JP2008124837A - Data management system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To appropriately restrict access even when a secondary data base is disclosed. <P>SOLUTION: The data management system is constituted by including a DB server 100 and a key management server 200. The key management server 200 is provided with: a DB use/registration request input port 206 which receives a registration request for registering a data base including data of a data base of the DB server 100 in the DB server 100 together with a use permission condition and a registration permission condition of the data base from a client terminal 300; a DB registration condition propriety judgment module 211 which judges whether or not the use permission condition and the registration permission condition meet a registration permission condition of a data base at an acquisition source; and an encryption key generation module 212 which generates and transmits an encryption key for registration for encrypting the data base for registration to the DB server 100 when the use permission condition and the registration permission condition are judged to meet the registration permission condition. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a data management system that manages a database stored in a database server in a secure and usable manner.

  Recently, there have been a series of incidents in which confidential databases are taken out without permission and put into a personal computer at home, and leaked to the Internet through file exchange systems, etc., and the protection of confidential data is at risk. ing. In order to prevent such a crisis, a technique for restricting the access right to the database and preventing the access to the database for those without the access right is used.

For example, as described in Patent Document 1, there is one using a security descriptor. However, in this method, there is a risk that the object is hacked by overwriting the security descriptor. Therefore, a method of protecting a confidential database by encrypting the database itself and giving an encryption key only to those who have access rights is used.
JP 2002-517854 A

  However, in the method of giving an encryption key only to those who have access rights, a person who has access rights decrypts the encrypted database and generates a secondary database containing the decrypted data. Once published, there was a problem that even those who did not have access to the original database could refer to it.

  The present invention has been made to solve the above problems, and appropriately restricts access even when a secondary database generated from data stored in the database is disclosed. An object of the present invention is to provide a data management system.

  In order to achieve the above object, a data utilization system according to the present invention is a data management system including a database server and a key management server connected to each other via a network. A database storage means for storing the converted database, a decryption means for decrypting the database stored in the database storage means with a server encryption key transmitted from the key management server, and a calculation procedure transmitted from the key management server. Based on the information shown, the operation means for performing an operation on the database decrypted by the decryption means, and the result data of the operation by the operation means are encrypted and output by the terminal encryption key transmitted from the key management server. The decryption means uses the server encryption key sent from the key management server. The key management server stores information indicating the use permission condition and registration permission condition of the database stored in the database server for each user and attribute of the database. A condition storage means for receiving, an acquisition request receiving means for receiving an acquisition request for data stored in a database stored in a database server and transmitted from a terminal, and information identifying a user related to the acquisition request; and a receiving means The use request determination unit that determines whether the data related to the received acquisition request can be used by the user by referring to the use permission condition stored in the condition storage unit, and the use determination unit determines When it is determined that such data can be used by the user, the database storing the data is decrypted. The encryption key for the server to be encrypted, the encryption key generation means for use for generating the encryption key for the terminal for encrypting the acquired data, the information indicating the calculation procedure for acquiring the data related to the acquisition request, and the encryption Along with the server encryption key and the terminal encryption key generated by the key generation means, the transmission request means for transmitting the data transmission request related to the acquisition request from the terminal to the database server, and the terminal responds to the transmission by the transmission request means. Registration request receiving means for receiving a registration request for registering the acquired data in the database server as a database together with information indicating the use permission condition and the registration permission condition for each user and attribute of the database, and receiving the registration request The data use permission condition and registration permission condition related to the registration request received by the A registration permission determination unit that determines whether or not the registration permission condition of the database is satisfied by referring to the registration permission condition stored in the condition storage unit, and the use permission condition of the data related to the registration request by the registration permission determination unit When the registration permission condition is determined to satisfy the registration permission condition of the database from which the data is acquired, a registration encryption key for encrypting the data for registration in the database server is generated. And a registration encryption key generation means for transmitting to the terminal.

  In the data utilization system according to the present invention, an acquisition request for data stored in the database of the database server is transmitted from the terminal to the key management server. The key management server generates two encryption keys for acquiring the data only when an acquisition request is made to the attribute data that satisfies the license condition from a user who satisfies the license condition of the database. The That is, in the terminal, only data having an attribute satisfying the use permission condition is acquired by a user who satisfies the use permission condition of the database.

  Further, when registering data acquired from a database stored in the database server as a new database in the database server, the following processing is performed in the key management server. That is, in the key management server, a registration encryption key for registration is generated only when the use permission condition and registration permission condition of the new database satisfy the registration permission condition of the database that is the acquisition source. As a result, even if a secondary database generated from the data stored in the database is registered and released on the database server, the secondary database license agreement is the database from which the data was acquired. Because the registration permission conditions are followed, it is possible to restrict access appropriately.

  The database server and the key management server are preferably configured integrally. According to this configuration, the data management system according to the present invention can be realized with a simpler configuration.

  The database server preferably further includes attribute information storage means for storing information indicating the attributes of the database stored in the database storage means. According to this configuration, the user can know what kind of database is stored in the database storage unit by referring to the information stored in the attribute information storage unit.

  In the present invention, when data acquired from a database stored in a database server is registered in the database server as a new database, the following processing is performed in the key management server. That is, in the key management server, a registration encryption key for registration is generated only when the use permission condition and registration permission condition of the new database satisfy the registration permission condition of the database that is the acquisition source. Therefore, according to the present invention, even if a secondary database generated from the data stored in the database is registered and released to the database server, the usage permission condition for the secondary database is the data Since it follows the registration permission condition of the database from which it is acquired, it is possible to restrict access appropriately.

  Hereinafter, preferred embodiments of a data management system according to the present invention will be described in detail with reference to the drawings. In the description of the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted.

  FIG. 1 shows an embodiment of a data management system 1 according to the present invention. As shown in FIG. 2, the data management system 1 according to the present embodiment includes a DB server (database server) 100, a key management server 200, and a client terminal 300. The data management system 1 is a system that manages a database stored in the DB server 100 so that it can be used. The DB server 100, the key management server 200, and the client terminal 300 are each connected to the network N and can exchange data with each other. Specifically, the network N corresponds to, for example, the Internet or an intranet.

  The DB server 100 stores a database and outputs data stored in the database in response to a request (use request) sent from the client terminal 300 via the key management server 200. The database stored in the DB server 100 is a relational database. As shown in FIG. 2, the DB server 100 includes, as functional components, a DB database 101 (database storage means), a DB thumbnail database 102 (attribute information storage means), and a DB / DB thumbnail storage. A module 103, an encryption key input port 104, a DB encryption module 105 (encryption means), a DB decryption module 106 (decryption means), a DB operation procedure input port 107, a DB operation processing control module 108, A database management module 109, a DB operation module 110 (calculation means), a DB / DB thumbnail input / output port 111, and a DB operation procedure storage module 112 are provided. The functions of these components will be described in the description of the processing described later. The DB server 100 includes hardware such as a CPU (Central Processing Unit), a memory, a hard disk, and a communication module, and the functional components described above are realized by the operation of these hardware according to a program or the like. The

  The key management server 200 is a device for managing the access rights of the database stored in the DB server 100. As shown in FIG. 3, the key management server 200 includes, as functional components, a DB registration database 201 (condition storage means), a DB server DB use / registration history database 202, and a client terminal DB use history database 203. DB server encryption key database 204, client terminal encryption key database 205, DB use / registration request input port 206 (acquisition request receiving means, registration request receiving means), database management module 208, DB calculation procedure A search module 209, a DB use execution availability determination module 210, a DB registration condition availability determination module 211 (registration availability determination means), an encryption key generation module 212 (use encryption key generation means, registration encryption key generation means), An encryption key transmission module 213 (transmission request means); It is constituted by a No. key output port 214. The functions of these components will be described in the description of the processing described later. The key management server 200 includes hardware such as a CPU, a memory, a hard disk, and a communication module, and the functional components described above are realized by the operation of these hardware according to a program or the like. Further, since the key management server 200 is a device that manages database access rights, it is desirable that the key management server 200 has a high tamper resistance.

  The client terminal 300 is a terminal used by a user, and is used for generation and reference of database data by a user operation. Specifically, the client terminal 300 corresponds to, for example, a PC (Personal Computer). In FIG. 1, only one client terminal 300 is illustrated, but the data management system 1 normally includes a plurality of client terminals 300.

  As shown in FIG. 4, the client terminal 300 includes, as functional components, a user interface 301, a DB registration request module 302, a DB use / registration request output port 303, a DB use request module 304, and a DB operation. A procedure generation module 305, an encryption key input port 306, a DB encryption module 307, a DB decryption module 308, a DB storage module 309, and a DB input / output port 310 are configured. The client terminal 300 is provided with hardware such as a CPU, a memory, a hard disk, and a communication module, and the functional components described above are realized by operating these hardware according to a program or the like.

  Subsequently, processing executed in the data management system 1 will be described. First, using the sequence diagram of FIG. 4, a process until a new database is created and registered in the DB server 100 in the client terminal 300 will be described.

  First, in the client terminal 300, the database is created by the user A using the user interface 301 of the client terminal 300 (S01) (hereinafter, the database created by the user A is referred to as DB (a)). . The user interface 301 is for receiving data input from a user such as a keyboard or a monitor and outputting the data so that it can be referred to by the user. DB (a) is a relational database. For example, DB (a) holds data related to sales of each employee of the company. Specifically, the table shown in FIG. 6A is held, and the data of each attribute (field) (“employee ID”, “responsible district”, “business performance”) is stored for each record in the table. Is stored. In addition to the above, for example, “name” may be included in the attribute of DB (a).

  Subsequently, in order to register the DB (a) in the DB server 100, the client terminal 300 stores the thumbnail (metadata) of the DB (a) (hereinafter referred to as DBth (a)), the use permission condition (hereinafter, referred to as “DBth (a)”). uC (a)) and registration permission conditions (hereinafter referred to as rC (a)) are generated.

  The thumbnail is information defined for “number of records, attribute name (field name), data format” in the database. By referring to this information, it is possible to know what data is stored in the database. For example, for DB (a) shown in FIG. 6A, {number of records: 9, attribute name: “employee ID” (character string), “responsible district” (category, category: A, B, C, “ A thumbnail DBth (a) of “business results” (positive integer, unit: 1,000 yen / week)} is generated. For example, this generation may be automatically performed with reference to the generated DB (a). Alternatively, it may be performed by an operation on the client terminal 300 of the user A.

  Further, the use permission condition is a condition indicating authority to use the database. The use permission condition is set for each attribute of the user and the database. Specifically, the information indicating the use permission condition is stored in a table as shown in FIG. The table holds data for each user specified by the user identifier in the row direction, and data of each attribute (“employee ID”, “responsible district”, “business results”) in the column direction. The license data for is held.

  The contents of the usage agreement are divided into “reading”, “totaling / calculation”, and “writing to secondary DB”. “Reading” refers to reading the data into the memory (of the DB server 100). “Aggregation / calculation” is to aggregate the data read into the memory by the above “reading” or to perform an operation on the data. The aggregated or calculated data is used as data constituting a new (secondary) database. “Write to secondary DB” is to write the data read into the memory by the above “read” as data constituting a new (secondary) database (to a disk or the like of the DB server 100). In the use permission condition table, the permitted contents are written for each item of “read”, “total / calculation”, and “write to secondary DB” for each user (identifier) and attribute (accordingly, therefore). , It will be blank for those not allowed). Regarding permitted contents, for example, “read” and “write to secondary DB” read “sequential” “random”, and “summation / calculation”, “other DB variables and The specific processing content for specifying the operation content such as “multiplication / division” is specified.

  For example, as shown in FIG. 7A, for “employee ID”, “Read” and “Write to secondary DB” are permitted for user B and user C, and for user D, Nothing is permitted. As for “business results”, “reading” and “aggregation / calculation” are permitted for user B and user C, and nothing is permitted for user D. The permitted content of “aggregation / calculation” is that user B is only allowed to calculate “standard deviation for each responsible area”, but for user C, “standard deviation for each responsible area”. In addition to the above calculation, derivation of “multiplication / division with other DB variables” and “standard deviation for each responsible area” is permitted.

  The registration permission condition indicates the range (upper limit) of the license condition to be set in the new database when the data acquired from the database becomes a component of the new (secondary) database. It is a thing. The registration permission condition rC (a) is also a range (upper limit) of the registration permission condition to be set in the new database. A secondary database in which usage permission conditions and registration permission requirements that permit usage modes that are not set in the registration permission conditions cannot be registered in the DB server 100. Specifically, the information indicating the registration permission condition is stored in a table as shown in FIG. 7B, similarly to the use permission condition.

  The use permission condition uC (a) and the registration permission condition rC (a) are created by the user A using the user interface 301 of the client terminal 300. The generated DBth (a), uC (a), and rC (a) are stored in the DB registration request module 302 as each piece of information related to DB (a).

  Subsequently, in the client terminal 300, the DB registration request module 302 adds uC (a) and rC (a) to DBth (a). Subsequently, DBth (a), uC (a), and rC (a) manage the key as a registration request (registration request) to the DB server 100 of DB (a) via the DB use / registration request output port 303. It is transmitted to the server 200 (S02). This registration request includes a user identifier that identifies user A. This process is performed with user A's operation on the client terminal 300 as a trigger.

  In the key management server 200, the transmitted registration request is received by the DB use / registration request input port 206. The received registration request is output to the DB registration module 207. Subsequently, the DB registration module 207 generates and assigns “ID: DB (a)”, which is an ID for identifying the database, to DBth (a). Subsequently, the DB registration module 207 sends information related to the ID and the registration request to the DB registration database 201 via the database management module 208 {“ID: DB (a)”, “User A”, “DBth (a ) ”,“ UC (a) ”,“ rC (a) ”} are stored (S03).

  Subsequently, the DB registration module 207 instructs the encryption key generation module 212 to create an encryption key. Upon receiving the instruction, the encryption key generation module 212 generates the encryption key K (a) for DB (a). This encryption key is a registration encryption key for encrypting the database when the database is registered in the DB server 100. The encryption key is a common key, and a database encrypted with the encryption key can be decrypted with the encryption key. The generated encryption key K (a) is stored in the DB server encryption key database 204 via the database management module 208. In this storage, the encryption key can be identified as being for DB (a), for example, by associating it with “ID: DB (a)” which is the ID of DB (a). The In order to improve security, the DB server encryption key database 204 and the client terminal encryption key database 205 in which encryption keys are stored are formed in a tamper-resistant area such as a special chip.

  The generated encryption key K (a) is output from the encryption key generation module 212 to the encryption key transmission module 213. Subsequently, the encryption key is transmitted from the encryption key transmission module 213 to the client terminal 300 that transmitted the registration request via the encryption key output port 214 (S04). This transmission is performed in a state protected by SSL (Secure Socket Layer) or the like in order to improve security. In addition to the transmission of the encryption key, the key management server 200 notifies the client terminal 300 of the ID “ID: DB (a)” of DB (a).

  In the client terminal 300 of the user A, the encryption key K (a) transmitted from the key management server 200 is received by the encryption key input port 306. Subsequently, DB (a) is encrypted with K (a) by the DB encryption module 307 (hereinafter, the encrypted database is referred to as “enDB”). The enDB (a) that is an encrypted database is stored in the DB storage module 309. After that, “ID: DB (a)” and DBth (a) are attached to enDB (a) and transmitted (uploaded) to the DB server 100 (S05).

  In the DB server 100, enDB (a) is received by the DB / DB thumbnail input / output port 111. The received enDB (a) is output to the DB / DB thumbnail storage module 103 and stored in the DB database 101 in association with “ID: DB (a)” by the DB / DB thumbnail storage module 103. The DBth (a) is stored in the DB thumbnail database 102 in association with “ID: DB (a)” by the DB / DB thumbnail storage module 103 (S06). The above is the processing from when a new database is created in the client terminal 300 and registered in the DB server 100.

  In the following description, the user B generates a database DB (b) by using a client terminal 300 different from the client terminal 300 of the user A, and enDB (b) is transferred to the DB server 100 by the same processing as described above. It shall be registered. DB (b) holds data relating to personnel of each employee of the same company as user A. Specifically, the table shown in FIG. 6B is held, and data of each attribute (“employee ID”, “address”, “HR evaluation”) is stored for each record in the table. Yes. In addition to the above, for example, “name” may be included in the attribute of DB (b). Further, the usage permission condition uC (b) of DB (b) is as shown in FIG. 8 (a), and the registration permission condition rC (b) of DB (b) is as shown in FIG. 8 (b). is there.

  Subsequently, using the sequence diagram of FIG. 9, the data of DB (a) and DB (b) is acquired from the DB server 100 by the client terminal 300 of the user C different from the user A and the user B, and new data Processing until the database is generated will be described.

  First, in the client terminal 300, a database reference request is transmitted to the DB server 100 by the operation of the user C on the user interface 301 (S11).

  In the DB server 100, the reference request transmitted from the client terminal 300 is received by the DB / DB thumbnail input / output port 111. The reference request is output to the DB / DB thumbnail storage module 103. Subsequently, the database thumbnail is acquired from the DB thumbnail database 102 by the DB / DB thumbnail storage module 103 and transmitted to the client terminal 300 of the user C via the DB / DB thumbnail input / output port 111 (S12). ). The transmitted thumbnail includes DBth (a) and DBth (b).

  In the client terminal 300 of the user C, the thumbnail transmitted from the DB server 100 is received, and an output such as a screen display is performed by the user interface 301 so that the user C can refer to the thumbnail. A database having a table as shown in FIG. 10 by acquiring data from DB (a) and DB (b) by user C based on DBth (a) and DBth (b) of the displayed thumbnails. Information indicating the calculation procedure F (c) for generating DB (c) is generated (S13).

  DB (c) holds data of “ability index” indicating appropriateness of personnel evaluation for each district in charge of employees of the same company as user A and user B. The “ability index” is a value calculated by dividing the numerical value of “HR evaluation” from the numerical value of “business performance” for each employee. For example, it is assumed that the user C is the president's office manager and is working on improving the personnel system and strengthening the sales system. Is there a noticeable divergence for each employee in the personnel evaluation of the sales performance from the database related to the sales created by user A who is the sales manager and the database related to the personnel created by user B who is the personnel manager? The DB (c) is generated when it is attempted to verify whether there is no problem in the arrangement of the sales staff members.

The calculation procedure F (c) is, for example, as follows.
(1) DB (a) [field {“employee ID”, “responsible district”, “business results”} × record {“n” (n = 1-9)}] is read sequentially.
(2) DB (b) [field {“employee ID”, “HR evaluation”} × record {“n” (n = 1-9)}] is read sequentially.
(3) “Ability index” = DB (a) {“Sales performance”} ÷ DB (b) {“Personnel evaluation”} is calculated using “Employee ID” as a key.
(4) Write “responsible district” and “skilled index” in DB (c) [field {“responsible district”, “skilled index”} × record {“m” (m = 1-9)}].
These calculation procedures F (c) are generated by, for example, SQL for performing operations on the relational database.

  The generation of F (c) is performed by the user C operating the user interface 301 of the client terminal 300, and the generated F (c) is stored in the DB calculation procedure generation module 305. Subsequently, using the operation of the user C as a trigger, the DB usage request module 304 acquires F (c) from the DB calculation procedure generation module 305, and DB (a) and DB (b) together with the F (c). A data acquisition request (use permission request) is transmitted to the key management server 200 via the DB use / registration request output port 303 (S14). Note that a user identifier that identifies the user C is attached to the acquisition request so that it can be identified that the request is from the user C.

  Subsequently, in the key management server 200, the acquisition request is received by the DB use / registration request input port 206. F (c) included in the acquisition request is output from the DB use / registration request input port 206 to the DB operation procedure search module 209 and the DB use execution availability determination module 210. The DB operation procedure search module 209 detects a database accessed by the F (c) based on F (c), and the DB operation procedure search module 209 detects the database with respect to the DB registration database 201 via the DB operation procedure search module 209. A request for acquisition of information related to the use permission condition is made. In the case of the above example, use permission conditions regarding DB (a) and DB (b), that is, acquisition requests for uC (a) and uC (b) are made. Information regarding the use permission condition acquired by the acquisition request is input from the database management module 208 to the DB use execution permission determination module 210.

  Subsequently, whether or not the data related to the acquisition request specified by F (c) can be used by the user C by the DB use execution possibility determination module 210 is referred to uC (a) and uC (b). Determination is made (S15). This determination is made by performing a logical operation. If it is determined that the data cannot be used, the key management server 200 notifies the client terminal 300 that data cannot be acquired (S16).

As shown in FIG. 7A and FIG. 8A, for user C,
(1) Sequential reading of “employee ID”, “responsible district”, “business results” of DB (a) (2) Sequential writing of “responsible district” of DB (a) (3) of DB (a) Multiplication / division of “business results” with other database variables (4) Sequential reading of “employee ID” and “HR evaluation” in DB (b) (5) Other “HR evaluation” in DB (b) Since multiplication and division with the variables of the database are permitted, it is determined that the data related to the acquisition request specified by F (c) can be used by the user C. If any of the above permissions is not granted, it is determined that the license cannot be used.

  When it is determined that the DB use execution possibility determination module 210 can use the database, the encryption key generation module 212 is notified. Subsequently, the encryption key generation module 212 generates a terminal encryption key k (c). The terminal encryption key is an encryption key for encrypting and decrypting DB (c) generated by F (c). Furthermore, an encryption key k1 (c) for re-encrypting DB (c) is generated. The generated encryption key k (c) / k1 (c) is output to the encryption key transmission module 213 and transmitted from the encryption key output port 214 to the client terminal 300 of the user C (S17). The generated encryption key k (c) / k1 (c) is stored in the client terminal encryption key database 205 via the database management module 208.

  The encryption key generation module 212 generates server encryption keys K (a) and K (b) for decrypting enDB (a) and enDB (b). The meaning of generation of the encryption keys K (a) and K (b) here is that the already generated encryption keys K (a) and K (b) are acquired from the DB server encryption key database 204 or the like. (Hereinafter the same). Furthermore, encryption keys K1 (a) and K1 (b) for re-encrypting the decrypted DB (a) and DB (b) are generated. The generated encryption keys k (c), K (a) / K1 (a), and K (b) / K1 (b) are output to the encryption key transmission module 213, and the encryption key output module 213 outputs the encryption key output port 214. (S18). The generated encryption keys K (a) / K1 (a) and K (b) / K1 (b) are stored in the DB server encryption key database 204 via the database management module 208.

  When the encryption key is transmitted to the DB server 100, the DB (c) generated by F (c) is stored in the user C together with F (c) indicating the calculation procedure for acquiring the data related to the acquisition request. A transmission request to be transmitted to the client terminal 300 is also transmitted to the DB server 100. When the transmission is performed, the fact that the acquisition request from the user C, the contents of F (c), K (a) / K1 (a), and K (b) / K1 (b) have been transmitted are DB servers. Stored in the use DB registration / registration history database 202 (S19). In addition, the fact of the acquisition request from the user C, the contents of F (c), and the transmission of k (c) / k1 (c) are stored in the client terminal DB usage history database 203 (S19).

  In the DB server 100, the transmitted encryption keys k (c), K (a) / K1 (a), and K (b) / K1 (b) are received by the encryption key input port 104 and include F (c). A transmission request is received by the DB operation procedure input port 107. Subsequently, the encryption keys K (a) and K (b) are output to the DB decryption module 106. The encryption keys k (c), K1 (a), and K1 (b) are output to the DB encryption module 105. Subsequently, the DB decryption module 106 acquires enDB (a) and enDB (b) from the DB database 101 via the DB / DB thumbnail storage module 103. Subsequently, enDB (a) and enDB (b) are decrypted by K (a) and K (b) by the DB decryption module 106, and DB (a) and DB (b) are stored in the arithmetic memory of the DB server 100. Be expanded.

  Subsequently, F (c) is input from the DB operation procedure input port 107 to the DB operation module 110 via the DB operation procedure storage module 112. The DB arithmetic module 110 performs arithmetic processing according to F (c) on DB (a) and DB (b) on the arithmetic memory of the DB server 100, and DB (c) is generated. The generated DB (c) is output to the DB encryption module 105 and encrypted with the encryption key k (c). The encrypted enDB (c) is transmitted to the client terminal 300 of the user C (S20).

  The decrypted DB (a) and DB (b) are also re-encrypted with the encryption keys K1 (a) and K1 (b) by the DB encryption module 105 and stored in the DB database 101 again. K (a) and K (b) are discarded. The database input / output processing is performed by the DB operation processing control module 108 and the database management module 109 based on the transmission request received by the DB operation procedure input port 107.

  On the other hand, the client terminal 300 receives the encryption key k (c) / k1 (c) transmitted from the key management server 200 through the encryption key input port 306. The received enDB (c) is output to the DB storage module 309. Further, enDB (c) transmitted from the DB server 100 is received by the DB input / output port 310. The encryption key k (c) is output to the DB decryption module 308, and the encryption key k1 (c) is output to the DB encryption module 307. Subsequently, enDB (c) is decrypted by the DB decryption module 308 and can be used in the client terminal 300 as DB (c). In the client terminal 300, when the DB (c) or its modified file is closed after use, the DB encryption module 307 re-encrypts with the encryption key k1 (c) (S21).

  In order to decrypt the re-encrypted DB (c), the key management server 200 is requested for k1 (c). In the key management server 200 that has received the request, the encryption keys k1 (c) and k2 (c) are generated and transmitted to the client terminal 300 (S22) as in the above-described process. In the key management server 200, the fact that the acquisition request from the user C, k1 (c) / k2 (c) has been sent, is stored in the client terminal DB usage history database 203 (S23). The above is the processing from the DB (a) and DB (b) data being acquired from the DB server 100 by the user C's client terminal 300 until a new database is generated.

  A system that performs simple re-encryption by omitting the above-described process of updating the encryption key and storing the encryption key k (c) in a tamper-resistant area and repeatedly using it can be considered. Certainly, even if the encryption key k (c) is hacked, there is little possibility that the damage will spread to the DB (c) and its modified files, and the DB (c) itself is also uC (a) and uC (b ), It is considered that the confidentiality is not so high.

  However, omitting the encryption update process does not increase the risk of encryption key hacking, and the database usage status at the client terminal 300 is not recorded in the history of the key management server 200. There is no difference in closing sex. Also, it should be noted that confidentiality is relative and may not be highly confidential for some access rights but may be high for other access rights.

  Conversely, if the above-described encryption key update process is secured, for example, user C transfers enDB (c) to user D's client terminal 300 and user D uses key management server 200. , And the key management server 200 refers to the “user D access right” based on the request to determine whether k1 (c) is issued. A file exchange system to be sent to the client terminal 300 of D can also be considered.

  However, if the user C wants to use the DB (c) for other users, the DB (c) may be registered in the key management server 200. It is not necessary to use the file exchange system as described above together. If it is used together, the system may be complicated and a security hole may be expanded.

  Subsequently, a process until the DB (c) generated as described above or its modified file is registered in the DB server 100 as a secondary database will be described using the sequence diagram of FIG.

  First, similarly to the above-described process, in the client terminal 300 of the user C, in order to register the DB (c) in the DB server 100, the thumbnail DBth (c) of the DB (c), the use permission condition uC (c), and A registration permission condition rC (c) is generated. FIG. 12A shows the use permission condition uC (c), and FIG. 12B shows the registration permission condition rC (c).

  Subsequently, in the client terminal 300, the DB registration request module 302 adds uC (c) and rC (c) to DBth (c). Subsequently, DBth (c), uC (c), and rC (c) are transmitted to the key management server 200 via the DB use / registration request output port 303 as a registration request to the DB server 100 of DB (c). (S41).

  In the key management server 200, the transmitted registration request is received by the DB use / registration request input port 206. The received registration request is output to the DB registration condition availability determination module 211. In the DB registration condition availability determination module 211, uC (c) and rC (c) use rC (a) of DB (a) and rC (b) of DB (b), which are the acquisition sources of DB (c). Whether or not it is satisfied is determined by referring to rC (a) and rC (b) stored in the DB registration database 201 (S42). This determination is made by performing a logical operation. In addition, DB (c) is generated based on data from DB (a) and DB (b), for example, refer to F (c) used when DB (c) is generated. To be judged. Note that only the attribute data that is used as is from DB (a) or DB (b) ("area in charge" in DB (c)) is subject to the above judgment. The newly generated attribute (“ability index” in DB (c)) is not subject to judgment.

  Since the “responsible district” of the attribute to be determined is acquired from the DB (a), the permission conditions relating to the “responsible district” of uC (c) and rC (c) shown in FIG. The permission conditions relating to the “area in charge” of rC (a) shown in (b) are compared. Regarding the data of “area in charge”, rC (a) does not permit users other than user C to “read”, “aggregate / calculate”, and “write to secondary DB”, and uC (c) and Since none of rC (c) is the data owner, users other than user A are not permitted to “read”, “aggregate / calculate”, and “write to secondary DB”. As a result of the comparison logical operation for each item, it is determined that the condition is satisfied.

  Here, for example, in uC (c) or rC (c), for user B, any one of “read”, “aggregation / calculation”, and “write to secondary DB” for the data related to “area in charge” Since rC (a) is not satisfied, it is determined that the condition is not satisfied as a result of the comparison logical operation. If it is determined in this way, the key management server 200 notifies the client terminal 300 that the DB (c) cannot be registered (S43).

  This determination is based on the fact that the DB (c) acquires data that the user who created the database from other databases wants to make it available only to those who have access rights. Is prevented from being disclosed.

  If it is determined that the condition is satisfied, the following processing is performed in the same manner as when the DB (a) is registered. First, the DB registration module 207 generates and assigns “ID: DB (c)”, which is an ID for identifying a database, to DBth (c). Subsequently, the database registration module 207 sends information related to the ID and the registration request to the DB registration database 201 via the database management module 208 {“ID: DB (c)”, “user C”, “DBth (c ) "," UC (c) "," rC (c) "} are stored (S44).

  Subsequently, the DB registration module 207 instructs the encryption key generation module 212 to create an encryption key. Upon receiving the instruction, the encryption key generation module 212 generates the encryption key K (c) for DB (c). This encryption key is a registration encryption key for encrypting the database when the database is registered in the DB server 100. The encryption key is a common key. The generated encryption key K (c) is stored in the DB server encryption key database 204 and the client terminal encryption key database 205 via the database management module 208.

  The generated encryption key K (c) is output from the encryption key generation module 212 to the encryption key transmission module 213. Subsequently, the encryption key is transmitted from the encryption key transmission module 213 to the client terminal 300 that transmitted the registration request via the encryption key output port 214 (S45). In addition to the transmission of the encryption key, the key management server 200 notifies the client terminal 300 of the ID “ID: DB (c)” of DB (c). When the above processing is performed, the fact that the registration request from user C, K (c) has been sent, is stored in the client terminal DB use history database 203 (S46).

  In the client terminal 300 of the user C, the encryption key K (c) transmitted from the key management server 200 is received by the encryption key input port 306. Subsequently, DB (c) is encrypted with K (c) by the DB encryption module 307. The enDB (c) that is an encrypted database is stored in the DB storage module 309. After that, “ID: DB (c)” and DBth (c) are attached to enDB (c) and transmitted (uploaded) to the DB server 100 (S47).

  In the DB server 100, enDB (c) is received by the DB / DB thumbnail input / output port 111. The received enDB (c) is output to the DB / DB thumbnail storage module 103, and stored in the DB database 101 in association with “ID: DB (c)” by the DB / DB thumbnail storage module 103. The DBth (c) is stored in the DB thumbnail database 102 in association with “ID: DB (c)” by the DB / DB thumbnail storage module 103 (S48). The above is the processing from when a new database is created in the client terminal 300 and registered in the DB server 100.

  When DB (c), which is a secondary database generated from DB (a) and DB (b) by the above processing, is registered and released in DB server 100, DB (a) and DB (b) Since the use permission condition that inherits the set authority is set, it is possible to appropriately restrict access.

  In this embodiment, since the database registered in the DB server 100 is always encrypted except when it is used, only those possessing the encryption key can be referred to, and high security is maintained. be able to. Further, since the encryption key is updated every time it is encrypted, it is not used for decryption even if the encryption key itself is hacked. Further, since the database usage and registration history remains in exchange for the encryption key, post-audit is easy.

  That is, according to the present embodiment, (1) a database once downloaded to the client terminal 300 and its modified file (overwrite, save with different names, saved with different identifiers, etc.) are put in memory and taken out Even if it is transferred over the Internet or output to a printer, it is encrypted and cannot be decrypted. (2) Even if it is an encrypted database, it is possible to obtain a desired secondary database by mutually performing arithmetic processing while keeping the contents secret. (3) Even if you try to open the database with a hacked encryption key, or save the encryption key once and try to open the database at another time, the database will always be reopened with the updated encryption key. It cannot be opened because it is encrypted.

  Further, as in the present embodiment, if the DB server 100 includes a DB thumbnail database 102 that stores thumbnails including information indicating attributes of the database stored in the DB database 101, the DB server 100 stores the thumbnails. Even though the database being encrypted is encrypted, the user of the client terminal 300 can know what database is stored in the database storage means as described above.

  In the present embodiment, the DB server 100 and the key management server 200 are configured separately, but they may be configured integrally. According to this configuration, the data management system 1 according to the present invention can be realized with a simpler configuration.

It is a figure which shows the structure of the data management system which concerns on embodiment of this invention. It is a figure which shows the structure of DB server which concerns on embodiment of this invention. It is a figure which shows the structure of the key management server which concerns on embodiment of this invention. It is a figure which shows the structure of the client terminal which concerns on embodiment of this invention. It is a sequence diagram which shows the process in the data management system which concerns on embodiment of this invention. It is a figure which shows the table of the database which concerns on embodiment. It is a figure which shows the use permission conditions and registration permission conditions of a database. It is a figure which shows the use permission conditions and registration permission conditions of a database. It is a sequence diagram which shows another process in the data management system which concerns on embodiment of this invention. It is a figure which shows the table of the database produced | generated from the some database. It is a sequence diagram which shows another process in the data management system which concerns on embodiment of this invention. It is a figure which shows the use permission conditions and registration permission conditions of a database.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Data management system, 100 ... DB server, 101 ... DB database, 102 ... DB thumbnail database, 103 ... DB / DB thumbnail storage module, 104 ... Encryption key input port, 105 ... DB encryption module, 106 ... DB decryption Module: 107 ... DB operation procedure input port, 108 ... DB operation processing control module, 109 ... Database management module, 110 ... Operation module, 111 ... DB / DB thumbnail input / output port, 112 ... DB operation procedure storage module, 200 ... Key management server, 201 ... DB registration database, 202 ... DB server DB use / registration history database, 203 ... Client terminal use history database, 204 ... DB server encryption key database, 205 ... Client Encryption key database for terminal, 206 ... DB use / registration request input port, 207 ... DB registration module, 208 ... Database management module, 209 ... DB operation procedure search module, 210 ... DB use execution availability determination module, 211 ... Registration condition availability Judgment module, 212 ... Encryption key generation module, 213 ... Encryption key transmission module, 214 ... Encryption key output port, 300 ... Client terminal, 301 ... User interface, 302 ... DB registration request module, 303 ... DB use / registration request output Port 304: DB usage request module 305 DB operation procedure generation module 306 Encryption key input port 307 DB encryption module 308 DB decryption module 309 DB storage module 310 Input / output port ... network.

Claims (3)

A data management system including a database server and a key management server connected to each other via a network,
The database server is
Database storage means for storing an encrypted database;
Decryption means for decrypting the database stored in the database storage means with a server encryption key transmitted from the key management server;
Based on information indicating a calculation procedure transmitted from the key management server, calculation means for performing calculation on the database decrypted by the decryption means;
Data obtained as a result of the calculation by the calculation means is encrypted and output by the terminal encryption key transmitted from the key management server, and is decrypted by the decryption means by the server encryption key transmitted from the key management server. An encryption means for re-encrypting the database,
The key management server
Condition storage means for storing information indicating the use permission condition and registration permission condition of the database stored in the database server for each attribute of the user and the database;
An acquisition request receiving means for receiving an acquisition request for data stored in a database stored in the database server and information identifying a user related to the acquisition request transmitted from a terminal;
Availability judgment means for judging whether or not the data related to the acquisition request received by the reception means can be used by the user by referring to the use permission condition stored in the condition storage means;
When it is determined that the data related to the acquisition request can be used by the user by the availability determination unit, the server encryption key for decrypting and encrypting the database in which the data is stored, and the acquired data A use encryption key generation means for generating a terminal encryption key to be encrypted;
Data indicating the calculation request for acquiring the data related to the acquisition request, and the data related to the acquisition request from the terminal together with the server encryption key and the terminal encryption key generated by the encryption key generation unit Transmission request means for transmitting the transmission request to the database server;
From the terminal, a registration request for registering the data acquired in response to transmission by the transmission request unit as a database to the database server is set as a usage permission condition and a registration permission condition for each user and attribute of the database. Registration request receiving means for receiving together with the indicated information;
Whether or not the use permission condition and the registration permission condition of the data related to the registration request received by the registration request receiving means satisfy the registration permission condition of the database from which the data is acquired. Registration permission determination means for determining by referring to the registration permission condition stored in
If the registration permission determination unit determines that the use permission condition and the registration permission condition of the data related to the registration request satisfy the registration permission condition of the database from which the data is obtained, the data is A data management system comprising: a registration encryption key generation unit that generates a registration encryption key to be encrypted for registration in a database server and transmits the registration encryption key to the terminal.   The data management system according to claim 1, wherein the database server and the key management server are integrally configured.   The data management system according to claim 1 or 2, wherein the database server further comprises attribute information storage means for storing information indicating attributes of the database stored in the database storage means.

Images