JP2002351722A - Rental safe system of data - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a data rental safe system capable of keeping data safely physically and electronically by ciphering data on a user and transmitting it through a computer network. SOLUTION: The system consists of a user computer system which is connected to the network to which computers and portable information terminal are connected to and which is provided with access authentication server, a backup server system including at least an FTP server, a user terminal and a data backup unit connected with the user terminal. The user computer system is provided with a user authentication information reading means, a data ciphering means and a data backup means and performs reading processing of the user authentication information from an information storage medium having the user authentication information and a ciphering key stored thereon, processing for allowing the ciphering means to cipher data by using the ciphering key stored in the information storage medium, processing for authenticating access by transmitting the ciphered data to the backup server system, and processing for storing and keeping the data in the FTP server.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data safe box system for encrypting user data and transmitting and storing the encrypted data via a computer network.

[0002]

2. Description of the Related Art In recent years, personal computers (P
Due to the cost reduction of C), the spread of the Internet and e-mail, and the advancement of hardware and software technologies such as user interfaces, the spread of PCs and workstations is remarkable. Under these circumstances, a data storage service has conventionally been provided in which data storage is entrusted to an external system administrator.

[0003]

Accordingly, problems such as data security have become commonplace, and measures against unauthorized access and the like and secure storage of confidential data are required. Unauthorized access can be broadly classified into two types: those from the outside and those caused by the inside. From the outside, peeping and tampering mainly through the Internet, which is a public network. It is possible that data is leaked from inside due to illegal copying. If no countermeasures are taken against such problems, even if data storage services such as data centers are used, if data is leaked or falsified, serious risks such as management risks Problems can occur. The data stored is
It is necessary to guarantee a security level that even the administrator of the storage system cannot peep without permission, and even internal persons such as companies can not peep unless authorized. There is. Further, a system is required that can easily perform data backup operation.

Accordingly, an object of the present invention is to solve the above-mentioned problems, provide a data safe box system for encrypting user data, transmitting and storing the data via a computer network, and physically storing the data. The idea is to keep it safe electronically. Accordingly, it is an object of the present invention to provide a system capable of preventing unauthorized access, leakage, and falsification, and storing and retrieving data when necessary. Furthermore, it is possible to schedule the date and time and files to be backed up, to be able to decrypt the backed up data at another site, and to give permission to decrypt the data by setting by department or position. Another object is to realize these yesterday with a simple operation.

[0005]

According to the first aspect of the present invention, in order to solve the above problems, an access authentication server and an FTP server are provided connected to a network to which a computer or a portable information terminal is connected. And a user computer system including a user terminal, and a data backup unit connected to the user terminal, wherein the user computer system includes a user authentication device. An information reading unit, a data encryption unit, and a data backup unit, and a process of reading the user authentication information from an information storage medium that stores the user authentication information and the encryption key; Encryption using the encryption key The processing stage is the encrypted data,
The data safe box system is characterized in that the encrypted data is transmitted to a backup server system, and an access authentication process and a process of storing and storing the data in the FTP server are performed.

According to a second aspect of the present invention, in order to solve the above-mentioned problem, in the first aspect of the present invention, the user computer system includes a user authentication information reading unit, a data encryption unit, and an encryption unit. Means,
A backup unit comprising: a data backup unit; and one or more computers such as a personal computer, a workstation, and a server that are connected to the backup unit in a wired or wireless manner. 1 is a data safe box system.

According to a third aspect of the present invention, in order to solve the above problems, the FT included in the backup server system according to the first or second aspect of the present invention is provided.
The P server is provided with a user storage area which is set for each user, and the user storage area includes
3. The data safe box system according to claim 1, wherein a storage area is provided for each predetermined time unit such as week or month.

According to a fourth aspect of the present invention, in order to solve the above problems, in the first to third aspects of the present invention, the information storage medium is an IC card, and the user authentication information reading means is An IC card reader / writer for encrypting and decrypting data stored or temporarily stored as a data file in a user computer system using an encryption key stored in an IC card, A data safe box system according to any one of claims 1 to 3.

According to a fifth aspect of the present invention, in order to solve the above-mentioned problems, in the first to fourth aspects of the present invention, the storage area of the information storage medium has a predetermined number of predetermined areas. A predetermined number of keys can be set for each area provided in advance, and a cryptographic key stored in the storage area includes a shared key that can be shared by a plurality of individuals, and an information storage medium. A different personal key is stored for each user, and decryption is possible when persons having different information storage media have the same shared key in the same area provided in the storage area of each information storage medium. It is a data safe box system according to any one of claims 1 to 4.

In order to solve the above-mentioned problems, in the invention according to claim 6, in the invention according to claims 1 to 5, the user computer system backs up in advance using the data backup means. By setting the date and time and file and storing it in the user computer system, it is possible to automatically encrypt and deposit data,
It is a data safe box system according to any one of claims 1 to 5.

According to a seventh aspect of the present invention, in order to solve the above-mentioned problems, in the first to sixth aspects of the present invention, the information storage medium storing user authentication information and an encryption key is used. By accessing the backup server system from a computer system having user authentication information reading means different from the user computer system, the backup data can be viewed or decrypted. It is a data safe deposit system according to any one of 1 to 6.

[0012] In order to solve the above-mentioned problems, the invention according to claim 8 transmits the encrypted data to the backup server system and transmits the encrypted data to the FTP server. It is a data safe box system characterized by storing and storing.

[0013]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a system configuration diagram showing a basic configuration of a system according to the present invention. FIG.
1, reference numeral 1 denotes a user computer system, 2 denotes a server, and 3 denotes various computer devices. The computer terminal includes a control unit, a storage unit,
An input unit, an output unit, a display unit, and the like are provided. In a typical mode, the apparatus is provided with a function of transmitting and receiving data by connecting to a computer network represented by the Internet, and includes an application program such as a browser, e-mail software, and a word processor, and an operating system (OS). In addition, the computer terminal includes a wireless communication terminal such as a mobile phone equipped with a browser function connectable to the Internet, a portable information terminal, an Internet TV, a game machine, a video conference system, and other network connection functions. Broadly includes equipment such as home appliances equipped.

Reference numeral 4 denotes a backup unit which is connected to a computer network represented by the Internet and is connected to a backup server system. Computer networks include wired communication networks, wireless communication networks, intranets, and LAs.
N and any computer network. Reference numeral 5 denotes a computer network, 6 denotes a backup server system, 7 denotes an FTP server, and 8 denotes an access authentication server.

[0015] As described above, the data safe box system of the present invention is provided so as to be connected to a network to which a computer or a portable information terminal is connected.
A backup server system including at least an FTP server, a user terminal, and a user computer system provided with a data backup unit connected to the user terminal. The backup server system is composed of a system including a WWW server, a database server, and an application server as an example. As described above, the minimum includes the access authentication server and the FTP server. Each of these servers includes a form that is physically provided on the same device, a form that is physically composed of a plurality of devices, or a form that is physically composed of a plurality of devices connected via a network. Various forms are included as long as substantially the same functions are realized.

The server system of the present invention includes storage means, control means, input means, output means, display means and the like as required. CPU, RAM, RO
M and the like, and a control means including an OS and an application program stored in a storage means such as an HDD,
It also has a data transmitting / receiving means, a CRT, etc., receiving means for receiving data from the client computer, transmitting means for transmitting data to the client computer, display means and input means necessary for performing maintenance of the server computer and the database, and the like. It is composed of

The FTP server included in the backup server system is provided with a user storage area set for each user, and can manage data of a plurality of users such as different companies. The data is protected with high security. In addition, the FTP server or the like can be stored more safely by using a RAID system or the like by duplication. The data to be stored and stored is overwritten each time a backup process is performed, a form in which backup data is stored every predetermined period such as daily or weekly, or according to a preset condition such as every predetermined period,
A form that automates the backup process can be adopted. When performing data backup processing using a predetermined time unit such as day, week, month, etc., the user storage area is provided with a storage area for each predetermined time unit, such as day, week, month, etc. .

Next, the user's computer system is provided with data encryption means and data backup means, that is, an application program for performing encryption / decryption and call backup. FIG. 2 is a block diagram showing a basic configuration of the user computer system. In FIG. 2, reference numeral 10 denotes an information storage medium, 11 denotes a user authentication information reading unit, 12 denotes a data encryption unit, and 13 denotes a backup unit. The backup unit 4 includes a control unit, a storage unit, and a data transmission / reception unit 18 for connecting to a computer network represented by the Internet.
As an example, a typical mode is to include an application program for realizing these functions, an operating system (OS), a CPU, and the like.

The application program may be provided in a storage means in the server system, so that a user who accesses the backup server system via the computer network can use the application program by activating the program. As described in the above, by using the information storage medium storing the user authentication information and the encryption key, a computer system having a user authentication information reading unit different from the user computer system can be used as the backup server system. This is particularly convenient in a form in which the user can access and view or decrypt the backed-up data. Also, a service for using the application software stored in the server for a fee or the like, that is, ASP (Application Service Provide)
r) and the like. Or,
Both the user computer system and the backup server system can have application programs.

In the backup server system,
A program for authenticating access from users and an authentication database for managing user authentication information for each user are provided, and referencing the database based on the user authentication information sent from the user computer system for verification Is performed to determine whether access is possible.

Further, the user computer system is provided with user authentication information reading means. The information storage medium that stores the user authentication information and the encryption key read by the user authentication information reading means includes an external storage device, a CD-ROM, an MO, a DVD, a floppy (registered trademark) disk, various memory cards, and an IC card. ,
All other information recording media are included. When an IC card is used as the information storage medium, the user authentication information reading means is an IC card reader / writer, and is stored as a data file in a user computer system using an encryption key stored in the IC card. The encryption / decryption of the encrypted or temporarily stored data is performed.

A user authentication information reading means provided in the user computer system, a data encryption means,
The data backup means may be provided in each computer device. For example, user authentication information reading means for reading an information storage medium such as an IC card includes a device connected to a computer device through a serial terminal, a PCMC device, and the like.
Devices that connect to a notebook computer using an IA card or the like have been developed.

On the other hand, according to another desirable mode, for example, the user computer system includes a user authentication information reading unit, a data encryption unit, an encryption unit, a data backup unit. And a backup unit provided with the means. With one or a plurality of personal computers, workstations, servers, and other computer devices that are wired or wirelessly connected to the backup unit, the user can also use the system from a computer device connected to the company LAN.

When an IC card is used as an information storage medium, it can be used more than 20,000 times in normal use, and has the further advantage of tamper resistance (ability to prevent physical intrusion into the IC card). When an illegal act is performed, it can be immediately disabled. In addition, when writing user authentication information and an encryption key to an IC card, all information can be created using a black box. Since the encryption key is encrypted and written, the possibility of leakage is extremely high. Lower. In the case of user authentication, if the user authentication information and the password are combined with each other, even if the password is leaked, the user authentication information can be obtained.
Use is not possible without a C card.

Next, the encryption key stored in the information storage medium will be described. Various known encryption keys can be used as an encryption key stored and managed by an information storage medium such as an IC card. When sending data and restoring backup / backup data,
The encryption / decryption of the file and the encryption / decryption of the temporarily stored temporary data file in the clipboard are performed using the encryption key read by the user authentication information reading means. An example of the encryption algorithm used here is SXAL / MBAL of Laurel Intelligent Systems Co., Ltd., which has a reputation for being robust and fast. The algorithm was released to the public in December 1993, and was registered as the twelfth algorithm in the world with the International Standards Organization (ISO) via the IPA (Information Processing Promotion Corporation) in October 1995. The big feature is,
The length of data to be processed at one time is variable (DES
And most other algorithms are fixed at 8 bytes), and two types of algorithms, SXAL and MBAL, are combined to realize ultra-high speed and difficult to read.

The encryption strength of the above encryption method is 200
At the time of March 0, the decryption method of the cryptographic algorithm has not been found yet, but before the release, attacks were attempted with the famous differential cryptanalysis and linear cryptanalysis, but even the decryption characteristics were still found. Not. Since the key length of the encryption algorithm is 64 bits, the strength is extremely high, and the real key changes in file units, it is considered that it is almost impossible even if a malicious third party attempts to decrypt the encrypted file. In addition, audio, image files, executable files, and any file type of digital data can be encrypted with no restriction on file size. Since the file size at the time of encryption stores header information such as the date and time of encryption, the operator ID, and the verification value for decryption, it is 25 times smaller than the original size.
Although it increases between 6 bytes and 1279 bytes, it is effective from the viewpoint of management of the encryption date and time and data security.

According to the present invention, a predetermined number of areas are provided in a storage area provided in the information storage medium, and a predetermined number of encryption keys are predetermined for each area. It is possible to set. In the encryption key stored in the storage area, a shared key that can be shared by a plurality of individuals and a personal key that is different for each information storage medium are stored. When the same area has the same shared key in the same area of the storage area of the storage medium, decryption is possible. FIG. 3 is a conceptual diagram showing an example of the concept of setting an encryption key, in which a personal key set for each individual and a shared key that can be set to be shared or not for each department, job title, and the like are set. It can be set using the above-mentioned area. FIG. 4
FIG. 3 is a diagram showing an operation example of setting and managing an encryption key by using this.

Next, the basic processing flow of the system of the present invention will be described. FIGS. 5, 6, and 7 are flowcharts showing an example of the flow of the basic processing of the present invention. 5 and 6 show a process of performing encryption and backup, and FIG. 7 shows a process of decryption. Note that the processing flow shown here is an example, and the present invention is not limited to this.

First, a process of reading the user authentication information from the information storage medium storing the user authentication information and the encryption key will be described. The information storage medium,
Set in the user authentication information reading means (S10
0). The user authentication information reading means reads the user authentication information (personal key) (S101), and temporarily stores the user authentication information (personal key) before transmission (S10).
2). At this point, if the user authentication information is invalid, processing such as disallowing use of the application program can be performed.

Next, in the system of the present invention, backup is performed at predetermined intervals, or a file at a predetermined location is determined to be backed up. The backup process can be automatically performed by setting and storing the settings. In such a case, it is determined whether the automatic backup is set (S103). If the automatic backup is not set, select the backup menu (S10).
4), the backup unit is activated (S105), and settings of files to be backed up are made by operation (S10)
6). Here, it is determined whether or not to save the backup setting made by the user (S107), and if it is selected to save, the automatic backup setting file is stored (S108). If not, go to the next step,
The backup unit is activated (S109).

If the automatic backup is set in S103, the backup means is started (S110), and the backup means reads the automatic backup settings (date and time, file, etc.) (S1).
11).

Next, using the encryption key stored in the information storage medium, the encryption means performs a process of encrypting data. The encryption means is activated (S112),
Referring to the encryption key stored in the information storage medium (S1)
13) A process for encrypting the data file to be backed up using the encryption key is performed (S114).

Next, the process of transmitting the encrypted data to the backup server system and performing the access authentication process and the process of storing and storing the data in the FTP server will be described. The server is connected to a computer network represented by the Internet (S115), and accesses the backup server system (S116). The process of transmitting data for backup is the process of uploading to the FTP server. From the user computer system, the user authentication information reading means transmits the user authentication information read and temporarily stored (S
117) The access authentication server of the backup server system performs an access authentication process (S1).
18).

If the authentication is performed normally, the data can be backed up. However, since the FTP server can store the data of a plurality of users, the corresponding user storage information can be stored based on the user authentication information. The area is determined (S119). The user storage area is a storage area for storing data for each authenticated user. Next, the encrypted data is transmitted (S12).
0), the encrypted data is received by the backup server system (S121).

Here, the setting conditions and the like when the automatic backup is set or when the setting is performed by a user operation are determined. For example, it is determined whether or not to overwrite and save (S122), or it is also determined whether or not a time-based storage area is set (S123). Even if the storage area in units of time is not set, if it is desired to store backup data divided by time units such as day, week, month, etc., the storage area in unit of time is set in the FTP server here ( S12
4).

The backup is executed according to the above settings (S125). The backup is completed (S12).
6) If access to the backup server system is terminated and automatic backup is not set (S127), the process is terminated as described above (S12).
8).

If the backup has been completed (S127), access to the backup server system has been terminated, and automatic backup has been set such that backup is automatically performed periodically (S128), the user computer The system periodically refers to the backup setting file (S129), and determines whether the automatic backup setting conditions are met (S130).
If the automatic backup setting conditions are met (S130), such as the date and time when the setting for performing the backup has been made (S130), the process returns to S100 and the backup processing is performed. It should be noted that the computer device of the user computer system is not always activated at the date and time of backup, or the information storage medium for user authentication is not always provided. Rather, the information storage medium should not always be provided from the viewpoint of security. Therefore, when the set conditions such as the date and time for backing up data have arrived, the backup unit automatically starts up and displays a notification to perform the backup on the user's computer device, or notifies by voice. Can be performed, and processing such as prompting for user authentication can be performed.

Next, the restoration process of the backed up data will be described with reference to FIG. First, the information storage medium is set in the user authentication information reading means (S2).
00). By the user authentication information reading means,
Read the user authentication information (personal key) (S20
1) Temporarily store user authentication information (personal key) (S202). The user selects a menu for restoring backup data (S203), and the backup means (restoration) is activated (S204).

Next, the user computer system connects to the computer network (S205) and accesses the backup server system (S20).
6). The user authentication information is transmitted (S207), and an access authentication process is performed by the access authentication server (S207).
208). In the case where a shared key that can be shared among a plurality of individuals and a personal key that is different for each information storage medium are stored in the encryption key stored in the storage area as described in claim 5, For example, it is determined whether or not the decryption is permitted according to the level of each department or post.

The data to be restored is determined / selected based on the user authentication information in the user storage area where the data to be restored is located (S209), and then the data file to be restored is selected by the user (S209). S210). When the user makes a selection and instructs to execute data restoration, data to be restored is received by the user computer system via the computer network (S211). The encryption means (decryption) is activated (S21
2), refer to the encryption key stored in the information storage medium (S2
13), the data is decrypted by using the encryption key (S214).

[0041]

As described above in detail, according to the present invention, it is possible to provide a data safe box system for encrypting user data and transmitting and storing the encrypted data via a computer network. With the system of the present invention, data can be safely stored both physically and electronically. Since the data is encrypted, unauthorized access, leakage, and tampering can be prevented, and data cannot be decrypted even at a site that manages the data. It can be operated for a further 24 hours and can be stored and retrieved when needed. Further, according to the present invention, it is possible to schedule the date and time to be backed up and files, and the stored data can be further backed up and the history can be managed. If you use automatic backup,
It becomes possible to automatically encrypt, deposit, and retrieve data. Also, using the same encryption key stored in the information storage medium, the backed up data can be decrypted at another location,
Alternatively, it is possible to give permission to decrypt data after setting by department or position.

[Brief description of the drawings]

FIG. 1 is a system configuration diagram showing a basic configuration of a system according to the present invention.

FIG. 2 is a block diagram illustrating a basic configuration of a user computer system.

FIG. 3 is a conceptual diagram showing an example of a concept of setting an encryption key.

FIG. 4 is a diagram illustrating an operation example of setting and managing an encryption key.

FIG. 5 is a flowchart showing an example of the flow of a basic process of the present invention, showing a process of performing encryption and backup.

FIG. 6 is a flowchart illustrating an example of the flow of a basic process of the present invention, illustrating a process of performing encryption and backup.

FIG. 7 is a flowchart illustrating an example of the flow of a basic process according to the present invention, illustrating a process of decoding.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 User computer system 2 Server 3 Various computer devices 4 Backup unit 5 Computer network 6 Backup server system 7 FTP server 8 Access authentication server 10 Information storage medium 11 User authentication information reading means 12 Data encryption means 13 Backup means 14 Input means 15 Display means 16 control means 17 storage means 18 data transmission / reception means

──────────────────────────────────────────────────続 き Continued on the front page (51) Int.Cl. ⁷ Identification symbol FI Theme coat ゛ (Reference) G06F 12/16 310 G06F 12/16 310M 5J104 15/00 310 15/00 310A 5K030 17/60 132 17/60 132 342 342 510 510 512 512 G06K 17/00 G06K 17/00 L G09C 1/00 660 G09C 1/00 660D H04L 9/32 H04L 12/22 12/22 9/00 675D F-term (reference) 5B017 AA03 BA05 BA07 CA16 5B018 GA04 HA03 MA24 5B058 CA01 KA02 KA04 KA08 KA31 KA35 YA20 5B082 DE06 GA11 HA08 5B085 AC18 AE12 AE13 AE23 AE29 BG07 5J104 AA01 AA07 KA01 MA01 NA02 PA07 5K030 GA15 HA08 HC01 KA01 LD08

Claims (8)

[Claims] 1. A backup server system including at least an access authentication server and an FTP server, which is provided to be connected to a network to which a computer or a portable information terminal is connected, a user terminal, and a connection to the user terminal. A system comprising a user computer system provided with a data backup unit, wherein the user computer system includes a user authentication information reading unit, a data encryption unit, and a data backup unit. From an information storage medium storing information and an encryption key,
A process of reading the user authentication information, a process of encrypting the data by the encryption means using an encryption key stored in the information storage medium, and transmitting the encrypted data to a backup server system And performing an access authentication process and a process of storing and storing the data in the FTP server. 2. The backup system according to claim 1, wherein the user computer system includes a user authentication information reading unit, a data encryption unit, an encryption unit, and a data backup unit. The data safe box system according to claim 1, further comprising one or more personal computers, workstations, servers, and the like connected to the backup unit by wire or wirelessly. 3. The method according to claim 1, wherein
The FTP server provided in the backup server system has a user storage area set for each user, and the user storage area has a day, week,
3. The data safe box system according to claim 1, wherein a storage area is provided for each predetermined time unit such as a month. 4. The information storage medium according to claim 1, wherein said information storage medium is an IC card, and said user authentication information reading means is an IC card reader / writer, said information storage medium being stored in said IC card. The data safe box system according to any one of claims 1 to 3, wherein data stored or temporarily stored as a data file in the user computer system is encrypted / decrypted using the encryption key. . 5. A storage area of the information storage medium according to claim 1, wherein a predetermined number of areas are provided, and a predetermined number of keys are set for each area. It is possible to
In the encryption key stored in the storage area, a shared key that can be shared by a plurality of individuals and a personal key that is different for each information storage medium are stored. The data safe box system according to any one of claims 1 to 4, wherein decryption is possible when the same shared key is held in the same area provided in the storage area of the storage medium. 6. The user computer system according to claim 1, wherein a date and time and a file to be backed up are set in advance and stored in the user computer system using the data backup means. The data safe box system according to any one of claims 1 to 5, wherein data can be automatically encrypted and deposited. 7. The user authentication information reading means according to claim 1, wherein the information storage medium storing the user authentication information and the encryption key is used, which is different from the user computer system. The backup server system can be accessed from a computer system including a computer to browse or decrypt the backed-up data.
Data safe box system according to any of the above. 8. A data safe box system according to claim 1, wherein the encrypted data is transmitted to a backup server system and stored and stored in an FTP server.