JP2007188307A - Data file monitor apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a data file monitor apparatus which can simply prevent falsification of specific data files. <P>SOLUTION: If a read-only setting is released from file attributes of a data file to be monitored, the data file monitor apparatus 1 sets read-only access in the file attributes of the data file. In addition, if file operations, such as move, delete or file name change, are set for the monitor target data file, current operations for the file are suspended. Thereby, delete, move and file name change are not permitted for a specific data file to prevent its falsification. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a data file monitoring apparatus that monitors a specific data file stored in an information processing apparatus such as a personal computer and prevents tampering with the data file.

  Conventionally, changing the file contents of a data file has been prohibited by setting the file attribute of the data file stored in the data file storage means of the information processing apparatus to read-only.

  Various file monitoring apparatuses that monitor data files stored in the data file storage means of the information processing apparatus, detect whether the data files have been tampered with, and recover the tampered data files have been proposed. Yes. For example, the monitoring information for monitoring whether or not the data file has been tampered with is stored, the parameter value corresponding to the monitoring information is acquired for the data file to be monitored, and the parameter value is compared with the monitoring information to determine whether or not tampering has occurred. A file monitoring technique for recovering a data file to be monitored based on recovery information based on the determination that the file has been altered has been proposed (see, for example, Patent Document 1).

  Further, it has been generally performed conventionally that a data file stored in an information processing apparatus is encrypted to be a ciphertext file and is concealed to prevent information leakage.

JP 2004-13607 A

  However, the file attribute of the data file can be changed by operating the OS, processing of an application program, or the like, and the reading attribute can be canceled. Therefore, there is a possibility that the read attribute is canceled and the file contents of the data file are changed.

  Further, in the technique described in Patent Document 1 described above, since parameter values and monitoring information are compared to determine whether or not tampering has occurred, it is necessary to store monitoring information in advance, and a memory for this purpose. An area must be reserved. Therefore, in the case of a data file with a large amount of data, the equipment costs such as hardware resources increase, and it takes time for the recovery work, and there is a possibility that the data file cannot be used for a long time. Further, in order to compare the parameter value with the monitoring information, it is necessary to back up the monitoring information at predetermined intervals. Therefore, there is a problem that the backup work is complicated, the work cost increases, and the equipment cost of the backup equipment increases.

  And even if the ciphertext file that encrypted the data file cannot be decrypted and the contents cannot be understood, the ciphertext file itself can be deleted, part of the data can be deleted, the file name can be changed, It can be moved to another folder, etc., and may be altered by a third party.

  In view of these problems, the present invention has been made to solve the problems of the prior art, and an object of the present invention is to provide a data file monitoring device that can easily prevent alteration of a specific data file. is there.

  The data file monitoring device according to claim 1, which solves the above problem, includes a data file storage means for storing the data file and a file attribute set to read-only among the data files stored in the data file storage means. File content modification prohibition means that prohibits modification of the file contents of a data file that has been changed, and change of file attributes of a data file that is stored in the data file storage means and whose file attribute is set to read-only A file attribute change detecting means for detecting the data file, a monitoring object judging means for judging whether or not the data file whose file attribute change has been detected by the file attribute change detecting means is a preset data file to be monitored, The data file is monitored by the monitoring target judging means. The determination that a data file of the elephants, and having a file attribute read-only setting means for setting again the read-only file attribute of the data file.

  A data file monitoring device according to a second aspect of the present invention is a data file storage means for storing a data file, and a data file whose file attribute is set to read-only among the data files stored in the data file storage means The file content change prohibiting means for prohibiting the change of the file contents of the data file, the file operation setting means for specifying the data file and setting the file operation for the specified data file, and the file operation setting means Confirmation determination requesting means for determining whether or not the file attribute of the read data file is set to read-only, and requesting confirmation of whether to execute or cancel the file operation by determining that the file attribute is set to read-only In response to the confirmation judgment request from the confirmation judgment request means When the file operation execution instruction is given, the file operation is executed, and when the file operation stop instruction is given, the file operation is stopped, and the confirmation judgment request means requests the confirmation judgment. A confirmation judgment request detecting means for detecting whether or not the confirmation judgment request detecting means detects that the confirmation judgment request has been made, and the data file for which the confirmation judgment is requested is set in advance. A monitoring target determining unit that determines whether the data file is a target data file, and the file operation unit cancels the file operation when the monitoring target determining unit determines that the data file is the data file to be monitored. And a file operation stop selection means for giving the instruction.

  According to the first aspect of the present invention, when the file attribute of the data file stored in the data file storage means and the file attribute is set to read-only is changed and read-only is canceled, It is determined whether or not the data file is a data file to be monitored. Then, when it is determined that the data file is a monitoring target data file, a process for setting the file attribute of the data file to read-only again is performed.

  As a result, the file attribute of the data file being monitored can always be set to read-only. For example, even if read-only is canceled by an input from an input device or an application program, the file attribute is immediately reset to read-only. Can be set. Therefore, the change of the file content can be prohibited by the data file content change prohibiting means, and the alteration of the data file can be prevented.

  According to the invention of claim 2, when a data file is specified and a file operation is set for the data file, it is determined whether or not the file attribute is a data file set to read-only, In the case of a data file whose file attribute is set to read-only, it is requested to confirm whether to execute the file operation or cancel the file operation.

  Then, when it is detected that the confirmation judgment of the file operation is requested, it is judged whether or not the data file for which the confirmation judgment is requested is a preset data file to be monitored. In some cases, an instruction to stop the file operation is given to the file operation means to stop the file operation on the data file.

  As a result, the file operation on the data file whose file attribute is set to read-only and that is to be monitored can be stopped. Therefore, for example, file operations such as deletion, movement, and file name change for a specific data file are forcibly stopped, and falsification is prevented.

  In addition, a data file whose file attribute is set to read-only is prohibited from being changed by the file content change prohibiting unit, so that alteration of the data file can be prevented.

  Next, the data file monitoring apparatus according to the embodiment of the present invention will be described.

  FIG. 1 is a diagram for explaining a configuration of a data sharing apparatus 1 to which a data file monitoring apparatus according to the present embodiment is applied. FIG. 1 (a) is an overall view, and FIG. FIG. As shown in FIG. 1A, the data sharing apparatus 1 includes a USB token 2 that is an electronic key and a personal computer 3 that is an information processing apparatus.

  The USB token 2 has a housing 13 that houses the IC chip 11, the memory 12, and the like, and a connector 14 that protrudes from the housing 13 and can be inserted into the USB slot 3 a of the personal computer 3. The connector 14 of the USB token 2 is electrically connected to the personal computer 3 by being inserted into the USB slot 3 a of the personal computer 3 so that data can be transmitted and received between the IC chip 11 and the memory 12.

  The memory 12 of the USB token 2 stores an encrypted user key, serial number, confirmation code, shared code, standard code, and the like.

  The encrypted user key is one piece of key information necessary for creating an encryption key in the personal computer 3, and all the USB tokens 2 distributed to the users constituting the same group have the same key. Information is set and set differently for each group.

  The serial number is a unique number assigned to each USB token 2 in order to identify the USB token 2, and is composed of a combination of alphabets and numbers. The serial number of the USB token 2 can be easily seen from the outside. The housing 13 is also displayed by printing or the like.

  The confirmation code is used to confirm that the USB token 2 is an authorized owner, and is information that is determined by the owner of the USB token 2 and is known only to the owner. The confirmation code can be written from the personal computer 3 with the USB token 2 connected to the personal computer 3, and can be rewritten arbitrarily.

  When the confirmation code is input to the personal computer 3, the confirmation code is converted into a value such as a hash value by a one-way function such as a hash function in the personal computer 3, transmitted to the USB token 2, and stored in the memory 12 of the USB token 2. Written and not stored in the personal computer 3. Before the confirmation code is written by the personal computer 3, a temporary confirmation code common to each USB token 2 is written as a default.

  The shared code is information that defines a group to which the USB token 2 belongs, and is used when the personal computer 3 determines whether the USB token 2 belongs to the same group. Data cannot be decrypted using a so-called different group of USB tokens 2 with different shared codes.

  The standard code is information used to identify on the personal computer 3 side whether or not the USB token 2 connected to the personal computer 3 is the USB token 2 of the data sharing apparatus 1.

  The personal computer 3 includes a computer main body 3A having a CPU for performing arithmetic processing and the like, an internal memory such as a ROM and a RAM, an external storage device (data file storage means) such as a hard disk, and an input device 3B including a keyboard and a mouse. , A display device 3C such as a CRT or a liquid crystal display, and an OS (operation system) 20, a data sharing program 30, and an application program such as an editor are installed. In this embodiment, Windows (registered trademark) is installed as the OS 20 of the personal computer 3.

  FIG. 2 is a block diagram for explaining functions realized in the personal computer 3 by the OS 20 and the data sharing program 30.

  By the OS 20, a file content change prohibiting unit 21, an attribute change event output unit 22, a file operation setting unit 23, a confirmation determination request unit 24, and a file operation unit 25 are realized in the personal computer 3.

  The file content change prohibiting means 21 prohibits changing the file content of a data file whose file attribute is set to read-only among data files stored in the personal computer 3 such as an external storage device of the computer main body 3A. Process. As a result, for example, when an overwrite save operation is performed using an application program such as an editor for a data file whose file attribute is read-only, a confirmation message is displayed to save the file with a different file name. In addition, the process of forcibly canceling the file attribute read-only by the program and then overwriting it is performed.

  The attribute change event output unit 22 uses the information as an attribute change event when the process of changing the file attribute is performed on the data file stored in the personal computer 3, and the file monitoring unit 41 of the data sharing program 30. Process to give to.

  The file operation setting unit 23 performs processing for specifying a data file and setting a file operation for the specified data file. The specification of the data file can be performed, for example, by moving and clicking the mouse cursor on the data file icon displayed on the screen of the display device 3C. When setting the file operation, move the mouse cursor over the data file icon and click the right mouse button. As a sub-menu, items such as deletion and file name change can be selected. The file operation can be set by selecting.

  The confirmation determination request unit 24 determines whether or not the file attribute of the data file specified by the file operation setting unit 23 is set to read-only, and executes the file operation if it is set to read-only. A process for requesting confirmation of whether to cancel or cancel is performed.

  For example, when a read-only data file is specified by the file operation setting means 23 and one of the file operations of deletion, movement, and file name change is set, it is confirmed whether to execute or cancel the file operation. A confirmation window to be popped up is displayed on the display device 3C. In the confirmation window, a selection button for selecting either the execution of the file operation or the cancellation of the file operation is displayed.

  In response to the confirmation determination request from the confirmation determination requesting unit 24, the file operation unit 25 executes a file operation when an instruction to execute the file operation is given, and stops the file operation when an instruction to stop the file operation is given. Perform the process. For example, when an instruction to execute a file operation is received from the input device 3B, such as clicking the “Yes” button displayed in the confirmation window by the confirmation determination requesting unit 24, the original data file is deleted and the file operation of the data file is performed. Execute. When an instruction to cancel the file operation is received from the input device 3B or the pop-up monitoring means 42 of the data sharing program 30, such as clicking the “No” button displayed in the confirmation window, the data file is deleted, moved, Cancels the rename file operation.

  The data sharing program 30 is executed in response to the activation of the OS 20 and is resident with the OS 20.

  By executing the data sharing program 30, the administrator information registration means 31, user information registration means 32, USB token connection monitoring means 33, authentication means 34, encryption key creation means 35, encryption means 36, Decoding means 37, user database 38, file monitoring means 41, pop-up monitoring means 42, and log recording means 43 are realized as its internal functions.

  The administrator information registration means 31 performs a process for registering administrator information. When the USB token 2 is first connected to the personal computer 3 and the standard code and the shared code of the USB token 2 are authenticated, the personal computer 3 The administrator information registration screen is displayed on the display device 3C.

  The name input from the input device 3B according to the administrator information registration screen and the serial number acquired from the USB token by the authentication unit 34 are associated with each other as the administrator name and the serial number of the administrator USB token. Is stored in the user database 38.

  Then, the confirmation code input according to the administrator information registration screen is converted into a summary value by a one-way function, transmitted to the USB token 2, and stored in the memory 12 of the USB token 2. In this embodiment, a hash function is used as a one-way function.

  FIG. 3 is a diagram for explaining the configuration of user data created in the user database 38 by the administrator information registration means 31. As shown in FIG. 3, the user database 38 stores user data including a registration date, a serial number, a name, and a shared code.

  The user information registration unit 32 performs a user information registration process based on an input from an administrator and an input from a user who is a user of the USB token 2 and who is not the administrator. In the user information registration process, the name and serial number of the user are first registered by an input from the administrator, and then the confirmation code is registered by an input from the user.

  In registering the user's name and serial number, the user information registration means 32 displays a user information registration screen on the display device 3C in response to an input from the administrator using the administrator USB token 2, and follows the user information registration screen. The user name inputted from the input means 3B and the serial number of the user USB token 2 are stored in the user database 38 in association with each other. FIG. 4 shows an example of a user information registration screen displayed on the display device 3C. On the user information registration screen, the name of the administrator and user, serial number, registration date, and whether or not a permission flag described later is prohibited are displayed as a data table. Registration and deletion of this user information can be appropriately performed by an administrator.

  Next, registration of the confirmation code is performed when the user USB token 2 is connected to the personal computer 3 for the first time. Whether or not the user USB token 2 is connected to the personal computer 3 for the first time is determined based on whether or not the user information is registered in the personal computer 3. The confirmation code registration screen is displayed on 3C. Then, the confirmation code input from the user according to the confirmation code registration screen is converted into a hash value by a hash function, transmitted to the USB token 2, and stored in the memory 12 of the USB token 2.

  The USB token connection monitoring means 33 monitors whether or not the USB token 2 is connected to the personal computer 3, and if the USB token 2 is disconnected from the personal computer 3 with the permission flag set, the USB token connection monitoring means 33 Performs processing to clear the flag.

  The authentication unit 34 performs a USB token authentication process for authenticating the validity of the USB token 2 itself and a personal authentication process for authenticating that the USB token 2 is the owner's own USB token 2.

  The encryption unit 36 creates an encryption key using the encrypted user key stored in the memory 12 of the USB token 2 and the salt data that is unique information, and uses the encryption key to perform a predetermined encryption. A process for encrypting plaintext data by an algorithm to create ciphertext data, a process for adding salt data to the ciphertext data, and a process for setting the file attribute of the ciphertext file to read-only are performed.

  The encryption unit 36 creates an encryption key by performing an exclusive OR operation (EOR) between the encrypted user key acquired from the USB token 2 and the salt data, and the date and time when the plaintext data encryption process starts Information is converted by a hash function to create salt data. Note that the method of creating the salt data is not limited to the method based on the date / time information. For example, the salt data may be created based on the pseudo random number generated by the pseudo random number generator included in the encryption unit 36. . The salt data is added to the ciphertext data by creating a ciphertext file in which the encryption means 36 has the ciphertext data in the data area and the salt data used for creating the cipher key in the header area. Is called. The file attribute of the ciphertext file is set to read-only when the ciphertext file is created by the encryption unit 36.

  The decryption means 37 encrypts the salt data written in the header area of the ciphertext file by using the ciphertext data and the encrypted user key stored in the memory 12 of the USB token 2. Creates a key, decrypts the ciphertext data of the ciphertext file by a predetermined encryption algorithm using the encryption key, creates plaintext data, and creates a plaintext file having the plaintext data in the data area .

  The file monitoring means 41 is a file attribute change detection process (file attribute change detection means) that detects a change in the file attribute of a data file stored in the personal computer 3 and whose file attribute is set to read-only. ), A monitoring target determination process (monitoring target determination means) for determining whether the data file is a preset monitoring target data file, and the determination that the data file is a monitoring target data file. A file attribute read-only setting process (file attribute read-only setting means) is performed to set the file attribute of the file to read-only again.

  The pop-up monitoring means 42 receives a confirmation judgment request by the confirmation judgment request detection process (confirmation judgment request detection means) for detecting whether or not the confirmation judgment request is made by the confirmation judgment request means 24, and the confirmation judgment request detection process. If it is detected that the data file for which the confirmation determination is requested is a monitoring target data file that is set in advance, a monitoring target determination process (monitoring target determination means), and the monitoring target If it is determined by the determination process that the data file is to be monitored, a file operation stop selection process (file operation stop selection means) for giving a file operation stop instruction to the file operation means 25 is performed.

  The log recording unit 43 records the history information of the plaintext data encryption processing by the encryption unit 36, the history information of the decryption processing of the ciphertext data by the decryption unit 37, and the illegal file operation information, respectively. Based on a predetermined search condition, the recorded content is searched, and the search result is displayed on the display device 3C. The history information and the like are encrypted by the encryption means 26 and stored in the user database 38, and can be decrypted and displayed only by the administrator's USB token 2.

  Next, a series of operations of the data sharing apparatus 1 having the above configuration will be described below.

(USB token authentication)
First, when the OS 20 is activated and the data sharing program 30 is activated and resides in response to the activation of the OS 20 and the connector 14 of the USB token 2 is inserted into the USB slot 3a of the personal computer 3, the USB token connection monitoring is performed. The connection of the USB token 2 is detected by the means 33, and the USB token authentication process is executed by the authentication means 34 of the data sharing program 30.

  FIG. 5 is a flowchart for explaining USB token authentication processing.

  In the USB token authentication process, first, the standard code of the USB token 2 is authenticated. In the standard code authentication, the authentication unit 34 makes a standard code acquisition request to the USB token 2. In response to the standard code acquisition request from the authentication unit 34, the USB token 2 reads the standard code stored in the memory 12 of the USB token 2 and transmits it to the authentication unit 34. The authentication unit 34 determines whether or not the standard code received from the USB token 2 matches the standard standard code preset in the user database of the personal computer 3 (step S101).

  If it is determined that the standard codes do not match (NO in step S101), the USB token is unusable in the data sharing apparatus 1 and the authentication process is canceled and inserted into the personal computer 3. An error message indicating that the USB token cannot be used is displayed on the display device 3C (step S107).

  On the other hand, if it is determined that the standard codes match (YES in step S101), then the shared code is authenticated. In the authentication of the shared code, the authentication unit 34 makes a shared code acquisition request to the USB token 2. In response to the shared code acquisition request from the authentication unit 34, the USB token 2 reads the shared code stored in the memory 12 of the USB token 2 and transmits it to the authentication unit 34.

  The authentication unit 34 determines whether or not the shared code received from the USB token 2 matches the shared code registered in advance in the user database of the personal computer 3 (step S102).

  If it is determined that the shared codes do not match (NO in step S102), the authentication process is canceled as the USB token 2 belongs to another group, and the USB inserted into the personal computer 3 is stopped. An error message indicating that the token 2 cannot be used is displayed on the display device 3C (step S107).

  On the other hand, if it is determined that the shared codes match (YES in step S102), then serial number authentication is performed. In the serial number authentication, the authentication unit 34 makes a serial number acquisition request to the USB token 2. In response to the serial number acquisition request from the authentication unit 34, the USB token 2 reads the serial number stored in the memory 12 of the USB token 2 and transmits it to the authentication unit 34.

  The authentication unit 34 determines whether the serial number acquired from the USB token 2 is registered in the user database (step S103). If the serial number received from the USB token 2 is not registered in the user database 38 (NO in step S103), it is determined whether administrator information is registered (step S105). Whether or not the administrator information is registered is determined based on whether or not the administrator's name and the serial number of the USB token 2 owned by the administrator are registered in the user database 38.

  If the administrator information has already been registered (YES in step S105), the serial number of the USB token 2 is different from the serial number of the administrator USB token 2, so that it is not the administrator USB token 2, and Since it is an unregistered serial number in the user database 38, the authentication process is canceled as an unregistered USB token 2, and an error message indicating that the USB token 2 inserted into the personal computer 3 cannot be used is displayed on the display device 3C. (Step S107).

  If the administrator information is not registered (NO in step S105), the USB token 2 is regarded as the administrator USB token 2, and the administrator registration process by the administrator information registration unit 31 described above is performed. It is executed (step S108).

  On the other hand, when the serial number received from the USB token 2 is registered in the user database 38 (YES in step S103), the process proceeds to the personal authentication process (step S104).

(Personal authentication)
FIG. 6 is a flowchart for explaining the personal authentication process. The authentication unit 34 issues a confirmation code acquisition request to the USB token 2 (step S201), and the USB token 2 confirms the confirmation code stored in the memory 12 of the USB token 2 in response to the confirmation code acquisition request from the authentication unit 34. The code (hash value) is read and transmitted to the authentication means 34. The authentication unit 34 converts the confirmation code (hash value) acquired from the USB token 2 using a hash function (step S202). Therefore, the confirmation code (hash value) after being converted by the hash function is a hash value obtained by converting the original confirmation code twice by the hash function.

  Further, the authentication unit 34 displays a confirmation code input request screen on the display device 3C of the personal computer 3 (step S203). Then, the confirmation code input from the input device 3B is converted by the hash function, and the converted confirmation code (hash value) is further converted again by the hash function (step S204).

  The authentication unit 34 obtains the confirmation code (hash value) obtained from the USB token 2 and converted by the hash function, and the confirmation code (hash value) inputted from the input device 3B and converted twice by the hash function. Value) is the same (step S205).

  If both confirmation codes are the same (YES in step S205), the user is authenticated as the owner of the USB token 2, and the data stored in the storage means in the personal computer 3 is encrypted and decrypted. A permission flag for permitting conversion is set (step S206).

  On the other hand, if the two confirmation codes (hash values) are not the same (NO in step S205), whether or not the number of errors that have determined that the confirmation codes do not match is equal to or greater than a preset upper limit number n (for example, three times). Is determined (step S207). Here, if the number of errors is equal to or greater than the upper limit number n (YES in step S207), the person who entered the confirmation code from the input device 23 is considered not to be the owner of the USB token 2 and is authorized by the USB token. Processing for prohibiting flag setting is performed (step S210).

  If the number of errors is smaller than the upper limit number n (NO in step S207), 1 is added to the number of errors (step S208), and a confirmation code input error and the number of errors after the addition are displayed. An error message is displayed on the display device 3C (step S209), and the input of the confirmation code is requested again.

(Encryption processing)
FIG. 7 is a flowchart for explaining an encryption processing method by the encryption means 36. When receiving the input of the encryption instruction specifying the plain text data desired to be encrypted (step S301), the encryption unit 36 determines whether or not the permission flag is set by the authentication unit 34 (step S302). Note that the encryption instruction is performed by moving the cursor over the plain text file on the screen of the display device 3C and selecting the encryption from the menu displayed by right-clicking the mouse, This can be done by dragging and dropping a plain text file on the encryption icon displayed on the desktop screen.

  If the permission flag is not set (NO in step S302), the encryption process is terminated (step S308), and an error message indicating that the personal authentication is not authenticated is displayed on the display device 3C (step S308). S309).

  On the other hand, if the permission flag is set (YES in step S302), an encrypted user key is acquired from the USB token 2. The encryption unit 36 makes an encryption user key acquisition request to the USB token 2, and the USB token 2 is stored in the memory 12 of the USB token 2 in response to the encryption user key acquisition request from the encryption unit 36. The encrypted user key is read and transmitted to the encryption means 36.

  When the encryption means 36 receives and acquires the encrypted user key from the USB token 2, the encryption means 36 creates salt data (step S304), and creates an encryption key based on the salt data and the encrypted user key (step S305). ), Using the encryption key, the plaintext data of the plaintext file is encrypted by a predetermined encryption algorithm to create ciphertext data (step S306).

  The encryption means 36 includes a pseudo-random number generator, generates a pseudo-random number by the pseudo-random number generator based on the encryption key, and performs an exclusive OR operation on the pseudo-random number and the plaintext data. Create Since the generation of the pseudo random number and the exclusive OR operation are performed by the personal computer 3, the ciphertext data can be quickly generated without being affected by the communication time between the personal computer 3 and the USB token 2. Can do.

  Then, the created ciphertext data is written in the data area of the encrypted file, and the salt data used for creating the encryption key is written in the header area of the encrypted file to create an encrypted file (step S307).

(Decryption process)
FIG. 8 is a flowchart for explaining a method of decryption processing by the decryption means 37. When receiving the input of the decryption instruction specifying the ciphertext data desired to be decrypted (step S401), the decryption means 37 determines whether or not the permission flag is set by the authentication means 34 (step S402). . The decryption instruction method is the same as the encryption instruction method, and the description thereof is omitted.

  If the permission flag is not set (NO in step S402), the decryption process is terminated (step S408), and an error message indicating that the personal authentication is not authenticated is displayed on the display device 3C ( Step S409).

  On the other hand, if the permission flag is set (YES in step S402), an encrypted user key is acquired from the USB token 2. The decryption means 37 makes an encrypted user key acquisition request to the USB token 2, and the USB token 2 is stored in the memory 12 of the USB token 2 in response to the encrypted user key acquisition request from the decryption means 37. The encrypted user key is read and transmitted to the decryption means 37.

  When the decrypting means 37 receives and obtains the encrypted user key from the USB token 2, the decrypting means 37 extracts salt data from the header area of the ciphertext file (step S404), and obtains an encryption key for decrypting the ciphertext data. Create (step S405).

  The encryption key is created by performing an exclusive OR operation (EOR) on the encrypted user key acquired from the USB token 2 and the salt data extracted from the header area of the ciphertext file.

  Therefore, even if the USB token 2 is different in at least one of the serial number and the confirmation code, in other words, even if the USB token 2 is different from the USB token 2 used for encryption, if the encrypted user key is the same, the encryption is not performed. An encryption key identical to the used encryption key can be created.

  If the shared code of the USB token 2 used for encryption and the shared code of the USB token 2 used for decryption are not the same, the permission flag is not set, so an encryption key is created with a different encrypted user key. Thus, it is possible to prevent the decryption process from being performed with the encryption key.

  When the decryption means 37 creates the encryption key, the decryption means 37 decrypts the ciphertext data of the ciphertext file using a predetermined encryption algorithm using the encryption key to create plaintext data (step S406).

  The decryption means 37 includes a pseudo-random number generator, generates a pseudo-random number by the pseudo-random number generator based on the encryption key, and performs an exclusive OR operation on the pseudo-random number and the ciphertext data to obtain plaintext data. Create Then, the plain text data is written into the data area of the plain text file to create a plain text file (step S407).

(File monitoring process and popup monitoring process)
FIG. 9 is a flowchart for explaining the file monitoring process, and FIG. 10 is a flowchart for explaining the pop-up monitoring process.

  Upon receiving the attribute change event input from the attribute change event output means 22 (YES in step S501), the file monitoring means 41 sets whether or not the data file is a ciphertext file (step S502) and sets a permission flag. It is determined whether or not (step S503).

  If it is determined that the data file is a ciphertext file (YES in step S502) and the permission flag is not set (NO in step S503), the data file is a monitoring target whose file attribute is set to read-only. It is determined that the process of changing the file attribute and releasing the read attribute when the personal authentication is not authenticated is an illegal operation on the monitored data file, and the file attribute of the data file is changed. A file attribute read-only setting process for setting to read-only is performed (step S504).

  Thus, for example, when the read-only attribute of the file is forcibly released by an application program such as an editor for the purpose of overwriting and saving the ciphertext file, the file attribute is changed to read-only again. Therefore, when the personal authentication is unauthenticated, the ciphertext file that is a specific data file can be prevented from being overwritten, and the ciphertext file can be prevented from being falsified.

  On the other hand, if the data file is not a ciphertext file (NO in step S502), or if the USB token 2 is at least one authenticated as being owned by the owner (YES in step S503), File attribute read-only setting processing is not performed. Therefore, in such a case, the read-only ciphertext file can be canceled by the application program.

  When the file attribute read-only setting process is performed by the file monitoring unit 41, the information is recorded in the user database 38 as history information by the log recording unit 43 (step S505).

  When the pop-up monitoring unit 42 detects execution of the confirmation window pop-up display processing by the confirmation determination requesting unit 24 (YES in step S601), whether the data file is a ciphertext file (step S602) and the permission flag is set. It is determined whether it is set (step S603).

  If it is determined that the data file is a ciphertext file (YES in step S602) and the permission flag is not set (NO in step S603), the data file is a data file to be monitored, and the personal authentication is performed. A predetermined file operation when unauthenticated is determined to be an illegal operation for the data file to be monitored, and a file operation stop selection process for giving an instruction to stop the file operation to the file operation means 25 is performed (step S604).

  Thus, for example, when a file operation for deleting a ciphertext file is set, a process for selecting a file operation cancel selection button is performed, and the deletion of the data file by the file operation means 25 is cancelled. As a result, when the personal authentication is unauthenticated, it is possible to prevent a predetermined file operation on the ciphertext file, that is, deletion, movement, and change of the file name of the ciphertext file, and to prevent alteration of the ciphertext file.

  On the other hand, if the data file is not a ciphertext file (NO in step S602), or if the USB token 2 is authenticated as being owned by the owner (YES in step S603), File operation cancel selection processing is not performed. Therefore, in such a case, the ciphertext file can be deleted, moved, or renamed.

  When the file operation stop selection process is performed by the pop-up monitoring unit 42, the information is recorded in the user database 38 as history information by the log recording unit 43 (step S605).

  FIG. 11 shows an example of a log screen displayed on the display device 3 </ b> C by the log recording means 43. The log recording means 43 stores the user name, date, time, action, status, and resource that accessed the ciphertext file in the user database 38 in association with each other as history information. Then, by connecting the administrator USB token 2 to the personal computer 3 and searching the user database 38 based on these six types of search conditions, the search results can be displayed in a tabular format on the log screen. .

  For example, when a file attribute read-only setting process or a file operation stop selection process is performed, the date and time when these processes were performed are displayed, and “illegal” is displayed as the action in the action. In the status, “Change attribute” is displayed as an illegal file operation in the case of file attribute read-only setting processing, and “Delete”, “Move”, “Change file name” in the case of file operation stop selection processing. And the file name of the file on which these processes have been performed is displayed in the resource.

  According to the data sharing apparatus 1 having the above configuration, when an operation for canceling read-only operation is performed on a data file to be monitored, the file monitoring unit 41 sets the file attribute of the data file to read-only again. Processing to set is performed. Therefore, when the personal authentication is unauthenticated, the file content of the ciphertext file can be prevented from being changed, and the ciphertext file can be prevented from being falsified.

  Further, when a file operation such as movement, deletion, or file name change is set for a monitoring target data file, the pop-up monitoring means 42 performs processing for canceling the file operation. Therefore, when the personal authentication is unauthenticated, it is possible to prevent the ciphertext file from being deleted, moved, or renamed, and to be falsified.

  Also, according to the data sharing apparatus 1 having the above configuration, the encryption unit 36 creates unique salt data, and creates an encryption key using the salt data and the encrypted user key read from the USB token 2. Then, the plaintext data is encrypted using the encryption key to create ciphertext data. Then, the salt data used to create the encryption key is written in the header area of the encryption file and added to the ciphertext data.

  As a result, the encryption key used for encrypting plaintext data can be made different for each ciphertext data, and ciphertext data that is stronger than ciphertext data encrypted using the same encryption key is created. It is possible to increase the difficulty of decrypting the ciphertext data.

  Then, the decryption means 37 extracts the salt data from the header area of the ciphertext file, creates an encryption key using the extracted salt data and the encrypted user key read from the electronic key, and uses the encryption key as the encryption key. The decrypted ciphertext data is used to create plaintext data.

  Therefore, if the USB token 2 belongs to the same group with the same encrypted user key, even if the USB token 2 is different from the USB token 2 used for encryption, the USB token authentication and the personal authentication are used as conditions. An encryption key identical to the encryption key used to create the ciphertext data can be created, and plaintext data can be created by decrypting the ciphertext data.

  In addition, the encryption key created by the encryption means 36 and the decryption means 37 and the encrypted user key necessary for creating the encryption key are not stored in the personal computer 3, so the key by analysis of the personal computer 3 or the like Information leakage can be prevented, decryption of ciphertext data can be prevented, and high security can be achieved.

  Since the encryption process and the decryption process are performed on the personal computer 3 side, the communication speed between the personal computer 3 and the USB token 2 does not become a bottleneck, and the overall throughput of the data sharing apparatus 1 is improved. be able to.

  Further, according to the data sharing apparatus 1 described above, the shared code and serial number stored in advance in the user database 27 coincide with the shared code and serial number read from the USB token 2 and are input to the personal computer 3. When the confirmation code matches the confirmation code read from the USB token 2, the encryption and decryption of the data by the encryption unit 36 and the decryption unit 37 is permitted.

  Therefore, when the shared code stored in the personal computer 3 and the shared code stored in the USB token 2 do not match, the serial number stored in the personal computer 3 and the USB token 2 are stored in advance. When the serial number does not match, or when the confirmation code input to the personal computer 3 and the confirmation code stored in the USB token 2 do not match, or when at least one of the above three conditions does not match Cannot encrypt and decrypt data.

  Therefore, a decryption process is executed by the USB token 2 having a shared code and serial number different from the shared code and serial number stored in advance in the personal computer 3, or a confirmation code different from the confirmation code stored in the USB token 2 Can be prevented from being executed when the password is input to the personal computer 3.

  Further, according to the data sharing apparatus 1, the memory 12 of the USB token 2 stores a hash value obtained by converting the confirmation code by the hash function, and the authentication unit 34 of the personal computer 3 stores the hash value in the personal computer 3. If the hash value of the confirmation code input and converted twice by the hash function matches the hash value of the confirmation code read from the USB token 2 and converted once by the hash function, the data encryption Since the encryption and decryption are permitted, the confirmation code can be stored in the memory 12 of the USB token 2 as it is, rather than being stored as it is, and the difficulty in decrypting the ciphertext data can be increased. .

  The present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the spirit of the present invention. For example, in the above-described embodiment, the authentication unit 34 performs both the USB token authentication using the shared code and the serial number and the personal authentication using the confirmation code. However, only one of them may be performed.

  In the above-described embodiment, the case where the file monitoring unit 41 and the pop-up monitoring unit 42 are incorporated in the data sharing apparatus 1 based on a plurality of USB tokens 2 has been described as an example. 2 may be used for an encryption device and a decryption device. In the above-described embodiment, the ciphertext file has been described as an example of the specific data file. However, an unencrypted data file may be used.

It is a figure explaining the structure of the data sharing apparatus concerning this Embodiment. It is a block diagram explaining the function implement | achieved in a personal computer. It is a figure explaining the structure of the user data produced in a user database. An example of a user information registration screen is shown. It is a flowchart explaining a USB token authentication process. It is a flowchart explaining a personal authentication process. It is a flowchart explaining the method of the encryption process by an encryption means. It is a flowchart explaining the method of the decoding process by a decoding means. It is a flowchart explaining a file monitoring process. It is a flowchart explaining a pop-up monitoring process. An example of a log screen is shown.

Explanation of symbols

1 Data sharing device (data file monitoring device)
2 USB token 3 Personal computer (information processing device)
12 Memory (memory means)
20 OS
21 File content change prohibition means 22 Attribute change event output means 23 File operation setting means 24 Confirmation determination request means 25 File operation means 31 Administrator information registration means 32 User information registration means 33 USB token connection monitoring means 34 Authentication means 36 Encryption means 37 Decoding means 38 User database 41 File monitoring means 42 Pop-up monitoring means 43 Log recording means

Claims (2)

Data file storage means for storing data files;
Among the data files stored in the data file storage means, for data files whose file attributes are set to read-only, file content change prohibiting means for prohibiting change of the file contents of the data file;
A file attribute change detection means for detecting a change in the file attribute of a data file stored in the data file storage means and having a file attribute set to read-only;
Monitoring target determination means for determining whether or not the data file whose file attribute change has been detected by the file attribute change detection means is a preset monitoring target data file;
And a file attribute read-only setting unit that sets the file attribute of the data file to read-only again when the monitoring object determination unit determines that the data file is the data file to be monitored. Data file monitoring device. Data file storage means for storing data files;
Among the data files stored in the data file storage means, for data files whose file attributes are set to read-only, file content change prohibiting means for prohibiting change of the file contents of the data file;
A file operation setting means for specifying a data file and setting a file operation for the specified data file;
It is determined whether or not the file attribute of the data file specified by the file operation setting means is set to read-only, and whether or not the file operation is executed or stopped is determined based on the determination that the file attribute is set to read-only. Confirmation judgment request means for requesting,
In response to the confirmation determination request from the confirmation determination request means, a file operation means is executed when the file operation execution instruction is given, and the file operation is stopped when the file operation stop instruction is given. When,
Confirmation determination request detection means for detecting whether confirmation determination request is made by the confirmation determination request means;
By detecting that the confirmation determination request is detected by the confirmation determination request detection means, it is determined whether the data file for which the confirmation determination is requested is a preset data file to be monitored. Monitoring object judgment means,
And a file operation stop selection means for giving the file operation stop instruction to the file operation means when the monitoring object determination means determines that the data file is the data file to be monitored. Data file monitoring device.

Images