CN1612521A - File security management system and identification server, user's machine and program - Google Patents


Publication number
CN1612521A
Authority
CN
China
Legal status
Pending
Application number
CN200410086263.5A
Other languages
Chinese (zh)
Inventor
大池洁
Current Assignee
MULTI-ELEMENT NETWORK Co Ltd
Original Assignee
MULTI-ELEMENT NETWORK Co Ltd

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

A file creator (client device 30a) uses a dedicated viewer 32 to encrypt a file and to set and register the users permitted to use it and their usage rights. A user (client device 30b) who receives the encrypted file is authenticated by the authentication server 20 through the dedicated viewer 32, and can then decrypt and use the file within the usage rights granted to that user. Because neither the key nor the decrypted file is left with the user, security is improved. Because the authentication server sends a warning to the file creator or other responsible party when the authentication result is negative, those involved can investigate the cause immediately.

Description

File security management system, and authentication server, client computer and program therefor
Technical field
The present invention relates to a security management system, authentication server, client computer, program and recording medium for preventing unauthorized use of files that record digital content. In particular, it relates to a file security management system, and to an authentication server, client computer and program, in which the system consists of client computers and an authentication server. The authentication server authenticates the users of an encrypted file, which is created on a client computer with designated users and the usage rights granted to each user, and manages the key information used to decrypt the encrypted file.
Background art
With the recent development of information processing and communication network technology, it has become very common to sell various kinds of digital content (hereinafter "digital information") such as documents, graphics, images and databases over networks, and for people who belong to an organization within an enterprise or to a particular project to carry out their work while sharing the digital information they create in file form.
However, digital information has the following problems. It is easy to copy, and the information does not degrade however many times it is copied, so copies can easily be made and used illegally without legitimate usage rights. In addition, the digital information inside an enterprise includes a large amount of highly confidential information; it is possible to break into the enterprise network and steal confidential information, and insiders can easily copy confidential information and take it outside. Furthermore, when such digital information is sent and received between the parties concerned over a network, a third party with some knowledge of communication networks can steal it from the network.
Various technologies have been developed to deal with these problems, and most of them encrypt the digital information. Various encryption algorithms have been developed for this purpose. The widely used encryption techniques transform ordinary plaintext into ciphertext that cannot easily be understood, and restore it to plaintext. The encryption/decryption transformation (decryption is also called "restoration processing") is performed by an encryption algorithm controlled by a key.
A representative encryption scheme is the one called "asymmetric public-key encryption". In public-key encryption, each person (or each terminal) generates a pair consisting of an encryption key and a decryption (restoration) key, publishes the encryption key (also called the "public key"), and keeps the decryption key secret (also called the "private key"). Anyone who wants to send an encrypted document to party A can transform the plaintext into ciphertext with A's published public key (encryption key). Only recipient A, who holds the private key (decryption key), can decrypt this ciphertext. With this scheme, therefore, there is no need to distribute a key.
There is also a method of use in which a cipher scheme that uses the same shared key for encryption and decryption is employed: the encrypted digital information and the encrypted shared key are sent to the user together, and only a user who knows the shared key can read the information. There is also a scheme called digital signature, in which encryption and authentication of the information are performed at the same time. That is, the sender encrypts with the sender's own private key, then encrypts again with the recipient's public key, and sends the result. The recipient decrypts with the recipient's own private key, and then decrypts with the sender's public key.
However, when digital information is encrypted with these encryption algorithms, managing the keys needed for encryption and decryption is an important problem, whether a shared key is used or a public key and a private key are used. That is, unless the authentication of the creator and the users of the file that records the digital information, and the delivery of the encrypted file and the key between them, can be guaranteed, the confidentiality of the file, that is, of the digital information, cannot be guaranteed.
For example, as shown in Figure 14, (1) creator A creates a file recording digital content and encrypts it; to allow user B to use it, (3) creator A sends the encrypted file C to user B over a network or by other means. (4) The key D for decrypting the encrypted file can then be sent to user B over a separate channel. User B uses the key D received over the separate channel to decrypt the received encrypted file, and can then use the file created by creator A in decrypted form. (2) Creator A manages the key personally. In this scheme, (5) the key D and the decrypted file information remain in user B's hands. The danger that the key and the decrypted file leak from user B to a malicious third party therefore cannot be excluded. The situation is essentially the same when a public-key/private-key scheme is used; the only difference is that the private key is held by user B from the outset.
Accordingly, Japanese Laid-Open Patent Publication No. 2001-144745 discloses the following digital certification scheme: a key center is provided as a third-party body between the users, namely the file creator and the file user, and after the key center has personally authenticated each user, it mediates the delivery of the key from the file creator to the file user. That is, in the scheme disclosed in JP 2001-144745, a certification body serving as the key center is placed between the users, and (1) each user registers with the key center the information used for personal authentication; (2) when user A (the file creator) sends a file to user B (the file user), A sends the key center the communication key for B (the key used for encryption); (3) user A sends user B the file encrypted with the communication key; (4) the key center contacts user B and authenticates user B; (5) after user B has been authenticated, the key center sends B the communication key for B that A deposited in advance; (6) user B uses the communication key obtained from the key center to decrypt the file received from A (which was encrypted with the communication key).
However, in the digital certification scheme disclosed in JP 2001-144745, the key center sits between the file creator and the file user, and after authenticating the user it sends the file user the key deposited in advance by the file creator (the key for decrypting the encrypted file). Adding the user authentication step improves confidentiality somewhat, but the key and the decrypted file still remain with the user, so the problem described with reference to Figure 14 is not fundamentally solved.
Summary of the invention
The present invention has been made to solve the above problems of the prior art. Its object is to provide a file security management system with improved confidentiality, and an authentication server, client computer and program for it, where the system consists of client computers and an authentication server, and the authentication server authenticates the users of an encrypted file, which is created on a client computer with designated users and the usage rights granted to each user, and manages the key information used to decrypt the encrypted file.
It is also desirable that customers of this security system can use the security service while keeping their user information hidden from one another. Convenience would also improve if the service could be used between a customer of the security service and a third party who has not subscribed to it. A second object of the present invention is therefore to provide a file security system, and an authentication server, client computer and program, that allow files to be encrypted and encrypted files to be used beyond the boundary of a single customer.
To solve the above problems, according to one aspect of the present invention, there is provided a file security management system consisting of an authentication server and a plurality of client computers that are connected to it over a network and have a dedicated viewer, the client computers and the authentication server being configured as follows;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The client computer also has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The authentication server has an authentication information database, a file management database and an authentication unit. Users who encrypt files and/or users who use encrypted files are registered in the authentication information database. The file management database stores the key information for decrypting encrypted files, together with the identification information, users and usage rights information of the encrypted files registered from the client computers. The authentication unit, in response to an authentication request from a client computer, refers to these databases and authenticates the user against the designated users. When the authentication result is positive, the authentication server sends the client computer the usage rights information and key information set for the encrypted file.
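The registration and authentication exchange described above, together with the warning on a negative result mentioned in the abstract, sketched as an added Python example that is not code from the patent. Password login, the right names ("view", "print") and every class and function name are assumptions, since the patent does not specify them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Assumption: users log in with a password; the patent does not say how.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class FileRecord:
    creator: str
    key: bytes    # key information, stored only on the server
    rights: dict  # designated user -> frozenset of usage rights


@dataclass
class AuthServer:
    users: dict = field(default_factory=dict)     # authentication information DB
    files: dict = field(default_factory=dict)     # file management DB
    warnings: list = field(default_factory=list)  # notices for file creators

    def enroll(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _pw_hash(password, salt))

    def _login_ok(self, user_id, password):
        entry = self.users.get(user_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _pw_hash(password, salt))

    def register_file(self, creator, password, file_id, key, rights):
        """Authentication registration by the creator's viewer."""
        if not self._login_ok(creator, password) or file_id in self.files:
            return False
        frozen = {user: frozenset(r) for user, r in rights.items()}
        self.files[file_id] = FileRecord(creator, key, frozen)
        return True

    def request_access(self, user_id, password, file_id):
        """Authentication request by a user's viewer: (rights, key) or None."""
        record = self.files.get(file_id)
        if record is None:
            return None
        if not self._login_ok(user_id, password):
            return self._deny(record, file_id, user_id, "authentication failed")
        granted = record.rights.get(user_id)
        if granted is None:
            return self._deny(record, file_id, user_id, "not a designated user")
        return granted, record.key

    def _deny(self, record, file_id, user_id, reason):
        # Negative result: queue a warning for the creator to investigate.
        self.warnings.append((record.creator, file_id, user_id, reason))
        return None


class ViewerSession:
    """Dedicated viewer: key and rights live in memory for one session only."""

    def __init__(self, server, user_id, password, file_id):
        result = server.request_access(user_id, password, file_id)
        if result is None:
            raise PermissionError("authentication server refused access")
        self._rights, self._key = result

    def allowed(self, action):
        return action in self._rights

    def close(self):
        # Drop the references to key and rights when the session ends.
        self._key, self._rights = None, frozenset()


if __name__ == "__main__":
    # Constructed sample data: user names, passwords and file ID are made up.
    server = AuthServer()
    for uid, pw in [("creator_a", "pw-a"), ("user_b", "pw-b"), ("user_c", "pw-c")]:
        server.enroll(uid, pw)
    server.register_file("creator_a", "pw-a", "file-001",
                         secrets.token_bytes(32), {"user_b": {"view"}})
    session = ViewerSession(server, "user_b", "pw-b", "file-001")
    print("user_b may view:", session.allowed("view"))
    print("user_b may print:", session.allowed("print"))
    session.close()
    print("user_c result:", server.request_access("user_c", "pw-c", "file-001"))
    print("warnings:", server.warnings)
```

The key never appears in the file itself or in any stored client state; a user who is registered but not designated for the file gets no key, and the refusal is recorded for the creator.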
In addition, according to another aspect of the present invention, there is provided an authentication server that is connected over a network to a plurality of client computers having a dedicated viewer and that performs authentication for file security management;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The client computer and the authentication server can exchange information with each other, and the client computer has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The authentication server has an authentication information database, a file management database and an authentication unit. Users who encrypt files and/or users who use encrypted files are registered in the authentication information database. The file management database stores the key information for decrypting encrypted files, together with the identification information, users and usage rights information of the encrypted files registered from the client computers. The authentication unit, in response to an authentication request from a client computer, refers to these databases and authenticates the user against the designated users. When the authentication result is positive, the authentication server sends the client computer the usage rights information and key information set for the encrypted file.
In addition, according to another aspect of the present invention, there is provided a program that causes a computer to perform the following functions;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The computer constitutes the authentication server. The client computer and the authentication server can exchange information with each other, and the client computer has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The functions are: a function as an authentication unit that, in response to an authentication request from a client computer, refers to an authentication information database and a file management database and authenticates the user against the designated users, where users who encrypt files and/or users who use encrypted files are registered in the authentication information database, and the file management database stores the key information for decrypting encrypted files and the identification information, users and usage rights information of the encrypted files registered from the client computers;
and a function that, when the authentication result is positive, sends the client computer the usage rights information and key information set for the encrypted file.
In addition, according to another aspect of the present invention, there is provided a client computer that has a dedicated viewer and is connected over a network to an authentication server that performs authentication for file security management;
The client computer and the authentication server can exchange information with each other. The authentication server has an authentication information database, a file management database and an authentication unit. Users who encrypt files and/or users who use encrypted files are registered in the authentication information database. The file management database stores the key information for decrypting encrypted files, together with the identification information, users and usage rights information of the encrypted files registered from the client computers. The authentication unit, in response to an authentication request from a client computer, refers to these databases and authenticates the user against the designated users. When the authentication result is positive, the authentication server sends the client computer the usage rights information and key information set for the encrypted file;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The client computer also has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server.
In addition, according to another aspect of the present invention, there is provided a program that causes a computer to perform the following functions;
The computer constitutes a client computer that communicates with an authentication server. The authentication server has an authentication information database, a file management database and an authentication unit. Users who encrypt files and/or users who use encrypted files are registered in the authentication information database. The file management database stores the key information used to decrypt encrypted files, together with the identification information, users and usage rights information of the encrypted files registered from the client computers. The authentication unit, in response to an authentication request from a client computer, refers to these databases and authenticates the user against the designated users, and, when the authentication result is positive, sends the client computer the usage rights information and key information set for the encrypted file;
The functions are: a function as an encryption unit that, when a file is to be encrypted, sets through the dedicated viewer the users of the file and the usage rights granted to each user and encrypts the file; and a function as an authentication registration unit that registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
and, when a received encrypted file is to be used, a function as an authentication request unit that requests authentication from the authentication server through the dedicated viewer, and a function as a decryption unit that, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server.
In addition, according to a second aspect of the present invention, there is provided an authentication server that communicates with client computers;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The client computer and the authentication server can exchange information with each other, and the client computer has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The authentication server has an authentication information database, a file management database and an authentication unit. Users who encrypt files and/or users who use encrypted files are registered in the authentication information database. The file management database stores the key information for decrypting encrypted files, together with the identification information, users and usage rights information of the encrypted files registered from the client computers. The authentication unit, in response to an authentication request from a client computer, refers to these databases and authenticates the user against the designated users;
The authentication server has a plurality of authentication information databases and file management databases, one set provided for each customer, and also has a charging unit. The charging unit identifies the customer to which a client computer logging in to the authentication server belongs, performs processing using the corresponding authentication information database and file management database, and charges each customer.
In addition, according to another aspect of the present invention, there is provided a program that causes a computer to perform the following functions;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The computer constitutes the authentication server. The client computer and the authentication server can exchange information with each other, and the client computer has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The functions are: a function as an authentication unit that, in response to an authentication request from a client computer, refers to an authentication information database and a file management database and authenticates the user against the designated users, where users who encrypt files and/or users who use encrypted files are registered in the authentication information database, and the file management database stores the key information for decrypting encrypted files and the identification information, users and usage rights information of the encrypted files registered from the client computers;
and a function as a charging unit that identifies the customer to which the client computer sending the authentication request belongs and charges each customer.
In addition, according to a third aspect of the present invention, there is provided a file security management system consisting of an authentication server and a plurality of client computers that are connected to it over a network and have a dedicated viewer;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The client computer also has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The authentication server has an authentication information database, a personal address book database, a file management database and an authentication unit. Users belonging to a customer who encrypt files and/or use encrypted files are registered in the authentication information database. The personal address book database stores personal address books in which each such user individually registers the users of encrypted files. The file management database stores the key information for decrypting encrypted files, together with the identification information, users and usage rights information of the encrypted files registered from the client computers. The authentication unit, in response to an authentication request from a client computer, refers to these databases and authenticates the user against the designated users. When the authentication result is positive, the authentication server sends the client computer the usage rights information and key information set for the encrypted file.
In addition, according to another aspect of the present invention, there is provided an authentication server that is connected over a network to a plurality of client computers having a dedicated viewer and that performs authentication for file security management;
The client computer has an encryption unit and an authentication registration unit. When a file is to be encrypted, the encryption unit, through the dedicated viewer, sets the users of the file and the usage rights granted to each user and encrypts the file; the authentication registration unit registers the identification information of the encrypted file, the designated users and the usage rights information with the authentication server;
The client computer and the authentication server can exchange information with each other, and the client computer has an authentication request unit and a decryption unit. When a received encrypted file is to be used, the authentication request unit requests authentication from the authentication server through the dedicated viewer; the decryption unit, through the dedicated viewer, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The authentication server has an authentication information database, a personal address book database, a file management database and an authentication unit. Users belonging to a customer who encrypt files and/or use encrypted files are registered in the authentication information database. The personal address book database stores personal address books in which each such user individually registers the users of encrypted files. The file management database stores the key information for decrypting encrypted files, together with the identification information, users and usage rights information of the encrypted files registered from the client computers. The authentication unit, in response to an authentication request from a client computer, refers to these databases and authenticates the user against the designated users. When the authentication result is positive, the authentication server sends the client computer the usage rights information and key information set for the encrypted file.
In addition, as another form of the present invention, a program can be provided that causes a computer to perform the following function;
Wherein the client computer has an encryption mechanism and an authentication registration mechanism. When a file is to be encrypted, the encryption mechanism, through the dedicated reader, sets the users of the file and the usage rights granted to each user and then encrypts the file; the authentication registration mechanism registers the identification information of the encrypted file, the users that were set and the usage rights information with the authentication server;
The computer is the authentication server. The client computer and the authentication server can exchange information with each other, and the client computer has an authentication request mechanism and a decryption mechanism: when a received encrypted file is to be used, the authentication request mechanism requests authentication from the authentication server through the dedicated reader, and the decryption mechanism, through the dedicated reader, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The function is that of an authentication mechanism which, in response to an authentication request from a client computer, refers to the authentication information database, the personal address book database and the file management database and authenticates both the user and the permitted users that were set. The authentication information database registers the users who encrypt files and/or the users, belonging to a client, who use encrypted files; the personal address book database stores, for each user, a personal address book in which that user registers the users of encrypted files; and the file management database stores the key information used to decrypt an encrypted file, together with the identification information of the encrypted file, the users and the usage rights information registered from the client computer;
When the authentication result is positive, the usage rights information and key information set for the encrypted file are sent to the client computer.
In addition, according to another form of the present invention, a client computer can be provided that has a dedicated reader and is connected over a network to an authentication server that performs authentication for file security management;
The client computer and the authentication server can exchange information with each other. The authentication server has an authentication information database, a personal address book database, a file management database and an authentication mechanism. The authentication information database registers the users who encrypt files and/or the users, belonging to a client, who use encrypted files. The personal address book database stores, for each user, a personal address book in which that user registers the users of encrypted files. The file management database stores the key information used to decrypt an encrypted file, together with the identification information of the encrypted file, the users and the usage rights information registered from the client computer. In response to an authentication request from a client computer, the authentication mechanism refers to these databases and authenticates both the user and the permitted users that were set; when the authentication result is positive, it sends the usage rights information and key information set for the encrypted file to the client computer;
This client computer has an encryption mechanism, an authentication registration mechanism and a user registration mechanism. When encryption is performed, the encryption mechanism sets, through the dedicated reader, the users of the file and the usage rights granted to them and then encrypts the file; the authentication registration mechanism registers the identification information of the encrypted file, the users that were set and the usage rights information with the authentication server; and the user registration mechanism registers the users of the encrypted file in the personal address book database;
This client computer also has an authentication request mechanism and a decryption mechanism. When a received encrypted file is to be used, the authentication request mechanism requests authentication from the authentication server through the dedicated reader, and the decryption mechanism, through the dedicated reader, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server.
In addition, according to another form of the present invention, a program can be provided that causes a computer to perform the following functions;
The computer is a client computer that communicates with an authentication server. The authentication server has an authentication information database, a personal address book database, a file management database and an authentication mechanism. The authentication information database registers the users who encrypt files and/or the users, belonging to a client, who use encrypted files. The personal address book database stores, for each user, a personal address book in which that user registers the users of encrypted files. The file management database stores the key information used to decrypt an encrypted file, together with the identification information of the encrypted file, the users and the usage rights information registered from the client computer. In response to an authentication request from the client computer, the authentication mechanism refers to these databases and authenticates both the user and the permitted users that were set; when the authentication result is positive, it sends the usage rights information and key information set for the encrypted file to the client computer;
The functions are: the function of an encryption mechanism which, when a file is encrypted, sets through the dedicated reader the users of the file and the usage rights granted to them and then encrypts the file; the function of an authentication registration mechanism which registers the identification information of the encrypted file, the users that were set and the usage rights information with the authentication server;
the function of a user registration mechanism which, as required, registers the users of the encrypted file in the personal address book database;
the function of an authentication request mechanism which, when a received encrypted file is to be used, requests authentication from the authentication server through the dedicated reader; and the function of a decryption mechanism which, through the dedicated reader, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server.
In addition, according to the 4th form of the present invention, an authentication server can be provided that communicates with the following client computer. That is, the client computer has an encryption mechanism and an authentication registration mechanism. When a file is to be encrypted, the encryption mechanism, through the dedicated reader, sets the users of the file and the usage rights granted to each user and then encrypts the file; the authentication registration mechanism registers the identification information of the encrypted file, the users that were set and the usage rights information with the authentication server;
The client computer also has an authentication request mechanism and a decryption mechanism. When a received encrypted file is to be used, the authentication request mechanism requests authentication from the authentication server through the dedicated reader, and the decryption mechanism, through the dedicated reader, decrypts the received encrypted file according to the usage rights information and key information sent from the authentication server;
This authentication server has authentication means comprising an authentication information database, a personal address book database, a file management database and an authentication mechanism. The authentication information database registers the users who encrypt files and/or the users who use encrypted files. The personal address book database stores, for each user, a personal address book in which that user registers the users of encrypted files. The file management database stores the key information used to decrypt an encrypted file, together with the identification information of the encrypted file, the users and the usage rights information registered from the client computer. In response to an authentication request from the client computer, the authentication mechanism refers to these databases and authenticates both the user and the permitted users that were set;
The authentication server further has a plurality of authentication information databases and file management databases provided for the respective clients, a personal address book database that stores the personal address book of each user belonging to each client, and a charging mechanism. The charging mechanism identifies the client to which a client computer logged in to the authentication server belongs, processing is performed with the corresponding authentication information database and file management database, and each client is charged.
In addition, according to another form of the present invention, a program can be provided that causes a computer to perform the following functions;
Wherein the client computer has an encryption mechanism and an authentication registration mechanism. When a file is to be encrypted, the encryption mechanism, through the dedicated reader, sets the users of the file and the usage rights granted to each user and then encrypts the file; the authentication registration mechanism registers the identification information of the encrypted file, the users that were set and the usage rights information with the authentication server;
The computer is the authentication server. The client computer and the authentication server can exchange information with each other, and the client computer has an authentication request mechanism and a decryption mechanism: when a received encrypted file is to be used, the authentication request mechanism requests authentication from the authentication server through the dedicated reader, and the decryption mechanism, through the dedicated reader, decrypts the received encrypted file according to the usage rights information and key information sent by the authentication server;
The functions are: the function of an authentication mechanism which, in response to an authentication request from a client computer, refers to the authentication information database, personal address book database and file management database of the corresponding client and authenticates both the user and the permitted users that were set, where the authentication information database registers the users who encrypt files and/or the users, belonging to a client, who use encrypted files, the personal address book database stores, for each user, a personal address book in which that user registers the users of encrypted files, and the file management database stores the key information used to decrypt an encrypted file, together with the identification information of the encrypted file, the users and the usage rights information registered from the client computer;
and the function of a charging mechanism which identifies the client to which the client computer that sent the authentication request belongs and charges each client.
With the above configuration, the present invention obtains the following advantageous effects. According to the first form of the invention, the file creator (the creator-side client computer) uses the dedicated reader to specify the file to be encrypted, sets the users who may use the encrypted file and the usage rights granted to them, and registers these in the authentication server. A user who has received the encrypted file (the user-side client computer) is authenticated by the authentication server through the dedicated reader, and the encrypted file is decrypted and used on the dedicated reader within the usage rights granted to that user. The key information for decryption therefore never remains in the user's hands and, when the user is given only the right to view the decrypted file, the decrypted file cannot be kept in the user's hands either, so confidentiality is greatly improved. In addition, when the authentication result for a user's authentication request is negative, the authentication server can send a warning to the file creator and/or the file administrator, so the persons concerned can investigate the cause promptly. For this purpose, the authentication server preferably has an authentication history database that keeps the authentication history for the users and usage rights that the creator registered for the encrypted file.
In addition, the file creator sets the users permitted to use the file and their usage rights and registers them in the authentication server, and the authentication server lets the user use the file within the scope of those usage rights. For example, the usage rights given to a user can be set in advance to one of several permission levels, such as view-only for the decrypted file, permission to save, or permission to edit and save, so that each user is given only the permission level that user needs. Moreover, even at the view-only level, specific limits such as the number of views or the viewing expiry date can be set; by setting the minimum viewing limits in advance, the damage can be kept to a minimum even if another person impersonates the user and is authenticated by the authentication server.
In addition, other forms of the invention provide the authentication server and its program, and the client computer and its program, that constitute the file security management system of the 1st form.
In addition, the invention of the 2nd form provides an authentication server with a charging function, and its program, for the invention of the 1st form.
In addition, in the invention of the 3rd form, the authentication server has an authentication information database that registers the users who encrypt files and/or the users, belonging to a client, who use encrypted files, and a personal address book database that stores, for each user, a personal address book in which that user registers the users of encrypted files. Users belonging to different clients can therefore be registered in a personal address book as users of an encrypted file, so the file security service of the present invention can be used across clients, which improves convenience. In addition, because the authentication information database holding each client's authentication information can be kept separate from those of other clients, a client's internal information does not leak to the outside.
In addition, other forms of the invention provide the authentication server and its program, and the client computer and its program, that constitute the file security management system of the 3rd form.
In addition, the invention of the 2nd form provides an authentication server with a charging function, and its program, for the invention of the 3rd form.
Brief description of the drawings:
Fig. 1 is a conceptual diagram showing the basic functions of the file security management system of the present invention;
Fig. 2 is a block diagram showing the configuration of one embodiment of the file security management system of the present invention;
Fig. 3 is a flow chart showing the processing steps of the file creator's client computer and the authentication server in Fig. 2;
Fig. 4 is a flow chart showing the processing steps of the file user's client computer and the authentication server in Fig. 2;
Fig. 5 is a block diagram showing the configuration of another embodiment of the file security management system of the present invention;
Fig. 6 is a block diagram showing the configuration of a further embodiment of the file security management system of the present invention;
Fig. 7 is a schematic diagram showing the structure of the authentication information database 22 and the personal address book database 40 in Fig. 6;
Fig. 8 is a flow chart showing the steps for registering in the personal address book database 40 in Fig. 6;
Fig. 9 shows the layout of the login screen for the authentication server in Fig. 6;
Fig. 10 is a flow chart showing the processing steps of the file creator's client computer and the authentication server in Fig. 6;
Fig. 11 shows an example of the operation screen displayed on the dedicated reader in the steps of Fig. 10;
Fig. 12 is a flow chart showing the processing steps of the file user's client computer and the authentication server in Fig. 6;
Fig. 13 is a flow chart showing the processing steps of the user-side client computer and the authentication server when the file user has not subscribed to the authentication server's service;
Fig. 14 is a schematic diagram showing the basic form of conventional security management based on file encryption.
Explanation of reference numerals:
10: file security management system;
12: intranet;
14: Internet;
20: authentication server;
21: server program;
22: authentication information database;
23: file management database;
24: authentication history database;
25: authentication mechanism;
26: warning transmission mechanism;
27: version check mechanism;
28: database control mechanism;
29: charging mechanism;
30a, 30b: client computers;
31: client program;
32: dedicated reader;
34: authentication registration mechanism;
35: authentication request mechanism;
36: encryption mechanism;
X to Y: clients.
Detailed description of the invention
The best mode for carrying out the present invention is described below with reference to the accompanying drawings. The following embodiment is only an example of a system that embodies the technical concept of the present invention; the invention is not limited to this system and applies equally to the other embodiments covered by the scope of the claims.
In the file security management system of one embodiment of the present invention, as shown in the conceptual diagram of Fig. 1: (1) creator A creates a file containing digital content and, to encrypt it and allow user B to use it, logs in to the authentication server 20 through the dedicated reader, specifies the file to be encrypted, sets user B as a permitted user together with the usage rights, for example a restriction that user B may view the file only once, and encrypts the file. (2) The identification information of the encrypted file (file name, etc.), the user and usage rights information, and the key information D used to decrypt encrypted file C are sent to the authentication server 20, which registers this information in its databases. (3) Creator A sends encrypted file C to user B by e-mail or other means.
The key information D registered in the authentication server 20 differs depending on the encryption scheme the system adopts. Alternatively, a scheme may be adopted in which the authentication server 20 issues the key when creator A encrypts the file; in that case creator A does not need to send key information D to the authentication server 20.
(4) When using the received encrypted file C, user B logs in to the authentication server 20 through the dedicated reader and requests authentication. The authentication server 20 has a user authentication database for authenticating users such as user B and creator A, and a file management database that stores the identification information of the encrypted files registered by creator A, the users and usage rights information set for encrypted file C, and key information D. It refers to these databases and, (5) if both the personal authentication of user B and the check that user B is a permitted user succeed, it passes the usage rights information registered for encrypted file C and key information D to the dedicated reader on the user-side client computer.
(6) User B can then have the encrypted file decrypted on the dedicated reader and use the decrypted file. When the user is permitted only to view the file, the dedicated reader's operations are restricted according to the usage rights information sent from the authentication server 20 to user B's client computer: functions such as the print option, the save option and the overwrite-save option are disabled, so the user cannot save the decrypted file locally. Likewise, the key information D is used only by the dedicated reader to decrypt encrypted file C; user B takes no part in the decryption operation and cannot save key information D on the client computer. This prevents the decrypted file C and key information D from leaking from user B to the outside.
In addition, although not shown in Fig. 1, when the authentication result for user B is negative, which indicates that something improper has occurred, the authentication server 20 can send a warning message to file creator A and/or an administrator. The administrator who receives the warning is, for example, the system administrator responsible for overall management of this system, the network administrator of the enterprise to which creator A or user B belongs, or the manager of the department responsible for inspecting the IT environment. The persons concerned can thus investigate the cause of the improper situation. For this purpose, the authentication server 20 preferably has an authentication history database that keeps the authentication history.
Fig. 2 is a block diagram showing the configuration of the file security management system of the present invention. As shown in Fig. 2, the file security management system 10 consists of the authentication server 20 and client computers 30a, 30b, etc., connected over a network. In Fig. 2 the authentication server 20 is operated by an ASP (Application Service Provider), which provides the security management application to client X. Client computers 30a and 30b are therefore connected to an intranet 12 such as a LAN and reach the authentication server 20 over the Internet 14. A gateway with a firewall (not shown) sits between the intranet 12 and the Internet 14. The system is not limited to this form; it can also be operated as a system closed within a single client, in which case the authentication server 20 and client computers 30a, 30b are all connected to the intranet 12.
A server program 21 is installed on the authentication server 20. The server has an authentication information database 22, which stores authentication information such as the registered user IDs and passwords of the users of client computers 30a, 30b (file creators and users B of encrypted files); a file management database 23, which stores the user and usage rights information associated with the identification information (file name) of each encrypted file; and an authentication history database 24, which stores the history of authentication requests from users (client computers).
Through the server program 21, the computer that constitutes the authentication server 20 implements the functions of an authentication mechanism 25, a warning transmission mechanism 26, a version check mechanism 27 and a database control mechanism 28. The communication interface used to communicate with client computers 30a, 30b over the Internet 14, etc. is omitted from the figure.
Client computers 30a, 30b are used by users such as file creator A and user B; they have the same configuration and have a client program 31 installed. The computer that constitutes client computer 30a or 30b communicates with the authentication server 20 through the dedicated reader 32, which runs under the client program 31. Through the client program 31 the computer also implements the functions of an authentication registration mechanism 34, an authentication request mechanism 35, an encryption mechanism 36 and a decryption mechanism 37. These include both the functions a file creator needs and the functions a file user needs. The client program can therefore also be provided as separate programs, one for file creators and one for file users.
The communication interface used to communicate with the authentication server 20 over the intranet 12 and the Internet 14 is likewise omitted from the figure. The dedicated reader 32 mediates between the server that runs the designated application and the client computer: it takes information entered at the client computer and passes it to the server, and it displays or prints information received from the server. It is also called a "browser". The following describes the case in which file creator A uses client computer 30a and file user B (the user of the file encrypted by creator A) uses client computer 30b.
When creator A creates a file containing digital content, encrypts it and allows user B to use it, creator A uses client computer 30a to log in to the authentication server 20 through the dedicated reader 32, specifies the file to be encrypted, sets user B as a permitted user together with the usage rights, for example view-only rights for user B, and encrypts the file. At this point a login screen (not shown) is displayed on the dedicated reader, and the user ID, password and identification information (file name) of the file to be encrypted are entered and sent to the authentication server 20.
The authentication server 20 refers to the authentication information database 22 and authenticates the user. If authentication succeeds (the authentication result is positive), creator A enters user B and the usage rights granted to user B in the user setting field and the usage rights setting field of the dedicated reader 32. The usage rights comprise several permission levels, for example: the user may only view the file; the user may also save the decrypted file; the user may also update and save the decrypted file. Preferably, the number of views or the period of use can be set on a detailed settings screen.
The specified file is encrypted by the encryption mechanism 36 according to the encryption scheme adopted by the system. The authentication registration mechanism 34 registers with the authentication server 20 the identification information of the encrypted file (file name, etc.), the user and usage rights information, and the key information used to decrypt encrypted file C. Creator A then sends the encrypted file and its identification information to user B by e-mail or other means.
The authentication server 20 stores in the file management database 23 the identification information of the file (file name, etc.), the user and usage rights information, and the key information used to decrypt encrypted file C, all sent from client computer 30a. The search key of the file management database 23 is the identification information of the file.
When using the received encrypted file, user B uses client computer 30b to log in to the authentication server 20 with the dedicated reader 32 and requests authentication through the authentication request mechanism 35. At this point a login screen is displayed on the dedicated reader 32, and the user ID, password and identification information (file name) of the encrypted file to be used are entered and sent to the authentication server 20.
Based on the personal authentication information sent from client computer 30b, such as the user ID and password, the authentication server 20 performs personal authentication with the authentication mechanism 25, referring to the authentication information database 22 through the database control mechanism 28. If the user is authenticated, the server uses the file's identification information to read from the file management database 23 the user B registered for the file and the usage rights information and key information permitted to user B. If the registered user B does not match the personally authenticated user ID, the authentication result is negative and client computer 30b is notified of this. In addition, the authentication server 20 uses the warning transmission mechanism 26 to send the file creator or administrator a warning reporting that an access that failed authentication has occurred. If the authentication result is positive, the usage rights information and key information are sent to client computer 30b.
Client computer 30b receives, on the dedicated reader 32, the usage rights information and key information sent from the authentication server 20. When the dedicated reader 32 decrypts the encrypted file with the key information through the decryption mechanism 37, it makes user B's operations effective only within the scope of the usage rights granted to user B; operations outside that scope are disabled. For example, when user B's usage rights are restricted to viewing only, the dedicated reader 32 allows user B to display the decrypted file, but disables the print option for printing the displayed file, the save option for saving it, the edit option for editing it, and the update and overwrite-save options for saving an edited file.
User B therefore uses the encrypted file received from creator A only within the scope of the usage rights set by creator A. When the right given to user B is view-only, the decrypted file cannot be stored on client computer 30b. The key information is used when the dedicated reader 32 decrypts the encrypted file, and user B does not carry out the decryption operation directly. The dedicated reader 32 has no option for manipulating the key information, and user B cannot save the key information on client computer 30b. This reduces the possibility that the encrypted file or the key information leaks to a third party other than user B and further improves confidentiality.
In the above processing, when user B starts the dedicated reader 32 on client computer 30b and logs in to the authentication server 20, the version information of the dedicated reader 32 is sent to the authentication server 20, which uses the version check mechanism 27 to check whether the dedicated reader is the latest version. If it is not, the authentication server 20 can send client computer 30b usage rights information that further restricts user B's usage rights. For example, if the usage rights allow the decrypted file to be saved, they are restricted to view-only. In this way, if a security weakness arises in the dedicated reader 32 for some reason, the dedicated reader 32 can be upgraded and countermeasures taken promptly.
Fig. 3 and Fig. 4 are flow charts of the processing steps described above. Fig. 3 shows the processing steps of client computer 30a of producer A and certificate server 20, and Fig. 4 shows the processing steps of client computer 30b of user B and certificate server 20.
When producer A creates a file containing digital content, encrypts it, and allows user B to use it, producer A uses client computer 30a. First, at step S10, producer A starts dedicated reader 32, and at step S11 logs in to certificate server 20. That is, when dedicated reader 32 is started it shows a login screen; the user ID and password are entered in its input fields and sent to certificate server 20. Certificate server 20 refers to authentication information database 22, compares them with the registered authentication information (user information), and performs personal authentication of producer A. If authentication succeeds, producer A at step S12 enters, on the next screen (not shown) of dedicated reader 32, the file to be encrypted. Then at step S13 producer A enters user B, who is allowed to use the file, and at step S14 sets the usage rights granted to user B, for example usage rights that restrict user B to reading only.
When entering user B, producer A can operate the reference option of dedicated reader 32 to refer to authentication information database 22 of certificate server 20 and select and set the user from the registered user information. Besides individual users, the reference information provided by authentication information database 22 can also include group information, for example group information registered by grouping the members of a designated department, section, or project. By using group information, multiple people in the same group can be set as users at once.
Then, at step S15, client computer 30a encrypts the designated file using Sealing mechanism 36, and at step S16 saves the encrypted file. At step S17 it sends the identifying information (file name) of the encrypted file to certificate server 20, at step S18 it sends the users and their usage-rights information, and at step S19 it sends the key information used to restore the encrypted file.
At steps S33~S35, certificate server 20 receives the identifying information (file name) of the encrypted file, the users and their usage-rights information, and the key information used to restore the encrypted file, all sent from client computer 30a, and at step S36 stores them in file management database 23. Producer A then logs out of certificate server 20 at step S20 and closes dedicated reader 32 at step S21. Producer A then sends the saved encrypted file to the user (user B, set at step S13). The encrypted file need not be delivered to user B over a network (e-mail, etc.); it can also be delivered on a medium such as a floppy disk.
Next, with reference to the flow chart of Fig. 4, the steps by which user B uses, on client computer 30b, the encrypted file received from producer A are described. To use the encrypted file received at step S40, user B starts dedicated reader 32 on client computer 30b at step S41 and logs in to certificate server 20 at step S42. Certificate server 20 performs personal authentication of user B. If authentication succeeds, user B at step S43 moves to the next screen (not shown) of dedicated reader 32 and enters the identifying information (file name) of the encrypted file to be used. Client computer 30b, through authentication request mechanism 35, sends the file's identifying information to certificate server 20, and at step S44 sends a user authentication request to certificate server 20.
On receiving the file's identifying information, certificate server 20 at step S51 refers to file management database 23 and reads the users and usage-rights information registered for the file, and at step S52 performs user authentication processing to confirm whether the requester matches user B. If the user authentication result at step S53 is that user B does not match the personally authenticated user ID, that is, the authentication result is negative (NO), client computer 30b is notified of this. In addition, certificate server 20 records this authentication data in authentication historical data base 24 at step S56, and at step S57 uses warning transmitting mechanism 26 to send file creator A or an administrator a warning indicating that there was an access that failed authentication.
If the authentication result is positive (YES), certificate server 20 sends the usage-rights information and key information to client computer 30b at steps S54 and S55. Client computer 30b receives, in dedicated reader 32, the usage-rights information and key information sent from certificate server 20 at steps S45 and S46, and at step S47 dedicated reader 32 restores the encrypted file according to the key information, using the function of the restoring component. User B can then read the restored file at step S48. At this point, as described above, user B's operations in dedicated reader 32 are effective within the scope of the granted usage rights, and operations outside the usage rights are disabled.
For example, if the usage rights granted to user B are restricted to read-only, then in dedicated reader 32 the operation of the display option that shows the file to user B is enabled, but the print option that prints the displayed file, the save option that saves it, the edit option that edits it, and the update-save option that overwrites the file with the edited version are disabled. In this case user B cannot save the decrypted file. When user B has finished using the restored file within the scope of the usage rights set by producer A, user B logs out of certificate server 20 at step S49 and closes dedicated reader 32 at step S60, and processing ends. Note that the version check of dedicated reader 32 and the processing steps related to it are omitted from this flow chart.
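The server-side decision of steps S51 to S57, together with the version check on dedicated reader 32 described earlier, can be sketched as follows. This is an added Python example, not code from the patent; the right names, the version tuple, the administrator id, the sample file record, and the choice to record successful attempts in the history as well are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Names of the usage rights are assumptions; the page lists read, print, save, edit operations.
READ, PRINT, SAVE, EDIT = "read", "print", "save", "edit"
LATEST_VIEWER_VERSION = (2, 1)      # constructed value for the version check
ADMINISTRATOR = "administrator"     # hypothetical recipient when no creator is known


@dataclass(frozen=True)
class FileRecord:
    """One entry of file management database 23."""
    creator: str
    key_info: bytes
    rights_by_user: dict            # user id -> frozenset of granted rights


@dataclass(frozen=True)
class Decision:
    granted: bool
    rights: frozenset = frozenset()
    key_info: Optional[bytes] = None   # stays None whenever access is refused


@dataclass
class CertificateServer:
    file_db: dict                                   # file id -> FileRecord
    history: list = field(default_factory=list)     # authentication history database 24
    warnings: list = field(default_factory=list)    # outbox of warning transmitting mechanism 26

    def authorize(self, user_id, file_id, viewer_version):
        """user_id is assumed to come from an already completed login (S42)."""
        record = self.file_db.get(file_id)                                  # S51
        rights = record.rights_by_user.get(user_id) if record else None     # S52
        granted = rights is not None                                        # S53
        # S56; the page records the negative case, logging successes too is an assumption.
        self.history.append({"time": datetime.now(timezone.utc), "user": user_id,
                             "file": file_id, "granted": granted})
        if not granted:
            # S57: warn the file creator, or an administrator if the file is unknown.
            recipient = record.creator if record else ADMINISTRATOR
            self.warnings.append({"to": recipient, "user": user_id, "file": file_id})
            return Decision(granted=False)
        if tuple(viewer_version) < LATEST_VIEWER_VERSION:
            # Outdated dedicated reader: restrict the rights to reading only.
            rights = frozenset({READ})
        return Decision(True, frozenset(rights), record.key_info)          # S54, S55


def operation_enabled(decision, operation):
    """Viewer-side gate: an operation is enabled only inside the granted rights."""
    return decision.granted and operation in decision.rights


def build_demo_server():
    """Constructed sample data: producer A lets user B read and save one file."""
    record = FileRecord(creator="A", key_info=b"constructed-key-bytes",
                        rights_by_user={"B": frozenset({READ, SAVE})})
    return CertificateServer(file_db={"report.enc": record})


if __name__ == "__main__":
    server = build_demo_server()
    print(server.authorize("B", "report.enc", (2, 1)))   # full rights and key
    print(server.authorize("B", "report.enc", (1, 9)))   # downgraded to read-only
    print(server.authorize("C", "report.enc", (2, 1)))   # refused, creator warned
    print(server.warnings)
```

The key information never leaves the server on a refused request, and the only trace of a refusal on the client side is the notification; the history entry and the warning stay with the server and the file creator.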
Fig. 5 shows another form of the file security management system of the present invention. In this embodiment, certificate server 20 is configured to provide the security service application to a plurality of clients X~Z. Clients Y and Z have the same configuration as client X. Certificate server 20 includes charging mechanism 29, and each of the databases (authentication information database 22, file management database 23, authentication historical data base 24) is partitioned per client so that each client's data is stored separately. The rest of the structure is the same as in the embodiment of Fig. 1, and its explanation is omitted. The charging method may be flat-rate charging, usage-based charging, or a combination of the two. For usage-based charging, charging mechanism 29 of certificate server 20 preferably counts the number of logins from the client computers (producers, users) of clients X~Y, and can total, for each client, the service time from login to logout and so on.
With the scheme of Fig. 5, a business model can be built in which an ASP (Application Service Provider) operates certificate server 20 and provides the file security management service to a plurality of clients. Because clients X~Y then share a common system with other clients, the development cost borne by the ASP provider can be reduced. In addition, when the program of the present invention is supplied by a software vendor, that vendor can more easily expand the customer base for its product through the ASP service offered by the ASP provider.
The file security management system of the embodiment above is a system that performs security management of files among the internal users of each client (X~Z). However, it would be more useful to clients if the file security management service could be carried out beyond the boundary of a single client. For example, if A, a user of client X, and E, a user of client Y, could exchange highly confidential files using the service provided by certificate server 20, this would be more useful to the clients. That is, if clients that have joined the security management service provided by certificate server 20 of the present invention do business with each other and the users on both sides can receive the same service, they can exchange more important files without worrying about information leakage, which improves convenience. For this purpose it would be preferable to use the authentication information database of all clients as shared information, but in that case each client's user information would be disclosed to the others. That is, with this method the information about a client's own staff, who are that client's users, would be leaked, which clients would find hard to accept, so a measure that solves this problem is needed.
Fig. 6 is a schematic diagram of the configuration of another embodiment of file security management system 10 of the present invention. Security management system 10 of Fig. 6 is shown as a block diagram of a system configured so that the file security management service can be used beyond the boundary of a client. For ease of understanding, parts of Fig. 6 that are the same as in Fig. 2 and Fig. 5 carry the same labels. This security management system 10 differs from security management system 10 of embodiment 2 in that personal address book database 40 is provided in certificate server 20, and user registration unit 38 is provided in client program 31 on the side of client computers 30a and 30b.
That is, in security management system 10 of Fig. 6, separately from authentication information database 22, which is used to authenticate each client's (X~Z) own users, certificate server 20 is provided with personal address book database 40, in which each user can register the counterparts who may use this security management service. In this embodiment, the counterparts that each user registers through personal address book database 40 are allowed to use the security service. The composition of authentication information database 22 and personal address book database 40 is described here.
Fig. 7 is a schematic diagram of the composition of authentication information database 22 and personal address book database 40: (A) shows the composition of authentication information database 22, and (B) shows the composition of the personal address book database. As shown in Fig. 7 (A), in authentication information database 22 the partition of each client X~Y that receives the file security service of certificate server 20 is independent, and each client's users A~C, E~F, I~K are registered in it. Each user's registered information is the user name, a "group" such as the department or project the user belongs to, "user ID", "password", "e-mail address", and so on. Other information, such as job title, can also be added.
In personal address book database 40, on the other hand, the partition of each user A~C, E~F, I~K of each client X~Y is independent, and users A~C, E~F, I~K can each register the counterparts with whom they wish to exchange files through this security service. To register, user A logs in to certificate server 20, calls personal address book database 40, and registers the counterpart's information in A's own personal address book 40 through user registration unit 38. The registered data is, for example, the name and e-mail address of the counterpart being registered. An e-mail address corresponds one-to-one with an individual; in addition, the encrypted file is sent to this e-mail address, and the address becomes the authentication data when the encrypted file is used, so it is data that must be registered.
Next, the creation and use of an encrypted file between users of different clients using file security system 10 of Fig. 6 is described. As an example, consider the case where client A of client X and client E of client Y are members of a business project; a highly confidential file created by A is encrypted using certificate server 20 and given usage rights that allow reading, and is sent to E; E then logs in to certificate server 20 and reads the encrypted file.
Before using certificate server 20, client A of client X first starts dedicated reader 32 and logs in to certificate server 20. During login, certificate server 20 refers to authentication information database 22 and, based on the authentication information of client X, confirms that client A is a legitimate user of client X. A menu screen is then displayed, and the personal address book registration process is selected from it. When registration in personal address book database 40 is selected, certificate server 20 allows client A to access the personal address book database, and client A registers client E in personal address book database 40 (the user partition of client A) through user registration unit 38. As shown in Fig. 7 (B), the registered data is the name or ID of the registered user and the e-mail address.
Fig. 8 is a flow chart of the steps by which each person registers, in personal address book database 40, the counterpart users who are allowed to use files that person has encrypted. First, client A starts dedicated reader 32 at step S61, and at step S62 enters the user ID and password and logs in to certificate server 20. The login screen can have the same composition as the login screen of an ordinary server, as shown in Fig. 9. Client A then calls personal address book database 40 at step S63, and at step S64 registers the name and e-mail address of the user who is allowed to use the files.
When registration is finished, client A creates a file (an existing file may also be used), starts dedicated reader 32, and logs in to certificate server 20. This login authentication step is the same as in the registration process above. Client A then specifies the file to be encrypted in the file field shown on the menu screen. Next, as the menu screen switches, client A selects either authentication information database 32 or client A's personal address book database 40 in order to set the users of the file. Here, client A selects personal address book database 40 and specifies client E, registered in the earlier step. Then, as the menu screen switches again, client A sets the usage rights of client E. Here, E is given usage rights that allow only reading of the encrypted file. In the steps above the file is specified in the first step on the menu screen, but the file may instead be specified after the users and their usage rights have been set.
When these settings are finished, the file created by client A is encrypted with the prescribed encryption scheme on client A's computer (client computer 30a) and saved. In addition, certificate server 20 registers in file management database 23 the file name (file identifying information), users, and usage rights of the file specified for encryption in the preceding steps. Client A then sends the encrypted file to client E by e-mail.
Client E, having received the e-mail, starts dedicated reader 32, logs in to certificate server 20, and is authenticated. Because client E is a registered user of client Y, certificate server 20 refers to authentication information database 22 to authenticate the user. This step is the same as the authentication step for client A. When client E then specifies the received encrypted file on the computer (client computer 30b), the file name (file identifying information) is sent to certificate server 20. The certificate server refers to file management database 23, checks the users and usage rights that were set, and sends the usage-rights information and the key information for restoration to client E (30b).
Client computer 30b receives the usage-rights information and the key information for decryption. Dedicated reader 32 uses the key information and the function of restoring component 37 to restore the encrypted file, and restricts user E so that only operations within the granted usage rights are effective; operations by user E outside the usage rights are disabled. For example, if the usage rights granted to user E are for reading, then in dedicated reader 32 the operation of the display option that shows the decrypted file to user E is enabled, but the print option that prints the displayed file, the save option that saves it, the edit option that edits it, and the update-save option that overwrites the file with the edited version are disabled.
Figure 10 is a flow chart of the processing steps described above, showing the processing steps of client computer 30a of producer A and certificate server 20. Figure 11 is a schematic diagram that shows, alongside the steps of Figure 10, an example of the operation screens displayed in dedicated reader 32. When producer A creates a file containing digital content, encrypts it, and allows user E to use it, producer A uses client computer 30a. First, at step S70, producer A starts dedicated reader 32, and at step S71 logs in to certificate server 20. That is, when dedicated reader 32 is started it shows a login screen; the user ID and password are entered in its input fields and sent to certificate server 20. Certificate server 20 refers to authentication information database 22, checks them against the registered authentication information (user information), and performs personal authentication of producer A. If authentication succeeds, producer A at step S72 moves to the next screen (not shown) of dedicated reader 32 and specifies the file to be encrypted (see step 1 of Figure 11). Then at step S73 producer A enters user E, who is allowed to use the file, and at step S74 sets the usage rights granted to user B, for example usage rights that restrict user B to reading the file (see step 2 of Figure 11). Finally, the "encryption" button at the bottom of the screen is operated, and the target file is encrypted.
When entering user E, producer A operates the reference button of dedicated reader 32 to refer to personal address book database 40 of certificate server 20, and selects and sets user E from the registered user information. Then, at step S75, client computer 30a encrypts the designated file using Sealing mechanism 36, and at step S76 saves the encrypted file. At step S77 it sends the identifying information (file name) of the encrypted file to certificate server 20, at step S78 it sends the user and usage-rights information, and at step S79 it sends the key information used to restore the encrypted file.
At steps S93~S95, certificate server 20 receives the identifying information (file name) of the encrypted file, the user and usage-rights information, and the key information used to restore the encrypted file, all sent from client computer 30a, and at step S96 stores them in file management database 23. Producer A then logs out of certificate server 20 at step S80 and closes dedicated reader 32 at step S81. Then, at step S82, producer A sends the saved encrypted file to user E (the user E set at step S73). The encrypted file need not be delivered to user E over a network (e-mail, etc.); it can also be delivered on a medium such as a floppy disk.
The steps by which user E uses the encrypted file received from producer A are shown in the flow chart of Figure 12. In the flow chart of Figure 12, the processing in which certificate server 20 authenticates user E (step S122) refers to personal address book database 40 in addition to authentication information database 22; apart from this, the processing steps are the same as those of the flow chart shown in Fig. 4. In addition, when user E receives the encrypted file from producer A by e-mail, an icon marking it as an encrypted file is shown on the desktop of user E's client computer 30b, and user E can start dedicated reader 32 by operating this icon. A system configured in this way has good operability.
In the steps of Figure 10 and Figure 12, user E is client E of client Y, which has joined this security service. Convenience would be improved further if the same service could also be provided to an individual who has not joined the security service. An example is the case where encrypted files are exchanged between client A of client X and an arbitrary individual M who has not joined the service. In this case, client A registers user M in A's user partition of personal address book database 40, following the steps of Fig. 8. This step is the same as when client E is registered as a user. Client A then encrypts the file following the steps described with the flow chart of Figure 10, and transfers the encrypted file to the registered user M by e-mail or the like. At this time, the URL of certificate server 20 must be sent to user M as necessary information. The reason is that user M is not a user of this security system and must be enabled to log in to certificate server 20.
Accordingly, when certificate server 20 receives the encrypted file name, user and rights information, etc. from client A (steps S93~S94 of the flow of Figure 10), it sets, for the user M that has been specified, the URL of certificate server 20, a user ID for registration, and a temporary password, and sends this information to the mailbox of user M registered in personal address book database 40. This information may be sent at step S96 of the flow chart of Figure 10, when the information on the encrypted file is stored in file management database 24, or at steps S93 and S94, when the encrypted file name, user and rights information are received from client A. In addition, notifying user M of the URL of certificate server 20, the user ID for registration, and the temporary password is not limited to sending them from certificate server 20 to user M as described above; the information may instead be given to client A, who passes it on as additional information when sending the encrypted file to user M.
User M, for the encrypted file received from producer A, proceeds according to the steps of the flow chart shown in Figure 13. That is, Figure 13 is a flow chart of the processing steps on the user side when the service is used between a user of a client of this service and an individual who is not a customer of the service. First, when user M receives the encrypted file from A at step S131, user M at step S132 connects to certificate server 20 using the URL received with the message, and enters the user name and e-mail address on the input screen displayed at that URL. At step S151, certificate server 20 checks the entered user name and e-mail address against the information client A registered in personal address book database 40 to determine whether the user is a registered user. If the user is registered, certificate server 20 sends dedicated reader 32 to user M at step S152; at step S133 user M receives dedicated reader 32, and the download of the dedicated reader is complete.
When the download of dedicated reader 32 is complete, user M starts dedicated reader 32, logs in to the certificate server, and restores and uses the encrypted file within the usage rights set by client A. Except that certificate server 20 additionally refers to personal address book database 40 when authenticating user M (step S155), the other processing steps of the flow chart of Figure 13, steps S134~S143 (including processing steps S153~S160 of certificate server 20), are the same as the steps of the flow shown in Figure 12.
In addition, when an individual who has not joined the service is registered as a user in the way described above, the operator of certificate server 20 can treat this as one additional user of client X, to which the registering client A belongs, and charge client X accordingly. For this purpose, charging mechanism 29 of Fig. 6 is configured to charge according to the result of referring to personal address book database 40 when a user is authenticated.
In embodiment 3 described above, a personal address book database 40 is set up for each individual user. Even when a client is a virtual network operator with tens of thousands of enrolled users, there is no need to work with an enormous user list; the personal address book database is used instead, so that even when a list is displayed, only each person's own registered information is shown, which improves ease of use. In addition, the personal address book data of the present invention is not limited to registered e-mail addresses; any data that can identify a user will do, and the e-mail address can also serve as the data a registered user uses when communicating with client A, certificate server 20, and so on.
In the embodiments of Fig. 1 and Fig. 5, the file is encrypted on client computer 30a on the file creator's side, and the key information the user needs to restore the encrypted file is registered in certificate server 20 together with the identifying information of the encrypted file and the user and usage-rights information. The file security management system of the present invention is not limited to this mode, however. For example, the following mode can be used: client computer 30a on the file creator's side logs in to certificate server 20 through dedicated reader 32 and specifies the file to be encrypted; certificate server 20 issues the password needed for encryption and restoration and registers it in the file management database together with the file identifying information and the user and usage-rights information.
The following scheme can also be adopted, in which the encryption scheme uses a public key and private key pair. On client computer 30a on the file creator's side, when the users who are allowed to use the file and their usage rights are set, the file is encrypted with the user's public key, and the key information for restoring the file that is registered in certificate server 20 is the fact that the user's public key was used. When client computer 30b on the user side logs in to certificate server 20 through dedicated reader 32 and requests authentication, certificate server 20 sends the key information together with the usage-rights information to client computer 30b, and client computer 30b on the user side can identify from the key information that its own public key was used for the encryption, and thus restore the encrypted file.
As described above, the encryption scheme of the file security management system of the present invention can be any of various known encryption schemes.

Claims (14)

1. A file security management system made up of a certificate server and a plurality of client computers that are connected to it via a network and have a dedicated reader, the system consisting of the following client computers and certificate server, characterized in that:
The above-mentioned client computer has a Sealing mechanism and an authentication registration unit; when a file is to be encrypted, the Sealing mechanism, through the dedicated reader, sets the users of the file and the usage rights each user is allowed and encrypts the file, and the authentication registration unit registers the identifying information of the encrypted file, the users that have been set, and the usage-rights information in the certificate server;
In addition, the client computer has an authentication request mechanism and a restoring component; when a received encrypted file is to be used, the authentication request mechanism requests authentication from the above-mentioned certificate server through the above-mentioned dedicated reader, and the restoring component, through the above-mentioned dedicated reader, restores the above-mentioned received encrypted file according to the usage-rights information and key information sent by the certificate server;
The above-mentioned certificate server has an authentication information database, a file management database, and a certification authority; users who encrypt files and/or users who use encrypted files are registered in the authentication information database; the above-mentioned file management database stores the key information used to restore the encrypted file, together with the identifying information of the encrypted file, the users, and the usage-rights information registered from the above-mentioned client computer; the above-mentioned certification authority, in response to an authentication request from a client computer, refers to the above-mentioned databases and authenticates the user and the above-mentioned user that has been set; and when authentication succeeds, the above-mentioned certificate server can send the usage-rights information and key information set for the above-mentioned encrypted file to the above-mentioned client computer.
2. A certificate server that is connected over a network to a plurality of client computers, each having a dedicated reader, and that performs authentication for file security management, characterized in that:
The above-mentioned client computer has a sealing mechanism and an authentication registration unit. When a file is encrypted, the sealing mechanism, through the dedicated reader, sets the users of the file and the usage rights each user is allowed, and thereby encrypts the file; the authentication registration unit registers the identifying information of the encrypted file, the set users, and the usage rights information with the certificate server;
Moreover, the above-mentioned client computer and the above-mentioned certificate server can transmit information to each other, and the client computer has an authentication request mechanism and a restoring component. When a received encrypted file is used, the authentication request mechanism requests authentication from the above-mentioned certificate server through the above-mentioned dedicated reader, and the restoring component, through the above-mentioned dedicated reader, performs restoration processing on the received encrypted file according to the usage rights information and key information transmitted by the certificate server;
The above-mentioned certificate server has an authentication information database, a file management database, and a certification authority. The authentication information database registers the users who encrypt files and/or the users who use encrypted files. The file management database stores the key information used to restore encrypted files, together with the identifying information of the encrypted file, the users, and the usage rights information registered from the above-mentioned client computer. The certification authority, in response to an authentication request from a client computer, refers to the above-mentioned databases and authenticates the user and the above-mentioned set user. When the authentication result is a pass, the above-mentioned certificate server can send the usage rights information and key information set for the above-mentioned encrypted file to the above-mentioned client computer.
3. A program for causing a computer to perform the following functions, characterized in that:
The above-mentioned client computer has a sealing mechanism and an authentication registration unit. When a file is encrypted, the sealing mechanism, through the dedicated reader, sets the users of the file and the usage rights each user is allowed, and thereby encrypts the file; the authentication registration unit registers the identifying information of the encrypted file, the set users, and the usage rights information with the certificate server;
The above-mentioned computer constitutes the above-mentioned certificate server. The above-mentioned client computer and the above-mentioned certificate server can transmit information to each other, and the client computer has an authentication request mechanism and a restoring component. When a received encrypted file is used, the authentication request mechanism requests authentication from the above-mentioned certificate server through the above-mentioned dedicated reader, and the restoring component, through the above-mentioned dedicated reader, performs restoration processing on the received encrypted file according to the usage rights information and key information transmitted by the certificate server;
The above-mentioned functions are: the function of a certification authority that, in response to an authentication request from a client computer, refers to an authentication information database and a file management database and authenticates the user and the above-mentioned set user, where the authentication information database registers the users who encrypt files and/or the users who use encrypted files, and the file management database stores the key information used to restore encrypted files and the identifying information of the encrypted file, the users, and the usage rights information registered from the above-mentioned client computer;
When the authentication result is a pass, the program performs the function of sending the usage rights information and key information set for the above-mentioned encrypted file to the above-mentioned client computer.
4. A client computer that has a dedicated reader and is linked over a network to a certificate server that performs authentication for file security management, characterized in that:
Can transmit information mutually between this client computer and the certificate server, this certificate server has authentication information database, file management database, and certification authority, this authentication information database registration has pair file to carry out the user of encryption and/or uses the user of the file of encrypting, above-mentioned file management database stores and is used for encrypt file is reduced the key information of handling, and the identifying information that comes from the registered encrypt file of above-mentioned client computer, and user and rights of using information, and above-mentioned authentication function is meant according to the authentication request from client computer, with reference to above-mentioned database, user and the above-mentioned user who has set are authenticated; When authentication result is passed through, above-mentioned certificate server will send to above-mentioned client computer to rights of using information and the key information that encrypt file is set;
This above-mentioned client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism passes through dedicated reader, user to this document sets with the rights of using that this user is allowed to, thereby this document is carried out encryption, and identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server;
And, when the encrypt file that use is received, this client computer also has authentication request mechanism and deciphering mechanism, this authentication request mechanism is by above-mentioned dedicated reader, to above-mentioned certificate server request authentication, this restoring component is meant by above-mentioned dedicated reader, according to rights of using information that is sent by certificate server and key information, the above-mentioned encrypt file that has received is decrypted processing.
5. A program for causing a computer to perform the following functions, characterized in that:
The aforementioned calculation machine by and certificate server between the client computer that communicates constitute, and this certificate server has authentication information database, file management database, and certification authority, the registration of this authentication information database has user that pair file encrypts and/or the user who uses encrypt file, above-mentioned file management database stores encrypt file is reduced used key information when handling, and from the identifying information of the registered encrypt file of above-mentioned client computer, user and rights of using information, above-mentioned certification authority is according to the authentication request from client computer, with reference to above-mentioned database, user and the above-mentioned user who has been set are authenticated, and when authentication result is passed through, will send to above-mentioned client computer to rights of using information and the key information that this encrypt file sets;
And above-mentioned function is meant, when file is encrypted, this Sealing mechanism passes through dedicated reader, user to this document sets with the rights of using that this user is allowed, thereby to the function as Sealing mechanism that this document carries out encryption, the conduct that reaches identifying information, the user who has set and the rights of using information of the file of having encrypted to the certificate server registration authenticates the function of registration unit;
And, when using the encrypt file that has received, by above-mentioned dedicated reader, function to above-mentioned certificate server request authentication as authentication request mechanism, and by above-mentioned dedicated reader, according to the rights of using information and the key information that send by certificate server, the above-mentioned encrypt file that has received is reduced the function of handling as restoring component.
6. A certificate server that communicates with client computers, characterized in that:
Above-mentioned client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism passes through dedicated reader, set user of this document and the rights of using that this user is allowed to, thereby this document is carried out encryption, and identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server;
And, above-mentioned client computer and above-mentioned certificate server can transmit information mutually, and above-mentioned client computer has authentication request mechanism and reduction processing mechanism, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, and to above-mentioned certificate server request authentication, this restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that transmit by certificate server, the above-mentioned encrypt file that receives is reduced processing;
Above-mentioned certificate server has authentication information database, file management database, with certification authority, registration has the user that pair file encrypts and/or uses the user of encrypt file in this authentication information database, store in the above-mentioned file management database and be used for encrypt file is reduced the key information of handling, and from the identifying information of the encrypt file of above-mentioned client computer registration, user and rights of using information, above-mentioned certification authority is according to the authentication request from client computer, with reference to above-mentioned database, user and the above-mentioned user who has set are authenticated;
Moreover, the above-mentioned certificate server has a plurality of authentication information databases and file management databases, provided for each client, and additionally has a charging mechanism. The charging mechanism identifies the client to which a client computer logged in to the certificate server belongs, performs processing according to the corresponding authentication information database and file management database, and charges each client.
7. A program for causing a computer to perform the following functions, characterized in that:
Wherein, above-mentioned client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism passes through dedicated reader, set user of this document and the rights of using that this user is allowed to, thereby this document is carried out encryption, and identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server;
The aforementioned calculation machine is made of above-mentioned certificate server, and, above-mentioned client computer and above-mentioned certificate server can transmit information mutually, and above-mentioned client computer has authentication request mechanism and reduction processing mechanism, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, to above-mentioned certificate server request authentication, this restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that transmit by certificate server, the above-mentioned encrypt file that receives is reduced processing;
And above-mentioned functions is meant, according to authentication request from client computer, with reference to authentication information database and file management database, the function that user and the above-mentioned user who is set are authenticated as certification authority, registration has the user that pair file encrypts and/or uses the user of encrypt file in this authentication information database, stores in the above-mentioned file management database to be used for encrypt file is reduced the key information handled and from identifying information, user and the rights of using information of the encrypt file of above-mentioned client computer registration;
And the function of a charging mechanism that identifies the client to which the client computer sending the authentication request belongs and charges each client.
8. A file security management system consisting of a certificate server and a plurality of client computers that are connected to it over a network and each have a dedicated reader, characterized in that:
Above-mentioned client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism is passing through dedicated reader, set user of this document and the rights of using that this user is allowed to, thereby this document is carried out encryption, and the identifying information of the file of having encrypted, the user who has set and rights of using information are registered by this authentication registration unit in certificate server;
In addition, this client computer has authentication request mechanism and restoring component, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, to above-mentioned certificate server request authentication, this restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that are sent by certificate server, the above-mentioned encrypt file that has received reduced processing;
Above-mentioned certificate server has authentication information database, personal address book's database, file management database and certification authority, the registration of this authentication information database has user that pair file encrypts and/or the user who belongs to the client who uses encrypt file, above-mentioned personal address book's database storage is useful on above-mentioned user carries out the per user registration to the user of encrypt file personal address book, this document management database stores and is used for encrypt file is reduced the key information of handling, come from above-mentioned customer facility registration the identifying information of encrypt file, user and rights of using information, above-mentioned certification authority is according to the authentication request from client computer, with reference to above-mentioned database, carry out user and the above-mentioned user's who has set authentication, when authentication result was sure, rights of using information and the key information that will set at encrypt file sent to above-mentioned client computer.
9. A certificate server that is connected over a network to a plurality of client computers, each having a dedicated reader, and that performs authentication for file security management, characterized in that:
Wherein, above-mentioned client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism passes through dedicated reader, set user of this document and the rights of using that this user is allowed to, thereby this document is carried out encryption, and identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server;
And, above-mentioned client computer and above-mentioned certificate server can transmit information mutually, and above-mentioned client computer has authentication request mechanism and reduction processing mechanism, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, and to above-mentioned certificate server request authentication, this restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that transmit by certificate server, the above-mentioned encrypt file that receives is reduced processing;
Above-mentioned certificate server has authentication information database, personal address book's database, file management database and certification authority, the registration of this authentication information database has user that pair file encrypts and/or the user who belongs to the client who uses encrypt file, above-mentioned personal address book's database storage is useful on above-mentioned user carries out the per user registration to the user of encrypt file personal address book, this document management database stores and is used for encrypt file is reduced the key information of handling, come from above-mentioned customer facility registration the identifying information of encrypt file, user and rights of using information, above-mentioned certification authority is according to the authentication request from client computer, with reference to above-mentioned database, carry out user and the above-mentioned user's who has set authentication, when authentication result was sure, rights of using information and the key information that will set at encrypt file sent to above-mentioned client computer.
10. A program for causing a computer to perform the following functions, characterized in that:
Wherein, above-mentioned client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism passes through dedicated reader, set user of this document and the rights of using that this user is allowed to, thereby this document is carried out encryption, and identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server;
The aforementioned calculation machine is made of above-mentioned certificate server, and, above-mentioned client computer and above-mentioned certificate server can transmit information mutually, and above-mentioned client computer has authentication request mechanism and reduction processing mechanism, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, to above-mentioned certificate server request authentication, this restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that transmit by certificate server, the above-mentioned encrypt file that receives is reduced processing;
And above-mentioned functions is meant, according to authentication request from client computer, with reference to authentication information database, personal address book's database and file management database, the function that user and the above-mentioned user who has set are authenticated as certification authority, above-mentioned this authentication information database, register the user that file is encrypted and/or belonged to the client's who uses encrypt file user, above-mentioned personal address book's database storage is useful on the personal address book that above-mentioned user carries out the per user registration to the user of encrypt file, and this document management database stores and is used for encrypt file is reduced the key information of handling, come from above-mentioned customer facility registration the identifying information of encrypt file, user and rights of using information;
When the authentication result is affirmative, the usage rights information and key information set for the encrypted file are sent to the above-mentioned client computer.
11. A client computer that has a dedicated reader and is linked over a network to a certificate server that performs authentication for file security management, characterized in that:
Can transmit information mutually between this client computer and the certificate server, above-mentioned certificate server has authentication information database, personal address book's database, file management database and certification authority, the registration of this authentication information database has user that pair file encrypts and/or the user who belongs to the client who uses encrypt file, above-mentioned personal address book's database storage is useful on above-mentioned user carries out the per user registration to the user of encrypt file personal address book, this document management database stores and is used for encrypt file is reduced the key information of handling, come from above-mentioned customer facility registration the identifying information of encrypt file, user and rights of using information, above-mentioned certification authority is according to the authentication request from client computer, with reference to above-mentioned database, carry out user and the above-mentioned user's who has set authentication, when authentication result was sure, rights of using information and the key information that will set at encrypt file sent to above-mentioned client computer;
This client computer has Sealing mechanism, authentication registration unit and user registration unit, when carrying out encryption, this Sealing mechanism is set with the rights of using that this user is allowed by the user of dedicated reader to this document, thereby this document is carried out encryption, identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server, the user of the used file of having encrypted registers in this user registration unit in personal address book's database;
This client computer also has authentication request mechanism and restoring component, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, to above-mentioned certificate server request authentication, this restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that send by certificate server, the above-mentioned encrypt file that has received is reduced processing.
12. A program for causing a computer to perform the following functions, characterized in that:
The aforementioned calculation machine by and certificate server between the client computer that communicates constitute, this certificate server has authentication information database, personal address book's database, file management database, and certification authority, the registration of this authentication information database has the user that pair file encrypts and/or belongs to the client's of the file that use encrypted user, above-mentioned personal address book's database storage is useful on above-mentioned user carries out the per user registration to the user of encrypt file personal address book, this document management database stores and is used for encrypt file is reduced the key information of handling, come from above-mentioned customer facility registration the identifying information of encrypt file, user and rights of using information, above-mentioned certification authority is according to the authentication request from customer facility, with reference to above-mentioned database, user and the above-mentioned user who has set are authenticated, when authentication result is sure, will send to above-mentioned client computer at rights of using information and the key information that encrypt file is set;
Above-mentioned functions is meant, when file is encrypted, this Sealing mechanism passes through dedicated reader, set user of this document and the rights of using that this user is allowed, thereby this document is carried out the function as Sealing mechanism of encryption, and the identifying information of the file encrypted to the certificate server registration of above-mentioned authentication registration unit, the function of the conduct authentication registration unit of user who has set and rights of using information;
The function of a user registration unit that, as required, registers the users of the encrypted file in the personal address book database;
When using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, function to above-mentioned certificate server request authentication as authentication request mechanism, and above-mentioned restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that send by certificate server, the above-mentioned encrypt file that has received is reduced the function of handling as restoring component.
13. A certificate server that communicates with the following client computer, characterized in that:
This client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism passes through dedicated reader, set user of this document and the rights of using that this user is allowed to, thereby this document is carried out encryption, and identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server;
And, this client computer also has authentication request mechanism and deciphering mechanism, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, to above-mentioned certificate server, request authentication, this deciphering mechanism is by above-mentioned dedicated reader, according to the rights of using information and the key information that send from above-mentioned certificate server, the encrypt file of above-mentioned reception is reduced processing;
This certificate server has certification authority, this certification authority comprises authentication information database, personal address book's database, file management database, with certification authority, this authentication information database has been registered file has been carried out the user of encryption and/or the user of the file that use has been encrypted, above-mentioned personal address book's database storage is useful on above-mentioned user carries out the per user registration to the user of encrypt file personal address book, this document management database stores and is used for encrypt file is reduced the key information of handling, come from above-mentioned customer facility registration the identifying information of encrypt file, user and rights of using information, above-mentioned certification authority is according to the authentication request from customer facility, with reference to above-mentioned database, user and the above-mentioned user who has set are authenticated;
Moreover, the above-mentioned certificate server also has a plurality of authentication information databases and file management databases provided for each client, a personal address book database storing the personal address book of each user belonging to each client, and a charging mechanism. The charging mechanism identifies the client to which a client computer logged in to the certificate server belongs, performs processing according to the corresponding authentication information database and file management database, and charges each client.
14. A program for causing a computer to perform the following functions, characterized in that:
Wherein, above-mentioned client computer has Sealing mechanism and authentication registration unit, when file is carried out encryption, this Sealing mechanism passes through dedicated reader, set user of this document and the rights of using that this user is allowed to, thereby this document is carried out encryption, and identifying information, the user who has set and the rights of using information of the file of having encrypted is registered by this authentication registration unit to certificate server;
The aforementioned calculation machine is made of above-mentioned certificate server, and, above-mentioned client computer and above-mentioned certificate server can transmit information mutually, and above-mentioned client computer has authentication request mechanism and reduction processing mechanism, when using the encrypt file that has received, this authentication request mechanism is by above-mentioned dedicated reader, to above-mentioned certificate server request authentication, this restoring component is by above-mentioned dedicated reader, according to the rights of using information and the key information that transmit by certificate server, the above-mentioned encrypt file that receives is reduced processing;
And above-mentioned functions is meant, according to authentication request from client computer, corresponding client is with reference to authentication information database, personal address book's database and file management database, the function that user and the above-mentioned user who has set are authenticated as certification authority, above-mentioned this authentication information database, register the user that file is encrypted and/or belonged to the client's who uses encrypt file user, above-mentioned personal address book's database storage is useful on the personal address book that above-mentioned user carries out the per user registration to the user of encrypt file, and this document management database stores and is used for encrypt file is reduced the key information of handling, come from above-mentioned customer facility registration the identifying information of encrypt file, user and rights of using information;
And the function of a charging mechanism that identifies the client to which the client computer sending the authentication request belongs and charges each client.
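The certificate server's role in claims 2 and 6 (register file identifier, set users, usage rights and key; release rights and key only when authentication passes; keep separate databases per client and count requests for charging) can be sketched as follows. This is an added example, not code from the patent: the class and method names, the PBKDF2 password login, the in-memory dictionaries and the use of a request count as the charging metric are all assumptions, since the claims specify none of them; the warning list follows the abstract's statement that a negative result triggers a warning.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Assumed login scheme; the claims only say that users are authenticated.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class FileRecord:
    key: bytes     # key information needed to restore the file
    rights: dict   # set user -> frozenset of permitted operations


@dataclass
class ClientOrg:   # one "client" of claim 6, with its own pair of databases
    users: dict = field(default_factory=dict)   # authentication information database
    files: dict = field(default_factory=dict)   # file management database
    billable_requests: int = 0                  # assumed charging metric


class AuthServer:
    def __init__(self):
        self.clients = {}    # client id -> ClientOrg
        self.warnings = []   # (client id, user id, file id) of refused requests

    def add_user(self, client_id, user_id, password):
        salt = secrets.token_bytes(16)
        org = self.clients.setdefault(client_id, ClientOrg())
        org.users[user_id] = (salt, _pw_hash(password, salt))

    def _login(self, client_id, user_id, password):
        """Return the caller's ClientOrg, or None if the credentials are wrong."""
        org = self.clients.get(client_id)
        record = org.users.get(user_id) if org else None
        salt, expected = record if record else (b"\x00" * 16, b"")
        supplied = _pw_hash(password, salt)   # hashed even for unknown users
        if record is None or not hmac.compare_digest(supplied, expected):
            return None
        return org

    def register_file(self, client_id, user_id, password, file_id, key, rights):
        """Authentication registration: store key, set users and usage rights."""
        org = self._login(client_id, user_id, password)
        if org is None or file_id in org.files:
            return False   # no anonymous registration, no overwriting a record
        if any(u not in org.users for u in rights):
            return False   # every set user must exist in the same client's database
        org.files[file_id] = FileRecord(
            key, {u: frozenset(ops) for u, ops in rights.items()})
        return True

    def authenticate(self, client_id, user_id, password, file_id):
        """Return rights and key only if the caller is a set user of the file."""
        org = self._login(client_id, user_id, password)
        if org is not None:
            org.billable_requests += 1
        record = org.files.get(file_id) if org else None
        ops = record.rights.get(user_id) if record else None
        if not ops:
            # Fail closed: same refusal for bad login, unknown file, or non-set user.
            self.warnings.append((client_id, user_id, file_id))
            return None
        return {"rights": sorted(ops), "key": record.key}


if __name__ == "__main__":
    srv = AuthServer()
    srv.add_user("acme", "alice", "pw-a")   # constructed sample accounts
    srv.add_user("acme", "bob", "pw-b")
    file_key = secrets.token_bytes(32)
    srv.register_file("acme", "alice", "pw-a", "doc-1", file_key, {"bob": {"view"}})
    print(srv.authenticate("acme", "bob", "pw-b", "doc-1"))     # rights and key
    print(srv.authenticate("acme", "alice", "pw-a", "doc-1"))   # None: not a set user
    print(srv.warnings)
```

Because the key is stored only in the file management database and released per request, the server's refusal path is the enforcement point: a file identifier looked up in the wrong client's database, or by a user not set for that file, yields no key.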
CN200410086263.5A 2003-10-31 2004-10-29 File security management system and identificaton server, user's machine and program Pending CN1612521A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2003373340 2003-10-31
JP373340/2003 2003-10-31
JP153945/2004 2004-05-24
JP2004153945A JP4246112B2 (en) 2003-10-31 2004-05-24 File security management system, authentication server, client device, program, and recording medium

Publications (1)

Publication Number Publication Date
CN1612521A (en) 2005-05-04

Family

ID=34741310

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200410086263.5A Pending CN1612521A (en) 2003-10-31 2004-10-29 File security management system and identificaton server, user's machine and program

Country Status (2)

Country Link
JP (1) JP4246112B2 (en)
CN (1) CN1612521A (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007213546A (en) * 2006-01-13 2007-08-23 Keytel:Kk Encrypted file transfer system, electronic file encryption program, and encrypted file transfer method
JP2008071274A (en) * 2006-09-15 2008-03-27 Fujitsu Ltd Management system, terminal device, security management method, security program, and computer readable recording medium recording this program
KR100960122B1 (en) * 2007-12-17 2010-05-27 한국전자통신연구원 System and method for preventing illegal use of device
JP5120091B2 (en) * 2008-06-19 2013-01-16 富士ゼロックス株式会社 Document tracking system, user terminal, document management server and program
JP6319816B2 (en) * 2016-09-21 2018-05-09 株式会社スカイコム Authentication file generation system, file authentication system, authentication file generation method, file authentication method, authentication file generation program, and file authentication program
JP7548768B2 (en) 2020-10-12 2024-09-10 エヌ・ティ・ティ・コミュニケーションズ株式会社 Data management device, data sharing system and method, and data management program

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100419773C (en) * 2006-03-02 2008-09-17 王清华 Permission verification and verifying system for electronic file
CN1937495B (en) * 2006-09-29 2010-05-12 清华大学深圳研究生院 Digital copyright protection method and system for media network application
CN101197674B (en) * 2007-12-10 2010-10-27 华为技术有限公司 Encrypted communication method, server and encrypted communication system
WO2011018048A1 (en) * 2009-08-14 2011-02-17 成都市华为赛门铁克科技有限公司 Method, apparatus and system for privilege information management
CN101626378B (en) * 2009-08-14 2012-10-17 成都市华为赛门铁克科技有限公司 Method, device and system for managing authority information
CN102347836A (en) * 2010-04-30 2012-02-08 龚华清 Electronic document protected view system and method
CN102984120A (en) * 2012-04-17 2013-03-20 广州市国迈科技有限公司 Instant communication method and system for achieving file safe transfer
CN105830133B (en) * 2013-12-11 2019-03-12 三菱电机株式会社 File safeguard system and user terminal
CN103746899A (en) * 2013-12-26 2014-04-23 福建伊时代信息科技股份有限公司 Mail reading system and method
CN103746899B (en) * 2013-12-26 2017-03-15 福建伊时代信息科技股份有限公司 mail reading system and method

Also Published As

Publication number Publication date
JP2005158022A (en) 2005-06-16
JP4246112B2 (en) 2009-04-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication