JP2003244124A - Security management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a security management system easy to operate with sufficient security when a file is transmitted or received through a network. <P>SOLUTION: The security management system having a client terminal includes an install ID reception means, a hardware ID forming means, a client- side disclosed key forming means, a client-side secret key forming means, a client key transmitting means, a certification means for receiving an input of a user ID and the like, a client terminal personal key forming means, a user ID transmitting means for ciphering the user ID and a password and transmitting them, an ID-at-certification transmitting means for making the certification, a transmission key deciphering means, a file ciphering key forming means, a client terminal file ciphered key ciphering means, a file transmitting means for transmitting the file ciphered key and the file, a file ciphered key deciphering means, and a file deciphering means. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a security management system for transmitting information secretly from a third party other than a user on a network. Furthermore, the present invention relates to a security management system that enables a server managed by a third party to store files, programs, etc., and perform reading / writing while keeping information confidential from the third party.

[0002]

2. Description of the Related Art With the development of broadband network technology, it is possible to access computers in remote areas at the same speed as local networks. Therefore, in order to reduce the user's computer management burden, various databases, programs, and files (hereinafter collectively referred to as files) are stored on the server so that each user can use them via the network. The application service provider (ASP), the SSP (storage service provider), etc. that manages files such as backups on behalf of each user by storing the files that each user wants to save in the server via the network. There is a new service.

[0003]

[Problems to be Solved by the Invention] However, ASP, SSP
In the above services, there are anxieties about network security and restrictions on use necessary for avoiding them, and their spread to the general public is delayed at present.

That is, since security is not sufficiently secured on the network for convenience, a file is stored between the server storing the file and the computer terminal used by the user (hereinafter referred to as a client terminal). When sending and receiving information such as, etc., be aware of security vulnerabilities, or secure individual security (eg authentication by ID, password etc.) with each server There is nothing.

Therefore, it is reluctant to send and receive information such as important files via the network. Although there are security technologies for ensuring security, specialized knowledge is indispensable and cannot be easily used by individuals.

[0006]

In view of the above-mentioned problems, the present invention has invented a security management system which can be easily maintained by anyone while ensuring sufficient network security.

The inventions according to claims 1 to 3 are a client terminal, an authentication server, and a service server when a management key (described later) is not used, and by using these, data can be transmitted via a network. It becomes possible to sufficiently secure security when transmitting / receiving and storing files on the service server.

The inventions of claims 4 to 6 are cases in which the management key is not used, and a communication key is further created in the client terminal. As a result, it is not necessary to create a communication key in the authentication server, and it is possible to ensure sufficient security even when the authentication server and the service server have different operating entities.

The inventions according to claims 7 to 9 are a client terminal, an authentication server, and a service server when the management key is managed by the authentication server. When sending and receiving data and saving files on the service server,
It is possible to ensure sufficient security. Further, unlike the cases of claims 1 to 3, it becomes possible to improve maintainability by using the management key.

The invention described in claims 10 to 12 is a case where the management key is managed by the authentication server and a communication key is further created by the client terminal. As a result, it is not necessary to create a communication key in the authentication server, and it is possible to ensure sufficient security even when the authentication server and the service server have different operating entities. Furthermore, unlike the cases of claims 4 to 6, the maintainability can be improved by using the management key.

The thirteenth to fifteenth aspects of the present invention are a client terminal, an authentication server, and a service server in the case of managing the management key at the client terminal. It becomes possible to sufficiently secure security when transmitting / receiving data and storing files on the service server. Further, the maintainability can be further improved by using the management key in the client terminal, as compared with the cases of claims 1 to 3 and claims 7 to 9.

The invention described in claims 16 to 18 is a case where the management key is managed in the client terminal, and a communication key is further created in the client terminal. As a result, it is not necessary to create a communication key in the authentication server, and it is possible to ensure sufficient security even when the authentication server and the service server have different operating entities. Further, unlike the cases of claims 4 to 6 and claims 10 to 12,
By using the management key in the client terminal, the maintainability can be further improved.

Furthermore, since the present invention can be used as middleware on a computer, conventionally, when accessing a service server, authentication or the like must be performed each time, and a delay in processing time or the like occurs. Although invited, according to the present invention, if authentication is performed by the authentication server at the first time of network access of the client terminal (preferably when the client terminal is started), authentication is performed every time the client terminal is subsequently started. It is not necessary to perform it, and efficient processing can be performed.

As a matter of course, the authentication server and the service server are only logically distinguished and may be physically the same. Further, the management key, the authentication server public key, the authentication server secret key, the service server public key, and the service server secret key have been previously assigned to each.

[0015]

1 to 3 show examples of system configuration diagrams of an embodiment of a security management system 1 of the present invention. The difference between FIG. 1 and FIG. 3 lies in the usage of the management key. In FIG. 1, the management key is not used, in FIG. 2 the management key is managed by the authentication server 2, and in FIG. 4 shows the case of management on the four side. Here, the management key is a key for further encrypting the private key used when the file is encrypted and stored on the service server 3. Since the private key itself can be encrypted by providing the management key, it is possible to prevent the private key from being abused by a third party or the like, or being illegally accessed. Further, in this embodiment, the public key and the secret key mean the public key and the secret key of asymmetric encryption (public key cryptosystem). Asymmetric encryption refers to an encryption method in which a different key is used for encryption and decryption.

In this specification, the case where the file writing from the client terminal 4 to the service server 3 and the file reading from the service server 3 are performed will be described. However, writing / reading of a database, execution of a program, and writing It goes without saying that any of the above can be similarly realized. Therefore, in this specification, the file includes not only a file but also a database, a program and the like.

First, the security management system 1 in the case where the management key is not used, that is, the system configuration of FIG. 1 will be described. The security management system 1 has a service server 3 and an authentication server 2, and can send and receive data to and from a client terminal 4 owned by a user via a network.

The authentication server 2 includes a client key registration means 5, a user ID registration means 6, a communication key creation means 8, a communication key encryption means 9, a matching means 7, a client database 10, a user database 11, and an authentication server key database 12. And have.

At the time of installation, the client key registration means 5 receives from the client terminal 4 the installation ID, the hardware ID, and the client side public key encrypted with the authentication server public key, and pre-assigns them to the authentication server 2. The received installation ID with the authentication server private key stored in the cage authentication server key database 12,
This is means for decrypting the hardware ID and the client-side public key and registering them in the client database 10.

The user ID registration means 6 receives the user ID and the password from the client terminal 4 at the time of installation, and uses the authentication server secret key which is given to the authentication server 2 in advance and stored in the authentication server key database 12. It is a means for decrypting the received user ID and password and registering them in the user database 11.

At the time of authentication, the collating means 7 is a user ID encrypted by the authentication server public key from the client terminal 4,
The password, the hardware ID are received, and the received user ID, password, and hardware ID are stored using the authentication server secret key stored in the authentication server key database 12.
Is a means for decrypting, and collating with the client database 10 and the user database 11 to collate with the legitimate user.

The communication key creating means 8 uses a common key cryptosystem as a communication key for preventing data leakage during data transmission / reception among the authentication server 2, the service server 3, and the client terminal 4 at the time of authentication. It is a means to create. The common key cryptosystem refers to a cryptosystem in which a key used for encryption and a key used for decryption are common.

At the time of authentication, the communication key encryption means 9 encrypts the communication key created by the communication key creation means 8 with the client side public key which is the user's public key stored in the client database 10, It is means for transmitting a communication key encrypted with the client-side public key to the client terminal 4.

The client database 10 receives the installation ID and the hardware I received from the client terminal 4 and decrypted by the client key registration means 5.
D, a database that stores the client-side public key.

The user database 11 is a database that stores a user ID and a password received from the client terminal 4 and decrypted by the user ID registration means 6.

The authentication server key database 12 is a database that stores the authentication server secret key assigned to the authentication server 2 in advance.

The service server 3 includes access right checking means 13, file receiving means 14, file encryption key acquisition means 15, file encryption key encryption means 16, file acquisition means 17, service server file encryption means 18,
It has a file storage means 19. Here, the service server 3 may be any of a file server that provides files and the like to the client terminal 4, a program server that provides programs and the like, a database server that provides data such as a database, and the like.

The access right checking means 13 is means for judging whether or not the user has a right to access the file when writing or reading the file.

The file receiving means 14 receives the file encrypted with the file encryption key from the client terminal 4 together with the file encryption key encrypted with the private key, and stores it in the file storage means 19 when writing the file. Is.

The file encryption key acquisition unit 15 receives a file open request from the client terminal 4 at the time of reading a file, and the access right check unit 13 determines that the user has the file access right. , A means for acquiring the file encryption key encrypted with the user's private key from the file storage means 19.

The file encryption key encryption means 16 uses the communication key created by the authentication server 2 when the file is read, and the file encryption key acquisition means 15 uses the communication key created by the authentication server 2.
9 is a means for encrypting the file encryption key encrypted with the private key acquired from 9 and transmitting it to the client terminal 4.

The file acquisition means 17 is a means for receiving a file read request from the client terminal 4 at the time of reading a file and acquiring a file encrypted with the file encryption key from the file storage means 19.

Service server file encryption means 18
Is a means for further encrypting the file encrypted with the file encryption key acquired by the file acquisition means 17 using the communication key created by the authentication server 2 and transmitting the file to the client terminal 4 when reading the file.

The client terminal 4 has an installation ID
Reception means 20, hardware ID generation means 21, client side public key generation means 22, client side private key generation means 23, client key transmission means 24, user ID
Transmitting means 27, client terminal private key creating means 26,
Authentication means 25, authentication ID transmission means 28, communication key decryption means 29, file encryption key creation means 30, client terminal file encryption key encryption means 31, client terminal file encryption means 32, file transmission means 33, file encryption Key decryption means 34, file decryption means 35,
It has a client terminal key database 68.

The installation ID accepting means 20 is means for accepting an input of an installation ID given in advance and storing it in the client terminal key database 68 when installing on the client terminal 4 in order to use the security management system 1. is there. Installation ID
As an example, there is a number or the like which is given in advance by a manufacturer and recorded on a recording medium (CD-ROM or the like) in which the software of the client terminal 4 part of the security management system 1 is recorded. It is possible to confirm whether the user is a legitimate purchaser or a licensed person for use, and if the installation ID cannot be confirmed, the installation cannot be normally performed on the client terminal 4. Generally, restrictions such as being unusable on the client terminal 4 are added.

The hardware ID creating means 21 is a means for creating a hardware ID for identifying the client terminal 4. The hardware ID is an identifier that enables determination as to whether or not the client terminal 4 has usage authority, and is a BIOS-ID introduced in the hardware, software, etc. of the client terminal 4.
It is preferable to create it from (BIOS identifier), HDD-ID (identifier of hard disk drive), or the like.

The client side public key creating means 22 is a means for creating the public key of the user based on the installation ID, the hardware ID and the like. The client-side public key forms an asymmetric encryption with the client-side private key.

The client side private key creating means 23 is a means for creating the private key of the user based on the installation ID, the hardware ID and the like. The client-side private key forms an asymmetric encryption with the client-side public key. In this embodiment, the client-side public key and the client-side private key are created separately by the client-side public key creating means 22 and the client-side private key creating means 23, but they are created at the same time. Of course it is also good.

At the time of installation, the client key transmitting means 24 uses the authentication server public key to install I
It is a means for encrypting D, the hardware ID, and the client-side public key and transmitting them to the authentication server 2.

The authentication means 25 is means for accepting input of authentication information such as a user ID, which is an identifier for identifying a user, and a password at the time of installation or authentication.

The client terminal private key creating means 26
At the time of installation, the user ID, password, and hardware ID creation means 21 accepted by the authentication means 25
Is a means for creating a personal key based on the hardware ID created by. The private key is a key for encrypting a file stored on the service server 3, and is a key for each owner of the file (for each user ID).

The user ID transmitting means 27 is a means for encrypting the user ID and password with the authentication server public key at the time of installation and transmitting them to the authentication server 2.

At the time of authentication, the ID sending means 28 at the time of authentication makes the user ID, password, and hardware ID created by the hardware ID creating means 21 accepted by the authenticating means 25.
Is encrypted with the authentication server public key and is transmitted to the authentication server 2.

At the time of authentication, the communication key decryption means 29 decrypts the communication key encrypted by the client side public key received from the authentication server 2 with the client side secret key stored in the client terminal key database 68. Is a means to do.

The file encryption key creating means 30 is a means for creating a file encryption key which is a key for saving a user's file on the service server 3 when writing a file.

The client terminal file encryption key encryption means 31 encrypts the file encryption key created by the file encryption key creation means 30 with the private key created by the private key creation means when writing the file, and then decrypts the communication key. Conversion means 2
Reference numeral 9 is a means for further encryption with the decrypted communication key.

Client terminal file encryption means 32
Encrypts the file to be written on the service server 3 at the time of writing the file with the file encryption key created by the file encryption key creating means 30, and then the communication key decrypting means 29.
Is a means for further encrypting with the decrypted communication key.

The file transmitting means 33 is a client terminal file encryption key encryption means 3 when writing a file.
It is a means for transmitting the file key encrypted in 1 and the file encrypted by the client terminal file encryption means 32 to the service server 3.

The file encryption key decryption means 34 decrypts the encrypted file encryption key received from the service server 3 at the time of reading the file with the communication key decrypted by the communication key decryption means 29, and then, Further, it is means for decrypting with the private key created by the private key creating means.

The file decryption means 35 decrypts the encrypted file received from the service server 3 at the time of reading the file with the communication key decrypted by the communication key decryption means 29, and then further the file encryption key. Decoding means 3
Reference numeral 4 is a means for decrypting with the decrypted file encryption key.

[0051]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Next, an example of the process flow of the present invention in the system configuration of FIG. 1 is a flow chart of FIGS. 4 to 7, a conceptual diagram of each process of FIGS. 8 to 11 and a system configuration diagram of FIG. It will be described in detail using and. The processes are roughly classified into four processes, that is, installation, authentication, file writing, and file reading.

At the time of installation, in order to use the security management system 1 in the client terminal 4, the software of the client terminal 4 portion and the like are set to be usable in the client terminal 4.

At the time of authentication, when accessing the service server 3 from the client terminal 4, it is necessary to authenticate whether or not the user (or the client terminal 4) can use the service server 3. Say.

The writing of a file means writing (storing / saving) of a file from the client terminal 4 onto the service server 3, and the reading of a file means a file stored / saved on the service server 3. Is read to the client terminal 4.

First, an example of the process flow at the time of installation will be described with reference to the flowchart of FIG. 4 and the conceptual diagram of FIG.

A user who desires to use the security management system 1 activates the client terminal 4 by a known method, inputs the installation ID into the client terminal 4, and the installation ID acceptance means 20 of the client terminal 4 causes the installation ID to be accepted. Is input and registered in the client terminal key database 68 (S100).

The fact that the input of the installation ID is normally accepted means that the hardware ID creating means 21 has the proper authority to install and use the security management system 1 in the client terminal 4.
A hardware ID unique to the client terminal 4 is created from the BIOS-ID, HDD-ID, etc. of the client terminal 4, and the hardware ID is registered in the client terminal key database 68 (S110).

If the installation ID is not accepted in S100, it can be judged that the user does not have the proper authority. Therefore, it is preferable to prompt the re-input.

After the hardware ID is created in S110, the client-side public key creating means 22 and the client-side secret key creating means 23 use the installation ID, the hardware ID, etc. as the encryption key of the client terminal 4,
A client-side public key and a client-side private key are created (S120). After the creation in S120, the client side public key creating means 22 and the client side private key creating means 23 register the client side public key and the client side private key in the client terminal key database 68.

After the encryption key of the client terminal 4 is created in S120, the client key transmission means 24 receives the installation ID accepted by the installation ID acceptance means 20 and the hardware ID created by the hardware ID creation means 21. The client-side public key is encrypted with the authentication server public key assigned to the authentication server 2 in advance,
Send to the authentication server 2 via the network (S13
0). A conceptual diagram at this time is shown in FIG.

Install I encrypted by the authentication server public key transmitted from the client terminal 4 in S130
The client key registration means 5 of the authentication server 2 decrypts D, the hardware ID, and the client-side public key with the authentication server secret key previously assigned to the authentication server 2,
Register in the client database 10 (S14)
0).

After transmitting the client side public key and the like to the authentication server 2 in S130, the authentication means 25 accepts the input of authentication information such as the user ID and password of the user from the user (S150). After the authenticating means 25 accepts the input of the authentication information in S150, the client terminal private key creating means 26 creates a private key from the user ID, password and hardware ID and registers it in the client terminal key database 68 (S160). .

After the client terminal private key creating means 26 creates a private key, the user ID transmitting means 27 causes the authenticating means 2 to operate.
The user ID and password accepted by the server 5 are encrypted with the authentication server public key and transmitted to the authentication server 2 (S17).
0). A conceptual diagram in this case is shown in FIG. S160
And S170 may be in any order.

User I encrypted with the authentication server public key transmitted from the client terminal 4 in S170
The user ID registration means 6 of the authentication server 2 decrypts D and the password with the authentication server secret key and registers them in the user database 11 (S180). A conceptual diagram in this case is shown in FIG. Through the above process, the process at the time of installation can be performed.

Next, an example of the flow of the process at the time of authentication will be described with reference to the flowchart of FIG. 5 and the conceptual diagram of FIG.

The user inputs the user ID and password input in S150 (S200), and the authentication means 2
The user ID and password in which 5 is input are accepted.
The user ID and password accepted in S200 and the hardware ID registered in the client terminal key database 68 are encrypted by the authentication time ID transmitting means 28 with the authentication server public key and transmitted to the authentication server 2 (S2).
10). A conceptual diagram at this time is shown in FIG. At this time, the hardware ID is also transmitted together with the user ID and the password. This is to confirm whether the operation is performed from the legitimate client terminal 4 and to improve the security. Therefore, only the user ID and password may be encrypted and transmitted to the authentication server 2 without transmitting the hardware ID.

User I encrypted by the authentication server public key transmitted from the client terminal 4 in S210
The collating means 7 of the authentication server 2 receives the D, the password and the hardware ID, and the collating means 7 decrypts them with the secret key of the authentication server and collates them with the client database 10 and the user database 11 so that the legitimate user is authorized. It is checked whether the operation is being performed from the client terminal 4 (S220).

If the collation is not confirmed in S220, the user is prompted to re-input, and if the collation is confirmed, the communication key used for communication between the client terminal 4 and the service server 3 is set as the communication key. Created by the creating means 8. Also, the communication key is registered in the authentication server key database 12.

The communication key encryption means 9 encrypts the created communication key with the client-side public key registered in the client database 10, and sends the encrypted communication key to the client terminal 4 (S230). A conceptual diagram at this time is shown in FIG. Further, at this time, the authentication server 2 transmits the communication key to the service server 3. At the time of this transmission, the communication key may be encrypted and transmitted.

The communication key decryption means 29 of the client terminal 4 receives the communication key transmitted in S230, and the communication key decryption means 29 receives the client terminal key database 6
The communication key is decrypted with the client-side private key stored in S8 (S240). A conceptual diagram at this time is shown in FIG. By performing the above process, the process at the time of authentication can be performed.

Next, an example of the process flow when writing a file will be described with reference to the flowchart of FIG. 6 and the conceptual diagram of FIG.

When the user writes a file on the service server 3 in the client terminal 4, the file encryption key creating means 30 creates a file encryption key, and the created file encryption key is used as the client terminal file encryption key. The encrypting means 31 encrypts with the private key registered in the client terminal key database 68, and at the time of authentication, S
Encryption is performed using the communication key decrypted in 240 (S30
0). That is, the file encryption key is doubly encrypted with the personal key and the communication key. At this time, the file encryption key creating means 30 preferably registers the file encryption key in the client terminal key database 68.

After completion of S300, the client terminal 4 is requested to open a file open request for a file to be written by using a known OS (operation software) function.
To the service server 3 (S310).

The access right checking means 13 of the service server 3 which has received the file open request in S310,
The user's access authority to the file in the file storage means 19 is checked (S320), and if the user is not authorized, the client terminal 4 is notified of that fact.

After the client terminal 4 sends a file open request to the service server 3, the file encryption means encrypts the file to be written with the file encryption key created in S300, and the communication key decrypted in S240 at the time of authentication. To encrypt (S330). That is, the file to be written is doubly encrypted with the file encryption key and the communication key.

After encrypting the file encryption key and the file in the client terminal 4, the file transmission means 33 transmits the communication key and the private key or the file encryption key and the file encrypted with the file encryption key to the service server 3. Do (S
340). A conceptual diagram at this time is shown in FIG.

File receiving means 14 of the service server 3
Receives the encrypted file encryption key and the file from the client terminal 4, and the file receiving means 14 acquires the communication key stored in the authentication server key database 12 of the authentication server 2 and stores the communication key. It is used to decrypt the file encryption key encrypted with the private key and the communication key, and the file encrypted with the file encryption key and the communication key. After the decryption, the file receiving means 14 registers and saves it in the file storing means 19 (S350). Figure 1 shows a conceptual diagram of this case.
It is shown in 0 (b). Therefore, in the file storage means 19, the file encryption key encrypted with the private key and the file encrypted with the file encryption key are registered. Through the above process, the process at the time of writing the file can be performed.

Next, an example of the process flow at the time of reading a file will be described in detail with reference to the flowchart of FIG. 7 and the conceptual diagram of FIG.

A user who reads a file from the service server 3 sends a file open request for a file to be read from the client terminal 4 to the service server 3 using a known OS function (S400).

Upon receipt of the file open request, the access right checking means 13 of the service server 3 checks the user's access authority to the file in the file storage means 19 (S410). Notify the terminal 4.

After the access authority check in S410, if the user has the access authority, the file encryption key acquisition means 15 acquires the file encryption key encrypted with the private key from the file storage means 19 ( S42
0).

The file encryption key encryption means 16 encrypts the file encryption key encrypted with the private key obtained in S420 with the communication key and sends it to the client terminal 4 (S430). A conceptual diagram at this time is shown in FIG.

The file encryption key decrypting means 34 of the client terminal 4 decrypts the file encryption key encrypted by the communication key and the private key received from the service server 3 in S430 in S240 at the time of authentication. Decryption using the communication key, and the client terminal key database 68
It is decrypted with the private key registered in (S440).

After the file encryption key is decrypted, the file read request for the file to be read is transmitted from the client terminal 4 to the service server 3 by using the known OS function (S450).

Upon receiving the file read request, the file acquisition means 17 of the service server 3 acquires the file encrypted by the file encryption key from the file storage means 19 (S460). The service server file encryption means 18 encrypts the file encrypted with the obtained file encryption key with the communication key and sends it to the client terminal 4 (S470). A conceptual diagram at this time is shown in FIG.
Shown in.

Upon receiving the file encrypted with the communication key and the file encryption key, the file decryption means 35 of the client terminal 4 decrypts using the communication key decrypted in S240 at the time of authentication, and further decrypts in S440. The file is decrypted with the file encryption key (S480). A conceptual diagram at this time is shown in FIG. Through the above process, the process at the time of reading the file can be performed.

At the time of authentication in FIGS. 5 and 9,
The communication key may be created in the client terminal 4 instead of the authentication server 2. An example of the system configuration in this case is shown in FIG. Although FIG. 2 is suitable when the authentication server 2 and the service server 3 are realized by the same subject, there are reasons such as different subjects or reduction of the load on the authentication server 2. In some cases, it may be created by the client terminal 4.

In FIG. 24, the communication key created by the client terminal 4 is directly transmitted to the service server 3.

An example of the process flow at the time of authentication using this method will be described in detail with reference to the flowchart of FIG. 25 and the conceptual diagram of FIG.

The user inputs the user ID and password input in S150 (S1100), and the authentication means 25 accepts the input user ID and password. The user ID and password accepted in S1100 and the hardware ID registered in the client terminal key database 68 are encrypted by the authentication time ID transmitting means 28 with the authentication server public key and transmitted to the authentication server 2 (S1110). ). A conceptual diagram at this time is shown in FIG. At this time, the hardware ID is also transmitted together with the user ID and the password, in order to confirm whether the operation is performed from the legitimate client terminal 4,
This is to improve security. Therefore, only the user ID and password may be encrypted and transmitted to the authentication server 2 without transmitting the hardware ID.

The collating means 7 receives the user ID, password, and hardware ID encrypted by the authentication server public key transmitted from the client terminal 4 in S1110, and the collating means 7 uses the authentication server secret key. Decrypt and client database 10 and user database 11
By collating with, it is collated whether the legitimate user is operating from the legitimate client terminal 4 (S
1120).

If the collation is not confirmed in S1120, the user is prompted to re-input, and if the collation is confirmed, the communication key used for communication between the client terminal 4 and the service server 3 is set to the client. The client terminal communication key creating means 66 of the terminal 4 creates it (S113).
0). Also, the communication key is registered in the client terminal key database 68.

The client terminal communication key encryption means 67 encrypts the created communication key with the service server public key,
The encrypted communication key is transmitted to the service server 3 (S1
140). A conceptual diagram at this time is shown in FIG. The service server public key is a public key given to the service server 3 in advance when transmitting / receiving data to / from the service server 3 via a network, and corresponds to the service server secret key of the service server 3. .

The service server communication key decrypting means 65 of the service server 3 uses the communication key transmitted in S1140.
Is received, and the communication key is decrypted with the service server secret key (S1150). A conceptual diagram at this time is shown in FIG. Through the above process, the communication key can be transmitted and received between the client terminal 4 and the service server 3, and the process at the time of authentication can be performed. When the process flow at the time of authentication shown in FIG. 25 is performed, the communication key is directly registered in the service server 3 and the encryption / decryption process is performed.

[0095]

[Embodiment 2] Next, FIG. 2 shows an example of a system configuration in the case where a management key, which is another embodiment of the security management system 1, is managed by the authentication server 2. The same parts as those in the first embodiment will be omitted for simplification. In the second embodiment, the case where the management key is given to the authentication server 2 and the service server 3 in advance will be described.

The authentication server 2 includes a client key registration means 5, an authentication server management user ID registration means 36, a personal key registration means 37, a communication key creation means 8 and a communication key encryption means 9.
Authentication server management time collating means 38, client database 10, authentication server management user database 39
And an authentication server key database 12.

The private key registration means 37 decrypts the private key received from the client terminal 4 and encrypted with the authentication server public key with the authentication server private key, and further with the management key given in advance, This is a means for registering a private key in the user database 39 when managing the authentication server.

User ID registration means 36 when managing the authentication server
Receives the user ID and password encrypted with the authentication server public key from the client terminal 4, decrypts them with the authentication server secret key, and registers the decrypted user ID and password in the authentication server management user database 39. Is a means to do.

The authentication server management time collating means 38 receives the user ID, the password, and the hardware ID encrypted with the authentication server public key from the client terminal 4, decrypts them with the authentication server secret key, and decrypts them. It is a means for collating the ID, the password, and the hardware ID with the client database 10 and the user database 39 for managing the authentication server, and collating with the authorized user.

Authentication server management user database 39
Is a database that stores the user ID and password received from the client terminal 4 and decrypted by the user ID registration means 6, and the private key received by the private key registration means 37 and encrypted by the management key.

The service server 3 has access right check means 13, private key acquisition means 40, and private key decryption means 4.
1, service server file encryption key creation means 42, service server file encryption key encryption means 43, authentication server management time file decryption means 44, authentication server management time service server file encryption means 45, service server file encryption key registration means 46, file storage means 19, private key decryption means 47 for reading, file encryption key acquisition means 1
5, authentication server management file encryption key encryption means 48,
It has a file acquisition means 17 and a service server file encryption means 18. Here, the service server 3 is either a file server that provides files or the like to the client terminal 4, a program server that provides programs or the like, or a database server that provides data such as a database, as in the first embodiment. Is also good.

The private key acquisition means 40 is a file owner (user) encrypted with a management key when writing a file.
Is a means for acquiring the private key of the above from the user database 39 at the time of managing the authentication server of the authentication server 2.

The private key decryption means 41 is means for decrypting the private key encrypted with the management key acquired by the private key acquisition means 40 with the management key when writing the file.

Service server file encryption key creating means 4
2 is a means for creating a file encryption key for encrypting a user's file stored on the service server 3.

The service server file encryption key encryption means 43 encrypts the file encryption key created by the service server file encryption key creation means 42 with the private key decrypted by the private key decryption means 41 when writing the file. Is a means to do.

Authentication server management time file decryption means 44
Is a means for receiving a file encrypted with the communication key from the client terminal 4 when writing the file, and decrypting the received file with the communication key.

The authentication server management service server file encryption means 45 encrypts the file decrypted by the authentication server management time file decryption means 44 with the file encryption key created by the file encryption key creation means 30 when writing the file. It is a means to turn into.

Service server file encryption key registration means 4
A file storage unit 6 stores the file encrypted by the authentication server management service server file encryption unit 45 and the file encryption key encrypted by the private key by the service server file encryption key encryption unit 43 when writing the file. It is a means to register and save in.

The read personal key decryption means 47 receives the file open request from the client terminal 4 at the time of reading the file and stores the personal key of the user of the file owner in the authentication server management user database 39 of the authentication server 2. It is a means for decrypting with the management key.

At the time of managing the authentication server, the file encryption key encrypting means 48 encrypts the file encryption key encrypted by the private key acquired by the file encryption key acquiring means 15 and the private key with the communication key, and the client. It is a means for transmitting to the terminal 4.

The client terminal 4 has an installation ID
Reception means 20, hardware ID generation means 21, client side public key generation means 22, client side private key generation means 23, client key transmission means 24, user ID
-Private key transmission means 49, client terminal private key creation means 26, authentication means 25, authentication ID transmission means 28, communication key decryption means 29, authentication server management client terminal file encryption means 50, authentication server management file It has a transmitting means 51, an authentication server management file encryption key decrypting means 52, a file decrypting means 35, and a client terminal key database 68.

At the time of installation, the user ID-individual key transmitting means 49 encrypts the user ID and password and the individual key created by the client terminal individual key creating means 26 with the authentication server public key, and sends them to the authentication server 2. It is a means.

The authentication server management client terminal file encryption means 50 is means for encrypting a file stored on the service server 3 with a communication key when writing a file.

Authentication server management time file transmission means 51
Is a means for transmitting the file encrypted by the client terminal file encryption means 50 during the authentication server management to the service server 3 when writing the file.

At the time of reading the file, the authentication server management file encryption key decryption means 52 decrypts the private key and the file encryption key encrypted by the private key using the communication key decrypted at the time of authentication, and further This is means for decrypting the file encryption key with the private key decrypted with the communication key.

Next, an example of the process flow of the present invention in the system configuration of FIG. 2 will be described with reference to the flowcharts of FIGS. 5 and 12 to 14, and the conceptual diagrams and views of the processes of FIGS. 9 and 15 to 17. 2 will be described in detail with reference to FIG. Similar to the first embodiment, the processes are roughly classified into four processes, that is, installation, authentication, file writing, and file reading.

First, the flowchart of FIG. 12 and FIG.
An example of the process flow at the time of installation will be described with reference to the conceptual diagram of FIG.

A user who desires to use the security management system 1 activates the client terminal 4 by a known method, inputs the installation ID into the client terminal 4, and the installation ID acceptance means 20 of the client terminal 4 causes the installation ID acceptance means 20 to install the installation ID. Is input and registered in the client terminal key database 68 (S500).

The fact that the input of the installation ID has been normally accepted means that the hardware ID creating means 21 has the proper authority to install and use the security management system 1 in the client terminal 4.
A hardware ID unique to the client terminal 4 is created from the BIOS-ID, HDD-ID, etc. of the client terminal 4, and the hardware ID is registered in the client terminal key database 68 (S510).

[0120] Further, it can be judged that the user does not have the proper authority that the input of the installation ID is not accepted in S500, so it is preferable to prompt the re-input.

After the hardware ID is created in S510, the client-side public key creating means 22 and the client-side secret key creating means 23 are the encryption key of the client terminal 4 based on the installation ID, the hardware ID, etc.
A client-side public key and a client-side private key are created (S520). After the creation in S520, the client side public key creating means 22 and the client side private key creating means 23 register the client side public key and the client side private key in the client terminal key database 68.

After the encryption key of the client terminal 4 is created in S520, the client key transmission means 24 receives the installation ID accepted by the installation ID acceptance means 20 and the hardware ID created by the hardware ID creation means 21. The client-side public key is encrypted with the authentication server public key assigned to the authentication server 2 in advance,
Send to the authentication server 2 via the network (S53
0). A conceptual diagram at this time is shown in FIG.

Install I encrypted by the authentication server public key transmitted from the client terminal 4 in S530
The client key registration means 5 of the authentication server 2 decrypts D, the hardware ID, and the client-side public key with the authentication server secret key previously assigned to the authentication server 2,
Register in the client database 10 (S54
0).

After transmitting the client side public key or the like to the authentication server 2 in S530, the authentication means 25 accepts the input of the authentication information such as the user ID and password of the user from the user (S550). After the authenticating means 25 accepts the input of the authentication information in S550, the client terminal private key creating means 26 creates a private key from the user ID, the password and the hardware ID and registers it in the client terminal key database 68 (S560). .

After the client terminal private key creating means 26 creates a private key, the user ID-private key transmitting means 49 sends the user ID and password accepted by the authenticating means 25 and the individual created by the client terminal private key creating means 26. The key and the authentication server public key are encrypted and transmitted to the authentication server 2 (S570). A conceptual diagram in this case is shown in FIG. S560 and S570 may be in any order.

User I encrypted with the authentication server public key received from the client terminal 4 in S570.
The user ID registration means 6 of the authentication server 2 decrypts D and the password with the authentication server secret key and registers them in the user database 11 (S580).

Further, the private key registration means 37 decrypts the private key received from the client terminal 4 and encrypted with the authentication server public key with the authentication server private key and further with the management key given in advance. It is registered in the user database 11 (S590). A conceptual diagram in this case is shown in FIG.
Shown in. Through the above process, the process at the time of installation can be performed.

The flow of the process at the time of authentication is the same as that of the first embodiment, and therefore its explanation is omitted.

Next, an example of the process flow at the time of writing a file will be described with reference to the flowchart of FIG. 13 and the conceptual diagram of FIG.

When the user writes a file on the service server 3 at the client terminal 4, the client terminal 4 uses a known OS (operation software) function to issue a file open request for the file to be written. It is transmitted from the client terminal 4 to the service server 3 (S600).

Upon receiving the file open request from the client terminal 4, the access right check means 13 of the service server 3 checks the user's access right to the file in the file storage means 19 (S610).
If the user is not authorized, the client terminal 4
To notify.

If the user is an authorized user, the private key acquisition means 40 acquires the private key of the file owner (user) encrypted with the management key from the authentication server management user database 39 of the authentication server 2. Then, the private key decryption means 41 decrypts the acquired private key with the management key (S62).
0).

The service server file encryption key creating means 42 creates a file encryption key, and the created file encryption key is used by the service server file encryption key encrypting means 4
3 is encrypted with the private key decrypted by the private key decryption means 41 (S630).

The client terminal 4 is the service server 3
After sending the file open request to the service server 3, the file to be written to the service server 3 is encrypted by the authentication server management client terminal file encryption means 50 with the communication key decrypted by the communication key decryption means 29 (S640), and the authentication server The management time file transmission means 51 transmits the file to the service server 3 (S650). A conceptual diagram at this time is shown in FIG.

Upon receiving the file encrypted with the communication key from the client terminal 4 in S650, the authentication server management file decryption means 44 decrypts the received file with the communication key (S660).

The authentication server managing service server file encryption means 45 processes the file decrypted in S660.
The service server file encryption key registration means 46, together with the file encryption key encrypted by the file encryption key created by the service server file encryption key creation means 42 and encrypted by the service server file encryption key encryption means 43, the file storage means 19 Register and save. Therefore, in the file storage means 19, the file encrypted with the file encryption key and the file encryption key encrypted with the private key are registered. The conceptual diagram at this time is shown in FIG.
Shown in. Through the above process, the process at the time of writing the file can be performed.

Next, an example of the process flow at the time of reading a file will be described in detail with reference to the flowchart of FIG. 14 and the conceptual diagram of FIG.

The user who reads a file from the service server 3 sends a file open request for a file to be read from the client terminal 4 to the service server 3 using a known OS function (S700).

Upon reception of the file open request, the reading private key decryption means 47 of the service server 3 acquires the private key of the user of the file owner from the authentication server management user database 39 of the authentication server 2 and uses the management key. Decrypt (S710).

After decrypting the private key with the management key, the access right check means 13 checks the user's access right to the file in the file storage means 19 (S72).
0) If the user is not authorized, the client terminal 4 is notified to that effect.

After the access authority check in S720, if the user has the access authority, the file encryption key acquisition means 15 acquires the file encryption key encrypted with the private key from the file storage means 19 ( S73
0).

The file encryption key encrypted with the private key acquired in S730 and the private key decryption means for reading 4
The private key decrypted by 7 is encrypted by the authentication server management file encryption key encryption means 48 with the communication key and transmitted to the client terminal 4 (S740). Figure 1 shows a conceptual diagram of this case.
7 (a).

The encrypted private key and the file encryption key received from the service server 3 in S740 are
The authentication server management file encryption key decryption unit 52 of the client terminal 4 decrypts the private key and the file encryption key encrypted with the private key using the communication key decrypted in S240 during authentication, and further The encryption key is decrypted with the private key decrypted with the communication key (S750).

After the file encryption key is decrypted, a file read request for the file to be read is transmitted from the client terminal 4 to the service server 3 using the known OS function (S760).

Upon receiving the file read request, the file acquisition means 17 of the service server 3 acquires the file encrypted with the file encryption key from the file storage means 19 (S770). The file encrypted by the file encryption key is transferred to the service server file encryption means 18
, Which is encrypted with the communication key and transmitted to the client terminal 4 (S780). A conceptual diagram at this time is shown in FIG.

Upon receiving the file encrypted with the communication key and the file encryption key, the file decryption means 35 of the client terminal 4 decrypts using the communication key decrypted in S240 at the time of authentication, and further decrypts in S750. The file is decrypted with the file encryption key (S790). A conceptual diagram at this time is shown in FIG. Through the above process, the process at the time of reading the file can be performed.

At the time of authentication shown in FIGS. 5 and 9,
The communication key may be created in the client terminal 4 instead of the authentication server 2. FIG. 27 shows an example of the system configuration in this case. Although FIG. 2 is suitable when the authentication server 2 and the service server 3 are realized by the same subject, there are reasons such as different subjects or reduction of the load on the authentication server 2. In some cases, it may be created by the client terminal 4.

In FIG. 27, the communication key created by the client terminal 4 is directly transmitted to the service server 3 and the management key is managed by the authentication server 2 (in the case of the system configuration of FIG. 2).

The flow of the process at the time of authentication when this method is used is the same as that of the first embodiment, and therefore its explanation is omitted.

[0150]

[Third Embodiment] FIG. 3 shows an example of a system configuration in the case where a client terminal 4 manages a management key which is another embodiment of the security management system 1. For the sake of simplification, the same parts as those in the first and second embodiments will not be described. In the third embodiment, the case where the management key is given to the client terminal 4 in advance will be described.

The authentication server 2 includes a client key registration means 5, an encrypted personal key registration means 53, a communication key creation means 8, a communication key encryption means 9 and a client terminal management collation means 5.
4, a client database 10, a client terminal management user database 55, and an authentication server key database 12.

The encrypted private key registration means 53 is installed by the user I encrypted from the client terminal 4 at the time of installation.
D, the password, and the private key are received, and the received user ID, password, and private key are decrypted with the private authentication server key that is pre-assigned to the authentication server 2 and stored in the authentication server key database 12. This is means for registering in the user database 55 when managing the client terminal.

The client terminal management collation means 54 is
User I that has received the user ID, the password, and the hardware ID encrypted with the authentication server public key from the client terminal 4, decrypts them with the authentication server private key, and decrypts them.
It is a means for collating the D, the password and the hardware ID with the client database 10 and the client terminal management user database 55 to collate with each other to determine whether the user is an authorized user.

The client terminal management user database 55 is a database that stores the user ID, password, and private key encrypted with the management key received from the client terminal 4 and decrypted by the user ID registration means 6. is there.

The service server 3 includes the access right check means 13, the encrypted personal key encryption means 56, the client terminal management time file reception means 57, the client terminal management time private key acquisition means 58, and the file encryption key acquisition means 1.
5, a client terminal management file encryption key encryption unit 59, a file acquisition unit 17, a service server file encryption unit 18, and a file storage unit 19. Here, the service server 3 is a file server that provides files and the like to the client terminal 4, a program server that provides programs and the like, and a database server that provides data such as a database, as in the first and second embodiments. Either may be used.

The encryption private key encryption means 56 encrypts the private key encrypted by the management key acquired by the private key acquisition means 58 at the time of client terminal management at the time of writing the file with the communication key, and then the client terminal 4 Is a means to send to.

The client terminal management file receiving means 57 is means for receiving the encrypted file from the client terminal 4 together with the file encryption key and storing it in the file storage means 19 when writing the file.

Private key acquisition means 5 when managing a client terminal
Reference numeral 8 denotes a means for receiving a file open request from the client terminal 4 when writing or reading a file, and acquiring from the authentication server 2 the private key of the user who has issued the file open request and encrypted with the management key. is there.

The client terminal management file encryption key encryption means 59 acquires the file encryption key encrypted by the private key acquired by the file encryption key acquisition means 15 and the client terminal management private key acquisition means 58. This is means for encrypting the personal key encrypted with the management key with the communication key and transmitting the encrypted private key to the client terminal 4.

The client terminal 4 has an installation ID
Reception means 20, hardware ID creation means 21, client side public key creation means 22, client side private key creation means 23, client key transmission means 24, client terminal private key creation means 26, authentication means 25, authentication time ID
Transmission means 28, client terminal private key encryption means 6
0, user ID-encrypted private key transmission means 61, communication key decryption means 29, file encryption key creation means 30, client terminal file encryption key encryption means 31, encrypted private key decryption means 62, client terminal 4 management The client terminal file encryption unit 32, the client terminal 4 management file transmission unit 33, the client terminal management file encryption key decryption unit 63, the client terminal management file decryption unit 64, and the client terminal key database 68. ing.

Client terminal private key encryption means 60
Is a means for encrypting the private key created by the client terminal private key creating means 26 at the time of installation with the management key previously given to the client terminal 4.

User ID-encrypted private key transmission means 61
At the time of installation, the user ID, the password, and the private key encrypted by the client terminal private key encryption means 60 are encrypted with the authentication server public key stored in the client terminal key database 68 and transmitted to the authentication server 2. It is a means.

The encrypted private key decryption means 62 requests the service server 3 to transmit the user's private key when writing the file, and the private key encrypted by the management key received from the service server 3 by this request. Is received, and the private key encrypted with the received management key is decrypted with the management key.

The client terminal management file encryption key decryption means 63 uses the encrypted file encryption key received from the service server 3 when reading the file.
This is means for decrypting with the communication key decrypted by the communication key decrypting means 29, then decrypting with the management key, and further decrypting the file encryption key with the decrypted private key.

The client terminal management file decryption means 64 decrypts the encrypted file received from the service server 3 at the time of reading the file with the communication key decrypted by the communication key decryption means 29, and then Further, it is means for decrypting with the file encryption key decrypted by the file encryption key decryption means 63 during client terminal management.

Next, an example of the process flow of the present invention in the system configuration of FIG. 3 will be described with reference to the flowcharts of FIGS. 5 and 18 to 20, and the conceptual diagrams and views of the processes of FIGS. 9 and 21 to 23. 2 will be described in detail with reference to FIG. Similar to the first and second embodiments, the processes are roughly divided into four processes of installation, authentication, file writing, and file reading.

First, the flowchart of FIG. 18 and FIG.
An example of the process flow at the time of installation will be described with reference to the conceptual diagram of FIG.

A user who desires to use the security management system 1 activates the client terminal 4 by a known method, inputs the installation ID into the client terminal 4, and the installation ID acceptance means 20 of the client terminal 4 causes the installation ID acceptance means 20 to install the installation ID. Is input and registered in the client terminal key database 68 (S800).

The fact that the input of the installation ID is normally accepted means that the hardware ID creating means 21 has the proper authority to install and use the security management system 1 in the client terminal 4.
A hardware ID unique to the client terminal 4 is created from the BIOS-ID, HDD-ID, etc. of the client terminal 4, and the hardware ID is registered in the client terminal key database 68 (S810).

If the installation ID is not accepted in S800, it can be judged that the user does not have the proper authority. Therefore, it is preferable to prompt the re-input.

After the hardware ID is created in S810, the client-side public key creating means 22 and the client-side secret key creating means 23 are the encryption key of the client terminal 4 based on the installation ID, the hardware ID, etc.
A client-side public key and a client-side private key are created (S820). After the creation in S820, the client side public key creating means 22 and the client side private key creating means 23 register the client side public key and the client side private key in the client terminal key database 68.

After the encryption key of the client terminal 4 is created in S820, the client key transmission means 24 receives the installation ID accepted by the installation ID acceptance means 20 and the hardware ID created by the hardware ID creation means 21. The client-side public key is encrypted with the authentication server public key assigned to the authentication server 2 in advance,
Send to the authentication server 2 via the network (S83
0). A conceptual diagram at this time is shown in FIG.

The installation I encrypted by the authentication server public key transmitted from the client terminal 4 in S830
The client key registration means 5 of the authentication server 2 decrypts D, the hardware ID, and the client-side public key with the authentication server secret key previously assigned to the authentication server 2,
Register in the client database 10 (S84
0).

After transmitting the client side public key and the like to the authentication server 2 in S830, the authentication means 25 accepts the input of the authentication information such as the user ID and password of the user from the user (S850). After the authenticating means 25 accepts the input of the authentication information in S850, the client terminal private key creating means 26 creates a private key from the user ID, password and hardware ID, and registers it in the client terminal key database 68.

After the client terminal private key creating means 26 creates a private key, the client terminal private key encrypting means 60
Encrypts the private key with the management key assigned to the client terminal 4 in advance (S860).

After encryption at the client terminal 4, the user I
The D-encrypted private key transmission means 61 encrypts the user ID and password accepted by the authentication means 25 and the private key encrypted by the client terminal private key encryption means 60 with the authentication server public key, and the authentication server 2 To (S87
0). A conceptual diagram in this case is shown in FIG. S86
0 and S870 may be in any order.

User I encrypted with the authentication server public key received from the client terminal 4 in S870.
The encrypted personal key registration means 53 of the authentication server 2 decrypts the D, the password, and the private key encrypted with the management key with the private key of the authentication server and registers them in the client terminal management user database 55 (S880). A conceptual diagram in this case is shown in FIG. Through the above process, the process at the time of installation can be performed.

The flow of the process at the time of authentication is the same as that of the first and second embodiments, and the description thereof will be omitted.

Next, an example of the flow of processes when writing a file will be described with reference to the flowchart of FIG. 19 and the conceptual diagram of FIG.

When the user writes a file on the service server 3 at the client terminal 4, the encrypted private key decryption means 62 sends a request to send the private key of the user to the authentication server 2. (S900).

Upon receiving the private key transmission request from the client terminal 4, the client terminal managing private key acquisition means 58.
Acquires the user's private key encrypted with the management key from the user database 55 when managing the client terminal of the authentication server 2 (S910).

The encrypted private key encryption means 56 encrypts the encrypted private key acquired by the private key acquisition means 40 with the communication key and sends it to the client terminal 4 (S92).
0).

Upon receiving the private key encrypted with the management key from the service server 3, the encrypted private key decryption means 62 decrypts the acquired private key with the management key (S930). A conceptual diagram at this time is shown in FIG.

Thereafter, the file encryption key creating means 30 of the client terminal 4 creates a file encryption key, and the created client terminal file encryption key encrypting means 31 is encrypted by the private key decrypting means 62 in the client terminal. It is encrypted with the decrypted private key, and further encrypted with the communication key decrypted by the communication key decryption means 29 (S940).

A file open request for a file to be written by the client terminal 4 is transmitted from the client terminal 4 to the service server 3 by using a known OS (operation software) function (S950).

Upon receiving the file open request from the client terminal 4, the access right check means 13 of the service server 3 checks the user's access right to the file in the file storage means 19 (S960),
If the user is not authorized, the client terminal 4
To notify.

The client terminal 4 is the service server 3
After the file open request is transmitted to the server, the file to be written to the service server 3 is encrypted by the client terminal file encryption means 32 when managing the client terminal 4 with the file encryption key created by the file encryption key creation means 30 and then further communicated. Encrypt with the key (S970).

When the client terminal 4 is managed, the client terminal file encryption means 32 encrypts the file and the client terminal file encryption key encryption means 31 encrypts the file encryption key. , To the service server 3 (S
980). A conceptual diagram at this time is shown in FIG.

File receiving means 1 that has received the file encrypted with the communication key from the client terminal 4 in S980.
4 registers and stores the received encrypted file and file encryption key in the file storage means 19 (S99).
0). Therefore, in the file storage means 19, the file encrypted with the file encryption key and the file encryption key encrypted with the private key are registered. A conceptual diagram at this time is shown in FIG. Through the above process, the process at the time of writing the file can be performed.

Next, an example of the process flow at the time of reading a file will be described in detail with reference to the flowchart of FIG. 20 and the conceptual diagram of FIG.

A user who reads a file from the service server 3 sends a file open request for a file to be read from the client terminal 4 to the service server 3 by using a known OS function (S100).
0).

[0192] The private key acquisition means 58 at the time of managing the client terminal of the service server 3 which has received the file open request
Acquires the private key encrypted with the management key of the file owner user from the client terminal management user database 55 of the authentication server 2 (S1010).

Private key acquisition means 5 when managing a client terminal
After obtaining the encrypted private key, the access right check unit 13 checks the user's access right to the file in the file storage unit 19 (S102).
0) If the user is not authorized, the client terminal 4 is notified to that effect.

After the access authority check in S1020, if the user has the access authority, the file encryption key acquisition means 15 acquires the file encryption key encrypted with the private key from the file storage means 19 ( S103
0).

The file encryption key encrypted with the private key acquired in S1030 and the encrypted private key acquired by the client terminal management private key acquisition means 58 are used as the client terminal management file encryption key. The encryption unit 59 encrypts the communication key and sends it to the client terminal 4 (S1040). A conceptual diagram at this time is shown in FIG.

[0196] The encrypted private key and file encryption key received from the service server 3 in S1040 are decrypted by the client terminal management file encryption key decryption means 63 of the client terminal 4 in S240 during authentication. The private key and the file encryption key encrypted with the private key are decrypted with the communication key, the decryption is performed with the management key, and the file encryption key is decrypted with the decrypted private key (S105).
0).

After decrypting the file encryption key, a file read request for the file to be read is sent from the client terminal 4 to the service server 3 using the function of the known OS (S1060).

Upon receiving the file read request, the file acquisition means 17 of the service server 3 acquires the file encrypted by the file encryption key from the file storage means 19 (S1070). The file encrypted by the file encryption key is transferred to the service server file encryption means 1
8 encrypts it with the communication key and sends it to the client terminal 4 (S1080). A conceptual diagram at this time is shown in FIG.

The client terminal management-time file decryption means 64 of the client terminal 4, which has received the file encrypted by the communication key and the file encryption key, performs S2 at the time of authentication.
It is decrypted using the communication key decrypted in 40, and further S10
The file is decrypted with the file encryption key decrypted in 50 (S1090). A conceptual diagram at this time is shown in FIG. Through the above process, the process at the time of reading the file can be performed.

At the time of authentication shown in FIGS. 5 and 9,
The communication key may be created in the client terminal 4 instead of the authentication server 2. FIG. 28 shows an example of the system configuration in this case. Although FIG. 2 is suitable when the authentication server 2 and the service server 3 are realized by the same subject, there are reasons such as different subjects or reduction of the load on the authentication server 2. In some cases, it may be created by the client terminal 4.

In FIG. 28, the communication key created by the client terminal 4 is directly transmitted to the service server 3 and the management key is managed by the client terminal 4 (in the case of the system configuration of FIG. 3).

The process flow at the time of authentication when this method is used is the same as that in the first and second embodiments, and the description thereof is omitted.

Each means and database in the present invention are as follows:
The functions are only logically distinct and may physically or virtually form the same area. Needless to say, a data file may be used instead of the database, and the description of the database also includes a data file.

In implementing the present invention, a storage medium recording a software program for realizing the functions of the present embodiment is supplied to the system, and the computer of the system reads and executes the program stored in the storage medium. It will be realized by

In this case, the program itself read from the storage medium realizes the functions of the above-described embodiments, and the storage medium storing the program naturally constitutes the present invention.

As a storage medium for supplying the program, for example, a magnetic disk, a hard disk, an optical disk, a magneto-optical disk, a magnetic tape, a non-volatile memory card or the like can be used.

Further, by executing the program read by the computer, not only the functions of the above-described embodiment are realized, but also based on the instruction of the program,
It goes without saying that this also includes the case where an operating system or the like running on a computer performs a part or all of the actual processing and the processing realizes the functions of the above-described embodiments.

Furthermore, after the program read from the storage medium is written in the nonvolatile or volatile storage means provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the program is then written. Based on the instruction of the above, it is obvious that the case where the arithmetic processing unit or the like provided in the function expansion board or the function expansion unit performs a part or all of the actual processing and the processing realizes the function of the above-described embodiment is included. Is.

[0209]

As described above, according to the present invention, it becomes possible to provide a security management system in which anyone can easily secure the network security. Furthermore, since the present invention can be used as middleware on a computer, conventionally, authentication or the like must be performed each time a service server is accessed, resulting in a delay in processing time. However, according to the present invention, if the authentication is performed by the authentication server at the first time of the network access of the client terminal (preferably when the client terminal 4 is started), the authentication is not performed every time the client terminal is subsequently started. However, it is possible to perform efficient processing.

[Brief description of drawings]

FIG. 1 is a system configuration diagram showing an example of a system configuration when a management key is not used.

FIG. 2 is a system configuration diagram showing an example of a system configuration when a management key is managed by an authentication server.

FIG. 3 is a system configuration diagram showing an example of a system configuration when a management key is managed by a client terminal.

FIG. 4 is a flowchart showing an example of a process flow at the time of installation when a management key is not used.

FIG. 5 is a flowchart showing an example of a process flow at the time of authentication.

FIG. 6 is a flowchart showing an example of a process flow when writing a file when a management key is not used.

FIG. 7 is a flowchart showing an example of a process flow when a file is read when a management key is not used.

FIG. 8 is a conceptual diagram at the time of installation when a management key is not used.

FIG. 9 is a conceptual diagram at the time of authentication.

FIG. 10 is a conceptual diagram at the time of writing a file when a management key is not used.

FIG. 11 is a conceptual diagram at the time of reading a file when a management key is not used.

FIG. 12 is a flowchart showing an example of a process flow at the time of installation when the management key is managed by the authentication server.

FIG. 13 is a flowchart showing an example of a process flow at the time of writing a file when managing the management key by the authentication server.

FIG. 14 is a flowchart showing an example of a process flow at the time of reading a file when a management key is managed by an authentication server.

FIG. 15 is a conceptual diagram at the time of installation when a management key is managed by an authentication server.

FIG. 16 is a conceptual diagram at the time of writing a file when managing a management key by an authentication server.

FIG. 17 is a conceptual diagram at the time of reading a file when a management key is managed by an authentication server.

FIG. 18 is a flowchart showing an example of a process flow at the time of installation when managing a management key with a client terminal.

FIG. 19 is a flowchart showing an example of a process flow at the time of writing a file when managing a management key by a client terminal.

FIG. 20 is a flowchart showing an example of a process flow at the time of reading a file when a management key is managed by a client terminal.

FIG. 21 is a conceptual diagram at the time of installation when a management key is managed by a client terminal.

FIG. 22 is a conceptual diagram at the time of writing a file when a management key is managed by a client terminal.

FIG. 23 is a conceptual diagram at the time of reading a file when a management key is managed by a client terminal.

FIG. 24 is a system configuration diagram showing an example of a system configuration when a communication key is created by a client terminal and a management key is not used.

FIG. 25 is a flowchart showing an example of a process flow at the time of authentication when a communication key is created by a client terminal.

FIG. 26 is a conceptual diagram at the time of authentication when a communication key is created by a client terminal.

FIG. 27 is a system configuration diagram showing an example of a system configuration when a communication key is created by a client terminal and a management key is managed by an authentication server.

FIG. 28 is a system configuration diagram showing an example of a system configuration when a communication key is created by a client terminal and a management key is managed by the client terminal.

[Explanation of symbols]

1: Security management system 2: Authentication server 3: Service server 4: Client terminal 5: Client key registration means 6: User ID registration means 7: Collation means 8: Communication key creation means 9: Communication key encryption means 10: Client database 11: User database 12: Authentication server key database 13: Access right checking means 14: File receiving means 15: File encryption key acquisition means 16: File encryption key encryption means 17: File acquisition means 18: Service server file encryption means 19 : File storage means 20: Installation ID acceptance means 21: Hardware ID creation means 22: Client side public key creation means 23: Client side private key creation means 24: Client key transmission means 25: Authentication means 26: Client terminal private key creation Means 27: Yu The ID transmitting means 28: Authentication ID transmitting means 29: Communication key decrypting means 30: File encryption key creating means 31: Client terminal file encryption key encrypting means 32: Client terminal file encrypting means 33: File transmitting means 34: File encryption key decryption means 35: File decryption means 36: Authentication server management user ID registration means 37: Personal key registration means 38: Authentication server management verification means 39: Authentication server management user database 40: Personal key acquisition means 41: private key decryption means 42: service server file encryption key creation means 43: service server file encryption key encryption means 44: authentication server management file decryption means 45: authentication server management service server file encryption means 46: Service server file encryption key registration means 47: recovery private key recovery Encryption means 48: Authentication server management file encryption key encryption means 49: User ID-personal key transmission means 50: Authentication server management client terminal file encryption means 51: Authentication server management file transmission means 52: Authentication server management File encryption key decryption means 53: encrypted personal key registration means 54: client terminal management collation means 55: client terminal management user database 56: encrypted personal key encryption means 57: client terminal management file reception means 58: Client terminal management private key acquisition means 59: Client terminal management file encryption key encryption means 60: Client terminal private key encryption means 61: User ID-encrypted private key transmission means 62: Encrypted private key decryption means 63 : Client terminal management file encryption key decryption means 64: Cry Ant terminal management time file decryption means 65: service server communication key decryption means 66: client terminal communication key creation means 67: client terminal communication key encryption means 68: client terminal key database

   ─────────────────────────────────────────────────── ─── Continued front page    F-term (reference) 5B085 AE02 AE03 AE04 AE08 AE29                       BG03                 5J104 AA07 AA12 AA16 EA04 EA19                       JA21 KA02 KA05 MA01 MA05                       NA02 PA07

Claims (18)

[Claims] 1. A security management system via a network, wherein a client terminal is connected via a network to an authentication server for authenticating the client terminal and a service server for storing files of the client terminal. An installation ID receiving means for receiving an input of an installation ID assigned in advance,
Hardware ID creation means for creating a unique hardware ID for the client terminal, client side public key creation means for creating a client side public key based on the installation ID and hardware ID, installation ID and hardware ID Client-side secret-key creating means for creating a client-side private key based on the above, and client-key sending means for encrypting an installation ID, a hardware ID, and a client-side public key with an authentication server public key and sending the encrypted ID to the authentication server. And an authentication means for accepting the input of the user ID and the password, and the user ID
A client terminal private key creating means for creating a private key based on a password, a hardware ID, and a user I
A user ID transmitting means for encrypting D and a password with an authentication server public key and transmitting them to the authentication server; and a user I
Authentication ID for encrypting D, the password, and the hardware ID with the authentication server public key and transmitting them to the authentication server to authenticate the client terminal and / or the user.
The transmitting means, the communication key decrypting means for receiving the communication key encrypted with the client side public key from the authentication server, and decrypting the communication key with the client side private key, and the key of the file stored on the service server. A file encryption key creating means for creating a certain file encryption key; a client terminal file encryption key encrypting means for encrypting the created file encryption key with a private key and further encrypting it with a communication key;
A client terminal file encryption means for encrypting a file stored on the service server with a file encryption key, and further encryption with a communication key; and a file encryption key encrypted by the client terminal file encryption key encryption means. A file transmission means for transmitting the file encrypted by the client terminal file encryption means to the service server; and a file encryption key encrypted by the communication key and the private key from the service server, A file encryption key decryption means for decrypting with a personal key, a file encrypted with a communication key and a file encryption key is received from the service server, and a file is decrypted with the communication key and the decrypted file encryption key. A security management system, comprising: 2. A security management system via a network, comprising a client-side public key encrypted with an authentication server public key, an installation ID, and hardware I.
Client key registration means for receiving D and D from the client terminal owned by the user, decrypting with the authentication server private key, and registering the decrypted client-side public key, installation ID, and hardware ID in the client database; User ID registration means for receiving the user ID and password encrypted with the key from the client terminal, decrypting them with the authentication server secret key, and registering the decrypted user ID and password in the user database, and the authentication server disclosure A user ID, a password, and a hardware ID encrypted with a key are received from the client terminal, decrypted with an authentication server secret key, and the decrypted user ID, password, and hardware ID are stored in the client database and the user. Match the database and Means for verifying whether or not the user terminal is a user terminal, and a communication key for creating a communication key used for communication via the network between the client terminal and the service server storing the file of the client terminal And a communication key encryption unit that encrypts the created communication key with the client-side public key and sends the encrypted communication key to the client terminal and / or the service server. . 3. A security management system via a network, comprising access right checking means for checking a user's access right to a file when writing or reading the file, and in the client terminal when writing the file. File receiving means for receiving the file encrypted with the created file encryption key and the file encryption key encrypted with the private key created in the client terminal, and storing the file in the file storing means; Sometimes, a file encryption key obtaining means for obtaining a file encryption key encrypted with a private key from the file storing means, and an authentication server for authenticating the file encryption key encrypted with a private key to the client terminal Encrypted with the communication key created by File encryption key encryption means for transmitting to the terminal, file acquisition means for acquiring a file encrypted with the file encryption key from the file storage means, and a file encrypted with the file encryption key with the communication key A security management system comprising: a service server having a service server file encryption unit that encrypts and transmits to the client terminal. 4. A security management system via a network, wherein the client terminal is connected via a network to an authentication server for authenticating the client terminal and a service server for storing files of the client terminal, An installation ID receiving means for receiving an input of an installation ID assigned in advance,
Hardware ID creation means for creating a unique hardware ID for the client terminal, client side public key creation means for creating a client side public key based on the installation ID and hardware ID, installation ID and hardware ID Client-side secret-key creating means for creating a client-side private key based on the above, and client-key sending means for encrypting an installation ID, a hardware ID, and a client-side public key with an authentication server public key and sending the encrypted ID to the authentication server. And an authentication means for accepting the input of the user ID and the password, and the user ID
A client terminal private key creating means for creating a private key based on a password, a hardware ID, and a user I
A user ID transmitting means for encrypting D and a password with an authentication server public key and transmitting them to the authentication server; and a user I
Authentication ID for encrypting D, the password, and the hardware ID with the authentication server public key and transmitting them to the authentication server to authenticate the client terminal and / or the user.
Client terminal communication key creating means for creating a communication key used for communication between the sending means and the service server via the network, and the service server by encrypting the created communication key with a service server public key To the client terminal communication key encryption means, a file encryption key creation means for creating a file encryption key that is a key of a file saved on the service server, and the created file encryption key encrypted with a private key After that, the client terminal file encryption key encryption means for further encrypting with the communication key, and the client terminal file encryption means for further encrypting the file saved on the service server with the file encryption key A file encryption key encrypted by the client terminal file encryption key encryption means, File transmission means for transmitting the file encrypted by the ant terminal file encryption means to the service server, and the file encryption key encrypted by the communication key and the private key from the service server, and the communication key and the private key File encryption key decryption means for decrypting with the key,
A security management system comprising a file decryption means for receiving a file encrypted by a communication key and a file encryption key from the service server, and decrypting the file by the communication key and the decrypted file encryption key. . 5. A security management system via a network, comprising a client-side public key encrypted with an authentication server public key, an installation ID, and hardware I.
Client key registration means for receiving D and D from the client terminal owned by the user, decrypting with the authentication server private key, and registering the decrypted client-side public key, installation ID, and hardware ID in the client database; User ID registration means for receiving the user ID and password encrypted with the key from the client terminal, decrypting them with the authentication server secret key, and registering the decrypted user ID and password in the user database, and the authentication server disclosure A user ID, a password, and a hardware ID encrypted with a key are received from the client terminal, decrypted with an authentication server secret key, and the decrypted user ID, password, and hardware ID are stored in the client database and the user. Match the database and Security management system characterized in that an authentication server and a collating means that performs whether collation is over THE. 6. A security management system via a network, comprising a service server communication key decryption means for receiving a communication key encrypted with a service server public key from a client terminal and decrypting it with a service server private key. , An access right checking means for checking the user's access right to the file when writing or reading the file, and when writing the file,
Receiving a file encrypted with the file encryption key created in the client terminal and a file encryption key encrypted with the private key created in the client terminal, and saving the file in the file storage means Means, a file encryption key acquisition means for acquiring a file encryption key encrypted with a private key from the file storage means at the time of reading the file, and a file encryption key encrypted with the private key File encryption key encryption means for encrypting with a communication key and transmitting to the client terminal, file acquisition means for acquiring a file encrypted with the file encryption key from the file storage means, and encryption with the file encryption key File that is encrypted by the decrypted communication key and sent to the client terminal. Security management system characterized by having a service server and a server file encryption means. 7. A security management system via a network, wherein a client terminal is connected via a network to an authentication server for authenticating the client terminal and a service server for storing files of the client terminal, An installation ID receiving means for receiving an input of an installation ID assigned in advance,
Hardware ID creation means for creating a unique hardware ID for the client terminal, client side public key creation means for creating a client side public key based on the installation ID and hardware ID, installation ID and hardware ID Client-side secret-key creating means for creating a client-side private key based on the above, and client-key sending means for encrypting an installation ID, a hardware ID, and a client-side public key with an authentication server public key and sending the encrypted ID to the authentication server. And an authentication means for accepting the input of the user ID and the password, and the user ID
A client terminal private key creating means for creating a private key based on a password, a hardware ID, and a user I
User ID-personal key transmitting means for encrypting D, the password and the personal key with the authentication server public key and transmitting them to the authentication server, and the user ID, password and hardware ID with the authentication server public key for encryption and Authentication ID transmitting means for transmitting to the authentication server to perform authentication of the client terminal and / or user, and a communication key encrypted with the client side public key from the authentication server, and decrypted with the client side private key Communication key decryption means for encrypting, a client terminal file encryption means for managing an authentication server for encrypting a file stored on the service server with the decrypted communication key, and a file encrypted with the communication key for the service Authentication server management file transmission means to send to the server, private key encrypted with communication key, communication key and private key The encrypted file encryption key is received from the service server, the private key encrypted with the communication key, the file encryption key encrypted with the communication key and the private key are decrypted, and further encrypted with the private key. An authentication server management file encryption key decryption means for decrypting the encrypted file encryption key with the decrypted private key, and a file encrypted with the communication key and the file encryption key is received from the service server, A security management system comprising: a file decryption unit that decrypts the file with a communication key and the decrypted file encryption key. 8. A security management system via a network, comprising a client-side public key encrypted with an authentication server public key, an installation ID, and hardware I.
Client key registration means for receiving D and D from the client terminal owned by the user, decrypting with the authentication server private key, and registering the decrypted client-side public key, installation ID, and hardware ID in the client database; An authentication server management user who receives a user ID and password encrypted with a key from the client terminal, decrypts it with the authentication server secret key, and registers the decrypted user ID and password in the authentication server management user database. ID registration means and a private key encrypted with the authentication server public key are received from the client terminal, decrypted with the private key of the authentication server, the decrypted private key is encrypted with the management key, and the authentication server management user database Private key registration method to be registered in, and encrypted with the authentication server public key User ID, password, and hardware ID from the client terminal, decrypts them with the authentication server secret key, and decrypts the decrypted user ID, password, and hardware ID with the client database and the authentication server management user database. The authentication server management collating means for collating with the client terminal for collating whether the user is a legitimate user, and the communication between the service server storing the file of the client terminal and the client terminal via the network. A communication key creating means for creating a communication key to be used, the created communication key is encrypted with a client side public key, and the client terminal and / or
Alternatively, the security management system includes an authentication server having communication key encryption means for transmitting to the service server. 9. A security management system via a network, wherein an access right checking means for checking an access right to a user's file at the time of writing or reading the file, and the individual of the user encrypted with a management key. Private key acquisition means for acquiring a key from the user database when managing the authentication server of the authentication server; personal key decryption means for decrypting the private key encrypted with the acquired management key with the management key; and the service server Service server file encryption key creating means for creating a file encryption key which is a key of a file to be stored above, and service server file encryption key encrypting means for encrypting the created file encryption key with the decrypted private key When,
Authentication server management file decryption means for receiving a file encrypted with a communication key from a client terminal and decrypting it with the communication key, and an authentication server for encrypting the decrypted file with the created file encryption key Management time service server file encryption means, a file encrypted with a file encryption key, and a service server file encryption key registration means for storing a file encryption key encrypted with a private key in the file storage means, and an encryption with the management key The read private key decryption means for acquiring the encrypted personal key of the user from the user database when managing the authentication server of the authentication server and decrypting it with the management key, and the file encryption key encrypted with the private key. File encryption key acquisition means to be obtained from the file storage means, file encryption key encrypted with the private key, and the decrypted An authentication server management file encryption key encryption means for encrypting a personal key with a communication key and transmitting it to the client terminal; and a file acquisition means for acquiring a file encrypted with the file encryption key from the file storage means. , A service server having a service server file encryption means for further encrypting a file encrypted with a file encryption key with a communication key and transmitting the file to the client terminal. 10. A security management system via a network, wherein a client terminal is connected via a network to an authentication server for authenticating the client terminal and a service server for storing files of the client terminal, Install ID accepting means for accepting the input of the pre-assigned install ID, hardware ID creating means for creating a hardware ID unique to the client terminal, and install I
A client side public key creating means for creating a client side public key based on D and the hardware ID; a client side private key creating means for creating a client side private key based on the installation ID and the hardware ID; A client key transmitting unit that encrypts the ID, the hardware ID, and the client-side public key with the authentication server public key and transmits the encrypted ID to the authentication server;
Authentication means for accepting input of D and password, client terminal private key creation means for creating a private key based on the user ID, password and hardware ID, and authentication server public key for the user ID, password and private key User ID-personal key transmitting means for encrypting with and transmitting to the authentication server, a user ID, a password and a hardware ID encrypted with the authentication server public key and transmitted to the authentication server, and the client terminal and / or Authentication ID transmitting means for authenticating a user, client terminal communication key creating means for creating a communication key used for communication between the service server and the service server, and the created communication key for the service server A client terminal communication key encryption means for encrypting with a public key and transmitting to the service server; Authentication server management client terminal file encryption means for encrypting a file stored on a service server with a communication key, authentication server management file transmission means for transmitting a file encrypted with a communication key to the service server, and a communication key The private key encrypted by the communication key and the file encryption key encrypted by the communication key and the private key are received from the service server, and the private key, the communication key, and the private key encrypted by the communication key are received. Authentication server management file encryption key decryption means for decrypting the encrypted file encryption key and further decrypting the file encryption key encrypted with the private key with the decrypted private key, the communication key and the file A file recovery that receives a file encrypted with the encryption key from the service server, and decrypts the file with the communication key and the decrypted file encryption key. Security management system characterized by having a means. 11. A security management system via a network, wherein a client-side public key encrypted with an authentication server public key, an installation ID, and a hardware ID are received from a client terminal of a user,
Client key registration means for decrypting with the authentication server private key and registering the decrypted client side public key, installation ID and hardware ID in the client database, and a user ID and password encrypted with the authentication server public key Authentication server management user ID registration means for receiving from the client terminal, decrypting with the authentication server secret key, and registering the decrypted user ID and password in the authentication server management user database, and encryption with the authentication server public key A private key registration means for receiving the generated private key from the client terminal, decrypting it with the private key of the authentication server, encrypting the decrypted private key with the management key, and registering it in the user database when managing the authentication server; The user ID, password, and hardware ID encrypted with the key are described above. Whether it is a legitimate user by receiving it from the client terminal, decrypting it with the authentication server secret key, collating the decrypted user ID, password and hardware ID with the client database and the authentication server management user database. A security management system comprising an authentication server having an authentication server management time verification means for verifying the above. 12. A security management system via a network, comprising a service server communication key decryption means for receiving a communication key encrypted with a service server public key from a client terminal and decrypting it with a service server private key. , An access right checking means for checking the user's access right to the file at the time of writing or reading the file, and an individual who obtains the user's private key encrypted with the management key from the user database at the time of managing the authentication server of the authentication server A key acquisition unit, a personal key decryption unit that decrypts the private key encrypted with the acquired management key with the management key, and a file encryption key that is a key of a file saved on the service server are created. The service server file encryption key creating means and the created file encryption key are And the service server file encryption key encrypting means for encrypting a private key and Goka receives the encrypted file by the communication key from the client terminal, the authentication server management when the file decoding means for decoding a communication key,
An authentication server management service server file encryption means for encrypting the decrypted file with the created file encryption key, a file encrypted with the file encryption key, and a file encryption key encrypted with the private key. Service server file encryption key registration means to be stored in the file storage means, and the personal key of the user encrypted by the management key is obtained from the user database of the authentication server when the authentication server is managed and decrypted by the management key. Key decryption means, file encryption key acquisition means for obtaining a file encryption key encrypted with a private key from the file storage means, file encryption key encrypted with a private key, and the decrypted individual Authentication server management file encryption key encryption means for encrypting a key with a communication key and transmitting to the client terminal; File acquisition means for acquiring the file encrypted by the above from the file storage means, and service server file encryption means for further encrypting the file encrypted by the file encryption key with the communication key and transmitting it to the client terminal A security management system comprising: a service server having: 13. A security management system via a network, wherein the client terminal is connected via a network to an authentication server for authenticating the client terminal and a service server for storing files of the client terminal, Install ID accepting means for accepting the input of the pre-assigned install ID, hardware ID creating means for creating a hardware ID unique to the client terminal, and install I
A client side public key creating means for creating a client side public key based on D and the hardware ID; a client side private key creating means for creating a client side private key based on the installation ID and the hardware ID; A client key transmitting unit that encrypts the ID, the hardware ID, and the client-side public key with the authentication server public key and transmits the encrypted ID to the authentication server;
Authentication means for accepting the input of D and password, client terminal private key creation means for creating a private key based on the user ID, password and hardware ID, and client terminal private key for encrypting the private key with the management key Encryption means, a user ID-encrypted personal key transmission means for encrypting a user ID, a password, and a personal key encrypted with a management key with an authentication server public key, and transmitting the encrypted personal key to the authentication server.
A user ID, a password, and a hardware ID are encrypted with an authentication server public key and transmitted to the authentication server, and an authentication time ID transmission unit for authenticating the client terminal and / or the user, and the authentication server to the client side Communication key decryption means for receiving the communication key encrypted with the public key and decrypting it with the client-side secret key, and the private key encrypted with the management key from the service server, and managing the received private key Encrypted private key decryption means for decrypting with a key, file encryption key creating means for creating a file encryption key that is a key of a file saved on the service server, and the created file encryption key is encrypted with a private key After encryption, the client terminal file encryption key encryption means for further encryption with the communication key and the file saved on the service server After encrypting the encryption key, and a client terminal file encryption means for further encrypting the communication key,
The file encryption key encrypted by the client terminal file encryption key encryption unit and the file encryption unit that transmits the file encrypted by the client terminal file encryption unit to the service server, the communication key and the management key. The encrypted private key and the file encryption key encrypted with the communication key and the private key are received from the service server, the private key is decrypted with the communication key and the management key, and the communication key and the decryption are performed. The client terminal management file encryption key decryption means for decrypting the file encryption key with the private key, and the file encrypted with the communication key and the file encryption key is received from the service server, and the communication key and the file encryption key are received. A security management system, comprising: a client terminal management file decryption means for decrypting a file with a key. 14. A security management system via a network, wherein a client-side public key encrypted with an authentication server public key, an installation ID, and a hardware ID are received from a client terminal of a user,
Client key registration means for decrypting with the authentication server private key and registering the decrypted client side public key, installation ID, and hardware ID in the client database, user ID, password, and individual encrypted with the authentication server public key The key and the decrypted user I received from the client terminal and decrypted by the authentication server secret key.
Encryption personal key registration means for registering D, the password and the personal key in the user database when managing the client terminal;
The user ID, password, and hardware ID encrypted with the authentication server public key are received from the client terminal, decrypted with the authentication server private key, and the decrypted user ID, password, and hardware ID are stored in the client database. And a client terminal management collation unit that collates with the user database when the client terminal is managed to collate whether the user is a legitimate user, a service server that stores a file of the client terminal, and the client terminal. Communication key creating means for creating a communication key used in communication via a network, and communication key encryption for encrypting the created communication key with a client-side public key and transmitting the encrypted communication key to the client terminal and / or the service server And an authentication server having means. Security management systems. 15. A security management system via a network, wherein an access right checking means for checking an access right to a user's file at the time of writing or reading a file, and the user's individual encrypted with a management key. Client terminal management private key acquisition means for acquiring a key from a user database during client terminal management of an authentication server, and encryption for encrypting a private key encrypted with the acquired management key with a communication key and transmitting it to the client terminal Personalized key encryption means, a file encryption key encrypted with a private key received from the client terminal, and a file encrypted with the file encryption key are received from the client terminal and stored in the file storage means. File receiving means for managing client terminal and the file At the time of extension, the file encryption key acquisition means for acquiring the file encryption key encrypted with the private key from the file storage means, the file encryption key encrypted with the private key, and the encryption key with the management key File encryption key encryption means for managing a client terminal for encrypting a private key with a communication key and transmitting it to the client terminal, and file acquisition means for obtaining a file encrypted with the file encryption key from the file storage means And a service server having a service server file encryption means for encrypting a file encrypted with a file encryption key with a communication key and transmitting the encrypted file to the client terminal. 16. A security management system via a network, wherein the client terminal is connected via a network to an authentication server for authenticating the client terminal and a service server for storing files of the client terminal, Install ID accepting means for accepting the input of the pre-assigned install ID, hardware ID creating means for creating a hardware ID unique to the client terminal, and install I
A client side public key creating means for creating a client side public key based on D and the hardware ID; a client side private key creating means for creating a client side private key based on the installation ID and the hardware ID; A client key transmitting unit that encrypts the ID, the hardware ID, and the client-side public key with the authentication server public key and transmits the encrypted ID to the authentication server;
Authentication means for accepting the input of D and password, client terminal private key creation means for creating a private key based on the user ID, password and hardware ID, and client terminal private key for encrypting the private key with the management key Encryption means, a user ID-encrypted personal key transmission means for encrypting a user ID, a password, and a personal key encrypted with a management key with an authentication server public key, and transmitting the encrypted personal key to the authentication server.
Between the service server and the authentication ID transmitting means for encrypting the user ID, the password, and the hardware ID with the public key of the authentication server and transmitting them to the authentication server to authenticate the client terminal and / or the user. Client terminal communication key creating means for creating a communication key to be used for communication via a network, and client terminal communication key encrypting means for encrypting the created communication key with a service server public key and transmitting it to the service server. And receives the private key encrypted with the management key from the service server,
An encryption private key decryption unit that decrypts the received private key with a management key, a file encryption key creation unit that creates a file encryption key that is a key of a file saved on the service server, and a file encryption key After encrypting with your private key,
A client terminal file encryption key encryption means for further encrypting with a communication key, and a client terminal file encryption means for further encrypting a file saved on the service server with a file encryption key, The file encryption key encrypted by the client terminal file encryption key encryption unit and the file encryption unit that transmits the file encrypted by the client terminal file encryption unit to the service server, the communication key and the management key. The encrypted private key and the file encryption key encrypted with the communication key and the private key are received from the service server, the private key is decrypted with the communication key and the management key, and the communication key and the decryption key are decrypted. File encryption key decryption means at the time of client terminal management for decrypting the file encryption key with the private key Security management system characterized by having a encrypted received file from the service server, the client terminal management during file decoding means for decoding the files in the communication key and the file encryption key. 17. A security management system via a network, wherein a client-side public key encrypted with an authentication server public key, an installation ID, and a hardware ID are received from a client terminal of a user,
Client key registration means for decrypting with the authentication server private key and registering the decrypted client side public key, installation ID, and hardware ID in the client database, user ID, password, and individual encrypted with the authentication server public key The key and the decrypted user I received from the client terminal and decrypted by the authentication server secret key.
Encryption personal key registration means for registering D, the password and the personal key in the user database when managing the client terminal;
The user ID, password, and hardware ID encrypted with the authentication server public key are received from the client terminal, decrypted with the authentication server private key, and the decrypted user ID, password, and hardware ID are stored in the client database. A security management system comprising: an authentication server having a client terminal management collation means for collating with the client terminal management user database and collating whether or not the user is an authorized user. 18. A security management system via a network, comprising a service server communication key decryption means for receiving a communication key encrypted with a service server public key from a client terminal and decrypting it with a service server private key. , An access right checking means for checking the user's access right to the file at the time of writing or reading the file, and a client for acquiring the user's private key encrypted by the management key from the user database of the client terminal management of the authentication server A terminal private key acquisition unit, a private key encryption unit that encrypts the private key encrypted with the acquired management key with the communication key and sends the private key to the client terminal; File encryption key encrypted with private key and file encryption key A client terminal managing file receiving means for receiving an encrypted file from the client terminal and saving the file in the file storing means, and a file encryption key encrypted with a private key when reading the file from the file storing means. At the time of managing the client terminal, the file encryption key acquisition means to be acquired, the file encryption key encrypted with the private key, and the private key encrypted with the management key are encrypted with the communication key and transmitted to the client terminal. File encryption key encryption means, file acquisition means for acquiring a file encrypted by the file encryption key from the file storage means, and the client by encrypting the file encrypted by the file encryption key with the communication key A service server having a service server file encryption means for transmitting to the terminal, Security management system according to claim Rukoto.