comprising: -
a key set generation unit configured to generate a key set including a public key, a master key and a public parameter as a parameter opened, by using an ID-based signature scheme based on seed information; a key set storage to store the key set; an ID generation unit configured to generate an ID including an identifier of a service, an issue date and a validity period of a secret key corresponding to a service provided by the service providing server; a third ID storage to store the ID; a secret key generation unit configured to generate the secret key based on the master key and the ID; and a fourth transmit unit configured to transmit the ID, the public key and a MAC generation request to the data storage device; the data storage device comprising; a third data storage to store measurement data measured from a measurement target device; a public key storage to store the public key and the public parameter; a public key storage controller configured to decide whether the public key is same as the latest public key; a MAC generation and verification unit configured to generate a MAC based on the MAC generation request and the ID when the public key is same as the latest public key; a signature verification unit configured to verify a data request; and a fifth transmit unit configured to transmit the MAC to the user terminal; wherein, in the user terminal, the fourth transmit unit transmits the ID, the secret key and the MAC to the service providing server, the service providing server comprising; a signature data generation unit configured to generate signature data based on the ID and the secret key; a fourth ID storage to store the ID; a secret key storage to store the secret key; a data request generation unit configured to generate a data request command including the data request, the signature data, the ID and the MAC; and a sixth transmit unit configured to transmit the data request command to the data storage device; wherein, in the data storage device, the MAC generation and verification unit verifies the MAC based on the ID, the signature verification unit verifies the data request based on the signature data and the public key, and the fifth transmit unit transmits the measurement data to the service providing server, when authenticity of the MAC is verified and when authenticity of the data request is verified.
-
Specification