JP2002041347A - Information presentation system and device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable only a person having an access right via a network to browse confidential information in a data base constructed on the existing Web server similar to a general page without altering the existing Web server and without depending on hardware structure of a device such as a client computer at a requesting origin. SOLUTION: This system is provided with a repeater to accept a transfer request from the device at the requesting origin to presentation object data held by a computer via the network, to authenticate the access right of the device at the requesting origin itself or a user at the requesting origin, to acquire the presentation object data from the computer according to the result of the authentication and to transfer the data to the device at the requesting origin.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention transfers (or distributes) information stored on a computer arranged on a network, for example, a Web server in response to a request from a terminal device such as a client computer, and browses the information by a user. More particularly, the present invention relates to an information providing system and an apparatus that allow confidential information to be viewed without leaking to anyone other than those who have a legitimate access right.

[0002]

2. Description of the Related Art As the demand for the Internet increases, there is a need to protect information transmitted and received on the Internet. For example, in a general company,
A database that stores confidential information, such as customer information and personnel management information, is built on a Web server, making it easy to use the Internet to easily view only those who have been granted special authority within the company. can do. However, on the Internet, there is a risk that confidential information may be stolen by eavesdropping on a line or illegally accessing a database storing confidential information.
In addition, there has been a case in which a privileged person who is allowed to access the confidential information accesses the confidential information, copies the confidential information, and leaks it to a third party. In view of the above, there is a strong demand for a system capable of browsing confidential information stored in a Web server or the like on the Internet without leaking to anyone other than a person having a legitimate access right.

[0003] Conventionally, as a system for managing confidential information and preventing leakage, for example, a system disclosed in Japanese Patent Application Laid-Open No. 11-328120 is known. JP-A-11-32812
The device described in Japanese Patent Publication No. 0 sets an access right to a database in which confidential information is stored in advance according to the configuration of input / output devices of a terminal device and data of a user or the like, thereby preventing leakage of confidential information in the database. Network system for

More specifically, referring to FIG. 40, upon receiving a communication request from a terminal device A05, a host computer A02 causes a collating unit A09 to store a user identifier storage unit A0.
8 is compared with the user identifier registered. When the collation results match, the terminal device A05 is requested for hardware configuration information. When the hardware configuration information is received from the terminal device A05, the collation unit A09 performs collation with the hardware configuration information stored in the terminal configuration information storage unit A10. The determination unit A13 determines whether or not there is an access right to A12. The control unit A15, which has received the determination result from the determination unit A13, is a system that permits the terminal device A05 to use the database to which the access right is applied.

On the other hand, services for charging digital contents and delivering them to users have already been tried on the Web. For example, there is a method in which a user accesses a digital content distribution page such as a virtual mall using a web browser, and downloads digital content placed in the virtual mall using a web browser. In this method, a user registers in advance with a management company of a site that distributes digital content to receive a digital content distribution service. Registration can be made on the Web using information such as a credit card, or by mailing the application form. When the registration is completed, an ID and a password for accessing the digital content are issued by the site management company. Digital content is stored on a web server and must be accessed via a proxy server to access digital content. At the time of access, the user is authenticated by the Proxy server using the ID and password, and if the authentication is successful, the user can access the digital content.

[0006] However, as a serious problem in this system, there is a possibility that a user illegally uses and redistributes digital contents. In other words, save the digital content downloaded with a web browser as a file and post the file on the homepage
Alternatively, it is an act of distributing using FTP, mail, or the like. By such an act, a user who can use the digital content appears even though the content fee is not paid, and the digital content billing service is not established.

[0007] As a solution to this problem, a method of adding a digital watermark to digital contents can be considered.
For example, in the case of image content, there are a visible digital watermark that embeds a unique logo in image data, and an invisible digital watermark that embeds information in an inconspicuous manner in image data using a change in luminance. Japanese Patent Application No. 10-190343 discloses a technique for embedding a digital watermark in a work and detecting the same as a conventional technique for preventing secondary use and illegal redistribution in violation of the usage conditions of the content. Have been.

[0008]

However, the method described in Japanese Patent Application Laid-Open No. H11-328120, when applied to a database constructed on a general Web server 11, modifies an existing Web server. There is a problem that it takes time to apply it to a database on a general Web server currently in operation. Also,
In general, a Web server also has pages that are generally viewed in addition to confidential information, and cannot cope with such general pages. In addition, since the download of confidential files is permitted according to the hardware configuration, confidential files cannot be viewed unless appropriate hardware conditions are met, and the viewed confidential information data is temporarily stored on the terminal. There is no mechanism to keep it.

On the other hand, there are some problems in the method for preventing the secondary use and redistribution of digital contents by the above-mentioned digital watermark. First, there is a possibility that the watermark will be removed before distribution. In the case of a visible digital watermark, there is no solution to this threat, and it can only be said that a deterrent effect is expected. Although it is difficult to remove a watermark from an invisible digital watermark, it is generally considered to be weak against processing such as rotation processing and partial cutout of image data. There have been reports of cases where it has become undetectable. Further, in order to detect unauthorized secondary use and redistribution, it is necessary to detect whether or not there is a watermark in image data on the Internet, but an effective method for detection has not been established. Furthermore, the effect of the watermark cannot be expected at all when the digital content is recorded on a recording medium and distributed offline. Therefore, it can be said that prevention of secondary distribution using a digital watermark is a passive method that expects a deterrent effect.

[0010] A first object of the present invention is to transfer confidential information in a database constructed on an existing Web server to an existing Web server.
b Like a general page, it can be viewed only by those who have access authority via a network without modifying the server and without depending on the hardware configuration of the request source device (or terminal) such as a client computer. An object of the present invention is to provide an information providing system and an information providing apparatus.

A second object of the present invention is to provide an information providing system and an information providing apparatus which can store and manage confidential information viewed in a request source device so as not to leak to a third party. A third object of the present invention is that a user who downloads digital content can use the digital content only on the machine used for downloading, and can prevent unauthorized secondary use and redistribution of the downloaded digital content. An object of the present invention is to provide an information providing system and an apparatus.

[0012]

In order to achieve the first object described above, the present invention provides a requesting device (for example, a client) for data to be provided held by a computer (for example, a Web server) via a network. Computer), authenticates the access right of the requesting device itself or the requesting user, obtains the data to be provided from the computer according to the result of the authentication, and sends the data to the requesting device via the network. And a relay device for transferring the data. Further, the computer holds first provision target data that requires authentication of access authority and second provision target data that does not require authentication, and the relay device stores the first provision target data. When the transfer request is accepted, the access right is authenticated. Further, the relay device includes means for encrypting the first provision target data to be transferred to the request source device using an encryption key unique to the request source device or the request source user. The request source device may further include an encrypted first device received from the relay device.
Processing means for decrypting the data to be provided by the apparatus or a decryption key corresponding to the encryption key unique to the requesting user, first display means for displaying the decrypted first data to be provided, and relay apparatus And a second display unit for displaying the second provision target data received from the third party.
The request source device determines whether the data is the first data to be provided or the second data to be provided based on an identifier added to the data received from the relay device,
Means for activating the first display means if the data is the first provision target data, and means for deleting the first provision target data received from the relay device if the first display means cannot be normally activated. It is characterized by having.

[0013] In order to achieve the second object, the request source device generates a key information unique to the own device based on information unique to the own device; Encrypting the first data to be provided using one or both of the encryption keys unique to the original user, and
Means for storing in a secondary storage device. Further, the request source device includes a unit for prohibiting a hard copy of the first provision target data output to the first output unit. Further, the request source device monitors input / output from the application in the request source device to the secondary storage device, and prohibits access to the first data to be provided without the first output means. Storage access control means. Further, the request source device is characterized in that the request source device comprises means for prohibiting the hard copy and means for not activating the first output means unless both the secondary storage access control means are operating normally. The relay device and the request source device each include first storage means storing access right determination information for authenticating the access right of a user of the request source device. In addition, the request source device accesses the first storage unit in the relay device each time the access to the first provision target data stored in the secondary storage device is performed or at a predetermined time. Means for acquiring the authority determination information and updating the access authority determination information stored in the first storage means in the own device to the latest version. It is characterized in that it is determined whether or not there is an access right to the first provision target data stored in the next storage device. The relay device acquires user identification information from a request source device and authenticates an access right. Further, the relay device includes means for encrypting the digital content to be transferred to the requesting device using a unique key generated based on the confidential information of the requesting user. Further, the request source device includes a decryption processing unit that decrypts the encrypted digital content received from the relay device with a unique key generated based on confidential information of the request source user; And a means for prohibiting a hard copy of the output digital content. Further, the request source device includes means for encrypting the digital content using a unique key generated based on confidential information of the request source user and storing the encrypted digital content in a secondary storage device.

In order to achieve the third object, the request source device according to the present invention comprises: means for generating key information unique to the device based on information unique to the device; and key information generated by the means. And means for encrypting the first data to be provided using one or both of the encryption keys unique to the requesting user and storing the encrypted data in the secondary storage device. Further, the relay device includes means for encrypting the digital content to be transferred to the requesting device using a unique key generated based on the confidential information of the requesting user. Further, the request source device includes a decryption processing unit that decrypts the encrypted digital content received from the relay device with a unique key generated based on confidential information of the request source user; And a means for prohibiting a hard copy of the output digital content. Further, the request source device includes means for encrypting the digital content using a unique key generated based on confidential information of the request source user and storing the encrypted digital content in a secondary storage device.

The information providing relay device of the present invention receives a transfer request from a request source device for data to be provided held by the computer via a network, and authenticates an access right of the request source device or the user. Means for acquiring the data to be provided from the computer in accordance with the authentication result of the access right, and transferring the data to the requesting apparatus via a network. In addition, there is provided a means for encrypting the first provision target data to be transferred to the request source device using an encryption key unique to the request source device or the request source user. Also,
There is provided a means for encrypting digital content to be transferred to the requesting device using a unique key generated based on confidential information of the requesting user.

Further, the information processing apparatus constituting the request source apparatus has a first output means for outputting first provision target data requiring authentication of access authority, and a second output means which does not require authentication of access authority. Output means for outputting data to be provided by the relay apparatus, means for transmitting a transfer request for data to be accessed to the relay apparatus, and access via the relay apparatus in accordance with a result of authentication of access authority in the relay apparatus It is characterized by comprising means for receiving target data, and means for activating and outputting the first output means if the received data is the first provision target data.
Further, the first data to be provided is encrypted using an encryption key unique to the requesting device or the requesting user, and the first data to be provided is decrypted after decrypting the encrypted first data to be provided. A decoding processing means for outputting the data to the first output means. Further, the first provision target data is obtained by encrypting the digital content with a unique key generated based on the confidential information of the requesting user, and decrypts the encrypted first provision target data. Later the first
And decoding means for outputting to the output means. A secondary storage device for storing the encrypted first data to be provided; a means for prohibiting a hard copy of the first data to be provided output to the first output means; Secondary storage access control means for monitoring input / output from the application to the secondary storage device and prohibiting access to the first data to be provided without the first output means. . A means for inhibiting the hard copy;
The apparatus further comprises means for not activating the first output means unless both the next storage access control means are operating normally. A means for generating key information unique to the own apparatus based on information unique to the own apparatus; and the first information using one or both of the key information generated by the means and an encryption key unique to the requesting user. Means for encrypting the data to be provided and storing the encrypted data in the secondary storage device. Further, the apparatus further comprises means for encrypting the first data to be provided using a unique key generated based on the confidential information of the requesting user and storing the encrypted data in the secondary storage device.

[0017]

DESCRIPTION OF THE PREFERRED EMBODIMENTS One embodiment of the present invention will be described below in detail with reference to the drawings. FIG. 1 is an overall configuration diagram showing a first embodiment of an information providing system according to the present invention, which is roughly divided into a Web server 11, a router 12, a network 13, and a client computer (hereinafter referred to as Cli).
ent) 14 and a Proxy server 20. The Client 14 includes a Browser 15, a hard copy prohibition module 16, a secondary storage device 17, a secondary storage device access control unit 18, an access token 19, a communication hook module 30, and an external Viewer 40.

The Web server 11 provides a confidential file (first provision target data) 50 that requires authentication of access authority.
And a non-confidential file (second provision target data) 51 that does not require access right authentication. This We
The b server 11 and the Proxy server 20 are arranged on the same segment and are isolated from the network 13 by the router 12. Therefore, in order to access the confidential file 50, it is necessary to go through the Proxy server 20 without fail. When the client 14 accesses the confidential file 50, the confidential file 50 is temporarily downloaded to the Proxy server 20, and is dynamically encrypted using a common key prepared for each client 14.

There is no need to store the confidential file 50 on the Web server 11 in advance by encrypting it. The encrypted confidential file 50 is sent to the Client 14 and decrypted by the communication hook module, and then the dedicated external viewer is used.
It is displayed on (first display means) 40. In the Client 14, access control is performed at the OS level such that a corresponding user logs in to the system in a folder provided for each user, and can be accessed only by the dedicated external Viewer 40. Therefore, it can be said that the system has a mechanism capable of managing confidential files for each user.

Next, each component will be described. Web
The server 11 processes a file download request sent from the client 14 via the proxy server 20 according to the HTTP protocol or the FTP protocol.
14 has a function of transferring a file, and also performs user authentication at the same time. The router 12 performs filtering by the destination IP address of the IP packet, and is set to pass only the IP packet transmitted to the Proxy server 20. Therefore, Web server 1
All access to 1 is performed via the Proxy server 20. The proxy server 20 analyzes the access from the client 14, and in the case of accessing the confidential file 50, encrypts the downloaded confidential file 50 using a common key prepared for each client 14, and transfers it to the client 14. The Browser 15 is an application for displaying or executing a file or a program downloaded from the Web server 11, and is used when browsing a general file 51 other than the confidential file 50.

The communication hook module 30 adds a Client machine identifier for authenticating the Client 14 to the Proxy server 20 and sends a GET request for a file.
The downloaded encrypted confidential file 50 is decrypted. The external viewer 40 is activated by the communication hook module 30 when the confidential file 50 is downloaded, displays the decrypted confidential file 50, and
A process of storing and reading out in the next storage device 17 is performed.
Here, the external viewer 40 does not implement a display data copy function (selection with a mouse cursor or copy with Drag & Drop). Hard copy prohibition module 16
Is a module that is activated at the same time as the external viewer 40 is activated, and is terminated at the same time as the termination, and uses a function to hook a system call (for example, Wi-Fi).
ndows NT uses Win32 Hooks), and has a function to prohibit hard copy.

The secondary storage device access control unit 18
Is loaded when the application accesses the secondary storage device 17. The input / output request issued when the application accesses the secondary storage device 17 is caught and analyzed in the middle, an access request file and an access request application are determined, and the External Vi when accessing files
Restriction so that only ewer 40 can be accessed. A folder is prepared for each confidential file viewer, and the secondary storage device access control unit 18 has a function of restricting access to each folder for each user account by checking the access token 19. The access token 19 is an object generated inside the OS when the user logs in to the client 14, manages the user's login information in the OS, and
It is also used for restricting access for each user to a file having the function of S.

FIG. 2 shows a Proxy server 20 according to the present invention.
FIG. 3 is a block diagram of the configuration of FIG. Proxy server 20 is a Client
A client-proxy communication control unit 21 that controls communication between the Web server 14 and the proxy server 20; a confidential file URL registration unit 22 in which the URL of the confidential file 50 stored on the web server 11 is registered; A client machine identifier database 23 storing a client machine identifier for authenticating the client 14 having the client 30;
The data received from the client 14 is analyzed by analyzing the data transmitted from the client 14 and determining whether or not the confidential file 50 is accessed.
A Client machine authentication unit 25 that determines whether there is a Client machine identifier, a Web-Proxy communication control unit 26 that manages communication between the Web server 11 and the Proxy server 20, and a file transmitted from the Proxy server 20 to the Client 14 is confidential. A confidential file identifier adding unit 27 for adding an identifier for notifying the client 14 that the file 50 is encrypted; a confidential file encrypting unit 28 for encrypting the confidential file 50 downloaded from the Web server 11; It is composed of a common key database 29 that manages a common key prepared for each Client 14 for the purpose of conversion.

FIG. 3 is a block diagram of the communication hook module 30 provided in the client 14. In FIG. 3, the communication control unit 31 between the Proxy and the communication hook module is used.
Is a part that governs communication between the Proxy server 20 and the communication hook module 30. The confidential file identifier storage unit 32 stores the confidential file 50 in the Proxy server 20.
This is a part in which a copy of the identifier is stored in advance in order to collate the confidential file identifier added to. The received data analysis unit 35 analyzes the data received by the communication hook module 30 and checks whether or not the data includes a confidential file identifier indicating the encrypted confidential file 50. If the confidential file identifier exists, the received data analysis unit 35 passes the received data to the encrypted file decryption unit 33. If the confidential file identifier does not exist, the received data is transmitted to the internal application.
It is passed to the communication hook module communication control unit 37.

The encrypted file decryption unit 33 decrypts the encrypted confidential file 50 using the common key unique to the Client 14 stored in the common key storage unit 34. The transmission data analysis unit 36 checks the transmission destination URL of the GET request, and in the case of transmission to the Proxy server 20, passes the transmission data to the Client machine identifier addition unit 38. The Client machine identifier adding unit 38 adds a unique
Add Client machine identifier. Upon receiving the request from the encrypted file decryption unit 33, the external viewer activation processing unit 39
Activate the external viewer 40 and notify the encrypted file decryption unit 33 of whether or not the external viewer 40 has been activated.

FIG. 4 shows an external viewer 4 provided in the client 14.
FIG. 2 is a block diagram showing the configuration of a block 0. In FIG. 4, the communication hook module-viewer communication control unit 41 controls communication between the communication hook module 30 and the external viewer 40. The confidential file display unit 42 displays the confidential file 50 cached in the confidential file cache unit 43. The confidential file cache unit 43 is a place where the confidential file 50 transferred to the external viewer 40 is temporarily stored. The confidential file access / save processing unit 44 stores the confidential file 50 cached in the confidential file cache unit 43 in the secondary storage device 17 or stores the confidential file 50 stored in the secondary storage device 17 Or access.

The external viewer activation judging unit 47 accesses the hard copy prohibition module activation processing unit 45 and the secondary storage device access control unit activation processing unit 46 to activate the hard copy prohibition module 16 and to execute the secondary storage device. It checks whether or not the access control unit 18 is activated, and notifies the communication hook module 30.

Next, a description will be given of the flow of processing and the relationship between the modules in the present embodiment. Figure 5 shows Proxy Server 2
0 shows a flowchart of the process at 0.
When there is an access from the Client 14 (Step 501), the Proxy server 20 receives data in the Proxy
The received data is analyzed to check the URL of the access request file and the presence or absence of the client machine identifier (step 502). The URL of the access request file and the confidential file UR in the confidential file URL registration unit 22
Based on the data of L, it is checked whether the request is an access request to the confidential file 50 (step 503). If the access is not to the confidential file 50, the received data
If there is a machine identifier, it is removed, and if not, it is transferred to the Web server 11 as it is.

The Web server 11 performs user authentication. If the authentication is successful, the Web server 11 sends the non-confidential file 5
1 is downloaded (step 511). afterwards,
Download the non-confidential file 51 to Client
14 (step 512).

In the case of access to the confidential file 50 that requires authentication of the access right, if a Client machine identifier is detected, the received data analysis unit 24 in the Proxy sends the Client machine identifier to the Client machine authentication unit 25. The client machine authentication unit 25 performs Client machine authentication based on the Client machine identifier database 23 (step 504). Client machine identifier is Client14
If it is not added to the data received from the client, it is determined that the access is not from the legitimate Client 14 in the system of the present invention, and the access to the confidential file 50 is rejected. Also, when the Client machine is not authenticated by the Client machine authentication unit 25, access to the confidential file 50 is similarly rejected (step 506).

When the Client machine identifier is verified and the Client 14 that has made the access request is authenticated as a valid Client machine registered in advance in the Client machine identifier database 23, a notification is received from the Client machine authentication unit 25. The in-proxy received data analysis unit 24 transfers the received data from which the Client machine identifier has been removed to the Web server 11, and downloads the corresponding confidential file 50 from the Web server 11 (step 507).

Thereafter, the confidential file encryption unit 28
The downloaded confidential file 50 is encrypted using the common key corresponding to the Client 14 in the common key database 29 (step 508), and the confidential file identifier is added to the confidential file encrypted by the confidential file identifier adding unit 27. Later (step 509), the encrypted confidential file to which the identifier is added
(Step 510). The search for the common key corresponding to the Client 14 in the common key database 29 is performed based on the Client 14 authentication result obtained from the Client machine authentication unit 25. The common key in the common key database 29 and the client machine identifier are associated one-to-one.

FIG. 6 is a flowchart describing a series of processing at the time of data transmission in the communication hook module 30 in the Client 14. First, when data is transmitted from the Browser 15 to the network 13, the internal application-communication hook module communication control unit 37 receives the data (Step 601), and the transmission data analysis unit 36 analyzes the transmission data and transmits the data. The end is Proxy server 2
It is checked whether it is 0 (step 602). Proxy
If the transmission is not to the server 20, the transmission data is directly transferred to the network 13 (step 604). Prox
If the transmission is to the y server 20, the client machine identifier is added to the transmission data by the client machine identifier adding unit 38 (step 605), and then the transmission data is transferred to the proxy server 20 (step 606).

FIG. 7 is a flowchart of a process when the communication hook module 30 receives data. The communication hook module 30 receives Cl from the network 13 by the Proxy-communication hook module communication control unit 31.
When the data sent to the client 14 is received (step 701), the received data analysis unit 35 analyzes whether or not the received data has a confidential file identifier (steps 702 and 703). If the confidential file identifier is not detected from the received data, the received data is transferred to Browser 15 as it is (step 709). However, if a confidential file identifier is detected, the confidential file identifier is removed by the encrypted file decrypting unit 33, and the encrypted file is encrypted using the common key unique to the Client 14 stored in the common key storage unit 34. The confidential file 50 is decrypted (step 704). If the external viewer 40 has not been activated by the external viewer 40 activation processing unit 39, the external viewer 40 is activated and the external viewer 40 is activated.
It is confirmed whether the ewer 40 has started normally (steps 705 and 706). If the external viewer 40 has been activated but has not been activated, the received data is deleted (step 707). If the external viewer 40 has been activated normally, the decrypted data of the confidential file 50 is transferred to the external viewer 40 and displayed (step 708).

FIG. 8 shows the secondary storage device access control unit 18.
9 is a flowchart of a process when a confidential file is accessed in FIG. It is assumed that the secondary storage device 17 has a special folder for storing confidential files prepared for each user.
This folder is registered in the secondary storage device access control unit 18 together with each user's account.
Based on this registration data, the secondary storage device access control unit 1
Step 8 determines whether the user logged in to the Client 14 can access this folder. Client14
When there is an access request to the confidential file 50 stored in a specific folder of the secondary storage device 17 from an application in the system, an I / O access request to the confidential file 50 is issued within the system, and the secondary storage is performed. The secondary storage device access control unit 18 sends the I / O
An access request is hooked halfway and its contents are analyzed (step 801). By this analysis, the application making the I / O access request and the access request folder are checked. The secondary storage device access control unit 18 accesses the access token 19 and acquires login user information (Step 802).

When the access request application is an external view
er40, and determines whether or not the access-requested folder corresponds to the login user, and determines whether or not to access a confidential file in the access-requested folder. It is determined in advance whether or not the access-requested folder corresponds to the login user.
The determination is made by searching a database (not shown) in the next storage device access control unit 18 in which the paired data of the path to the confidential file storage folder and the user account of the user who can access the folder is registered. (Step 803). If so, the access to the confidential file 50 is permitted and an I / O access request is passed to the device driver of the secondary storage device 17 (step 805). If it is determined that access is impossible, access to the confidential file 50 is prohibited (step 80).
6).

The condition for judging access to the confidential file 50 stored in the secondary storage device 17 is that the application requesting access is the external viewer 40, and the confidential file storage folder to be accessed is set to the login user. Access shall be permitted only when it is supported. In other words, even if the confidential file storage folder corresponds to the login user,
In a state where 40 has not been activated, access to the confidential file 50 stored in the secondary storage device 17 is not permitted.
Even if the external viewer 40 is running, access is not permitted even if the confidential file storage folder does not correspond to the login user.

FIG. 9 is a flowchart of the received data display processing in the external viewer 40. External Viewer 40
Receives an activation request from the communication hook module 30,
Alternatively, upon receiving a start request from the user (step 90)
1) The secondary storage device access control unit activation processing unit 46
It is checked whether the secondary storage device access control unit 18 is operating (step 902). If it is not operating, the external viewer 40 activation determination unit 47 notifies the communication hook module 30 of an error (step 903), and the external viewer
The activation of 40 is ended (step 904). If so, the external viewer 40 attempts to activate the hard copy prohibition module 16 in the hard copy prohibition module activation processing unit 45 (step 905). If it does not start,
The viewer activation determination unit 47 notifies the communication hook module 30 of the error (step 909), and stops the activation of the external viewer 40 (step 910). When the hard copy prohibition module 16 is activated, the communication hook module 30
Receives the decrypted confidential file 50 (step 9).
07), and displays the received data (step 90).
8).

As described above, when the external viewer 40 is started, it is determined whether or not the hard copy prohibition module 16 is started, and further, it is confirmed that the secondary storage device access control unit 18 is operating normally. Viewer4
When displaying the data of the confidential file 50 where 0 is decrypted, it is possible to prevent a hard copy of the confidential data from being taken. Furthermore, it is possible to ensure that a confidential file stored in a confidential file storage folder registered in advance in the secondary storage device access control unit 18 cannot be copied to another folder. The confidential file storage folder contains the external viewer 40
Therefore, the confidential file stored in the confidential file storage folder by another application cannot be accessed. Also, external Viewer
If the communication hook module 30 does not start, the communication hook module 30 deletes the decrypted confidential file. Therefore, other applications in the client 14 have no means for accessing the confidential file 50, and the confidential data does not leak outside. .

When the user activates the external viewer 40, no error notification is made to the communication hook module in steps 903 and 909.

As described above, the information providing system of the present embodiment includes the confidential file 50 and the non-confidential file 51.
When there is a request from the Client 14 to access the confidential file 50 to the Web server 11 storing the
The client 14 authenticates the Client 14 based on the Client machine identifier added to the access request (transfer request) transmitted from the Web server 4 and downloads the requested confidential file 50 from the Web server 11 if the Client 14 has the access right. And then sends the confidential file to Client 1
4 is encrypted using a unique common key, a confidential file identifier indicating that the file is an encrypted file is added, and the
It is characterized by having.

With such a configuration, the confidential information in the database constructed on the existing Web server can be transferred to the existing Web server.
b Like a general page, it can be viewed only by those who have access authority via a network without modifying the server and without depending on the hardware configuration of the request source device (or terminal) such as a client computer. be able to.

In the Client 14, the Web server 1
Browsing to browse the general non-confidential file 51 on
ser 15, an external viewer 40 having means for browsing the confidential file 50 and storing it in the secondary storage device 17,
A means for relaying communication between an arbitrary application in the network 14 and the network 13 and activating the external viewer 40 when the encrypted confidential file 50 is received, and deleting the confidential file 50 if the encrypted confidential file 50 cannot be activated;
a means for adding a client machine identifier to transmission data when transmitting data to the y server 20; and a means for identifying an encrypted confidential file transmitted from the proxy server 20 to the client.
Means for decrypting a confidential file encrypted with a decryption key unique to
When a file other than 0 is transferred, the communication hook module 30 having means for judging the transfer and transferring the data to the Browser 15, the access token 19 storing login user information, and storing confidential information. Storage device 17, a means for acquiring login user information from the access token 19, and monitoring I / O to the secondary storage device 17 from an application in the client 14 to make a file access request. A secondary storage device access control unit 18 including means for specifying the application and its access request file, and means for prohibiting access to a specific folder other than accessing a specific login user with the external viewer 40.
And a hard copy prohibition module 16 having means for prohibiting a hard copy of a screen displayed on the external viewer 40 while the external viewer 40 is running. Further, the external viewer 40 is characterized in that the external viewer 40 includes a unit that does not start unless both the hard copy prohibition module 16 and the secondary storage device access control unit 18 operate normally.

With such a configuration, the access request source is prevented from leaking the viewed confidential file 50 to a third party.
It can be stored and managed in the Client 14. Further, the confidential file 50 is encrypted using the common key determined for each Client 14 and transmitted to the requesting Client 14, so that there is no possibility of eavesdropping on the communication line between the Client 14 and the Proxy server 20. The downloaded confidential file 50 is securely stored in a predetermined folder for each user, and the stored confidential file 50 is stored in an external folder.
Since it cannot be accessed by an application other than the Viewer 40, it is not copied and taken out. Furthermore, since the hard copy prohibition module 16 is activated while the external viewer 40 is running, it is not possible to take a hard copy of the confidential data displayed on the external viewer 40, and even if the user has an access right, It is impossible to copy and take it outside.

Although the client machine identifier is added to the access request to the Proxy server 11, it can be combined with the user identifier or only the user identifier depending on the authentication method in the Web server 11. Further, the encryption key and the decryption key for encrypting or decrypting the confidential file are not unique to the Client 14, but may correspond to individual users or user groups who access the file. An encryption key and a decryption key for encrypting or decrypting a confidential file are key information generated based on information (MAC address, IP address, CPU serial number, etc.) unique to the client 14 itself, or the user himself / herself. Sensitive information (for example, credit numbers)
May be used.

Next, a second embodiment of the present invention will be described. FIG. 10 is an overall configuration diagram showing the second embodiment. The information providing system according to the second embodiment includes a Web server storing a confidential file 50 and a non-confidential file 51.
The server 11 and the access authority to the confidential file 50 are determined, and the confidential file 50 is downloaded and encrypted from the Web server 11 in accordance with the user and machine authentication and the access request from the Client 14 to the confidential file 50, and the access request source is encrypted. It comprises a Proxy server 20 for transferring an encrypted confidential file 50 to a Client 14, a router 12, a network 13, and a plurality of Clients 14. Each Client 14 is a Proxy server 20
The viewer 60 removes the file name of the encrypted confidential file sent from the server, caches it, decrypts it and displays it, the Browser 61 displays the non-confidential file 51, and a user-specific decryption key for decrypting the encrypted confidential file 50 And a policy management module 64 having a function of managing a user-specific decryption common key and a policy for applying the decryption common key, and a policy database 63.

In this embodiment, similarly to the first embodiment, the Web server 11 and the Proxy server 20 are arranged on the same segment, and are connected to the external network 13 only through the router 12. Have been. The router 12 performs filtering based on the destination IP address of the IP packet.
Only the IP packets transmitted to are passed. In addition, each Cl
ient14 is based on the file extension of Viewer6
Browser 61 that activates the browser 0 is installed.

FIG. 11 shows the client 14 in this embodiment.
FIG. 3 is a block diagram of the configuration of FIG. Client14 is Viewer60,
It has a Browser 61, a decryption common key database 62, a secondary storage device 67, hardware specific information 65, a network side communication control unit 66, a policy database 63, and a policy management module 64. Among them, Viewer60
Is a Viewer start determination unit 6011, hardware unique information for authentication in Viewer 6012, an encrypted confidential file cache unit 6013, a confidential file name data removing unit 6014, an encrypted confidential file decryption unit 6015, a confidential file display unit 6016, and Decryption common key cache unit 60
17 is provided.

The Viewer activation determining unit 6011 stores in-viewer authentication hardware unique information 6012 registered in advance.
And the hardware specific information 65 which is data specific to the hardware of the Client 14 (for example, a MAC address, externally attached hardware, special data stored in an IC card and which cannot be altered). And 2
If the two data match, the viewer 60 is activated, and if not, the viewer 60 is determined not to be activated. The encrypted confidential file cache unit 6013
When the encrypted confidential file 50 is transferred from the Browser 61, the encrypted confidential file 50 is temporarily cached. When a file is stored in the secondary storage device 67 by the Viewer 60, data cached in the encrypted confidential file cache unit 6013 is stored. As a result, the confidential file 50 is stored in the secondary storage device 67 while being encrypted. When referring to the stored confidential file 50, the confidential file 5
A decryption common key unique to the user used for encrypting 0, a Viewer 60 for decryption, and policy data in a decryptable setting are required. Therefore, the encrypted confidential file 50 stored in the secondary storage device 67 is
14, the user-specific decryption common key to be stored in the decryption common key database 62,
Without the Viewer 60 and the policy management module 64, the encrypted confidential file 50 cannot be browsed, and confidential information does not leak outside.

The confidential file name data removing unit 6014
This module removes the file name data of the encrypted confidential file 50 when the encrypted confidential file 50 whose file name has been changed to indicate that it is the confidential file 50 at the Proxy server 20 is transferred from the Browser 61. The encrypted confidential file decryption unit 6015
Using the user-specific decryption common key cached in the internal decryption common key cache unit 6017, the encrypted confidential file 50 from which the file name data has been removed is decrypted. Common key cache unit for decryption in Viewer 6017
Is to temporarily cache the user-specific decryption common key passed from the policy management module 64.
The Browser 61 determines the confidential file 50 sent from the Proxy server 20 from its file name, and
To launch the encrypted confidential file 50
Transfer to The hardware unique information 65 is information unique to the hardware configuration of the Client 14 machine, such as a MAC address, separately attached hardware, and confidential data in an IC card. Network side communication control unit 66
Is a communication control module for connecting the client 14 to the network 13. The policy database 63
The access policy (information for judging the access right) to the confidential file 50 managed by the Proxy server 20 is downloaded, encrypted and stored, and the encryption stored in the secondary storage device 67 is performed. In order to view the encrypted confidential file 50, it is updated by communicating with the Proxy server 20 when the Viewer 60 and the policy management module 64 are activated.

FIG. 12 is a block diagram of the Proxy server 20 in this embodiment. Proxy server 20 is C
lient-Proxy communication control unit 201, confidential file list and access policy registration unit 202, requested file access determination unit 203, received data analysis unit 204, user authentication unit 205, encryption common key selection unit 206, confidential file encryption unit 207 , Web-Proxy communication control unit 208, confidential file cache unit 209, confidential file URL transmission unit 2
10, a common key database for encryption 211, and a confidential file name changing unit 212.

The client-proxy communication control unit 201
This module controls communication with the ent14. A confidential file list and access policy registration unit 202 that manages a set of a user ID and a password of a user permitted to access the confidential file 50;
It stores a list of confidential files 50 on the Web server 11, a table for managing the user's access authority to each file 50, and version information of the table.
Also, in response to a policy version inquiry from the client 14, the policy version is compared, and the proxy server 2
If the policy version of 0 is newer, a function of transmitting the policy data to the client 14 is provided.
The reception data analysis unit 204 is a module that analyzes data received from the client 14 and checks the URL of the access request file. Request file access determination unit 203
Is to determine whether the access request file is the confidential file 50 from the URL of the access request file acquired by the received data analysis unit 304, the confidential file list, and the URL list of the confidential file registered in the access policy registration unit 202. In the case of access to the confidential file 50, the user authentication unit 205 sends the user / client machine authentication unit 64 in the policy management module 64 of the client 14.
2 (FIG. 13), a request to display a dialog box for inputting user information on the display of the client 14 is transmitted, the user ID and password input by the user are received, and user authentication is performed based on the user information. Perform Based on the result of the user authentication, the requested file access determination unit 203 determines whether to permit access to the confidential file 50. If access to the confidential file 50 is permitted, the requested file access determination unit 20
3 requests the Web server 11 to download the confidential file 50.

When accessing the encrypted confidential file 50 stored in the secondary storage device 67 of the Client 14,
The policy management module 64 in the client 14 queries the Proxy server 20 for the policy version.
The user authentication unit 205 of the oxy server 20 performs user authentication based on the user ID and the password transmitted from the policy management module 64 at the time of communication based on a policy version inquiry from the policy management module 64.

The common key database for encryption 211 is
It stores a user-specific encryption common key prepared for each user who can access the confidential file 50 on the server 11. The encryption common key selection unit 206 searches the encryption common key database 211 for the encryption common key corresponding to the user after the user authentication, extracts the key, and transfers it to the confidential file encryption unit 207. The confidential file encryption unit 207
Confidential file 50 downloaded from server 11
This is a module for encrypting the file for each file name using a common encryption key unique to the accessing user. The confidential file name changing unit 212
A file name is given to the file encrypted in step (1), and the file is sent to the confidential file cache unit 209. The confidential file cache unit 209 temporarily caches the encrypted confidential file 50. If there is an access from an authenticated user, the confidential file 50
Send to Client14. Web-Proxy communication control unit 208
Is a module that controls communication between the Proxy server 20 and the Web server 11.

FIG. 13 shows the client 14 in this embodiment.
3 is a block diagram of a policy management module 64 in FIG. The policy management module 64 includes a communication control unit 641,
User / Client machine authentication unit 642, decryption common key cache unit in policy management module 643, decryption common key policy determination unit 644, Viewer-policy management module communication control unit 645, policy encryption / decryption unit 646, policy cache Unit 647, hardware specific information for authentication 6
48.

The communication control section 641 is a module for controlling communication between the policy management module 64 and the network-side communication control section 66. The user / client machine authentication unit 642 includes a user and a client required for applying the policy.
Authenticates the machine and caches user information. Cl
At the time of the machine authentication, the hardware unique information 65 of the machine is referred to and collated with the hardware unique information 648 for authentication. The decryption common key cache unit 643 in the policy management module temporarily caches the user-specific decryption common key retrieved from the decryption common key database 62 based on the user ID. Policy encryption / decryption unit 646
Then, the encrypted policy data read from the policy database 63 is decrypted. Proxy server 2
The policy data to be newly updated transmitted from 0 is encrypted and stored in the policy database 63.

The policy cache section 647 is a module for temporarily caching policy data. The decryption common key policy determination unit 644 determines whether to transmit the decryption common key to the Viewer 60 based on the user information cached in the user / client machine authentication unit 642 and the policy data cached in the policy cache unit 647. I do.

FIG. 21 is a configuration diagram of the confidential file list and the access policy data table stored in the access policy management unit. The table 21A stores the Web server 11
And the identification number 2 of the user who can access each confidential file.
102 and policy version 2 of this table 21A
103 is set. Also, the table 21B
User ID 21 of the user who can access the confidential file
05, a password 2106, and an assigned identification number 2104.

Next, the flow and the relationship between the modules in the present embodiment will be described with reference to flowcharts. FIG. 14 shows a flowchart of the process in the Proxy server 20. Proxy server 20 is a Cli
When an access request is received from ent14 (step 14
00), proceed to Proxy server initial routine (step 1)
401). This routine is executed when the Client 14
It is determined whether the proxy server 20 is accessed to access the confidential file 50 or the non-confidential file 51 on the first server or the proxy server 20 is accessed by the policy management module 64 for a policy version inquiry. It is a routine. This Proxy server initial routine (step 1401) will be described later with reference to FIG.

If it is determined in this routine that the access is to the confidential file 50 or the non-confidential file 51 on the Web server 11, the process proceeds to step 1402 in FIG. Check the URL of the access request file. Thereafter, the request file access determination unit 203 determines whether the access is to the confidential file 50 (step 14).
03). If the access is not to the confidential file 50, the request file access determination unit 203 downloads the access request file from the Web server 11 (step 1).
404), and transmits the downloaded file to the access requesting Client 14 without performing any processing (step 1405).

If the access request file of the Client 14 is the confidential file 50, the Proxy server 20
It communicates with the policy management module 64 at t14, and acquires the user ID and password of the user who has issued the access request. The obtained user information (user ID and password) is compared with the confidential file list and the user information registered in the access policy registration unit 202 to authenticate the user in the user authentication unit 205 (step 1406). ). As a result of the authentication, if the user is not authenticated as having a valid access right, the access to the confidential file 50 is rejected (step 1409). However, if the user is authenticated, a user-specific key is selected from the encryption common key database 211 (step 1407), and the confidential file 50 is downloaded from the Web server 11 (step 1408).
Using the key, the confidential file encryption unit 207 encrypts the confidential file 50 with a file-specific common key for encryption (step 1410). In addition, as a method of registering a user-specific encryption common key in the encryption common key database 211, a method for a user to view a confidential file is required.
When registering a user with the Client 14 and the Proxy server 20, the key is communicated with the Proxy server 20 and the key is exchanged between the Client 14 and the Proxy server 20.
A method of creating the data in both the servers 20 is adopted.

The Proxy server 20 communicates with the policy management module 64, and the user Cl of the policy management module 64
A dialog box for prompting the input of a user ID and a password is displayed on the machine authentication unit 642, and based on the user ID and the password transmitted from the policy management module 64 to the proxy server 20, the user authentication is performed by the proxy server 20. Do.

The file name of the encrypted confidential file 50 is changed by the confidential file name change unit 212 (step 1411), and the confidential file cache unit 20 is changed.
9 is cached. Then, based on the changed file name, the confidential file URL transmission unit 210 sends a U.S.C.
Generate an RL and send it to Client 14 (step 141)
2). Upon receiving the URL, the Browser 61 downloads the confidential file 50 from the Proxy server 20 (Step 1413).

FIG. 16 shows a flowchart of the proxy server 20 initial routine (step 1401 in FIG. 14). It is determined whether the access from the client 14 is an access for a policy version inquiry from the policy management module 64 (step 1601).
As this determination method, for example, at the time of access to an inquiry, a header of data transmitted to the Proxy server 20 includes:
There is a method of explicitly inserting a specific bit string and detecting this bit string. If this access is not an access for a policy version inquiry, it is an access request to the Web server 11, so the process returns to Step 1402 of the Proxy server process in FIG. 14 (Step 1605).

If the access is for the policy version inquiry, the policy version of the client 14 as the inquiry source and the policy of the proxy server 20 are used using the version data of the policy data in the client 14 transmitted from the client 14 at the time of the access for the inquiry. The versions are compared (step 1602). If the policy versions are equal, the policy management module 64 is notified that the policy versions are equal (step 1606),
The process ends. If the policy versions are not the same, the policy database 63 of the client 14 needs to be updated, so the policy data of the Proxy server 20 is transmitted to the policy management module 64 (step 160).
4).

As a result, the policy data in the policy database 63, that is, the data for judging the access right, is updated to the latest data managed in the Proxy server 20.

FIG. 17 shows a flowchart of the processing in the Client 14 when referring to a file on the Web server 11. Client 14 is a Proxy server 20
(Step 170)
1) The Browser 61 refers to the file name and determines whether the confidential file 50 has been received (step 17).
02). If the confidential file 50 has not been received,
The ser 61 displays the file using its own display function (step 1708). However, if the received file is a confidential file 50, the Browser 61
Starts the Viewer 60 (step 1703). Viewer
60 checks the hardware unique information 65 in the Viewer start determination unit 6011 (step 1704), checks it against the hardware unique information 6012 for authentication in the Viewer, and confirms that the Viewer 60 is installed in the specific Client 14. If the hardware unique information 6012 for authentication in the Viewer registered in the Viewer 60 and the actually read hardware unique information 65 do not match, it is determined that the Viewer 60 has been illegally copied and installed, and Vi
The ewer 60 ends (step 1709). If they match, the Browser 61 sends the confidential file 5 to the Viewer 60.
0 is transferred (step 1706), and the encrypted confidential file 50 is cached in the encrypted confidential file cache unit 6013 (step 1707).
Thereafter, the file name is removed by the confidential file name data removing unit 6014 (step 1710), and the file name is decrypted by the encrypted confidential file decrypting unit 6015 (step 1).
711), the decrypted confidential file 50 is displayed on the confidential file display unit 6016 (step 1712).

When downloading the confidential file 50 in the Web server 11, the policy management module 64 generates a dialog box for user authentication in the Proxy server 20, and requests the user to input a user ID and a password. Based on the input value, the policy management module 64 uses the common key database 6
From 2, search for the corresponding user-specific common key, and
Common key cache unit 601 for decryption in Viewer 60 of Viewer 60
Transfer to 7. The common key used for decryption in step 711 is the common key cached in the common key cache unit 6017.

FIG. 19 is a flowchart showing the processing in the Client 14 when referring to the confidential file 50 stored in the secondary storage device 67. When the user accesses the confidential file 50 stored in the secondary storage device 67, first, the Viewer 60 is started (Step 190).
1). Viewer 60 activates policy management module 64,
The name of the confidential file to be accessed is transmitted to the policy management module 64 (step 1902). The policy management module 64 is a user / client machine authentication unit 6
At 42, the user is requested to input a user ID and password, and at the same time, the hardware unique information 65 of the Client machine is accessed, and machine authentication is performed using the authentication hardware unique information 648 (step 1903).

The policy management module 64 transmits the user ID and password and the version data of the policy of the Client 14 to the Proxy server 20 in a secure manner, and makes an inquiry about the policy version. Then, the policy management module 64 sends the user / Client in the Proxy server 20.
It waits for a result of machine authentication and a response to the policy version inquiry (step 1904). Proxy server 2
If the user / client authentication at 0 is denied, or if there is no response from the Proxy server 20 due to communication failure, the policy management module 64 notifies the viewer 60 of no response (step 1909). Thus, the Viewer 60 does not display the confidential file 50 (Step 1910).

If there is a response from the proxy server 20 and the contents of the response do not have the same policy version, the latest policy data is transmitted from the proxy server 20 and the policy database 6 is generated based on the data.
3 is updated (steps 1906 and 1907). If the versions are equal, the policy data of Client 14 is left as it is. The decryption common key policy determination unit 644 determines whether access to the confidential file 50 is possible based on the user ID and the name of the confidential file to be accessed using the latest version of the policy data (step 190).
8, 1911). If the determination result is unacceptable, the decryption common key policy determination unit 644 returns an error of denial of access to the confidential file 50 to the Viewer 60 (Step 1915). Upon receiving the error, the Viewer 60 displays the error on the confidential file display unit 6016 without performing the decryption process on the encrypted confidential file 50, and ends the process (Step 19).
16).

If the policy determination result is acceptable, the decryption common key policy determination unit 644 searches the decryption common key database 62 for a decryption common key unique to the user, and sends the decryption common key to the Viewer 60. Send (Step 191)
2). After deleting the file name, the Viewer 60 decrypts the confidential file 50 using the user-specific decryption common key (Step 1913), and displays the data on the confidential file display unit 6016 of the Viewer 60 (Step 1914).

As described above, the information providing system according to the second embodiment includes a P
An roxy server 20 intervenes, and in this proxy server 20, a confidential file 5 on the web server 11
In accordance with the access request to the client 14, the communication with the policy management module 64 in the Client 14 is performed to authenticate the user and the Client machine. W
confidential file 5 downloaded from eb server 11
0 is encrypted for each file name using a common key for encryption corresponding to the requesting user, and the file name is changed.
The modified confidential file is configured to be transferred to the client 14.

As a result, without changing the settings of the existing Web server 11, the access authority for each user can be set for the confidential file 50, the confidential file 50 can be safely downloaded, and the confidential file 5 can be safely downloaded.
0 can be safely stored in the Client 14. Also, since the access authority to the confidential file 50 is set for each user, even if the confidential file 50 is eavesdropped when downloaded, a user without the access authority to the confidential file 50 cannot browse it. . Also,
The authentication of the access right of each confidential file 50 is dynamically applied, and when the access right is changed in the Proxy server 20, the access right is changed to Client1 from the time of the change.
4 also applies to the confidential file 50 stored in the confidential file 4.
Therefore, for example, when the user A of the Client 14 belonging to the HR department is relocated to the sales department due to a personnel change, the access authority list of the personnel information file, which is confidential to the personnel other than the HR staff in the Proxy server 20, is used. By deleting User A, Client1 used by User A
4 are reflected in the processing of steps 1601 to 1604 in FIG. 16 even in the policy database 63 in FIG. 4, and even if the user A uses the same Client 14 machine as before the personnel change, the user A browses confidential personnel information. Becomes impossible. Furthermore, the confidential file 50 is encrypted in advance, and
Since it is not necessary to register in the server 11, the confidential file 50 dynamically generated in the Web server 11 can be managed.

In the Client 14, if the Viewer 60 provided exclusively for displaying the confidential file 50 is improperly installed, this Viewer 60
Since the confidential file 60 is closed and the confidential file is not displayed, it is possible to effectively cope with an illegal act such as an unauthorized installation and to prevent the confidential file 50 from being leaked.

When accessing the confidential file 50 stored in the secondary storage device 67, the proxy server 20
In each case, the access right version is queried, and the access right is authenticated with the latest access right determination information. Therefore, the confidential file 50 stored in the secondary storage device 67 is copied by the person whose access right has been revoked. Protect against unauthorized access. The access authority version inquiry process is performed in the secondary storage device 67.
Confidential file 50
If the confidentiality is low, the number of inquiries may be reduced, for example, at predetermined time intervals. This can contribute to reducing network traffic.

Although the hard copy prohibition module is not provided in the second embodiment, it can be provided in the same manner as in the first embodiment. The encryption and decryption keys used to encrypt or decrypt confidential files are
Information unique to the device itself of nt14 (MAC address, IP
Key information generated based on an address, a CPU serial number, or the like, or key information generated from user's own confidential information (eg, a credit number) may be used.

Next, a third embodiment of the present invention will be described in detail. FIG. 22 is an overall configuration diagram showing the third embodiment of the present invention. The system according to this embodiment includes a content server 2202 that is a Web server that stores content 2207 such as map data and image data such as photographs, articles of newspapers and magazines, access authentication and access using user IDs and passwords of users. Content distribution proxy 2203 that performs log management and encryption processing so that content data is not stolen at the time of content distribution, and dedicated viewers 2206a to 2206-2 for browsing the content
Clients 22 each installed with 206n
05a to 2205n. The content distribution company 2201 manages the content server 2202 and the content distribution proxy 2203, aggregates access logs, and charges a user for a fee for downloaded content. A user who wishes to distribute content can use the dedicated viewer 2206a via the Internet 2204.
The content 2207 is downloaded by using the content 2207n. In order to access the content server 2202, it is necessary to pass through the content distribution proxy 2203 without fail. Therefore, the content server 2
Direct unauthorized access to 202 can be prevented.

Next, the internal configuration of each component in the third embodiment of the present invention, and the processing between each component and the components will be described. FIG. 23 shows the third embodiment of the present invention.
FIG. 14 is a client configuration diagram according to the embodiment. The client 2205 (2205a to 2205n) includes a dedicated viewer 2206, a user unique key DB 22051, client unique data 22053, and a secondary storage device 220.
52. As the client-specific data 22053, data that cannot be falsified in the IC card, data in special hardware, data assigned to the CPU, and the like can be used.

The dedicated viewer 2206 will be described in detail. The dedicated viewer 2206 includes a display unit 22066, a hard copy prohibition module 22067, a decryption unit 22063,
Decryption data cache unit 22064, encryption / decryption unit 2
2065, key search unit 22061, and key generation unit 2206
Consists of two. A display portion 22066 is a portion for developing and displaying the content. The decryption unit 22063 converts the encrypted content transmitted from the content distribution proxy 2203 into the user unique key DB 220 by the key search unit 22061.
This is a part to be decrypted with the user-specific key retrieved from 51. The key generation unit 22062 generates a client-specific key for encryption / decryption when storing content based on the client-specific data 22053 read when the dedicated viewer 2206 is started. Key search unit 22061
Extracts a user-specific key by searching the user-specific key DB 22051 based on the user ID / password information. The user ID / password information is stored in the dedicated viewer 22
06 in advance, or display a dialog when accessing the content distribution proxy 2203 using the dedicated viewer 2206 or when accessing encrypted content stored in the secondary storage device 22052. Get it by inputting it to The user unique key DB 22051 is a part for managing a key unique to each user. The user's key is encrypted by using the user's password as a key, and the client 22
Stored safely in 05. A method of storing in an IC card or another hardware may be used.

The encryption / decryption unit 22065 is the key generation unit 22
062 and a key unique to the user from the key search unit 22061, respectively.
Encrypts or decrypts content using two keys. The hard copy prohibition module 22067 hooks and prohibits the OS system call used when the capture tool makes a hard copy, and a message in the system issued when a key for taking a hard copy is pressed. Is a module that prohibits the hard copy of the displayed screen by prohibiting the use of the data copy destination memory by hooking. This module prevents the user from displaying the content on the display screen, taking a hard copy of the content and secondary distributing it.

FIG. 24 is a configuration diagram of the content distribution proxy 2203 in this embodiment. The content distribution proxy 2203 includes a proxy server 22031, a management application 22032, a user information / unique key DB 22
033 and a log data storage unit 22034. The user information / unique key DB 22033 is a database that stores the user ID, password, key data, and URL information of the accessible content, and is set in the user information / unique key DB 22033 by the management application 22032. Information is registered, deleted, and changed. Proxy server 22031
Is the content server 2202 of the client 2205
Is a program that relays and processes access to content, and stores an access log to content in a log data storage unit 2203
Write to 4.

The description now turns to the proxy server 22031 in detail. The proxy server 22031 includes a content cache unit 22035, a user authentication unit 22036, a received data analysis unit 22037, and a content encryption unit 22038. The access request transmitted from the client 2205 includes the URL of the access request content and the user ID.
And a password.
031 designates the received access request as the received data analysis unit 22
Analyze at 037. User information acquired by the received data analysis unit 22037 and URL of access request content
Based on the user information / unique key DB 22033,
User authentication and determination as to whether access to the content is possible is performed. If the authentication is successful, a request from the client 2205 is transmitted to the content server 2202, the downloaded content data is encrypted with a user-specific key retrieved from the user information / unique key DB 22033, and transmitted to the client 2205.

FIG. 25 is a schematic configuration diagram of content access log data stored in the content distribution proxy 2203 in this embodiment. This is a data entry recorded in the log data storage unit 22034 of the content distribution proxy 2203, and has the transaction number 2
501, user ID 2502, access date and time 2503,
Access content URL 2504, charging flag 250
5. The transaction number 2501 is a value serving as a key of the table, and is assigned every time the client 2205 accesses the content 2207.
The access content URL 2504 is the URL of the content 2207 accessed by the user. The charging flag 2505 is a flag indicating whether or not to charge for the transaction, and is used, for example, in the case of a service in which the same user does not charge for the second and subsequent accesses to the same content.

FIG. 26 shows the user information and
FIG. 12 is a schematic configuration diagram showing user information of accessible users recorded in a unique key DB 22033. Each entry in this table has a user ID 2601 and a password 26
02, service registration date 2603, service expiration date 2
604, unique key data 2605, and accessible content URL 2606. The service registration date 2603 is the date when the user has registered with the content distribution service via the Web, and the service usage expiration date 2603
Reference numeral 4 denotes a date when the user can give and receive the distribution service. The unique key data 2605 is an item in which key data unique to the user is registered. Also, accessible content UR
L2606 is the UR of the content accessible to the user
A pointer to the L list 2607 is registered, and corresponds to the content selected by the user to receive the distribution service. The above entry is prepared for each registered user, and the content distribution proxy 22
03 registration / deletion /
Make changes.

FIG. 27 is a diagram showing, in chronological order, the overall flow of the content distribution service in the present embodiment. With reference to this figure, a series of flows from a user's request for a content distribution service to processing of a service and payment of a service fee will be described. The user accesses the site of the content distribution service of the content distribution company 2201 and uses the dedicated viewer 2 necessary for displaying the content.
206 is downloaded and installed in the client 2205 (step 2701). The user requests content distribution via the Web using the dedicated viewer 2206 (step 2702). Content distribution company 220
The management application 22032 of the first content distribution proxy 2203 registers setting information such as the user's user ID, password, and accessible content URL in the user information / unique key DB 22033 (step 2703). In addition, the key data unique to the user used at the time of content distribution generated at this time is also stored in the user information / user information.
Unique key data entry 2605 in unique key DB 22033
Register with. Then, the registered unique key is distributed to the user by a secure method such as encrypting communication (step 2704).

Next, the distribution service is performed, and the flow will be described. First, the user uses the dedicated viewer 220
6 to access the content 2207 (step 2705). The content distribution company 2201 collects an access log for access to the content 2207 to perform a charging process for the user (step 2).
706). Then, the access-requested content is distributed to the user (step 2707). This flow is repeated every time the user accesses the content 2207.
Finally, the content distribution company 2201 performs settlement for each user at the end of a predetermined period (step 270).
8) The user is charged for the content usage fee via the credit card company (step 2709). The user pays for the content usage fee as requested (step 2710).

FIG. 28 is a flowchart when the content 2207 is downloaded and viewed by the dedicated viewer 2206. Hereinafter, the flow of the processing will be described according to the flowchart. The user accesses the content distribution proxy 2203 using the dedicated viewer 2206 installed in the client 2205 (Step 2801). As a method of access, the user uses an interface of the dedicated viewer 2206 (see FIG. 30 described later).
In the edit box 3001 for inputting the URL of the content in the above, the URL of the content to be browsed is input and an access request is transmitted. When transmitting the URL of the content, the user ID and the password registered in advance in the dedicated viewer 2206 or input by the user by displaying a dialog box are also displayed.
The content is transmitted to the content distribution proxy 2203 together with the RL (step 2802).

The content distribution proxy 2203 analyzes the request transmitted from the dedicated viewer 2206, and
The user information / unique key DB 22033 is searched based on the transmitted user ID, password, and URL of the content, and user authentication and content access permission determination are performed (step 2803). If the authentication / access permission determination is not successful, the proxy server 22031 transmits data indicating that the content cannot be used to the client 2205 (step 2806), and ends the processing. If successful, the proxy server 22031 downloads the content from the content server 2202, encrypts it using the unique key registered in the user information / unique key DB 22033 (step 2804), Send it to the viewer 2206. The dedicated viewer 2206 decrypts and displays the encrypted content using the unique key retrieved from the user unique key DB 22051 (step 2805).

FIG. 29 is a flowchart showing the processing performed by the dedicated viewer when content data is stored in the client 2205. Hereinafter, the processing flow will be described in detail with reference to this flowchart. The dedicated viewer 2206 starts the client-specific data 2
2053 is acquired in the application (step 2
901). Then, the acquired client-specific data 2
The key generation unit 22062 generates a client-specific key based on the 2053 (step 2902). next,
The dedicated viewer 2206 displays a dialog box and asks the user to input a user ID and a password to be used when downloading the content.
Alternatively, if it is registered in the dedicated viewer 2206 in advance, it is read (step 2903). Then, based on the received user information, the dedicated viewer 22
The key search unit 22061 in 06 searches for and extracts a key unique to the user (step 2904). This generation
Using the extracted two keys, the dedicated viewer 2206
The content data is encrypted by the encryption / decryption unit 22065 (step 2905). Finally, the encrypted content data is stored in the secondary storage device 22052 (step 2906). The same procedure is used when decrypting and displaying the content data stored in the secondary storage device 22052. In this manner, two keys for encrypting and decrypting the content are transmitted to the client 22 respectively.
05 and the user, it is not possible to copy and display the stored content data to another client in which the dedicated viewer 2206 is installed. Therefore, it is possible to prevent secondary distribution by a user who holds the access right to the distributed content.

FIG. 31 is a diagram showing the transition of the interface when registering the digital content distribution service using the dedicated viewer 2206. The user first accesses the digital content distribution registration page 3101 using the dedicated viewer 2206 downloaded from the site of the content distribution company 2208. The digital content distribution registration page 3101 is used to input personal information such as name, gender, address, e-mail address, credit card number, user ID and password desired by the user to use the distribution service, and content items to receive the distribution service. Consists of a form.
The user fills out these forms and presses the "OK" button. To return the form input to a blank page, press the "Cancel" button. When the “OK” button is pressed, a page 3102 for input information confirmation is displayed. This page 3
At 102, the user confirms the previously entered information. If the input information is correct, press the "Send" button. If the input information is incorrect or the registration of the content distribution service is to be canceled, the user presses a “return” or “stop” button, respectively. When the “transmit” button is pressed, the input information is transmitted to the content distribution proxy 2203. Then, a key unique to the user is generated by the management application 22032 and registered in the user information / unique key DB 22033 together with the user ID, password, and user information. After that, the unique key data is transferred to the content distribution proxy 2203.
The data is transmitted to the dedicated viewer 2206 in the client 2205. At this time, a screen 3103 indicating the data transmission status is displayed on the client 2205 as shown in FIG. When the transmission of the user's unique key is completed, a registration completion page 3104 shown in FIG. 32 is displayed. On this page 3104, the user ID information of the registered user is displayed. The password information is separately sent to the user by e-mail. Thus, the user also checks the registered password information.

FIG. 33 is an overall configuration diagram showing a fourth embodiment of the present invention. The content distribution service is provided between a client 3303, a content distribution company 3301, and a credit card company 3302. The content distribution company 3301 manages a content 3306 and a content server 3305 which is a Web server storing the content 3306. The content distribution proxy 3307 is managed by the credit card company 3302, and the client 3303 has a dedicated viewer 33.
08 is installed. Each party communicates via the Internet 3304. It is assumed that only the content distribution proxy 3307 can access the content server 3305 and the communication is secure. For example, the content server 3305 performs communication after authenticating the content distribution proxy 3307 using a method such as connection between the two via a dedicated line or SSL client authentication communication. In the present embodiment, it is assumed that the content server 3305 and the content distribution proxy 3307 perform communication using the SSL client authentication method.

FIG. 34 shows a configuration diagram of the client 3303 in the present embodiment. Client 3
303 includes a secondary storage device 3401, credit card data 3402, and a dedicated viewer 3308. The credit card data 3402 is credit card number information and is stored in the client 3303 as plain text or as a password by the user in the dedicated viewer 330.
8 shall be input. The dedicated viewer 3308 includes a decrypted data cache unit 3403, a display unit 3404, a hard copy prohibition module 3405, and an encryption / decryption unit 34.
06, key generation unit 3407, and hash generation unit 3408
It consists of. A key for encrypting / decrypting the content data transmitted from the content distribution proxy 3307 is calculated by the hash generation unit 3408, which calculates the hash value of the credit card data 3402, and is generated by the key generation unit 3407 based on the hash value. Stored temporarily. This key generation is performed every time the dedicated viewer 3308 is activated. The key stored in the key generation unit 3407 is deleted when the process of the dedicated viewer 3308 ends. Encryption
The decryption unit 3406 is a module that encrypts and decrypts content data based on a cached key. The decrypted data cache unit 3403, the display unit 3404, and the hard copy prohibition module 3405 have the same configurations and functions as in the first embodiment.

FIG. 35 shows a configuration diagram of the content distribution proxy 3307 in the present embodiment. The content distribution proxy 3307 is a proxy server 35
011, management application 3502, user information
It comprises a unique key DB 3503 and a log data storage unit 3504. The user information / unique key DB 3503 is a database that stores a credit card number of a user who can access the content, a hash value of the credit card number, key data unique to the user, and URL information of the accessible content.
At 502, setting information is registered, deleted, and changed.
The proxy server 3501 is a program that relays and processes access of the client 3303 to the content server 3305, and writes an access log to the content 3306 in the log data storage unit 3504. Unlike the third embodiment, in the present embodiment, instead of user authentication using a user ID and a password, user authentication of a user is performed using a hash value of credit card data. This is because the credit card company manages the content distribution proxy 3307, so that the credit card number and the user can be associated one-to-one, and the identification of the user by the credit card number is more charged. This is because it is convenient for processing. In addition, the management application 35
02 generates a key for encrypting the content for each user, and this key is generated in the same manner as the method for generating it in the dedicated viewer 3308, that is, the credit card data 3
A hash value is obtained from 402 and a key is generated based on the value. When the hash value of the credit card number is sent from the dedicated viewer 3308 to the content distribution proxy 3307 for user authentication, it is necessary to perform encryption processing so that the hash value is not stolen on the Internet 3304.

Next, the proxy server 3501 will be described in detail. The proxy server 3501 includes an SSL communication control unit 3505, a user authentication unit 3506, a received data analysis unit 3507, a content encryption unit 3508, and a communication control unit 3509. SSL communication control unit 3505
Is a module for realizing SSL client authentication communication as communication between the content server 3305 and the content distribution proxy 3307. As a result, the content server 3305 can be accessed only via the content distribution proxy, and leakage of content data during communication from the content server 3305 to the content distribution proxy 3307 by a communication eavesdropper is prevented. Received data analysis unit 3507, user authentication unit 3506
The content encryption unit 3508 has the same configuration and function as the third embodiment. A communication control unit 3509 controls communication between the proxy server 3501 and the client 3303.

FIG. 36 is a diagram showing the flow of the entire content distribution service in chronological order. Hereinafter, the flow of the entire service will be described with reference to FIG. Content distribution company 33
01 requests the credit card company 3302 in advance for charging processing in the content distribution service, and both the credit card company 3302 and the content distribution company 3301 make a contract for the charging service (step 3).
601). When contract is established, credit card company 3
302 installs a content distribution proxy 3307 and starts a content distribution service. Users who want to receive the content distribution service are credit card companies 330
2 and a credit card is obtained, and a credit card is obtained (step 3602). In order to receive the content distribution service, the user accesses the site of the content distribution company 3301, downloads the dedicated viewer 3308, and implements the content distribution service using the dedicated viewer 3308 (step 3603). Payment is made at regular intervals (step 3604), and the content fee is paid by the content distribution company 3301 on behalf of the user.
(Step 3605). Then, the credit card company 3302 bills the user for the content fee (step 3606), and the user pays the content fee for the bill (step 360).
7).

FIG. 37 shows a flowchart when the content 3306 is downloaded and viewed by the dedicated viewer 3308. First, the user can use the special viewer 33
08 to access the content distribution proxy 3307 via the Internet 3304 (step 37).
01). After the connection with the content distribution proxy 3307 is established, the hash value of the credit card number is encrypted and transmitted from the dedicated viewer 3308 to the content distribution proxy 3307 (step 3702). The proxy server 3501 analyzes the transmission data from the client 3303, and the user authentication unit 3506 performs user authentication of the user and access permission determination based on the hash value of the credit card (step 3703). If the user authentication is successful, the proxy server 3501 establishes an SSL client authentication connection with the content server 3305 (step 3704).
Download and encrypt 306 (step 370)
5). The encrypted content 3306 is transmitted to the client 3303, and the encrypted content is decrypted and displayed by the dedicated viewer 3308 (step 370).
6). However, if user authentication is not successful,
An unusable page is displayed on the client 3303 (step 3707).

FIG. 38 is a flowchart of a process performed by the dedicated viewer 3308 when storing content data in the client 3303. The dedicated viewer 3308 acquires the credit card data 3402 at the time of activation (step 3801). Then, the hash generation unit 340
In step 8, the hash value of the credit card data 3402 is calculated (step 3802). Further, the key generation unit 3407 generates a key unique to the user based on the hash value (step 3803). The generated key is stored in the key generation unit 3407. When storing the content data, the content data is encrypted based on the generated key (step 3804), and the encrypted data is stored in the secondary storage device 3401 (step 38).
05).

The features of this embodiment different from those of the third embodiment are as follows. First, when saving the content data downloaded by the dedicated viewer,
There is a point that content data is encrypted based on a credit card number that a user cannot disclose to other people. By adopting this method, in order for the malicious user to secondarily distribute the downloaded content to a third party, he or she must take the risk of disclosing his or her own credit card number. Normally, it is not conceivable to take such a risk, and as a result, secondary distribution to a third party can be suppressed. Also,
In the third embodiment, the content can be used only by the client downloaded and stored,
In this embodiment, the user can use the data by copying the data encrypted and stored in another machine and inputting a password or writing the credit card data in a predetermined location of the copy destination machine.

In the first to fourth embodiments described above, the content delivered from the content providing server to the client has been described as being visible data to be displayed on a dedicated viewer. The distribution data that can be produced include not only still images such as documents, newspapers, magazines, photographs, paintings, etc. It also includes data such as digitized documents issued by public institutions (resident's card, seal certificate, etc.), and receipts corresponding to locker keys for receiving articles from storage at unmanned article pick-up stations. . Also,
Control data for reproducing as a mechanical operation is also included. As the data to be reproduced as a mechanical operation, for example, data that causes the nursing care robot to perform a specific operation such as cleaning or washing can be considered. Therefore, the dedicated viewer is not limited to the display that displays the visualization data,
It includes a device that reproduces and outputs sound and music, or a device that reproduces mechanical movement.

Further, in each of the embodiments, the example has been described in which the user receives the content distribution service directly from the content server. Good. FIG. 39 is a block diagram showing an example of the configuration, in which clients 3904a to 3904 provided with a dedicated viewer 3907
n makes a content distribution request via the Internet 3903 to the secondary distribution service organizations 3902a to 3902n of the relay points a to n divided for each area. Secondary distribution service organization 3902a- of relay points a to n that received the request
In the content distribution proxy 3906 of 3902n, if the requested content is cached, it is distributed to the requesting client. If it is not cached, it requests the content server 3903 of the content distribution company 3091 via the relay server 3905, and distributes the acquired content to the requesting client.

[0102]

As described above, according to the present invention,
The confidential information in the database built on the existing Web server can be used by the general public without modifying the existing Web server and without depending on the hardware configuration of the requesting device (or terminal) such as a client computer. Like a page, it can be viewed only by a person having access authority via a network. In addition, the confidential information that has been viewed can be stored and managed in the request source device so as not to leak to a third party. Further, in a service for charging and distributing digital content, the digital content distributed to the user is prevented from being secondary distributed,
It is possible to maintain a legitimate billing mechanism for digital content distribution services and contribute to preventing collapse of the management base in the distribution service industry due to unauthorized copying.

[Brief description of the drawings]

FIG. 1 is an overall configuration diagram showing a first embodiment of an information providing system according to the present invention.

FIG. 2 is a block diagram of a Proxy server in the embodiment of FIG. 1;

FIG. 3 is a block diagram of a communication hook module in the embodiment of FIG. 1;

FIG. 4 is a block diagram of an external viewer in the embodiment of FIG. 1;

FIG. 5 is a flowchart illustrating processing of a Proxy server in the embodiment of FIG. 1;

FIG. 6 is a flowchart showing a process at the time of data transmission of the communication hook module in the embodiment of FIG. 1;

FIG. 7 is a flowchart showing a process when the communication hook module receives data in the embodiment of FIG. 1;

FIG. 8 is a flowchart showing a process at the time of accessing a confidential file of the secondary storage device access control unit in the embodiment of FIG. 1;

FIG. 9 is a flowchart showing a received data display process of the external viewer in the embodiment of FIG. 1;

FIG. 10 is an overall configuration diagram showing a second embodiment of the information providing system of the present invention.

11 is a block diagram of a Client in the embodiment of FIG.

FIG. 12 is a block diagram of a Proxy server in the embodiment of FIG. 10;

13 is a block configuration diagram of a policy management module in a client in the embodiment of FIG.

FIG. 14 is a flowchart showing processing of a Proxy server in the embodiment of FIG.

FIG. 15 is a flowchart showing a continuation of FIG. 14;

FIG. 16 is a flowchart illustrating an initial routine of a Proxy server in the embodiment of FIG. 10;

FIG. 17 is a flowchart showing processing in the Client when referring to a file on the Web server in the embodiment of FIG. 10;

FIG. 18 is a flowchart showing a continuation of FIG. 17;

FIG. 19 is a flowchart showing processing in the Client when referring to a confidential file stored in the secondary storage device in the embodiment of FIG. 10;

FIG. 20 is a flowchart showing a continuation of FIG. 19;

21 is a configuration diagram of a confidential file list and an access policy data table stored in an access policy management unit in the embodiment of FIG. 10;

FIG. 22 is an overall configuration diagram showing a third embodiment of the present invention.

FIG. 23 is a diagram illustrating a client configuration according to the third embodiment.

FIG. 24 is a configuration diagram of a content distribution proxy in the third embodiment.

FIG. 25 is a schematic configuration diagram of content access log data stored in a content distribution proxy in the third embodiment.

FIG. 26 is a schematic configuration diagram of user information of an accessible user recorded in the user information / unique key DB in the third embodiment.

FIG. 27 is a diagram showing, in chronological order, the overall flow of a content distribution service in the third embodiment.

FIG. 28 is a flowchart when a content is downloaded and viewed with a dedicated viewer in the third embodiment.

FIG. 29 is a flowchart of a process performed by a dedicated viewer when storing content data in a client in the third embodiment.

FIG. 30 is a diagram of a dedicated viewer interface according to the third embodiment.

FIG. 31 is a diagram illustrating transition of an interface when registering a digital content distribution service using a dedicated viewer in the third embodiment.

FIG. 32 is a view illustrating a sequel to FIG. 31;

FIG. 33 is an overall configuration diagram showing a fourth embodiment of the present invention.

FIG. 34 is a configuration diagram of a client according to the fourth embodiment.

FIG. 35 is a configuration diagram of a content distribution proxy in the fourth embodiment.

FIG. 36 is a diagram showing, in chronological order, the flow of the entire content distribution service in the fourth embodiment.

FIG. 37 is a flowchart of the entire system when a content is downloaded and viewed with a dedicated viewer in the fourth embodiment.

FIG. 38 is a flowchart of a process performed by a dedicated viewer when content data is stored in a client in the fourth embodiment.

FIG. 39 is an overall configuration diagram illustrating an example of a case where a distribution service is performed via a relay server.

FIG. 40 is a configuration diagram of a conventional system.

[Explanation of symbols]

11 Web server, 12 Router, 13 Network, 14 Client, 15, 61 Browser, 16 Hard copy prohibition module, 17 Secondary storage device, 18
Secondary storage device access control unit, 19 access token, 20 Proxy server, 22 confidential file URL registration unit, 23 Client 14 machine identifier database, 2
4 ... Received data analysis unit in Proxy, 25 ... Client machine authentication unit, 27 ... Confidential file identifier adding unit, 28 ... Confidential file encryption unit, 29 ... Common key database, 30 ... Communication hook module, 32 ... Confidential file identifier storage Unit, 33: encrypted file decryption unit, 34: common key storage unit, 35: reception data analysis unit, 36: transmission data analysis unit, 38: Client machine identifier addition unit, 39: Viewer start processing unit, 40: external Viewer 42, a confidential file display unit, 43, a confidential file cache unit, 44, a confidential file access / save processing unit, 45, a hard copy prohibition module activation processing unit, 46, a secondary access control unit activation processing unit, 47, an external viewer Start-up determination unit, 50: confidential file, 51: non-confidential file, 60: Viewer, 62: decryption common key database, 65: hardware A specific information,
Reference numeral 63: policy database, 64: policy management module, 6011: Viewer start determination unit, 6014: confidential file name data removal unit, 6015: encrypted confidential file decryption unit, 6016: confidential file display unit, 202: confidential file list and access Policy management unit, 203: request file access determination unit, 205: user authentication unit, 20
6, a common key selection unit for encryption; 207, a confidential file encryption unit; 210, a confidential file URL transmission unit; 211, a common key database for encryption; 212, a confidential file name change unit; 646: Policy encryption / decryption unit, 2201: Content distribution company, 2
202 ... Content server, 2203 ... Content distribution proxy, 2204 ... Internet, 2205a-2
205n, 2205: Client, 2206, 220
6a to 2206n: dedicated viewer, 2207: content, 22051: user unique key DB, 22052: secondary storage device, 22053: client unique data, 22
061 ... key search unit, 22062 ... key generation unit, 22063
... Decryption unit, 22065 ... Encryption / decryption unit, 22067 ...
Hard copy prohibition module, 22031 ... proxy server, 22032 ... management application, 22033
... User information / unique key DB, 22034 ... Log data storage unit, 22036 ... User authentication unit, 22037 ... Reception data analysis unit, 22038 ... Content encryption unit, 330
22 credit card company, 3303 client, 3305 content server, 3306 content, 3307 content distribution proxy, 3308 dedicated viewer, 3401 secondary storage device, 3402 credit card data, 3405 hard copy prohibition module, 3406 encryption / decryption unit, 3407 key generation unit, 3408 hash generation unit, 3501 proxy server, 3502 management application, 3503 user information / unique key DB, 3504 log data storage unit
3505: SSL communication control unit, 3506: user authentication unit, 3507: received data analysis unit, 3508: content encryption unit.

Claims (27)

[Claims] 1. An information providing system for transferring data to be provided held by a computer to a request source device via a network, comprising: a request source for the data to be provided held by the computer via a network. Accepts a transfer request from the device, authenticates the access authority of the requesting device itself or the requesting user, acquires the provided data from the computer according to the authentication result, and sends the requesting device via the network to the requesting device. An information providing system comprising a relay device for transferring. 2. The computer according to claim 1, wherein the computer holds first provision target data that requires authentication of an access right and second provision target data that does not require authentication. 2. The information providing system according to claim 1, wherein when the transfer request for the data to be provided is received, the access right is authenticated. 3. The relay device according to claim 1, further comprising means for encrypting the first data to be provided to be transferred to the requesting device using an encryption key unique to the requesting device or the requesting user. Item 2. The information providing system according to Item 2. 4. The decryption processing means, wherein the request source device decrypts the encrypted first provided data received from the relay device with a decryption key corresponding to an encryption key unique to the device itself or the request source user. And first output means for outputting the decrypted first data to be provided, and second output means for outputting the second data to be provided received from the relay device. 3. The information providing system according to 3. 5. The request source device determines whether the data is the first data to be provided or the second data to be provided, based on an identifier added to the data received from the relay device. Means for activating the first output means when the data is the data to be provided, and means for deleting the first data to be provided received from the relay apparatus if the first output means cannot be started normally. 5. The information providing system according to claim 4, wherein: 6. The request source device generates a key information unique to the own device based on information unique to the own device, and any one of the key information generated by the device and an encryption key unique to the requesting user. 6. The information providing system according to claim 4, further comprising means for encrypting the first data to be provided using one or both of them and storing the encrypted data in a secondary storage device. 7. The request source device according to claim 4, further comprising: a unit that prohibits a hard copy of the first data to be provided output to the first output unit. Information providing system described in section. 8. The request source device monitors input / output from / to an application in the request source device to / from the secondary storage device, and prohibits access to first provision target data that does not involve the first output means. 8. The information providing system according to claim 7, further comprising a secondary storage access control unit that performs the operation. 9. The request source device includes means for prohibiting the hard copy and means for not activating the first output means unless both of the secondary storage access control means are operating normally. The information providing system according to claim 8, wherein 10. The relay device and the request source device each include first storage means storing access right determination information for authenticating the access right of a user of the request source device. Item 6. The information providing system according to Item 6. 11. The request source device stores the first provision target data stored in the secondary storage device in the first storage means in the relay device every time or at a predetermined time. Means for acquiring the obtained access right determination information, and updating the access right determination information stored in the first storage means in the own device to the latest version,
11. The information providing system according to claim 10, wherein the presence / absence of the access right to the first data to be provided stored in the secondary storage device is determined based on the updated access right determination information. 12. The relay apparatus according to claim 1, wherein the relay apparatus authenticates an access right based on request source apparatus identification information added to a transfer request from the request source apparatus.
10. The information providing system according to any one of claims 9 to 9. 13. The information providing system according to claim 1, wherein the relay device acquires user identification information from a request source device and authenticates an access right. 14. The relay device according to claim 1, further comprising: a unit that, when the requesting user accesses the digital content, collects an access record for charging for the access. Information providing system described in. 15. The relay device according to claim 15, further comprising means for encrypting the digital content to be transferred to the requesting device using a unique key generated based on confidential information of the requesting user. 2. The information providing system according to 2. 16. The decryption processing means for decrypting the encrypted digital content received from the relay device with a unique key generated based on confidential information of the requesting user; 16. The information providing system according to claim 15, further comprising: means for outputting digital content data; and means for prohibiting a hard copy of the output digital content. 17. The request source device includes means for encrypting digital content using a unique key generated based on confidential information of a request source user and storing the encrypted digital content in a secondary storage device. The information providing system according to claim 16. 18. A device for transferring data to be provided held by a computer to a request source device via a network, wherein the data is transmitted from the request source device for the data to be provided held by the computer via the network. Means for receiving the transfer request and authenticating the access right of the requesting device or user, acquiring the provided data from the computer according to the result of the authentication of the access right, and transferring the data to the requesting device via the network. An information providing relay device comprising: 19. The information according to claim 18, further comprising means for encrypting the first provided data to be transferred to the requesting device using an encryption key unique to the requesting device or the requesting user. Offer relay device. 20. The information providing apparatus according to claim 18, further comprising means for encrypting the digital content to be transferred to the requesting device using a unique key generated based on the confidential information of the requesting user. Relay device. 21. An information processing apparatus for accessing and outputting via a relay apparatus for authenticating an access right to data held by a computer on a network, wherein the first information processing apparatus requires authentication of the access right. A first output unit for outputting the data to be provided, a second output unit for outputting the second data to be provided which does not require authentication of the access right, and a transfer request for the data to be accessed is transmitted to the relay device. Means for receiving data to be accessed via the relay device in accordance with the authentication result of the access right in the relay device, and means for receiving the first data to be provided if the received data is the first data to be provided. Means for starting and outputting the output means. 22. The first data to be provided is encrypted by using an encryption key unique to the requesting device or the requesting user, and the encrypted first data to be provided is decrypted. 22. The information processing apparatus according to claim 21, further comprising decoding processing means for outputting the data to the first output means later. 23. The first data to be provided is obtained by encrypting digital content with a unique key generated based on confidential information of a requesting user, and
22. The information processing apparatus according to claim 21, further comprising decoding processing means for decoding the data to be provided and outputting the data to the first output means. 24. A secondary storage device for storing the encrypted first data to be provided, means for prohibiting a hard copy of the first data to be provided output to the first output means, Secondary storage access control means for monitoring input / output to / from the secondary storage device from an application in the own device and prohibiting access to the first data to be provided without intervening the first output means. The information processing apparatus according to claim 23, characterized in that: 25. The apparatus according to claim 24, further comprising: means for not activating said first output means unless both said means for prohibiting hard copy and said secondary storage access control means are operating normally. Information processing device. 26. A means for generating key information unique to the own device based on information unique to the own device, and using one or both of the key information generated by the means and an encryption key unique to the requesting user. 25. The information processing apparatus according to claim 24, further comprising: means for encrypting the first data to be provided and storing the encrypted data in the secondary storage device. 27. A system comprising: means for encrypting the first data to be provided using a unique key generated based on confidential information of a requesting user and storing the encrypted data in a secondary storage device. Item 25. The information processing device according to item 24.