JP4835266B2 - Encrypted transfer device and program - Google Patents

Description

  The present invention relates to a technique for encrypting input information and transferring and storing the encrypted information to a specified storage location in order to disclose the encrypted information to a specific person.

  In recent years, network image forming apparatuses having a function called “ScanToServer” have appeared. This is a function for transferring and storing a scanned document image in a specified server directory. In such an apparatus, there is a risk that the scanned image is leaked to a third party on the transmission path or in the storage location of the transfer destination.

  On the other hand, Patent Document 1 discloses an apparatus that encrypts image data and transmits the image data when transmitting the image data to another apparatus via a network.

JP 2002-271553 A

  When image data is encrypted and transmitted as in the apparatus of Patent Document 1, it is necessary to encrypt the image data so that it can be decrypted at the transmission destination. In this case, for example, in the public key cryptosystem, encryption is performed using the public key of the transmission destination. However, in such public key system encryption, when there are a plurality of persons who disclose the encrypted data stored in the storage location, the public key of each person is specified to the encryption processing unit at the time of encryption. There is a need. For this reason, if the user designates one person to be disclosed one by one, the operation becomes very complicated, but Patent Document 1 does not show a solution to this, and even recognizes such a problem. Not shown.

  The present invention provides a technique for simplifying an operation for designating a disclosure destination user who discloses encrypted information in an apparatus that encrypts input information and stores it in a designated storage location.

In one aspect of the present invention, a designation accepting unit for accepting specification of storage location to store the input information from the user, a plurality of disclosee with access to the specified location with respect to the designation receiving unit, the Based on storage location management information indicating a plurality of disclosure destinations having access rights to the storage location, by using a disclosure destination specifying unit to be specified and a public key corresponding to each disclosure destination specified by the disclosure destination specifying unit , transfer unit for transferring the input information and the encryption unit that encrypts, as the user can decode the disclosures destination that is the specified, the encrypted information in which the encryption unit has generated the designated storage location And an encrypted transfer device.

In one aspect of the present invention, the encryption transfer apparatus further includes a correspondence location holding unit that holds a correspondence relationship between a storage location and a plurality of disclosure destinations having access rights to the storage location, and the disclosure destination identification The unit specifies a plurality of disclosure destinations having an access right to the storage location designated for the designation receiving unit from the correspondence held by the correspondence holding unit.

  In another aspect of the present invention, the encrypted transfer apparatus further includes a group information holding unit that holds a correspondence relationship between a group and a user belonging to the group, and the encryption unit corresponds to a designated storage location. When a group is registered in the correspondence holding unit as a disclosure destination, each user belonging to the group is obtained from the group information holding unit, and each user can be decrypted by using the public key of each user. The input information is encrypted.

  In another aspect of the present invention, the disclosure destination specifying unit includes a correspondence relationship holding unit located outside the encrypted transfer device that holds a correspondence relationship between a storage location outside the encrypted transfer device and a disclosure destination. The disclosure destination corresponding to the designated storage location is specified.

In another aspect of the present invention, the disclosure destination specifying unit refers to the disclosure destination information stored in the storage location designated for the designation receiving unit, and thereby has a plurality of access rights to the storage location. Specify the disclosure destination.

In another aspect of the present invention, the encrypted transfer apparatus acquires e-mail addresses of each of a plurality of disclosure destination users who have access rights to the storage location specified for the specified receiving unit, and stores the encrypted information. It further includes a mail transmitting unit that transmits an e-mail indicating that the e-mail is stored in the designated storage location to each e-mail address.

  Hereinafter, embodiments of the present invention (hereinafter referred to as “embodiments”) will be described with reference to the drawings.

  In this embodiment, storage location candidates for storing the encryption result of input data are determined in advance. Each candidate is managed by associating information on the public key of the user as the disclosure destination of the encryption result. When the storage location of the encrypted data is designated by the user, the public key of the disclosure destination user corresponding to the storage location is acquired, and those public keys are used for the input data. Encryptable only in the disclosed user (in principle).

  With this mechanism, when the user instructs to store the encrypted data, the disclosure destination user who discloses the encrypted result can decrypt it only by specifying the storage location for storing the encrypted result. It can be encrypted in such a way that it can.

  For example, in internal collaboration, various directories are created on the document server, each directory is assigned to an organizational unit (team or group) in the real world, and the data stored in the directory is shared by the corresponding organizational units. It is often done. Also, for example, when a directory and files in it are protected by an access right management system, and only those who have been given access rights can operate the files within the scope of the given access rights There are also many. Access rights to directories and files may be given to individual users, or groups of one or more users may be defined and given to groups. In consideration of such an existing operation, a user or group that uses a directory that is a storage location of an encryption result can be assumed as a disclosure destination of the encryption result. Therefore, if a directory for storing the encryption result is specified, a disclosure destination user or group registered in association with the directory can be obtained, and the disclosure destination user or the disclosure destination group can be obtained. The public key of each member belonging to can be acquired. Then, by using these public keys, it is possible to generate encrypted data that can be decrypted by the users and group members of each disclosure destination.

  A configuration example of a system to which the framework of the embodiment described above is applied is shown in FIG. The system shown in FIG. 1 includes an MFP 10 and an external server 40 that are connected to each other via a network 30 such as a LAN (Local Area Network) or the Internet.

  The external server 40 is a server that stores image data generated by the multifunction device 10 by scanning. Each user can access the external server 40 and acquire image data. The external server 40 may have a plurality of directories having a hierarchical structure. A user instructing a process (ScanToServer) for storing an image scanned by the multifunction machine 10 in a server designates a specific directory of the external server 40 as a storage location. Note that it is not essential to specify a directory, and there are cases in which only a server is specified as a storage location.

  The external server 40 may perform user authentication when receiving access from the user. In this case, since it is possible to determine from which user the access is based on user authentication, the external server 40 can perform access right management for stored data (for example, an image file accumulated by an instruction from the multifunction device 10). The external server 40 provides the stored data only to users who have access rights to the data. As a method for user authentication and access right management, a conventionally known method may be used. Note that the external server 40 may perform access authentication in response to a request for storing image data from the multifunction peripheral 10, but this is also within the scope of the prior art.

  Although only one external server 40 is shown in the figure, there may be a plurality of external servers 40. The user can specify one or more of the plurality of external servers 40 (or directories therein) as storage locations.

  In addition to the external server 40, the image scanned by the multifunction device 10 may be stored in the storage device of the multifunction device 10 itself, or may be stored in the storage device of another multifunction device. The “other multifunction device” in the latter case may be regarded as a kind of the external server 40. Some multifunction peripherals 10 create confidential boxes (sometimes referred to as security boxes) in a storage area, and protect each confidential box with a password. When image data is stored in the multi-function peripheral, for example, a confidential box is designated as the storage location.

  The multifunction device 10 is a device having functions such as a scanner, a printer, a copying machine, and a facsimile. The multifunction machine 10 includes an HDD (hard disk drive) 12, an encryption unit 14, a key verification unit 16, a scanner 18, an operation unit 20, a control unit 22, and a LAN interface (I / F) 24. Here, as an example, it is assumed that the image scanned by the scanner function is encrypted and stored in the external server 40. Therefore, among the various functions of the multi-function device 10, FIG. Only the elements related to the function for are shown.

  Various data handled by the multifunction machine 10 are stored in the HDD 12. 2 includes the user management table shown in FIG. 2, the group management table shown in FIG. 3, and the storage location management table shown in FIG.

  As shown in FIG. 2, a user ID, public key data, and an e-mail address are registered in the user management table for each registered user. The user ID is unique identification information of a registered user of the multifunction machine 10. The public key data is data including the public key of the user, for example, a public key certificate file. The e-mail address is the e-mail address of the user. This e-mail address is used when sending an e-mail notifying that the encrypted data has been uploaded to the external server 40 (details will be described later). Conversely, when such a method that does not transmit an e-mail is adopted, the user management table may not have an e-mail address column. Further, since the e-mail address is basically unique, a configuration using the e-mail address as the user ID is also conceivable.

  As shown in FIG. 3, the group management table includes a group name and a member list of the group for each group. The group name is group identification information and is unique at least in the multifunction machine 10. The member list is a list of user IDs of members (individuals) belonging to the group.

  In the storage location management table, as shown in FIG. 4, the storage location address information (“storage location”), an encryption flag indicating whether or not the data stored in the storage location is encrypted, and its storage A list of “disclosure destinations” that disclose the data stored in the place.

  In the illustrated example, the address information of the storage location is expressed by a combination of the IP address of the external server 40 and the path name of the storage location (directory in this case) in the server. However, this is merely an example, and any information can be used as address information of the storage location as long as the storage location can be uniquely specified on the network 30. For example, a unique server name on the network 30 may be used instead of the IP address. Further, a UUID (Universal Unique ID) that uniquely indicates the external server 40 or a directory therein may be used as the address information. Further, the URI (Uniform Resource Identifier) of the external server 40 or a directory therein may be used as the address information. Further, when the external server 40 as the image storage destination is a multifunction device, the storage location address information includes the server name or IP address of the multifunction device, and the box name or box number indicating the confidential box as the storage destination. It becomes a combination. The box name and box number are uniquely determined in the multifunction device.

  In the list of “disclosed”, the user ID of the user who is the disclosure destination of the data stored in the storage location or the group name of the group as the disclosure destination is listed. Of course, user IDs and group names may be mixed. In any case, the user or group included in the list is determined as the disclosure destination. This disclosure destination list is used when the scanned image data is encrypted. In other words, when the scanned image data is encrypted, the encryption is performed so that each user included in the disclosure destination list and the members of each group included in the disclosure destination list can decrypt the encryption result. To do. Therefore, the disclosure destination list is empty for the storage location where the flag of “encryption” is “not encrypted”.

  The data contents of each management table are registered and maintained, for example, by a system administrator who manages the multifunction machine 10.

  The various tables stored in the HDD 12 have been described above. Although the HDD is illustrated here, other types of nonvolatile storage devices (for example, nonvolatile RAM) may be used instead of the HDD.

  Returning to FIG. 1 again, the encryption unit 14 encrypts the image data read by the scanner 18. The key verification unit 16 verifies the validity of the public key used in the encryption process of the encryption unit 14. The scanner 18 optically reads a paper document set by a user and generates image data indicating an image of the document. The operation unit 20 is a user interface mechanism of the multifunction machine 20 and includes a display screen and an input device. Examples of the input device include a keyboard and various operation buttons. The operation unit 20 may include a liquid crystal touch panel as a screen and input device. An instruction for processing contents such as ScanToServer and a storage location are given from the user via the operation unit 20. The control unit 22 controls the overall operation of the multifunction machine 10. As processing particularly related to the embodiment, when the storage location of the scan image or the encryption result is instructed by the user, the control unit 22 stores the public key information of the disclosure destination user corresponding to the storage location in the HDD 12. It is acquired using various tables, and is passed to the key verification unit 16 for verification, or is passed to the encryption unit 14 for encryption processing. Further, the control unit 22 performs processing for transmitting the image data or the encryption result thereof to a designated storage location. The LAN I / F 24 is an interface mechanism that controls communication between the multifunction machine 10 and the network 30.

  Next, a processing procedure of the multifunction machine 10 when executing the ScanToServer process will be described with reference to FIG.

  When the ScanToServer function is selected, the operation unit 20 of the multifunction machine 10 displays a storage location input screen and asks the user to specify the storage location (S1). On the input screen, a list of address information of each storage location registered in the storage location management table (if the storage location name is registered in the storage location management table, the name may be displayed) is displayed. The user may be allowed to select a desired storage location. The address information and name of the storage location may be directly input using a keyboard or a software keyboard displayed on the screen.

  When the user designates the storage location, the control unit 22 of the multifunction machine 10 checks whether or not the designated storage location is registered in the storage location management table (S2, S3). This processing is processing when the user directly inputs the storage location address information from the keyboard or the like, and when the user selects the storage location from the storage location list, these processing is unnecessary (of course. Exists in that table). If it is determined in step S3 that the input storage location is not in the storage location management table, the control unit 22 displays an error message such as “no corresponding storage location” on the screen of the operation unit 20 ( S4).

  When the input storage location is in the storage location management table, the control unit 22 checks the “encryption” flag of the storage location in the table, and indicates that the flag indicates “not encrypted”. Causes the scanner 18 to scan a document, and transmits the image file obtained as a result to the designated storage location via the network 30 (not shown). When the “encryption” flag is “encrypt”, the control unit 22 refers to the disclosure destination list of the table to obtain a disclosure destination user, and public key data (certificate) of each user. Is acquired (S5). Specifically, the control unit 22 acquires a user ID and a group name from the disclosure destination list, and in the case of the group name, further refers to the group management table (FIG. 3) to obtain the user ID of the user belonging to the group. . Thereby, each user who becomes a disclosure destination of the file in the designated storage location can be specified. Then, the public key data of each user is acquired with reference to the user management table (see FIG. 2).

  Next, the control unit 22 causes the key verification unit 16 to verify whether the acquired public key data of each disclosure destination user is valid (S6). The key verification unit 16 determines whether or not the validity period of the public key data (certificate) has expired and / or whether or not the public key is on a CRL (revocation list) issued by the certificate authority. By determining, it is determined whether or not the public key data is valid. Since the determination of effectiveness is a conventional technique, further explanation is omitted. When there are a plurality of disclosure destination users, this verification is executed for each user.

  If at least one of the public key data of the disclosure destination users is invalid, the control unit 22 displays “the public key certificate of the user associated with the designated storage location” on the display screen of the operation unit 20. An error message such as "There is an invalid one" is displayed (S8), and the public key certificate is invalid for the subject's email address indicated in the public key certificate determined to be invalid. A message to that effect (a message prompting for certificate renewal may be included) or the like is transmitted by e-mail (S9).

  If it is determined in step S7 that all public key certificates of the disclosure destination user corresponding to the storage location are valid, the control unit 22 causes the scan 18 to scan the document (S10). Then, the control unit 22 passes the image data obtained as a result of the scan and the public keys of the respective disclosure destination users to the encryption unit 14. Using the public key, the encryption unit 14 encrypts the image data so that only those disclosure destination users can decrypt them (S11). In this encryption process, for example, image data is encrypted with a session key, and for each disclosure destination user, the session key is encrypted with the disclosure destination user's public key, and the resulting disclosure destination user is encrypted. The key is packaged into a single file together with the encrypted image data. The disclosure destination user can obtain a session key by decrypting any of the encrypted keys included in the encrypted file with his / her private key, and can decrypt the image data with the session key. For example, in a file format called PDF (Portable Document Format), a file that can be decrypted by one or more designated users can be created.

  When the encrypted file is created, the control unit 22 transfers the encrypted file to the designated storage location and stores it (S12). And the control part 22 calculates | requires the mail address of each disclosure destination user from a user management table, and transmits the email which notifies that the encrypted image file was shown to the storage location with respect to each of those mail addresses. (S13). This e-mail may indicate link information (for example, URL) to the file. The user who receives this mail accesses the storage location, acquires the encrypted file, decrypts it with his / her private key, and uses it.

  As described above, according to the present embodiment, the information of the disclosure destination user is registered in association with the candidate for the storage location of the encrypted file. Therefore, if the storage location is designated, the disclosure destination user is specified. can do. If the disclosure destination users are known, the public keys of the respective disclosure destination users can be acquired. By encrypting the image data using these public keys, it is possible to create an encrypted file that can be decrypted only by those disclosure destination users. As described above, according to the present embodiment, since the user does not need to designate individual disclosure destination users, there is an advantage that the operation burden is small.

  Moreover, even if a group is specified as a disclosure destination, the apparatus according to the present embodiment can identify a user belonging to the group and acquire information on the public key of the user. Therefore, in this embodiment, if a group is registered in the storage location management table as a disclosure destination, it is not necessary to register individual users belonging to the group, so that the workload for registering and correcting the storage location management table is reduced. Can be reduced.

  In the above example, the user management table, the group management table, and the storage location management table are each provided in the storage device in the multifunction device 10, but instead of these tables, all or a part of these tables are stored in the multifunction device. 10 may be provided in a server outside the server, and a table in the server may be used from the storage device. Of course, each table may be in a separate server. For example, information managed by an external LDAP (Lightweight Directory Access Protocol) server can be used as the user management table and / or the group management table. In many cases, a LDAP (Distinguished Name) as user identification information and a user's e-mail address are registered in the LDAP server. User information and group information stored in an existing user management server can also be used as the user management table and / or group management table.

  Further, each storage location has information indicating the disclosure destination corresponding to the storage location, and when the MFP 10 accumulates data in the storage location, the information on the disclosure destination (user of the disclosure destination) is stored from the storage location. ID or group name alone or public key certificate may be obtained), and the public key of each disclosure destination may be acquired based on this information.

  In the above example, three tables, ie, a user management table, a group management table, and a storage location management table are used. However, the implementation of the present invention is not limited to this. For example, a table in which these three types of tables are combined into one can be used. That is, for example, for each storage location, a table in which the public key data of each disclosed user associated with the storage location and the public key data of each member of the disclosure destination group associated with the storage location is prepared. And may be used.

  In the above example, one encrypted data that can be decrypted by each disclosure destination user is created. However, the present invention is not limited to this. For example, for each disclosure destination user, the input data is encrypted with the public key of the user, and the user Each piece of encrypted data may be created and stored in a storage location.

  In the above description, the multifunction peripheral is taken as an example, but the application of the present embodiment is not limited to the multifunction peripheral. For example, the present embodiment can also be applied to a system including a personal computer (abbreviated as PC) and a scanner device connected thereto. In this case, the various management tables described above are held in the PC. In addition, the above-described process of accepting designation of the storage location or encrypting the image read by the scanner device into a form that can be decrypted by each disclosure destination user corresponding to the designated storage location is performed by the PC. This is realized by executing a program describing the processing contents.

  In the above description, the case where the scanned image is encrypted and stored is taken as an example. However, the application of the present embodiment is not limited to the scanned image. For example, the processing of the above-described embodiment can be applied to a device that encrypts image data input from another device and stores it in a designated storage location. Of course, the method of the above embodiment can also be applied to an apparatus that stores various application data other than image data, such as document data and audio data, in a specified storage location after encryption. The data to be encrypted and stored may be generated within the device or received from another device.

It is a figure which shows the structural example of the system of embodiment. It is a figure which shows the example of the data content of a user management table. It is a figure which shows the example of the data content of a group management table. It is a figure which shows the example of the data content of a storage location management table. 10 is a flowchart illustrating a processing procedure of the multi-function peripheral when executing ScanToServer processing.

Explanation of symbols

  10 MFP, 12 HDD, 14 encryption unit, 16 key verification unit, 18 scanner, 20 operation unit, 22 control unit, 24 LAN I / F, 30 network, 40 external server.

Claims (8)

A designation receiving unit for accepting designation of a storage location for storing input information from a user;
Disclosure destination identification that identifies a plurality of disclosure destinations having access rights to a storage location designated for the designated receiving unit based on storage location management information indicating a plurality of disclosure destinations having access rights to the storage location And
An encryption unit that encrypts the input information so that a user of each specified disclosure destination can decrypt the input information by using a public key corresponding to each disclosure destination specified by the disclosure destination specifying unit ;
A transfer unit that transfers the encrypted information to the encryption unit has generated to the designated storage location,
An encryption transfer apparatus comprising: The encryption transfer device according to claim 1,
Further comprising a storage location, a plurality of disclosee with access to the storage location, the correspondence holding unit that holds the correspondence relationship, and
The disclosure destination specifying unit specifies a plurality of disclosure destinations having an access right to a storage location designated for the designation receiving unit from correspondence relationships held by the correspondence holding unit
An encryption transfer apparatus characterized by that. The encrypted transfer device according to claim 2, wherein
A group information holding unit for holding a correspondence relationship between the group and users belonging to the group;
When a group is registered in the correspondence relationship holding unit as a disclosure destination corresponding to a specified storage location, the encryption unit obtains each user belonging to the group from the group information holding unit, and discloses those users By using a key, the input information is encrypted so that each user can decrypt the input information.
An encryption transfer apparatus characterized by that. The encryption transfer device according to claim 1,
The disclosure destination specifying unit corresponds to a specified storage location from a correspondence relationship holding unit outside the encryption transfer device that holds a correspondence relationship between a storage location outside the encryption transfer device and a disclosure destination. Specify the disclosure destination,
An encryption transfer apparatus characterized by that. The encryption transfer device according to claim 1,
The disclosure destination specifying unit specifies a plurality of disclosure destinations having access rights to the storage location by referring to the disclosure destination information stored in the storage location specified for the designated receiving unit .
An encryption transfer apparatus characterized by that. The encryption transfer device according to claim 1,
An e-mail indicating that the e-mail address of each of a plurality of disclosure destination users who have access rights to the designated storage location for the designated receiving unit is obtained and the encrypted information is stored in the designated storage location A mail sending part to send to each of those email addresses
An encryption transfer apparatus further comprising: The computer,
A designation receiving unit for accepting designation of a storage location for storing input information from a user;
Disclosure destination identification that identifies a plurality of disclosure destinations having access rights to a storage location designated for the designated receiving unit based on storage location management information indicating a plurality of disclosure destinations having access rights to the storage location Part,
An encryption unit that encrypts the input information so that a user of each specified disclosure destination can decrypt the input information by using a public key corresponding to each disclosure destination specified by the disclosure destination specifying unit;
Transfer unit that transfers the encrypted information to the encryption unit has generated to the designated storage location,
Program to function as.   The encrypted transfer device according to claim 1,
  The validity of the public key corresponding to each of the disclosure destinations specified by the disclosure destination specifying unit is confirmed, and if even one of the public keys corresponding to each of the disclosure destinations is invalid, the encryption is performed. A control unit that controls the encryption of the input information by the unit and the transfer by the transfer unit not to be executed, and notifies the disclosure destination corresponding to the invalid public key that the public key is invalid, An encryption transfer apparatus further comprising:

Images