JP2005197912A - Method and program for information disclosure control and tamper resistant instrument - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide information while performing safe information management by an information management server for performing information management. <P>SOLUTION: The information management server 2 manages information and provides information according to requests from other apparatuses. In the tamper resistant instrument 2T of the information management server performs management including a procedure for encrypting information by an encryption means, a procedure for storing the encrypted information in an information storage portion 20, a procedure for receiving a request message concerning the use of information from the other apparatus, a procedure for decrypting encrypted information contained in the request message using a decryption means corresponding to the encryption means in the resistant instrument 2T of the information management server, and a procedure for providing the decrypted information. Incidentally, the encryption means and decryption means are implemented by a common key in a common key encryption system for example. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an information disclosure control method, an information disclosure control program, and a tamper resistant apparatus.

  Mainly on the Internet, information such as video content is provided from an information management server that manages the information to a terminal of an information user via a network. A service has been realized that distributes information to be used only to the terminals of specific users (for example, terminals used by users who have paid usage fees) instead of the terminals of an unspecified number of users. Yes. In that case, various technologies are used to distinguish between a terminal that uses information and a terminal that does not use information.

For example, when the information to be provided is application software, there is a method of notifying a user's terminal of a predetermined license key and using the application software on the user's terminal side using the predetermined license key (for example, non-application software). Patent Document 1). As a result, it is possible to prevent the user who does not know the predetermined license key from using the application software.
Vector Co., Ltd., “About Vector Registrar Service License Key”, [online], [October 8, 2003 Search], Internet <URL: http://www.vector.co.jp/swreg/ man / help / key.html>

  However, there is a risk that an information management server that manages information is always invaded by unauthorized users. If an intruder illegally gains access to the information management server and intrudes and steals information stored in the information management server or information for making that information available (license key in the above case), the information management server The stored information is used illegally.

  As a security means against intrusion due to unauthorized access, for example, a firewall that blocks specific traffic specified in advance is used. However, the firewall blocks traffic accessing the information management server from the network via the network. For example, unauthorized access from an internal LAN that is trusted (firewall is not applied), information management, etc. It has been difficult to deal with physical theft of the server casing.

  Therefore, the main object of the present invention is to solve the above-described problems and to provide information while managing information safely for an information management server that manages information.

In order to solve the above problem, the information disclosure control method according to claim 1 is an information disclosure control method by an information management server that manages information and provides the information in response to a request from another device, Information management server
In the tamper resistant device of the information management server, a procedure for encrypting information by encryption means;
A procedure for storing the encrypted information in an information storage unit;
A procedure for receiving a request message regarding use of information from the other device;
In the tamper resistant device of the information management server, a procedure for decrypting the encrypted information included in the request message by a decryption unit corresponding to the encryption unit;
Providing the decrypted information; and
It is characterized by including.

The information disclosure control method according to claim 2 is an information disclosure control method by an information management server that manages information and provides the information in response to a request from another device, wherein the information management server includes:
Receiving a request for registration of the information;
In the tamper resistant device of the information management server, a procedure for encrypting the information with a common key for information storage;
A procedure for storing the encrypted information in an information storage unit;
In the tamper resistant device of the information management server, a procedure for creating information storage information including a pointer indicating the storage location of the information and specific information of the information manager;
A procedure for transmitting the information storage common key and the information storage information from the information management server to the other device;
A procedure for receiving a request message regarding the use of the information from the other device;
In the tamper resistant device of the information management server, the specific information of the information manager is obtained from the information storage information included in the request message, and the request is based on the public key corresponding to the information manager. To verify the signature attached to the message
In the tamper-proof device of the information management server, when the signature verification result is acceptable, a procedure for decrypting the information encrypted by the information storage common key included in the request message;
In the tamper resistant device of the information management server, a procedure for decrypting the encrypted information included in the request message by decryption means corresponding to the encryption means;
Providing the decrypted information; and
It is characterized by including.

  The information disclosure control method according to claim 3 is the information disclosure control method according to claim 2, wherein the information management server sends the information storage common key and the information storage information from the information management server. The procedure of transmitting to the other device includes a procedure of encrypting the information storage common key and the information storage information with a key management common key in the tamper resistant device of the information management server. The procedure for receiving a request message regarding the use of information is to decrypt the information storage common key encrypted with the key management common key and the information storage information in the tamper resistant device of the information management server. It includes a procedure.

The information disclosure control method according to claim 4 is the information disclosure control method according to claim 3, wherein the request message includes usage permission information created by an administrator of information corresponding to the information storage information. And the information management server obtains information specific to the user of the information from the usage permission information included in the request message in the tamper resistant device of the information management server, and the information user Verifying a signature attached to the request message based on a public key corresponding to
A procedure for prohibiting the provision of the information when the verification of the signature fails;
It is characterized by including.

The information disclosure control method according to claim 5 is the information disclosure control method according to claim 4, wherein the request message includes information acquisition information created by a user of the information, A procedure in which the information management server verifies whether the information acquisition information matches the usage permission information in the tamper resistant device of the information management server;
If the information acquisition information does not conform to the usage permission information, a procedure for prohibiting the provision of the information;
It is characterized by including.

The information disclosure control program according to claim 6 is an information disclosure control program used for an information management server that manages information and provides the information in response to a request from another device. To the information management server,
In the tamper resistant device of the information management server, encrypting information by encryption means;
Storing the encrypted information in an information storage unit;
Receiving a request message regarding use of information from the other device;
Decrypting encrypted information included in the request message in a tamper resistant device of the information management server by a decryption unit corresponding to the encryption unit;
Providing the decrypted information;
It is characterized by being executed including.

An information disclosure control program according to claim 7 is the information disclosure control program according to claim 6, and is used for an information management server that manages information and provides the information in response to a request from another device. An information disclosure control program, wherein the information disclosure control program
Receiving a request for registration of the information;
Encrypting the information with an information storage common key in the tamper resistant device of the information management server;
Storing the encrypted information in an information storage unit;
In the tamper-proof device of the information management server, creating information storage information including a pointer indicating the storage location of the information and specific information of the information manager;
Transmitting the information storage common key and the information storage information from the information management server to the other device;
Receiving a request message regarding the use of the information from the other device;
In the tamper resistant device of the information management server, the specific information of the information manager is obtained from the information storage information included in the request message, and the request is based on the public key corresponding to the information manager. Verifying the signature attached to the message of
Decrypting information encrypted with the information storage common key included in the request message when the signature verification result is acceptable in the tamper resistant device of the information management server;
Decrypting the encrypted information in the tamper-proof device of the information management server by decryption means corresponding to the encryption means included in the request message;
Providing the decrypted information;
It is characterized by being executed including.

An information disclosure control program according to claim 8 is the information disclosure control program according to claim 7, wherein the information disclosure control program is provided to the information management server.
The step of transmitting the information storage common key and the information storage information from the information management server to the other device includes the information management common key using the key management common key in the tamper resistant device of the information management server. And a step of receiving a request message regarding use of information from the other device is encrypted with the common key for key management in the tamper resistant device of the information management server. The information storage common key and the information storage information are decrypted and executed.

The information disclosure control program according to claim 9 is the information disclosure control program according to claim 8, wherein the request message includes usage permission information created by an administrator of information corresponding to the information storage information The information disclosure control program obtains information specifying the user of the information from the use permission information included in the request message in the tamper resistant device of the information management server. And verifying a signature attached to the request message based on a public key corresponding to the user of the information;
Prohibiting the provision of the information if the signature verification fails;
It is characterized by being executed including.

The information disclosure control program according to claim 10 is the information disclosure control program according to claim 9, wherein the request message includes information acquisition information created by a user of the information, The information disclosure control program verifies to the information management server whether the information acquisition information matches the usage permission information in the tamper resistant device of the information management server;
Prohibiting the provision of the information if the information acquisition information does not match the usage permission information;
It is characterized by being executed including.

  The tamper resistant device according to claim 11 is a tamper resistant device used for an information management server that manages information and provides the information in response to a request from another device, wherein the tamper resistant device is An information storage unit for storing information, an information storage common key used when encrypting and decrypting the information, and an information storage common key used when encrypting and decrypting the information storage common key A cryptographic processing unit that performs cryptographic processing using the key management common key, a key storage unit that stores the key management common key, and a signature that verifies a signature attached to a request message received from the other device A processing unit and a usage condition verification unit that verifies a usage condition included in a request message received from the other device are included.

  The tamper resistant device according to claim 12 is a tamper resistant device used in a device used when requesting provision or registration of the information to an information management server that manages information, the tamper resistant device. Includes a data storage unit for storing received data, a key storage unit for storing a secret key used for adding a signature, and a signature processing unit for adding a signature to the data to be transmitted with the secret key. It is characterized by being configured.

  According to such an information disclosure control method, the information to be provided is stored in the information storage unit of the information management server after being subjected to the encryption process. Even if it is eavesdropped, it cannot be used illegally. Further, the common key (encryption means) used for the encryption process is used in the tamper resistant apparatus for the encryption process, so that it is not illegally used. Therefore, the information management server can provide information while safely managing the information.

  Hereinafter, a first embodiment of an information disclosure control system to which the present invention is applied will be described in detail with reference to the drawings. First, the configuration of the information disclosure control system of this embodiment will be described with reference to FIGS. 1 and 2.

  FIG. 1 is a configuration diagram of an information disclosure control system according to the first embodiment of the present invention. The information disclosure control system stores information registered from the information management client 4 and manages information registered in the information management server 2 and the information management server 2 that provides information according to access from the information use client 6 The information management client 4 and the information use client 6 for using the information registered in the information management server 2 are configured, and each device is connected by a network. Furthermore, the information management server 2 has an information storage unit 20 that stores information to be accessed by the information use client 6.

  In addition, each device of the information disclosure control system holds a tamper resistant device that conceals data processed internally from the outside. That is, the information management server 2 is the tamper resistant device 2T of the information management server, the information management client 4 is the tamper resistant device 4T of the information management client, and the information use client 6 is the tamper resistant device 6T of the information use client. Hold each one. Note that the tamper resistant device is constituted by, for example, a recording medium (such as an IC card) that can be attached to and detached from each device (such as the information management server 2). The tamper-resistant device is tamper-resistant to the data stored inside, so even if it is physically lost or stolen, the data stored inside (for example, a license key of a predetermined application software) There is an advantage that it is less likely to be misused. These tamper resistant devices are expected to be held by each user with the spread of the Basic Resident Register card.

  The outline of processing of the information disclosure control system is as follows. First, the information management client 4 registers information to be accessed by other devices in the information management server 2. Here, since the information management server 2 performs control so as to provide information to be accessed only by the information use client 6 that is permitted to use, it is necessary to protect the information that is accessed from other devices that are not permitted to use. Therefore, the information management server 2 encrypts information to be accessed in the tamper resistant apparatus 2T and stores it in the information storage unit 20.

  Further, the information management server 2 generates information storage information 100 including a pointer indicating a storage location in order to manage the stored information to be accessed. The information storage information 100 also includes information for specifying the owner of the stored information to be accessed.

  Next, the information management client 4 gives the information use client 6 permission to use the information. That is, the information management client 4 accepts the input of the use permission information 102 indicating the use permission of the information to be accessed by the information use client 6, and uses the use permission information 102 including the identification information of the information use client 6 as the information use client 6. Notify Note that the usage permission information 102 is, for example, that a predetermined information user (such as a doctor who belongs to B dentistry) has a predetermined number of times (up to 20 times or the like) at a predetermined time (such as the end of February 2004). This information indicates that the use of the information is permitted only for a predetermined purpose (such as medical work).

  Then, the information use client 6 makes an information use request to the information management server 2. That is, the information use client 6 receives input of information acquisition information 104 indicating a use request for information to be accessed by the information use client 6 and notifies the information management server 2 together with the notified use permission information 102. The information management server 2 collates the usage permission information 102 and the information acquisition information 104 to provide information to the information utilization client 6 when the collation is possible.

  FIG. 2 is a detailed configuration diagram of the information disclosure control system according to the first embodiment of the present invention. First, the tamper resistant device 2T of the information management server includes a key storage unit 22 that stores the key management common key 120, and an encryption processing unit that performs encryption processing using the information storage common key 110 and the key management common key 120. 24, a signature processing unit 26 that verifies a signature attached to data received from the information use client 6, and a use condition verification unit 28 that verifies use conditions received from the information use client 6. . Next, the tamper resistant device 4T of the information management client includes a data storage unit 40 that stores the received data, a key storage unit 42 that stores the information management client private key 130, and a signature process that adds a signature to the received data. And the unit 44. Further, the tamper resistant device 6T of the information use client includes a data storage unit 60 that stores the received data, a key storage unit 62 that stores the information use client private key 140, and a signature processing unit that adds a signature to the received data. 64.

  Next, cryptographic techniques applied to the information disclosure control system will be described. First, the encryption processing unit 24 generates and uses an information storage common key 110 used for encryption and decryption of information stored in the information storage unit 20. As a result, even if an unauthorized intruder who does not have the information storage common key 110 intrudes into the information management server 2 and acquires information from the information storage unit 20, the information is encrypted. Therefore, falsification and unauthorized use of information can be prevented.

  Next, the key storage unit 22 stores a key management common key 120 used for encryption and decryption of the information storage common key 110. Thus, when the information storage common key 110 is distributed from the device of the information management server 2 to another device, the information storage common key 110 is encrypted by the key management common key 120. Eavesdropping and unauthorized use of the common key 110 can be prevented.

  The key storage unit 42 stores an information management client private key 130 used for adding a signature of the information management client 4. The information management client public key 132 used for verifying the signature of the information management client 4 corresponding to the information management client private key 130 in the public key cryptosystem is stored in, for example, a public key server. As a result, the information management client 4 signs the data to be transmitted to the other device using the information management client private key 130, and the other device uses the information management client public key 132 obtained from the public key server. Use to verify the signature. Therefore, even if a device other than the information management client 4 spoofs data transmitted from the information management client 4, the other device can detect the spoofing.

  Further, the key storage unit 62 stores an information use client private key 140 used for adding a signature of the information use client 6. Further, the information use client public key 142 used for verifying the signature of the information use client 6 corresponding to the information use client private key 140 in the public key cryptosystem is stored in, for example, a public key server. As a result, the information use client 6 attaches a signature to the data to be transmitted to the other device using the information use client private key 140, and the other device uses the information use client public key 142 obtained from the public key server. Use to verify the signature. Therefore, even if a device other than the information use client 6 spoofs data transmitted from the information management client 4, the other device can detect the spoofing.

  The configuration of the information disclosure control system has been described above. Next, the operation of the information disclosure control system of this embodiment will be described with reference to FIGS. 3 to 6 with reference to FIGS. 1 and 2.

  FIG. 3 is a flowchart showing information registration processing in the information disclosure control system according to the first embodiment of the present invention.

  First, the information management client 4 authenticates a user (information registrant) (S101). The authentication process is performed in order to take correspondence between the information to be registered and the registrant of the information. For example, a predetermined information registrant uses a plurality of information management clients 4 to register. When managing target information, it is performed to authenticate that a plurality of information management clients 4 are operated by the same information registrant. Next, the information management client 4 makes an information storage request (S102) to the information management server 2 in accordance with an instruction from the user (information registrant).

  Then, the information management server 2 performs policy verification (S103). Here, the policy is permission information for the information management server 2 to perform information operations (such as registration and deletion) for the information management client 4. The policy is expressed by, for example, which information management client 4 is permitted to operate (the subject of the operation), how much information is registered (data capacity of information), and the like. Then, the information management server 2 performs verification by comparing a preset policy with an information operation from the information management client 4. If an operation that does not conform to the policy is input to the information management server 2, for example, an error message is returned to the information management client 4.

  Further, the tamper resistant device 2T of the information management server creates an information storage common key 110 corresponding to the information by using the encryption processing unit 24 (S104), and encrypts the information using the information storage common key 110. (S105). Then, the tamper resistant device 2T of the information management server stores the information in the information storage unit 20 of the information management server 2 (S106). Further, the tamper resistant device 2T of the information management server creates the information storage information 100 corresponding to the information (S107). Then, the tamper resistant device 2T of the information management server uses the key management common key 120 stored in the key storage unit 22 to create the “information storage common key 110 (created by the encryption processing unit 24) and the information. The storage information 100 ″ is encrypted (S108).

  Then, the information management server 2 transmits the encrypted “information storage common key 110 and information storage information 100” to the information management client 4 (S109). Note that the capacity of the encrypted “information storage common key 110 and information storage information 100” does not include the main body of information to be used, and can be as small as about 256 bytes. Further, the information management client 4 stores the received encrypted “information storage common key 110 and information storage information 100” in the data storage unit 40 of the tamper resistant device 4T of the information management client (S110).

  FIG. 4 is a flowchart showing information usage permission processing in the information disclosure control system according to the first embodiment of the present invention.

  First, the information management client 4 receives the input of the usage permission information 102 (S201). Here, the use permission information 102 is information such as a use permission (license key) granted to the data user by the data registrant. Further, the usage permission information 102 is described in a format according to, for example, XACML (eXtensible Access Control Markup Language) which is a standard technology.

  Next, the tamper resistant device 4T of the information management client adds a signature to the “use permission information 102” using the information management client private key 130 stored in the key storage unit 42 via the signature processing unit 44 ( S202) is performed. Since a registrant of predetermined data can give use permission information 102 to a plurality of data users, the use permission information 102 includes information for identifying a user of data to be used. Then, the information management client 4 used by the user of the data designated by the usage permission information 102 adds a signature that identifies the identity of the data user using the information management client private key 130. As a result, since the third party who illegally stolen the usage permission information 102 is not the user of the data to be used, it is difficult to use the stolen usage permission information 102 as it is. Since only a legitimate user having the information management client private key 130 can add a signature, it is possible to prevent a third party who illegally steals the usage permission information 102 from impersonating a legitimate user.

  Then, the information management client 4 sends the encrypted “information storage common key 110 and information storage information 100” (obtained from the data storage unit 40) and the signed “use permission information 102” to the information use client. 6 (S203). Compared to the method of distributing the information main body from the information management client 4 to the information using client 6, the method of distributing the license information 102 corresponding to the information main body uses the usage permission information 102 for the information main body. Since it is small, the capacity of the tamper-resistant device as a storage destination can be reduced. Further, by separating the main body of information from the license information 102 corresponding to the main body of information, it is possible to efficiently update the main body of information without using the information management client 4. Become.

  Furthermore, the information use client 6 sends the received encrypted “information storage common key 110 and information storage information 100” and signed “use permission information 102” to the tamper resistant device 6T of the information use client. The data is stored in the data storage unit 60 (S204).

  FIG. 5 is a flowchart showing information use processing in the information disclosure control system according to the first embodiment of the present invention. First, the information use client 6 authenticates a user (information user) (S301).

  Next, the information use client 6 creates the information acquisition information 104 (S302). Note that the information acquisition information 104 describes a desire regarding the use of information, and is set by a data user. Therefore, the information acquisition information 104 is configured by, for example, an information use subject (who uses it), an information use period, an information use purpose, and the like. Then, the tamper resistant device 6T of the information use client adds a signature to the “information acquisition information 104” using the information use client private key 140 stored in the key storage unit 62 via the signature processing unit 64 (S303). )I do. Further, the information use client 6 includes the encrypted “information storage common key 110 and information storage information 100” (obtained from the data storage unit 60) and the signed “use permission information 102” (obtained from the data storage unit 60). The signed “information acquisition information 104” is transmitted to the information management server 2 (S304).

  Then, the tamper resistant device 2T of the information management server uses the key management common key 120 stored in the key storage unit 22 from the received data to encrypt “the information storage common key 110 and the information storage information 100”. "Is decrypted (S305). Further, the tamper resistant apparatus 2T of the information management server uses the signature processing unit 26 to verify the signature (S306). Then, the tamper resistant apparatus 2T of the information management server verifies the use permission (S307) using the use condition verifying unit 28 from the received use permission information 102 and information acquisition information 104. The use permission is verified by checking whether the range of use of the user described in the information acquisition information 104 is within the range of use conditions described in the use permission information 102. For example, if the information acquisition information 104 describes that “information X permits the user A to use only for one year in 2003”, the usage permission information 102 indicates “user A If it is described that the information X is desired to be used from June to October 2003 as a period, the use is permitted because the information X falls within the range of use conditions.

  Further, the tamper resistant device 2T of the information management server decrypts the information using the information storage common key 110 (S308). Here, the information management server 2 does not store the information storage common key 110 in the information management server 2 itself, but uses the information storage common key 110 transmitted from the information use client 6 to decrypt the information. I do. As a result, the information management server 2 does not always have to store the information storage common key 110, and therefore prevents the information storage common key 110 from being stolen against entry into the information management server 2 or physical theft. be able to.

  Then, the information management server 2 transmits information to the information use client 6 (S309), and the information use client 6 uses the received information (S310). It should be noted that various methods can be used for the form of information transmission and information utilization (corresponding to “providing information” in the claims). For example, when the information to be used is still image content, the still image content is distributed by one-way communication from the information management server 2 to the information use client 6. When the information to be used is a moving image content, a streaming connection is connected between the information management server 2 and the information using client 6, and then the moving image is distributed through the connection. In this case, since operations (fast forward, stop, etc.) from the information use client 6 may be performed, bidirectional communication is performed. Further, when the information to be used is an application procedure in the administrative service (application document data relating to the procedure), data of the application document that is not filled in is transmitted from the information management server 2 to the information use client 6, and the information use client 6 Data of the application document that has been entered in the information management server 2 is returned. That is, communication is performed a plurality of times in both directions.

  FIG. 6 is a flowchart showing signature verification processing in the information disclosure control system according to the first embodiment of the present invention.

  First, the tamper resistant device 2T of the information management server causes the information management server 2 to acquire the information management client public key 132 corresponding to the information registrant designated by the information storage information 100 (S401). The information management server 2 acquires the information management client public key 132 from, for example, a key storage unit (see FIG. 2) of the public key server. Next, the tamper resistant device 2T of the information management server performs signature verification (S402) on the signed “use permission information 102” using the information management client public key 132. Then, the tamper resistant device 2T of the information management server determines whether the signature of the usage permission information 102 has been successfully verified (S403). If the signature verification is not successful (S403, N), it is considered that the third party who is not the information registrant has forged the use permission information 102, and the signature verification fails (S408).

  Further, the tamper resistant apparatus 2T of the information management server causes the information management server 2 to acquire the information use client public key 142 specified by the use permission information 102 (S404). The information management server 2 acquires the information use client public key 142 from, for example, a key storage unit (see FIG. 2) of the public key server. Then, the tamper resistant apparatus 2T of the information management server performs signature verification (S405) on the signed “information acquisition information 104” using the information use client public key 142. Thus, since the sender of the information acquisition information 104 can be specified, the information management server 2 can record the information acquisition information 104 and the sender in association with each other as a log. Even when it is done, tracking becomes possible. Further, the tamper resistant device 2T of the information management server determines whether or not the signature verification of the information acquisition information 104 has succeeded (S406). If the verification of the signature is not successful (N in S406), it is considered that the third party who is not the information user has forged the information acquisition information 104, and the verification of the signature is failed (S408). On the other hand, when the signature verification is successful (S406, Y), the tamper resistant apparatus 2T of the information management server regards that the signature verification is successful (S407), and advances the processing to S307 in FIG.

  When the information management server 2 fails the signature verification (S408), instead of ending all the processing, the information management server 2 identifies the shortage information when providing the information and inputs the shortage information. The information management server 2 may make a request to the information use client 6 so as to prompt the user. When the information management server 2 receives the shortage information from the information use client 6, the information management server 2 may perform the verification of the signature received as the shortage information by omitting the verification process of the signature that has been previously verified. Note that the shortage information includes, for example, a signature on the information acquisition information 104 when the information acquisition information 104 is not signed.

  The operation of the information disclosure control system has been described above. Next, a second embodiment of the information disclosure control system to which the present invention is applied will be described in detail with reference to the drawings. The second embodiment shows an example in which the information disclosure control system described in the first embodiment is applied to a semantic web system described later.

  FIG. 7 is a configuration diagram of a semantic Web system to which the information disclosure control system according to the first embodiment of the present invention is applied. The semantic web system 1A has a function of solving a problem using data on the web. The semantic web system 1A accepts access from the service provider terminal 8A and the user terminal 9A via the network. For this reason, the semantic web system 1A includes a service data processing unit 10A that processes data used for providing a service, a content recording unit 20A that records content used for providing a service, and a mechanical corresponding to the content. A metadata recording unit 30A that records metadata that can be processed, a user data processing unit 60A that processes data registered by the user, and an opt-in recording unit that records opt-in that is data related to distribution permission registered by the user 70A, a personal information recording unit 80A for recording personal information of a user registered by the user, an ontology dictionary processing unit 110A for processing dictionary data in which a set of concepts and a mutual relationship between the concepts are defined, and a set of concepts And dictionary data that defines the relationship between concepts Ontology dictionary recording unit 120A for recording, data collating unit 150A for collating data registered by the user with data used for service provision, and collation target data recording unit for recording data collated by the data collating unit 160A and the collation result recording part 170A which records the result collated by the data collation part.

  Here, for content recorded in the content recording unit 20A, for example, a service such as video data (when the service is distribution of video data) is provided in one direction from the semantic Web system 1A to the user terminal 9A only. In addition, a case in which a service such as application form data (when the service is an application procedure related to administration) is realized by bidirectional exchange between the semantic Web system 1A and the user terminal 9A is also supported.

  Further, the metadata recorded in the metadata recording unit 30A describes the content recorded in the content recording unit 20A. For example, when the content is book data, the metadata is bibliographic information that describes the book data.

  Furthermore, the opt-in recorded in the opt-in recording unit 70A is data relating to the distribution permission registered by the user. For example, the opt-in is information indicating that “permission of distribution of medical information out of administrative information” is designated by the user. As a result, the user registers his intention to the service he is interested in. The opt-in is used for selecting a service provided from the semantic web system 1A to the user terminal 9A.

  The personal information of the user recorded in the personal information recording unit 80A is used for selecting a service provided from the semantic Web system 1A to the user terminal 9A. The personal information of the user is also used for the purpose of changing the contents of the service provided according to the personal information of the user.

  The semantic web system 1A described above can apply the present invention as follows. The application format can be classified into two types of cases by an administrator of information to be protected from unauthorized access.

  First, the first case is a case where the semantic web system 1A protects information registered in the semantic web system 1A via the user terminal 9A by a user who receives a service. In this case, the information management server 2 in the first embodiment corresponds to the semantic Web system 1A, the information management client 4 in the first embodiment provides the user terminal 9A, and the information use client 6 in the first embodiment provides the service. Correspond to the terminal 8A of the person. The information storage unit 20 that stores information to be protected is applied to at least one of the opt-in recording unit 70A and the personal information recording unit 80A. Further, the tamper resistant device 2T of the information management server that processes the information to be protected is applied to the user data processing unit 60A.

  On the other hand, the second case is a case where the semantic web system 1A protects information registered in the semantic web system 1A by the service provider who provides the service via the service provider's terminal 8A. In this case, the information management server 2 in the first embodiment corresponds to the semantic Web system 1A, the information use client 6 in the first embodiment provides the user terminal 9A, and the information management client 4 in the first embodiment provides the service. Correspond to the terminal 8A of the person. The information storage unit 20 that stores information to be protected is applied to at least one of the content recording unit 20A and the metadata recording unit 30A. Further, the tamper resistant device 2T of the information management server that processes the information to be protected is applied to the service data processing unit 10A.

  Heretofore, the second embodiment of the information disclosure control system to which the present invention is applied has been described. This makes it possible to protect information stored in the semantic web system 1A from unauthorized access.

  The present invention described above can be widely modified without departing from the spirit of the invention.

  For example, a private key / public key pair (information management client private key 130 and information management client public key 132, information use client private key 140 and information use client public key 142) by public key cryptography is used for data Since it is used for the purpose of authenticating the identity of the sender, it can be replaced by other techniques for authenticating the identity of the sender of the data. An alternative technique may be, for example, a method of identifying a sender of data and adding a digital watermark that is hidden so as not to be noticed by referring to the contents of the data to the transmitted data.

  In addition, the information management server 2 collectively performs encryption processing (S105) and decryption processing (S305) of information registered in the information storage unit 20, but the processing burden is concentrated on the information management server 2. The problem of end up occurs. Therefore, the information management client 4 may perform the information encryption process, and the tamper resistant apparatus 2T of the information management server may perform the information encryption process (S305). In this case, the information management server 2 generates the information storage common key 110 shared by the information encryption and decryption (S104), instead of the public key encryption method used for the information encryption. It is also possible to create a key and a secret key in a public key cryptosystem used for decrypting information, and use the public key for information encryption processing by the information management client 4.

  Furthermore, instead of distributing the information storage common key 110 (S109), the information management server 2 may distribute the information storage common key 110 after performing a predetermined reversible conversion process. In this case, when using the information storage common key 110 (S305), the information management server 2 performs a conversion process corresponding to a predetermined reversible conversion process and extracts the information storage common key 110 for use.

  Further, instead of distributing the information storage common key 110 (S109), the information management server 2 stores the information storage common key 110 in the information storage unit 20 and can specify the information storage common key 110. Information may be distributed. Then, the information management server 2 stores the correspondence information between the information storage common key 110 and the identifiable information in the information storage unit 20. In this case, when using the information storage common key 110 (S305), the information management server 2 refers to the information storage unit 20 and searches for the information storage common key 110 from identifiable information. To do.

It is a block diagram of the information disclosure control system regarding 1st Embodiment of this invention. It is a detailed block diagram of the information disclosure control system regarding the first embodiment of the present invention. It is a flowchart which shows the registration process of the information in the information disclosure control system regarding 1st Embodiment of this invention. It is a flowchart which shows the use permission process of the information in the information disclosure control system regarding 1st Embodiment of this invention. It is a flowchart which shows the utilization process of the information in the information disclosure control system regarding 1st Embodiment of this invention. It is a flowchart which shows the verification process of the signature in the information disclosure control system regarding 1st Embodiment of this invention. It is a block diagram of the semantic web system to which the information disclosure control system regarding 2nd Embodiment of this invention is applied.

Explanation of symbols

2 Information Management Server 2T Tamper Resistant Device of Information Management Server 4 Information Management Client 4T Tamper Resistant Device of Information Management Client 6 Information Utilizing Client 6T Tamper Resistant Device of Information Utilizing Client 20 Information Storage Unit 22 Key Storage Unit 24 Cryptographic Processing Unit 26 Signature Processing unit 28 Usage condition verification unit 40 Data storage unit 42 Key storage unit 44 Signature processing unit 60 Data storage unit 62 Key storage unit 64 Signature processing unit 100 Information storage information 102 Usage permission information 104 Information acquisition information 110 Information storage common key 120 Common key for key management 130 Information management client private key 132 Information management client public key 140 Information use client private key 142 Information use client public key

Claims (12)

An information disclosure control method by an information management server that manages information and provides the information in response to a request from another device, wherein the information management server includes:
In the tamper resistant device of the information management server, a procedure for encrypting information by encryption means;
A procedure for storing the encrypted information in an information storage unit;
A procedure for receiving a request message regarding use of information from the other device;
In the tamper resistant device of the information management server, a procedure for decrypting the encrypted information included in the request message by a decryption unit corresponding to the encryption unit;
Providing the decrypted information; and
An information disclosure control method comprising: An information disclosure control method by an information management server that manages information and provides the information in response to a request from another device, wherein the information management server includes:
Receiving a request for registration of the information;
In the tamper resistant device of the information management server, a procedure for encrypting the information with a common key for information storage;
A procedure for storing the encrypted information in an information storage unit;
In the tamper resistant device of the information management server, a procedure for creating information storage information including a pointer indicating the storage location of the information and specific information of the information manager;
A procedure for transmitting the information storage common key and the information storage information from the information management server to the other device;
A procedure for receiving a request message regarding the use of the information from the other device;
In the tamper resistant device of the information management server, the specific information of the information manager is obtained from the information storage information included in the request message, and the request is based on the public key corresponding to the information manager. To verify the signature attached to the message
In the tamper-proof device of the information management server, when the signature verification result is acceptable, a procedure for decrypting the information encrypted by the information storage common key included in the request message;
In the tamper resistant device of the information management server, a procedure for decrypting the encrypted information included in the request message by decryption means corresponding to the encryption means;
Providing the decrypted information; and
An information disclosure control method comprising:   The procedure in which the information management server transmits the information storage common key and the information storage information from the information management server to the other device is performed by using the key management common key in the tamper resistant device of the information management server. Including a procedure for encrypting the information archiving common key and the information archiving information, and a procedure for accepting a request message regarding the use of information from the other device includes the key management in the tamper resistant device of the information management server. 3. The information disclosure control method according to claim 2, further comprising a step of decrypting the information storage common key encrypted with the common key and the information storage information. The request message includes usage permission information created by an administrator of information corresponding to the information storage information, and the information management server sends the request message in the tamper resistant device of the information management server. Obtaining specific information of the user of the information from the use permission information included in the information, and verifying a signature attached to the request message based on a public key corresponding to the user of the information;
A procedure for prohibiting the provision of the information when the verification of the signature fails;
The information disclosure control method according to claim 3, wherein the information disclosure control method is executed. The request message includes information acquisition information created by a user of the information, and the information management server includes the information acquisition information in the tamper resistant device of the information management server. A procedure to verify conformance;
If the information acquisition information does not conform to the usage permission information, a procedure for prohibiting the provision of the information;
The information disclosure control method according to claim 4, further comprising: An information disclosure control program used for an information management server that manages information and provides the information in response to a request from another device, the information disclosure control program,
In the tamper resistant device of the information management server, encrypting information by encryption means;
Storing the encrypted information in an information storage unit;
Receiving a request message regarding use of information from the other device;
Decrypting encrypted information included in the request message in a tamper resistant device of the information management server by a decryption unit corresponding to the encryption unit;
Providing the decrypted information;
An information disclosure control program characterized by being executed. An information disclosure control program used for an information management server that manages information and provides the information in response to a request from another device, the information disclosure control program,
Receiving a request for registration of the information;
Encrypting the information with an information storage common key in the tamper resistant device of the information management server;
Storing the encrypted information in an information storage unit;
In the tamper-proof device of the information management server, creating information storage information including a pointer indicating the storage location of the information and specific information of the information manager;
Transmitting the information storage common key and the information storage information from the information management server to the other device;
Receiving a request message regarding the use of the information from the other device;
In the tamper resistant device of the information management server, the specific information of the information manager is obtained from the information storage information included in the request message, and the request is based on the public key corresponding to the information manager. Verifying the signature attached to the message of
Decrypting information encrypted with the information storage common key included in the request message when the signature verification result is acceptable in the tamper resistant device of the information management server;
Decrypting the encrypted information in the tamper-proof device of the information management server by decryption means corresponding to the encryption means included in the request message;
Providing the decrypted information;
The information disclosure control program according to claim 6, wherein the information disclosure control program is executed. The information disclosure control program, the information management server,
The step of transmitting the information storage common key and the information storage information from the information management server to the other device includes the information management common key using the key management common key in the tamper resistant device of the information management server. And a step of receiving a request message regarding use of information from the other device is encrypted with the common key for key management in the tamper resistant device of the information management server. The information disclosure control program according to claim 7, wherein the information disclosure control program is executed including a step of decrypting the information storage common key and the information storage information. The request message includes usage permission information created by an administrator of information corresponding to the information storage information, and the information disclosure control program sends a tamper resistant device of the information management server to the information management server. The information of the user of the information is acquired from the use permission information included in the message of the request, and the signature attached to the message of the request is verified based on the public key corresponding to the user of the information And steps to
Prohibiting the provision of the information if the signature verification fails;
The information disclosure control program according to claim 8, wherein the information disclosure control program is executed. The request message includes information acquisition information created by a user of the information, and the information disclosure control program sends the information acquisition server to the information management server in the tamper resistant device of the information management server. Verifying that the information conforms to the license information;
Prohibiting the provision of the information if the information acquisition information does not match the usage permission information;
The information disclosure control program according to claim 9, wherein the information disclosure control program is executed.   A tamper resistant device used for an information management server that manages information and provides the information in response to a request from another device, wherein the tamper resistant device includes an information storage unit that stores the information, and the information Encryption process using information storage common key used when performing encryption and decryption of data, and key management common key used when performing encryption and decryption of the information storage common key An encryption processing unit that performs the key management, a key storage unit that stores the key management common key, a signature processing unit that verifies a signature attached to a request message received from the other device, and a request received from the other device. A tamper resistant device, comprising: a usage condition verification unit that verifies the usage conditions included in the message.   A tamper resistant device used in a device used when requesting provision or registration of the information to an information management server that manages information, wherein the tamper resistant device stores a received data A tamper-resistant device comprising: a key storage unit that stores a secret key used for adding a signature; and a signature processing unit that adds a signature to the data to be transmitted using the secret key .

Images