JP2007336441A - Computer data protection system by encryption - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a means for preventing information from being stolen even when a physical key and a personal computer are stolen at the same time in a system wherein a physical key for permitting use of a software program for encryption/decryption is provided in addition to use of a physical key and encryption/decryption of data for taking countermeasures against leakage, missing or a theft of confidential data such as personal information. <P>SOLUTION: The means above disclosed herein is a data encryption/decryption system comprising an encryption/decryption program, a computer for installing the program, an external connection element to the computer for permitting the decryption of the program, and a program for providing a decryption operation permission right to the external connection element. Entry of decryption operation permission password of the encryption/decryption program can be requested, entry of connection of the external connection element to the computer for installing the right provision program or entry of the connection and right provision program operation permission password can be requested. Various conditions can be provided to a decryption operation permission key. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a computer data protection system for preventing leakage and theft of data stored in various storage media such as a hard disk, DVD (registered trademark), and CD (registered trademark) used in a computer such as a personal computer.

  In recent years, management of confidential data such as personal information has become important, and measures against leakage and loss and theft measures have become important. In particular, management of data stored in a large-capacity storage medium such as a hard disk in a personal computer (hereinafter referred to as a personal computer) or a portable hard disk is regarded as important.

  One of the methods widely used for such security measures is the use of a physical key (physical key). This is because a physical key is given to the external connection element connected from the outside to the personal computer body, and the personal computer can be operated only when this physical key is connected to the personal computer. is there. However, with this method, there is a problem that the physical key must be removed every time the user leaves the personal computer, and the physical key must be connected every time it is reused. In addition, if the PC and key are stolen together, there is a problem that the data inside the PC is not secured. Further, when the user loses the key, the personal computer itself cannot be used, which is very inconvenient.

  Another common security measure for computer data is data encryption / decryption. Famous encryption and decryption techniques are common key cryptography and public key cryptography. The common key cryptography is a method in which encryption and decryption are performed using the same key when an encryption person and a decryption person perform respective operations. Public key cryptography, on the other hand, is a method of encryption and decryption using a pair of a private key and a public key. Data encrypted with one of the keys does not use the other key. And cannot be decrypted. (See JP 2001-308443 A.)

  In general, encryption and decryption are performed by generating random numbers from a certain arithmetic process or combination of functions by software in a computer, and performing encryption and decryption based on the random numbers. Such random numbers are called pseudo-random numbers, and regularity for generation remains. Therefore, the random number generation method can be estimated and there is a problem with robustness. In order to solve such a problem of robustness, an encryption / decryption system using a physical random number generator that generates a random number by a physical variation outside the computer, for example, thermal noise or vibration, in a mechanism for generating a random number, An encryption / decryption system using pseudorandom numbers using a chaotic neural network has been devised. (See JP-A-2005-173197, JP-A-2003-76272, and JP-A-2001-144746.)

  However, even if the data is encrypted, if the decryption program is always usable on the same personal computer, if the personal computer itself is stolen, information is stolen. Therefore, a system having a physical key for giving permission to use software for encryption and decryption is commercially available. Even in this system, an external connection element connected from the outside to the personal computer main body is used as the physical key, and encryption and decryption are possible only when this physical key is connected to the personal computer. This method is more convenient than a method in which the personal computer itself is locked using a physical key because functions other than the encryption and decryption functions can be used without a key. Even if the personal computer itself is stolen, if data with high confidentiality is encrypted, it cannot be decrypted without a physical key, so that information leakage can be prevented.

  However, even in such a system, if the physical key and the PC are stolen at the same time, for example, if the PC is stolen while the physical key is connected while using the PC on the go. Has the disadvantage of not being able to protect the information.

JP 2001-308443 A JP 2005-173197 A JP 2003-76272 A JP 2001-144746 A

  In view of the above situation, the present invention makes it easy even if a personal computer and a physical key are stolen together in the physical key for an encryption / decryption program when the personal computer is stolen. Provides a means to prevent information from being retrieved.

  The present invention is a system for encrypting or decrypting files and data stored in a storage medium, and a program for performing the encryption and decryption (hereinafter referred to as an encryption / decryption program). A computer (hereinafter referred to as an encryption / decryption computer) in which the encryption / decryption program is installed (a process for introducing the program into a computer; the same applies hereinafter) and the decryption operation of the encryption / decryption program External connection element (hereinafter referred to as encryption / decryption program operation permission key) to the encryption / decryption computer that plays the role of permission key, and authorization as a key to the encryption / decryption program operation permission key The encryption is characterized in that it is constituted by a program that performs the following (hereinafter referred to as an authorization program). It is by computer data protection system.

  In the present invention, in addition to the first feature, an external connection element (hereinafter referred to as an authorization program operation permission key) that plays the role of a key for permission of the authorization operation is used in the authorization program. A computer data protection system using encryption characterized in that the above-mentioned authorization operation can be performed by being connected to a computer (hereinafter referred to as an authorization computer) in which an authorization program is installed. .

  In addition to the second feature, the present invention is configured such that the authorization program operation permission key is connected to the authorization computer when the authorization program requests the activation program during start-up or operation. This is a computer data protection system using encryption characterized by the third feature.

  According to the present invention, in addition to the second or third feature, the privilege grant program is configured to connect the privilege grant program operation permission key to the privilege grant computer and input the privilege grant program operation permission password. A computer data protection system using encryption, characterized in that the authorization operation can be performed.

  In addition to the first feature, the present invention provides the encryption / decryption program operation permission key when the encryption / decryption program requests the activation / deactivation of the encryption / decryption program. A computer data protection system using encryption characterized by being connected to an encryption / decryption computer.

  In addition to the connection of the encryption / decryption program operation permission key to the encryption / decryption computer, the present invention, in addition to the first or fifth feature, by inputting the encryption / decryption program operation permission password, According to a sixth aspect of the computer data protection system using encryption, the decryption operation of the encryption / decryption program can be performed.

  In addition to any one of the first to sixth features, the present invention sets an upper limit on the number of times the authority granting program performs decryption on the encryption / decryption program operation permission key. When the number of times reaches the upper limit, the computer data protection system by encryption is characterized by having a function of not permitting decryption thereafter.

  According to the present invention, in addition to any one of the first to sixth features, the authority granting program imposes a time restriction that can be performed on the encryption / decryption program operation permission key to perform decryption. An eighth feature of the computer data protection system using encryption is that it has a function that does not permit decryption during a period set as being incapable of being implemented.

  According to the present invention, in addition to the sixth feature, the authority granting program sets an upper limit of an allowable number of input mistakes of the encryption / decryption program operation permission password for the encryption / decryption program operation permission key. A ninth feature of the computer data protection system by encryption is that it has a function of not permitting decryption when a password input error exceeding the upper limit occurs.

  According to the tenth aspect of the present invention, in addition to any one of the first to ninth features, the authority granting program can invalidate an authority as a key of the encryption / decryption program operation permission key. This is a computer data protection system using encryption.

  According to the present invention, in addition to any one of the seventh to tenth features, the authority granting program grants the authority to permit decryption to the encryption / decryption program operation permission key that cannot be decrypted. An encryption computer data protection system according to an eleventh feature that can be provided.

  The encryption / decryption program operation permission key and the authorization program operation permission key include an external element connected via a USB (Universal Serial Bus) (registered trademark) compliant connector, an infrared communication device, and SD (Secure Digital) (registered trademark). , IEEE 1394, PC Card (registered trademark), COMPACTFLASH (registered trademark), Smart Media (registered trademark), MEMORY STICK (registered trademark), xD-Picture Card (registered trademark), FeliCa (registered trademark), ISO / IEC IS 18092 Alternatively, a Bluetooth (registered trademark) compliant device or the like is used.

  According to the first feature of the present invention, when there is a high risk of the personal computer being stolen, such as when going out with a personal computer, the personal computer goes out with the encryption / decryption program operation permission key K1 and performs encryption / decryption. Data theft can be prevented by restricting the authority that can be decrypted by the authority grant program P2 for the program operation permission key K1.

  According to the second feature of the present invention, without the authorization program operation permission key K2, the restriction on the encryption / decryption program operation permission key K1 cannot be changed. Data theft can be prevented even if the program operation permission key K1 and the personal computer are stolen at the same time.

  According to the third feature of the present invention, without the authorization program operation permission key K2, the restriction on the encryption / decryption program operation permission key K1 cannot be changed. Data theft can be prevented even if the program operation permission key K1 and the personal computer are stolen at the same time.

  According to the fourth aspect of the present invention, the number of people who know the authorized program operation permission password W2 can be limited, and thus the number of people who can use the authorized program operation permission key K2 (for example, the administrator) is limited. Since the right to grant authority to the encryption / decryption program operation permission key K1 can be given only to a specific person, the data management within the company, the group within the company, or the organization is efficiently performed. Can do. In addition, even if all of the encryption / decryption program operation permission key K1, the authorization program operation permission key K2, and the personal computer are stolen at the same time, security can be maintained.

  According to the fifth aspect of the present invention, the encryption / decryption program operation permission key K1 can be provided without the encryption / decryption. Therefore, even if the personal computer is stolen, Theft can be prevented.

  According to the sixth feature of the present invention, security can be maintained even if both the encryption / decryption program operation permission key K1 and the personal computer are stolen at the same time.

  According to the seventh feature of the present invention, even if both the encryption / decryption program operation permission key K1 and the personal computer are stolen at the same time, since the decryption can be performed only up to the set upper limit number of times, the data theft is minimized. To the limit.

  According to the eighth feature of the present invention, even if both the encryption / decryption program operation permission key K1 and the personal computer are stolen at the same time, the data cannot be stolen because the decryption cannot be performed after the time limit has passed. Can be minimized.

  According to the ninth feature of the present invention, even if both the encryption / decryption program operation permission key K1 and the personal computer are stolen at the same time, the encryption decryption program operation permission password W1 is missed more than the specified number of times. If this happens, data can not be decrypted, and data theft can be minimized.

  According to the tenth feature of the present invention, the encryption / decryption program operation permission key K1 is invalid when there is a very high risk of theft or when it is absolutely necessary to take highly confidential data or information into a personal computer. Therefore, even if both the encryption / decryption program operation permission key K1 and the personal computer are stolen at the same time, the data cannot be stolen because it cannot be decrypted.

  According to the eleventh feature of the present invention, data and information can be extracted again by enabling the encryption / decryption program operation permission key K1 when it becomes necessary to decrypt the data. Furthermore, with this function, decryption cannot be permitted due to the upper limit of the number of times of decryption, the time limit that can be decrypted, and the limit of the number of password input mistakes. Since the encryption / decryption program operation permission key K1 that has been invalidated as a key can be re-enabled, the convenience of using the encryption / decryption program operation permission key K1 can be improved.

  The encryption / decryption program operation permission key K1 and the authorization program operation permission key K2 include an external element, an infrared communication device, and an SD (Secure Digital) (registered) connected by a USB (Universal Serial Bus) (registered trademark) compliant connector. Trademark), IEEE 1394, PC Card (registered trademark), COMPACTFLASH (registered trademark), Smart Media (registered trademark), MEMORY STICK (registered trademark), xD-Picture Card (registered trademark), FeliCa (registered trademark), ISO / IEC If a device conforming to IS 18092 or Bluetooth (registered trademark) is used, the encryption / decryption program operation permission key K1 and the authorization program operation permission key K2 can be easily carried. Can, it is possible to improve the convenience.

  Examples of the present invention will be described below.

  Examples of the present invention are shown below. The encryption / decryption computer C1 is a notebook personal computer that is easy to carry, and the encryption / decryption computer C1 is installed with a program P1 for performing encryption / decryption. The encryption / decryption program P1 of this embodiment performs encryption and decryption by an encryption / decryption system using pseudorandom numbers using a chaotic neural network.

  FIG. 1 is a schematic system configuration diagram of an embodiment of the present invention. Referring to FIG. 1, the present embodiment is an encryption / decryption computer C1, an encryption / decryption program operation permission key K1, an encryption / decryption program operation permission password W1 (not shown), an authorization computer C2, and an authorization. It consists of a program operation permission key K2 and an authorized program operation permission password W2 (not shown). The encryption / decryption computer C1 is installed with an encryption / decryption program P1 and operates on the computer. The encryption / decryption program operation permission key K1 is an external connection element having a USB (UNIVERSAL SERIAL BUS) (registered trademark) connector or the like, and an external element connection portion (connection) such as a USB (UNIVERSAL SERIAL BUS) (registered trademark) connector or the like. Port) is detachably connected to the encryption / decryption computer C1. When the encryption / decryption program operation permission password W1 is obtained from the encryption / decryption program P1, the input device such as a keyboard connected to the encryption / decryption computer C1 (in addition to the keyboard as the input device, Input buttons, a mouse, etc. can be used. An authorization program P2 is installed in the authorization computer C2, and operates on the computer. The encryption / decryption program operation permission key K1 and the authorization program operation permission key K2 are external connection elements including a USB (universal SERIAL BUS) (registered trademark) connector or the like, and a USB (universal SERIAL BUS) (registered trademark) connector. Are connected so as to be removable. The authorization program operation permission password W2 is input from an input device such as a keyboard connected to the authorization computer C2 when it is obtained from the authorization program P2.

  In order to operate the decryption by the encryption / decryption program P1, that is, to return the encrypted file to the original file, the encryption / decryption program operation permission key K1 is connected to the encryption / decryption computer C1. There is a need. Furthermore, in order to operate the decryption by the encryption / decryption program P1, the password W1 is set to be input. On the other hand, the authority granting computer C2 is given a role as a key for permitting the operation of the encryption / decryption program P1 to the encryption / decryption program operation permission key K1, that is, the authority as a key is given. An authorization program P2 is installed. The encryption / decryption program operation permission key K1 is attached to the authority granting computer C2, and the authority grant program P2 grants the authority to grant the operation permission of the encryption / decryption program P1 to the encryption / decryption program operation permission key K1.

  At this time, the authority grant program P2 can assign various conditions to the authority as a key to be given to the encryption / decryption program operation permission key K1. Specifically, there are an upper limit of the number of times that decryption can be performed, a limit of a time zone during which decryption can be performed, and a limit of the number of erroneous inputs of the password W1 for enabling the encryption / decryption program P1. Also, the authority granting program P2 can unconditionally invalidate the encryption / decryption program operation permission key K1, and can also cancel the invalidation state of the invalidated encryption / decryption program operation permission key K1. .

  For example, when the encryption / decryption computer C1 is extremely unlikely to be stolen, and the stationary user uses the encryption / decryption program P1 as a daily work, the encryption / decryption program operation permission key K1 is used. Can be decrypted at any time, that is, by giving the authority that the encryption / decryption program operation permission key K1 is valid as a key at any time, the encryption / decryption program P1 can be used without stress. When the minimum necessary decryption is permitted, such as when the encryption / decryption computer C1 is lent to an external person, the decryption can be performed only the minimum necessary number of times by the encryption / decryption program operation permission key K1. By giving the operation permission with the above conditions, the effect of prohibiting the taking out of unexpected data can be obtained. If the encryption / decryption program operation permission key K1 is given a restriction on the time that can be used as a key, decryption outside the set time can be prohibited, so that the effect of prohibiting unexpected data export can be obtained. When the possibility of theft is very high, such as when the computer P1 is taken outside on a business trip or the like, data theft can be prevented by placing many restrictions on the authority given to the encryption / decryption program operation permission key K1. it can. For example, if the encryption / decryption program operation permission key K1 is limited in number so that important data required during a business trip can be decrypted only once, it should be encrypted with the encryption / decryption computer C1. Even if the decryption program operation permission key K1 is stolen together, the damage of data theft can be minimized. In addition, a time for using the encryption / decryption program P1 is set in advance, and the information is input to the encryption / decryption program operation permission key K1 to limit the authority of the encryption / decryption program operation permission key K1. Therefore, the damage of data theft can be suppressed. For example, when confidential data used in a meeting or the like is stored in the encryption / decryption computer C1 and carried, if the meeting time is from 1 pm to 3 pm on a specific day, this time of the day If the encryption / decryption program operation permission key K1 is given authority with the condition that decryption is possible only within the encryption / decryption computer C1 and the encryption / decryption computer C1 Even if the encryption program operation permission key K1 is stolen, decryption is not permitted, that is, the encryption / decryption program operation permission key K1 does not already have the authority as a key, so there is no fear of data being stolen. When the upper limit of the number of erroneous input of the encryption / decryption program operation permission password W1 is set and the password W1 is erroneously input a certain number of times, the subsequent decryption operation is not permitted, that is, the encryption / decryption program operation is permitted. By giving the encryption / decryption program operation permission key K1 a restriction that the key K1 is invalidated, it is possible to prevent data theft more firmly. Some data must be carried in the encryption / decryption computer C1, but if there is no particular plan to use the data itself, the encryption / decryption program operation permission key K1 is invalidated by the authorization program P2. You can do it. If the decryption cannot be performed due to the above-mentioned number limit, time limit, or incorrect password limit, that is, if the encryption / decryption program operation permission key K1 becomes invalid, the authorization computer is re-enabled. It can be used again as a key of the encryption / decryption program P1 by attaching it to C2 and granting authority by the authority granting program P2.

  In order to authorize the authority granting operation of the authority granting program P2, it is desirable to prepare an authority granting program operation permission key K2, which is an external connection element to the authority granting computer C2, as shown in FIG. Further, in order to permit the operation of granting authority, it is set so as to require the input of the grant program operation permission password W2.

  FIG. 2 is a schematic system configuration diagram of the authorization computer C2 in the second embodiment of the present invention. The description of FIG. 1 is valid as it is for portions other than the authorization computer C2. In the embodiment in FIG. 1, the encryption / decryption program operation permission key K1 and the authority program operation permission key K2 are separately connected to the two external element connection portions (connection ports) in the authority computer C2. Then, the authority granting program operation permission key K2 has a connection part to which the encryption / decryption program operation permission key K1 can be attached, and the encryption / decryption program operation permission key K1 is authorized via the authority granting program operation permission key K2. It is configured to connect to the grant computer C2. The setting relating to the authority given to the encryption / decryption program operation permission key K1 is changed only when the encryption / decryption program operation permission key K1 is connected to the authority computer C2 via the authority program operation permission key K2. By making it possible, security can be further improved. It should be noted that the encryption / decryption program operation permission key K1 includes a connection part to which the authority granting program operation permission key K2 can be attached, and the authority granting program operation permission key K2 is authorized through the encryption / decryption program operation permission key K1. It may be configured to be connected to the computer C2, that is, in FIG. 2, K1 and K2 may be arranged in reverse.

  FIG. 3 is a schematic system configuration diagram of the authorization computer C2 in the third embodiment of the present invention. The description of FIG. 1 is valid as it is for portions other than the authorization computer C2. In FIG. 3, as a modified example different from FIGS. 1 and 2, the authorization program operation permission key K <b> 2 is a large device. The encryption / decryption program operation permission key K1 is preferably small so that it can be carried, and the authorization program operation permission key K2 is preferably small from the viewpoint of storage. However, since there is a risk of being stolen easily if the size is reduced, the authority granting program operation permission key K2 is set to a device that can be placed on a table and is fixed with a chain or the like. As a result, theft can be prevented.

  FIG. 4 is a schematic system configuration diagram of the authorization computer C2 in the fourth embodiment of the present invention. The description of FIG. 1 is valid as it is for portions other than the authorization computer C2. In FIG. 4, as a modified example different from those of FIGS. 1, 2, and 3, the authority grant program operation permission key K <b> 2 itself incorporates the authority grant program P <b> 2 and the authority grant program P <b> 2 operating device. By configuring in this way, the authorization computer C2 is not necessary, and this system can be used at low cost.

  FIG. 5 is a schematic system configuration diagram of the fifth embodiment of the present invention. Referring to FIG. 5, in this embodiment, the encryption / decryption computer C1, the encryption / decryption program operation permission key K1, the encryption / decryption program operation permission password W1 (not shown), and the authorization program operation permission key K2 are described. And an authorization program operation permission password W2 (not shown). The encryption / decryption computer C1 is installed with an encryption / decryption program P1 and an authorization program P2, and operates on the computer. The encryption / decryption program operation permission key K1 and the authorization program operation permission key K2 are external connection elements including a USB (universal SERIAL BUS) (registered trademark) connector and the like, and a USB (universal SERIAL BUS) (registered trademark) connector. It connects so that it can attach or detach to the encryption / decryption computer C1 provided with external element connection parts. In FIG. 5, the encryption / decryption program operation permission key K1 and the authority grant program operation permission key K2 are connected to different connection units. However, as shown in FIG. The permission key K1 may be connected to the encryption / decryption computer C1 via the authorization program operation permission key K2, and the authorization program operation permission key K2 is connected via the encryption / decryption program operation permission key K1. It may be connected to the encryption / decryption computer C1. The encryption / decryption program operation permission password W1 is input from an input device such as a keyboard connected to the encryption / decryption computer C1 when it is obtained from the encryption / decryption program P1. The authorization program operation permission password W2 is input from an input device such as a keyboard connected to the encryption / decryption computer C1 when it is obtained from the authorization program P2. This embodiment can be said to be a modified example in which the authorization computer C2 may not be used, similar to the embodiment in FIG. In this embodiment, after the authority as the key of the encryption / decryption program P1 is set in the encryption / decryption program operation permission key K1 by the authority program P2, the authority program operation permission key K2 is encrypted / decrypted by the computer. Theft of data can be prevented by removing it from C1 and storing it separately.

  The embodiment shown in FIG. 1 to FIG. 4 is suitable for an organization such as a company where an administrator manages taking out computers, etc., and the embodiment shown in FIG. Suitable for preventing.

  In all the embodiments described above, a certain authorization program operation permission key K2 is effective only for a specific authorization program P2, and a certain authorization program P2 also permits a specific encryption / decryption program operation. Authority can be given only to the key K1, and a certain encryption / decryption program operation permission key K1 is set to be effective only for a specific encryption / decryption program P1. For example, the authorization program operation permission key K2 with serial number 1 is valid only for the authorization program P2 with serial number 1, and is valid as a key for the authorization program P2 with other serial numbers (numbers other than 1). Does not work. The authorization program P2 with the serial number 1 is valid only for the encryption / decryption program operation permission key K1 with the serial number 1, and the encryption / decryption program operation permission key K1 with the serial number 1 is encrypted with the serial number 1. Valid only for the decryption program P1. If not set in this way, for example, when a third party separately obtains the authorization program P2 and the authorization program operation permission key K2 (another authorization program P2 and authorization program operation). When the set of the permission key K2 is purchased, for example, the authority can be given to another encryption / decryption program operation permission key K1 by using this set. Therefore, the encryption / decryption program P1 This is because the data can be encrypted and decrypted.

  However, it can be set so that one key is effective for a plurality of programs and one program is effective for a plurality of keys. For example, the authorization program P2 with the serial number 1 can be set to be effective for the encryption / decryption program operation permission key K1 with the serial numbers 1 to 5. By doing so, a plurality of encryption / decryption program operation permission keys K1 can be collectively managed, which is effective for data management in an organization such as a company.

  As mentioned above, although the structure of the Example of this invention was demonstrated according to FIG. 1 thru | or 5, this invention is not restricted to the above-mentioned case. For example, in this embodiment, an encryption / decryption program using a chaos neural network is used, but any program may be used as the encryption / decryption program. The encryption / decryption computer C1 can be applied to any type of personal computer, such as a desktop computer, in addition to a notebook computer. The encryption / decryption program operation permission key K1 and the authority grant program operation permission key K2 may be any elements as long as they can be externally connected to the personal computer. For example, an external element connected by a USB (Universal Serial Bus) (registered trademark) compliant connector, an infrared communication device, SD (Secure Digital) (registered trademark), IEEE 1394, PC Card (registered trademark), COMPACTFLASH (registered trademark), Smart Media (registered trademark), MEMORY STICK (registered trademark), xD-Picture Card (registered trademark), FeliCa (registered trademark), ISO / IEC IS 18092 or Bluetooth (registered trademark) compliant devices can be used as keys. It is. The password is preferably set in order to ensure safety, but it is not necessary to set the password, and when it is not present, the convenience is improved and the usability is improved.

  Also, when performing the encryption operation using the encryption / decryption program P1, the encryption / decryption program operation permission key K1 and the encryption / decryption program operation permission password are the same as when performing the decryption operation. W1 may be requested. In the above, in the case of performing the encryption operation using the encryption / decryption program P1, the necessity of the encryption / decryption program operation permission key K1 and the encryption / decryption program operation permission password W1 is not particularly mentioned. In terms of security, when performing an encryption operation, an operation permission key and an operation permission password are not required. Rather, it is more convenient and user-friendly if it can be used at any time without using a key or password. However, although the convenience is reduced by the above, it is useful for preventing encryption due to carelessness of the user and preventing encryption due to mischief of others.

  It should be noted that when the encryption / decryption program operation permission key K1 is requested to be connected to the encryption / decryption computer C1 when the encryption operation is performed, the encryption / decryption program operation permission key K1 receives data. A storage function is added to store information related to encrypted data, such as file name, encryption time, file and data size, history of past encryption and decryption, etc. The encrypted information can be managed by separately preparing a program for browsing this information or setting this data to be viewable for the authorization program P2. it can. When the encryption / decryption program operation permission key K1 is not requested to be connected to the encryption / decryption computer C1 during the encryption operation, the encryption is performed and then the encryption / decryption computer C1 is requested. When the encryption / decryption program operation permission key K1 is connected, information related to encrypted data when encryption is performed in advance may be stored in the encryption / decryption program operation permission key K1. By providing such a storage function, an administrator can view information on encrypted data in a plurality of personal computers used by a plurality of users in the organization, so that it is effective for information management in the organization.

  Furthermore, the present invention provides a part of the function for performing encryption and decryption operations on the physical key side in the conventional encryption / decryption system having a physical key as disclosed in Patent Document 2. It can be applied to the system.

  FIG. 6 is a flowchart of the operation permission authentication process of the encryption / decryption program P1 in the embodiment of the present invention. The operation permission authentication process of the encryption / decryption program P1 will be described with reference to FIG. 6. When the encryption / decryption program P1 is executed, the encryption / decryption program operation permission key K1 is externally connected to the encryption / decryption computer C1. Check that it is connected to the unit. If it is not connected, it waits until the connection is confirmed or terminates (in the case of termination, not shown). When the connection is confirmed, the information related to the permission of operation written in the encryption / decryption program operation permission key K1 is read. If the encryption / decryption program operation permission password W1 is set after confirming the operation permission, next, an input of the password is requested and the input is awaited. When the password is input via an input device such as a keyboard, it is confirmed whether the input password is correct as compared with the encryption / decryption program operation permission password W1. If the input password is incorrect, wait for the correct password to be entered. When the upper limit of the number of possible input mistakes for the password W1 is set, the number of password entry mistakes is incremented by 1, and information on the operation permission authority written in the encryption / decryption program operation permission key K1 is read again. Confirm the operation permission again, and if the operation is permitted, request the password again and wait for the input. If the number of password input mistakes exceeds the limit range, the encryption / decryption program P1 is terminated. When a correct password is input, encryption or decryption is performed.

  FIG. 7 is a flowchart of the operation permission authentication process of the second encryption / decryption program P1 in the embodiment of the present invention. The operation permission authentication process of the encryption / decryption program P1 will be described with reference to FIG. 7. When the encryption / decryption program P1 is executed, the encryption / decryption program operation permission key K1 is connected to the external connection of the encryption / decryption computer C1. Check that it is connected to the unit. If it is not connected, it waits until the connection is confirmed or terminates (in the case of termination, not shown). If the connection is confirmed and the encryption / decryption program operation permission password W1 is set, next, input of the password is requested and the input is waited for. When the password is input via an input device such as a keyboard, it is confirmed whether the input password is correct as compared with the encryption / decryption program operation permission password W1. If the input password is incorrect, wait for the correct password to be entered. When the input password is not correct and the upper limit of the number of possible input mistakes for the password W1 is set, 1 is added to the number of password input mistakes, and the process waits until the correct password is input. If the correct password is entered, go to the next step. The encryption / decryption program P1 checks the authority given to the encryption / decryption program operation permission key K1. If the encryption or decryption operation is not possible depending on the given authority, the encryption / decryption program P1 ends as it is. If the authority to encrypt or decrypt is given, encryption or decryption is performed. Note that the order of the connection confirmation of the encryption / decryption program operation permission key K1 and the determination of whether the encryption / decryption program operation permission password W1 is correct may be reversed.

  FIG. 8 is a flowchart of the operation permission authentication process of the authority grant program P2 in the embodiment of the present invention. The operation permission authentication process of the authorization program P2 will be described with reference to FIG. 8. When the authorization program P2 is executed, it is confirmed whether the authorization program operation permission key K2 is connected to the external connection unit of the authorization computer C2. To do. If it is not connected, it waits until the connection is confirmed or terminates (in the case of termination, not shown). If it is connected and the authorization program operation permission password W2 is set, next, input of the password is requested and waiting for input. When the password is input, it is confirmed whether the input password is correct as compared with the authorization program operation permission password W2. If the input password is not correct, the system waits until the correct password is input or terminates (in the case of termination, not shown). If the correct password is entered, go to the next step. The authority grant program P2 accepts input of authority information for the encryption / decryption program operation permission key K1. Then, an operation for granting authority is executed based on the input content via an input device such as a keyboard or a stored storage medium, and an operation for writing information on the authority to the key K1 is executed. Note that the order of the confirmation of the connection of the authorization program operation permission key K2 and the right / wrong determination of the authorization program operation permission password W2 may be reversed. The encryption / decryption program operation permission key K1 is connected to the external connection unit of the authority-giving computer C2 at any stage between the start and the writing of authority information to the encryption / decryption program operation permission key K1. (Not shown).

  FIG. 9 is a block diagram showing the process when the encryption / decryption program operation permission key K1 is set to be used in the data encryption process in the embodiment of the present invention. The data encryption process will be described with reference to FIG. 9. First, the encryption / decryption program P1 confirms whether or not the encryption / decryption program operation permission key K1 is connected. When the connection is confirmed, the information related to the permission of operation written in the encryption / decryption program operation permission key K1 is read. If the encryption / decryption program operation permission password W1 exists after the operation permission confirmation, as shown in FIG. 6, authentication of the password and a password input via an input device such as a keyboard is performed (the foregoing, Operation X). Then, the encryption / decryption program P1 reads the data D1 from the storage medium such as a hard disk drive (HDD) according to the condition of the read authority information, encrypts the encrypted data A1 and the storage medium such as the hard disk drive (HDD). (Or a storage device; the same applies hereinafter). After encryption, the data D1 may be left, but it is desirable to delete it for security. Further, the encrypted data A1 may be overwritten on the data D1. At this time, the encryption / decryption program operation permission key K1 includes a file name related to the encrypted data, an encryption time, a size of the file and data, a history of encryption and decryption, and the like. It can be memorized. By storing such information, it is possible to browse what information is encrypted and stored in the encryption / decryption computer C1. This function is useful for confirming the state of information security in the event that the encryption / decryption computer C1 is stolen.

  FIG. 10 is a block diagram showing the data decoding process in the embodiment of the present invention. The data decryption process will be described with reference to FIG. 10. First, the encryption / decryption program P1 confirms whether or not the encryption / decryption program operation permission key K1 is connected. When the connection is confirmed, the information regarding the permission of the operation permission written in the encryption / decryption program operation permission key K1 is read. If the encryption / decryption program operation permission password W1 exists after the operation permission confirmation, as shown in FIG. 6, authentication of the password and the password input via an input device such as a keyboard is performed ( That ’s it. The encryption / decryption program P1 reads data A1 that has already been encrypted from a storage medium such as a hard disk drive (HDD) in accordance with the conditions of the read authority information, and decrypts the data D1 that has been in a state before encryption. Writing to a storage medium such as a hard disk drive (HDD) (the operation B).

  FIG. 11 is a block diagram showing a process of granting authority information to the encryption / decryption program operation permission key K1 in the embodiment of the present invention. The authority information granting process will be described with reference to FIG. 11. First, the authority granting program P2 confirms whether or not the authority granting program operation permission key K2 is connected. When the connection is confirmed, input of authority information to be written to the encryption / decryption program operation permission key K1 is permitted. At this time, if the authority granting program operation permission password W2 exists, as shown in FIG. 8, the password and the password input via the input device such as a keyboard are authenticated (the operation α). Then, the authority grant program P2 writes the input authority information into the encryption / decryption program operation permission key K1 (the operation β).

The system block diagram of 1st Example of this invention. The system block diagram of the authorization computer in 2nd Example of this invention. The system block diagram of the authorization computer in 3rd Example of this invention. The system block diagram of the authorization computer in 4th Example of this invention. The system block diagram of 5th Example of this invention. The flowchart of the key and password authentication process of the encryption / decryption program of the 1st thru | or 5th Example of this invention. The 2nd flowchart of the key and password authentication process of the encryption / decryption program of the 1st thru | or 5th Example of this invention. The flowchart of the permission of the authority grant program in the Example of this invention and an authority information provision process. The figure which shows the encryption process in the Example of this invention. The figure which shows the decoding process in the Example of this invention. The figure which shows the authorization process in the Example of this invention.

Explanation of symbols

A1 Encrypted data C1 Encryption / decryption computer C2 Authorized computer D1 Original data K1 Encryption / decryption program operation permission key K2 Authorization program operation permission key W1 Encryption / decryption program operation permission password W2 Authorization program operation permission password P1 Encryption / decryption program P2 Authorization program

Claims (11)

A system for encrypting and decrypting data stored in a storage medium,
A program P1 for executing the encryption and decryption;
A computer C1 in which the program P1 is installed, and an external connection element K1 to the computer C1 that plays a key role in permitting the decryption operation of the program P1;
A computer data protection system by encryption, characterized by comprising a program P2 for granting authority as a key to the external connection element K1. In the program P2 for granting authority as a key to the external connection element K1, the external connection element K2 serving as a key for permitting the authorization operation is connected to the computer C2 in which the program P2 is installed. 2. The computer data protection system using encryption according to claim 1, wherein the authorization operation can be performed by the above. 3. The computer data protection by encryption according to claim 2, wherein the external connection element K2 is connected to the computer C2 when the program P2 requests when the program P2 is activated or in operation. system. The program P2 can perform the authorization operation by inputting the operation permission password W2 of the program P2 in addition to the connection of the external connection element K2 to the computer C2. Computer data protection system with the described encryption. 2. The computer data protection by encryption according to claim 1, wherein the external connection element K1 is connected to the computer C1 when the program P1 makes a request when the program P1 is activated or in operation. system. In addition to the connection of the external connection element K1 to the computer C1, the program P1 can execute the decryption operation of the program P1 by inputting the decryption operation permission password W1 of the program P1. 6. The computer data protection system by encryption according to claim 1 or 5. The program P2 has a function of setting an upper limit of the number of times of decoding to the external connection element K1 and not permitting decoding thereafter when the number of times of decoding reaches the upper limit. A computer data protection system by encryption according to any one of claims 1 to 6. The program P2 has a function of adding a time limit for enabling decoding to the external connection element K1 and not permitting decoding in a period set that decoding cannot be performed. Item 7. A computer data protection system using encryption according to any one of Items 1 to 6. The program P2 sets an upper limit of the number of possible input errors of the operation permission password W1 of the program P1 for the external connection element K1, and when an input error of the password W1 exceeding the upper limit occurs, 7. The computer data protection system by encryption according to claim 6, further comprising a function that does not permit decryption thereafter. 10. The computer data protection system by encryption according to claim 1, wherein the program P2 can invalidate an authority as a key of the external connection element K1. The computer according to any one of claims 7 to 10, wherein the program P2 can give an authority to permit the decryption to the external connection element K1 that cannot permit the decryption. Data protection system.

Images