FR2982052A1 - METHOD AND DEVICE FOR DATABASE STORAGE AND CONSULTATION OF CONFIDENTIAL DATA - Google Patents

Abstract

According to the method of storing data in digital form and accessing stored data, the data represents structured information relating to a population of entities, each entity (10) corresponding to a group of data (15), in which data from each group of data are separated into at least two subgroups (11, 12) and: - each stored subgroup is signed (35, 36) by a unique numerical identifier (33, 34) associated with it, said unique digital identifier being a digital representation of an elementary tag (31, 32); a link for associating subgroups from the same group of data corresponding to an entity is formed by the coordinated implementation of the elementary tags (31, 32), the digital representations of which (33, 34) correspond to the unique numerical identifiers of said subgroups.

Description

The present invention belongs to the field of security of information and access to secure information. More particularly, the invention relates to a method and a device for storing and consulting a data set for which a high degree of confidentiality is required. When a lot of information has to be available for consultation, it is now widely used by computers implementing databases. The benefits of computers are well known. They are able to store a large amount of information in structured databases and quickly search for information that meets a set of criteria on an operator's instruction. In addition, the systems used for this purpose are accessible remotely and often with simple means from any point in a network to which they are connected. These advantages, however, are a weakness of these systems because the information that is stored in the databases can be hacked or damaged by malicious acts committed by penetrating the computers of the systems in question by the digital network such as the Internet. It is known to defend against such intrusions from using passwords and encryptions so that the information is accessible only by persons having passwords. However, this solution has shown its limits with respect to data piracy and furthermore it does not overcome the risk of seeing information accessed by persons having legitimate access to such data for unauthorized purposes. When the information relates to a group of objects or persons, that is to say a population, in which each object or person is characterized by a set of data, it is known to separate the data into different databases so that access to a single database is not sufficient to have all the data relating to an object or a person. However, the need at certain times to be able to access, in case of legitimate needs, all the data relating to an object or a person makes it necessary to create a link between the different bases. Whether the links are strong or weak, they always create a security gap in the protection of access to information by allowing all data relating to the same object or to the same person to be grouped together. For example, the sensitivity of data storage in databases of information relating to a natural person is today considered critical because it can be a source of risk of infringement of individual freedoms in case of unauthorized use of information. The present invention provides a method and apparatus for separating data relating to the same object or the same person without there being a logical connection in the databases and giving only to a rightholder the possibility of to gather all the data relating to an object or a person. For this, the method for storing data in digital form and for accessing data of the invention, in which the data process represents structured information relating to a population of entities, each entity corresponding to a group of data, and in wherein the data of each data group are separated into at least two subgroups, each subgroup being stored without logical link with another subgroup of the data group of which it is part, is characterized in that: each stored subgroup is signed by a unique digital identifier associated with it, and that this unique digital identifier associated with the subgroup in question is a digital representation of a single, non-reproducible physical element designated "elementary tag"; a link making it possible to associate different subgroups from the same group of data corresponding to an entity is formed by the coordinated implementation of the elementary tags whose digital representations correspond to the unique numerical identifiers of the said sub-elements. groups. Thus, the data relating to an entity are all stored and accessible by subgroups, where appropriate in the clear or, where appropriate, encrypted, in a database or in a set of databases without however being possible at a given time. unauthorized person who does not have the unique and non-reproducible physical elements corresponding to a group of data to group the data from this group of data due to the lack of a logical link between the subgroups of the database (s) data. The elementary tags needed to associate subgroups of the same group are held by an authority that can reconcile data contained in subgroups of the same group. This authority can be a single physical person who then holds the different elementary tags needed or a group of people who individually hold one or more elementary tags and who must then coordinate to associate the subgroups and reform the data group. Thus the reconciliation of the subgroups and the reconstruction of the original data group of an entity becomes possible only when the elementary tags bearing the unique identifiers corresponding to each subgroup are physically available, that these tags are held by a single entity. person or by different people. In one form of implementation, two or more elementary tags are defined in a single tag to form a meta-tag. This solution, which has a simplicity of form when the elementary tags must be held by the same person, also makes it possible to conceal the number of elementary tags that are defined in the meta-tag and to make the shape and structure determinable within the meta-tag. In addition, the elementary tags being physically indissociable within the meta-tag, their separation leading to the irremediable destruction of the elementary tags, their physical unit not only guarantees the unity of their place of reading, but also the unit of time to authorize the reconstruction of the data group.

To meet the requirement of uniqueness and non-reproducibility, as well as to enable production and reading by economically acceptable means, advantageously the elementary tags and or meta-tags are made by means of bubble codes. Although not exclusively, the method finds application when the stored data relates to entities that are physical persons or individuals and whose confidentiality must be protected. Subgroups may include: - administrative identity data of individuals in the population; - biometric fingerprint data of individuals in the population; 15 - personal medical data of individuals of the population. Other types of data may be stored by the method as soon as the data set of an entity is split into two or more subgroups. A subgroup may where appropriate be associated with more than one unique identifier, two different elementary tags or meta-tags, unique and non-reproducible, making it possible to identify the same subgroup, so that grouping rights can be duplicated or differentiated when allowed groupings can be limited which is possible when the group of data is split into three or more subgroups. The invention also relates to a device for storing and securely reading data stored in digital form in at least one database of a computer system, in which: the data represents structured information relating to a population of entities, each entity corresponding to a group of data; - the data of each data group is stored separately in at least two uncorrelated subgroups, each subgroup being stored in the database or databases without any logical link to another subgroup of the data group of which it is part ; and wherein: each subgroup has a storage field of a unique identifier in the device; the device comprises at least one unique and non-reproducible physical element reader, said tag, for creating at least one digital representation of an elementary tag intended to form the unique identifier of a subgroup; The device comprises at least one tag reader for reading the elementary tags when these tags have been used to create unique identifiers for the subgroups; a group of data is formed by the reconciliation of at least two subgroups identified by their unique numerical representations delivered by the tag reader during the coordinated reading of the elementary tags used for the creation of the unique identifiers of the said sub-groups. groups. The device thus makes it possible to create and consult accessible databases whose confidentiality is ensured in particular because of the absence of a logical link between the data of the database or databases and the physical protection that is provided by the elementary tags needed to rebuild the dataset. In a particular embodiment, the tag readers are arranged materially and logically to read tags arranged on a single physical medium and in an advantageous form for reading tags corresponding to non-separable parts of a meta-tag itself unique and non-reproducible. In a particularly economical embodiment to achieve, tag readers are arranged to read by optical means elementary tags or meta tags of the bubble code type. When several elementary tags are grouped together on the same physical medium in the same form. bubble code, the readers are arranged materially and logically to identify and read different selections of bubble code bubble subsets so as to identify the elementary tags carried by the bubble code. Other features and advantages of the invention will be better understood on reading the following description of nonlimiting embodiments of the invention with reference to the drawings which represent: FIG. 1: schematically the steps of the import data relating to an individual in two databases; Figure 2: schematically the steps of extracting data bases from data relating to an individual; Figure 3: an example of a meta-tag physical medium corresponding to an identity card; Figure 4: a synoptic representation of a device for creating and consulting data. The invention is directed to data manipulated in large numbers by digital processing means such as computers connected to digital communication networks. Although the invention applies to the most diverse entities of a population, for example objects or persons, which are defined by a set of attributes, which may be any number greater than two, the detailed description will be made as an illustration of the invention in the particular case for which the data relate to at least two attributes of natural persons or individuals. An individual 10 comprises in particular, as illustrated in FIG. 1, biological identification attributes and administrative identification attributes. Biological identification attributes are diverse and relate to the physics of life. They will be designated "biometric fingerprint" 11 thereafter. In this category there are, for example, morphological features such as those of the face 111, fingerprints 112, the retinal image, the genetic fingerprint ... The biometric fingerprint 11 of an individual 10 corresponds to one or more of these characteristics of the individual and some of these characteristics are considered, at least with a very high probability (probability substantially equal to 1), as unique on Earth. The attributes of administrative identification are, on the other hand, independent of the biology and correspond to administrative data such as the name of the individual 121, his first names, his date of birth, his address 122 ... and will be generically 12. An individual is arbitrarily characterized by his or her personal data in the example described by a biometric fingerprint 11 and an administrative identity 12. In this example, therefore, a population of individuals corresponds to a set 15 biometric fingerprints, the biometric fingerprints of each individual in the population, and a set of administrative identities, the administrative identities of each individual in the population. These personal data are thus structured in the sense that they are different from one individual to another but present the same organization for each individual of the population. According to the method of the invention, the personal data of an individual form a group of data to be stored, which includes the data of its biometric fingerprint forming a subgroup of the data group, and the data of its identity. another subgroup of the data group. The biometric fingerprints 11 of the population are stored in a biometric database 21, also marked DBb (for Biometric Data Base) in the figures, and the administrative identities 12 are stored in an administrative database 22, also marked DBa ( for Administrative Data Base) on the figures. The biometric 21 and administrative 22 databases may be physically separated, for example residing on separate computer systems more or less distant, or be joint and be implanted on the same computer system. Regardless of the organizational structure of the stored data, in the rest of the presentation, the biometric data will be declared as stored in a biometric database and the administrative data stored in an administrative database. Whatever the computer architecture, as in the example of Figure 4, on which the databases 21, 22 are installed, there is in the structure and content of the data of each of the databases no link that allows to associate the data of the biometric fingerprint 11 of an individual 10 with the data of his administrative identity 12. This lack of link is symbolized in Figure 1 by the relationship interrupted 23 between the databases then that a link exists, identified 13 in Figure 1, by the very fact of the existence of the individual 10 who bears the biometric fingerprint 11 and has the administrative identity 12. In other words, although the biometric databases 21 and administrative 22 taken sets contain all data relating to all individuals in the population relavant databases, nothing allows in the databases and in the computer system that hosts them to group in a proven way all the data relating to an individual. In this case, it is said that there is no logical connection between the two databases. We note that we are dealing here with databases of populations with a significant number of individuals, this number being sufficient to avoid an exploitable probability of random aggregation of data for a given individual, a probability that evolves as a result of the inverse of the number of individuals in the population that is high to the number of subgroups of data, ie squared in the example with two subgroups of data.

It should be noted, however, that databases may contain data relating to only one real individual (or to a small number of individuals) and data relating to many imaginary individuals, which leads to the same conclusion. for a small population. In order to be able to reassemble the data concerning the same individual in a subsequent database consultation step, the method 5 comprises a step of marking the data of the biometric fingerprint 11 on the one hand and the administrative identity 12 on the other hand. According to the method, each set of data constituting the biometric fingerprint 11 of an individual 10 of the biometric base 21 is associated with a unique and non-reproducible physical element that will be referred to as the generic term "tag" for the data. biometric a biometric tag 31. Likewise, each set of data of an individual of the administrative base is associated with a unique and non-reproducible physical element: an administrative tag 32. As stated, a tag is a physical element, and that is, an independent element of the biometric 21 and administrative databases 22. A tag is not part of the computer system (represented by its only databases in Fig. 1) that manipulates digital data. Such a tag is for example a three-dimensional object comprising foreign bodies of random shapes and arrangements in the object as described in the patent application published under the number FR 2804784, the number of foreign bodies and their shapes and forms. random layouts giving the tag its uniqueness and non-reproducibility criteria. In a preferred embodiment the tag is a bubble code as in the published patent application under the number FR 2860670. In the figures, the tags 31, 32 are illustrated in the form of a bubble code. To associate a tag 31, 32 to data of an individual 10, a digital representation 33, 34 of the tag is added 35, 36 to the considered data 30 of said individual so that the data is associated with the tag, ie signed by the tag or by its numerical representation (the two expressions being here taken in the same direction).

In the case of the invention, a digital representation 33 of the biometric tag 31 assigned to an individual 10 is incorporated in the biometric database 21 to the biometric fingerprint 11 of said individual, and a digital representation 34 of the administrative tag 32 is incorporated. in the administrative database 22 to the administrative identity 12 of said individual. Note that since all tags are unique, and the construction of their digital representations, which characterizes the distribution, sizes and shapes of the foreign bodies of the tag, is also unique, it must be deduced that a numerical representation of a given tag can only sign one biometric fingerprint or (exclusive) a single administrative identity to which it is associated by assigning the tag to the individual 10. It will also be noted that it is not created in this manner of link 23, in the computer system hosting the databases 21, 22, between the biometric fingerprint 11 of an individual 10 and his administrative identity 12, the signatures being different and independent. Thus, once the data of an individual 10 entered in the biometric 21 and administrative 22 bases signed with unique and different given tags, it becomes necessary, as illustrated in Figure 2, to have the biometric tag 31 AND the administrative tag 32 to be able to find in the biometric base 21 the biometric fingerprint 11 signed by the biometric tag and carrying the digital representation 33, also noted IDb in Figure 2, the biometric tag 31 and in the administrative database 22 the administrative identity 12 signed by the administrative tag and carrying the digital representation 34, different, also noted IDa in Figure 2, the administrative tag 32. In a preferred embodiment of the method, when the simultaneous identification of the biometric fingerprint 11 d 'an individual 10 and the administrative identity 12 of the same individual must be carried out by a single authorized person, the administrative tag if 34 and the biometric tag 33 are grouped together in a single medium held by the authorized person, which may be, for example, the individual himself. In practice it is not necessary that the administrative 32 and biometric 31 tags be physically separate. In fact, the complexity of a tag of sufficient dimensions makes it possible to define in said tag two or more different elementary tags totally uncorrelated apart from the fact that they are "registered" in a single tag.

Thus in practice the administrative tag 32 and the biometric tag 31 will both be contained in a single tag, a meta-tag 30. To associate the biometric fingerprint 11 and the administrative identity 12 of an individual 10 of the population considered and thus dispose of all of his personal data 15, it is then necessary to have the physical meta-tag 30 (unique and non-reproducible), which solution will be considered in the following detailed description of the exemplary embodiment, or elementary tags 31, 32 if they are distinct, which are the keys by which it is possible to determine the biometric fingerprint 11 of the biometric database 21 whose associated digital representation of biometric tag corresponds to the digital representation 33 of the biometric tag 31 carried by the meta-tag 30 and determining the administrative identity 12 of the administrative database 22 including the digital tag representation associated administrative code corresponds to the digital representation 34 of the administrative tag 34 carried by the meta-tag 30.

It should be noted that the separation shown in Figures 1 and 2 on the meta-tag 30 to distinguish the elementary tags 31 and 32 is drawn only for the sake of clarity and is not in practice materialized on the meta-tag 30. In a particularly sensitive application in terms of individual liberties, the meta-tag 30 is held by the individual 10, a natural person, for example incorporated in a personal card of the individual such as an identity card. or a passport or any other title or personal means of identification. In this case, an individual 10 is the only one able to reconstitute all the data concerning him and stored in the databases 21, 22. In an operational implementation of the method, the following steps are carried out.

In a preliminary step, in order to be able to enter the data relating to an individual 10 into the biometric 21 and administrative 22 databases, the data of the individual are collected in a conventional manner and transmitted to a treatment center.

For example, for the production of an identity document, the data are collected by an authorized body, such as a town hall, which verifies their consistency. This preliminary step is consistent with what is practiced in the collection of information for the production of administrative documents. In a second step, the collected data are transmitted to a data entry center on the one hand of the administrative identity data 12 intended for the administrative database 22 and, on the other hand, separately from the data of the fingerprint. biometric 11 for the biometric database 21. In a third step the treatment center assigns a meta-tag 30 to the individual 10. The meta-tag 30 assigned to this step is a blank tag, that is to say 15 which has not been used elsewhere, at least for the application in question. The meta-tag 30 is introduced into a suitable reader 41 which then delivers to a computer system 43 for managing the databases 21, 22 a digital representation 33 of the biometric tag 31, part of the meta-tag 30, and a digital representation 34 of the administrative tag 32, a different part of the meta-tag 30. Finally, the database management computer system 43 associates the digital representation 33 of the biometric tag with the data of the biometric fingerprint 11 and stores the biometric fingerprint as well. signed in a register 115 of the biometric database 21 corresponding to the subgroups 11. Similarly, the database management computer system 43 associates the digital representation 34 of the administrative tag with the data of the administrative identity. 12 and stores the administrative identity thus signed in a register 125 of the administrative database 22 30 corresponding to the subgroups 12. When these operations are performed, all the traces of the collected data in which data relating to the biometric fingerprint 11 and data relating to the administrative identity 12 are associated are destroyed or erased. From this destruction or erasure, the reconciliation of the biometric fingerprint 11 and the administrative identity 12 is only possible through the single meta-tag 30 carrying the administrative tag 32 and the biometric tag. 31, meta-tag 30 which is delivered to the rights holder, or where appropriate by the joint use of the administrative tag 32 and the biometric tag 31 if these two tags are distinct. Since the meta-tag is unique and non-reproducible, only the holder of the meta-tag 30 used to sign the subgroups of a group of data differently is able to reassemble the set of separate data in the data sets. second and third steps. It can be seen that in the databases constituted according to the invention, the data, for which data are not encrypted, are accessible by persons having access rights to the databases, which can be useful, for example for general population studies for statistical purposes or for epidemiological studies, or for access to insecure information such as an administrative identity which associates an individual's name and address, but confidentiality remains as soon as the assembly of data of different subgroups must receive the active assistance of the person or persons having the only non-reproducible material element allowing said assembly of data. This is the case, for example, of the biometric identity of an individual who can not be brought closer to his administrative identity without his agreement. The detailed example described above is not limiting of the invention. Those skilled in the art understand that the data relating to an individual can be divided into more than two databases. It is also understood that when the tags used for the data of the same individual are physically separated they can be held by more than one person. In this case, the grouping of signed data by tags held by different people requires that these people together produce the tags to identify the data in each of the databases.

In an embodiment in which more than one person must have the rights and the possibility of grouping the data of the same individual, a tag being unique and non-reproducible, each subgroup of data of the same group of data is signed by as many digital representations of different tags, elementary tags or meta-tags as appropriate, which will each be held by the person authorized to group subgroups of data of a given individual. In this case when the data is divided into more than two subgroups of data stored in as many databases, the persons allowed to group subgroups of data from the same data group do not necessarily have tags. allowing them to carry out the same consultations. For example, if a group of data is divided into three subgroups of data A, B and C, a first authorized person may have a meta-tag to group the three groups A + B + C to reconstitute the group. initial data, while another authorized person but with fewer rights can, given the tags or meta-tags that he holds, group only data A + B for example. The type of data processed according to the invention is not limited a priori and the data are not necessarily related to an individual. They may concern any type of entity to which are associated a set of at least two data items, which data, while remaining individually accessible, must be able to be associated globally for a given entity only in a secure manner by an authorized person with a proof of authenticity in the form of a unique and non-reproducible physical element. Examples of applications are numerous, particularly in the field of protected information about people. It is for example possible to make identity cards 50, as shown in Figure 3, impossible to reproduce or to falsify.

In such a card, in addition to the conventionally visible reproduction of information of a biometric nature such as a photograph 111 'and a fingerprint 112', and administrative information 12 ', the card incorporates a unique meta-tag and non-reproducible, which can be read by a tag reader, such as a tag of the bubble code type. The authenticity of the identity card 50 can be verified on the one hand by verifying the existence in the databases 21, 22 of the digital representations 33, 34 of the elementary tags 31, 32 that are contained in the metadata. tag 30 incorporated in the card 50 and secondly by controlling the coherence of the visible data of the card 50 with the data signed in the databases by the digital representations of the elementary tags of the card, as well as by the coherence with physical checks of the biometric characteristics of the individual carrying the card 50, for example reading a fingerprint.

We understand here that if a false card is made, even with readable tags, it will not be recognized when reading the tag (s) because the tag will not correspond to any digital tag representation in the databases and the tag. card will be detected as false from the first reading because unknown.

If a card 50 is modified fraudulently, the card will be recognized at first as having a legal existence because of the recognition of the elementary tags 31, 32. However, the comparison between the data of the databases signed by said elementary tags, grouped as a result of the recognition of said elementary tags, and the information reproduced on the card and those obtained from the physical person carrying the card, such as a fingerprint, lead to declare the card as fraudulent because of the differences detected, and it can be established whether the person holds a modified card or who does not belong to him.

Another example of application of the invention relates to so-called health cards. In this case the card makes it possible, as in the case of the identity card, to identify the patient with certainty, in particular to avoid fraud or even medical errors related to homonyms, but it also makes it possible to access his medical data stored on databases that can only be read in association with his identity with his consent by means of his health card and tag (s). These examples are not limiting the applications of the invention and illustrate to those skilled in the art the principles to be implemented to store data to be protected for the respect of their confidentiality.

Claims (14)

CLAIMS1 - A method for storing data in digital form and for accessing said data, wherein the data represents structured information relating to a population of entities, each entity (10) corresponding to a group of data (15), in wherein the data of each data group is separated into at least two subgroups (11, 12), each subgroup being stored without logical link with another subgroup of the data group of which it is part, said method being characterized in that: - each stored subgroup is signed (35, 36) by a unique numerical identifier (33, 34) associated therewith, said unique digital identifier being a digital representation of a unique and non-reproducible physical element , called elemental tag (31, 32); a link for associating subgroups from the same group of data corresponding to an entity is formed by the coordinated implementation of the elementary tags (31, 32), the digital representations of which (33, 34) correspond to the unique numerical identifiers of said subgroups. 2 - Method according to claim 1 wherein the elementary tags (31, 32) necessary for the association of subgroups (11, 12) of the same group (15) are held by an authority authorized to reconcile data contained in the said subgroups of the same group. 3 - Process according to claim 2 wherein two or more elementary tags (31, 32) are defined in a single tag so as to form a meta-tag (30). 4 - Process according to claim 2 or claim 3 wherein the elementary tags (31, 32) and or the meta-tags (30) are made by means of bubble codes. 5 - Process according to one of the preceding claims wherein the entities (10) are natural persons or individuals. The method of claim 5 wherein a data subgroup (12) includes administrative identity data of the individuals of the population. The method of claim 5 or claim 6 wherein a subgroup of data (11) includes biometric fingerprint data of individuals of the population. 8 - Process according to one of claims 5, 6 or 7 wherein a subgroup of data comprises personal medical data of individuals of the population. 9 - Device (40) for storing and securely reading data stored in digital form in at least one database (21, 22), in which the data represents structured information relating to a population of entities, each entity ( 10) corresponding to a group of data (15), in which device the data of each group of data are stored separately in at least two subgroups (11, 12), each subgroup being stored in the at least one database without logical connection to another subgroup of the group of data to which it belongs, said device being characterized: - in that each subgroup (11, 12) has a storage field (115, 125) d a unique identifier (33, 34) in the device; in that it comprises at least one reader (41) of unique and non-reproducible physical elements, called tags (30), for creating at least one digital representation of an elementary tag intended to form the unique identifier of a subgroup; in that it comprises at least one reader (42) for tags to read elementary tags that have been used to create unique identifiers; in that it realizes a reconstruction of a group of data by bringing together at least two subgroups of different categories identified by their unique identifiers delivered by the tag reader (42) during the coordinated reading of the elementary tags. used to create unique identifiers of said subgroups. 10 - Device according to claim 9 wherein the readers (41, 42) of tags are arranged physically and logically to read at least two tags arranged on a single physical medium. 11 - Device according to claim 10 wherein the tags readers (41, 42) are arranged materially and logically to read at least two elementary tags in a meta-tag itself unique and non-reproducible, arranged on a physical medium (50) . 12 - Device according to one of claims 9 to 11 wherein the readers (41, 42) of tags are arranged materially and logically to read elementary tags, or meta tags, type bubble codes. 13 - Device according to claim 12 taken in combination with claim 11 wherein the tags readers (41, 42) determine each elementary tag of a bubble code type meta-tag by different selections of subsets of bubbles of the bubble code. 14 - Device according to one of claims 9 to 13 wherein the subgroups (11, 12) are grouped by typology in different databases (21, 22).