JP2005242740A - Program, storage medium and information processor in information security system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide the technology of an information security system which can sufficiently prevent illegal action especially such as furtive glance or acquisition of data by insiders and can be easily and inexpensively applied to many existing information processing systems to secure these systems. <P>SOLUTION: A program in the information security system is applied to protection targets which are many information processing systems each of which has a client 1 in/from which a user inputs/outputs data and servers (an ASP server 2 and a DB server 3) for storing data in a DB. The program comprises: functions (an HTTP proxy 12 and a cipher management server 4) for encrypting/decrypting data so that the data are in an encrypted state on the server side by interfering in the I/O communication of data on the back of a Web browser 11 in the client 1 and functions (an SQL proxy 31 and a policy management server 5) for confirming the setting of access right of data in each user and in each prescribed data and accessing the database on the basis of the confirmed result by interfering in the I/O communication of data on the front stage of a server side database. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a program for an information security system, and more particularly to a technique for preventing fraud by using an information processing system such as a Web base that has a client and a server and stores data in a database as a protection target.

  In the current general Web-based information processing system, there are various problems relating to information security, such as data wiretapping and tampering. When an information processing system having a general three-tier client / server configuration including a client (user client), an ASP server (Web application providing server), and a DB server (database server) is taken as an example, for example, between a client and an ASP server There is a possibility of data falsification due to session hijacking. In the ASP server, there is a possibility of data snooping by an insider such as an ASP server administrator. In addition, there is a possibility of unauthorized data acquisition as an authorized user between the ASP server and the DB server. In the DB server, there is a possibility that backup data is taken out by an insider such as a DB server administrator.

  For the above problems, the following technical measures are usually taken to ensure security. For example, the client-ASP server is protected by an encryption communication method such as SSL / TLS (Secure Socket Layer / Transport Layer Security) to prevent a user ID or password from leaking or an external attack. In addition, with regard to access to the DB server, strict database access restriction management such as setting appropriate access authority for each column (row), record (row), etc. in the database is performed to prevent unauthorized access to the database. . In addition, an encrypted database, that is, a technique for encrypting data stored in the database so that it cannot be read is introduced to prevent the information in the database from being seen or taken out.

  In recent years, in information processing systems such as intranets where a predetermined information security system has been installed, techniques for preventing attacks due to external access have spread, but fraud by insiders who use or manage protected systems is particularly problematic. It has become to. In a Web-based information processing system in which a predetermined information security system for preventing fraud as described above is installed, it is necessary to pay attention to the following points when it is assumed that there are unauthorized persons inside. At present, it is common to deal with thorough policies outside the information security system, such as entry / exit management of server rooms where ASP servers and DB servers are located, and strict management of database backup data. is there.

  For example, regarding unauthorized access from an ASP server, the ASP server administrator can steal data transmitted from the client side, and therefore uses the user ID and password of a user who has been granted a high level of authority. Once the database is accessed, it is easy to tamper with data or obtain customer data. As for unauthorized access to the database, Unix (R) user authentication (user name and password authentication) is often used for access to the database, so unauthorized access is relatively easy from within the intranet. It is. If fraud is performed by the database administrator, fraud cannot be prevented unless the data itself in the database is encrypted and protected. In addition, regarding the outflow of database backup data, the backup data is often stored on a tape medium, an optical disk medium, or the like, but there is a risk of taking out the entire medium.

  As described above, conventionally, in an information processing system in which an information security system is installed, an insider, for example, an information system member, has an architecture that allows data such as customer data to be seen or illegally obtained. The information system staff handling the data is required to have a high morality as an information handler, and there is a mental burden. In addition, high costs are required, such as the cost of hiring information system staff with high morals and the cost of introducing a new information security system.

  Although there is a technique such as the above-mentioned encrypted database, since it is only encryption in the DB server, a key for decrypting encrypted data (hereinafter referred to as “encrypted data”) in the database. Information is likely to be stored in the vicinity of the DB server in many cases due to the system configuration, and is easily read by an insider or the like. If the key information is illegally obtained by an insider or the like, the encrypted data in the database is decrypted by this key information, and the data is read and illegally obtained. Thus, the security of data protection is not sufficient even in the conventional encrypted database.

  In the prior art, in a client / server configuration information processing system, centralized management of user data on the server side to improve efficiency was the main point of view for system designers. Encrypting has not been pursued deeply, for example because data retrieval is inconvenient and difficult to handle. In addition, for the construction of an information security system, the configuration tends to be complicated, for example, it is necessary to provide various modules on the server side.

  As described above, in the prior art, in the information processing system in which the information security system is installed, there are insufficient measures to prevent fraud by the insider, particularly for example, stealing or obtaining customer information or employee information, with respect to data to be handled. It can be said that there was a big defect. In addition, there is a problem that the system configuration tends to be complicated and the cost is increased.

  The present invention has been made in view of the above problems, and an object of the present invention is to provide an information security system that mainly protects an information processing system such as a Web base having a client and a server, particularly by an insider. To provide technology that can sufficiently prevent fraud such as data stealing and acquisition, and that can be easily applied to many information processing systems that have already been constructed and secured at low cost. It is in.

  Of the inventions disclosed in the present application, the outline of typical ones will be briefly described as follows.

  (1) In order to achieve the above object, an information security system program according to the present invention protects an information processing system including a client from which a user inputs and outputs data and a server that stores the data in a database. Intervene in the input / output communication of the data in the client or between the client and the server, the data is encrypted on the server side, stored as encrypted data in the database, and output in the decrypted state on the client side As described above, the computer is caused to execute an encryption function for encrypting / decrypting the data. Information is confidentialized by reversible encryption / decryption of the data on the client side, not the server side. This encryption function functions transparently between the client input / output interface unit (such as a Web browser) and the server side (such as an ASP server), that is, without the user being aware of the encryption / decryption processing. When inputting (accumulating) the data from the client side to the database on the server side, the data is encrypted by the encryption function and then passed to the server side, and the encrypted data is stored in the database. When outputting (extracting) encrypted data from the database on the server side to the client side, the encrypted data is decrypted by the encryption function and then output to the input / output interface unit. The data is data to be protected in order to prevent unauthorized use by unauthorized persons, particularly internal unauthorized persons. The data to be encrypted is data that is to be prevented from being illegally used, including information relating to privacy such as customer information and employee information. By this data encryption / decryption process, only the authorized user on the client side can handle the data as it is in a readable format.

  (2) In the information security system program according to (1), when the data is input, the data input / output interface unit to the server side in the client or between the client and the server. A procedure for determining the necessity of encryption of the data by intervening in the communication, and the data so that the data is in an encrypted state on the server side and stored as encrypted data in the database when it is determined that encryption is necessary; A procedure for transmitting a request for encryption of data, a procedure for performing encryption of the data using a predetermined encryption algorithm and encryption key based on the request, and returning encrypted data, and a server for receiving the encrypted data And at the time of outputting the data, the data is transmitted within the client or between the client and the server. Between the server side and the communication from the server side to the input / output interface unit, the procedure for determining whether the data needs to be decrypted, and when the data is determined to be decrypted, the data is transferred to the client side input / output interface unit A procedure for transmitting a request for decrypting the data so that the data is output in a decrypted state, and decrypting the data based on the request using a predetermined encryption algorithm and decryption key. It has a procedure for returning data and a procedure for receiving the decrypted data and transmitting it to the input / output interface unit.

  (3) The information security system program according to the present invention is a program for an information security system that protects an information processing system having a client in which a user inputs and outputs data and a server that stores the data in a database. In the client, the data input / output communication with the server side is intervened around the data input / output interface unit or in some elements in the client, and the data is encrypted on the server side starting from this processing. A first process (HTTP proxy process) for encrypting / decrypting the data so that it is stored in the database as encrypted data and is output in a decrypted state at the input / output interface unit on the client side. It is made to perform. A program module for this processing is interposed between the client side and the server side (such as an ASP server) behind the input / output interface unit, and automatically intervenes in communication such as HTTP for input / output of the data. Using this as a processing starting point, an operation for encrypting / decrypting the target data is performed. This intervention is performed when data stored in the database on the server side is transmitted from the client side or received from the server side.

  (4) Further, the present invention is based on the request from the first process for managing the key information used for the encryption / decryption of the data in the information security system program of (3). Causing the computer to execute a second process (encryption management server process) for performing an encryption / decryption process on the data using the key information and returning the encrypted / decrypted data. Features. In this process, correspondence between the data ID of the data to be encrypted / decrypted, key information used for encryption / decryption, and the like is managed.

  (5) Further, according to the information security system program of (3), the present invention intervenes in communication for inputting / outputting the data to / from the database, and receives user authentication information from the client side or the server side. Based on the user authentication process and the policy setting including the setting of the access authority in the user unit for the data and the predetermined data unit in the database, and based on this, the access target area or data to the database is limited and the inquiry is made. And an access restriction function for performing the processing to be performed.

  (6) In the information security system program of (5), the present invention is based on reception of user authentication information from the client side at the time of access for input / output of the data from the client side to the server side. A procedure for performing user authentication processing, and user authentication processing based on reception of user authentication information from the server side at the time of database access for input / output of the data in the previous stage of the database after passing user authentication, the data A procedure for confirming the access authority in a predetermined data unit in the user unit and the database about the procedure, a procedure for obtaining a result from the database by making an inquiry by limiting the access target area or data to the database based on the confirmation of the access authority, It is characterized by having. In the user authentication process, a connection ticket for permitting a database connection to the user is issued based on the authentication result, and is presented as authentication information in the subsequent database connection session.

  (7) Further, according to the information security system program of (5), the present invention intervenes in the data input / output communication with the database, and the user is based on reception of user authentication information from the client side or the server side. Authentication processing and processing for checking the policy settings including the setting of access authority for each user in the database and the predetermined data unit in the database, and inquiring by limiting the access target area or data to the database based on this policy setting And causing the computer to execute a third process (SQL proxy process).

  (8) In the information security system program according to (7), the present invention manages a policy setting including a setting of access authority in units of users and a predetermined data unit in the database for the data; A fourth process (policy management server process) for performing user authentication based on reception of user authentication information from the client side or server side and a process for confirming policy settings based on a request from the third process. The computer is executed. In this process, policy settings including access authority settings in predetermined data units such as columns, records, cells, tables, etc., are managed for each user who uses this system. In addition, the access authority of the corresponding user is confirmed at the time of user authentication processing or the like, and the access permission area or data ID for the database is narrowed down. The access authority to the database can be set by combining user authentication based on PKI and setting of access authority in a predetermined data unit.

  (9) The information security system program according to the present invention includes a client in which a user inputs / outputs data through an input / output interface unit, and an application server that processes the data with predetermined business logic in response to access from the client. An information processing system having a database server that inputs / outputs the data to / from the database through the application server is a protection target, and communication of the data input / output is performed in the client around the data input / output interface unit or in some elements The data is stored in encrypted form on the server side and stored as encrypted data in the database, and conversely output to the input / output interface unit in the decrypted state. Based on a request from a first process (HTTP proxy process) for performing encryption / decryption, a process for managing key information used for encryption / decryption of the data, and the first process on the client side A second process (encryption management server process) that performs a process of encrypting / decrypting data with the key information and returning the encrypted / decrypted data, and a preceding stage or a partial element of the server-side database Intervene in the data input / output communication with the database in the database, and confirm the policy setting including the access authority setting for the data in the user unit and the predetermined data unit in the database. Alternatively, a third process (SQL proxy process) for making an inquiry with limiting data and a user for the data Processing for managing policy settings including setting of access authority in units of data units and in a predetermined data unit, user authentication based on reception of user authentication information from the client side or server side, and requests from the third processing A fourth process (policy management server process) for performing a process for confirming the policy setting based on the process is executed by a computer. The second process (encryption management server process) and the fourth process (policy management server process) are arranged as a server at an arbitrary secure location, and manage the key information, policy setting information, and the like at a high security level. .

  (10) Further, in the information security system program according to (3), the present invention uses a search condition specified on the client side as a search function for searching encrypted data stored in the database. Encrypted or one-way hashed through the first process, and the encrypted or one-way hashed search condition is set as a specific search condition for database query in the previous stage of the database on the server side, and the database query The computer has a function of performing search result narrowing processing on the encrypted data group extracted thereby, decrypting the search result through the first processing, and then outputting the result to the input / output interface unit of the client It is made to perform.

  (11) Further, the present invention is characterized in that the information security system program of (3) has a search function for searching encrypted data stored in a database. As this search function, a search condition including a search key (search word) input by a client is determined and encrypted, and the server side makes an inquiry to the database using the encrypted search key, and from this, A function of causing the computer to execute a function of decrypting the extracted encrypted data and outputting it to the input / output interface unit of the client as a search result is provided.

  (12) Further, in the information security system program of (10), the present invention is characterized in that the search function has an encrypted data search function using a hash value. In this function, when a search processing request is generated on the client side, a search processing mode such as complete match search or partial match search is determined, and processing corresponding to that is performed. In particular, a search using a hash value is performed during a partial match search. At the time of inputting the data from the client side, in addition to encrypting the data by the first and second processes, a hash value is generated for the data by a predetermined one-way hash function, and this is encrypted. In the process of associating with the received data, at the time of the search, a hash value is generated by the one-way hash function for the search key input by the client and transmitted to the server side. A process for searching for the hash value associated with the encrypted data in the target and extracting the encrypted data corresponding to the area where the values match, and decrypting the encrypted data of the extraction result to obtain the original search key Select the included items and return them to the client as search results. And it features. Information about the generated hash value is stored in association with the data ID and the like. On the server side, the encrypted data received from the client side is stored and managed so that both hash values of the original data of the encrypted data can be referred to in preparation for retrieval. The extraction result from the database may include an area of encrypted data that does not correspond to the original search key, so decrypt the candidate encrypted data and check if the original search key is included. Select only the area containing the search key and return it to the client as the search result in the encrypted data state. The search result is decoded by the first and second processes and then output to the input / output interface unit.

  (13) Further, the present invention provides the information security system program according to (12), wherein when the search function inputs the data from the client side to the database, the data is encrypted. A process of generating a hash value for each divided data by a predetermined one-way hash function and associating it with the encrypted data so that it can be referred to when searching in the database It is made to perform.

  (14) Further, in the information security system program according to any one of (1) to (13), the present invention reads an authentication token holding user certificate information when accessing the data. It is characterized in that authentication information is generated from this, thereby causing a computer to execute a process for confirming user authentication and policy setting based on an arbitrary user authentication method such as an authentication method based on PKI (public key infrastructure). To do. A user authentication process based on a known PKI or the like is adopted for user authentication for identifying an authorized user who is qualified to access the database and handle data, and this is used for data encryption / decryption on the client side. This is done at the time of processing or just before the database inquiry on the server side. Thereby, safe operation is possible. On the client side, authentication information is generated and provided on the basis of reading of user certificate information from an authentication token serving as a user access permit, thereby performing user authentication.

  (15) Further, according to the present invention, in the information security system program according to any one of (1) to (14), data stored in a database is judged and only a specific type of data is encrypted. It is characterized by causing a computer to execute processing to be processed / decoded. For example, encryption is performed on input data such as a name, an address, and a telephone number in a specific field in an HTML input form. It is not always necessary to encrypt all of the data stored in the database, only the specific type of data necessary and sufficient for the intended protection is determined by judging the data to be input / output. Perform processing.

  The present invention provides a program for realizing each of the processes (first process to fourth process) and a search function in units of modules, and the information security system from a necessary minimum to a maximum security configuration. Will be introduced according to the configuration status of the existing information processing system. A storage medium such as a CD-ROM storing the program of the present invention is also provided. In addition, an information processing apparatus such as a client apparatus or a server apparatus in which the program of the present invention is arranged can be provided, whereby an information processing system such as a Web base can be configured.

  Among the inventions disclosed in the present application, effects obtained by typical ones will be briefly described as follows.

  According to the present invention, the configuration is such that data is encrypted / decrypted on the client side rather than the server side on the information processing system so that the server side is in an encrypted data state. It is possible to effectively prevent data snooping and acquisition by using. In addition, a general Web browser can handle an encryption system, and a user can handle data using an application without needing to be particularly aware of data encryption / decryption. An insider who uses or manages the information processing system, for example, an information system member or the like, can handle encrypted data since he / she handles encrypted data.

  Also, in an information processing system having a client and a server, an encryption function can be realized only by placing the information security system program of the present invention mainly on the client side, so that the modification of the existing Web-based information processing system can be minimized. It can be easily secured while limiting. Furthermore, the access restriction function can be realized by placing the program of the present invention between the database and the ASP server on the server side, and similarly, it can be secured while minimizing the modification of the existing Web-based information processing system. .

  In addition, the search function for encrypted data provided by the present invention enables search processing including partial match search even for data that is encrypted and stored in the database. The method of setting the state can be made more effective. In addition, the search speed of the encrypted data can be improved by performing a search using the hash value when searching for the encrypted data.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

  FIG. 1 shows the overall configuration of an information security system according to an embodiment of the present invention. 2 and 3 are explanatory diagrams regarding data and management information handled by the information security system according to the embodiment of the present invention. 4 to 8 are sequence diagrams showing processing operations of the information security system in the embodiment of the present invention. FIG. 9 is an explanatory diagram showing a data state in the encrypted data search processing using the hash value, in particular, in the present embodiment.

  First, the configuration of the information security system according to the present embodiment will be described with reference to FIG. The information security system according to the present embodiment is a software system introduced to a Web-based information processing system having a client 1, an ASP server 2, and a DB server 3. An HTTP proxy 12 in the client 1 and a DB server 3 has a SQL proxy 31, a cryptographic management server 4, and a policy management server 5 as main components. An encryption function is realized by the HTTP proxy 12 and the encryption management server 4. Further, an access restriction function is realized by the SQL proxy 31 and the policy management server 5.

  The information security system according to this embodiment is configured on a Web-based information processing system having a general three-tier client / server configuration. The client 1 includes a Web browser 11 that is a part where a user inputs / outputs data to / from the server side and serves as a data input / output interface. The input / output data is stored in the database in the DB server 3 through processing in the ASP server 2. The ASP server 2 is a Web application providing server that processes predetermined business logic in the ASP unit 21. The DB server 3 performs input / output, that is, accumulation and extraction of the data to / from a database in a predetermined DBMS (database management system) 32.

  In the present embodiment, the client 1 corresponds to various Web client devices such as PCs and mobile terminals used by the user, the ASP server 2 corresponds to the ASP server device, and the DB server 3 corresponds to the DB server device. The hardware is divided into three computers. The configuration of the Web-based information processing system used in the present invention is based on a general conceptual model of a three-tier client / server, and is limited to a configuration divided by three hardware as described above. It is not a thing. For example, a function corresponding to the ASP server 2 for processing business logic can be implemented on the client device side or the DB server device side.

  In the information security system, an HTTP proxy 12 is arranged between the Web browser 11 of the client 1 and the ASP server 2, particularly in the client 1 behind the Web browser 11, compared to the Web-based information processing system. The SQL proxy 31 is arranged between the ASP server 2 and the DBMS 32, particularly in the DB server 3 and before the DBMS 32. In addition, the ASP server 2 has a partially related code (a code for processing identification tag addition processing described later) in addition to the existing ASP unit (application). As the Web browser 11, the ASP unit 21, the DBMS 32, etc., the existing ones that have been used before the introduction of the information security system can be used as they are.

  The client 1 and the ASP server 2 are connected for communication using the HTTP protocol. The ASP server 2 and the DB server 3 are communicatively connected by a unique protocol in which a processing identification tag related to the present invention is added to SQL. The HTTP proxy 12 is connected to the encryption management server 4 and the policy management server 5 by secure communication using, for example, the SSL protocol. The SQL proxy 31 is connected to the encryption management server 4 and the policy management server 5 by secure communication using, for example, the SSL protocol.

  Based on the PKI, a user certificate 7, an ASP certificate 8, and a DB certificate 9 are issued with the certificate authority 10, respectively. Each certificate is information for proving the user, the ASP server 2, and the DB server 3, and is verified with the certificate authority 10 as necessary at the time of authentication. The user certificate 7 is stored in an authentication token 6 which is a user access permit. By the user authentication process using the user certificate 7 as authentication information, the user who uses the information processing system can be identified and verified. By performing user authentication in the policy management server 5, it is confirmed that the user is permitted access to the system, particularly database access. Similarly, the integrity of the ASP server 2 can be confirmed by the authentication of the ASP certificate 8, and it is guaranteed that the ASP server 2 is not operated by an unauthorized person. Similarly, the integrity of the DB server 3 can be confirmed by authenticating the DB certificate 9, and it is guaranteed that the database is not operated by an unauthorized person.

  In the client 1, one or more Web client devices corresponding to the client 1 are arranged at an arbitrary position where the user can use. This includes the configuration of network access from a remote terminal. The ASP server 2 and the DB server 3 are arranged in a predetermined server room, for example. The encryption management server 4 and the policy management server 5 are arranged at arbitrary secure positions. For example, it may be arranged in a server room such as a security service company or a data center that guarantees a predetermined security level.

  The client 1 has a Web browser 11 and an HTTP proxy 12. The HTTP proxy 12 is independent of the Web browser 11 and transparently performs encryption / decryption processing operations behind it. Between the HTTP proxy 12 and the authentication token 6, user information such as the user certificate 7 stored in the authentication token 6 is exchanged as necessary.

  The user operates the Web browser 11 on the client 1 to obtain HTML data from the Web application of the ASP server 2. The client 1 reads the information of the authentication token 6 and passes the user authentication in the policy management server 5 to obtain a connection ticket to the database. The user inputs and outputs data as necessary in the Web browser 11. Data input is to access the DB server 3 and accumulate data in the database, and data output is to access the DB server 3 and extract data from the database.

  The ASP server 2 includes an ASP unit 21 and an SQL proxy driver 22. The ASP unit 21 is an existing Web application, and processes business logic corresponding to a predetermined information processing task in an intranet or the like. The ASP server 2 includes an HTTP server module, and responds to a request from the Web browser 11 of the client 1 via the HTTP proxy 12 and returns HTML data. The ASP server 2 performs a process of adding a process identification tag (control information), a data ID, and the like indicating that it is related to the process of the present invention to the data to be encrypted / decrypted. The SQL proxy driver 22 is a database client module, and is a module that issues an SQL command for inquiring and controlling data to the DBMS 32 via the SQL proxy 31.

  The DB server 3 includes an SQL proxy 31 and a DBMS 32. In this embodiment, the relational database and the query language SQL are handled.

  When the SQL proxy 31 is interposed between the ASP server 2 and the DBMS 32 and receives the SQL command and the processing identification information (control information) for processing related to the present invention from the SQL proxy driver 22 of the ASP server 2, the policy management server 5 Communication is performed, the access authority of the corresponding user is confirmed, an appropriate inquiry condition corresponding to the user is set, and an SQL command is transmitted to the DBMS 32.

  The DBMS 32 is a database management system that manages a relational database. The DBMS 32 performs database control, data manipulation, extraction, and the like according to an SQL command received through the SQL proxy 31, and returns a result. Specifically, there are database connection (corresponding SQL instruction is “CONNECT”), data addition (“INSERT”) or change (“UPDATE”), acquisition of designated data, data search (“SELECT”), and the like. The DBMS 32 performs predetermined operation management such as database backup processing. Since encrypted data is stored in the database, the backup data is also in the form of encrypted data. Even if this is taken out by an unauthorized person, key information necessary for decryption is managed by the encryption management server 4. So it doesn't make sense.

  The encryption management server 4 is a server that manages encryption processing for data to be stored in the database of the DB server 3, and performs data encryption / decryption processing in response to a request from the HTTP proxy 12. Encryption / decryption is performed using a predetermined encryption algorithm. When the user inputs data to the database, the target data input from the Web browser 11 by the client 1 is encrypted based on a request from the HTTP proxy 12 and returned to the server side (the ASP server 2). , DB server 3). In addition, when data is output from the database by the user, the target data is decrypted based on a request from the HTTP proxy 11 to return the data, which is passed to the Web browser 11. A key used for encryption / decryption is created and stored as necessary when a data ID is received from the policy management server 5.

  The encryption management server 4 securely manages key information at the time of encryption / decryption. The encryption management server 4 manages the correspondence between the data ID of the target data and the encryption / decryption key for the data as encryption management information. This key management is separated from the Web-based information processing system. A configuration in which the key management is not separated and operated near the ASP server 2 or the DB server 3 is also possible, and this depends on a policy in system operation.

  The policy management server 5 is a server that manages policy settings for each user. This setting includes setting of access authority for a predetermined data unit such as a table, record, column, cell, etc. in the database. The policy management server 5 sets the data ID for data that needs to be encrypted in a predetermined data unit. Further, the policy management server 5 performs user authentication processing with the user authentication token 6. As the policy, for data stored in the database, which users can read which data, what operations are allowed for data, such as unintended use of data, external intrusion, leakage of information security, etc. Establish a policy to prevent By setting the access authority, accessible data can be divided for each user. For example, in a hospital electronic medical record system, a nurse who handles a group of patients, for example, a surgical patient, sets a policy to allow access only to the electronic medical record data of the surgical patient, and is responsible for another group of internal medicine patients. The nurse is set so that access is permitted only for the electronic medical record data of the internal medicine patient.

  In response to a request from the HTTP proxy 12 or the SQL proxy 31, the policy management server 5 performs user authentication based on PKI, policy setting confirmation processing including setting of user access authority, and authority assignment to the corresponding access user. . In particular, when a request for confirming and granting access authority is received from the SQL proxy 31, the user generates and returns information describing conditions for restricting the area or data to which access is permitted in the database. The policy management server 5 manages the correspondence between a user ID that uniquely identifies a user and a data ID that uniquely identifies data as policy management information. A user who can access data identified by a certain data ID is associated with the user ID. After the user authentication process with the authentication token, the policy management server 5 issues a connection ticket, which is information indicating permission of connection to the database, to a user who has successfully passed the authentication. Authentication and confirmation are performed based on this connection ticket. The HTTP proxy 12 presents information on the issued connection ticket as necessary to access the server side.

  The HTTP proxy 12 automatically intervenes in communication using the HTTP protocol and related protocols between the Web browser 11 of the client 1 and the ASP server 2, and encrypts / decrypts data stored in the database of the DB server 3. The encryption management server 4 performs encryption / decryption processing after determining necessity. When the HTTP proxy 12 determines that the target data received from the Web browser 11 / ASP server 2 needs to be encrypted / decrypted, it requests the encryption management server 4 to encrypt / decrypt the target data. Therefore, encryption / decryption processing of the target data is performed using appropriate key information, and the encrypted / decrypted data is obtained and returned to the ASP server 2 / Web browser 11.

  The HTTP proxy 12 reads the information of the communication unit with the Web browser 11, the communication unit with the ASP server, the communication unit with the encryption management server 4, the communication unit with the policy management server 5, and the authentication token 6 to read the policy management server 5. An unillustrated program such as an authentication processing unit that performs an authentication process with an encryption processing unit, an encryption processing unit that determines data encryption, a decryption processing unit that determines data decryption, a search processing unit that determines data search, etc. It has modules and processes them in cooperation. A computer corresponding to the client 1 has the program modules constituting the HTTP proxy 12 on a memory, and various processes are realized by reading them by a processor and executing processing instructions.

  Note that a general “HTTP proxy” refers to proxying communication processing by HTTP protocol from one or more Web clients for Web browsing, but the HTTP proxy 12 in the present embodiment is simply proxying communication processing. In addition to this, encryption / decryption of target data and related processing are performed behind the Web-based information processing system.

  FIG. 2 is an explanatory diagram showing a state of data encryption / decryption on the information processing system. d1 to d5 indicate states related to certain data. d1 and d2 indicate data in a normal state (unencrypted state or decrypted state) that can be read by the user, and d3, d4, and d5 indicate encrypted data in an encrypted state. The encryption / decryption processing for the data d1 input in the Web browser 11 of the client 1 is arranged in a secure position with the HTTP proxy 12 operating behind the Web browser 11 in the client 1 and management of encryption processing and key information This is performed through an encryption function by the encryption management server 4 that performs the above. When the data d1 is input (stored) from the Web browser 11 of the client 1 to the database of the DBMS 32 on the server side, the data d2 is encrypted by the encryption function to be in the state of the encrypted data d3. It is passed to the server side (ASP server 2). The ASP server 2 handles the state of the encrypted data d4. Further, the DB server 3 stores the encrypted data d5 in the database of the DBMS 32. When data (that is, encrypted data d5) is output (extracted) from the database on the server side to the client 1 side, the encrypted data d3 is transmitted by the encryption function when the encrypted data d4 is transmitted to the client 1 side through the ASP server 2. Is restored to the original data d2, and is output in the state of data d1 by the Web browser 11. In this way, encrypted data that cannot be read on the server side is handled, and only the authorized user on the client 1 side can output the target data in a form that can be read as it is. Even if the encrypted data is obtained by an unauthorized person on the server side, the key information for decryption is managed by the secure encryption management server 4 and cannot be obtained, so it does not make sense. As shown in FIG. 2, the authorized user has a function of restricting access by the policy management server 5 and the SQL proxy 31, and performs user authentication and user base access based on communication with the preceding stage of the DBMS 32 and the HTTP proxy 12. Restrictions are made.

  The SQL proxy 31 is a processing unit having a function of restricting access to the database of the DBMS 32 by the user. When the SQL proxy 31 receives an SQL command from the SQL proxy driver 22 when accessing the DBMS 32 through the ASP server 2, the SQL proxy 31 communicates with the policy management server 5 and performs a user access to the database. Authentication is performed, and the policy including the access authority of the user set in the policy management server 5 is confirmed. The database access of the corresponding user is permitted by the normal pass of the user authentication, and the database access authority for the corresponding user is given based on the policy confirmation, and the access area or data to the database is narrowed down. In the session after the user connects to the database, the access area or the condition for narrowing down the data is added to the SQL command every time the database is accessed. In addition, the SQL proxy 31 communicates with the encryption management server 4 during an encrypted data search process to be described later, and causes the search support function to perform a search process. In the present embodiment, the SQL proxy 31 is arranged in front of the DBMS 32 in the DB server 3, but may be arranged anywhere as long as it is interposed between the ASP server 2 and the DBMS 32.

  The SQL proxy 31, the policy management server 5, and the encryption management server 4 are connected by secure communication using SSL or the like when necessary. In the present embodiment, the IP packet proxy 311 is arranged at an arbitrary position between the SQL proxy 31 and the policy management server 5 and the encryption management server 4. The IP packet proxy 311 has a function of hiding the address of the SQL proxy 31 and improving security. A plurality of SQL proxies 31 corresponding to the number of constructed information security systems are connected to the policy management server 5 and the cipher management server 4, but each SQL proxy is protected by the address concealment function in the IP packet proxy 311. Since 31 can be handled uniformly, the security of communication with the SQL proxy 31 can be further increased. This IP packet proxy 311 is not an essential element, and it is of course possible to adopt a configuration in which it is not arranged as another embodiment. The IP packet proxy 311 may be introduced according to the security level required in the information processing system to be applied.

  The arrangement positions of the cryptographic management server 4 and the policy management server 5 are arbitrary, but in order to increase security, in this embodiment, the cryptographic management server 4 that manages key information and the policy management server 5 that manages policies are targeted Webs. Managed in a domain different from the base information processing system, maintains the state in which the SQL proxy 31 accessing the encryption management server 4 and policy management server 5 is securely authenticated while being concealed by the IP packet proxy 311 To do.

  An authentication token 6 that functions as an access permit to the system is given to a user who is permitted to use the information processing system based on a predetermined policy setting. The authentication token 6 is a cryptographic operation unit implemented by software or hardware having tamper resistance, and holds information unique to the user (such as a secret key). In the present embodiment, the authentication token 6 is a module having a hardware configuration, and is an information storage medium having a predetermined shape having a memory and a processor. The memory in the authentication token 6 holds the user certificate 7, private key information in the PKI, and the like. In the authentication token 6, in addition to providing the user certificate 7, processing such as generation of a digital signature is performed by the processor. The authentication token 6 takes the form of a USB token or an IC card, for example. In this embodiment, the policy management server 5 performs user authentication processing using the information of the user certificate 7 by reading the information of the authentication token 6 in the client 1. The user certificate 7 and the user ID managed by the policy management server 5 correspond to each other, and access authority management for each user is performed using this. If the user authentication in the policy management server 5 is successful, the user's database access is permitted and a connection ticket is issued to the user. This connection ticket is obtained by encrypting and saving valid information in one authentication session, and has information such as an expiration date as saved information in order to protect it from a retry attack or the like. The client 1 informs that it is a regular user and has access authority by presenting this connection ticket to the server side.

  FIG. 3A shows encryption management information managed in the encryption management server 4. As encryption management information, correspondence between a data ID 41 for identifying target data, key information 42 used for encryption / decryption of the data, hash information 43, processing contents 44, and the like, which will be described later, is a table. Hold on. The data ID 41 is created for the target data by the policy management server 5 and has a correspondence relationship with the user ID. The key information 42 is information on the reference destination address that holds the key value or the key value itself. The hash information 43 is information used for encrypted data search processing, which will be described later, and manages a hash value by a predetermined one-way hash function for target data. The hash information 43 is information such as a reference address that holds the hash value or the hash value itself. The processing attribute 44 is various information such as processing contents such as encryption or one-way hashing with respect to the target data by the key information 41, a processing state, a type of the target data, and whether or not to be encrypted. In addition, information of a user ID corresponding to the data ID 41 may be provided.

  The encryption processing method in the HTTP proxy 12 and the encryption management server 4 is not particularly limited, and the encryption and decryption keys are collectively shown as one key 42 without being distinguished. When a plurality of keys are used according to the encryption processing method, a plurality of necessary key information is managed by the encryption management server 4.

  FIG. 3B shows policy management information managed in the policy management server 5. The correspondence between the user ID 51 that identifies the user corresponding to the information of the user certificate 7 and the data ID 52 that identifies the data that the user is permitted to access is managed in the table. The data ID 52 is generated as necessary by the policy management server 5 and assigned to the target data. This corresponds directly to the data ID 41 in the encryption management information of FIG. A form in which the data ID 41 or the data ID 52 for the target data is generated / assigned from another module such as the encryption management server 4 is also possible. In FIG. 3B, only correspondence between the user ID 51 and the data ID 52 is shown as the policy management information. May be stored and used.

  The encryption management server 4 provides a search support function for searching for encrypted data stored in the database, in addition to the encryption / decryption processing function as described above. If the search key (search word) input by the user is used as it is, it is not possible to search for encrypted data in the database. Therefore, the search key is encrypted by the encryption management server 4 and a database inquiry is made with the encrypted search key. A search result can be obtained by performing a complete match search by encrypting the search key with the same key as the encryption key of the target data.

  When the Web browser 11 designates the search and the search condition for the encrypted area in the database, the HTTP proxy 12 recognizes it and enters the encrypted data search processing mode. The encryption management server 4 receives the search key included in the search condition of the encrypted data search based on the encrypted data search request from the HTTP proxy 12, and encrypts the search key (or one-way hash). The encrypted search key is returned to the HTTP proxy 12, and the HTTP proxy 12 passes the encrypted search key to the ASP server 2. The SQL proxy driver 22 of the ASP server 2 appropriately sets “SELECT”, which is a data search SQL command, using the encrypted search key, and transmits an inquiry to the DB server 3. In the SQL proxy 31, the policy management server 5 confirms the access authority of the user and assigns a database access area narrowing condition, and then gives an SQL command to the DBMS 32. In the DBMS 32, data search is performed using the encrypted search key, and a list of encrypted data as a search result is obtained by the SQL proxy 31. The SQL proxy 31 transmits the search result to the ASP server 2 after performing processing such as narrowing down and data complementing if necessary. The ASP server 2 transmits the search result HTML to the Web browser 11. The HTTP proxy 12 intervenes in this manner, and sends the decryption request for the encrypted data included in the search result to the encryption management server 4 so that the decryption is performed. After replacing with the original data, it is returned to the Web browser 11 for output. A processing method for transmitting the search condition designated on the client side to the DBMS 32 on the server side is possible in addition to the above procedure.

  Although the basic processing of the encrypted data search is as described above, it is necessary to consider the case where the search result is a large amount of data, and therefore a processing method for improving the search efficiency is provided. The search support function of the encryption management server 4 provides a search process using a hash value as a process for realizing efficient search. When a search processing request is generated, a search processing mode such as complete match search or partial match search is determined, and processing corresponding to that is performed. In particular, it is effective to perform a search using a hash value in a partial match search.

  Search processing using a hash value will be described. In this embodiment, when data is input from the client 1 side to the database, the encryption management server 4 encrypts the target data, and in addition to encrypting the target data with a predetermined one-way hash function, Generate a hash value. Hashing is irreversible encryption, and the hash value is data of a fixed bit size. Information about the generated hash value is stored in association with the data ID 41 and others as hash information 43 in the encryption management information. The DB server 3 stores the encrypted data and manages the hash value of the original data of the encrypted data so that both can be referred to in preparation for the search.

  When performing a search process using a hash value when searching for encrypted data, the HTTP proxy 12 requests the encryption management server 4 to hash the search key with a predetermined one-way hash function to generate a hash value. Make it. The HTTP proxy 12 gives this hash value as a search key to the server side, and causes the database to be searched. The database search is performed so that the hash value of the original data corresponding to the encrypted data in the database is targeted. A region of matching values in the database is extracted based on the hash value serving as the search key. Since this extraction result includes a region that does not correspond to the original search key, only the region corresponding to the original search key is extracted after confirmation in a later process (search process by the search support function). For this list of extraction results, the SQL proxy 31 makes a request to the search support function of the encryption management server 4 and executes a search processing session. In this search processing session, the encrypted data corresponding to the area of the value that matches the hash value of the search key is decrypted, and only the area that matches the original search key is selected and used as the search result in the state of the encrypted data. return. The search result is output to the Web browser 11 after being decrypted by the HTTP proxy 12 and the encryption management server 4 via the ASP server 2. Since the amount of information handled by performing a search using a hash value is reduced, the search speed can be improved.

  Next, processing operations in the information security system according to the present embodiment will be described in order in the following (1) to (5) with reference to the sequences shown in FIGS.

  (1) User authentication and connection ticket acquisition: First, the flow of a connection ticket acquisition process for user authentication and database access will be described with reference to the sequence of FIG. First, the ASP 1 is accessed from the Web browser 11 of the client 1 by the HTTP GET method. HTML data corresponding to the access request is returned from the ASP server 2 (steps S101 to S103). Here, it is assumed that the existing ASP unit 21 in the ASP server 2 performs a process of confirming the access right for each user to the Web application by the authentication of the user ID and the password. The HTTP proxy 12 intervenes in this, analyzes the HTML header, and returns an input form to the Web browser 11. Next, when user information such as a user ID and password or information read from the authentication token 6 is input through the Web browser 11, the user information is transmitted to the server side (S105 to S107).

  The HTTP proxy 12 receives user information from the Web browser 11 side and makes a user authentication request to the policy management server 5. In response to the user authentication request, the policy management server 5 transmits an authentication challenge to the HTTP proxy 12. The HTTP proxy 12 generates authentication information for user authentication and transmits it to the policy management server 5. Specifically, the authentication information is generated and transmitted by generating a digital signature in the authentication token 6 and sending it to the policy management server 5 side (S108 to S111). When the policy management server 5 receives the authentication information from the HTTP proxy 12, the policy management server 5 performs a process of verifying the authentication information. A user who does not have a valid authentication token 6 cannot pass the authentication because it cannot generate a digital signature. The policy management server 5 searches the information of the user certificate 7 and confirms it by having the certificate authority verify the validity of the authentication token 6 based on the PKI. Then, the user authentication result is returned to the HTTP proxy 12. When the user is identified from the authentication information from the client 1, the connection ticket to the database and session information are returned simultaneously. The session information is control information for identifying the user's database connection session (S112, S113).

  The HTTP proxy 12 receives the user authentication result from the policy management server 5, and when access is permitted and the connection ticket is received, generates the POST data in the HTTP including the user authentication result information, and uses this as the ASP. It transmits to the server 2. The ASP server 2 returns HTML data corresponding to passing authentication to the Web browser 11 side (S114 to S117). The data input of the user ID and password in the client 1 is a process performed for compatibility with the existing Web application, and even the process of extracting and authenticating the information of the user certificate 7 from the authentication token 6 is performed. This is a process that can be omitted.

  (2) Connection to Database: Next, a database connection process will be described with reference to the sequence of FIG. First, when accessing the ASP server 2 from the Web browser 11 using the GET method, HTML data for a user information request is transmitted from the ASP server 2. The HTTP proxy 12 performs HTML header analysis and returns an input form to the Web browser 11. When data is input through the Web browser 11, the user information is transmitted to the ASP server 2 (S201 to S207). Then, the HTTP proxy 12 intervenes, generates POST data including the connection ticket obtained in the user authentication and connection ticket acquisition process of (1), and transmits it to the ASP server 2 as authentication information. The ASP server 2 receives the authentication information from the HTTP proxy 12, and transmits connection information for database connection including user information, session information, an authentication ticket, and the like to the SQL proxy 31 (S208 to S210).

  When receiving the connection information from the ASP server 2, the SQL proxy 31 transmits authentication information including user information and a connection ticket to the policy management server 5. The policy management server 5 verifies the connection ticket as an authentication process, confirms whether the user is qualified for database connection, and returns an authentication result to the SQL proxy 31 (S211 to S213). When it is determined that the user is a legitimate user, the SQL proxy 31 transmits “CONNECT” which is an SQL command for database connection to the DBMS 32 (S214). The DBMS 32 performs database connection processing and returns the result to the SQL proxy 31 (S215), and the SQL proxy 31 returns the connection result to the ASP server 2. The ASP server 2 returns the connection result HTML data to the Web browser 11 (S216 to S218).

  (3) Data encryption: Next, with reference to the sequence of FIG. 6, data encryption processing, that is, processing when the user inputs data from the client 1 side and adds / changes it to the database on the server side explain. First, the Web browser 11 of the client 1 accesses the ASP server 2 using the HTTP GET method, and HTML data describing an input form for data input and related data are returned (S301 to S303). The HTTP proxy 12 analyzes the HTML header and determines the structure of the input form, particularly the attributes of the fields (input items, input fields), etc. (S304). For example, the ASP server 2 performs processing related to the present invention, that is, encryption / decryption processing is added to the HTML input form (adding a processing identification tag), and the name in the input form In addition, a description instructing that a specific field such as a telephone number or an address is to be subject to data encryption is provided. Thus, the HTTP proxy 12 and the encryption management server 4 determine that data input to a specific field such as a name is to be encrypted.

  When the input form is transmitted from the HTTP proxy 12 to the Web browser 11, the user inputs data to be stored in the database through the display of the input form on the Web browser 11, and the transmission submit button is pressed, and the input data is transferred to the ASP server 2. (S305 to S307).

  The HTTP proxy 12 intervenes in the input data transmitted from the Web browser 11 to the ASP server 2, and uses this as a starting point for processing to encrypt the input data. First, the HTTP proxy 12 transmits authentication information including the connection ticket obtained in the sequence (1) and the information of the user certificate 7 to the encryption management server 4 for authentication. The encryption management server 4 simply confirms the authentication information and transmits it to the policy management server 5. The policy management server 5 verifies the connection ticket based on the received authentication information (S308 to S310), and returns the authentication result to the encryption management server 4. The encryption management server 4 returns the authentication result to the HTTP proxy 12 (S311 and S312).

  Here, for user authentication, the procedure is to connect to the policy management server 5 once via the encryption management server 4, but a procedure to connect directly to the policy management server 5 and perform authentication is also possible.

  When the HTTP proxy 12 passes authentication in the policy management server 5, the HTTP proxy 12 transmits a data encryption request for the target data to the encryption management server 4. At the same time, field information indicating which field in the input data is to be encrypted is transmitted (S313). At this time, the target data included in the data encryption request is protected by SSL communication. When the encryption management server 4 receives the data encryption request and the target data, the encryption management server 4 assigns a data ID to the target data or confirms the data ID that has been assigned, and uses a predetermined encryption algorithm and encryption key. Encryption processing is performed (S314), and the encrypted data is returned to the HTTP proxy 12 by SSL communication. The encryption processing related information such as the data ID of the target data, the encryption key and the decryption key, and the processing result are stored in the encryption management server 4 as the encryption management information in FIG.

  Note that this encryption processing may be performed in the HTTP proxy 12. In this case, the encryption management server 4 confirms or provides encryption management information such as the key information 42 during the encryption process, and the HTTP proxy 12 encrypts the target data with a predetermined encryption algorithm and encryption key. The encryption and key management methods use predetermined techniques.

  When the HTTP proxy 12 acquires the encrypted data of the target data through communication with the encryption management server 4, the HTTP proxy 12 generates HTML POST data including the encrypted data and the connection ticket, and the ASP server 2 uses the HTTP POST method. (S316, S317). When the ASP server 2 receives the POST data including the encrypted data, the SQL server 22 sends the SQL format additional change information including the encrypted data, the session information, and the connection ticket for adding and changing the data to the database. To the SQL proxy 31 (S318).

  When the SQL proxy 31 receives the additional change information from the ASP server 2 side, it sends authentication information including a connection ticket to the policy management server 5 to perform authentication before passing it to the DBMS 32. The policy management server 5 verifies the connection ticket and confirms the access authority, confirms that the user is qualified to input data into the database, and returns the authentication result to the SQL proxy 31 (S319 to S321). After authentication, the SQL proxy 31 transmits an “INSERT” / “UPDATE” or the like, which is an SQL command for setting an appropriate database inquiry condition to the DBMS 32 and instructing data addition / change (S322). The DBMS 32 performs an additional change process of the target encrypted data to the database and returns an additional change result (S323). The SQL proxy 31 returns the addition change result to the database to the ASP server 2, and the ASP server 2 returns the HTML data of the addition change result to the Web browser 11 (S324 to S326).

  (4) Data Decryption: Next, with reference to the sequence of FIG. 7, data decryption processing, that is, processing when the user extracts and acquires data from the server side database and outputs it to the client 1 side. explain. First, the Web browser 11 of the client 1 accesses the ASP server 2 using the HTTP GET method, and returns HTML data and related data of an input form for data output (S401 to S403). The HTTP proxy 12 analyzes the HTML header and determines the structure of the input form, particularly the attribute of the field (S404). The data acquisition process from the database is a search process (a process based on the SQL command “SELECT”) in a broad sense, and the basic process is common to an encrypted data search process described later.

  When the input form is transmitted from the HTTP proxy 12 to the Web browser 11, the user inputs an instruction for data to be acquired from the database through the display of the input form on the Web browser 11, and the transmission submit button is pressed to input data (acquirement). Target instruction data) is transmitted to the ASP server 2 (S405 to S407). The HTTP proxy 12 intervenes in input data transmitted from the Web browser 11 to the ASP server 2 side. As in the case of data encryption, the HTTP proxy 12 first transmits authentication information including the connection ticket obtained in the sequence of (1) to the encryption management server 4, and the encryption management server 4 transmits the authentication information. It transmits to the policy management server 5. The policy management server 5 verifies the connection ticket based on the received authentication information, returns the authentication result to the encryption management server 4, and the encryption management server 4 returns the authentication result to the HTTP proxy 12 (S408 to S412).

  After authentication, the HTTP proxy 12 generates HTML GET data including the instruction data (data ID and the like) of the encryption data to be acquired, and transmits it to the ASP server 2 using the HTTP GET method (S413, S413). When the ASP server 2 receives the GET data including the instruction data from the HTTP proxy 12, the SQL server 22 acquires the acquisition information in the SQL format including the instruction data, the session information, and the authentication ticket for acquiring data from the database. To the SQL proxy 31 (S415).

  When the SQL proxy 31 receives the acquisition information from the ASP server 2 side, it sends authentication information including the connection ticket to the policy management server 5 to perform authentication. The policy management server 5 verifies the connection ticket and confirms the access authority, confirms that the user is qualified to output data from the database (S416, S417), and returns the authentication result. The policy management server 5 transmits the authentication result including information on the WHERE clause that is a database access area narrowing condition corresponding to the access authority of the user. The information of the WHERE phrase is instruction information for limiting a region or a data ID that the user is allowed to access in the database. After authentication by the policy management server 5, the SQL proxy 31 sets an appropriate database query condition for the DBMS 32, and adds the information of the WHERE clause as the narrowing condition to “SELECT” that is a SQL command for data extraction. It transmits in the form (S418). It should be noted that the SQL proxy 31 may be used to create the information of the WHERE clause that is the narrowing-down condition. In that case, a narrowing-down condition is created based on the access authority confirmation in the policy management server 5. The DBMS 32 performs processing for extracting and acquiring the encrypted data to be acquired from the database, and returns the result (S419, S420). The SQL proxy 31 returns the acquisition result from the database to the ASP server 2, and the ASP server 2 returns the HTML data of the acquisition result to the Web browser 11 (S421, S422).

  The HTTP proxy 12 intervenes and receives the acquired HTML data transmitted from the ASP server 2 to the Web browser 11 and analyzes the HTML header to determine the necessity of data decoding. When it is determined that the target encrypted data needs to be decrypted, a data decryption request is transmitted to the cipher management server 4. At the same time, field information indicating which field in the obtained encrypted data is to be decrypted is transmitted (S423, S424).

  Upon receiving the data decryption request and the target encrypted data, the cryptographic management server 4 decrypts the target encrypted data using a predetermined decryption algorithm and decryption key while referring to the cryptographic management information. Processing is performed (S425), and the decrypted data is returned to the HTTP proxy 12. When returning the decrypted data, the data is protected by SSL communication. Information related to decryption processing, processing results, and the like are stored in the cryptographic management server 4 as cryptographic management information. The HTTP proxy 12 returns the decrypted and restored data to the Web browser 11 and outputs it in a form that can be read by the Web browser 11 (S426, S427).

  Note that, as in the case of the encryption process, the decryption process may be performed in the HTTP proxy 12. In that case, the cryptographic management server 4 confirms or provides the cryptographic management information, and the HTTP proxy 12 decrypts the target encrypted data with a predetermined decryption algorithm and decryption key. The decryption and key management scheme uses a predetermined technique.

  (5) Data Search: Next, referring to FIG. 8 and FIG. 9, data search processing, that is, a search condition is input from the client 1 side, data in the server side database is searched and output to the client 1 side. The processing in this case will be described. When searching for encrypted data, the client 1 informs the server side, the encryption management server 4 and the policy management server 5 that it is a special search process, and performs a process according to the search mode.

  As the search mode, first, when the encryption / decryption key for data is single (in the case of PKI, a set of a public key and a private key) and when a complete match search is performed, the hash value is used. Thus, the search processing can be performed by encrypting the search key with the same key as the encryption key of the target data. Here, the exact match search is a case where the unit of the search key corresponds to the unit of encryption of the input data, that is, the field unit in the input form in this embodiment. When a plurality of encryption keys for data (a plurality of sets) are used and a complete match search is performed, a search process using the hash value is performed. The case where a plurality of encryption keys for data is used is a case where the strength of security is increased by performing encryption with different keys on the same data, for example. For example, the key for encrypting the name of a group such as a surgical patient in the electronic medical record system may be different from the key for encrypting the name of a patient such as a medical department. When performing a partial match search regardless of the number of encryption keys, a hash value set is generated for data obtained by dividing input data into search minimum units, and search processing using this is performed. Here, the partial match search is a case where the search key unit is smaller than the input data encryption unit.

  FIG. 9 is an explanatory diagram showing the data state in the encrypted data search process using the hash value in the information security system according to the present embodiment. Assume that there is an address input field as a certain field in the HTML input form. The data input by the user in this field is, for example, A = “Shinjuku 3-chome, Shinjuku-ku, Tokyo”. At the time of encryption processing in the HTTP proxy 12 and the encryption management server 4, encryption is performed with a predetermined encryption key using the data A in this field as an encryption unit, and the encrypted data is set to E (A). The one-way hash function is H, and the hash value of data A is represented as H (A). The encryption management server 4 generates encrypted data E (A) for new input data A to the database, and also generates a hash value H (A) of the data A to prepare for encrypted data search. A is associated with the encrypted data E (A). In the database of the DBMS 32, the encrypted data E (A) is stored, and the hash value H (A) is also associated and can be referred to. When searching for encrypted data, a search key, for example, A, is hashed, and a hash value area corresponding to the encrypted data in the database is searched using the search key hash value H (A). As a result, an area whose value matches H (A) is hit, and the encrypted data area corresponding to that area is extracted as a candidate group.

  The encryption management server 4 divides the input data A into predetermined units and performs a process of hashing each of the divided data in order to enable partial match search for the data A input in the field. Data obtained by dividing the data A into n pieces is assumed to be {A1, A2,..., An}. Each is hashed to generate a set of hash values S = {H (A1), H (A2),..., H (An)} and associate them with the data A and the encrypted data E (A) on the database side. Thus, this hash value set S is set in a searchable state. As an example of input data division, the data A is divided such that A1 = “Tokyo”, A2 = “Shinjuku-ku”, A3 = “Shinjuku”, A4 = “3-chome”. This is the minimum search unit.

  At the time of data search, if the search key is A2 = “Shinjuku-ku”, a search for the area including the hash value set S on the database side is performed using the hash value H (A2). The encrypted data area corresponding to the area whose value matches the hash value H (A2), for example, X is extracted as a candidate group. Since the hash value is used, the candidate group may include encrypted data that does not correspond to the search key A2. The encrypted data extracted from the database as a candidate group is decrypted on the HTTP proxy 12 and the cryptographic management server 4 side, and it is confirmed whether or not the decrypted data includes the search key A2. Only the data area including the search key A2 is set as a search result. For example, it is assumed that encrypted data X, Y, and Z are obtained as a candidate group from a database, and data A, B, and C are obtained by decrypting them. Since the data A and B are data including the search key A2, this is used as a search result, and the data C is discarded because it is irrelevant data not including the search key A2.

  Hereinafter, the flow of processing in the case of performing search processing using the hash value in the case of performing the partial match search will be described. In FIG. 8, first, in order to perform a data search from the Web browser 11 of the client 1 to the ASP server 2, an access is made using the HTTP GET method. The ASP server 2 returns HTML data including an input form for data search and related data (S501 to S503). The HTTP proxy 12 analyzes the HTML header and recognizes that it is a search process, and transmits the input form to the Web browser 11 (S504, S505).

  When an input form is transmitted from the HTTP proxy 12 to the Web browser 11, a search key serving as a search condition for data that the user wants to search from the database is displayed through the display of the input form on the Web browser 11, and a submit submission button Is pressed and a search key as input data is transmitted to the ASP server 2 side. The HTTP proxy 12 intervenes in the input data transmitted from the Web browser 11 to the ASP server 2 and acquires the search key data (S506, S507).

  The HTTP proxy 12 first transmits authentication information including the connection ticket obtained in the sequence (1) to the encryption management server 4, and the encryption management server 4 transmits the authentication information to the policy management server 5. The policy management server 5 verifies the connection ticket based on the received authentication information (S508 to S510), returns the authentication result to the encryption management server 4, and the encryption management server 4 returns the authentication result to the HTTP proxy 12 ( S511, S512).

  After passing the authentication, the HTTP proxy 12 transmits a data search request including the search key data to the encryption management server 4 (S513). When receiving the data search request from the HTTP proxy 12, the encryption management server 4 generates search information to be used as a search condition on the server side (S514). As search information generation, the search key data is encrypted or hashed according to the processing mode, and a search session is generated. The processing result is stored as encryption management information. Here, a hash value of the search key data is generated, and this search key hash value is set as a search key on the server side. The encryption management server 4 transmits the search information including the generated search key hash value to the HTTP proxy 12 (S515).

  When receiving the search information including the search key hash value from the encryption management server 4, the HTTP proxy 12 generates HTML POST data for data search, and transmits it to the ASP server 2 using the HTTP POST method (S516). , S517). When the ASP server 2 receives the POST data of the search information including the search key hash value from the HTTP proxy 12, the search data (search key hash value), session information, connection ticket, Search information in the SQL format including is transmitted from the SQL proxy driver 22 to the SQL proxy 31 (S518).

  When the SQL proxy 31 receives the search information in the SQL format from the ASP server 2 side, the SQL proxy 31 transmits authentication information including a connection ticket to the policy management server 5 to perform authentication. The policy management server 5 verifies the connection ticket and confirms the access authority to confirm that the user is eligible for data retrieval from the database (S519, S520), and narrows down the database access area corresponding to the user's access authority. An authentication result including information on the condition WHERE clause is returned (S521). It should be noted that the search information generation process in step S505 may be performed after the SQL proxy 31 receives search information in the SQL format from the ASP server 2 side. In this case, at this time, the SQL proxy 31 requests the encryption management server 4 to encrypt or hash the search key and acquire the search information.

  After authentication by the policy management server 5, the SQL proxy 31 sets an appropriate database query condition for the DBMS 32, and adds the information of the WHERE clause as the narrowing condition to “SELECT” that is a SQL command for data search. It transmits in the form (S522). The DBMS 32 performs a search using the search key hash value while including a hash value set corresponding to the encrypted data as a target from the database, and extracts an area of the encrypted data corresponding to an area whose value matches this as a candidate group. The process is performed and the result is returned (S523). This candidate group of extraction results may include an encrypted data area that does not correspond to the original search key before hashing. As an example, as shown in FIG. 9, when the search key is the data A2 = “Shinjuku-ku”, the hash value set corresponding to the encrypted data E (A) in the database is obtained by the search key hash value H (A2). By performing a search including the S area as a target, the area of the encrypted data corresponding to the area whose value matches the hash value H (A2) is hit.

  The SQL proxy 31 is the result of extraction from the database, and the encrypted data area group (for example, X, Y, Z) corresponding to the area whose value matches the search key hash value (for example, H (A2)), In order to extract the one corresponding to the original search key (A2), a search processing request is made to the search support function of the encryption management server 4 to execute a search session (S524). The SQL proxy 31 passes the extracted encrypted data (X, Y, Z) to the encryption management server 4.

  The search support function of the encryption management server 4 receives the search processing request from the SQL proxy 31, and the key information in the encryption management information for all of the encrypted data extracted from the database or sequentially one by one. 42, decryption is performed with an appropriate decryption key, the decrypted data is retrieved with the original retrieval key (A2), and encrypted data corresponding to the data including the retrieved data is selected as a retrieval result and SQL Return to the proxy 31 (S525, S526). Here, the encrypted data corresponding to the original search key is returned as the search result, and the decrypted data is not passed. When receiving the encrypted data of the search result from the encryption management server 4, the SQL proxy 31 extracts the data of the other field corresponding to the encrypted data of the search result from the database of the DBMS 32 and complements it if necessary. For example, the encrypted data of the search result is configured in a predetermined data unit such as a record unit. Then, the search result is transmitted to the ASP server 2 (S527). Various forms of search processing are possible, such as executing a search session from the SQL proxy 31 to the encryption management server 4 including the other field data.

  The ASP server 2 receives the search result including the encrypted data from the SQL proxy 31, and returns it to the Web browser 11 of the client 1 as the HTML data of the search result. The HTTP proxy 12 intervenes and receives the search result HTML data transmitted from the ASP server 2 to the Web browser 11 and analyzes the HTML header to determine the necessity of data decoding. If it is determined that the encrypted data as the search result needs to be decrypted, the data decryption request and the encrypted data to be decrypted are transmitted to the cipher management server 4 (S528 to S530). When the encryption management server 4 receives the data decryption request and the encrypted data to be decrypted, the encryption management server 4 decrypts the target encrypted data using a predetermined decryption algorithm and decryption key while referring to the encryption management information. The decrypted data is returned to the HTTP proxy 12. When returning the decrypted data, the data is protected by SSL communication. Information related to the decryption processing, processing results, and the like are stored in the cryptographic management server 4 as cryptographic management information.

  When receiving the decrypted data from the encryption management server 4, the HTTP proxy 12 replaces the encrypted data portion in the HTML data of the search result with the decrypted data and transmits it to the web browser 11. Search results are output in a possible form (S531 to S533). The processing sequence is as described above.

  Another embodiment of the present invention will be described. First, as described above, when encrypting / decrypting data, the HTTP proxy 12 sends a data encryption / decryption request to the encryption management server 4, and the encryption management server 4 performs encryption / decryption processing. However, the data encryption / decryption processing may be performed by the HTTP proxy 12 instead of the encryption management server 4. In this case, the HTTP proxy 12 is arranged in the client 1, and the HTTP proxy 12 encrypts / decrypts the target data using a predetermined encryption algorithm and key information. At this time, the encryption management server 4 may confirm the key information necessary for encryption / decryption and provide it to the HTTP proxy 12, or both the HTTP proxy 12 and the encryption management server 4 may be provided in the client 1. It may be configured to perform encryption / decryption processing by arranging and operating functions. Similarly, the search support function by the encryption management server 4 in the encrypted data search process, that is, the decryption of the result extracted from the database and the search process with the original search key (the process of S525) are similarly performed. A configuration in which processing is performed by the proxy 12 is possible.

  In addition to the configuration in which the Web browser 11 and the HTTP proxy 12 are independent, the web browser 11 and the HTTP proxy 12 may be configured in the client 1 as the same application without being independent. For example, the functions of the Web browser 11 and the HTTP proxy 12 (and the encryption management server 4) are configured as the same Web browsing application by operating a program such as a Java application (script) on the Web browser.

  Similarly, in addition to the configuration in which the SQL proxy 31 and the DBMS 32 are independent, the DBMS 32 and the SQL proxy 31 may be configured on the server side as the same application.

  In addition, in the encryption / decryption of the data stored in the database, all data may be encrypted and stored. However, some specific types of data are encrypted by judging from field information and the like. Thus, efficient data input / output can be performed while protecting the data as necessary and sufficiently. It is only necessary to encrypt only data of a predetermined property so that confidentiality for privacy protection and the like is realized sufficiently. As to what kind of data is to be encrypted, for example, a method of describing an encryption or non-encryption instruction for field information in an HTML input form is used at the time of system application. In the case of the above-described embodiment, field information in the HTML input form is determined, and data input to fields such as name, address, and telephone number is encrypted.

  As an example of dividing the input data into the minimum search unit, for example, the data A is divided for each character such as {A1 = “east”, A2 = “Kyo”, A3 = “city”,. It is also possible to adopt a processing form in which each is hashed. In this processing mode, for example, if the search key is “Shinjuku ward”, a data string including the hash values “H (“ new ”), H (“ hotel ”), H (“ ku ”)” is searched in the database. Thus, it is possible to determine whether or not “Shinjuku-ku” is included in the hit result without decoding.

  In addition, regarding the division of the input data into the minimum search unit, how many bits the hash value size is, whether the data (hash value) obtained by the division is stored in order or stored in random order, etc. Various processing forms are possible. Regarding the processing mode for such a search, when this information security system is applied to an information processing system, data division and hashing such as input data division method, division size, hash value size, data store order, etc. Determine the rules.

  In the encrypted data search process, an example of searching for an integer value string such as a name or an address has been shown. However, it is desirable that a search can be performed for a real value or an integer value. In the case of an exact match search, it can be realized by the same hashing method as in the case of the integer value sequence. However, a separate device is required for the comparison search for comparing the magnitudes of values. A processing form devised with respect to generation of a hash value in order to perform a comparison search for a real value or an integer value is shown below. Regarding hashing, if the target expression interval is considered as C, Y that defines a restriction interval in which almost normal values are included can be considered. This is expressed by the following formula (1). The abnormal value is X if it is smaller than X in equation (1), and Y if it is larger than Y in equation (1). Some kind of evaluation formula is applied to this and it maps to the integer space. For example, if the distribution of the original data is uniform, it is only necessary to perform linear mapping, and the following equations (2) and (3) are obtained. And let B be a hash value. At this time, the smaller Z is, the more information can be concealed, but the search speed decreases. Conversely, the larger the Z is, the easier it is to leak information, but the search speed can be increased. For this, an appropriate value is set according to the characteristics of the application. Since the hash value obtained in this way has characteristics that it is difficult to infer the original data and the vertical relationship is not reversed, a comparative search is possible.

X <C <Y (1)
B = (C−X) × Z / (Y−X) (B and Z are integers) (2)
0 <B <Z (3)
Further, if the encrypted data stored in the database is stored in a form in which a management ID for processing identification is added, it is possible to immediately refer to the management ID when decrypting the encrypted data. The decryption key can be determined and decrypted. Specifically, when encryption is performed on the input data by the HTTP proxy 12 and the encryption management server 4, a management ID, a process identification tag, and the like are generated and attached as header information of the encrypted data together with the encryption process. Perform processing. It is possible to determine the decryption key from various information such as the data ID and the user ID by referring to the encryption management information at the time of decryption other than the processing mode in which the management ID is assigned to the encrypted data. . Also, the identification information indicating the distinction between the encrypted area and the unencrypted area, the encrypted area address information, etc. are held in the DB server 3 and other modules so that the encrypted area and the unencrypted area in the database can be distinguished. It is also possible to use it.

  In the present embodiment, the encryption management server 4 and the policy management server 5 create and manage the key for data encryption / decryption as necessary, but the authentication token 6 is not particularly limited. Information such as a user's private key held in the server may be used for encryption / decryption processing of the target data.

  Further, the policy management server 5 may be configured so as not to be provided or integrated with the encryption management server. A corresponding example is a case where database access authority is not set for each user or for a predetermined data unit. For example, a policy setting in which all users can access only the same area of the database is used. In this case, the processing for adding the access area narrowing condition in the SQL proxy 31 is unnecessary.

  Further, the database system handled by the DB server 3 is not limited to a relational database, and any other system such as an object-oriented database may be used as long as it can be stored in an encrypted state with respect to a predetermined data unit. You can also.

  The configuration and processing when a general unspecified number of users, not a specific user having a user ID, access the information processing system are as follows (1) and (2), for example. (1): In the client 1, a cryptographic processing application corresponding to the HTTP proxy 12 is operated on the Web browser 11 using a program such as Java® Applet or ActiveX. When a general user accesses, the data is encrypted by the encryption processing application and the encryption management server 4, and the encrypted data is transmitted to the ASP server 2. (2): A common HTTP proxy server for general unspecified users is arranged on the network. Access of a user who does not have a key for data encryption / decryption is handled by the proxy server, and data encryption / decryption is performed through processing there.

  An example of using the information security system of this embodiment will be described. As an example, an electronic medical record system in a hospital can be considered. Since information related to patient privacy is described in the electronic medical record, protection of confidentiality is important, and at the same time, a data search function is necessary for medical work. A nurse or doctor as a user is given a predetermined database access authority according to the policy setting in the policy management server 5. For example, access authority is set in units of surgery, internal medicine, and the like. Also, the electronic medical record data stored in the database is accessed using the authentication token 6 and the computer serving as the client 1. The ASP server 2 provides an application for electronic medical chart operation. When the user makes an access request to the electronic medical record data from the Web browser 11 of the client 1, the HTTP proxy 12 intervenes, the user authentication is performed by the policy management server 5, and the necessity of data encryption / decryption is determined. If necessary, the encryption management server 4 performs data encryption / decryption processing. When data is input to the electronic medical record, the input data in the client 1 is encrypted by the HTTP proxy 12 and the encryption management server 4 and then passed to the server side, and the encrypted data is stored in the database. When data such as patient data is output from the electronic medical record data stored in the database, the corresponding data is encrypted on the server side, and the encrypted data is acquired and decrypted by the HTTP proxy 12 and the encryption management server 4 After processing, it is output by the Web browser 11. Similarly, when searching for electronic medical record data, when an appropriate search key is input by the client 1, the search key is encrypted by the HTTP proxy 12 and the encryption management server 4, and the database is searched by using the encrypted search key. Is done. The partial match search in the field is also possible by the search using the hash value, and the search result is decrypted by the HTTP proxy 12 and the cryptographic management server 4 and then passed to the Web browser 11 and output in a legible state. .

  With the information security system in the embodiment of the present invention described above, encryption / decryption is performed by the encryption function at the gateway of data from the Web browser 11 of the client 1 to the server side (ASP server 2). Information is kept confidential so that only encrypted data flows. Thereby, it is possible to effectively prevent fraud such as snooping or obtaining data by insiders. Secure access by restricting database access based on user authentication and policy confirmation including access authority at the entrance from the client 1 to the server side (ASP server 2) and the entrance to the database (DBMS 32). Has been realized. Data encryption / decryption is transparently performed behind the Web browser 11 starting from the HTTP proxy 12, so that the user can read it using a Web application without having to be aware of the data encryption / decryption. Can handle data in various formats. In addition, an authentication method based on PKI or the like is adopted for user authentication, and it can be safely operated by user ID-based authentication.

  In addition, a search function for encrypted data stored in the database is also provided. If the user inputs a search condition in a normal readable format on the client 1 side, the HTTP proxy 12 and the encryption management server 4 are provided. Through the search support function, the search result extracted from the database and decrypted can be obtained. Further, by performing a search process using a hash value, a partial match search can be made particularly in the field, and the search speed of encrypted data can be improved.

  Further, in the Web-based information processing system, the database access authority can be set by combining user authentication by PKI or the like and authority setting in a predetermined data unit. It is possible to construct a detailed security policy such as cell unit.

  In addition, when only the HTTP proxy 11 is arranged in the client 1 by arranging the SQL proxy 31 between the ASP server 2 and the DBMS 32 and confirming user authentication and access authority with the policy management server 5. A higher security level can be established. Even if an unauthorized person passes the ASP server 2, it is necessary to pass authentication related to database access from the SQL proxy 31 as a process starting point, so that the system is more secure.

  In addition, since the functions of each process such as the HTTP proxy 12, the SQL proxy 31, the encryption management server 4, and the policy management server 5 can be provided in units of modules, the necessary minimum to maximum are adapted to the information processing system to be applied. Security can be ensured.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  The present invention can be used for all information processing systems that handle information to be protected, such as customer data and employee data.

It is a figure showing the whole information security system composition in one embodiment of the present invention. It is explanatory drawing which shows the state of the encryption / decryption of data on an information processing system with the information security system in one embodiment of this invention. It is a figure shown about the information which the information security system in one embodiment of this invention manages, (a) is the encryption management information which a encryption management server manages, (b) is the policy management information which a policy management server manages Show. It is a sequence diagram which shows the flow of a process of user authentication and a connection ticket acquisition as a processing operation of the information security system in one embodiment of this invention. It is a sequence diagram which shows the flow of a database connection process as a process operation of the information security system in one embodiment of this invention. It is a sequence diagram which shows the flow of the data encryption process at the time of data input as a processing operation of the information security system in one embodiment of this invention. It is a sequence diagram which shows the flow of the data decoding process at the time of data output as a processing operation of the information security system in one embodiment of this invention. It is a sequence diagram which shows the flow of the encryption data search process using the hash value at the time of a data search as a processing operation of the information security system in one embodiment of this invention. It is explanatory drawing which shows the state of the data in the encryption data search process using a hash value with the information security system in one embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Client, 2 ... ASP server, 3 ... DB server, 4 ... Encryption management server, 5 ... Policy management server, 6 ... Authentication token, 7 ... User certificate, 8 ... ASP certificate, 9 ... DB certificate, 10 ... Certificate Authority, 11 ... Web Browser, 12 ... HTTP Proxy, 21 ... ASP Unit, 22 ... SQL Proxy Driver, 31 ... SQL Proxy, 32 ... DBMS, 311 ... IP Packet Proxy, d1, d2 ... Data, d3, d4 d5 ... encrypted data, 41, 52 ... data ID, 42 ... key information, 43 ... hash information, 44 ... processing attribute, 51 ... user ID.

Claims (17)

A program of an information security system for protecting an information processing system having a client for a user to input and output data and a server for storing the data in a database,
Intervene in the input / output communication of the data within the client or between the client and the server, the data is in an encrypted state on the server side, stored as encrypted data in the database, and conversely decrypted on the client side A program for an information security system, which causes a computer to execute an encryption function for encrypting / decrypting the data so that the data is output in an encrypted state. The information security system program according to claim 1,
At the time of inputting the data, it is determined whether the data needs to be encrypted by intervening in communication from the input / output interface unit for the data of the client to the server side in the client or between the client and the server. And the steps to
A procedure for transmitting an encryption request for the data so that the data is encrypted on the server side and stored as encrypted data in the database when it is determined that encryption is necessary;
A procedure of performing encryption of the data based on the request using a predetermined encryption algorithm and an encryption key and returning encrypted data;
And receiving the encrypted data and transmitting it to the server side,
A procedure for determining whether the data needs to be decrypted by intervening in communication from the server side to the input / output interface unit of the client in the client or between the client and the server at the time of outputting the data; ,
A procedure for transmitting a decryption request for the data so that the data is output in a decrypted state to the input / output interface unit on the client side when it is determined that decryption is necessary;
A step of decrypting the data based on the request using a predetermined encryption algorithm and a decryption key and returning the decrypted data;
A program for an information security system, comprising: receiving the decrypted data, and transmitting the decrypted data to the input / output interface unit for output. A program of an information security system for protecting an information processing system having a client for a user to input and output data and a server for storing the data in a database,
In the client, the data input / output communication with the server side is intervened around the data input / output interface unit or in some elements, and the data is in an encrypted state on the server side using this as a processing start point. Information that causes a computer to execute a first process for encrypting / decrypting the data so that the data is stored in the database as encrypted data and is output in a decrypted state on the client side. Security system program. An information security system program according to claim 3,
A process for managing key information used for encryption / decryption of the data, and an encryption / decryption process using the key information for the data based on a request from the first process. A program for an information security system, which causes a computer to execute a second process for performing a process of returning decrypted data. In the information security system program according to claim 3,
Intervening in communication for input / output of the data to / from the database, user authentication processing based on reception of user authentication information from the client side or server side, a user unit for the data, and a predetermined data unit in the database And making the computer execute an access restriction function for checking the policy setting including setting of the access right in the database and performing a query by restricting the access target area or data to the database based on the policy setting. An information security system program. In the information security system program according to claim 5,
A procedure for performing user authentication processing based on reception of user authentication information from the client side at the time of access for input / output of the data from the client side to the server side;
Performing user authentication processing based on reception of user authentication information from the server side at the time of database access for input / output of the data in the previous stage of the database after passing the user authentication, A procedure for confirming access authority in a predetermined data unit in the database;
A program for an information security system, comprising: a step of making an inquiry by limiting an access target area or data to the database based on the confirmation of the access authority and obtaining a result from the database. In the information security system program according to claim 5,
Policy setting including intervention of data input / output communication with the database in the previous stage or a part of the server-side database, and setting of access authority for each user in the database and for a predetermined data unit in the database A program for an information security system, which causes a computer to execute a third process of confirming and restricting an access target area or data to the database based on this and making an inquiry. The information security system program according to claim 7,
Processing for managing policy settings including setting of access authority in units of users and predetermined data units in the database, user authentication based on reception of user authentication information from the client side or server side, and A program for an information security system, which causes a computer to execute a fourth process for performing a process for confirming policy setting based on a request from a third process. A client in which a user inputs / outputs data through an input / output interface unit, an application server that processes the data with a predetermined business logic in response to access from the client, and a database in which the data is input / output to / from the database through the application server And an information security system program for protecting an information processing system having a server,
Intervene in the input / output communication of the data with the application server in the client around the data input / output interface unit or in a part of the data, and the data is encrypted on the server side using this as a processing start point. A first process for encrypting / decrypting the data so that the data is stored in the database as encrypted data and conversely output to the input / output interface unit in the decrypted state on the client side;
The data is encrypted / decrypted by encrypting / decrypting the data with the key information based on a request from the process for managing the key information used for encryption / decryption of the data and the first process. A second process for performing a process of returning data;
Policy setting including intervention of data input / output communication with respect to the database at a preceding stage or a part of the database of the database server, and setting of access authority for each user in the data base and a predetermined data unit in the database And a third process for making an inquiry by restricting the access target area or data to the database based on this,
Processing for managing policy settings including setting of access authority in units of users for the data and predetermined data units in the database, user authentication based on reception of user authentication information from the client side or server side, and the first 4. A program for an information security system, which causes a computer to execute a fourth process for performing a process for confirming the policy setting based on a request from the process 3. In the information security system program according to claim 3,
As a search function for searching the encrypted data stored in the database, the search condition designated on the client side is encrypted or one-way hashed through the first processing, and the encryption or one-way hashing is performed. In the preceding stage of the database on the server side, the specified query condition is set as a specific query condition for the database query, the database query is performed, and the search result narrowing process is performed on the extracted encrypted data group. A program for an information security system that causes a computer to execute a function of decrypting the search result through the first process and outputting the result to the input / output interface unit of the client. The information security system program according to claim 10,
As the search function, the search condition specified by the client is judged, the search key is encrypted by the first processing, and the encrypted search key is transmitted to the server side. An inquiry is made to the database by using the converted search key, and the encrypted data extracted from the database is transmitted to the client side, and this is decrypted by the first processing to input / output interface of the client A program for an information security system, which causes a computer to execute a function of outputting a search result to a computer. The information security system program according to claim 10,
At the time of inputting the data from the client side, in addition to encrypting the data by the first processing, a hash value is generated for the data by a predetermined one-way hash function, and this is used as the encrypted data Processing to associate with
At the time of search, a hash value is generated by the one-way hash function for the search key input by the client and transmitted to the server side, and the server side stores the hash value of the search key in the database. A process of searching for a hash value associated with the encrypted data and extracting the encrypted data corresponding to the area where the values match,
A program for an information security system, which causes a computer to execute processing for decrypting the encrypted data of the extraction result and selecting the one containing the original search key and returning it to the client as a search result . The information security system program according to claim 12,
When inputting the data from the client side to the database, in addition to encrypting the data by the first processing, the data is divided into predetermined units, and a predetermined one-way hash is assigned to each divided data A program for an information security system, which causes a computer to execute a process of generating a hash value by a function and storing it in association with the encrypted data so that it can be referred to when searching in the database. In the information security system program according to any one of claims 1 to 13,
When accessing the data, the client reads an authentication token holding user certificate information and generates the authentication information therefrom, thereby confirming the user authentication and policy setting based on a predetermined authentication method. A program for an information security system, which causes a computer to execute processing to be performed. In the information security system program according to any one of claims 1 to 14,
A program for an information security system, characterized in that data stored in the database is judged and a process to be encrypted / decrypted is executed only for specific types of data in the database.   A storage medium storing the information security system program according to any one of claims 1 to 15. An information processing apparatus that reads and executes the information security system program according to any one of claims 1 to 15.

Images