JP2003271782A - Personal information management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a personal information management system which can maintain high safety against a leak and loss of information and prevent the service quality from decreasing owing to the concentration of loads. <P>SOLUTION: Personal information on a user is held secret by storing the personal information on a plurality of data storage terminals 20 on a network 1 while dividing the information into fragments, loads concerned with the storage of the information are decentralized, and at the same time, safety in case of data loss is secured. Further, respective items of the personal information are so ciphered that only information of items that the user allows is disclosed on a personal information managing terminal 40 and a service providing terminal 30, thereby preventing information from leaking by cracking, etc., from outside and inside the system. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

TECHNICAL FIELD The present invention relates to an improvement of a personal information management system installed on a network.

[0002]

2. Description of the Related Art As a service for centrally managing and distributing user's personal information on a network, it has already been disclosed in Japanese Patent Laid-Open No.
There has been proposed a personal information management device as disclosed in Japanese Patent Laid-Open No. 001-5777, a personal information management system as disclosed in Japanese Patent Laid-Open No. 2001-344143 and the like.

When the personal information of the user such as address, name, credit card number, bookmark of web page, personal schedule information, etc. is stored in the server by using such personal information management service, the user can access the network. The personal information required for the service can be retrieved from the interface of the personal information management service and used whenever necessary.

For example, let us consider a case where user A searches a hotel reservation site B for an empty room in a hotel. At this time, if the user A trusts the hotel reservation site B,
The user ID and password for accessing his / her own personal information and the access right to the personal schedule information are passed to the hotel reservation site B.

The hotel reservation site B receives the user I
Using the password D and the password, the schedule information to which the access right is given is acquired from the personal information of the user A from the personal information management service, and the information on the vacant room is displayed on the terminal screen of the user A based on the travel schedule of the user A. Can be displayed on.

The other hotel reservation site C trusted by the user A can also use the schedule information of the user A by using the personal information management service.

[0007] When making a reservation from the hotel reservation site C, the hotel reservation site C grants the user the right to access the address, credit card number, etc. required for the reservation, so that the hotel reservation site C can manage the personal information. You can get the information you need from.

As described above, the hotel reservation sites B and C cannot refer to the personal information of the user A indefinitely,
Only the items that the user A has given the access right and permitted can be acquired, and the data flowing on the network is encrypted, so it can be said to be safe in terms of security.

By such processing operation, the user does not need to register the user for each service or repeatedly input similar personal information, and can use various services by sharing personal information on the network. Will be able to. Also, by placing the personal information on the network, there is an advantage that the same personal information can be accessed regardless of the terminal used.

[0010]

On the other hand, on the other hand,
There is a problem in centrally storing and managing personal information with a specific personal information management service.

The first problem is information leakage. Even if a confidentiality agreement is signed with the personal information management service, there is a risk of information leakage due to intrusion from the outside and personal information leakage due to malicious members inside the personal information management service that operates the system. .

The second problem is the problem of information loss. This kind of personal information prevents information loss due to system down or breakdown by measures such as duplication of data in the personal information management service, but unexpected large-scale disaster, terrorism, personal information management company It will be very costly to take sufficient measures against the loss due to bankruptcy.

The third problem is a load problem. When handling a large number of personal information with one personal information management service, a large amount of resources are required for load balancing.
Further, if sufficient resources are not prepared, it may take a very long time to refer to the profile information or the reference itself may be impossible.

[0014]

SUMMARY OF THE INVENTION Therefore, an object of the present invention is to provide a high degree of security against leakage or loss of information while preventing the deterioration of service quality due to the concentration of load while making the most of the convenience of managing personal information on a network. The purpose is to provide a personal information management system that can do this.

[0015]

According to the present invention, there is provided a network of a user terminal, a service providing terminal for providing a service to the user by utilizing the personal information of the user, a personal information management terminal, and a plurality of data storage terminals. In order to achieve the above object, in particular, the user terminal is provided with a means for dividing personal information of a user held by the user terminal, and a personal information management system for connecting the divided personal information. Means for transferring fragments to a plurality of data storage terminals, means for storing fragments of personal information requested to be stored by the user terminal are provided in the data storage terminal, and the personal information management terminal is provided with the A means for collecting fragmented personal information of the user designated by the service providing terminal from the plurality of data storage terminals is provided, and the service providing terminal is provided with the user. The means for requesting the personal information management terminal to collect the personal information of the user based on the personal information use permission from the terminal, and the items of the personal information collected by the personal information management terminal that the user has permitted to browse And a means for utilizing only this.

With such a configuration, the user terminal divides the personal information of the user held by the user terminal and transfers the personal information fragmented by the division to a plurality of data storage terminals via the network. Then, each data storage terminal stores a piece of personal information requested to be stored by the user terminal. Further, when the user terminal inputs a personal information license to the service providing terminal to receive the service using the personal information, the service providing terminal collects the personal information of the user based on the personal information license. Request to the personal information management terminal. On the other hand, the personal information management terminal requested to collect the personal information collects fragmented personal information about the user designated by the service providing terminal from a plurality of data storage terminals and passes it to the service providing terminal via the network. . Upon receiving this, the service providing terminal provides the user with a predetermined service by using only the items that the user has permitted to browse among the personal information collected by the personal information management terminal. As described above, since the user's personal information is stored in multiple data storage terminals in a fragmented state due to division, the user's personal information is centrally stored and managed by a specific personal information management service. Compared with the conventional system, the security of confidentiality of personal information is improved, and at the same time, the load related to the storage of personal information is distributed. Moreover, since the service providing terminal cannot refer to items other than the items that the user has permitted to browse among the collected personal information, there is no concern that the personal information of the user is used by the service providing terminal without limitation.

Further, it is desirable that the user terminal is configured to encrypt the personal information when dividing the personal information of the user held by the user terminal.

By encrypting the personal information, the security of confidentiality of the personal information can be greatly improved.

In addition to the above configuration, a function of encrypting the storage location of the fragment of personal information with a key issued from the personal information management terminal and passing it to the service providing terminal is added to the user terminal,
In addition, the service providing terminal is provided with a function of passing the encrypted storage location to the personal information managing terminal,
The encryption of the storage location of the personal information may be decrypted with the key issued to the user to collect the pieces of the personal information.

When such a configuration is applied, only the personal information management terminal capable of decrypting the encryption of the storage destination can know the storage destination of the fragmented and stored personal information, The service providing terminal cannot specify the storage location of the user's personal information. Therefore, even if there is a malicious member inside the company that operates the service providing terminal, it is difficult to illegally operate the service providing terminal to obtain the personal information of the user, and the confidentiality of the personal information is Guaranteed. Also in this case, similarly to the above, by additionally applying the configuration for performing encryption when dividing the personal information, it is possible to significantly improve the security of the confidentiality of the personal information.

Also, when the personal information is divided, each item constituting the personal information is encrypted with a different key for each item, and only the key for decrypting the item permitted to be browsed is passed to the service providing terminal. May be provided in the user terminal, and the personal information collected by the personal information management terminal may be decrypted by the service providing terminal.

When such a configuration is applied, the personal information management terminal merely collects the fragmented and stored personal information and passes it to the service providing terminal, and the personal information management terminal itself provides the personal information. It cannot be decrypted. Therefore, even if there is a malicious member inside the company that operates the personal information management terminal, it is difficult to illegally operate the personal information management terminal to obtain the personal information of the user.
Improves security regarding confidentiality of personal information. The service providing terminal uses the key passed from the user terminal to decrypt the user's personal information, but the key passed from the user terminal is limited to only the keys of the items that the user has permitted to view. There is no concern that the user's personal information will be used indefinitely via the terminal. Also in this case, as in the above case, the function of encrypting the storage location of the fragment of personal information with the key issued from the personal information management terminal and passing it to the service providing terminal is added to the user terminal, and the encrypted storage location is added. The service providing terminal has a function of passing the personal information to the personal information managing terminal, and the personal information managing terminal collects a fragment of the personal information by decrypting the encryption of the storage location of the personal information with the key issued to the user. It is possible to apply.

Further, when the personal information is divided, each item constituting the personal information is encrypted with a different key for each item, and only the key for decrypting the item permitted to be browsed from the user terminal to the service providing terminal. It is also possible that the personal information is passed to the personal information management terminal via the personal information management terminal and the personal information collected by the personal information management terminal is decrypted by the personal information management terminal itself.

When such a configuration is applied, the personal information management terminal itself, which collects the fragmented and stored personal information, decrypts the personal information. However, the personal information management terminal can decrypt the personal information. Are restricted to the items that are allowed to browse. Therefore, even if there is a malicious member inside the company that operates the personal information management terminal, there is no concern that the personal information of the user will be used indefinitely. Also in this case, as in the above case, the function of encrypting the storage location of the fragment of personal information with the key issued from the personal information management terminal and passing it to the service providing terminal is added to the user terminal, and the encrypted storage location is added. The service providing terminal has a function of passing the personal information to the personal information managing terminal, and the personal information managing terminal collects a fragment of the personal information by decrypting the encryption of the storage location of the personal information with the key issued to the user. It is possible to apply.

Further, means for encrypting the personal information of the user with a different key for each item and then for encrypting the entire personal information, and data storage so that only the personal information management terminal can decrypt it The user terminal is provided with means for passing the encrypted data obtained by encrypting the destination and the key for decrypting the item permitted to be browsed to the service providing terminal, and the encrypted data is sent to the personal information managing terminal via the service providing terminal. The encrypted data is decrypted by the personal information management terminal, the fragments of the user's personal information are collected from the data storage destination and restored with the entire encryption key, and each item remains encrypted. The personal information restored in step 1 is passed from the personal information management terminal to the service providing terminal, and the service providing terminal
Only the items permitted to be browsed may be decrypted and used by using the key sent from the user terminal.

In this case, the personal information of the user is encrypted by the user terminal with a different key for each item, and further with the entire encryption key for encrypting the entire personal information. Also,
The encrypted data obtained by encrypting the data storage destination is passed from the user terminal to the personal information management terminal via the service providing terminal, and the key for decrypting the items permitted to be browsed is passed from the user terminal to the service providing terminal. It is stored in the service providing terminal. Then, the personal information management terminal, which receives the request from the service providing terminal, decrypts the encrypted data to specify the storage location of the personal information, collects the fragmented personal information from each data storage terminal, and encrypts the entire data. Restore with key. However, at this stage, personal information remains encrypted with a different key for each item. The personal information management terminal passes the restored personal information to the service providing terminal, and the service providing terminal receiving this uses the key passed from the user terminal,
Only the items that are permitted to browse are decrypted, and some or all items of the user's personal information are used for the service. As described above, the personal information of the user is doubly encrypted with the key for each item and the entire encryption key for encrypting the entire personal information, so the security of confidentiality of the personal information is extremely high. Also, since the key for decrypting the items that are allowed to be browsed is not passed to the personal information management terminal, it is virtually impossible to obtain the user's personal information due to unauthorized use of the personal information management terminal. Also, since the service providing terminal cannot decrypt the items other than the items permitted to be browsed, it is virtually impossible to extract the personal information of the user who is not permitted to browse. In other words, unless the company that operates the personal information management terminal and the company that operates the service provision terminal simultaneously conduct malicious acts, the user's personal information is almost certainly safe.

[0027]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Next, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 shows the configuration of an embodiment of the present invention.

The personal information management system of the present embodiment includes a network 1 such as the Internet, a plurality of user terminals 10 (11 to 13) connected to the network 1,
Also, a plurality of data storage terminals 20 (21 to 23) for storing the personal information of the user, and one or more service providing terminals 30 (31 to 33) for providing services such as selling goods and providing information to the user. , And one or more personal information management terminals 40 (41 to 4) that manage the personal information of the user.
3) and.

However, these terminals may have a plurality of roles at the same time. In particular, it is conceivable to construct the personal information management terminal 40 and the service providing terminal 30 with the same terminal.

Then, each terminal exposes to the network 1 an interface (15, 25, 35, 45) for managing personal information common to each role. Even if the internal processing of each terminal is an original implementation, the interface open to the other terminals on the network 1 for the purpose of personal information management complies with the standard convention.

Of these, the interface 15 of the user terminal 10 substantially doubles as a means for dividing the personal information of the user and a means for transferring a fragment of the personal information to a plurality of data storage terminals. Further, the interface 25 of the data storage terminal 20 serves as a means for storing a fragment of personal information requested to be stored by the user terminal in an auxiliary storage device or the like, and the interface 35 of the service providing terminal 30 uses the personal information from the user terminal. Functions as a means for requesting the personal information management terminal to collect the user's personal information based on the permission, and as a service providing means for using only the items the user has permitted to browse among the personal information collected by the personal information management terminal. To do. Interface 4 of personal information management terminal 40
5 functions as a means for collecting fragmented personal information of the user designated from the service providing terminal from a plurality of data storage terminals.

These interfaces (15, 25, 3
5, 45) is an application program directly mounted on each terminal or an application program published on the network 1 by using CGI or the like. The function of each interface will be described later with reference to the drawings such as a flowchart.

FIG. 2 shows the structure of personal information held by the user in this embodiment. Personal information 500 is the user's own name 501, gender 502, date of birth 503, blood type 50
4, occupation 505, address 506, telephone number 507, credit card number 508, schedule information 509, favorite site (bookmark) 510. Of course, the items that make up personal information are not limited to this, and items that are necessary for the service can be added or deleted freely.

FIG. 3A shows the structure of user account information in this embodiment. Account information 52
0 is passed from the user ID 521, the entire encryption key 522, the item encryption key list 550 that stores the correspondence between each item of personal information and the encryption key, the contracted personal information management terminal and each personal information management terminal. A key ring 540 that stores the correspondence relationship with the information administrator encryption key, personal information storage destination information 523 that stores the storage location of personal information fragmented by division, and a contracted individual that stores the contracted personal information management terminal The information management terminal information 524 and the disclosure item information 530 storing whether or not each item of personal information can be browsed.

Of these, the item encryption key list 550 is a list of pairs of individual information items 551 and item encryption keys 552 for the items, as shown in FIG. 3B.
It is necessary for the user to determine the entire encryption key 522 and the item encryption key 552 in advance. The item encryption key 552 may be automatically generated from the whole encryption key 522 based on a random number, or may be automatically generated based on main data given by the user in advance. However, a method of generating the item encryption key 552 that can be easily guessed from another item encryption key 552 or the overall encryption key 522 is avoided.

As shown in FIG. 3D, the key ring 540 is composed of a set of a contract personal information management terminal ID 541 and an information manager encryption key 542 passed from each personal information management terminal.

In this embodiment, a common key cryptosystem in which an encryption key and a decryption key are the same is assumed for encryption,
In the following description, both the key used for encryption and the key used for decryption are described as encryption keys. However, for example, the information manager encryption key 542 can be a public key cryptosystem, and in that case, the public key of the personal information management terminal is stored as the information manager encryption key 542.

The disclosure item information 530 refers to the setting status of the previous disclosure item when the user accesses the service providing terminal 30 via the user terminal 10 or the item for which browsing is permitted in advance for each service providing terminal. This is not always an essential item and may be inquired to the user each time the service providing terminal is accessed.

The structure of the disclosure item information 530 is shown in FIG.
As shown in (1), it is a list of a set of an application service ID 531 for identifying a service providing terminal and a disclosure item 532 of personal information that the service providing terminal is permitted to browse.

The account information 520 including these is recorded in a storage medium such as a terminal used by the user, a memory card, an IC card or the like as information for the user to access the personal information.

Next, the personal information management service in this embodiment will be described. In the following description, a case where an authorized user A who uses the user terminal 11 uses the service providing terminal 31 will be described as an example.

First, the user A uses the personal information management terminal 40 (41 to 43) before using the personal information management service.
Select the personal information management terminal with which you subscribe. At this time, a contract may be made with a plurality of personal information management terminals or a single personal information management terminal may be contracted. In the following example, it is assumed that the user A has a contract with a plurality of personal information management terminals, and that the personal information management terminal 41 is included therein. The personal information management terminal 4 that made the contract
The information administrator encryption key issued from No. 1 is automatically recorded in the key ring 540 of the account information 520 together with the personal information management terminal ID.

Further, the user A uses the user terminal 11 to previously encrypt and divide the personal information 500 with the item encryption key for each item and the overall encryption key. The data storage terminal 20 (21-
23) Transfer to a plurality of data storage terminals selected from 23) and request storage.

The following example will be described on the assumption that the data storage terminal 21 is included in the selected data storage terminals. The operations of the user A and the user terminal 11 at that time will be described with reference to FIG.

First, if there is personal information 500 already distributed and stored at this stage, the user terminal 11 refers to the personal information storage destination information 523 and the fragment of the personal information 500 of the user A from the data storage terminal. The entire encryption key 5
22 and the item encryption key 552 to decrypt the personal information 5
00 is restored (step S1001).

Next, the user terminal 11 displays the personal information 50.
Each item of 0 is individually encrypted with another item encryption key 552 for each item (step S1002), and further, the entire individually encrypted personal information is collectively encrypted with the overall encryption key 522 (step S1003). ).

Then, the user terminal 11 divides the encrypted personal information into a plurality of pieces (step S1004),
Each piece of personal information fragmented by division is transferred to the interfaces 25 of a plurality of data storage terminals to request storage (step S1005).

In the present embodiment, as the division method used in the processing of step S1003, by adding redundancy and parity information for restoration, the original data can be restored even if data loss occurs in some data storage terminals. The encryption process is performed as follows. How much redundancy and parity information should be given depends on the security required by the user. RA is an example of a method that enables such division.
It is possible to apply a decentralized storage device technology called an ID.

Means required for encryption, division and transfer of personal information are pre-installed in the interface 15 of the user terminal 11 as a program.

On the other hand, the data storage terminal 21, which has received the fragment of the personal information of the user A, sets the user ID 521 stored in the account information 520 of the user A, the set of the contract personal information management terminal 524, and the received personal information. It records it by connecting it with the fragment of. The data storage terminal 21 stores a user (user having a user ID 521) who is the person who stored the personal information management terminal, or a personal information management terminal with which the user has a contract (account information of the user), for the recorded pieces of personal information. 520 contract personal information management terminal 524
It is designed to allow access only from the personal information management terminal stored in the column.

In this way, the personal information is sent to the network 1
After registering above, the user A may, if necessary, access the service providing terminal 3 on the network 1 via the user terminal 11 or the like.
Use 1 to receive services such as purchasing goods and obtaining information. The service providing terminal 31 requests the user terminal 11 of the user A to use the personal information when it is necessary to obtain the personal information 500 of the user A in order to ship a product, make a payment, or check a delivery date.

When it is determined that the service providing terminal 31 to be used is reliable, the user A operates the user terminal 11 to generate the personal information use license 600, and the personal information use license 600 is generated. 600 is transmitted to the interface 35 of the service providing terminal 31. The configuration of the personal information use permission 600 will be described with reference to FIG.

As shown in FIG. 5A, the personal information use permission 600 includes a user ID 601, a record list 610 for information managers, and personal information items and item encryption keys for permitting information browsing. The disclosure item encryption key list 620 indicating the correspondence is included.

Of these, the information manager record list 610 stores as many information manager records 611 as the number of contracted personal information management terminals. Further, as shown in FIG. 5B, the information manager record 611 includes a personal information management terminal ID 612 and an encrypted portion 615. The encrypted portion 615 includes the personal information storage destination information 613, the entire encryption key 614, and the acquisition expiration date 616.
Is a part encrypted with the information manager encryption key issued from the personal information management terminal at the time of contract. The acquisition expiration date 616 is a time limit for allowing the service providing terminal 31 to acquire information. Only the user A himself and the system administrator who operates the personal information management terminal contracted by the user A can know the contents of the encrypted portion 615,
Even if the service providing terminal 31 is operated, the contents cannot be known. As shown in FIG. 5C, the disclosure item encryption key list 620 is a list of a set of a personal information item 621 that is permitted to be viewed by the service providing terminal 30 and an item encryption key 622 corresponding to the item. is there.

Next, the procedure for generating the personal information license 600 will be described with reference to FIG.

First, the user terminal 11 copies the personal information storage destination information 523 by the number of the personal information management terminals 40 with which the user A has a contract (step S1501), and stores one personal information from these copies. The destination information 523 is taken out (step S1502).

Next, the information manager encryption key 542 corresponding to one personal information management terminal ID 541 registered in the key ring 540 is taken out (step S1503), and the personal information storage destination information taken out in step S1502 and the entire cipher The pair of the key 522 and the acquisition expiration date is encrypted with the information administrator encryption key 542 extracted in step S1503 to generate an encrypted part 615 (step S1504), and the private information extracted in this encrypted part 615 in step S1503. The management terminal ID is added and added to the record list 610 for information managers (step S1505). The means required for encryption of the storage location of personal information is incorporated in the interface 15 of the user terminal 11 as a program in advance.

Then, steps S1501 to S1505 are performed with different information administrator encryption keys for all the copies.
Is repeatedly executed (step S1506), and the personal information license 600 is generated from the item encryption key and the user ID for the list of the records for information managers thus generated and the items of the personal information permitted to be browsed. ,
This personal information license 600 is transmitted to the interface 35 of the service providing terminal 31 (step S150).
7).

On the other hand, the service providing terminal 31 having received the personal information use permission 600 generates the personal information collection request 700 shown in FIG. Personal information collection request 70
0 consists of an encrypted part 615 and a user ID 701.

The service providing terminal 31 generates this personal information collection request according to the procedure shown in FIG. 8 and sends it to the interface 45 of the personal information management terminal. Here, a process related to the generation of the personal information collection request will be described.

The service providing terminal 31 first retrieves one record 611 for the information manager from the personal information use permission 600 received from the user terminal 11 (step S
3001), the personal information collection request 700 shown in FIG. 7 is generated from the encrypted portion 615 and the user ID 601 extracted from the information manager record 611 (step S3).
002). Then, the personal information collection request 700 is transmitted to the interface 45 of the personal information management terminal identified by the personal information management terminal ID 612 (step S300).
3). Further, the procedure of steps S3001 to S3003 is repeatedly executed for all records for information managers (step S3004).

Then, the personal information management terminal 41, which has received the personal information collection request 700 from the service providing terminal 31,
Personal information is collected according to the procedure shown in FIG.

First, the personal information management terminal 41 displays the user I
The encrypted portion 615 is decrypted with the information administrator encryption key issued at the time of the contract with the user A identified in D701, the acquisition expiration date 616 is taken out (step S4001), and it is checked whether it is within the expiration date (step S4002). . If the expiration date has not passed, the service provider terminal 3 reports an acquisition error.
It returns to 1 (step S4003).

If it is within the expiration date, personal information storage destination information 613 is obtained from the decrypted encrypted portion 615 (step S4004). Next, the user ID 701 is notified to the data storage terminal specified by the acquired personal information storage destination information 613, and the fragmented personal information of the user is collected (step S4005). After the fragment information collected from all the data storage terminals specified by the personal information storage destination information 613 is combined, the fragment information is decrypted and restored by the whole encryption key 614 to obtain personal information in which each item remains encrypted ( Step S4006). Then, the personal information is returned to the service providing terminal 31 which is the transmission source of the personal information collection request (step S4007).

In the personal information restored by the personal information management terminal 41 and returned to the service providing terminal 31, each item remains encrypted with the item encryption key. In this embodiment, the item encryption key is the personal information management terminal. Since the information is not passed to 41, even the system administrator operating the personal information management terminal 41 cannot know the content of the personal information.

Next, the operation of the service providing terminal 31 having received the personal information returned from the personal information managing terminal 41 will be described with reference to FIG.

The service providing terminal 31 returns the personal information management terminal which has made the earliest response among the plurality of personal information management terminals that transmitted the personal information collection request 700 in the processing of step S3003 described above, that is, the personal information is returned first. The personal information of the user A is received from the personal information management terminal (step S3011), and the personal information items permitted to be viewed using the disclosure item encryption key list 620 of the personal information license 600 sent from the user A. Only this is decrypted and used for the service (S3012).

The user A changes the data storage destination every time the service ends or every fixed period according to the procedure described in FIG. As a result, the safety against leakage of personal information can be further enhanced.

Next, an example of processing for enhancing the reliability of the data extraction operation in the service providing terminal will be described with reference to FIG. This process can be used instead of the process of FIG. 10 described above.

In this case, the service providing terminal is n (n ≦ N) of the N personal information management terminals that have transmitted the personal information collection request 700 in the processing of step S3003 described above.
Waits for a response from the personal information management terminal (step S31)
01). Next, one is extracted from the received personal information, and the disclosure item encryption key list 6 of the personal information license 600.
Only items of personal information that are permitted to be browsed are decrypted using 20 (step S3102).

Then, the process of step S3102 is executed for the n pieces of received personal information (step S310).
3) Compare the information decrypted from the n pieces of personal information item by item to check if there is any contradiction (step S
3104). As a result, the service is used only when there is no contradiction (step S3105), and when there is a contradiction, a security error is issued to the user terminal 1 of the user A.
1 to the personal information management terminal 40 (step S3)
106).

Here, n is a personal information collection request 7 from 1
It is an integer between the total number N of the personal information management terminals 40 that transmitted 00. When n is increased, reliability increases, but system responsiveness deteriorates. n is the load of the entire system,
Dynamically or statically determined from the trade-off between reliability and responsiveness.

In each of the above-described embodiments, the personal information that has been encrypted for each item is transmitted from the personal information management terminal 41 to the service providing terminal 31, and then each item of personal information is sent to the service providing terminal 31 side. However, as another embodiment, the personal information management terminal 4 executes processing related to the extraction of items required by the service providing terminal 31 as another embodiment.
It is possible to do it on the side of 1.

Next, a brief description will be given of an embodiment in which each item of personal information is decrypted on the side of the personal information management terminal 41 and then delivered to the service providing terminal 31. First, the configuration of the personal information use license 650 generated by the user A on the user terminal 11 in this embodiment will be described with reference to FIG.

The personal information use permission 650 is shown in FIG.
As shown in FIG. 5, it is composed of a set of a user ID 651 and a record list 660 for information managers. The record list 660 for the information manager, as shown in FIG.
It is a list of records 661 for information managers,
This is the personal information management terminal ID 662 and the encrypted portion 66.
It consists of 5. The encrypted portion 665 includes personal information storage destination information 663 encrypted with a corresponding information administrator encryption key, an overall encryption key 664, an acquisition expiration date 666, and a disclosure item encryption key list 620.

Next, the procedure for generating the personal information use license 650 in the user terminal 11 will be described with reference to FIG.

The user A uses the user terminal 11 to copy the personal information storage destination information 523 by the number of personal information management terminals with which the user has a contract (step S1551).
Then, one piece of personal information storage destination information is extracted from these copies. (Step S1552). Then, the information manager encryption key 542 and the corresponding personal information management terminal ID 541 are extracted from the key ring 540 (step S
1553). Next, the personal information storage destination information extracted in step S1552, the acquisition expiration date, the entire encryption key 522,
The set of the item encryption key list 620 for the item of personal information permitted to be browsed is encrypted with the information administrator encryption key 542 extracted in step S1553 to generate the encrypted portion 665 (step S1554). And the encrypted part 6
The personal information management terminal ID 541 extracted in step S1553 is added to 65 and added to the record list 660 for information managers (step S1555).

Further, the processes of steps S1551 to S1555 are repeatedly executed for all the copies with each information manager encryption key corresponding to the personal information management terminal ID (step S1556). Then, a personal information license 650 is generated from the list of records for information managers and the user ID thus generated, and the personal information license 6 is generated.
50 is transmitted to the interface 35 of the service providing terminal 31 (step S1557).

On the other hand, the service providing terminal 31 having received the personal information use permission 650 generates a personal information collection request.

Next, in this embodiment, the service providing terminal 3
The configuration of the personal information collection request 710 generated by No. 1 will be described with reference to FIG. The personal information collection request 710 includes an encrypted portion 66.
5 and a user ID 711.

When the service providing terminal 31 receives the personal information use license 650 from the user, the service providing terminal 31 requests the personal information collection 71.
The operation of generating 0 will be described with reference to FIG.

The service providing terminal 31 first retrieves one record 661 for the information manager from the personal information license 650 received from the user terminal 11 (step S
3101), the personal information collection request 710 is generated from the encrypted part 665 and the user ID 651 extracted from the record for information manager (step S3102). And
Personal information collection request 7 to the interface 45 of the personal information management terminal specified by the personal information management terminal ID662.
10 is transmitted (step S3103). Further, the procedure of S3101 to S3103 is repeatedly executed for all the personal information management terminals of the records 661 for information managers (step S3104).

The difference from the above-described embodiment (FIG. 8) is that the personal information collection request sent from the service providing terminal 31 to the personal information managing terminal includes the item encryption key list 620 for the items of personal information permitted to be browsed. That is the point.

Then, the personal information management terminal 41 that has received the personal information collection request 710 from the service providing terminal 31
Collects personal information in the procedure of FIG.

First, the personal information management terminal 41 displays the user I
The encrypted portion 665 is decrypted by the information administrator encryption key issued to the user A identified in D711, the acquisition expiration date 666 is extracted (step S4101), and it is checked whether it is within the expiration date (step S4102). here,
If the expiration date has not passed, an acquisition error is returned to the service providing terminal 31 (step S4103). If it is within the expiration date, the personal information storage destination 663 is obtained from the decrypted encrypted portion 665 (step S4104).

Next, the user ID 711 is notified to the data storage terminal specified by the acquired personal information storage destination 663 and the fragmented personal information of the user is collected (step S4105). After combining fragment information collected from all the personal information storage destinations specified by the personal information storage destination 663, the fragment information is decrypted and restored by the whole encryption key 664 to obtain personal information in which each item remains encrypted ( Step S410
6).

Further, further, the item permitted to be browsed by the item encryption key in the disclosure item encryption key list 620 of the encrypted portion 665 is decrypted (step S4107), and the content of the decrypted item is collected as personal information. A reply is sent to the service providing terminal 31 which is the sender of the request (step S410).
8).

Similar to each of the above-described embodiments, the service providing terminal provides the service to the user using the item information of the personal information returned from the personal information managing terminal. However, in this embodiment, since each item of personal information has already been decrypted, it is not necessary to perform the process related to the decryption of the cipher on the service providing terminal side.

For the personal information extraction processing on the side of the service providing terminal, only the information from the personal information management terminal that has returned the earliest may be used (see FIG. 10).
Alternatively, it may be used after verifying the replies from a plurality of personal information management terminals (see FIG. 11).

[0090]

According to the personal information management system of the present invention, the personal information of the user is stored in a plurality of data storage terminals on the network in a state where the personal information of the user is fragmented by division. Compared to the conventional system that centrally stores and manages the personal information management service, the security of confidentiality of personal information is improved, and the load related to the storage of personal information is distributed, resulting in data loss. The safety of time is also guaranteed. Moreover, the service providing terminal cannot refer to the collected personal information other than the items that the user has permitted to browse, so that the personal information of the user is unlimited by the system administrator or other employee who operates the service providing terminal. There is no worry that it will be used.

Further, since the user terminal is configured to perform the encryption process when dividing the user's personal information held by the user terminal, the security of the confidentiality of the personal information is greatly improved. be able to.

Further, since the storage location of the fragment of the personal information is encrypted by the processing on the user terminal side using the key issued from the personal information management terminal, the storage of the fragmented and stored personal information Only the personal information management terminal can know the destination, and the service providing terminal cannot specify the storage destination of the personal information of the user. Therefore, even if there is a malicious member inside the company that operates the service providing terminal, it is difficult to illegally operate the service providing terminal to obtain the personal information of the user, and the confidentiality of the personal information is Guaranteed.

Further, when the personal information is divided, each item constituting the personal information is encrypted with a different key for each item, and only the key for decrypting the item permitted to be viewed is passed to the service providing terminal, Since the service providing terminal decrypts the personal information collected by the personal information managing terminal, the personal information managing terminal simply collects the fragmented and stored personal information and passes it to the service providing terminal. The personal information cannot be decrypted by the information management terminal itself, and even if there is a malicious member inside the company that operates the personal information management terminal, the personal information management terminal is illegally operated and the user's personal Information is difficult to obtain, and the security of confidentiality of personal information is improved. At this time, the service providing terminal can decrypt the user's personal information by using the key of the item passed from the user terminal, but the key passed from the user terminal is limited to the items the user has permitted to browse. Therefore, there is no concern that the user's personal information will be used indefinitely via the service providing terminal.

Further, when the personal information is divided, each item constituting the personal information is encrypted with a different key for each item, and only the key for decrypting the item permitted to be browsed from the user terminal to the service providing terminal. If the personal information management terminal itself applies a configuration in which personal information collected by the personal information management terminal is decrypted by the personal information management terminal itself, the personal information collected in fragmented form is collected. The management terminal itself will decrypt the personal information, but the personal information management terminal can only decrypt the items that the user has permitted to browse, so it may be malicious inside the company that operates the personal information management terminal. Even if there is a member, there is no concern that the user's personal information will be used indefinitely.

Further, the personal information of the user is encrypted with a different key for each item, and then encrypted with the entire encryption key that encrypts the entire personal information, and the data storage destination is encrypted so that only the personal information management terminal can decrypt it. While passing the encrypted data that has been encrypted to the personal information management terminal through the service providing terminal, the service providing terminal retains the key for decrypting the items that the user has permitted to browse, and the personal information managing terminal side processes the encrypted data. Decrypts the encrypted data, collects a fragment of the user's personal information from the data storage destination, restores it with the entire encryption key, and further restores the personal information restored in the state where each item is encrypted, to the personal information management terminal. When the configuration is applied in which only the items that are permitted to be viewed are decrypted by the processing on the service providing terminal side from the user, the user's personal information is the key for each item and the entire encryption key. Weight in than is encrypted, safety of confidential personal information is very high. Moreover, since the key for decrypting the items permitted to be browsed is not passed to the personal information management terminal, the personal information of the user cannot be obtained due to unauthorized use of the personal information management terminal, and the service cannot be obtained. Since the providing terminal cannot decrypt the items other than the items that are permitted to browse, the personal information of users who are not permitted to browse cannot be retrieved, and the confidentiality of the user's personal information can be guaranteed at a high level. It has become possible.

As described above, the personal information of the user is fragmented and distributed and stored by the plurality of data storage terminals, and only the information of the items permitted by the user is stored in each of the personal information management terminal and the service providing terminal. The disclosure can reduce the possibility of information leakage and information loss due to cracking from outside or inside the system. Also, since the data is stored in a distributed manner, it is possible to avoid concentration of load on a specific data storage terminal,
At the same time, the response speed of communication and the reliability of the received data can be increased by using a plurality of personal information management terminals together, so that the service quality of the service that requires browsing of personal information is improved. Furthermore, it is not necessary for one data storage terminal to handle the personal information of all users, and a simple free storage area of the existing storage device can be created by simply providing the existing storage device with a storage application having a predetermined interface. Since it can be effectively utilized, it becomes unnecessary to use a large-scale facility for storing personal information. For example, it is possible to effectively utilize a surplus or fragmented free storage area that has occurred during the data warehouse business.

[Brief description of drawings]

FIG. 1 is a block diagram showing an embodiment of a personal information management system to which the present invention is applied.

FIG. 2 is a conceptual diagram showing a configuration of personal information in the same embodiment.

FIG. 3 is a conceptual diagram showing a configuration of user account information in the same embodiment.

FIG. 4 is a flowchart showing an outline of encryption and division processing of personal information executed by the user terminal in the embodiment.

FIG. 5 is a conceptual diagram showing a configuration of personal information use permission transmitted from the user terminal of the embodiment.

FIG. 6 is a flowchart showing an outline of a procedure for generating a personal information use permission by the user terminal of the embodiment.

FIG. 7 is a conceptual diagram showing a configuration of a personal information collection request sent from the service providing terminal of the embodiment.

FIG. 8 is a flowchart showing an outline of a procedure for generating a personal information collection request by the service providing terminal of the embodiment.

FIG. 9 is a flowchart showing an outline of a procedure for collecting personal information by the personal information management terminal of the embodiment.

FIG. 10 is a flowchart showing an outline of a decoding process by the service providing terminal of the embodiment.

FIG. 11 is a flowchart showing an example of processing for improving reliability of data extraction operation in the service providing terminal.

FIG. 12 is a conceptual diagram showing a configuration of personal information use permission required when a process related to item extraction is performed on the personal information management terminal side.

FIG. 13 is a flowchart showing an outline of a personal information use permission generation procedure required when a process related to item extraction is performed at the personal information management terminal side.

FIG. 14 is a conceptual diagram showing a configuration of a personal information collection request required when the processing related to the extraction of items is performed on the personal information management terminal side.

FIG. 15 is a flowchart showing an outline of a procedure for generating a personal information collection request, which is required when the processing related to the item extraction is performed on the personal information management terminal side.

FIG. 16 is a flowchart showing an outline of a personal information collection procedure required when the processing related to the item extraction is performed on the personal information management terminal side.

[Explanation of symbols]

1 Network 10 (11 to 13) User Terminal 15 Interface 20 (21 to 23) Data Storage Terminal 25 Interface 30 (31 to 33) Service Providing Terminal 35 Interface 40 (41 to 43) Personal Information Management Terminal 45 Interface 500 Personal Information 501 Name (one item of personal information) 502 Gender (one item of personal information) 503 Date of birth (one item of personal information) 504 Blood type (one item of personal information) 505 Occupation (one item of personal information) 506 Address ( Personal information item 507 Telephone number (personal information item) 508 Credit card number (personal information item) 509 Schedule information (personal information item) 510 Favorite site (personal information item) 520 Account information 521 User ID 522 Overall encryption key 523 Personal information Storage location information 524 Contract personal information management terminal 530 Disclosure item information 531 Applied service ID 532 Disclosure item 540 Key ring 541 Contract personal information management terminal ID 542 Information administrator encryption key (key passed from personal information management terminal) 550 item encryption Key list 551 Personal information item 552 Item encryption key 600 Personal information license 601 User ID 610 Information manager record list 611 Information manager record 612 Personal information management terminal ID 613 Personal information storage destination 615 Encrypted portion 614 Whole encryption key 616 Acquisition expiration date 620 Disclosure item encryption key list 650 Personal information usage license 651 User ID 660 Record list 661 for information manager Record 662 for information manager Personal information management terminal ID 663 Personal information storage destination information 664 Whole encryption key 665 Encryption Min 666 acquires the expiration date 700 personal information collection request 701 user ID 710 personal information collection request 711 user ID

─────────────────────────────────────────────────── ─── Continuation of front page (51) Int.Cl. ⁷ Identification code FI theme code (reference) G09C 1/00 660 G09C 1/00 660D F term (reference) 5B017 AA07 BA07 BA10 CA16 5B075 KK44 ND03 UU08 5J104 AA16 DA02 EA08 EA15 FA06 MA05

Claims (6)

[Claims] 1. A user terminal, a service providing terminal for providing a service to a user by using personal information of the user,
A personal information management system in which a personal information management terminal and a plurality of data storage terminals are connected via a network, wherein the user terminal divides the personal information of the user held by the user terminal, A means for transferring the divided pieces of personal information to a plurality of data storage terminals, wherein the data storage terminal has means for storing the pieces of personal information requested to be stored by the user terminal, and the personal information management terminal Has means for collecting fragmented personal information of the user designated by the service providing terminal from the plurality of data storage terminals, and the service providing terminal is based on a personal information use license from the user terminal. Means for requesting the personal information management terminal to collect the personal information of the user, and the personal information collected by the personal information management terminal A personal information management system characterized by having a means for using only items that the user has permitted to browse. 2. The user terminal is configured to encrypt the personal information of the user held by the user terminal when the personal information is divided.
Described personal information management system. 3. The user terminal encrypts a storage location of a fragment of personal information with a key issued from a personal information management terminal and passes it to the service providing terminal, and the service providing terminal stores the encrypted storage. The method of claim 1, wherein the destination is passed to the personal information management terminal, and the personal information management terminal collects a fragment of the personal information by decrypting the encryption of the storage location with the key issued to the user. The personal information management system described in 2. 4. The user terminal, when dividing the personal information, encrypts each item constituting the personal information with a different key for each item, and only the key for decrypting the item permitted to be browsed. The information is passed to a service providing terminal, and the service providing terminal decrypts the personal information collected by the personal information managing terminal with a key of an item permitted to be browsed. Three
Described personal information management system. 5. The user terminal, when dividing personal information, encrypts the items constituting the personal information with a different key for each item, and uses only the key for decrypting the items permitted to be browsed as the service. To the providing terminal, the service providing terminal passes to the personal information management terminal a key for decrypting the browsing-permitted item passed from the user terminal, and the personal information management terminal collects the collected personal information. The personal information management system according to claim 2 or 3, wherein the personal information management system is decrypted with the key of the item that is permitted to be browsed and is passed to the service providing terminal. 6. The user terminal, when dividing personal information, encrypts the items constituting the personal information with a different key for each item, and then encrypts the entire personal information with an entire encryption key. And means for passing to the service providing terminal the encrypted data obtained by encrypting the data storage destination so that only the personal information management terminal can decrypt and the key for decrypting the item permitted to be browsed, The service providing terminal includes means for passing the encrypted data to the personal information management terminal, and the personal information management terminal extracts a fragment of the personal information of the user from a data storage destination obtained by decrypting the encrypted data. A means for collecting, a means for restoring personal information in which each item remains encrypted from the collected fragments with the entire encryption key, and a means for passing the restored personal information to the service providing terminal, The personal information management system according to claim 1 or 2, wherein the service providing terminal includes means for decrypting only the item permitted to be browsed by the key for decrypting the item permitted to be browsed. .