JP2002297606A - Method and system for access to database enabling concealment of inquiry contents - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method and a system for database access which enable a user to use information providing service while concealing a desired retrieval condition to be concealed. SOLUTION: A data relay server 100 connected between a client computer 10 and a database server 119 generates an inquiry message by ciphering a retrieval condition specified by the client computer and sends the message to the database server. The database server ciphers a specific data item that the retrieval condition read out of the database 126 specifies, retrieves service information meeting the retrieval condition by matching ciphered data against one another, and sends the retrieval result as an answer to the data relay server.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and system for accessing a database, and more particularly, to a database in which the contents of a query for data retrieval given from a user or an application program can be hidden from a database administrator. The present invention relates to an access method and a data search system, particularly to a data relay server and a database server system.

[0002]

2. Description of the Related Art With the advancement and spread of network technologies such as the Internet, many computers have been connected to networks. Along with this, an information providing service for providing various information to a user via a network has been widely used. For example, a patent information search service and a gene sequence information search service are good examples.

[0003] Users who use these information providing services are provided by various computers (terminals) via a network.
Access a computer that provides information services. In the following description, a computer (terminal) operated by a user is called a client computer, and a computer that provides an information service is called a server computer or a DB server. At present, workstations, personal computers, small portable terminals and mobile phones are used as client computers, and mainframes and UNIs are used as server computers.
X (registered trademark) servers and PC servers are often used.

[0004] In accessing the information providing service described above, each user uses dedicated software or a WEB browser on the client computer. On the other hand, data management and retrieval on a server computer that provides an information service is performed by a database management system (hereinafter, DBMS).
It is usually done by

In accessing an information providing service,
For example, when searching for gene sequence information or patent information,
It is desirable for the user to be able to hide who accessed the information under what conditions, that is, to maintain the anonymity of the access and the confidentiality of the search content. This is because, in gene sequence search and patent keyword search, the conditions specified in the query are subject to confidentiality. Therefore, performing information search while concealing these confidentialities will promote product development and R & D. It is important above.

In the conventional security technology, for example,
(1) Protection of communication information against eavesdropping on the network, (2) User authentication on the server side to prevent unauthorized access, and the like are realized.

[0007] The security can be realized by, for example, using an encryption protocol such as SSL (Secure Socket Layer) between a client computer and a server computer that communicate with each other, or as shown in FIG. From the computer 10, the encrypted query 2
02 to the server computer 205 which provides the information service via the network 203, and
In 5, the encrypted inquiry 202 received by the network interface unit 206 is sent to the inquiry decryption unit 210, and the encrypted inquiry is decrypted by the inquiry decryption unit 210.
A method is known in which the DBMS 208 searches the database 211 according to the decrypted query condition.
The search result 207 is encrypted if necessary, and then the network interface 206 and the network
3 and is returned to the client computer 10.

However, in the conventional method described above,
Although the query content 202 is transmitted in an encrypted state on the network, the search process is executed in the server computer 205 in a state where the query content is decrypted. It is not hidden from the server computer. For this reason, there is a risk that search contents, which are confidential information, may leak to a malicious server-side administrator. In other words, in conventional database access via a network, the security of information is guaranteed on the assumption that the server can be trusted. If the search conditions specified in the query are subject to confidentiality, these confidential It has been difficult to perform a search while hiding it from others other than the user.

Japanese Patent Application Laid-Open No. H11-259512 discloses a "data search system" (Reference 1). In response to a query condition input by a user, (1) a condition relating to a confidential item registered in advance is deleted, and (2) Using the inclusion relation (concept hierarchy) of the condition value, the condition value is replaced with a similar word or a broader concept word, (3) the input search condition is divided, and (4) the data search device and the data search server A system is provided in which a proxy server installed in the server is made to perform access to the data search server, thereby protecting the confidential information such as the location of the user and search conditions from the history data of the database trace of the search server.

According to the conventional technique disclosed in the above-mentioned document 1, a part of the user's confidential information can be hidden from the server, but there is a problem that the search condition is acquired by the server. In a field where it is difficult to replace the value of a search condition such as a person's name or a gene sequence with another term due to the inclusion relation, there is a problem that the search condition cannot be sufficiently hidden.

In the "Basic Resident Register File System" of Japanese Patent Application Laid-Open No. 64-14665 (Reference 2), when the basic resident register data is input, the basic resident register data is encrypted and the encrypted data is stored in a data file. This prevents a malicious party from accessing the resident register file and acquiring personal information. In the related art disclosed in the above-mentioned Reference 2, when matching the registration data of the resident register file with the inquiry data of the user, the encrypted data stored in the data file is decrypted. It is not hidden on the server side. Therefore, there is a problem that if the server administrator has malicious intent, the contents of the inquiry will be known.

In Japanese Patent Application Laid-Open No. 11-272681, "Personal Information Recording Method and Recording Medium" (Reference 3), the retrieval processing efficiency associated with data decryption is reduced with respect to the method of Reference 2, and the encryption method is used. Understand that there is a problem that some search conditions may not be available, and (1)
A basic information file for storing basic data items,
The data is divided into attribute information files for storing other data, (2) a special code for associating the two files with each other is used as a personal code for specifying personal information, and There has been proposed a method for recording personal information that does not require encrypting the entire file data by encrypting the personal code. However,
In this conventional technique, similarly to the technique of Reference 2, since the search condition specified by the user is not encrypted, there is a risk that the above condition is leaked on the server side.

US Pat. No. 5,963,642, “METHOD AND APPARA
TUS FOR SECURE STORAGE OF DATA ”(Reference 4) converts the data stored in the database into bitmaps,
The user's query is converted to a similar bitmap and searched, so that the search is performed without decoding the query. However, in the conventional technique disclosed in the above-mentioned Document 4, it is necessary to encode all the data stored in the server into a bitmap in advance, and it is difficult to apply this method to an existing database. .

[0014]

As described above, according to the prior art, when using an information providing service running on a server computer from a client computer via a network, the user inputs data at the client computer. It was difficult to receive an information service while hiding the confidential search conditions.

[0015] A first object of the present invention is to provide a database access method and system that can use an information providing service while hiding a search condition that a user wants to keep confidential. A second object of the present invention is to provide a protocol that can provide an information service while hiding information search conditions. Further, a third object of the present invention is to provide a data relay server and a database search server capable of concealing search conditions that a user wants to protect and realizing an information providing service.

[0016]

In order to achieve the above object, according to the present invention, an encryption query in which a data item to be concealed included in a search condition is encrypted is transmitted to a server computer. The data search is performed by encrypted data matching while decrypting the search target data in the same manner as the secret data item without decrypting the encrypted search condition.

Another feature of the present invention is that a query input by a user is concatenated with another query, query conversion such as dividing one query into a plurality of queries is performed, and the converted query is transmitted to a DB server. The transmission is to change the correspondence between the content of the query remaining as history data in the DB server and the query content input by the user.

The query conversion is performed by a data relay server connected between the client computer and the DB server. For example, when one query is divided into a first query and a second query, the first query is D from the first data relay server that has received the query from the client computer.
The second inquiry transmitted to the B server is transmitted to the DB server via the second data relay server operating in cooperation with the first data relay server. In this case, the search result for the second query is transferred to the first data relay server via the second data relay server. In addition to the encryption of the search condition, the conversion of the content of the inquiry and the distribution of the request source of the inquiry to the DB server in this way make it difficult for the DB server administrator to analyze the user confidential information.

[0019]

DESCRIPTION OF THE PREFERRED EMBODIMENTS A computer network system for realizing an information providing service according to the present invention comprises at least one client computer (hereinafter, referred to as a client) for receiving a data search request (query) from a user, and a search request from a client. At least one server computer (hereinafter, referred to as a DB server) for searching a database for an information service in accordance with
It comprises a network for connecting to the B server, and at least one data relay server that is located between the client and the DB server and that modifies a search request from the client and transfers it to the DB server.

The basic configuration of the data relay server is as follows:
A query analysis unit for analyzing a query from the client,
An encrypted query generation unit for encrypting a part of the analyzed query; an encryption program generation unit for generating an encryption program for reading data from the database by the DB server and encrypting data of a specific attribute; A query message generation unit for generating a query message including a query and adding an encryption program as necessary, and transmitting the query message to an appropriate DB server; And a search result processing unit for performing a search again and an integration process of a plurality of search results.

The data relay server converts a plurality of queries output from the query analysis unit into one combined query, and converts one query output from the query analysis unit into cooperation with the data relay server. And a query conversion unit that converts the data into a plurality of distribution queries in order to distribute to a plurality of data relay servers. Further, the data relay server includes: a cache database for holding a part of the database storage data of the DB server as a copy;
A search execution unit that searches for data in the cache database in response to an inquiry from the client.

A DB server to which the present invention is applied includes a database for holding data to be provided to a user, and a data management and management system for managing the database and receiving an inquiry.
It includes a search unit and a data access unit that reads data from the database according to the content of the inquiry. The data management search unit passes the encrypted program received from the data relay server or the encrypted program server to the data access unit when a part of the search condition indicated by the received query is encrypted. In this case, the data access unit reads out the stored data having the attribute corresponding to the encrypted search condition while encrypting the data, thereby detecting the match with the search condition by encrypted data matching.

FIG. 1 shows an embodiment of a computer network system according to the present invention. In FIG. 1, the client computers 10 (10A and 10B) are connected to the data relay server 100-1 via the network 21.
The data relay server 100-1 is connected to another data relay server 100-2 which cooperates with each other via the network 22.
These data relay servers are connected to the BD server 11 via the network 23. Like the data relay server 100-1, the data relay server 100-2 is connected to a plurality of client computers (not shown). The network 21 is, for example,
Ethernet, optical fiber or FDDI
Local area network (LAN) connected by
Alternatively, a wide area network (WAN) including the Internet, which is slower than a LAN, may be used.

Normally, the user operates the client computer 10
Since a query is issued to the database system using the dedicated program or browser running on the above and the result of the above query is obtained, in the following description, the issuer of the query and the destination of the final result will be described. It is assumed that the client computer 10 is used.

The client computer 10 is, for example,
Personal computers such as HitachiFLORA of Hitachi, Ltd. and Hitac of Hitachi, Ltd.
An arbitrary computer system such as a hi3500 workstation, a portable terminal such as Persona of Hitachi, Ltd., or a portable telephone having an inquiry interface may be used.

Further, the data relay servers 100-1 and 100-2 to which the client computers are connected and the DB server 119 for providing the information providing service are provided by an arbitrary computer system such as a Hitachi 3500 workstation of Hitachi, Ltd. Composed of
Further, the data management search unit 124 operating for the information providing service on the DB server 119 is, for example,
General purpose database management system (DBMS) products such as Hitachi HiRDB, Oracle's Oracle8, and IBM's DB2 can be used.

Data relay server 100-1, 100-2
A network 22 that connects them, and a network 23 that connects these data relay servers and the DB server 119,
For example, a local area network (LAN) connected by Ethernet, optical fiber, or FDDI, or a wide area network (WAN) including the Internet, which is slower than the LAN, may be used.

Here, the networks 21, 22, 23
Are independent networks, but these may be the same network. Two client computers are connected to the data relay server 100-1, but the number of client computers is arbitrary.
Further, the number of data relay servers connected to the network 22 is also arbitrary.

In this embodiment, a case is considered in which the client computer cannot be equipped with an extra processing capacity due to the limitation of the storage device capacity, calculation capacity or battery capacity, such as a small portable terminal or a mobile phone. Although the data relay server is arranged between the client computer and the DB server, some or all of the functions of the data relay server described below may be provided in the client computer.

According to the present invention, the inquiry message 103 issued from the client 10A (or 10B) is received by the data relay server 100-1, and after encrypting a part of the search condition, the encrypted inquiry 115 The data is transferred to the server 119. At this time, the encryption program 116 is generated in the data relay server 100-1 as needed, and transferred to the DB server 119 together with the encryption inquiry 115.

The DB server 119 comprises a network interface 120 connected to the network 23, a data management search unit 124, and a database 126.
A data search is performed in response to the inquiry 115, and a response message 118 indicating the search result is sent to the data relay server 10.
Send to 0-1. The data relay server 100-1 performs predetermined processing on the search result indicated by the response message 118, and transmits the result to the requesting client computer 10A as the search result 104 corresponding to the inquiry 103.

FIG. 2 is a block diagram showing a detailed configuration of the data relay server 100-1, and FIG. The inquiry message 103 issued from the client computer includes a client ID 11, a security priority 12, and an inquiry content 13 in a data portion, and a predetermined header information determined by a communication protocol of the network 21 is added thereto. It has become.

The query content 13 is, for example, an attribute (data item name) 13S of data to be selected from the database.
, File name 13F to be accessed, and search condition 13
W. The search condition 13W includes a plurality of definitions 13w-1 to 13W- in order to specify a data entry to be searched.
n and confidential display 13E-1 prepared corresponding to each definition
To 13E-n.

The query 103 issued by the client computer 10A is received by the network interface 101 and analyzed by the query analysis unit 106, and the cache database 1 of the data relay server 100-1 is provided.
It is determined whether search processing is possible with the stored data of 28. For the analysis and determination, see, for example,
A method using a partial replica disclosed in Japanese Patent Application No. 09758 (Japanese Patent Application No. 11-285164) may be applied.

If a search process can be performed on the data stored in the cache database 128, the search unit 113 searches the cache database 128 for data that matches the search conditions. The search result is stored in the search result processing unit 111
The message is edited into a response message, and transmitted to the requesting client computer via the network interface 101. If there is no cache database in the data relay server 100-1, or if it is determined that the inquiry cannot be answered with the data stored in the cache database, the inquiry message 103 is sent to the inquiry conversion unit 107.

The operation of the inquiry conversion unit 107 will be described with reference to the flowchart of FIG. After receiving the query (step 602), the query conversion unit 107 determines whether or not to perform query concatenation (step 603). Query concatenation refers to a process for concatenating a plurality of queries and converting them into one query in order to keep the contents of the query confidential, and is not only a query issued from the same client computer but also issued from a different client computer. The inquired query is also subject to consolidation.

For example, the data provided by the information providing system on the DB server 119 is the savings amount of the customer, and the data is stored in the database 126 in correspondence with the customer ID 802 as shown in FIG. It is assumed that a savings balance table 801 indicating the bank branch name 803 in which is stored and the savings amount 804 is stored.

Now, an inquiry Q1 (805) shown in FIG. 7B is issued from the client computer 10A, and an inquiry Q2 shown in FIG. 7C is issued from the client computer 10B.
It is assumed that (806) has been issued. In this case, Q1 and Q2
7D, for example, as shown by 807 in FIG. 7D, the selection target item (attribute) of Q1 {customer ID, branch, savings amount} and the selection target item of Q2 {customer I
D, the savings amount}, which is the union of {customer ID, branch, savings amount}, is selected, and the search condition of the inquiry Q1 {savings amount> = 1,000,000} and the search condition of the inquiry Q2 {savings amount <
= 10,000} as the search condition. Whether or not to perform the inquiry connection is determined based on whether or not another inquiry message that can be connected has been received.

After the necessity determination of the query connection, it is determined whether or not the query distribution is performed (steps 604 and 605). The query distribution is to divide one query into a plurality of queries in order to hide the relationship between the user who issued the query and the content of the query from the data providing system on the DB server 119 side,
This means that an inquiry is transmitted to the DB server 119 from a plurality of data relay servers cooperating with each other.

For example, the connection query 807 shown in FIG.
It is assumed that 0-2 cooperates with the data relay server 100-1 to transfer the distribution inquiry message to the DB server 119. In this case, the query 807 is divided into, for example, a distribution query DQ1 (808) shown in FIG. 7E and a distribution query DQ2 (809) shown in FIG. 100-1 to DB
The data is transmitted to the server 119, and the distribution inquiry DQ2 is transmitted to the DB server 119 via the data relay server 100-2.

In this way, among the search results for the inquiry 807, the record in which branch = Shinjuku is
The data relay server 100-1 receives the response as a response to the distribution inquiry DQ1, and records other than that are received as a response to the distribution inquiry DQ2.
2 and transferred to the data relay server 100-1. By dividing one query into a plurality of distribution queries in this way, it is possible to hide the search condition and issue source indicated by the query 807 from the information providing system running on the DB server 119.

Inquiries to be distributed may be those before connection. The necessity of query distribution is determined based on the security priority 12 of the received query message 103. If the security priority 12 does not instruct concealment of the query, the query distribution is not performed.

When both the query concatenation and the query distribution are performed (the determination results in steps 603 and 604 are Yes), the query conversion unit 107 generates a concatenation / distribution query (step 607), and performs the search management shown in FIG. After registering a new entry in the table 114 (step 610), the query conversion process ends.

When the query is linked but the query distribution is not performed (No in step 604), a linked query is generated (step 606), and then step 610 is performed.
Execute No query concatenation (step 603 is N
o), perform only query distribution (step 605 is Ye)
In the case of s), after generating a distribution inquiry (step 608), step 610 is executed. When neither query concatenation nor query distribution is performed (No in Step 605), Step 610 is executed without performing query conversion.

As shown in FIG. 5, in the search management table 114, a plurality of entries EN-1, EN-2,... Corresponding to the inquiry message received or transmitted by the data relay server 100-1.・ Is registered. Each entry includes a client ID 1141, original query content 1142, and converted query content 1143.
And a conversion type 1144 that indicates the type of query conversion, and 1 that indicates whether the relationship between the search definition encrypted by the encrypted query generation unit 108 described below and the original search definition is 1: 1. 1: 1 conversion flag.

When two inquiry messages M1 and M2 are linked, the entry EN corresponding to the message M1
-1 and an entry EN-2 corresponding to the message M2
Contain the same content in field 1143. The content of one inquiry message M1 is two messages m1, m
2, the two entries EN-1 and EN-2 including the same contents are generated in the field 1142, the message m1 is stored in the field 1143 of the entry EN-1, and the message m1 is stored in the field 1143 of the entry EN-2. Is set to the message m2.

When the distribution inquiry message is received from another data relay server 100-2, for example, the client ID included in the received message and the transmission source (data relay server 100-
The relationship with the address in 2) is stored in a transfer message management table (not shown).

Returning to FIG. 2, the query processed by query converter 107 is transferred to encrypted query generator 108, and a part of the query content is encrypted. If a new encryption method for the DB server is used to encrypt the above inquiry, the encryption program generation unit 109
Thus, an encryption program corresponding to the encryption method is generated. The encrypted query and the encrypted program are edited by the query message generator 110 into an encrypted query message addressed to the DB server 119.
The encryption inquiry message is transmitted to the network 23 via the network
The B server 119 receives it.

The operations of the encrypted query generator 108 and the encrypted program generator 109 will be described with reference to FIGS. 8, 9 and 10. The encrypted query generation unit 108
As shown in (3), when an inquiry message is received from the inquiry conversion unit 107 (step 402), it is determined whether or not there is an item to be concealed in the inquiry condition (step 403). The client 10
3 can be determined by checking the confidential displays 13E-1 to 13E-n provided for each search definition in the inquiry message 103 of FIG. 3 received from (10A, 10B).

If the concealment target item does not exist, the process of the encrypted query generation unit 108 ends without encrypting the query and generating the encrypted program. If there is an item to be concealed, the data indicated by the condition definition 13W-i specified in the concealment display 13E-i is transferred to a predetermined encryption function fe.
An encryption query including the encrypted data and the encryption function is generated according to () (step 404).

For example, the DB server 119 stores the gene sequence table 901 shown in FIG.
It is assumed that the encrypted query generation unit 108 receives the query message Q3 (905) including the array structure = 'atcg' as a search condition, as shown in FIG. 9B. The array structure = 'atcg' is described in the first condition definition 13W-1 of the inquiry message Q3.
If the concealment display 13E-1 instructs the concealment of the condition definition 13W-1, the data "atcg" is the concealment target item.

In this case, in step 404, the data “atcg” designated as the item to be concealed is encrypted with a predetermined encryption function fe (). For example, as shown in FIG. An encryption query Q4 in which “$ 2aSzE” is used as a search condition and “array structure” is added as a new data item to the acquisition target data specified in the SELECT statement
(906) is generated. This is because the data value before encryption “atcg” and the data value after encryption “$ 2aSzE”
Are not guaranteed to have a 1: 1 relationship,
For the search result received from the B server, the data relay server side uses the array structure = “atcg” as a search condition,
This is because it is necessary to search again.

When the search condition to be concealed includes “=” (equals condition) or “≠” (not equals), the original data value can be converted by an arbitrary encryption function. However, when the search condition to be concealed includes an inequality sign such as “<”, “≦”, “>”, or “≧”, it is necessary to use an encryption method capable of maintaining the magnitude relation.

Encrypt search conditions (generate encrypted query)
If so, it is determined whether or not encryption program generation is necessary (step 405). Data relay server 100-1
Uses an existing encryption program registered in the encryption program server 129, or
If the encryption program used in step 04 has already been notified to the DB server, it is not necessary to generate the encryption program. In this case, the process proceeds to step 407 without generating an encryption program.

If it is necessary to notify the DB server of the encryption program, an encryption program is generated in cooperation with the encryption program generation unit 109 (step 406), and then step 407 is executed. In step 407,
A flag indicating whether 1: 1 conversion is performed, that is, whether data before encryption and data after encryption have a 1: 1 relationship is set in a 1: 1 conversion flag field 1145 of the search management table 114. Record the value.

The encryption program will be described with reference to FIG. The concealment target item (concealment target attribute) is Tc, the function used for encryption is fe (), and the data value before encryption is v
b, if the data value after encryption is expressed as va, the conversion of the query condition by encryption is schematically shown in FIG. At this time, the encryption program generated by the encryption program generation unit 109 is used by the data access unit 125 included in the data management search unit (DBMS) 124 of the DB server 119, and the encryption function fe ()
Is a program for performing data conversion processing corresponding to.

The above-mentioned encryption program is stored in the DBMS 124
However, for example, like HiRDB of Hitachi, Ltd.,
If it has a plug-in interface, a program that satisfies the above interface specifications may be used. Further, when the DBMS has an execution engine of a programming language included therein, a program described in the above programming language may be used.

Returning to FIG. 2, encrypted query generation unit 108
Transmits a query message in which a part of the search condition is encrypted and the acquisition target data item is changed as necessary, together with the function identifier (encryption program identifier) applied to the encryption, to the DB inquiry message generation unit 110. . If the search condition is not encrypted, the inquiry message received from the inquiry conversion unit 107 is passed to the DB inquiry message generation unit 110. When the encryption program is generated, the encryption program
The encrypted program is passed to the inquiry message generator 110.

Based on the data received from encrypted query generator 108, DB query message generator 110
For example, as shown in FIG.
D: an inquiry message (DB inquiry message) 115 addressed to the DB server 119 including the inquiry contents 14 and the encrypted function identifier 15 and the encrypted function identifier 15 is created, and the DB server 119 is transmitted via the network interface unit 112. To send to. When the encryption program has been generated, the DB inquiry message 115 includes the encryption program 1
6 is added.

If the received message from the encrypted inquiry generating unit 108 has the same client ID as the immediately preceding received message, the DB inquiry message generating unit 110 determines that this is a message for distribution inquiry and is designated in advance. Is transmitted to the associated cooperative server, for example, the data relay server 100-2.

Next, an inquiry process performed by the DB server 119 will be described with reference to FIGS. DB
In the server 119, the network interface unit 12
0, the DB inquiry message 115 received by the DBMS
Analysis is performed by 124 (step 502), and if the DB inquiry message includes the encryption program 16, this is set in the data access unit 125.

The DBMS 124 stores the data corresponding to the encrypted search condition in the DB inquiry message 115 as follows:
It is checked on the DB server 119 side (database 126) whether or not the data exists as encrypted data that can be compared with the search condition (step 505).

If the encrypted data already exists, the DB
The MS 124 instructs the data access unit 125 to read the concealment target item indicated by the search condition of the DB inquiry message, and executes the data search processing requested by the DB inquiry message using the encrypted data (step). 506). If there is no encrypted data,
The DBMS 124 specifies the concealment target item indicated by the search condition of the DB inquiry message and the encryption function identifier 15,
The data access unit 125 is instructed to read the data entry.

The data access unit 125 encrypts the items to be concealed in the data read from the database 126 with an encryption program corresponding to the encryption function identifier 15, and converts the other data items into a normal data format. To output. The DBMS 208 determines the data read from the database according to the search condition of the inquiry message, and searches for a data record that satisfies the search condition while comparing the encrypted data with the search condition for the concealment target item (step 507).

For example, when the inquiry message 115 includes the encrypted inquiry Q4 and the encrypted program fe1 () shown in FIG.
4, a search process is executed without decrypting the encrypted data included in the query Q4, and when the sequence structure 904 is read from the gene sequence table 901 stored in the database 126, the sequence structure is stored in the data access unit 125. The data is output in a form encrypted by the function fe1 (), and a record that matches the array structure indicated by the search condition = “$ 2aSzE” is searched.

The DBMS 208 generates a response message including the search result (step 508), and sends the response message to the data relay server 100-1 or 100-2, which is the transmission source of the inquiry message 115 (step 509). Then, the inquiry processing ends. The response message generated by the DBMS 124 is shown in FIG.
As shown by, the data is transferred to the data relay server via the network interface 120 to the network.

The response message may be generated in such a manner that the unencrypted data items among the data items included in the search result are automatically encrypted by the DBMS 124. Further, in the embodiment, the search condition and the encryption program are transmitted simultaneously by the inquiry message 115, but only the search condition and the function identifier applied to the encryption are transmitted in the inquiry message 115, and the DB server 119 side transmits the function It is checked whether or not the encryption program corresponding to the identifier is already stored. If the necessary encryption program is not stored, the DB server 1
19, the source server 100 of the inquiry message 115
-1 or 100-2 may be requested to transmit the encrypted program.

The data relay server 100-1 processes the response message (search result) received via the network interface 112 in the search result processing unit 111. FIG. 12 shows a search result processing routine 701 executed by the search result processing unit 111.

The search result processing unit 111 refers to the transfer message management table based on the client ID included in the received response message, and determines whether or not the response message is a response to the inquiry requested from another cooperative server. A determination is made (step 702). If the received response message is a response message to the inquiry requested by another cooperative server, the response message is transferred to the address of the data relay server specified by the transfer message management table (step 703), and this routine is executed. finish.

When the received response message is a response to the inquiry generated by the data relay server 100-1, based on the client ID included in the received response message, the search management table 114 shown in FIG.
, It is checked whether or not the search result includes an encrypted data item (step 704). If an encrypted data item is included, the encrypted data item is decrypted (step 705).

Next, with reference to the search management table 114, it is checked whether or not the reception response message is a response to the connection inquiry (step 706). If the reception response message is a response to the connection inquiry, the original inquiry content 1142 of the search management table 114
A re-search is executed by applying the search condition before the concatenation conversion indicated by (1), and a correct search result for the query issued from each client computer is generated (step 710). Thereafter, a response message addressed to the requesting client computer included in the re-search result is created (step 712), and the response message is transmitted to the network 21 via the network interface 101 (step 713).

If the received response message is not a response to the connection inquiry, it is checked whether the received response message is a response to the distribution inquiry (step 707). If the reception response message is a response to the distribution inquiry, it is checked whether all the responses (search results) to the distribution inquiry are completed (step 70).
8) If all answers have been collected, step 710
The original query content 1142 of the search management table 114
The search is executed again by applying the search condition before the distribution conversion indicated by. If all the answers to the distribution query are not prepared, the search result is stored in the temporary storage area of the distribution query search result prepared on the work memory (step 709),
This routine ends. The check performed in step 708 is performed with reference to the temporary storage area of the distribution query search result.

If the decision result in the step 707 is NO,
This means that the search result is a response to the query for which the conversion process by the query conversion unit 107 has not been performed. In this case, it is checked whether the encryption function applied to the search condition of the query is for 1: 1 conversion (step 711).

If the encryption function is not for one-to-one conversion, it means that two or more data having different values become the same value data by encryption. The obtained search result is a larger solution set than the search result obtained under the search condition without encryption. In this case, the original query content 1142 of the search management table 114 is added to the search result notified from the DB server.
A re-search is executed by applying the pre-encryption search condition indicated by (1) (step 710), and a correct search result for the query issued from the client computer is generated.

If the encryption function is for 1: 1 conversion, according to the search result notified from the DB server,
A response message addressed to the requesting client computer is created (step 712), and the response message is transmitted to the network 21 (step 713).

As is clear from the above embodiment, according to the present invention, it is possible to provide an information providing service in which confidentiality of confidential conditions included in a user inquiry is highly assured. Further, according to the present invention, the user of each client computer can receive the information providing service while hiding the conditions that he / she wants to protect, and can protect the confidentiality of the user from the malicious DB server administrator. it can.

[0077]

The data relay server according to the present invention can be applied to, for example, an inquiry mediation service method for selectively transferring an inquiry from a user only to an information providing server capable of guaranteeing confidentiality of confidential conditions included in the inquiry. . In addition, the data relay server of the present invention collects, for example, service billing information from a plurality of information providing servers, collects and pays a fee, allocates the billing information to each client, and charges each client. It can also be applied to information services.

[Brief description of the drawings]

FIG. 1 is a diagram showing an example of the overall configuration of a database access system according to the present invention.

FIG. 2 is a block diagram showing a configuration of a data relay server 100-1 shown in FIG.

FIG. 3 shows a client computer 10 (10
A, 10B) is a diagram showing an example of an inquiry message transmitted from the data relay server 100-1 to the data relay server 100-1.

FIG. 4 is a view showing one embodiment of an inquiry message transmitted from the data relay server 100-1 shown in FIG. 1 to the DB server 119;

FIG. 5 is a diagram showing a configuration of a search management table provided in the data relay server 100-1.

FIG. 6 is a query converter 1 of the data relay server 100-1.
7 is a flowchart showing a function of the control unit 07.

FIG. 7 shows an example (A) of the contents of a database provided in the DB server 119, an example (B, C) of two queries Q1 and Q2 for the database, and a query conversion unit 107.
FIG. 9 is a diagram showing an example (D) of a connection query and one example (E, F) of a distribution query generated in FIG.

FIG. 8 is a flowchart showing the function of the encrypted query generation unit of the data relay server 100-1.

FIG. 9 shows an example (A) of the contents of a database, an example (B) of a query Q3 to the database, and a query Q
FIG. 6 is a diagram showing an example (C) of an encrypted query obtained from No. 3;

FIG. 10 is a view for explaining an encryption program generated by an encryption program generation unit 109 of the data relay server 100-1.

FIG. 11 is a flowchart illustrating an example of an inquiry process performed by the DB server 119;

FIG. 12 is a flowchart showing functions of a search result processing unit 111 of the data relay server 100-1.

FIG. 13 is a view for explaining a conventional data search system using an encrypted inquiry.

[Explanation of symbols]

10: client computer, 21, 22, 23: network, 100: data relay server, 101, 112: network interface, 106: query analyzer, 107: query converter, 10
8: encrypted query generation unit, 109: encrypted program generation unit, 100: DB inquiry message generation unit, 111: search result processing unit, 113: search unit, 114: search management table, 119: DB server, 120: network Interface, 124: data management search unit, 129: encryption program server.

 ────────────────────────────────────────────────── ─── Continuing on the front page (72) Inventor Takahiko Shintani 1-280 Higashi Koigakubo, Kokubunji-shi, Tokyo F-term in Central Research Laboratory, Hitachi, Ltd. 5B017 AA07 BA07 CA16 5B075 KK07 ND20 PQ05 QP10 QS20 5B082 GA08 GA11 HA08 5J104 AA01 PA07

Claims (11)

[Claims] A data relay server for accessing a database server via a communication network in accordance with a database inquiry request received from a client computer, for encrypting search condition data included in the inquiry request received from the client computer. A first means, and a second means for generating an inquiry message addressed to the database server including the search condition encrypted by the first means.
Means, third means for transmitting the inquiry message generated by the second means to the communication network, and the encryption searched by the encrypted data matching from the database server via the communication network. Fourth means for receiving data conforming to the search condition as a search result, and generating a response message addressed to the client computer based on the search result received by the fourth means, and transferring the response message to the client which has issued the inquiry request A data relay server comprising: 2. An inquiry request received from the client computer specifies a data item to be answered as a search result, and the inquiry message generated by the second means is a data item to be answered as a search result. 2. The data relay server according to claim 1, further comprising, in addition to the data item specified by the inquiry request from the client computer, a data item corresponding to the encrypted search condition. 3. The data relay server according to claim 1, wherein the inquiry message generated by the second means includes identification information of an encryption program for encrypting the search condition. 4. The data relay server according to claim 1, wherein the inquiry message generated by the second means includes an encryption program for encrypting the search condition. 5. The fifth means has means for re-searching a search result received by the fourth means with a search condition included in an inquiry request received from the client computer, wherein the search result is addressed to the client computer. 3. The response message of claim 2 indicates a result of the re-search.
2. The data relay server according to 1. 6. A sixth means for converting at least two query requests received from different client computers into one concatenated query collectively and supplying said concatenated query to said first means, Means for re-searching, from the search results for the linked query received from the database server, data matching the search condition indicated by the original query issued by each client computer, and sending a response message addressed to each client computer. The data relay server according to claim 1, wherein the data relay server generates the data. 7. A sixth means for converting one inquiry request received from a client computer into at least two distribution queries and supplying the distribution inquiry to the first means, wherein the second means comprises: One of the distribution queries including the search condition encrypted by the first means is converted into a query message addressed to the database server, and the other distribution query is a query message addressed to another data relay server designated in advance. Wherein the fifth means selects the client terminal from a search result for the one distribution query received from the database server and a search result for the other distribution query received from the other data relay server. Re-search for data that matches the search conditions indicated by the original query issued by, and generate a response message addressed to the client terminal. Data relay server according to claim 1 or claim 2, characterized in that. 8. A database server for executing an information search in response to an inquiry message received from a communication network, wherein the database server stores service information and a search condition specified by the inquiry message from the database. A database management system for searching for service information, wherein the database management system, when the inquiry message includes encrypted search condition data, a specific data item included in the search condition read from the database Means for searching for service information that meets the above search conditions by matching between encrypted data, and transmitting a response message including the searched service information to the transmission source of the inquiry message. Having means A database server characterized by the following. 9. The query message includes identification information of an encryption program, and the search means encrypts a specific data item read from the database by the encryption program specified by the identification information. The database server according to claim 8, wherein: 10. Encrypting at least a part of a search condition designated by a client, transmitting an inquiry message including the at least partly encrypted search condition to a server provided with a database, Encrypt a specific data item included in the search condition read from the database, search for service information that matches the search condition by matching between encrypted data, and send the inquiry message from the server to the transmission source of the inquiry message. A method of accessing a database, comprising transmitting service information that meets the above search conditions as a search result. 11. The method according to claim 11, further comprising the step of re-searching the search result received from the server in accordance with a search condition specified by the client at the source of the inquiry message, wherein the search result received from the server includes 11. The database access method according to claim 10, wherein data items corresponding to the retrieved search conditions are included.