JP2008243064A - Information transmission terminal device and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To suppress information leakage while maintaining convenience at computer-to-computer communication, and furthermore to restrict the scattering of electronic files. <P>SOLUTION: The information transmission terminal device generates an electronic file by dividing the file into message data and format data. The information transmission terminal device accepts an input of policy information deciding a reception policy of a receiver of the electronic file, and transmits the format data and the policy information to a prescribed information reception terminal device. The reception terminal device holds the policy information and the format data, and requests message data including a part or all of the information and the format data when the receiver browses the file. The information transmission terminal determines whether the request is proper or not comparing it with the policy information, and when the policy information is proper from the determination result the transmission of the message data to the information reception terminal device is performed, and prescribed data including the message data can be browsed by a viewer. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to information security technology, and more particularly to information processing technology for suppressing information leakage due to communication, unauthorized duplication of information, and the like.

Information communication technology is very useful for transmitting and sharing information, and is convenient, but it is in contradiction with the problem of information leakage.
As an example of convenience, for example, when transmitting predetermined information via a computer network, the predetermined information is processed into an electronic file and transmitted. A person who receives the electronic file may receive the electronic file.
However, for example, if the prevention level of information leakage is improved, troublesome settings are required for the information sender, or information must be received under various function restrictions at the information receiving terminal.

In general, the recipient of the electronic file is not under the sender's control over the management of the electronic file. For this reason, the electronic file is illegally copied regardless of whether or not the recipient intends, and the copied file may be leaked.
As a technique for suppressing such information leakage, there is a technique described in Patent Document 1.

JP 2007-26385 A

  In this patent document, storage means for storing electronic data in a server, confidential flag storage means for storing electronic data in association with a confidential flag, and reading electronic data from the storage means only when a terminal ID is received from a terminal When the electronic data is read out, the confidentiality determining means for determining whether the electronic data is confidential information based on the confidential flag storage means, and the terminal ID of the terminal from which the electronic data is read out when the electronic data is determined as confidential information The terminal ID storage means for storing the electronic data ID in association with each other, the processing information receiving means for receiving the processing for the electronic data that is confidential information from the terminal, and the processing for the electronic data received by the processing information receiving means in the terminal ID storage means A technology of an information leakage prevention system configured to include a history update unit to reflect is disclosed.

Convenience of browsing and suppression of information leakage are in a trade-off relationship.
The technology described in Patent Document 1 describes an information leakage prevention system that achieves both security and convenience. This is an invention realized on the condition that a wirelessly readable IC tag is provided. Yes, it is hard to say that the technology is applied to communication in a normal computer-to-computer network.
Therefore, the problem to be solved by the present invention is to provide a technique capable of suppressing information leakage while ensuring convenience in inter-computer communication and further restricting the spread of electronic files.

An object of the invention described in claims 1 to 6 is to provide an information transmission terminal device capable of suppressing information leakage while ensuring convenience in inter-computer communication and further restricting the scattering of electronic files. That is.
An object of the invention described in claims 7 to 12 is to provide a computer program capable of suppressing information leakage while ensuring convenience in computer-to-computer communication and further restricting the scattering of electronic files. is there.

(Claim 1)
The invention according to claim 1 is an electronic file dividing means for dividing and creating an electronic file to be transmitted into message data that is a content part in the electronic file and format data that is a part other than the content; Policy information setting means for accepting input of policy information for defining a reception policy for a recipient of the electronic file, format / policy transmission means for sending the format data and the policy information to a predetermined information receiving terminal device, and the format Message request receiving means for receiving a request for message data including part or all of the policy information from the information receiving terminal device that has received the data and the policy information, and whether the policy information received by the message request receiving means is valid To judge When the policy determination means and the policy determination means are valid, the message data transmission means for transmitting message data to the information receiving terminal device, and the received message data can be displayed by the viewer. The present invention relates to an information transmission terminal device comprising viewer display data disclosure means for enabling browsing of predetermined data including the message data.

(Glossary)
The “terminal device” is a terminal device related to a user including not only a personal computer but also a workstation, a PDA, a mobile phone, and the like.
“Message data” refers to main data that is an actual part of an electronic file.
“Format data” refers to a “header” in an electronic file. Here, the “header” includes an electronic file name, file information, such as a file type (text, image, document, etc.), a file size, and the like.

“Policy information” refers to the authority of the recipient with respect to the electronic file received by the information receiving terminal device. The authority includes “electronic file readable”, “electronic file rewritable”, “electronic file readable / writable”, “electronic file storable”, “electronic file readable / writable”. The setting of policy information can be changed as appropriate by the operation of the sender.
“Message related data” refers to data comprising format data and policy information or a message list.

(Function)
When an electronic file to be transmitted to an information receiving terminal device that is a terminal device related to a recipient is created in an information transmitting terminal device that is a terminal device related to the information sender, the electronic file dividing means sends the electronic file to the message Divide into data and format data.
When the policy information corresponding to the recipient is set in the information transmitting terminal device, the policy information setting means creates the policy information (S104).
Also, when the information transmission terminal device issues a policy information transmission instruction, the format / policy transmission means transmits the policy information and the format data to the information reception terminal device.
When receiving the policy information and the format data, the information receiving terminal device stores the policy information and the format data in the message list.
When the receiver instructs browsing from the message list by the information receiving terminal device, the information receiving terminal device requests message data including part or all of it.
When the information transmission terminal apparatus receives the request for the policy information and the message data, the policy determination unit determines whether the request is valid.
When this policy information is valid, the message data is transmitted to the information receiving terminal device, and the message display means can display the message data by the viewer in the information receiving terminal device. It is possible to browse predetermined data including data.

That is, the information transmitting terminal device indicates to the receiver that the information receiving terminal device can browse without transmitting the actual message data. Furthermore, by restricting data retention at the time of browsing, it is possible to prevent electronic files from being scattered which can cause information leakage between computers.
In addition, since authority such as viewing, writing, and saving of electronic files is set according to the policy information, the sender can provide information according to the receiver. Even in the information receiving terminal device, browsing, writing, saving, and the like can be realized as normal processing only by using the same software as the information transmitting terminal device. Therefore, the convenience such as the ease with which the sender sends information to the receiver and the ease with which the receiver receives information from the sender is ensured.

(Claim 2)
The invention according to claim 2 limits the information transmitting terminal device according to claim 1.
In other words, when message data displayed on the viewer by the information receiving terminal device is deleted from the storage means in the information receiving terminal device, it is provided with an erasure notification receiving means for receiving the erasure. .
In the information receiving terminal device, the trigger information for deleting the message data from the storage means is acquired by, for example, the end of a scroll bar prepared on the message browsing screen or a button for confirming that reading has been completed.

(Function)
When the browsing of the message data is started by the viewer, the information transmitting terminal device is notified of this, and the browsing of the message data is managed in the information receiving terminal device. When the browsing of the message data by the recipient is completed, the message data stored in the storage means in the information receiving terminal device is deleted. When erasure is performed from the storage means, the information transmission terminal device is notified of this, and the information transmission terminal device receives the erasure notification.
In the information receiving terminal device, the message is deleted, so that the possibility of copying is reduced. In addition, since the information transmission terminal device can acquire the data for confirming that it has been deleted by receiving the deletion notification, it can manage the disclosure status of the data with certainty, thereby preventing the scattered electronic files. Can do.

(Claim 3)
The invention according to claim 3 limits the information transmission terminal device according to claim 1 or claim 2.
That is, when the information receiving terminal device that has received the format data and the policy information creates and saves a list of message data to be received from the format data and the policy information, the information receiving terminal device receives the fact that the data has been saved. A list storage / reception unit is provided.

(Function)
When receiving the policy information and the format data (S107), the information receiving terminal device stores the policy information and the format data in the message list (S108). Then, the information transmission terminal apparatus is notified that the message list has been saved. The information transmitting terminal device receives a message list storage notification (S109).

(Claim 4)
The invention according to claim 4 limits the information transmission terminal device according to claim 2 or claim 3.
That is, when the viewer display data disclosure means determines whether the information receiving terminal device is browsing message data, and when the message data is being browsed by the browsing determination means And an erasure request transmitting means for requesting forced termination of browsing, wherein the erasure notification receiving means erases the message data from the storage means in the information receiving terminal device that has received the forced termination from the quit request transmitting means. The fact is received.

(Function)
The information transmitting terminal device checks whether or not the information receiving terminal device is browsing the message data. If the information receiving terminal device is browsing, the information transmitting terminal device requests the information receiving terminal device to forcibly terminate the message data. When the information receiving terminal device receives the forced termination request, the browsing is forcibly terminated and the message data is deleted from the storage means. When the message data is deleted from the storage means of the information receiving terminal device, this is received by the information transmitting terminal device.
With the above functions, even when the time when it is inappropriate to browse or when there is a need to update the information for browsing, even if the information is being browsed, It becomes possible. In other words, the information subject that is the sender can control all the disclosure of information.

(Claim 5)
The invention according to claim 5 limits the information transmission terminal device according to claim 4.
That is, when the message data is not browsed as a result of the judgment by the browsing judgment means, the message related data related to the message data is deleted from the information receiving terminal device that can browse the message data. Related data deletion requesting means for requesting that the deletion notification receiving means indicate that the message related data has been deleted from the storage means in the information receiving terminal device that has received the deletion request from the related data deletion requesting means. It is characterized by receiving.

(Function)
Whether the information receiving terminal device is browsing the message data or not is confirmed by the information transmitting terminal device. If the information receiving terminal device is not browsing, the information receiving terminal device is requested to delete the message related data. The message related data is data including format data and policy information or a message list. When receiving the message related data deletion request, the information receiving terminal device deletes the message list and notifies the information transmitting terminal device of the deletion.
With the functions as described above, it is possible to appropriately respond to the information receiving terminal device when it becomes inappropriate to use it for browsing or when it becomes necessary to update the information used for browsing. .

(Claim 6)
The invention according to claim 6 limits the information transmission terminal device according to any one of claims 1 to 5.
That is, the policy information is formed from reading, writing, saving, and file display.

(Function)
In the information receiving terminal device, the handling of the electronic file is controlled by the policy information.
Mainly, the recipient is permitted to read only, the recipient is permitted to read / write, and the recipient is permitted to read / write / save.
It is also possible to add recipients who are only allowed to display electronic files.
In this way, the electronic file can be managed in the information transmission terminal device according to the title and attributes of the recipient.

(Claim 7)
According to the seventh aspect of the present invention, there is provided a computer program for a transmitting side that transmits an electronic file to perform information management of the electronic file.
The program divides an electronic file to be transmitted into message data that is a content part in the electronic file and format data that is a part other than the content, and an electronic file division procedure that creates the electronic file. Policy information setting procedure for accepting input of policy information that defines a reception policy for the recipient,
A format / policy transmission procedure for transmitting the format data and the policy information to a predetermined information receiving terminal device, and a part or all of the policy information from the information receiving terminal device that has received the format data and the policy information. A message request reception procedure for receiving a request for message data, a policy determination procedure for determining whether the policy information received by the message request reception procedure is valid, and receiving the information when the policy determination procedure is valid Message data transmission procedure for transmitting message data to the terminal device, and viewer display data disclosure procedure for allowing predetermined data including the message data to be browsed so that the received message data can be displayed by the viewer And on the computer A computer program and thereby row.

(Claim 8)
The invention according to claim 8 limits the computer program according to claim 7.
That is, when the message data displayed on the viewer by the information receiving terminal device is erased from the storage means in the information receiving terminal device, the information receiving terminal device has a deletion notification receiving procedure for receiving the deletion. .

(Claim 9)
The invention according to claim 9 limits the computer program according to claim 7 or claim 8.
That is, when the information receiving terminal device that has received the format data and the policy information creates and saves a list of message data to be received from the format data and the policy information, the information receiving terminal device receives the fact that the data has been saved. A list storage reception procedure is provided.

(Claim 10)
The invention according to claim 10 limits the computer program according to claim 8 or claim 9.
That is, when the viewer data is browsed by the browsing judgment procedure for judging whether or not the information receiving terminal device is browsing the message data by the viewer display data disclosure procedure, and the browsing judgment procedure The erasure request receiving procedure for requesting forcible termination of browsing, wherein the erasure notification receiving procedure is such that the message data is erased from the storage means in the information receiving terminal device that has received the forced termination from the termination request transmission procedure. The fact is to be received.

(Claim 11)
The invention according to claim 11 limits the computer program according to claim 10.
That is, when the message data is not browsed as a result of the judgment by the browsing judgment procedure, the message-related data related to the message data is deleted from the information receiving terminal device that can browse the message data. A deletion request receiving procedure for requesting to delete the message, and the deletion notification receiving procedure indicates that the message related data has been deleted from the storage means in the information receiving terminal device that has received the deletion request from the related data deletion request procedure. To receive.

(Claim 12)
The invention described in claim 12 limits the computer program described in claims 7-11.
That is, the policy information is formed from reading, writing, saving, and file display.

The computer program according to claims 7 to 12 can be provided by being stored in a recording medium. Here, the “recording medium” is a medium that can carry a program that cannot occupy space by itself. For example, a flexible disk, hard disk, CD-R, CD-RW, MO (magneto-optical disk), DVD ± R, DVD-RW, flash memory, and the like. It is also possible to transmit from a computer storing the program according to the present invention to another terminal device through a communication line.
For example, a computer in which the computer program according to claim 7 is installed constitutes the information transmission terminal device according to claim 1.

According to the first to sixth aspects of the present invention, there is provided an information transmission terminal device capable of suppressing information leakage while ensuring convenience in computer-to-computer communication and further restricting the scattering of electronic files. I was able to.
According to the invention described in claims 7 to 12, it is possible to provide a computer program capable of suppressing information leakage while ensuring convenience in computer-to-computer communication and further restricting the scattering of electronic files. did it.

Hereinafter, the present invention will be described in more detail based on embodiments and drawings. The drawings used here are FIGS. 1 to 16. FIG. 1 is a conceptual diagram schematically showing the flow of data between a transmission side terminal and a reception side terminal, and FIGS. 2 and 3 are block diagrams showing the hardware configuration of each terminal device. 4 is a conceptual diagram showing the data structure of the format data, FIG. 5 is a graphical user interface in the P2P software activated on the transmission side terminal, and FIG. 6 shows each function that the P2P software can provide. FIG. 7 is a flowchart showing the flow of data in the transmission side terminal and the reception side terminal.
FIGS. 8 to 16 are diagrams showing processing for transmitting real data and dummy data so that real data cannot be specified from the outside.

(overall structure)
FIG. 1 shows a transmission side terminal (information transmission terminal device) 10 that transmits an electronic file, and a reception side that is controlled by setting policy information such as browsing, writing, and rewriting text data of the electronic file to the recipient. FIG. 2 is a diagram showing a form of data transmission / reception with a terminal (information receiving terminal device) 20. P2P (peer-to-peer) software is used for transmission / reception of electronic files in this embodiment, and the purpose of this software is to prevent information leakage of electronic files and to ensure convenience.

That is, the text data input by the sender is stored in a memory as an electronic file, and is divided into message data that is a content portion in the electronic file and format data that is a portion other than the content, and the format data and policy information Is transmitted to the receiving terminal 20, and the text data body is not transmitted.
First, each terminal device will be described.

(Configuration of terminal device)
FIG. 2 is a block diagram illustrating a hardware configuration of the transmission side terminal 10.
The transmission side terminal 10 is a CPU 11 that controls the whole transmission side terminal 10 and performs various arithmetic processes, a RAM 12 that temporarily expands and stores various data when writing various data, an operating system, application software, various data, and the like Storing unit 13, an input unit 14 such as a mouse or keyboard, a display unit 15 such as a display, a communication unit 16 connectable to an electric communication line such as the Internet or an intranet, and an output capable of outputting various data to a printer or the like And an input / output port 18 which is an input / output unit for various data.

  Further, the receiving terminal 20 has the same basic configuration as the transmitting terminal 10 described above. That is, as shown in FIG. 3, a CPU 21, a RAM 22, a storage unit 23, an input unit 24, a display unit 25, a communication unit 26, an output unit 27, and an input / output port 28 are configured. Computer programs are installed in the storage units of the transmission side terminal 10, the reception side terminal 20, and the non-reception side terminal 30.

(Format data)
FIG. 4 is a diagram illustrating a data structure of format data transmitted from the transmission side terminal 10 to the reception side terminal 20.
“Format data” is a header in an electronic file. The header includes version information, packet type (document), packet type (element), binary information capacity, and binary information. By transmitting this format data header and policy information to the receiving side terminal 20, it is monitored whether or not the receiver is taking the action defined in the policy information.

(GUI)
FIG. 5 is a graphical user interface (hereinafter referred to as GUI) in the P2P software activated on the transmission side terminal 10.
“A” is a tree view showing the group information in a hierarchical structure, “B” is a detailed list view displaying details of the attached file published by the sender, and “C” is the published attached file. Is an icon list view that displays the icon, and “D” is a message box that displays the published message. “E” is a viewer that displays a file selected from the icon list view.
The sender performs a desired operation while viewing the GUI displayed on the transmission side terminal 10. The operation content of the P2P software is shown in FIG.

As shown in FIG. 6, tree view functions include “group creation / deletion” for adding / deleting groups,
"User creation / deletion" to add / delete users (only the parent user who created the group)
"Group" to display parent users, child users, shared files stored in groups,
"Parent user" to display the transmission and reception stored in the parent user,
"Child user" to display the transmission and reception stored in the child user,
"Shared file" to display the transmission and reception stored in the shared file,
"Send" to display information of transmission candidates (parent user, child user, shared file, common),
"Receive" to display received information (parent user, child user, shared file, common),
An operation called “Send Wizard”, which takes you to the Send Wizard screen in a new window, is possible.

List view functions include “Subject input” to enter the subject,
"Subject display" to display the subject of the transmission candidate or received information,
Sort subject by using the heading as a key "Sort subject"
"Select subject" to display information for the selected subject,
"Attachment file input" to attach files on the HDD,
"Attached file icon display" to display the attached file as an icon,
"Attachment policy display" to display the policy of the selected attachment,
"Attachment policy setting" to set attachment policy,
"Attached file viewer" that transitions to the viewer screen in a new window,
The operation of “save attached file” to save the attached file is possible.

In addition, text box (message box) functions include “message input” for entering text in the text box,
"Message display" to display text in the text box,
"Message cut" to delete any part of the text in the text box and import it to the clipboard,
"Message copy" to import any part of text box text to the clipboard,
An operation called “Paste Message” can be used to paste a sentence on the clipboard at an arbitrary position of a sentence in the text box.

In addition, as a function of batch processing, “tree view regular update” that periodically updates the tree view status against the XML file,
"List view regular update", which periodically updates the list view status against the XML file,
“Text box regular update”, which periodically updates the text box status against the XML file,
A process called “policy violation operation monitoring” is performed to monitor an operation that violates the policy and invalidate the operation when the operation is violated.

(Program overview)
FIG. 7 is a flowchart showing each process when the P2P software is activated between the transmission-side terminal 10 related to the sender of the electronic file and the reception-side terminal 20 related to the receiver and data is actually transmitted and received. is there.
First, an electronic file that the sender of the electronic file transmits to the recipient is created (S501). The electronic file is divided into message data and format data (S502). Message data is an entity when an electronic file is created, that is, text data. The format data is a header of the electronic file.
When the sender sets the policy information corresponding to the receiver (S503), the policy information is created (S504). The policy information is various authorities for the electronic file and includes reading, writing, saving, and the like.

When a transmission instruction is issued by the sender (S505), the policy information and the format data are transmitted to the receiving terminal 20 (S506).
When receiving the policy information and the format data (S507), the receiving side terminal 20 stores the policy information and the format data in the message list (S508). Then, the transmission side terminal 10 is notified that the message list has been saved. The transmission side terminal 10 receives the message list storage notification (S509).

When the receiver browses the message list (S510) and performs a browsing instruction operation (S511), the receiving terminal 20 transmits a request for message data including policy information to the transmitting terminal 10 (S512). .
When receiving the policy information and the message data request (S513), the transmitting terminal 10 determines whether or not the received policy information is valid (S514 / S515).
If this policy information is valid, message data is transmitted to the receiving terminal 20 (S516). When receiving the message data (S517), the receiving side terminal 20 expands the message data on the memory in the receiving side terminal 20 (S518), and displays it on the viewer used for browsing the message data (S519).

  When message data can be browsed by the viewer, the fact is notified to the transmitting side terminal 10, and the message data is browsed by the recipient (S520). When the browsing of the message data is completed (S521), the message data stored in the memory in the receiving terminal 20 is deleted (S522), and when the memory is deleted, this is notified to the transmitting terminal 10 (S523).

Subsequently, the transmission side terminal 10 issues a message data deletion instruction (S524). First, it is confirmed whether or not the receiving terminal 20 is browsing the message data (S525). If the receiving terminal 20 is browsing, the receiving terminal 20 is requested to forcibly terminate the message data (S526). . Upon receiving the forced termination request, the receiving terminal 20 forcibly terminates browsing (S527), and the message data is deleted from the memory (S528). When the message data is erased from the memory of the receiving side terminal 20, this is notified to the transmitting side terminal 10.
On the other hand, when the receiving terminal 20 confirms whether or not the message data is being browsed (S525), if it is not being browsed, a deletion request is made to delete the message list (S529). When receiving the deletion request, the receiving side terminal 20 deletes the message list (S530), and notifies the transmitting side terminal 10 of the deletion.

That is, the transmission side terminal 10 enables browsing by the reception side terminal 20 without transmitting the actual message data. Therefore, information leakage between computers can be prevented.
In addition, since authority such as viewing, writing, and saving of electronic files is set according to the policy information, the sender can provide information according to the receiver. For the receiver side, browsing, writing, saving, and the like can be realized as normal processing only by using the same software, so that the convenience that is concerned is also ensured.

(Information security system)
As shown in FIG. 8, the information security system according to the present invention is a system configured to transmit and receive a predetermined file between a plurality of terminal devices 10, 20, and 30, and the confidentiality and anonymity of the file are improved. The purpose is to secure.
In this information security system, in order to send and receive files, a “group” in which a plurality of terminal devices can participate is created, and terminal devices not registered in this “group” are included in the network of the information security system. Cannot participate. The file is transmitted and received in the created intra-group network. At this time, it is possible to ensure the anonymity of the sender user and the confidentiality of the file transmitted by the sender user.

In addition, as a plurality of terminal devices in the present embodiment, a terminal device that transmits the above-mentioned file is a “transmitting terminal”, a terminal device that is designated as a receiver of the file is a “receiving terminal”, and a file receiver A terminal device that is not designated as “non-receiving terminal” is defined. The “transmission side terminal” and the “reception side terminal” are as described in FIG. 2 and FIG.
The basic configuration of the non-reception side terminal 30 is the same as that of the “transmission side terminal” and the “reception side terminal”. That is, as shown in FIG. 9, a CPU 31, a RAM 32, a storage unit 33, an input unit 34, a display unit 35, a communication unit 36, an output unit 37, and an input / output port 38 are configured. Computer programs (P2P software) are installed in the storage units of the transmission side terminal 10, the reception side terminal 20, and the non-reception side terminal 30. The features and functions of this system will be described in detail below.

(Program overview)
FIG. 11 is a flowchart showing a form of data transmission / reception in the transmission side terminal 10, the reception side terminal 20, the non-reception side terminal 30, and the non-reception side terminal 40.
The non-receiving side terminal 40 is a terminal device having the same configuration as the non-receiving side terminal 30.
First, in order to share a group public key created at the time of creating a group in advance, the transmission-side terminal 10 performs a group public key sharing transmission process (S101). This is a unicast process for a group created in advance, and all of the terminal devices specified in the group receive it.

  In addition, the transmission side terminal 10 performs the transmission process of the personal public key sharing (S102). This is the transmission side terminal 10 periodically transmitting to all the terminal devices of the reception side terminal 20, the non-reception side terminal 30, and the non-reception side terminal 40. That is, the personal public key data is transmitted to the intra-group network by broadcasting. This personal public key data is formed with the same data structure as the real data that the transmitting terminal 10 wishes to transmit to the receiving terminal 20. That is, it also functions as dummy data. The transmission interval of the personal public key data can be freely set in advance. Although shortening the transmission interval is preferable in terms of security, it is desirable to set it to a level that does not cause congestion on the intra-group network.

The transmission side terminal 10 creates data for transmission to be transmitted to the reception side terminal 20 (S103).
The transmission data created here is double-encrypted (S104) (S105). Details of the encryption α and encryption β will be described later.
The transmission data encrypted by the encryption α and the encryption β is transmitted by randomly determining any one of the reception side terminal 20, the non-reception side terminal 30 and the non-reception side terminal 40 in the group (S106). .

In this embodiment, that is, in the example of FIG. 11, it is assumed that the non-reception side terminal 30, the reception side terminal 20, and the non-reception side terminal 40 are transmitted in this order.
First, the non-reception side terminal 30 receives the transmission data transmitted from the transmission side terminal 10 (S107), and decrypts the received transmission data (S108) (S109). Details of the decoding β and the decoding α will be described later.
The non-reception side terminal 30 determines whether or not the real data in the transmission data can be acquired as a result of decoding the received transmission data (S110). Here, it suffices if the data can be acquired. However, since the non-reception side terminal 30 is not the receiving party designated by the transmission side terminal 10, it cannot be decrypted. For this reason, data cannot be acquired. When it is determined that the data acquisition is impossible due to the failure in decryption, the non-reception-side terminal 30 transmits the data for transmission received from the transmission-side terminal 10 to other data such as the reception-side terminal 20 and the non-reception-side terminal 40 A terminal is randomly determined and transmitted (S111).

Next, it is assumed that the terminal determined at random is the receiving terminal 20.
The reception side terminal 20 receives the transmission data transmitted from the non-reception side terminal 30 via the transmission side terminal 10 (S112), and decrypts the received transmission data (S113) (S114). As a result of decoding the transmission data received here, it is determined whether or not the real data in the transmission data can be acquired (S115).
Since the receiving side terminal 20 is a real receiving party designated by the transmitting side terminal 10, the receiving side terminal 20 acquires real data in order to succeed in decoding (S116). In the unlikely event that acquisition fails, the transmission data is discarded.

When the real data is acquired, the reception side terminal 20 transmits the reception data indicating that the real data acquisition is successful to the transmission side terminal 10 (S117).
The transmission side terminal 10 receives the reception data transmitted from the reception side terminal 20 (S118), and confirms that acquisition of real data has succeeded (S119). Then, transmission / reception is completed (S120).

  Note that the receiving terminal 20 continues processing thereafter. That is, after transmitting the reception data to the transmission side terminal 10, the transmission data is double-encrypted (S121) (S122), and the transmission destination is randomly determined and transmitted from other terminals in the group ( S123). Here, assuming that the data is transmitted to the non-reception side terminal 40, the transmission data transmitted from the reception side terminal 20 is received (S124), and the received transmission data is decrypted (S125) (S126). . As a result of decoding the transmission data received here, it is determined whether or not the real data in the transmission data can be acquired (S127). Of course, since it is the non-reception side terminal 40, real data cannot be obtained, so the transmission destination of the received transmission data is determined at random from other terminals and transmitted (S128).

  That is, the sender is concealed in a state where the personal public key data is broadcast on the intra-group network. Then, even after the transmission data randomly transmitted from the transmission side terminal 10 reaches the original receiver and the real data is acquired, each terminal device continues to perform the random transmission process. For this reason, it is very difficult to determine from the outside when the data is transmitted from which terminal. Therefore, it contributes to the construction of an extremely advanced security system.

(Loop avoidance)
In the above-described processing, the transmission data transmission processing becomes an infinite loop, which may cause congestion on the network. For this, the number of times of random transmission may be set.
For example, after the receiving terminal 20 acquires real data, random transmission is continued up to 10 times. Random transmission may be continued up to 100 times, or a predetermined range may be set such as 10 to 50 times.

(Grouping process)
Next, details of each process will be described.
As shown in FIG. 12, the grouping process is formed by a group parent and a group child (plurality). The group parent creates a group (S201). This group creates a group to which only the parent himself belongs (S202).
Here, a user list is created (S203). For example, if there are 10 people in the same department in the company, the user list may be a group of 10 people (one of whom is a parent).

Subsequently, the group child (2) creates the public key [2] and the secret key <2> (S204), and transmits the personal public key [2] to the group parent (S205).
The group parent obtains the personal public key [2] transmitted from the group child (2) (S206). Further, it is selected whether to add a group child (S207).
Here, when the addition of the group child is selected, the user is added to the list (S208). On the other hand, if add is not selected, the data is discarded.

  The group parent periodically repeats the above processing (S205 to 208) and shares the group key (S209). That is, it is checked whether security is maintained with the group child added to the list. If there is no response from the group child for a predetermined time, it is deleted from the user list (S210).

(Group key sharing process)
The group key sharing process is a process for creating a shared key to be used for a group. As shown in FIG. 13, after obtaining the personal public key [2] transmitted from the group child (2), the group parent creates a group public key G and a private key <G> for the group (S301). Then, the secret key <G> is added to the transmission data G (S302). Then, after creating the shared key (g) (S303), the transmission data is encrypted with the shared key (g) (S304). Subsequently, the shared key (g) is encrypted (encrypted γ) with the personal public key [2] (S305), and these data are concatenated (S306). Then, the encrypted concatenated data is transmitted to the group child (1) and the group child (2) (S307).

When the group child (1) receives the concatenated data (S308), decoding is attempted. However, since the personal public key [2] necessary for decryption of the encryption α is not owned, it cannot be decrypted (S309), and the data is discarded (S310).
On the other hand, when the group child (2) receives the concatenated data (S311), it tries decoding (decoding γ). Since the group child (2) possesses the personal public key [2], it can be decrypted. That is, after the concatenated data is divided (S312), the presence / absence of the personal public key [2] is determined (S313). If there is the personal public key [2], this is decrypted with the secret key <2> and then the common key ( g) is extracted (S314). Subsequently, decryption is performed with the common key (g), and data for transmission is extracted (S315). Further, the group public key G and the secret key <G> are disassembled (S316), and the group public key G and the secret key <G> are stored (S317).

(Encryption processing)
The encryption process is a two-stage process of encryption α and encryption β. First, as described above, the group parent creates a group public key G and a secret key <G> for the group (S401), and transmits the created group public key G to the group child (1) that is the sender. (S402).
The group child (1) obtains the group public key G (S403). Also, the group child (2) who is the data receiver for transmission creates the public key [2] and the secret key <2> (S404), and transmits the created public key [2] to the group child (1). (S405). The group child (1) obtains the public key [2] (S406).

Next, transmission data is prepared (S407). Here, a hash function is used for data verification for real data. Further, random numbers are used for the dummy data.
When the transmission data is ready, as a process of encryption α, the group child (1) as the sender creates a common key (1) (S408) and uses the common key (1) to transmit the transmission data. Is encrypted (S409). Subsequently, the created common key (1) is encrypted with the personal public key [2] obtained from the group child (2) designated as the recipient (S410). These encrypted data are concatenated to form concatenated data (S411). The data structure of the concatenated data includes a personal public key [2], an encrypted common key (1 ′), and encrypted transmission data.

  Further, the encryption β processing is as follows. First, a common key (g) is created (S412), and the concatenated data is encrypted using the created common key (g) (S413). Subsequently, the common key (g) is encrypted with the group public key G (S414). These encrypted data are concatenated to form concatenated data (S415). The data structure of the concatenated data includes a group public key G, an encrypted common key (g ′) and encrypted transmission data.

  Next, the group child (1) as the sender randomly transmits the encrypted concatenated data to the users in the group (S416). Here, when a group parent not designated as a recipient has received, after receiving the concatenated data (S417), since the group public key G is owned, decryption β is possible (S418), Since the personal public key [2] is not owned, decryption α is impossible (S419), and the concatenated data is discarded (S420).

(Decryption process)
On the other hand, as shown in FIG. 14, since the group child (2) is a valid recipient, it can be decrypted. In this decoding process, when the concatenated data transmitted from the group child (1) is received (S501), the concatenated data is divided (S502). First, in order to perform decryption β, the presence / absence of the group public key G is determined (S503). Since the group public key G is owned, the common key (g) is extracted using the secret key [G] (S504). Further, decryption is performed with the common key (g), and data is extracted (S505). At this time, it is not possible to distinguish between real data and dummy data.

  Subsequently, the process of decoding α is performed. This divides the data extracted by the decryption β (S506), and determines whether or not the personal public key [2] exists (S507). Since the group child (2) owns the personal public key [2], the group child (2) decrypts it with the secret key <2> and extracts the common key (1) (S508). Further, decryption is performed using this common key (1), and data is extracted (S509). The extracted data is divided (S510), and the hash value is compared with real data or dummy data (S511). If the hash values are different and dummy data, the dummy data is discarded (S512). On the other hand, the data with the matched hash value is extracted as real data (S513).

  That is, the encryption processing of the present embodiment is a format in which the hybrid encryption method is multiplexed, and the confidentiality is enhanced.

(Client / server type)
FIG. 15 shows a mode in which the above-described security program is downloaded from a server and used by each terminal device.
Normally, in order to operate the above-described security program, it is installed in the storage unit of each terminal device. In the form of FIG. 9, this security program is installed from the server 40 to each terminal device. It is a type. Each terminal device is installed in the terminal device by connecting to the server via the Internet or an intranet.
In this way, even if the security program is not installed in the terminal device used by the user, the operation becomes possible, so that it can be used without selecting a place. For this reason, versatility increases.

(ASP type)
As shown in FIG. 16, the server may be provided by an ASP (Application Service Provider) operator.
In other words, if each terminal device has an Internet usage environment and web browser software, the security program provided by the server 50 can be used.

With such a configuration, even if the security program is not installed in the terminal device used by the user, it can operate. For this reason, it can be used without selecting a place, and versatility is enhanced. In addition, for example, considering system use in the company, system management becomes easy. In addition, as a usage form, a method of providing a security program by a rental system or the like can be considered.
Furthermore, when used as an ASP type, it can also be used as a trial before implementing security programs or as a test operation.

It is the conceptual diagram which showed typically the flow of the data in the P2P software which operate | moves between a transmission side terminal and a reception side terminal. It is the block diagram which showed the hardware constitutions of the transmission side terminal. It is the block diagram which showed the hardware constitutions of the receiving side terminal. It is the conceptual diagram which showed the data structure of format data. It is the graphical user interface in the P2P software started by the transmission side terminal. It is the figure which showed each function which P2P software can provide. The flowchart which showed the form of the data transmission / reception in which the transmission side terminal 10 and the reception side terminal 20 used P2P software. It is the conceptual diagram which showed typically the flow of the data between the terminal devices grouped. It is the block diagram which showed the hardware constitutions of the non-receiving side terminal. It is the flowchart which showed the data transmission between each terminal device. It is the flowchart which showed each process in group creation. It is the flowchart which showed creation of the group key. It is the flowchart which showed the encryption process by the transmission side terminal. It is the flowchart which showed the decoding process by the receiving side terminal. It is the conceptual diagram which showed the form which each terminal device installs and uses a security program from a server. It is the conceptual diagram which showed the form in the case of providing a security program by ASP type.

Explanation of symbols

10 Sending terminal (terminal equipment)
11, 21, 31 CPU
12, 22, 32 RAM
13, 23, 33 Storage unit 14, 15, 34 Input unit 15, 25, 35 Display unit 16, 26, 36 Communication unit 17, 27, 37 Output unit 18, 28, 38 Input / output port 20 Receiving side terminal (terminal device) )
30 Non-receiving terminal (terminal device)
40 server 50 ASP server

Claims (12)

An electronic file dividing means for dividing an electronic file to be transmitted into a message data that is a content part in the electronic file and a format data that is a part other than the content;
Policy information setting means for accepting input of policy information defining a reception policy in the recipient of the electronic file;
A format / policy transmission means for transmitting the format data and the policy information to a predetermined information receiving terminal device;
Message request receiving means for receiving a request for message data including part or all of the policy information from the information receiving terminal device that has received the format data and the policy information;
Policy determination means for determining whether or not the policy information received by the message request reception means is valid;
Message data transmitting means for transmitting message data to the information receiving terminal device when the policy judging means is valid;
An information transmitting terminal device comprising: a viewer display data disclosing unit that enables browsing of predetermined data including the message data so that the received message data can be displayed by the viewer.   The information receiving terminal device further comprises an erasure notification receiving means for receiving a message that the message data displayed on the viewer is erased when the message data is erased from the storage means in the information receiving terminal device. 1. The information transmission terminal device according to 1.   When the information receiving terminal device that has received the format data and the policy information creates and saves a list of message data to be received from the format data and policy information, a list save that receives the save The information transmission terminal device according to claim 1, further comprising a reception unit. Browsing judgment means for judging whether or not the information receiving terminal device is browsing message data by the viewer display data disclosure means;
When browsing of the message data is performed by the browsing determination unit, the browsing determination unit includes a termination request transmission unit that requests a forced termination of browsing,
4. The erasure notification receiving means receives that the message data has been erased from the storage means in the information receiving terminal device that has received the forced termination from the termination request transmitting means. The information transmission terminal device according to claim 1. As a result of the determination by the browsing determination means, when message data is not browsed, the message receiving data related to the message data is deleted from the information receiving terminal device capable of browsing the message data. Related data deletion request means for requesting,
5. The information transmission according to claim 4, wherein the erasure notification receiving means receives from the storage means in the information receiving terminal device that has received the deletion request from the related data deletion request means that the message related data has been deleted. Terminal device.   The information transmission terminal apparatus according to claim 1, wherein the policy information is formed from reading, writing, saving, and file display. A transmission side for transmitting an electronic file is a computer program for managing information on the electronic file,
The program divides an electronic file to be transmitted into message data that is a content part in the electronic file and format data that is a part other than the content,
A policy information setting procedure for accepting input of policy information for defining a reception policy in the recipient of the electronic file;
A format / policy transmission procedure for transmitting the format data and the policy information to a predetermined information receiving terminal device;
A message request receiving procedure for receiving a request for message data including a part or all of the policy information from the information receiving terminal device that has received the format data and the policy information;
A policy determination procedure for determining whether the policy information received by the message request reception procedure is valid;
A message data transmission procedure for transmitting message data to the information receiving terminal device when the policy determination procedure is valid;
Viewer display data disclosure procedure for enabling browsing of predetermined data including the message data so that the received message data can be displayed by the viewer;
A computer program that causes a computer to execute.   The information receiving terminal device includes a deletion notification receiving procedure for receiving a message indicating that the message data displayed on the viewer is deleted when the message data is deleted from the storage means in the information receiving terminal device. 8. The computer program according to 7.   When the information receiving terminal device that has received the format data and the policy information creates and saves a list of message data to be received from the format data and policy information, a list save that receives the save 9. The computer program according to claim 7, further comprising a reception procedure. A browsing determination procedure for determining whether the information receiving terminal device is browsing message data by the viewer display data disclosure procedure;
When message data is being browsed according to the browsing determination procedure, it has a termination request transmission procedure for requesting forced termination of browsing,
10. The erasure notification receiving procedure according to claim 8, wherein the message data is erased from the storage means in the information receiving terminal device that has received the forced termination from the termination request transmission procedure. A computer program according to the above. When the message data is not browsed as a result of the judgment by the browsing judgment procedure, the message related data related to the message data is deleted from the information receiving terminal device that can browse the message data. With a related data deletion request procedure,
11. The computer program according to claim 10, wherein the erasure notification receiving procedure receives from the storage means in the information receiving terminal device that received the deletion request from the related data deletion request procedure that the message related data has been deleted. .   12. The computer program according to claim 7, wherein the policy information is formed from reading, writing, saving, and file display.

Images