JP2008250369A - Management method of secrete data file, management system and proxy server therefor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To simultaneously attain reduction in management load and maintenance of security for secret data, in use of an external storage service, by effectively preventing information leak on a network or information leak by a server manager's illicit action. <P>SOLUTION: A proxy server 3 to which a terminal device 5 used by a user is connected through an internal network Ni, and n-pieces (n≥3) of file servers 4 are connected through an external network No has functions of receiving a secret data file from the user terminal 5 together with user information; generating a file name encryption key using the user information to encrypt a file name; redundantly dividing the secret data file to three or more sub-data; generating file content encryption keys using the file name encryption key to encrypt the plurality of sub-data, respectively; and storing the encrypted plurality of sub-data and the encrypted file names in the plurality of file servers 4, respectively, through the external network No. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention provides a confidential data file by a proxy server to which one or more terminal devices used by a user are connected via an internal network and n (n ≧ 3) file storage devices are connected via an external network. The present invention relates to a management system, a management system capable of executing the method, and a proxy server.

  Conventionally, management and operation of a database (DB) storing confidential information such as personal information held by local governments and companies is often outsourced to specialized external organizations and private companies. In this case, in order to prevent information leakage due to fraud, measures such as data encryption and access restriction to the DB server are taken.

  As an information security technique, redundant distribution of data using RAID (Redundant Arrays of Inexpensive Disks) has been put into practical use. However, since this RAID is processed at the file level, not the database, all data can be read if the file is accessed, and is not effective as a security measure. RAID is premised on redundant distribution at the same site, and practical performance cannot be obtained via a network, so it is not suitable for distributed management in a wide area. There is a similar problem in so-called mirroring (RAID-1).

  In addition, there is a mechanism for encrypting physical files, but unless the entire file is decrypted and saved in memory, individual data cannot be processed, resulting in the need to encrypt individual files. It is not suitable for databases that handle records and items.

  In view of these points, the present applicant has proposed a mechanism for realizing strong security by combining data encryption, decentralization, and redundancy as a method for managing confidential data in Patent Document 1 below. . According to the invention of this Patent Document 1, leakage of confidential information can be effectively prevented by a method in which databases are distributed in a redundant manner. In other words, because redundant distribution is performed in consideration of individual records and items, not the entire database, even if each sub-data is wiretapped due to unauthorized access to some storage devices or illegal actions of file server administrators It is impossible to make it. Even if some of the sub data can be decrypted, the file contents cannot be decrypted unless all the sub data are acquired and decrypted. As a result, the security of the confidential data can be dramatically improved.

  In addition to this Patent Document 1, for example, the following Patent Documents 2 and 3 are useful as a method for managing confidential data.

JP 2006-228202 A JP 11-102262 A JP 2000-76207 A

  By the way, in the conventional data management method, when the confidential data file created by the file management consignor is sent to the host computer of the consignor and redundantly distributed, the data (plaintext) before encryption is stored. It may flow on an open network such as the Internet, and confidential data may be leaked. In this regard, it is conceivable to connect the terminal device of the consignor or the in-house management computer and the host computer of the consignor via a dedicated line.

  However, since file management trustees usually accept business outsourcing from a large number of consignors, it is costly and management burden to build a dedicated network individually with each consignor. Not realistic in terms. In the first place, the merit of outsourcing management of confidential information to storage service providers on open networks is to reduce the management load and cost within the outsourcer. Will be significantly reduced.

  In addition, since the administrator of the host computer of the trustee can obtain information such as the confidential data file and the encryption key received from the trustee, there is a possibility that the secret data may be leaked by the manager's fraud.

  The present invention has been made to solve such problems, and even when using a storage service provided on an external network where security is not maintained, information leakage on the network and the server administrator's An object of the present invention is to provide a data management method, a data management system, and a server device that can effectively prevent information leakage due to fraud and can simultaneously reduce the management load of confidential data and maintain security.

  According to the first main aspect of the present invention, one or more specific terminal devices used by a specific user are connected via an internal network, and n (n ≧ 3) file storage devices are opened. A method for managing a confidential data file by a proxy server connected via an external network, wherein the proxy server sends a confidential data file to be managed from a user terminal device via the internal network to the user information A confidential data file receiving step received together with the received user information, generating a file name encryption key, and encrypting the file name of the confidential data file with this encryption key; and Using a file splitting process that splits redundantly into three or more sub-data and the file name encryption key A file content encryption key generating step for generating a file content encryption key, a file content encryption step for encrypting each of the plurality of divided sub-data with the file content encryption key, and encryption via an external network And a distributed storage step of storing a plurality of sub-data in association with the encrypted file name in the plurality of file storage devices, respectively.

  According to the second main aspect of the present invention, one or more terminal devices used by a user are connected via an internal network, and the proxy server is connected to the proxy server via an external network. A confidential data file management system having a file storage device (n ≧ 3), and receives confidential data files to be managed together with the user information from the user terminal device via the internal network A file receiving means, a file name encryption key for generating a file name encryption key using the received user information, and encrypting the file name of the confidential data file with this encryption key; File division means for redundantly dividing data, and file content encryption key using the file name encryption key A file content encryption key generating means for generating, a file content encryption means for encrypting the plurality of divided sub data with the file content encryption key, and a plurality of encrypted sub data via an external network. A confidential data file management system is provided that executes distributed storage means for storing each of the plurality of file storage devices in association with an encrypted file name.

  According to the third main aspect of the present invention, one or more terminal devices used by a user are connected via an internal network, and n (n ≧ 3) file storages via an external network. A confidential data file receiving unit, which is a proxy server for a confidential data file management system to which a device is connected, and receives a confidential data file to be managed together with information about the user from a user terminal device via an internal network A file name encryption unit that generates a file name encryption key using the received user information, encrypts the file name with this encryption key, and a file that redundantly divides the confidential data file into three or more sub-data Dividing means and file content encryption key generating means for generating a file content encryption key using the file name encryption key A file content encryption unit that encrypts each of the plurality of divided sub-data with the file content encryption key, and associates the plurality of encrypted sub-data with an encrypted file name via an external network. There is provided a proxy server comprising distributed storage means for storing each of the plurality of file storage devices.

  According to the above configuration, the confidential data is divided and encrypted by the server device connected to the internal network where security is maintained, and then distributed to a plurality of storage devices (file servers, etc.) on the external network. At the same time, the encryption key in this case is generated based on the file name and the file contents. Therefore, even if a third party such as a file server administrator obtains an encrypted file name and file data by unauthorized access to the file server or the like on an external network, it must be decrypted. I can't. Thereby, leakage of confidential data can be effectively prevented.

  Also, when the user wants to restore the distributed data, the server device is notified of the file name, so that the divided data distributed in a plurality of storage devices is collected using the encrypted file name as a key. The The original data can be restored by decrypting these divided data with the decryption key based on the file contents and then merging them. Since such a series of processing is performed by a server device (such as a proxy server) on the internal network, there is no risk of information leakage.

  Furthermore, the server device on the internal network only stores the encrypted file name and the like, and not the content of the confidential data, nor significant information such as the encryption key. Therefore, even if information is leaked due to unauthorized access to the server device, confidential data is not restored.

  According to the present invention, even when using a storage service provided on an external network where security is not maintained, information leakage on the network and information leakage due to a server administrator's fraud can be effectively prevented, and confidentiality is prevented. It is possible to obtain a data management method, a data management system, and a server device that can simultaneously reduce data management load and maintain security.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a network configuration diagram of an embodiment of the present invention. The data management system denoted by reference numeral 1 is connected to a proxy server (server device) 3 that can be connected to an internal network Ni of a user 2 such as a company or a local government, and the proxy server 3 through an external network No. that is a public line network. The proxy server 3 is connected to a plurality of user terminal devices (user terminals) 5 and 5 via an internal network Ni.

  In the following, description will be made assuming an example of managing confidential data created by an employee of a company. In addition, the user in this specification includes the company that is the contractor of the storage service, the employee who created or processed the confidential data file (creator user), and the proxy server that is responsible for managing confidential data in the company. 3 administrators (server administrators) and viewers authorized by the creator user or server administrator to view some or all confidential data (executive employees, employees in specific departments, employees of specific other companies) , Police agencies, government agencies, etc., hereinafter referred to as “browser users”). The information browsing authority of an individual user is registered for each confidential data file or for each user in a browsing authority table 26 described later.

  The internal network Ni is configured by a LAN or a dedicated line network, and when accessing the terminal device 5 from outside the network, connection authority is strictly managed by a firewall (not shown) or an authentication function of the proxy server 3 described later. . Further, in principle, transmission of confidential data from the terminal device 5 is prohibited. Such an in-house information management method is well known in the art and will not be described in detail.

  The proxy server 3 is a dedicated computer system specialized for file transfer, and has a function of connecting to each user terminal 5 via a dedicated line (internal network Ni) in the company using a predetermined file transfer protocol. is there. The proxy server 3 further has a function of connecting to the file server 4 via the external network No and transmitting / receiving an encrypted file using a predetermined file transfer protocol.

  As a protocol for file transfer between the proxy server 3 and each user terminal 5 and the file server 4, WEBDAV (Web-based Distributed Authoring and Versioning), FTP (File Transfer Protocol), SMB (Server Message Block) and the like are appropriately used. Can be used.

Further, the proxy server 3 specifically has the following functions.
(1) Basic data management function This function is based on the premise of realizing the following functions: user information management (browsing authority authentication, etc.), operation status management and monitoring of a plurality of file servers 4, and this file This is a function for controlling communication with the server 4.
(2) Function for saving confidential data file When a confidential data file is acquired online from the user's terminal device 5, a function for dividing the acquired data, a function for generating an encryption key, and encrypting the divided file with the encryption key And a function of transferring data to the file server 4.
(3) Function for Restoring / Outputting Confidential Data File This is a search key when the user terminal 5 acquires user information (such as login information to the proxy server 3) and the output target file name and receives an output request. A function for generating an encryption key, a function for collecting target data from a plurality of file servers 4 according to a search key, a function for merging collected sub-data, a function for generating a decryption key and decrypting and restoring the file, and a restoration This is a function for outputting a file to the user terminal 5.
(4) Failure response function When a specific file server 4 stops functioning (downs) due to a disaster or communication failure, or temporarily communicates with a specific file server 4 in which unauthorized access or virus intrusion is discovered If the history information of processing such as modification of the confidential file executed during the stop is accumulated for the confidential data stored in the file server 4 when the file server 4 is restored, This function is to synchronize data between the restored file server 4 and other file servers 4 that have functioned normally based on the history information. Since this function is described in detail in Patent Document 1 cited as the prior art, only an outline will be described in this specification.

  Here, as will be described later, no confidential data file, encryption key, or the like is stored in the proxy server 3, and there is no possibility that confidential data will be leaked even if unauthorized access is performed from the outside. Therefore, this proxy server 3 can be installed in the internal network Ni of the user company, or a specific user terminal 5 can also be used.

  The file server 4 is composed of a dedicated server machine (computer system) installed by a provider providing storage services on an open network, and automatically stores and outputs data by a computer program in accordance with instructions from the proxy server 3 To be executed. From the viewpoint of managing (sharing) a large number of data entrusted by a plurality of users, the file server 4 also has a database server function.

  The file server 4 allocates a part or all of the storage area of the built-in large-capacity auxiliary storage device (HDD or the like) to a user (company) who is a contractor of the service. Note that a part or all of the file storage device can be configured by a recording medium such as an external storage device. Further, a part of the plurality of file servers 4 may be shared by the proxy server 3 or the user terminal device 5. In this case, even if a part of confidential data is leaked due to unauthorized access to the proxy server 3 or the like, the confidential data is encrypted after being distributed (divided) into a plurality of files as described later. It is almost impossible for the acquirer to acquire the encryption key, decrypt the contents of the file, and decrypt the contents of the entire file.

  The plurality of file servers 4 and 4 are installed in a plurality of physically separated areas as a countermeasure against a communication failure or disaster. For example, disasters such as earthquakes, business activity area of user 2, type and attribute of confidential data (degree of confidentiality, personal information or business trade secret, data volume, frequency of information inquiry and expected inquirer's In consideration of the location, communication environment, etc.), it is set in multiple areas in prefectures such as municipalities, in units of prefectures, and in units of regions (Tohoku, Kanto, Kinki, etc.).

  Further, the number n of file servers 4 is set to 3 or more because redundant processing of confidential data and division processing including blank data are performed as will be described later. In the following description, an example in which four file servers 4 are mainly installed (n = 4) and the number of divisions (F: n− (number of servers that can be downed: 1)) is set to three. explain. That is, in the following example, even if one of the four servers goes down due to a communication failure or the like, normal operation can be continued if the other three servers are operating normally.

  Next, a specific configuration of the proxy server 3 will be described with reference to the functional block diagram of FIG. Each function of the proxy server 3 described above is realized by cooperation of hardware of the proxy server (computer) 3 and software installed in a storage device (HDD, ROM, etc.) of the computer. Specifically, a storage device (main storage and auxiliary storage) such as a RAM 13, a ROM 14, and an HDD 15 and an input / output interface (I / F) 16 are connected to a CPU 11 built in the proxy server 3 via a system bus 12. The input / output I / F 16 includes an output device 17 such as an LED display, an input device 18 such as a keyboard and a mouse, and a communication device 19 such as a modem. In the storage devices (13 to 15), a data storage area 21 and a program storage area 22 are secured.

  In such a hardware configuration, the administrator of the proxy server 3 operates the input device 18 to input various commands (external commands, etc.), and the user 2 can perform various commands from the user terminal 5 via the internal network Ni. When a command is transmitted, this software program is called and executed by the CPU 11 in the work area of the RAM 13 to perform the functions of the present invention in cooperation with the OS (operation system). The above program can also be introduced from a removable recording medium such as a CD-ROM or DVD-ROM. Moreover, you may utilize a part of function of OS.

  The data storage area 21 includes a user information storage unit 25 for registering login information (user ID and password) when connecting to the proxy server 3 and each file server 4, and a list of file names that can be browsed by each user by a user ID. Information on the addition, correction and deletion of confidential data to be stored in the storage device (A) when a failure occurs in the browsing authority table 26 registered in association with one or more storage devices (A) ) Is temporarily stored.

  Here, as log-in information to the file server 4, common information given to the user company that is the contracting entity and identification information of a specific individual user or user terminal 5 permitted to connect to the file server 4 ( Employee ID or terminal ID) or a combination thereof. In this embodiment, since confidential data files are distributed and arranged in four file servers 4, a total of five types of login information (one proxy server and four file servers) are registered.

  On the other hand, since the user ID in the browsing authority table 26 may reduce security if the browsing authority common to the entire user company is set, the user ID in this case is identification information (employee ID, etc.) of an individual user. It is preferable to manage.

  In practice, the user information storage unit 25 stores a list of user ID and password hash values. The proxy server 3 does not store any confidential data file, encryption key, file division pattern, or the like acquired from the user terminal 5. As a result, even if only the setting file of the proxy server 3 is viewed, even the administrator of the file server 4 cannot decrypt the encryption key of the file. It is possible to effectively prevent leakage of confidential data.

  A computer program for realizing the above-described functions of the proxy server 3 is installed in the program storage area 22. Specifically, request receiving means 30 (confidential data file receiving means, file output request receiving means), user information management means 31 (viewing authority storage means, authentication means), file dividing means 32, encryption key generating means 33 (file Content encryption key generation means, search key generation means), encryption processing means 34 (file name encryption means, file content encryption means), file transfer means 35 (distributed storage means), data deletion means 36, sub-data search means 37, a file restoration processing means 38 (file decryption means, file merge means), and update information storage / write means 39 (update information storage means, update information writing means). Each of these means is actually an independent computer program or a specific module or subroutine (segment) therein. Hereinafter, each means will be described in order.

  First, the request receiving unit 30 receives the confidential data file to be managed together with the user information from the creator user's terminal device 5 via the internal network Ni, and the internal data Ni. It has a file output request receiving function that acquires user information and a file name from the terminal device 5 of the creator user or the viewer user and receives a request for outputting a confidential data file. Here, the request receiving means 30 receives login information to the proxy server 3 and login information to the plurality of file servers 4 as user information when acquiring the confidential data file. Any of these pieces of information may be received.

  The user information management means 31 includes a function for authenticating a user's authority to use a service, a viewer user ID, and a file name when the request acceptance means 30 accepts a storage request for a confidential data file. Alternatively, the browsing authority registration function that is acquired from the information management manager of the user company and stored in the browsing authority table 26, and when the request receiving unit 30 receives a file output request, the acquired user information and file name are And a function of performing verification of browsing authority by comparing with the browsing authority table 26.

The file dividing unit 32 divides the confidential data file into n ₀ types (n> n ₀ ) based on a predetermined distribution pattern calculated according to the number of distributed confidential data files (distribution number: 3 to n) and the redundancy. ≧ 2) is redundantly divided into three or more sub-data. In this embodiment, the sub-data is distributed and arranged in four file servers 4 and, as will be described later, in one file server 4, empty data or NULL data (hereinafter referred to as “blank data”). Is stored, the number of divisions is three. Further, since the redundant arrangement is made in the three file servers 4, there are three types of sub-data. Such a distribution pattern depends on the total number of file servers 4, the number of servers 4 that store blank data, the redundancy of sub data (how many sub-data can be used to restore a file) Calculated automatically. This distribution pattern is appropriately set according to the level of security required from the file attributes, the management cost, the network environment, and the like. Note that distributed processing is executed only for file contents, not for file names. That is, the encrypted file name is not divided and distributed, and the same encrypted file name is stored in all the file servers 4.

  The encryption key generation unit 33 generates a file name encryption key by calculating a hash value of the login information of the user when a file storage request is received from the creator user's terminal 5 and the file name. A function for generating a file content encryption key by calculating an encryption key and a hash value of a file name, and when a file output request is received from the terminal 5 of the viewer user, a hash value of the login information of the user is calculated. And a function for generating a file name encryption key as a search key for sub data and a function for generating a file content decryption key by calculating the file name encryption key (search key) and a hash value of the file name. Since the hash function includes an irreversible one-way function, the original text (file name, etc.) cannot be reproduced from the calculated hash value. In addition, since it is extremely difficult to create different data having the same hash value, it is preferable to use the hash value as an encryption key in terms of maintaining security. The generated key is stored in the data area of the RAM 13 until the encryption / decryption process is completed, but is deleted after the process is completed.

  Here, the file name encryption key and the sub-data search key are, for example, four known hash functions such as MD5, SHA-1, SHA-256, SHA-384, SHA-512, RIPEMD, Whirlpool, and Tiger. Substituting the user ID (1111, 2222...) And password (aaaa, bbbb...) For connecting to the file server 4 and the user ID (9999) and password (zzzz) for connecting to the proxy server 3. Calculate the hash value. Similarly, the file content encryption key and the file content decryption key are calculated by substituting the login information, the file name encryption key, and the sub data search key into the hash function.

  When a file output request is received from a user terminal 5 other than the creator user, the encryption key generation unit 33 refers to the browsing authority table 26 and identifies user identification information (employee) related to the file output request. The hash value of the login information of the creator user is identified from the ID etc., and the file name encryption key is generated using the creator user information.

  The encryption processing unit 34 (file name encryption unit, file content encryption unit) has a function of encrypting the name of the file with the generated file name encryption key when the confidential data file is stored (distributed arrangement). And a function of encrypting the plurality of divided sub-data with the file content encryption key. Since both file name and file content encryption methods are well known in the art, a detailed description thereof will be omitted.

  The file transfer means (distributed storage means) 35 transmits the plurality of encrypted sub-data together with the encrypted file names to the plurality of file servers 4 via the external network No. for storage. . As described above, in this embodiment, three types of sub-data that are redundantly divided and encrypted are stored in the three file servers 4, and the blank data is stored in the other one file server 4. Is stored.

Here, in the redundant arrangement, for example, arbitrary three servers 4 (n ₀ = 3) are selected using random numbers among the four file servers 4 (n = 4). Different types of divided data are stored in three arbitrary locations selected from four locations, and blank data is stored in the other one location (n−n ₀ = 1).

  The data deleting means 36 stores the confidential data file and the generated file received from the terminal device 5 of the creator user after the plurality of sub-data are transferred to the file server 4 and the distributed storage process is completed when the confidential data file is stored. The function of deleting the name encryption key, the file content encryption key, and all the sub-data from the storage device (13 to 15) of the proxy server, and after the restoration file is transferred to the user terminal 5 when the confidential data is output, The restoration file and the decryption key information are deleted from the storage device of the proxy server 3. In the case of a general volatile memory (RAM 13 or the like), the stored contents are automatically deleted when the proxy server 3 is turned off. However, if the proxy server 3 is operated for a long time, confidential data is not stored. Since it is not erased for a long time, it is not preferable in terms of security. In the case of some nonvolatile memories, an active erasing process such as electrical erasure or ultraviolet erasure by the data erasing means 36 is required.

The sub data search means 37 searches the n-1 sub data distributedly stored in n- ₀ file servers 4 through the external network No. using the search key.

  The file restoration processing means 38 (file decryption means, file merge means) combines these sub-data into one file with reference to a virtual file obtained by combining all the searched sub-data with OR conditions. is there. Here, when blank data is included in a plurality of acquired sub-data, the function of merging other sub-data into one file and using the generated file content encryption key And a function of decrypting the merged file. The file restored in this way is transferred to the user terminal device 5 by the file transfer means 35.

  Finally, the update information storage / write unit 39 that performs the failure handling function is information on addition, correction, and deletion of confidential data acquired from the user terminal 5 when a failure occurs in one or more storage devices (A). (Update information) and information to be stored in the storage device (A) is stored in the update information storage unit 27 in association with the identification information (file name, serial number, etc.) of the confidential data file. When the storage device (A) is restored or an alternative storage device (A ′) is installed, the stored update information is synchronized with the other storage devices (B, C...) And stored. Write to the device (A or A ′).

(Example of dividing and redundancy of confidential data file)
Next, an example in which the file dividing unit 32 redundantly divides the confidential data file will be described with reference to FIG.
First, the conditions of the confidential data file division and redundancy processing in this example are shown below.
• The distribution unit is 8 bits (1 byte). This is to facilitate real-time distributed processing. Each row in FIG. 3 is a distribution unit, and one square indicates one byte.
The distribution pattern is automatically calculated according to the distribution number 3 to n and the redundancy. In the example shown in the figure, the number of distributions is 4, and it is assumed that the original file can be restored by collecting data from three file servers (redundancy: 3/4).

In accordance with such conditions, distributed processing is performed as follows. It is assumed that distributed processing is executed in order from the top of the row in FIG.
(1) The first distribution (first line) is obtained by acquiring bits at any four points (indicated by “*” in the table of FIG. 3) (1-1 to 1-4), and the remaining four bits Fill with zeros.
(2) The second dispersion (second line) selects arbitrary 2 bits (2-1, 2-2) from the 4 bits (1-1 to 1-4) selected in the first dispersion, Arbitrary 2 bits (2-3, 2-4) are selected from 4 bits that are not selected in the first distribution (“0” is recorded in the first row).
(3) In the third distribution (third line), any two bits (3-1, 3-2) are selected from the four bits selected in the first distribution, and any one of the first and second distributions is selected. However, 2 bits (3-3, 3-4) which are not selected ("0" is recorded in both the first and second rows) are selected.
(4) In the fourth dispersion (fourth line), four bits (4-1 to 4-4) selected only once in the first to third dispersion are selected.
(5) The above processing is repeated in units of bytes, and the entire confidential data file is distributed.

(Example of file format)
Next, the format of the file name and file contents will be described with reference to FIG.
(1) Encrypted file As shown in FIG. 4A, in a state where the file name is encrypted, a hash value of a fixed-length file name is described in the header, and a variable-length encrypted file is written in the body. Name is described.

  Next, in a state where the file contents are encrypted, as shown in FIG. 4B, a file hash header composed of hash values from the Length header to the first body block is described in the header, and the body The contents of the encrypted file of variable length are described according to the length of the file.

  Here, the body portion is configured as shown in FIG. 4C. That is, the length header describes the length of each fixed-length block, the original file name information describes the variable-length encrypted file name, and the first body block has variable-length encryption. The first n bytes of data are described, and the remaining variable-length data is also described in the second body block.

(2) Sub-data to be distributed (FIG. 4D)
In all sub-data, “header distribution result” is described in the header, and “encrypted file content distribution result” is described in the body. This sub data is stored in three file servers.

(Processing flow)
Next, processing steps of the proxy server 3 according to this embodiment will be described together with detailed functions with reference to the flowcharts of FIGS. In the following, the confidential data file storage process and output process will be described separately. Note that the failure handling function can be executed in the same manner as the processing disclosed in Patent Document 1 described above, and thus detailed description thereof is omitted.

(Flow when storing (transferring) confidential data files)
In this process, first, the request receiving means 30 of the proxy server 3 acquires login information to the proxy server 3 and the file server 4 from the creator user's terminal 5 via the internal network Ni, and receives a request for storing confidential data. (Step S1), the user information management means 31 authenticates the service use authority of this user (Step S2). Since it is conceivable that the authority to connect to the proxy server 3 is restricted to executive employees or employees in a specific department within the user company, it is determined whether or not there is an authority to connect to the proxy server 3. If a positive authentication is obtained, an authentication result is returned to the user terminal 5, and a confidential data file to be stored is acquired from the user terminal 5 (step S3). If the authentication is denied, this process is terminated.

  Next, the encryption key generation unit 33 calculates the hash value of the user login information (ID, password) acquired in step S1 to generate the encryption key of the name of the file related to the request (step S4). The processing means 34 encrypts the file name using this encryption key (step S5). Then, the file dividing means 32 divides this file content into three sub data (step S6). The encryption key generation means 33 calculates the file name encryption key and the hash value of the file name to generate a file content encryption key (step S7). Using the file content encryption key, the encryption processing means 34 encrypts each of the three sub data (step S8). The file division process can be executed in parallel with the encryption key generation process for the file name and file contents.

  Next, the file transfer unit 35 transfers the three encrypted sub data and one blank data to the four file servers 4 via the external network No (step S9), and the user terminal 5 Is notified of the transfer completion (step S10). Here, when the ID of another user who is permitted to view the confidential data file is received from the terminal 5 such as the creator user or the administrator user (step S11), the user information management means 31 The received information of all users who are permitted to browse (hash values such as login information and employee ID) is associated with the file name and stored in the browsing authority table 26 (step S12).

  Finally, the data deletion unit 37 deletes the confidential data file, all sub-data, file name encryption key, file content encryption key, and distribution pattern information from the storage device (13-15) and ends this process. (Step S13).

  As a result of the above processing, the divided and encrypted sub-data is distributed and arranged in a random distribution pattern in the file server 4, so that even if data leaks from some file servers 4, the original It is virtually impossible to restore data or analyze its meaning. In particular, since blank data is stored in one or more file servers 4, restoration and analysis of data become more difficult. In addition, since the confidential data file before encryption flows only to the internal network Ni in which security is firmly maintained, the information before encryption is not leaked to the outside.

  Furthermore, since the encryption key of the sub data is generated using the user login information, the encryption key is different for each user. Thereby, even if the file name is the same, if the user is different, it can be managed as a different file. That is, since the encryption key is generated from the file name, the user ID, and the password, the uniqueness can be improved. Therefore, it is impossible to obtain an encryption key from the file server 4, and it is not necessary to prepare and manage user IDs and passwords by the number of file servers. Further, since the proxy server 3 does not store the confidential data file, as well as the divided sub-data, encryption key, and information on the distribution pattern, the proxy server 3 may be accessed by unauthorized access to the proxy server 3 or by the server administrator's unauthorized actions. , Confidential data file information never leaks.

  In addition, by simultaneously encrypting the file name and file contents and performing redundant division into a plurality of file servers, it is possible to simultaneously realize emergency response due to redundancy and improved security. Furthermore, since the file management method is based on the proxy server 3 installed between the file server 4 and the user terminal device 5, it is possible to smoothly transition to a system with improved security while maintaining the current network environment.

(Flow when outputting (receiving) confidential data files)
Next, with reference to FIG. 6, the flow at the time of outputting a confidential data file to the user terminal 5 will be described.
In this process, first, when the request receiving unit 30 acquires the name of the file to be output and the login information of the user from the terminal 5 of the viewer user or the creator user and receives a file output request (step S15), The user information management means 31 collates the acquired information with the information in the browsing authority table 26 and executes authentication of browsing authority for the file (step S16). If the authentication is positive, the encryption key generation means 33 calculates a hash value of this user information and generates an encryption key (step S17). In the case of an output request from a viewer user, login information of the creator user is specified from a file name or the like, and a file name encryption key is generated using this creator user information. On the other hand, if the authentication is denied, the authentication result is returned to the user terminal 5 and the process is terminated.

  Next, the encryption processing means 34 encrypts the file name related to the request with the file name encryption key (step S18). This is a search key for sub data. This search key is transferred to the sub data search means 37, and data is collected from the four file servers 4 (step S19). The collected data includes three sub data and one blank data.

  Further, the encryption key generation means 33 generates a decryption key for sub-data using the hash value of the user information (step S20). In parallel with this, the file restoration processing means 38 merges the three sub-data excluding blank data into one file on the basis of the virtual file synthesized under the OR condition (step S21). When the files are merged, the file restoration processing means 38 decrypts the encrypted file with the decryption key (step S22). The decrypted file is transferred to the user terminal 5 by the file transfer means 35 (step S23).

  Finally, the data deleting means 36 decrypts the confidential data file, all collected sub-data (including blank data), the generated file name encryption key (search key), file content encryption key, and distribution The pattern information is erased from the storage devices (13 to 15), and this process is terminated (step S24).

  With such a configuration, when collecting the sub-data stored in the file server 4 through the external network No., it is acquired in an encrypted state, so that there is no possibility of leaking confidential information even through the external network No. . In addition, since the decryption key of the encrypted file is generated according to the information of the creator user, there is no problem in outputting information even if the viewing authority is expanded.

  Here, even when one file server 4 cannot be used due to a communication failure or a site-side failure, the original data can be restored by accumulating the data of the other three servers 4. That is, since redundant arrangement is performed, even if one of the collected data is empty data, the original data can be restored with data acquired from the other two places. For the same reason, even if all the file servers 4a to 4d are operating normally, the data to be searched can be restored by acquiring data from arbitrary three locations. When dummy data is stored instead of blank data, or when wrong data is stored in one place for some reason, the original data may be restored by majority of the acquired data.

  Due to such data redundancy / distribution, for example, even if all the data of one specific base (file server 4) is wiretapped, it is impossible to analyze or restore the meaning of individual confidential data files. Leakage due to unauthorized access or taking out of media can be effectively prevented. Even when a file server at one site goes down due to a natural disaster or the like, the original data can be restored by accumulating data at other sites. Further, even if the proxy server 3 is illegally accessed, since no significant information such as the original data, the encryption key of the confidential data, and the file division pattern is stored, the confidential data is not leaked. Even when the proxy server 3 and the user terminal 5 also serve as the file server 4, since only a part of the divided and encrypted data is stored, the security of the confidential data can be secured similarly.

(Other features)
In addition to the above, the invention according to the present embodiment can also implement the following function for checking whether the target file has been tampered with when a file output request is received from the user terminal. For example, after saving the sub-data to the file server, if the network server is hijacked while the sub-data is being transferred to the file server, or the sub-data is saved (saved) Therefore, it is effective to have a function for detecting such tampering at an early stage.

(1) File name decryption check function This function uses the fact that the above-mentioned tampering trace may exist in the header portion of the “file name encryption” format. This is a function to detect falsification at an early stage by checking the file name. Specifically, when a confidential data file named “ABCD.doc” is distributed and stored in a plurality of file servers, the file name is obtained from the user terminal 5 and a request for data output is received. The server uses this function to create an encrypted file name (body part) of the file using “ABCD.doc + login information of each server”. Then, a sub data file including the encrypted file name (body part) is obtained from each file server. At this time, the hash part of the file name acquired from the file server is compared with the generated hash value of “ABCD.doc” to check for falsification. When it is confirmed that the file has been tampered with, an alarm to that effect can be sent to the user terminal 5, the terminal of the network manager, a file server, etc. to encourage the response.

(2) File content decryption check function This function is used to merge the above-described Length header, original file name information, and encrypted first body before merging and decrypting a plurality of sub-data collected from the file server. This is a function for checking the alteration of the file contents by decrypting only the first n bytes of the block first and comparing with the hash value of the file name of the request. In other words, if the hash contents of the two do not match, the file contents may have been tampered with on the server side. In that case, the file name is changed to the user terminal without decrypting the requested file. Then, an error message “Decoding failed” is output, and an alarm is output to the terminal of the person in charge of network management. Only when the hash header portion of the target file matches the value of the collected sub-data, it is determined that the file has been successfully decrypted, that is, has not been tampered with. As a result, file alteration can be detected at an early stage, and reverse spying that misunderstands a file after alteration as a regular file can be prevented. This function can be executed either before or after merging a plurality of sub-data collected from the file server, but when executed before merging, it is also possible to specify a server that has been tampered with. In this case, it is necessary to add a hash value of the body part suitable for each file server without distributing the header part of the file.

  In addition, this invention is not limited to said embodiment, A various deformation | transformation is possible in the range which does not change the summary of invention.

  For example, the number of file servers, the number of divisions, and the like can be variously changed without depending on the above example, depending on the type and sensitivity of the confidential data, the contract between the consignor and the trustee, and the like. Various algorithms such as encryption, division, and search can be changed.

  The present invention can also be combined with a multipath routing technology that has been developed recently. That is, the confidential data file is divided into a plurality of sub data, and communication is performed by changing a communication route for transferring each sub data to the file server by a multipath routing technique. As a result, in order to eavesdrop on the sub data, data on the network must be collected at the same time through a plurality of routes, and wiretapping becomes virtually impossible.

  Further, when the file list is acquired, a list of the file names individually decrypted with the “file name encryption key” may be returned to the terminal device.

FIG. 1 is a network configuration diagram of an embodiment of the present invention. FIG. 2 is a functional block diagram showing the configuration of the proxy server. FIG. 3 is a diagram illustrating an example in which a confidential data file is divided redundantly. FIG. 4 is a diagram showing a file name and a file content format. FIG. 5 is a flowchart showing the processing steps when storing (transferring) the confidential data file. FIG. 6 is a flowchart at the time of outputting (receiving) the confidential data file.

Explanation of symbols

Ni ... Internal network No ... External network 1 ... Data management system 2 ... User 3 ... Proxy server 4 (4a-4d) ... File server 5 ... User terminal device 11 ... CPU
12 ... System bus 13 ... RAM
14 ... ROM
15 ... HDD
16 ... I / O interface (I / F)
DESCRIPTION OF SYMBOLS 17 ... Output device 18 ... Input device 19 ... Communication device 21 ... Data storage area 22 ... Program storage area 25 ... User information storage part 26 ... Browsing authority table 27 ... Update information storage part 30 ... Request reception means 31 ... User information management means 32 ... File division means 33 ... Encryption key generation means 34 ... Encryption processing means 35 ... File transfer means 36 ... Data deletion means 37 ... Sub data search means 38 ... File restoration processing means 39 ... Update information storage / writing means

Claims (21)

One or more specific terminal devices used by a specific user are connected via an internal network, and n (n ≧ 3) file storage devices are confidential by a proxy server connected via an open external network. A method for managing data files,
The proxy server is
A confidential data file receiving step for receiving a confidential data file to be managed together with the information of the user from the terminal device of the user via the internal network;
Using the received user information to generate a file name encryption key, and encrypting the file name of the confidential data file with this encryption key;
A file dividing step for redundantly dividing the confidential data file into three or more sub-data;
A file content encryption key generating step for generating a file content encryption key using the file name encryption key;
A file content encryption step for encrypting each of the divided sub-data with the file content encryption key;
A distributed storage step of storing the plurality of encrypted sub data in the plurality of file storage devices in association with the encrypted file names via an external network, respectively. The method of claim 1, wherein
Further, the proxy server is
A file output request receiving step for acquiring user information and a file name from the terminal device of the user via an internal network and receiving a request for confidential data file output;
A search key generation step of generating a search key by encrypting a file name related to the request with the file name encryption key;
A sub-data search step of connecting to a plurality of file storage devices via an external network and searching a plurality of sub-data distributed and stored in these file storage devices with the search key, respectively;
A file merging step of merging all the searched sub-datas into a single file;
A file decryption step of generating a file content encryption key using the file name encryption key and the file name associated with the request, and decrypting the merged file using the file content encryption key;
A file transfer step of transferring the decrypted file to the user terminal device. The method of claim 2, wherein
Further, the proxy server is
The first user information (A) received in the confidential data file receiving step and the second user information (B) permitted to view the confidential data file to be managed are identified with the confidential data file. A browsing authority storage step of storing in the browsing authority table in association with information;
An authentication step of authenticating browsing authority by comparing the acquired user information (A or B) and file name with the browsing authority table when a request for confidential data file output is received;
The file name encryption step specifies the first user information (A) from the browsing authority table when the authentication is positive, and uses the first user information (A) to encrypt the file name. A method characterized by generating a key. The method of claim 2, wherein
The file merging step synthesizes the sub-data into one file on the basis of a virtual file obtained by combining all the sub-data retrieved by the OR condition. The method of claim 2, wherein
The file dividing step redundantly divides the confidential data file into n ₀ types (n> n ₀ ≧ 2) of sub-data,
In the distributed storage step, n ₀ types of sub-data are stored in any n ₀ file storage devices, respectively, and empty data or NULL data (hereinafter “blank data”) is stored in n−n ₀ other file storage devices. ”), And
The sub-data search step searches n−1 sub-data distributed in n−n ₀ file storage devices.
The file merging step is to execute a process in which, when blank data is included in a plurality of acquired sub data, the other sub data is merged and combined into one file. . The method of claim 1, wherein
The file dividing step divides the confidential data file into three or more sub-data based on a distribution pattern calculated according to the number of distributions (3 to n) and redundancy. The method of claim 1, wherein
The confidential data file receiving step receives, as user information, at least one of login information to a proxy server and login information to a plurality of storage devices,
The file name encryption step calculates a hash value of the login information to obtain a file name encryption key. The method of claim 1, comprising:
Further, the proxy server receives the confidential data file received from the terminal device of the user in the confidential data file reception step before the distributed storage step is completed, the file name encryption key generated in the file name encryption step, A method comprising: deleting from the storage device of the proxy server the three or more sub-data divided in the file division step and the file content encryption key generated in the file content encryption key generation step. The method of claim 1, comprising:
Further, the proxy server is
Update information for storing, in the update information storage section, information (update information) on addition, correction and deletion of confidential data to be stored in the storage device (A) when a failure occurs in one or more storage devices (A) A storage process;
When the storage device (A) is restored or when an alternative storage device (A ′) is installed, the stored update information is synchronized with the other storage devices (B, C...) An update information writing step for writing to a storage device (A or A ′). The method of claim 1, comprising:
A part of the plurality of storage devices is provided in a proxy server and / or a user terminal device. A confidential server comprising a proxy server to which one or more terminal devices used by a user are connected via an internal network, and n (n ≧ 3) file storage devices connected to the proxy server via an external network A data file management system,
A confidential data file receiving means for receiving a confidential data file to be managed together with the user's information from the user's terminal device via the internal network;
A file name encryption unit that generates a file name encryption key using the received user information and encrypts the file name of the confidential data file with the encryption key;
File dividing means for redundantly dividing the confidential data file into three or more sub-data;
File content encryption key generation means for generating a file content encryption key using the file name encryption key;
File content encryption means for encrypting each of the plurality of divided sub-data with the file content encryption key;
And a distributed storage means for storing the plurality of encrypted sub data in the plurality of file storage devices in association with the encrypted file names via an external network, respectively. Management system. The system of claim 1, wherein
further,
File output request accepting means for obtaining user information and file name from the terminal device of the user via the internal network, and accepting a request for confidential data file output;
Search key generation means for generating a search key by encrypting a file name related to the request with the file name encryption key;
Sub data search means for searching a plurality of sub data distributedly stored in a plurality of file storage devices with the search key via an external network,
A file merging means for merging all the searched sub-data and combining them into one file;
File decryption means for generating a file content encryption key using the file name encryption key and the file name related to the request, and decrypting the merged file using the file content encryption key;
A confidential data file management system, comprising: a file transfer means for transferring the decrypted file to the user terminal device via an internal network. The system of claim 12, wherein
further,
The first user information (A) received by the confidential data file receiving means and the second user information (B) permitted to view the confidential data file to be managed are identified. Browsing authority storage means for storing in the browsing authority table in association with information;
An authentication means for authenticating browsing authority by comparing the obtained user information (A or B) and file name with the browsing authority table when a request for confidential data file output is received;
The file name encryption means specifies the first user information (A) from the browsing authority table when the authentication is positive, and uses the first user information (A) to encrypt the file name. A secret data file management system characterized by generating a key. The system of claim 12, wherein
The file merging means synthesizes these sub-data into one file on the basis of a virtual file obtained by combining all the searched sub-data with an OR condition. The system of claim 12, wherein
The file dividing means divides the confidential data file redundantly into n ₀ types (n> n ₀ ≧ 2) of sub-data,
The distributed storage means stores n ₀ types of sub-data in arbitrary n ₀ file storage devices, and also stores empty data or NULL data (hereinafter “blank data” in other n−n ₀ file storage devices. ”), And
The sub-data search means is for searching n−1 sub-data distributed in n−n ₀ file storage devices,
The file merging means merges the other sub-data into a single file when blank data is included in the acquired plurality of sub-data. Management system. The system of claim 11, wherein
The file dividing means divides the confidential data file into three or more sub-data based on the distribution pattern calculated according to the distribution number (3 to n) and the redundancy. Management system. The system of claim 11, wherein
The confidential data file receiving means receives, as user information, at least one of login information to a proxy server and login information to a plurality of storage devices,
The secret data file management system, wherein the file name encryption means obtains a file name encryption key by calculating a hash value of the login information. The system of claim 11, comprising:
Further, the secret data file received from the terminal device of the user by the secret data file receiving means until the distributed storage processing of the sub data by the distributed storage means is completed, and the file name encryption key generated by the file name encrypting means Confidential data comprising means for deleting from the storage device of the proxy server the three or more sub-data divided by the file dividing means and the file content encryption key generated by the file content encryption key generating means File management system. The system of claim 11, comprising:
further,
An update information storage unit that stores information (update information) on addition, correction, and deletion of confidential data to be stored in the storage device (A) when a failure occurs in one or more storage devices (A);
When the storage device (A) is restored or when an alternative storage device (A ′) is installed, the stored update information is synchronized with the other storage devices (B, C...) An update information writing means for writing to a storage device (A or A ′). The system of claim 11, comprising:
A confidential data file management system, wherein a part of the plurality of storage devices is provided in a proxy server and / or a user terminal device. A proxy for a confidential data file management system in which one or more terminal devices used by a user are connected via an internal network and n (n ≧ 3) file storage devices are connected via an external network A server,
A confidential data file receiving means for receiving a confidential data file to be managed together with the user's information from the user's terminal device via the internal network;
A file name encryption means for generating a file name encryption key using the received user information and encrypting the file name with this encryption key;
File dividing means for redundantly dividing the confidential data file into three or more sub-data;
File content encryption key generating means for generating a file content encryption key using the file name encryption key;
File content encryption means for encrypting each of the plurality of divided sub-data with the file content encryption key;
A proxy server, comprising: a distributed storage unit that stores a plurality of encrypted sub-data in association with an encrypted file name in the plurality of file storage devices via an external network.

Images