News Column

Patent Application Titled "Data Reference System and Application Authentication Method" Published Online

June 17, 2014



By a News Reporter-Staff News Editor at Information Technology Newsweekly -- According to news reporting originating from Washington, D.C., by VerticalNews journalists, a patent application by the inventor SHIMONO, Akio (Yokohama, JP), filed on September 25, 2013, was made available online on June 5, 2014.

The assignee for this patent application is Fujitsu Limited.

Reporters obtained the following quote from the background information supplied by the inventors: "Users use services provided via a network, such as the Internet. The users access, via the network, the services managed by the side that provides the services (hereinafter, referred to as the 'service provider side').

"There is a known method in which users directly access services via, for example, browsers. Data on each user is managed by the service provider side. When a user uses a service provided via the network, the service provider side provides the service in accordance with the content included in information, such as access permission, that is individually set on the basis of the data on the user.

"Furthermore, there is a known method in which users access services via applications. With this method, because applications are not always created on the service provider side, the service provider side performs, in addition to authentication with respect to permission for a user to connect to a service by using an application, authentication with respect to permission to access the application.

"With the authentication with respect to application access permission, when the service provider side permits access from the application, the service provider side issues an ID and a password that identify the application. Then, the service provider side performs authentication by using this ID and password, which identify the application when a user connects to the service via the application. After the completion of the authentication, the service provider side issues a token and then the application accesses, by using the token, the service in accordance with operations performed by the user. This type of authentication with respect to an application is known as OAuth (for example, Patent Document 1).

"However, in general, because services need to always be used in combination with data that is created in accordance with the services, the service provider side manages the data. Consequently, even though the data is itself derived from a user, the user is not able to freely use data related to a service, is not able to conceal data from the service provider, and is not able to reliably dispose of data.

"Consequently, with the method in which the service provider side manages data, even though the data is, for example, input or edited by a user, it is difficult to use or access the data from another service that is provided via the network. Furthermore, even if access from another service is permitted, it is difficult to use the data from that service while sufficiently maintaining the security of that service and the data from that service.

"Accordingly, there is a technology that, by separating services from data, enables users to control and centrally manage their own data by themselves (for example, Patent Document 2).

"Patent Document 1: Japanese Laid-open Patent Publication No. 2012-194722

"Patent Document 2: International Publication Pamphlet No. WO 2012077223

"However, if, by separating services from data, users control and centrally manage their own data by themselves, the application that uses the service still needs to access, in order to access the data, the location in which the data is stored in addition to accessing the service provider source. With the method in which the service provider side manages data, there is only a need for an application to deliver authentication related information to only the service provider side. However, if the service provider source is separated from the location in which the data is stored, the authentication related information needs to be delivered to both the service provider source and the location in which the data is stored.

"Furthermore, if authentication related information on an application leaks, with the method of managing data on the service provider side, misuse can be prevented by the service provider side taking action. However, if the service provider source is separated from the location in which the data is stored, the effect due to the leakage is great.

"Consequently, for example, if authentication related information on an application leaks into a data store location that is maliciously created, there is a problem in that an illegitimate application is created by using the authentication related information on the application. The data store location mentioned here is referred to as, for example, a 'data store'.

"In the following, this problem will be described with reference to FIG. 13. FIG. 13 is a schematic diagram illustrating a problem in which authentication related information on an application leaks into a data store that is created with malicious intent. As illustrated in FIG. 13, by separating the service from the data store, users U1 and U2 can control and centrally manage their own data by themselves. Here, it is assumed that a data store 1 is a normal data store, the user U2 is a malicious user, and information obtained by a data store 2 can be used.

"If the malicious user U2 accesses the malicious data store 2 by using an application A, the application A performs, on the malicious data store 2, authentication by using the ID and the password that identify the application A. At this point, the application A uses, as the authentication related information, the ID and the password that identify the application A.

"Consequently, the data store 2 can create an illegitimate application A.sub.m by using the ID and the password that identify the application A. If the application A.sub.m is created, because the application A.sub.m can use the authentication related information on the application A to access another data store or a service, the application A.sub.m can pretend to be the application A. In other words, this state in which authentication related information on the application A can be obtained via the data store is undesirable in terms of security.

"In contrast, in a case in which the service provider side manages data, because the access destination of an application is only a service and because the subject service authenticates the application, there is no occurrence of the state, in a normal use state, in which the authentication related information on the application is used by a person other than the service provider. Furthermore, because the authentication related information on the application is only used for the subject service, the service provider side can cope with the leakage of authentication related information."

In addition to obtaining background information on this patent application, VerticalNews editors also obtained the inventor's summary information for this patent application: "According to an aspect of an embodiment, a data reference system includes a first information processing apparatus and a second information processing apparatus. The first information processing apparatus includes an authentication unit and an issuing unit. The authentication unit authenticates, when an access is received that is made via an application, the legitimacy of the application on the basis of information related to the application. The issuing unit issues, when the legitimacy of the application has been authenticated, signature information that includes processing unit information that indicates an information processing apparatus that stores therein data that is accessed by the application. The second information processing apparatus includes a determining unit and a control unit. The determining unit determines, when an access that includes the signature information is received via the application, whether the processing unit information included in the signature information indicates the second information processing apparatus. The control unit permits, when the processing unit information is associated with the second information processing apparatus, the application to access the data.

"The object and advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out in the claims.

"It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF DRAWINGS

"FIG. 1 is a block diagram illustrating the overall configuration of a server system according to a first embodiment;

"FIG. 2 is a schematic diagram illustrating an example of the content of an application authentication token;

"FIG. 3 is a schematic diagram illustrating an example of the content of a data access token;

"FIG. 4 is a flowchart illustrating the flow of a process performed on the terminal device side according to the first embodiment;

"FIG. 5 is a flowchart illustrating an application authentication process performed by an application server according to the first embodiment;

"FIG. 6 is a flowchart illustrating the authentication process performed by the data server according to the first embodiment;

"FIG. 7 is a block diagram illustrating the overall configuration of a server system according to a second embodiment;

"FIG. 8 is a flowchart illustrating the flow of a process performed on the terminal device side according to the second embodiment;

"FIG. 9 is a flowchart illustrating the flow of an authentication process performed by a data server according to the second embodiment;

"FIG. 10 is a block diagram illustrating the overall configuration of a server system according to a third embodiment;

"FIG. 11 is a flowchart illustrating the flow of a process performed on the terminal device side according to a third embodiment;

"FIG. 12 is a flowchart illustrating the flow of an application authentication process performed by an application server according to the third embodiment; and

"FIG. 13 is a schematic diagram illustrating a problem in which authentication related information on an application leaks into a data store that is created with malicious intent."

For more information, see this patent application: SHIMONO, Akio. Data Reference System and Application Authentication Method. Filed September 25, 2013 and posted June 5, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=99&p=2&f=G&l=50&d=PG01&S1=20140529.PD.&OS=PD/20140529&RS=PD/20140529

Keywords for this news article include: Fujitsu Limited, Information Technology, Information and Data Server.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: Information Technology Newsweekly


Story Tools






HispanicBusiness.com Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters