JP2002111650A - Code processing device, code processing method and recording medium with code processing program recorded thereon - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a code processing device and method which enables a coding process (encoding or decoding) of specific partial tree documents of document information having a tree structure, and to provide a recording medium in which the program of the code processing is recorded. SOLUTION: A section processing unit 12 forms an evaluation result holding unit having a same tree structure as a code processing object document in a tree structure information holding unit 13. The authenticity value of the evaluation result holding unit formed in the tree structure information holding unit 13 is initialized as 'False'. Then a branch node processing unit 14 is started to practice the branch node process. When the branch node process is finished, the authenticity value of the evaluation result is evaluated and, in the tree structure information holding unit, the code processing object document corresponding to a partial tree leaf mode with the authenticity value 'True' of the evaluation result is encoded or decoded by a key, determined by a key ID obtained from definition unit information and obtained from the key management unit 5.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cryptographic processing apparatus and method for encrypting only a specific subtree document of document information having a tree structure, and a recording medium storing the program.

[0002]

2. Description of the Related Art In recent years, document information is stored in HTML (Hyper
XML (Extensible markup language) that evolved from the xt Markup Language (XML) and whose structure can be represented by a tree structure
ge) is very popular. HTM
The document information in L or XML describes the structure of the document using a mark called a tag indicating the definition of the document. In particular, in HTML, the types and meanings of tags that can be used are determined in advance, but in XML, users can define them independently. Therefore, a device has been devised which defines this tag independently between related companies and facilitates data exchange between the companies.

[0003]

However, when a document having a tree structure is distributed between a plurality of companies (subjects) having different authorities, even if the document is the same, the information that can be viewed is different for each subject. Therefore, when exchanging the same document between a plurality of companies (subjects), it is necessary to encrypt information for each part related to each subject and to limit the viewable part of the tree structure document. To encrypt the part related to the subject,
It is necessary to access the corresponding document information in the entire document information. Conventionally, there is the following request to access arbitrarily necessary document information of such a document information having a tree structure described in XML or the like, but has the following problems. First, in response to a request for fine-grained access control according to the contents of the tree structure, access control for each element of the tree structure could not be performed. Further, when the access control mechanism is described using a program, the description of the program must be changed according to the structure of the document, and there is a problem in versatility. Further, in order to set the access right for each element (node) of the tree structure, it is necessary to set the access right for each document and each node because the tree structure has a recursive structure. There was a problem that it became complicated. Therefore, conventionally, there is a means for encrypting the entire document, but there is no means for accessing and encrypting only a portion of the document which satisfies a specific condition.

SUMMARY OF THE INVENTION The present invention has been made in view of the above-described problems, and has been made in consideration of the above-described problems. An encryption process (encryption or decryption thereof) of document information having a tree structure can be performed only on a specific subtree document. It is intended to provide a device. More specifically, from information having a tree structure, using a definition body information describing a condition for each user, a subtree document satisfying the condition specified by the definition body is subjected to encryption processing (encryption, encryption, It is an object of the present invention to provide a cryptographic processing apparatus and method for performing the above-mentioned decryption, and a recording medium storing the program.

[0005]

In order to solve the above-mentioned problems, the present invention restricts the disclosure of all or a part of document information having a tree structure to other than the user according to the information of the user. Processing device for performing encryption processing (encryption or decryption thereof) for restricting the disclosure of document information to anyone other than the user in accordance with the given user information and document information In order to convert to a document having a tree structure corresponding to the document to be encrypted / decrypted, the definition body information for specifying the position to be encrypted / decrypted by the flag on the tree structure is
Encrypting a specific position part (subtree document) on the tree structure indicated by the definition body information extracted by the definition body information management means and the definition body information extracted by the definition body information management means; Alternatively, a subtree encryption processing means for decrypting is provided. With the above configuration, it is possible to easily specify the position of the document information to be encrypted or decrypted by using the definition body information.

According to the present invention, a key for designating a key required for encryption or a key required for decrypting an encrypted document to the subtree encryption processing means is provided to the cryptographic processing apparatus. A management means is further provided. With the above configuration, it is possible to perform encryption or decryption on the document information indicated by the definition body information using the designated key.

According to the present invention, in the above cryptographic processing apparatus, the subtree cryptographic processing means searches the tree structure information of the document information according to the tree structure information indicated by the definition body, and encrypts or decrypts the information on the definition body information. Means for encrypting or decrypting a node on the document information corresponding to the node indicating the encryption using a key. With the above configuration, it is possible to proceed with encryption or decryption of the document information indicated by the definition body information according to the tree structure.

According to the present invention, the cryptographic processing apparatus further includes a definition body interpreting means for interpreting a tree structure of the definition body information extracted by the definition body information managing means, wherein the subtree encryption processing means comprises: A node on the document information obtained as a result of comparing the tree structure of the definition body information interpreted by the interpreting means with the tree structure of the document information is used as a means for encrypting or decrypting using the key, A tree structure information holding unit having an area for holding an evaluation result of each node corresponding to the tree structure, a tree structure information holding unit in which an evaluation result is set to a false value as an initial value, and a terminal node of the tree structure being a leaf node; The value of the designated leaf node of the tree structure is compared with the value of the designated leaf node of the tree structure of the document information. If the two match, the true value is sent to the tree structure information holding means as the leaf node evaluation result. Node processing means for recording A node lower than the node to be processed is set as a child node, the evaluation result of the child node including the leaf node is logically synthesized, and the result of the logical synthesis is recorded in the tree structure information holding unit as the evaluation result of the node to be processed. Node node processing means, and the same node as the node constituting the tree structure of the definition body information is searched from the document information, and the branch node processing means is started. A section processing unit that evaluates a subtree document located on a branch and encrypts or decrypts, using a key, partial document information corresponding to a node of the subtree containing only true values, and a section process And a rule processing means for activating the means and executing section processing for all sections. Thereby, a tree structure of the definition body information that describes a conversion rule for converting the document information into document information that restricts disclosure to a user other than the user,
By comparing the tree structure of the document information, all or a part of the document information specified by the definition information can be subjected to encryption processing using the key specified by the definition information.

According to the present invention, in the above-mentioned encryption processing device, the subtree encryption processing means encrypts the input document information by a signal instructing encryption from outside or a signal instructing decryption. It is characterized in that it decides which one of the decryption is to be performed on the decrypted document. With the above configuration, the encryption processing device can be used as either an encryption device that encrypts input document information or a decryption device that decrypts encrypted document information. .

According to the present invention, in the above-mentioned cryptographic processing apparatus, the definition body information includes an element or a value to be subjected to cryptographic processing,
Markup is described in a markup language that includes an identifier specified by a symbol called a tag having the meaning of a tag, and a constraint condition specifying an encryption processing condition for an element or a value specified by the identifier. A cryptographic process is performed on a specified subtree document of document information described in a language.

According to the present invention, in the above cryptographic processing device, the markup language is XML (Extensible markup language).
The cryptographic processing device according to claim 6, wherein ge).

According to the present invention, encryption processing (encryption or decryption thereof) for restricting disclosure to all or a part of document information having a tree structure in accordance with user information to a user other than the user. A cryptographic processing method for converting document information into document information whose disclosure is restricted to anyone other than the user in accordance with given user information and document information.
A process of extracting definition body information having a tree structure corresponding to the document to be decrypted and specifying a position to be encrypted / decrypted by a flag on the tree structure from a definition body information database; 0 indicated by the extracted definition body information
And encrypting or decrypting a specific position part (subtree document) on the tree structure.

According to the present invention, encryption processing (encryption or decryption thereof) for restricting disclosure to all or a part of document information having a tree structure according to user information to users other than the user. Recording medium for recording a program used in a cryptographic processing method for performing the following, according to a given user information and document information, converting the document information into document information that restricts disclosure to a user other than the user. Therefore, it has a tree structure corresponding to the document to be encrypted / decrypted,
A process of extracting definition body information for specifying a position to be decoded by a flag on the tree structure from a definition body information database, and a process of extracting zero or more tree structures indicated by the definition body information extracted by the definition body information management process And a process for encrypting or decrypting a specific position portion (subtree document).

[0014]

Embodiments of the present invention will be described below with reference to the drawings. First, an embodiment of the present invention will be described with reference to FIGS. FIG. 1 is a block diagram illustrating a configuration of a cryptographic processing device according to an embodiment of the present invention. In FIG. 1, reference numeral 1 denotes a subtree document of the input document information according to the specified definition body information.
A subtree encryption processing unit that performs encryption or decryption. Reference numeral 2 denotes a definition body information management unit that extracts definition body information from a definition body information database from document information to be subjected to encryption processing input from outside and user ID information, and specifies a key ID of the definition body information. It is. Reference numeral 3 denotes a definition body information database in which definition body information is recorded in advance corresponding to a document to be subjected to encryption processing. Reference numeral 4 denotes a definition body interpretation processing unit that interprets the tree structure of the specified definition body information. Reference numeral 5 denotes a key management unit that manages a public key required for encrypting a specified subtree document or a secret key required for decrypting the document in association with a key ID.

The subtree encryption processing unit 1 includes a rule processing unit 11, a section processing unit 12, a tree structure information holding unit 13, a branch node processing unit 14, and a leaf node processing unit 15. I have. The rule processing unit 11 corresponds to a plurality of subtree documents desired to be subjected to encryption processing specified in the definition body information provided by the definition body interpretation processing unit 4 and performs section processing until encryption processing of all subtrees is completed. Processing unit 12
And outputs the input subtree as a subtree encrypted document. The section processing unit 12 creates an evaluation result holding unit in the tree structure information holding unit 13 in which a structure recording unit that records a plurality of elements has the same tree structure as the tree structure of the given document information. Further, the same node as the node constituting the tree structure of the definition body information is searched from the document information, the branch node processing unit 14 is started, and after the evaluation of the branch node processing unit 14, the branch below the node is added to the branch node processing unit 14. Evaluate the located subtree document. If the encryption / decryption instruction signal externally instructs encryption, the subtree document corresponding to the leaf node whose true value is recorded in the evaluation result is encrypted. When the encryption / decryption instruction signal externally instructs decryption, the partial tree document corresponding to the leaf node whose true value is recorded in the evaluation result is decrypted. The tree structure information holding unit 13 is a recording unit including a structure recording unit that records a plurality of elements. The tree structure information holding unit 13 logically synthesizes, accumulates and holds the evaluation results of the plurality of subtrees in the branch node processing unit 14. Buffer The branch node processing unit 14 logically synthesizes the evaluation results of the child nodes including the leaf nodes, which are located on the lower branch in the tree structure, and generates the tree structure information holding unit 1.
Record to 3. The leaf node processing unit 15 compares the value of the terminal part of the tree structure of the specified definition body information with the value of the terminal part of the tree structure of the specified document information. The result of the node evaluation is recorded in the tree structure information holding unit 13.

The tree structure information holding unit 13 of the subtree encryption processing unit 1, the definition body information database 3, and the key management unit 5 are each provided with a non-volatile memory such as a hard disk device, a magneto-optical disk device, or a flash memory. Sexual memory,
A read-only recording medium such as a CD-ROM, RA
Volatile memory such as M (Random Access Memory),
Alternatively, it is configured by a computer-readable and writable recording medium by a combination of these.

The rule processing unit 11, the section processing unit 12, and the branch node processing unit 14 of the subtree encryption processing unit 1
, A leaf node processing unit 15 and a definition body information management unit 2
The definition body interpretation processing unit 4 may be realized by dedicated hardware in the subtree encryption processing unit 1, the definition body information management unit 2, and the definition body interpretation processing unit 4, respectively. Further, the function may be realized by loading a program for realizing the function of each unit described above into the memory and executing the program by including a memory and a CPU (Central Processing Unit).

The cryptographic processing device according to the present embodiment includes:
It is assumed that an input device, a display device, and the like (both not shown) are connected as peripheral devices. Here, the input device refers to an input device such as a keyboard and a mouse. The display device refers to a CRT (Cathode Ray Tube) display device, a liquid crystal display device, or the like.

Next, the operation of the embodiment of the present invention will be described with reference to FIGS. First, an XML expression and a tree structure expression of a document to be subjected to encryption processing and definition body information will be described with reference to FIGS. FIG. 2 is a schematic diagram showing an example of a document to be encrypted which will be described in the embodiment. FIG. 3 shows a storage unit for storing an evaluation result of the document to be encrypted which is configured in the tree structure information storage unit 13. FIG. In FIG. 2, <A> and <B> represent one node (seam), and <B> and <B> described between tags represented by the same symbol such as <A> and </A>. The tag of <Cid> represents a branch node or a leaf node located below that node. Also, in FIG. 3, the evaluation result holding unit of the document to be subjected to the encryption processing, which is configured in the tree structure information holding unit, has structure recording units D01 to D20 arranged corresponding to the respective nodes shown in FIG. Is composed. FIG. 4
Is the recorded content of the evaluation result holding unit created in the tree structure information holding unit 13 by the section processing unit 12, and the structure recording unit holds the link to the document to be encrypted and the truth value of the evaluation result. FIG. 5 is a schematic diagram showing an example of definition body information described in the embodiment. In the definition body information,
A block (<se
ction key>). The cryptographic processing device of the present invention provides a tag <section_key for each section.
<C id described between> and </ section>
> Encrypt or decrypt the leaf node under the public key or private key specified by the key ID of the tag. The relationship between the key ID and the key to be used is specified by the recorded contents of the key management unit shown in FIG. Further, the definition body information is represented by, for example, an identifier “*” indicating a part to be encrypted or decrypted, and a constraint describing the encryption processing condition.

Based on the above, the operation of the subtree encryption processing unit 1 will be described with reference to the flowcharts of FIGS. First, the subtree encryption processing unit 1 is provided with the definition body information having the key ID determined from the given user ID information in the form of a tree structure via the definition body interpretation processing unit 4. And It is also assumed that document information has been given in advance. FIG. 7 shows the rule processing unit 1 of the subtree encryption processing unit 1.
3 is a flowchart illustrating the operation of FIG. First, the rule processing unit 11 activates the section processing unit 12 to execute section processing (step S1). When the execution of the section processing for one section is completed, it is determined whether or not all sections have been evaluated (step S2). If the evaluation of all sections has not been completed, the process returns to step S1 to execute the evaluation of the next section (NO in step S2). If all sections have been evaluated (YES in step S2), the encryption processing ends.

FIG. 8 is a flowchart for explaining the operation of the section processing section 12 of the subtree encryption processing section 1. Section processing unit 12 started from rule processing unit 11
First obtains the key ID described in the tag <C id> of the definition body information (step S11). Then, from the key management unit 5, a public key is obtained in the case of encryption, or a key K which is a secret key in the case of decryption is obtained (step S1).
2). Next, an evaluation result holding unit having the same tree structure as the encryption target document shown in FIG. 3 is created in the tree structure information holding unit 13 (step S13). The Boolean value of the created evaluation result holding unit of the tree structure information holding unit 13 is initialized to "False" (step S14). When the initialization of the tree structure information holding unit 13 is completed, <sect>
A child node having the same name as the tag described at the highest level between “ion_key>” and </ section> is searched as one section to be subjected to encryption processing (step S15).
Next, it is determined whether a node corresponding to the document to be encrypted is found (step S16). If the node is not found (NO in step S16), the section processing is terminated without doing anything. I do. If a corresponding node is found in step S16 (YES in step S16), the branch node processing unit 14 is activated to execute branch node processing (step S17). When the branch node processing is completed, the subtree document constituting the section is encrypted or decrypted. The contents of the encryption / decryption instruction signal instructed from the outside are determined (step S18). If the encryption is instructed (YES in step S18), the evaluation result of the node located on the branch below the node is evaluated. Is encrypted using the key K with respect to the document corresponding to the leaf node of the subtree in which is a true value (True) (step S19). If decoding has been instructed in step S18 (N in step S18)
O), decryption is performed using the key K on the document corresponding to the leaf node of the subtree in which the evaluation result of the node located on the branch below the node is a true value (True) (step S2)
0).

FIG. 9 is a flowchart for explaining the operation of the branch node processing unit 14 of the subtree encryption processing unit 1. Branch node processing unit 14 started from section processing unit 12
Creates a boolean value holding unit that holds the boolean value of the child node located below itself in the branch node processing unit 14 (step S21). The true / false value holding units are created in the number corresponding to all types (names) of the child nodes described in the corresponding branch node of the definition body information. The boolean value of the created boolean value holding unit is initialized to "False" (step S2).
2). Next, it is determined whether the child node located below itself is a branch node having more branches below that node, or a leaf node having no value below it and having only a value ( Step S23). If the child node has no value below it and is a leaf node having only a value (NO in step S23), the leaf node processing unit 15 is activated to execute leaf node processing (step S32). .
When the execution of the leaf node processing ends, the result of the leaf node processing is returned to the caller (step S33), and the processing ends.
If the child node is a branch node having a node below it (YES in step S23), branch node processing is further performed (step S24). When the execution of the branch node process called in step S24 is completed, a boolean value corresponding to the type (name) of the currently processed child node is acquired from the boolean value holding unit, and the logical value with the result of the branch node process is obtained. The sum is calculated, and the result is written back to the same true / false value holding unit (step S25). Next, it is determined whether or not all child nodes have been evaluated (step S26). If the evaluation has not been completed for all the child nodes, step S2
3 and evaluate the next child node (step S
26 NO). If the evaluation has been completed for all child nodes (YES in step S26), it is determined whether or not the true / false value holding units of all types (names) of child nodes are “True” (step S27). ). If step S
27, the true / false value holding units of all types (names) of child nodes are "
True "(YES in step S27),
To the corresponding branch node in the tree structure information holding unit 13, “Tru
"e" is set (step S28), and "True" is returned to the caller (step S29), and the process ends.In step S27, one of the true / false value holding units of the child node is set to "False". (Step S
27 (NO), "False" is set to the corresponding branch node (step S30). Then, "F
"alse" is returned (step S31), and the process is terminated. All kinds (names) of the child nodes described in the corresponding branch node of the definition body information and the truth value of the evaluation result of each child node are returned.

(Equation 1) When the child node of the above-mentioned branch node is a branch node having a node further below it, the evaluation processing is expressed by the following equation.

(Equation 2) Here, the logical sum of the above equation corresponds to step S25, and the logical product corresponds to step S27.

FIG. 10 is a flowchart for explaining the operation of the leaf node processing unit 15 of the subtree encryption processing unit 1. Leaf node processing unit 15 started from branch node processing unit 14
First, it is determined whether or not a conditional expression for specifying a value is set at a position corresponding to a leaf node of the definition body information (step S41). If the conditional expression for specifying the value of the leaf node is not set (N in step S41)
O) Assuming that the condition is satisfied, the process passes the judgment step S42 of the conditional expression and proceeds to step S43. If the conditional expression for specifying the value of the leaf node is set (YES in step S41), it is determined whether or not the value of the leaf node satisfies the conditional expression set in the definition information (step S41). S42). If the value of the leaf node does not satisfy the conditional expression (NO in step S42), the Boolean value of the tree structure information holding unit 13 corresponding to the leaf node is set to “Fals
e ”(step S47). After setting the Boolean value of the tree structure information holding unit 13, the calling source is set to“ Fals ”.
e "is returned (step S48), and the processing ends. If the value of the leaf node satisfies the conditional expression (Y in step S42).
ES), it is determined whether or not an identifier is set in the definition body information (step S43). If the identifier is set in step S43 (Y in step S43)
ES), the true / false value of the tree structure information holding unit 13 corresponding to the subtree below the corresponding leaf node is set to “True” (step S44). Next, when the truth value of the tree structure information holding unit 13 is set, “True” is returned to the caller (step S45), and the processing ends. If the identifier is not set in step S43 (NO in step S43), the true / false value of the tree structure information holding unit 13 corresponding to the corresponding leaf node is set to “True” (step S4).
6). Next, after setting the truth value of the tree structure information holding unit 13, "True" is returned to the caller (step S
45) End.

As described above, the rule processing unit 11 to the section processing unit 12, the section processing unit 12 to the branch node processing unit 14, the branch node processing unit 14 to the branch node processing unit 14, or the leaf node processing unit 15 Each section tree is activated, the specified subtree is evaluated, and the evaluation result is returned to the caller. When the operation of the section processing unit is completed once, a group of subtree documents to be subjected to cryptographic processing is extracted from the document to be cryptographically processed. (Section) encrypted documents,
Or a decrypted document is obtained. In the rule processing, the encryption or decryption of the document to be encrypted is repeated by the number of sections specified in the definition body information. FIG. 11 shows an example of an encrypted document obtained from the document to be encrypted shown in FIG. In the above description, for the sake of simplicity, the portion that performs encryption or decryption has a true value (Tru) as a result of evaluation of a node located on a branch below the processing target node.
e) is a leaf node of the subtree, but encryption or decryption is performed on all subtrees whose evaluation result of a node located on a branch below the processing target node is a true value (True). The partial document information to be encrypted or decrypted is not limited to leaf nodes.

Next, an embodiment using the cryptographic processing apparatus described in the above embodiment will be described with reference to FIGS.
3 will be described. This embodiment describes a case where information is distributed and distributed between a plurality of companies using the cryptographic processing device of the present invention. FIG. 12 is a schematic diagram illustrating an example of the present embodiment. In FIG.
Is an information distribution side using a cryptographic processing device. Sign 2
Reference numeral 11 denotes a key management unit of the cryptographic processing device. In the key management unit, a public key created in advance by the information receiving side is recorded in association with the key ID described in the definition body information. In FIG. 12B, reference numeral 22 denotes a company B on the information receiving side using the cryptographic processing device, and reference numeral 23 denotes a company C on the information receiving side using the cryptographic processing device. Reference numeral 221 denotes a key management unit B of the cryptographic processing device, which manages a secret key of the company B. Reference numeral 231 denotes a key management unit C of the cryptographic processing device, which manages a secret key of the company C.

Now, the information is distributed to the cryptographic processing unit 21 by the company B and the company C to which the document information and the information are distributed.
When the ID is input and the encryption is instructed, the key ID specified from the ID information of the company B or the company C is used for “% USER_NAME%” of the definition body information shown in FIG.
The input document is encrypted. In the encryption process, the public key corresponding to the key ID of each company is obtained from the key management unit 211, and the public key corresponding to each of the company B and the company C To obtain an encrypted document. Next, when the company B, which is the information receiving side, inputs the encrypted document and the ID information of the company B to the encryption processing device B22 and issues a decryption instruction, the definition body information shown in FIG. Then, the input encrypted document is decrypted. In the definition body information shown in FIG. 13A, the key ID of the company B is specified by the input ID information of the company B, and the key management unit B22
1, the private key of the company B is obtained, and a decrypted document obtained by decrypting the individual subtree document for the company B is obtained. Similarly, in the company C on the information receiving side, the encryption processing device C2
When the encrypted document and the ID information of the company C are input to 3 and a decryption instruction is issued, the input encrypted document is decrypted using the definition body information shown in FIG. FIG.
In the definition body information shown in FIG.
The information specifies the key ID of the company C, obtains the secret key of the company C from the key management unit C231, and obtains a decrypted document obtained by decrypting the individual subtree document for the company C.

Each of the cryptographic processing apparatuses described in the above embodiments and the cryptographic processing apparatuses, the cryptographic processing apparatuses B and C described in the embodiments has a program for realizing its function. The functions of the above-described devices may be realized by recording the program on a computer-readable recording medium and causing the computer system to read and execute the program recorded on the recording medium.

Here, the “computer system” includes an OS and hardware such as peripheral devices.
If a WW (World Wide Web) system is used, a homepage providing environment (or display environment) is also included. The "computer-readable recording medium" is a floppy (registered trademark) disk, a magneto-optical disk, a ROM, a CD-ROM.
And a storage device such as a hard disk built in a computer system. Further, a “computer-readable recording medium” refers to a medium that dynamically stores a program for a short time, such as when a program is transmitted through a computer network such as the Internet or a communication line such as a telephone line. (Transmission medium or transmission wave), in which case a program holding a program for a certain period of time, such as a volatile memory in a computer system serving as a server or a client, is also included.

Further, the above-mentioned program may be for realizing a part of the above-mentioned functions, and may be for realizing the above-mentioned functions in combination with a program already stored in the computer system, so-called, It may be a difference file (difference program).

In the above-described embodiment, a program recorded on the "computer-readable medium" is distributed / distributed together with the encrypted document between the companies, whereby a document distribution / distribution system between the companies is provided. May be constructed.

[0031]

As described above, according to the present invention, encryption processing (encryption processing) for restricting disclosure to all or a part of document information having a tree structure according to information of a user other than the user. The subtree cryptographic processing means included in the cryptographic processing device that performs the encryption or decryption thereof has an area for holding the evaluation result of each node corresponding to the tree structure of the document information, and the evaluation result is set to false as an initial value. A tree structure information holding unit having a set value, a leaf node at a terminal node of the tree structure, and a value of a designated leaf node of the tree structure of the definition body information and a value of a designated leaf node of the tree structure of the document information And a leaf node processing unit that records a true value in the tree structure information holding unit as a leaf node evaluation result when both match, and a node lower than the processing target node is set as a child node. Evaluation of child nodes containing Node processing means for logically synthesizing the result, and recording the result of the logical synthesis in the tree structure information holding means as an evaluation result of the node to be processed, and the same node as the node constituting the tree structure of the definition body information as a document Retrieve from information, activate branch node processing means, and after completion of evaluation by the branch node processing means, evaluate subtree documents located in branches below the node and correspond to nodes of subtrees containing only true values Section processing means for encrypting or decrypting a document obtained by using a designated key, and rule processing means for activating the section processing means and executing section processing for all sections. Was. This allows
Compares the tree structure of the definition information with the conversion rule for converting the document information into document information that restricts disclosure to anyone other than the user, and the document information specified by the definition information by comparing the tree structure of the document information Can be subjected to encryption processing on all or a part of the key by the key specified by the definition body information.

Further, according to the present invention, in the above-mentioned cryptographic processing apparatus, the subtree cryptographic processing means performs encryption on the input document information by a signal for instructing encryption from outside or a signal for instructing decryption. It is configured to determine which of the decryption of the encrypted document is to be executed.
This makes it possible to use the encryption processing device as either an encryption device that encrypts input document information or a decryption device that decrypts encrypted document information. Therefore, when the document information of the part related to the subject in the document information having the tree structure described in XML or the like is accessed and the encryption process is performed, the access control mechanism, which is a conventional problem, is added to the document. This eliminates the need to write a program according to each structure, and eliminates the need to set access rights for each element (node) of the tree structure. The access control can be performed on an element-by-element basis, so that only a portion of the document that satisfies a specific condition can be accessed and encrypted or decrypted.

[0033]

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a configuration of an embodiment of the present invention.

FIG. 2 is a schematic diagram showing an example of an encryption target document described in the embodiment.

FIG. 3 is a schematic diagram for explaining an evaluation result holding unit for a document to be encrypted, which is configured in a tree structure information holding unit.

FIG. 4 is a schematic diagram illustrating an example of recorded contents of an evaluation result holding unit.

FIG. 5 is a schematic diagram showing an example of definition body information described in the embodiment.

FIG. 6 is a schematic diagram illustrating an example of recorded contents of a key management unit.

FIG. 7 is a flowchart illustrating an operation of a rule processing unit according to the embodiment.

FIG. 8 is a flowchart illustrating an operation of a section processing unit according to the embodiment.

FIG. 9 is a flowchart illustrating an operation of a branch node processing unit according to the embodiment;

FIG. 10 is a flowchart illustrating an operation of a leaf node processing unit according to the embodiment.

FIG. 11 is a schematic diagram showing an example of an encrypted document described in the embodiment.

FIG. 12 is a schematic diagram illustrating an example of the same embodiment.

FIG. 13 is a schematic diagram illustrating definition body information on the information receiving side described in the embodiment.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 Subtree encryption processing part 2 Definition body information management part 3 Definition body information database 4 Definition body interpretation processing part 5 Key management part 11 Rule processing part 12 Section processing part 13 Tree structure information holding part 14 Branch node processing part 15 Leaf node processing Unit 21 cryptographic processing device 22 cryptographic processing device B 23 cryptographic processing device C 211 key management unit 221 key management unit B 231 key management unit C

 ────────────────────────────────────────────────── ─── Continuing from the front page (72) Inventor Shuichiro Yamamoto 2-3-1 Otemachi, Chiyoda-ku, Tokyo F-term in Nippon Telegraph and Telephone Corporation (reference) 5B009 TB13 5B017 AA03 BA07 CA15 CA16 5B082 EA11 GA11 5J104 AA16 AA33 AA37 CA02 DA02 EA04 EA26 NA02 NA05 PA14

Claims (9)

[Claims] 1. An encryption process (encryption or decryption thereof) for restricting disclosure to a user other than the user according to the information of the user, on all or a part of the document information having a tree structure. A cryptographic processing apparatus, which converts a document according to a given user information and the document information into document information whose disclosure is restricted to a user other than the user. A definition body information management unit that extracts from a definition body information database definition body information that specifies a position to be encrypted / decrypted by a flag on the tree structure, and that has been extracted by the definition body information management unit. Encryption processing means for encrypting or decrypting a specific position part (subtree document) in the zero or more tree structure indicated by the definition body information. apparatus. 2. The apparatus according to claim 1, further comprising a key management unit for designating a key required for encryption or a key required for decrypting an encrypted document. The cryptographic processing device according to claim 1, wherein: 3. The subtree encryption processing means searches for tree structure information of the document information according to the tree structure information indicated by the definition field, and searches the node indicating encryption or decryption on the definition field information. 3. The apparatus according to claim 2, further comprising means for encrypting or decrypting a node on the corresponding document information using the key. 4. The cryptographic processing apparatus further comprises: a definition body interpreting means for interpreting a tree structure of the definition body information extracted by the definition body information managing means; Means for encrypting or decrypting a node on the document information obtained as a result of comparing the tree structure of the definition body information interpreted by the definition body interpreting means with the tree structure of the document information using the key A tree structure information holding unit in which an evaluation result of each node is held in correspondence with the tree structure of the document information, and a tree structure information holding unit in which the evaluation result is set to a false value as an initial value; Comparing the value of the designated leaf node in the tree structure of the definition information with the value of the designated leaf node in the tree structure of the document information; As a result the tree structure Leaf node processing means for recording a true value in the report holding means; a node lower than the node to be processed as a child node; logically synthesizing the evaluation results of the child nodes including the leaf node; A branch node processing unit that records in the tree structure information holding unit as an evaluation result of a node to be processed; and a branch node that searches the same node as a node configuring the tree structure of the definition body information from the document information. After the processing means is started and the evaluation of the branch node processing means is completed, the subtree document located on the branch below the node is evaluated, and the partial document information corresponding to the node of the subtree including only the true value is evaluated. ,
Section processing means for performing encryption or decryption using the key; and rule processing means for activating the section processing means and executing the section processing for all sections. The cryptographic processing device according to claim 3. 5. The subtree encryption processing means encrypts input document information and decrypts an encrypted document by a signal instructing encryption from outside or a signal instructing decryption. 5. The method according to claim 1, further comprising determining which of the following is executed.
The cryptographic processing device according to any one of the above. 6. The definition body information includes: an identifier for specifying an element or a value to be subjected to encryption processing by a symbol called a tag having a tag meaning; and an element or value specified by the identifier. 2. A description is given in a markup language including: a constraint condition for specifying a condition for encryption processing; and performing encryption processing on a specified subtree document of the document information described in markup language. The cryptographic processing device according to claim 5. 7. The apparatus according to claim 6, wherein the markup language is XML (Extensible markup language). 8. An encryption process (encryption or decryption thereof) for restricting disclosure to all or a part of document information having a tree structure according to information of a user in accordance with the information of the user. An encryption processing method, according to a given user information and said document information, for converting said document information into document information whose disclosure is restricted to other users, corresponding to a document to be encrypted / decrypted. Extracting, from a definition body information database, definition body information that specifies a position to be encrypted / decrypted by a flag on the tree structure; and the definition body extracted in the definition body information management process. A process of encrypting or decrypting a specific position part (subtree document) on the tree structure of zero or more indicated by the information. 9. All or a part of document information having a tree structure is subjected to an encryption process (encryption or decryption thereof) for restricting disclosure to a user other than the user according to information of the user. A recording medium recording a program used for an encryption processing method, wherein the program converts the document information into document information that restricts disclosure to a user other than the user according to given user information and the document information. A tree structure corresponding to the document to be encrypted / decrypted, and a process of extracting definition body information specifying a position to be encrypted / decrypted by a flag on the tree structure from a definition body information database; Encrypting or decrypting a specific position part (subtree document) on the zero or more tree structure indicated by the definition body information extracted in the definition body information management processing, by a computer. A computer-readable recording medium to be executed.