JP2010092288A - File management method, management terminal, information processing terminal, file management system, and file management program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a file management method for monitoring the operation of a file taken out of company. <P>SOLUTION: A management server 1 receives from a mobile PC 6 a log-in ID and a temporary password necessary for opening an encrypted file inside the mobile PC 6, and holds them as a monitor file list. When the mobile PC 6 detects operation for opening the encrypted file, it transmits a use application including a file identifier of the encrypted file and a user's log-in ID. When the management server 1 receives the use application, it refers to a list of files which can be taken out where file identifiers of encrypted files which can be taken out of an internal network are associated with log-in ID of users who are accessible to the encrypted files and, when it is determined that these are not associated, the management server 1 transmits a response to the mobile PC 6 to the effect that the encrypted file whose use has been applied is not allowed to use. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a file management method for preventing information leakage from an information processing terminal.

  2. Description of the Related Art Conventionally, employees access a company network using a mobile PC (Personal Computer) or the like outside the company. However, when performing user authentication via the Internet, there is a risk of eavesdropping or impersonation by a third party. On the other hand, in Patent Document 1 below, access to the inside of a firewall is performed by using a security card having an authentication function such as terminal login authentication or VPN (Virtual Private Network) authentication at the time of remote access to a mobile PC. Restricted.

JP 2006-215784 A

  However, the conventional technology does not consider unauthorized use performed after the mobile PC is authenticated. For example, even if an employee takes a file out of the company based on legitimate authority, if the employee leaves the office while operating the PC that stored the file outside the company, the third party may remove the PC. It can be operated freely. For this reason, there is a risk that a malicious third party may steal information in the PC or falsify a file in the PC. That is, there is a problem that security measures are not taken when a file is taken out.

  The present invention has been made in view of the above, and an object of the present invention is to obtain a file management method for monitoring the operation of a file taken outside the company.

  In order to solve the above-described problems and achieve the object, the present invention includes a management terminal connected to an internal network for managing files and an information processing terminal connected to the internal network via an external network. A file management method executed in a file management system provided, wherein the management terminal is effective between a login ID for a file agent function for a user to operate an encrypted file and the start and end of the file agent function. A file that receives a temporary password required to open an encrypted file in the information processing terminal from the information processing terminal and holds a monitoring file list that is information relating the login ID and the temporary password A monitoring preparation step, and the information processing terminal When the operation for opening the file is detected, a use application step of sending a use application of the encrypted file including the file identifier of the encrypted file and the login ID of the user who uses the encrypted file, and the management terminal, When a use application is received, refer to a file list that can be taken out from the internal network and a file list that can be taken out of the file identifier of a user who can use the encrypted file and a login ID of the user. When it is determined that the login ID and the file identifier included in the use application are associated with each other, and the management terminal determines that the login ID and the file identifier are not associated by the execution of the exportability determination step. However, the information indicating that the use of the encrypted file for which the use application has been made is not permitted is indicated in the above information. Characterized in that it comprises a Unavailable response sending sense terminal.

  According to the present invention, it is possible to monitor the operation of a file taken outside the company.

  Embodiments of a file management method according to the present invention will be described below in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

Embodiment.
FIG. 1 is a diagram illustrating a configuration example of a file management system. 1 includes a management server 1, a management terminal 2, a firewall 3, a LAN 4 connecting the management server 1, the management terminal 2 and the firewall 3, an external network 5 such as the Internet, a mobile PC 6, Is provided. The management server 1, the management terminal 2 and the firewall 3 exist on the in-house network. The management server 1 monitors the operation of an encrypted file (described later) taken out from the company. The management terminal 2 manages the management server 1. The firewall 3 monitors access between the corporate network and the Internet 5. The mobile PC 6 can be connected to the Internet 5 via a wireless or wired encrypted communication path. Further, the mobile PC 6 is permitted to connect to the management server 1 connected on the in-house network. In the file management system of this embodiment, in order to improve security, it is assumed that a file is encrypted as necessary and stored in a file server (not shown) on an in-house network.

  FIG. 2A is a block diagram illustrating a configuration example of the management server 1. The management server 1 includes a communication unit 10, a storage unit 11, an authentication unit 12, an encryption unit 13, and a packet monitoring unit 14. The communication unit 10 controls data transmission / reception with the management terminal 2 or the mobile PC 6. The storage unit 11 is a memory and holds a user authentication table that is information that associates a login ID and password of a user who can log in to the management server 1. In addition, the storage unit 11 holds a file table that can be taken out, which is information that associates an identifier (file identifier) of an encrypted file that can be taken out from the company and a login ID of a user who can use the file. In addition, the storage unit 11 holds a monitoring file list that is a file that is managed by associating a login ID with a temporary password. Furthermore, the storage unit 11 holds a common key for each encrypted file for decrypting the encrypted file. The authentication unit 12 authenticates the user based on information transmitted from the user. The encryption unit 13 encrypts the key held by the storage unit 11. The packet monitoring unit 14 includes a timer (not shown), periodically transmits a permission packet for allowing the file operation to be continued to the mobile PC 6, and receives a response to the permission packet from the mobile PC 6. Receive a report packet.

  FIG. 2-2 is a block diagram illustrating a configuration example of the mobile PC 6. The mobile PC 6 includes a communication unit 20, a storage unit 21, a file operation monitoring unit 22, an encryption / decryption unit 23, a file operation unit 24, and a packet monitoring unit 25, and realizes a file agent function. . The communication unit 20 controls data transmission / reception with the management server 1. The storage unit 21 is a memory and holds various data and files. The file operation monitoring unit 22 monitors the operation of the encrypted file by the user. The encryption / decryption unit 23 decrypts the encrypted common key received from the management server 1 and decrypts the encrypted file that is the operation target. The file operation unit 24 opens the operation target file when receiving permission from the management server 1 and closes the operation target file when detecting the end operation by the user. When receiving a stop packet, which is a packet for notifying that the file operation is stopped, from the management server 1, the file is forcibly terminated. The packet monitoring unit 25 includes a timer (not shown), receives the permission packet from the management server 1, and periodically transmits a reception report packet that is a response to the permission packet. Further, the packet monitoring unit 25 holds the encrypted file opened in the mobile PC 6 as an operation file list.

  Next, operations in the file management system configured as described above will be described. Hereinafter, the user of the mobile PC 6 sets the above-described encrypted file as an operation target. That is, in the present embodiment, it is assumed that the user saves an arbitrary encrypted file on the mobile PC 6 and takes it out in an environment where the file is encrypted and managed on the in-house network.

  FIG. 3 is a flowchart showing the operation of the mobile PC 6 regarding the user's file operation. First, the user turns on the power and activates the mobile PC 6 (step S1). Then, when the user is authenticated by the OS (Operating System), the BIOS (Basic Input Output System), etc., and logs in to the mobile PC 6, each function unit (file agent function) in FIG. 2-2 is activated (step S2). . Next, the file agent function performs user login authentication processing (step S3). Thereafter, the file agent function performs a file open process (step S4) and a file monitor process (step S5) while the user performs an encrypted file operation. When the user shuts down the mobile PC 6 (step S6), the file agent function ends and the processing of the mobile PC 6 ends. Although simplified in FIG. 3, the file open process and the file monitoring process can execute a plurality of files in parallel.

Next, the login authentication process (step S3), the file open process (step S4), and the file monitoring process (step S5) will be described in detail.
(1) Login authentication process The login authentication process is executed when the file agent function is activated. FIG. 4 is a sequence diagram illustrating the login authentication process. First, the file operation monitoring unit 22 of the mobile PC 6 outputs a screen requesting login to the file agent function to the user using a display unit (not shown) in preparation for the encrypted file operation. The user inputs a predetermined login ID and password on the output screen (step S10). The file operation monitoring unit 22 stores the login ID and password (hereinafter also referred to as “login information”) whose input has been confirmed in a buffer within the file ID and outputs the same to the communication unit 20. The communication unit 20 transmits login information to the management server 1 (step S11).

  When receiving the login information, the communication unit 10 of the management server 1 outputs the login information to the authentication unit 12. The authentication unit 12 accesses the user authentication table in the storage unit 11 and performs user authentication by searching for an entry whose content matches the received login information (step S12). If the corresponding entry exists, an authentication result (authentication OK) including that the login information is valid is transmitted to the mobile PC 6 (step S13). On the other hand, if the corresponding entry does not exist, an authentication result (authentication NG) including that the login information is not valid is transmitted to the mobile PC 6. Here, in the case where there is no corresponding entry, there is an entry with a matching login ID but a different password, and no pre-registration has been performed, so there is no entry with a matching login ID. Etc. The file operation monitoring unit 22 of the mobile PC 6 determines whether the authentication is OK or NG based on the authentication result received via the communication unit 20 (step S14). If the file operation monitoring unit 22 is authenticated NG (step S14: No), the process of step S10 is performed again.

  If the authentication is OK (step S14: Yes), the file operation monitoring unit 22 of the mobile PC 6 stores the login information stored in its own buffer in the storage unit 21. Next, a screen requesting input of a temporary password is output to the user. Here, the temporary password is a temporary password input by the user in order to execute the file open process (step S4) in FIG. 3, and is valid from the start to the end of the file agent function. The user inputs an arbitrary temporary password for the screen (step S15). When the input is confirmed, the file operation monitoring unit 22 transmits this temporary password to the management server 1 via the communication unit 20 (step S16).

  When receiving the temporary password, the communication unit 10 of the management server 1 outputs the temporary password to the authentication unit 12. The authentication unit 12 registers the received temporary password in the monitoring file list in the storage unit 11 in association with the login ID received in Step S11 (Step S17). Then, the authentication unit 12 transmits a registration confirmation response to the mobile PC 6 (step S18). Upon receiving this, the file operation monitoring unit 22 of the mobile PC 6 presents the fact that the temporary password has been registered to the user by screen output or the like (step S19). This completes the login authentication process of FIG. Note that if the login authentication process fails, the user cannot use the file agent function.

(2) File Open Process FIG. 5 is a sequence diagram illustrating the file open process. When the user who has completed the login authentication process starts an operation on the encrypted file in the mobile PC 6, the file open process starts. When the file operation monitoring unit 22 of the mobile PC 6 detects that the user has attempted to open the encrypted file (step S20), it reads the login information stored in the storage unit 21, and the user performs an open operation. The file identifier of the file is acquired from the performed encrypted file (step S21). Then, the file operation monitoring unit 22 transmits an application for using the encrypted file including the login information and the file identifier to the management server 1 (step S22).

  When receiving the use application via the communication unit 10, the authentication unit 12 of the management server 1 acquires login information and a file identifier included in the use application, stores them in the self, and obtains a login ID from the login information. Then, the authentication unit 12 refers to the file table that can be taken out in the storage unit 11 and determines whether or not the file indicated by the received file identifier is permitted to be taken out with respect to the acquired login ID (Step S1). S23). When it is determined that the login ID is not registered for the file identifier and the take-out is not permitted (step S23: No), the authentication unit 12 responds to the mobile PC 6 that it cannot be used. (Step S24). In this case, the file operation monitoring unit 22 of the mobile PC 6 presents to the user that the file cannot be opened, and ends the file opening process.

  On the other hand, when it is determined that the login ID is registered for the file identifier and the takeout is permitted (step S23: Yes), the authentication unit 12 reads the monitoring file list from the storage unit 11, The file identifier is added to the login ID in the monitoring file list and stored in the storage unit 11 (step S25). Hereinafter, the files described in the monitoring file list are referred to as “monitoring target files”. Next, the authentication unit 12 transmits an application confirmation response, which is a response indicating that the use application has been accepted, to the mobile PC 6 (step S26).

  When receiving the application confirmation response, the file operation monitoring unit 22 of the mobile PC 6 outputs a screen requesting input of a temporary password to the user. The user inputs the same temporary password as the temporary password input in step S15 on the screen (step S27). The file operation monitoring unit 22 transmits the temporary password whose input is confirmed to the management server 1 via the communication unit 20 (step S28). When the authentication unit 12 of the management server 1 receives the temporary password via the communication unit 10, the authentication unit 12 refers to the monitoring file list in the storage unit 11 updated in step S25, and the received temporary password is described in the monitoring file list. It is determined whether or not it matches the temporary password that has been set (step S29). If it is determined that they do not match (step S29: No), the authentication unit 12 responds to the mobile PC 6 with the determination result (step S30). The file operation monitoring unit 22 of the mobile PC 6 performs processing such as presenting the determination result to the user and executing the processing from step S28 again, or ending the file opening processing. On the other hand, when it determines with matching (step S29: Yes), the authentication part 12 outputs the instruction | command which transmits a temporary password and a key to the encryption part 13. FIG. Receiving this, the encryption unit 13 reads the common key for the monitoring target file from the storage unit 11. Then, the encryption unit 13 encrypts the common key using the output temporary password (step S31), and transmits it to the mobile PC 6 via the communication unit 10 (step S32).

  When the encryption / decryption unit 23 of the mobile PC 6 receives the encrypted common key via the communication unit 20, first, the temporary password and the monitoring target file are read from the storage unit 21. Then, the encryption / decryption unit 23 decrypts the encrypted common key using the read temporary password. Also, the encryption / decryption unit 23 copies the monitoring target file and stores it in the storage unit 21 as a hidden file. Then, the encryption / decryption unit 23 decrypts the monitoring target file using the common key obtained by decryption, and notifies the file operation unit 24 of the decryption (step S33). Receiving this, the file operation unit 24 performs control to open the decrypted file. As a result, the user can access the file for which the open operation has been performed. The file operation unit 24 describes the file identifier of the monitoring target file in the operation file list in the storage unit 21.

  Moreover, the encryption part 13 of the management server 1 will notify that to the packet monitoring part 14, if the common key encrypted in step S32 is transmitted. Upon receiving this notification, the packet monitoring unit 14 starts transmitting a permission packet to the mobile PC 6 (step S34). The permission packet includes all file identifiers for the login ID described in the monitoring file list in the storage unit 11. When the packet monitoring unit 25 of the mobile PC 6 receives the permission packet via the communication unit 20, as a response to this, the file identifier in the operation file list in the storage unit 21 and the operation log (open, overwrite) of the monitored file are received. A reception report packet including a log of operations such as saving and closing is transmitted (step S35). The operation log is written by the file operation unit 24 to the storage unit 21 as needed. Thereafter, the permission packet and the reception report packet are transmitted at regular time intervals, and the user can access the file while the mobile PC 6 continues to receive the permission packet. Here, the fixed time interval is the time from the transmission of a permission packet to the transmission of the next permission packet when viewed from the management server 1 side, until a certain time elapses from the transmission of the permission packet. If the reception report packet is not received during this period, the next permission packet is not transmitted. The same applies to the mobile PC 6 side. In FIG. 5, the processes of steps S34 and S35 are described after step S33, but are actually performed in parallel.

  The file open process in FIG. 5 as described above is performed in the same manner for all encrypted files that are opened after the file agent function is activated. When there are a plurality of files in the monitoring file list in step S34, transmission of the permission packet is performed after the next transmission timing of the permission packet that has already started transmission. That is, in the next transmission of the permission packet, the packet monitoring unit 14 of the management server 1 refers to the monitoring file list and transmits a permission packet including all file identifiers described for the login ID. Upon receiving this, the packet monitoring unit 25 of the mobile PC 6 acquires the file identifier described with reference to the operation file list, and transmits a reception report packet including all the file identifiers and the operation log. As a result, it is possible to monitor all the monitoring target files operated on the mobile PC 6 with a set of permission packets and reception report packets.

  The certain time interval can be determined in advance. Alternatively, the determination may be made based on the time from when the management server 1 transmits the permission packet in step S34 until the reception report packet is received in step S35, that is, in consideration of the communication environment at that time. Here, if the time interval is short, the file operation is frequently interrupted when a network delay or the like occurs, and the convenience of the user is hindered. If the time interval is long, the security tolerance decreases, so the security in the file operation and the user's convenience Consider the balance. Hereinafter, the time interval used in transmission of the permission packet and transmission of the reception report packet is described as “T”.

(3) File monitoring process After the file opening process is completed, the management server 1 and the mobile PC 6 continue to transmit and receive the permission packet and the reception report packet, and the user can operate the monitoring target file. Further, the administrator of the management terminal 2 monitors file operations by the user by monitoring the management server 1. Here, in the file monitoring process, a plurality of cases where the file operation ends may occur. Hereinafter, these cases will be described.

(3-1) Termination by Interrupt from Management Terminal Here, a case where the file operation is terminated by an interruption from the management terminal 2 will be described. FIG. 6A is a sequence diagram for explaining the end of the file operation due to the interruption. The administrator of the management terminal 2 monitors the operation log included in the reception report packet received by the management server 1. If it is determined that the file operation should be stopped, a user (login ID) and a monitoring target file are specified, a file operation stop command is issued, and the file operation is transmitted to the management server 1. Here, when it is determined that the file operation is to be stopped, for example, when an administrator or a superior user of the mobile PC 6 determines that the opening should be prohibited, the operation log is suspicious. For example, when it is determined that editing should be prohibited. In the file operation stop command, a plurality of monitoring target files can be specified, and all monitoring target files can be specified by specifying a user (login ID).

  When the packet monitoring unit 14 of the management server 1 receives the file operation stop command transmitted as described above via the communication unit 10, it detects that a file operation stop interrupt has occurred (step S40). In this case, the packet monitoring unit 14 transmits a stop packet to the mobile PC 6 (step S41). The stop packet includes a file identifier for specifying the monitoring target file to be stopped.

  When the packet monitoring unit 25 of the mobile PC 6 receives a stop packet via the communication unit 20, it determines that a stop interrupt has occurred (step S42). In this case, the packet monitoring unit 25 notifies the file operation unit 24 of the fact and the file information. The file operation unit 24 closes the monitoring target file specified by the notified file identifier by forced termination (step S43). Then, the file operation unit 24 deletes the monitoring target file and replaces it with a hidden file that is a copy of the original encrypted file stored in the storage unit 21. Then, the common key of the monitored file is deleted from the storage unit 21 (step S44). Further, the file identifier of the monitored file is deleted from the operation file list in the storage unit 21.

  On the other hand, the packet monitoring unit 14 of the management server 1 performs processing for ending monitoring of the monitoring target file. Specifically, the file identifier of the monitoring target file is deleted for the login ID of the monitoring file list in the storage unit 11 (step S45).

  In FIG. 6A, the process is described only for the monitoring target file in which the file operation stop interrupt has occurred, but the transmission and reception of the permission packet and the reception report packet are performed in parallel. If all the file identifiers for the login ID are deleted from the monitoring file list in the storage unit 11 of the management server 1 by the process in step S45, the packet monitoring unit 14 ends the transmission of the permission packet to the mobile PC 6. . Similarly, since all the file identifiers are deleted from the operation file list of the mobile PC 6, the packet monitoring unit 25 ends the transmission of the reception report packet.

(3-2) Termination Due to Non-arrival of Reception Report Packet Here, a case will be described where the file operation is terminated because the reception report packet has not reached the management server 1 within a predetermined time. FIG. 6B is a sequence diagram for explaining the end of the file operation due to the reception report packet failure.

  Transmission / reception of the permission packet and the reception report packet is continued between the management server 1 and the mobile PC 6, and the packet monitoring unit 14 of the management server 1 transmits the permission packet (step S50) and receives the received mobile PC 6 Packet monitoring unit 25 transmits a reception report packet (step S51). Here, due to disconnection of the mobile PC 6 from the external network 5, delay or disconnection of the network, etc., the reception report packet transmitted in step S51 is transmitted until T time elapses after transmission of the permission packet in step S50. It is assumed that the management server 1 has not been reached. In this case, the packet monitoring unit 14 of the management server 1 does not receive the next reception report packet until the timer notifies that the time T has elapsed since the transmission of the permission packet in step S50. A process of determining and ending monitoring of all monitoring target files on the mobile PC 6 is performed. Specifically, the file identifiers of all the monitoring target files associated with the login ID are deleted from the monitoring file list in the storage unit 11, and transmission of the permission packet is stopped (step S52).

  On the other hand, since the packet monitoring unit 25 of the mobile PC 6 does not receive the next permission packet until the timer notifies that the time T has elapsed since the transmission of the reception report packet in step S51, the packet monitoring unit 25 determines that the permission packet has timed out. This is notified to the file operation unit 24. The file operation unit 24 closes all the monitoring target files on the mobile PC 6 by forced termination (step S53). Then, the file operation unit 24 deletes all the monitoring target files and replaces them with a hidden file that is a copy of the original encrypted file stored in the storage unit 21. Further, the common key of all the monitoring target files is deleted from the storage unit 21 (step S54).

(3-3) Termination Due to Non-delivery of Permission Packet Here, a case where the file operation is terminated when the permission packet does not reach the mobile PC 6 within a predetermined time will be described. FIG. 6C is a sequence diagram for explaining the end of the file operation due to the failure of the permission packet.

  Transmission / reception of the permission packet and the reception report packet is continued between the management server 1 and the mobile PC 6, and the packet monitoring unit 25 of the mobile PC 6 transmits the reception report packet (step S60). The packet monitoring unit 14 transmits a permission packet (step S61). Here, due to disconnection of the mobile PC 6 from the external network 5, delay or disconnection of the network, etc., the permission packet transmitted in step S61 is not received until T time elapses after transmission of the reception report packet in step S60. It is assumed that the mobile PC 6 has not been reached. In this case, since the packet monitoring unit 25 of the mobile PC 6 does not receive the next permission packet until the timer notifies that the time T has elapsed since the transmission of the reception report packet in step S60, the packet monitoring unit 25 determines that the permission packet has timed out. This is notified to the file operation unit 24. The file operation unit 24 closes all the monitoring target files on the mobile PC 6 by forced termination (step S62). Then, the file operation unit 24 deletes all the monitoring target files and replaces them with a hidden file that is a copy of the original encrypted file stored in the storage unit 21. Further, the common key of all the monitoring target files is deleted from the storage unit 21 (step S63).

  On the other hand, since the packet monitoring unit 14 of the management server 1 does not receive the next reception report packet until the timer notifies that the time T has elapsed since the transmission of the permission packet in step S61, it is determined that the reception report packet has timed out. Then, the process of ending the monitoring of all the monitoring target files on the mobile PC 6 is performed. Specifically, the file identifiers of all monitoring target files associated with the login ID are deleted from the monitoring file list in the storage unit 11, and transmission of the permission packet is stopped (step S64).

(3-4) Termination by File Close Operation Here, a case where the file operation is terminated by the user performing the close operation will be described. FIG. 6-4 is a sequence diagram for explaining the end of the file operation by the close operation. When the user detects an operation for closing the monitoring target file (step S70), the file operation unit 24 of the mobile PC 6 closes the monitoring target file. Then, the file operation unit 24 notifies the encryption / decryption unit 23 of the file identifier of the monitored file and the encryption command. Receiving this, the encryption / decryption unit 23 encrypts the closed monitoring target file with the common key, stores it in the storage unit 21, and deletes the hidden file of the monitoring target file. Further, the file operation unit 24 deletes the common key of the monitoring target file from the storage unit 21 (step S71), and deletes the file identifier from the operation file list.

  Here, transmission / reception of the permission packet and the reception report packet is performed in parallel, and the packet monitoring unit 25 of the mobile PC 6 acquires all the file identifiers in the operation file list and receives the file identifier and the operation log. A report packet is transmitted (step S72). Receiving this, the packet monitoring unit 14 of the management server 1 acquires all the file identifiers included in the reception report packet and does not include the file identifier of the monitoring target file that has been processed in step S70. Recognizes that the target file has been closed. In this case, the packet monitoring unit 14 performs processing for ending monitoring of the monitoring target file. Specifically, the deleted file identifier is deleted from the file identifier associated with the login ID of the monitoring file list in the storage unit 11 (step S73). Then, the next permission packet is transmitted based on the new monitoring file list.

  If the monitored file is the only encrypted file that is operated on the mobile PC 6, all the file identifiers are deleted from the operation file list after the process of step S71. End transmission of the reception report packet. As a result, the packet monitoring unit 14 of the management server 1 does not receive the next reception report packet until it is notified from the timer that the time T has elapsed since the last transmission of the permission packet, and therefore it is determined that the reception report packet has timed out. Then, the process of ending the monitoring of all the monitoring target files on the mobile PC 6 is performed. Specifically, the file identifiers of all the monitoring target files associated with the login ID are deleted from the monitoring file list in the storage unit 11, and transmission of the permission packet is stopped.

  As described above, in the cases (3-1) to (3-4), the file operation ends and the file monitoring process ends.

  As described above, in the present embodiment, file operations on encrypted files taken out from the internal network to the external network are monitored, and file opening by users who are not allowed to take out is prohibited. This improves security for file operations and prevents leakage of confidential information. Further, packets are periodically transmitted and received between the management terminal and an information processing terminal such as a mobile PC. As a result, if the information processing terminal is disconnected from the network and the management terminal cannot monitor the information processing terminal, the encrypted file cannot be operated. Further improvement can be achieved. The information processing terminal transmits a packet including an operation log of the encrypted file. As a result, it is possible to monitor the contents including the operation contents, and it is possible to manage the file by grasping the situation. In addition, the file operation by the information processing terminal can be stopped from the outside by transmitting a stop packet from the management terminal. As a result, it is possible to flexibly prohibit file operations even during operation, or to prohibit file operations when unauthorized or suspicious operations are monitored.

  The management terminal 1 shown in FIG. 2A is a general computer system capable of realizing the file management function in the present embodiment. For example, the authentication unit 12, the encryption unit 13, and the packet monitoring unit 14 include The storage unit 11 operates as a part of a memory unit including a RAM, a ROM, and the like. In addition to the control unit and the memory unit, the computer system further includes, for example, a display unit, an input unit, a CD-ROM drive unit, a disk unit, an external I / F unit, etc. Connected via system bus.

  The control unit executes processing for realizing the file management function of the present embodiment. The memory unit stores a program to be executed by the control unit (dedicated software for realizing the file management function of the embodiment), data obtained in the course of processing, and the like. The display unit is composed of a CRT, LCD (liquid crystal display panel) or the like, and displays various screens to the user of the computer system. The input unit includes, for example, a keyboard and a mouse, and is used by a computer system user to input various information. Here, as an example, a program describing processing for realizing the name resolution function of the present embodiment is stored in a CD-ROM and provided.

  The mobile PC 6 shown in FIG. 2B is a general computer system capable of realizing the file agent function in the present embodiment. For example, the file operation monitoring unit 22, the encryption / decryption unit 23, the file operation And the packet monitoring unit 25 operate as a control unit including a CPU, and the storage unit 21 operates as part of a memory unit including a RAM, a ROM, and the like. In addition to the control unit and the memory unit, the computer system further includes, for example, a display unit, an input unit, a CD-ROM drive unit, a disk unit, an external I / F unit, etc. Connected via system bus.

  The control unit executes processing for realizing the file agent function of the present embodiment. The memory unit stores a program to be executed by the control unit (dedicated software for realizing the file agent function of the embodiment), data obtained in the course of processing, and the like. The display unit is composed of a CRT, LCD (liquid crystal display panel) or the like, and displays various screens to the user of the computer system. The input unit includes, for example, a keyboard and a mouse, and is used by a computer system user to input various information. Here, as an example, a program describing processing for realizing the name resolution function of the present embodiment is stored in a CD-ROM and provided.

  In the above configuration, in the computer system of FIGS. 2-1 and 2-2, first, a program is installed in the disk unit from the CD-ROM set in the CD-ROM drive unit. Then, the program read from the disk unit when starting the computer system is stored in the memory unit. In this state, the control unit executes the processing shown in the present embodiment in accordance with the program stored in the memory unit. This program operates as a resident program in the computer system. In the above description, the program is provided on the CD-ROM. However, the recording medium that provides the program is not limited to this, and any program such as a DVD may be used depending on the computer constituting the system. Media may also be used.

  As described above, the file management method according to the present invention is useful when a file taken from an in-house network is operated in an external network, and is particularly suitable for a system for monitoring an illegal operation of a file.

It is a figure which shows the structural example of a file management system. It is a block diagram which shows the structural example of a management server. It is a block diagram which shows the structural example of mobile PC. It is a flowchart which shows operation | movement of the mobile PC regarding a user's file operation. It is a sequence diagram explaining login authentication processing. It is a sequence diagram explaining a file open process. It is a sequence diagram explaining the end of file operation by interruption. It is a sequence diagram explaining the end of file operation by reception report packet non-delivery. It is a sequence diagram explaining the end of file operation by permission packet non-delivery. It is a sequence diagram explaining the end of file operation by close operation.

Explanation of symbols

1 management server 2 management terminal 3 firewall 4 LAN
5 External network 6 Mobile PC
DESCRIPTION OF SYMBOLS 10 Communication part 11 Storage part 12 Authentication part 13 Encryption part 14 Packet monitoring part 20 Communication part 21 Storage part 22 File operation monitoring part 23 Encryption / decryption part 24 File operation part 25 Packet monitoring part

Claims (31)

A file management method executed in a file management system comprising: a management terminal connected to an internal network for managing files; and an information processing terminal connected to the internal network via an external network,
In order for the management terminal to open the encrypted file in the information processing terminal that is valid from the start to the end of the log-in ID and the file agent function for the file agent function for the user to operate the encrypted file A file monitoring preparation step of receiving a necessary temporary password from the information processing terminal and holding a monitoring file list which is information relating the login ID and the temporary password;
When the information processing terminal detects an operation to open an encrypted file, a usage application that transmits a usage application for the encrypted file including the file identifier of the encrypted file and the login ID of the user who uses the encrypted file Steps,
When the management terminal receives the use application, it is possible to take out information that associates a file identifier of an encrypted file that can be taken out from the internal network and a login ID of a user who can use the encrypted file. A take-out determination step for referring to the file list and determining whether or not the login ID and the file identifier included in the use application are associated;
If it is determined by the execution of the export enablement determination step that the association is not associated, the management terminal sends an unusable response to the information processing terminal not permitting the use of the encrypted file for which the use application has been made. An unavailable response step to send;
A file management method comprising: When it is determined by the execution of the export enablement determination step, the management terminal adds the file identifier of the encrypted file for which the use application has been made to the monitoring file list, and the use application An application confirmation response step for transmitting an application confirmation response to the information processing terminal, which is a response indicating that
When the information processing terminal receives an application confirmation response, the temporary password transmission step that requests the user to input a temporary password and transmits the temporary password input by the user to the management terminal;
When the management terminal receives a temporary password, it determines whether or not the temporary password matches the temporary password associated with the login ID in the monitoring file list. Using the temporary password, encrypting the common key of the encrypted file for which the application for use has been made, and transmitting the encrypted shared key to the information processing terminal;
When the information processing terminal receives the encrypted common key, the common key is decrypted using the temporary password input in the temporary password transmission step, and the common key is obtained. Create a hidden file that is a copy of the encrypted file for which you have applied, use the common key to decrypt and open the encrypted file, and monitor the file identifier of the encrypted file A file open step described in the operation file list which is a list of file identifiers of the target file;
The file management method according to claim 1, further comprising: After the common key transmission step, the management terminal includes a permission packet for allowing the file operation by the information processing terminal to be continued, including all file identifiers associated with the login ID of the monitoring file list. A permission packet transmission step for transmission;
When the information processing terminal receives a permission packet, a reception report packet transmission step of transmitting a reception report packet, which is a response to the permission packet, including all file identifiers described in the operation file list; ,
Further including
3. The file management method according to claim 2, wherein thereafter, the permission packet transmission step and the reception report packet transmission step are repeatedly executed at predetermined time intervals. In the reception report packet transmission step,
4. The reception report packet is transmitted by further including an operation log which is a log of operation contents for each monitoring target file specified by all file identifiers described in the operation file list. File management method described in 1. If the permission packet does not reach the information processing terminal within the predetermined time interval, the information processing terminal forcibly terminates all the monitoring target files indicated by all the file identifiers described in the operation file list. Then, delete each monitored file with the hidden file created in the file open step, delete the common key for each monitored file, and delete all file identifiers from the operation file list An allow packet non-delivery step to
When the reception report packet does not reach the management terminal within the predetermined time interval, the management terminal deletes all the file identifiers associated with the login ID in the monitoring file list and corresponds to the login ID Receiving report packet non-delivery step for ending monitoring of all monitored files to be performed,
The file management method according to claim 3, further comprising: Stop when the management terminal detects a file operation stop interrupt, and transmits a stop packet for stopping the file operation to the information processing terminal including the file identifier of the file specified by the file operation stop interrupt A packet transmission step;
A monitoring end step in which the management terminal deletes the file identifier for the login ID from the monitoring file list and ends the monitoring;
When the information processing terminal receives the stop packet, the monitoring target file indicated by the file identifier included in the stop packet is forcibly terminated, and the monitoring target file and the common key corresponding to the monitoring target file are deleted. Replacing the hidden file created in the file open step, and deleting the file identifier included in the stop packet from the operation file list;
The file management method according to claim 3, 4 or 5, further comprising: When the information processing terminal detects an operation to close the monitoring target file, the information processing terminal performs control to close the monitoring target file, encrypts and stores the monitoring target file with the common key of the monitoring target file, and opens the file A file operation end step of deleting the hidden file and the common key created in the step, and deleting the file identifier of the monitored file from the operation file list;
The file management method according to claim 3, further comprising: A file management method executed by the management terminal in a file management system comprising: a management terminal connected to an internal network for managing files; and an information processing terminal connected to the internal network via an external network. And
A login ID for a file agent function for a user to operate an encrypted file, a temporary password that is valid from the start to the end of the file agent function and is necessary for opening the encrypted file in the information processing terminal, A file monitoring preparation step for holding a monitoring file list, which is information relating the login ID and the temporary password,
When a use application including a file identifier and a login ID of an encrypted file is received from the information processing terminal, a file identifier of the encrypted file that can be taken out from the internal network and a login of a user who can use the encrypted file A take-out possible determination step for determining whether or not a login ID and a file identifier included in the use application are associated with each other by referring to a take-out available file list which is information associated with an ID;
When it is determined not to be associated in the take-out availability determination step, an unusable response step of transmitting to the information processing terminal an unusable response indicating that the use of the encrypted file for which the use application has been made is not permitted;
A file management method comprising: When it is determined that it is not associated by executing the export enablement determination step, the file identifier of the encrypted file for which the use application has been made is added to the monitoring file list, and a response that the use application has been accepted An application confirmation response step of transmitting an application confirmation response to the information processing terminal;
When a temporary password is received from the information processing terminal, it is determined whether the temporary password matches the temporary password associated with the login ID in the monitoring file list. Using the temporary password, encrypting the common key of the encrypted file for which the application for use has been made, and transmitting the encrypted common key to the information processing terminal; and
The file management method according to claim 8, further comprising: A permission packet transmission step of transmitting a permission packet for allowing file operation by the information processing terminal to be continued, including all file identifiers associated with the login ID of the monitoring file list;
If the reception report packet that is a response to the permission packet from the information processing terminal is not received within a predetermined time interval, all the file identifiers associated with the login ID in the monitoring file list are deleted, and the login ID A reception report packet non-delivery step for ending monitoring of all monitored files corresponding to
The file management method according to claim 9, further comprising: A stop packet transmission step of transmitting a stop packet for stopping the file operation to the information processing terminal when the file operation stop interrupt is detected, including the file identifier of the file specified by the file operation stop interrupt;
A monitoring end step of deleting the file identifier for the login ID from the monitoring file list and ending monitoring;
The file management method according to claim 10, further comprising: In a file management system comprising a management terminal connected to an internal network for managing files and an information processing terminal connected to the internal network via an external network, a file management method executed by the information processing terminal There,
The management terminal is a login ID for a file agent function for a user to operate an encrypted file, a temporary password that is valid from the start to the end of the file agent function and is necessary for opening the encrypted file, If you have a monitoring file list that is information that is associated with
A use application step for transmitting a use application for the encrypted file including a file identifier of the encrypted file and a login ID of a user who uses the encrypted file when an operation to open the encrypted file is detected;
Temporary password that requests the user to enter a temporary password and sends the temporary password entered by the user to the management terminal when receiving an application confirmation response that is a response to the acceptance of the use application from the management terminal Sending step;
When an encrypted common key is received from the management terminal, the common key is decrypted using the temporary password input in the temporary password sending step to obtain a common key, and used in the use application step Create a hidden file that is a copy of the encrypted file that you applied for, control the decrypted file to open using the common key, and control the file identifier of the encrypted file to be monitored A file open step described in the operation file list which is a list of file identifiers of the file;
A file management method comprising: A reception report packet for transmitting a reception report packet that is a response to the permission packet including all file identifiers described in the operation file list when a permission packet for allowing the file operation to be continued is received. Send step,
The file management method according to claim 12, further comprising:   14. The reception report packet further includes an operation log which is a log of operation contents for each monitored file specified by all file identifiers described in the operation file list. File management method described in 1. If the permission packet is not received within a predetermined time interval, all the monitored files indicated by all the file identifiers described in the operation file list are forcibly terminated and then deleted, and in the file open step Replace each monitoring target file with the created hidden file, delete the common key for each monitoring target file, and further delete the permission packet non-delivery step for deleting all file identifiers from the operation file list,
The file management method according to claim 13 or 14, further comprising: When a stop packet for stopping a file operation is received from the management terminal, the monitoring target file indicated by the file identifier included in the stop packet is forcibly terminated, and the monitoring target file and the monitoring target file are shared. A file operation stop step of deleting a key and replacing it with a hidden file created in the file open step, and deleting a file identifier included in the stop packet from the operation file list;
The file management method according to claim 13, 14 or 15, further comprising: When an operation for closing the monitoring target file is detected, the monitoring target file is controlled to be closed, the monitoring target file is encrypted with a common key and stored, and the hidden file and the common key created in the file open step are stored. And a file operation end step of deleting the file identifier of the monitored file from the operation file list,
The file management method according to claim 13, further comprising: A management terminal in a file management system comprising: a management terminal connected to an internal network for managing files; and an information processing terminal connected to the internal network via an external network,
Storage means for storing a file list that can be taken out, which is information relating a file identifier of an encrypted file that can be taken out from the internal network and a login ID for a file agent function for a user to operate the encrypted file; ,
A communication means for receiving an application for use of the encrypted file including a file identifier and a login ID of the encrypted file from the information processing terminal;
When a use application is received, the file list that can be taken out is referred to, and if the login ID and file identifier included in the use application are associated with each other, the application is a response indicating that the use application has been accepted. Control to send a confirmation response to the information processing terminal, and if not associated, control to send to the information processing terminal an unusable response indicating that use of the encrypted file for which the use application has been made is not permitted Authentication means;
A management terminal comprising: An encryption means for encrypting the common key of the encrypted file;
Further comprising
The storage means is valid for the login ID and the file agent function from the start to the end and is associated with a temporary file required to open an encrypted file, and a monitoring file list and an encrypted file. Memorize the common key further,
The communication means further receives a login ID and a temporary password from the information processing terminal,
The authentication unit further determines whether or not the temporary password matches the temporary password associated with the login ID in the monitoring file list when the login ID and the temporary password are received. In such a case, the encryption unit is controlled to encrypt the common key of the encrypted file for which the application for use has been made using the temporary password, and the encrypted common key is transmitted to the information processing terminal. 19. The management terminal according to claim 18, wherein when the use application is received, the file identifier is added to the monitoring file list. Packet monitoring for performing control to transmit a permission packet for enabling file operation by the information processing terminal to be transmitted at a predetermined time interval including all file identifiers associated with the login ID in the monitoring file list means,
Further comprising
The management terminal according to claim 19, wherein the communication unit further receives a reception report packet that is a response to the permission packet from the information processing terminal. The authentication means includes
If the reception report packet is not received within the predetermined time interval, all file identifiers associated with the login ID in the monitoring file list are deleted, and monitoring of all monitoring target files for the login ID is performed. The management terminal according to claim 20, wherein the management terminal is terminated. The authentication means includes
When detecting a file operation stop interrupt specifying a login ID and a monitoring target file, control is performed to transmit a stop packet for stopping the file operation to the information processing terminal including the file identifier of the monitoring target file, The management terminal according to claim 21, wherein the monitoring terminal is terminated by deleting the file identifier of the monitoring target file from the monitoring file list to the login ID. An information processing terminal in a file management system comprising: a management terminal connected to an internal network for managing files; and an information processing terminal connected to the internal network via an external network,
Control that sends application for use of encrypted file including file identifier and login ID for file agent function for user to operate encrypted file, effective from start to end of file agent function and encryption A communication means for performing a control for transmitting a temporary password necessary for opening a file, and a control for receiving an encrypted common key from the management terminal;
A file operation monitoring means for performing a control for transmitting a use application including the login ID and the file identifier of the encrypted file, and a control for transmitting a temporary password when an operation for opening the encrypted file is detected;
Decrypt the common key received from the management terminal using a temporary password, create a hidden file that is a copy of the encrypted file for which the application for use has been made, and decrypt the encrypted file using the common key Encryption / decryption means;
Control to open the decrypted encrypted file, and file operation means for describing the file identifier of the encrypted file in the operation file list, which is a list of file identifiers of the monitoring target file;
An information processing terminal comprising: The communication means further receives a permission packet for allowing the file operation to be continued from the management terminal,
further,
A packet monitoring means for performing control to transmit a reception report packet, which is a response to the permission packet, including all file identifiers described in the operation file list at a predetermined time interval;
The information processing terminal according to claim 23, comprising: The packet monitoring means includes
25. The reception report packet is transmitted by further including an operation log that is a log of operation contents for each monitoring target file specified by all file identifiers described in the operation file list. Information processing terminal described in 1. The file operation means includes
If the permission packet does not reach the information processing terminal within the predetermined time interval, delete all the monitoring target files indicated by all the file identifiers described in the operation file list, 26. The method according to claim 24, wherein each monitored file is replaced with the hidden file, a common key for each monitored file is deleted, and all file identifiers are deleted from the operation file list. The information processing terminal described. The file operation means includes
When a stop packet for stopping the file operation is received, the monitoring target file indicated by the file identifier included in the stop packet is forcibly terminated, and the monitoring target file and the common key corresponding to the monitoring target file are deleted. 27. The information processing terminal according to claim 24, 25 or 26, wherein the information is replaced with the hidden file and the file identifier included in the stop packet is deleted from the operation file list. The file operation means includes
When an operation to close the monitoring target file is detected, the monitoring target file is controlled to be closed, the monitoring target file is encrypted and stored with the common key of the monitoring target file, and the hidden file and the common key are deleted. The information processing terminal according to any one of claims 24 to 27, wherein a file identifier of the monitoring target file is deleted from the operation file list. The management terminal according to claim 18;
An information processing terminal according to claim 23;
A file management system comprising:   A file management program for causing a computer to execute the file management method according to any one of claims 8 to 11.   A file management program for causing a computer to execute the file management method according to any one of claims 12 to 17.

Images