JP2008026925A - File management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a file management program for consolidating files without impairing the convenience of users. <P>SOLUTION: The file management program has a file specifying section 21 receiving specification of an original file to be managed; a policy formulating section 22 for formulating a policy in using the original file; and a package section 23 for packaging a policy file created based on a common key created for every original file and the policy, and the original file encrypted with the common key, to create a package file. The package file is created such that only the user meeting the use conditions of the policy can develop the common key in the policy file and the right to use the original file on a temporary memory of a terminal 4 of the user, develop the original file encrypted with the common key only on the temporary memory and use the original file within the scope of the use right. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

The present invention relates to a file management program, and more particularly, to a file management program for setting a use condition to package a file and using the packaged file within the range of the use condition.

  Conventionally, as a distribution system that sets use conditions and distributes data and software to users, there has been a distribution system as disclosed in Patent Document 1.

  In the distribution system disclosed in Patent Document 1, the distribution server encrypts data with usage agreement, software, and usage conditions by an encryption processing unit using an encryption key corresponding to the client terminal of the distribution destination, and further by a package unit. Send it after packaging. The client terminal decrypts the use conditions using the encryption key in the encryption processing unit, and decrypts and installs the data and software when the use conditions are available.

  According to such a distribution system, it is configured to add and encrypt usage conditions and distribute them in a format that can be executed on the client terminal without recompiling data and software. In addition, software can be easily created and distributed to users, and users can easily use data and software with usage agreements.

  However, such a distribution system has the following technical problems.

JP 2002-189526 A

  In the distribution system disclosed in Patent Document 1, since the usage conditions are encrypted with a key for each client terminal that uses data and software, a package file is naturally generated for each terminal client.

  Therefore, if you want to use data and software for multiple users, for example, inside or outside the company, it is necessary to create as many package files as the number of users, and data cannot be shared among multiple users. Centralized management was difficult.

The present invention has been made in view of such conventional problems, and the object of the present invention is to provide a file management program capable of centralized file management without losing user convenience. It is to provide.

The invention of claim 1
A file management program having a file package program that is stored and executed in a user terminal and performs central management of an original file created by an arbitrary user, the file package program specifying an original file to be managed A file designating unit that accepts the policy, a policy formulating unit that formulates a policy for using the original file, a common key generated for each original file, a policy file generated based on the policy, and the common key And a package unit that generates a package file by packaging the original file encrypted with the above, and only a user who satisfies the use conditions of the policy has the common key in the policy file and the use right of the original file. It can be expanded on a temporary memory of the user's terminal, and Only it can expand the original file decoded by passing the key on the temporary memory, a file management program available in the original file in the range of the usage authorization to generate the package file as possible.

The invention of claim 2
The file management program further includes a search unit that searches for information related to a package history of the package file and information related to a user's access history to the package file.

  According to the first and second aspects of the invention, all types of files are encrypted with a common key generated for each file, and then packaged together with the policy file. A mechanism for granting the right to use the user and a mechanism for checking the access history of the user are provided to the user.

  Moreover, the user who packages the original file generates one package file regardless of the number of users to whom the usage authority is given, and stores it in a storage medium that can be accessed by the user terminal of the user who has given the usage rights. It is possible to share the original file among a plurality of users simply by setting it.

  That is, it is possible to perform centralized file management while maintaining a high security level and without impairing the convenience of the user when generating a package file.

The invention of claim 3
A notification unit for generating a package file in the package unit and notifying generation of the package file or sending the package file by mail attachment to a user terminal of a user who is authorized to use the original file It is a file management program.

  According to the invention of claim 3, it is possible to prevent the user terminal of the user who is not given the authority to use the original file from inadvertently knowing the existence of the package file in which the original file is packaged. Rather, the user who has been given usage rights can immediately use the original file.

The invention of claim 4
A file management program having a file usage program for restoring and using the original file packaged by the file package program stored and executed in the user terminal and integrated with the original file created by an arbitrary user The file utilization program includes a file designation unit that accepts designation of a package file in which an original file to be used is packaged among package files, and utilization of a policy constituting the policy file in the package file. Performing a condition check, and when the use of the original file is use within the range of the use condition, a common key generated for each of the original files, the decryption key of the original file used for encryption, The use permission of the original file is set as the policy file. A decryption key decryption unit that obtains the decryption key and the usage authority on the temporary memory of the user terminal, and the original file encrypted in the package file by the obtained common key. Is a file management program that includes a decryption unit that decrypts the file and expands it on a temporary memory of the user terminal, and a file usage control unit that controls the use of the original file based on the acquired usage right.

  According to the invention of claim 4, since the use authority of the original file and the decryption key of the original file are included in the package file so that they can be decrypted only when the use conditions are satisfied, the user can Only when the use conditions of the policy included in the above are satisfied, a mechanism is provided in which the use authority of the original file is granted and the user who is not given the use authority cannot use the original file. That is, the file management program 1 allows the user who has been given usage authority to use the original file while maintaining a high security level.

  In addition, if the usage authority is limited to authority other than editing and saving, users other than the user who created the original file cannot change the original file. The same original file will be shared. This has the same effect even when the package file is stored in the user terminal of the user who has been given the authority to use it by a method such as mail attachment.

  That is, the user can share the same original file with other users as a result without accessing a user terminal other than the user terminal. In this way, the same original file can be shared with other users because the original file is encrypted with a common key generated for each original file, and one original file is 1 regardless of the number of users. This is also due to the generation of one package file.

The invention of claim 5
The file usage control unit controls the corresponding software of the original file, and performs API hooking that performs a function call instruction based on the acquired usage authority from the corresponding software to the OS or middleware of the user terminal It is a file management program.

  According to the fifth aspect of the present invention, it is possible to use the existing original file compatible software while using the existing original file compatible software without creating dedicated software for performing browsing, printing, editing, saving, etc. corresponding to any original file. Control can be performed.

The invention of claim 6
Further, when the encrypted original file in the package file is decrypted and the original file is edited based on the user's usage rights, the edited original file is packaged again with the policy file, This is a file management program having a repackage unit for updating the package file.

  According to the invention of claim 6, the package file is updated, whereby the unified management of the original file is continuously performed, and the originality of the original file that is shared among a plurality of users is determined. Is also retained.

The invention of claim 7
When the original file is repackaged, the file management program includes a notification unit that notifies the user terminal or server of the user who created the original file that the repackage has been performed.

  According to the seventh aspect of the present invention, the user or server that created the original file can immediately confirm that the original file has been updated.

The invention of claim 8
A usage database that can update the usage status of the original file by the user terminal every time the user terminal tries to use the original file in the package file can be read and updated by a user terminal other than the user terminal. It is a file management program which has a database production | generation part produced | generated in the said user terminal in the state which does not exist.

  According to the invention of claim 8, by generating the usage status database in the user terminal, it is possible to prevent and detect the unauthorized use of the original file in the user terminal other than the user terminal.

The invention of claim 9
Part or all of the policy file is stored in a server, and the file usage program is a file management program that requests the server to check usage conditions in the policy file.

  According to the ninth aspect of the present invention, by placing a part or all of the policy file on the server, it is possible to further prevent illegal acts such as falsification of the policy file.

The invention of claim 10
The policy file is encrypted with a key replaced by a replacement table generated for each server, and the replacement table stores the file management program in the user terminal and the user terminal. File management program.

  According to the invention of claim 10, unauthorized use of the package file alone can be prevented.

The invention of claim 11
In the policy file, usage conditions are described in association with a plurality of policy objects. When the usage conditions corresponding to an arbitrary policy object are satisfied, a key for opening another policy object is used. A chained data structure that can obtain the decryption key and the usage authority only when all policy object keys are finally opened and all usage conditions are satisfied. Is a file management program.

  According to the eleventh aspect of the present invention, it becomes more difficult to extract the decryption key and the use authority from the policy file and use it illegally.

The invention of claim 12
It has an authentication interface for authenticating whether or not it is a registered user of the file management program or whether or not the user is permitted to use the original file included in the use conditions, and the authentication interface is determined by a request from the user The second password of the user output from the authentication device or the authentication device determined in advance on the authentication interface side, and the type of the authentication device are sent from the user terminal to the server together with the login ID and password of the file management program. A file management program that transmits and requests collation with data already stored in the server.

The invention of claim 13
If the authentication device includes encryption logic, the authentication interface acquires template data corresponding to the login ID from template data stored in the server or the user terminal, and the user The file management program obtains the second password by verifying and decrypting the signature using the PKI certificate and requesting collation with the data already stored in the server.

According to the twelfth and thirteenth inventions, the server or the user terminal can perform the user authentication regardless of the type of the authentication device, and the user can perform the user authentication. Numbers and combinations can be changed arbitrarily.

  According to the file management program of the present invention, all types of files are encrypted with a common key generated for each file and then packaged together with a policy file so that only the user who satisfies the use conditions can use the original file. A mechanism for giving authority and a mechanism for confirming the access history of the user are provided to the user.

  Moreover, the user who packages the original file generates one package file regardless of the number of users to whom the usage authority is given, and stores it in a storage medium that can be accessed by the user terminal of the user who has given the usage rights. It is possible to share the original file among a plurality of users simply by setting it.

  Also, since the usage rights of the original file and the decryption key of the original file are included in the package file so that they can be decrypted only when the usage conditions are satisfied, the user can use the policy included in the package file. Only when the conditions are satisfied, a mechanism is provided in which the use authority of the original file is given and the user who is not given the use authority cannot use the original file.

  In other words, the file management program enables centralized management and use of files while maintaining a high security level and without losing the convenience of the user when generating a package file. .

  In addition, if the usage authority is limited to authority other than editing and saving, users other than the user who created the original file cannot change the original file. The same original file will be shared. This has the same effect even when the package file is stored in the user terminal of the user who has been given the authority to use it by a method such as mail attachment.

That is, the user can share the same original file with other users as a result without accessing a user terminal other than the user terminal. In this way, the same original file can be shared with other users because the original file is encrypted with a common key generated for each original file, and one original file is 1 regardless of the number of users. This is also due to the generation of one package file.

  DESCRIPTION OF EXEMPLARY EMBODIMENTS Hereinafter, preferred embodiments of the invention will be described in detail with reference to the accompanying drawings. The file management program 1 according to the present invention allows information contained in a document file (hereinafter, simply referred to as a file) such as a document, an image (a moving image or a still image) to be browsed, printed, edited, It is used to prevent unauthorized use by leaking to someone who does not have usage rights such as storage, and by setting file usage conditions (policy), the safety of the file is improved. It is a program for.

  The following description will be made on the assumption that the file management program 1 of the present invention is used inside and outside a general company, but this is only an example and is used by homes and individuals. Also good.

  The file management program 1 is a program that is stored and executed in the user terminal 4 so that an arbitrary user can create a package file from a file created by an arbitrary user in the user terminal 4 and perform centralized management of the file. The file package program 2 and a user other than the file creation user are roughly divided into a file use program 3 for restoring the original file from the package file and using the file at the user terminal 4. Here, “use of file” refers to actions such as viewing, printing, editing, and saving of a file.

  As shown in FIG. 1, these user terminals 4 are connected to each other via a network 6 such as a LAN 6a inside the company, and are connected to an internal server 5 via a network 6 such as the Internet 6b outside the company. The The in-house user terminal 4a is connected to the network when accessing outside the company, requesting various authentications, registering various information, and downloading the file management program 1 of the present invention or using the file management program 1. 6 to the server 5. The external user terminal 4b is also connected to the server 5 via the network 6 at the same time as described above.

  The user terminal 4 has a configuration (CPU, temporary memory 43, external storage device such as a hard disk 44, communication device, input / output device, etc.) necessary for storing, executing, and using these programs. Any ordinary computer may be used.

  In order to use the file management program 1 of the present invention, the user and the user terminal 4 perform user registration with the server 5 and register information about the user and the user terminal 4 in the server 5. In this embodiment, the user and the user terminal 4 are associated one-to-one, and one user ID is given to a set of one user and one user terminal 4.

  Therefore, for example, when a user owns two user terminals 4 regardless of whether they are inside or outside the company, and the file management program 1 is used in each user terminal 4, two user IDs are assigned to the user. Shall be. One user ID may be given to one user regardless of the user terminal 4, and one user ID may be given to one user terminal 4 regardless of the user.

  The server 5 has a configuration similar to that of the user terminal 4 and may be a normal server computer provided with server software. In this embodiment, the server 5 includes a user database 55 that stores information such as user information and hardware information of the user terminal 4, an authentication database 57 that stores authentication information necessary for user authentication, Various databases such as a history database 56 that stores history information such as access history and package file creation history.

  In addition, only the administrator of the server 5 or a user who has given a predetermined authentication permission has the authority to perform operations such as browsing, printing, editing, and saving information stored in the database in the server 5. Others (including the Service-to-Self) can not illegally abuse its authority (for example, built-in firewall, database encryption, connection to authentication system, installation of proxy server, etc.) It is assumed that the server 5 is provided.

  Next, the configuration of the file package program 2 will be described with reference to FIG. First, the file package program 2 is stored in the user terminal 4 and used in the user terminal 4, but the program storage method is not limited. For example, the file package program 2 may be downloaded from the server 5 to the user terminal 4 together with the installer. Alternatively, it may be copied to the user terminal 4 from a storage medium such as a CD-ROM.

  The file package program 2 is mainly composed of functional blocks of a file designation unit 21, a policy formulation unit 22, a package unit 23, and a search request unit 24.

  The file designating unit 21 is a unit that accepts designation of a file to be managed among files stored in a storage medium that can be accessed by the user terminal 4. For example, the file designation unit 21 displays on the screen of the user terminal 4 identification information (title, creation date, creation user, file type (extension, etc.)) of the file that can be managed by the user terminal 4 at that time. , File data size, etc.) is displayed, and the input device such as a keyboard or a mouse selects any of the information, thereby accepting the designation of the file.

  The policy formulation unit 22 is a unit that formulates a policy for using a file (hereinafter referred to as an original file) that has been designated by the file designation unit 21. In the present embodiment, the established policy is transmitted to the server 5 together with the identification information of the original file, but these are not necessarily transmitted to the server 5.

  A policy is, for example, authentication of whether or not a user is permitted / denied to use the original file, password and other authentication, the number of times the file can be used, the expiration date of the original file, the number of files that can be accessed simultaneously, the access time, etc. Usage conditions and usage authority given when these usage conditions are satisfied (for example, usage modes such as viewing, printing, editing, and saving of the original file).

  Here, as shown in FIG. 2, the server 5 includes a key generation unit 51 and a policy file generation unit 52 as functional blocks.

  The key generation unit 51 is means for generating an encryption key (decryption key) for encrypting (decrypting) the original file. In the present invention, file encryption and decryption are performed by a common key encryption method. That is, the encryption key and the decryption key are common, and only one type is generated for each original file. Therefore, in the following description, the encryption key is also referred to as a decryption key.

  In the present embodiment, the decryption key generated by the key generation unit 51 is a random number generated every time a policy is formulated by the policy formulation unit 22 (and for each original file), but is different for each policy. As long as the key is generated in this way, it is not necessarily a random number.

  Here, the common key cryptosystem is employed for file encryption and decryption because the processing time required for the user terminal 4 to encrypt and decrypt the file uses the public key cryptosystem. This is because it is shorter than the encryption / decryption processing time and the burden on the user terminal 4 is small.

  However, using the common key encryption method, for example, when the encryption key generated by the server 5 is used for file encryption, or the encrypted file is decrypted only by a specific user with the same decryption key as the encryption key In general, the key delivery method often becomes a problem. As long as the encryption key and decryption key are the same, once the key is known to a third party, anyone can decrypt the encrypted file, and the meaning of encrypting the file is lost. is there.

  Therefore, in the present invention, even if the file is encrypted with the common key, the encrypted file cannot be decrypted only by knowing the key. Only when the usage conditions are satisfied, a mechanism that can acquire the decryption key of the encrypted file and the authority to use the file is adopted.

  Here, the policy file generation unit 52 is a unit that generates a policy file based on the policy formulated by the policy formulation unit 22 and the decryption key generated by the key generation unit 51. The policy file is, for example, data in XML format and describes a decryption key and a policy. In detail, the usage conditions in the policy are described in association with a plurality of policy objects. When the usage conditions corresponding to the policy object are satisfied, the key for opening another policy object can be obtained, and finally the keys of all policy objects are opened, that is, all policy objects are opened. The chained data structure allows the decryption key and the usage authority to be extracted only when the usage conditions are satisfied.

  With such a data structure, it becomes more difficult to extract the decryption key and the usage authority from the policy file and use it illegally. Even if the decryption key and the usage authority are obtained from other than the policy file acquisition path, the decryption key decrypting unit 34 described later does not use the decryption key and the usage authority decrypted from the policy file. The encrypted original file cannot be decrypted and the original file cannot be used.

  The generated policy file is stored in the user database 55 storing user information with the policy file identification ID assigned to each user, and is also transmitted to the user terminal 4. At this time, the decryption key generated by the key generation unit 51 may also be stored in the user database 55 and transmitted to the user terminal 4.

  An identification ID is also assigned to each policy object, and a key for opening the policy object is generated by the key generation unit 51, and these pieces of information are also stored in the user database 55.

  Further, when the user terminal 4 is not connected to the server 5, the policy file generation unit 52 may be included as a functional block of the file package program 2 stored in the user terminal 4. The terminal 4 does not transmit the policy to the server 5 but generates a policy file by itself and assigns and stores the policy file identification ID in the user terminal 4.

  Returning to the description of the configuration of the file package program 2, the package unit 23 encrypts the original file with the decryption key generated by the key generation unit 51, and generates the encrypted original file and the policy file generation unit 52. The policy file and the file basic information are packaged together in one package, and a header is added to generate a new file (referred to as a package file). FIG. 3 shows a conceptual diagram when the package unit 23 generates a package file.

  As shown in FIG. 3, by packaging the encrypted original file and the policy file, the encrypted original file cannot be taken out or used alone. It can be used only by interlocking.

  That is, only when all the usage conditions are satisfied, the usage authority can be acquired and the encrypted file can be decrypted, so that the decryption key is transmitted to the user terminal 4 alone. Even if it is known, the encrypted original file cannot be decrypted unless the package file itself is available and all policy usage conditions are satisfied. The security of the encrypted file is ensured.

  In addition, since the decryption key is included in the policy file and packaged with the encrypted original file, the user is not aware of the key delivery, which is a problem of the common key encryption method, and can safely Done.

  Conventionally, a public key cryptosystem has been adopted in order to give a file use authority only to a specific user while maintaining a high security level. However, in the case of the public key cryptosystem, it takes time and effort to generate a public key and a private key, to obtain a public key of a user who is authorized to use the file, and to encrypt a file with a public key for each user. It was. Since the file management program 1 of the present invention uses a common key cryptosystem, such a trouble does not occur, and the security level is high only by a simple procedure of file designation, policy formulation, and packaging. File management will be realized.

  The basic file information includes the original file identification information, such as the title, creation date, creation user, original file type (extension, etc.), original file data size, etc. / A disallowed user list is included. Further, the title, which is the identification information of the package file, the creation (package date and time), the creation user (the person who packaged), the type of the package file, the data size of the package file, and the like may be included.

  Here, the encryption of the file basic information is arbitrary, and basically the contents of the file basic information can be known even by a user who does not have the authority to use the original file. This is because the right at the time of filing this application allows all users to know the use / non-permission of the original file.

  The search request unit 24 is a unit that requests the search unit 53 in the server 5 to search the history information of the file package stored in the history database 56 and the information related to the access history to the package file. The history database 56 may store the same data stored in the user database 55, or the history information stored in the user database 55 may be searched.

  Further, when the file creation user himself / herself wants to retrieve his / her own file package history and / or other user's access history to the shared storage medium in his / her user terminal 4, the search request unit 24 displays the user of the file creation user. It may be a means for accessing history information stored in a database in the terminal 4 (for example, a usage status database 33a described later).

  For example, the search request unit 24 designates a search condition and transmits the search condition to the server 5. The search unit 53 of the server 5 extracts the history information that matches the search condition from the history database 56 and transmits it to the user terminal 4. Here, on the user terminal 4 side, the policy formulation unit 22 can further change the policy based on the retrieved history, and the file designation unit 21 can change the file. If any change is made, the package unit 23 repackages the file. This procedure is the same as the procedure for newly creating a file package, as described above.

  The history database 56 also stores a user access history to the package file. Therefore, the user who has packaged the file can confirm from the search request section 24 who has accessed which package file from when.

  According to the configuration of the file package program 2 in the file management program 1 described above, all types of files are encrypted with a common key generated for each file, and then packaged together with the policy file to satisfy the usage conditions. The user is provided with a mechanism for granting the authority to use the original file only to the user who confirms it, and a mechanism for confirming the access history of the user.

  In addition, the user who packages the original file generates one package file regardless of the number of users to whom the use authority is given, and stores it in a storage medium that can be accessed by the user terminal 4 of the user who has given the use authority. It is possible to share the original file among multiple users just by keeping it.

  In other words, the file management program 1 can perform centralized file management while maintaining a high security level and without impairing the convenience of the user when generating a package file.

  Next, the configuration of the file use program 3 will be described with reference to FIG. First, the file use program 3 is stored in the user terminal 4 and used in the user terminal 4 like the file package program 2, but the program storage method is not limited, for example, the user terminal together with the installer from the server 5 is used. 4 may be downloaded to the user terminal 4 or may be copied from a storage medium such as a CD-ROM to the user terminal 4. Further, the file use program 3 may be programmed together with the file package program 2, and in that case, stored in the user terminal 4 as the file management program 1.

  However, among the functions provided by the file management program 1, it is necessary for each user who uses only the file use function on the file use program 3 side, and for each user who uses only the file package function and history search function on the file package program 2 side. Only a simple program may be stored in the user terminal 4.

  The file use program 3 is mainly composed of functional blocks of a file designation unit 31, an authentication request unit 32, a database generation unit 33, a decryption key decryption unit 34, a decryption unit 35, a file use control unit 36, and a repackaging unit 37. The

  The file designation unit 31 is a unit that accepts designation of a package file in which an original file to be used is packaged among package files stored in a storage medium accessible by the user terminal 4. For example, the file designating unit 31 displays, on the screen of the user terminal 4, basic file file information (package file or original file title, creation date, creation user, file type (extension, etc.), and use of the original file. (Allowed / non-permitted user) and the input device such as a keyboard or a mouse selects any of the information, so that the specification of the package file can be accepted.

  In order to prevent the user terminal 4 of the user not authorized to use the original file from inadvertently knowing the existence of the package file in which the original file is packaged, the basic file information is stored in the user terminal. 4, for example, only when a package file is attached to an e-mail and sent to the user terminal 4 of a user who is authorized to use the original file, or in a designated storage location. The user terminal 4 can access the package file only when a document such as an email notifying that the original file in the file can be used is transmitted to the user terminal 4. It may be.

  In other words, in this case, the file package program 2 generates a package file in the package unit 23 and notifies the user terminal 4 of the user who is given the authority to use the original file to notify the generation of the package file or the package file. Is sent by mail attachment. This not only prevents the user terminal 4 of the user not authorized to use the original file from inadvertently knowing the existence of the package file in which the original file is packaged, but also grants the use authority. The user can immediately use the original file.

  In this embodiment, the authentication request unit 32 is means for requesting the server 5 to authenticate a user who intends to use the file use program 3. When one user ID is assigned to one user and one user terminal 4, the user terminal 4 is not authenticated unless the user terminal 4 requests an authentication from the server 5.

  Note that the authentication request unit 32 does not necessarily require the server 5 to authenticate, and may be a means for authenticating the user with the user terminal 4 itself. This will be described later in the embodiment.

  The database generation unit 33 can update the usage status (for example, the number of usages) of the original file by the user terminal 4 every time the user tries to use the original file in the package file at the user terminal 4. 33a is a means for generating the user terminal 4 in a state in which it cannot be read and updated by the user terminal 4 other than the user terminal 4 of the user.

  Of the policy usage conditions formulated by the policy formulation unit 22, usage conditions that do not require updating of the usage status of the original file each time the original file is used (for example, whether or not the user is permitted / unauthorized to use the original file). If the policy is generated only by the authentication, password and other authentication, the expiration date of the original file, the number of simultaneous access to the same package file, the accessible time, etc.), the database generation unit 33 is not necessarily the usage status database. There is no need to generate 33a.

  Further, the database corresponding to the usage status database 33 a is not necessarily generated in the user terminal 4 and may be generated in the server 5. In this case, the database generation unit 33 is not necessary in the file package program 2.

  The decryption key decryption unit 34 checks the use conditions of the policies in all policy objects constituting the policy file in the package file, and acquires the decryption key of the encrypted original file and the user's use authority. These means for extracting the decryption key and the usage authority onto the temporary memory 43 of the user terminal 4 include a verification / update unit 34a for verifying the usage conditions and updating the usage status.

  The collation / update means 34a, for example, collates the usage conditions with the usage status stored in the usage status database 33a for the policy that requires the usage conditions and the usage status of the original file to be verified. A key that updates the usage status in the usage status database 33a and opens another policy object only when the usage conditions are not violated (for example, the usage status is 3 times with respect to the usage condition of 10 usages), or Extract the decryption key of the encrypted original file.

  In this case, either the server 5 or the user terminal 4 needs a program (for example, counting means, timing means, etc.) for updating the contents of the usage status database 33a. The generation location of the usage status database 33a and the usage status update method may be stored in the policy file.

  Further, the collation / update means 34a may request the server 5 for collation between the usage conditions that do not require updating the usage status of the original file and the usage status (current status), or the user terminal 4 can also be performed.

  Further, even when a part or all of the policy object is stored in the server 5, the collation / update means 34a accesses the server 5 to request collation between the usage conditions and the usage status, The collation result and the key of the policy object to be opened next are received from the server 5.

  The server 5 can encrypt the verification result and key to the user terminal 4 with the user's public key generated in advance and transmit the encrypted result to the user terminal 4. Thereby, since the encrypted verification result and key are decrypted only by the user's private key, the security at the time of transmitting the verification result and the key is further increased.

  The decryption unit 35 is means for decrypting the encrypted original file in the package file using the decryption key decrypted by the decryption key decrypting unit 34 and taken out to the temporary memory 43 of the user terminal 4. Further, the decrypting unit 35 may be a means for decrypting other encrypted data in conjunction with the decryption key decrypting unit 34 in addition to decrypting the encrypted original file.

  The file usage control unit 36 is means for controlling the usage of the decrypted original file based on the usage authority decrypted by the decryption key decrypting unit 34. The file usage control unit 36 may also serve as means for starting the corresponding software 42 for opening the original file based on the file identification information of the original file. The corresponding software 42 may be prepared in the file use program 3. For example, viewer-specific software that can browse all types of original files may be used on the user terminal 4.

  The file usage control unit 36 may be a means for performing API (Application Program Interface) hooking. Specifically, when all or a part of functions such as a viewer in the corresponding software 42 of the original file is realized by calling a function provided by the OS or middleware, the file usage control unit 36 controls the corresponding software 42 and issues a function call instruction based on the acquired use authority from the corresponding software 42 to the OS or middleware. As a result, it is possible to control the usage authority while using the existing corresponding software 42 without creating dedicated software for browsing, printing, editing, saving, etc. corresponding to any original file. Become.

  It should be noted that the decryption unit 35 and the file usage control unit 36 only use the decryption key and the usage authority extracted to the temporary memory 43 through the normal decryption process in the decryption key decryption unit 34 to encrypt the original file. It can be decrypted or used. For example, when a decryption key or a use authority that is input independently is about to be decrypted or used, the decryption unit 35 or the file use control unit 36 determines the decryption or use process. Can be canceled on the spot. Thereby, unauthorized use of the original file can be prevented.

  When the encrypted original file in the package file is decrypted and the original file is edited based on the user's usage authority, the repackage unit 37 packages the edited original file together with the policy file again. Means.

  After the edited original file is packaged and a package file is generated, the repackage unit 37 exchanges the original package file (or overwrites or updates the original package file). As a result, the original package file is deleted and the package file is updated.

  The basic difference between the original package file and the repackaged package file is only the difference in the data capacity of the original file, and related data such as file basic information may be updated along with repackaging. There is no change in the file name and the decryption key of the original file. Further, for example, when a falsification or unauthorized use detection mechanism is adopted based on the hash value of the original file, the hash value also needs to be updated.

  By renewing the package file by the repackaging unit 37, the original management of the original file is continued, and the originality of the original file that is shared among multiple users is also maintained. .

  Note that the repackage unit 37 only needs to function when the editing of the original file is permitted among the usage rights, and when the editing of the original file is not included in the usage rights in the first place. In this case, the repackage unit 37 is unnecessary. Furthermore, in this embodiment, the policy file cannot be edited by a user who is permitted to edit the original file. This is to prevent the original file from being used illegally by editing the policy file.

  In addition, when the original file is repackaged, the file utilization program 3 having the repackage unit 37 notifies the user terminal 4 or the server 5 of the original file creation user that the repackage has been performed. You may have a notification part (not shown). As a result, the user or server that created the original file can immediately confirm that the original file has been updated.

  According to the configuration of the file use program 3 in the file management program 1 described above, the use authority of the original file and the decryption key of the original file are included in the package file so that they can be decrypted only when the use conditions are satisfied. Therefore, the user can only use the original file if the user satisfies the policy usage conditions included in the package file, and the original file cannot be used by a user who has not been granted the usage right. Will be provided. That is, the file management program 1 allows the user who has been given usage authority to use the original file while maintaining a high security level.

  In addition, if the usage authority is limited to authority other than editing and saving, users other than the user who created the original file cannot change the original file. The same original file will be shared. This has the same effect even when the package file is stored in the user terminal of the user who has been given the authority to use it by a method such as mail attachment.

That is, the user can share the same original file with other users as a result without accessing a user terminal other than the user terminal. In this way, the same original file can be shared with other users because the original file is encrypted with a common key generated for each original file, and one original file is 1 regardless of the number of users. This is also due to the generation of one package file.

  Here, the details of the usage status database 33a will be described. Reading and updating of the information in the usage status database 33a is performed only in the decryption process of the decryption key and the use authority by the decryption key decryption means. In other cases, the update and falsification by the user and the Service-to-Self are performed. It will not be done.

  Therefore, the usage status database 33a generated in the user terminal 4 is encrypted by a one-way function such as a hash value of the identification information (MAC address, BIOS serial number, hard disk 44 serial number, etc.) of the user terminal 4. It may be.

  In addition, it is possible to detect the usage status in the usage status database 33a without permission update, falsification, unauthorized use, and the like using a known hash (one-way) function technique or the like. For example, the consistency of whether or not it was encrypted with the correct hash value at the time of the next update or reading, such as by always encrypting the usage status with the hash value of the usage status at the time of the last update or reading Check.

  If an illegal read or update has been performed, the next time you try to perform a normal read or update, the usage status is not encrypted with the original hash value, or you can get the correct decryption key. Since it is not possible, the encrypted original file cannot be decrypted.

  Also, for example, the usage status can be updated only by a predetermined number, for example, by reducing it by one, for example, and the usage status should be updated from 2 to 3 times. It can be made impossible to tamper with.

  In this way, in the event that unauthorized reading or falsification is made, the operation of the file use program 3 and the decryption of the decryption key are stopped on the spot, or they are backed up by encrypting them in a registry or the like. The correct usage situation is read, and the altered usage situation database 33a is restored to the original state.

  In order to be able to generate the usage status database 33a only in the user terminal 4 of the user, a program that can generate the usage status database 33a only when a new user tries to open the package file for the first time is provided. Before downloading, the server 5 recognizes the identification information (MAC address, BIOS serial number, hard disk 44 serial number, etc.) of the user terminal 4 in advance, and encrypts the usage situation database 33a with the hash value of the identification information. In a terminal having other identification information, a program for preventing the encrypted usage status database 33a from being decrypted is provided.

  Next, in order to disable the use status database 33a from being read by a terminal other than the user terminal 4 that was initially generated, when the decryption key decryption means collates the use conditions with the use status, the server 5 side It is confirmed whether or not the usage status database 33a is generated in the user terminal 4 having the identification information registered in the above. If the usage status database 33a is not found, the original file is used in a terminal other than the user terminal 4. It is assumed that this is the case, the method of canceling the use of the original file, the usage status database 33a is encrypted with the hash value of identification information unique to each user terminal 4, and the hash value of the identification information of other terminals Then, there is a method for preventing the usage status database 33a from being decrypted.

  Furthermore, an embodiment in which the usage status database 33a is used for purposes other than the usage status update will be described.

  For example, the identification information of the user terminal 4 is added as one condition in the usage conditions generated in advance, and when the usage conditions and the usage status are collated, the usage status of the user terminal 4 that is actually used is used. A method may be used in which the identification information is checked and the use of the original file is stopped if the identification information does not match the identification information of the user terminal 4 of the user who is originally given the use right as the use condition. It should be noted that this usage condition naturally varies from user to user, so that if the policy file needs to be shared, the usage conditions and key of the policy object relating to the usage condition are stored in the server 5. May be.

Further, by encrypting the usage status database 33a with the identification information of the user and the user terminal 4 and a unique key, even if the usage status database 33a is substantially empty, the decryption key decryption unit 34 If the existence of the usage status database 33a is confirmed, the user and the user terminal 4 are automatically authenticated, and the unauthorized use by the user and the user terminal 4 who do not have the authority to use the original file is prevented. More effective.

  An example of the data structure of the package file is shown in FIG. Referring to FIG. 5, the package file includes, under the root directory, a key acquisition path directory that indicates the acquisition path and acquisition order of the decryption key and usage authority, a usage condition directory that indicates the usage conditions for each policy object, It consists of a file directory for storing the encrypted original file and four directories for file basic information.

  The key acquisition path directory and the usage condition directory correspond to the policy file. The package unit 23 packages the policy file, the encrypted original file, and the file basic information. It will be a file.

  A plurality of policy objects are arranged in order under the key acquisition path directory, and the usage authority and the decryption key that can be finally acquired are also included. Each policy object includes a key for starting the collation / update means 34a and opening the next policy object.

  In FIG. 5, the policy object and usage conditions in the portion surrounded by the dotted line frame are not actually included in the policy file but are stored in the server 5. As described above, part or all of the policy file can be acquired from the server 5. Placing a part or all of the policy file in the server 5 can further prevent fraud such as falsification of the policy file.

  Also, under the use condition directory, initial values of use conditions are included according to the type of the policy object generated, and the database generation unit 33 is used when the user terminal 4 uses the original file for the first time. The initial value of the usage condition is copied or moved to the usage status database 33a. The generation location of the usage status database 33a and the usage status update method may also be stored in the usage condition directory.

  As described above, the policy object that requires the initial value of the usage conditions is updated each time the file is used, such as the number of times the original file can be used, and updated when the file is used next time. It is the kind which compares with the used usage situation. A policy object that does not require an initial value is a type that compares a usage condition and a usage situation that does not require updating, such as a usage period of an original file.

  Here, for example, the initial value of the usage condition regarding the number of times of use is, for example, 10 times if it is 10, but the numerical value stored in the usage status database 33a is “0” or “10”. Become.

  If “10 times” is stored, the usage status database 33a is updated to reduce the number of times once each time the original file is used, and when the original file becomes “0”, Can no longer be used, so the collating operation in the collating / updating means 34a is substantially unnecessary.

  On the other hand, when “0 times” is stored, the collation / update means 34a performs an update operation in the use state database 33a to increase the number of uses and performs a collation operation with the use conditions (10 times or less). It is necessary to make a decision).

  That is, as shown in FIG. 6, the collation / update means 34a in the decryption key decryption unit 34 searches the location of the usage status database 33a corresponding to the key from the usage condition directory according to the type of usage conditions, The usage status database 33a is updated to obtain the next key. In some cases, the corresponding use condition is searched from the use condition directory, and the use condition and the use status are collated. And it plays a role which mutually connects the key stored in each branched directory in the policy file shown in FIG.

Since the package file including the policy file has a tree structure as shown in FIG. 5, the usage authority and the decryption key are not acquired unless they are in a normal order. Also, if the data in one directory does not correspond to the data in the other directory, the decryption key cannot be decrypted, so only a part of the directory is copied or the storage location or path name of one of the directories changes. In addition, since the linkage with the decryption key decryption means is not performed, there is an effect that unauthorized use is difficult to be performed.

  Next, FIG. 8 to FIG. 15 show an example of a process when a user A packages a file using the file management program 1 and then another user B uses the file included in the package file. This will be described in detail with reference to the flowchart of FIG. 1 and the configuration diagrams of FIG. 1, FIG. 2, FIG. 4, and FIG.

  still. In this embodiment, it is assumed that the file management program 1 cannot be used without a server information storage file to be described later. Accordingly, the server information storage file is stored in the user terminal 4 simultaneously with the installation of the file management program 1, or the installer enables the installation of the file management program 1 on condition that the server information storage file exists. It is desirable to be configured.

  First, both users A and B who use the file management program 1 must complete user registration after agreeing to the terms of use of the file management program 1.

  An example of this user registration flow will be described below with reference to the flowchart of FIG. The following user registration flow is the same for both users A and B, and it does not matter whether the user or the user terminal 4 is different.

  In order to access the user registration home page stored in the computer such as the server 5 via the network 6, the user terminal 4 inputs the URL of the user registration home page and transmits it to the server 5 (S110).

  The server 5 transmits the user registration home page data in the URL received from the user terminal 4 to the user terminal 4 (S115).

  The server 5 displays the user registration screen in the user registration home page on the user terminal 4. On the user registration screen, the user inputs registration information such as user identification information and user terminal 4 identification information, and transmits it to the server 5 (S120). Note that the identification information and the like of the user terminal 4 may be automatically extracted from the user terminal 4 and transmitted to the server 5 without being input by the user.

  The server 5 checks the registration information received from the user terminal 4 (S125), and if there is a defect such as omission of input (S130), the server 5 transmits an error message to the user terminal 4 (S135). It should be noted that the user's e-mail address included in the registration information is already registered in the user database 55 of the server 5 (S140), and a part of the registration information is not registered with the already registered registration information. If they are different, it is determined that the registration information has been updated, and the registration information in the user database 55 of the server 5 is updated (S145).

  If there is no fear of incomplete registration or double registration in the registration information, the server 5 generates a pair of the user's public key and private key and stores it in the user database 55 of the server 5 (S150). The public / private key pair generated here is used later when the user terminal 4 and the server 5 transmit / receive some data or when the user terminal 4 itself authenticates the user. Key generation is not mandatory.

  Furthermore, the server 5 generates a unique ID (user UID) for each user and a unique ID (user terminal UID) for each user terminal 4, and stores registration information in the user database 55 together with these (S155), Along with the registration completion message, the stored registration information, the generated public key and secret key, the user UID, and the user terminal UID are transmitted to the user terminal 4 (S160). If the public key and the private key are not generated, it is not necessary to transmit the key.

  If there is a problem with the security of the transmission of the public key and the private key, these keys are encrypted with the private key of the server 5 and a signature of the server 5 is attached. Encryption can be performed with unique identification information such as a MAC address so that the key can be known only at the user terminal 4 that has been registered.

  The user terminal 4 stores the registration information in a predetermined location (for example, a predetermined location in the registry) in the user terminal 4 designated by the server 5 (S165). The predetermined location may be a usage status database 33a generated in advance.

  Next, an example of a flow in which a user A who has registered as a user packages an arbitrary file will be described below with reference to the flow from FIG. 9 to FIG. 11. As a premise of this, the user A has registered the user in the server 5 as described above, and has installed the file package program 2 as shown in FIG. 2 on the user terminal A of the user A. And

  The user terminal A activates the installed file package program 2 by double-clicking an icon on the screen (S210).

  As shown in FIG. 16, a login screen for the file package program 2 appears on the screen of the user terminal A, so that the user terminal A authenticates whether or not the user is a registered user (or requests the server 5). Therefore, input of the login ID and password is accepted from an input device such as a keyboard (S215). In this embodiment, the login ID is the user's email address registered at the time of user registration, and the password is specified by the user at the time of user registration and stored in the authentication database 57 of the server 5 in association with the login ID. It is a character string.

  Furthermore, in this embodiment, in order to improve the authentication accuracy of the registered user, in addition to authenticating with the previously input password, authentication with the second password is also performed. Here, the second password is an authentication result obtained from an authentication device that can be arbitrarily designated by the user.

  The authentication device may be any type as long as it is connected to the user terminal A. Authentication device authentication methods are roughly classified into password-based authentication, property authentication (IC card, IC card using PKI certificate, USB key, USB token, etc.), biometric authentication (fingerprint, voiceprint, voiceprint, handwriting, (Face, vein, etc.).

  In the present embodiment, in order to enable the server 5 or the user terminal A to perform user authentication no matter what kind of authentication device is used, the user can set the number and combination of user authentications. The server 5 or the user terminal A has an authentication interface that can be changed arbitrarily. The authentication interface is in the user terminal A when the user does not access the server 5 and requests authentication in the user terminal A.

  The authentication interface uses the above-described authentication methods as follows: (1) Cryptographic logic is included (some IC cards, USB keys, biometrics and other PKI are used), (2) Authentication result YES / NO binary only Something to output (partial biometric authentication, password-based authentication), (3) Some kind of character string output (partial USB key, MAC address, device having device ID such as BIOS serial number) The authentication data is classified according to the type of output data (second password), and the login ID, password, second password, and authentication type of the second password are associated with each other and stored in the server 5 or the user terminal A.

  In the case of the authentication method including the encryption logic of (1), in addition to the login ID, password, second password, and second password authentication type, the second password is the user's public key based on the PKI certificate (hereinafter referred to as the authentication method). The data (template data) encrypted with the PKI public key and signed with the user's private key (hereinafter referred to as the PKI private key) is stored in the server 5 or the user terminal A.

  The authentication interface is an authentication device determined by a request from the user, or the user's second password output from the authentication device determined in advance on the authentication interface side, and the type of the authentication device, along with the login ID and password. Received from A and collated with data already stored.

  If the authentication device includes encryption logic, the authentication interface receives template data corresponding to the login ID among the template data already stored in the server 5 or the user terminal A, and receives the user's PKI. The certificate is used for signature verification and decryption to obtain a second password, which is collated with already stored data.

  In the authentication interface, only the login ID and the second password may be verified, or the password verification may be omitted.

  If the authentication interface configured in this way is provided in the server 5 or the user terminal 4, the user can request user authentication by arbitrarily performing the number and combination of authentication types, Since user authentication can be performed with the determined number and combination of authentication types, the server 5 or the user terminal 4 can flexibly cope with the case where an authentication device is added. Further, since the authentication is not performed using only one type of password, the authentication accuracy is improved, and it is not necessary to maintain the confidentiality of the password completely, and the password itself can be stored in the user terminal 4.

  Returning to the description of the flowchart of FIG. 9, the authentication interface acquires the second password from an arbitrary authentication device as described above (S220).

  Here, the user A selects either user authentication (local login) at the user terminal A or user authentication (server login) at the server 5 (S225).

  In order to perform local login, a pair of public key and private key of user A is generated in the user registration flow of FIG. 8, and the login ID, password, and second password are associated with each other. And stored in the user terminal A, and further, stored in the user terminal A in a state where the generated secret key is encrypted by the second password.

  When local login is selected, the authentication interface displays user information (login ID, password, second password, authentication type, public / private key pair, second key required for user authentication on the user terminal A). It is confirmed whether or not a secret key encrypted with a password is registered (S230). If any one of the user information is not registered, the process proceeds to the server login flow of FIG. 9B. Also, when the local login is not selected, the process proceeds to B of FIG.

  If the user information is registered, the authentication interface collates the acquired user information with the user information stored in the user terminal A, and among the user information, the secret key encrypted with the second password. Is decrypted with the second password acquired by the authentication interface, and the decrypted secret key is collated with the secret key already stored in the user terminal A (S235).

  The secret key verification method in this embodiment will be described in detail below. In this embodiment, at the time of user registration, it is determined whether or not to perform local login. When it is determined that local login is to be performed, the usage status database 33a is generated in the user terminal A, and the usage status database 33a The user information including the public key and the secret key of the user A is stored.

  Further, at the time of user registration, after the user A's private key is replaced with another key by the replacement table, the usage status database 33a is encrypted.

  The replacement table is a kind of cryptanalysis table generated with random numbers and the like, and is a table showing the correspondence before and after replacement. In this embodiment, as will be described later, the policy file is also encrypted using this replacement table. This prevents the policy file from being directly touched by the user or the Service-to-Self, making it difficult for the policy file to be decrypted or used illegally.

  The replacement table is stored in the server information storage file. The server information storage file is a file generated for each server 5, that is, a file for identifying the server 5. Therefore, when the URL of the server 5 accessed by the user terminal A is changed, the server information storage file itself is also changed.

  The server information storage file includes a replacement table, a range of user IDs that the server 5 corresponding to the server information storage file allows to use the file management program 1, a URL of the program on the server 5 side, a user terminal A, A key for communication with the server 5 (for example, a public key of the server 5) is included. Here, the range of the user ID may be a start value and a mask value (range) of the user ID.

  The URL of the program on the server 5 side and the key for communication between the user terminal A and the server 5 initialize the program on the server 5 side when the user terminal A accesses the server 5 and load the server 5 In addition, the encrypted communication from the user terminal A is decrypted.

  In the present embodiment, when the user A stores the file management program 1 in the user terminal A, the server information storage file is stored together, and the server information storage file must be stored together. Thus, the file management program 1 cannot be stored. As a result, unauthorized use of the package file alone can be prevented.

  The authentication interface decrypts the encrypted secret key with the second password obtained from the authentication device to obtain the secret key (S235), and further replaces the secret key with the replacement table in the server information storage file. The encrypted usage situation database 33a is decrypted. If there is no problem by comparing the user information stored in the decrypted usage status database 33a with the user information acquired by the authentication interface, the user A has succeeded in authentication (login) ( S240, S245).

  When the user A successfully logs in, information such as name and affiliation name among the user information stored in the usage status database 33a is displayed on the screen of the user terminal A (this is called user information recovery). .

  If there is a problem such as no replacement table, no decryption, or an incorrect collation result in the login process so far, the login fails (S250) and the subsequent procedure cannot be performed.

  Next, the flow in the case of server 5 login will be described with reference to the flowchart of FIG. The authentication interface confirms whether the user terminal UID is registered in the user terminal A (S310). In this embodiment, whether or not the user terminal UID is registered is confirmed by whether or not the usage status database 33a is generated in the user terminal A and the user terminal UID is stored in the usage status database 33a. I can do it. In addition, identification information such as the MAC address of the user terminal A is detected from the user terminal A itself, and it is also confirmed by a method such as whether the usage status database 33a encrypted with the identification information can be decrypted. I can do it.

  If the user terminal UID is not registered, the authentication interface transmits the identification information of the user terminal A to the server 5 (S315). The server 5 generates and registers the user terminal UID based on the identification information of the user terminal A (S320).

  If the user terminal UID is registered in the user terminal A, the authentication interface transmits the login ID, password, second password, and second password authentication type of the user A to the server 5 (S325).

  The server 5 collates the transmitted information with the information stored in the authentication database 57 in the authentication unit 54 shown in FIG. 2 (S330), and if there is no problem, the user stored in the user database 55 Information is transmitted to the user terminal A (S335). At this time, the server 5 can also transmit the mail address list of other registered users and the public key list together with the user information of the user terminal A.

  If there is a problem during the verification, an error message is transmitted to the user terminal A (S340).

  Receiving user information from the server 5 means that user A has successfully logged in (S345). Based on this user information, the user terminal A displays information such as the user name and affiliation name on the screen (referred to as user recovery).

  From here, it demonstrates, referring the block diagram of FIG. 2, and the flowchart figure of FIG. The user terminal A displays the file package screen of the file package program 2 for the user who has logged in. 17 and 18 show examples of file package screens.

  The user A can validate the functional block in the file package program 2 by clicking an arbitrary button on the file package screen.

  In the present embodiment, first, the file designation unit 21 receives designation of a file to be managed from the user A (S410). In FIG. 17, a reference button for specifying an encryption target file, and in FIG. 18, a file addition button corresponds to file specification reception.

  Next, the policy formulation unit 22 receives from the user A policy formulation when another user uses the file specified by the file specification unit 21 (hereinafter referred to as the original file) (S420). In FIG. 17, the input on the security policy setting screen and the input on the policy setting screen in FIG. 18 correspond to acceptance of policy formulation.

  In this embodiment, the user / group (for example, user B, development group A, etc.) who is given the authority to use the original file, the expiration date of the original file, the number of times the original file has been used, the password for using the original file, Develop policies such as the usage rights (usage form) of the original file.

  In FIG. 17, the policy is composed of selection of permitted users / groups, selection of permitted operations (printing, editing, saving, browsing), and selection of browsing conditions (period, number of times, file password). , Setting of operation (view, print, save, edit), setting of period and number of times (period, time limit, number of times), setting of user and group, server check (right is checked by server 5 every time or fixed) The server 5 checks the right or limits the number of clients (terminals) that can be used) and password settings.

  In this embodiment, the user who is given the authority to use the original file is limited to the registered user, and the user terminal A selects the user based on the registered user's mail address list received from the server 5 in advance. . For example, the user may be selected in a batch for each group. FIG. 22 shows an example of an authorized user / group selection screen in the screen of FIG. As shown in FIG. 22, an authorized user / group is designated by clicking or the like from the address book displayed on the left side of the screen, and is displayed in the allowed user / group column on the right side.

  The policy formulation unit 22 generates an XML sentence based on the policy formulated by the user A on the user terminal A (S425). Note that the XML sentence is generated here in order to clarify the structure of the established policy and facilitate the generation of a policy file including a policy object, a usage right, a decryption key, and a usage condition. However, the XML statement is not necessarily generated.

  The generation of the XML sentence may be performed, for example, when the encryption button is clicked in FIG. 17, or may be performed when the button for saving the policy is clicked in FIG.

  Here, the user A selects whether to generate a policy file on the user terminal A (local package) or to generate a policy file on the server 5 (server package) (S430).

  When the local package is selected by the user A, as will be described later, a key is generated at the user terminal A, and the generated key is used when the user B uses the original file. 5 is not saved. Therefore, the authentication method of the authorized user of the original file is naturally only compatible with local login.

  Therefore, the user terminal A obtains a public key that is generated in advance for each authorized user (here, user B) of the original file (S435). The public key acquisition method is arbitrary. For example, when the user A logs in to the server, the public key list of the registered user may be received from the server 5 when the login is successful. Further, when user A performs user registration, a similar public key list may be received. Moreover, you may access the server 5 each time and acquire a public key of a use permission user. In the present embodiment, since the local login cannot be performed when the original file is used for the user who has not disclosed the public key, the user terminal A can perform only the server package.

  Here, it is assumed that the user terminal A that has selected the local package has the same functional block as the key generation unit 51 included in the server 5 in FIG. Therefore, the key generation unit 51 of the user terminal A generates, in addition to the random number decryption key for encrypting the original file, as many keys as the number of policy objects for opening the policy object of the policy file generated later. (S440).

  Further, the key generation unit 51 or the encryption unit (not shown) of the user terminal A obtains each use permission obtained previously from the key generated by the key generation unit 51 for opening the policy object. Encryption is performed with the user's public key (S445). This is because only the use-permitted user can use the original file by making it possible to decrypt the key only with the private key of the use-permitted user.

  The user terminal A is assumed to have the same functional blocks as the policy file generation unit 52 included in the server 5 in FIG. Therefore, the policy file generation unit 52 of the user terminal A integrates the use conditions, the use authority, the decryption key, and the key for opening the policy object, so that the policy file having the directory structure as shown in FIG. Is generated (S450). In this embodiment, the policy file is also generated in the XML format, like the established policy. Here, the policy file may be replaced by a predetermined replacement table.

  On the other hand, when the user A selects a package method other than the local package, that is, the server package in S430, the previously generated XML policy is transmitted from the user terminal A to the server 5 ( S455).

  The server 5 receives the policy and analyzes the policy structure included in the XML statement (S460). Here, a plurality of policy objects may be generated based on the policy.

  Based on the received policy, the key generation unit 51 of the server 5 generates a random number decryption key for encrypting the original file and keys as many as the number of policy objects (S465).

  The policy file generation unit 52 of the server 5 stores the package history of the original file in the history database 56 based on the key generated by the key generation unit 51 (S470), the key generated by the key generation unit 51, the policy A policy file is generated based on the policy formulated by the formulation unit 22 (S475). The policy file may be replaced by a predetermined replacement table.

  The server 5 transmits the generated policy file to the user terminal A (S480).

  The package unit 23 of the user terminal A encrypts the original file with a decryption key based on the policy file generated by the user terminal A in the case of a local package or the policy file generated by the server 5 in the case of a server package. At the same time, the encrypted original file and the policy file are packaged to generate a package file (S485). A series of steps from S425 to S485 may be performed with the click of the encryption button in FIG. 17 or the policy setting button in FIG.

  Note that the user A may add a signature to the generated package file so that a user other than the user A can detect that the original file has been tampered with. The signature is attached to the package file after encrypting the hash value of the original file to be detected for alteration with the private key of user A.

  The package file is stored in a predetermined storage location designated by the user A. The package file stored in the predetermined storage location is generated so that the authorized user can open it immediately, and at the same time, as shown in FIG. 19, it is attached to the email addressed to the authorized user and transmitted. Also good. Further, as shown in the lower part of FIG. 19, information on a policy set for a use-permitted user may be displayed in the mail body.

  Further, the search request unit 24 of the user terminal A can search the history of the package file created by the user A based on the history database 56. 20 and 21 show an example of a package history search screen displayed on the user terminal A. By using such a package history search screen, the user A can grasp for which user and under what usage conditions the original file has been packaged. It is also possible to review the policy and repackage the original file accompanying the policy modification.

  Next, an example in which the user B uses the original file in the package file packaged in the user terminal A of the user A will be described with reference to the configuration diagram of FIG. 4 and the flowcharts of FIGS. explain. It is assumed that the file use program 3 is installed in the user terminal B of the user B.

  The user B first designates a package file stored in a storage medium that can be accessed by the user terminal B by double-clicking on the user terminal B (S510).

  Note that the user B receives a notification from the user A that the original file usable by the user B has been packaged, or, as shown in FIG. 19, the user terminal A completes the packaging of the original file. The user terminal A may automatically transmit an email with the package file attached to the user terminal B. Alternatively, the file use program 3 may be activated first, and the file designation unit 31 may accept the designation of a package file that the user B wants to use.

  In the present embodiment, the user terminal B is configured to start the installed file usage program 3 in conjunction with the specification of the package file. First, the file usage program 3 executes the file of the specified package file. The format is checked (S515).

  Further, the file utilization program 3 extracts information (ID space information) on the range of user IDs that can use the package file from the package file (S520), and the file utilization program 3 retrieves the extracted ID space. It is confirmed whether the server information storage file and the replacement table corresponding to the information are stored in the user terminal B (S525). Here, if there is no replacement table, the package file is a file that cannot be used by the user B by the file use program 3, so an error notification is sent to the user terminal B (S530).

  If the replacement table exists, the file use program 3 extracts the file basic information from the package file (S535).

  Based on the extracted file basic information, the file use program 3 displays a user list of users who are permitted / not permitted to use the original file on the screen of the user terminal B (S540).

  Based on the screen display of the user terminal B, the user B confirms that it is included in the use permission user of the original file, and then logs in to the file use program 3 (S545). An example of the flow of log-in to the file use program 3 is the same as that described for log-in to the file package program 2 in the flowcharts of FIGS.

  At the time of logging in the file use program 3, not only authentication as to whether the user B is a registered user of the file management program 1, but also authentication as to whether the user B has the authority to use the original file may be performed. In that case, and when performing server login, the identification information of the package file or the original file is transmitted from the user terminal B to the server 5 together with the authentication information of the user B, and the authentication unit 54 of the server 5 Based on whether the received information is stored in the authentication database 57, the user B is authenticated.

  Further, whether or not the user B is a user who has the authority to use the original file may be one of the usage conditions of the policy, and the decryption key decryption unit 34 may authenticate when the usage conditions are collated. As an authentication method, it is also possible to check whether or not the usage status database 33a encrypted with the identification information of the authorized user or the identification information described therein is generated in the user terminal B.

  The flow after successful login will be described with reference to the flowcharts of FIGS. 13 to 15 and the configuration diagrams of FIGS. In this embodiment, when the specific package file is used for the first time, the database generation unit 33 generates the usage status database 33a in the user terminal B. It is assumed that the policy file contains three policy objects, and these three policy objects are chain-connected in the policy file and encrypted to the policy object that contains the usage conditions that will be checked at the end. It is assumed that the original file decryption key and the original file usage authority are connected.

  When the user B successfully logs in, the decryption key decryption unit 34 included in the file use program 3 is activated and starts decrypting the policy file (S610). Here, when the policy file included in the package file is encrypted (S615), the decryption key decryption unit 34 (or decryption unit 35) decrypts the encrypted policy file, so that the user The replacement table stored in terminal B is extracted (S620).

  Here, it is assumed that the policy file is encrypted with a key B obtained by replacing an arbitrary key A with a replacement table as shown in FIG.

  The decryption key decryption unit 34 (or decryption unit 35) extracts the key A stored in the file information of the server information storage file or the package file (S630), and uses the replacement table as a key for the key A. Replace with B (S635). Here, if the replacement from the key A to the key B is not performed, the replacement table is falsified, and the falsification is detected and the subsequent steps are not allowed to proceed (S640). The replaced key B is expanded on the temporary memory 43 (S645).

  The decryption key decryption unit 34 (or decryption unit 35) decrypts the encrypted policy file using the key B (S710). Here, if the encrypted policy file is not decrypted, it means that the key B has been tampered with by someone, so that tampering is detected and it is not possible to proceed to the subsequent steps. (S715).

  Since the policy file has been decrypted, the collation / update means 34a of the decryption key decryption unit 34 shown in FIG. 6 takes out the use condition 1 corresponding to the policy object 1 out of the three policy objects constituting the policy file. (S720). Note that the first verification / update unit 34a may be activated by, for example, the key 0 (shown in FIG. 6) sent from the server 5 when the user B has successfully logged in, or the password or identification It may be performed by inputting the symbol.

  As described above, all or a part of the usage conditions and keys may be stored in a storage medium such as the server 5 or a CD-ROM where data cannot be rewritten. It may be issued to user B as a separate file.

  In particular, when the policy includes usage conditions that require a legitimate evaluation and judgment, such as the date and time, the number of keys and usage conditions, all or part of the usage conditions are stored in the server 5, or the policy file It is more effective to prevent unauthorized use of the original file if it is a separate file. However, if a key or usage conditions are stored on the server 5 side, the user terminal 4 must access the server 5 each time the original file is used, and the network connection burden increases accordingly. Attention should be paid to the design of 5.

  The collation / update means 34a checks whether or not the usage status 1 corresponding to the extracted usage condition 1 exists in the usage status database 33a in the user terminal B (S725). The usage condition 1 of the present embodiment is a usage condition that requires comparison and collation with data stored in the usage status database 33a in the user terminal B. However, there are naturally usage conditions that can be verified by the user terminal B and usage conditions that can be verified by the server 5. In this case, the generation of the usage status database 33a is not essential.

  When the usage status database 33a itself or the usage status 1 does not exist in the user terminal B, the user terminal 4 other than the user terminal B indicates that the original file is likely to be used illegally. Do not proceed to the step (S730).

  It is also possible to detect falsification of the policy file, usage conditions, and usage status by taking the hash value of the policy file, usage conditions, and usage status in the verification / update means 34a.

  When the usage status 1 exists in the user terminal 7 (S725), the collation / update means 34a corresponds to the usage status 1 satisfying the usage rule 1, that is, the usage within the range of the usage rule 1. It is confirmed whether or not (S735).

  For example, the usage condition 1 is “the usage limit number is 10”, and if the usage status 1 stored in the user terminal B is “the current usage count is 3”, the usage condition 1 is satisfied. To do. On the other hand, if the usage status 1 is the current usage count of 10, it is determined that the usage condition 1 has not been satisfied, and the subsequent steps are not allowed to proceed (S740). As described above, FIG. 23 shows an example of an error screen displayed on the user terminal B when the process cannot proceed to the subsequent steps.

  When the usage condition 1 and the usage status 1 are verified, the usage status 1 is updated, and the key 1 necessary for proceeding to the next verification / updating means 34b is taken out (S745).

  For example, when the corresponding usage condition is related to “number of times”, the usage status is updated automatically by adding 1 to the cumulative usage count or subtracting 1 from the remaining usage count. Is done.

  Even if the usage conditions are permanent usage rights such as indefinite or unlimited number of times, the contents are empty to prevent unauthorized use of the original file by users who do not have usage rights. Alternatively, a process of generating the usage status database 33a composed of meaningless data in the user terminal and confirming the existence of the usage status database 33a is always performed when the usage conditions and the usage status are collated.

  The key 1 extracted from the policy object 1 opens the next policy object 2 and the usage condition 2 corresponding to the policy object 2 is extracted (S810).

  The collation / update unit 34b of the decryption key decryption unit 34 confirms with the server 5 whether or not the user B satisfies the use condition 2 (S815). For example, if the usage condition 2 is the expiration date of the original file, the decryption key decryption unit 34 transmits the usage condition 2 to the server 5 and receives information on the current date and time from the server 5, or the server In step 5, the current date and time are compared with the use condition 2, and the result is transmitted.

  Further, if the usage condition 2 is, for example, the number of simultaneous accesses to the package file, the decryption key decryption unit 34 transmits the usage condition 2 to the server 5, and the login access history from the server 5 to the package file, etc. Receive information about the number of simultaneous accesses based on the information.

  If the user B does not satisfy the use condition 2, the use process of the original file is stopped on the spot (S820). If the user B satisfies the use condition 2, the key 2 included in the policy object 2 is taken out, and the policy object 3 is opened by the key 2. Then, the use condition 3 corresponding to the policy object 3 is extracted (S825).

  Then, the same procedure as S815 to S825 is taken for the use condition 3, and the decryption key decryption unit 34 finally obtains the decryption key and the use authority of the user B (S830). These decryption keys and usage rights are expanded in the temporary memory 43 of the user terminal B so as not to be used illegally, but are not stored in a storage medium such as the hard disk 44.

  The decryption unit 35 extracts the encrypted original file from the package file, and decrypts the encrypted original file using the previous decryption key (S835).

  The decrypted original file is expanded on the temporary memory 43 instead of the hard disk 44 of the user terminal B, as in the previous decryption key and usage authority, and the original file can be used on the temporary memory 43. The reason why the original file is not stored in the hard disk 44 of the user terminal B is to prevent the use of the original file ignoring the use conditions once stored in the hard disk 44. .

  The file use control unit 36 activates the corresponding software 42 corresponding to the type of the decrypted original file on the user terminal B (S840), and enables the use of the original file on the corresponding software 42. At that time, the operation of the corresponding software 42 is controlled based on the acquired use authority (S845). For example, when the use authority acquired by the user B is only to view the original file, the save button and the print button appearing on the screen of the corresponding software 42 are not displayed. In addition, the file usage control unit 36 detects the operation and cancels the use of the original file when the user B tries to use (for example, printing or saving) outside the usage authority acquired. Or a warning display may be performed on the screen of the user terminal B.

  The corresponding software 42 may be prepared in the user terminal B according to the type of the original file, or may be multi-compatible software that does not depend on the type of the original file. Corresponding software 42 may be included in the file use program 3.

  When the user B finishes using the original file, if the corresponding software 42 is closed on the user terminal B, the data such as the decryption key, the use authority, the original file, etc. that are expanded in the temporary memory 43 are deleted. Only the original package file remains in the storage medium accessible by the user terminal B. Even when the user B uses the original file thereafter, the original file can be used within the range of the use conditions and the use authority through the same decryption key decryption process as before.

  It should be noted that moving, copying, and duplicating the storage location of the package file set is optional. In addition, as an aspect of the usage authority, when the original file is allowed to be saved or edited, the original file itself can be saved in the hard disk 44. Once the original file is stored in the hard disk 44, the original file can be used by starting the corresponding software 42 without starting the file use program 3 thereafter.

  Next, a procedure for updating the package file when editing of the original file is permitted as one aspect of the usage authority will be described below. The file usage program 3 includes the repackaging unit 37 from the beginning. However, if the usage authority acquired by the decryption key decryption unit 34 does not include editing, the repackaging unit 37. It is desirable to be controlled so as not to operate.

  First, when the original file is edited on the user terminal B of the user B who has acquired the use authority to edit the original file, the repackaging unit 37 confirms that the original file has been edited from the corresponding software 42. Get notified.

  Therefore, the repackaging unit 37, after finishing editing (for example, displaying the “repackage button” on the screen of the user terminal B and detecting that it has been clicked, etc.), edits the edited original file before editing. The original file is encrypted with the same decryption key that was encrypted and packaged together with the policy file and basic file information to generate a package file. The generated package file is overwritten on the original package file. That is, the original package file is deleted, and the new package file is stored in the storage location of the original package file.

  The policy file is basically the same as the original policy file, but the file basic information may be used for repackaging in a state where the contents are partially updated.

When the original file is repackaged, the user who created the original file may be notified to that effect. In addition, since the access history and repackage history of the user B to the server 5 are sequentially stored in the history database 56 of the server 5, the user A who created the original file can search the search unit 53 of the server 5 from the search request unit 24. The user B may be requested to search the original file usage history. Thereby, the user A can perform tracking and management after creating the original file.

  Each means and database in the present invention are logically distinguished from each other in function, and may be physically or virtually the same area. Needless to say, a data file may be used instead of the database, and the description of the database includes the data file.

  In carrying out the present invention, the present invention is also realized by supplying a storage medium recording a software program for realizing the functions of the present embodiment to the system, and reading and executing the program stored in the storage medium by the computer of the system. Is done.

  In this case, the program itself read from the storage medium realizes the functions of the above-described embodiments, and the storage medium storing the program constitutes the present invention.

  The program of the present invention is supplied mainly by a method of downloading to a computer via the network 6 such as the LAN 6a or the Internet 6b. In addition, supply to a computer from a portable storage medium such as a magnetic disk, an optical disk, a magneto-optical disk, a magnetic tape, and a nonvolatile memory card is also possible.

Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an operating system running on the computer is one of the actual processes based on the instructions of the program. A case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is also included in the present invention.

It is a figure which shows one Example of the connection structure of the user terminal which installed the file management program, and a server. It is a figure which shows one Example of a structure of a file package program and a server. It is a conceptual diagram which shows the outline process which produces | generates a package file. It is a figure which shows one Example of a structure of a file utilization program, and a structure of a user terminal. It is a figure which shows one Example of the data structure of a package file. It is a block diagram which shows the other Example of a structure of a user terminal. It is a conceptual diagram which shows the general | schematic process of encrypting a policy file. It is a flowchart figure which shows an example of the flow of the process of this invention. It is a flowchart figure which shows another example of the flow of the process of this invention. It is a flowchart figure which shows another example of the flow of the process of this invention. It is a flowchart figure which shows another example of the flow of the process of this invention. It is a flowchart figure which shows another example of the flow of the process of this invention. It is a flowchart figure which shows another example of the flow of the process of this invention. It is a flowchart figure which shows another example of the flow of the process of this invention. It is a flowchart figure which shows another example of the flow of the process of this invention. It is a figure which shows an example of a login screen. It is a figure which shows an example of the screen for file packages. It is a figure which shows another example of the screen for file packages. It is a figure which shows an example of a mail transmission screen. It is a figure which shows an example of a package history search screen. It is a figure which shows another example of a package history search screen. It is a figure which shows an example of the selection screen of an authorized user / group. It is a figure which shows an example of an error screen.

Explanation of symbols

1: File management program 2: File package program 21: File specification unit 22: Policy formulation unit 23: Package unit 24: Search request unit 3: File use program 31: File specification unit 32: Authentication request unit 33: Database generation unit 33a : Usage situation database 34: Decryption key decryption units 34a, 34b, 34c: Verification / update means 35: Decryption unit 36: File usage control unit 37: Repackage unit 4: User terminal 42: Corresponding software 43: Temporary memory 44: Hard disk 5: Server 51: Key generation unit 52: Policy file generation unit 53: Search unit 54: Authentication unit 55: User database 56: History database 57: Authentication database 6: Network

Claims (13)

A file management program having a file package program for centralized management of an original file stored and executed in a user terminal and created by an arbitrary user,
The file package program is:
A file specification section that accepts the specification of the original file that you want to manage,
A policy formulation unit that formulates a policy for using the original file;
A package unit that generates a package file by packaging a common key generated for each original file, a policy file generated based on the policy, and an original file encrypted with the common key;
Only users who satisfy the policy usage conditions can expand the common key in the policy file and the authority to use the original file on the temporary memory of the user's terminal, and further decrypted with the common key A file management program that generates the package file so that the original file can be expanded only on the temporary memory, and the original file can be used within the range of the use authority.
The file package program further includes:
The file management program according to claim 1, further comprising: a search unit that searches for information related to a package history of the package file and information related to a user's access history to the package file.
The file package program is:
A notification unit for generating a package file in the package unit and notifying generation of the package file or sending the package file by mail attachment to a user terminal of a user who is authorized to use the original file The file management program according to claim 1, wherein the file management program has a file management program.
A file management program having a file usage program for restoring and using the original file packaged by the file package program stored and executed in the user terminal and integrated with the original file created by an arbitrary user Because
The file utilization program is:
Among the package files, a file specification part that accepts specification of the package file in which the original file you want to use is packaged,
When the usage conditions of the policy constituting the policy file in the package file are checked, and the usage of the original file is usage within the range of the usage conditions, a common key generated for each original file is used. Then, the decryption key of the original file used for encryption and the authority to use the original file are acquired from the policy file, and the decryption key and the authority to use are expanded on the temporary memory of the user terminal. A decryption key decryption unit,
A decryption unit that decrypts the encrypted original file in the package file with the acquired common key, and expands it on a temporary memory of the user terminal;
A file management program, comprising: a file usage control unit that controls usage of the original file based on the acquired usage right.
The file usage control unit
It is means for performing API hooking by controlling the corresponding software of the original file and performing a function call instruction based on the acquired use authority from the corresponding software to the OS or middleware of the user terminal. The file management program according to claim 4.
The file utilization program further includes:
When the encrypted original file in the package file is decrypted and the original file is edited based on the user's usage rights, the edited original file is packaged together with the policy file again, and the original package The file management program according to claim 4, further comprising a repackage unit that updates a file.
The file utilization program is:
The information processing apparatus according to claim 6, further comprising: a notification unit that notifies the user terminal or server of a user who created the original file that the repackage has been performed when the original file is repackaged. File management program.
The file utilization program is:
A usage database that can update the usage status of the original file by the user terminal every time the user terminal tries to use the original file in the package file can be read and updated by a user terminal other than the user terminal. The file management program according to any one of claims 4 to 7, further comprising: a database generation unit that generates the user terminal in such a state that the user terminal does not exist.
Part or all of the policy file is stored on the server,
The file utilization program is:
The file management program according to any one of claims 4 to 8, wherein the server requests the server to collate usage conditions in the policy file.
The policy file is encrypted with a key replaced by a replacement table generated for each server,
The file management program according to any one of claims 1 to 9, wherein the replacement table stores the file management program in the user terminal as well as the file management program.
The policy file is
The usage conditions are described in association with a plurality of policy objects,
When the usage conditions corresponding to any policy object are satisfied, the key to open another policy object can be obtained, and finally all policy objects are opened and all usage conditions are The file according to any one of claims 1 to 10, wherein the file has a chain data structure in which the decryption key and the use authority can be extracted only when the condition is satisfied. Management program.
The file management program is:
An authentication interface for performing authentication as to whether or not the user is a registered user of the file management program or whether or not the user is permitted to use the original file included in the use condition;
The authentication interface is
The second password of the user output from the authentication device determined by the request from the user or the authentication device predetermined on the authentication interface side, and the type of the authentication device, the login ID and password of the file management program The file management program according to any one of claims 1 to 11, wherein the file management program is transmitted from the user terminal to a server and requested to collate with data already stored in the server.
The authentication interface is
If the authentication device includes encryption logic, the template data corresponding to the login ID is acquired from the template data stored in the server or the user terminal, and the user's PKI certificate is used. The file management program according to claim 12, wherein the second password is obtained by performing signature verification and decryption, and a verification with data already stored in the server is requested.

Images