JP2012256253A - Information processor, information processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent information leakage by controlling access to files stored in a client terminal without degrading accessibility.SOLUTION: An information processor can communicate with a server which determines whether to transmit a key for decrypting files stored in the information processor according to topology of the information processor to a network. The information processor detects the topology to the network, transmits a key acquisition request including the detected topology to the server, and acquires a decryption key transmitted from the server, then decrypts the files stored in the information processor by using the decryption key.

Description

  The present invention relates to a technique for controlling access to a file.

  In recent years, information leakage from information processing devices that store confidential information has increased, and measures to prevent this include taking information processing devices outside and prohibiting connection to external networks. . However, depending on the business form, it is often necessary to take out the information processing apparatus to the outside or to connect to a network, and uniform measures cause inconveniences such as a reduction in business efficiency.

  Therefore, Patent Document 1 discloses a method for enciphering and taking out confidential information and restricting decryption depending on the use area.

JP 2008-141581 A

  However, in the system described in Patent Document 1, a network device is required for specifying a use area, and it is difficult to flexibly cope with external use. Further, when the management server cannot be used, the confidential file cannot be used.

  Furthermore, when unauthorized use due to impersonation occurs due to leakage or theft of credential information, all keys for encrypting files must be updated, resulting in great costs.

  Accordingly, the present invention has been made to solve the above-described problems, and an object thereof is to provide a mechanism capable of preventing information leakage without reducing convenience.

  The present invention is capable of connecting to a network, and based on the information indicating the connection form included in the decryption key request transmitted by the decryption key request transmitting means of the information processing device, a decryption key is assigned to the information processing device. An information processing apparatus that can be connected to an external server that determines whether or not to transmit, a detection unit that detects a connection form to a network, and a decryption key request that includes information indicating the connection form detected by the detection unit Is stored in the information processing apparatus using the decryption key request transmission means for transmitting to the external server, the decryption key acquisition means for acquiring the decryption key from the external server, and the decryption key acquired by the decryption key acquisition means And decrypting means for decrypting the file.

  Further, the present invention is capable of connecting to a network and decrypting the information processing apparatus based on information indicating a connection form included in the decryption key request transmitted by the decryption key request transmitting step of the information processing apparatus. An information processing method in an information processing apparatus connectable to an external server for determining whether or not to transmit a key, wherein the detection means of the information processing apparatus detects a connection form to a network, and the information A decryption key request transmission unit for transmitting a decryption key request including information indicating the connection form detected in the detection step to the external server; and a decryption key acquisition unit for the information processing device. A decryption key obtaining step for obtaining a decryption key from the external server, and a decryption unit of the information processing apparatus using the decryption key obtained by the decryption key obtaining step. Characterized in that it comprises a decoding step of decoding the files stored.

  Further, the present invention enables connection to a network and decrypts the information processing apparatus based on information indicating a connection form included in the decryption key request transmitted by the decryption key request transmission unit of the information processing apparatus. A program that can be executed by an information processing apparatus that can be connected to an external server that determines whether or not to transmit a key, the information processing apparatus being detected by a detection means that detects a connection form to a network, and the detection means A decryption key request transmitting means for transmitting a decryption key request including information indicating the connection form to the external server, a decryption key acquiring means for acquiring a decryption key from the external server, and a decryption acquired by the decryption key acquiring means It is made to function as a decoding means which decodes the file memorize | stored in the said information processing apparatus using the key.

  According to the present invention, it is possible to provide a mechanism capable of preventing information leakage without reducing convenience.

It is a figure which shows an example of a structure of a file access control system. It is a figure which shows an example of a hardware configuration. It is a figure which shows an example of the function of the key management server 103 shown in FIG. 1, and information processing apparatus (104,105,106). It is a flowchart which shows an example of the process at the time of encryption file opening. It is a flowchart which shows an example of the process at the time of a key management server issuing a key to information processing apparatus. It is a flowchart which shows an example of the process at the time of file writing. It is a flowchart which shows an example of the process at the time of file acquisition. It is a flowchart which shows an example of the process in the information processing apparatus at the time of file upload and deletion. It is a flowchart which shows an example of the process in the key management server at the time of file upload. It is a flowchart which shows an example of the process at the time of access rule information change. It is a figure which shows an example of the screen of a file management program. It is a figure which shows an example of the screen of a server management program. It is a figure which shows an example of a network definition list screen. It is a figure which shows an example of an access rule list screen. It is a figure which shows an example of an access rule setting screen. It is a figure which shows an example of a key transmission setting screen. It is a figure which shows an example of network definition information. It is a figure which shows an example of access rule information. It is a figure which shows an example of access control information. It is a figure which shows an example of key issue information. It is a figure which shows an example of holding | maintenance file information.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a diagram showing an example of the configuration of a file access control system according to an embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  Note that the configuration of various terminals connected to the network 107 in FIG. 1 is merely an example, and it goes without saying that there are various configuration examples depending on applications and purposes.

  Reference numeral 101 denotes an LDAP (Lightweight Directory Access Protocol) server. The LDAP server 101 provides a directory service for managing directory information of organizations and individuals using a corporate network. Note that the directory service applicable to this embodiment is not limited to LDAP, and may be other services such as Active Directory.

  Reference numeral 102 denotes a file server. This file server has a function of storing confidential files and non-confidential files used in business.

  Reference numeral 103 denotes a key management server. The user of the system according to the present invention acquires a file via the key management server 103 without directly accessing the file server when acquiring the confidential file from the file server. This key management server has a file encryption / decryption function, a key issue function, and a user authentication function using the LDAP server 101.

  Reference numeral 104 denotes an information processing apparatus connected to the intra-organization network. This information processing apparatus performs file transmission / reception with the key management server 103, network connection form detection, key storage processing, and encryption file decryption processing by a dedicated program.

  An information processing apparatus 105 connected to a network outside the organization is an information processing apparatus having a function equivalent to that of the information processing apparatus 104 connected to the intra-organization network. The network outside the organization corresponds to any network such as a corporate network at another base, a personal network of the information processing apparatus owner, and a public network.

  Reference numeral 106 denotes an information processing apparatus that cannot be connected to the key management server 103, and is an information processing apparatus having the same function as the information processing apparatus 104. The information processing apparatus 106 includes not only an information processing apparatus that is not connected to a network but also an information processing apparatus that is connected to a network that cannot reach the key management server 103.

  Hereinafter, an example of the hardware configuration of the information processing apparatus applicable to the various servers (101, 102, 103) and the information processing apparatuses (104, 105, 106) illustrated in FIG. 1 will be described with reference to FIG.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls devices and controllers connected to the system bus 204. Further, the ROM 203 or the external memory 211 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a function executed by each server or each PC. Various programs are stored.

  A RAM 202 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program necessary for execution of processing from the ROM 203 or the external memory 211 into the RAM 202 and executing the loaded program.

  An input controller 205 controls input from the input device 209 or the like. A video controller 206 controls display on a display device 210 such as a liquid crystal display. The display device is not limited to a liquid crystal display, and may be a CRT display or the like. These are used by clients as needed.

  A memory controller 207 is connected to the hard disk (HD), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, etc. via an adapter. The access to the external memory 211 such as a compact flash (registered trademark) memory is controlled.

  A communication I / F controller 208 connects and communicates with an external device via a network (for example, the LAN 400 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display device 210 by executing outline font rasterization processing on a display information area in the RAM 202, for example. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display device 210.

  Various programs that operate on the hardware are recorded in the external memory 211 and are executed by the CPU 201 by being loaded into the RAM 202 as necessary.

  It should be noted that not all devices have these configurations, and it is only necessary to provide necessary devices.

  FIG. 3 is a diagram illustrating an example of functions of the key management server 103 and the information processing apparatuses 104, 105, and 106 illustrated in FIG.

An access control management service 301 operates on the key management server 103 and provides functions of a network definition information management unit 302, an access rule information management unit 303, a key issue processing unit 304, and a communication control unit 305. .

  A network definition information management unit 302 provides a function for managing addition / change / deletion of a network connection mode assumed by the administrator.

  Reference numeral 303 denotes an access rule information management unit which provides a function for an administrator to define files and directories that are subject to access control, operations to be restricted, and users to be restricted.

  A key issue processing unit 304 provides functions for generating / transmitting keys and adding / deleting key issue information.

  A communication control unit 305 controls exchange of various information with the information processing apparatuses 104, 105, and 106.

  Reference numeral 306 denotes network definition information corresponding to the table shown in FIG.

  Reference numeral 307 denotes access rule information, which corresponds to the table shown in FIG.

  Reference numeral 308 denotes access control information, which corresponds to the table shown in FIG.

  Reference numeral 309 denotes key issue information, which corresponds to the table shown in FIG.

  Reference numeral 313 denotes a file management program that runs on the information processing apparatuses 104, 105, and 106, and provides functions of a key request processing unit 314, a file transmission / reception processing unit 315, a pre-processing unit 316, and a post-processing unit 317.

  A key request processing unit 314 provides a function of detecting a network connection form and requesting a key for decrypting the encrypted file to the key management server.

  A file transmission / reception processing unit 315 provides a function of acquiring a confidential file from the key management server and transmitting the confidential file to the key management server.

  Reference numeral 316 denotes a preprocessing unit that controls processing when an encrypted file is opened.

  Reference numeral 317 denotes a post-processing unit that controls processing at the time of file writing.

  Reference numeral 319 denotes retained file information, which corresponds to the table shown in FIG.

  Next, with reference to FIG. 4, processing when opening an encrypted file performed by the information processing apparatus (104, 105, 106) in the embodiment of the present invention will be described.

  Note that the process shown in the flowchart of FIG. 4 is a process in which the CPU 201 of the information processing apparatus reads and executes a predetermined control program.

  In step S401, the CPU 201 of the information processing apparatus accepts an open request for a file stored in the storage area of the information processing apparatus from the user.

  In step S402, the CPU 201 of the information processing apparatus calculates the hash value of the file that has received the open request in step S401. Note that the hash function is calculated using a hash function that is standardized throughout the system of the present invention using a known technique such as MD5 (Message Digest Algorithm 5).

  In step S403, the CPU 201 of the information processing apparatus determines whether or not the hash value calculated in step S402 is in the retained file information 319 (FIG. 21).

  If it is determined that it is step S403 (step S403: YES), the process proceeds to step S405.

  If it is determined that it is not step S403 (step S403: NO), the process proceeds to step S404.

  In step S404, the CPU 201 of the information processing apparatus determines that the file is not a confidential file managed by the key management server 103 because the hash value calculated in step S402 is not included in the retained file information. Delegate the open process to the OS. Then, the process shown in this flowchart is terminated.

  In step S405, the CPU 201 of the information processing apparatus determines whether the retained file information corresponding to the file that has received the open request from the user in step S401 includes the key information of the file.

  If there is key information (step S405: YES), the process proceeds to step S413.

  In step S413, the CPU 201 of the information processing apparatus confirms the expiration date of the key information and determines whether it is within the expiration date.

  If it is determined that it is within the expiration date (step S413: YES), the process proceeds to step S410.

  In step S410, the CPU 201 of the information processing apparatus determines that the file may be decrypted without confirming with the key management server 103, and decrypts the file using the key information. The encryption method used in the present invention is called a common key encryption method, and performs a unified encryption process for the entire system using a known technique such as AES (Advanced Encryption Standard).

  If it is determined that it is not within the expiration date (step S413: NO), the processing of this flowchart is terminated. At this time, a process of deleting key information from the retained file information may be executed.

  If there is no key information (step S405: NO), the process proceeds to step S406.

  In step S406, the CPU 201 of the information processing apparatus determines that a key request to the key management server 103 is necessary, tries to connect to the key management server 103, and determines whether connection is possible.

  If it is determined that connection to the key management server 103 is impossible (step S406: NO), it is determined that acquisition of key information is impossible, and a notification to that effect (such as displaying an error message) ) To end the processing shown in this flowchart.

  If it is determined that connection to the key management server 103 is possible (step S406: YES), the process proceeds to step S407.

  In step S407, the CPU 201 of the information processing apparatus detects a connection form to the network. As a method of detecting the network connection form, for example, detection is performed using a known technique such as a network configuration tool attached to the OS (ipconfig in the case of Windows (registered trademark), ifconfig in the case of Linux).

  In step S408, the CPU 201 of the information processing apparatus stores the file ID that can be acquired from the retained file information, the user information input by the user when the file management program 313 is started, and the network connection form information detected in step S407 in the key management server 103. Send.

  Here, referring to FIG. 5, the key management server 103 executes when the file ID, user information, and network connection form are transmitted from the information processing apparatus to the key management server 103 in step S408 of FIG. The key issuing process will be described.

  Note that the processing shown in the flowchart of FIG. 5 is processing in which the CPU 201 of the key management server 103 reads and executes a predetermined control program.

  In step S501, the CPU 201 of the key management server 103 receives the file ID, user information, and network connection form transmitted from the information processing apparatus.

  In step S502, the CPU 201 of the key management server 103 determines whether or not the received user information is valid. Specifically, for example, using the LDAP server 101 or the like, the determination is made based on whether or not the user information is registered.

  If it is determined to be valid (step S502: YES), the process proceeds to step S504.

  If it is determined that it is not valid (step S502: NO), the key transmission is rejected in step S503, and the processing shown in this flowchart is terminated.

  In step S504, the key management server 103 determines whether a key corresponding to the file ID received in step S501 has been issued to the user whose user information is determined to be valid. Specifically, the determination is made based on the user name and file ID registered in the key issuance information (FIG. 20).

  If it is determined that a key has been issued (step S504: YES), the process proceeds to step S505.

  If it is determined that the key has not been issued (step S504: NO), the key transmission is rejected in step S503, and the processing shown in this flowchart ends.

  In step S505, the key management server 103 acquires an entry corresponding to the user information and file ID acquired in step S501 from the key issue information (FIG. 20).

  In step S506, the key management server 103 determines whether the key expiration date of the entry acquired in step S505 has expired. Specifically, the determination is made by comparing the current time with the expiration date.

  If it is determined that the expiration date has expired (step S506: NO), the process of step S503 is executed, and the process shown in this flowchart is terminated.

  If it is determined that the expiration date has not expired (step S506: YES), the process proceeds to step S507.

  In step S507, the key management server 103 determines whether or not the network connection form received from the information processing apparatus in step S501 is in the network definition information 306 (FIG. 17).

  If it is determined that the network definition information is present (step S507: YES), the process proceeds to step S508.

  If it is determined that the network definition information does not exist (step S507: NO), it is determined that the connection is from a network that is not assumed by the administrator, and the process illustrated in this flowchart is terminated through the process of step 503.

  In step S508, the CPU 201 of the key management server 103 acquires an entry corresponding to the file ID received in step S501 from the access control information 308 (FIG. 19).

  In step S509, the CPU 201 of the key management server 103 acquires the user identified by the user ID acquired in step S501 based on the entry acquired in step S508 in step S501 in the network connection form acquired in step S501. It is determined whether the file identified by the file ID is accessible.

  If it is determined that access is possible (step S509: YES), the process proceeds to step S510.

  If it is determined that access is impossible (step S509: NO), the process of step S503 is executed, and the process shown in this flowchart is terminated.

In step S510, the CPU 201 of the key management server 103 specifies the file ID and the key from the user using the file determined to be accessible in step S509 and the key specified by the user (key issue information (FIG. 20)). ) And a list of operations permitted for the file by the access restriction information and the access rule ID are transmitted to the information processing apparatus. Then, the process shown in this flowchart is terminated.
Returning to the description of the flowchart shown in FIG.

  In step S409, the CPU 201 of the information processing apparatus determines whether there is a key information response from the key management server 103. Specifically, when the process of step S510 is executed, it is determined that there is a response from the key management server 103 (step S409: YES). On the other hand, when the process of step S503 is executed, it is determined that there is no response from the key management server 103 (step S409: NO).

  If there is a response from the key management server 103 (step S409: YES), the process proceeds to step S410.

  If there is no response from the key management server 103 (step S409: NO), the processing shown in this flowchart is terminated.

  In step S410, the CPU 201 of the information processing apparatus uses the key transmitted from the key management server 103 to decrypt the file requested to be opened in step S401.

  In step S411, the CPU 201 of the information processing apparatus starts an appropriate program for opening the file decrypted in step S410 as a child process.

  In step S412, the CPU 201 of the information processing apparatus records the correspondence between the key, the permitted operation list, and the file information received in step S409 and the process in the memory. The various information recorded here is used in a file writing process (FIG. 6) described later.

  Depending on the network to which the information processing apparatus is connected, it is determined whether or not a key for decrypting the file can be acquired by the processing of the flowcharts shown in FIGS. 4 and 5. Cannot be decrypted, and it is possible to reduce the possibility of information leakage or file tampering.

  In addition, once a decryption key is obtained, the file can be decrypted without obtaining the key from the server for a certain period of time, so the file can be used even when it cannot be connected to the network. Convenience can also be secured.

  Next, a file write process executed by the information processing apparatus (104, 105, 106) in the embodiment of the present invention will be described with reference to FIG.

  Note that the processing shown in the flowchart of FIG. 6 is processing in which the CPU 201 of the information processing apparatus reads and executes a predetermined control program.

  In step S601, the CPU 201 of the information processing apparatus detects writing of information to the file decrypted in step S410 by the child process managed and monitored in step S412.

  In step S602, the CPU 201 of the information processing apparatus determines whether writing to the file by the process activated in step S411 is permitted based on the permitted operation list recorded in step S412.

  If it is determined that it is permitted (step S602: YES), the process proceeds to step S604.

  If it is determined that it is not permitted (step S602: NO), the process proceeds to step S603.

  In step S603, the CPU 201 of the information processing apparatus stops the writing process by the process activated in step S411 and ends the process illustrated in this flowchart.

  In step S604, the CPU 201 of the information processing apparatus encrypts the file with the key corresponding to the process after the writing process by the process activated in step S411 is completed.

  In step S605, the CPU 201 of the information processing apparatus calculates the hash value of the file that has been encrypted in step S604.

In step S606, the CPU 201 of the information processing apparatus updates the hash value of the retained file information for the file whose hash value is calculated in step S605 to the hash value calculated in step S605.
Then, the process shown in this flowchart is terminated.

  By updating the retained file information to the file after the writing by the above processing, even when the writing process is performed on the file, the conventional method does not acquire the decryption key again from the server for a certain period. The file can be decrypted using the decryption key. This makes it possible to ensure the convenience of work while ensuring security even when the network cannot be connected.

  Next, referring to FIG. 7, the information processing apparatus (104, 105, 106) and key management when the information processing apparatus (104, 105, 106) acquires a file from the key management server 103 in the embodiment of the present invention. Processing of the server 103 will be described.

  Note that the processing of S701, S704, S705, S710, S711, and S714 to S716 shown in the flowchart of FIG. 7 is processing in which the CPU 201 of the information processing apparatus reads and executes a predetermined control program.

  The processes of S702, S703, S706 to S709, S712, and S713 are processes that the CPU 201 of the key management server 103 reads and executes a predetermined control program.

  In step S <b> 701, the CPU 201 of the information processing apparatus transmits qualification information (user identification information necessary for login to the key management server 103 such as a user name and a password) to the key management server 103.

  In step S <b> 702, the CPU 201 of the key management server 103 checks the qualification information transmitted from the information processing apparatus in step S <b> 701 using the LDAP server 101.

  In step S703, the CPU 201 of the key management server 103 determines whether the qualification information transmitted from the information processing apparatus in step S701 is valid based on the collation result using the LDAP server 101 (to the key management server 103). Whether or not the user is permitted to log in.

  If it is determined to be valid (step S703: YES), the result is transmitted to the information processing apparatus, and the process proceeds to step S706.

  If it is determined that it is not valid (step S703: NO), the result is transmitted to the information processing apparatus, and the process shown in this flowchart is terminated.

  In step S704, the CPU 201 of the information processing apparatus determines whether or not the login is successful from the result transmitted from the key management server 103 in step S703.

  If the login is successful (step S704: YES), the process proceeds to step S705.

  If the login has failed (step S704: NO), the processing shown in this flowchart is terminated.

  In step S <b> 705, the CPU 201 of the information processing apparatus transmits a file acquisition request to the key management server 103. This file acquisition request includes information for specifying the file to be acquired (file ID, file path, etc.) and information on whether or not key information is requested.

  In step S706, the CPU 201 of the key management server 103 receives an acquisition request from the information processing apparatus.

  In step S707, the CPU 201 of the key management server 103 determines whether or not the file requested for acquisition from the information processing apparatus in step S706 can be acquired from the file server 102, and transmits the result to the information processing apparatus. .

  Whether or not the file can be acquired in step S707 is determined according to the access rule set for the file by the file creator, the server, the department administrator, or the like. For example, if an access rule “prohibit file acquisition by general users” is set for a file, it is determined that the file cannot be acquired if the login user is a general user. Depending on the setting, there may be a plurality of rules. In this case, if at least one rule permits the file acquisition, the file can be acquired.

  If it is determined that the file can be acquired (step S707: YES), the process proceeds to step S708.

  If it is determined that file acquisition is not possible (step S707: NO), the processing shown in this flowchart is terminated.

  In step S708, the CPU 201 of the key management server 103 creates an encryption key for encrypting the file, and updates the key issuance information 309 (FIG. 20). Then, the file is encrypted with the encryption key.

  Note that when creating an encryption key, the same key must not be decrypted so that it does not overlap with previously issued ones.

  In step S709, the CPU 201 of the key management server 103 transmits the file encrypted in step S708 to the information processing apparatus.

  In step S <b> 710, the CPU of the information processing apparatus receives the acquisition permission result transmitted from the key management server 103 in step 707, and determines whether acquisition is possible.

  If it is determined that the file can be acquired (step S710: YES), the process proceeds to step S711.

  If it is determined that the file cannot be obtained (step S710: NO), the processing shown in this flowchart is terminated.

  In step S711, the CPU 201 of the information processing apparatus receives the encrypted file transmitted from the key management server 103 in step S709.

  In step S712, the CPU 201 of the key management server 103 includes the request for the key information included in the file acquisition request transmitted from the information processing apparatus in step S705, and the user who has made the acquisition request for the requested file. Is determined based on the access control information (FIG. 19). Then, the determination result is transmitted to the information processing apparatus.

  If there is permission to transmit key information (step S712: YES), the process proceeds to step S713.

  If the transmission of key information is not permitted (step S712: NO), the processing shown in this flowchart is terminated.

  In step S713, the CPU 201 of the key management server 103 transmits key information to the information processing apparatus.

  In step S714, the CPU 201 of the information processing apparatus receives the determination result on whether or not to transmit the key information transmitted from the key management server 103 in step S712, and determines whether or not the key information can be acquired.

  If it is determined that the key information can be acquired (step S714: YES), the process proceeds to step S715.

  When acquisition of key information is impossible, or when acquisition of key information is not requested in step S705 (step S714: NO), the process proceeds to step S716.

  In step S715, the CPU 201 of the information processing apparatus acquires and stores the key information transmitted in step S713. When the received key information is stored, a configuration may be adopted in which security is enhanced by separately requesting the user of the information processing apparatus to input a password or the like and encrypting it.

  In step S716, the CPU 201 of the information processing apparatus updates the holding information file (FIG. 8) with the key information acquired in step S715. Then, the process shown in this flowchart is terminated.

  With the above processing, the file acquired from the server is also encrypted, so that the file can also be a target of the access control system in the present invention.

  Next, with reference to FIG. 8, in the embodiment of the present invention, processing when the information processing apparatus (104, 105, 106) uploads a file to the key management server 103 and processing when the file is deleted are described. explain.

  Note that the process shown in the flowchart of FIG. 8 is a process in which the CPU 201 of the information processing apparatus reads and executes a predetermined control program.

  In step S <b> 801, the CPU 201 of the information processing apparatus determines whether the user's operation on the file is deletion of the file or upload to the key management server 103.

  If the file is to be deleted (step S801: delete), the process proceeds to step S805.

  If the file is to be uploaded (step S801: upload), the process proceeds to step S802.

  In step S <b> 802, the CPU 201 of the information processing apparatus transmits the uploaded file and qualification information to log in to the key management server 103 to the key management server 103.

  In step S803, the CPU 201 of the information processing apparatus receives from the key management server 103 the result of the transmission process transmitted in step S802 (whether or not the transmission was successful).

  In step S804, the CPU 201 of the information processing apparatus determines the result of the transmission process received in step S803.

  If the transmission has failed (step S804: NO), the processing shown in this flowchart is terminated.

  If the transmission is successful (step S804: YES), the process proceeds to step S805.

  In step S805, the CPU 201 of the information processing apparatus deletes the file that has been transmitted or has been deleted by the user from the storage area of the information processing apparatus.

  In step S806, the CPU 201 of the information processing apparatus determines whether the retained file information 319 includes information regarding the file deleted from the storage area in step S805.

  If it is determined that there is any (step S806: YES), the process proceeds to step S807.

  If it is determined that there is not (step S806: NO), the processing shown in this flowchart is terminated.

  In step S807, the CPU 201 of the information processing apparatus deletes information on the file deleted from the storage area in step S805 from the retained file information 319.

  In step S <b> 808, the CPU 201 of the information processing apparatus transmits a key issue information deletion request for the file to the key management server 103. Then, the process shown in this flowchart is terminated.

  The key management server 103 may delete the key issuance information as requested from the information processing apparatus, or may rewrite only the expiration date in order to save the key issuance history.

  Next, a process at the time of uploading a file in the key management server 103 in the embodiment of the present invention will be described with reference to FIG.

  The process shown in the flowchart of FIG. 9 is a process in which the CPU 201 of the key management server 103 reads and executes a predetermined control program.

  In step S901, the CPU 201 of the key management server 103 receives the file and qualification information transmitted from the information processing apparatus in step S802.

  In step S902, the CPU 201 of the key management server 103 inquires of the LDAP server 101 whether or not the user is a valid user using the qualification information received in step S901.

  In step S903, the CPU 201 of the key management server 103 determines whether the user is a valid user based on the result inquired in step S902.

  If the user is a valid user (step S903: YES), the process proceeds to step S905.

  If the user is not valid (step S903: NO), the process proceeds to step S904.

  In step S904, the CPU 201 of the key management server 103 notifies the information processing apparatus that the file upload has failed, and the process shown in this flowchart ends.

  In step S905, the CPU 201 of the key management server 103 determines whether the user who has been determined to be a valid user in step S903 has the write authority for the storage destination of the file to be uploaded.

  If there is a write authority (step S905: YES), the process proceeds to step S906.

  If there is no writing authority (step S905: NO), the process proceeds to step S904, a notification that the file upload has failed is sent to the information processing apparatus, and the process shown in this flowchart is terminated.

  In step S906, the CPU 201 of the key management server 103 determines whether the file exists at the write destination. That is, it is determined whether an existing file has been uploaded or a new file has been uploaded.

  When it is determined that there is a file at the write destination (that is, when an existing file is uploaded) (step S906: NO), the process proceeds to step S907.

  When it is determined that there is no file to be written (that is, when a new file is uploaded) (step S906: YES), the process proceeds to step S910.

  In step S907, the CPU 201 of the key management server 103 acquires key information for the user and the existing file from the key issue information 309.

  In step S908, the CPU 201 of the key management server 103 determines whether key issuance information has been acquired in step S907.

  If the key issuance information has been acquired (step S908: YES), the process proceeds to step S909.

  If the key issuance information cannot be acquired (step S908: NO), the process proceeds to step S904, a notification that the file upload has failed is sent to the information processing apparatus, and the process shown in this flowchart is performed. Exit.

  In step S909, the CPU 201 of the key management server 103 decrypts the file with the corresponding key.

  In step S910, the CPU 201 of the key management server 103 determines whether the write destination of the uploaded file corresponds to the access rule.

  If it is determined that the access rule is met (step S910: YES), the process proceeds to step S911.

  If it is determined that the access rule does not apply (step S910: NO), the process proceeds to step S912.

  In step S911, the CPU 201 of the key management server 103 creates new access restriction information for the uploaded file and additionally registers it in the access restriction information (FIG. 19).

  In step S912, the CPU 201 of the key management server 103 saves the file in the write destination file server 102.

  In step S913, the CPU 201 of the key management server 103 notifies the information processing apparatus that the file has been successfully uploaded. Then, the process shown in this flowchart is terminated.

  Next, an access rule change process in the key management server 103 in the embodiment of the present invention will be described with reference to FIG.

  Note that the processing shown in the flowchart of FIG. 10 is processing in which the CPU 201 of the key management server 103 reads and executes a predetermined control program.

  In step S1001, the CPU 201 of the key management server 103 receives an access rule change request from the information processing apparatus.

  In step S1002, the CPU 201 of the key management server 103 reflects the change of the access rule received in step S1002 in the access rule information 307 (FIG. 18).

  In step S1003, the CPU 201 of the key management server 103 acquires the access rule added and changed in step S1002 from the access rule information 307 (FIG. 18), and obtains information on the file specified in the rule and the file in the directory. get.

  Then, the processing from step S1005 to S1008 is repeated (step S1004).

  In step S1005, the CPU 201 of the key management server 103 determines whether there is access control information for the file to be processed in steps S1005 to S1008.

  If it is determined that access control information exists (step S1005: YES), the process proceeds to step S1007.

  If it is determined that access control information does not exist (step S1005: NO), the process proceeds to step S1006.

  In step S1006, the CPU 201 of the key management server 103 creates new access control information for the file to be processed, and shifts to repetitive processing for the next file.

  In step S1007, the CPU 201 of the key management server 103 determines whether the access rule ID changed in step S1002 is included in the access rule ID of the access control information confirmed in step S1005.

If it is determined that the file is included (step S1007: YES), the process proceeds to a repetition process for the next file.

  If it is determined that it is not included (step S1007: NO), the process proceeds to step S1008.

  In step S1008, the CPU 201 of the key management server 103 adds the ID of the access rule changed in step S1002 to the access control information confirmed in step S1005. Then, the process shifts to a repetition process for the next file.

Through the above processing, even when an access restriction rule is changed or added, it is possible to apply the new changed / added rule to the file.
Next, each screen shown in FIGS. 11 to 16 will be described.

  FIG. 11 is an example of a file management program screen executed by the information processing apparatus.

  The screen 1100 includes an area (1101) for displaying a management file system on the server side, an area (1102) for displaying a list of files in the directory selected in 1101, an area (1103) for displaying a local file system, and 1103 An area for displaying a list of files in the selected directory (1104), a button for accepting a download instruction from the server (1105), a button for accepting an instruction to upload to the server (1106), and whether or not to receive a key It consists of a check box (1107) to accept.

  When the user selects a file from the area 1102 for displaying a list of files in the directory, the check box 1107 is checked as necessary, and the download instruction button 1105 is pressed, the processing of the flowchart shown in FIG. 7 is executed. The

  When the user selects a file from the area 1104 for displaying the list of files in the directory and presses the upload instruction button 1106, the process of the flowchart shown in FIG. 9 is executed.

  When the user selects a file from the area 1104 for displaying a list of files in the directory and issues a deletion instruction, the process of the flowchart shown in FIG. 8 is executed.

  When the user selects a file from the area 1104 for displaying a list of files in the directory and issues a file open instruction, the processing of the flowchart shown in FIG. 4 is executed.

  FIG. 12 is a screen example of a server management program executed by the key management server 103.

The screen 1200 includes an area (1201) for displaying the file system of the file server managed by the key management server 103, an area (1202) for displaying a list of files in the directory selected by the user in the area 1201, and a network definition list screen. It consists of a menu item (1203) for displaying and a menu item (1204) for displaying the access rule list screen.
FIG. 13 is an example of a network definition list screen.

  This screen is displayed in response to a user operation on the menu item 1203 shown in FIG.

  The screen 1300 includes an area for displaying the current network definition list (1301), a button for accepting an instruction for adding a new network definition (1302), a button for accepting editing of an existing network definition (1303), and an instruction for deleting an existing network definition Button (1304) for accepting changes, a button (1305) for accepting instructions for reflecting the changed contents in the network definition information 306, and a button (1306) for accepting instructions for discarding the changed contents.

  When the administrator presses the add network definition button 1302, a new line is added to the network definition list display area 1301, and a new network definition is added by editing this.

  When the administrator presses the edit button 1303 in a state where the network definition in the network definition list display area 1301 is selected, the selected network definition is changed, and the existing network definition can be edited by editing this. Is edited.

When the administrator presses the delete button 1304 while the network definition in the network definition list display area 1301 is selected, the selected network definition is deleted.
FIG. 14 is an example of an access rule list screen.

  The access rule list screen shown in FIG. 14 is displayed by operating the menu item 1204 in FIG.

  A screen 1400 is an area for displaying a list of current access rules (1401), a button for accepting addition of a new access rule (1402), a button for accepting editing of an existing access rule (1403), and a button for accepting deletion of an existing access rule (1404), a button (1405) for receiving an instruction to reflect the changed contents in the access rule information 307, and a button (1406) for receiving an instruction to discard the changed contents.

  When the administrator presses the add access rule button 1402 or presses the edit acceptance button 1403 while the access rule in the area 1401 is selected, an access rule setting screen 1500 (FIG. 15) described later is displayed. The

  When the administrator selects an access rule in the area 1401 and presses the delete button 1404, the selected access rule is deleted.

When the administrator presses 1405 after editing the access rule, the processing of the flowchart of FIG. 14 is executed.
FIG. 15 is a diagram illustrating an example of an access rule setting screen.

  The screen 1500 displays a combo box (1501) that accepts selection of a connection form, an area (1502) that accepts selection of access restriction contents, a combo box (1503) that accepts selection of a user to be accessed, and a target file / directory. A display area (1504), a button (1505) for accepting addition of a target file / directory, a button (1506) for accepting deletion of an existing target file / directory, and a button (1507) for confirming the contents ), And a button (1508) for accepting an instruction to discard the contents.

Note that the content of 1501 is created from the network definition information 306.
FIG. 16 is a diagram illustrating an example of a key transmission setting screen.

  The key transmission setting screen shown in FIG. 16 is displayed when a file is selected from the file list display area 1202 in FIG. 12 and a key transmission setting operation is performed.

  On the screen 1600, a check box (1601) for accepting selection of permission / inhibition of transmission, an area (1602) for displaying a list of users / departments to be authorized, and a button (1603) for accepting addition of permission objects are selected. A button (1604) for receiving an instruction to delete the permitted object, a button (1605) for receiving an instruction to reflect the setting, and a button (1606) for receiving an instruction to discard the setting.

  Information to be permitted is selected by acquiring information from the LDAP server 101. When the administrator edits the content and presses the reflection button 1605, the key transmission permission / inhibition and the permission target of the access control information 308 are changed.

  With the above configuration, an appropriate access right can be given to a file only with a reliable network connection designated by the administrator, without limiting the use location of the information processing apparatus.

  Also, files that are specifically authorized by the administrator can be stored in the information processing device, so even if the service is unavailable due to a failure or the network is not reachable, Can be used.

  In addition, since the key is managed for each user, even if the credential information of a specific user is leaked, the user's key information is invalidated until a countermeasure is taken, and the key is issued to the user. By stopping the process, it is possible to prevent acquisition and browsing of a confidential file and spoofing of a file in the file server by impersonation from the permitted network without affecting other users.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Moreover, the program in this invention is a program which a computer can perform the processing method of FIGS. The program according to the present invention may be a program for each processing method of each apparatus shown in FIGS.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by reading and executing.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium recording the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  The present invention may be applied to a system constituted by a plurality of devices or an apparatus constituted by a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network using a communication program, the system or apparatus can enjoy the effects of the present invention. In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

101 LDAP server 102 File server 103 Key management server 104 Information processing apparatus (inside organization)
105 Information processing equipment (outside the organization)
106 Information processing device (network not connected)
107 LAN
108 WAN

Claims (5)

Whether or not to transmit a decryption key to the information processing apparatus based on information indicating a connection form included in the decryption key request transmitted by the decryption key request transmission means of the information processing apparatus is possible. An information processing apparatus that can be connected to an external server for determining whether
Detecting means for detecting a connection form to the network;
Decryption key request transmission means for transmitting a decryption key request including information indicating a connection form detected by the detection means to the external server;
Decryption key obtaining means for obtaining a decryption key from the external server;
Decryption means for decrypting the file stored in the information processing apparatus using the decryption key obtained by the decryption key obtaining means;
An information processing apparatus comprising: Decryption key storage means for storing the decryption key acquired by the decryption key acquisition means;
Determination means for determining whether or not a decryption key corresponding to a file stored in the information processing apparatus is stored in the decryption key storage means;
The information processing apparatus according to claim 1, wherein the decrypting unit decrypts the file by using the decryption key when the determination unit determines that the decryption key is stored. The decryption key storage means further stores the decryption key acquired by the decryption key acquisition means in association with the validity period of the decryption key,
When it is determined by the determination means that a decryption key is stored, it further comprises a validity period determination means for determining whether or not the decryption key is within the validity period,
The information processing apparatus according to claim 1, wherein the decryption unit decrypts the file by using the decryption key determined to be within the valid period by the valid period determination unit. Whether or not to transmit a decryption key to the information processing device based on information indicating a connection form included in the decryption key request transmitted by the decryption key request transmission step of the information processing device is possible. An information processing method in an information processing apparatus connectable to an external server for determining
A detection step in which the detection means of the information processing apparatus detects a connection form to the network;
A decryption key request transmission means for transmitting a decryption key request including information indicating the connection form detected in the detection step to the external server;
A decryption key obtaining step of obtaining a decryption key from the external server by the decryption key obtaining means of the information processing apparatus;
A decryption step of decrypting the file stored in the information processing device using the decryption key obtained by the decryption key obtaining step by the decryption means of the information processing device;
An information processing method comprising: Whether or not to transmit a decryption key to the information processing apparatus based on information indicating a connection form included in the decryption key request transmitted by the decryption key request transmission means of the information processing apparatus is possible. A program that can be executed by an information processing apparatus that can be connected to an external server,
The information processing apparatus;
Detecting means for detecting a connection form to the network;
Decryption key request transmission means for transmitting a decryption key request including information indicating a connection form detected by the detection means to the external server;
Decryption key obtaining means for obtaining a decryption key from the external server;
A program for causing a file stored in the information processing apparatus to function as a decryption unit using the decryption key acquired by the decryption key acquisition unit.

Images