US20070245146A1 - Apparatus and method for securely realizing cooperative processing - Google Patents

Publication number
US20070245146A1
Authority
US
United States
Prior art keywords
signature
server
instruction
network
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/808,544
Inventor
Masanori Satake
Takanori Masui
Tatsuhiko Yokohama
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujifilm Business Innovation Corp
Original Assignee
Fuji Xerox Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fuji Xerox Co Ltd
Priority to US11/808,544
Assigned to FUJI XEROX CO., LTD. reassignment FUJI XEROX CO., LTD. CHANGE OF ADDRESS Assignors: FUJI XEROX CO., LTD.
Publication of US20070245146A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00 Digital computers in general; Data processing equipment in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • the present invention relates to a technology for realizing cooperative processing wherein processors present on a network cooperate, and in particular to a security technology associated with cooperative processing.
  • LAN Local Area Network
  • a facsimile machine such as a facsimile machine, a printer, a copier, and a multifunction device having these functions integrated so that these devices can communicate with information processors such as personal computers or a mail server.
  • Examples of conventional workflow systems include those disclosed in, for example, Japanese Patent Laid-Open Publications Nos. Hei 8-123744, 2002-99686, and 2001-282970.
  • a request for a service in each of processors forming the flow is made by sequentially transmitting instruction data from one processor to another.
  • a risk of falsification or “spoofing” there may arise cases wherein the level of security cannot be maintained at a level required by the processor.
  • an external processor incorporated into the workflow include various processors such as, for example, a time stamp server for providing a presence authentication of data as a third party agent and an accounting server (for example, a settlement processor of a credit card company) for collecting money on behalf of a service provider.
  • an electronic signature system such as PKI (Public Key Infrastructure) is used.
  • Such an electronic signature system can be used for communication of instruction data between processors.
  • Certificate authorities in general include certificate authorities of various levels, and range from those with a high level of public trust, such as those provided by national governments or recognized corporations such as the Verisign Corporation, to those especially built within a company or a division of a company.
  • CA Certificate authorities
  • the CA publicizes the public key certificate of each user (in PKI, each processor is also a user) through a web server or an LDAP (Lightweight Directory Access Protocol) server so that a party who wishes to verify an electronic signature obtains the public key certificate necessary for the verification from these servers.
  • the system is configured such that a processor outside the company can obtain the public key certificate issued by the in-house CA
  • Japanese Patent Laid-Open Publication No. 2002-164884 discloses a signature proxy server used for providing electronic signature when documents are exchanged between devices within different intranets. On behalf of a device within the intranet, the signature proxy server provides an electronic signature on a document originating from a device within the intranet and verifies the electronic signature on a document from outside to a device within the intranet.
  • Japanese Patent Laid-Open Publication No. 2002-164884 does not, however, consider electronically signed documents within the intranet.
  • a device within the intranet does not attach an electronic signature to the data originating from the device and the signature proxy server attaches an electronic signature to the data to be transmitted from a device within the intranet to the outside without verifying the authenticity of the data.
  • an information processor for transmitting, to a job processor, instruction data having a process description for instructing a job process or data to be processed in a job process to instruct execution of the job process, the information processor comprising a selection unit for selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data or data to be processed; a signing unit for signing the instruction data or the data to be processed using the signature key selected by the selection unit; and a transmitting unit for transmitting, to the job processor, the instruction data or the data to be processed signed by the signing unit.
  • a job processor comprising a key storage unit having separate signature keys, one for the inside of a network to which the job processor belongs and the other for the outside of the network; a receiver unit for receiving job flow instruction data which indicates process instruction to each of the job processors and the next job processor of each of the job processors; a signature verification unit for verifying an electronic signature attached to the job flow instruction data received at the receiver unit; a processor unit for identifying, from the job flow instruction data, a process instruction the job processor should execute when the verification by the signature verification unit is successful and for executing the process according to the process instruction; an instruction data creation unit for creating output job flow instruction data to be transmitted to a next job processor based on the received job flow instruction data when the process is executed by the processor unit; a judging unit for judging whether or not the next job processor is a device within the network; a signature processor unit for electronically signing the output job flow instruction data using the signature key for the inside when the next job processor is a device within the network and using the
  • an instruction data creating device for creating job flow instruction data which indicates a process instruction for each job processor and a next job processor for each job processor for a system for realizing a service by sequentially sending the job flow instruction data among the job processors and each job processor sequentially executing the process instruction for the job processor
  • the device comprising a key storage unit having a signature key for inside the network to which the instruction data creating device belongs and a signature key for outside the network; a judgment unit for judging whether or not there is a job processor outside the network in the group of job processors for the service; a signature processor unit for electronically signing the job flow instruction data using the signature for the outside when the judgment unit judges that there is a device which is outside the network in the group of job processors for the service and using the signature for the inside otherwise; and a transmitter unit for transmitting the job flow instruction data electronically signed by the signature processor unit to a first job processor among the group of job processors for the service.
  • a proxy device provided between an internal network and an external network, for intermediating exchange of documents between a device on the internal network and a device on the external network
  • the proxy device comprising a first signature verification unit for verifying an electronic signature attached to a document transmitted from the device on the internal network to the device on the external network; and a first signature conversion unit for, when it is determined in the verification by the first verification unit that the electronic signature attached to the document is signed using a signature key for the internal network, deleting the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the external network, and transmitting the electronically signed document to the device on the external network.
  • a proxy device provided between an internal network and an external network for intermediating exchange of documents between a device on the internal network and a device on the external network
  • the proxy device comprising a signature verification unit for verifying an electronic signature attached to a document transmitted from a device on the external network to a device on the internal network; and a signature conversion unit for deleting, when verification by the signature verification unit is successful, the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the internal network, and transmitting the document to the device on the internal network.
  • FIG. 1 is an explanatory diagram showing an example of a system configuration for realizing a cooperative service.
  • FIG. 2 is an explanatory diagram showing a structure of an application server in a system of FIG. 1.
  • FIG. 3 is a diagram showing an example of description of a job flow instruction to which an electronic signature is attached.
  • FIG. 4 is an explanatory diagram showing another example structure of a system for realizing a cooperative service.
  • FIG. 5 is an explanatory diagram showing a structure of an instruction input device in an alternative embodiment of the present invention.
  • FIG. 6 is an explanatory diagram showing a system structure of an alternative embodiment of the present invention.
  • FIG. 7 is an explanatory diagram showing a structure of a signature proxy device in the alternative embodiment of the present invention shown in FIG. 6.
  • FIG. 1 an example system configuration of a service providing system to which the present invention can be applied will be described.
  • the illustrated system comprises an instruction input device 10 and a plurality of application servers 20.
  • An application server 20 is a server which provides a predetermined processing service in response to a request from another device.
  • Examples of such a server 20 include a document database server, a mail server, and an image processing server for applying processes such as color conversion and rotation to image data.
  • the server 20 provides these processing services in the form of, for example, a web application service.
  • the instruction input device 10 is a device for inputting a user's processing instruction to the system.
  • a user can input, into the instruction input device 10, an execution instruction of cooperative services as described above.
  • the instruction input device 10 can be constructed by, for example, incorporating into a personal computer a user interface program for receiving input instructions from the user. It is, however, preferable that, in consideration of document processing services in offices, a digital multifunction device which includes a function to read a paper document and convert the paper document into electronic data, in addition to information processing and communication functions, be used as the instruction input device 10.
  • a digital multifunction device is a device which has functions of a scanner, printer, copier, facsimile transmission/reception, network communication, and so on.
  • a user inputs an execution instruction of a desired cooperative service to the instruction input device 10.
  • the instruction input device 10 creates instruction data indicating the content of the cooperative service (this data will hereinafter be referred to as a “job flow instruction”).
  • the job flow instruction 30 contains a description of the process each of the servers 20 is to execute for the cooperative service (this description is hereinafter referred to as an “individual instruction”) and information on the order of execution of the processes.
  • a specific structure of such a job flow instruction may be, for example, a structure in which individual server instructions 32-1, 32-2, and 32-3 are arranged according to the order of execution of the processes of the cooperative service.
  • the individual instruction 32 for each server 20 includes description of the name of the server 20 (this name is hereinafter referred to as a “service name”) or the like so that each server 20 can identify the individual instruction 32 within the job flow instruction 30 which is directed to the server 20.
  • each server 20 can identify the server 20 which will perform the next process from the description of the service name of the individual instruction 32 following the individual instruction 32 directed to the server 20. It is also possible to alternatively or additionally include a description of the next server 20 to perform a process (that is, the server to which the job flow instruction should be next transmitted) in the individual instruction 32. In this manner, each server 20 can identify a description of the process directed to the server 20 from the job flow instruction 30, execute a process according to the process description, and send the job flow instruction 30 to the next server 20 after completion of the process being performed.
  • a URL Universal Resource Locator
  • URI Uniform Resource Identifier
  • a cooperative service process starts when the job flow instruction 30 as described above is transmitted from the instruction input device 10 to a first server 20-1 of the cooperative service.
  • the server 20-1 identifies the individual instruction 32-1 directed to the server 20-1 from the job flow instruction 30 and executes a process accordingly.
  • the server 20-1 then deletes the individual instruction 32-1 directed to the server 20-1 from the job flow instruction 30 to create a new job flow instruction 30a and transmits the new flow instruction 30a to the next server 20-2 in the job flow.
  • Upon receipt of the job flow instruction 30a, the server 20-2 operates in a manner similar to that of the server 20-1, deletes the individual instruction 32-2 directed to the server 20-2 from the job flow instruction 30a to create a new job flow instruction 30b, and transmits the job flow instruction 30b to a next server 20-3.
  • an electronic signature system is employed as a mechanism to allow verification, by each server 20, of authenticity (i.e. the data is not falsified, etc.) of the job flow instructions 30, 30a, 30b, . . . (hereinafter referred to collectively as “job flow instruction 30”) received by the server 20. More specifically, when the instruction input device 10 or the server 20 is to transmit the job flow instruction 30, an electronic signature of the instruction input device 10 or of the server 20 is attached to the job flow instruction 30 and the server 20 receiving the job flow instruction 30 verifies the signature to judge the authenticity of the received job flow instruction 30.
  • the server 20-1 and the server 20-3 are located within the same company as the instruction input device 10 (that is, on the intranet of this company) and the server 20-2 is located outside the company (outside the intranet)
  • the job flow instruction 30a sent from the server 20-1 to the server 20-2 is signed using a secret key corresponding to a public key certificate issued by a certificate authority (CA) within the company to which the server 20-1 belongs
  • public key certificates from a CA within the company (or division) to which the server 20 belongs (this CA is referred to as “in-house CA” hereinafter) and from a CA of a public organization such as a government or an entity such as Verisign Corporation (this CA is referred to as “public CA” hereinafter) are provided to each server 20 (the key pairs corresponding to the certificates need not be the same for the in-house CA and for the public CA).
  • each server 20 can attach two types of electronic signatures, one for in-house use and the other for external use, and selectively employ either of the two types of electronic signatures based on whether the destination device of the job flow instruction is within or outside the company.
  • the in-house CA authenticates a public key of only particular users belonging to the company or the division (here, “user” includes not only an individual, but also a group of people or a device), whereas the public CA authenticates public keys of many unspecified users.
  • FIG. 2 is a functional block diagram of a server 20 in this system.
  • FIG. 2 primarily shows portions of the functions of the server 20 related to the electronic signature.
  • the server 20 may contain other functions.
  • a network I/F (interface) unit 202 is a unit for controlling data communication between the server 20 and the local area network.
  • An instruction division/integration unit 204 is a unit for dividing a job flow instruction 30 received from a previous server 20 through the network I/F 202 and for assembling a job flow instruction 30 to be transmitted to a next server 20.
  • the job flow instruction 30 is divided into a portion describing the content of the process and a portion describing the electronic signature. This process will now be described using a specific example job flow instruction as shown in FIG. 3.
  • FIG. 3 shows an example job flow instruction written based on an XML-signature (eXtensible Markup Language-signature; RFC3275).
  • the job flow instruction contains a process content element 310 describing the content of the process of the server 20 and a signature element 320 describing information of electronic signature corresponding to the process content element 310 .
  • the process content element 310 contains individual instructions 312 and 314 directed to servers 20.
  • the individual instructions 312 and 314 respectively contain service names 3122 and 3142 indicating the destination of the instruction, process names 3124 and 3144 indicating the type of process the destination service is to execute, and parameters 3126 for the process to be executed.
  • the signature element 320 contains a signature information element 322 indicating data such as the algorithm used for the electronic signature of the job flow instruction 30 and a hash value of the target element of the signature (in this case, the process content element 310), a signature value element 324 indicating a signature value determined from the signature target element using the algorithm, and a key information element 326 describing information for specifying a public key to be used for verification of the electronic signature.
  • the key information element 326 contains information necessary for specifying the public key certificate corresponding to the secret key used for calculation of the value of the electronic signature.
  • the XML-signature standards noted above can be referred to for details of each element within the signature element 320.
  • the instruction division/integration unit 204 divides a job flow instruction 30 received from the previous server 20 and having a structure as described into the process content element 310 and the signature element 320.
  • the instruction division/integration unit 204 further divides the signature element 320 into a segment containing the signature information element 322 and the signature value element 324 and a segment containing the key information element 326.
  • the process content element 310 is sent to an instruction processor unit 212 and to a signature verification unit 210
  • the key information element 326 is sent to a verification key selection unit 208
  • the signature information element 322 and the signature value element 324 are sent to the signature verification unit 210.
  • a key storage unit 206 stores the secret key of the server 20 which is used for electronically signing the job flow instruction 30 to be sent to the next server, etc., and public keys of other servers 20 used for verification of signatures on the received job flow instructions 30.
  • the key storage unit 206 stores, as the secret keys to be used for signing, an in-house secret key certified by the in-house CA and an external secret key certified by a public CA. These two secret keys may have the same value, but the corresponding public key certificates differ from each other in that one is for internal use and the other is for external use.
  • the verification key selection unit 208 obtains, from the key storage unit 206, a public key indicated in the information of the key information element 326 sent from the instruction division/integration unit 204 and sends the public key to the signature verification unit 210.
  • the signature verification unit 210 verifies the electronic signature attached to the job flow instruction 30 using the process content element 310, the signature information element 322 and the signature value element 324 received from the instruction division/integration unit 204, and a public key received from the verification key selection unit 208.
  • the signature value indicated in the signature value element 324 is decoded using the public key received from the verification key selection section 208 (in this step, the algorithm shown in the signature information element 322 is used), and a hash value of the process content element 310 is calculated.
  • the signature verification unit 210 determines that verification is successful.
  • If the verification fails, there is a possibility that the process content element 310 and/or the signature element 320 is falsified, and, thus, the server 20 executes a predetermined error process.
  • An instruction processor unit 212 is a unit for executing a process for the job flow instruction 30 .
  • the instruction processor unit 212 identifies an individual instruction 32 directed to its own device from the job flow instruction 30 and executes the process indicated in the individual instruction 32.
  • the server 20 applies the indicated resolution conversion process to the image data received along with the job flow instruction 30; this image data is the processing target of the process corresponding to the instruction.
  • each server 20 deletes the individual instruction 32 directed to this server 20 upon completion of the process and transmits the job flow instruction 30 to the next server 20 as shown in FIG. 1
  • the individual instruction 32 at the leading end of the received job flow instruction 30 is the individual instruction directed to the server.
  • the instruction processor unit 212 terminates the process to the job flow instruction 30 because there is a possibility that the process content element 310 and/or the signature element 320 is falsified, and executes a predetermined error process.
  • an instruction creation unit 214 removes the individual instruction 32 directed to the server from the job flow instruction 30 received from the previous server 20 and creates a process content element 310 of a job flow instruction directed to the next server 20 (this instruction is hereinafter referred to as “output job flow instruction”).
  • the parameters of the processes in the next server 20 or in the subsequent servers 20 may be determined based on the process of the server 20. In these cases, parameters determined as the result of the process are written to the process content element 310 of the output job flow instruction.
  • a signature key selection unit 216 selects a signature key to be used for electronic signing of the process content element 310 of the output job flow instruction.
  • the key storage unit 206 stores two signature keys (secret keys) of the server 20, one for use inside the company and the other for external use, and the signature key selection unit 216 selects the secret key to be used from these two types of keys. In this selection, it is judged whether the server 20 which is the destination of the output job flow instruction is within or outside the company, and, based on this judgment, the signature key selection unit 216 selects either an in-house signature key if the destination server 20 is within the company, or an external signature key if the destination server 20 is external to the company.
  • the judgment as to whether the destination server 20 is within or outside the company is based on the URL indicated in the service name of the individual instruction 314 to the destination server 20.
  • This judgment based on the URL can be accomplished by, for example, inquiring and obtaining from a predetermined name server the IP address corresponding to the URL of the service name and then judging whether the server is within or outside the company based on the obtained IP address.
  • the signature key selection unit 216 reads the selected signature key from the key storage unit 206 and sends the selected signature key to a signature creation unit 218.
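
The inside/outside judgment made by the signature key selection unit 216, as an added example that is not code from the patent: the address ranges, the hostnames, the `resolve` stand-in for the name server and the key labels are constructed assumptions. Treating an unresolvable or mixed-address destination as external is a design choice of this example, so that the in-house key is used only when the next server is known to be inside; the last function covers the instruction data creating device, which signs for the outside when any server in the flow is outside.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: address ranges this example treats as "inside the company".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("fd00:1234::/32")]

# Constructed stand-in for the "predetermined name server": host -> addresses.
SAMPLE_DNS = {
    "ocr.corp.example": ["10.20.0.5"],
    "archive.corp.example": ["fd00:1234::15"],
    "timestamp.partner.example": ["203.0.113.10"],
    "split.corp.example": ["10.20.0.9", "198.51.100.7"],  # inside and outside
}


def resolve(host):
    """Hypothetical resolver; a deployment would query its own trusted name server."""
    return SAMPLE_DNS.get(host.lower(), [])


def destination_is_internal(service_url, resolver=resolve):
    """True only if every address behind the service URL lies in INTERNAL_NETS."""
    try:
        host = urlsplit(service_url).hostname
    except ValueError:
        host = None
    if not host:
        return False                      # no usable host: treat as external
    try:
        addrs = [ipaddress.ip_address(host)]      # URL carries a literal address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError:
            return False                  # malformed answer: treat as external
    if not addrs:
        return False                      # unresolvable: treat as external
    return all(any(a in net for net in INTERNAL_NETS) for a in addrs)


def select_key_for_next_hop(output_flow, resolver=resolve):
    """Server 20: choose by the next server, i.e. the leading individual instruction."""
    if not output_flow:
        return None                       # last server in the flow: nothing to sign
    next_url = output_flow[0]["service_name"]
    return "in-house" if destination_is_internal(next_url, resolver) else "external"


def select_key_for_whole_flow(flow, resolver=resolve):
    """Instruction data creating device: external key if any server is outside."""
    inside = all(destination_is_internal(i["service_name"], resolver) for i in flow)
    return "in-house" if inside else "external"


if __name__ == "__main__":
    flow = [{"service_name": "http://ocr.corp.example/convert"},
            {"service_name": "http://timestamp.partner.example/stamp"},
            {"service_name": "http://archive.corp.example/store"}]
    print(select_key_for_whole_flow(flow))      # key for the instruction input device
    print(select_key_for_next_hop(flow[1:]))    # key server 20-1 uses toward 20-2
    print(select_key_for_next_hop(flow[2:]))    # key server 20-2 uses toward 20-3
```
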
  • the signature creation unit 218 creates an electronic signature for the process content element 310 received from the instruction creation unit 214 using the signature key obtained from the signature key selection unit 216.
  • a hash value of the process content element 310 is calculated and a signature value is calculated by applying the signature key to the hash value.
  • the signature creation unit 218 creates a signature information element 322 describing the algorithm used for calculation of the signature value, a signature value element 324 containing the signature value, and a key information element 326 indicating the public key certificate corresponding to the used signature key, and sends these elements to the instruction division/integration unit 204.
  • the instruction division/integration unit 204 adds the signature information element 322, the signature value element 324, and the key information element 326 created by the signature creation unit 218 to the process content element 310 created by the instruction creation unit 214 to create an output job flow instruction.
  • the created output job flow instruction is transmitted to the destination server 20 via the network I/F unit 202.
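
One server's handling of a received job flow instruction (verify the signature, check that the leading individual instruction is its own, remove it, re-sign the remainder), as an added example that is not code from the patent. It assumes JSON in place of the XML-signature format of FIG. 3 and a toy textbook-RSA key built from Mersenne primes in place of certified keys; all names and sample data are constructed.

```python
import hashlib
import json

ALGORITHM = "toy-rsa-sha256"   # label written into the signature information


class InstructionError(Exception):
    """Raised where the description calls for the predetermined error process."""


def make_toy_key(p, q, e=65537):
    """Textbook RSA from two known Mersenne primes: constructed, NOT secure."""
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def public_part(key):
    return {"n": key["n"], "e": key["e"]}


def digest(process_content):
    """Hash of the process content; sorted-key JSON stands in for XML canonicalization."""
    data = json.dumps(process_content, sort_keys=True, separators=(",", ":"))
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def sign(process_content, key, key_name):
    """Attach signature information, signature value and key information."""
    value = pow(digest(process_content), key["d"], key["n"])
    return {"process_content": process_content,
            "signature": {"algorithm": ALGORITHM, "value": value, "key_info": key_name}}


def verify(instruction, trusted_public_keys):
    """Take the key from the receiver's own store, then compare decoded value and hash."""
    sig = instruction.get("signature", {})
    pub = trusted_public_keys.get(sig.get("key_info"))
    if pub is None or sig.get("algorithm") != ALGORITHM:
        return False
    if not isinstance(sig.get("value"), int):
        return False
    return pow(sig["value"], pub["e"], pub["n"]) == digest(instruction["process_content"])


def process_hop(instruction, my_service, trusted_public_keys, my_key, my_key_name):
    """Return (instruction to execute, signed output job flow instruction or None)."""
    if not verify(instruction, trusted_public_keys):
        raise InstructionError("signature verification failed")
    content = instruction["process_content"]
    if not content or content[0]["service_name"] != my_service:
        raise InstructionError("leading individual instruction is not for this server")
    remaining = content[1:]               # own individual instruction removed
    output = sign(remaining, my_key, my_key_name) if remaining else None
    return content[0], output


# Constructed keys and job flow (instruction input device 10 -> server 20-1 -> 20-2).
INPUT_DEVICE_KEY = make_toy_key(2**127 - 1, 2**521 - 1)
SERVER_1_KEY = make_toy_key(2**521 - 1, 2**607 - 1)
TRUSTED = {"input-device-10": public_part(INPUT_DEVICE_KEY),
           "server-20-1": public_part(SERVER_1_KEY)}
FLOW = [
    {"service_name": "http://imaging.corp.example/convert",
     "process_name": "resolution-conversion", "parameters": {"dpi": 300}},
    {"service_name": "http://timestamp.partner.example/stamp",
     "process_name": "timestamp", "parameters": {}},
]

if __name__ == "__main__":
    received = sign(FLOW, INPUT_DEVICE_KEY, "input-device-10")
    todo, forwarded = process_hop(received, FLOW[0]["service_name"],
                                  TRUSTED, SERVER_1_KEY, "server-20-1")
    print(todo["process_name"], verify(forwarded, TRUSTED))
```
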
  • a server 20 which executes a partial process within the cooperative service judges whether the server 20 to execute the next process is within or outside the company and attaches an electronic signature which can be verified using a public key certificate issued by a public CA when the next server 20 is outside.
  • the outside server 20 can verify the signature by obtaining a public key certificate of the in-house server 20 from a public CA.
  • in-house information such as, for example, organizational structure information contained in the public key certificate from the in-house CA.
  • the server 20 attaches an electronic signature that can be verified using a public key certificate from the in-house CA to the job flow instruction. Because of this, the next server 20 , which is within the company, can easily verify the signature without the necessity to obtain a public key certificate from a public CA on the Internet.
  • the signature key is selected based on whether the next server is an internal or external server.
  • This configuration is only one example, and the selection of the signature keys may, in another example, be realized based on whether or not the next server belongs to a particular division within the same company.
  • an electronic signature to be applied to a job flow instruction 30 has been described. It is also possible, using a similar mechanism, to apply an electronic signature corresponding to the destination for data to be transmitted along with the job flow instruction (for example, target data for a process in the next device).
  • the above-described electronic signature system can also be applied to a system having a structure as shown in FIG. 4 .
  • a system shown in FIG. 4 includes a job flow controller 25 in addition to the instruction input device 10 and the servers 20 .
  • the job flow controller 25 is a device that controls execution of processes in the servers 20 in this system. More specifically, the job flow controller 25 receives a job flow instruction 30 created by the instruction input device 10 , extracts individual instructions 32 for servers 20 from the job flow instruction 30 , and transmits the individual instructions 32 to the corresponding server 20 according to the order of the processes.
  • Each of the servers 20 receives the individual instruction 32 , executes the process according to the received individual instruction 32 , and returns the data of the processing result to the job flow controller 25 when the process is completed.
  • the job flow controller 25 receives this data and transmits the individual instruction 32 to the next server 20 . These steps are repeated so that one service flow can be realized by the cooperation of a plurality of servers 20 .
  • the job flow controller 25 is connected to an internal network within the same company as the instruction input device 10 .
  • the job flow controller 25 has a signature key certified by an in-house public key certificate and a signature key certified by an outside public key certificate.
  • the job flow controller 25 verifies the electronic signature attached to a job flow instruction 30 received from the instruction input device 10 .
  • the job flow controller 25 judges that the signature is a valid signature by the instruction input device 10
  • the job flow controller 25 extracts, from the process content element 310 of the job flow instruction 30 , individual instructions 32 ( 312 , 314 , etc.) directed to the servers 20 and transmits the individual instruction in order.
  • the job flow controller 25 judges whether the destination server 20 of the individual instruction 32 is a device directly connected to the internal network or one located outside the company, and attaches an electronic signature to the individual instruction 32 using a signature key corresponding to the in-house certificate if the destination server 20 is on the intranet, or using a signature key corresponding to an outside certificate if the destination server 20 is outside. With this configuration, it is possible to smoothly verify the signature regardless of whether the server 20 receiving the individual instruction 32 is part of, or external to, the company intranet.
  • the electronic signature of the in-house instruction input device 10 contained in the job flow instruction 30 from the instruction input device 10 is not transmitted to an outside server 20 .
  • individual server 20 judges whether the server 20 to which the job flow instruction 30 is next to be transmitted is internal or external to the company, and attaches an electronic signature using a signature key corresponding to the judgment.
  • This configuration is only an example of the present invention, and an alternative example, such as the configuration described below, may be employed.
  • each server 20 creates a job flow instruction 30 to be sent to the next server 20 and attaches an electronic signature of its own device.
  • a job flow instruction created and electronically signed by the instruction input device 10 is transmitted from a server 20 to the next server 20 .
  • the instruction input device 10 in this embodiment judges whether each of the servers 20 to be used for the cooperative service requested by the user is a device internal or external to the company.
  • the instruction input device 10 attaches a signature to the job flow instruction using an outside signature key. Conversely, when all servers 20 used for the cooperative service are within the company, the instruction input device 10 electronically signs using an in-house signature key.
  • FIG. 5 is a functional block diagram showing a structure of an instruction input device 10 according to this embodiment.
  • an operation display unit 102 is a unit which displays a user interface through use of which a user can input an instruction which is received by the operation display unit 102 .
  • An execution instruction of a cooperative service from the user is input from the operation display unit 102 .
  • the operation display unit 102 displays a list of names of selectable cooperative services, allows the user to select a desired service, and, when appropriate, permits the user to input processing parameters.
  • An example of a processing parameter is a mail destination address for a server providing an electronic mail transmission service.
  • a service DB (database) 104 contains templates of job flow instructions 30 corresponding to the cooperative services, the templates being correlated to the name of the cooperative services.
  • This template is a template of a portion, in the signed job flow instruction of FIG. 3 , corresponding to the process content element 310 .
  • the process content element 310 contains information for specifying the server 20 to be used such as, for example, the service name 3122 and 3142 .
  • An instruction creation unit 106 receives the user's selection of the cooperative service and the corresponding parameters from the operation display unit 102 , obtains a template of the job flow instruction corresponding to the selected cooperative service from the service DB 104 , and completes a process content element 310 of the job flow instruction by substituting the received parameters into the template.
  • the created process content element 310 is provided to an instruction integration unit 114 and a signature creation unit 112 .
  • the instruction creation unit 106 sends information on the service names 3122 and 3142 of the servers 20 contained in the process content element 310 to a signature key selection unit 110 .
  • a key storage unit 108 stores two types of keys for electronic signature to the job flow instruction 30 , one corresponding to a public key certificate issued by an in-house CA and the other corresponding to a public key certificate issued by a public CA.
  • the signature key selection unit 110 judges whether or not any of the servers 20 are outside the company. When the signature key selection unit 110 judges that there is at least one outside server 20 , the signature key selection unit 110 selects an outside signature key, and when the signature key selection unit 110 judges that there is no outside server 20 , the signature key selection unit 110 selects an in-house signature key. The signature key selection unit 110 retrieves the selected signature key from the key storage unit 108 and sends the key to the signature creation unit 112 .
  • the signature creation unit 112 creates a signature information element 322 , a signature value element 324 , and a key information element 326 in a manner similar to the above using the process content element 310 received from the instruction creation unit 106 and the signature key received from the signature key selection unit 110 , and sends the created elements to the instruction integration unit 114 .
  • the instruction integration unit 114 creates an output job flow instruction by adding the signature information element 322 , signature value element 324 , and key information element 326 created by the signature creation unit 112 to the process content element 310 created by the instruction creation unit 106 .
  • the created output job flow instruction is transmitted to a first server 20 in the cooperative service via a network I/F unit 102 .
  • each of the servers 20 verifies the electronic signature of the instruction input device 10 in the received job flow instruction 30 , and, when the verification is successful, the server 20 identifies an individual instruction 32 directed to itself from the instruction 30 , executes the process indicated in the individual instruction 32 , and transmits the received job flow instruction 30 to the next server 20 without any change.
  • a signature proxy device 40 is provided on a LAN 50 (or intranet) within the company, to which the instruction input device 10 and the servers 20 are connected.
  • the signature proxy device 40 is certified with public key certificates from an in-house CA and from a public CA.
  • an application server 60 is present outside the company (outside the intranet).
  • the instruction input device 10 and the servers 20 on the in-house LAN 50 need only have a secret key corresponding to a public key certificate issued by the in-house CA.
  • the instruction input device 10 and the server 20 electronically sign the job flow instruction 30 to be sent to the next server 20 using the in-house secret key.
  • the process in the server 20 is similar to those of the server 20 in the embodiment shown in FIG. 2 except that there is no selection of the key to be used for signing (that is, the in-house signature key is always used).
  • an IP address and name of the signature proxy device 40 are set as a proxy server to be used when the instruction input device 10 or the server 20 is to transmit the job flow instruction 30 to outside the intranet.
  • the instruction input device 10 and the servers 20 judge whether the destination server is within or outside the company, and, when the destination server is within the company, the instruction input device 10 or the server 20 directly transmits the signed instruction 30 to the destination server, and, when the destination server is outside the company, the instruction input device 10 or the server 20 transmits the signed instruction 30 to the signature proxy device 40 .
  • the server 20 - 2 judges that the next server 60 is an outside device and sends the signed job flow instruction 30 to the signature proxy server 40 .
  • the signature proxy device 40 receiving this job flow instruction 30 verifies the signature of the job flow instruction 30 , and, when the verification is successful, the signature proxy device 40 deletes the signature element 320 of the electronic signature of the server 20 - 2 (which uses the in-house signature key) from the job flow instruction 30 , creates a job flow instruction 35 by attaching an electronic signature to the process content element 310 appearing as a result of the deletion of the signature element 320 using a secret key corresponding to an outside public key certificate of the signature proxy device 40 , and transmits the job flow instruction 35 to the outside destination server 60 .
  • An in-house server 20 does not directly receive a job flow instruction from an outside server 60 .
  • a job flow instruction 37 directed to an in-house server 20 - 3 from an outside server 60 is first received by the signature proxy device 40 .
  • the signature proxy server 40 verifies the electronic signature attached to the job flow instruction 37 , and, when the verification is successful, the signature proxy device 40 deletes the signature element 320 of the electronic signature of the outside server 60 from the job flow instruction 37 , creates an in-house job flow instruction 30 by attaching an electronic signature to the process content element 310 appearing as a result of the deletion of the signature element using a secret key corresponding to an in-house public key certificate of the signature proxy device 40 , and transmits the in-house job flow instruction 30 to the destination server 20 - 3 .
  • the signature proxy device 40 replaces electronic signatures attached to instructions communicated from inside to outside the company, and instructions communicated to the inside of the company from outside.
  • the instruction input device 10 and servers 20 within the company are only required to be certified with a public key certificate from the in-house CA and to electronically sign the instruction using the in-house signature key regardless of whether the destination is internal or external to the company.
  • the signature proxy server 40 replaces the signature with a signature for outside use. In this manner, it is possible to detect any falsification or the like of the job flow instruction 30 between the in-house servers 20 and, at the same time, detect any falsification or the like of the job flow instructions between the inside and outside of the company.
  • Because the outside server 60 can verify the signature on the instruction 35 by merely obtaining an outside public key certificate of the signature proxy device 40 from the public CA, verification of a signature is a simple task.
  • the signature of the signed instruction 37 from the outside server 60 is verified by the signature proxy device 40 , and, when the verification is successful, the electronic signature on the job flow instruction 37 is replaced with an in-house electronic signature of the signature proxy device 40 and the job flow instruction 37 is sent to the destination in-house server 20 - 3 . Therefore, according to this configuration, the servers 20 within the company are only required to have a capability to verify a signature using a public key certificate issued by the in-house CA, and there is no need for the in-house server 20 to be compatible with the public key certificate of an outside CA.
  • an instruction division/integration unit 404 upon reception of a job flow instruction 30 via a network I/F unit 402 , provides a process content element 310 extracted from the job flow instruction 30 to a signature verification unit 410 and a signature conversion controller unit 412 , a signature information element 322 and a signature value element 324 (refer to FIG. 3 ) extracted from the job flow instruction 30 to a signature verification unit 410 , and a key information element 326 extracted from the job flow instruction 30 to a verification key selection unit 408 .
  • the verification key selection unit 408 retrieves a public key indicated in the key information element 326 from a key storage unit 406 and sends the selected public key to the signature verification unit 410 .
  • the signature verification unit 410 executes a signature verification process similar to that in the embodiment shown in FIG. 2 using the public key. The result of this verification (successful or failure) is sent to the signature conversion controller unit 412 .
  • the signature conversion controller unit 412 instructs the signature key selection unit 416 to replace the signature on the job flow instruction 30 with an outside signature when the job flow instruction 30 is from a server 20 within the company.
  • the signature conversion controller unit 412 instructs the signature key selection unit 416 to replace the signature on the job flow instruction 30 with an in-house signature.
  • the judgment on whether the job flow instruction 30 is from a server 20 within the company or from an outside server 60 can be done by checking whether the public key used for the signature verification in the signature verification unit 410 is certified by an in-house CA or by an outside CA. Alternatively, the judgment can be made by the signature conversion controller unit 412 receiving information on the originating URL and IP address of the job flow instruction 30 from the network I/F unit 402 and deciding accordingly.
  • the signature proxy device 40 reviews not only the origin, but also the destination. Specifically, the signature conversion controller unit 412 judges that the signature should be replaced for instructions from the inside to the outside of the company and for instructions from the outside to the inside of the company and that the signature should not be replaced for instructions between devices within the company.
  • the destination of the job flow instruction 30 can be determined from the URL indicated in the service name 3122 of the individual instruction at the leading end of the process content element 310 of the job flow instruction 30 or from the destination IP address received from the network I/F unit 402 .
  • the signature key selection unit 416 selects a signature key (in-house or external) of the proxy device 40 corresponding to the instruction from the signature key conversion controller unit 412 from the key storage unit 406 and sends the selected key to a signature creation unit 418 .
  • the signature creation unit 418 calculates a value for an electronic signature corresponding to the process content element 310 using the sent signature key and sends a signature information element 322 , a signature value element 324 , and a signature information element 326 indicating the electronic signature to the instruction division/integration unit 404 .
  • the instruction division/integration unit 404 re-constructs a job flow instruction by combining the received elements 322 , 324 , and 326 into the received process content element 310 and transmits the created job flow instruction to the destination server via the network I/F unit 402 .
  • When the signature conversion controller unit 412 judges that there is no need for replacement of a signature (for example, when the instruction is from an in-house device to another), this judgment is sent to the instruction division/integration unit 404 .
  • the instruction division/integration unit 404 receiving this information transmits the job flow instruction 30 received from the network I/F unit 402 to the destination server without any change.
  • the in-house server 20 uses only a signature key corresponding to a public key certificate certified by the in-house CA. There are, however, situations wherein the in-house server 20 is also certified by a public key certificate from an outside CA. In such a case, the signature proxy device 40 verifies the signature of a job flow instruction from the in-house server 20 to an outside server 60 and judges whether the signature attached to the instruction corresponds to the in-house or outside certificate. When the signature proxy device 40 judges that the signature corresponds to an in-house CA, the signature proxy device 40 replaces the signature, and when the signature proxy device 40 judges that the signature corresponds to an outside CA, the signature proxy device 40 skips the replacement step.
  • each server 20 within the company judges whether the destination of the job flow instruction 30 is inside or outside of the company and sends the job flow instruction 30 to the signature proxy device 40 when the destination is outside.
  • a signature proxy server 40 is provided as a gateway on the boundary between the in-house LAN 50 and the Internet and monitors the job flow instruction 30 which is to be sent from the in-house LAN 50 to the Internet.
  • the signature proxy device 40 verifies the electronic signature of a job flow instruction 30 which is found through the monitoring, and, when it is determined that the signature was created using a secret key corresponding to an in-house public key certificate, the signature proxy device 40 applies the signature replacement process as described above and transmits the job flow instruction 30 to the destination server on the Internet.
  • the signature proxy device 40 also monitors the job flow instructions which are to be sent into the in-house LAN 50 from the Internet, and, when the job flow instruction is signed using a secret key corresponding to an outside public key certificate, performs the signature replacement process as described above. With this configuration, advantages similar to the embodiment shown in FIGS. 6 and 7 can be obtained.
  • the signature proxy device 40 may be one of the application servers 20 , include a description of the process content of the signature proxy device 40 in the job flow instruction 30 , and for the signature proxy device 40 to perform the signature replacement process as described above according to the description of the process content.
  • the judgment as to whether the destination device to which the job flow instruction is to be transmitted next is internal or external to the company is made based on the URL of the destination device described in the job flow instruction.
  • the IP address, FQDN, and the electronic mail address of the destination device may be explicitly described in the job flow instruction or may be described in a packet header when the instruction is transmitted in the form of packets.
  • the server 20 and the job flow controller 25 can obtain destination information suitable in each case and can judge whether the destination is inside or outside the company from the obtained information.
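
The signature replacement performed by the signature proxy device 40 (verify the incoming signature, judge origin from the certifying CA and destination from the IP address, then re-sign the process content element or pass the instruction through unchanged), shown as an added example that is not part of the patent text. Assumptions: textbook RSA over fixed Mersenne primes stands in for a real signature algorithm and is not secure, a JSON dictionary stands in for the XML job flow instruction, and the key names, the 10.0.0.0/8 intranet range and the sample content are constructed.

```python
import hashlib
import ipaddress
import json

IN_HOUSE, PUBLIC = "in-house CA", "public CA"
INTRANET = ipaddress.ip_network("10.0.0.0/8")  # constructed in-house address range
E = 65537  # public exponent shared by all toy keys


def toy_keypair(a, b):
    """Textbook RSA over the Mersenne primes 2**a-1 and 2**b-1 (NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)


# Constructed key material: key id -> (certifying CA, Mersenne exponents).
_SPEC = {
    "server-20-2": (IN_HOUSE, (127, 521)),    # in-house server, in-house certificate
    "proxy-inhouse": (IN_HOUSE, (89, 607)),   # proxy device 40, in-house certificate
    "proxy-outside": (PUBLIC, (107, 1279)),   # proxy device 40, public-CA certificate
    "server-60": (PUBLIC, (61, 2203)),        # outside application server
}
PRIVATE = {kid: toy_keypair(*exps) for kid, (_, exps) in _SPEC.items()}
CERTS = {kid: (issuer, PRIVATE[kid][0]) for kid, (issuer, _) in _SPEC.items()}

# Constructed process content (stands in for process content element 310).
CONTENT = {"flow": [{"service": "http://ocr.intranet.example/", "op": "ocr"},
                    {"service": "http://timestamp.example.com/", "op": "stamp"}]}


def digest(content, n):
    """Hash of the process content; sorted-key JSON stands in for XML canonicalization."""
    data = json.dumps(content, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(content, key_id):
    """Attach signature information, signature value and key information to the content."""
    n, d = PRIVATE[key_id]
    return {"content": content,
            "signature": {"algorithm": "toy-rsa-sha256",
                          "value": pow(digest(content, n), d, n),
                          "key_info": key_id}}


def verify(instruction, trusted_issuers):
    """Return the certifying CA of the signing key, or None if verification fails."""
    sig = instruction.get("signature") or {}
    cert = CERTS.get(sig.get("key_info"))
    if cert is None or cert[0] not in trusted_issuers:
        return None  # unknown key, or certified by a CA this verifier does not use
    issuer, n = cert
    value = sig.get("value")
    if not isinstance(value, int) or not 0 <= value < n:
        return None
    return issuer if pow(value, E, n) == digest(instruction["content"], n) else None


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTRANET


def proxy_forward(instruction, dest_ip):
    """Signature conversion at the proxy: verify first, then replace or pass through."""
    issuer = verify(instruction, {IN_HOUSE, PUBLIC})
    if issuer is None:
        raise ValueError("signature verification failed; instruction not forwarded")
    inside_dest = is_internal(dest_ip)
    if issuer == IN_HOUSE and not inside_dest:
        # inside -> outside: drop the in-house signature, re-sign with the outside key
        return sign(instruction["content"], "proxy-outside")
    if issuer == PUBLIC and inside_dest:
        # outside -> inside: drop the outside signature, re-sign with the in-house key
        return sign(instruction["content"], "proxy-inhouse")
    # in-house to in-house, or already signed with an outside certificate: no change
    return instruction
```

Because the proxy re-signs only the content, the in-house key information (and with it the in-house certificate details) never reaches the outside verifier, and an instruction altered before it reaches the proxy is rejected rather than re-signed.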

Abstract

A device for facilitating verification of an electronic signature in an exchange of instructions between an in-house server and an outside server. Each server which is to execute a partial process of a cooperative service has, in a key storage unit (206), secret keys corresponding to public key certificates issued by an in-house CA and by an outside public CA. A signature key selection unit (216) judges whether a server which is to execute a process next is a device within or outside the company and selects an in-house secret key when the next server is an in-house device and an outside secret key when the next server is an outside device. A signature creation unit (218) calculates a value of an electronic signature for a job flow instruction to the next server using the selected secret key. An instruction division/integration unit (204) transmits to the next server the job flow instruction with the electronic signature value attached.

Description

  • This is a Continuation of application Ser. No. 10/653,191 filed on Sep. 3, 2003. The disclosure of the prior application is hereby incorporated by reference herein in its entirety.
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention relates to a technology for realizing cooperative processing wherein processors present on a network cooperate, and in particular to a security technology associated with cooperative processing.
  • 2. Description of the Related Art
  • Workflow systems are currently being proposed in which various services can be provided for office functions by connecting to a LAN (Local Area Network) devices such as a scanner, a facsimile machine, a printer, a copier, and a multifunction device having these functions integrated so that these devices can communicate with information processors such as personal computers or a mail server.
  • In recent years, technologies allowing various web applications to cooperate with one another have been proposed. It is highly expected that, if an overall system can be constructed by connecting various application services and service providers accessible through the Internet and provided, the cost for developing a system can be significantly reduced because existing services can be utilized. In connection with this, languages such as XML (Extensible Markup Language) or the like also are attracting attention as a common platform enabling such cooperative services.
  • Examples of conventional workflow systems include those disclosed in, for example, Japanese Patent Laid-Open Publications Nos. Hei 8-123744, 2002-99686, and 2001-282970.
  • In a workflow system, a request for a service in each of processors forming the flow is made by sequentially transmitting instruction data from one processor to another. Where there is a risk of falsification or “spoofing”, there may arise cases wherein the level of security cannot be maintained at a level required by the processor.
  • This problem becomes particularly significant when a processor located outside of an internal network (such as an intranet) is to be incorporated into the workflow. Examples of an external processor incorporated into the workflow include various processors such as, for example, a time stamp server for providing a presence authentication of data as a third party agent and an accounting server (for example, a settlement processor of a credit card company) for collecting money on behalf of a service provider.
  • In order to prevent such falsification of data or spoofing, an electronic signature system such as PKI (Public Key Infrastructure) is used. Such an electronic signature system can be used for communication of instruction data between processors.
  • However, in the case when data is transmitted between a processor located inside an internal network and another processor located outside that network, verification of the electronic signature becomes difficult. This is due to the following reasons.
  • Certificate authorities (“CA”) in general include certificate authorities of various levels, and range from those with a high level of public trust, such as those provided by national governments or recognized corporations such as the Verisign Corporation, to those especially built within a company or a division of a company. When a workflow combining processors within the intranet of a company and processors present on the Internet is to be performed, it is likely that the CAs issuing public key certificates to the processors differ from each other. In order to address this issue, the CA publicizes the public key certificate of each user (in PKI, each processor is also a user) through a web server or an LDAP (Lightweight Directory Access Protocol) server so that a party who wishes to verify an electronic signature obtains the public key certificate necessary for the verification from these servers. When instruction data electronically signed by a processor within a company (within an intranet) using a secret key of the public key certificate of an in-house CA is transmitted to a processor outside the company (outside the intranet), the external processor may sometimes be blocked by a firewall and be unable to obtain the public key certificate from the in-house CA.
  • If, on the other hand, the system is configured such that a processor outside the company can obtain the public key certificate issued by the in-house CA, a problem remains that the public key certificate issued by the in-house CA commonly includes information such as the name of the owner of the certificate and their job location. If this information is transmitted outside the company, the organization within the company may be made known.
  • In connection with these problems, Japanese Patent Laid-Open Publication No. 2002-164884 discloses a signature proxy server used for providing electronic signature when documents are exchanged between devices within different intranets. On behalf of a device within the intranet, the signature proxy server provides an electronic signature on a document originating from a device within the intranet and verifies the electronic signature on a document from outside to a device within the intranet.
  • Japanese Patent Laid-Open Publication No. 2002-164884 does not, however, consider electronically signed documents within the intranet. In other words, in the configuration disclosed in this reference, a device within the intranet does not attach an electronic signature to the data originating from the device and the signature proxy server attaches an electronic signature to the data to be transmitted from a device within the intranet to the outside without verifying the authenticity of the data.
  • SUMMARY OF THE INVENTION
  • According to one aspect of the present invention, there is provided an information processor for transmitting, to a job processor, instruction data having a process description for instructing a job process or data to be processed in a job process to instruct execution of the job process, the information processor comprising a selection unit for selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data or data to be processed; a signing unit for signing the instruction data or the data to be processed using the signature key selected by the selection unit; and a transmitting unit for transmitting, to the job processor, the instruction data or the data to be processed signed by the signing unit.
  • According to another aspect of the present invention, there is provided a job processor comprising a key storage unit having separate signature keys, one for the inside of a network to which the job processor belongs and the other for the outside of the network; a receiver unit for receiving job flow instruction data which indicates process instruction to each of the job processors and the next job processor of each of the job processors; a signature verification unit for verifying an electronic signature attached to the job flow instruction data received at the receiver unit; a processor unit for identifying, from the job flow instruction data, a process instruction the job processor should execute when the verification by the signature verification unit is successful and for executing the process according to the process instruction; an instruction data creation unit for creating output job flow instruction data to be transmitted to a next job processor based on the received job flow instruction data when the process is executed by the processor unit; a judging unit for judging whether or not the next job processor is a device within the network; a signature processor unit for electronically signing the output job flow instruction data using the signature key for the inside when the next job processor is a device within the network and using the signature key for the outside otherwise; and a transmitter unit for transmitting the output job flow instruction data electronically signed by the signature processor unit to the next job processor.
  • According to another aspect of the present invention, there is provided an instruction data creating device for creating job flow instruction data which indicates a process instruction for each job processor and a next job processor for each job processor for a system for realizing a service by sequentially sending the job flow instruction data among the job processors and each job processor sequentially executing the process instruction for the job processor, the device comprising a key storage unit having a signature key for inside the network to which the instruction data creating device belongs and a signature key for outside the network; a judgment unit for judging whether or not there is a job processor outside the network in the group of job processors for the service; a signature processor unit for electronically signing the job flow instruction data using the signature for the outside when the judgment unit judges that there is a device which is outside the network in the group of job processors for the service and using the signature for the inside otherwise; and a transmitter unit for transmitting the job flow instruction data electronically signed by the signature processor unit to a first job processor among the group of job processors for the service.
  • According to still another aspect of the present invention, there is provided a proxy device provided between an internal network and an external network, for intermediating exchange of documents between a device on the internal network and a device on the external network, the proxy device comprising a first signature verification unit for verifying an electronic signature attached to a document transmitted from the device on the internal network to the device on the external network; and a first signature conversion unit for, when it is determined in the verification by the first verification unit that the electronic signature attached to the document is signed using a signature key for the internal network, deleting the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the external network, and transmitting the electronically signed document to the device on the external network.
  • According to still another aspect of the present invention, there is provided a proxy device provided between an internal network and an external network for intermediating exchange of documents between a device on the internal network and a device on the external network, the proxy device comprising a signature verification unit for verifying an electronic signature attached to a document transmitted from a device on the external network to a device on the internal network; and a signature conversion unit for deleting, when verification by the signature verification unit is successful, the electronic signature from the document, re-attaching an electronic signature to the document using a signature key of the proxy device for the internal network, and transmitting the document to the device on the internal network.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is an explanatory diagram showing an example of a system configuration for realizing a cooperative service.
  • FIG. 2 is an explanatory diagram showing a structure of an application server in a system of FIG. 1.
  • FIG. 3 is a diagram showing an example of description of a job flow instruction to which an electronic signature is attached.
  • FIG. 4 is an explanatory diagram showing another example structure of a system for realizing a cooperative service.
  • FIG. 5 is an explanatory diagram showing a structure of an instruction input device in an alternative embodiment of the present invention.
  • FIG. 6 is an explanatory diagram showing a system structure of an alternative embodiment of the present invention.
  • FIG. 7 is an explanatory diagram showing a structure of a signature proxy device in the alternative embodiment of the present invention shown in FIG. 6.
  • DESCRIPTION OF PREFERRED EMBODIMENTS
  • Preferred embodiments of the present invention will now be described referring to the drawings.
  • Referring to FIG. 1, an example system configuration of a service providing system to which the present invention can be applied will be described.
  • The illustrated system comprises an instruction input device 10 and a plurality of application servers 20.
  • An application server 20 is a server which provides a predetermined processing service in response to a request from another device. Examples of such a server 20 include a document database server, a mail server, and an image processing server for applying processes such as color conversion and rotation to image data. The server 20 provides these processing services in the form of, for example, a web application service.
  • The instruction input device 10 is a device for inputting a user's processing instruction to the system. A user can input, into the instruction input device 10, an execution instruction of cooperative services as described above. The instruction input device 10 can be constructed by, for example, incorporating into a personal computer a user interface program for receiving input instructions from the user. It is, however, preferable that, in consideration of document processing services in offices, a digital multifunction device which includes a function to read a paper document and convert the paper document into electronic data, in addition to information processing and communication functions, be used as the instruction input device 10. A digital multifunction device is a device which has functions of a scanner, printer, copier, facsimile transmission/reception, network communication, and so on.
  • In this system, a user inputs an execution instruction of a desired cooperative service to the instruction input device 10. In response to the input instruction, the instruction input device 10 creates instruction data indicating the content of the cooperative service (this data will hereinafter be referred to as a “job flow instruction”).
  • The job flow instruction 30 contains a description of the process each of the servers 20 is to execute for the cooperative service (this description is hereinafter referred to as an “individual instruction”) and information on the order of execution of the processes. A specific structure of such a job flow instruction may be, for example, a structure in which individual server instructions 32-1, 32-2, and 32-3 are arranged according to the order of execution of the processes of the cooperative service. The individual instruction 32 for each server 20 includes description of the name of the server 20 (this name is hereinafter referred to as a “service name”) or the like so that each server 20 can identify the individual instruction 32 within the job flow instruction 30 which is directed to the server 20. The service name is written in the form of, for example, a URL (Universal Resource Locator) or a URI (Uniform Resource Identifier). In this configuration, because the individual instructions 32 are arranged in the order of the processes, each server 20 can identify the server 20 which will perform the next process from the description of the service name of the individual instruction 32 following the individual instruction 32 directed to the server 20. It is also possible to alternatively or additionally include a description of the next server 20 to perform a process (that is, the server to which the job flow instruction should be next transmitted) in the individual instruction 32. In this manner, each server 20 can identify a description of the process directed to the server 20 from the job flow instruction 30, execute a process according to the process description, and send the job flow instruction 30 to the next server 20 after completion of the process being performed.
  • In the example configuration of FIG. 1, a cooperative service process starts when the job flow instruction 30 as described above is transmitted from the instruction input device 10 to a first server 20-1 of the cooperative service. Upon receipt of the job flow instruction 30, the server 20-1 identifies the individual instruction 32-1 directed to the server 20-1 from the job flow instruction 30 and executes a process accordingly. The server 20-1 then deletes the individual instruction 32-1 directed to the server 20-1 from the job flow instruction 30 to create a new job flow instruction 30a and transmits the new flow instruction 30a to the next server 20-2 in the job flow. Upon receipt of the job flow instruction 30a, the server 20-2 operates in a manner similar to that of the server 20-1, deletes the individual instruction 32-2 directed to the server 20-2 from the job flow instruction 30a to create a new job flow instruction 30b, and transmits the job flow instruction 30b to a next server 20-3.
  • In such a system, an electronic signature system is employed as a mechanism to allow verification, by each server 20, of authenticity (i.e. the data is not falsified, etc.) of the job flow instructions 30, 30a, 30b, . . . (hereinafter referred to collectively as “job flow instruction 30”) received by the server 20. More specifically, when the instruction input device 10 or the server 20 is to transmit the job flow instruction 30, an electronic signature of the instruction input device 10 or of the server 20 is attached to the job flow instruction 30 and the server 20 receiving the job flow instruction 30 verifies the signature to judge the authenticity of the received job flow instruction 30.
  • In such a system, when, for example, the servers 20-1 and 20-3 are located within the same company as the instruction input device 10 (that is, on the intranet of this company) and the server 20-2 is located outside the company (outside the intranet), if the job flow instruction 30a sent from the server 20-1 to the server 20-2 is signed using a secret key corresponding to a public key certificate issued by a certificate authority (CA) within the company to which the server 20-1 belongs, there may be problems such as that the outside server 20-2 cannot obtain, from the CA within the company, the public key certificate necessary for the verification of the signature, as already described above.
  • According to the present embodiment, public key certificates from a CA within the company (or division) to which the server 20 belongs (this CA is referred to as “in-house CA” hereinafter) and from a CA of a public organization such as a government or an entity such as Verisign Corporation (this CA is referred to as “public CA” hereinafter) are provided to each server 20 (the key pairs corresponding to the certificates need not be the same for the in-house CA and for the public CA). When a server 20 electronically signs the job flow instruction 30 to be transmitted to the next server 20, the server 20 judges whether the next server 20 is within or outside of the company, and electronically signs the job flow instruction 30 using a secret key corresponding to the public key certificate of the in-house CA when the next server 20 is within the company and electronically signs the job flow instruction 30 using the secret key corresponding to the public key certificate of the public CA when the next server 20 is located outside the company. In other words, in this example configuration, each server 20 can attach two types of electronic signatures, one for in-house use and the other for external use, and selectively employ either of the two types of electronic signatures based on whether the destination device of the job flow instruction is within or outside the company.
  • Here, the in-house CA authenticates a public key of only particular users belonging to the company or the division (here, “user” includes not only an individual, but also a group of people or a device), whereas the public CA authenticates public keys of many unspecified users.
  • FIG. 2 is a functional block diagram of a server 20 in this system. FIG. 2 primarily shows portions of the functions of the server 20 related to the electronic signature. The server 20 may contain other functions.
  • In FIG. 2, a network I/F (interface) unit 202 is a unit for controlling data communication between the server 20 and the local area network.
  • An instruction division/integration unit 204 is a unit for dividing a job flow instruction 30 received from a previous server 20 through the network I/F 202 and for assembling a job flow instruction 30 to be transmitted to a next server 20. In the division of the received job flow instruction 30, in effect, the job flow instruction 30 is divided into a portion describing the content of the process and a portion describing the electronic signature. This process will now be described using a specific example job flow instruction as shown in FIG. 3.
  • FIG. 3 shows an example job flow instruction written based on an XML-signature (Extensible Markup Language-signature; RFC 3275). The job flow instruction contains a process content element 310 describing the content of the process of the server 20 and a signature element 320 describing information of electronic signature corresponding to the process content element 310.
  • The process content element 310 contains individual instructions 312 and 314 directed to servers 20. The individual instructions 312 and 314 respectively contain service names 3122 and 3142 indicating the destination of the instruction, process names 3124 and 3144 indicating the type of process the destination service is to execute, and parameters 3126 for the process to be executed.
  • The signature element 320 contains a signature information element 322 indicating data such as the algorithm used for the electronic signature of the job flow instruction 30 and a hash value of the target element of the signature (in this case, the process content element 310), a signature value element 324 indicating a signature value determined from the signature target element using the algorithm, and a key information element 326 describing information for specifying a public key to be used for verification of the electronic signature. The key information element 326 contains information necessary for specifying the public key certificate corresponding to the secret key used for calculation of the value of the electronic signature. The XML-signature standards noted above can be referred to for details of each element within the signature element 320.
  • The instruction division/integration unit 204 divides a job flow instruction 30 received from the previous server 20 and having a structure as described into the process content element 310 and the signature element 320. The instruction division/integration unit 204 further divides the signature element 320 into a segment containing the signature information element 322 and the signature value element 324 and a segment containing the key information element 326. After these division steps, the process content element 310 is sent to an instruction processor unit 212 and to a signature verification unit 210, the key information element 326 is sent to a verification key selection unit 208, and the signature information element 322 and the signature value element 324 are sent to the signature verification unit 210.
  • A key storage unit 206 stores the secret key of the server 20 which is used for electronically signing the job flow instruction 30 to be sent to the next server, etc., and public keys of other servers 20 used for verification of signatures on the received job flow instructions 30. In the present embodiment, the key storage unit 206 stores, as the secret keys to be used for signing, an in-house secret key certified by the in-house CA and an external secret key certified by a public CA. These two secret keys may have the same value, but the corresponding public key certificates differ from each other in that one is for internal use and the other is for external use.
  • The verification key selection unit 208 obtains, from the key storage unit 206, a public key indicated in the information of the key information element 326 sent from the instruction division/integration unit 204 and sends the public key to the signature verification unit 210.
  • The signature verification unit 210 verifies the electronic signature attached to the job flow instruction 30 using the process content element 310, the signature information element 322 and the signature value element 324 received from the instruction division/integration unit 204, and a public key received from the verification key selection unit 208. In this verification process, the signature value indicated in the signature value element 324 is decoded using the public key received from the verification key selection unit 208 (in this step, the algorithm shown in the signature information element 322 is used), and a hash value of the process content element 310 is calculated. When the result of the decoding matches the calculated hash value, the signature verification unit 210 determines that verification is successful. When, on the other hand, the verification fails, there is a possibility that the process content element 310 and/or the signature element 320 is falsified, and, thus, the server 20 executes a predetermined error process.
  • An instruction processor unit 212 is a unit for executing a process for the job flow instruction 30. When verification by the signature verification unit 210 is successful, the instruction processor unit 212 identifies an individual instruction 32 directed to its own device from the job flow instruction 30 and executes the process indicated in the individual instruction 32. For example, when an individual instruction 32, within the job flow instruction 30, directed to the server 20 indicates an execution instruction of resolution conversion to image data, the server 20 applies the indicated resolution conversion process to the image data received along with the job flow instruction 30; this image data is the processing target of the process corresponding to the instruction.
  • In a configuration in which each server 20 deletes the individual instruction 32 directed to this server 20 upon completion of the process and transmits the job flow instruction 30 to the next server 20 as shown in FIG. 1, the individual instruction 32 at the leading end of the received job flow instruction 30 is the individual instruction directed to the server. In addition to this configuration, it is also possible to identify the individual instruction directed to the receiving server, for example, by referring to the description 3122 of the service name.
  • When verification fails in the signature verification unit 210, the instruction processor unit 212 terminates the process to the job flow instruction 30 because there is a possibility that the process content element 310 and/or the signature element 320 is falsified, and executes a predetermined error process.
  • When the signature verification is successful and the instruction processor unit 212 applies the process, an instruction creation unit 214 removes the individual instruction 32 directed to the server from the job flow instruction 30 received from the previous server 20 and creates a process content element 310 of a job flow instruction directed to the next server 20 (this instruction is hereinafter referred to as “output job flow instruction”). In some cases, the parameters of the processes in the next server 20 or in the subsequent servers 20 may be determined based on the process of the server 20. In these cases, parameters determined as the result of the process are written to the process content element 310 of the output job flow instruction.
  • A signature key selection unit 216 selects a signature key to be used for electronic signing of the process content element 310 of the output job flow instruction. As described earlier, the key storage unit 206 stores two signature keys (secret keys) of the server 20, one for use inside the company and the other for external use, and the signature key selection unit 216 selects the secret key to be used from these two types of keys. In this selection, it is judged whether the server 20 which is the destination of the output job flow instruction is within or outside the company, and, based on this judgment, the signature key selection unit 216 selects either an in-house signature key if the destination server 20 is within the company, or an external signature key if the destination server 20 is external to the company. The judgment as to whether the destination server 20 is within or outside the company is based on the URL indicated in the service name of the individual instruction 314 to the destination server 20. This judgment based on the URL can be accomplished by, for example, inquiring and obtaining from a predetermined name server the IP address corresponding to the URL of the service name and then judging whether the server is within or outside the company based on the obtained IP address. The signature key selection unit 216 reads the selected signature key from the key storage unit 206 and sends the selected signature key to a signature creation unit 218.
  • The signature creation unit 218 creates an electronic signature for the process content element 310 received from the instruction creation unit 214 using the signature key obtained from the signature key selection unit 216. In the signature creation process, a hash value of the process content element 310 is calculated and a signature value is calculated by applying the signature key to the hash value. Then, the signature creation unit 218 creates a signature information element 322 describing the algorithm used for calculation of the signature value, a signature value element 324 containing the signature value, and a key information element 326 indicating the public key certificate corresponding to the used signature key, and sends these elements to the instruction division/integration unit 204.
  • The instruction division/integration unit 204 adds the signature information element 322, the signature value element 324, and the key information element 326 created by the signature creation unit 218 to the process content element 310 created by the instruction creation unit 214 to create an output job flow instruction. The created output job flow instruction is transmitted to the destination server 20 via the network I/F unit 202.
  • As described, in the configuration of this embodiment, a server 20 which executes a partial process within the cooperative service judges whether the server 20 to execute the next process is within or outside the company and attaches an electronic signature which can be verified using a public key certificate issued by a public CA when the next server 20 is outside. Thus, when an outside server 20 receives a job flow instruction from an in-house server 20, the outside server 20 can verify the signature by obtaining a public key certificate of the in-house server 20 from a public CA. At the same time, it is possible to prevent leakage of in-house information such as, for example, organizational structure information contained in the public key certificate from the in-house CA.
  • On the other hand, in the present embodiment, when the next server 20 to execute a process is a server within the company, the server 20 attaches an electronic signature that can be verified using a public key certificate from the in-house CA to the job flow instruction. Because of this, the next server 20, which is within the company, can easily verify the signature without the necessity to obtain a public key certificate from a public CA on the Internet.
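  • The per-hop behaviour described above (judge the next server from its service name, pick the in-house or external signature key, sign the output job flow instruction, verify at the receiver) can be sketched as follows. This is an added example, not code from the patent: the host names, address ranges, name-server answers and key identifiers are constructed, the RSA keys are deliberately tiny textbook keys so that the block runs on the standard library alone, and treating an unresolvable or mixed-answer destination as outside is an assumption of this sketch.

```python
import hashlib
import ipaddress
import json
from urllib.parse import urlsplit

# Assumed intranet ranges and constructed name-server answers (not from the patent).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DNS = {
    "server1.corp.example": ["10.1.2.3"],
    "server3.corp.example": ["192.168.5.9"],
    "server2.partner.example": ["203.0.113.20"],
    "split.corp.example": ["10.1.2.4", "198.51.100.7"],  # one inside, one outside
}

def is_internal(service_url, resolve=DNS.get):
    """Judge the destination from the host in its service name (a URL)."""
    host = urlsplit(service_url).hostname
    addrs = resolve(host) if host else None
    if not addrs:
        return False  # unresolvable: treat as outside, so the in-house key is not used
    return all(any(ipaddress.ip_address(a) in net for net in INTERNAL_NETS)
               for a in addrs)

def toy_key(key_id, p, q, e=65537):
    """Textbook RSA key from two Mersenne primes. Far too small for real use."""
    return {"id": key_id, "n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# Key storage unit of one in-house server: one key per certificate type.
KEY_STORE = {
    "in-house": toy_key("server-20-1/in-house-CA", 2**89 - 1, 2**107 - 1),
    "external": toy_key("server-20-1/public-CA", 2**61 - 1, 2**127 - 1),
}

def public_part(key):
    return key["n"], key["e"]

def digest_int(content, n):
    return int.from_bytes(hashlib.sha256(content.encode()).digest(), "big") % n

def sign(content, key):
    """Hash the process content, apply the secret key, record which key was used."""
    return {"content": content,
            "signature_value": pow(digest_int(content, key["n"]), key["d"], key["n"]),
            "key_info": key["id"]}

def verify(message, trusted_public_keys):
    """Receiver side: look up the key named in key_info, decode, compare hashes."""
    pub = trusted_public_keys.get(message["key_info"])
    if pub is None:
        return False  # certificate not obtainable by this receiver
    n, e = pub
    return pow(message["signature_value"], e, n) == digest_int(message["content"], n)

def forward(job_flow, key_store=KEY_STORE):
    """Drop the leading (own) instruction, then sign for the next destination."""
    remaining = job_flow[1:]
    if not remaining:
        return None  # last server in the flow: nothing to forward
    scope = "in-house" if is_internal(remaining[0]["service"]) else "external"
    content = json.dumps(remaining, sort_keys=True)
    return scope, sign(content, key_store[scope])

# Constructed job flow: in-house server, outside server, in-house server.
FLOW = [
    {"service": "http://server1.corp.example/ocr", "process": "ocr"},
    {"service": "https://server2.partner.example/convert", "process": "convert"},
    {"service": "http://server3.corp.example/mail", "process": "send"},
]

if __name__ == "__main__":
    scope, message = forward(FLOW)
    print(scope, message["key_info"])
```

  • An outside receiver whose trust store holds only the public-CA key accepts the message produced by `forward(FLOW)`, and rejects the same content signed with the in-house key because it cannot resolve that key.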
  • In the above embodiment, the signature key is selected based on whether the next server is an internal or external server. This configuration is only one example, and the selection of the signature keys may, in another example, be realized based on whether or not the next server belongs to a particular division within the same company.
  • Moreover, in the above embodiment, an electronic signature to be applied to a job flow instruction 30 has been described. It is also possible, using a similar mechanism, to apply an electronic signature corresponding to the destination for data to be transmitted along with the job flow instruction (for example, target data for a process in the next device).
  • The above-described electronic signature system can also be applied to a system having a structure as shown in FIG. 4.
  • A system shown in FIG. 4 includes a job flow controller 25 in addition to the instruction input device 10 and the servers 20. The job flow controller 25 is a device that controls execution of processes in the servers 20 in this system. More specifically, the job flow controller 25 receives a job flow instruction 30 created by the instruction input device 10, extracts individual instructions 32 for servers 20 from the job flow instruction 30, and transmits the individual instructions 32 to the corresponding server 20 according to the order of the processes. Each of the servers 20 receives the individual instruction 32, executes the process according to the received individual instruction 32, and returns the data of the processing result to the job flow controller 25 when the process is completed. The job flow controller 25 receives this data and transmits the individual instruction 32 to the next server 20. These steps are repeated so that one service flow can be realized by the cooperation of a plurality of servers 20.
  • In this embodiment, the job flow controller 25 is connected to an internal network within the same company as the instruction input device 10.
  • In a system as shown in FIG. 4 as described, the job flow controller 25 has a signature key certified by an in-house public key certificate and a signature key certified by an outside public key certificate. The job flow controller 25 verifies the electronic signature attached to a job flow instruction 30 received from the instruction input device 10. When the job flow controller 25 judges that the signature is a valid signature by the instruction input device 10, the job flow controller 25 extracts, from the process content element 310 of the job flow instruction 30, individual instructions 32 (312, 314, etc.) directed to the servers 20 and transmits the individual instruction in order. When transmitting the instruction, the job flow controller 25 judges whether the destination server 20 of the individual instruction 32 is a device directly connected to the internal network or one located outside the company, and attaches an electronic signature to the individual instruction 32 using a signature key corresponding to the in-house certificate if the destination server 20 is on the intranet, or using a signature key corresponding to an outside certificate if the destination server 20 is outside. With this configuration, it is possible to smoothly verify the signature regardless of whether the server 20 receiving the individual instruction 32 is part of, or external to, the company intranet.
  • Similar to the configuration described above, with this configuration, the electronic signature of the in-house instruction input device 10 contained in the job flow instruction 30 from the instruction input device 10 is not transmitted to an outside server 20.
  • In the system described above, each individual server 20 judges whether the server 20 to which the job flow instruction 30 is next to be transmitted is internal or external to the company, and attaches an electronic signature using a signature key corresponding to the judgment. This configuration, however, is only an example of the present invention, and an alternative example such as, for example, the configuration which will be described below may be employed.
  • Specifically, in the example used to illustrate the above embodiment, each server 20 creates a job flow instruction 30 to be sent to the next server 20 and attaches an electronic signature of its own device. In another embodiment, a job flow instruction created and electronically signed by the instruction input device 10 is transmitted from a server 20 to the next server 20. In this configuration, attention is given to whether the instruction input device 10 uses a signature key corresponding to an in-house public key certificate or an external public key certificate for electronically signing the job flow instruction. In consideration of this point, the instruction input device 10 in this embodiment judges whether each of the servers 20 to be used for the cooperative service requested by the user is a device internal or external to the company. When the servers 20 include at least one external device, the instruction input device 10 attaches a signature to the job flow instruction using an outside signature key. Conversely, when all servers 20 used for the cooperative service are within the company, the instruction input device 10 electronically signs using an in-house signature key.
  • FIG. 5 is a functional block diagram showing a structure of an instruction input device 10 according to this embodiment. In this structure, an operation display unit 102 is a unit which displays a user interface through which a user can input an instruction, and which receives that instruction. An execution instruction of a cooperative service from the user is input from the operation display unit 102. In order to allow input of an execution instruction, for example, the operation display unit 102 displays a list of names of selectable cooperative services, allows the user to select a desired service, and, when appropriate, permits the user to input processing parameters. An example of a processing parameter is a mail destination address for a server providing an electronic mail transmission service. A service DB (database) 104 contains templates of job flow instructions 30 corresponding to the cooperative services, the templates being correlated to the names of the cooperative services. This template is a template of a portion, in the signed job flow instruction of FIG. 3, corresponding to the process content element 310. The process content element 310 contains information for specifying the server 20 to be used such as, for example, the service names 3122 and 3142.
  • An instruction creation unit 106 receives the user's selection of the cooperative service and the corresponding parameters from the operation display unit 102, obtains a template of the job flow instruction corresponding to the selected cooperative service from the service DB 104, and completes a process content element 310 of the job flow instruction by substituting the received parameters into the template. The created process content element 310 is provided to an instruction integration unit 114 and a signature creation unit 112. In addition, the instruction creation unit 106 sends information on the service names 3122 and 3142 of the servers 20 contained in the process content element 310 to a signature key selection unit 110.
  • A key storage unit 108 stores two types of keys for electronic signature to the job flow instruction 30, one corresponding to a public key certificate issued by an in-house CA and the other corresponding to a public key certificate issued by a public CA.
  • Based on the information of the servers 20 used in the cooperative service provided from the instruction creation unit 106, the signature key selection unit 110 judges whether or not any of the servers 20 are outside the company. When the signature key selection unit 110 judges that there is at least one outside server 20, the signature key selection unit 110 selects an outside signature key, and when the signature key selection unit 110 judges that there is no outside server 20, the signature key selection unit 110 selects an in-house signature key. The signature key selection unit 110 retrieves the selected signature key from the key storage unit 108 and sends the key to the signature creation unit 112.
  • The signature creation unit 112 creates a signature information element 322, a signature value element 324, and a key information element 326 in a manner similar to the above using the process content element 310 received from the instruction creation unit 106 and the signature key received from the signature key selection unit 110, and sends the created elements to the instruction integration unit 114.
  • The instruction integration unit 114 creates an output job flow instruction by adding the signature information element 322, signature value element 324, and key information element 326 created by the signature creation unit 112 to the process content element 310 created by the instruction creation unit 106. The created output job flow instruction is transmitted to a first server 20 in the cooperative service via a network I/F unit 102.
  • From then on, each of the servers 20 verifies the electronic signature of the instruction input device 10 in the received job flow instruction 30, and, when the verification is successful, the server 20 identifies an individual instruction 32 directed to itself from the instruction 30, executes the process indicated in the individual instruction 32, and transmits the received job flow instruction 30 to the next server 20 without any change.
  • Next, another alternative embodiment will be described. In this embodiment, as shown in FIG. 6, a signature proxy device 40 is provided on a LAN 50 (or intranet) within the company, to which the instruction input device 10 and the servers 20 are connected. The signature proxy device 40 is certified with public key certificates from an in-house CA and from a public CA. In this description, it is assumed that an application server 60 is present outside the company (outside the intranet).
  • In this system, the instruction input device 10 and the servers 20 on the in-house LAN 50 need only have a secret key corresponding to a public key certificate issued by the in-house CA. The instruction input device 10 and the server 20 electronically sign the job flow instruction 30 to be sent to the next server 20 using the in-house secret key. The process in the server 20 is similar to that of the server 20 in the embodiment shown in FIG. 2 except that there is no selection of the key to be used for signing (that is, the in-house signature key is always used).
  • In the instruction input device 10 and the server 20 within the company, an IP address and name of the signature proxy device 40 are set as a proxy server to be used when the instruction input device 10 or the server 20 is to transmit the job flow instruction 30 to outside the intranet. When sending a signed job flow instruction to the next server 20, the instruction input device 10 and the servers 20 judge whether the destination server is within or outside the company, and, when the destination server is within the company, the instruction input device 10 or the server 20 directly transmits the signed instruction 30 to the destination server, and, when the destination server is outside the company, the instruction input device 10 or the server 20 transmits the signed instruction 30 to the signature proxy device 40. In the embodiment shown in FIG. 6, the server 20-2 judges that the next server 60 is an outside device and sends the signed job flow instruction 30 to the signature proxy server 40.
  • The signature proxy device 40 receiving this job flow instruction 30 verifies the signature of the job flow instruction 30, and, when the verification is successful, the signature proxy device 40 deletes the signature element 320 of the electronic signature of the server 20-2 (which uses the in-house signature key) from the job flow instruction 30, creates a job flow instruction 35 by attaching an electronic signature to the process content element 310 appearing as a result of the deletion of the signature element 320 using a secret key corresponding to an outside public key certificate of the signature proxy device 40, and transmits the job flow instruction 35 to the outside destination server 60.
  • An in-house server 20 does not directly receive a job flow instruction from an outside server 60. A job flow instruction 37 directed to an in-house server 20-3 from an outside server 60 is first received by the signature proxy device 40. The signature proxy server 40 verifies the electronic signature attached to the job flow instruction 37, and, when the verification is successful, the signature proxy device 40 deletes the signature element 320 of the electronic signature of the outside server 60 from the job flow instruction 37, creates an in-house job flow instruction 30 by attaching an electronic signature to the process content element 310 appearing as a result of the deletion of the signature element using a secret key corresponding to an in-house public key certificate of the signature proxy device 40, and transmits the in-house job flow instruction 30 to the destination server 20-3.
  • In this manner, the signature proxy device 40 replaces electronic signatures attached to instructions communicated from inside to outside the company, and instructions communicated to the inside of the company from outside. With this replacement process, the instruction input device 10 and servers 20 within the company are only required to be certified with a public key certificate from the in-house CA and to electronically sign the instruction using the in-house signature key regardless of whether the destination is internal or external to the company. When the instruction is to be sent outside, the signature proxy server 40 replaces the signature with a signature for outside use. In this manner, it is possible to detect any falsification or the like of the job flow instruction 30 between the in-house servers 20 and, at the same time, detect any falsification or the like of the job flow instructions between the inside and outside of the company. In addition, because the outside server 60 can verify the signature on the instruction 35 by merely obtaining an outside public key certificate of the signature proxy device 40 from the public CA, verification of a signature is a simple task.
  • In addition, in this system, the signature of the signed instruction 37 from the outside server 60 is verified by the signature proxy device 40, and, when the verification is successful, the electronic signature on the job flow instruction 37 is replaced with an in-house electronic signature of the signature proxy device 40 and the job flow instruction 37 is sent to the destination in-house server 20-3. Therefore, according to this configuration, the servers 20 within the company are only required to have a capability to verify a signature using a public key certificate issued by the in-house CA, and there is no need for the in-house server 20 to be compatible with the public key certificate of an outside CA.
  • An example structure of the signature proxy device 40 will now be described referring to FIG. 7.
  • In this device 40, an instruction division/integration unit 404, upon reception of a job flow instruction 30 via a network I/F unit 402, provides a process content element 310 extracted from the job flow instruction 30 to a signature verification unit 410 and a signature conversion controller unit 412, a signature information element 322 and a signature value element 324 (refer to FIG. 3) extracted from the job flow instruction 30 to the signature verification unit 410, and a key information element 326 extracted from the job flow instruction 30 to a verification key selection unit 408. The verification key selection unit 408 retrieves a public key indicated in the key information element 326 from a key storage unit 406 and sends the selected public key to the signature verification unit 410. The signature verification unit 410 executes a signature verification process similar to that in the embodiment shown in FIG. 2 using the public key. The result of this verification (success or failure) is sent to the signature conversion controller unit 412.
  • The signature conversion controller unit 412 instructs the signature key selection unit 416 to replace the signature on the job flow instruction 30 with an outside signature when the job flow instruction 30 is from a server 20 within the company. On the other hand, when the job flow instruction 30 is from an outside server 60, the signature conversion controller unit 412 instructs the signature key selection unit 416 to replace the signature on the job flow instruction 30 with an in-house signature. The judgment on whether the job flow instruction 30 is from a server 20 within the company or from an outside server 60 can be done by checking whether the public key used for the signature verification in the signature verification unit 410 is certified by an in-house CA or by an outside CA. Alternatively, the judgment can be made by the signature conversion controller unit 412 receiving information on the originating URL and IP address of the job flow instruction 30 from the network I/F unit 402 and deciding accordingly.
  • In the above example, it is described that only instructions from the inside to the outside of the company or instructions from the outside to the inside of the company are received by the signature proxy device 40. When, however, there is a possibility that an instruction from an in-house server 20 to another passes through the signature proxy device 40, the signature proxy server 40 reviews not only the origin, but also the destination. Specifically, the signature conversion controller unit 412 judges that the signature should be replaced for instructions from the inside to the outside of the company and for instructions from the outside to the inside of the company and that the signature should not be replaced for instructions between devices within the company. The destination of the job flow instruction 30 can be determined from the URL indicated in the service name 3122 of the individual instruction at the leading end of the process content element 310 of the job flow instruction 30 or from the destination IP address received from the network I/F unit 402.
  • The signature key selection unit 416 selects a signature key (in-house or external) of the proxy device 40 corresponding to the instruction from the signature conversion controller unit 412 from the key storage unit 406 and sends the selected key to a signature creation unit 418. The signature creation unit 418 calculates a value for an electronic signature corresponding to the process content element 310 using the sent signature key and sends a signature information element 322, a signature value element 324, and a key information element 326 indicating the electronic signature to the instruction division/integration unit 404. The instruction division/integration unit 404 re-constructs a job flow instruction by combining the received elements 322, 324, and 326 into the received process content element 310 and transmits the created job flow instruction to the destination server via the network I/F unit 402.
  • When the signature conversion controller unit 412 judges that there is no need for replacement of a signature (for example, when the instruction is from an in-house device to another), this judgment is sent to the instruction division/integration unit 404. The instruction division/integration unit 404 receiving this information transmits the job flow instruction 30 received from the network I/F unit 402 to the destination server without any change.
  • In the above examples, the in-house server 20 uses only a signature key corresponding to a public key certificate certified by the in-house CA. There are, however, situations wherein the in-house server 20 is also certified by a public key certificate from an outside CA. In such a case, the signature proxy device 40 verifies the signature of a job flow instruction from the in-house server 20 to an outside server 60 and judges whether the signature attached to the instruction corresponds to the in-house or outside certificate. When the signature proxy device 40 judges that the signature corresponds to an in-house CA, the signature proxy device 40 replaces the signature, and when the signature proxy device 40 judges that the signature corresponds to an outside CA, the signature proxy device 40 skips the replacement step.
  • In the embodiment described with reference to FIGS. 6 and 7, each server 20 within the company judges whether the destination of the job flow instruction 30 is inside or outside of the company and sends the job flow instruction 30 to the signature proxy device 40 when the destination is outside. Alternatively, it is also possible to employ a configuration wherein the in-house server 20 does not perform such judgment. In such a case, a signature proxy server 40 is provided as a gateway on the boundary between the in-house LAN 50 and the Internet and monitors the job flow instruction 30 which is to be sent from the in-house LAN 50 to the Internet. The signature proxy device 40 verifies the electronic signature of a job flow instruction 30 which is found through the monitoring, and, when it is determined that the signature was created using a secret key corresponding to an in-house public key certificate, the signature proxy device 40 applies the signature replacement process as described above and transmits the job flow instruction 30 to the destination server on the Internet. The signature proxy device 40 also monitors the job flow instructions which are to be sent into the in-house LAN 50 from the Internet, and, when the job flow instruction is signed using a secret key corresponding to an outside public key certificate, performs the signature replacement process as described above. With this configuration, advantages similar to the embodiment shown in FIGS. 6 and 7 can be obtained.
  • It is also possible for the signature proxy device 40 to be one of the application servers 20, include a description of the process content of the signature proxy device 40 in the job flow instruction 30, and for the signature proxy device 40 to perform the signature replacement process as described above according to the description of the process content.
  • In the above-described embodiments, the judgment as to whether the destination device to which the job flow instruction is to be transmitted next is internal or external to the company is made based on the URL of the destination device described in the job flow instruction. Alternatively, it is also possible to base this judgment on an IP address, a FQDN (Fully Qualified Domain Name), an e-mail address, or any other appropriate information associated with the destination device. The IP address, FQDN, and the electronic mail address of the destination device may be explicitly described in the job flow instruction or may be described in a packet header when the instruction is transmitted in the form of packets. In either case, the server 20 and the job flow controller 25 can obtain destination information suitable in each case and can judge whether the destination is inside or outside the company from the obtained information.
  • Although specific embodiments of the invention have been described, it will be understood by those having skill in the art that changes can be made to these specific embodiments without departing from the spirit and scope of the invention. The scope of the invention is not to be restricted, therefore, to the specific embodiments, and it is intended that the appended claims cover any and all such applications, modifications, and embodiments within the scope of the present invention.
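The signature replacement performed by the signature proxy device 40 (FIGS. 6 and 7), as an added example that is not part of the patent text: textbook RSA over SHA-256 with constructed, insecure toy keys stands in for the XML signature, and the JSON layout, key ids and the `corp.example` suffix are assumptions. It folds the cases described above into one rule: the proxy re-signs only when the domain of the verifying key differs from the domain of the destination, and it never forwards an instruction whose signature fails to verify.

```python
"""Toy model of the signature proxy device 40 (added example, not the patent's code)."""
import hashlib
import json
from dataclasses import dataclass, replace
from urllib.parse import urlparse

E = 65537  # public exponent shared by all toy keys


@dataclass(frozen=True)
class Key:
    key_id: str   # value carried in the key information element 326
    domain: str   # "in-house" or "outside": which CA certified the key
    n: int        # RSA modulus
    d: int = 0    # private exponent; 0 when only the public half is held

    def public(self):
        return replace(self, d=0)


def toy_key(key_id, domain, a, b):
    """Constructed, INSECURE key: the modulus is a product of two Mersenne primes."""
    p, q = 2**a - 1, 2**b - 1
    return Key(key_id, domain, p * q, pow(E, -1, (p - 1) * (q - 1)))


def digest(content, n):
    # Canonical JSON plays the role of XML canonicalisation (assumption).
    canon = json.dumps(content, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n


def sign(content, key):
    """Build the signature element 320 (elements 322, 324, 326) over element 310."""
    return {"signature_info": "toy-rsa-sha256",
            "signature_value": pow(digest(content, key.n), key.d, key.n),
            "key_info": key.key_id}


def verify(instruction, keystore):
    """Return the verifying public key on success, None on any failure."""
    sig = instruction.get("signature") or {}
    key_id, value = sig.get("key_info"), sig.get("signature_value")
    key = keystore.get(key_id) if isinstance(key_id, str) else None
    if key is None or not isinstance(value, int):
        return None
    ok = pow(value, E, key.n) == digest(instruction.get("process_content"), key.n)
    return key if ok else None


class SignatureProxy:
    def __init__(self, trusted_keys, own_keys, internal_suffix):
        # Key storage unit 406: public halves only for other parties.
        self.trusted = {k.key_id: k.public() for k in trusted_keys}
        self.own = own_keys              # {"in-house": Key, "outside": Key}
        self.suffix = internal_suffix

    def dest_domain(self, content):
        # Destination = URL in the service name of the leading individual instruction.
        host = urlparse(content["instructions"][0]["service_name"]).hostname or ""
        # Match on a label boundary so "notcorp.example" is not treated as internal.
        inside = host == self.suffix or host.endswith("." + self.suffix)
        return "in-house" if inside else "outside"

    def convert(self, instruction):
        key = verify(instruction, self.trusted)
        if key is None:  # fail closed: unverified instructions are not forwarded
            raise ValueError("signature verification failed: instruction not forwarded")
        content = instruction["process_content"]
        dest = self.dest_domain(content)
        if key.domain == dest:
            # In-house to in-house, or an in-house server that already signed
            # with an outside certificate: forward without any change.
            return instruction
        # Drop the old signature element and sign element 310 with the proxy's
        # key for the destination's domain.
        return {"process_content": content, "signature": sign(content, self.own[dest])}


# Constructed sample parties (names and key sizes are illustrative only).
SERVER_20_2 = toy_key("server-20-2/in-house", "in-house", 61, 89)
SERVER_60 = toy_key("server-60/outside", "outside", 89, 107)
PROXY_IN = toy_key("proxy-40/in-house", "in-house", 107, 127)
PROXY_OUT = toy_key("proxy-40/outside", "outside", 61, 127)
PROXY = SignatureProxy([SERVER_20_2, SERVER_60],
                       {"in-house": PROXY_IN, "outside": PROXY_OUT}, "corp.example")


def make_instruction(url, key):
    content = {"instructions": [{"service_name": url, "process": "print"}]}
    return {"process_content": content, "signature": sign(content, key)}
```

An outside recipient needs only `PROXY_OUT.public()` to verify what the proxy emits, which is the simplification the description attributes to this configuration.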

Claims (8)

1. An information processor for instructing a job processor to execute a job process, the information processor comprising:
a selection unit for selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data having a process description for instructing a job process or data to be processed in a job process;
a signing unit for signing the instruction data or the data to be processed using the signature key selected by the selection unit; and
a transmitter unit for transmitting, to the job processor, the instruction data or the data to be processed signed by the signing unit,
wherein the selection unit selects the first signature key when the job processor is located within a predetermined network and selects the second signature key otherwise.
2. An information processor according to claim 1, wherein
the certificate authority certifying the first signature key is a certificate authority which certifies users within the predetermined network, and
the certificate authority certifying the second signature key is a certificate authority which certifies other users outside the predetermined network.
3. An information processing method executed by an information processor for instructing a job processor to execute a job process, the method comprising the steps of:
selecting one of a first signature key certified by a first certificate authority and a second signature key certified by a second certificate authority for signing instruction data having a process description for instructing a job process or data to be processed in a job process;
electronically signing the instruction data or the data to be processed using the signature key selected in the selecting step;
transmitting, to the job processor, the instruction data or the data to be processed which is electronically signed in the electronically signing step,
wherein the selecting selects the first signature key when the job processor is located within a predetermined network and selects the second signature key otherwise.
4. A proxy device provided between an internal network and an external network, for exchanging documents between a device on the internal network and a device on the external network, the proxy device comprising:
a first signature verification unit that verifies a first electronic signature attached to a document transmitted from a device on an internal network to a device on an external network is signed using a signature key for the internal network, and
a first signature conversion unit that deletes the first electronic signature once the signature is verified by the first verification unit and attaches a second electronic signature to the document using a signature key of the proxy device for the external network, the signature key for the internal network and the signature key for the external network being separately generated and exclusive of each other, and
a transmitter unit for transmitting the electronically signed document to the device on the external network.
5. A proxy device according to claim 4, further comprising:
a second signature verification unit that verifies a third electronic signature attached to a document transmitted from a device on the external network to a device on the internal network is signed using a signature key for the external network, and
a second signature conversion unit that deletes the third electronic signature once the signature is verified by the second signature verification unit and attaches a fourth electronic signature to the document using a signature key of the proxy device for the internal network, the signature key for the external network and the signature key for the internal network being separately generated and exclusive of each other, and
a transmitter unit for transmitting the electronically signed document to the device on the internal network.
6. A method for exchanging, in a proxy device provided between an internal network and an external network, documents between a device on the internal network and a device on the external network, the method comprising the steps of:
verifying a first electronic signature attached to a document transmitted from a device on the internal network to a device on the external network;
deleting the first electronic signature from the document when it is determined in the verification that the first electronic signature attached to the document is signed using a signature key for the internal network;
attaching a second electronic signature to the document from which the first electronic signature has been deleted using a signature key of the proxy device for the external network, the signature key for the internal network and the signature key for the external network being separately generated and exclusive of each other, and
transmitting the document to which an electronic signature is re-attached using the signature key for the external network to the device on the external network.
7. A proxy device provided between an internal network and an external network for exchanging documents between a device on the internal network and a device on the external network, the proxy device comprising:
a signature verification unit that verifies a first electronic signature attached to a document transmitted from a device on the external network to a device on the internal network is signed using a signature key for the external network;
a signature conversion unit that deletes the first signature once the signature is verified by the signature verification unit and attaches a second electronic signature to the document using a signature key of the proxy device for the internal network, the signature key for the external network and the signature key for the internal network being separately generated and exclusive of each other, and
a transmitter unit for transmitting the document to the device on the internal network.
8. A method for changing, in a proxy device provided between an internal network and an external network, documents between a device on the internal network and a device on the external network, the method comprising the steps of:
verifying a first electronic signature attached to a document transmitted from a device on the external network to a device on the internal network;
deleting the first electronic signature from the document when the verification is successful;
attaching a second electronic signature to the document from which the first electronic signature is deleted using a signature key of the proxy device for the internal network, the signature key for the external network and the signature key for the internal network being separately generated and exclusive of each other, and
transmitting the document having an electronic signature re-attached using the signature key for the internal network to the device on the internal network.
US11/808,544 2003-03-25 2007-06-11 Apparatus and method for securely realizing cooperative processing Abandoned US20070245146A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/808,544 US20070245146A1 (en) 2003-03-25 2007-06-11 Apparatus and method for securely realizing cooperative processing

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2003-082612 2003-03-25
JP2003082612A JP4470384B2 (en) 2003-03-25 2003-03-25 Information processing apparatus, job processing apparatus, instruction data creation apparatus, and signature proxy apparatus
US10/653,191 US7246241B2 (en) 2003-03-25 2003-09-03 Apparatus and method for securely realizing cooperative processing
US11/808,544 US20070245146A1 (en) 2003-03-25 2007-06-11 Apparatus and method for securely realizing cooperative processing

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/653,191 Continuation US7246241B2 (en) 2003-03-25 2003-09-03 Apparatus and method for securely realizing cooperative processing

Publications (1)

Publication Number Publication Date
US20070245146A1 true US20070245146A1 (en) 2007-10-18

Family

ID=32985009

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/653,191 Expired - Fee Related US7246241B2 (en) 2003-03-25 2003-09-03 Apparatus and method for securely realizing cooperative processing
US11/808,544 Abandoned US20070245146A1 (en) 2003-03-25 2007-06-11 Apparatus and method for securely realizing cooperative processing

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/653,191 Expired - Fee Related US7246241B2 (en) 2003-03-25 2003-09-03 Apparatus and method for securely realizing cooperative processing

Country Status (4)

Country Link
US (2) US7246241B2 (en)
JP (1) JP4470384B2 (en)
KR (1) KR100502741B1 (en)
CN (1) CN1290024C (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080068640A1 (en) * 2006-09-19 2008-03-20 Canon Kabushiki Kaisha Data-processing device, data-processing method, and computer program
US20090282417A1 (en) * 2008-05-12 2009-11-12 Canon Kabushiki Kaisha Workflow executing apparatus, workflow executing method, and storage medium
US20090327735A1 (en) * 2008-06-26 2009-12-31 Microsoft Corporation Unidirectional multi-use proxy re-signature process

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
HUP0103350A2 (en) * 2001-08-17 2003-04-28 Péter Ladányi Electronic writing device for generating electronic signature of enhanced security
FR2875977A1 (en) * 2004-09-29 2006-03-31 France Telecom CRYPTOGRAPHIC SYSTEM AND METHOD WITH A PUBLIC KEY AND CERTIFICATION SERVER, MEMORIES ADAPTED FOR THIS SYSTEM
JP4723909B2 (en) * 2005-05-27 2011-07-13 株式会社日立製作所 Data exchange method, data exchange management device, and data exchange management program
JP4591870B2 (en) * 2005-08-24 2010-12-01 富士ゼロックス株式会社 Cooperation processing method, cooperation processing device, external cooperation system, program
JP5108285B2 (en) * 2006-11-30 2012-12-26 株式会社日立製作所 Signature method, information processing apparatus, and signature program
JP6226197B2 (en) * 2014-05-23 2017-11-08 パナソニックIpマネジメント株式会社 Certificate issuing system, client terminal, server device, certificate acquisition method, and certificate issuing method
JP6056811B2 (en) * 2014-07-14 2017-01-11 コニカミノルタ株式会社 Workflow system, workflow execution device, workflow execution method, and workflow execution program
CN106557285B (en) * 2015-09-25 2020-07-24 腾讯科技(深圳)有限公司 Printing method and apparatus
US10339299B1 (en) * 2016-03-08 2019-07-02 Kashmoo, Inc. Runtime management of application components
JP6745933B2 (en) * 2018-03-26 2020-08-26 三菱電機インフォメーションシステムズ株式会社 Individual signature system
US11886434B1 (en) 2019-08-05 2024-01-30 Bildr, Inc. Management of application entities

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5642420A (en) * 1994-03-03 1997-06-24 Fujitsu Limited Cryptoinformation repeater, subscriber terminal connected thereto, and cryptocommunication method
US6157721A (en) * 1996-08-12 2000-12-05 Intertrust Technologies Corp. Systems and methods using cryptography to protect secure computing environments
US6178505B1 (en) * 1997-03-10 2001-01-23 Internet Dynamics, Inc. Secure delivery of information in a network
US20020138577A1 (en) * 2000-12-22 2002-09-26 Teng Joan C. Domain based workflows
US6567913B1 (en) * 1998-12-24 2003-05-20 Pitney Bowes Inc. Selective security level certificate meter
US20030120610A1 (en) * 2001-12-20 2003-06-26 Au-System Aktiebolag Secure domain network
US6772341B1 (en) * 1999-12-14 2004-08-03 International Business Machines Corporation Method and system for presentation and manipulation of PKCS signed-data objects

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH08123744A (en) 1994-10-26 1996-05-17 Hitachi Ltd Work flow system
JP2001282970A (en) 2000-03-29 2001-10-12 Hitachi Software Eng Co Ltd Work flow managing system
JP4299447B2 (en) 2000-09-12 2009-07-22 インターナショナル・ビジネス・マシーンズ・コーポレーション Workflow system, information processing apparatus, and storage medium
JP3629516B2 (en) 2000-11-02 2005-03-16 インターナショナル・ビジネス・マシーンズ・コーポレーション Proxy server, electronic signature system, electronic signature verification system, network system, electronic signature method, electronic signature verification method, and storage medium

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080068640A1 (en) * 2006-09-19 2008-03-20 Canon Kabushiki Kaisha Data-processing device, data-processing method, and computer program
US8120794B2 (en) * 2006-09-19 2012-02-21 Canon Kabushiki Kaisha Data-processing device, data-processing method, and computer program
US20090282417A1 (en) * 2008-05-12 2009-11-12 Canon Kabushiki Kaisha Workflow executing apparatus, workflow executing method, and storage medium
US8601478B2 (en) * 2008-05-12 2013-12-03 Canon Kabushiki Kaisha Division, linking and sequential execution of workflows based on the fewest number of divided partitions
US20090327735A1 (en) * 2008-06-26 2009-12-31 Microsoft Corporation Unidirectional multi-use proxy re-signature process

Also Published As

Publication number Publication date
CN1532711A (en) 2004-09-29
US20040193889A1 (en) 2004-09-30
CN1290024C (en) 2006-12-13
KR100502741B1 (en) 2005-07-21
US7246241B2 (en) 2007-07-17
JP2004297109A (en) 2004-10-21
JP4470384B2 (en) 2010-06-02
KR20040086106A (en) 2004-10-08

Legal Events

Date Code Title Description
AS Assignment

Owner name: FUJI XEROX CO., LTD., JAPAN

Free format text: CHANGE OF ADDRESS;ASSIGNOR:FUJI XEROX CO., LTD.;REEL/FRAME:019599/0518

Effective date: 20070726

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION