JP2005182275A - Data management method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an effective personal information protection method accomplished by an easy procedure. <P>SOLUTION: This data management method comprises: a step 207 for dividing data into a plurality of pieces of partial data; a step 207 for allocating an identifier uniquely defining correlation between the plurality of pieces of partial data to each the partial data; a step 208 for encrypting the identifier to generate an encryption identifier; a step for storing the plurality of pieces of partial data and the encryption identifier added to each the partial data constituting the plurality of pieces of partial data and encrypted, into a storage means; and a step for decrypting the encryption identifier stored in the storage means to the identifier, and restoring the plurality of pieces of partial data stored in the storage means to the data before the division by use of the correlation defined by the decrypted identifier. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates generally to data protection, and more specifically, data so that personal information as a whole is protected even when part or all of data including personal information is leaked to a third party. The present invention relates to a method for encrypting and managing a file.

  The importance of data security need not be pointed out, but the importance of protecting personal information has been attracting attention in recent years. In the current situation where processing of data containing personal information is performed by multiple people at multiple locations, an unspecified number of people have the opportunity to access personal information directly and are held in various locations in various forms. This is because personal information is always at risk of leakage. In fact, companies and organizations that deal with personal information are subject to serious social accusations when their personal information is lost or leaked, and it is very easy to lose the long-standing social credibility. And it is usually difficult to recover lost social trust. Therefore, protection of personal information is an important issue, especially for companies, sometimes prioritizing the pursuit of short-term profits. Traditionally, personal information handling personnel through access restrictions, authentication, log management, etc. There have been restrictions on the scope and authority that the person in charge can exercise. These measures have certain effects, and should be taken continuously as improvements are attempted within each measure.

  However, such conventional measures may not be useful. For example, when a company conducts a campaign for a new product, it is widely used to present premiums related to the new product and to invite viewers and readers to apply for postcards on advertising media such as television and magazines. ing. In order to tabulate the campaign, it may be necessary to convert the applicant's personal information written on the application postcard into electronic data. In such a case, the key puncher that performs the electronic data conversion operation manually inputs the data by actually viewing the personal information written on the application postcard. Part of the work may be automated by using a scanner, etc., but at present, it is impossible to fully automate the conversion of handwritten characters into electronic data, so the key puncher is inevitable. Pancha can access personal information very easily. A similar situation can be seen in the counting and input of receipts created by medical institutions, and the scoring and counting of exam answer sheets at various stages of school.

  In the data management method according to the present invention, the new protection method is achieved by paying attention to the property of personal information. One person's personal information is generally composed of a plurality of items. That is, Mr. A's personal information can be grasped as a set of a plurality of items such as name, gender, address, postal code, and telephone number. Now, of the multiple items that make up Mr. A's personal information, for example, if only the address separated from all other items is known to a third party, who is the address? It only has one address that you don't know, and it is not valuable as information. This is because an address has value as information only when it is associated with, for example, a resident (name), telephone number, income, family structure, and the like. The individual items belonging to the personal information, not limited to the address, have meaning only after the mutual relationship, particularly the mutual relationship with the subject (Mr. A in the above example) indicating who the attribute is. The present invention is based on specific observations regarding the nature of such personal information.

  In the data management method according to the present invention, it is noted that if only one item among a plurality of items constituting the personal information of a person is known, the information of the one item alone is less important. . Then, a method for inputting and managing data by dividing a plurality of items constituting personal information of a single person into predetermined units is proposed. Data cannot be used if the relationship between the divided items is unknown. However, if the relationship between items can be easily estimated, there is no point in dividing. The data management method according to the present invention solves these problems using block ciphers and proposes a simple and effective method for protecting personal information.

  According to the present invention, (a) the step of dividing the data into a plurality of partial data, and (b) the partial data constituting the plurality of partial data, the partial data and the plurality of partial data being configured Assigning an identifier indicating a relationship with the partial data; (c) encrypting the identifier to generate an encrypted identifier; and (d) configuring the plurality of partial data and the plurality of partial data. Storing the encrypted identifier assigned to each partial data in the storage means; (e) decrypting the encrypted identifier stored in the storage means into the identifier; Restoring the plurality of stored partial data to data before division using the relationship indicated by the decoded identifier. Data management method is provided. In the embodiment described later, the identifier here corresponds to the serial number SER added as each file name. The encryption identifier corresponds to the encryption serial number ESER. This is because the serial number SER has a function of identifying a relationship between parts generated as a result of division.

  The data management method according to the present invention further includes (f) converting the plurality of partial data stored in the storage means into a plurality of partial data having other forms, and converting the plurality of parts having other forms. The method may further include the step of storing data in the storage unit or another storage unit together with the encrypted identifier before conversion. As an example of converting multiple partial data into multiple partial data having other forms, the key puncher displays the image data of the handwritten character itself on the postcard on the display, May be converted to data.

  Further, the data management method according to the present invention includes (g) encrypting the encrypted identifier before storing the plurality of partial data and the encrypted identifier in step (d) after encrypting in step (c). The method may further include a step of rearranging a set of the plurality of partial data and the encryption identifier using as a key. This rearrangement is performed for the purpose of making it difficult to restore the data by avoiding the storage in which the order and time stamp when the data is divided remain clear. In an embodiment to be described later, rearrangement (sorting) is performed using the encrypted encrypted identifier as a key.

  In addition, the data management method according to the present invention includes (h) an encryption key used for encryption and decryption in step (c) and step (e), different from the storage means in which partial data and an encryption identifier are stored. It may further comprise the step of storing in a separable storage means. A separable storage device is a memory that can be easily removed from a computer that is working, such as a USB memory or a memory stick. For example, by storing data and an encryption key separately, authority can be stored. Decoding by a person who is not present can be made difficult. When a subcontracted computer company is requested to manage a database system that handles personal information, an example of leakage of personal information has been reported and has become a social problem. We are trying to deal with such a problem by managing separately.

  In the data management method according to the present invention, the data is information that is configured from a plurality of items and identifies a target. The target refers to, for example, an individual or a company. The data may be, for example, personal information, and the plurality of partial data constituting the data may be one or a plurality of items included in the personal information. Items include, for example, name, gender, age, family structure, address, telephone number, tax payment amount, health status, and the like, but there may be various items other than this. The data management method according to the present invention is not applied only to specific data as a principle idea, but is applied to arbitrary data including accounting data, health data, etc. It was with protection in mind. Examples described below are also explained in accordance with the protection of personal information.

  When the data management method according to the present invention includes step (f), the plurality of partial data may be image data, and the conversion in step (f) may be conversion from image data to text data. This also applies to the example of a new product campaign by a beer company described below.

  Further, in consideration of embodiments described later, according to the present invention, (a) a step of dividing each of n pieces of image data into m pieces of partial image data, where n and m are natural numbers, and (b) ) Assigning an identifier indicating which partial image data is the partial image data in the nm partial image data to each of the nm partial image data generated as a result of the division in step (a). And (c) encrypting the identifier to generate an encrypted identifier, and rearranging nm sets of the partial data and the encrypted identifier using the encrypted identifier as a key, and the partial data and the Storing in the storage means the rearranged nm pairs with the encryption identifier; and (d) the nm partial image data and the encryption identifier stored in the storage means. And the nm partial image data are converted into nm partial text data composed of partial text data corresponding to each partial image data, and the converted nm partial text data are converted into the above-mentioned nm partial text data. (E) storing the encrypted identifier together with the encryption identifier in the storage unit, the other storage unit, or another storage unit; and (e) storing the encryption identifier in the storage unit, the other storage unit, or the further storage unit. The encrypted identifier is decrypted into the identifier, and the partial text data of nm stored in the storage means, the other storage means, or the further storage means is divided by using the decrypted identifier. (F) Steps (a) to (e) are different from each other. (F) Steps (a) to (e) are different from each other. It can be executed in a computer that.

  When the key puncher visually converts the image data obtained by converting handwritten characters on a postcard into electronic data using a scanner and converts it into text data, if the image data is divided, the key puncher contains the entire personal information as personal information. Since the meaning of the image data is unknown, personal information does not leak. This is the starting point of the present invention. In reality, this text data conversion requires a lot of manpower and is often outsourced to outside contractors. In that case, data may be transmitted to another computer via a communication network. The above (f) that the steps (a) to (e) can be executed in different computers is thus the possibility that the steps constituting the data management method of the present invention are executed in a plurality of computers. It is mentioned.

  When the present invention is more specifically grasped as a form including data transmission to the outside, the present invention (a) divides each of n pieces of image data into m partial image data, where n and m are natural numbers. Step (b) For each of the nm partial image data generated as a result of the division in step (a), which partial image data is the partial image data in the nm partial image data. (C) generating an encrypted identifier by encrypting the identifier, and rearranging nm sets of the partial data and the encrypted identifier using the encrypted identifier as a key; Storing the rearranged nm sets of the partial data and the encryption identifier in a storage unit; and (d) the nm partial image data stored in the storage unit. Transmitting the nm partial image data from the first computer to which the steps (a) to (d) are executed to another second computer, and (e) the second computer in the second computer nm partial image data is received, the nm partial image data is converted into nm partial text data composed of partial text data corresponding to each partial image data, and the converted nm partial image data (F) reading the converted nm pieces of partial text data stored in the further storage means, and reading the second computer from the second computer. Transmitting to the first computer, and (g) in the first computer, the converted nm partial texts. Receiving data, decrypting the encrypted identifier stored in the storage device or in another storage device into the identifier, and using the decrypted identifier for the nm partial text data received Thus, it can be grasped as a data management method comprising the step of restoring to n text data corresponding to n image data before division.

  The data management method according to the present invention can be grasped as a computer program as a total of instructions for causing a computer to execute each step for realizing data management.

  In FIG. 1, a data processing procedure in the data management method according to the present invention is shown in time series as five stages from (1-1) to (1-5). In the first stage (1-1), the personal information of n persons is composed of five items: name, sex, address, postal code, and telephone number. For example, a campaign application postcard in which the personal information of the applicant is handwritten is read by a scanner and is filed for each postcard. In the second stage (1-2), the name + gender is divided into the item group a, the address + postal code is divided into the item group b, and the telephone number is divided into the item group c. In this state, even if one item group can be known, it has little meaning as personal information. For example, even if the item group a is leaked to a third party, only the gender of a person having a name is known, and the address and telephone number of the person are not known. Also, if item b leaks, it is only known that there is an address with a certain zip code. If item c is leaked, it only knows that it is the phone number of someone on that list.

  In this way, even if individual items are known to a third party if personal information is divided into a plurality of items and data is input and managed in a state where the mutual relationship between items is not clearly shown As a whole, serious leakage of personal information is unlikely to occur. Of course, since the data cannot be used in the divided state, the association between the item groups must be made clear. Therefore, next, a method for inputting and managing data associated with the item groups while being protected by the block cipher AES256 will be considered.

  Here, AES is an abbreviation for Advanced Encryption Standard. The AES (Rijndael) cipher is defined as a data block of 128 bits, but the Rijndael cipher itself can handle 256 bits. Therefore, in this application, the Rijndael cipher having a data block of 256 bits and a key size of 256 bits used in the data management method according to the present invention will be referred to as AES256. For AES (Rijndael) ciphers, Joan Daemen and Vincent Rijmen: The Design of Rijndael, Springer-Verlag, New York, Jan. 2002 and Advanced Encryption Standard, FIPS-197; http://csrc.nist.gov/CryptoToolkit/ Detailed information is provided at aes /. FIGS. 5 to 11 show an example in which the serial number, which is the identifier of the item group obtained as a result of the division, is actually encrypted using AES256.

  Hereinafter, embodiments of a data management method according to the present invention will be described in detail with reference to the accompanying drawings. Assume that a party that sells peels, etc. is conducting a campaign where prizes will be awarded if they collect stickers and apply using postcards. The beer company entrusts the campaign aggregation work to another company, and the campaign aggregation company further entrusts the data input of the postcard including personal information to the outsourced data input company.

  Outline of the campaign aggregation procedure until the campaign aggregation company receives application postcards from campaign participants from the data input request company (peel company), converts the personal information on those postcards into electronic data, and returns it to the data input request company Are shown in FIG. 2 (scheme A) and FIG. 3 (scheme B).

  In step 201 of FIG. 2, the campaign aggregation company receives n postcards from a beer company that is a data input requesting company. In step 202, a key K (256 bits) used in the encryption in step 208 is prepared. In step 203, a key K2 (256 bits) used in the encryption in step 219 is prepared. In step 204, a key K3 (256 bits) used in the encryption in step 216 is prepared. However, as the key K3, a different key is used for each divided item group, and therefore, a different key is required for the number of item groups. In this embodiment, description will be made using AES256, which is one of block encryption methods. However, the present invention can be realized using other encryption methods. In other words, the present invention does not propose a new encryption algorithm itself, and the encryption method used is not limited to AES256.

  In step 205, n postcards are read by a scanner, and the data on the postcards are converted into image files. Since one file corresponds to one postcard (card), a total of n files are generated from n cards. In step 206, 176-bit basic serial numbers SER (1) to SER (n) are assigned to each of the n image files obtained by the division. This result is the stage shown as (1-1) in FIG. The structure of this basic serial number is as follows: input request company code (16 bits), card type code (24 bits), date code (64 bits), data input company code (8 bits), classification code (16 bits), bundle number (24 bits) and in-bundle serial number (24 bits), a total of 176 bits.

  The n image files generated in this way are divided into item groups in step 207, and separate files are generated. How to set the item group is determined according to the purpose, but is arbitrary, and the basic idea of the present invention can be achieved by dividing into any item group. In this embodiment, as shown in FIG. 1 and described above, it is divided into a name + gender item group a, an address + postal code item group b, and a telephone number item group c. In step 207, serial numbers SER (1a) to SER (nc) are assigned as file names to 3n item groups, that is, files. Here, the assigned serial numbers SER (1a) to SER (nc) function as an identifier for distinguishing each divided file from another file. This step 207 corresponds to the stage (1-2) in FIG. The serial number is 256 bits obtained by adding an item group number (16 bits), a spare item (0 bits), and a random number R (64 bits) to 176 bits of the basic serial number. In the future, by reducing the number of bits of the random number R, the number of bits of the spare item can be increased. The random number R is for increasing the randomness of the value after encryption, and is different for each postcard and for each item group.

  Next, in step 208, for all 3n image files, the 256-bit serial number SER as the file name is encrypted by the block encryption method AES256 using the key K prepared in step 202. Furthermore, an unencrypted 32-bit additional code (encryption method code (8 bits) + spare code (8 bits) + item group number (16 bits) is added to the head of the obtained 256-bit encrypted serial number. ) To obtain a 288-bit encrypted serial number ESER. Note that the added encryption method code allows future change of the encryption method and enables the SER and ESER formats to be changed. By this step 208, as shown in (1-3) of FIG. 1, the file name of the image file is changed from the serial number SER (1a) to SER (nc) to the encrypted serial number ESER (1a) to ESER. Converted to (nc).

  However, at this time, the encrypted serial numbers ESER (1a) to ESER (nc) may be arranged in the order in which they were read by the scanner in step 205. Therefore, in step 209, sorting is performed using the values of the encrypted serial numbers ESER (1a) to ESER (nc) that can be seen as random numbers as keys. The result is (1-4) in FIG. In (1-4) of FIG. 1, the encrypted serial number after sorting is simply expressed as ESER. Even after sorting, the time stamps of the files may be in the order in which the postcards were scanned in step 205. Therefore, in step 210, the time stamps of all 3n image files are set to the same date and time. change. The date after the change may be the same as the date in the serial number SER.

  In the example of a new product campaign of a beer company described here, 3n image files having a 288-bit encrypted serial number ESER generated by the above process as a file name are connected to a secure communication line such as VPN. Via, it is transmitted to the data input meeting (step 211). The purpose is to convert the contents of image data into electronic data at a data input company. In addition, three keys K3 equal to the number of divided item groups prepared in advance in step 204, that is, three keys K3 are transmitted to the data input company via a secure communication line such as VPN (step 212).

  On the data input company side, 3n image files having the 288-bit encrypted serial number ESER as the file name are received via the communication line (step 213). In the data input company, the key puncher views the displayed image and manually inputs the contents (step 214). The file name converted into text data is the same ESER (288 bits) as the image file.

  Here, when the data is input, the key puncher sees 3n images to which the encrypted serial number ESER is added as a file name, that is, an identifier. More specifically, it is an image of name + gender, address + postal code and telephone number of handwritten campaign applicants divided into three item groups, each consisting of n items. However, since ESER is an encrypted identifier, for example, it is impossible to guess which name + gender corresponds to which address. Conventionally, the key puncher views the postcard itself or the image in which the postcard itself is converted into image data as it is, and the input work is performed. In such a situation, if the key puncher and the people around it had the intention, personal information was easily leaked.

  Even if the postcard is converted into image data, encrypted, and transmitted via a communication line with considerable security considerations, it is a manual process for inputting actual data, considering the current state of handwritten character pattern recognition technology. Since it is inevitable to intervene, naked personal information has been exposed to the eye during actual data entry work. However, when the data management method according to the present invention is used, since the relationship between a plurality of items constituting personal information is encrypted and unknown, it is meaningful to be able to touch fragments of personal information. Personal information cannot be touched. This point meant that the image file was divided into item groups in step 207.

  When the text file is obtained in step 214, the data input company consolidates n files in each of the three item groups into one file (step 215). That is, 3n files are grouped for each item group and converted into three files. This situation is shown in (1-5) of FIG. Next, the three files obtained in step 215 are encrypted by the block cipher AES 256 using three different keys K3 (256 bits) (step 216). Steps 215 and 216 are completely closed in the server of the data input company.

  The three files generated as described above are transmitted from the data input company to the campaign aggregation company via a secure line such as VPN (step 217). Each encrypted file is decrypted by the block cipher AES 256 using the three keys K3 (256 bits) (step 218). The three decrypted files are encrypted by the block cipher AES256 using the key K2 (256 bits) prepared in step 203 different from K3 for the storage in the storage medium in the campaign aggregation company. (Step 219), the three encrypted encrypted files are stored in the storage medium (Step 220). This storage medium is delivered to the data input requesting company (step 221).

  The point of ensuring security in the method A shown in the flowchart of FIG. 2 described above is to increase the number n of postcards (cards). n is desirably 1000 or more.

  In this method A, the serial number SER for determining the relationship between the item groups is converted to the encrypted serial number ESER using the block cipher AES256 in order to hide it from the outsourced data input company. In recent block ciphers including AES, even if the encryption and decryption software is released, it is difficult to decrypt the plaintext from the ciphertext if only the key is stored securely, so if only the key is kept secret It is good and very easy to use.

  However, in order to ensure the security of the ciphertext, it is necessary to increase the bit size of the key and plaintext (ciphertext). As a result, the encrypted serial number ESER becomes as long as 288 bits, and there is a disadvantage that 288 bits of data are attached every time in each processing step. Actually, all that is required for data input in step 214 of method A is the order in each item group after the rearrangement in step 209. A method B based on this feature is shown in the flowchart of FIG.

  The feature of the method B is that, as in the method A, the protection of the security information is realized as simple and effective, but the data amount to be processed is changed from the 288 bits of the ESER to the LIST as compared with the case of the method A. It is in the point which can be remarkably reduced to 64 bits. Furthermore, even if the outsourced data input company can learn the key K, the contents of ESER (288 bits) can be protected. In the system B as well, it is desirable to increase the number of postcards (cards) to, for example, 1000 or more in order to ensure security.

  Steps 301 to 304 in FIG. 3 correspond to steps 201 to 204 in FIG. 2, and the same operation is performed. Next, in step 305, a serial number SER (256 bits) for each image file in the divided item group is prepared. The configuration of the SER is the same as that of the method A. The image file is divided in step 312. In this embodiment, too, if divided into three item groups as in the case of method A, n postcards are divided into three, so 3n Serial number SER will be prepared.

  In step 306, 3n serial numbers SER (256 bits) are encrypted by the block cipher AES256 using the key K (256 bits), and an additional 32-bit code is added as in the case of the method A, 3n encrypted serial numbers ESER (288 bits) are generated. The file name of the image file is changed to ESER. Then, a correspondence table between the 256-bit serial number SER and the 288-bit encrypted serial number ESER is created. This correspondence table has n rows and 2 columns.

  Next, in step 307, the correspondence table between the serial number SER and the encrypted serial number ESER obtained in step 306 is rearranged (sorted) using the value of the encrypted serial number ESER that also appears as a random number as a key. Here, a 64-bit list number LIST which is a serial number is attached to the first to nth rows of the sorted correspondence table (step 308). In this way, three correspondence tables of SER, ESER, and LIST are obtained. That is, this correspondence table has n rows and 3 columns.

  In the list (64 bits), the same encryption method code (8 bits), spare code (8 bits) and item group number (16 bits) as ESER are written in the upper 32 bits (step 309). Then, the correspondence table (n rows and 3 columns) is rearranged using the SER (256 bits) value as a key (step 310).

  In step 311, n postcards are read by a scanner, and the data on the postcards are converted into image files. Since one file corresponds to one postcard (card), a total of n files are generated from n cards. In step 312, the n image files generated in this way are divided into item groups, and one file is generated for one item group. As already described regarding the method A, how to set the item group is determined according to the purpose, but is arbitrary, and the basic idea of the present invention is divided into what item group. Is also achieved. Also in this embodiment, as shown in FIG. 1 and described above, it is divided into a name + gender item group a, an address + postal code item group b, and a telephone number item group c. Then, a LIST number (64 bits) is assigned as a file name after division.

  At this point after step 311, a plurality of files in each item group may be arranged in the order they were read by the scanner. Therefore, in step 313, rearrangement (sorting) is performed using the value of the list number LIST (64 bits) that can be seen as a random number as a key. This result is shown in FIG. Even after sorting, the time stamp of each file may be in the order in which the postcards were scanned in step 311. Therefore, in step 314, the time stamps of all 3n image files are set to the same date and time. change.

  The 3n image files having the 64-bit list number LIST generated by the above process as a file name are transferred via a secure communication line such as VPN in order to convert the contents of the image data into electronic data. It is transmitted to the input meeting (step 315). Further, three keys K3 equal to the number of the divided item groups prepared in advance in step 304, that is, three keys K3 are transmitted to the data input company through a secure communication line such as VPN (step 316).

  On the data input company side, 3n image files having the 64-bit list number LIST as the file name are received via the communication line (step 317). Then, the key puncher sees the displayed image and manually inputs the contents (step 318). The file name converted into text data has the same list number LIST (64 bits) as the image file. As in the case of method A, there is no possibility of leakage of meaningful personal information when inputting data.

  When the text file is obtained in step 318, the data input company consolidates n files in each of the three item groups into one file (step 319). That is, 3n files are grouped for each item group and converted into three files. This is shown in FIG. Next, the three files obtained in step 319 are encrypted by the block cipher AES 256 using three different keys K3 (256 bits) (step 320). The processing of steps 319 and 320 is performed completely closed in the server of the data input company.

  The three files generated as described above are transmitted from the data input company to the campaign aggregation company via a secure line such as VPN (step 321). Each encrypted file is decrypted by the block cipher AES 256 using the three keys K3 (256 bits) (step 322). Based on the correspondence table (n rows and 3 columns) between the three SER (256 bits), ESER (288 bits), and LIST (64 bits) obtained in step 310, LIST (64 bits) in the file is converted to ESER. Conversion to (288 bits) (step 323).

  The three converted files are encrypted with the block cipher AES256 using the key K2 (256 bits) prepared in step 303 different from K3 for the storage in the storage medium in the campaign aggregation company. (Step 324), the three encrypted encrypted files are stored in a storage medium such as a CD-R (Step 325). This storage medium is delivered to the data input requesting company (step 326).

  As already described, in method B, personal information protection is achieved by a simple method, as in method A, while reducing the amount of processing data. The data amount of the list number LIST used in method B is shown in FIG.

  Furthermore, FIG. 12 shows a flowchart of a new database utilization method for utilizing the data management method according to the present invention. First, the personal information manager writes the key K and key K2 in the USB memory (step 1201). Next, three encrypted files obtained by using the data management method according to the present invention are prepared in a storage medium such as a CD or a hard disk (step 1202). Then, the three encrypted files are decrypted by AES256 using the key K2 (step 1203). However, this decoding operation is performed in the main memory. The 288-bit encrypted serial number ESER in the decrypted three files is decrypted by AES256 using the key K to obtain a 256-bit serial number SER (step 1204). A table is created by combining data having the same SER and stored (in main memory) (step 1205).

According to this method, since the key is stored in the USB memory, complete personal information cannot be obtained in the CD or the hard disk with the USB memory removed. The idea is that personal information managers manage encryption keys separately to ensure the protection of personal information. If this method is used, personal information protection can be realized even if the maintenance is outsourced to another company by removing the USB memory at the time of maintenance (during failure or maintenance) of the data pace system.
[The invention's effect]

In the above, the beer company's campaign postcard was taken as an example, and the specific processing procedure of personal information was shown. These procedures according to the present invention are techniques that can be used for arbitrary personal information.
Recently, it is not uncommon to outsource part of the company's business to an external specialist company in order to reduce costs. The outsourced data may include confidential data. Of course, it is natural to conclude a non-disclosure agreement with a subcontracted company so that contract liability can be pursued if confidentiality is leaked. However, as described above, particularly when personal information of customers and the like is leaked, there is a risk that damage that cannot be recovered by post-processing alone may occur. Therefore, by using the data management method according to the present invention, it is possible to achieve a certain level of protection even when it is difficult to cope with various conventional security protection measures.

  As described above, by using the data management method according to the present invention, it is possible to minimize the risk of confidential leakage due to the outsourcing of confidential data processing. And the effect of eliminating the trade-off relationship that exists between the low-cost, but high-risk outsourcing process can be achieved.

  Abstractly speaking, the core of the data management method according to the present invention is (1) dividing arbitrary data into a plurality of partial data and storing them (the mode of division is arbitrary, but as a practical matter, after dividing (2) In order to reconstruct the data before the division from the partial data, it is preferable to divide the partial data of the data before the division. An identifier for determining the interrelation between data is given to the partial data, and this identifier is encrypted. (3) The data itself is not encrypted. Considering the above, this specification mainly describes the protection of personal information. However, the data management method according to the present invention is not limited to personal information, and can be applied to various confidential data.

  In addition, the above explanation regarding the new product campaign by the beer company emphasized the point that a large number n of application postcards was the key. Indeed, if there is only one postcard, personal information cannot be protected no matter how it is divided. However, considering the case of dividing arbitrary data at an abstract level, the data management method according to the present invention can be applied even when the object of division is one data.

An intermediate stage in which the data management method according to the invention is carried out is shown. It is a flowchart which shows the detailed procedure of the suitable Example of the system A which is one of the data management methods by this invention. Note that FIG. 8 relates to the method A. FIG. 3 is a flowchart showing a detailed procedure of a method B of the method B in which the method A of FIG. 2 is modified to reduce the amount of processing data. It is an example of five image files obtained by reading five application postcards with a scanner. A state in which serial numbers SER are assigned to the five image files in FIG. 4 is shown. It is shown that the serial number SER is encrypted by AES256 and becomes the encrypted serial number ESER. A state is shown in which ESERs that have been in the order at the time of division are sorted. Each item group is shown together. A state in which the LIST is assigned in the method B is shown. This corresponds to FIG. In the method B, the state in which the respective item groups are collected is shown. It is a figure which shows the structure of basic SER, SER, ESER, and LIST. It is a flowchart in the case of memorize | storing an encryption key in USB memory.

Claims (8)

(A) dividing the data into a plurality of partial data;
(B) assigning, to each partial data constituting the plurality of partial data, an identifier indicating a relationship between the partial data and other partial data constituting the plurality of partial data;
(C) encrypting the identifier to generate an encrypted identifier;
(D) storing the plurality of partial data and an encrypted identifier assigned to each partial data constituting the plurality of partial data in a storage unit;
(E) Decrypting the encrypted identifier stored in the storage means into the identifier, and dividing the plurality of partial data stored in the storage means using the relationship indicated by the decrypted identifier Step to restore to data,
A data management method comprising: The data management method according to claim 1,
(F) Converting the plurality of partial data stored in the storage means into a plurality of partial data having other forms, and converting the plurality of partial data having other forms together with the encrypted identifier before conversion The data management method further comprising the step of storing in the storage means or another storage means. In the data management method of Claim 1 or Claim 2,
(G) After the encryption in step (c) and before storing the plurality of partial data and the encryption identifier in step (d), the plurality of partial data using the encryption identifier as a key The data management method further comprising the step of rearranging the pair with the encryption identifier. In the data management method according to any one of claims 1 to 3,
(H) A data management method further comprising the step of storing the encryption key used for encryption and decryption in step (c) and step (e) in a separable storage means different from the storage means. .   The data management method according to any one of claims 1 to 4, wherein the data is information including a plurality of items and specifying a target.   6. The data management method according to any one of claims 2 to 5, wherein the plurality of partial data are image data, and the conversion in step (f) is conversion from image data to text data. A data management method characterized by the above. (A) dividing n image data into m partial image data, where n and m are natural numbers;
(B) For each of the nm partial image data generated as a result of the division in step (a), an identifier indicating which partial image data in the nm partial image data is the partial image data. Assigning steps,
(C) encrypting the identifier to generate an encrypted identifier, and rearranging the n sets of the partial data and the encrypted identifier using the encrypted identifier as a key, and the partial data and the encrypted Storing the reordered nm pairs with identifiers in storage means;
(D) The nm partial image data and the encryption identifier stored in the storage unit are read out, and the nm partial image data are composed of partial text data corresponding to each partial image data. And converting the converted nm pieces of partial text data together with the encryption identifier into the storage means, the other storage means, or yet another storage means,
(E) Decrypting the encrypted identifier stored in the storage unit, the other storage unit or the further storage unit into the identifier, and the storage unit, the other storage unit or the further storage Restoring the nm partial text data stored in the means to n text data corresponding to the n image data before the division using the decoded identifier;
Contains
(F) A data management method characterized in that steps (a) to (e) can be executed in different computers. A computer program for causing a computer to execute the steps included in the data management method according to any one of claims 1 to 7.

Images