Access privilege transferring method
First Claim
1. An access privilege transferring method for safely transferring access privileges between clients, and between clients and servers, over an object space in which at least one server for providing objects and at least one client requiring the objects are connected to one another by a network, and access to each of the objects complying with privilege information held by each of the clients is allowed, comprising:
- holding user information and secret information by each of a plurality of clients;
holding, in a server, the user information and the secret information of at least a first of the plurality of clients;
generating privilege information by the at least the first of the plurality of clients;
applying a predetermined calculating operation to information comprising at least the privilege information and the secret information, thereby generating protected privilege information by the at least the first of the plurality of clients;
transmitting the user information, the privilege information and the protected privilege information from the at least the first of the plurality of clients to at least a second of the plurality of clients;
retransmitting, from the at least the second of the plurality of clients, the user information, the privilege information and the protected privilege information to the server, thereby making a request to access an object;
checking, by the server, whether the privilege information received from the at least the second of the plurality of clients is valid;
applying a predetermined calculating operation to information comprising at least the privilege information and the secret information, thereby generating protected privilege information by the server;
comparing the protected privilege information received by the server with the protected privilege information generated by the server; and
allowing access to an object in response to the coincidence of the received protected privilege information and the generated protected privilege information based on the results of the comparison.
1 Assignment
0 Petitions
Accused Products
Abstract
Disclosed herein is an access privilege transferring method for safely transmitting privilege information about each object between subjects (users) over an object space in which service objects are scattered. User information and secret information of clients are shared between the clients and servers. A client that transfers privilege information generates privilege information weakened in its own contents of privilege. Further, the client applies a one-way function or an encryption function to a bit string obtained by joining the generated privilege information and the secret information to each other, thereby generating protected privilege information with which a third party who does not know the secret information is not capable of tampering. Utilizing the protected privilege information makes it possible to safely transfer access privileges. Further, the server analyzes the protected privilege information by using the secret information to thereby make it possible to safely confirm whether a client that makes an object request is authorized.
64 Citations
8 Claims
-
1. An access privilege transferring method for safely transferring access privileges between clients, and between clients and servers, over an object space in which at least one server for providing objects and at least one client requiring the objects are connected to one another by a network, and access to each of the objects complying with privilege information held by each of the clients is allowed, comprising:
-
holding user information and secret information by each of a plurality of clients; holding, in a server, the user information and the secret information of at least a first of the plurality of clients; generating privilege information by the at least the first of the plurality of clients; applying a predetermined calculating operation to information comprising at least the privilege information and the secret information, thereby generating protected privilege information by the at least the first of the plurality of clients; transmitting the user information, the privilege information and the protected privilege information from the at least the first of the plurality of clients to at least a second of the plurality of clients; retransmitting, from the at least the second of the plurality of clients, the user information, the privilege information and the protected privilege information to the server, thereby making a request to access an object; checking, by the server, whether the privilege information received from the at least the second of the plurality of clients is valid; applying a predetermined calculating operation to information comprising at least the privilege information and the secret information, thereby generating protected privilege information by the server; comparing the protected privilege information received by the server with the protected privilege information generated by the server; and allowing access to an object in response to the coincidence of the received protected privilege information and the generated protected privilege information based on the results of the comparison. - View Dependent Claims (2, 3)
-
-
4. An access privilege transferring method for safely transferring access privileges between clients, and between clients and servers, over an object space in which at least one server for providing objects and at least one client requiring the objects are connected to one another by a network and access to each of the objects complying with privilege information held by each of the clients is allowed, comprising:
-
holding user information and secret information by each of a plurality of clients; holding, in a server, the user information and the secret information of at least a first of the plurality of clients; generating privilege information by the at least the first of the plurality of clients; applying a predetermined calculating operation to information comprising at least the privilege information and the secret information, thereby generating first protected privilege information by the at least the first of the plurality of clients; transmitting the user information, the privilege information and the first protected privilege information from the at least the first of the plurality of clients to at least a second of the plurality of clients; receiving, by the at least the second of the plurality clients, a challenge character string from the server; applying the predetermined calculating operation to information comprising at least the challenge character string and the first protected privilege information, thereby generating second protected privilege information by the at least the second of the plurality clients; transmitting the user information, the privilege information and the second protected privilege information from the at least the second of the plurality clients to the server, thereby making a request to access an object; checking, by the server, whether the privilege information received by the server is valid; applying the predetermined calculating operation to information comprising at least the privilege information and the secret information, thereby generating first protected privilege information by the server; applying the predetermined calculating operation to information comprising at least the challenge character string and the generated first protected privilege information, thereby generating second protected privilege information; comparing the received second protected privilege information with the generated second protected privilege information; and allowing access to the object in response to the coincidence of the received second protected privilege information and the generated second protected privilege information based on the results of the comparison. - View Dependent Claims (5, 6)
-
-
7. An access privilege transferring method for safely transferring access privileges between clients, and between clients and servers, over an object space in which at least one server for providing objects and at least one client requiring the objects are connected to one another by a network and access to each of the objects complying with privilege information held by each of the clients is allowed, comprising:
-
holding user information and secret by each of a plurality of clients; holding, in a server, the user information and the secret information of at least a first of the plurality of clients; generating privilege information by the at least the first of the plurality of clients; encrypting the generated privilege information by applying a predetermined calculating operation to information comprising at least the generated privilege information and the secret information, thereby generating protected privilege information by the at least the first of the plurality of clients; transmitting, from the at least the first of the plurality of clients;
the user information and the protected privilege information to at least a second of the plurality of clients;retransmitting, by the at least the second of the plurality of clients, the user information and the protected privilege information to the server, thereby making a request to access an object; decrypting the protected privilege information by using the secret information corresponding to the user information, thereby generating privilege information by the server; checking, by the server, whether the privilege information generated by the server is valid; and allowing access to an object in accordance with the result of the validity check.
-
-
8. An access privilege transferring method for safely transferring access privileges between clients, and between clients and servers, over an object space in which at least one server for providing objects and at least one client requiring the objects are connected to one another by a network and access to each of the objects complying with privilege information held by each of the clients is allowed, comprising:
-
holding user information and secret information by each of a plurality of clients; holding, in the server, the user information and the secret information of at least a first of the plurality of clients; generating privilege information by the at least the first of the plurality of clients; encrypting the generated privilege information by applying a predetermined calculating operation to information comprising at least the generated privilege information and the secret information, thereby generating first protected privilege by the at least the first of the plurality of clients; transmitting the user information, the privilege information and the first protected privilege information from the at least the first of the plurality of clients to at least a second of the plurality of clients; receiving, by the at least the second of the plurality of clients, a challenge character string from the server, encrypting the challenge character string by applying the predetermined calculating operation to information comprising at least challenge character string and the first protected privilege information, thereby generating second protected privilege information by the at least the second of the plurality of clients; retransmitting, by the at least the second of the plurality of clients, the user information, the privilege information and the second protected privilege information to the server, thereby making a request to access an object; checking, by the server, whether the privilege information received by the server is valid; encrypting the privilege information by applying a predetermined calculating operation to information comprising at least the privilege information and the secret information, thereby generating first protected privilege information by the server; encrypting the challenge character string by applying a predetermined calculating operation to information comprising at least the challenge character string and the first protected privilege information generated by the server, thereby generating second protected privilege information by the server; comparing the received second protected privilege information with the generated second protected privilege information; and allowing access to an object in response to the coincidence of the received second protected privilege information and the generated second protected privilege information based on the results of the comparison.
-
Specification