JP4799239B2 - Information leakage prevention method and removable media - Google Patents

Description

  The present invention is an information leakage prevention method capable of preventing confidential information taken out from being leaked to a third party outside the organization even when it is necessary to take out the confidential information in various organizations such as companies and organizations. And related to removable media.

Information leakage countermeasures have become an important issue for organizations such as companies due to the “Personal Information Protection Law” enforced since 2005.
As a countermeasure, information that should not be leaked outside the company is basically prohibited to be stored on removable media or portable computers and taken outside the company. If it is unavoidably taken, it must be encrypted. A system designed to do this has been developed.
Further, as disclosed in Patent Document 1 below, when using information stored in a removable medium, a memory system that refers to individual information of the removable medium has been proposed.
JP2000-112824

In a procedure for storing confidential information in a removable medium, a method of starting an encryption program, encrypting confidential information using the program, and storing the encrypted information in a removable medium is common. In general, in the procedure for decrypting encrypted confidential information, a method of starting a decryption program, decrypting the confidential information using the program, and storing it outside the removable medium is generally used. It is conceivable to use a method that does not permit easy decryption of encrypted confidential information by performing control that allows the program to be started only on a specific client computer.
However, if confidential information is stored on a removable medium without using an encryption program, it will be stored in plain text. As a result, confidential information on unauthorized client computers will be stored without using a decryption program. Storage is possible. This includes a risk that confidential information leaks outside the organization in the case of a usage mode in which decryption is permitted only within the organization.

  An object of the present invention is to provide an information leakage prevention method capable of preventing information leakage due to a non-encrypted plaintext file stored in a removable medium, and a removable medium used to implement the method.

In order to achieve the above object, an information leakage prevention method according to the present invention is a method for preventing information leakage by a removable medium connected to an information terminal device,
A first step in which the information terminal device recognizes an externally connected removable medium and activates information leakage monitoring means by a control program stored in a read-only area of the removable medium;
The activated information leakage monitoring means checks whether a plain text file is stored in the readable / writable area of the removable medium, and if it is stored, deletes the plain text file and then stores it in the readable / writable area. A second step of displaying a protected file group other than the stored plaintext file format on the display means of the information terminal device; and at the end of the monitoring of the information leakage monitoring means, the plaintext file is in a readable / writable area of the removable medium A third step of ending the monitoring process after deleting the plaintext file if the stored plaintext file is deleted.
The protected file group other than the plain text file format stored in the readable / writable area includes an encrypted program file that encrypts a file stored in the information terminal device and stores the encrypted file in the readable / writable area of the removable medium; A decryption program file for decrypting a file encrypted by the encryption program into the information terminal device, and a data file encrypted by the encryption program.
Further, the information leakage monitoring means checks whether the file is a plaintext file or a protection target file based on identification information set in advance for each file of the protection target file group.

The removable media according to the present invention is a removable media having a read-only area and a readable / writable area,
The read-only area of the removable media is activated by connecting the removable medium to the information terminal device, and at the time of activation and termination, checks whether a plain text file is stored in the readable / writable area, If stored, a control program for forming an information leakage monitoring means for deleting the plaintext file is stored, and the readable / writable area has a format other than the plaintext file format protected by the information leakage monitoring means. The protected file can be stored.
In the readable / writable area, at least an encrypted program file that encrypts a file stored in the information terminal device and stores the encrypted file in the readable / writable area of the removable medium, and the encrypted program file A decryption program file for decrypting the file in the information terminal device is stored.

  According to the present invention, even if a plain text file is stored in a readable / writable area in the removable medium, the plain text file is detected and started when the information leakage monitoring means is started and terminated. Is deleted. As a result, the plaintext file cannot be taken out of the organization while being stored in the removable media, or the plaintext file stored in the removable media cannot be stored on an unauthorized information terminal device. Can be prevented from leaking.

Hereinafter, the present invention will be described in detail with reference to the drawings.
FIG. 1 is a block diagram showing an outline of the internal configuration of a removable medium (hereinafter referred to as USB memory) 1 according to the present invention, and a read-only first storage area (virtual CD-ROM area) 2 and read / write A possible second storage area (removable area section) 3 is provided, and the first storage area 2 stores a launcher program 6, a system file list 7, and various control files 8.
The USB memory 1 having this configuration is connected to a client computer (information terminal device) constituted by a personal computer or the like, and is used as an external storage device of the client computer.

The launcher program 6 identifies a launcher display process 13 for displaying a launcher screen on the display unit of the client computer to which the USB memory 1 is connected and a legitimate user, and the second storage area 3 described below. A password authentication process 14 for canceling the protection and a plain text file deletion process 15 for deleting the plain text file when the second storage area 3 includes the plain text file are provided.
In this block diagram, a password authentication process 14 and a plain text file deletion process 15 are provided in the launcher program 13. However, in the first storage area 2, the launcher program 13 is provided as a separate program instead of the launcher program 6. Also good.

  In the second storage area 3, a system file group 4 such as an encryption program 9, a decryption program 10, and various control files 11 is stored. The second storage area 3 also stores a data file group 5 such as an encrypted file 12 created by the encryption program 9. In this block diagram, the system file group 4 is arranged in the second storage area 3, but the system file group 4 may be arranged in the first storage area 2.

  The first storage area 2 is configured, for example, as a virtual CD-ROM area, and in this case, as shown in FIG. 2, the operating system 21 recognizes the USB memory 1 as a CD-ROM. Therefore, when the USB memory 1 is connected to the client computer 20, the operating system 21 of the client computer 20 recognizes that the USB memory 1 is connected, and then automatically launches the launcher program 6 in the first storage area 2. It is possible to start with.

  The second storage area 3 is configured as, for example, a removable area, and this area is protected by a password, and the release / setting of protection can be controlled by a program from outside the area. For example, as shown in FIG. 2, when the launcher program 6 in the first storage area 2 is started, a password input screen 22 is displayed, and an appropriate password is input by the user on the screen. Only the second storage area 3 is protected, and the storage area 3 can be used.

The encryption program 9 has a function of encrypting a plain text file in an area outside the USB memory 1 (for example, in the client computer 20) and storing it in the second storage area 3.
The decryption program 10 has a function of decrypting an encrypted document file stored in the second storage area 3 and a function of storing it in an area outside the USB memory 1 (for example, in the client computer 20).

FIG. 2 is a system configuration diagram showing an embodiment of an information system to which the present invention is applied.
When the USB memory 1 is connected to the client computer (information terminal device) 20, the operating system 21 in the client computer 20 recognizes that the USB memory 1 is connected, and the operating system 21 recognizes the CD-ROM area 2 of the USB memory 1. The launcher program 6 is automatically activated.

The launcher program 6 displays a password input screen 22 on the display unit of the client computer 20 after startup, and protects the second storage area 3 of the USB memory 1 if the user inputs an appropriate password on the screen. At the same time, the launcher screen 23 is displayed.
The user can start a program in the second storage area 3 by selecting a program to be operated from the launcher screen 23 (for example, the encryption program 9).
In addition, it can replace with the user authentication by a password and can perform user authentication using biometric information, such as a finger vein, a fingerprint, and an iris.

FIG. 3 shows a case where the plain text file 30 in the client computer 20 is encrypted by the USB memory 1, or conversely, the encrypted file 12 in the second storage area 3 is decrypted and stored in the client computer 20. It is a figure which shows an example of a form.
When the user selects the encryption program 9 using the launcher program 6, the encryption program 9 is activated by the client computer 20. Therefore, when the plain text file 30 in the client computer 20 is selected on the encryption program 9, the plain text file 30 can be encrypted and stored in the second storage area 3 of the USB memory 1.
Here, it is assumed that the decryption program 10 that converts the encrypted file 12 into the plaintext file 30 is controlled so that it cannot be activated only by a client computer that is permitted to perform decryption. That is, when the user selects the decryption program 10 using the launcher program 6, the decryption program 10 is activated. At the time of activation, the decryption program 10 makes a decryption permission determination to the operating system 21 of the client computer 20. Do. In this determination, it is determined whether or not decoding is possible for the client computer 20.
When it is determined that decryption is possible, when the user selects the encrypted file 12 using the decryption program 10, the encrypted file 12 can be decrypted and stored in the client computer 20.

  As for the decryption permission determination method, here, the unique information 31 of the client computer 20 is acquired from the operating system 21 in advance and registered in the USB memory 1, and each time the decryption program 10 is started, the client computer 20 This is realized by querying the operating system 21 for the unique information 31 and comparing it with the unique information 32 registered in the USB memory 1, but this determination method is an example, and other methods are used. It can be realized.

FIG. 4 shows an example of a usage form when an attempt is made to decrypt and save the encrypted file 12 in the second storage area 3 in the client computer 20 by the USB memory 1 in the client computer 20 that is not permitted to decrypt. FIG.
When the user activates the decryption program 9 in the second storage area 3 using the launcher program 6, the decryption program 9 stores the unique information 32 registered in the USB memory 1, and the operating system of the client computer 20. It is determined whether or not it matches the specific information 33 of 21. In this determination, if the unique information 32 and the unique information 33 do not match, the decryption process is not executed, and as a result, the encrypted file 12 cannot be decrypted into a plain text file.

However, as shown in FIG. 5A, since the protection of the second storage area 3 is released while the launcher program 6 is activated, the user does not use the encryption program 9. The plain text file 30 in the client computer 20 can be stored in the second storage area 3 as it is.
As a result, as shown in FIG. 5B, the plain text file 30 in the second storage area 3 can be taken out and stored in the client computer 20 where decryption is not permitted. It becomes possible to take out information in a format.
The present invention is configured as described with reference to FIG. 6 in order to prevent information leakage due to taking out information in the form of a flat file.

FIG. 6 is a diagram illustrating an example of a usage pattern in the case where the plaintext file 30 is deleted by the launcher program 6 when the plaintext file 30 exists in the second storage area 3.
As shown in FIG. 6, after the protection release to the second storage area 3 at the time of launching the launcher program 6 (after log-in) and before the protection setting of the second storage area 3 just before the launcher program 6 ends (logout) If a plain text file 30 exists in the second storage area 3 before, a process of deleting the file is performed. Note that the system file group 4 and the encrypted file 12 illustrated in FIG. 2 are not deleted.

FIG. 7 is a flowchart showing a process for detecting and deleting the plain text file 30 when the launcher program 6 in FIG. 6 is started.
The launched launcher program 6 first prompts the user to input a password in order to confirm whether the user has a proper use authority for the USB memory 1.
If the password is input by the user, the password is accepted, and the password is authenticated depending on whether or not it matches the password embedded in the USB memory 1 (steps 101 and 102). After the authentication is successful, the protection of the second storage area 3 is released and the plain text file check process is performed (step 103).
As a result of performing the plain text file check process, it is determined whether or not the file to be deleted exists (step 104), and if it exists, a process for deleting the file is performed (step 105). Thereafter, it is determined whether or not all the system file groups 4 are prepared in the second storage area 3 (step 106). ) Is started (step 107), and the process is terminated. If not, an error message is displayed on the display unit of the client computer 20 (step 108), and the process ends.

The error message is, for example, “Unavailable because the encryption / decryption program has been deleted. Please re-register the correct encryption / decryption program”.
When determining whether or not all the system file groups 7 are prepared, whether or not all the system file groups 7 are prepared is stored in the system file information registered in the system file list 7 of the first storage area 2 and the system file group 4. The determination is made based on whether the system file shortage flag, which is the result of comparison with the number of system files, is ON or OFF.
The system file shortage flag will be described in detail with reference to FIG.
By performing this determination, for example, when the encryption program 9 in the system file group 4 has been deleted by a malicious user, the plaintext file is stored in the second storage area 3 without being encrypted. And can be taken out.

FIG. 8 is a flowchart showing a process for detecting and deleting the plain text file 30 at the end of the launcher program 6 in FIG.
When the launched launcher program 6 is terminated, first, the launcher program 6 performs a plain text file check process (step 103). As a result of performing the plain text file check process, it is determined whether or not the file to be deleted exists (step 104), and if it exists, a process for deleting the file is performed (step 105). Thereafter, it is determined whether or not all the system file groups 4 are prepared in the second storage area 3 (step 106). If they are prepared, the protection setting of the second storage area 3 is performed, and then the launcher program 6 is executed. The processing ends (step 201). If not, an error message is displayed (step 108), the protection setting of the second storage area 3 is performed, the launcher program is terminated (step 201), and the process is terminated.

The error message is, for example, “The encryption / decryption program has been deleted and cannot be used anymore. Please re-register the correct encryption / decryption program”.
Here, the protection setting of the second storage area 3 is to prevent the user of the client computer 20 from recognizing that the second storage area 3 exists. Specifically, the system file group 4 and the data file group 5 in the second storage area 3 displayed on the display unit of the client computer 20 are deleted.
Also, releasing the protection setting of the second storage area 3 means that the user of the client computer 20 can recognize that the second storage area 3 exists. Specifically, the system file group 4 and the data file group 5 in the second storage area 3 are displayed on the display unit of the client computer 20.

FIG. 9 is a flowchart showing plain text file check processing in the flowcharts of FIGS.
When executing the plain text file check process, first, the drive path of the second storage area 3 to be checked is acquired (step 301). Further, the system file list 7 in the first storage area 2 is acquired (step 302). The system file list 7 is a file in which file information of the system file group 4 in the second storage area 3 is stored. Thereafter, a deletion target file search process is performed (step 303). In this deletion target file search process, the drive path information of the second storage area 3 obtained in step 301 is passed, and after the deletion target file search process is executed, the deletion target file list and the second The number of system files existing in the storage area 3 is returned. Thereafter, the number of system files registered in the system file list 7 acquired in step 302 is compared with the number of system files returned by executing the deletion target file search process in step 303. If they match as a result of the comparison, the deletion target file list is returned to the caller (step 306), and the process is terminated. If they do not match, a system file shortage flag is set (step 305), the deletion target file list is returned to the caller (step 306), and the process is terminated.

FIG. 10 is a flowchart showing the deletion target file search process in step 303 in the flowchart of FIG.
In this process, first, the search path passed from the caller is set as the search start position (step 401). Subsequent processing is repeated for the number of files / folders existing in the search path (steps 402 and 410).
In the repetitive processing, first, file / folder information is acquired (step 403). Next, it is determined whether or not the file / folder information has been acquired (step 404). If the file / folder information cannot be acquired, the loop process 402 is exited and the process ends.
If the file / folder information has been acquired, it is next determined whether or not the file / folder information (step 405). If it is not a file but a folder, the path of the folder is used as a search path (step 411), and the deletion target file search process is recursively called.
If it is a file, it is determined whether or not it is an encrypted file 12 created by the encryption program 9, and if it is an encrypted file 12, the search position is advanced (step 409).

If it is not the encrypted file 12, it is next determined whether or not the file currently being searched is a system file based on the system file list 7 acquired in step 302 of FIG. 9 (step 407). ).
If it is a system file, the system file count is incremented by 1 (step 412), and the search position is advanced to the next (step 409).
If it is not a system file, the file is added to the deletion target file list, and the search position is advanced to the next (step 409).

FIG. 11 is a view showing an example of the system file list 7 stored in the first storage area 2 and the file stored in the second storage area 3 based on the files registered in the system file list 7. An example is shown.
In the system file list 7, for each file of the system file group 4, the file name is described in a form including a relative path from the ROOT of the second storage area 3.
Since the drive path of the second storage area 3 is dynamically allocated when the USB memory 1 is connected to the client computer 20, it is not described in the system file list 7 and is shown in step 301 of FIG. Shall be acquired.

  Here, in the flowchart of FIG. 10, there are other methods for giving information identifying the file to the file in the determination of whether it is an encrypted file (step 406) and the determination of whether it is a system file (step 407). It is done.

FIG. 12 shows an example of a method for giving information for identifying a file to be protected, such as an encrypted file or a system file.
A hash calculation is performed based on the information of the protected file 2001 such as an encrypted file or a system file and the unique information 2002 of the USB memory 1 (step 2003), and the obtained hash value 2004 is assigned to the protected file 2001.
Here, the unique information 2002 of the USB memory 1 is used as the source of the hash calculation, but it is desirable that the information cannot be acquired from the user or is difficult to acquire. Therefore, for example, a secret key used for encryption / decryption processing can be used.

FIG. 13 is a flowchart showing processing for embedding identification information in the protect file 2001.
First, the unique information 2002 of the USB memory 1 is acquired. (Step 3001).
Next, a hash value 2004 is calculated based on the information of the protect file 2001 in which the identification information is embedded and the unique information 2002 acquired in step 3001 (step 3002). The hash value 2004 acquired by the calculation in step 3002 is added to the header of the protect file 2001 (step 3003).

FIG. 14 is a flowchart showing processing for determining whether the file is a protected file 2001.
First, the identification information given to the target file is extracted (step 4001).
Next, the unique information 2002 of the USB memory 1 is acquired (step 4002), and a hash value is calculated based on the unique information and the file from which the identification information is removed in step 4001 (step 4003). The identification information acquired in step 4001 is compared with the hash value calculated in step 4003 (step 4004). If they match, it is determined that the file is protected (step 4005). If they do not match, the file is not protected. That is, it is determined as a plain text file (step 4006).

In the file determination method using the identification information given to the protected file 2001, it is possible not only to determine whether the file is the protected file 2001, but also to determine whether the protected file 2001 has not been tampered with. .
In addition, when a user stores a file having the same name as the system file in the second storage area 3, it may be recognized as a system file and not deleted, but the user can store the information by embedding identification information. The file with the same name as the created system file can be surely deleted.

In the flowcharts of FIGS. 7 and 8, whether all the system files are prepared is checked before determining whether there is a plain text file. If all the system files are not found, an error message is displayed. Then, it can be configured to end without disclosing the file in the second storage area.
In such a configuration, the user cannot know at all what is stored in the second storage area, and therefore the removable medium in which the encryption / decryption program is deleted or altered by a malicious user. It is possible to reliably prevent the stored data from being taken out from the inside.

It is a functional block diagram which shows the structural example of the removable medium which concerns on this invention. FIG. 2 is a system configuration diagram illustrating an embodiment of an information system to which the removable medium of FIG. 1 is applied. It is a figure which shows the example which encrypts and preserve | saves the plaintext file in a client computer in USB memory, and the example which decrypts the encrypted file in USB memory as a plaintext file in the permitted client computer. It is a figure which shows the example which cannot decrypt the encryption file in a USB memory as a plaintext file in the client computer which is not permitted. It is a figure which shows the example which preserve | saves the plaintext file in a client computer as a plaintext file in USB memory, and the example which preserve | saves the plaintext file in a USB memory as a plaintext file in a client computer. It is a figure which shows the example which deletes the plaintext file in USB memory with a launcher program. It is a flowchart which shows the procedure which deletes the plaintext file in USB memory at the time of starting of a launcher program. It is a flowchart which shows the procedure which deletes the plaintext file in USB memory at the time of completion | finish of a launcher program. FIG. 9 is a flowchart showing a continuation of FIG. 7 and FIG. 8. 10 is a flowchart showing a continuation of FIG. 9. It is a figure which shows the example of the system file list used when deleting a plaintext file. It is a figure which shows the method to provide identification information to a protect file. It is a flowchart which shows the procedure which provides identification information to a protect file. It is a flowchart which shows the procedure which takes out identification information from the protect file to which identification information was given, and confirms it.

Explanation of symbols

1 USB memory 2 First storage area (CD-ROM area)
3 Second storage area (removable area)
4 System File Group 5 Data File Group 6 Launcher Program 7 System File List 8 Various Control Files 9 Encryption Program 10 Decryption Program 11 Various Control Files 12 Encrypted File 13 Launcher Display Process 14 Password Authentication Process 15 Plain Text File Deletion Process 20 Client Computer DESCRIPTION OF SYMBOLS 21 Operating system 22 Password input screen 23 Launcher screen 30 Plain text file 31 Specific information of client computer permitted to decrypt 32 Specific information of registered client computer permitted to decrypt 33 Specific information of client computer not permitted to decrypt 1001 System File list 2001 Protect file 2002 Unique information 2005 Protect given identification information File

Claims (5)

A method for preventing information leakage due to removable media connected to an information terminal device,
A first step in which the information terminal device recognizes an externally connected removable medium and activates information leakage monitoring means by a control program stored in a read-only area of the removable medium;
The activated information leakage monitoring means checks whether a plain text file other than the plain text system file is stored in the readable / writable area of the removable media, and if so, deletes the plain text file A second step of displaying on the display means of the information terminal device a system file in plain text format stored in the readable and writable area and a protection target file group other than the plain text file format;
At the end of the monitoring of the information leakage monitoring means, it is checked whether a plain text file other than the plain text system file is stored in the readable / writable area of the removable medium, and if so, the plain text file is deleted. And a third step of ending the monitoring process.   The protected file group other than the plain text file format stored in the readable / writable area includes an encrypted program file that encrypts a file stored in the information terminal device and stores the encrypted file in the readable / writable area of the removable medium; 2. The information leakage prevention according to claim 1, wherein the file is a decryption program file for decrypting a file encrypted by an encryption program into the information terminal device, and a data file encrypted by the encryption program. Method. The information leakage monitoring means extracts the hash value calculated based on the data content of the file attached to the identification target file of the protection target file group and the unique information of the removable medium, and then the unique information of the removable medium Hash value is calculated from the data contents of the identification target file and the calculated hash value is compared with the hash value attached to the identification target file. 3. The information leakage prevention method according to claim 1, wherein the information leakage is identified as a file . A removable medium having a read- only area and a readable / writable area,
The removable medium read-only area is activated by connecting the removable medium to the information terminal device, and at the time of activation and termination , a plain text file other than a plain text system file is stored in the readable / writable area. If it is stored, a control program for forming an information leakage monitoring means for deleting the plaintext file is stored, and the readable / writable area is stored by the information leakage monitoring means. Removable media characterized in that files to be protected other than the plain text file format to be protected can be stored.   In the readable / writable area, at least an encrypted program file for encrypting a file stored in the information terminal device and storing it in the readable / writable area of the removable medium, and a file encrypted by the encryption program are stored. 5. The removable medium according to claim 4, wherein a decryption program file to be decrypted is stored in the information terminal device.

Images