JP2002217980A - Devices and methods, for relaying data, sending data, and approving sending - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent approved electronic documents from being transmitted incorrectly, in a transmitting system for transmitting electronic documents. SOLUTION: A mail sender terminal 3 sends electronic documents to a mail check device 1; the mail check device 1 and a mail approver terminal 4 approve the electronic documents and generate a hash value from the electronic documents, and notify the generated hash value to a mail filter device 2, that records the notified hash value; and the mail sender terminal 3 sends the approved electronic documents to the mail filter device 2 that, generates a hash value from the sent electronic documents and compares the generated hash value with the recorded hash value, to certify the data of the electronic documents and transfers the electronic documents to a mail receiver terminal 6, when it is certified as approved.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a system for electronically transmitting an electronic document, and more particularly to a system for preventing an authorized electronic document from being illegally transmitted.

[0002]

2. Description of the Related Art FIG. 13 is a block diagram showing a conventional message transmission acknowledgment system disclosed in Japanese Patent Application Laid-Open No. 6-205043. In FIG. 13, the creator-side terminal device 7 sets the approval attribute to “necessary” when the created message requires approval, and sets the approval attribute to “unnecessary” when approval is unnecessary, and sets the subject, destination, The data is added to the message data as cover data together with the data of the creator and the approver, and transmitted to the approver-side terminal device 9. In the approver-side terminal device 9, the receiving unit 9-1 receives the message data transmitted for approval from the creator-side terminal device 7. The received message data is displayed on the display unit 9-3 by the message management unit 9-4, and in accordance with the approver's instruction, the message editing unit 9-7 converts the data input from the input unit 9-8. , Compose a message,
Edit messages such as corrections. The approval unit 9-5 changes the approval attribute to "completed" when the message data can be approved, and changes it to "impossible" when the message data cannot be approved. The check unit 9-9 instructs the transmission unit 9-10 to transmit the message data to the destination terminal device 8 only when the approval attribute of the cover data added to the message data is “unnecessary” or “done”. . The transmitting unit 9-10 transmits the message data whose approval attribute has been checked by the checking unit 9-9 to the transmission destination specified by the checking unit 9-9.

[0003]

In the message transmission approval system as described above, the creator determines whether or not the message needs to be approved, and adds necessary or unnecessary data to the message and adds the data to the approver. You are sending a message to For this reason, in a system that filters electronic documents based on a preset security policy, even if an approved electronic document cannot be transmitted if it violates the security policy, Each time an approval document is sent, the security policy is changed, and there is a problem that operation is not easy.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-described problem. In a system for filtering an electronic document based on a preset security policy, even if the security policy is violated. It is possible to obtain a mail inspection filter system capable of transmitting an approved document.

[0005]

A data relay device according to the present invention receives transmission data transmitted from a data transmission device to a data reception device, and transmits the received transmission data to the data reception device. A data relay device that performs data authentication on predetermined transmission data among received transmission data, and determines whether to transmit the predetermined transmission data to the data receiving device based on a result of the data authentication, A transmission data receiving unit for receiving transmission data from the data transmission device; an authentication target data determination unit for determining authentication target data requiring data authentication from the transmission data received by the transmission data reception unit; Authentication for receiving first authentication information used for data authentication of the authentication target data determined by the authentication target data determination unit Notification receiving means, using at least a part of the authentication target data determined by the authentication target data determining means, authentication information generating means for generating second authentication information used for data authentication of the authentication target data, Using the first authentication information received by the authentication information receiving means and the second authentication information generated by the authentication information generating means, perform data authentication of the authentication target data, and perform authentication by data authentication. Transmission permission / rejection determining means for determining transmission of the authentication target data to the data receiving apparatus.

The data relay device is connected to a transmission acknowledgment device that authorizes the data transmission device to transmit specific transmission data from the data transmission device to the data reception device. The determination unit determines the approval transmission data transmitted from the data transmission device based on the approval by the transmission approval device as the data to be authenticated. The authentication information receiving unit transmits the approval transmission data from the transmission approval device. Receiving the first authentication information used for data authentication, the authentication information generating means generates at least a part of the approval transmission data, and generates second authentication information used for data authentication of the approval transmission data. Wherein the transmission permission / refusal determining means generates the first authentication information received by the authentication information receiving means and the authentication information generating means. Using the obtained second authentication information, performing data authentication of the approval transmission data, and determining transmission of the approval transmission data authenticated by the data authentication to the data receiving device. .

[0007] The data relay device determines whether or not to transmit received transmission data to the data receiving device based on a predetermined permission criterion. Whether the specified transmission data is transmitted to the data receiving device regardless of whether or not the data is transmitted, and the transmission permission / rejection determining means determines whether the approved transmission data has been authenticated by data authentication. In contrast, transmission to the data receiving device is determined regardless of whether the permission criterion is met.

The authentication information receiving means receives, as the first authentication information, a hash value generated from at least a part of the data to be authenticated, and the authentication information generating means outputs the hash value as the second authentication information. And generating a hash value from at least a part of the authentication target data.

A data transmitting apparatus according to the present invention generates transmission data to be transmitted to a data receiving apparatus, performs data authentication on predetermined transmission data among the generated transmission data, and performs the data authentication based on a result of the data authentication. A data transmission device that determines whether to transmit predetermined transmission data to the data reception device, the transmission data generation unit generating the transmission data, and the transmission data generation unit generating the transmission data. An authentication target data determining unit that determines authentication target data requiring data authentication, and an authentication information receiving unit that receives first authentication information used for data authentication of the authentication target data determined by the authentication target data determining unit. Using at least a part of the authentication target data determined by the authentication target data determining unit, Authentication information generating means for generating second authentication information used for data authentication of the data, the first authentication information received by the authentication information receiving means and the second authentication generated by the authentication information generating means And transmission permission / non-permission determining means for performing data authentication of the data to be authenticated using the information, and determining transmission of the data to be authenticated authenticated by the data authentication to the data receiving device. .

[0010] The data transmitting apparatus is connected to a transmission acknowledgment apparatus for authorizing the data transmitting apparatus to transmit specific transmission data from the data transmitting apparatus to the data receiving apparatus. The determining unit determines, as the data to be authenticated, approval transmission data that has been approved for transmission to the data receiving device by the transmission approval device, and the authentication information receiving unit transmits the approval transmission data of the approval transmission data from the transmission approval device. Receiving first authentication information used for data authentication, the authentication information generating means, using at least a part of the approval transmission data, to generate second authentication information used for data authentication of the approval transmission data,
The transmission permission / non-permission determining unit uses the first authentication information received by the authentication information receiving unit and the second authentication information generated by the authentication information generating unit to perform data authentication of the transmission authorization data. And performing transmission to the data receiving device for the approved transmission data authenticated by the data authentication.

[0011] A transmission acknowledgment device according to the present invention authorizes a data transmission device to transmit specific transmission data to a data reception device and, based on the acknowledgment of transmission to the data reception device, transmits the data transmission device. A transmission approval device that performs data authentication on the approval transmission data based on a request from a data authentication request device that requests data authentication for the approval transmission data transmitted from the device, and receives the transmission data from the data transmission device. Data reception means, transmission data approval means for approving, to the data transmission apparatus, transmission of the specific transmission data among the transmission data received by the data reception means, to the data reception apparatus; By using at least a part of the transmission data approved by the data approval unit,
First authentication information generating means for generating first authentication information used for data authentication of the approval transmission data; and data authentication for requesting data authentication of the approval transmission data including the approval transmission data from the data authentication request device. A data authentication request receiving unit that receives a request, and using at least a part of the approval transmission data included in the data authentication request received by the data authentication request reception unit, for use in data authentication of the approval transmission data Second authentication information generating means for generating second authentication information; the first authentication information generated by the first authentication information generating means; and the second authentication generated by the second authentication information generating means. Data authentication means for performing data authentication of the approval transmission data using the information and notifying the data authentication request device of the data authentication result. And wherein the Rukoto.

[0012] The transmission approval apparatus further includes an authentication information registration unit that sets a registration number in the first authentication information generated by the first authentication information generation unit and registers the first authentication information. Wherein said data authentication request receiving means comprises:
Receiving a data authentication request including the registration number set by the authentication information registration means, the data authentication means,
Based on the registration number included in the data authentication request,
The first authentication information is obtained from the authentication information registration unit, and the approval transmission is performed using the obtained first authentication information and the second authentication information generated by the second authentication information generation unit. Data authentication of data is performed.

A data relay method according to the present invention receives transmission data transmitted from a data transmission device to a data reception device, transmits the received transmission data to the data reception device, and transmits the received transmission data to the data reception device. A data relay method of performing data authentication on predetermined transmission data, and determining whether to transmit the predetermined transmission data to the data receiving device based on a result of the data authentication,
A transmission data receiving step of receiving transmission data from the data transmission device; an authentication target data determining step of determining authentication target data requiring data authentication from the transmission data received in the transmission data receiving step; An authentication information receiving step of receiving first authentication information used for data authentication of the authentication target data determined by the target data determination step, and at least a part of the authentication target data determined by the authentication target data determination step An authentication information generating step of generating second authentication information used for data authentication of the authentication target data using the first authentication information and the authentication information generating step received by the authentication information receiving step. The data of the authentication target data using the second authentication information Authenticate, and having a transmission permission determining step of determining the transmission to the data receiving device for the authenticated authentication object data by the data authentication.

The authentication information receiving step receives, as the first authentication information, a hash value generated from at least a part of the data to be authenticated, and the authentication information generating step includes, as the second authentication information, And generating a hash value from at least a part of the authentication target data.

The data transmission method according to the present invention generates transmission data to be transmitted to a data receiving device, performs data authentication on predetermined transmission data among the generated transmission data, and performs the data authentication based on a result of the data authentication. A data transmission method for determining whether or not to transmit predetermined transmission data to the data receiving device, comprising: a transmission data generation step of generating the transmission data; and a transmission data generation step of generating the transmission data. An authentication target data determining step of determining authentication target data requiring data authentication, and an authentication information receiving step of receiving first authentication information used for data authentication of the authentication target data determined by the authentication target data determining step; , At least a part of the authentication target data determined in the authentication target data determining step An authentication information generating step of generating second authentication information used for data authentication of the authentication target data using the first authentication information and the authentication information generating step received by the authentication information receiving step. Using the second authentication information, performing data authentication of the data to be authenticated, and determining whether to transmit the data to be authenticated by the data authentication to the data receiving device. It is characterized by having.

A transmission acknowledgment device according to the present invention authorizes a data transmission device to transmit specific transmission data to a data reception device and, based on the acknowledgment of transmission to the data reception device, transmits the data transmission device. A transmission approval method for performing data authentication on the approval transmission data based on a request from a data authentication requesting device requesting data authentication on the approval transmission data transmitted from the device, wherein the transmission data is received from the data transmission device. A data reception step; a transmission data approval step of approving, to the data transmission apparatus, transmission of the specific transmission data among the transmission data received in the data reception step to the data reception apparatus; By using at least a part of the transmission data approved by the data approval step, A first authentication information generating step of generating first authentication information used for data authentication of the approval transmission data, and data authentication requesting data authentication of the approval transmission data including the approval transmission data from the data authentication request device. A data authentication request receiving step of receiving a request, and using at least a part of the approval transmission data included in the data authentication request received in the data authentication request reception step, for use in data authentication of the approval transmission data A second authentication information generating step of generating second authentication information; the first authentication information generated by the first authentication information generating step; and the second authentication generated by the second authentication information generating step. Using information and
Performing a data authentication of the approval transmission data and notifying a result of the data authentication to the data authentication requesting device.

[0017]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 FIG. 1 is a diagram showing a configuration of a mail inspection filter system according to the present embodiment including a data transmission device, a data relay device, and a transmission approval device. In FIG. 1, reference numeral 1 denotes an approval request mail including an electronic document requiring approval from the sender terminal 3, checks the received approval request mail, and converts the received approval request mail into an approval request mail received in accordance with an instruction from the mail approver terminal 4. This is a mail inspection device that approves an electronic document included. 2 determines whether the mail sent from the mail sender terminal 3 matches a predetermined security policy (permission criteria), and forwards only the mail that matches the security policy to the mail receiver terminal 6 It is a filter device (data relay device). Reference numeral 3 denotes a sender terminal (data transmission device) that sends a mail to the mail receiver terminal 6. Reference numeral 4 denotes a mail approver terminal used by a mail approver who determines whether or not to approve an electronic document requiring approval contained in the approval application mail received by the mail inspection apparatus 1. Reference numeral 5 denotes a mail transfer device that transfers mail transmitted from the mail sender terminal 3. 6
Is a mail receiver terminal (data receiving device) that receives a mail transmitted from the mail sender terminal 3. In addition,
The mail inspection device 1 and the mail approver terminal 4 are collectively referred to as a transmission approval device. The mail approver terminal 4 corresponds to a transmission data approval unit of the transmission approval device.

Next, the operation of the mail inspection filter system according to the present embodiment will be briefly described. When sending a mail including an electronic document that does not match a predetermined security policy (permission criteria) set in the mail filter device 2 to the mail receiver terminal, first, the mail sender terminal 3 obtains approval for transmission. Therefore, an approval application mail including an electronic document requiring approval is transmitted to the mail inspection device. The approval application mail transmitted from the mail sender terminal 3 reaches the mail inspection device 1 via the mail transfer device 5. The email approver who approves the electronic document,
The mail inspection apparatus 1 is operated from the mail approver terminal 4 to perform approval processing, and the hash value generated from the approved electronic document is notified to the mail sender terminal 3. Further, the mail inspection device 1 also notifies the mail filter device 2 of the hash value generated from the approved electronic document.

Next, the mail sender terminal 3 receives a hash value, which is information indicating that the electronic document has been approved, from the mail inspection device 1, and attaches the approved electronic document and the received hash value. Send the approved email to the email recipient. The mail transfer device 5 transfers the approved mail transmitted from the mail sender terminal 3 to the mail filter device 2, and the mail filter device 2 generates a hash value generated from an electronic document included in the transferred approved mail. Then, data authentication of the electronic document is performed based on the hash value notified from the mail inspection device 1. As a result of the data authentication, if it is confirmed that the electronic document is approved by the mail approver terminal 4, the mail is transferred to the mail receiver terminal 6, and the transferred mail is sent to the mail transfer device 5. The mail arrives at the mail receiver terminal 6 via the terminal.

Next, each device constituting the mail inspection filter system shown in FIG. 1 will be described. FIG.
2 shows a configuration of a mail sender terminal 3. Also, the mail receiver terminal 6 has the same configuration. 3-1 in the figure
Is a mail sending / receiving means. Mail sending / receiving means 3-1
Has a function of sending and receiving e-mails to and from arbitrary addresses and attaching arbitrary data (including electronic documents) to the e-mails. Reference numeral 3-2 denotes an approval application mail including an electronic document requiring approval (also referred to as a transmission document). 3-3 is a hash value transmitted from the mail inspection device 1 when the transmission of the electronic document is approved by the mail inspection device 1 and the mail approver terminal 4. 3-4 is an approved mail (approval transmission data) transmitted from the mail sender terminal 3 to the mail receiver terminal 6 after the transmission of the electronic document is approved by the mail inspection device 1 and the mail approver terminal 4. And includes the approved electronic document and the hash value transmitted from the mail inspection device 1. The approved mail transmitted from the mail sender terminal 3 reaches the mail filter device 2 via the mail transfer device 5, and after the mail filter device 2 authenticates the approved mail, the mail receiver terminal 6 is transmitted. Although not shown, the mail sender terminal 3 naturally includes mail generation means (transmission data generation means) for generating mail.

FIG. 3 shows the configuration of the mail approver terminal 4. The mail approver terminal 4 includes an electronic document browsing means (browser, communication software, etc.) 4-1, an input unit 4-2, a display unit 4-3, and an input / output device. The electronic document browsing unit 4-1 performs browsing of an electronic document, a notification function of an approval result, acquisition of an input from an input unit, and output of display data to a display unit. The input unit 4-2 transfers input data from an input device (keyboard or mouse) connected to the mail approver terminal 4 to the electronic document browsing unit 4-1. The display unit 4-3
The data passed from the electronic document browsing means 4-1 is displayed on an output device (such as a display monitor) connected to the mail approver terminal 4.

FIG. 4 shows the configuration of the mail transfer device 5.
The mail transfer device 5 includes a mail transmitting unit 5-1 and a mail receiving unit 5-2. Mail transmission means 5-1
Sends to the destination mail address described in the mail. The mail receiving unit 5-2 performs a mail receiving process.

FIG. 5 shows the configuration of the mail filter device 2. The mail filter device 2 includes a mail receiving unit 2-1,
E-mail management means 2-2, security policy management means 2-3, security policy inspection means 2-4, security policy recording means 2-5, hash value generation means 2
-6, a mail transmission means 2-7. The mail receiving means 2-1 receives the mail transmitted from the mail sender terminal 3 and transferred by the mail transfer device 5. That is, the mail receiving unit 2-1 functions as a transmission data receiving unit. The mail management means 2-2 accumulates the mail obtained from the mail receiving means 2-1 and transfers the mail to the security policy checking means 2-4 when requested by the security policy checking means 2-4. The security policy management means 2-3 adds the approved mail rule 2-5-2 to the security policy 2-5 in response to a request from the mail inspection device 1. The security policy management means 2-3 receives a hash value (first authentication information) or the like used for data authentication of the approved mail from the mail inspection device 1, and converts the received hash value or the like into an approved mail rule 2-5. Add to -2. Therefore, the security policy management unit 2-3 functions as an authentication information receiving unit. The security policy checking unit 2-4 compares the rules stored in the security policy recording unit 2-5 with the characteristics of the received mail (sender address, recipient address, mail size, presence / absence of attachment, etc.) and finds a match. If so, perform the action defined in the rule. That is, the security policy checking means 2-4 determines the approved mail from the received mail, performs data authentication on the determined approved mail, and converts the approved mail into a mail receiver terminal based on the result of the data authentication. 6 is determined. Therefore, the security policy inspection unit 2-4 functions as an authentication target data determination unit and a transmission permission / rejection determination unit. The security policy recording means 2-5 accumulates rules defining conditions and operations for filtering mail. The hash value generation unit 2-6 generates a hash value using the electronic document included in the received mail. This hash value is used as second authentication information at the time of data authentication of the approved mail by the security policy checking means 2-4. Therefore, the hash value generation unit 2-6 functions as an authentication information generation unit. The mail transmitting means 2-7 transmits the mail to the mail transfer device 5 in order to transfer the mail to the recipient address of the mail.

FIG. 6 shows the configuration of the mail inspection apparatus 1.
The mail checking device 1 includes a mail receiving unit 1-1, a transmission document management unit 1-2, a transmission document management area 1-3, a transmission document browsing unit 1-4, a transmission approval unit 1-5, a hash value generation unit 1--1. 6. E-mail transmission means 1-7 and security policy registration means 1-8. The mail receiving means (data receiving means) 1-1 receives the approval request mail transmitted from the mail sender terminal 3 and transferred by the mail transfer device 5, and receives the approval request mail received by the transmission document managing means 1-2. give. The transmission document management means 1-2 accumulates the approval request mail in the transmission document management area 1-3 and adds it to the approval waiting mail list 1-3-1. When the transmission document management unit 1-2 receives the request for obtaining the approval application mail from the transmission approval unit 1-5, the transmission document management unit 1-2 sends the requested approval application mail and sends the mail from the transmission document management area 1-3. Then, the corresponding item in the mail list 1-3-1 waiting for approval is deleted. The transmission document management area 1-3 stores the received approval request mail 1-3-2 and approval waiting mail list 1-3.
Store -1. According to a request from the electronic document browsing means 4-1 of the mail approver terminal 4, the transmitted document browsing means 1-4 receives an approval waiting mail list 1-3-1 and a requested approval application mail 1-3-2. Sending document management means 1
-2 and transmitted to the mail approver terminal 4. Further, the transmission document browsing means 1-4 obtains the approval result from the electronic document browsing means 4-1 of the mail approver terminal 4, and passes it to the transmission approval means 1-5. When the approval result is passed from the transmission document browsing means 1-4, the transmission approval means 1-5 performs processing according to the approval result. If the approval result is "approved"
The corresponding approval application mail is obtained from the transmission document management unit 1-2, the attached electronic document is extracted, passed to the hash value generation unit 1-6, and the hash value is obtained from the hash value generation unit 1-6. The transmission approval unit 1-5 passes the obtained hash value, the sender mail address and the receiver mail address extracted from the approval application mail to the security policy registration unit 1-8, and transmits the hash value to the mail sender terminal. Then, the hash value is passed to the mail transmission means 1-7 for transmission to E-mail 3. Hash value generation means 1-6
Calculates a hash value using a hash function algorithm (MD4, MD5, SHA-1, etc.) from the electronic document passed from the transmission approval unit 1-5, and
Pass the hash value to -5. The mail transmitting unit 1-7 transmits the notification mail to the mail transfer device 5 to transmit the notification mail for notifying the hash value to the mail sender terminal 3. The security policy registration unit 1-8 generates a rule from the sender mail address, the receiver mail address, and the hash value passed from the transmission approval unit 1-5, and passes the rule to the mail filter device 2.

Next, the operation of the mail inspection filter system according to this embodiment will be described. As a precondition, the mail filter device 2 stores the mail transfer control rule 2-5-1 for overseas to the security policy recording unit 2.
It is assumed that the data is accumulated in -5 (FIG. 5). In the overseas mail transfer control rule 2-5-1, a condition 1 in which the recipient's mail address includes a character string indicating an overseas mail address, a condition 2 in which an electronic document is attached, a condition 1 and When the condition 2 is satisfied, an operation of not forwarding the mail is defined as an operation of the rule.

Under the above prerequisites, in order for the mail sender to send mail to the mail receiver terminal 6 overseas,
The mail sender first needs to obtain approval by the mail inspection device 1 and the mail approver terminal 4. For this reason, as shown in FIG.
2 is transmitted from the mail sender terminal 3 to the mail inspection device 1. The approval application mail 3-2 includes an electronic document to be approved (electronic document for overseas), a sender mail address, and a receiver mail address. Mail sending / receiving means 3-1
Sends the approval request mail 3-2 to the mail transfer device 5 in order to send the mail to the mail inspection device 1.

The mail receiving means 1-1 of the mail inspection device 1 shown in FIG. 6 acquires the approval request mail 3-2 from the mail transfer device 5 at regular intervals. The mail receiving unit 1-1 that has received the approval request mail passes the approval request mail to the transmission document management unit 1-2. The transmission document management unit 1-2 places the obtained approval application mail in the transmission document management area 1-3, and creates an approval waiting mail list 1-3-1. The approval waiting mail list 1-3-1 is created by extracting the reception date and time, the applicant name, the applicant mail address, the receiver name, the receiver mail address, and the application document name from the obtained approval application mail.

The mail approver connects to the mail inspection device 1 from the mail approver terminal 4 using the electronic document browsing means 4-1 (FIG. 3), and activates the transmission document browsing means 1-4 shown in FIG. I do. The transmission document browsing means 1-4 acquires the approval waiting mail list 1-3-1 from the transmission document management means 1-2 and displays it on the electronic document browsing means 4-1. The mail approver selects a document to be viewed for performing approval processing from the mail waiting list 1-3-1 displayed on the mail approver terminal 4 by pressing a browse button. FIG. 7 is a screen example of the mail approver terminal displaying the mail list waiting for approval 1-3-1. The sent document browsing unit 1-4 acquires an approval application mail from the sent document managing unit 1-2 by pressing the browse button by the mail approver, extracts an electronic document from the mail, and displays it from the electronic document browsing unit 4-1. Output to the output unit and display on the output device. FIG. 8 is a screen example of the mail approver terminal 4 displaying the electronic document to be viewed. After viewing the electronic document, the mail approver returns to the mail list screen and presses the approval YES button to approve transmission of the viewed electronic document to the mail receiver terminal 6. If the e-mail approver does not approve transmission of the viewed electronic document to the e-mail receiver terminal 6 after viewing the electronic document,
Return to the mail list screen and press the approval NO button.

Upon confirming that the mail approver has pressed the approval YES button for the viewed electronic document, the transmission document browsing means 1-4 confirms the approval result indicating the approval, the electronic document, the sender address and the receiver address. To the transmission approval means 1-5. Further, the transmission document browsing means 1-4 includes:
When confirming that the mail approver has pressed the approval NO button of the viewed electronic document, the mail approver sends an approval result indicating that the approval is not given and the sender address to the transmission approval unit 1-5.

When the approval result is not approved, the transmission approval means 1-5 uses the mail transmission means 1-7 to send a notification mail including a message indicating that the requested electronic document is not approved to the sender address. And send. The transmission approval unit 1-5 passes the approved electronic document to the hash value generation unit 1-6 when the approval result is approval. The hash value generation means 1-6 is a hash function algorithm (MD
4, MD5, SHA-1, etc.), and calculates a hash value from the approved electronic document, and returns the hash value to the transmission approval unit 1-5. The transmission approval unit 1-5 transmits a message indicating that the requested electronic document has been approved and a notification mail including a hash value to the sender address using the mail transmission unit 1-7. The transmission approval unit 1-5 stores the hash value, the sender address, and the recipient address of the electronic document in the security policy registration unit 1.
Hand over to -8. Security policy registration means 1-8
The hash value, the sender address and the recipient address are stored in the security policy management means 2 of the mail filter device.
Hand over to 3.

The security policy management means 2-3 of the mail filter device 2 transmits a condition 1, based on the notification from the security policy registration means 1-8 of the mail inspection device 1, that the sending mail address is an approved sender address, Condition 2 in which the received mail address is an approved recipient address, Condition 3 with an attached file, and Condition 4 in which the hash value calculated from the electronic document included in the mail matches the hash value recorded in the rule condition. If the conditions 1, 2, 3, and 4 are met, an approved mail rule 2-5-2 defining an operation of transferring the mail is added to the security policy recording means 2-5. This rule is recorded in the security policy recording unit 2-5 as a rule having a higher priority than other rules stored in the security policy. E-mail that matches the conditions of both rules is accepted by the security policy management means 2-3 by the approved mail rule 2-5-5 with high priority.
2 is performed.

On the other hand, in the mail inspection device 1, the mail transmission means 1-7 which has received the notification mail from the transmission approval means 1-5 transmits the notification mail to the mail transfer device 5.

The mail sender uses the mail sending / receiving means 3-1 of the mail sender terminal 3 to acquire the notification mail transferred from the mail transfer device 5. The mail sender confirms that the applied electronic document has been approved based on the contents of the notification mail. Further, the mail sender extracts the hash value from the notification mail using the mail transmitting / receiving means 3-1. Thereafter, the mail sender transmits the approved mail including the hash value and the approved electronic document to the mail receiver terminal 6 using the mail transmitting / receiving means 3-1.

The mail transfer device 5 includes the mail sender terminal 3
The received approved mail is forwarded to the mail filter device 2.

Mail receiving means 2 of mail filter device 2
-1 receives the approved mail transferred from the mail transfer device 5, and stores the received approved mail in the mail management means 2-
Hand over to 2. The security policy checking unit 2-4 of the mail filter device 2 acquires a specific mail from the plurality of mails stored in the mail management unit 2-2, and the mail is recorded in the security policy recording unit 2-5. Checks whether the rule matches. That is, it is determined whether or not the obtained mail is an approved mail requiring data authentication. Security policy checking means 2-4
Acquires the sender address and the recipient address from the acquired mail. Security policy checking means 2
-4 examines the rules recorded in the security policy recording means 2-5 for rules having conditions matching the sender address and the recipient address obtained from the mail. Here, the approved mail transmitted from the mail sender terminal 3 is the condition 1 of the approved mail rule 2-5-2,
Conditions 2 and 3 are met, that is, condition 1 where the outgoing mail address is the approved sender address, condition 2 where the received mail address is the approved receiver address, and condition 3 where the attached file exists.

The acquired mail is the approved mail rule 2
After it is confirmed that the conditions 1, 2, and 3 of -5-2 are matched, the security policy checking unit 2-4 converts the approved mail into a hash value generating unit 2-6 to perform data authentication of the approved mail. Pass to. The hash value generation means 2-6 includes:
Using the hash function algorithm, a hash value is calculated from the electronic document included in the approved mail, and the calculated hash value is passed to the security policy checking unit 2-4. The security policy checking means 2-4 outputs the hash value recorded in the condition 4 of the approved mail rule 2-5-2 (the hash value generated by the mail checking apparatus 1 and acquired by the security policy managing means 2-3). Value) and a hash value generated from the electronic document included in the approved mail. Here, rule 2-5 for approved mail
The hash value recorded in -2 is the first authentication information, and the hash value generated from the electronic document included in the approved mail is the second authentication information. If the hash values match, the condition 1 of the approved mail rule 2-5-2,
2, 3, and 4, the security policy checking means 2-4 checks the approved mail rule 2-5-2.
As an operation of, the approved mail is sent to the mail receiver terminal 6.
Using the mail sending means 2-7 to transfer to
The message is transmitted to the mail transfer device 5.

The mail transfer device 5 transfers the approved mail to the mail receiver terminal 6.

The mail receiver receives mail from the mail transfer device 5 at the mail receiver terminal 6 using the mail transmitting / receiving means 3-1.

As described above, by the mail inspection device,
Because the rules for forwarding approved emails could be updated automatically, even in systems that filter electronic documents based on pre-set security policies, Any approved document can be sent. In addition, the mail filter device compares the hash value created by the mail inspection device at the time of approval application with the hash value generated from the approved electronic document included in the approved mail, so the mail sender Even if the electronic document is falsified, the falsification can be checked.

Embodiment 2 FIG. 9 is a diagram showing a configuration of a mail inspection filter system according to the present embodiment,
FIG. 3 is a diagram specifically illustrating a configuration of the mail sender terminal 3 in detail.
In the figure, 3-1 to 3-4 are the same as those described in the first embodiment. In the present embodiment, a mail checking means 3-5 is newly added.
Also, as in the first embodiment, although not shown, the mail sender terminal 3 naturally includes a mail generation unit (transmission data generation unit) for generating a mail.

The mail checking means 3-5, from the mail generated by the mail generating means, the mail (data to be authenticated) requiring data authentication, that is, the mail is checked by the mail checking apparatus 1 and the mail approver terminal 4 for approval. An approved mail (approval transmission data) including the electronic document that has been sent is determined. Then, data authentication of the determined approved mail is performed, and only the approved mail authenticated by the data authentication is transmitted to the mail receiver terminal 6. The mail checking unit 3-5 includes a hash value checking unit 3-6, a hash value generating unit 3-7, and a mail transferring unit 3-8. The hash value inspection means 3-6 acquires the mail from the mail transmission / reception means 3-1 and determines an approved mail from the acquired mail. Also, data authentication is performed on the determined approved mail using the hash value. As a result of the data authentication, when the approved mail is authenticated, that is, when it is confirmed that the electronic document attached to the approved mail has been approved,
Allow sending authenticated approved emails. For this reason,
The hash value inspection unit 3-8 functions as an authentication target data determination unit and a transmission permission / rejection determination unit. The hash value generation means 3-7 is provided with a hash function algorithm (MD4, MD4).
5, SHA-1, etc.) to calculate a hash value from the electronic document attached to the approved mail. Therefore, the hash value generation unit 3-7 functions as an authentication information generation unit. The mail transfer unit 3-8 transfers the mail to the mail transfer device 5.

Next, the operation of the mail inspection filter system according to the present embodiment will be described. The first half of the operation is the same as that of the first embodiment.
Is an approval application mail 3-2 containing an electronic document requiring approval
Is transmitted to the mail inspection apparatus 1. If the electronic document is approved as a result of the inspection of the mail inspection device 1 and the mail approver terminal 4, the mail sender terminal 3 is connected to the mail transmission / reception unit 3-
1 to obtain a notification mail from the mail transfer device 5. As in the first embodiment, the notification mail includes a hash value (first authentication information) 3-3 generated from the approved electronic document. For this reason, the mail transmitting / receiving means 3-1 has a hash value 3-3 as the first authentication information.
Function as an authentication information receiving means for receiving the password. The mail sender confirms that the applied electronic document has been approved based on the contents of the notification mail. Further, the mail sender extracts the hash value from the notification mail using the mail transmitting / receiving means 3-1. The mail sender instructs the mail receiver terminal 6 to transmit the approved mail 3-4 including the hash value extracted from the notification mail and the approved electronic document to the mail receiver terminal 6 using the mail transmitting / receiving means 3-1. Based on the transmission instruction from the mail sender, the mail sending / receiving means 3-1 sends the approved mail to the mail checking means 3- on the mail sender terminal 3.
Hand over to 5.

In the mail checking means 3-5, the hash value checking means 3-6 determines whether or not the acquired mail is an approved mail based on whether or not the obtained mail includes a hash value. If it is determined that the mail is not the approved mail, the mail is passed to the mail transfer means 3-8 as it is. on the other hand,
If it is determined that the mail has been approved, the electronic document and the hash value attached to the approved mail are extracted. The extracted electronic document is passed to the hash value generation unit 3-7.
The hash value generation means 3-7 calculates a hash value from the given electronic document and passes it to the hash value inspection means 3-6. The hash value inspection unit 3-6 compares the hash value generated by the hash value generation unit 3-7 with the hash value attached to the approved mail. Here, the hash value attached to the approved mail is the first authentication information, and the hash value generated by the hash value generation unit 3-7 is the second authentication information. If the hash values match, the mail transfer means 3-8 transfers the mail to the mail transfer device 5. If the hash values do not match, the mail transfer means 3-8 sends to the mail transfer device 5 a message notifying that the electronic document attached to the sender is not an approved document,
Discard the email.

As described above, by inspecting the electronic document attached to the e-mail by the e-mail inspection means on the e-mail sender terminal, before sending the e-mail to the e-mail filter device, the data indicating whether or not the e-mail has been approved Can be authenticated. That is, data authentication of the approved mail performed by the mail filter device can be performed in advance on the mail sender terminal. For this reason, unnecessary mail transfer is not performed, and the load on the mail filter device and the mail inspection device can be reduced.

Embodiment 3 FIGS. 10, 11 and 12
It is a figure showing the composition of the mail inspection filter system concerning this embodiment. FIG. 10 shows the configuration of the mail sender terminal 3. In the figure, 3-1 and 3-2 are the same as those described in the first embodiment. 3-9 is the registration number of the hash value notified from the mail inspection device 1. As described later, the mail inspection device 1 sets a registration number to a hash value generated from the approved electronic document,
The hash value is registered, and the registration number 3-9 is the registration number of the hash value set by the mail inspection device 1. Reference numeral 3-10 denotes an approved mail including the registration number 3-9.

FIG. 11 shows the configuration of the mail filter device 2. Each component shown in FIG. 11 is the same as that shown in the first embodiment. However, the approved mail rule is not recorded in the security policy recording unit 2-5. Also, FIG. 11 does not include the security policy management unit 2-3 and the hash value generation unit 2-6 included in FIG. 5 described in the first embodiment.

FIG. 12 shows the configuration of the mail inspection apparatus 1. In the figure, 1-1 to 1-7 are the same as those described in the first embodiment. In the present embodiment, a hash value registration table 1-9, a hash value inspection unit 1-10, a hash value search unit 1-11, and a hash value registration unit 1-12 are newly added. The hash value registration means 1-12 is provided with a hash value generation means 1-
The registration number 1-9-1 is set to the hash value generated in step 6 and registered in the hash value table 1-9. Therefore, the hash value registration unit 1-12 functions as an authentication information registration unit. The hash value registration table 1-9 is
The registration number 1-9-1 and the hash value 1-9-2 set by the hash value registration unit 1-12 are registered in association with each other. The hash value inspection unit 1-10 receives a data authentication request including a specific approved mail from the mail filter device 2, and performs data authentication of the approved data based on the received data authentication request. Specifically, the hash value 1-9 registered in the hash value registration table 1-9
Using -2 and the hash value generated from the electronic document included in the approved mail, data authentication of the approved mail is performed. Therefore, the hash value inspection unit 1-10 functions as a data authentication request receiving unit and a data authentication unit. The hash value search unit 1-11 searches the hash value registration table 1-9 to obtain a specific hash value.

Next, the operation will be described. As in the first embodiment, as a prerequisite, the mail filter device 2 has an overseas transfer control rule 2-5-1 set in the security policy recording unit 2-5. This rule is based on the condition 1 that includes a character string indicating that the mail address of the mail recipient is an overseas mail address, the condition 2 where an electronic document is attached, and the mail that matches the conditions 1 and 2 The operation of (1) is to transfer the mail to the mail inspection device 1, determine whether or not to transfer the mail to the mail receiver terminal 6 based on the inspection result, and define the operation of performing the mail transfer process.

First, as in the first embodiment, the mail sender terminal 3 sends an approval request mail 3-2 including an electronic document requiring approval to the mail inspection device 1. The mail inspection device 1 displays the electronic document included in the approval application mail on the mail approver terminal 4. When the mail approver approves transmission of an e-mail to the recipient after viewing the electronic document, the e-mail approver displays a screen of the e-mail waiting for approval 1-3-1.
Press the approval YES button. The transmission document browsing means 1-4 includes:
After confirming that the e-mail approver presses the approval YES button for the viewed electronic document, the approved electronic document,
Sending approval means 1 for sender address and receiver address
Send to -5. The transmission approval unit 1-5 passes the approved electronic document to the hash value generation unit 1-6. The hash value generation means 1-6 uses a hash function algorithm,
A hash value is calculated from the electronic document, and the calculated hash value is returned to the transmission approval unit 1-5. In this case, the hash value generation unit 1-6 functions as a first authentication information generation unit. The transmission approval unit 1-5 passes the hash value to the hash value registration unit 1-8. The hash value registration unit 1-8 generates a registration number 1-9-1 for managing the hash value, and uses the registration number 1-9-1 and the hash value 1-9-1 as one data as the hash value registration table 1. Add to -9. The hash value registration unit 1-8 passes the registration number 1-9-1 to the transmission approval unit 1-5. The transmission approval unit 1-5 transmits a notification mail including a message indicating that the requested electronic document has been approved to the sender address using the mail transmission unit 1-7. This notification mail includes the registration number 1-9-1 of the hash value 1-9-2 registered in the hash value registration table 1-9. Mail sending means 1-7
Is sent to the mail transfer device 5 with the registration number 1-9-
Send a mail that contains 1.

As shown in FIG. 10, the mail sender obtains a notification mail from the mail transfer device 5 by using the mail transmitting / receiving means 3-1 of the mail sender terminal 3. The mail sender confirms that the applied electronic document has been approved based on the contents of the notification mail. Further, the mail sender extracts the registration number 3-9 from the notification mail using the mail transmitting / receiving means 3-1. The mail sender transmits the approved mail 3-10 including the retrieved registration number 3-9 and the approved electronic document 3-2 to the mail receiver terminal 6 using the mail transmitting / receiving means 3-1. I do. The mail transfer device 5 transfers the received approved mail to the mail filter device 2.

As shown in FIG. 11, the mail receiving means 2-1 of the mail filter device 2 transfers the received approved mail to the mail managing means 2-2. The security policy checking means 2-4 of the mail filter device 2 acquires the mail stored in the mail management means 2-2 and checks whether the mail matches the rules of the security policy 2-5. The security policy checking unit 2-4 acquires a sender address and a recipient address from the acquired mail. The security policy checking means 2-4 checks the rules held in the security policy recording means 2-5 for rules having conditions matching the sender address and the recipient address obtained from the mail. Since the recipient address is an overseas address and there is an attached file,
This matches the transfer control rule for overseas mail 2-5-1. Therefore, the security policy checking means 2-4
Sends a data authentication request of the approved mail to the inspection device 1. This data authentication request includes an approved mail (electronic document and registration number) to be authenticated.

Next, as shown in FIG. 12, the hash value checking means 1-10 of the mail checking device 1 receives the data authentication request from the mail filter device 2, and receives the approved data authentication request included in the received data authentication request. The registration number is obtained from the mail, and the obtained registration number is passed to the hash value search means 1-11. The hash value search means 1-11 searches the hash value registration table 1-9 using the registration number as a key. If a matching registration number is found in the hash value registration table 1-9, the hash value searching means 1-11 checks the hash value 1-9-2 registered with the registration number 1-9-1.
And passes it to the hash value checking means 1-10. If there is no matching registration number in the hash value registration table 1-9, a null value is passed to the hash value checking means 1-10 as a search error. When a null value is returned from the hash value search unit 1-11, the hash value check unit 1-10 determines that the corresponding mail has not been registered, and returns an error to the mail filter device 2 as a check result. When the hash value is returned from the hash value searching means 1-11, the hash value checking means 1-10 passes the electronic document attached to the approved mail to the hash value generating means 1-6. The hash value generation unit 1-6 calculates a hash value from the electronic document using a hash function algorithm (MD4, MD5, SHA-1, etc.) and returns the calculated hash value to the hash value inspection unit 1-10. . The hash value generating means 1-6 in this case functions as a second authentication information generating means. The hash value inspection unit 1-10 includes a hash value (first authentication information) passed from the hash value search unit 1-11 and a hash value (second authentication information) generated from the electronic document by the hash value generation unit 1-6. Information) to perform data authentication. If the hash values match, a normal result is returned to the mail filter device 2 as the inspection result. If the hash values do not match, an error is returned to the mail filter device 2 as a check result.

The mail filter device 2 acquires the inspection result of the approved mail from the mail inspection device 1. If the inspection result is normal, the mail is transferred to the mail transfer device 5 to the mail receiver terminal 6. The mail transfer device 5 transfers the mail to the mail receiver terminal 6. The mail receiver receives the mail from the mail transfer device 5 at the mail receiver terminal 6 using the mail transmitting / receiving means 3-1. If the check result indicates an error, the mail transmitting device 5 transmits a mail to the mail sender terminal 3 to notify that the mail cannot be transmitted.

As described above, since the electronic document attached to the mail is checked on the mail checking device, the load on the mail filter device can be reduced. In addition, since the rules stored in the security policy of the mail filter device are not changed, the risk of lowering the security level due to frequent changes in the security policy of the mail filter device can be reduced.

In the first to third embodiments, the data relay device, the data transmission device and the transmission approval device according to the present invention have been described. However, the data relay method, the data relay method, and the data It is also possible to realize a transmission method and a transmission approval method.

Here, the features of the present invention described above are summarized as follows. The mail inspection filter system according to the present invention is a system for filtering an electronic document to be transmitted based on a security policy set in advance.In the transmission of an electronic document requiring approval, a hash function of the approved electronic document is used. A hash value is calculated, and the hash value is compared with the hash value of the transmitted electronic document. When the hash values match, a mail is transmitted.

[0057]

As described above, according to the present invention, the rule for forwarding approved mail can be automatically updated by the mail inspection apparatus, and therefore, the mail inspection apparatus can automatically update the rule based on a preset security policy. Thus, even in a system for filtering an electronic document, even if the document violates the security policy, the document can be transmitted as long as the document is approved. In addition, the mail filter device compares the hash value created by the mail inspection device at the time of approval application with the hash value generated from the approved electronic document included in the approved mail, so the mail sender Even if the electronic document is falsified, the falsification can be checked.

As described above, according to the present invention, the electronic document attached to the mail is checked by the mail checking means on the mail sender terminal, so that the mail is sent to the mail filter device before being sent to the mail filter device. Data authentication of whether or not has been completed. That is, data authentication of the approved mail performed by the mail filter device can be performed in advance on the mail sender terminal. For this reason, unnecessary mail transfer is not performed, and the load on the mail filter device and the mail inspection device can be reduced.

As described above, according to the present invention, since the electronic document attached to the mail is checked on the mail checking device, the load on the mail filter device can be reduced. In addition, since the rules stored in the security policy of the mail filter device are not changed, the risk of lowering the security level due to frequent changes in the security policy of the mail filter device can be reduced.

[Brief description of the drawings]

FIG. 1 is a diagram showing a configuration of a mail inspection filter system.

FIG. 2 is a diagram showing a configuration of a mail sender terminal.

FIG. 3 is a diagram showing a configuration of a mail approver terminal.

FIG. 4 is a diagram showing a configuration of a mail transfer device.

FIG. 5 is a diagram showing a configuration of a mail filter device.

FIG. 6 is a diagram showing a configuration of a mail inspection device.

FIG. 7 is a view showing a display example of an approval waiting mail list displayed on a mail approver terminal;

FIG. 8 is a view showing a display example of a browsed electronic document displayed on a mail approver terminal.

FIG. 9 is a diagram showing a configuration of a mail sender terminal.

FIG. 10 is a diagram showing a configuration of a mail sender terminal.

FIG. 11 is a diagram showing a configuration of a mail filter device.

FIG. 12 is a diagram showing a configuration of a mail inspection device.

FIG. 13 is a diagram showing a configuration of a conventional technique.

[Explanation of symbols]

1 mail inspection device, 2 mail filter device, 3 mail sender terminal, 4 mail approver terminal, 5 mail transfer device, 6 mail receiver terminal, 7 creator side terminal device,
8 Approver terminal device, 9 Destination terminal device.

Claims (12)

[Claims] 1. A transmission data transmitted from a data transmission device to a data reception device is received, and the received transmission data is transmitted to the data reception device. A data relay device that determines whether or not to transmit the predetermined transmission data to the data receiving device based on a result of the data authentication, wherein the transmission device receives the transmission data from the data transmission device. Data receiving means, authentication target data determining means for determining authentication target data requiring data authentication from the transmission data received by the transmission data receiving means, and the authentication target data determined by the authentication target data determining means Authentication information receiving means for receiving first authentication information used for data authentication, and said authentication target data determining means An authentication information generation unit that generates second authentication information used for data authentication of the authentication target data by using at least a part of the authentication target data determined by the authentication target data; Using one authentication information and the second authentication information generated by the authentication information generating means, perform data authentication of the authentication target data, and receive the data for the authentication target data authenticated by the data authentication. A data relay device comprising: transmission permission / rejection determination means for determining transmission to the device. 2. The data relay device is connected to a transmission acknowledgment device that authorizes the data transmission device to transmit specific transmission data from the data transmission device to the data reception device. The target data determination unit determines the approval transmission data transmitted from the data transmission device based on the approval by the transmission approval device as the authentication target data, and the authentication information receiving unit determines the approval from the transmission approval device by the transmission approval device. Receiving first authentication information used for data authentication of transmission data, the authentication information generation unit uses at least a part of the approval transmission data to generate second authentication information used for data authentication of the approval transmission data. The transmission permission / non-permission determining unit generates the first authentication information received by the authentication information receiving unit and the authentication information generating unit. Using the generated second authentication information, performs data authentication of the approval transmission data, and determines transmission to the data receiving device for the approval transmission data authenticated by the data authentication. The data relay device according to claim 1, wherein: 3. The data relay device determines whether or not to transmit received transmission data to the data receiving device based on a predetermined permission criterion, and the transmission approval device determines whether the specific transmission data is Acknowledging that the specific transmission data is transmitted to the data receiving apparatus irrespective of whether or not the data satisfies the permission criterion; For transmitted data,
The data relay device according to claim 2, wherein transmission to the data receiving device is determined regardless of whether or not the permission criterion is satisfied. 4. The authentication information receiving unit receives, as the first authentication information, a hash value generated from at least a part of the data to be authenticated, and the authentication information generating unit executes the second authentication. The data relay device according to any one of claims 1 to 3, wherein a hash value is generated from at least a part of the authentication target data as information. 5. Generating transmission data to be transmitted to a data receiving device, performing data authentication on predetermined transmission data among the generated transmission data, and converting the predetermined transmission data to the data based on a result of data authentication. What is claimed is: 1. A data transmission device that determines whether or not to transmit to a receiving device, comprising: a transmission data generation unit that generates the transmission data; and an authentication target requiring data authentication among the transmission data generated by the transmission data generation unit. Authentication target data determining means for determining data; authentication information receiving means for receiving first authentication information used for data authentication of the authentication target data determined by the authentication target data determining means; and the authentication target data determining means Using at least a part of the authentication target data determined by Authentication information generating means for generating authentication information, and using the first authentication information received by the authentication information receiving means and the second authentication information generated by the authentication information generating means, A data transmitting device, comprising: transmission permission / rejection determining means for performing data authentication of target data and determining transmission of the authentication target data authenticated by the data authentication to the data receiving device. 6. The data transmitting apparatus is connected to a transmission acknowledgment apparatus for authorizing the data transmitting apparatus to transmit specific transmission data from the data transmitting apparatus to the data receiving apparatus; The target data determination unit determines, as the authentication target data, the approval transmission data that has been approved for transmission to the data reception device by the transmission approval device, and the authentication information receiving unit transmits the approval transmission from the transmission approval device. Receiving first authentication information used for data authentication of data, the authentication information generating means generates second authentication information used for data authentication of the approval transmission data, using at least a part of the approval transmission data. The transmission permission / refusal determination unit is configured to generate the first authentication information received by the authentication information receiving unit and the authentication information generation unit Using the second authentication information, performing data authentication of the transmission approval data, and determining transmission of the approval transmission data authenticated by the data authentication to the data receiving device. 6. The data transmission device according to 5. 7. Approving a data transmission device to transmit specific transmission data to a data reception device, and acknowledgment transmission transmitted from the data transmission device based on acknowledgment of transmission to the data reception device. A transmission approval device that performs data authentication on the approval transmission data based on a request from a data authentication request device that requests data authentication for data, wherein the data reception unit receives transmission data from the data transmission device; and Transmission data approval means for approving, to the data transmission apparatus, transmission of the specific transmission data among the transmission data received by the reception means to the data reception apparatus; Using at least a part of the transmission data, a second one used for data authentication of the approval transmission data. First authentication information generating means for generating authentication information, and data authentication request receiving means for receiving, from the data authentication request device, a data authentication request including the approval transmission data and requesting data authentication of the approval transmission data, A second authentication unit that generates, using at least a part of the approval transmission data included in the data authentication request received by the data authentication request receiving unit, second authentication information used for data authentication of the approval transmission data; Information generation means, using the first authentication information generated by the first authentication information generation means and the second authentication information generated by the second authentication information generation means, A data authentication unit that performs data authentication and notifies a result of the data authentication to the data authentication requesting device. 8. The authentication information registration, further comprising: setting a registration number in the first authentication information generated by the first authentication information generation means, and registering the first authentication information. Means, the data authentication request receiving means receives a data authentication request including the registration number set by the authentication information registration means, and the data authentication means receives the registration included in the data authentication request. Based on the number,
The first authentication information is obtained from the authentication information registration unit, and the approval transmission is performed using the obtained first authentication information and the second authentication information generated by the second authentication information generation unit. The transmission approval device according to claim 7, wherein data authentication of data is performed. 9. Receiving transmission data transmitted from the data transmission device to the data reception device, transmitting the received transmission data to the data reception device, and transmitting a predetermined transmission data among the received transmission data. A data relaying method for determining whether or not to transmit the predetermined transmission data to the data receiving device based on a result of the data authentication. A data receiving step; an authentication target data determining step of determining authentication target data requiring data authentication from the transmission data received in the transmission data receiving step; and the authentication target data determined by the authentication target data determining step An authentication information receiving step of receiving first authentication information used for data authentication of An authentication information generating step of generating, using at least a part of the authentication target data determined in the target data determining step, second authentication information used for data authentication of the authentication target data; and receiving the authentication information in the authentication information receiving step. Using the obtained first authentication information and the second authentication information generated by the authentication information generating step, perform data authentication of the authentication target data, for the authentication target data authenticated by data authentication A transmission permission / rejection determining step of determining transmission to the data receiving apparatus. 10. The authentication information receiving step receives, as the first authentication information, a hash value generated from at least a part of the data to be authenticated, and the authentication information generating step includes: 10. The data relay method according to claim 9, wherein a hash value is generated from at least a part of the authentication target data as information. 11. Generating transmission data to be transmitted to a data receiving device, performing data authentication on predetermined transmission data among the generated transmission data, and converting the predetermined transmission data to the data based on a result of data authentication. A data transmission method for determining whether or not to transmit to a receiving device, comprising: a transmission data generation step of generating the transmission data; and an authentication target requiring data authentication among the transmission data generated by the transmission data generation step. An authentication target data determining step of determining data; an authentication information receiving step of receiving first authentication information used for data authentication of the authentication target data determined in the authentication target data determining step; and the authentication target data determining step Using at least a part of the authentication target data determined by Information generating step of generating second authentication information used for data authentication of the data, the first authentication information received by the authentication information receiving step, and the second authentication generated by the authentication information generating step And information, using the information, to perform data authentication of the data to be authenticated, and a transmission permission / rejection determining step of determining transmission of the data to be authenticated authenticated by the data authentication to the data receiving device. Data transmission method. 12. Approving a data transmission device to transmit specific transmission data to a data reception device, and acknowledgment transmission transmitted from the data transmission device based on acknowledgment of transmission to the data reception device. A transmission approval method for performing data authentication on the approval transmission data based on a request from a data authentication request device that requests data authentication for data, wherein the data reception step includes receiving transmission data from the data transmission device; A transmission data approval step of approving transmission to the data reception apparatus for the specific transmission data among the transmission data received in the reception step; and a transmission data approval step of approving the transmission data approval step. Using at least a part of the transmission data, the data of the approval transmission data is used. First authentication information generating step of generating first authentication information used for data authentication, and data receiving a data authentication request from the data authentication request device, the data authentication request including the approval transmission data and requesting data authentication of the approval transmission data. An authentication request receiving step, and using at least a part of the approval transmission data included in the data authentication request received in the data authentication request receiving step, second authentication information used for data authentication of the approval transmission data Using the first authentication information generated by the first authentication information generation step and the second authentication information generated by the second authentication information generation step A data authentication step of performing data authentication of the approval transmission data and notifying a result of the data authentication to the data authentication request device And a transmission approval method.