JP2010287002A - Device, system, method and program for managing storage medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To manage a storage medium, such as a USB memory which moves among a plurality of bases. <P>SOLUTION: A user registers in advance to a management server, identification information physically added to the USB memory and a use location of the USB memory without using a data holding function of the USB memory itself to be carried out. Then, the management server generates a pair of asymmetrical encryption key/decryption key for encrypting/decrypting data in the USB memory, and issues only the encryption key to the user. The user performs encryption of the data on a user terminal using the issued encryption key, and performs when carrying out of the USB memory, automatic recording of entry/exit history of a use location to the management server. When using the USB memory, the management server checks an entry/exit history each time, issues the decryption key, and transmits the decryption key to the user. The user releases encryption using the decryption key. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a storage medium management apparatus, and more particularly to a storage medium management apparatus that manages a storage medium that moves between a plurality of locations.

  At present, many measures for strengthening information management have been carried out with respect to the information leakage problem of enterprises, and management enhancement is also being carried out as one of the measures for portable items such as USB (Universal Serial Bus) memory.

  However, problems due to human error such as carelessness of users continue to occur even after strengthening management.

  For example, when storing data in a USB memory and taking it out, even if a rule is set such as recording in the management ledger or encrypting the data stored in the USB memory, the encrypted password is inadvertently noticed by the user. There is a risk that it becomes difficult to track if the USB memory leaks or the USB memory is lost, and a mechanism for reducing the occurrence of human error is necessary.

  As described above, in the conventional method, when data is stored in the USB memory and taken out, the information security management is enhanced by recording the data in the management ledger or encrypting the data stored in the USB memory. However, it depends on the responsibility and management of the individual who uses the USB memory, and it is difficult to keep track of when the encrypted password is leaked or the USB memory is lost due to carelessness of the user. There is a risk.

  Japanese Unexamined Patent Application Publication No. 2007-025870 (Patent Document 1) discloses an external storage device management system and an external storage device. In this related technology, the external storage device wirelessly transmits a tag ID, receives the availability of wireless transmission by an RFID (Radio Frequency Identification) reader / writer, and receives from the program of the user terminal to which the external storage device is connected. Access to the information storage area in the external storage device is granted according to availability. The RFID reader / writer receives a tag ID that is wirelessly transmitted from the external storage device, transmits the tag ID to the authentication device together with the reader ID, and wirelessly transmits to the external storage device whether or not the authentication device can use it. The authentication device receives the tag ID and the reader ID from the RFID reader / writer, obtains the availability corresponding to the combination of the tag ID and the reader ID from the usage authority information, and returns it.

  Japanese Patent Laid-Open No. 2008-197902 (Patent Document 2) discloses an access control system and a storage device. In this related technique, the USB memory encrypts and stores data. When the USB memory is connected to the computer, the computer is connected to the management server by a program stored in the USB memory. The management server transmits an encryption key to the computer after executing authentication when the information indicating whether access is permitted or not stored in the management server indicates permission of access. The computer transfers the transmitted encryption key to the USB memory, and the USB memory decrypts the encryption using the encryption key. The decrypted data can be read from the computer.

JP 2007-025870 A JP 2008-197902 A

  It is an object of the present invention to issue a decryption key after confirming whether or not the use location and time of the storage medium conform to predetermined conditions each time the encrypted data stored in the storage medium is decrypted A storage medium management apparatus is provided.

  The storage medium management device of the present invention includes a key generation unit that generates a pair of encryption key and decryption key used when encrypting and decrypting data stored in a storage medium, and the storage medium from the first base. When moving to the second base, the storage medium identification information physically added to the storage medium without using the data holding function of the storage medium itself and the use of the storage medium from the first communication terminal at the first base Receive and record available location information indicating a possible location, request the key generation means to generate an encryption key and a decryption key, send the encryption key to the first communication terminal, and The storage medium identification information is received from the two communication terminals, the available location information corresponding to the received identification information is referenced, and if the second location is an available location, the decryption key is transmitted to the second communication terminal. Storage medium management means. In addition, the case where the 1st communication terminal and the 2nd communication terminal are not only a user terminal but the gate (entrance / exit gate) provided in the entrance / exit of each base can also be considered.

  The storage medium management system according to the present invention is located at the first site, and indicates storage medium identification information physically added to the storage medium without using the data holding function of the storage medium itself, and an available location of the storage medium. A first communication terminal for transmitting available location information; a second communication terminal at a second base for transmitting storage medium identification information; and a storage medium management device capable of communicating with the first communication terminal and the second communication terminal Including. When the storage medium moves from the first base to the second base, the storage medium management device stores the storage physically added to the storage medium from the first communication terminal without using the data holding function of the storage medium itself. Means for receiving and recording medium identification information and usable location information indicating a usable location of the storage medium, and a pair of encryption key and decryption key used when encrypting and decrypting data stored in the storage medium Generating means, means for transmitting the encryption key to the first communication terminal, means for receiving the storage medium identification information from the second communication terminal, and reference to the available location information corresponding to the received identification information And means for transmitting a decryption key to the second communication terminal if the second base is an available place.

  In the storage medium management method of the present invention, when the storage medium moves from the first base to the second base, the first communication terminal at the first base stores the data without using the data holding function of the storage medium itself. The storage medium identification information physically added to the medium and the usable place information indicating the usable place of the storage medium are received and recorded. Next, a pair of encryption key and decryption key used when encrypting and decrypting the storage data of the storage medium is generated. Next, the encryption key is transmitted to the first communication terminal. Next, storage medium identification information is received from the second communication terminal at the second base. Next, reference is made to the available location information corresponding to the received identification information. Next, if the second site is an available location, the decryption key is transmitted to the second communication terminal.

  The storage medium management program of the present invention does not use the data retention function of the storage medium itself from the first communication terminal at the first base when the storage medium moves from the first base to the second base. Receiving and recording the storage medium identification information physically added to the storage medium and the usable location information indicating the usable location of the storage medium; and at the time of encrypting and decrypting the storage data of the storage medium Generating a pair of encryption key and decryption key to be used; transmitting the encryption key to the first communication terminal; receiving storage medium identification information from the second communication terminal at the second base; For causing the computer to execute a step of referring to the available location information corresponding to the received identification information and a step of transmitting the decryption key to the second communication terminal if the second site is an available location. Is a program.

  In addition to restricting the use place and time of the storage medium, it is not necessary for the user to manage the password of the storage medium himself / herself, and the risk of leakage of the password and stored data can be reduced.

It is a block diagram which shows the example of whole structure of the network system in an organization in this invention. It is a sequence diagram which shows the process at the time of a user saving data on a storage medium and encrypting at a 1st base. It is a sequence diagram which shows the process at the time of a user saving data on a storage medium and encrypting at a 1st base. It is a sequence diagram which shows the process at the time of a user carrying a storage medium and leaving a 1st base. It is a sequence diagram which shows the process at the time of a user carrying a storage medium and entering a 2nd base. It is a sequence diagram which shows the process at the time of a user decoding the encryption data preserve | saved at the 2nd base | sauce at the storage medium. It is a sequence diagram which shows the process at the time of a user decoding the encryption data preserve | saved at the 2nd base | sauce at the storage medium.

<First Embodiment>
Hereinafter, a first embodiment of the present invention will be described with reference to the accompanying drawings.
In the present invention, a USB (Universal Serial Bus) memory to be taken out and its use location are pre-registered, and when taking out, the entry / exit history is automatically recorded, and at the time of use, the decryption key is issued by comparing with the entry / exit history. To cancel encryption.

  Although a USB memory is assumed here, the USB memory is only an example. In practice, the present invention can also be implemented using removable media other than USB memory. Examples of removable media other than USB memory include other flash memories such as SD memory card (Secure Digital memory card), floppy disk (registered trademark), MO (magneto-optical disk), CD-R / RW, and DVD- A storage medium such as R / RW, a removable hard disk drive case, an external hard disk, a mobile notebook PC (personal computer), a portable terminal, and the like are conceivable. However, actually, it is not limited to these examples.

  As shown in FIG. 1, the in-house network system according to the present invention includes a base 100, a base 200, and a management server 10.

  The base 100 includes a user terminal 110, a gate 120, and a USB memory 30.

  The base 200 includes a user terminal 210 and a gate 220.

  In the in-house network system according to the present invention, the user terminal 110 and gate 120 installed in the base 100, the user terminal 210 and gate 220 installed in the base 200, and the management server 10 are connected via the network 20. Has been.

  The management server 10 plays a role as a storage medium management device of the present invention.

  Examples of the user terminal 110 and the user terminal 210 include a PC (personal computer), a thin client terminal, a workstation, a home game machine, an interactive television, a digital tuner, a digital recorder, an information home appliance, and OA (Office Automation). ) Equipment is considered. However, actually, it is not limited to these examples.

  As an example of the management server 10, a PC, a thin client server, a workstation, a mainframe, a supercomputer, and the like can be considered. However, actually, it is not limited to these examples.

  Examples of the network 20 include the Internet, a LAN (Local Area Network), a wireless LAN (Wireless LAN), a cable TV (CATV) line, a fixed telephone network, a mobile phone network, a leased line, a serial communication line, and the like. It is done. However, actually, it is not limited to these examples.

  The USB memory 30 can be connected to the user terminal 110 and the user terminal 210 through a USB interface.

  The USB memory 30 may be a removable medium other than the USB memory. Examples of removable media other than USB memory are as described above. The removable media other than the USB memory may be connected to the user terminal 110 and the user terminal 210 according to a standard other than USB.

  An RFID (Radio Frequency Identification) tag is attached to the USB memory 30. The RFID tag is a minute wireless IC (Integrated Circuit) chip used for identifying an object. The gate 120 and the gate 220 can read the RFID tag of the USB memory 30 wirelessly. In other words, although not shown, each of the gate 120 and the gate 220 includes at least a mechanism for reading the RFID tag of the USB memory 30 in a contact / non-contact manner and a mechanism for communicating via the network 20. Actually, the identification medium added to the USB memory 30 is not limited to the RFID tag, and may be one having the same function as the RFID tag or one having the same effect as the RFID tag. good.

  The user terminal 110 and the user terminal 210 are terminals used by a user to connect the USB memory 30 and store, encrypt, and decrypt data to be taken out.

  The user terminal 110 and the user terminal 210 are also used when registering information of the USB memory 30 taken out of the base in the management server 10 and when requesting an encryption key and a decryption key from the management server 10.

  That is, the user terminal 110 and the user terminal 210 register information on the USB memory 30 in the management server 10 and request an encryption key from the management server 10 when the USB memory 30 taken out of the base is connected by the user. Then, the taken-out data is stored and encrypted with respect to the connected USB memory 30. Further, when the user terminal 110 and the user terminal 210 acquire encrypted data from the connected USB memory 30, the user terminal 110 and the user terminal 210 request the decryption key from the management server 10 and decrypt the encrypted data.

  The gate 120 and the gate 220 are installed at locations where the user passes when carrying the USB memory 30 and entering or leaving (entering or leaving) the base. The gate 120 and the gate 220 read the RFID tag of the USB memory 30 and transmit the read information to the management server 10.

  The management server 10 includes a USB memory management unit 11, a key generation unit 12, a gate pass recording unit 13, and an information verification unit 14.

  The USB memory management unit 11 records registration information of the USB memory 30 sent from the user terminal 110 and the user terminal 210, and includes an encryption key used when encrypting and decrypting data stored in the USB memory 30 The decryption key is transmitted to the user terminal 110 and the user terminal 210.

  In addition, the USB memory management unit 11 requests the key generation unit 12 to generate an encryption key and a decryption key.

  In addition, the USB memory management unit 11 provides the available location information of the USB memory 30 to the information matching unit 14. The usable location information of the USB memory 30 is information indicating a location where the USB memory 30 can be used or a location where the USB memory 30 is scheduled to be used. Note that the USB memory management unit 11 may acquire the usable location information of the USB memory 30 as one of the registration information of the USB memory 30 sent from the user terminal 110 and the user terminal 210.

  In response to a request from the USB memory management unit 11, the key generation unit 12 generates an encryption key and a decryption key used when encrypting and decrypting data stored in the USB memory 30, and the encryption key and the decryption key To the USB memory management unit 11.

  Here, the key generation unit 12 generates a one-to-one asymmetric key as the encryption key and the decryption key.

  The gate passage recording unit 13 records the passage information of the USB memory 30 sent from the gate 120 and the gate 220 and accumulates the information as a passage history.

  Further, the gate passage recording unit 13 provides the latest passage information to the information matching unit 14.

  The information collation unit 14 collates the available location information sent from the USB memory management unit 11 with the latest passage information sent from the gate passage recording unit 13 and determines whether or not a decryption key can be issued.

<Description of operation>
2A to 5B, the user who uses the USB memory 30 stores the data in the USB memory 30 and encrypts it at the base 100, and then moves to the base 200 to decrypt the data. The processing when taking out will be described.

  First, with reference to FIG. 2A and FIG. 2B, a process when the user stores data in the USB memory 30 and encrypts it at the base 100 will be described.

(1) Step A1
A user at the base 100 connects the USB memory 30 to the user terminal 110 and stores data in the USB memory 30. That is, the user terminal 110 stores data in the USB memory 30 when the USB memory 30 is connected by a user at the site 100.

(2) Step A2
Next, the user terminal 110 automatically communicates with the management server 10 via the network 20 in response to a user operation or when the connection of the USB memory 30 or the storage of data in the USB memory 30 is detected. The connection is made, and the ID information (identification information) of the USB memory 30 and the available location information of the USB memory 30 are transmitted to the management server 10. The ID information of the USB memory 30 is ID information recorded on an RFID tag attached to the USB memory 30. At this time, the user terminal 110 registers the ID information of the base 100 and the base 200 as the available place in the available place information. The ID information of the base 100 and the base 200 may be ID information of the user terminal 110 and the user terminal 120 or ID information of the gate 120 and the gate 220.

  Here, the user terminal 110 transmits the ID information and the usable location information of the USB memory 30 directly or indirectly input by the user to the management server 10. It should be noted that the ID information and the available location information of the USB memory 30 can be used by the user terminal 110 itself, a local server on the LAN of the base 100, or the user so that the user can view / use the user terminal 110. May be electronically recorded on the ID card (employee ID card, etc.). Alternatively, the user terminal 110 uses the RFID tag reading device mounted on or connected to the user terminal 110 to record the ID information and available location information of the USB memory 30 recorded on the RFID tag itself attached to the USB memory 30. May be read and transmitted to the management server 10.

(3) Step A3
Next, the USB memory management unit 11 of the management server 10 receives information from the user terminal 110 and records the ID information and the available location information of the USB memory 30.

(4) Step A4
Next, the user terminal 110 requests the management server 10 to issue an encryption key in order to encrypt data stored in the USB memory 30 in response to a user operation or automatically.

(5) Step A5
Next, when the USB memory management unit 11 of the management server 10 receives an encryption key issue request from the user terminal 110, the USB memory management unit 11 requests the key generation unit 12 to generate an encryption key and a decryption key.

(6) Step A6
Next, when receiving the key generation request, the key generation unit 12 generates an encryption key and a decryption key as a pair of asymmetric keys.

(7) Step A7
The key generation unit 12 transmits the generated encryption key and decryption key to the USB memory management unit 11.

(8) Step A8
Next, when receiving the encryption key and the decryption key from the key generation unit 12, the USB memory management unit 11 records the encryption key and the decryption key together with the recorded ID information and available location information of the USB memory 30. . Here, the USB memory management unit 11 records the ID information, the usable location information, the encryption key, and the decryption key of the USB memory 30 in association with each other.

(9) Step A9
The USB memory management unit 11 transmits only the encryption key to the user terminal 110.

(10) Step A10
Next, the user terminal 110 automatically uses the encryption key issued by the management server 10 in response to the user's operation or when receiving the encryption key, and stores the data stored in the USB memory 30. Encrypt.

  Note that when the user terminal 110 encrypts the data stored in the USB memory 30 (for example, when the encryption is completed), the user terminal 110 encrypts the ID information of the USB memory 30 and the data stored in the USB memory 30. The management server 10 may be notified of the time (date and time) performed. In this case, the USB memory management unit 11 of the management server 10 records the time (date and time) at which the data stored in the USB memory 30 was encrypted together with the ID information and the available location information of the USB memory 30. . As a result, the USB memory management unit 11 can later confirm whether or not the data stored in the USB memory 30 has been encrypted.

(11) Step A11
The user removes the USB memory 30 from the user terminal 110.

  Next, a process when the user carries the USB memory 30 and leaves the base 100 through the gate 120 (exit) will be described with reference to FIG.

(1) Step B1
The management server 10 registers the ID information of the gate 120 in the gate passage recording unit 13 in advance as a gate installed at the base 100. The gate passage recording unit 13 stores the ID information of the gate 120 as a gate installed at the base 100.

(2) Step B2
The gate 120 reads RFID tag information added to the USB memory 30 when the user passes through the gate 120. The RFID tag information includes ID information of the USB memory 30.

(3) Step B3
The gate 120 transmits the read ID information of the USB memory 30, information about the time (date and time) passed through the gate 120, and the ID information of the gate 120 to the management server 10.

(4) Step B4
The gate passage recording unit 13 stores the ID information of the USB memory 30 received from the gate 120, information about the time (date and time) passed through the gate 120, and the ID information of the gate 120 as a gate passage record.

  Next, a process when the user carries the USB memory 30 and enters the base 200 through the gate 220 (entrance) will be described with reference to FIG.

(1) Step C1
The management server 10 registers the ID information of the gate 220 in the gate passage recording unit 13 in advance as a gate installed at the base 200. The gate passage recording unit 13 stores the ID information of the gate 220 as a gate installed at the base 200.

(2) Step C2
The gate 220 reads the RFID tag information added to the USB memory 30 when the USB memory 30 passes through the gate 220.

(3) Step C3
The gate 220 transmits the read ID information of the USB memory 30, information about the time (date and time) when the USB memory 30 passes through the gate 220, and the ID information of the gate 220 to the management server 10.

(4) Step C4
The gate passage recording unit 13 of the management server 10 receives the ID information of the USB memory 30, the information about the time (date and time) passed through the gate 220, and the ID information of the gate 220 from the gate 220 and stores them as a gate passage record. To do.

  At this time, when storing the gate pass record, the USB memory management unit 11 does not overwrite the pass record of the gate 120 saved in step B4 in FIG. To accumulate.

  Next, processing when the user decrypts the encrypted data stored in the USB memory 30 at the base 200 will be described with reference to FIGS. 5A and 5B.

(1) Step D1
In order to determine whether or not the decryption key is issued, the information matching unit 14 sets in advance an effective time from the gate passage time to the decryption key issuance request time.

(2) Step D2
Next, the user at the site 200 connects the USB memory 30 to the user terminal 210.

(3) Step D3
Next, the user terminal 210 automatically connects to the management server 10 via the network 20 in response to a user operation or when the connection of the USB memory 30 is detected. A decryption key issuance request (decryption key issuance request) for decrypting the encrypted data stored in the USB memory 30 is transmitted to the management server 10. At this time, the user terminal 210 may transmit the ID information of the user terminal 210 to the management server 10 together with the ID information of the USB memory 30.

  Here, the user terminal 210 transmits the ID information of the USB memory 30 and the available location information input directly or indirectly by the user to the management server 10. It should be noted that the ID information and available location information of the USB memory 30 can be used by the user terminal 210 itself, a local server on the LAN of the base 200, or the user so that the user can browse / use the user terminal 210 using the user terminal 210. May be electronically recorded on the ID card (employee ID card, etc.). Alternatively, the user terminal 210 uses the RFID tag reader mounted on or connected to the user terminal 210 to record the ID information and available location information of the USB memory 30 recorded on the RFID tag itself attached to the USB memory 30. May be read and transmitted to the management server 10.

(4) Step D4
Next, the USB memory management unit 11 of the management server 10 receives the ID information of the USB memory 30 and the decryption key issuance request, and receives the ID information of the USB memory 30, the available location information of the USB memory 30, and the decryption key. Information relating to the time (date) when the issue request is received is transmitted to the information matching unit 14. Then, the USB memory management unit 11 transmits a data verification request (data verification request) to the information verification unit 14.

(5) Step D5
The information collation unit 14 receives the ID information of the USB memory 30, the available location information of the USB memory 30, and information (decryption key issuance request time) related to the time (date and time) when the decryption key issuance request is received. Further, when receiving the data verification request, the information verification unit 14 transmits the ID information of the USB memory 30 requested to issue the decryption key to the gate pass recording unit 13, so that the latest gate pass recording of the USB memory 30 is performed. Request.

(6) Step D6
Next, based on the ID information of the USB memory 30 received from the information matching unit 14, the gate passage recording unit 13 stores the latest recording when the USB memory 30 passes through the gate in the accumulated and stored gate passage recording. Search from within.

(7) Step D7
Next, when the gate passage recording unit 13 finds a record when the USB memory 30 passes through the gate 220 as the latest gate passage record from the accumulated gate passage records, the gate passage recording unit 13 detects the record when the gate 220 is installed. Information on a certain base 200 (latest base information) and information (gate passage time) about the time (date and time) passed through the gate 220 are transmitted to the information collating unit 14. The latest base information indicates the base where the USB memory 30 is currently located (the current location of the USB memory 30). The information of the base 200 may be ID information of the gate 220.

(8) Step D8
Next, the information collation unit 14 collates the information received from the USB memory management unit 11 with the information received from the gate passage recording unit 13 and uses the USB memory 30 at a usable location where decoding is registered in advance. Check if it is done.

(9) Step D9
First, in order to confirm whether the latest location of the USB memory 30 is included in the pre-registered available locations, the information matching unit 14 uses the available location information received from the USB memory management unit 11, the gate The latest base information received from the passage recording unit 13 is collated.

  Here, since the base 200 is registered as an available place and the information of the base 200 is received as the latest base information, the information matching unit 14 determines that the matching result is OK. That is, the information matching unit 14 determines that the base 200 notified as the latest base information is registered as an available place.

(10) Step D10
Next, the information collation unit 14 calculates a difference time (gate) between the decryption key issue request time received from the USB memory management unit 11 and the gate passage time (time passed through the gate 220) received from the gate passage recording unit 13. It is confirmed whether the time from the transit time to the decryption key issue request time is within the valid time set in advance in step D1.

  This is because if the gate passage time is considerably older than the decryption key issuance request time, the location at the time of passing the gate may not match the location at the time of requesting the decryption key issuance. This is to avoid the risk of information leakage by not issuing a decryption key when a decryption key issuance request is not issued.

  At this time, the information collation unit 14 determines that the difference time between the latest gate passage time (time passed through the gate 220) and the latest previous gate passage time (time passed through the gate 120) is an effective time. You may make it confirm whether it is in.

  Further, the information collation unit 14 determines that the difference time between the decryption key issuance request time received from the USB memory management unit 11 and the latest previous gate passage time (the time that has passed through the gate 120) is within the valid time. You may make it confirm.

  In these cases, in step D6, the gate passage recording unit 13 determines the latest recording and the latest recording when the USB memory 30 passes through the gate based on the ID information of the USB memory 30 received from the information matching unit 14. The previous record is retrieved from the accumulated gate-pass records. In step D7, the gate passage recording unit 13 updates the latest base information (information about the base 200), the latest gate passage time (the time passed through the gate 220), and the previous base information (the base 100 information). Information) and the previous gate passage time (time when the gate 120 is passed) are transmitted to the information matching unit 14.

  Actually, there may be a case where the base 200 is an individual home or the like and the gate 220 does not exist. In this case, the latest gate passing record is a record when the USB memory 30 passes the gate 120. The USB memory management unit 11 acquires the ID information of the user terminal 210 and transmits it to the information verification unit 14. The gate passage recording unit 13 transmits information (gate passage time) on the time (date and time) passed through the gate 120 to the information matching unit 14. The information matching unit 14 treats the ID information of the user terminal 210 as the latest base information (base 200 information), and receives the decryption key issue request time received from the USB memory management unit 11 and the gate passage time (passes through the gate 120). Confirm that the time of the difference with the time is within the valid time.

(11) Step D11
Next, when the information collation unit 14 determines that the decryption key issuance request is made from the available location within a certain time (within the valid time) after passing through the gate as a result of the collation in Step D9 and Step D10, the information collation unit 14 determines the collation result OK The data is transmitted to the memory management unit 11.

(12) Step D12
Next, when receiving the collation result OK, the USB memory management unit 11 transmits the decryption key recorded in step A8 in FIG. 2B to the user terminal 210.

  At this time, it is preferable that the USB memory management unit 11 records the ID information of the USB memory 30, the ID information of the user terminal 210, and the time (date and time) when the decryption key is transmitted to the user terminal 210 in association with each other. . When the ID information of the user terminal 210 is unknown, the USB memory management unit 11 uses the IP address of the transmission source (user terminal 210) of the decryption key issue request (decryption key issue request) as the ID of the user terminal 210. It may be used as information. As a result, the USB memory management unit 11 can later confirm to which user terminal the decryption key has been transmitted.

(13) Step D13
Next, the user terminal 210 uses the decryption key issued by the management server 10 automatically in response to a user operation or when a decryption key is received, and the encryption stored in the USB memory 30 Decrypt data. As a result, the user can use the data at the base 200.

  When the user terminal 210 decrypts the data stored in the USB memory 30 (for example, when decryption is completed), the user terminal 210 ID information, the user terminal 210 ID information, and the USB memory 30 The management server 10 may be notified of the time (date and time) at which the data stored in is decrypted. In this case, the USB memory management unit 11 of the management server 10 associates the ID information of the USB memory 30, the ID information of the user terminal 210, and the time (date and time) when the data stored in the USB memory 30 was decrypted. Record. As a result, the USB memory management unit 11 can later confirm at which user terminal the data stored in the USB memory 30 has been decrypted.

(14) Step D14
Note that the information collation unit 14 determines whether the base notified as the latest base information is not registered as an available place as a result of the collation in steps D9 and D10, or the gate passage received from the gate passage recording unit 13 If the time is not within the preset valid time, the verification result NG is transmitted to the USB memory management unit 11. In this case, the USB memory management unit 11 does not transmit the decryption key recorded in step A8 in FIG. 2B to the user terminal 210. At this time, the USB memory management unit 11 may notify the user terminal 210 that the collation result is NG.

  As described above, according to the present invention, a user is registered in advance in the management server, and a pair of asymmetric encryption / decryption keys for encrypting / decrypting data in the USB memory is generated at that time. Then, only the encryption key is issued to the user. Then, when the data is encrypted using the issued encryption key and the USB memory is taken out, information on the entry / exit time (date / time) at the place of use is automatically recorded. When decrypting data, the management server issues a decryption key to the user after confirming the location and time of use.

  According to the present invention, when the user registers the use location in advance in the management server and decrypts the encrypted data, the decryption key is issued from the management server after confirming the use location and time each time. In addition to restricting the place and time of use, users do not need to manage passwords themselves and can reduce the risk of leakage.

  In addition, since the time and place information when the USB memory is carried and entered / exited (entrance / exit) is automatically recorded, tracking is facilitated by referring to the history when it is lost.

<Second Embodiment>
The second embodiment of the present invention will be described below.
In the first embodiment of the present invention, the case where the USB memory 30 moves between a plurality of bases has been described. However, as another embodiment, a case where the user terminal 110 and the user terminal 210 themselves are portable is also conceivable. In such a case, the user terminal 110, the user terminal 210, and the USB memory 30 are the same.

<Third Embodiment>
The third embodiment of the present invention will be described below.
A case where the user terminal 110 and the user terminal 210 simultaneously function as the gate 120 and the gate 220 can be considered.

  For example, when the USB memory 30 moves from the base 100 to the base 200 as in the first embodiment, the user terminal 110 reads an RFID tag attached to the USB memory 30, and the USB memory 30 is read from the user terminal 110. When the USB memory 30 is removed, the ID information (RFID tag information) of the USB memory 30, the information about the time (date and time) when the USB memory 30 is removed from the user terminal 110, and the ID information of the base 100 are transmitted to the management server 10. To do.

  The time (date / time) when the USB memory 30 is removed from the user terminal 110 corresponds to the time (date / time) when the USB memory 30 passes through the gate 120. The ID information of the base 100 is used instead of the ID information of the gate 120. The ID information of the base 100 is information that does not depend on the user terminal 110 itself. As an example of the ID information of the base 100, a serial number or an IP address of a relay device (router or the like) in the base 100 used for communication between the user terminal 110 and the management server 10 can be considered. However, actually, it is not limited to these examples.

  Further, the user terminal 210 reads the RFID tag added to the USB memory 30, and when the USB memory 30 is connected to the user terminal 210, the ID information of the USB memory 30 and the USB memory 30 are transferred to the user terminal 210. Information regarding the connected time (date and time) and ID information of the base 200 are transmitted to the management server 10.

  The time (date / time) when the USB memory 30 is connected to the user terminal 210 corresponds to the time (date / time) when the USB memory 30 passes through the gate 220. The ID information of the base 200 is used instead of the ID information of the gate 220. The ID information of the base 200 is information that does not depend on the user terminal 210 itself. As an example of the ID information of the base 200, a serial number or an IP address of a relay device (router or the like) in the base 200 used for communication between the user terminal 210 and the management server 10 can be considered. However, actually, it is not limited to these examples.

  In such a case, the user terminal 110 and the gate 120 are the same. Further, the user terminal 210 and the gate 220 are the same.

<Fourth embodiment>
The fourth embodiment of the present invention will be described below.
In the first embodiment of the present invention, a passive tag is assumed as the RFID tag. However, when the USB memory 30 itself has a power source, the RFID tag added to the USB memory 30 is An active tag may be used.

  Further, when the USB memory 30 itself has a power source, a transmitting device that transmits a predetermined signal itself may be added to the USB memory 30 instead of the RFID tag. In this case, the gate 120 and the gate 220 receive a predetermined signal from the transmitting device added to the USB memory 30, and identify the USB memory 30 based on the received signal.

<Fifth Embodiment>
The fifth embodiment of the present invention will be described below.
In the first embodiment of the present invention, an example in which an RFID tag is added to the USB memory 30 has been described. However, as another embodiment, for example, a QR code (Quick Response code) (registered trademark) or the like is used instead of the RFID tag. A case where the two-dimensional code is added to the surface of the USB memory 30 is also conceivable. At this time, it is assumed that a reading device for a two-dimensional code is mounted on the gate 120 and the gate 220.

  That is, in the present invention, the USB memory 30 is physically added with identification information regardless of the data holding function of the USB memory 30 itself. Here, even if another storage medium storing the identification information of the USB memory 30 such as an RFID tag is added to the USB memory 30, it is assumed that the identification information is physically added.

  Essentially, the gate 120 and the gate 220 may have a function of recognizing identification information physically added to the USB memory 30 when the USB memory 30 passes. For example, the gate 120 and the gate 220 are used as identification information of the USB memory 30 when a special pattern is added to the surface of the USB memory 30 or when the shape of the USB memory 30 is specially processed. These patterns and processing may be recognized as identification information of the USB memory 30.

  Note that the above embodiments can be implemented in combination. For example, the gate 120 and the gate 220 may correspond to each embodiment.

  As mentioned above, although embodiment of this invention was explained in full detail, actually, it is not restricted to said embodiment, Even if there is a change of the range which does not deviate from the summary of this invention, it is included in this invention.

DESCRIPTION OF SYMBOLS 10 ... Management server 11 ... USB memory management part 12 ... Key generation part 13 ... Gate passage recording part 14 ... Information collation part 20 ... Network 30 ... USB memory 100, 200 ... Base 110, 210 ... User terminal 120, 220 ... Gate

Claims (21)

Key generation means for generating a pair of encryption key and decryption key used when encrypting and decrypting data stored in the storage medium;
When the storage medium is moved from the first base to the second base, the first communication terminal at the first base is physically connected to the storage medium without using the data holding function of the storage medium itself. Receiving and recording the added storage medium identification information and the usable place information indicating the usable place of the storage medium, requesting the key generation means to generate the encryption key and the decryption key, and An encryption key is transmitted to the first communication terminal, the storage medium identification information is received from the second communication terminal at the second base, and the available location information corresponding to the received identification information is referred to And a storage medium management unit that transmits the decryption key to the second communication terminal if the second base is an available place. The storage medium management device according to claim 1,
When the storage medium management unit receives the encryption key and the decryption key from the key generation unit, the storage medium management unit records the storage medium identification information, the available location, the encryption key, and the decryption key in association with each other. . The storage medium management device according to claim 1 or 2,
When the storage medium moves from the first base to the second base, the storage medium is identified from the first gate when the storage medium passes through the first gate at the first base. Receiving the information, the transit time of the storage medium, and the identification information of the first gate, and when the storage medium passes through the second gate at the second base, from the second gate to the storage medium Gate passage recording means for receiving identification information, passage time of the storage medium, and identification information of the second gate, and recording and storing information received from the first gate and the second gate as passage history;
The storage medium management means receives the storage medium identification information, the available location information, and a decryption key issuance request time indicating a time when the decryption key issuance request is received from the second communication terminal. Based on the latest passage history recorded in the gate passage recording means, the second base can be used when the latest passage history includes the identification information of the second gate. It is confirmed whether it is included in the location information, and if the second location is included in the available location information, the time from the time when the storage medium passes through the second gate to the decryption key issue request time Information verification means for confirming whether the verification result is within the valid time range, and if within the valid time range, the verification result OK is notified to the storage medium management means,
The storage medium management unit transmits the decryption key to the second communication terminal according to the collation result OK. The storage medium management device according to claim 3,
The information collating unit refers to the latest passage history and the latest previous passage history based on the storage medium identification information, and the latest passage history includes the identification information of the second gate, When the latest previous passage history includes the identification information of the first gate, it is confirmed whether the second location is included in the available location information, and the second location is If it is included in the available location information, it is confirmed whether the time from the time when the storage medium passes through the first gate to the time when the storage medium passes through the second gate is within the valid time range, If it is within the time range, the verification result OK is notified to the storage medium management means. The storage medium management device according to claim 3,
The information collating unit receives the identification information of the second communication terminal together with the storage medium identification information, the usable location information, and the decryption key issue request time from the storage medium management unit, and the storage medium identification information The latest passage history recorded in the gate passage recording means, and when the latest passage history includes the identification information of the first gate, the identification information of the second communication terminal As the identification information of the second base, confirms whether the second base is included in the usable location information, and if the second base is included in the usable location information, It is confirmed whether the time from the time when the storage medium passes through the first gate to the decryption key issuance request time is within the valid time range. If the time is within the valid time range, the verification result OK is stored in the storage medium management means. Notification storage medium management apparatus. The storage medium identification information physically added to the storage medium without using the data holding function of the storage medium itself and the available place information indicating the available place of the storage medium are transmitted at the first base A first communication terminal that
A second communication terminal located at a second site and transmitting the storage medium identification information;
A storage medium management device capable of communicating with the first communication terminal and the second communication terminal;
The storage medium management device includes:
When the storage medium moves from the first base to the second base, the storage physically added to the storage medium from the first communication terminal without using the data holding function of the storage medium itself Means for receiving and recording medium identification information and usable location information indicating the usable location of the storage medium;
Means for generating a pair of encryption key and decryption key used when encrypting and decrypting data stored in the storage medium;
Means for transmitting the encryption key to the first communication terminal;
Means for receiving the storage medium identification information from the second communication terminal;
Means for referencing available location information corresponding to the received identification information;
A storage medium management system comprising: means for transmitting the decryption key to the second communication terminal if the second site is an available location. The storage medium management system according to claim 6,
The storage medium management device includes:
A storage medium management system further comprising means for recording the storage medium identification information, the available location, the encryption key, and the decryption key in association with each other when the encryption key and the decryption key are generated. The storage medium management system according to claim 6 or 7,
A first gate at the first location;
A second gate at the second base,
The storage medium management device includes:
When the storage medium moves from the first base to the second base, when the storage medium passes through the first gate, the storage medium identification information, the storage medium Means for receiving a transit time and identification information of the first gate;
Means for receiving the storage medium identification information, the passage time of the storage medium, and the identification information of the second gate from the second gate when the storage medium passes through the second gate;
Means for recording and accumulating information received from the first gate and the second gate as a passage history;
When receiving a decryption key issuance request from the second communication terminal, the storage medium identification information, the available location information, and a decryption key issuance request time indicating the time when the decryption key issuance request is received from the second communication terminal Means to refer to
Based on the storage medium identification information, means for referring to the latest passage history among the accumulated passage histories;
Means for confirming whether the second location is included in the available location information when the identification information of the second gate is included in the latest passage history;
Means for confirming whether the time from the time when the storage medium passes through the second gate to the decryption key issuance request time is within the valid time range if the second location is included in the available location information; ,
A storage medium management system further comprising means for determining that the verification result is OK within the valid time range and transmitting the decryption key to the second communication terminal. The storage medium management system according to claim 8,
The storage medium management device includes:
Means for referring to the latest passage history and the latest previous passage history based on the storage medium identification information;
When the latest passage history includes the identification information of the second gate, and the latest previous passage history includes the identification information of the first gate, the second base can be used. A means to check if it is included in the location information,
If the second location is included in the available location information, the time from the time when the storage medium passes through the first gate to the time when the storage medium passes through the second gate is an effective time. A means to check if it is within range,
A storage medium management system further comprising means for notifying the storage medium management apparatus of the collation result OK within the valid time range. The storage medium management system according to claim 8,
The storage medium management device includes:
Means for receiving the identification information of the second communication terminal together with the storage medium identification information, the available location information, and the decryption key issue request time;
Means for referring to the latest passage history based on the storage medium identification information;
When the latest passage history includes the identification information of the first gate, the identification information of the second communication terminal is used as the identification information of the second base, and the second base can be used. A means to check if it is included in the location information,
Means for confirming whether the time from when the storage medium passes through the first gate to the decryption key issuance request time is within the valid time range if the second location is included in the available location information; ,
A storage medium management system further comprising means for notifying the storage medium management apparatus of the collation result OK within the valid time range.   A storage medium used in the storage medium management system according to any one of claims 6 to 10. When the storage medium moves from the first base to the second base, it is physically added to the storage medium from the first communication terminal at the first base without using the data holding function of the storage medium itself. Receiving and recording the recorded storage medium identification information and the usable location information indicating the usable location of the storage medium;
Generating a pair of encryption and decryption keys to be used when encrypting and decrypting data stored in the storage medium;
Transmitting the encryption key to the first communication terminal;
Receiving the storage medium identification information from a second communication terminal at the second base;
Referring to available location information corresponding to the received identification information;
A storage medium management method comprising: transmitting the decryption key to the second communication terminal if the second location is an available location. A storage medium management method according to claim 12, comprising:
A storage medium management method further comprising: storing the encryption key and the decryption key in association with storage medium identification information, the available location, the encryption key, and the decryption key. The storage medium management method according to claim 12 or 13,
When the storage medium moves from the first base to the second base, the storage medium is identified from the first gate when the storage medium passes through the first gate at the first base. Receiving information, transit time of the storage medium, and identification information of the first gate;
When the storage medium passes through the second gate at the second base, the storage medium identification information, the passage time of the storage medium, and the identification information of the second gate are received from the second gate. And
Recording and storing information received from the first gate and the second gate as passage history;
When receiving a decryption key issuance request from the second communication terminal, the storage medium identification information, the available location information, and a decryption key issuance request time indicating the time when the decryption key issuance request is received from the second communication terminal And refer to
Based on the storage medium identification information, referring to the latest passage history among the accumulated passage histories;
If the latest passage history includes the identification information of the second gate, confirming whether the second location is included in the available location information;
If the second location is included in the available location information, confirming whether the time from when the storage medium passes through the second gate to the decryption key issue request time is within the valid time range; ,
A storage medium management method further comprising: determining that the collation result is OK if it is within the valid time range, and transmitting the decryption key to the second communication terminal. The storage medium management method according to claim 14,
Referring to the latest passage history and the latest previous passage history based on the storage medium identification information;
When the latest passage history includes the identification information of the second gate, and the latest previous passage history includes the identification information of the first gate, the second base can be used. Check if it ’s included in the location information,
If the second location is included in the available location information, the time from the time when the storage medium passes through the first gate to the time when the storage medium passes through the second gate is an effective time. Make sure it ’s within range,
A storage medium management method further comprising: notifying the storage medium management apparatus of the verification result OK if within the valid time range. The storage medium management method according to claim 14,
The storage medium management device includes:
Receiving the identification information of the second communication terminal together with the storage medium identification information, the available location information, and the decryption key issue request time;
Referring to the latest passage history based on the storage medium identification information;
When the latest passage history includes the identification information of the first gate, the identification information of the second communication terminal is used as the identification information of the second base, and the second base can be used. Check if it ’s included in the location information,
If the second location is included in the available location information, confirming whether the time from the time when the storage medium passes through the first gate to the time when the decryption key issuance request time is within the valid time range; ,
A storage medium management method further comprising: notifying the storage medium management apparatus of the verification result OK if within the valid time range. When the storage medium moves from the first base to the second base, it is physically added to the storage medium from the first communication terminal at the first base without using the data holding function of the storage medium itself. Receiving and recording the recorded storage medium identification information and the usable place information indicating the usable place of the storage medium;
Generating a pair of encryption key and decryption key used when encrypting and decrypting data stored in the storage medium;
Transmitting the encryption key to the first communication terminal;
Receiving the storage medium identification information from a second communication terminal at the second base;
Referring to available location information corresponding to the received identification information;
A storage medium management program for causing a computer to execute the step of transmitting the decryption key to the second communication terminal if the second location is an available location. A storage medium management program according to claim 17,
A storage medium management program for causing a computer to further execute a step of recording the storage medium identification information, the available location, the encryption key, and the decryption key in association with each other when the encryption key and the decryption key are generated. A storage medium management program according to claim 17 or 18,
When the storage medium moves from the first base to the second base, the storage medium is identified from the first gate when the storage medium passes through the first gate at the first base. Receiving information, transit time of the storage medium, and identification information of the first gate;
When the storage medium passes through the second gate at the second base, the storage medium identification information, the passage time of the storage medium, and the identification information of the second gate are received from the second gate. Steps,
Recording and accumulating information received from the first gate and the second gate as a passage history;
When receiving a decryption key issuance request from the second communication terminal, the storage medium identification information, the available location information, and a decryption key issuance request time indicating the time when the decryption key issuance request is received from the second communication terminal A step of referring to
Referring to the latest passage history among the stored passage histories based on the storage medium identification information;
If the latest passage history includes the identification information of the second gate, confirming whether the second location is included in the available location information;
If the second location is included in the available location information, confirming whether the time from when the storage medium passes through the second gate to the decryption key issuance request time is within the valid time range; ,
A storage medium management program for causing a computer to execute a step of determining that the collation result is OK and transmitting the decryption key to the second communication terminal if it is within the valid time range. A storage medium management program according to claim 19, comprising:
Referring to the latest passage history and the latest previous passage history based on the storage medium identification information;
When the latest passage history includes the identification information of the second gate, and the latest previous passage history includes the identification information of the first gate, the second base can be used. A step to check if the location information is included,
If the second location is included in the available location information, the time from the time when the storage medium passes through the first gate to the time when the storage medium passes through the second gate is an effective time. A step to check if it is within range,
A storage medium management program for causing a computer to further execute the step of notifying the storage medium management apparatus of the collation result OK if within the valid time range. A storage medium management program according to claim 19, comprising:
The storage medium management device includes:
Receiving the identification information of the second communication terminal together with the storage medium identification information, the available location information, and the decryption key issuance request time;
Referring to the latest passage history based on the storage medium identification information;
When the latest passage history includes the identification information of the first gate, the identification information of the second communication terminal is used as the identification information of the second base, and the second base can be used. A step to check if the location information is included,
If the second location is included in the available location information, confirming whether the time from when the storage medium passes through the first gate to the decryption key issue request time is within the valid time range; ,
A storage medium management program for causing a computer to further execute the step of notifying the storage medium management apparatus of the collation result OK if within the valid time range.

Images