JP5014977B2 - Terminal device, data management device, and computer program - Google Patents

Description

  The present invention relates to a terminal device, a data management device, and a computer program.

  Conventionally, as an information concealment technique, for example, a secret sharing method described in Non-Patent Document 1 is known. The secret sharing method is a method for securely storing original secret information by distributing and storing secret information by several people. The (k, n) threshold secret sharing method described in Non-Patent Document 1 is a kind of secret sharing method, and the secret information is divided into n pieces of divided information (shares) and stored, and k pieces of them are stored. If the above division information can be obtained, the original secret information can be restored.

In the prior art described in Patent Document 1, when certain data is shared, first, the data (M _G ) to be shared within the group is encrypted using a common key cryptosystem (E) using an encryption key (K _M ). _KM (M _G )). Then, K _M is encrypted (E _pk1 (K _M ),... With the public key (pk ₁ , ..., pk _N ) owned by all members (U ₁ , ..., U _N ) of the group. ., E _pkN (K _M )), list it, and store it on the server together with E _KM (M _G ). The group member (U _i ) who refers to the data obtains K _M (E _pki (K _M )) and E _KM (M _G ) encrypted with its own public key (pk _i ) from the list, and encrypts it. by decoding using its own secret key (sk _i) reduction has been K _M, obtaining a K _M. Then, E _KM (M _G ) is decrypted with K _M to obtain original data M _G.
A. Shamir, “How to share a secret”, Communications of the ACM, Vol. 22, No. 11, pp. 612-613, 1979 Japanese Patent Application Laid-Open No. 2005-223953

  However, in the technique described in Patent Document 1, when sharing data is disclosed, it is necessary to perform public key encryption processing for the number of group members (N), that is, N times, and the processing load on the data publisher increases. . In addition, when a terminal device owned by a group member is stolen or used by a malicious third party, there is a possibility that a secret key used for encrypting shared data may be leaked from the terminal device. is there. In this case, the leakage damage can be suppressed by updating the secret key, but the public key encryption process is performed N times as in the case of sharing data sharing, and the processing load is heavy.

  The present invention has been made in consideration of such circumstances, and its purpose is to contribute to ensuring the safety of shared data when a key leaks from a terminal device owned by a group member, and to share data. It is an object to provide a terminal device, a data management device, and a computer program that can reduce processing load at the time of disclosure.

  In order to solve the above problems, a terminal device according to the present invention includes a member terminal device belonging to a group sharing data among members, and a data management device connected to the terminal device via a communication line. The terminal device in the data sharing system having, generating a common share from a common share key common within the group and a master share unique to the own terminal, and the common share and its own terminal identifier to the data management device Terminal registration means for sending registration request, encrypting shared data by a common key cryptosystem using an encryption key, generating an encryption key share from the encryption key and the master share, the encrypted data, encryption key share and Data storage means for sending the terminal identifier of the terminal device to the data management device and requesting storage, encrypted data from the data management device and encryption for own use A data reference means for acquiring a share, restoring the encryption key using the encryption key share and the master share, and decrypting the encrypted data acquired from the data management device using the encryption key; It is characterized by.

  The data management device according to the present invention provides the data management in a data sharing system comprising: a terminal device of a member belonging to a group that shares data between members; and a data management device connected to the terminal device via a communication line A terminal registration unit that records a shared share and a terminal identifier that are requested to be registered by the terminal device, and encrypted data that is requested to be stored by the terminal device, an encryption key share, and a terminal identifier. A data storage unit that records a pair of an encryption key share and a terminal identifier in association with each other, encrypted data stored in the data storage unit requested to be referenced from the terminal device, and an encryption key for the requesting terminal device Data reference means for sending the share to the requesting terminal device.

  In the data management device according to the present invention, when the encryption key share for the terminal device of the data reference request source is not recorded in association with the encrypted data to be referred to, the data reference means stores the encrypted data to be referred to Generates the encryption key share for the terminal device of the data reference request source from the encryption key share for the arbitrary terminal device recorded in association with the common share of the terminal device and the common share of the terminal device of the data reference request source The encryption key share for the terminal device that is the data reference request source is recorded in association with the encrypted data to be referred to.

  In the terminal device according to the present invention, the shared data to be updated is encrypted by the common key encryption method using the encryption key, the encryption key share is generated from the encryption key and the master share, the encrypted data, the encryption key Data update means for sending a share and its own terminal identifier to the data management device and requesting an update is provided.

  The data management device according to the present invention is characterized by comprising data updating means for rewriting the storage data to be updated with the encrypted data to be updated, encryption key share and terminal identifier received from the terminal device.

  In the data management apparatus according to the present invention, the data updating unit updates an unupdated encryption key share recorded in association with the encrypted data to be updated to an encryption key share corresponding to the updated encryption key. It is characterized by that.

  In the data management apparatus according to the present invention, the data update means collectively updates the encryption key share.

  In the data management device according to the present invention, the data update means updates the encryption key share at the time of data reference for each terminal device.

  The data management device according to the present invention is characterized in that it comprises an environment transition means for erasing all data relating to terminal devices that have expired as terminal devices of members belonging to the group.

A computer program according to the present invention is provided in the terminal device of a data sharing system including a terminal device of a member belonging to a group that shares data among members, and a data management device connected to the terminal device via a communication line. A computer program for performing data sharing processing, wherein a common share is generated from a common share key common within the group and a master share unique to the own terminal, and the data management is performed on the common share and the own terminal identifier. A terminal registration function that sends a registration request to the device, and encrypts the shared data by a common key encryption method using the encryption key, generates an encryption key share from the encryption key and the master share, and the encrypted data, encryption key A data storage function for sending a share and its own terminal identifier to the data management device and requesting storage; Obtaining encrypted data and a self-use encryption key share from the device, restoring the encryption key using the encryption key share and the master share, and obtaining the encrypted data obtained from the data management device using the encryption key A data reference function for decoding is realized by a computer.
As a result, the terminal device described above can be realized using a computer.

The computer program according to the present invention provides the data management device of a data sharing system comprising: a terminal device of a member belonging to a group that shares data among members; and a data management device connected to the terminal device via a communication line A computer program for performing a data sharing process in which a terminal registration function that records a common share and a terminal identifier requested to be registered in association with a terminal device, encrypted data requested to be stored from the terminal device, and encryption key share And a terminal identifier, a data storage function for associating and recording a set of encryption key shares and terminal identifiers with respect to encrypted data, encrypted data stored in the data storage means requested for reference from the terminal device, Data reference function for sending encryption key share for requesting terminal device to requesting terminal device , Characterized in that to realize the computer.
As a result, the data management apparatus described above can be realized using a computer.

  According to the present invention, it is possible to contribute to ensuring the safety of shared data when a key leaks from a terminal device owned by a group member, and to reduce the processing load when the shared data is disclosed. can get.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram showing the overall configuration of a data sharing system according to an embodiment of the present invention. In FIG. 1, a group member terminal 1 is a member terminal device belonging to a group that shares data among members. FIG. 1 shows N group member terminals 1-1 to N. A group member terminal (hereinafter referred to as a terminal) 1 can access the storage server 2 via the communication network 4 and send / receive data to / from the storage server 2. The communication network 4 may be a wireless network or a wired network. For example, the communication network 4 may be composed of the Internet, a fixed telephone network, a mobile telephone network, and the like.

  The terminal 1 may be a device that can be used while moving (for example, a portable device), or may be a device that is used fixedly (for example, a stationary device such as a personal computer). . Examples of the portable terminal device include a mobile communication network terminal device provided by a mobile communication carrier (for example, a mobile phone having a data communication function, a data communication terminal device, etc.), a PDA (Personal Digital Assistants: personal). Information equipment). In the case of a PDA, a communication unit may be built in or a communication unit may be connected from the outside.

  The terminal 1 includes an arithmetic processing unit, a storage unit, a communication unit, an input unit, a display unit, an external interface, and the like. The arithmetic processing unit includes a CPU (central processing unit), a memory, and the like. The storage unit is, for example, a hard disk device, a magneto-optical disk device, an optical disk device such as a DVD (Digital Versatile Disk), a nonvolatile memory such as a flash memory, a volatile memory such as a DRAM (Dynamic Random Access Memory), etc. It is comprised by a memory | storage device or those combination. The storage unit stores various data such as a computer program executed by the CPU. The communication unit performs data communication via the communication network 4. The input unit includes input devices such as a keyboard, a numeric keypad, and a mouse, and performs data input according to user operations. The display unit includes a display device such as a CRT (Cathode Ray Tube) or a liquid crystal display device, and performs data display. The external interface directly transmits / receives data to / from an external device by wire or wireless.

  The terminal 1 implements a data sharing function when the CPU executes a computer program. The computer program for realizing the data sharing function may be fixedly installed in the terminal 1, or may be downloaded via a communication line when the computer program on the server is necessary.

  The storage server 2 includes an arithmetic processing unit including a CPU and a memory, a storage unit including a storage device such as a hard disk device, a communication unit, and the like. The storage unit stores various data such as data sent from the terminal 1. The data storage function of the storage server 2 is realized by the CPU of the storage server 2 executing a computer program for realizing the data storage function.

  The key management server 3 includes an arithmetic processing unit including a CPU and a memory, a storage unit including a storage device such as a hard disk device, and the like. The storage unit stores various data related to key management. The key management function of the key management server 3 is realized by the CPU of the key management server 3 executing a computer program for realizing the key management function. The key management server 3 may have a communication unit and be connected to the communication network 4, or may not have the communication unit and be not connected to the communication network 4. When connected to the communication network 4, the key management server 3 can send and receive data between the terminal 1 and the storage server 2 via the communication network 4. The key management server 3 transmits and receives data between the terminal 1 and the storage server 2 via the external device 5 when not connected to the communication network 4. The external device 5 is a recording medium capable of writing and reading data. As the external device 5, for example, a memory card, an IC card, a USB (Universal Serial Bus) memory, or the like can be used.

  Hereinafter, the operation of the data sharing system shown in FIG. 1 will be sequentially described in detail.

[Member terminal registration stage]
First, the member terminal registration process will be described with reference to FIG.
FIG. 2 is a sequence chart showing the procedure of the member terminal registration stage of the data sharing process according to the present embodiment. In Figure 2, the group members (user identifier (user ID) = UID _i) of the terminal 1-i (terminal identifier (terminal ID) = ID _i) is to be registered.

Step P1-0; key management server 3 generates a common share key CK _G in advance for the group.
Step P1-1; key management server 3 to the terminal 1-i, to distribute a common share key CK _G. This key distribution method may be distributed via a secure communication path or may be distributed via the external device 5. Further, the key management server 3 sends the user ID (UID _i ) of the member of the terminal 1-i and the authentication information AUTH _i to the storage server.

Step P1-2: The terminal 1-i randomly generates a master share MS _i . The master share MS _i is calculated by the following formula.
MS _i = (X _{MS, i} , Y _{MS, i} )
X _{MS, i} = h (ID _i )
Here, h is a hash function. Y _{MS, i} is generated randomly. Here, the absolute values of _{XMS, i} and _{YMS, i} are not more than the key length b of the common key cryptosystem.

Step P1-3; terminal 1-i from the key CK _G and the master share MS _i for the common share generates a common share CS _i. The common share CS _i is calculated by the following formula.
CS _i = (X _{CS, i} , Y _{CS, i} )
X _{CS, i} = h (ID _i || r ₁ )
Y _{CS, i} = f _i (X _{CS, i} )
However, “ID _i || r ₁ ” is concatenated data of ID _i and r ₁ . r ₁ is a random number. f _i (x) is a polynomial such that “f _i (x) = {(Y _{MS, i} −CK _G ) / X _{MS, i} } × x + CK _G mod (2 ^b −1)”. x mod (y) is a value obtained by taking modulo y with respect to x.

Step P1-4: The terminal 1-i prompts the user to input authentication information. The user inputs a user ID (UID _i ) and authentication information AUTH _i ′ as information for user authentication.
Step P1-5: The terminal 1-i transmits the terminal ID (ID _i ), user ID (UID _i ), authentication information AUTHi ′, and common share CS _i to the storage server 2.

Step P1-6: The storage server 2 verifies the user ID (UID _i ) and authentication information AUTHi ′ received from the terminal 1-i based on the user ID and authentication information received from the key management server 3. When the storage server 2 can confirm that the user of the terminal 1-i is a valid user, the storage server 2 records the terminal ID (ID _i ) and the common share CS _i received from the terminal 1- _i in association with each other.

Step P1-7; terminal 1-i deletes the key CK _G and the common share CS _i for the common share. Incidentally, if the common share key CK _G is distributed via the external device 5, also erases the common share key CK _G in the external device 5.
The terminal 1-i holds a terminal ID (ID _i ) and a master share MS _i .

[Data storage stage]
Next, the data storage stage process will be described with reference to FIG.
FIG. 3 is a sequence chart showing the procedure of the data storage stage of the data sharing process according to the present embodiment. In FIG. 3, the user performs an operation for saving the shared data _MG in the storage server 2 using the terminal 1-i.

Step W1-1; user, generates a shared data M _G by operating the terminal 1-i.
Step W1-2; terminal 1-i is a cryptographic key K _d randomly generated by encrypting the shared data M _G by a common key encryption method using an encryption key K _d, the encrypted data E _Kd (M _G) Is generated. After encryption, the shared data _MG is deleted.

Step W1-3: The terminal 1-i generates an encryption key share S _{Kd, i} using the master share MS _i . The encryption key share S _{Kd, i} is calculated by the following equation.
S _{Kd, i} = (X _{Kd, i} , Y _{Kd, i} )
X _{Kd, i} = X _{CS, i}
Y _{Kd, i} = g _d (X _{Kd, i} )
Here, g _d (x) is a polynomial that becomes “g _d (x) = {(Y _{MS, i} −K _d ) / X _{MS, i} } × x + K _d mod (2 ^b −1)”. Master share MS _i = (X _{MS, i} , Y _{MS, i} ).

Step W1-4: The terminal 1-i prompts the user to input authentication information. The user inputs a user ID (UID _i ) and authentication information AUTH _i ′ as information for user authentication.
Step W1-5; the terminal 1-i has a terminal ID (ID _i ), a user ID (UID _i ), authentication information AUTHi ′, encrypted data E _Kd (M _G ), encryption key share S _{Kd, i,} and data label L _d is transmitted to the storage server 2 to request data storage.

The encrypted data E _Kd (M _G ) may be transmitted at a timing different from the transmission timing of the encryption key share S _{Kd, i} , such as when the terminal is idle or when large capacity communication is available. Good.

Step W1-6: The storage server 2 verifies the user ID (UID _i ) and authentication information AUTHi ′ received from the terminal 1-i based on the user ID and authentication information received from the key management server 3. When the storage server 2 can confirm that the user of the terminal 1-i is an authorized user, the storage server 2 receives the terminal ID (ID _i ), the encrypted data E _Kd (M _G ), the encryption received from the terminal 1-i. The key share S _{Kd, i} and the data label L _d are recorded in association with each other. Furthermore, a data identifier (data ID) “DID _d ” is assigned to the recording data, and the recording data is associated with the data ID (DID _d ). Further, the time T _{S, d} at the time of recording is added to the recording data as the last update time of the recording data.
Note that the data label is a name representing the content and form of data, for example, a file name.

Step W1-7: The storage server 2 transmits a response (ACK) message including the data ID (DID _d ) and the last update time T _{S, d} to the terminal 1-i to notify that the data storage is completed. .
Step W1-8; terminal 1-i deletes receives the ACK message from the storage server 2, encryption key K _d and the encryption key shares S _Kd, the _i. Further, a new entry of the shared data is created in the local data list, and the data ID (DID _d ), the last update time T _{S, d} , the encrypted data E _Kd (M _G ), and the data label L _d are combined. Store. However, the last update time T _{S, d} notified from the storage server 2 is stored as the last reference time (T _{i, d} = T _{S, d} ). FIG. 4 shows the configuration of the terminal storage unit.

The encrypted data E _Kd (M _G ) may be erased without being held in the terminal 1-i. With regard to erasure of the encrypted data E _Kd (M _G ), it may be set to be erased or not by a setting file or the like.

  FIG. 5 shows the configuration of the storage unit of the storage server 2. A data record shared by the group is stored in association with the identifier (GID) of the group sharing the data. Each data record is given a data ID (DID). FIG. 6 shows the structure of the data record. The data record includes a data label, last update time, encrypted data, terminal ID, and encryption key share. The terminal ID and encryption key share are data for each terminal.

FIG. 7 shows a key distribution diagram according to this embodiment. 7, the key management server 3 stores the common share key CK _G. Key CK _G for the common share is distributed to the terminal 1-1~N of members belonging to the data sharing group via the external device 5 and the like. The terminal 1-i (i = 1 to N) has its own master share MS _i . The storage server 2 stores the common share CS _i of the terminal 1-i. Further, the storage server 2 records the encryption key share S _{Kd, i} of the terminal 1-i in association with the encrypted data to be shared.

[Data reference stage]
Next, the data reference stage process will be described with reference to FIG.
FIG. 8 is a sequence chart showing the procedure of the data reference stage of the data sharing process according to the present embodiment. In FIG. 8, the user performs an operation for referring to the encrypted data E _Kd (M _G ) stored in the storage server 2 for the first time using the terminal 1-j.

  Step R1-0: The storage server 2 transmits a data list to each terminal 1. FIG. 9 shows the structure of the data list. In the data list, information (data label, data ID, and last update time) of all data records shared by the group to which the destination terminal 1 belongs is described.

  Note that the data list transmission timing may be when the data list is updated, or when the data list is requested.

Step R1-1: The user operates the terminal 1-j to designate a data ID (DID _d ) of a desired data label in the data list and make a data reference request. The terminal 1-j prompts the user to input authentication information in response to a data reference request from the user. The user inputs a user ID (UID _j ) and authentication information AUTH _j ′ as information for user authentication.
Step R1-2: The terminal 1-j receives the data ID (DID _d ), the terminal ID (ID _j ), the user ID (UID _j ), and the authentication information AUTHj ′ related to the encrypted data E _Kd (M _G ) to be referenced. It is included in the data request message and transmitted to the storage server 2.

Step R1-3: The storage server 2 verifies the user ID (UID _j ) and authentication information AUTHj ′ received from the terminal 1-j based on the user ID and authentication information received from the key management server 3.
Step R1-4: The storage server 2 refers to the data record corresponding to the data ID (DID _d ) received from the terminal 1-j when it can be confirmed that the user of the terminal 1-j is a valid user. Then, it is checked whether there is an encryption key share S _{Kd, j of} the terminal 1-j. Here, since it is the first reference, the encryption key share S _{Kd, j} of the terminal 1-j is not included in the data record.

Step R1-5: When the storage server 2 confirms that the encryption key share S _{Kd, j} of the terminal 1-j is not included in the data record, the encryption key share of any terminal 1-i in the data record S _{Kd, i} , the common share CS _i of the terminal 1- _i and the common share CS _j of the terminal 1- _j are acquired. Then, the encryption key share S _{Kd, j} of the terminal 1- _j is generated using the acquired encryption key share S _{Kd, i} and the common shares CS _i and CS _j . The encryption key share S _{Kd, j} is calculated by the following equation.
S _{Kd, j} = (X _{Kd, j} , Y _{Kd, j} )
X _{Kd, j} = X _{CS, j}
Y _{Kd, j} = Y _{CS, j} + (L _i / L _j ) × (Y _{Kd, i} −Y _{CS, i} ) mod (2 ^b −1)
However, Lr = X _{MS, r} / (X _{MS, r} −X _{CS, r} ) mod (2 ^b −1). The common share CS _i = (X _{CS, i} , Y _{CS, i} ).

Step R1-6: The storage server 2 transmits the encrypted data E _Kd (M _G ), the last update time T _{S, d} and the encryption key share S _{Kd, j} in the data record to the terminal 1-j. Further, the storage server 2 adds the terminal ID (ID _j ) and encryption key share S _{Kd, j} of the terminal 1-j to the data record and records them.

Step R1-7; terminal 1-j is the encryption key shares S _Kd received from the storage server _2, using _j and its master share MS _j, to recover the encryption key K _d. The encryption key _Kd is calculated by the following equation.
K _d = Y _{MS, j} × X _{Kd, j} / (X _{Kd, j} −X _{MS, j} ) + Y _{Kd, j} × X _{MS, j} / (X _{MS, j} −X _{Kd, j} ) mod (2 ^b − 1)
However, the master share MS _j = (X _{MS, j} , Y _{MS, j} ).
Step R1-8: The terminal 1-j decrypts the encrypted data E _Kd (M _G ) using the encryption key K _d to obtain shared data M _G.

Step R1-9; terminal 1-j after data referenced deletes the encryption key K _d, the encryption key shares S _Kd, the _j and shared data M _G. Terminal 1-j is the entry in the local data list related to the shared data M _G, last update time notified from the storage server 2 T _S, the last reference time by _{d (T j, d = T} S, d) as Update. Note that regarding the erasure of the encrypted data E _Kd (M _G ), it may be set to be erased or not by a setting file or the like.

Next, the second and subsequent data reference stages will be described with reference to FIG.
FIG. 10 is a sequence chart showing the procedure of the data reference stage after the second time of the data sharing processing according to the present embodiment. In FIG. 10, the user performs an operation for referring again to the encrypted data E _Kd (M _G ) stored in the storage server 2 using the terminal 1-i.

Step R2-0: The storage server 2 transmits a data list to each terminal 1.
Step R2-1: The user operates the terminal 1-i to make a data reference request by designating a desired data label (data ID (DID _d )) in the data list. The terminal 1-i prompts the user to input authentication information in response to a data reference request from the user. The user inputs a user ID (UID _j ) and authentication information AUTH _j ′ as information for user authentication.
Step R2-2: The terminal 1-i receives the data ID (DID _d ), terminal ID (ID _i ), user ID (UID _i ), and authentication information AUTHi ′ related to the encrypted data E _Kd (M _G ) to be referenced. It is included in the data request message and transmitted to the storage server 2.

Step R2-3: The storage server 2 verifies the user ID (UID _i ) and authentication information AUTHi ′ received from the terminal 1-i based on the user ID and authentication information received from the key management server 3.
Step R2-4: The storage server 2 refers to the data record corresponding to the data ID (DID _d ) received from the terminal 1-i when the user of the terminal 1-i can be confirmed as a valid user. Then, it is checked whether there is an encryption key share S _{Kd, i of} the terminal 1-i. Here, since it is the second and subsequent references, the encryption key share S _{Kd, i} of the terminal 1-i is included in the data record.

Step R2-5: When the storage server 2 confirms that the encryption key share S _Kd, i of the terminal 1-i is included in the data record, the storage server 2 uses the encryption key share S _{Kd, of the} terminal 1-i from the data record _{. i} , the encrypted data E _Kd (M _G ) and the last update time T _{S, d} are acquired. Then, the obtained encryption key share S _{Kd, i} , encrypted data E _Kd (M _G ), and last update time T _{S, d} are transmitted to the terminal 1-i.

Step R2-6; terminal 1-i is the encryption key shares S _Kd received from the storage server _2, using a _i and its master share MS _i, to recover the encryption key K _d. The encryption key _Kd is calculated by the following equation.
K _d = Y _{MS, i} × X _{Kd, i} / (X _{Kd, i} −X _{MS, i} ) + Y _{Kd, i} × X _{MS, i} / (X _{MS, i} −X _{Kd, i} ) mod (2 ^b − 1)
However, the master share MS _i = (X _{MS, i} , Y _{MS, i} ).
Step R2-7: The terminal 1-i decrypts the encrypted data E _Kd (M _G ) using the encryption key K _d to obtain shared data M _G.

Step R2-8; terminal 1-i after data referenced deletes the encryption key K _d, the encryption key shares S _{Kd, i} and shared data M _G. Terminal 1-i is an entry in the local data list related to the shared data M _G, last update time notified from the storage server 2 T _S, the last reference time by _{d (T i, d = T} S, d) as Update. Note that regarding the erasure of the encrypted data E _Kd (M _G ), it may be set to be erased or not by a setting file or the like.

[Data update stage]
Next, processing in the data update stage will be described with reference to FIG.
FIG. 11 is a sequence chart showing the procedure of the data update stage of the data sharing process according to the present embodiment. In FIG. 11, the user performs an operation for updating the encrypted data E _Kd (M _G ) stored in the storage server 2 using the terminal 1-j.

Step W2-1: The user operates the terminal 1-j to specify the data label to be updated (data ID (DID _d )) and generate the shared data M _G2 .
Step W2-2; terminal 1-j is the encryption key K _d2 generated at random, it encrypts the shared data M _G2 by a common key encryption method using an encryption key K _d2, encrypted data E _Kd2 (M _G2) Is generated. After encryption, the shared data _MG2 is deleted.

Step W2-3: The terminal 1-j generates an encryption key share S _{Kd2, j} using the master share MS _j . The encryption key share S _{Kd2, j} is calculated by the following equation.
S _{Kd2, j} = (X _{Kd2, j} , Y _{Kd2, j} )
X _{Kd2, j} = X _{CS, j}
Y _{Kd2, j} = g _d2 (X _{Kd2, j} )
However, g _d2 (x) is a polynomial that becomes “g _d2 (x) = {(Y _{MS, j} −K _d2 ) / X _{MS, j} } × x + K _d2 mod (2 ^b −1)”.

Step W2-4: The terminal 1-j prompts the user to input authentication information. The user inputs a user ID (UID _j ) and authentication information AUTH _j ′ as information for user authentication.
Step W2-5; the terminal 1-j updates the data ID (DID _d ), terminal ID (ID _j ), user ID (UID _j ), authentication information AUTHj ′, encrypted data E _Kd2 (M _G2 ), The encryption key share S _{Kd2, j} and the data label L _d2 are transmitted to the storage server 2 to request data update.

Step W2-6: The storage server 2 verifies the user ID (UID _j ) and authentication information AUTHj ′ received from the terminal 1-j based on the user ID and authentication information received from the key management server 3. When the storage server 2 can confirm that the user of the terminal 1-j is a valid user, the storage server 2 rewrites the data record of the data ID (DID _d ) to be updated. In this data record rewriting, the data label and the encrypted data are rewritten to the data label L _d2 and the encrypted data E _Kd2 (M _G2 ), respectively. Further, the encryption key share of the terminal ID (ID _j ) is rewritten to the encryption key share S _{Kd2, j} . Further, the last update time is rewritten to the current time T _{S, d2} .

Step W2-7: The storage server 2 transmits a response (ACK) message including the data ID (DID _d ) and the last update time T _{S, d2} to the terminal 1-j in order to notify that the data update is completed. .
Step W2-8; terminal 1-j receives the ACK message from the storage server 2 deletes the encryption key K _d2 and the encryption key shares S _{Kd2, j.} Further, the entry of the shared data in the local data list is rewritten with the last reference time (T _{i, d} = T _{S, d2} ), the encrypted data E _Kd2 (M _G2 ), and the data label L _d2 .

Step W2-9; storage server 2 relates another terminal 1-i other than the terminal 1-j, encryption key shares corresponding to the encryption key K _d for before updating the data records of the data ID of the update target (DID _d) If S _{Kd, i} exists, the encryption key share is updated to the encryption key share S _{Kd2, i} corresponding to the updated encryption key K _d2 . The encryption key share S _{Kd2, i} is calculated by the following equation.
S _{Kd2, i} = (X _{Kd2, i} , Y _{Kd2, i} )
X _{Kd2, i} = X _{CS, i}
Y _{Kd2, i} = Y _{CS, i} + (L _j / L _i ) × (Y _{Kd2, j} −Y _{CS, j} ) mod (2 ^b −1)
However, Lr = X _{MS, r} / (X _{MS, r} −X _{CS, r} ) mod (2 ^b −1).

  The update of the encryption key share of the terminal 1-i other than the terminal 1-j may be performed when the other terminal 1-i requests access to the data record. In this case, information indicating the update status (unupdated / updated) of the encryption key share is included in the data record.

[Environmental transition stage]
Next, processing in the environment transition stage will be described with reference to FIG.
FIG. 12 is a sequence chart showing the procedure of the environment transition stage of the data sharing process according to the present embodiment. The environment transition stage is for shifting the environment of the terminal to another terminal when the user loses the terminal or the like. In FIG. 12, the user shifts the environment of the terminal 1-i to another terminal 1-i ′. The terminal ID of the terminal 1-i ′ is ID _{i ′} .

Step RE1-1: The user operates the terminal 1-i ′ to notify the key management server 3 that the environment of the terminal 1-i is to be shifted to the terminal 1-i ′. This environment transition notification may be performed offline.
Step RE1-2; key management server 3 to the terminal 1-i ', for distributing a common share key CK _G for the group to which the terminal 1-i belongs. Distribution of this common share key CK _G may be distributed through a communication channel reserved for security, or may be distributed through the external device 5. Furthermore, the key management server 3 notifies the storage server 2 that the terminal 1-i has expired as a member terminal belonging to the group.

Step RE1-3: The storage server 2 erases all data (such as encryption key share) related to the terminal 1-i.
Step RE1-4: The terminal 1-i ′ generates a master share MS _{i ′} at random. The master share MS _{i ′} is calculated by the following formula.
MS _{i '} = (X _{MS, i'} , Y _{MS, i '} )
X _{MS, i '} = h (ID _i' )
Here, h is a hash function. Y _{MS, i ′} is randomly generated. Here, the absolute values of X _{MS, i ′} and Y _{MS, i ′} are less than or equal to the key length b of the common key cryptosystem.

Step RE1-5; terminal 1-i ', the key CK _G and the master share MS _i for the common _share' from generates a common share CS _{i '.} The common share CS _{i ′} is calculated by the following formula.
CS _{i '} = (X _{CS, i'} , Y _{CS, i '} )
X _{CS, i '} = h (ID _i' || r ₁ )
Y _{CS, i '} = f _i' (X _{CS, i '} )
However, “ID _{i ′} || r ₁ ” is concatenated data of ID _{i ′} and r ₁ . r ₁ is a random number. f _{i ′} (x) is a polynomial that becomes “f _{i ′} (x) = {(Y _{MS, i ′} −CK _G ) / X _{MS, i ′} } × x + CK _G mod (2 ^b −1)”.

Step RE1-6: The terminal 1-i ′ prompts the user to input authentication information. The user inputs a user ID (UID _i ) and authentication information AUTH _i ′ as information for user authentication.
Step RE1-7: The terminal 1-i ′ transmits the terminal ID (ID _{i ′} ), the user ID (UID _i ), the authentication information AUTHi ′, and the common share CS _{i ′} to the storage server 2.

Step RE1-8: The storage server 2 verifies the user ID (UID _i ) and authentication information AUTHi ′ received from the terminal 1-i ′ based on the user ID and authentication information received from the key management server 3. When the storage server 2 can confirm that the user of the terminal 1-i ′ is a valid user, the storage server 2 associates the terminal ID (ID _{i ′} ) and the common share CS _{i ′} received from the terminal 1-i ′. Record.

Step RE1-9; terminal 1-i 'is the common share key CK _G and the common share CS _i' to erase. Incidentally, if the common share key CK _G is distributed via the external device 5, also erases the common share key CK _G in the external device 5.
The terminal 1-i ′ holds a terminal ID (ID _{i ′} ) and a master share MS _{i ′} .

  The above is the description of the operation of the data sharing system according to the present embodiment.

According to the embodiment described above, the following effects can be obtained.
(1) Since the encryption key used for encryption of shared data cannot be restored without the encryption key share stored in the storage server, the terminal was handed over to someone other than the group member due to theft or loss. However, the effect of preventing the leakage of shared data can be obtained. In addition, even if the terminals of a plurality of members belonging to the same group reach the hands of persons other than the group members, the encryption key cannot be restored in the same manner, which can contribute to ensuring the safety of the shared data. . In addition, even if the common share and encryption key share stored in the storage server are leaked, the encryption key cannot be restored without the terminal-specific master share held in the terminal, which contributes to ensuring the safety of the shared data. be able to.

(2) Since it can be realized only by the (2, 2) threshold secret sharing method and the common key encryption method without using the public key encryption method, the processing load of the entire data sharing system can be reduced. In addition, the intra-group data sharing function can be easily realized.

  Note that the (k, n) threshold secret sharing method is a kind of secret sharing method, which divides secret information into n pieces of divided information (shares) and stores each of them in k pieces or more. If the division information can be obtained, the original secret information can be restored. The secret sharing method is a method for securely storing original secret information by distributing and storing secret information by several people.

In addition, the program for realizing each step shown in FIGS. 2, 3, 8, 10 to 12 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed. By doing so, data sharing processing may be performed. Here, the “computer system” may include an OS and hardware such as peripheral devices.
“Computer-readable recording medium” refers to a flexible disk, a magneto-optical disk, a ROM, a writable nonvolatile memory such as a flash memory, a portable medium such as a DVD (Digital Versatile Disk), and a built-in computer system. A storage device such as a hard disk.

Further, the “computer-readable recording medium” means a volatile memory (for example, DRAM (Dynamic DRAM) in a computer system that becomes a server or a client when a program is transmitted through a network such as the Internet or a communication line such as a telephone line. Random Access Memory)), etc., which hold programs for a certain period of time.
The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  As mentioned above, although embodiment of this invention was explained in full detail with reference to drawings, the specific structure is not restricted to this embodiment, The design change etc. of the range which does not deviate from the summary of this invention are included.

1 is a block diagram showing an overall configuration of a data sharing system according to an embodiment of the present invention. It is a sequence chart which shows the procedure of the member terminal registration step of the data sharing process which concerns on the embodiment. It is a sequence chart which shows the procedure of the data preservation | save stage of the data sharing process which concerns on the embodiment. It is a structural example of the memory | storage part of the terminal 1 shown in FIG. It is a structural example of the memory | storage part of the storage server 2 shown in FIG. 6 is a configuration example of a data record shown in FIG. It is a key distribution chart concerning one embodiment of the present invention. It is a sequence chart which shows the procedure of the data reference step of the data sharing process which concerns on the embodiment. It is a structural example of the data list which concerns on the same embodiment. It is a sequence chart which shows the procedure of the data reference step after the 2nd time of the data sharing process which concerns on the embodiment. It is a sequence chart which shows the procedure of the data update step of the data sharing process which concerns on the embodiment. It is a sequence chart which shows the procedure of the environment transfer stage of the data sharing process which concerns on the embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Group member terminal (terminal device), 2 ... Storage server (data management device), 3 ... Key management server, 4 ... Communication network, 5 ... External device

Claims (10)

The terminal device in a data sharing system having a terminal device of a member belonging to a group sharing data between members and a data management device connected to the terminal device via a communication line,
A terminal registration unit that generates a common share from a common share key that is common within the group and a master share that is unique to the terminal, sends the common share and the terminal identifier of the terminal to the data management device, and requests registration.
The shared data is encrypted by a common key cryptosystem using an encryption key, an encryption key share is generated from the encryption key and the master share, and the encrypted data, the encryption key share, and its own terminal identifier are stored in the data management device. Data storage means for sending and requesting storage;
Obtaining encrypted data and a self-use encryption key share from the data management device, restoring the encryption key using the encryption key share and the master share, and obtaining the encryption from the data management device using the encryption key Data reference means for decoding the encrypted data;
A terminal device comprising: The data management device in a data sharing system comprising: a terminal device of a member belonging to a group that shares data between members; and a data management device connected to the terminal device via a communication line;
A terminal registration means for recording the common share and the terminal identifier requested to be registered from the terminal device in association with each other;
Data storage means for recording the encryption data, encryption key share, and terminal identifier requested to be stored from the terminal device in association with the encrypted data and a pair of the terminal identifier and the encrypted data;
Data reference means for sending the encrypted data stored in the data storage means requested to be referred to from the terminal device and the encryption key share for the requesting terminal device to the requesting terminal device ;
If the encryption key share for the terminal device that is the data reference request is not recorded in association with the reference target encrypted data, the data reference means is an arbitrary terminal recorded in association with the reference target encrypted data Generating an encryption key share for the terminal device of the data reference request source from the encryption key share for the device, the common share of the terminal device, and the common share of the terminal device of the data reference request source, and the terminal of the data reference request source Record the device's encryption key share in association with the reference encryption data.
A data management apparatus characterized by that.   Encrypt shared data to be updated by a common key cryptosystem using an encryption key, generate an encryption key share from the encryption key and the master share, and store the encrypted data, the encryption key share, and the terminal identifier of the self The terminal device according to claim 1, further comprising a data update unit that sends a data update request to the data management device.   3. The data management apparatus according to claim 2, further comprising a data updating unit that rewrites the storage data to be updated with the encrypted data to be updated, the encryption key share, and the terminal identifier received from the terminal device. Wherein the data updating means, the un-updated encryption key shares are recorded in association with the updated encrypted data, updating the encryption key shares corresponding to the encryption key updated to claim 4, wherein The data management device described. The data management apparatus according to claim 5 , wherein the data update unit collectively updates the encryption key share. 6. The data management apparatus according to claim 5 , wherein the data update unit updates the encryption key share at the time of data reference for each terminal apparatus. The data according to any one of claims 2, 4 , 5, 6, and 7, further comprising environment transition means for erasing all data relating to terminal devices that have expired as terminal devices of members belonging to the group. Management device. A computer for performing data sharing processing in a terminal device of a data sharing system having a terminal device of a member belonging to a group sharing data between members and a data management device connected to the terminal device via a communication line A program,
A terminal registration function for generating a common share from a common share key common within the group and a master share unique to the terminal, sending the common share and the terminal identifier of the terminal to the data management device, and requesting registration,
The shared data is encrypted by a common key cryptosystem using an encryption key, an encryption key share is generated from the encryption key and the master share, and the encrypted data, the encryption key share, and its own terminal identifier are stored in the data management device. A data storage function to send and request storage,
Obtaining encrypted data and a self-use encryption key share from the data management device, restoring the encryption key using the encryption key share and the master share, and obtaining the encryption from the data management device using the encryption key A data reference function for decrypting encrypted data;
A computer program for causing a computer to realize the above. Data sharing processing in the data management device of a data sharing system having a terminal device of a member belonging to a group sharing data between members and a data management device connected to the terminal device via a communication line A computer program,
A terminal registration function that records the common share and the terminal identifier requested to be registered from the terminal device;
A data storage function for recording the encryption data, the encryption key share, and the terminal identifier that are requested to be stored from the terminal device, by associating the encryption data with a set of the encryption key share and the terminal identifier
A data reference function for sending to the computer the encrypted data stored in the data storage function requested by the terminal device and the encryption key share for the requesting terminal device to the requesting terminal device. A computer program for realizing,
If the encryption key share for the terminal device that is the data reference request source is not recorded in association with the reference target encrypted data, the data reference function is any terminal that is recorded in association with the reference target encrypted data. Generating an encryption key share for the terminal device of the data reference request source from the encryption key share for the device, the common share of the terminal device, and the common share of the terminal device of the data reference request source, and the terminal of the data reference request source Record the device's encryption key share in association with the reference encryption data.
A computer program characterized by the above.

Images