JP2010224655A - Database processing method, database processing program and encryption device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a database system, capable of balancing the security intensity and the processing load of encryption for a database with security varied depending on the position of data. <P>SOLUTION: The map encryption device 2 is configured to determine, for each cell position of plain text table data 71, whether to encrypt a data value of the cell position based on information for necessity of encryption described in encryption definition information 76; to store, when data of the cell position is encrypted, a predetermined value in a cell position of encrypted table data 73, and also add an encrypted value that is a result of encryption of the data value of the cell position of the plain text table data 71 to an encrypted sequence 75 of a row containing the cell position; and to copy, when the data of the cell position is not encrypted, the data value of the cell position of the plain text table data 71 to the cell position of the encrypted table data 73. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a database processing method, a database processing program, and a technology of an encryption device.

  Conventionally, as a technology for encrypting data stored in a database device, there is a technology called Transparent Data Encryption disclosed in Non-Patent Document 1. This Transparent Data Encryption technology is a technology that encrypts data stored in a database, and is a technology that can be used transparently by the database user, that is, without being aware that the data is encrypted. .

  In Transparent Data Encryption technology, when data is written into a column of a pre-specified table when data is written, the encrypted data is stored in a method specific to the database device, and when reading the data in that column, The data stored in the encrypted state is decrypted and read as plain text data (see, for example, Non-Patent Document 1: Figure 3-1 Transparent Data Encryption Overview).

Oracle, Oracle (R) Database Advanced Security Administrator ’s Guide 11g Release 1 (11.1), August 2008

Even in the case of data existing in the same table, there are many cases where the confidentiality varies (non-uniform) depending on the position of the data. For example, the location information of the guest room is an example of low-sensitive information because the visitor needs to grasp it, and the location information of the conference room is a place where a confidential development meeting is held. It is an example of high information.
In that case, it is effective to distinguish between encryption processing for low-sensitive data and encryption processing for high-sensitive data. In other words, the encryption process according to the confidentiality can balance the security strength and the encryption processing load, and provide a highly convenient encryption database system.

On the other hand, with Transparent Data Encryption technology, data in one row in the same table is encrypted and data in other rows is not encrypted, such as not encrypting data in other rows. Mixing is not considered.
For this reason, excessive encryption processing is performed on data with low confidentiality, which increases the processing load of encryption, and the strength of encryption processing is insufficient for data with high confidentiality. Cases where the strength cannot be maintained sufficiently occur.

  Therefore, the present invention provides a database system that solves the above-described problem and that can balance the security strength and the processing load of encryption for a database that is non-uniform depending on the position of data. Main purpose.

In order to solve the above problems, the present invention encrypts plaintext table data stored in a database to create encrypted table data, and decrypts the encrypted table data to obtain the plaintext table data. A database processing method by a database system using a decryption device,
The encryption device is
Reading the plaintext table data from storage means;
Reading cipher definition information indicating the necessity of encryption of the data value existing at the cell position of the plaintext table data from the storage means;
The cell position is indicated by a combination of each row and each column constituting the plaintext table data,
For each cell position of the plaintext table data, based on the encryption necessity information described in the encryption definition information, determine whether to encrypt the data value of the cell position,
When encrypting the cell position data, a predetermined value is stored in the cell position of the encryption table data, and the data value of the cell position of the plaintext table data is encrypted in the encrypted column of the row including the cell position. Add the resulting cipher value,
When not encrypting the data of the cell position, copy the data value of the cell position of the plaintext table data to the cell position of the encryption table data,
The decoding device
When the predetermined value is stored in the cell position of the encryption table data, the encryption value is decrypted from the cipher column in the row including the cell position. The predetermined value stored in the position is overwritten.
Other means will be described later.

  According to the present invention, it is possible to provide a database system that can balance the security strength and the processing load of encryption with respect to a database whose confidentiality is not uniform depending on the position of data.

It is a block diagram which shows the map information database system regarding one Embodiment of this invention. It is a block diagram which shows the hardware constitutions of each apparatus which comprises the map information database system regarding one Embodiment of this invention. It is a block diagram which shows an example of each data (plaintext table data, encryption table data, encryption definition information) of the map information regarding one Embodiment of this invention. It is explanatory drawing which shows the plaintext table data of the result of having decrypted the encryption table data of FIG. 3 regarding one Embodiment of this invention for every user. It is a flowchart which shows the process of the map information database system of FIG. 1 regarding one Embodiment of this invention. It is a flowchart which shows the detail of the encryption process which produces encryption table data from plaintext table data which the encryption process part regarding one Embodiment of this invention performs. It is a block diagram which shows the map information database system which changed the decoding process of FIG. 1 regarding one Embodiment of this invention from the map browsing apparatus to the map decoding apparatus. It is a flowchart which shows the process of the map information database system corresponding to the structure of FIG. 7 regarding one Embodiment of this invention.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a configuration diagram showing a map information database system. The map information database system handles indoor maps. This indoor map is an example of data in which information that can be disclosed to an unspecified number of people and information that should be disclosed only to a viewer who has a specific authority are mixed.
Indoor map data is only an example of data handled by the database system. Besides, outdoor map, name, address, telephone number, e-mail address, medication history, medical history, genetic information, medical record, receipt, educational background, work history Computer system management information, network management information, documents, moving images, still images, audio data, music data, and the like are applicable as data handled by the database system.

The map information database system is connected to a map encryption device 2, a map storage device 3, a map distribution device 4, a map browsing device 5, and a key management device 9 via a network 1.
The map encryption apparatus 2 includes an encryption key storage unit 83 that stores an encryption key 81, an encryption processing unit 11, plaintext table data 71, and encryption definition information 76.

  The plaintext table data 71 is data that configures an indoor map as map information as plaintext (in an unencrypted state). The plaintext table data 71 may be created by the map encryption device 2 or input from another device or the like. The plain text table data 71 may be tabular data to be processed by a DBMS (DataBase Management System), or text data converted (exported) from the tabular data into a CSV (Comma Separated Values) format.

  The encryption processing unit 11 creates the encryption table data 73 by encrypting the plaintext table data 71 using the encryption key 81 in accordance with the definition described in the encryption definition information 76. Then, the encryption processing unit 11 transmits the created encryption table data 73 to the map storage device 3.

Here, by using CSV data exported from tabular data handled by the database processing unit 17 as the plaintext table data 71, the encryption processing of the encryption processing unit 11 and the query search processing of the database processing unit 17 However, the encryption processing unit 11 can execute the encryption process independently of the data format that can be processed by the database processing unit 17.
On the other hand, as plain text table data 71, by using the table format data handled by the database processing unit 17 as it is without using CSV data, export processing becomes unnecessary, which is excellent in that the processing load is reduced. .

The map storage device 3 includes encryption table data 73 and a database processing unit 17.
The cipher table data 73 is table data having a structure in which a cipher string 75 (see FIG. 3) is added to the structure (schema) of the plaintext table data 71.
The database processing unit 17 is a DBMS (DataBase Management System) that processes the encryption table data 73. That is, the database processing unit 17 executes a query process (such as a map search process) described in SQL or the like using the encryption table data 73 as a processing target.

Thus, the map storage device 3 holds not the plaintext table data 71 but the encrypted table data 73 encrypted from the plaintext table data 71. The encryption table data 73 is not permitted to be decrypted by the administrator of the map storage device 3. Thereby, the risk that the plaintext data of the encrypted part leaks from the map storage device 3 does not substantially occur.
Furthermore, since the encryption definition information 76 exists in the map encryption device 2, the access control condition indicated by the encryption definition information 76 (to which user the data in which position in the plaintext table data 71 is shown) Set by the encryption device 2. The change of the access control condition indicated by the encryption definition information 76 (change from unviewable to viewable, etc.) is not permitted to the administrator of the map storage device 3. Thereby, when viewed from the map encryption device 2, the access control condition set in the own device can be forced to the map storage device 3. If the map browsing device 5 has the appropriate decryption key 86, the map is browsed after being decrypted. If not, the decryption fails and browsing is impossible, so that access control is substantially realized. .

The map distribution device 4 includes a query reception unit 14, an encrypted index decryption processing unit 15, and an encrypted index 16.
When the query receiving unit 14 receives a query (such as a map browsing request) from the query requesting unit 13, the query receiving unit 14 requests the database processing unit 17 to perform the query processing, and the result (encryption row corresponding to the query in the encryption table data 73). Data 74) is returned to the query request unit 13 (eg, map distribution processing).
The encrypted index decryption processing unit 15 receives a request from the query reception unit 14 and executes query processing for the encrypted string 75 in the encryption table data 73 instead of the database processing unit 17.
The encryption index 16 is index data indicating the data content of the encryption table data 73 referred to in the query process executed by the encryption index decryption processing unit 15. The encrypted index 16 is obtained by encrypting index data for realizing query processing of the plaintext table data 71 at high speed using the encryption key 81. The index data of the plaintext table data 71 is, for example, a plaintext as a list of cell positions (such as the i-th row and j-th column) of the table storing the cell values for each table cell value constituting the plaintext table data 71. Created from the table data 71.

The map browsing apparatus 5 includes a decryption processing unit 12, a query request unit 13, and a decryption key storage unit 88 that stores a decryption key 86.
The query requesting unit 13 requests a query (such as a map browsing request) from the query receiving unit 14, and receives the encrypted row data 74 as a query response.
The decryption processing unit 12 receives a request from the query request unit 13 and executes a decryption process of the query response (encrypted row data 74) using the decryption key 86. Then, the map browsing device 5 displays a map of the decrypted encrypted row data 74.

  The key management apparatus 9 includes an encryption key generation unit 82 that generates the encryption key 81 and a decryption key generation unit 87 that generates the decryption key 86 in order to manage the encryption key 81 and the decryption key 86. The key management device 9 distributes the encryption key 81 to the map encryption device 2 and distributes the decryption key 86 to the map browsing device 5.

  FIG. 2 is a configuration diagram showing a hardware configuration of each device constituting the map information database system.

  Each device of the map information database system includes a CPU 91, a RAM 92, an external storage device 93, a reading device 94 for reading a storage medium 95, an input device 96, a display device 97, a communication device 98, an interface 99, It is comprised as a computer (electronic computer) provided with.

The CPU 91 embodies each processing unit (encryption processing unit 11 and the like) illustrated in FIG. 1 as a process by executing a program loaded on the RAM 92.
The RAM 92 functions as a work area for the CPU 91.
The external storage device 93 is configured by a hard disk device or the like, and stores a program of each processing unit shown in FIG. 1 and data (such as plain text table data 71) handled by each processing unit.
The reading device 94 is a device that reads data from the storage medium 95.
The storage medium 95 is a portable medium such as a CD-ROM or FD. The storage medium 95 stores a program for each processing unit executed by the CPU 91.
The input device 96 is composed of a keyboard, a mouse, and the like.
The display device 97 includes a display.
The communication device 98 is a communication interface for communicating with other devices via a network. The communication device 98 downloads a program for each processing unit executed by the CPU 91.
The interface 99 is an internal bus that controls data transmission / reception between components in the apparatus.

  FIG. 3 is a configuration diagram illustrating an example of each piece of data (plain text table data 71, encryption table data 73, encryption definition information 76) indicating map information.

The plaintext table data 71 is data indicating an indoor map. In general, spatial data is described as a set of features. Here, a feature is an object or phenomenon that is directly or indirectly associated with information about a position. In the case of an indoor map, for example, a room or a corridor is an example of a feature.
In the plaintext table data 71, one row corresponds to one feature. The plaintext table data 71 is configured by associating “ID string”, “geometry”, “connection relationship”, “name”, and “capacity” for each feature.
The “ID string” is a key string for uniquely identifying a feature, is not subject to encryption processing, and is defined by an integer type or the like.
“Geometry” represents the position and shape of a feature as a set of vertex positions (x, y) and is defined by a character string type or the like.
The “connection relationship” indicates whether or not each object can move to each other, and is defined by a set of integer types (ID columns).
“Name” indicates the name of each feature and is defined by a character string type or the like.
The “capacity” indicates the number of persons that can be accommodated in each feature, and is defined by an integer type or the like. In addition, “NULL” of “capacity” indicates a predetermined value that is not 0 but is undefined (data size is 0).

  Note that the configuration of the plaintext table data 71 shown in FIG. 3 is merely an example, and other columns may be included that indicate attributes such as facilities of various features, usage purposes, and restrictions. Furthermore, a column representing a relationship other than the connection relationship between the features, for example, an inclusion relationship may be included. As the data type of each item, for example, a dedicated type for expressing the geometry may be defined and used. Further, instead of using the plaintext table data 71 as one table data, the plaintext table data 71 may be expressed as a set of a plurality of table data associated with each other using an “ID column” as a key.

The encryption table data 73 is a result of encrypting at least part of the plaintext table data 71. The column on the left side of the encryption table data 73 (ID column to the number of persons accommodated) is in common with the plaintext table data 71. The right column (encrypted column 75) of the encrypted table data 73 is a column newly added from the plaintext table data 71. The cipher string 75 stores the encrypted result of the corresponding plaintext table data 71.
For example, the encryption table data 73 of FIG. 3 is encrypted with the column “name” and the column “capacity” in the ID column “002” and the ID column “003” in comparison with the plaintext table data 71. It can be seen from the fact that the column “name” is encrypted because each data value is “NULL”.
The encrypted column 75 of these encrypted rows stores the text of the encrypted result (in the figure, the text result of binary data, which is itself human-readable data). ing. That is, data obtained by encrypting data of one or more columns (items) to be encrypted among the data included in each row is stored in the encryption column 75 of the row.
On the other hand, since the ID column “001” and the ID column “004” have no encryption target columns, “NULL” is stored in the encryption column 75. That is, “NULL” in the encrypted column 75 indicates that no data value in the corresponding data column is encrypted, but “NULL” in the data column indicates that the data value in the data column is encrypted. Indicates that

Therefore, when one or more encrypted values are stored in the cipher string 75, a specific encoding method (for example, base64 format, XML format, BER, CER, DER specified in ASN.1 (Abstract Syntax Notation One)) According to another encoding format or the like, the encoded text data may be added to the cipher string 75 one by one as XML data surrounded by a tag indicating which item (column name) is encrypted.
In this way, by creating the cipher string 75, the type of encrypted data stored in the cipher string 75 (for example, the integer type, the character string type, the date type, etc.) For example, a character string type) can be unified. Furthermore, even if the original plaintext data includes data of a plurality of columns (items) and the data types of these columns are different, the encrypted data stored in the encrypted column 75 It becomes possible to unify the types.

The encryption definition information 76 is information that defines the content of encryption processing for each cell (combination of rows and columns) when generating the encryption table data 73 from the plaintext table data 71. The ID column of the encryption definition information 76 is a key column that is common to the plaintext table data 71 and the encryption table data 73.
In the other columns of the encryption definition information 76, “encryption” is stored when it is an encryption target, and a blank is stored for each row when it is not an encryption target. Furthermore, for the cell storing “encryption” of the encryption definition information 76, information specifying a user who can decrypt the encryption process (in other words, a user having the decryption key 86) may be stored.
For example, since the cell values in the “name” column of the “ID column = 002” row are encrypted with the encryption keys 81 of the user A and the user B, the decryption keys 86 of the user A and the user B are used. Although it is possible to decrypt (view), only the decryption key 86 of the user A can decrypt (view) the cell value in the “capacity” column of the “ID column = 002” row. Thus, in the encryption definition information 76, the data stored in the encryption column 75 of each row may be data obtained by encrypting different columns (items) for each row, or a plurality of columns (items) included in each row. ) May be encrypted data.
By defining the encryption definition information 76 in this way, it is possible to easily set encryption conditions that are difficult to set by the conventional technology. For example, with respect to a column designated in advance, it is possible to mix encryption target data and non-target data so that data of a certain row is encrypted and data of other rows is not encrypted.

  Furthermore, the encryption definition information 76 may specify an encryption algorithm to be used for each cell. Hereinafter, an example of an encryption algorithm executed by the encryption processing unit 11 and the decryption processing unit 12 will be described.

First, either the common key encryption or the public key encryption is designated as the encryption algorithm of the encryption definition information 76.
The common key encryption method uses the same key for the encryption key 81 and the decryption key 86. For example, an algorithm such as DES, AES, or MUGI is specified. When this common key cryptosystem is used, it is superior in that the processing load is generally small as compared with the public key cryptosystem.
Public key cryptography is a scheme in which different keys are used for the encryption key 81 and the decryption key 86. For example, algorithms such as RSA and elliptic curve cryptography are designated. When this public key cryptosystem is used, even if the same key is used for different plaintext table data 71, there is no possibility that the confidentiality of each plaintext table data 71 is impaired. Excellent.

Next, either a deterministic encryption method or a probabilistic encryption method is designated as the encryption algorithm of the encryption definition information 76.
The deterministic encryption method is an encryption method in which ciphertexts obtained when the same plaintext is encrypted using the same encryption key are always the same.
A probabilistic encryption method is an encryption method in which different ciphertexts may be obtained even if the same plaintext is encrypted using the same encryption key.

FIG. 4 is an explanatory diagram showing plain text table data 71 (partially extracted) as a result of decrypting the encryption table data 73 of FIG. 3 for each user. All the decryption results other than the extracted portions of the plaintext table data 71 can be browsed by each user. Furthermore, in FIG. 4, the indoor map displayed on the screen according to the decryption result of the plaintext table data 71 is illustrated on the right side.
The portion that is not “NULL” in the plaintext table data 71 is a portion that was not originally encrypted, or a portion that was successfully decrypted but encrypted (that is, an access right is set for the user who attempted the decryption). Is the place).
The portion of the plaintext table data 71 that is “NULL” is a portion that has been encrypted and has failed to be decrypted, and is a portion in which no access right is set for the user who has attempted decryption.

First, in the decryption result of the user A shown in FIG. This is because “user A” is described in all places where “encryption” is described in the encryption definition information 76.
Next, in the decryption result of the user B shown in FIG. 4B, a part of the plaintext table data 71 (ID column = capacity number column of 002) cannot be viewed (NULL). This is because there is a portion that is not described as “user B” among the portions that are described as “encrypted” in the encryption definition information 76.
Further, in the decryption result of the user C shown in FIG. 4C, a part of the plaintext table data 71 (ID column = 002 name column and capacity table, ID column = 003 name column) cannot be viewed (NULL ). This is because the portion described as “user C” among the portions described as “encrypted” in the encryption definition information 76 does not exist.

  Hereinafter, two methods for generating the encryption key 81 by the encryption key generation unit 82 and for using the encryption key 81 by the encryption processing unit 11 to reflect the access right for each user shown in FIGS. The method is illustrated. These two methods are designated as the encryption algorithm of the encryption definition information 76.

Here, the following description is used to indicate the encryption key 81 and the data encrypted with the encryption key 81.
{Cleartext data to be encrypted} ← Encryption key 81
For example, the following description shows the result of encrypting “internal meeting room A”, which is the name string of ID string = 002 of the plaintext table data 71, with the encryption key 81 of the user A.
{Internal meeting room A (ID string = 002 name string)} ← User A

  As a first method of reflecting the access right for each user, the corresponding portion of the plaintext table data 71 for which “encryption” is specified in the encryption definition information 76 is encrypted with the encryption key 81 for each user who is given the access right. The method of becoming is mentioned.

The following encrypted data is stored in the encryption string 75 (part described as A3bxt $ 35) of the ID string = 002 of the encryption table data 73.
{Internal meeting room A (ID string = 002 name string)} ← User A
{Internal meeting room A (ID string = 002 name string)} ← User B
{10 (ID string = 002 capacity column)} ← User A
Then, the map browsing device 5 of the user A can decrypt “internal meeting room A” and “10” using his / her decryption key 86. The map browsing device 5 of the user B can decrypt “internal meeting room A” using his / her decryption key 86.

The following encrypted data is stored in the encryption string 75 (part described as 5 # 971yQ) of ID string = 003 of the encryption table data 73.
{Internal meeting room B (ID string = 003 name string)} ← User A
{Internal meeting room B (ID string = 003 name string)} ← User B

  As a second method of reflecting the access right for each user, the corresponding part of the plaintext table data 71 for which “encryption” is specified in the encryption definition information 76 is encrypted with a session key common to each user, and the session key Is encrypted with the encryption key 81 for each user to whom the access right is given. This method is a method disclosed in Japanese Patent Application Laid-Open No. 2007-251921, and is also referred to as a selectively disclosed encryption method. Specifically, each column of the plaintext table data 71 in which “encryption” is designated is used as a unit of division in the selective disclosure encryption method, and the obtained ciphertext is data stored in the cipher value column.

The following encrypted data is stored in the encryption string 75 (part described as A3bxt $ 35) of the ID string = 002 of the encryption table data 73.
{Department meeting room A (ID string = 002 name string)} ← Session key K1
{10 (ID string = 002 capacity column)} ← session key K2
{Session Key K1} ← User A
{Session Key K1} ← User B
{Session Key K2} ← User A
Then, the map browsing device 5 of the user A can acquire the session keys K1 and K2 by using his / her decryption key 86, and decrypt “internal meeting room A” and “10”, respectively. The map browsing device 5 of the user B can acquire the session key K1 using his / her decryption key 86 and decrypt “internal meeting room A”.

The following encrypted data is stored in the encryption string 75 (part described as 5 # 971yQ) of ID string = 003 of the encryption table data 73.
{Internal department room B (ID string = 003 name string)} ← Session key K3
{Session Key K3} ← User A
{Session Key K3} ← User B

  As described above, the selective disclosure encryption method is a method of encrypting plaintext data in a state in which a different portion can be disclosed for each user who browses. In one method of selective disclosure encryption method, plaintext data is first divided into units having different disclosure conditions, and an encryption key in a common key encryption method (hereinafter referred to as a partial data encryption key) is divided into each divided part. It is generated as a random number and encrypted using this partial data encryption key. Next, the partial data encryption key is encrypted using the public key of the user who can view the part, and is held as header information.

  At this time, when a plurality of (n) users can view the location, the portion is encrypted using each public key (therefore, the header information includes n pieces of data). Data obtained by combining (combining) the ciphertext of each part and the header information is referred to as a ciphertext obtained as a result of encryption according to an encryption method that can be selectively disclosed.

  When decrypting, each information included in the header information is first decrypted using a secret key (in the public key cryptosystem) owned by the viewing user. When the partial data encryption key is obtained after successful decryption, the ciphertext of the part is decrypted with the partial data encryption key to obtain the plaintext of the part.

  According to the selective disclosure encryption method described above, different columns can be encrypted for each row, and encryption can be performed so that different data can be viewed by different users in each column in the same row. .

  FIG. 5 is a flowchart showing processing of the map information database system of FIG.

As S 101, the map browsing device 5 receives the decryption key 86 from the decryption key generation unit 87 of the key management device 9 and stores it in the decryption key storage unit 88.
As S <b> 102, the map encryption device 2 receives the encryption key 81 from the encryption key generation unit 82 of the key management device 9 and stores it in the encryption key storage unit 83.
As S103, the encryption processing unit 11 of the map encryption device 2 creates the encryption table data 73 by encrypting the plain text table data 71 based on the encryption key 81, and stores the encryption table data 73 on the map. Transmit to device 3. Details of the process of S103 will be described later with reference to FIG.
As S104, the map storage device 3 receives the encrypted encryption table data 73 and stores it in the external storage device 93 in the device itself.

As S <b> 111, the query request unit 13 of the map browsing device 5 transmits a map browsing request query to the query receiving unit 14 of the map distribution device 4. The map browsing request is, for example, transmitting the current position information of the map browsing device 5 and requesting a map around the current position. In this case, for example, the map browsing device 5 may include positioning means using GPS (Global Positioning System) as means for acquiring current position information.
As S112, the query receiving unit 14 of the map distribution device 4 requests the database processing unit 17 of the map storage device 3 for a data search request for the received query.
As S113, the database processing unit 17 of the map storage device 3 receives the data search request, and executes a search process on the encryption table data 73 stored in S104.

In S121, the database processing unit 17 of the map storage device 3 returns the encrypted data (encrypted row data 74 corresponding to the query search condition in the encrypted table data 73) to the query receiving unit 14 as the search result in S113. .
As S122, the query reception unit 14 of the map distribution device 4 transmits the encrypted data returned in S121 to the query request unit 13 as a response to the query of S111.
As S123, the query request unit 13 of the map browsing device 5 receives the query response transmitted in S122.

As S131, the decryption processing unit 12 of the map browsing device 5 decrypts the encrypted data (encrypted row data 74) of the query response received in S123. At this time, the decryption processing unit 12 uses the decryption key 86 stored in S101.
It should be noted that the decryption processing unit 12 is included in the cipher string 75 of the cipher row data 74 by using the decryption key 86 of the user of the map browsing device 5 to which the decryption processing unit 12 belongs in the decryption processing of the cipher row data 74. Try to decrypt one or more data values one by one. First, when the decryption is successful, the plaintext row data 72 is obtained from the encrypted row data 74 by replacing the data value with the “NULL” value at the corresponding cell position of the encrypted row data 74.

On the other hand, when the decryption fails, the user of the map browsing device 5 is not given the access right to the data value, so “NULL” is output as the data value of the cell position. Here, the decryption processing unit 12 is given the access right by referring to the supplementary information included in the cipher string 75 instead of actually trying the decryption process of the data value to which the access right is not given. You may skip the decoding process of the data value which is not. For this purpose, the encryption processing unit 11 may encrypt the data including the supplementary information in addition to the data in the column to be encrypted, and store it in the encrypted column 75 at the time of encryption.
The supplementary information is, for example, information stored in the encryption definition information 76, information for identifying which column is encrypted (for example, column name), data type information of the column to be encrypted, etc. Composed.

  As mentioned above, the map browsing apparatus 5 can browse the map of the part permitted to the own apparatus by the process of the map browsing request demonstrated with reference to FIG.

  In S113, when the database processing unit 17 executes the search process on the encryption table data 73, it is difficult to evaluate the plaintext query search condition as it is for the encrypted data value. is there. Therefore, the plain text query search condition can be evaluated for the encrypted data value by one of the following two methods.

The first evaluation method is a method of encrypting a plain text query search condition and evaluating the encrypted data value.
First, in the encryption process of S103, encryption is performed by a deterministic encryption method.
Next, the database processing unit 17 acquires the encryption key 81 from the key management device 9 or another device (such as the map encryption device 2 or the map browsing device 5) in the search process for the encryption table data 73 in S113.
Then, the database processing unit 17 encrypts a parameter (for example, a character string to be searched) included in the query search condition with the acquired encryption key 81.
Further, the database processing unit 17 evaluates the query search condition by comparing the encrypted cell value in the encryption table data 73 with the encrypted value of the parameter included in the query search condition. For example, when both values match each other, the database processing unit 17 determines that the query search condition is met. That is, by using a deterministic encryption method, the result of encrypting the same data value with the same encryption key 81 is always the same encrypted value, so the query search condition is evaluated without performing decryption processing. can do.

The second evaluation method is a method of evaluating a plaintext query search condition using an index generated from plaintext data before encryption. Therefore, the map encryption device 2 in FIG. 1 creates an encryption index 16 for each encryption key 81 in advance. The created encrypted index 16 is held in the map storage device 3 of FIG. 1 and is used as needed (for example, when the map distribution device 4 receives a query from the map browsing device 5), as shown in FIG. 4 is transmitted. Further, the map distribution device 4 has an encryption index decryption processing unit 15. When creating the encryption index 16 for each encryption key 81, one encryption index 16 may be created with the session key of the selectively disclosed encryption method, and the session key may be encrypted for each encryption key 81.
First, in S112, when the query reception unit 14 requests the database processing unit 17 for the received query data search request, for the encrypted row data 74, the received query data search request is encrypted index decryption. The processing unit 15 is requested.
Next, the encrypted index decryption processing unit 15 obtains the encrypted index 16 encrypted with the encryption key 81 of the map browsing device 5 to which the query request unit 13 to which the query request has been made in S111 from the user of the map browsing device 5. Decryption is performed with the decryption key 86, and query processing is executed based on the decrypted index data.
In step S <b> 122, the query reception unit 14 transmits the encrypted row data 74 corresponding to the query to the query request unit 13 as the processing result of the encryption index decryption processing unit 15.

  FIG. 6 is a flowchart showing details of the encryption process (S103) for creating the encryption table data 73 from the plain text table data 71, which is executed by the encryption processing unit 11.

In S201, the encryption processing unit 11 acquires the plain text table data 71 and the encryption definition information 76 from the external storage device 93 of the own device.
In S202, a loop for selecting each row (each record) constituting the plaintext table data 71 one by one is started. Hereinafter, the selected line is described as “selected line”.
In S203, “NULL” is set as the initial value of the encrypted column 75 of the selected row.
In S204, a loop for selecting each column constituting the plaintext table data 71 one by one is started. Hereinafter, the selected column is described as “selected column”, and the table element specified by the selected column in the selected row is described as “selected cell”.
In S205, the encryption definition information 76 is referred to and it is determined whether or not the selected cell is to be encrypted. If Yes in S205, the process proceeds to S207, and if No, the process proceeds to S206.

In S206, the data value of the selected cell in the plaintext table data 71 is copied as it is to the data value of the selected cell in the encryption table data 73.
In S207, the data value of the selected cell in the plaintext table data 71 is encrypted according to the encryption method described in the selected cell in the encryption definition information 76, and the resulting encrypted value is encrypted in the encrypted column 75 of the selected row. Add to
In S208, “NULL” is written in the data value of the selected cell in the encryption table data 73. If the data type of the column to be encrypted does not allow NULL, other values that can be used as substantially meaningless data (for example, 0000/00 in the date type of yyyy / mm / dd) / 00 etc.) may be used.
In many data types, NULL is allowed as substantially meaningless data. Therefore, by replacing with NULL, it becomes possible to prevent encrypted data from affecting other devices. The other device is, for example, another device connected to one of the devices constituting the map information database system, and refers to the data stored in the map information database.

In S209, the loop of the selected column from S204 is terminated.
In S210, the cipher string 75 of the selected row updated in S203 and S207 is written in the cipher table data 73.
In S211, the loop of the selected row from S202 is terminated.
In S212, the created encryption table data 73 is transmitted to the map storage device 3.

  The embodiment described above can be modified as shown below.

  In the following modified embodiment, the processing load of the map browsing device 5 can be reduced by changing the device that executes the decryption processing of the encrypted data from the map browsing device 5 to the map decrypting device 6. . As a result, the map browsing device 5 can be applied to a device (such as a mobile phone) having a low processing capability, and the convenience for the user is improved.

Furthermore, not only the decoding process but also the process using the decoded data can be performed in the map distribution device 4. For example, the map distribution device 4 may perform processing for generating image data representing a map based on the plaintext line data 72 after decryption.
Thereby, in the map browsing apparatus 5, since the map can be browsed if it has a display means for the image data generated by the map distribution apparatus 4, many portable terminals (map browsing apparatus 5) have already been used. It is also preferable to be able to browse the map using the provided web browser from the viewpoint of reducing the trouble of developing a program for browsing newly operating on the map browsing device 5.

  FIG. 7 is a configuration diagram showing a map information database system in which the decoding process of FIG. 1 is changed from the map browsing device 5 to the map decoding device 6. Hereinafter, the configuration of FIG. 7 will be described with a focus on differences from FIG.

In the map information database system, a map decoding device 6 is newly added.
First, the map decryption device 6 is provided with a decryption key storage unit 88 for storing the decryption processing unit 12 and the decryption key 86 provided in the map browsing device 5 of FIG. Since the decryption key storage unit 88 corresponds to a plurality of map browsing devices 5, it is preferable to store a plurality of decryption keys 86 for each map browsing device 5.
Next, the map decryption device 6 includes an encrypted index decryption processing unit 15 and an encrypted index 16 provided in the map distribution device 4 of FIG.
Then, when the decoding processing unit 12 of the map decoding device 6 performs the decoding process of the map browsing device 5, it authenticates the map browsing device 5 that has requested the proxy (that is, transmitted the query request). It is preferable to have This authentication means is realized by one of the following two methods, for example.

As the first authentication means, input information for authentication such as an apparatus-specific ID (such as a MAC address) of the map browsing apparatus 5 and user-specific information (such as a user ID and biometric information) of the map browsing apparatus 5 is input. This is a technique for accepting an input from the device 96 and authenticating it. When the map decoding device 6 receives the authentication input information, the map decoding device 6 authenticates the authentication directory by making an inquiry of the authentication directory using LDAP (Lightweight Directory Access Protocol) or the like.
The input information for authentication may be transmitted directly from the map browsing device 5 to the map decoding device 6, or may be transmitted from the map browsing device 5 to the map decoding device 6 via the map distribution device 4.

  In the case where biometric information that is generally considered difficult to be copied or counterfeited is transmitted as the second authentication means, authentication may be performed using this. Alternatively, user authentication may be performed using an encryption technique. Specifically, for example, it may be realized by using a client authentication method in SSL (Secure Sockets Layer) communication or TLS (Transport Layer Security) communication.

FIG. 8 is a flowchart showing the processing of the map information database system corresponding to the configuration of FIG. Since many processes are common in the process of FIG. 8 and the process of FIG. 5, it demonstrates paying attention to the difference of each process in the following description.
As S101, the decryption processing unit 12 is relocated from the map browsing device 5 to the map decryption device 6, and the decryption key 86 is received and stored on the map decryption device 6 side.
The search result notification process (S122 to S123) is replaced with the following S124 to S128.
As S124, the query reception unit 14 of the map distribution device 4 instructs the map decryption device 6 to decrypt the encrypted data (encrypted row data 74) received in S121.
In S125, the decryption processing unit 12 of the map decryption device 6 obtains the plaintext line data 72 by decrypting the designated encrypted line data 74.
In S126, the decryption processing unit 12 of the map decryption device 6 returns the decrypted plaintext line data 72 to the query reception unit 14 of the map distribution device 4.
As S <b> 127, the query receiving unit 14 of the map distribution device 4 transmits plain text line data 72 as a query response to the query requesting unit 13 of the map browsing device 5.
As S128, the query requesting unit 13 of the map browsing device 5 receives a query response. The plain text line data 72 included in the received query response can be displayed on the display device 97 of the map browsing device 5 as it is.
In addition, the decoding process by the map browsing apparatus 5 side of S131 becomes unnecessary.

  1 and FIG. 7, the components in the illustrated apparatus, the number of each apparatus, etc. are merely examples, and modifications such as those shown below are possible. It is.

For example, each device of the map information database system may be present one by one, or there may be a plurality of devices as illustrated below.
A plurality of map decoding devices 6 may exist.
A plurality of key management devices 9 may exist and data may be transmitted / received to / from one or more map decoding devices 6.
A plurality of map distribution devices 4 may exist and data may be transmitted / received to / from one map decoding device 6.
A plurality of map storage devices 3 may exist. In this case, the map distribution device 4 may make a query by selecting an appropriate device from a plurality of map storage devices according to the contents of the map browsing request in S112. For example, if the map data held by each map storage device is divided by region, such as divided by prefecture, if the content of the map browsing request requests information in Kanagawa Prefecture The map storage device that manages Kanagawa Prefecture data may be queried.

Each device of the map information database system may operate on an independent computer, or a plurality of devices may operate on a single computer as illustrated below.
-You may comprise the map delivery apparatus 4 and the map decoding apparatus 6 as the same computer.
-You may comprise the map decoding apparatus 6 and the key management apparatus 9 as the same computer.

  Although the case where the decryption key 86 of the map browsing device 5 is first in the key management device 9 and is transmitted to the map browsing device 5 in S101 has been described as an example, a configuration different from this may be used.

The key management device 9 having the encryption key generation unit 82 and the decryption key generation unit 87 may substitute the processing unit for generating the key with another processing unit. For example, the map browsing device 5 includes an encryption key generation unit 82 and a decryption key generation unit 87, and each generation unit generates a key pair including a decryption key 86 and an encryption key 81, and the decryption key 86. Is stored in the decryption key storage unit 88, and the encryption key 81 is stored in the encryption key storage unit 83.
In this way, the decryption key 86 exists only in the map browsing device 5, which is preferable from the viewpoint of security.

  Each device of the map information database system may be connected by one network 1 or may be connected by a plurality of networks. For example, the map browsing device 5 and the map distribution device 4 may be connected via a mobile phone network. Of these devices, a network may not be provided between devices that do not need to exchange data with each other. As an example of a combination of devices that do not need to exchange data with each other, a combination of the map encryption device 2 and the map browsing device 5 may be included.

In the embodiment described above, each row of the table stored in the database includes a column (encryption column 75) for storing an encryption value, and the data of the column (item) to be encrypted among the data included in each row is stored. The encrypted data is stored in the encryption column 75 of the row, and the data in the column to be encrypted is rewritten to data meaning NULL (blank).
This makes it possible to mix encryption target data and non-target data in such a way that, for a column designated in advance, data in a certain row is encrypted and data in other rows is not encrypted.

1 Network 2 Map encryption device (encryption device)
3 Map storage device 4 Map distribution device 5 Map browsing device (decoding device)
6 Map decoding device (decoding device)
DESCRIPTION OF SYMBOLS 9 Key management apparatus 11 Encryption process part 12 Decryption process part 13 Query request part 14 Query reception part 15 Encryption index decryption process part 16 Encryption index 17 Database process part 71 Plain text table data 72 Plain text line data 73 Encryption table data 74 Encryption row data 75 Encryption string 76 Encryption definition information 81 Encryption key 82 Encryption key generation unit 83 Encryption key storage unit 86 Decryption key 87 Decryption key generation unit 88 Decryption key storage unit 91 CPU
92 RAM
93 External storage device 94 Reading device 95 Storage medium 96 Input device 97 Display device 98 Communication device 99 Interface

Claims (12)

Database processing by a database system using an encryption device that encrypts plaintext table data stored in a database to create encrypted table data, and a decryption device that decrypts the encrypted table data and obtains the plaintext table data A method,
The encryption device is:
Reading the plaintext table data from storage means;
Reading cipher definition information indicating the necessity of encryption of the data value existing at the cell position of the plaintext table data from the storage means;
The cell position is indicated by a combination of each row and each column constituting the plaintext table data,
For each cell position of the plaintext table data, based on the encryption necessity information described in the encryption definition information, determine whether to encrypt the data value of the cell position,
When encrypting the cell position data, a predetermined value is stored in the cell position of the encryption table data, and the data value of the cell position of the plaintext table data is encrypted in the encrypted column of the row including the cell position. Add the resulting cipher value,
When not encrypting the data of the cell position, copy the data value of the cell position of the plaintext table data to the cell position of the encryption table data,
The decoding device
When the predetermined value is stored in the cell position of the encryption table data, the encryption value is decrypted from the cipher column in the row including the cell position. A database processing method, wherein the predetermined value stored in the position is overwritten. When encrypting data at a cell position, the encryption device adds an encryption value to the cipher column in a row including the cell position, and also adds the encryption definition information describing the encryption processing together with the encryption Add to the column,
Whether the decryption device decrypts each cipher value with reference to the cipher definition information included in the cipher string when one or more cipher values are decrypted from the cipher string The database processing method according to claim 1, wherein: In addition to the encryption necessity information for each cell position, the encryption definition information includes the type of encryption algorithm for executing the encryption process when encryption is required. ,
The encryption device, when encrypting the data of the cell position, according to the encryption algorithm described in the encryption definition information, to perform an encryption process on the data value of the cell position,
The encryption algorithm described in the encryption definition information includes at least one of a common key encryption method, a public key encryption method, a deterministic encryption method, and a probabilistic encryption method. The database processing method according to claim 1, wherein the database processing method is configured as one method. When the decryption device receives a query search process for the encryption table data, when executing the query search process for an encrypted data value in the encryption table data,
Using the encryption key when the encryption value included in the encryption column of the encryption table data is encrypted, the parameter included in the query search condition is encrypted,
Determining whether or not the query search condition is satisfied by collating an encryption value included in the encryption column of the encryption table data with an encryption value of a parameter included in the query search condition; The database processing method according to any one of claims 1 to 3. When the decryption device receives a query search process for the encryption table data, when executing the query search process for an encrypted data value in the encryption table data,
It is determined whether or not the query search condition is satisfied by collating a search index indicating the plaintext table data that is the generation source of the encryption table data with a parameter included in the query search condition. The database processing method according to any one of claims 1 to 3, wherein: In addition to the encryption necessity information for each cell position, the encryption definition information includes a list of users who are permitted to perform the decryption process,
When encrypting the data at the cell position, the encryption device encrypts the data value at the cell position with an encryption key for each user that permits the decryption process, and creates an encrypted value for each user. The database processing method according to claim 1, wherein an encrypted value is added to the cipher string. In addition to the encryption necessity information for each cell position, the encryption definition information includes a list of users who are permitted to perform the decryption process,
When encrypting cell location data, the encryption device creates a first encrypted value by encrypting the cell location data value with the session key common to each user, and permits a decryption process 6. The session key is encrypted with each encryption key to create a second encryption value, and the first encryption value and the second encryption value are added to the encryption string. The database processing method according to any one of the above. The database processing method according to any one of claims 1 to 7, wherein the decryption device is incorporated in a data browsing device for each user who transmits the query search condition. The decryption device is configured as a device different from the data browsing device for each user that transmits the query search condition, and the plaintext is derived from the encryption table data accompanying the query search condition from a plurality of the data browsing devices. The database processing method according to any one of claims 1 to 7, wherein decryption processing to table data is executed. The encryption device has a value of 0 indicating undefined or a data value stored in the cell position out of a possible range as the predetermined value to be written to the cell position of the encryption table data. The database processing method according to any one of claims 1 to 9, wherein a value is written.   A database processing program for causing each device of the database system to execute the database processing method according to any one of claims 1 to 10. Encryption of a database system using an encryption device that encrypts plaintext table data stored in a database to create encryption table data, and a decryption device that decrypts the encryption table data to obtain the plaintext table data A device,
Reading the plaintext table data from storage means;
Reading cipher definition information indicating the necessity of encryption of the data value existing at the cell position of the plaintext table data from the storage means;
The cell position is indicated by a combination of each row and each column constituting the plaintext table data,
For each cell position of the plaintext table data, based on the encryption necessity information described in the encryption definition information, determine whether to encrypt the data value of the cell position,
When encrypting the cell position data, a predetermined value is stored in the cell position of the encryption table data, and the data value of the cell position of the plaintext table data is encrypted in the encrypted column of the row including the cell position. Add the resulting cipher value,
When the data at the cell position is not encrypted, the data value at the cell position of the plaintext table data is copied to the cell position of the encryption table data.

Images