JP2007004609A - Share forming method and device, and restoration method and device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To minimize a management cost increased according to increase in data quantity of secret information, in distributed storage of secret information by applying a secret distribution method, while holding the secrecy. <P>SOLUTION: In the share forming method, a division part 13 divides secret information S to S<SB>1</SB>, S<SB>2</SB>to S<SB>t</SB>in processing units. A correlation generation part 14 correlates S<SB>i</SB>and S<SB>i+1</SB>with each other by correlation forming functions g<SB>1</SB>and g<SB>2</SB>. A distributed processing part 15 forms, for each of divided data S<SB>1</SB>', S<SB>2</SB>' to S<SB>t</SB>', äS<SB>11</SB>, S<SB>12</SB>to S<SB>1n</SB>}, äS<SB>21</SB>, S<SB>22</SB>to S<SB>2n</SB>} and äS<SB>t1</SB>, S<SB>t2</SB>to S<SB>tn</SB>} as intermediate shares. The intermediate shares formed from divided data S<SB>1</SB>' are stored in a special management storage part 18 with a management level higher than those of other shares since they are information essential for final restoration of the other shares. The other divided shares are stored in a general storage part 17. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a secret sharing technique in which confidential information is distributed to a plurality of pieces so that the original information cannot be restored from each piece of shared information (share), and more particularly to a share creation method and a restoration method. .

  In recent years, information leakage from companies has become serious. In a company, browsing confidential documents on file servers and receiving important documents attached to e-mails are carried out on a daily basis in the course of work. Are often stored temporarily or permanently. Information stored in the client is easily taken out by duplication to a portable medium such as a CD (Compact Disc) / DVD (Digital Versatile Disc) or USB (Universal Serial Bus) memory. Is expensive. There are methods to prevent leakage, such as restricting the use of information and encrypting information, but it is difficult to prevent outside distribution by authorized employees, and sensitive information has been encrypted In this case, it is necessary to periodically update the encryption key, and its management is very troublesome.

  In order to solve this problem, the confidential information is divided into a plurality of pieces of fragment information (shares) that cannot be restored at all unless a predetermined number is collected by the secret sharing method, and is stored in the client storage and made permanent. There is a way. That is, even if an authorized employee takes out a file in the PC, it is a part of the divided information, and if the required number is not collected, the original information cannot be obtained at all. Moreover, since the original information can be restored if the required number is collected, there is no need to manage the encryption key which is complicated.

  One secret sharing method is the (k, n) threshold type secret sharing method called the Shamir method (Non-patent Document 1). As other methods, there are methods described in Patent Document 1 and Patent Document 2.

Originally, the secret sharing method is often used for the purpose of distributing and storing a key for encrypting confidential information, and if the processing performance capable of distributing a secret key of about 1 to several kilobytes at the maximum is satisfied. Was good. However, confidential documents have a very large file size compared to the secret key, and it is often difficult to apply the secret sharing method as it is. For example, when the Shamir method is to be implemented in a prime field, it is difficult in practical time to prepare a prime number that can use the entire confidential document as a processing unit, and it is practical time to perform a large number of remainder operations. Since it is difficult to do so, it is not realistic (Non-Patent Document 2). For this reason, in the implementation of the secret sharing method described above, a confidential document is divided into appropriate processing units (this divided data is called divided data), and a share is created by applying the secret sharing method for each divided data. (This share is referred to as an intermediate share), and finally a process of creating a share (referred to as a final share) to be distributed and stored in another medium or terminal is performed. It is also conceivable that the intermediate shares are transmitted to the storages of other terminals one after another via a network or the like, and the final share is created on the other terminals.
A. Shamir, “How to Share a Secret”, Communications of the ACM, Vol. 22, 11, 1979 "Wide area distributed file system using secret sharing method", http: // www. kochi-tech. ac. jp / library / ron / 2002 / g5 / info / 10551115. pdf JP 2004-213650 A JP 2003-188867 A

  By the way, as described above, the intermediate share is temporarily or semi-permanently stored in a storage area such as a memory or a hard disk of a terminal that performs distributed processing, or transmitted via a network and stored in another terminal. At this time, there is a possibility that intermediate shares may be leaked due to unauthorized access to the storage area or wiretapping on the network. Then, with respect to the divided data portion from which the intermediate share has flowed out, the number of shares that must be obtained in order to restore the original confidential information is reduced, and the risk of leakage of confidential information increases. Furthermore, there is a possibility that information related to the entire confidential document may leak from the location where the original confidential information was restored due to the leakage of the intermediate share. There is a risk of leakage (see FIG. 10).

  Therefore, when confidential information is distributed and stored by applying the secret sharing method, it is necessary to manage all intermediate shares at the same security level in order to avoid the risk of leakage of the entire confidential information. In addition, as the amount of confidential information increases, the intermediate share that needs to be managed increases, so the management cost increases.

  The object of the present invention is to reduce the management cost, which increases as the amount of confidential information increases, while keeping confidentiality, and keep it to a minimum when confidential information is distributed and stored by applying the secret sharing method. It is an object of the present invention to provide a share creation method and apparatus, and a restoration method and apparatus that make it possible.

  The share creation method of the present invention includes a step of dividing a file obtained by digitizing confidential information into processing units for performing secret sharing processing, a step of giving a correlation between divided data divided into processing units, and a correlation A step of creating a share by applying a secret sharing method to the divided data provided with one of the shares, and one of the shares created from the divided data essential for solving the generated correlation among the created shares, Alternatively, a plurality or all of them are stored in a special management storage unit placed under special management, and shares other than the shares are stored in a normal storage unit placed under normal management.

  Further, the restoration method of the present invention is a restoration method for restoring the original confidential information from the share created by the share creation method, the step of restoring the divided data before performing the secret sharing process from the share; The method includes a step of solving the correlation between the restored divided data and a step of restoring the original confidential information by combining the divided data after the correlation is released.

  When storing confidential information based on the secret sharing method, instead of strictly managing the entire final share, managing other intermediate shares by storing a part of the share, that is, the intermediate share particularly strictly Without increasing the level, it is possible to reduce the management cost of the final share while preventing the risk of confidential leakage as a whole.

  For example, when implementing a large-scale file distribution management system on multiple servers using the secret sharing method, to reduce the risk of leakage of the final share distributed on multiple servers, it is uniform for all storage on all servers. However, by applying the present invention, a part of storage of all servers or a part of servers is strictly controlled as tamper-resistant storage, and other than that, it is normal. Even under management, it is possible to reduce the risk of leakage of confidential information while reducing the management cost compared to the conventional method.

  It is also effective for a secure file transmission system that divides confidential information and transmits it by separate routes. In a conventional file transmission system using a secret sharing method, for example, when confidential information is sent separately to multiple routes of a portable medium such as an email and a CD or a USB memory, if an intermediate share leaks in the middle of a certain route, The number of intermediate shares that need to be obtained in order to restore the divided data of the confidential information is reduced. For example, in the case of Shamir's (k, n) threshold method, k = 2 and n = 3, a small share is obtained. In the case of restoring original information, the impact on the risk of leakage of confidential information was great, and it was necessary to reconfigure the share immediately. However, if the present invention is applied, even if one intermediate share is lost in the middle, the number of shares that need to be obtained to restore confidential information is reduced, and the safety level is lowered, the management level is high. Unless the intermediate share is obtained, it is difficult to restore the original confidential data split data. Since the divided data of the original confidential information is computationally safe, the necessity for urgent reconfiguration is low compared to the conventional method. Therefore, information that is essential for restoring the original confidential information, that is, the intermediate share stored in the special management storage unit, is securely handed using a USB memory, etc., and other intermediate shares are sent via a network such as e-mail. Transmission from the other route transmission from the other route transmission by normal secret sharing is not lowered from the viewpoint of security of confidential information. Even if an intermediate share is wiretapped during mail transmission and the number of shares required for restoration is collected, if the intermediate share required for restoration stored in the USB memory is not obtained, it will be calculated to restore the original confidential information This is because it is difficult quantitatively.

  Next, embodiments of the present invention will be described with reference to the drawings.

[First Embodiment]
FIG. 1 is a block diagram showing a configuration of a share creation apparatus according to an embodiment of the present invention. The share creation device 10 is a device that creates a share by the share creation method of the present invention. The control unit 11 controls the entire share creation device 10. The storage unit 12 stores the created share. The normal storage unit 17 is realized by a normal HD (Hard Disc) or the like. The special management storage unit 18 is a storage part such as a tamper resistant device that can realize an environment that cannot be easily accessed. The dividing unit 13 divides confidential information having a large data size into processing units for performing secret sharing processing. The correlation generation unit 14 gives a correlation between the divided data when the confidential information is divided for each processing unit. The distributed processing unit 15 performs distributed processing on the divided data to which the correlation is added according to the secret sharing method. The communication unit 16 communicates with the outside and receives a distribution request.

  FIG. 2 is a block diagram showing the configuration of the restoration apparatus according to the embodiment of the present invention. The restoration device 20 is a device that restores the original confidential information from the share created by the share creation device 10. The control unit 21 controls the entire restoration device 20. The storage unit 22 is a part where shares are stored, the normal storage unit 27 is realized by a normal HD or the like, and the special management storage unit 28 is an environment that cannot be easily accessed, such as a tamper resistant device. This is a realizable storage part. When the share creation device 10 and the restoration device 20 are in the same terminal, 21, 22, 27, and 28 have the same functions as 11, 12, 17, and 18, respectively. The combining unit 23 combines the divided data whose correlation has been solved. The correlation cancellation unit 24 solves the correlation between the divided data. The restoration processing unit 25 restores original data from the share. According to the share creation method of the present invention, since there is a correlation between the restored data, the original confidential information cannot be obtained at this point. The communication unit 26 receives a restoration request from the outside.

The distribution of confidential information by the share creation device 10 will be described based on the flowchart of FIG. 3 and the explanatory diagram of FIG.
(1) Let S be confidential information (step 101).
(2) dividing unit 13, S _1, S ₂ confidential information S in the processing unit,., Dividing the S _t (step 102).
(3) The correlation generation unit 14 gives the following relationship between S _i and S _{i + 1} by using the correlation generation functions g1 and g2 (step 103).

S ₁ '= g1 (S ₁ )
S _i ′ = g 2 (S _i−1 , S _i ) (i ≧ 2)
(4) the distributed processing unit 15, the divided data _{S 1 ', S 2',} ···, respectively for each of S _t ', as an intermediate share _{{S 11, S 12, ···} , S 1n} _{, {S 21, S 22,} ···, S 2n}, ··· {S t1, S t2, ···, S tn} to create a (step 104). Since the intermediate share created from the divided data S ₁ ′ is essential information for finally restoring other shares, the management level is raised above the other shares and stored in the special management storage unit 18. At the same time, it is transferred to the restoration device 20 and stored in the special management storage unit 28. Other divided shares are stored in the normal storage unit 17, transferred to the restoration device 20, and stored in the normal storage unit 27.

Next, restoration of confidential information by the restoration apparatus 20 will be described based on the flowchart of FIG. 4 and the explanatory diagram of FIG.
(1) The restoration processing unit 25 restores S ₁ ′,..., _St ′ from the intermediate share S _ij (step 201).
(2) the inverse function g1 correlation release portion 24 correlation creation functions g1, g2 ', g2', the divided data S _1, S _2, · · ·, to restore the S _t (step 202).

S ₁ = g1 ′ (S ₁ ′)
S _i = g2 (S _i−1 , S _i ′) (i ≧ 2)
(3) The combining unit 23 combines the divided data S _i (i = 1, 2,..., T) to restore the confidential information S (step 203).

That is, in the present invention, even if a sufficient share for restoring a certain divided data S _i ′ is collected, the divided data S _i cannot be restored. To restore, g1, it is necessary to solve the correlation defined by g2, always divided data S ₁ is required. That is, the obtaining the overall final security information, it is equal to quantitatively calculate to obtain divided data S _1. Therefore, raising the management level of the intermediate shares created from the divided data S _1, by the following equivalent split data S ₁ the management level for the share of non-divided data S _1, while ensuring safety management Costs can be reduced.

An example of applying the share creation method of the present invention to the Shamir secret sharing method will be described with reference to FIG. In this application example, it is assumed that the Shamir method is implemented on the prime field GF (P), and the processing unit for performing the secret sharing process is a fixed length (l: | P | ≧ l).
(1) A confidential document file desired to be kept secret is regarded as one number and set to S (step 301).
(2) It is determined whether or not the data size | S | of S is an integral multiple of a prescribed processing unit l for performing secret sharing processing (step 302).
(3) If it is not an integral multiple of l, end padding is performed until it becomes an integral multiple (step 303).
(4) S is divided by the processing unit l, the divided data S _1, S _2, ···, and S _t (step 304).
(5) The following steps are executed for i = 1, 2,... T (step 305).

      (1) It is determined whether i = 1 (step 306).

(2) In the case of yes, S ₁ = g ₁ (S ₁ ) is set using the correlation function g ₁ (step 307). g1 is arbitrary, and an input value may be output as it is, XOR of random numbers R and S ₁ , or S ₁ may be encrypted with key K.

(3) When i = 1 is not satisfied, S _i = g 2 (S _i−1 , S _i ) is set using the correlation function g 2 (step 308). g2 is also arbitrary, and a method such as outputting an XOR of S _i and S _i-1 or encrypting S _i-1 as an encryption key of S _i may be adopted.

(4) divided by the Shamir secret sharing scheme from the S _i share _{S ij (j = 1,2, ···} , n) to create a (step 309).
(6) The final share S _j (j = 1, 2,... N) is created from the divided shares S _ij (j = 1, 2,... T, j = 1, 2,... N). (Step 310).

In (5), g1 and g2 are arbitrary. If desired, a secret key or random number is not required separately, such as outputting the input value as g1 and outputting the XOR of S _i and S _i-1 'as g2, and an easy to obtain inverse function Should be a function that creates a correlation.

  FIG. 8 shows the configuration of a large-scale file distribution management system to which the share creation method of the present invention is applied.

This system includes a plurality of file storage servers 3 _{1 to} 3 _n including a share creation device 10 and a restoration device 20 and a plurality of client terminals 4 ₁ to 4 _m .

The client terminal 4 ₁ transmits the file to be saved to the file storage server 3 _1. The file storage server 3 ₁ create as many shares by creating a share certain of the present invention, among the intermediate shares created in the process, only the intermediate share as essential to restore, etc. tamper-resistant storage device It is stored in the special management storage unit 29 configured, and other intermediate shares are stored in the normal storage unit 19.

  In this system, by raising the management level of the special management storage unit 29, there is a possibility of leakage of confidential information stored as a whole without raising the management level of the normal storage unit 19 in which other shares are stored. Can be suppressed.

  FIG. 9 shows the configuration of a data transmission / reception system to which the share creation method of the present invention is applied.

  This system includes a transmission terminal 51 having the configuration of the share creation device 10 and a reception terminal 52 having the configuration of the restoration device 20.

  The transmission terminal 51 creates a predetermined number of shares, and among the intermediate shares created in the process, only the intermediate share that is indispensable for restoration is passed to the reception terminal 52 through another route placed under strict management. Other intermediate shares are sent via regular routes such as e-mail. In FIG. 7, all the intermediate shares that are essential for restoration are passed by another route, but only a part of the intermediate shares that are essential for restoration may be delivered by another route according to the required cost reduction degree. .

  The receiving terminal 52 restores the original confidential information from the intermediate share received through different routes.

  In this system, the risk of leakage of confidential information transmitted as a whole can be suppressed without raising the management level of the transmission route of other shares by raising the management level of the intermediate share passed through another route. Is possible.

  In addition, the functions of the transmission terminal and the reception terminal can be installed in one terminal, and depending on circumstances, it can be the transmission terminal side or the reception terminal.

  The functions of the share creation device and the restoration device are those in which a program for realizing the function is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read by the computer and executed. It may be. The computer-readable recording medium refers to a recording medium such as a flexible disk, a magneto-optical disk, and a CD-ROM, and a storage device such as a hard disk device built in a computer system. Further, the computer-readable recording medium is a medium that dynamically holds the program for a short time (transmission medium or transmission wave) as in the case of transmitting the program via the Internet, and in the computer serving as a server in that case Such as a volatile memory that holds a program for a certain period of time.

It is a block diagram which shows the structure of the share production apparatus of one Embodiment of this invention. It is a block diagram which shows the structure of the decompression | restoration apparatus of one Embodiment of this invention. It is a flowchart which shows the process at the time of the share creation in a share creation apparatus. It is a flowchart which shows the process at the time of restoration in a restoration device. It is explanatory drawing of the process of share creation. It is explanatory drawing of the process of a restoration | restoration. It is a figure which shows the example of application to the secret sharing method of Shamir. It is a figure which shows the example of application to a large-scale file distribution management system. It is a figure which shows the example of application to the transmission / reception system of confidential information. It is explanatory drawing of the problem of a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Share production apparatus 11 Control part 12 Storage part 13 Dividing part 14 Correlation generation part 15 Distributed processing part 16 Communication part 17, 19 Normal storage part 18 Special management storage part 20 Restoration apparatus 21 Control part 22 Storage part 23 Coupling part 24 Correlation relationship releasing portion 25 restoring unit 26 communication unit 27 accessible storage unit 29 specially managed storage unit 3 ₁ to 3 _n file storage server 4 ₁ to 4 _m client terminal 51 transmits terminal 52 receiving terminal 101～105,201～203, 301-310 steps

Claims (7)

A share creation method based on the secret sharing method,
Dividing a file obtained by digitizing confidential information into processing units for performing secret sharing processing;
A step of correlating the divided data divided into processing units;
Applying a secret sharing method to the correlated divided data and creating a share;
Of the created shares, one, multiple, or all of the shares created from the division data required to solve the generated correlation are stored in a special management storage unit under special management. And storing a share other than the share in a normal storage unit placed under normal management.   The share creation method according to claim 1, wherein in the step of providing a correlation, a correlation creation function using XOR is provided between the divided data. A restoration method for restoring original confidential information from a share created by the share creation method according to claim 1 or 2,
Restoring the divided data before performing the secret sharing process from the share;
A step of solving a correlation between the restored divided data;
Reconstructing the original confidential information by combining the divided data that has been uncorrelated. A share creation device based on the secret sharing method,
Means for dividing a file obtained by digitizing confidential information into processing units for performing secret sharing processing;
Means for providing a correlation between the divided data divided into processing units;
A means of creating a share by applying a secret sharing method to the correlated divided data;
A special management storage unit under special management that stores one, a plurality, or all of the shares created from the divided data essential for solving the generated correlation among the created shares. And a normal storage unit under normal management for storing shares other than the share,
And a means for receiving a secret sharing request from the outside. A restoration device for restoring the original confidential information from the share created by the share creation device according to claim 4,
Means for restoring the divided data before performing the secret sharing process from the share;
Means for solving the correlation between the restored divided data;
A restoration device having means for restoring the original confidential information by combining the divided data whose correlation has been broken.   One or a plurality of client terminals and one or a plurality of file storage servers, each of the file storage servers being one of the shares created from the divided data essential for restoring the original confidential information 5. A file management system comprising: a special management storage unit under special management, and a normal normal storage unit for storing shares other than the share, according to claim 4, wherein a plurality or all of them are stored.   In the method for transmitting confidential information between terminals, the share creation method according to claim 1 or 2, wherein one, a plurality, or all of the shares created from the divided data essential for restoring the original confidential information is obtained. A method for transmitting confidential information, characterized in that transmission / reception is performed by another route under strict management, and other shares are transmitted / received by a normal route such as mail.

Images