JP4820620B2 - Data distribution management system - Google Patents

Description

  The present invention relates to a data distribution management system, and in particular, distributed management of data of an administrator system (server) in a server centralized operation model, access control to a recording area of a recording system (client), and data distribution management using these It is related to technology effective when applied to.

Conventionally, when secret information is stored on a server, there are threats of loss or destruction of secret information and threats of leakage of secret information. There is a secret sharing method as a means to deal with these problems. One of them is the (k, n) threshold secret sharing method. If any k (k ≦ n) pieces of distributed information are prepared, the secret information A can be restored. Even if the information is complete, the secret information A cannot be restored [see, for example, JP 2000-172548 A (Patent Document 1)].
JP 2000-172548 A

  In the background art described above, a recording system having n pieces of information to be distributed is determined, where n is the number of distributions according to the (k, n) threshold secret sharing scheme. That is, it is assumed that the recording system is always operating in an administrator system that distributes and records n pieces of secret information A.

  However, when using computers used in the office as a recording system, it is possible to assume that many computers are running during working hours, but some computers are not running. There can be.

  Therefore, an object of the present invention is to prepare an expensive backup center (encrypted data is stored in a plurality of centers in a multiplexed manner, or data distributed by the secret sharing method is stored in a plurality of centers). Instead of taking advantage of the excess recording area of a personal computer used in offices, etc., it is possible to take measures against the threat of loss or destruction of confidential information and the threat of leakage of confidential information at a low investment cost. It is to provide a distributed data management system.

  The background art described above is a data management system for the purpose of countermeasures against information leakage, and does not take much consideration on countermeasures against a threat that some recording systems are destroyed by a disaster or the like.

  Therefore, another object of the present invention is to make a personal computer a thin client (Server-based Computing), thereby preventing information leakage due to theft of the personal computer and simultaneously using the personal computer recording device as a backup area. An object of the present invention is to provide a data distribution management system capable of taking measures against a threat that a part of the recording system is destroyed due to a disaster or the like.

  Of the inventions disclosed in the present application, the outline of typical ones will be briefly described as follows.

  A data distribution management system according to the present invention includes an administrator system and a plurality of recording systems connected to the administrator system via a network and writing divided data based on commands from the administrator system. The administrator system includes recording system detection means for confirming whether or not the recording system connected to the network is in a writable state, and distribution for dividing the data to be recorded into a predetermined number n of divided data. And a recording system determining means for selecting an arbitrary n from the N writable recording systems (N ≧ n) and recording an identifier of the selected n recording systems in association with the data. Update means for sending a command comprising identification information and divided data to n recording systems. Than is.

  Among the inventions disclosed in the present application, effects obtained by typical ones will be briefly described as follows.

  According to the present invention, it is possible to take measures against threats such as loss or destruction of secret information and leakage of secret information at a low investment cost by using an excess recording area of a personal computer used in an office or the like. It becomes possible.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted.

<Configuration of data distribution management system>
A configuration of a data distribution management system according to an embodiment of the present invention will be described with reference to FIGS. FIG. 1 is a configuration diagram showing a configuration of a data distribution management system according to an embodiment of the present invention, and FIGS. 2 to 4 show detailed configurations of respective parts constituting the data distribution management system according to an embodiment of the present invention. 2 is a configuration diagram showing the configuration of the main file system, FIG. 3 is a configuration diagram showing the configuration of the distributed file manager system, and FIG. 4 is a configuration diagram showing the configuration of the client system. 5 to 7 are diagrams showing an example of a management file used in the data distribution management system according to the embodiment of the present invention, FIG. 5 is a storage location management file, FIG. 6 is a deletion target data management file, FIG. 7 shows a client management file.

  In FIG. 1, a data distribution management system includes a main file system 100 that stores secret information data A, and a distributed file manager system (administrator system) that divides data A into n and distributes it to n recording systems. 110, composed of N (N ≧ n) client systems (recording systems) 120 for recording the divided data, and each device is connected via a network 140 such as the Internet, public network, private network, etc. Has been.

  There are various connection methods between the systems. For example, by providing a separate dedicated network between the main file system 100 and the distributed file manager system 110, security can be improved. The main file system 100 and the distributed file manager system 110 do not need to be physically separated from each other, and may coexist in the same apparatus.

  As shown in FIG. 2, the main file system 100 exchanges information via a network with a control unit 102 in which a backup program or the like operates, a recording unit 103 for storing data of N client systems, and the like. Communication unit 101.

  In the control unit 102, a backup program 211 and a server program 212 for a server base computer operate. The recording unit 103 records data for N client systems (201, 202,..., 205).

  As shown in FIG. 3, the distributed file manager system 110 is a control unit 112 that operates a program for dividing the secret information data A into n pieces and sending it to the client system, and is a destination for sending the divided data. Storage location management file 301 for storage locations of n client systems, deletion target data management file 302 for managing deletion targets of divided data stored in n client systems, and client management for managing a plurality of client systems A recording unit 113 for storing the file 303 and a communication unit 111 for exchanging information via the network are provided.

  In the control unit 112, a client detection program (recording system detection means) 311 capable of storing data (accessible via a network to a client and having a free space enough to record divided data), A client determination program (client determination means) 312 for selecting a data storage target such as selecting a client having a large free space, a secret distribution program (distribution means) 313 that divides the secret information data A into n pieces, and secret information data A And a storage data update program (update means) 314 for updating data recorded in the past when.

  The recording unit 113 includes a storage location management file 301 for managing the storage location of the divided data, a deletion target data management file 302 for managing target data to be deleted at the time of update, and a client PC. The client management file 303 is recorded.

  As shown in FIG. 4, the client system 120 includes a recording unit 123 that stores divided data, a control unit 122 that operates an access control program for the recording unit 123, and a communication unit that exchanges information via a network. 121 and an input unit 124 such as a keyboard.

  In the control unit 122, an access control program 411 for the recording unit 123 and a client program 412 for a server-based computer operate.

  Further, the recording unit 123 records divided data (401, 402,...). This divided data (401, 402,...) Has the client system 120 in which the divided data (401, 402,...) Is recorded and the client number of the client system 120 in which the divided data is created. Data with a client number (i) is represented as divided data (ik), and data with a client number (j) of the client system 120 in which the divided data is created is represented as divided data (jk).

  Further, the divided data recorded in the recording unit 123 of the client system 120 is managed by a storage location management file 301 recorded in the recording unit 113 of the distributed file manager system 110 as shown in FIG. The divided file to be deleted is managed by, for example, a deletion target data management file 302 as shown in FIG. 6, and the divided file specified when the client system 120 is activated is deleted. .

  Further, the client system 120 is managed by a client management file 303 recorded in the recording unit 113 of the distributed file manager system 110 as shown in FIG. 7, for example, and statistical values of installation location, free space, and operation time Such information can be grasped by the distributed file manager system 110 side.

<Operation of data distribution management system>
Next, the operation of the data distribution management system according to the embodiment of the present invention will be described with reference to FIGS. 8 and 10 to 13 are flowcharts showing the operation of the data distribution management system according to the embodiment of the present invention. FIG. 8 shows that the distributed file manager system has received a backup application from the main file system. 10 is a flowchart showing data update processing in the client system, FIG. 11 is a flowchart showing data restoration processing in the distributed file manager system, and FIGS. 12 and 13 store divided data. It is a flowchart which shows the client selection algorithm for this. FIG. 9 is a data structure diagram of commands used in the data distribution management system according to the embodiment of the present invention.

  First, the processing when the distributed file manager system receives a backup application from the main file system will be described with reference to FIG.

  First, the backup program 211 of the main file system 100 is a program that activates a backup function at a fixed time, for example, and requests the distributed file manager system 110 to perform backup processing.

  In step S601, the distributed file manager system 110 receives a backup processing request from the main file system 100. At this time, the main file system 100 designates which data of the client system data (201, 202,..., 205) of the recording unit 103 is to be backed up.

  In step S603, the distributed file manager system 110 operates the client detection program 311 that can store data, and obtains a client list that can store data.

  For example, a list of clients that are managed by managing the IP addresses of the clients under the management of the distributed file manager system 110 and the recording capacity of each client, sending a PING command to the IP address of the client, and the response Is generated.

  Further, the distributed file manager system 110 operates the client determination program 312 for storing data in step S604, and selects only n items having a large free space from the client list obtained in step S603 from the top. The storage location of the data divided into n pieces is determined.

  At this time, the storage location information determined in step S604 is recorded in the storage location management file 501 of the recording unit 113. As shown in FIG. 5, the client number 511 of the storage location management file 501 is client system data (201, 202,..., 205) recorded in the recording unit 103 of the main file system, and the storage location identification number 512. Is the identifier of the file of the client that recorded the divided data of the data (divided into four in the example of FIG. 5).

  That is, the first line of the storage location management file indicates that the data for the client system 1 is divided and recorded in four clients 2, 4, 6, and 8. The above-described storage location determination method is merely an example, and a determination method that takes into account a disaster or the like, and a storage location determination method when a client PC that is not guaranteed to operate at all times is used as a storage location will be described later.

  Next, in step S605, the information on the storage location where the data for the client to be backed up is stored is moved to the deletion target data management file 502 of the recording unit 113. For example, as shown in FIG. 6, when backing up the data of the client number 2 in the storage location management file 501, 4 is added to the column of the number of data 521 of the data management file 502 to be deleted, and the column of the identification number 522 “2-1”, “2-5”, “2-7”, and “2-k” are additionally written.

  This deletes data recorded in the past that became unnecessary in the subsequent processing (steps S607 and S608), but the client system in which the file to be deleted is recorded is not activated at the time of deletion. Because it is assumed that the number of unnecessary files and the identification number of the file are registered in the data management file 502 to be deleted, and unnecessary files are deleted when access to the corresponding client system becomes possible. is there.

  As a result, a new backup process can be performed even when the client system storing the past backup data at the time of backup is not operating.

  Next, in step S606, the distributed file manager system 110 operates the secret sharing program 313, divides the data A of the client system to be backed up into the determined n pieces, and creates n pieces of divided data. One of the methods for creating the divided data is the (k, n) threshold secret sharing method. If the (k, n) threshold secret sharing method is used, if any k (k ≦ n) pieces of distributed information are arranged. The original data (secret information) A can be restored, but the original data A cannot be restored even if up to k−1 pieces of distributed information are prepared.

  The division number n may be a fixed value, or may be dynamically set according to the amount of data to be divided and the number of clients that can be recorded. Further, the partitioning method is not limited to the secret sharing method, and a suitable effect can be obtained even with different algorithms as long as the partitioning method has appropriate redundancy.

  In step S607, the deletion target data management file 502 is read out. In step S608, a deletion target file deletion command is created and transmitted to the client system 120.

  Next, in step S609, the distributed file manager system 110 operates the storage data update program 314 by secret sharing to create a write command. The write command is composed of at least authentication information and divided data. When the authenticity of the authentication information (the validity of the write command) is confirmed in the client system, and the validity of the command is confirmed, Writing to the client system is allowed. The data structure of the command will be described later.

  The write command created in step S609 is sent to the client system 120, and the client system 120 determines whether to accept this command. Then, the client system 120 returns the determination result data to the distributed file manager system 110.

  In step S610, the distributed file manager system 110 receives the result data of the client system 120. If the writing fails (if the command is not accepted), the process proceeds to step S603 to determine the storage location of the divided data. Again.

  Although it is considered that writing may fail in step S608, the failure of the recording apparatus or the network as the cause is a failure of a general computer system and is taken as a countermeasure separately from the present invention. I will omit it.

  Here, the information of the client management file 303 and the data structure of the command for determining the data storage location in step S604 will be described.

  As shown in FIG. 7, the client management file 303 includes a client number 702, an installation location identifier 703, a free space 704, and an operating time statistical value 705. Previously, as an example of determining the data installation location, the example of selecting from the ones that can be accessed at the time of writing and has a large free space has been described. Although this selection method is reasonable, from the viewpoint of protecting data from disasters such as earthquakes and fires, the data should be distributed and stored in a recording device in Tokyo, for example, and a recording device in Osaka, etc. Is desirable.

  Therefore, identifiers are assigned to the installation locations so that the selected recording devices are distributed to a number of locations.

  That is, when the kth selected recording apparatus is installed in area A, the k + 1st selected recording apparatus selects the area with the largest free capacity 704 among the areas other than area A. If the (k, n) threshold secret sharing method is used, the original data (secret information) A can be restored if any k (k ≦ n) pieces of distributed information are prepared. Even if the recording device is destroyed by a disaster, the original data A can be restored if k pieces of divided data remain in the recording devices installed in other areas.

  The installation location generally indicates a geographical position, but may be further subdivided depending on the resistance to disaster.

  The operating time statistical value 705 is obtained by, for example, measuring the actual operating time and calculating the average value for the operating start time and the operating end time.

  As shown in FIG. 9, the command data structure includes signature data 801, command type 802, recording device identification number 803, file name 804, data length 805, and data portion 806. . The signature data 801 is authentication information for the access control program 411 of the client system 120 to determine whether to accept a command, and secret information known only by the distributed file manager system 110 is described therein.

  The signature data 801 may be information obtained by encrypting secret information with the secret key of the distributed file manager system 110 (giving an electronic signature by a public key cryptosystem). Further, a hash value of the command may be included to ensure that the command has not been tampered with.

  The command type 802 describes the operation for the recording area, and there are three types: write (WR), delete (DL), and read (RD). The recording device identification number 803 is the number of the client system that performs data writing or the like. The file name 804 is an identifier given to the distributed file, and corresponds to the storage location identification number 512 of the storage location management file 501. A data length 805 indicates the data size of the data portion 806.

  Next, data update processing in the client system 120 will be described with reference to FIG.

  First, in step S901, the client system 120 receives a command from the distributed file manager system 110, and verifies the validity of the command in step S902. The validity of the command is to verify that the signature data 801 shown in FIG. 9 is issued by the distributed file manager system 110. For example, the signature data is a secret key of the distributed file manager system 110. If the electronic signature is given (encrypted), the public key of the distributed file manager system 110 is obtained and the authenticity of the signature data is confirmed.

  If the validity of the command cannot be confirmed in step S902, the command is invalidated and “failure” is returned in step S910. If the validity can be confirmed in step S902, the command part is separated into elements in step S903.

  Next, in step S904, it is confirmed whether the command is “read (RD)”. If the command is “read (RD)” in step S904, the file name 804 and the data length 805 are set in step S905. Use this to read the divided data and send it back to the distributed file manager system 110.

  If the command is not “read (RD)” in step S904, it is confirmed in step S906 whether the command is “write (WR)”. In step S906, the command is “write (WR)”. In step S908, the divided data is recorded in the recording unit 123 using the file name 804, the data length 805, and the data unit 806.

  If the command is not “write (WR)” in step 906, the command is “delete (DL)”. Therefore, in step S 907, the divided data that has become unnecessary using the file name 804 and the data length 805 is used. Is deleted.

  After the processing in step S905, step S908, and step S907 ends, in step S911, “success” is returned to the distributed file manager system as result data.

  Next, data restoration processing in the distributed file manager system 110 will be described with reference to FIG.

  First, in step S1001, the location data storing the data of the client system 120 to be restored is read. That is, the storage location identification number 512 corresponding to the client number 511 is read using the storage location management file 501. At this time, the counter (x) is set to zero.

  Next, a read command is created in step S1002. That is, according to the command format shown in FIG. 9, “read (RD)” is set in the command type 802, the recording device number of the storage location identification number 512 is set in the recording device number 803, and the storage location identification is set in the file name 804. The number 512 is set. In the case of a read command, the data length 805 and the data part 806 are not necessary.

  Also, digital signature data for the above data is added to the signature data 801. For example, in the storage location management file shown in FIG. 5, when restoring the data of the client system 120 whose client number 511 is “2”, the read command for the file 2-1 recorded in the client system 1 (120) first. Will be created.

  In step S1003, when a read command is transmitted to the client system 1 (120), the file 2-1 is returned from the client system 1 (120). At this time, one counter (x) is added.

  Next, in step S1004, it is confirmed whether all the divided data for restoring the data of the client system 2 (120) is read. If all the divided data are not read in step S1004, step S1002, step S1003 are read. And the reading process for the file 2-1, the file 2-5, the file 2-7, and the file 2-k is repeated.

  If all the divided data have been read in step S1004, it is checked in step S1005 whether k pieces of divided data necessary for restoration have been read. If in step S1005, k or more pieces of divided data have been prepared. Restores the data of the client system 2 (120) by restoring the divided data corresponding to step S606 of FIG.

  Conversely, if the counter x <k in step S1005, the data of the client system 2 (120) cannot be restored, and an error message is displayed in step S1007.

  If the divided data is created by the (k, n) threshold secret sharing method, the original data (secret information) A can be restored if any k (k ≦ n) pieces of distributed information are prepared. Therefore, it is not necessary to read out all the divided data described in the storage location management file 501, and it is only necessary to select and read any accessible k pieces.

  Next, a client selection algorithm for storing divided data will be described with reference to FIGS.

  First, as a precondition, the total number of clients is N, and the area where these clients are installed is M locations (for example, M in the case of 8 locations in Sapporo, Sendai, Tokyo, Nagoya, Osaka, Okayama, Fukuoka, Kagoshima) = 8). In step S1105, counters a = 1 and f = 1 are set.

  Next, in step S1110, the identification number of the client system 120 to be backed up (unique identification numbers are assigned to all client systems 120 in order from 1) is set in the variable b.

  In addition, a name for identifying the client system 120 is recorded in F (1) (when one of the divided data is necessarily recorded in the client system 120 to be backed up).

  In addition, the number of the area where the client system 120 is installed is set in the variable c (M areas are assigned consecutive identification numbers).

  Next, 1 is added to the value of the variable b in step S1115. When the variable b exceeds the total number N of client systems by this addition (that is, when b = N + 1), there is no client system 120 corresponding to this identification number, so the variable b is set to 1 in step S1120. To do.

  In step S1125, the number of the area where the client system 120 with the identification number b is installed is set in the variable d. When the variable c is M, the variable c is set to zero.

  If variable d = c + 1 in step S1130, the process proceeds to subroutine AA shown in FIG. 13. If d ≠ c + 1, the process returns to step S1115. The client system 120 installed in a different area can be selected by the loop from step S1115 to step S1130.

  Next, in step S1205 shown in FIG. 12, subroutine processing for selecting a client is started.

  First, in step S1210, the operation start time of the client system 120 with the identification number b (hereinafter abbreviated as client b) is set to the variable e1, and the operation end time is set to the variable e2.

  Here, the operation start time and the operation end time are the average values of the start time and end time of each client (for example, the past 10 days). Further, it is assumed that the constant t1 is the start time, the constant t2 is the end time, and the backup process and the restoration process from the backup are performed between t1 and t2 (that is, the regular working hours).

  Next, in step S1215, the operating time of the client b is compared with the constants t1 and t2, and the client b is operating at all times in the regular working hours (e1 ≦ t1 and t2 ≦ e2). If the client b is not operating at all times in the regular working hours, the process proceeds to step S1220.

  In step S1220, it is identified that the client b has been operating before the start time but has ended before the end time. In this case, the end time e2 is set to t2 in step S1235, and the process proceeds to step S1245. Transition.

  Further, in step S1225, the case where the client b is operating after the closing time but is operating after the starting time is identified. In this case, the starting time e1 is set to t1 in step S1240, and the process proceeds to step S1245. To do.

  If neither is true, that is, if t1 ≦ e1 and e2 ≦ t2, the subroutine ends in step S1230, and the process returns to step S1130 shown in FIG.

  In step S1245, a name for identifying the client b is recorded in F (f).

  Further, in step S1250, if the counter a is equal to the division number n, the process is terminated in step S1255, otherwise 1 is added to the variable a, the subroutine is terminated in step S1265, and step S1130 shown in FIG. Return processing to.

  With the subroutine processing shown in FIG. 13, it is possible to select a combination in which any client system 120 is operating at all times in the regular working hours.

  In the processing described above, the case where only the divided data is recorded in the recording unit 123 of the client system 120 has been described. However, the recording unit has an area that can be written from the input unit of the client itself. However, it is only necessary that an access-controlled area that cannot be deleted without permission is set.

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say.

  The present invention relates to a distributed data management system, and in particular, to a distributed management of data of an administrator system (server) in a server centralized operation model, access control to a recording area of a recording system (client), and data distribution using these. Applicable to management.

It is a block diagram which shows the structure of the data distribution management system which concerns on one embodiment of this invention. It is a block diagram which shows the structure of the main file system which comprises the data distribution management system which concerns on one embodiment of this invention. It is a block diagram which shows the structure of the distributed file manager system which comprises the data distribution management system which concerns on one embodiment of this invention. It is a block diagram which shows the structure of the client system which comprises the data distribution management system which concerns on one embodiment of this invention. It is a figure which shows an example of the storage location management file used with the data distribution management system which concerns on one embodiment of this invention. It is a figure which shows an example of the deletion object data management file used with the data distribution management system which concerns on one embodiment of this invention. It is a figure which shows an example of the client management file used with the data distribution management system which concerns on one embodiment of this invention. It is a flowchart which shows the process at the time of the data distribution management system concerning one embodiment of this invention receiving the application for backup from the main file system. It is a data structure figure of the command used with the data distribution management system concerning one embodiment of the present invention. It is a flowchart which shows the update process of the data in the client system of the data distribution management system which concerns on one embodiment of this invention. 6 is a flowchart showing data restoration processing in the distributed file manager system according to the embodiment of the present invention. It is a flowchart which shows the client selection algorithm for storing the division | segmentation data of the data distribution management system which concerns on one embodiment of this invention. It is a flowchart which shows the client selection algorithm for storing the division | segmentation data of the data distribution management system which concerns on one embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 ... Main file system, 101 ... Communication part, 102 ... Control part, 103 ... Recording part, 110 ... Distributed file manager system, 111 ... Communication part, 112 ... Control part, 113 ... Recording part, 120 ... Client system, 121 ... Communication part 122 ... Control part 123 ... Recording part 124 ... Input part 140 ... Network 211 ... Backup program 212 ... Server program 301 ... Storage location management file 302 ... Delete target data management file 303 ... Client management file, 311 ... Client detection program capable of storing data (recording system detection means), 312 ... Client determination program for data storage (recording system determination means), 313 ... Secret sharing program (distribution means), 314 ... Secret sharing Stored data update process Grams (updating means) 411 ... Access control program, 412 ... client program 501 ... location managing file, 502 ... deleted data management file, 511 ... client number, 512 ... location identification number.

Claims (4)

An administrator system and a data distribution management system having a plurality of recording systems connected to the administrator system via a network and writing divided data based on a command from the administrator system,
The administrator system includes a recording system detection unit for confirming whether or not the recording system connected to the network is in a writable state, and a distribution for dividing the data to be recorded into a predetermined number n of the divided data. And any n number of writable recording systems (N ≧ n) are selected based on the information of the management file including the means, the installation location of the recording system, the free space, and the statistical value of the operation time. A recording system determining unit that records the identifiers of the selected n recording systems in association with the data, and sends a command including identification information and the divided data to the selected n recording systems. possess and update means,
The recording system detection means generates first information for confirming whether or not the recording system is in a writable state, and sends the first information to all the recording systems managed by the administrator system. Receiving second information corresponding to the first information from the recording system, and checking whether the recording system is in a writable state based on the second information. Data distribution management system. The data distribution management system according to claim 1,
When the n recording systems are selected, the n recording systems to be selected are selected based on statistical information on the operating time of the recording system in the information of the management file. A data distribution management system, wherein one of the recording systems is selected so as to operate at all times during the regular working hours . The data distribution management system according to claim 1,
When the n recording systems are selected, the recording system determining unit selects a number of installation locations of the n recording systems to be selected based on information on the installation locations of the recording system in the information of the management file . A data distribution management system characterized by selecting to be distributed to locations . The data distribution management system according to claim 1,
It said dispersion means, data distribution management system, characterized by dividing the data by using the secret sharing method and recorded.

Images