JP2016151797A - Information processing system, control method thereof, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a mechanism configured to reduce the risk of leakage of confidential information which has been stored and to be transmitted.SOLUTION: A personal information service server 101 divides confidential information into multiple pieces of tally data, to be stored in a storage server 102. On receipt of a request from a user application server 112, the personal information service server 101 acquires multiple pieces of tally data from the storage server 102, to restore the confidential information. The restored confidential information is encrypted, and divided into multiple pieces of tally data, according to the number of communication paths, to be transmitted on the communication paths.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an information processing system capable of reducing the risk of leakage of stored secret information and leakage of transmitted secret information, a control method thereof, and a program.

  Conventionally, leakage of confidential information such as information capable of identifying a specific individual (hereinafter referred to as personal information) and confidential information of a company has been a problem. In particular, since such information is stored and managed by a computer, a malicious person may leak the information if the security of the computer is not perfect.

  Therefore, there is a mechanism disclosed in Patent Document 1 as a mechanism that allows only appropriate users to use personal information or the like. In Patent Document 1, information for a user is encrypted using a public key, and when a user's IC card is detected, the encrypted information is stored using a secret key corresponding to the IC card. A mechanism that can be decrypted is disclosed.

JP 2010-237850 A

  If it is certainly encrypted information, even if the communication is intercepted, it will not be easily decrypted, but it will be encrypted even if a malicious person enters the key to decrypt it. Will also leak information.

  Information leakage is not only caused by communication, but an administrator who manages the information may acquire information from the computer and leak it. This is so-called internal leakage. In this case, even if the information is encrypted, since it is known which key can be used for decryption, the information is easily decrypted and the information is leaked.

  That is, unless the risk of information leakage due to communication and the risk of internal leakage of information stored in the computer are reduced, security cannot be improved.

  Therefore, an object of the present invention is to provide a mechanism capable of reducing the risk of leakage of stored secret information and leakage of transmitted secret information.

  In order to achieve the above object, an information processing system according to the present invention stores a first data dividing means for dividing secret information into a plurality of data, and a plurality of data divided by the first data dividing means. Storage means, first secret information restoration means for restoring the secret information using a plurality of data stored in the storage means, and encryption of the secret information restored by the first secret information restoration means An encryption unit; a second data division unit that divides the secret information encrypted by the encryption unit into a plurality of pieces of data according to the number of communication paths; and a plurality of pieces of data divided by the second data division unit Transmission means for transmitting each of the data via a plurality of communication paths.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to reduce the risk by leakage of the confidential information memorize | stored and the leakage of the confidential information transmitted.

It is a figure which shows an example of the system configuration | structure of an information processing system. It is a figure which shows an example of the hardware constitutions of the various apparatuses in an information processing system. It is a figure which shows an example of a function structure of the various apparatuses in an information processing system. It is a figure which shows the outline | summary of this embodiment. 4 is a flowchart showing a flow of a series of processes for dividing personal information into tally data and transmitting it to the storage server 102. It is a flowchart which shows the flow of a series of processes which transmit a personal information list | wrist in response to the request from the user application server. It is a flowchart which shows the flow of a detailed process of a personal information restoration process. It is a flowchart which shows the flow of a series of processes which receive tally data and acquire a personal information list. It is a figure which shows an example of a table structure of the personal information list 900 and the tally data management table 910.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a diagram illustrating an example of a system configuration of an information processing system according to the present embodiment. The information processing system of the present embodiment is divided into a personal information service domain 100 and a user domain 110, which are connected to each other via a WAN 120 so as to communicate with each other. Note that WAN is an abbreviation for Wide Area Network.

  In the personal information service domain 100, a personal information service server 101, a storage server 102, and a restoration service server 103 are connected via a LAN 104 so that they can communicate with each other. In the user domain 110, a tally service server 111 and a user application server 112 are connected to each other via a LAN 113 so that they can communicate with each other.

  Note that the configuration of various terminals or servers connected to the network in FIG. 1 is an example, and there are various configuration examples depending on applications and purposes.

  The personal information service server 101 is a server that provides a service for storing personal information of users. In response to a request from the user application server 112, the personal information service server 101 provides personal information stored in a device in the user domain 110. In the present embodiment, personal information is described as an example, but the present invention is not limited to personal information. Any information that can be leaked to a third party (for example, confidential information such as confidential information of a company, payment information such as a credit card, a password, etc.) may be used.

  The storage server 102 is a server that stores personal information of users. Personal information stored in the storage server 102 is divided by the personal information service server 101 and distributed and stored in a plurality of storages (external memory 211 described later). In the present embodiment, data divided by the personal information service server 101 is referred to as tally data. The storage server 102 may be a physically different server, or may be a server logically divided by a virtualization technique. Further, a form in which a plurality of storages are physically provided in one or a plurality of servers may be employed. In the present embodiment, four storage servers 102 and four storages corresponding to these are used. However, the number of storage servers 102 is not limited to this.

  The restoration service server 103 is a server that provides a service for restoring damaged / erased tally data when any of the tally data stored in the storage server 102 is damaged / erased. The storage server 102 stores parity data generated from tally data. Parity data is data calculated by exclusive OR (ie, XOR) of all tally data generated by dividing certain personal information. That is, by calculating the exclusive OR of all tally data other than corrupted / lost tally data and parity data, the tally data that has been corrupted / lost can be restored.

  The tally service server 111 is a server for receiving tally data transmitted from the personal information service server 101 and transmitting it to the user application server 112 in response to a request from the user application server 112. The personal information service server 101 transmits tally data to the tally service server 111 and the user application server 112, respectively. That is, security is enhanced by providing a plurality of communication paths.

  The user application server 112 is an application server owned by a user who uses the service of the personal information service server 101. The user application server 112 transmits a request to the personal information service server 101 and the tally service server 111 to transmit a list of personal information stored by the user (hereinafter referred to as a personal information list). In response to this, the personal information list is acquired by combining tally data transmitted from the personal information service server 101 and the tally service server 111.

  Each server described above may be a single server or a plurality of servers. Moreover, it is good also as a structure different from the system structure shown in FIG. 1 because another server equips with a part or all of the function of a certain server. Therefore, the information processing system in the present invention is not limited to a mechanism that operates by a plurality of devices (servers), but also includes a mechanism that operates by a single device (server).

  FIG. 2 is a diagram illustrating an example of a hardware configuration of each server in the present embodiment.

  The CPU 201 comprehensively controls each device and controller connected to the system bus 204.

  Further, the ROM 202 or the external memory 211 stores a BIOS (Basic Input / Output System) that is a control program of the CPU 201 and an operating system program (hereinafter referred to as OS). The external memory 211 stores various programs necessary for realizing the functions executed by each server. The RAM 203 functions as a main memory, work area, and the like for the CPU 201.

  The CPU 201 implements various operations by loading a program necessary for execution of processing into the RAM 203 and executing the program.

  The input controller 205 controls input from an input device 209 such as a keyboard or a pointing device such as a mouse.

  The video controller 206 controls display on a display device such as the display 210. The display device may be a CRT or a liquid crystal display.

  The memory controller 207 controls access to an external memory 211 such as a hard disk, a flexible disk, or a card type memory connected to the PCMCIA card slot via an adapter. The external memory 211 (storage means) stores a boot program, browser software, various applications, font data, user files, editing files, various data, and the like.

  The communication I / F controller 208 is connected to and communicates with an external device via a network, and executes communication control processing on the network. For example, Internet communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display 210.

  Various programs and the like used for each server of the present invention to execute various processes described later are recorded in the external memory 211, and are executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, definition files and various information tables used by the program according to the present invention are stored in the external memory 211.

  FIG. 3 is a diagram illustrating an example of a functional configuration of each server in the present embodiment. Note that the functional configuration shown in FIG. 3 is an example, and there are various configuration examples depending on the application and purpose.

  The personal information service server 101 functions as a transmission / reception control unit 301, a personal information temporary storage unit 302, a division control unit 303, a parity data control unit 304, a public key storage unit 305, a combination control unit 306, and a personal information list generation control unit. 307 and an encryption control unit 308.

  The transmission / reception control unit 301 is a functional unit for transmitting / receiving various data to / from other servers. Via the communication I / F controller 208 of the personal information service server 101, various data is transmitted to other servers or received from other servers.

  The personal information temporary storage unit 302 is a functional unit for temporarily storing a personal information list transmitted for storage from a user. The personal information temporary storage unit 302 temporarily stores the received personal information list in the RAM 203 and deletes it from the RAM 203 when predetermined processing is completed.

  The division control unit 303 is a functional unit for dividing the personal information list temporarily stored by the personal information temporary storage unit 302 into personal information. The division control unit 303 divides the personal information into the tally data described above. The number of tally data to be divided is determined according to a predetermined setting. The division control unit 303 is a functional unit for dividing the personal information list encrypted by the encryption control unit 308 into tally data.

  The parity data control unit 304 is a functional unit for generating parity data using the tally data divided by the division control unit 303. Further, it is a functional unit for acquiring parity data corresponding to tally data as necessary.

  The public key storage unit 305 is a functional unit for storing a public key corresponding to the private key held by the restoration service server 103 and a public key corresponding to the private key held by the user application server 112.

  The combination control unit 306 is a functional unit for acquiring all tally data constituting certain personal information from the storage server 102 and combining them. Thus, the personal information is restored from the tally data divided.

  The personal information list generation control unit 307 is a functional unit for generating a personal information list that is a list including a plurality of personal information restored by combining tally data by the combination control unit 306.

  The encryption control unit 308 acquires a public key corresponding to the secret key held by the user application server 112 from the public key storage unit 305, and uses this to generate a personal information list generated by the personal information list generation control unit 307. It is a functional part for encrypting.

  The storage server 102 includes a transmission / reception control unit 311 and a tally data storage unit 312.

  The transmission / reception control unit 311 is a functional unit for transmitting / receiving various data to / from the personal information service server 101. Various data is transmitted to or received from the personal information service server 101 via the communication I / F controller 208 of the storage server 102.

  The tally data storage unit 312 (storage means) is a functional unit for storing tally data transmitted from the personal information service server 101 in storage, that is, in the external memory 211. In response to a request from the personal information service server 101, the stored tally data is acquired and transmitted to the personal information service server 101.

  The restoration service server 103 includes a transmission / reception control unit 321, a secret key storage unit 322, a decryption control unit 323, and a restoration control unit 324 as functional units.

  The transmission / reception control unit 321 is a functional unit for transmitting / receiving various data to / from the personal information service server 101. Various data is transmitted to the personal information service server 101 or various data is received from the personal information service server 101 via the communication I / F controller 208 of the restoration service server 103.

  The secret key storage unit 322 is a functional unit for storing a secret key corresponding to the public key held by the personal information service server 101.

  The decryption control unit 323 obtains a secret key corresponding to the public key held by the personal information service server 101 from the secret key storage unit 322, and uses this to decrypt the parity data encrypted by the personal information service server 101. It is a functional part for.

  The restoration control unit 324 is a functional unit for restoring tally data that has been damaged or lost using the parity data decoded by the decoding control unit 323 and the tally data acquired from the personal information service server 101. . In order to restore, an exclusive OR of parity data and tally data may be obtained.

  The tally service server 111 includes a transmission / reception control unit 331, a tally data storage unit 332, and a storage period control unit 333 as functional units.

  The transmission / reception control unit 331 is a functional unit for transmitting / receiving various data to / from the personal information service server 101 and the user application server 112. Various data is transmitted to each server or received from each server via the communication I / F controller 208 of the tally service server 111.

  The tally data storage unit 332 is a storage unit for temporarily storing tally data transmitted from the personal information service server 101. Further, when the storage period managed by the storage period control unit 333 is exceeded after the tally data is stored, the tally data is deleted.

  The storage period control unit 333 checks whether the tally data transmitted from the personal information service server 101 has been stored by the tally data storage unit 332 and whether the storage period has been exceeded. This is a functional unit for instructing the storage unit 332 to delete.

  The user application server 112 includes a transmission / reception control unit 341, a request control unit 342, a combination control unit 343, a secret key storage unit 344, a decryption control unit 345, and a personal information list storage unit 346 as functional units.

  The transmission / reception control unit 341 is a functional unit for transmitting / receiving various data to / from the personal information service server 101 and the tally service server 111. Various data is transmitted to or received from each server via the communication I / F controller 208 of the user application server 112.

  The request control unit 342 is a functional unit for requesting the personal information service server 101 and the tally service server 111 to acquire personal information and tally data.

  The combination control unit 343 is a functional unit for combining a plurality of tally data acquired in response to a request from the request control unit 342. Thus, the encrypted personal information list divided by the personal information service server 101 is restored.

  The secret key storage unit 344 is a functional unit for storing a secret key corresponding to the public key held by the personal information service server 101.

  The decryption control unit 345 obtains a secret key corresponding to the public key held by the personal information service server 101 from the secret key storage unit 344, and uses this to decrypt the personal information list encrypted by the personal information service server 101. It is a functional part for doing.

  The personal information list storage unit 346 is a functional unit for storing the personal information list decrypted by the decryption control unit 345. The above is an example of the functional configuration of each server in the present embodiment.

  Next, an overview of processing in the present embodiment will be described with reference to FIG.

  First, the personal information service server 101 acquires a personal information list temporarily stored in the RAM 203, and divides it into a predetermined number of tally data for each personal information. Here, for example, one piece of personal information is divided into three tally data (tally data A, tally data B, tally data C) (401 in FIG. 4). Then, parity data is generated using the divided tally data (tally data A, tally data B, tally data C). If there are three divided tally data, the exclusive OR of these three tally data (tally data A, tally data B, tally data C) is calculated, and the parity data corresponding to these three tally data Is generated. Then, it is encrypted with a public key corresponding to the private key of the restoration service server 103 (402 in FIG. 4).

  Then, the tally data and the parity data are transmitted to the storage server 102, and the data is distributed and stored for each storage (403 in FIG. 4). This management improves security. That is, to obtain one piece of personal information, tally data must be acquired from a plurality of storages, and the acquired tally data must be combined. Also, by storing parity data, even if any storage or tally data is damaged or lost, it can be restored. Furthermore, since the parity data is encrypted with the public key corresponding to the private key of the restoration service server 103, it cannot be decrypted unless the restoration service server 103 is used, which further improves security.

  If any storage or tally data is damaged or lost, the restoration service server 103 restores using parity data (404 in FIG. 4). For example, when tally data C is lost among tally data A, tally data B, and tally data C, the parity data corresponding to these is decrypted using the secret key of the restoration service server 103. To do. Then, three exclusive ORs of tally data A, tally data B, and parity data are calculated to generate tally data C. In this way, the damaged / lost tally data is restored.

  Now, when the personal information service server 101 accepts a personal information acquisition request stored as tally data, the tally data stored in the storage server 102 is acquired. Then, the obtained tally data is combined and restored to the state before the division (405 in FIG. 4). At this time, as the tally data to be acquired, tally data corresponding to the requested personal information is acquired.

  Then, the personal information service server 101 encrypts the personal information list including the restored personal information with the public key corresponding to the private key of the user application server 112, and communicates the encrypted personal information list. The number is divided according to the number of routes (406 in FIG. 4). Here, since the divided personal information list is transmitted using two communication paths, the personal information list is divided into two. That is, two tally data (tally data D and tally data E) are generated.

  When two tally data are generated, they are transmitted to the tally service server 111 and the user application server 112 (407 in FIG. 4). At this time, it is desirable to increase security by constructing a virtual circuit by SSL-VPN (Secure Socket Layer Private Private Network) and transmitting tally data using this circuit.

  When receiving the tally data, the user application server 112 transmits a request for acquiring the other tally data to the tally service server 111. In response to this, the tally service server 111 transmits the tally data received by itself to the user application server 112. Then, the user application server 112 combines the received two tally data and decrypts it with the private key of the user application server 112 (408 in FIG. 4). In this way, a personal information list is acquired. In this way, security is enhanced by dividing and transmitting the encrypted one.

  Conventionally, a plurality of tally data is transmitted as it is to the user application server 112, and this is combined and restored, or an encrypted personal information list is transmitted and decrypted at the transmission destination. Was raised. However, when the information to be stored is personal information, it is necessary to increase security or to confirm data corruption or loss. Therefore, in this embodiment, the personal information service server 101 confirms whether restoration is possible before sending the tally data, and if it can be restored without any problem, it is encrypted and divided into a plurality of communication paths. By sending, the security is further improved. Hereinafter, the processing outline of FIG. 4 will be described in detail using a flowchart.

  FIG. 5 is a flowchart showing a flow of a series of processes for dividing personal information into tally data and transmitting it to the storage server 102. Note that the processing flow shown in the flowchart of FIG. 5 is merely an example, and the present invention is not limited to this.

  In step S <b> 501, the CPU 201 of the personal information service server 101 acquires personal information from the personal information list stored in the RAM 203 by the personal information temporary storage unit 302. The personal information service server 101 receives a personal information list from the user application server 112 in advance.

  An example of the personal information list (secret information list) is shown in FIG. The personal information list 900 includes an employee number 901 and a personal number 902, for example. The employee number 901 is an employee identification number indicated by the personal number. The personal number 902 is a number (so-called my number) for identifying an individual. Such a personal information list is temporarily stored in the RAM 203 of the personal information service server 101, and is acquired in step S501. The personal information in this embodiment is described as a personal number 902, but it may be one record of the personal information list, or one of the employee number 901 and the personal number 902.

  In step S502, the CPU 201 of the personal information service server 101 divides the personal information acquired in step S501 according to a predetermined rule by the function of the division control unit 303 (first data division unit). As a result, the personal information is divided into a plurality of tally data. For example, if the personal information is divided into 3 tally data with 12 digits, it is divided every 4 digits, or the nth, n + 1, n + 2 digits are extracted and divided into 3 The number of digits is extracted and divided into three tally data. Since there are various methods for the predetermined rule for dividing, the administrator of the personal information service server 101 may determine in advance, or the user who stores the personal information may determine.

  In step S503, the CPU 201 of the personal information service server 101 uses the function of the parity data control unit 304 to generate parity data using all the divided tally data (parity data generating means). Parity data corresponding to the tally data is generated using all tally data generated by dividing one piece of personal information. The method for generating parity data is as described above.

  In step S504, the CPU 201 of the personal information service server 101 encrypts the parity data generated in step S503 with the public key stored in the public key storage unit 305 and corresponding to the private key of the restoration service server 103. To do. Encrypting the parity data prevents a malicious person from restoring the tally data that is insufficient between the parity data and the tally data.

  In step S <b> 505, the CPU 201 of the personal information service server 101 transmits the generated tally data and parity data to the storage server 102 by the function of the transmission / reception control unit 301. At this time, the employee number 901 corresponding to the tally data and the parity data is transmitted together. The tally data and the parity data transmitted in step S505 are received by the storage server 102 and stored in different storages in association with the received employee number 901.

  FIG. 9 shows an example of the table configuration of the tally data management table 910 stored in the storage server 102. The storage server 102 manages the received tally data and parity data in association with the employee number 901 as shown in the tally data management table 910. The employee number 911 is an item in which information corresponding to the employee number 901 is stored. The stored data 912 is an item indicating tally data or parity data stored in the storage. In this embodiment, tally data and parity data are distributed and managed in four storages. In FIG. 9, this is shown in the four tally data management tables 910 from storage 1 to storage 4. In storage 1 to storage 3, tally data of personal number 902 is stored in storage data 912, respectively. In the storage 4, parity data calculated from tally data is stored in the storage data 912.

  In step S506, the CPU 201 of the personal information service server 101 determines whether or not the processing in steps S501 to S505 has been completed for all personal information included in the personal information list. If it is determined that the processing has been completed for all personal information, this series of processing ends. If not, that is, if there is unprocessed personal information, the process returns to step S501, and the processes of steps S501 to S505 are performed on the unprocessed personal information.

  In this way, the personal information included in the personal information list is divided as tally data, and is distributed and stored in a plurality of storages.

  FIG. 6 is a flowchart showing a flow of a series of processes for transmitting a personal information list in response to a request from the user application server 112. Note that the processing flow shown in the flowchart of FIG. 6 is merely an example, and the present invention is not limited to this.

  In step S <b> 601, the CPU 201 of the personal information service server 101 determines whether a personal information list acquisition request (request) has been received from the user application server 112 by the function of the transmission / reception control unit 301. If it is determined that a request has been received from the user application server 112, the process proceeds to step S602. If not, wait until the request is accepted.

  In step S602, the CPU 201 of the personal information service server 101 acquires the requested personal information from the storage server 102 and executes a process of restoring it by combining it (first secret information restoring means). Details of the personal information restoration process are shown in FIG.

  In step S603, the CPU 201 of the personal information service server 101 determines whether or not the personal information has been successfully restored by the personal information restoration process executed in step S602. Whether or not the personal information has been successfully restored is determined to have been successfully restored if personal information has been generated as a result of the personal information restoration process. Otherwise, it has not been restored, so it is determined that restoration has failed. If it is determined that the personal information has been successfully restored, the process proceeds to step S604. If it is not determined that the restoration of the personal information is successful, that is, if it is determined that the restoration has failed, the process proceeds to step S605.

  In step S604, the CPU 201 of the personal information service server 101 adds the restored personal information to the personal information list by the function of the personal information list generation control unit 307. If the personal information list does not exist, the personal information is generated by the function of the personal information list generation control unit 307 and added. Also, when adding, it is added in association with the requested employee number.

  In step S605, the CPU 201 of the personal information service server 101 fails to restore the personal information, and adds it to the personal information list so that it can be understood. For example, a record is generated in the personal information list, but restoration fails by entering “NULL”, which is an empty meaning, or by directly entering the character string “error” in each item of the record. Notify that it has been done. The error notification method is not limited to this.

  In step S606, the CPU 201 of the personal information service server 101 determines whether or not the processing in steps S602 to S605 has been completed for all personal information requested to be acquired. If it is determined that processing has been completed for all personal information, the process proceeds to step S607. If not, that is, if there is unprocessed personal information, the process returns to step S602.

  In step S607, the CPU 201 of the personal information service server 101 encrypts the generated personal information list with the public key stored in the public key storage unit 305 and corresponding to the private key of the user application server 112. (Encryption means). By encrypting in this way, even if all the personal information lists divided by a malicious person in the process described later are obtained and combined, they cannot be released without a secret key. it can.

  In step S608, the CPU 201 of the personal information service server 101 divides the personal information list encrypted in step S607 by the function of the division control unit 303, and generates tally data (second data division unit). At this time, the number of divisions is equal to the number of communication paths for transmission from the personal information service server 101 to the user application server 112. In this embodiment, since there are two communication paths, it is divided into two. In the present embodiment, the number of communication paths is divided, but the number of transmission paths may be divided. That is, when two tally data are transmitted for each of the two communication paths, it is divided into four.

  In step S609, the CPU 201 of the personal information service server 101 transmits predetermined tally data among the tally data generated in step S608 to the user application server 112 by the function of the transmission / reception control unit 301 (transmission unit). In this embodiment, since it is divided into two tally data, one tally data is transmitted to the user application server 112.

  In step S610, the CPU 201 of the personal information service server 101 transmits to the tally service server 111 tally data that was not transmitted in step S609 among the tally data generated in step S608, by the function of the transmission / reception control unit 301 ( Transmission means). In this embodiment, since it is divided into two tally data, not the tally data transmitted in step S609 but the other tally data is transmitted to the tally service server 111.

  In step S611, the CPU 201 of the personal information service server 101 deletes the encrypted personal information list when the transmission of the personal information list in steps S609 and S610 is completed. Although it is encrypted, it is deleted because decryption leads to leakage of personal information.

  In this way, it is possible to confirm whether or not the personal information is in a state before division by combining tally data stored in the storage server 102 and restoring the personal information. Furthermore, in consideration of the possibility of communication being intercepted, security is enhanced by dividing and transmitting the encrypted personal information list.

  FIG. 7 is a flowchart showing a detailed process flow of the personal information restoration process. Note that the processing flow shown in the flowchart of FIG. 7 is merely an example, and the present invention is not limited to this. In addition, broken line arrows on the flowchart shown in FIG. 7 indicate the flow of data.

  In step S <b> 701, the CPU 201 of the personal information service server 101 transmits a tally data and parity data acquisition request corresponding to the requested personal information to the storage server 102 by the function of the transmission / reception control unit 301. For example, when a request including an employee number is received, a tally data and parity data acquisition request corresponding to the employee number is transmitted to the storage server 102. In response to this, the tally data and the parity data transmitted from the storage server 102 are received. Since the storage server 102 manages the employee number and the stored data in association with each other in the tally data management table 910, the tally data and the parity data may be acquired using this and transmitted to the personal information service server 101. .

  In step S702, the CPU 201 of the personal information service server 101 determines whether all tally data constituting the requested personal information has been acquired by the processing in step S701. Alternatively, it is determined whether any tally data constituting the requested personal information is not damaged. If the number of divisions is three, three tally data should have been acquired, so if all three are acquired, it is determined that all have been acquired, otherwise it is determined that they have not been acquired. Alternatively, tally data is checked to see if it has been corrupted by the prior art. If it is determined that all the tally data constituting the requested personal information has been acquired, the process proceeds to step S703. Otherwise, the process proceeds to step S704. Alternatively, if it is determined that the tally data is not damaged, the process proceeds to step S703, and if it is determined that the tally data is damaged, the process proceeds to step S704.

  In step S703, the CPU 201 of the personal information service server 101 restores the personal information by combining all the tally data acquired in step S701 by the function of the combination control unit 306. When the restoration of personal information is completed, the personal information restoration process ends.

  In step S704, the CPU 201 of the personal information service server 101 determines whether or not the tally data can be restored because there is a missing tally data or damaged tally data. If there is one missing tally data or corrupted tally data, and other tally data and parity data exist, it is determined that restoration is possible. If it is determined that the missing tally data or damaged tally data can be restored, the process proceeds to step S705. If not, that is, if it is determined that restoration is not possible, the personal information restoration processing is terminated.

  In step S705, the CPU 201 of the personal information service server 101 transmits the tally data and parity data acquired in step S701 to the restoration service server 103 by the function of the transmission / reception control unit 301, and requests restoration of the tally data.

  In step S706, the CPU 201 of the restoration service server 103 receives the tally data and parity data transmitted from the personal information service server 101 by the function of the transmission / reception control unit 321. A tally data restoration request using these is also received.

  In step S707, the CPU 201 of the restoration service server 103 decrypts the received encrypted parity data with the private key stored in the private key storage unit 322 and corresponding to the public key of the personal information service server 101. .

  In step S708, the CPU 201 of the restoration service server 103 restores damaged / erased tally data using the received tally data and decoded parity data by the function of the restoration control unit 324. The method for restoring tally data is as described above.

  In step S709, the CPU 201 of the restoration service server 103 transmits the tally data restored in step S708 to the personal information service server 101 by the function of the transmission / reception control unit 321.

  In step S710, when transmission of the restored tally data is completed, the CPU 201 of the restoration service server 103 deletes the tally data received in step S706, the parity data restored in step S707, and the tally data restored in step S708. To do. By deleting these from the restoration service server 103, a malicious person cannot acquire a plurality of tally data that can restore personal information from the restoration service server 103.

  In step S <b> 711, the CPU 201 of the personal information service server 101 receives the tally data transmitted from the restoration service server 103 by the function of the transmission / reception control unit 301.

  In step S 712, the CPU 201 of the personal information service server 101 transmits the tally data received in step S 711 to the storage server 102 by the function of the transmission / reception control unit 301. That is, since the tally data that has been damaged or lost in the storage server 102 must be supplemented with the received tally data, this is executed. When the storage server 102 receives the tally data, the storage server 102 stores the received tally data instead of the tally data that could not be acquired.

  In step S713, the CPU 201 of the personal information service server 101 restores the personal information by combining the tally data acquired in step S701 and the tally data received in step S711 by the function of the combination control unit 306. When the restoration of personal information is completed, the personal information restoration process ends.

  As described above, if all tally data constituting the requested personal information can be acquired, the personal information is restored using these tally data. Also, if the tally data stored in the storage server 102 cannot be obtained because it has been damaged or lost, the restoration service server 103 restores the necessary tally data and then restores the personal information. That is, the redundancy is improved and the tally data can be restored.

  FIG. 8 is a flowchart showing a flow of a series of processes for receiving tally data and acquiring a personal information list. Note that the processing flow shown in the flowchart of FIG. 8 is merely an example, and the present invention is not limited to this. Also, the broken-line arrows on the flowchart shown in FIG. 8 indicate the flow of data.

  In step S801, the CPU 201 of the user application server 112 uses the function of the request control unit 342 to send a personal information acquisition request (request) instructed by the user storing personal information to the personal information service server 101. Send. Step S601 described above determines whether this request has been accepted. The request transmitted in step S801 includes an employee number corresponding to personal information to be acquired.

  In step S802, the CPU 201 of the user application server 112 receives the tally data of the personal information list transmitted from the personal information service server 101 in response to the request by the function of the transmission / reception control unit 341 (receiving unit). This is the tally data transmitted in step S609 described above. The received tally data is stored in the tally data storage unit 332.

  In step S803, the CPU 201 of the user application server 112 transmits, to the tally service server 111, an acquisition request for other tally data constituting the personal information list together with the tally data received in step S802, by the function of the request control unit 342. . In the present embodiment, since the encrypted personal information list is divided into two tally data, the tally service server 111 is requested to obtain the other tally data different from the tally data received in step S802. .

  In step S804, the CPU 201 of the tally service server 111 receives the tally data of the personal information list transmitted from the personal information service server 101 by the function of the transmission / reception control unit 331. This is the tally data transmitted in step S610 described above.

  In step S805, the CPU 201 of the tally service server 111 starts a timer for deleting the tally data received in step S804 by the function of the retention period control unit 333. If the tally service server 111 does not receive the received tally data, the tally data remains in the tally service server 111 forever, which is a security problem. For this reason, a storage period is determined by a timer and is deleted when the timer reaches zero. It is desirable to set a timer for each tally data received.

  In step S806, the CPU 201 of the tally service server 111 determines whether the timer started in step S805 has reached 0, that is, whether the storage period has expired, by the function of the storage period control unit 333. If it is determined that the storage period has expired, the process proceeds to step S807. Otherwise, the process proceeds to step S808.

  In step S807, the CPU 201 of the tally service server 111 deletes the tally data whose storage period has expired.

  In step S808, the CPU 201 of the tally service server 111 determines whether or not the tally data acquisition request (request) transmitted from the user application server 112 has been received by the function of the transmission / reception control unit 331. The request transmitted from the user application server 112 is the request transmitted in step S803 described above. If it is determined that the tally data acquisition request has been received, the process proceeds to step S809. Otherwise, the process returns to step S806.

  In step S809, the CPU 201 of the tally service server 111 acquires the target tally data according to the received acquisition request by the function of the transmission / reception control unit 331, and transmits this to the user application server 112. If the storage period has expired and the target tally data could not be acquired, or if the target tally data could not be acquired due to some error, a message to that effect is sent to the user application server 112. In this way, the request result is transmitted to the user application server 112.

  In step S810, the CPU 201 of the tally service server 111 deletes the transmitted tally data because transmission of the tally data has been completed. In this way, tally data can be deleted without waiting for the storage period to expire, leading to improved security.

  In step S811, the CPU 201 of the user application server 112 receives the request result transmitted from the tally service server 111 by the function of the transmission / reception control unit 341 (reception unit).

  In step S812, the CPU 201 of the user application server 112 determines whether tally data is included in the request result received in step S811, that is, whether tally data has been received. If tally data is included, tally data acquisition is successful. If it is determined that tally data has been received, the process proceeds to step S813. If not, an error is notified to the user of the user application server 112, and this series of processing ends.

  In step S813, the CPU 201 of the user application server 112 restores the encrypted personal information list by combining the tally data received in step S802 and step S811 with the function of the combination control unit 343 (the second personal information list). Secret information restoration means).

  In step S814, the CPU 201 of the user application server 112 stores the restored encrypted personal information list with the private key stored in the private key storage unit 344 and corresponding to the public key of the personal information service server 101. Decrypt (decoding means). By doing so, the user application server 112 can acquire a personal information list including the requested personal information.

  In step S815, the CPU 201 of the user application server 112 stores the personal information list decrypted in step S814 in the external memory 211. If stored in the external memory 211, the personal information list is stored semi-permanently in the external memory 211, and may be stored in the RAM 203.

  As described above, according to the present embodiment, it is possible to reduce the risk of leakage of stored secret information and leakage of transmitted secret information.

  The present invention can be implemented as a system, apparatus, method, program, storage medium, or the like, and can be applied to a system including a plurality of devices. You may apply to the apparatus which consists of one apparatus.

  Note that the present invention includes a software program that implements the functions of the above-described embodiments directly or remotely from a system or apparatus. The present invention also includes a case where the system or the computer of the apparatus is achieved by reading and executing the supplied program code.

  Therefore, in order to realize (executable) the functional processing of the present invention by a computer, the program code itself installed in the computer also realizes the present invention. In other words, the present invention includes a computer program itself for realizing the functional processing of the present invention.

  In that case, as long as it has the function of a program, it may be in the form of object code, a program executed by an interpreter, script data supplied to the OS, and the like.

  Examples of the recording medium for supplying the program include a flexible disk, hard disk, optical disk, magneto-optical disk, MO, CD-ROM, CD-R, and CD-RW. In addition, there are magnetic tape, nonvolatile memory card, ROM, DVD (DVD-ROM, DVD-R), and the like.

  As another program supply method, a browser on a client computer is used to connect to an Internet home page. The computer program itself of the present invention or a compressed file including an automatic installation function can be downloaded from the homepage by downloading it to a recording medium such as a hard disk.

  It can also be realized by dividing the program code constituting the program of the present invention into a plurality of files and downloading each file from a different homepage. That is, a WWW server that allows a plurality of users to download a program file for realizing the functional processing of the present invention on a computer is also included in the present invention.

  In addition, the program of the present invention is encrypted, stored in a storage medium such as a CD-ROM, distributed to users, and key information for decryption is downloaded from a homepage via the Internet to users who have cleared predetermined conditions. Let It is also possible to execute the encrypted program by using the downloaded key information and install the program on a computer.

  Further, the functions of the above-described embodiments are realized by the computer executing the read program. In addition, based on the instructions of the program, an OS or the like running on the computer performs part or all of the actual processing, and the functions of the above-described embodiments can also be realized by the processing.

  Further, the program read from the recording medium is written in a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer. Thereafter, the CPU of the function expansion board or function expansion unit performs part or all of the actual processing based on the instructions of the program, and the functions of the above-described embodiments are realized by the processing.

  Note that the above-described embodiments are merely examples of implementation in carrying out the present invention, and the technical scope of the present invention should not be construed in a limited manner. That is, the present invention can be implemented in various forms without departing from the technical idea or the main features thereof.

100 personal information service domain 101 personal information service server 102 storage server 103 restoration service server 104 LAN
110 User domain 111 Tally service server 112 User application server 113 LAN
120 WAN
201 CPU
202 RAM
203 ROM
204 System bus 205 Input controller 206 Video controller 207 Memory controller 208 Communication I / F controller 209 Input device 210 Display 211 External memory

Claims (8)

First data dividing means for dividing the secret information into a plurality of data;
Storage means for storing a plurality of data divided by the first data dividing means;
First secret information restoring means for restoring the secret information using a plurality of data stored in the storage means;
Encryption means for encrypting the secret information restored by the first secret information restoration means;
Second data dividing means for dividing the secret information encrypted by the encryption means into a plurality of data according to the number of communication paths;
An information processing system comprising: a transmission unit configured to transmit a plurality of data divided by the second data division unit through a plurality of communication paths. The information processing system includes:
Receiving means for receiving a plurality of data transmitted by the transmitting means;
Second secret information restoring means for restoring secret information encrypted by the encrypting means using a plurality of data received by the receiving means;
2. The information according to claim 1, further comprising: decryption means that decrypts the secret information restored by the second secret information restoration means and encrypted by the encryption means. Processing system. Parity data generating means for generating parity data using a plurality of data divided by the first data dividing means,
The first secret information restoring means, when the secret information cannot be restored with the plurality of data stored in the storage means, the parity data generated by the parity data generating means and the plurality of data stored in the storage means The information processing system according to claim 1, wherein necessary data is restored using the data. The encryption means encrypts the secret information restored by the first secret information restoration means with a public key,
The information processing system according to claim 2, wherein the decryption unit decrypts the secret information encrypted by the encryption unit with a secret key corresponding to the public key. The encryption means encrypts a secret information list including a plurality of secret information restored by the first secret information restoration means,
The said 2nd data division | segmentation means divides | segments the secret information list encrypted by the said encryption means into several data according to the number of communication paths. Information processing system described in 1.   6. The information processing system according to claim 1, wherein the storage unit stores a plurality of pieces of data divided by the first data division unit in a plurality of storages. . First data dividing means for dividing the secret information into a plurality of data;
A control method of an information processing system comprising storage means for storing a plurality of data divided by the first data dividing means,
A first secret information restoring step in which the first secret information restoring means of the information processing system restores the secret information using a plurality of data stored in the storage means;
An encryption step in which the encryption means of the information processing system encrypts the secret information restored in the first secret information restoration step;
A second data dividing step in which the second data dividing means of the information processing system divides the secret information encrypted in the encryption step into a plurality of data corresponding to the number of communication paths;
A control method for an information processing system, comprising: a transmission step for transmitting a plurality of data divided in the second data division step through a plurality of communication paths, respectively. First data dividing means for dividing the secret information into a plurality of data;
A program capable of executing a control method of an information processing system comprising storage means for storing a plurality of data divided by the first data dividing means,
The information processing system;
First secret information restoring means for restoring the secret information using a plurality of data stored in the storage means;
Encryption means for encrypting the secret information restored by the first secret information restoration means;
Second data dividing means for dividing the secret information encrypted by the encryption means into a plurality of data according to the number of communication paths;
A program for causing a plurality of data divided by the second data dividing means to function as transmitting means for transmitting the data through a plurality of communication paths.

Images