JP5011214B2 - Information equipment management system, information processing apparatus, and IC card - Google Patents

Description

  The present invention relates to a technology for controlling access to information recorded in an information device, and particularly provides portable information devices such as a notebook PC and means for preventing leakage of information recorded in a storage medium.

  Portable information devices have a high risk of theft and loss, and there is a high possibility of information leakage if confidential information is recorded inside.

  As a means for preventing information leakage, conventionally, a method of protecting data by encryption has been widely used. Furthermore, a method for classifying electronic files according to the level of confidentiality and the scope of disclosure and controlling access rights is known.

  Also, there is a method in which information is not stored in the portable PC itself, but all information is placed on a server and accessed via a communication line.

  Further, as a method for controlling the access authority to data according to the user's whereabouts, for example, in Patent Document 1, information on whereabouts is acquired from an IC card for managing entrance / exit owned by the user, and the information is used to obtain data. A method is disclosed in which access to data is controlled according to the location of the user by determining whether access to the data is possible.

  Furthermore, for example, Patent Document 2 discloses a method for controlling the reference of data stored in a portable device in accordance with an entrance / exit mode.

JP 2008-65376 A JP2008-9609

  In the conventional data encryption method, since the user performs encryption and decryption operations, there are problems that the operation is complicated and it is essentially difficult to eliminate operation errors. Furthermore, the effect of preventing the intentional take-out of confidential information, which accounts for the majority of serious information leaks, was not sufficient.

  In addition, the method of placing all information on a server and accessing it via a communication line has a risk that the operability greatly depends on the quality of the communication line and the necessary information cannot be accessed when necessary.

  In the method disclosed in Patent Document 1, the file access management terminal device connected to the terminal device via a network is set by the file access management terminal device connected to the terminal device via a network. Protection against decryption such as access could not be realized, and data in the device could not be kept safe from loss or theft of a portable information processing device.

  Further, the method disclosed in Patent Document 2 changes whether or not the entire portable device is accessible, and cannot classify according to the level of confidentiality of data or the disclosure range and control the access authority. Furthermore, since a means for changing whether or not access is possible when the power of the portable device is off is not disclosed, it is not guaranteed that the data in the portable device is kept safe when the power is off, and convenience for the user is impaired. There was a risk of being lost.

  Of the inventions disclosed in this application, the outline of typical ones will be briefly described as follows. The information processing apparatus has a recording medium for recording data, and the IC card records an encryption key and information indicating whether or not the encryption key can be used in association with each other. Data recorded on the recording medium is encrypted using an encryption key, and information indicating whether or not the encryption key can be used is set based on a command transmitted from the IC card reader.

  According to the present invention, when taking an information device to the outside, it is possible to make it impossible to decrypt confidential information without complicated operations by the user, and even when the information device is stolen or lost. It is possible to prevent leakage of confidential information.

  Furthermore, by using a non-contact IC card that can operate even when the information device is not operating, it is possible to change the encryption key to an impossible state without turning on the power of the PC, for example. Thereby, the process at the time of carrying out can be performed in a short time.

  Before describing this embodiment, features of the present invention will be described. In the data access control method according to the present invention, whether or not the information recorded in the portable information device can be decrypted is controlled in conjunction with take-out management of the information device.

  Specifically, a non-contact IC card is attached to the information device, and a key for encryption / decryption of information is stored in the IC card. When taking information equipment outside, the IC card reader installed at the exit gate is used to make the encryption key unavailable. This makes it impossible to access data that should be kept secret without depending on the user's operation, and it is possible to prevent leakage of confidential information even if the information device is lost.

  Further, the non-contact IC card is configured to be operable by supplying power from the non-contact IC card reader even when the information device is not operating. Thereby, it is possible to guarantee the safety of data even when the information device is not in operation and to improve the convenience for the user.

  Further, the encryption key for decrypting the confidential data is stored in a tamper-resistant IC card attached to the information device. As a result, security can be ensured against decryption of an encryption key using physical means such as opening, current observation by needle contact, and unauthorized use.

  Furthermore, the electronic information in the information device is classified according to the level of confidentiality and the range that can be disclosed, and a different label is assigned to each type, and encryption is performed using different encryption keys. When there is confidential information to be provided to a specific partner in the information equipment to be taken outside, an encryption key for decrypting the information is made available. Thereby, it becomes possible to prevent leakage of confidential information that is not a subject of disclosure while ensuring convenience.

  FIG. 1 shows a configuration of a PC, a contactless IC card reader, and a server according to an embodiment of the present invention.

  The PC 1 includes a non-contact IC card 108. The non-contact IC card 108 includes an antenna 107 for performing non-contact communication with an IC card reader, an RF circuit 113, and a non-volatile memory 115. The non-volatile memory 115 includes a card identifier 116, an authentication key 117, and a device identifier 118. Record. Further, the security mode 119, the trusted site authentication key 120, the plurality of encryption keys 121 to 123, and the availability flags 124 to 126 corresponding to the encryption keys are recorded. Here, the high-reliability site authentication key 120 is a criterion for receiving a security mode change command from the IC card reader and determining whether the security mode can be changed to the normal mode. This is to distinguish whether it is a highly secure site in the IC card.

  The non-contact IC card has a power generation circuit 112 and can operate by wireless power supply from the IC card reader 2 even when the PC is not turned on. The non-contact IC card 108 is also connected to the PC power source 106 and can operate by supplying power from the PC power source. The non-contact IC card 108 executes the processing described with reference to FIGS. 3 and 6 by operating the CPU 110 and the memory control circuit 111 in the controller 109 with these power supplies.

  The PC 1 has a hard disk device 102 (denoted as HDD) for recording information, and a main board 101 for controlling access of information recorded in the hard disk device, and records various electronic files 104 in the HDD 102. Each electronic file 104 is provided with a label 103, and is encrypted and recorded with an encryption key corresponding to each label.

  The IC card reader 2 communicates with the antenna 201 for performing communication with the IC card 108 by non-contact communication, the RF circuit 202, the controller 203 for controlling operation, the nonvolatile memory 204 for storing the control program and data, and communication with the server. It has a communication interface 205 for performing.

  The server 3 has an information device take-out procedure DB 301 and an information device management DB 307. Each entry in the information device take-out procedure DB 301 includes a user ID 302, a device ID 303, a take-out permission period 304, a label 305, and a status 306. Here, the label 305 is attribute information of data based on the level of confidentiality of data and the range that can be disclosed. Each label is associated with one or more data. The status 306 indicates a history such as whether or not the information device has been taken out. The server 3 registers the authorization contents as each entry when the information device take-out application is approved. The information device take-out application can be performed by an electronic workflow, for example.

  Each entry in the information device management DB 307 includes a device ID 308, a status 309, and a latest reading reader ID 310, and the information is updated when the IC card reader reads the IC card attached to the information device.

  FIG. 2 is a diagram showing the concept of operation of the portable information device according to the present invention.

  A gate for entering / exiting management is provided between the office where the user normally operates and the outside, and the opening / closing of the gate is controlled by authenticating the entering / exiting person. For example, a non-contact IC card is used to authenticate the entrance / exit.

  When a user carries a PC when leaving the room, the IC card attached to the PC is read by an IC card reader. As a result, the PC is set to the secure mode or the semi-secure mode.

  For example, when the user arrives at a location where pre-registered security is maintained, such as another department in the company, the IC card attached to the PC is read by the IC card reader at the entrance gate. As a result, the PC is changed to the normal mode, and the confidential information on the PC can be accessed. Here, the normal mode is a mode in which all information can be accessed, the secure mode is a mode in which only information permitted to be disclosed is accessible, and the semi-secure mode is information in which browsing is permitted. This mode can only be accessed.

  In addition, when confidential information is disclosed in a specific place (for example, a business trip destination), the secure mode is set when the user leaves the office, and the secure mode is applied when the specific location (eg a business trip destination) enters the room. Set to secure mode. Alternatively, when the reader reads the IC card attached to the PC when leaving, the reader can also set the PC to semi-secure mode. These mode settings are realized by the IC card reader reading the IC card and using information registered in the server in advance. Specifically, the PC to be taken out and the label of the target data are registered in the server in advance. Then, when the user leaves or enters the room, the setting can be changed to the semi-secure mode by reading the IC card with the IC card reader. In addition, when the IC card reader reads when the user leaves, the setting may be changed to the secure mode.

  In this way, when set to secure mode, it is impossible to access data that should be kept confidential regardless of user operations, and even if an information device is lost, leakage of confidential information can be prevented. become.

  In addition, when the semi-secure mode is set, when there is confidential information that should be provided to a specific partner among the information devices to be taken outside, the convenience is ensured and at the same time leakage of confidential information that is not subject to disclosure It becomes possible to prevent.

  FIG. 3 is a diagram showing a processing flow of the IC card when the IC card reader 2 reads the IC card 108 attached to the PC 1 when entering or leaving the room in FIG.

  When power is obtained from the reader's electromagnetic field, the IC card is first reset (310), and then performs mutual authentication with the reader (311). For mutual authentication between the IC card and the reader, for example, challenge-response type authentication using an encryption key is used.

  When the IC card confirms that the reader is a legitimate reader, it receives a command from the reader (312).

  When a command from the reader is received, it is checked whether it is a security mode change command (313). When the security mode change command is received, it is checked whether the requested security mode can be changed based on the trusted site authentication key or the like (314). If the transition is possible, the designated security mode is changed (315), and it is further checked whether there is a data label to be disclosed in the command (316). If there is a data label to be disclosed, the availability flag of the encryption key corresponding to the label is set to a “usable” state (317), and the process is stopped (318). If the command is not a security mode transition command, the IC card performs other processing based on the received command (319).

  If the requested security mode cannot be changed, the reader is notified of the security mode change failure (320). When the IC card reader receives a security mode change failure response, it issues a warning sound (321) and stops (322).

  FIG. 4 is a diagram showing a control flow of the IC card reader installed at the exit gate.

  In the standby state (401), when the IC card reader detects an IC card that can be read within the communicable range (402), it performs mutual authentication with the card (403). For mutual authentication between the IC card and the reader, for example, challenge-response type authentication using an encryption key is used.

  After confirming that the IC card is genuine, the information device take-out procedure DB is inquired (405), whether the target information device is permitted to be taken out (405), and the take-out application has been approved. In the case of, a change command to the secure mode or semi-secure mode is transmitted (407). Further, when there is a label of the data to be taken out, a command requesting to change the encryption key corresponding to the label to “available” is transmitted (409), and information is stored in the status 306 of the information equipment take-out procedure DB. Is registered and the process is terminated (411). If the IC card is not a legitimate IC card and the approval of the take-out procedure has not been completed, the reader emits a warning sound and returns an illegal status to the IC card (412), and the process ends (413).

  FIG. 5 shows a communication sequence between the IC card reader and the IC card at the exit gate.

  When the reader detects the IC card, the IC card and the reader perform mutual authentication (501). Thereafter, the reader inquires about the device ID and security mode of the IC card (502), and the IC card returns a response message (503).

  The reader inquires the server's take-out procedure DB of the device ID (504). The server searches the take-out procedure DB using the device ID (506), and when the take-out procedure is completed, returns the result including the label of the data to be disclosed to the reader (507).

  When the take-out procedure is completed, the reader transmits a security mode change command to the IC card (508). The IC card changes the security mode in accordance with the contents of the command (509), and when the change is correctly made, it responds completion (510).

  Further, when there is data to be disclosed, the reader transmits an encryption key availability flag change command for making the encryption key corresponding to the object data available (511). The IC card changes the encryption key availability flag (512). When the setting is completed, the IC card returns a completion response to the reader (513). The reader transmits a device status change record to the server (514), and the server updates the device management DB and the information device take-out procedure DB (515).

  FIG. 6 is a diagram showing a processing flow of the IC card attached to the PC when entering the premises.

  When power is obtained from the reader's electromagnetic field, the IC card is first reset (601), and then performs mutual authentication with the reader (602). For mutual authentication between the IC card and the reader, for example, challenge-response type authentication using an encryption key is used.

  When the IC card confirms that the reader is a legitimate reader, it receives a command from the reader (603).

  When a command from the reader is received, it is determined whether it is a security mode change command (604).

  If it is not a security mode transition command, the IC card performs other processing based on the received command (612). If the command is a security mode transition command, the IC card checks whether the security mode can be changed using the site identifier recorded in advance in the reader and transmitted and the authentication key held in the IC card (605). Specifically, when the site identifier corresponds to the trusted site authentication key, the IC card sets the security mode to “normal mode” (606) and ends the processing (607). If the site identifier corresponds to a pre-registered information disclosure destination authentication key, the IC card sets the security mode to “semi-secure mode” (608) and checks whether there is a label indicating the information to be disclosed. If there is data to be disclosed (609), the encryption key corresponding to the label is set to “available” (610), and the process is terminated (611). If it is determined that the site identifier does not belong to any of the above, it responds to the reader that the request is invalid (613) and stops (614).

  As described above, a non-contact IC card is attached to an information device, and an information encryption / decryption key is stored in the IC card. When taking information equipment outside, use an IC card reader installed at the exit gate to make the encryption key unavailable or use only a specific encryption key. This makes it impossible to access data that should be kept secret without depending on the user's operation, and it is possible to prevent leakage of confidential information even if the information device is lost.

  In addition, the non-contact IC card is configured to be operable by supplying power from the non-contact IC card reader even when the information device is turned off. Thereby, it is possible to guarantee the safety of data even when the information device is not in operation, and to reduce the load on the user.

  FIG. 7 is a diagram showing a processing flow of the IC card when a file containing confidential information is accessed on the PC. Note that communication between the PC and the IC card is performed via a communication path 111 in the PC.

  The IC card is reset by a command from the PC (701), and then performs mutual authentication with the PC (702). When a command from the PC is received (703), the content of the command is determined. When the command is an encryption key use request command (703), the current security mode is determined (704).

  In the normal mode, the requested encryption key is returned (706) and stopped (707). In the case of the semi-secure mode, the availability flag of the requested encryption key is referred to (705), and in the case of “usable”, the encryption key is returned to the PC (706) and stopped (707). If it is in the secure mode, and if the encryption key availability flag is “unusable” in the semi-secure mode, a message of “unusable encryption key” is returned to the PC (708), and then stopped (707) .

  In this way, when a file containing confidential information is accessed on a PC, it is possible to prevent leakage of confidential information by determining whether or not the encryption key can be used according to the security mode of the IC card. Become.

  FIG. 8 is a diagram showing a communication sequence between the PC and the IC card when a file containing confidential information is accessed on the PC.

  When an encrypted file containing confidential information is accessed on the PC (801), the PC resets the IC card (802), performs mutual authentication with the IC card (803), and encrypts the IC card. A key use request command is sent (804).

  The IC card determines the security mode (805), determines whether the encryption key corresponding to the label can be used (806), and supplies the encryption key to the PC (807). The PC receives the encryption key and decrypts the file (808).

  FIG. 9 shows a state transition diagram of the security mode of the PC according to the embodiment of the present invention. The PC has a “normal mode” (901), a secure mode (902), and a semi-secure mode (903). The PC is set to “normal mode” at a high-reliability site such as an office, and transitions to “secure mode” when the exit gate passes (904). When entering the high-reliability site, the mode changes again to the “normal mode” (906,907). When entering a pre-registered confidential information disclosure destination such as a visit destination, the mode transits to the “semi-secure mode” (908). The PC in the “semi-secure mode” is set to the “secure mode” again when leaving the visited site (905).

  In the above embodiment, the method of changing the security mode by reading the IC card installed in the PC to the IC card reader installed at the entrance / exit management gate was shown, but the change of the security mode is not limited to this. It is possible to take a method according to the surrounding environment, the method of entrance / exit management, and the like. For example, an IC card reader is placed in an office where normal business is performed, and when taking out the PC, the IC card reader loaded in advance is read by the IC card reader and changed to the secure mode. The IC card reader installed at the entrance / exit management gate can verify whether the secure mode is set, and can issue a warning if the secure mode is not set. By using an IC card reader in the office where normal operations are performed, user operability can be improved when changing the secure mode.

  For the transition between the secure mode and the semi-secure mode, in addition to the method of setting the “secure mode” when leaving from the visited site as described above, the time to be set to the “semi-secure mode” is determined in advance, It can also be configured to be set to the “secure mode” when a given time has elapsed. Thereby, safety can be ensured even if the information device is stolen or lost.

  As another method of changing the security mode, for example, a GPS (Global Positioning System) terminal can be connected to the PC, and when the PC is in a predetermined location, it can be configured to shift from the secure mode to the semi-secure mode. Is possible.

  In the above embodiment, the data storage medium is a hard disk device with a built-in PC. However, the present invention is not limited to this, and an external storage medium connected to the PC, such as an external hard disk device or a USB memory, may be used. Further, it may be a recording medium such as a CDROM or DVD accessed from a PC via a drive device.

  In the above-described embodiments, the method for controlling whether or not data access is possible according to whether or not the encryption key is used has been described. However, the data access control method is not limited to this. For example, the access authority information corresponding to the file label is stored in the IC card, and the file access processing is performed only when the file management system of the PC refers to the information in the IC card and is accessible when accessing the file. If the information in the IC card continues to be inaccessible, the processing can be suspended. As a result, data access can be speeded up.

  Also, in the above embodiment, when accessing an encrypted file on the PC, the PC reads the encryption key from the IC card and decrypts it. However, the present invention is not limited to this, and the PC is encrypted. It is also possible to send a file to the IC card and decrypt the file in the IC card. According to this method, since the encryption key is not read out of the IC card, safety can be improved.

  In addition, in the above embodiment, the encryption key for encrypting the data has shown a method for storing a different key in the IC card for each label which is the attribute information of the file. However, the present invention is not limited to this. It is also possible to have a single secret key and generate an encryption key from the label and the secret key. As a method for securely generating a file encryption key from a label and a secret key of an IC card, for example, an ID-based encryption method using elliptic curve pairing can be used. According to this method, since a different key for each label is generated at a necessary time, it is not necessary to store a large number of encryption keys in the IC card, and the use amount of the nonvolatile memory can be reduced.

  In the above example, a configuration in which a non-contact IC card is mounted on a PC is shown. However, the hardware configuration is not limited to this, and for example, a PC mounts a non-contact IC card reader in addition to a non-contact IC card. It is also possible to configure as described above.

  In another embodiment, the PC is provided with a non-contact IC card reader, and when the user has an IC card and accesses confidential information, the IC card reader mounted on the PC reads the IC card. It is also possible to do. The IC card can also be configured to serve as an IC card used for entrance / exit management.

  Further, the IC card can be configured to be built in a mobile phone, and the IC card can be configured to be able to communicate with the server via a communication line. In such a configuration, it is possible to safely change the security mode and set whether to use the encryption key from the server side via the communication line.

  Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments, and various modifications can be made. It is possible to appropriately combine the above-described embodiments. It will be understood by the contractor.

The present invention can be used for a portable information device having an information recording function.

It is an example of the figure which shows the structure of PC, an IC card reader, and a server by a present Example. It is an example of the figure which shows the concept of the PC management method by a present Example. It is an example of the figure which shows the processing flow of the IC card with which PC was mounted | worn. It is an example of the figure which shows the processing flow of the IC card reader installed in the exit gate. It is an example of the figure which shows the communication sequence of an IC card and a reader in an exit gate. It is an example of another figure which shows the processing flow of the IC card with which PC was mounted | worn. It is an example of a diagram showing a processing flow of an IC card mounted on a PC when accessing a file on the PC. It is an example in the figure which shows the communication sequence of PC and IC card at the time of accessing the file on PC. It is an example of the figure which shows the state transition of the security mode of PC by a present Example.

Explanation of symbols

1 PC
2 IC card reader 3 Server 101 Main board 102 Hard disk device 106 Power supply 108 IC card

Claims (9)

An information processing apparatus having a recording medium for recording data;
IC card,
An IC card reader, and the IC card records an encryption key and information indicating the availability of the encryption key in association with each other,
The data is encrypted using the encryption key,
Information indicating whether the encryption key can be used is set based on a command transmitted from the IC card reader. In claim 1,
The information equipment management system further includes a server having a database that records the identifier of the information processing apparatus and the attribute information of the data in association with each other,
The IC card reader receives the information processing apparatus identifier from the IC card,
The server specifies attribute information of data corresponding to the identifier of the information processing device received from the IC card reader based on the database,
The information device management system, wherein the information indicating whether or not the encryption key is usable is changed when the command includes attribute information of the specified data. In claim 1,
An information device management system, wherein information indicating whether or not the encryption key can be used is rewritten using an IC card reader of an entry / exit management system using the IC card. In claim 1,
The information device management system, wherein the IC card is a non-contact IC card built in the information processing apparatus and wirelessly communicates with the IC card reader. In claim 1,
The information processing apparatus is characterized in that the information processing apparatus incorporates the IC card reader. A recording medium for recording data;
An IC card that records an encryption key and information indicating whether or not the encryption key can be used in association with each other,
The data is encrypted using the encryption key,
An information processing apparatus characterized in that the information indicating whether or not the encryption key can be used can be changed using an IC card reader. In claim 6,
The information processing apparatus, wherein the IC card is a contactless IC card that communicates with the IC card reader wirelessly. Record the encryption key and information indicating whether or not the encryption key can be used,
Data recorded on the recording medium of the information processing apparatus is encrypted using the encryption key,
An IC card, wherein information indicating whether or not the encryption key can be used is set based on a command transmitted from an IC card reader. In claim 8,
An IC card built in the information processing apparatus and having a function of performing wireless communication with a non-contact IC card reader.

Images