Browse Prior Art Database

A mechanism to prevent illegal application in an online application system and a mechanism for an in-house person in charge to apply online as a proxy in an online application system

IP.com Disclosure Number: IPCOM000016428D
Original Publication Date: 2003-Feb-24
Included in the Prior Art Database: 2003-Jun-21
Document File: 4 page(s) / 226K

Publishing Venue

IBM

Abstract

Disclosed is a mechanism to prevent illegal application in an online application system. Also disclosed is a mechanism for an in-house person in charge to apply online as a proxy in an online application system.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 30% of the total text.

Page 1 of 4

  A mechanism to prevent illegal application in an online application system and a mechanism for an in-house person in charge to apply online as a proxy in an online application system

Disclosed is a mechanism to prevent illegal application in an online application system.

When an applicant uses an online application system, it is usual to access governmental office's server and register himself/herself first. In an online application system, since the users are general public including people, companies, and corporations, it needs to allow anyone to register or apply online. However, if an access to the web page that submits data to the server is unlimited, hackers can send an excessive amount of data and cause the server to crash. Especially, governmental office's servers are said to be common targets for hackers.

In an online application system that Japanese government promotes it is necessary to digitally sign the application form, and the certificate used for this digital signature must be issued from one of the CAs that the government authorized. In other words, a certificate issued from general CAs or a self-signed certificate is not accepted. The mechanism disclosed here utilizes this condition to solve the problem. The devised mechanism is when an applicant register himself/herself or apply online, the certificate used for the digital signature is submitted to the server first, and only after the server ensures the applicant's certificate to be correct it accepts the following data from the client.

In this way, it can prevent attacks from hackers. A part of this mechanism can be implemented by SSL client authentication. However, a certification issued from one of the CAs the government authorized, is different from SSL client authentication in that the former is based on the assumption that it will be used for digital signature, where as the latter does not specify a unique user. In this point, the latter does not fully meet the requisite. The mechanism is described as follows.

[1. user registration]
(1) The applicant acquires a certificate, in advance, issued from a CA mutually authenticated with a bridge CA, such as Registrar of Tokyo Legal Affairs Bureau or Japan Certification Services.
(2) The governmental office's server registers all the root certificates of the CAs that are mutually authenticated with a bridge CA beforehand.
(3) The applicant accesses the governmental office's server through a browser and enters user information in the user registration form. When the "Sign & Register" button is clicked, the applet transforms the user information into XML and digitally signs it with the applicant's secret key (XML signature).
(4) The applet sends the certificate used for the signature to the server.
(5) The server checks the received certificate whether it is issued from a CA whose root certificate is registered with the server beforehand. If not, the certificate is invalid and therefore the following data is rejected at...