JP5102798B2 - File sharing system, shared file server device, file sharing method, shared file server device access control method, and programs thereof - Google Patents

Description

  The present invention relates to a file sharing system, a shared file server apparatus, a file sharing method, and an access to a shared file server apparatus that control access to files when sharing files between users via a network such as the Internet or a local area network. The present invention relates to a control method and these programs.

  If you want to share electronic data files among multiple users on the network, you can use a method in which a shared file server device is placed on the network and each user accesses it to upload and download files. Many. In this case, since various threats lurk on the network, access control is generally performed on the shared file server device.

  Such access control is generally realized by a privileged user (server administrator, etc.) of the shared file server device setting access control rules (such as specifying users and user terminals that are allowed to access) on the server. ing.

  In addition, in order to improve security, not only simply controlling access to the file, but also encrypting the file so that it cannot be easily viewed or executed, and only the user with the decryption key can view and execute it. In many cases, measures are taken. For file encryption and sharing of keys between users, for example, the common key encryption technology (Camellia) disclosed in Non-Patent Document 1 and the common key disclosed in Non-Patent Document 2 can be delivered securely. In combination with public key encryption technology (PSEC-KEM), it is possible to increase the security of file sharing.

Nippon Telegraph and Telephone Corporation, “Camellia”, [online], [Search on March 9, 2009], Internet <URL: http://info.isl.ntt.co.jp/crypt/camellia/intro.html > Nippon Telegraph and Telephone Corporation, “PSEC-KEM”, [online], [Search on March 9, 2009], Internet <URL: http://info.isl.ntt.co.jp/crypt/psec/intro .html>

  As described above, only the privileged user of the shared file server device can set rules for controlling access to the files stored in the shared file server device. For this reason, the user needs to follow a regular access control rule determined by a privileged user, and each user cannot set a free rule, which is not convenient.

  In addition, when encrypting a file stored in the shared file server device, the user usually has to prepare an encryption / decryption mechanism independent of the shared file server device, and the encryption / decryption The user also needs to perform the operation himself / herself, and also requires key management.

  It is an object of the present invention to allow users to flexibly set access control rules for shared files, and to provide a mechanism for encryption / decryption and special operations for encryption / decryption. A file sharing system, a shared file server device, a file sharing method, a shared file server access control method, and a program thereof that can encrypt / decrypt a shared file without performing management or key management There is.

  A file sharing system according to the present invention is a file sharing system in which a plurality of users share a file via a network, and includes a shared file server device including a shared folder, an encryption processing unit, and a decryption processing unit, and an encryption key And a key management server device that generates a decryption key and supplies it to the shared file server device, and an information management server device that stores the attribute information of the plurality of users prepared in advance.

A shared folder is a folder created by a certain user using an arbitrary access condition as a folder name. When a file is uploaded here, the access condition is set for the file.
The encryption processing unit converts the file into encrypted data using an encryption key corresponding to the access condition.

  When the attribute information of the user who tries to access the file converted into encrypted data satisfies the access condition, the decryption processing unit uses a decryption key corresponding to the access condition and paired with the encryption key, Decrypt the encrypted data into the file.

  According to the file sharing system, the shared file server device, the file sharing method, the shared file server access control method, and the programs of the present invention, the name of the folder created by the user for the access control rule for the shared file Can be set flexibly and can be shared by simple file operations without the need for the user to prepare an encryption / decryption mechanism, special operations for encryption / decryption, and key management. File encryption / decryption is possible.

1 is a principle configuration diagram of a file sharing system 100. FIG. FIG. 2 is an arrangement image diagram of each device of the file sharing system 100 on a network. An example of expressing access conditions. Examples of operators and reserved words used to express access conditions. The structural example of the user attribute information table 130b. 6 is a configuration example of a group attribute information table 130c. The block diagram which shows an example of an encryption process. The block diagram which shows an example of a decoding process. An example of a processing flow when the file sharing system 100 uploads a shared file. 4 is a processing flow example when accessing a shared file in the file sharing system 100. 2 shows a configuration example of a shared file server apparatus 110. 6 is a configuration example of authentication information 110a for key management server device. 6 is a configuration example of authentication information 110b for information management server device. 3 shows a configuration example of file attribute information 110c. The structural example of the shared file server program 110d. The example of a processing flow of the shared file server program 110d. The example of a processing flow of file upload routine 110d1. The example of a processing flow of file download routine 110d2. The example of a processing flow of file movement routine 110d3. The example of a processing flow of file replication routine 110d4. The example of a processing flow of file deletion routine 110d5. The example of a processing flow of property acquisition routine 110d6. 2 shows a configuration example of a key management server apparatus 120. The structural example of the key table 120a. The structural example of the key management server program 120b. The example of a processing flow of the key management server program 120b. The example of a processing flow of encryption key issue routine 120b1. The example of a processing flow of the decryption key issue routine 120b2. 2 shows a configuration example of an information management server device 130. 4 is a configuration example of an authentication information table 130a. The structural example of the information management server program 130d. The example of a processing flow of the information management server program 130d. The example of a processing flow of user authentication routine 130d1. The example of a processing flow of attribute information acquisition routine 130d2. Processing sequence example when uploading a file. Processing sequence example when downloading a file. Processing sequence example when moving a file. Processing sequence example when copying files. Processing sequence example when deleting a file. Processing sequence example when acquiring properties. Request and response message example when uploading files. An example of a WebDAV method and specific processing contents corresponding thereto. Request and response message example when downloading a file. Request and response message example when moving a file. Request and response message example when copying a file. Request and response message example when deleting a file. Request message example when acquiring properties. Response message example when acquiring properties (1/2). Response message example when acquiring properties (2/2).

First, after explaining the basic configuration, concrete examples (configuration example of each device, example of attribute information / authentication information held by each device, example of processing flow in each device, and between each device) Will be described.
<Principle configuration>
FIG. 1 shows a principle configuration diagram of the file sharing system 100 of the present invention, and FIG. 2 shows an arrangement image of each device of the file sharing system 100 on a network.

  The file sharing system 100 is a file sharing system in which a plurality of users having the client terminal device 10 as an input / output interface share a file via the network 20, and the shared file server device 110, the key management server device 120, and information management The server apparatus 130 is comprised. In FIG. 2, the shared file server device 110 is sandwiched between the network 20 on the client terminal device 10 side and the network 30 on the information management server device 120 and key management server device 130 side. The network may be integrated. In FIG. 2, a plurality of shared file server apparatuses 110 are shown, but at least one shared file server apparatus 110 is required, and the same thing can be added according to the storage capacity and processing capacity. . Since the operation principle of the present invention is the same in a single case or a plurality of cases, the case where there is one will be described below.

  The shared file server device 110 includes a shared folder 111, an encryption processing unit 112, and a decryption processing unit 113.

  The shared folder 111 is a folder that accommodates shared files and is created by the user. The creation authority may be granted to all users or only some users. In the present invention, the access condition is expressed in the folder name x, and the upload user 1 uploads the file 3 to be shared in the shared folder 111, so that the access condition x is set as the attribute of the file 3. Configure. With this configuration, the user can flexibly and easily set rules for controlling access to the shared file.

As a method for expressing the access condition for the folder name x, for example, it can be expressed by a conditional expression as shown in FIG. 3, an operator and a reserved word as shown in FIG. FIG. 3 is expressed in BN notation (Backus-Naur Form), and “+” is an extended expression representing one or more repetitions. Specifically, for example, if the condition is “accessible only to people in their 30s”, the folder name x is
(AGE ge 30) and (AGE lt 40)
In addition, if the condition is “accessible only when the user identifier is alice”, the folder name x is
USER.eq.alice
Can be expressed as follows.

  Note that any number of shared folders 111 may be created. However, since the process is the same for any shared folder, the following description will be given focusing on a single shared folder.

  The encryption processing unit 112 extracts the file 3 in which the access condition x is set from the shared folder 111, encrypts it using the encryption key 4e corresponding to the access condition x, and writes back the encrypted data 3c to the shared folder 111. . At this time, it is desirable that the file name on the display of the encrypted data 3 c is the same as the original file name of the file 3 so that the user can know that the encrypted data 3 c corresponds to the file 3.

  When any user (downloading user 2 in the example of FIG. 1) tries to access the file 3 (encrypted data 3c) of the shared folder 111, the decryption processing unit 113 stores the attribute information a of the user. When the access condition x is satisfied, the encrypted data 3c is decrypted into the file 3 and output using the decryption key 4d paired with the encryption key 4e corresponding to the access condition x.

  The key management server device 120 generates the encryption key 4e corresponding to the access condition x set in the shared folder 111 and supplies the encryption key 4e to the encryption processing unit 112, and the access set in the shared folder 111 A decryption key generation unit 122 that generates a decryption key 4d that is paired with the encryption key 4e corresponding to the condition x and supplies the decryption key 4d to the decryption processing unit 113 is provided. The encryption key generation unit 121 and the decryption key generation unit 122 store the generated encryption key 4e and decryption key 4d, and store them again when a key generation request is made under the same access condition x. The encryption key 4e and the decryption key 4d may be output. This makes it possible to perform processing more efficiently than generating a key each time.

  In the decryption processing unit 113, decryption processing is performed when the attribute information a of the user who tried to access the file 3 satisfies the access condition x. Whether or not the user attribute information a satisfies the access condition x is determined. The determination may be performed on the shared file server apparatus 110 side or the key management server apparatus 120 side. When determining on the shared file server apparatus 110 side, for example, after obtaining the decryption key 4d from the key management server apparatus 120, the determination unit 114 (not shown) further provided in the shared file server apparatus 110 uses it. It is determined whether or not the attribute information a of the user satisfies the access condition x. If the attribute information a satisfies the access condition x, the decryption processing unit 113 performs the decryption process using the obtained decryption key 4d. It can be considered that the process is shifted to processing. On the other hand, when the determination is made on the key management server device 120 side, for example, as shown in FIG. 1, a determination unit 123 is further provided in the key management server device 120 to check whether the user attribute information a satisfies the access condition x. If it is satisfied, the decryption key 4d is output, and if it is not satisfied, the decryption key 4d is not output (= cannot be decrypted by the decryption processing unit 113) and the process proceeds to error processing. Conceivable.

  As a procedure for determining whether or not the attribute information a of the user who intends to access the file 3 satisfies the access condition x, for example, the following can be considered. First, when the user 2 such as download tries to access the file 3, the identifier i is input as authentication information of the user 2 such as download. Subsequently, the shared file server apparatus 110 or the key management server apparatus 120 refers to the information management server apparatus 130 in which a table in which the identifier i of each user is associated with the attribute information a is stored in advance, and uses the identifier i. The attribute information a of the user 2 such as download is extracted as a key. Then, by comparing the extracted attribute information a of the user 2 such as download and the access condition x in the determination unit, it is determined whether or not the user 2 such as download is a user satisfying the access condition x.

  As shown in FIG. 5, for example, the user attribute information a may be configured as a combination of an attribute name and an attribute value representing the content (user attribute information table 130b). Here, the type (number) of attributes may be arbitrarily set as long as it is unique to all users, and a table (group information table 130c) in which identifiers of users are grouped as shown in FIG. 6 is prepared. For example, since the belonging group can be specified from the identifier of the user, the access condition can be set based on the identifier of the belonging group.

  The encryption key 4e and the decryption key 4d generated by the key management server device 120 are generated in accordance with the employed encryption method. In the present invention, the encryption method is not particularly limited, and any existing method may be used according to the required security. For example, FIG. 7 shows an example of encryption processing contents when using a hybrid scheme of asymmetric key encryption (RSA encryption, elliptic curve encryption, etc.) and common key encryption (AES, DES, Camellia, etc.). Are shown in FIG. In encryption, first, the file 3 taken out from the shared folder 111 is converted into encrypted data 3cd by a common key encryption algorithm using the common key 4s generated from the random number in the encryption processing unit 112. Subsequently, using the encryption key 4e corresponding to the access condition x obtained from the encryption key generation unit 121, the common key 4s is converted into encrypted common key data 4sd by an encryption algorithm of asymmetric key encryption. For the access condition x, the encrypted common key data 4sd, and the encrypted data 3cd, for example, XML (eXtensible Markup Language), ASN. After an appropriate structure definition is performed using 1 (Abstract Syntax Notation One) or the like, the encrypted data 3c is generated by filing them together. On the other hand, at the time of decryption, the decryption processing unit 113 first separates the encrypted data 3c into each element, and uses the decryption key 4d corresponding to the access condition x obtained from the decryption key generation unit 122 to use the decryption algorithm of the asymmetric key encryption Thus, the common key 4s is restored from the encrypted common key data 4sd. Then, using the restored common key 4s, the file 3 is restored from the encrypted data 3cd by a common key encryption algorithm.

The processing flow under the principle configuration of the file sharing system 100 shown in FIG. 1 described above will be briefly described again with reference to FIGS. 9 and 10.
・ When uploading shared files (see Figure 9)
When a file 3 to be shared is uploaded by the upload user 1 to the shared folder 111 created by a certain user using the arbitrary access condition x as the folder name x, the shared folder 111 sets the access condition x to the file 3 (S1). Subsequently, the encryption key generation unit 121 generates an encryption key 4e corresponding to the access condition x (S2). Then, the file 3 extracted from the shared file 111 by the encryption processing unit 112 is converted into the encrypted data 3c using the encryption key 4e, and written back to the shared folder 111 (S3).

・ When accessing shared files such as downloads (see Figure 10)
When the user 2 such as download tries to access the file 3, the determination unit 123 uses the identifier i of the user 2 such as download input by the user 2 as a key as a key to download the user 2 from the information management server device 130. The attribute information a is obtained, and it is determined whether or not this satisfies the access condition x to the file 3 (S11). If the attribute information a of the user 2 such as download satisfies the access condition x as a result of this determination, the decryption key generation unit 122 generates a decryption key 4d that is paired with the encryption key 4e corresponding to the access condition x. And output (S12). On the other hand, if the access condition x is not satisfied, the process proceeds to error processing. If the access condition x is satisfied, the decryption processing unit 113 decrypts the encrypted data 3c into the file 3 using the decryption key 4d and outputs it (S13).

  As described above, according to the configuration of the present invention, it is possible to flexibly set the access control rules for shared electronic data as the names of folders created by the user, and the user provides a mechanism for encryption / decryption. It is possible to realize a file sharing system capable of encrypting / decrypting a shared file by a simple file operation without performing a special operation for encryption / decryption or key management.

  The configuration of the present invention can be realized in accordance with the WebDAV (Web-based Distributed Authoring and Versioning / RFC4918) standard. By realizing in accordance with the WebDAV standard, all file management can be completed with HTTP alone without using another service protocol such as FTP or scp. Therefore, only the port number 80 needs to be opened, and the security risk can be minimized. In addition, since HTTP does not depend on the environment, it can be used on various OSs and computer languages, and it is easy to divert already developed HTTP applications. Furthermore, since it is implemented only by extension of HTTP, it can be used even in an environment where an existing file transfer service cannot be used by a firewall, or in an environment via an HTTP proxy.

<Specific Examples>
Specific examples based on the above principle configuration, that is, specific configuration examples of each device, attribute information / authentication information example held in each device, processing flow example in each device, and user / each An example of a processing sequence of the apparatus will be described. The main difference between this specific embodiment and the above-described principle configuration is that the processing request destination authenticates the processing request source and then performs the subsequent processing in order to increase the safety of file sharing.

  Hereinafter, each device will be described first, and then a sequence between the devices will be described.

[Configuration example of each device, example of information to be held, and example of processing flow in the device]
FIG. 11 shows a configuration example of the shared file server apparatus 110. The shared file server device 110 includes a CPU 51, a memory 52, a disk 53, a disk controller 54, and a LAN controller 55. The disk 53 stores an operating system 56, key management server device authentication information 110a, information management server device authentication information 110b, file attribute information 110c, and a shared file server program 110d. Read to the memory 52. With the above configuration, the functions of the shared folder 111, the encryption processing unit 112, and the decryption processing unit 113 in the above-described principle configuration are specifically realized.

  The CPU 51 is a central processing unit, the memory 52 is a processing storage area, the disk 53 is a storage medium, the disk controller 54 is a control means for inputting / outputting information stored in the disk 53, and the LAN controller 55 is connected to the networks 20 and 30. The output interface and operating system 56 are basic software of the computer, and these are generally used in computers.

  FIG. 12 shows a configuration example of the authentication information 110a for the key management server device. The key management server device information 110a is data used when the key management server device 120 authenticates the shared file server device 110. The key management server device information 110a is an authentication attribute (attribute name and attribute value indicating the content) of the shared file server device 110. Set). The number of types of authentication attributes is arbitrary, but an identifier, an address, and a password are necessarily included. If an appropriate PKI (Public Key Infrastructure) is assumed, a certificate may be included.

  FIG. 13 shows a configuration example of the authentication information 110b for the information management server device. The information management server device information 110b is data used when the information management server device 130 authenticates the shared file server device 110, and the authentication attribute of the shared file server device 110 (attribute name and attribute value indicating its contents). Set). The number of types of authentication attributes is arbitrary, but an identifier, an address, and a password are necessarily included. If an appropriate PKI (Public Key Infrastructure) is assumed, a certificate may be included. The key management server device authentication information 110a and the information management server device authentication information 110b have the same essential authentication attributes, and FIGS. 12 and 13 show the same contents because only the essential authentication attributes are described. However, other attributes may be different from each other.

  FIG. 14 shows a configuration example of the file attribute information 110c. The file attribute information is a set of attributes of the file 3 (encrypted data 3c) uploaded to the shared folder 111. The number of attribute types is arbitrary, but the attribute name is uniquely given for each file.

  FIG. 15 shows a configuration example of the shared file server program 110d. The shared file server program 110d includes a file upload routine 110d1, a file download routine 110d2, a file movement routine 110d3, a file duplication routine 110d4, a file deletion routine 110d5, and a property acquisition routine 110d6.

  When there is an access to the file 3 (encrypted data 3c) from the user 2 such as download, the shared file server program 110d executes the processing shown in FIG. First, authentication information (for example, an identifier i, a password, an IP address of the client terminal device 10 or the like input by the user 2 such as download) that the download user 2 is a user who can use the file sharing system 100 is used. After authenticating based on the above, the process proceeds to each processing routine according to the access request contents (file upload / file download / file move / file duplication / file deletion / property acquisition). Here, property acquisition is used when acquiring a list of attributes of files and folders under the folder.

  FIG. 17 shows a processing flow example of the file upload routine 110d1, FIG. 18 shows a processing flow example of the file download routine 110d2, FIG. 19 shows a processing flow example of the file movement routine 110d3, and FIG. 20 shows a processing flow example of the file replication routine 110d4. FIG. 21 shows a processing flow example of the file deletion routine 110d5, and FIG. 22 shows a processing flow example of the property acquisition routine 110d6. In the file upload routine 110d1, it is first determined whether or not the folder name of the folder corresponding to the path designated as the upload destination is the access condition x. If the access condition is x, the encryption key 4e corresponding to the access condition x is acquired and the uploaded file 3 is encrypted. If the access condition is not x, the file 3 is stored without being encrypted. In the file download routine 110d2, it is first determined whether or not the file corresponding to the path designated by the user 2 such as download is encrypted. If it is encrypted, the access condition x is acquired from the attribute information of the file (encrypted data 3c) and sent to the key management server apparatus 120 together with the identifier i of the user 2 such as the download. If the decryption key 4d corresponding to the access condition x can be acquired, the file 3 is decrypted and output using the decryption key 4d. If the decryption key 4d cannot be acquired, the process proceeds to error processing. In the file move routine 110d3 and the file copy routine 110d4, first, when the file corresponding to the move source path designated by the user 2 such as download is encrypted, the attribute information of the file (encrypted data 3c) is used. The access condition x is acquired and sent to the key management server apparatus 120 together with the identifier i of the user 2 such as the download. If the decryption key 4d corresponding to the access condition x can be acquired, the file 3 is decrypted as a temporary file while leaving the encrypted data 3c, and if it cannot be acquired, the process proceeds to error processing. If the folder name of the folder corresponding to the migration destination (or replication destination) path designated by the user 2 such as download is the access condition x ′, the encryption key 4e ′ corresponding to this is acquired and used as a temporary file. The decrypted file 3 is encrypted again (encrypted data 3c ′) and stored in the folder corresponding to the movement destination (or replication destination) path. Finally, in the file movement routine 110d3, both the source encrypted data 3c and the file 3 decrypted as a temporary file are deleted, and in the file replication routine 110d4, the file 3 decrypted as a temporary file in the replication source is deleted. In the file deletion routine 110d5, when the owner of the file corresponding to the deletion target path designated by the user 2 such as download is the user, the file is deleted. In the property acquisition routine 110d6, it is evaluated whether the attribute information a of the user 2 such as download satisfies the access condition x of each shared folder 111 and each file 3 (encrypted data 3c), and then the file that satisfies the access condition x Output file attribute information only for folders.

  FIG. 23 shows a configuration example of the key management server apparatus 120. The key management server device 120 includes a CPU 51, a memory 52, a disk 53, a disk controller 54, and a LAN controller 55. The disk 53 also stores an operating system 56, a key table 120a, and a key management server program 120b, which are read out to the memory 52 when processing is executed. With the above configuration, the functions of the encryption key generation unit 121, the decryption key generation unit 122, and the determination unit 123 in the above-described principle configuration are specifically realized.

  The CPU 51, the memory 52, the disk 53, the disk controller 54, the LAN controller 55, and the operating system 56 are generally used in a computer, as is the same name part of the shared file server apparatus 110.

  FIG. 24 shows a configuration example of the key table 120a. The key table 120a is a database in which each access condition x such as a conditional expression, the corresponding encryption key / decryption key, and creation date / time are data items. The key table 120a is configured so that an encryption key and a decryption key can be uniquely searched using the access condition x as a search key.

  FIG. 25 shows a configuration example of the key management server program 120b. The key management server program 120b includes an encryption key issue routine 120b1 and a decryption key issue routine 120b2. When accessed from the shared file server device 110, the key management server program 120b executes the processing shown in FIG. First, after the shared file server apparatus 110 is authenticated based on the key management server apparatus authentication information 110a, the process proceeds to each processing routine according to the request content (encryption key issue request / decryption key issue request). FIG. 27 shows an example of the processing flow of the encryption key issuance routine 120b1, and FIG. 28 shows an example of the processing flow of the decryption key issuance routine 120b2. In the encryption key issuance routine 120b1, first, it is confirmed whether or not the encryption key 4e corresponding to the access condition x exists in the key table 120a. If it exists, it is obtained. In the decryption key routine 120b2, first, the attribute information of the user 2 such as download is acquired from the information management server device 130 based on the identifier i of the user 2 who wants to access the encrypted data 3c (file 3). It is evaluated whether the access condition x is satisfied. Then, if it is satisfied, it is confirmed whether or not the decryption key 4d corresponding to the access condition x exists in the key table 120a.

  FIG. 29 shows a configuration example of the information management server device 130. The information management server device 130 includes a CPU 51, a memory 52, a disk 53, a disk controller 54, and a LAN controller 55. The disk 53 stores an operating system 56, an authentication information table 130a, a user attribute information table 130b, a group information table 130c, and an information management server program 130d, which are read out to the memory 52 when processing is executed.

  The CPU 51, the memory 52, the disk 53, the disk controller 54, the LAN controller 55, and the operating system 56 are generally used in a computer, as is the same name part of the shared file server apparatus 110.

  FIG. 30 shows a configuration example of the authentication information table 130a. The authentication information table 130a is a table including authentication information for each user and each server, and the authentication information is a set of authentication attributes of the user and the server. The authentication attribute is composed of a pair of an attribute name representing the type and an attribute value representing the content, and the number of types of authentication attributes is arbitrary. However, it is assumed that the attribute name is uniquely given and the identifier of the user or server, their address and password are always included. If an appropriate PKI (Public Key Infrastructure) is assumed, a certificate may be included.

  The user attribute information table 130b is a set of user attribute information a, and is configured, for example, as a set of attribute names and attribute values representing the contents thereof as shown in FIG. The type (number) of attributes may be arbitrarily set as long as it is unique to all users. If a group information table 130c in which the identifiers of each user are grouped as shown in FIG. Therefore, it is possible to set the access condition based on the identifier of the belonging group.

  FIG. 31 shows a configuration example of the information management server program 130d. The information management server program 130d includes a user authentication routine 130d1 and an attribute information acquisition routine 130d2.

  When accessed from the shared file server device 110 or the key management server device 120, the information management server program 130d executes the processing shown in FIG. First, the shared file server apparatus 110 or the key management server apparatus 120 is authenticated based on the information management server apparatus authentication information 110b, and then each processing routine is performed according to the request content (user authentication request / attribute information acquisition request). Transition. A processing flow example of the user authentication routine 130d1 is shown in FIG. 33, and a processing flow example of the attribute information acquisition routine 130d2 is shown in FIG. In the user authentication routine 130d1, whether or not the user authentication information indicated in the request message from the shared file server apparatus 110 matches the authentication information in the authentication information table 130a is collated, and whether the user authentication has succeeded or failed is output. To do. In the attribute information acquisition routine 130d2, the attribute information a and the group information corresponding to the identifier i of the user 2 such as download indicated in the request message from the shared file server device 110 or the key management server device 120 are used as the user attribute information. The table 130b and the group information table 130c are searched and output.

[Example of processing sequence between devices]
FIG. 35 shows an example of a processing sequence between devices at the time of uploading a shared file, and FIG. 36 shows an example of a processing sequence between devices at the time of downloading an encrypted shared file. FIG. 37 shows an example of a processing sequence between devices when moving to another folder, and FIG. 38 shows an example of a processing sequence between devices when copying an encrypted shared file to another folder with access conditions. FIG. 39 shows an example of a processing sequence between devices when deleting an encrypted shared file, and FIG. 40 shows an example of a processing sequence between devices when acquiring the properties of the encrypted shared file. Hereinafter, each sequence will be briefly described. 35 to 40, the authentication process between the apparatuses (the process request destination apparatus authenticates the process request source apparatus based on the authentication information and then performs the following process) is wiretapped by a communication third party. In order to prevent this, it is conceivable to use an existing encryption communication technology such as SSL (Secure Socket Layer). However, since this is a known technology, a description thereof will be omitted.

  When uploading a file to be shared (FIG. 35), first, the upload user 1 sends from the client terminal device 10 a file upload request including user authentication information including the user identifier i, an upload destination path, and the file 3 to be uploaded. The electronic message is transmitted to the shared file server device 110. Subsequently, the shared file server apparatus 110 receives user authentication from the information management server apparatus 130. The client-server authentication method may be an existing method such as HTTP basic authentication, digest authentication, or certificate-based authentication, and the client-server packet encryption method is also an existing method such as SSL. It's okay. If the authentication is OK, the shared file server apparatus 110 transmits an encryption key issue request message including the access condition x of the folder corresponding to the designated upload destination path to the key management server apparatus 120, and corresponds to the access condition x. Upon receipt of the encryption key 4e, the file 3 is encrypted using this. Finally, a response message indicating the processing result is transmitted to the client terminal device 10.

  FIG. 41A shows an example of a request message when it is realized in accordance with the WebDAV standard, and FIG. 41B shows an example of a response message when successful. An example of the WebDAV method and specific processing content executed by the method is shown in FIG. The message example in FIG. 41 is for requesting file upload with a path name of /USER.eq.alice/abc.txt by the PUT method, and user authentication information is specified by the Authorization header. In this path name, the access condition x is specified by the folder name /USER.eq.alice/, so the uploaded file (abc.txt) can be accessed only when this access condition x (user identifier is alice) ) And can be decrypted only by users who satisfy the access conditions (user identifier is alice).

  At the time of downloading the encrypted file (FIG. 36), first, the user 2 such as download sends a user download information including the user identifier i and a file download request message including the download source path from the client terminal device 10. It transmits to the shared file server apparatus 110. Subsequently, the shared file server apparatus 110 receives the user authentication from the information management server apparatus 130, extracts the access condition x from the attribute information of the encrypted data 3c of the designated download source path, and obtains the user identifier i. And a decryption key issuance request message including the access condition x are transmitted to the key management server apparatus 120. Subsequently, the key management server apparatus 120 transmits a user attribute data acquisition request message including the user identifier i to the information management server apparatus 130 to acquire the attribute information a of the user 2 such as download, and the attribute information a If the access condition x is satisfied, the decryption key 4d is issued to the shared file server apparatus 110. Then, the shared file server device 110 decrypts the encrypted data 3c using the decryption key 4d, includes the decrypted file 3 in a response message, and transmits it to the client terminal device 10 (user 2 such as download).

  FIG. 43 (a) shows an example of a request message when it is realized in accordance with the WebDAV standard, and FIG. 43 (b) shows an example of a response message when successful. The electronic message example in FIG. 43 requests downloading of a file with a path name of /folder/abc.txt by the GET method, and user authentication information is specified by an Authorization header. When the user attribute information extracted based on the identifier i included in the user authentication information satisfies the access condition x, a response message including the file abc.txt is returned.

  When moving or copying an encrypted file to another folder with access conditions (FIG. 37 or FIG. 38), first, the user 2 such as download uses the user identifier i from the client terminal device 10 A file move (copy) request message including the user authentication information, the move (copy) source path, and the move (copy) destination path is transmitted to the shared file server apparatus 110. Subsequently, the shared file server apparatus 110 receives the user authentication from the information management server apparatus 130, extracts the access condition x from the attribute information of the encrypted data 3c of the designated movement (duplication) source path, and uses it. A decryption key issue request message including the user identifier i and the access condition x is transmitted to the key management server device 120. Subsequently, the key management server apparatus 120 transmits a user attribute data acquisition request message including the user identifier i to the information management server apparatus 130 to acquire the attribute information a of the user 2 such as download, and the attribute information a If the access condition x is satisfied, the decryption key 4d is issued to the shared file server apparatus 110. Subsequently, the shared file server apparatus 110 decrypts the encrypted data 3c using the decryption key 4d. Then, an encryption key issue request message including the access condition x ′ of the folder corresponding to the designated movement (duplication) destination path is transmitted to the key management server apparatus 120, and the encryption key 4e ′ corresponding to the access condition x ′ is issued. And encrypts the file 3 using this. In the case of migration, the file of the migration source path is further deleted. Finally, a response message indicating the processing result is transmitted to the client terminal device 10.

  FIG. 44 (a) shows an example of a request message when a file is moved when it is realized in accordance with the WebDAV standard, and FIG. 44 (b) shows an example of a response message when it is successful. The message example in FIG. 44 is a request to move a file with a path name of /folder/abc.txt to /folder2/abc.txt by the MOVE method. Each is specified in the Distination header. When the user attribute information extracted based on the identifier i included in the user authentication information satisfies the folder access condition x, the encrypted data of abc.txt in the folder once leaves the encrypted data. After being decrypted to abc.txt, it is encrypted again based on the access condition of folder2 and stored in folder2. Note that the encrypted data in the folder and the decrypted abc.txt are deleted.

  FIG. 45 (a) shows an example of a request message at the time of file duplication and FIG. 45 (b) shows an example of a response message at the time of success in response to the WebDAV standard. The message example in FIG. 45 is a request for copying a file with a path name of /folder/def.txt to a file with a path name of /folder2/def2.txt by the COPY method. The destination is specified in the Destination header. When the user attribute information extracted based on the identifier i included in the user authentication information satisfies the folder access condition x, the encrypted data of def.txt in the folder once leaves the encrypted data. After being decrypted into def.txt, it is encrypted again based on the access conditions of folder2, and is copied into folder2 as def2.txt. Note that the decrypted def.txt in the folder is deleted.

  When deleting an encrypted file (FIG. 39), first, the user 2 such as download deletes the user authentication information including the user identifier i and the path of the file to be deleted from the client terminal device 10. A request message is transmitted to the shared file server device 110. Then, the shared file server apparatus 110 receives the user authentication from the information management server apparatus 130, and if the user 2 such as download is the owner of the file (encrypted data 3c) of the specified path, The file is deleted, and a response message indicating the processing result is transmitted to the client terminal device 10.

  FIG. 46A shows an example of a request message when it is realized in accordance with the WebDAV standard, and FIG. 46B shows an example of a response message when it is successful. The electronic message example of FIG. 46 makes a request to delete a file having a path name of /folder/abc.txt by the DELETE method, and user authentication information is designated by the Authorization header. If the user indicated in the user authentication information matches the owner of abc.txt, the file abc.txt is deleted.

  When acquiring the properties of the encrypted file (FIG. 40), first, the user 2 such as download includes user authentication information including the user identifier i from the client terminal device 10 and the path of the file whose properties are to be acquired. A property acquisition request message is transmitted to the shared file server apparatus 110. Subsequently, the shared file server device 110 transmits a user attribute data acquisition request message including the user identifier i to the information management server device 130 to acquire the attribute information a of the user 2 such as download and is designated. The access condition x is extracted from the attribute information of the property acquisition target file (encrypted data 3c). If the attribute information a of the user 2 such as download satisfies the access condition x, the attribute information of the property acquisition target file (encrypted data 3c) is transmitted to the client terminal device 10 (user 2 such as download). Finally, a response message indicating the processing result is transmitted to the client terminal device 10.

  FIG. 47 shows an example of a request message when it is realized in accordance with the WebDAV standard, and FIGS. 48-1 and 48-2 show examples of a response message when successful. The message example in FIG. 47 requests acquisition of the property of the folder “/ folder2” by the PROPFIND method, and the user authentication information is specified by the Authorization header. In addition, specific items of properties requested in the latter half of the tag group (in this example, storage date / time, last update date / time, Etag value, content type) are specified. Here, the Etag value is a value calculated from the file size and update date, and the WWW client determines whether or not the original file on the WWW server and the file cached by the WWW client match. Used to do. Then, it is determined whether or not the attribute information of the user extracted based on the user identifier i included in the user authentication information satisfies the access condition of each folder and file. A response message including a property composed of the specific items specified above is returned. In the response examples in Figures 48-1 and 48-2, there are two files abc.txt and def2.txt and a folder called subfolder under / folder2, and the properties of / folder2 and the files and folders under these are displayed. I'm replying.

  When the above-described file sharing system and each device constituting the file sharing system are realized by a computer, processing contents of functions that each device should have are described by a program. The processing functions are realized on the computer by executing the program on the computer. In this case, at least a part of the processing content may be realized by hardware. Further, the various processes described above are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. In addition, it can change suitably in the range which does not deviate from the meaning of this invention.

Claims (7)

A file sharing system in which multiple users share files via a network,
A user creates an arbitrary access condition as a folder name, and the file is uploaded using the shared folder in which the access condition is set for the file by uploading the file and the encryption key corresponding to the access condition. When the attribute information of the user who wants to access the encrypted data file and the attribute information of the user who wants to access the encrypted data file satisfies the access condition, it is paired with the encryption key corresponding to the access condition. A shared file server device comprising: a decryption processing unit that decrypts the encrypted data into the file using a decryption key;
A key management server device comprising: an encryption key generation unit that generates the encryption key; and a decryption key generation unit that generates the decryption key;
An information management server device for storing the attribute information of the plurality of users prepared in advance;
A file sharing system comprising: The file sharing system according to claim 1,
The key management server device further includes a determination unit that determines whether or not the attribute information of a user who tries to access the encrypted data file satisfies the access condition.
The file sharing system, wherein the decryption key generation unit generates the decryption key only when the determination unit determines that the access condition is satisfied. A shared file server device used when a plurality of users share a file via a network,
A shared folder in which a certain user creates an arbitrary access condition in advance as a folder name and sets the access condition for the file by uploading the file;
An encryption processing unit that encrypts the file using an encryption key corresponding to the access condition;
When the attribute information of the user who intends to access the file converted into encrypted data satisfies the access condition, the encrypted data is stored in the file using a decryption key corresponding to the access condition and paired with the encryption key. A decoding processing unit for decoding into
A shared file server device. A file sharing method in which a plurality of users share a file via a network,
An access condition setting step in which the shared file server device sets the access condition for the file by uploading the file to a shared folder created by a certain user using an arbitrary access condition as a folder name;
An encryption key generation step in which the key management server device generates an encryption key corresponding to the access condition;
An encryption step in which the shared file server device encrypts the file using the encryption key;
The key management server device generates a decryption key paired with the encryption key corresponding to the access condition;
The decryption step of decrypting the encrypted data into the file using the decryption key when the attribute information of the user who tries to access the file converted into encrypted data satisfies the access condition by the shared file server device When,
File sharing method to run. The file sharing method according to claim 4,
The key management server device further executes a determination step of determining whether or not the attribute information of a user who tries to access the encrypted data file satisfies the access condition,
The file sharing method in which the decryption key generation step generates the decryption key only when it is determined in the determination step that the access condition is satisfied. An access control method for a shared file server device used when a plurality of users share a file via a network,
An access condition setting step for setting the access condition for the file by uploading the file to a shared folder created by a user with an arbitrary access condition as a folder name;
An encryption step for encrypting the file using an encryption key corresponding to the access condition;
When the attribute information of the user who intends to access the file converted into encrypted data satisfies the access condition, the encrypted data is stored in the file using a decryption key corresponding to the access condition and paired with the encryption key. A decoding step of decoding into
Access control method for shared file server apparatus for executing.   A program for causing a computer to function as the file sharing system according to claim 1 or 2, or the shared file server apparatus according to claim 3.

Images