JP5304736B2 - Cryptographic communication system, cryptographic communication method, and decryption device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To browse plaintext in accordance with an authority of a browsing person without inserting any identifier into the plaintext. <P>SOLUTION: An encryption apparatus 10 comprises: an encryption role information storage means 11 for storing encryption role information comprised of an encryption key corresponding to the authority of a browsing person and a key ID of the encryption key; an encryption processing means 12 for creating an encryption part by encrypting an encryption range using the encryption key of the encryption role information; an encrypted information creating means 13 for creating encrypted information comprised of a front-end position of the encryption part, its rear-end position, the key ID corresponding to the encryption key applied to the encryption part, and one or more records including a processing order of the encryption part; an encrypted document creating means 14 for creating an encrypted document by coupling an encrypted document body comprised of a document including the encryption part and the encrypted information; and an encrypted document storage means 15 for storing the encrypted document created by the encrypted document creating means on a predetermined medium. <P>COPYRIGHT: (C)2010,JPO&amp;INPIT

Description

  The present invention is used in an encryption communication system, an encryption communication method of an encryption system, and an encryption communication system in which a created plain document is encrypted and sent to a viewer, and the viewer side decrypts the encrypted document and retrieves the plain document. The present invention relates to an encryption device and a decryption device used in an encryption communication system.

In general, for example, in a company or other organization, a plain document created does not affect the contents even if it is disclosed outside the company, contents that are not disclosed to the outside such as employee and customer information, and ranks higher in the company organization. Various information is mixed, such as the contents of management information disclosed only.
In particular, information that is important and highly confidential in the company is subject to encryption from the viewpoint of security, and it is common to protect the security by encrypting the entire plain document (the entire one file).

However, within a single plain document, content that may or may not be read is mixed depending on the level of authority (managers, general staff, outside personnel, etc.) even within the same organization. There are cases.
In this case, no matter how much the code cannot be read, if the encrypted file is decrypted, it is read by all viewers.
In addition, when a dedicated document is created for each viewer, it must be corrected for each document when it is corrected to a portion common to each viewer in the plain document. In addition, there was a risk that correction errors would occur.
And if it is distributed in the wrong state, incorrect information will be scattered, and it will take a lot of money and time to collect it.

Conventionally, as a technique of an encryption communication system that restricts browsing of a specific range in a sentence according to the authority level of a viewer, techniques described in Patent Documents 1 to 3, for example, are known.
The encryption communication system described in Patent Literature 1 includes an information distribution device possessed by a slip issuer and information distribution devices possessed by a plurality of viewers.
First, in the information distribution device of the slip issuer, a decryption that enumerates a set of a browsing range identifier that identifies a browsing range that permits browsing of the slip and a common key that encrypts the browsing range for each viewer. Create information.
This decryption information is encrypted using each viewer's public key, and decryption information is created and transmitted to each viewer.
In the information distribution apparatus of the viewer, the received decryption information is decrypted using its own private key, and a common key for decrypting the viewing range permitted by itself is obtained.

Next, in the information distribution apparatus of the slip issuer, the portion designated by the viewing range identifier is encrypted with the corresponding common key in the slip and transmitted to each viewer.
In the information distribution apparatus of the browser, the permitted viewing range of each received slip is decrypted with the common key from the decryption information acquired previously.
In this way, the slip creator changes the decryption information for each viewer so that each viewer can browse only a specific portion of the slip determined by the viewing range identifier.

In the cryptographic communication systems described in Patent Documents 2 and 3, identifiers for different browsing ranges are described in advance in a slip used for communication, depending on the authority of the viewer.
Then, the creator of the slip creates an encrypted document by encrypting the portion sandwiched between the identifiers with an encryption key corresponding to the authority of a predetermined viewer, and transmits the encrypted document to the viewer.
Next, the viewer decrypts the encrypted part with an encryption key corresponding to the authority of the viewer.
As a result, the creator of the plain document limits the viewing range according to each viewer.

JP 2002-259634 A (paragraphs [0051] to [0059]) Japanese Patent Laid-Open No. 05-244150 (FIGS. 3 and 4 etc.) JP 09-233067 A (FIGS. 3 and 4 etc.)

However, in such a conventional communication system, an identifier is inserted into a plain document to be sent to a viewer, and a range to be encrypted is specified using this identifier. There is a problem that is complicated.
In addition, since the creator and the viewer who decrypted the encrypted document see the plain document together with the identifier when the identifier is in the plain document, it may be difficult to grasp the contents of the plain document.

  The present invention has been proposed in order to solve the problems of the conventional techniques as described above, and can read a plain document according to the authority of the viewer without inserting an identifier in the plain document. It is an object of the present invention to provide an encryption communication system, a communication method of the communication system, an encryption device used in the communication system, and a decryption device.

  To achieve the above object, an encryption communication system of the present invention comprises an encryption device that creates an encrypted document from a plain document, and a decryption device that decrypts the encrypted document and extracts the plain document. An encryption role information storage unit for storing encryption role information including a plurality of encryption keys corresponding to a viewer's authority and a key ID for identifying the encryption key; and the plain document. And an encryption processing means for creating an encryption part by encrypting the encryption range with an encryption key of the encryption role information, and a front end position of the encryption part, An encrypted information creating means for creating encrypted information comprising one or more records including a rear end position, a key ID corresponding to an encryption key applied to the encryption unit, and a processing order of the encryption unit; Including An encrypted document body made up of a document, an encrypted document creating unit that combines the encrypted information to create the encrypted document, and an encrypted document created by the encrypted document creating unit is stored in a predetermined medium And an encrypted document storage means.

In the encryption communication system having such a configuration, since the encryption information creating means of the encryption device includes the front end position and the rear end position of the encryption part in the encryption information, the front end position and the rear end position of the encryption part are included. The encryption part is specified based on the end position.
Thus, a specific part of the plain document can be encrypted without inserting an identifier in the plain document, and an encrypted document can be easily created.

In the encryption communication system, since the encryption processing means of the encryption device encrypts each encryption range with an encryption key corresponding to the authority of the viewer, the same encrypted document is delivered to a plurality of viewers. In addition, since the viewer decrypts the encrypted document using the encryption key corresponding to his / her authority, the range can be limited according to the viewer.
As a result, it is not necessary to create a dedicated document for each viewer, so that the correction of the document can be simplified, and the management of the document can be simplified.
In addition, the front end position and the rear end position of any encryption range can be positioned between the front end position and the rear end position of another encryption range, and the encryption range can be specified in a multiple manner. Can correspond to a hierarchy.

Further, the encryption processing means has two or more encryption ranges, and the front end position and the rear end position of any one of the encryption ranges are the front end position and the rear end of another encryption range. It is preferable to have a processing order correction function that, when located between the end positions, causes the encryption range to be encrypted before the other encryption ranges.
In the encryption communication system having such a configuration, the encryption processing unit performs encryption processing from another encryption range within the encryption range by the processing order correction function. Thus, the encryption process can be performed correctly.

In addition, when the encryption device uses the encryption role information stored in the encryption role information storage unit, the encryption device includes an authentication unit that authenticates whether or not the creator can use the encryption role information. Is preferred.
Therefore, unless the authenticating means authenticates the creator, the encryption key cannot be taken out, making it difficult to decrypt the encrypted document.
In addition, it is possible to prevent a person other than the viewer from illegally taking out the plain document from the encrypted document.
Note that the authentication unit preferably has a function of encrypting the encrypted role information with a password or the like. In this way, the encrypted role information is encrypted, for example, when it is not used with the password set by the creator, and even if the encrypted role information is taken out illegally, it cannot be viewed. ,preferable.

  In addition, the decryption device includes decryption roll information storage means for storing decryption roll information composed of an encryption key corresponding to the viewer and a key ID corresponding to the encryption key, and an encryption for retrieving the encrypted document stored in the medium. An encrypted document extracting means, a separating means for separating and extracting the encrypted information and the encrypted document body from the encrypted document, and an encryption key corresponding to the key ID of the record of the encrypted information extracted by the separating means In the encryption key reading unit read from the decryption roll information storage unit and the encrypted document body extracted by the extraction unit, the position of the end of the record from the front end position in the reverse order of the processing order of the record of the encryption information It is preferable to include decryption processing means for decrypting the range up to the above with an encryption key corresponding to the range.

In the encryption communication system configured as described above, the decryption processing means decrypts the encryption unit from the front end position to the rear end position using an appropriate encryption key, so that the plain document can be reliably extracted from the encrypted document. Can do.
Further, when the decryption roll information does not have an encryption key corresponding to the key ID included in the encryption information, the portion cannot be decrypted.
Thereby, the viewable range can be limited according to the authority of the viewer.
In addition, since the processing is performed in the reverse order of the processing order in the encryption processing means, the multiplexed encryption unit can be reliably decrypted.

Further, when the decryption device does not have the decryption roll information with the encryption key to be read by the encryption key reading means, the portion from the front end position to the rear end position of the record corresponding to the encryption key is encrypted. It is preferable to provide a deletion means for deleting from the document body.
In this case, since the encryption unit that cannot be decrypted is deleted, the deletion unit can make it difficult to recognize that there is a part that cannot be seen by the viewer.

Moreover, it is preferable that the decrypting apparatus includes an authenticating unit that authenticates whether or not the decryption roll information stored in the decryption roll information storage unit is a viewer who can use the decryption roll information.
Thereby, in the decryption device, the encryption key cannot be taken out unless the authentication means authenticates the viewer, so that it is difficult to decrypt the encrypted document.
In addition, it is possible to prevent a person other than the viewer from illegally taking out the plain document from the encrypted document.
Note that the authentication unit preferably has a function of encrypting the decryption roll information with a password or the like. In this way, the decryption roll information is encrypted when it is not used with the password set by the viewer, for example, and it is preferable because the decryption roll information cannot be viewed even if the decryption roll information is illegally taken out. .

The encryption key is preferably a common key.
Thereby, the encryption process and the decryption process are simplified, and the encryption and decryption process time can be shortened.

In order to achieve the above object, an encryption communication method of the present invention includes an encryption device that creates an encrypted document from a plain document, and a decryption device that decrypts the encrypted document and extracts the plain document. In the encryption communication method of the system, an encryption role information storage unit that stores encryption role information including an encryption key corresponding to a viewer's authority and a key ID for identifying the encryption key on the encryption device side Encrypting an encryption range consisting of a part or all of the plain document with any one of the stored encryption keys with the encryption key to create an encryption part, an encryption processing order, a front end position of the encryption part, A step of creating a record having a rear end position and a key ID corresponding to the encryption key applied to the encryption unit; and a step of creating encryption information by combining the one or more records; Dark An encrypted document body composed of a document including an encrypted encryption part, a step of creating an encrypted document by combining the encrypted information, and an encrypted document created by the encrypted document creating means And the step of storing in
The encryption communication method having such a configuration is not limited to the configuration of the encryption communication system described above, and may be various configurations.

  In order to achieve the above object, the encryption device of the present invention is an encryption device that creates an encrypted document from a plain document, and identifies a plurality of encryption keys corresponding to the authority of the viewer and the encryption keys. An encryption role information storage unit that stores encryption role information that includes a key ID to be recognized, an encryption range that includes a part or all of the plain document, and the encryption range information storage unit that stores the encryption range. Encryption processing means for creating an encryption part by encrypting with the encryption key stored in the front end position, the rear end position of the encryption part in the encryption processing means, the processing order in the encryption processing means, and the Encrypted information creating means for creating encrypted information including one or more records including a key ID corresponding to an encryption key applied to the encryption unit, and an encrypted document including a document including the encrypted encryption unit Main body and the cipher It includes an encryption document creation means for creating an encrypted document by combining the information, and the encrypted document storage means for storing the encrypted document created by this encryption document creation means to a predetermined medium.

  According to the encryption apparatus having such a configuration, a specific part of the plain document can be encrypted without easily inserting an identifier into the plain document, and an encrypted document can be easily created.

In order to achieve the above object, the encryption device of the present invention is a decryption device that decrypts an encrypted document and extracts a plain document, and includes an encryption key corresponding to a viewer and a key ID corresponding to the encryption key. A decryption roll information storage unit for storing decryption roll information, an encrypted document extraction unit for retrieving an encrypted document stored in the medium, and separating the encrypted information and the encrypted document body from the encrypted document. Separating means to be extracted; and encryption key reading means for reading an encryption key corresponding to the key ID of the record of the encrypted information extracted by the separating means from the decryption roll information storage means;
In the encrypted document body extracted by the extraction unit, the range from the front end position to the rear end position of the record is reversed with the encryption key corresponding to the range in the reverse order of the processing order of the records of the encryption information. Decoding processing means for decoding.
According to the decryption apparatus having such a configuration, the encryption part of the encrypted document can be decrypted without inserting an identifier into the plain document.

As described above, according to the encryption communication system, the encryption communication method, the encryption device, and the decryption device of the present invention, the encryption information creating means of the encryption device adds the front end position of the encryption unit to the encryption information. Since the rear end position is included, the cipher part is specified based on the front end position and the rear end position of the cipher part.
Thus, the decryption apparatus can encrypt a specific portion of the plain document without inserting an identifier into the plain document, and can easily create an encrypted document.

It is the schematic which shows the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the encryption roll information and decryption roll information which are used for the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the plain document is encrypted and the encryption document is produced in the encryption apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the encryption information used for the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention decodes an encrypted document, and takes out a plain document. It is a flowchart figure which shows operation | movement of the encryption apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process which designates several encryption range in the encryption apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the encryption information production | generation means produces encryption information in the encryption apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the encryption process means encrypts each encryption range in the encryption apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the encryption information preparation means correct | amends encryption information in the process of an encryption process in the encryption apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a flowchart figure which shows operation | movement of the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the decoding process means performs a decoding process of each encryption part in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the encryption information in the process of the decoding process of a decoding process means in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows another decoding roll information for viewers in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the decoding process means performs a decoding process of each encryption part in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the process in which the decoding process means performs a decoding process of each encryption part in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the encryption information in the process of the decoding process of a decoding process means in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the deletion process of the encryption part by a deletion means in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention. It is a figure which shows the encryption information in the deletion process of the encryption part by a deletion means in the decoding apparatus of the encryption communication system which concerns on one Embodiment of this invention.

  Hereinafter, an encryption communication system according to the present invention, a communication method of the encryption communication system, and an encryption device and a decryption device used in the encryption communication system will be described in detail.

As shown in FIG. 1, the basic configuration of an encryption communication system according to an embodiment of the present invention includes an encryption device 10 that creates an encrypted document from a plain document, and a decryption that decrypts the encrypted document and extracts the plain document. Device 20.
The encryption device 10 and the decryption device 20 are composed of general-purpose computers, and include a storage unit including an HDD and an arithmetic processing unit including a CPU.

  The encryption device 10 includes a plurality of encryption keys 112 to 115 corresponding to the authority of the viewer and encryption role information storage means 11 for storing encryption role information including key IDs for identifying the encryption keys 112 to 115, An encryption processing means 12 for grasping an encryption range consisting of a part or all of a document and encrypting the encryption range with an encryption key stored in an encryption role information storage means to create an encryption part; Encryption information comprising one or two or more records including the front end position of the encryption section in the processing means, the rear end position, the key ID corresponding to the encryption key applied to the encryption section, and the processing order in the encryption processing means. The encrypted information creating means 13 for creating the encrypted document body, the encrypted document main body composed of the document including the encryption section, the encrypted document creating means 14 for creating the encrypted document by combining the encrypted information 49, and the encrypted document Create The encrypted document storage unit 15 for storing the encrypted document created by stages in a predetermined medium, and a.

As shown in FIG. 2, the encrypted role information 110 stored in the encrypted role information storage unit 11 is distributed to each creator, and the creator's personal ID 111, encryption keys 112 to 115, and key IDs 112a to 115a. And a role information table including a valid start date 118 and a valid end date 119 that define a period during which the use of the encryption keys 112 to 115 is valid.
In the present embodiment, the encrypted role information 110 has first to fourth encryption keys 112 to 115.
The creator of the encrypted document knows in advance which viewer can use the encryption keys 112 to 115 of the encryption role information 110.

As shown in FIGS. 3A to 3C, the encryption processing means 12 selects the encryption keys 112 to 115 for each of the designated encryption ranges 41 to 43, and encrypts them based on the result. Processing is performed to create encryption units 45-47.
The encryption processing means 12 performs encryption processing according to encryption information 49 described later.
In addition, when there are two or more encryption ranges 41 to 43 to be encrypted, the encryption processing means 12 includes the front end position of any one of the encryption ranges (42) among the encryption ranges 41 to 43. When the rear end position is located between the front end position and the rear end position of the other encryption range (43), the encryption range (42) is encrypted before the other encryption range (43). It has a function to perform processing.

As shown in FIG. 4, the encryption information creating means 13 corresponds to the front end position 494, the rear end position 495, and the encryption keys 112 to 115 applied to the encryption section of the encryption sections 45 to 47 that have been encrypted. The encryption information 49 including one or more records 491 to 493 including the key ID 496 and the processing order 497 in the encryption processing means is created.
The encryption information creating unit 13 has a function of including the front end position 498 and the rear end position 499 of the encryption ranges 41 to 43 specified by the creator who operates the encryption apparatus 10.
As shown in FIG. 3B, the creator specifies the encryption ranges 41 to 43 using the display means 18 such as a CRT or a liquid crystal display attached to the encryption device 10. .
The display unit 18 can display the plain document 50, and the creator designates the encryption ranges 41 to 43 from the displayed plain document 50 by, for example, input with a mouse or a keyboard.
Further, the encryption device 10 allows the creator to identify the encryption range by a function of displaying the encryption ranges 41 to 43 on the display unit 18 in a color different from that outside the encryption range, for example. Features are provided.

The encryption information creating means 13 creates the records 491 to 493 by determining the processing order 497 in the order in which the encryption ranges 41 to 43 are designated.
Further, the front end position and the rear end position of the record created by the encryption information creating means 13 are set as follows, for example, when the plain document 50 is composed of plain text or the like.
In the line unit mode, the front end position = the seventh line (from the top of the plain document 50) and the rear end position = the eleventh line (from the top of the plain document 50).
In the character unit mode, the front end position = the eighth character (from the top of the plain document 50) and the rear end position = the 40th character (from the top of the plain document 50).
In the present embodiment, it is assumed that the encryption device 10 and the decryption device 20 are determined in advance to process plain text in a mode that designates line units.

Further, the encryption information creating means 13 has a function of including the version number 490 in the encryption information 49. The version number 490 is provided in order to determine which version has been encrypted because the data structure to be managed may be different as the encryption apparatus 10 is improved.
The version number 490 is so-called version information used for software.

The encrypted document creating unit 14 combines the encrypted information 49 from the encrypted information creating unit and the encrypted document main body 48 encrypted by the encryption processing unit 12 into an encrypted document 40.
The encrypted document 40 has a unique dedicated file structure, for example, by adding an extension “.XXX” to the end of the file name.

The medium (31, 35) in which the encrypted document storage means 15 writes the encrypted document 40 may be anything, and any medium can be used as long as the decryption device 20 can read it.
The encrypted document storage means 15 is, for example, software (mailer) that transmits an email containing an encrypted document via a network 30 such as the Internet and stores the email in the storage means of the server device 31 (mail server). ), Software for uploading an encrypted document to the storage means of the server device 31, and writing software stored in the medium 35 such as a flexible disk or a compact disk. Alternatively, the data may be directly stored in a storage unit such as a hard disk drive included in the decryption device 20.

The encryption device 10 includes an authentication unit 16 that authenticates whether or not the creator can use the encrypted role information 110 when using the encrypted role information 110 in the encrypted role information storage unit 11. It has been.
The authentication unit 16 has a function of encrypting the encrypted role information 110.
Then, when the creator uses the encrypted role information 110, the authentication unit 16 requests the input of the password set by the creator himself, and when the password is correct, the authentication unit 16 obtains the encrypted encrypted role information 110. Decrypt it so that it can be used.

  The decryption device 20 includes decryption roll information storage means 21 for storing decryption roll information consisting of an encryption key corresponding to the viewer and a key ID corresponding to the encryption key, and an encrypted document extraction for retrieving the encrypted document stored on the medium. Means 22; separation means 23 for separating encrypted information 49 and the encrypted document body from the encrypted document; and decrypting the encryption key corresponding to the key ID of the record of the encrypted information 49 retrieved by the separation means 23 From the encryption key reading means 24 read from the roll information storage means 21 and the encrypted document body separated by the separation means, from the front end position of the record to the rear end position in the reverse order of the processing order of the records of the encryption information 49 And a decryption processing means 25 for decrypting the range with an encryption key corresponding to the range.

As shown in FIG. 2, the decryption roll information 210 stored in the decryption roll information storage unit 22 is the same as the encryption roll information 110 and is distributed to each viewer.
The decryption roll information 210 includes a role information table including a personal ID 211 of the viewer, key IDs 212a to 215a, encryption keys 212 to 215, an effective start date 218 and an effective end date 219 of the encryption key.
In addition, the decryption device 20 is provided with an authentication unit 27 that authenticates whether or not the decryption roll information 210 is a viewer who can use the decryption roll information 210 when the decryption roll information 210 of the decryption roll information storage unit 21 is used. Yes.

In addition, the authentication unit 27 has a function of encrypting the decryption roll information 210.
Then, when the creator uses the encrypted role information 210, the authentication unit 27 requests the input of a password set by the creator himself, and when the password is correct, the encrypted decryption role information 210 is encrypted. Is decrypted so that it can be used.

The encrypted document extracting means 22 is composed of a mailer that receives mail from the mail server 31, a downloader from the server device, software for reading the contents from the medium 35 using hardware such as an FD drive, CD drive, and the like. ing.
The separating unit 23 extracts the encrypted document body and the encrypted information 49 from the encrypted document extracted by the encrypted document extracting unit 22.

The decryption processing means 25 loads the range from the front end position 494 to the rear end position 495 of the records 491 to 493 by the encryption key reading means 24 in the reverse order of the processing order of the records 491 to 493 of the encryption information 49. Decrypt with the encrypted key. Further, the decryption processing means 25 has a function of correcting the encryption information 49 when the encryption key information to be read by the encryption key reading means 24 is not in the decryption roll information 210.
Further, in the decryption device 20, when the encryption key reading unit 24 does not have the encryption keys 212 to 215 to be read in the decryption roll information 210, the records 491 to 491 corresponding to the encryption keys 212 to 215 to be loaded are read. Deletion means 26 is provided for deleting the portion from the front end position 495 to the rear end position 496 of the encrypted document main body 48.
The encryption keys 112 to 115 and 212 to 215 included in the encryption roll information 110 and the decryption roll information 210 are common keys. That is, the encryption keys 112 to 115 and 212 to 215 having the same key IDs 112a to 115a and 212a to 215a included in the encryption roll information 110 and the decryption roll information 210 are the same data.
The decrypting device 20 is provided with display means 29 such as a display on which the decrypted plain document 50 is displayed.

Further, the encryption device 10 and the decryption device 20 are provided with role information acquisition means (not shown) for acquiring the roll information 110 and 210.
The role information acquisition unit acquires role information from a role information management server (not shown) connected to the encryption device 10 and the decryption device 20 via a network.
The role information acquisition unit acquires role information from the role information management server at predetermined intervals, for example, and updates the role information so that the encryption key is within the valid period.

Next, the operation of the cryptographic communication system of the present embodiment configured as described above will be described with reference to FIGS. 6 shows a flowchart of the encryption device 10, and FIG. 11 shows a flowchart of the decryption device 20.
In the present embodiment, the plain document 50 used in this encryption communication system has, for example, 10 lines with the file name “file1.txt” as shown in FIGS. 3 (a) and 7 (a). It is a text file.
The plain document 50 includes a first encryption range 41 in the second to third lines, a second encryption range 42 in the seventh to eighth lines, and a third encryption range in the sixth to ninth lines. Three portions of the encryption range 43 are encrypted.

The first encryption range 41 and the second encryption range 42 are encrypted using the first encryption key, and the third encryption range is encrypted using the second encryption key. The
Moreover, the general sentence which is a part other than the first to third encryption ranges is a range in which no encryption is performed, and indicates content that can be read by anyone.

The encrypted role information 110 is acquired in advance from the role information management server by the role information acquisition unit of the encryption device 10 and the decryption device 20, and this encrypted role information 110 is stored in the encrypted role information storage unit 11. .
Next, the creator who operates the encryption device 10 takes the created plain document 50 into the encryption device 10, and the first to third encryption ranges 41 are included in the plain document 50 displayed on the display unit 18. To 43 are designated (FIG. 3B, S1-1).
Further, every time the encryption range 41 to 43 is designated, the creator selects the encryption keys 112 to 115 for encrypting the encryption range 41 to 43 from the encryption role information 110 (S1-2).
At this time, when the creator determines that the encryption role information 110 is unusable by the creator, the following processing is not performed.

As shown in FIGS. 5 (b), 7 (b) to (d), and FIG. 8, the encryption information creating means 13 specifies the encryption ranges 41 to 43 and selects the encryption keys 112 to 115. Is made, encryption information 49 is created.
First, when the first encryption range 41 is designated and the first encryption key 112 for encrypting the encryption range 41 is selected, a record having a processing order of 1 is created (FIG. 7B). ), (FIG. 8A).
Then, when the third encryption range 43 is designated and a second encryption key for encrypting the encryption range 43 is selected, a record of processing order = 2 is created (FIG. 7C). (FIG. 8B).
Next, when the second encryption range 42 is designated and the first encryption key for encrypting the encryption range 42 is selected, a record of processing order = 3 is created (FIG. 7D). (FIG. 8C).

Thereafter, for example, when an encryption processing execution button (not shown) displayed on the display screen of the display means 18 is clicked with a pointer such as a mouse, the encryption processing means 12 performs the encryption processing.
The encryption processing means 12 first checks the values in the encryption ranges 41 to 43 of the encryption information (FIG. 8C) created by the encryption information creation means 13.
At this time, the processing order of the second encryption range 42 (processing order = 3) included in the third encryption range 43 is after the third encryption range (processing order = 2) 43.
Therefore, the processing order correction function of the encryption processing means 12 sets the processing order of the second encryption range 42 before the third encryption range 43 (FIG. 10A).

Then, as shown in FIGS. 9 and 10, the encryption processing means 12 executes the encryption processing as follows according to the processing order of the encryption information 49.
First, the record of processing order = 1 is referred to (FIG. 10A), and the first encryption range 41 on the second to third lines of the plain document 50 (FIG. 9A) is specified. Then, the encryption range 41 is read from the encryption role information 110 with the first encryption key 112 having the key ID of 1, and is encrypted using this to form the first encryption unit 45 (S1-3). , FIG. 9 (b)).
In this way, the first encryption unit 45 has a larger data amount than the first encryption range 41 due to padding, and increases from 2 lines to 3 lines.
Here, padding (padding) means dividing dummy data according to block size (64 bits or 128 bits) and encrypting dummy data so that the last block matches the size of other blocks when encrypted. Means to insert. Thus, when padding occurs, the ciphertext increases as compared to the capacity of the equivalent.
Therefore, the encryption information creating unit 13 corrects the front end position and the rear end position of the encryption unit 45 of the record with the processing order = 1 from L2-L3 to L2-L4. Further, the front end position and the rear end position of the encryption unit 46 of the record in the processing order = 2 are changed from L7-L8 to L8-L9, and the front end position and the rear end position of the encryption unit 47 of the record in the processing order = 3 are set to L6. Correction is performed from -L9 to L7-L10 (S1-4, FIG. 10B).

Next, the encryption range 42 in the L7 to L8 lines is specified with reference to the front end position and the rear end position of the encryption part of the record of processing order = 2 (FIG. 10B). Then, the encryption range 42 is read from the encryption role information 110 with the first encryption key 112 having a key ID of 1, and encrypted using this to form the second encryption unit 46 (S1-3). , FIG. 9 (c)).
In this way, the second encryption unit 46 has a larger data amount than the second encryption range 42 due to padding, and increases from 2 lines to 3 lines.
Therefore, the encryption information creating unit 13 corrects the front end position and the rear end position of the encryption part of the record of processing order = 2 from L8-L9 to L8-L10. Further, the front end position and the rear end position of the encryption part of the record of processing order = 3 are corrected from L7-L10 to L7-L11 (S1-4, FIG. 10C).

Next, the third encryption range 43 on the L7 to L11 lines is specified by referring to the front end position and the rear end position of the encryption part of the record of processing order = 3 (FIG. 10C). Next, the second encryption key 113 with the key ID 2 is read from the encryption role information 110 and the encryption range 43 is encrypted using this to form the third encryption unit 47 (S1- 3, FIG. 9 (d)).
In this way, the third encryption unit 47 has a larger data amount than the third encryption range 43 due to padding, and increases from 5 lines to 7 lines.
At this time, the encryption information creating unit 13 corrects the front end position and rear end position of the encryption unit 47 of the record of processing order = 3 from L7-L11 to L7-L13 (S1-4, FIG. 10 (d)). ).

Next, the encrypted document creating means 14 combines the encrypted document body 48 and the encrypted information 49 to create the encrypted document 40, and the file name of the encrypted document 40 is “file1.txt.XXX” ( 3D and S1-5).
Then, the encrypted document storage unit 14 stores the encrypted document 40 in the medium 35 or the storage unit of the server device 31 (S1-5).

Thereafter, as shown in FIG. 11, when the plain document 50 is extracted from the encrypted document 40, the decryption device 20 performs a decryption process as follows.
First, the encrypted document take-out means takes out the encrypted document (“file1.txt.XXX”) from the storage unit of the medium 35 or the server device 31 (S2-1, FIG. 5A), and the separating means Then, the encrypted document main body 48 (“file1.txt”) and the encrypted information 49 are separated from the encrypted document 40 (S2-2, FIG. 5B, FIG. 9D).
Next, the encryption key reading unit 24 refers to the key ID of the encryption information 49 (FIG. 13A), and loads the first encryption key 212 and the second encryption key 213 from the decryption roll information 210. (S2-3).
At this time, the authentication means 27 authenticates the viewer. When the authentication means 27 makes the viewer unsuitable, the processing by the decryption processing means 25 is not performed.

Next, the decryption processing means 25 decrypts the encryption units 45 to 47 of the encrypted document body 41 in the reverse order to the processing order 497 of the encryption information 49 (S2-4).
First, as shown in FIGS. 12A and 13A, the third encryption unit 47 (L7-L13) in the encrypted document main body 41 from the front end position and the rear end position of the record of processing order = 3. Is identified. Then, the third encryption unit 46 is decrypted by selecting the second encryption key 113 from the key ID 496 of the record (FIG. 12B).
Next, as shown in FIGS. 12B and 13B, the second encryption unit 46 (L8−) in the encrypted document main body 48 is determined from the front end position and the rear end position of the record in the processing order = 2. L10) is specified. The second encryption unit 46 selects and decrypts the first encryption key from the key ID of the record with the processing order = 2 (FIG. 12C).

Next, as shown in FIGS. 12B and 13B, from the front end position and the rear end position of the record of processing order = 1, the first encryption unit 45 (L2- L4) is specified. The first encryption unit 45 is decrypted by selecting the first encryption key 212 from the key ID of this record (FIG. 12 (d)).
In this case, since the viewer can use the first and second encryption keys 212 and 213 as the decryption roll information 210, all the encryption units 45 to 47 can be decrypted.
Then, the decryption apparatus 20 displays the plain document 50 on the display unit 29 (S2-6).

Next, referring to FIGS. 11 and 14 to 19, the viewer of the encrypted document 50 using the decryption device 20 is a viewer who can use the decryption roll information 210 a having only the second encryption key 213. The case will be described.
Unlike the above, the encrypted document 50 is created, for example, by performing encryption processing in the order of the second encryption range, the third encryption range, and the first encryption range.
In the decryption device 20, the encrypted document takeout unit 22 takes out the encrypted document 50 from the storage unit of the medium 35 or the server device 31, and the separation unit 23 uses the encrypted document main body 48 and the encrypted document from the encrypted document 50. Information 49 is separated (S2-1, S2-2, FIGS. 15A and 15B).
Next, the encryption key reading unit 24 refers to the encryption information 49 and loads the second encryption key 213 in the encryption information 49 from the decryption roll information 210a (S2-3).

Next, the decryption processing means 25 decrypts the encryption units 45 to 47 of the encrypted document main body 28 in the reverse order to the processing order of the encryption information 49 (S2-4).
First, as shown in FIGS. 16 (a) and 17 (a), the first encryption unit 45 (L2-L4) in the encrypted document body from the front end position and the rear end position of the record of processing order = 3. Is identified. However, the first encryption key 212 is not included in the decryption roll information 210, and decryption processing is not performed (FIG. 16B).
At this time, the front end position and the rear end position of the encryption range 41 are compared with the front end position and the rear end position of the encryption unit 45, and since the increment of the encryption unit 45 is one line, the decryption processing means 25 performs processing order. = The front end position and the rear end position of the encryption units 46 to 47 of the record of 3 or less are corrected. Specifically, the decryption processing means 25 changes the front end position and rear end position of the encryption unit 47 of the record of processing order = 2 from L6-L12 to L7-L13, and the encryption unit 46 of the record of processing order = 1. The front end position and the rear end position are L7-L9 to L8-L10.

Next, as shown in FIGS. 16B and 17B, the third encryption unit 47 (L7− in the encrypted document main body 48) is determined from the front end position and the rear end position of the record with the processing order = 2. L13) is specified, and decryption processing is performed with the second encryption key 213 (FIG. 16B).
In addition, as shown in FIG. 16B and FIG. 17B, the decryption roll information 210 does not have the first encryption key 212 in the record in the processing order = 1 and the record in the processing order = 1. It is not decrypted (FIG. 15 (c)).

Next, since the record remains in the encryption information 49, the deleting unit 26 functions (S2-5).
The first encryption unit 45 (L2-4) is specified from the front end position and the rear end position of the record with the processing order = 2, and is deleted (FIG. 18B). At this time, since the number of rows to be deleted is 3, the front end position and rear end position of the encryption unit 46 of the record with processing order = 1 are corrected from L8-L10 to L5-L7.
Next, the second encryption unit 46 (L5-L7) is specified from the front end position and the rear end position of the record of processing order = 1, and this part is deleted to obtain a plain document 50a (FIG. 15 (d)). , FIG. 18 (c)).
Note that the deletion unit 26 can also delete the encryption part in order from the larger numerical value with the larger front end position and rear end position after ignoring the processing order. In the case of the present embodiment, the front end position and the rear end position (L8-L10) of the second encryption unit 46 are larger than the front end position and the rear end position (L2-L4) of the first encryption unit 45. Therefore, the second encryption unit 46 is deleted first. In this way, it is not necessary to correct the encryption information.
Then, the decryption device 20 displays the plain document 50a on the display unit 29 (S2-6).

As a result, even if the same encrypted document 40 is delivered to a plurality of viewers with different authorities, the viewer can decrypt the encrypted document 40 based on the decryption roll information 210, 210a possessed by the viewer. Since it is done, the range can be limited according to the viewer.
As a result, it is not necessary to create a dedicated document for each viewer, so that the correction of the document can be simplified, and the management of the document can be simplified.

In addition, since the encryption information 49 includes the front end position 494 and the rear end position 495 of the encryption units 45 to 47, the decryption device 20 identifies the encryption units 45 to 47 based on this position information.
Thus, a specific part of the plain document 50 can be encrypted without inserting an identifier into the plain document 50, and an encrypted document can be easily created.
Further, since the identifier and the identifier are not inserted into the plain document 50, the creator and the viewer can easily grasp the content of the plain document 50 when the plain document 50 is browsed.

In addition, encryption can be performed even when the front end position and the rear end position of the encryption ranges 41 to 43 include the front end position and the rear end position of another encryption range.
Accordingly, it is possible to deal with an organizational hierarchy by designating the encryption ranges 42 and 43 in a single plain document 40 according to the authority of the viewer.

For example, it is assumed that the above-described plain document 50 is a document for a business unit composed of a system staff and a sales staff, and the plain document 50 includes a system staff section and a sales staff section. In this case, for example, the first encryption key 212 can be used for a sales person in charge of browsing, and the second encryption key 213 can be used for a system person in charge of browsing. In addition, the first encryption key 212 and the second encryption key 213 are made available to the viewer who has a higher position in the business division.
If it does in this way, each viewer will be able to read the part according to each authority.

Also, for example, if the viewer is in charge of the system, the range that can be decrypted with the second encryption key 213 can be read, but the range of sales representatives cannot use the first encryption key 212 and therefore cannot be decrypted and cannot be read. On the other hand, the sales staff can read only the portion that can be decrypted with the first encryption key 212. Moreover, what is necessary is just to read the part (general sentence) which is not encrypted about the part common to the whole business division.
In addition, a viewer who has a higher position in the business division can decrypt both the sales staff and the system staff.

In addition, the encryption keys 212 to 215 for decryption are stored in the decryption device 20 in advance in the decryption roll information 210 and are not distributed in the encrypted document 40, and thus are lost at the time of distribution. And the risk of passing on to other people is greatly reduced.
That is, since the encryption information 49 includes the key ID 496 and does not include the encryption key 42 itself, it is possible to prevent a situation in which the encryption information 49 is analyzed and the encryption key 42 is illegally extracted. Therefore, it can prevent being used for unauthorized browsing by a third party.

Further, since the encryption role information 110 and the decryption role information 210 are encrypted by the authentication means 16 and 27 with the password of the creator or the viewer, for example, the encryption role information 110 and the decryption role information 210 are stolen. Even if it is rare, the encryption key cannot be taken out unless the personal password is analyzed, which makes it difficult to decrypt the encrypted document.
Further, since the encryption units 45 to 47 that cannot be decrypted are deleted by the deleting means 26, it is possible to make it difficult for the viewer to recognize that there is a part that cannot be viewed.

In addition, in the encryption roll information 110 and the decryption roll information 210, the validity period is determined for the encryption keys 112 to 215 and 212 to 215 by using the validity start dates 118 and 218 and the validity end dates 119 and 219. In this effective period, encryption and decryption can be performed, but encryption and decryption cannot be performed otherwise.
As a result, even if the encryption keys 112 to 215 and 212 to 215 are leaked to others or the encryption key is decrypted and analyzed, if the expiration date is not reached, the encryption keys 112 to 215, 212 to 215 can no longer be used. This is preferable in terms of security.
In this embodiment, the encryption roll information includes the effective start dates 118 and 218 and the effective end dates 119 and 219. However, it is preferable to add not only the date but also the time to set the effective period in detail. .

For example, when encrypting a plain document 50 formed of a file created by Microsoft Corporation, Word, PowerPoint or the like (including a text control object), for example, it is as follows.
In the page unit mode, the front end position = 3 pages and the rear end position = 5 pages.
In the line unit mode, the front end position = 7th line from the top of page 3, and the rear end position = 11th line from the top of page 5.
In the character unit mode, the leading edge position is the 23rd character from the top of page 3, and the trailing edge position is the 13th character from the top of page 5. Or, the front end position = the fifth character of the text control 2, and the rear end position = the thirteenth character of the text control 2.
The above is merely an example, and the present invention is not particularly limited thereto. Further, in order to specify the mode in which the front end position and the rear end position of the encryption units 45 to 47 are described, it is preferable that the encryption information 49 includes a position information mode.

In the present embodiment, the above encryption information is created in advance and the specified encryption ranges 41 to 43 are collectively encrypted. However, the present invention is not limited to this.
For example, every time the encryption processing unit 12 of the encryption device 10 designates one encryption range 41 to 43, the encryption processing unit 12 selects the encryption keys 112 to 115 corresponding to the range and performs encryption processing. It is possible.
In this case, it is preferable to change the encryption order by performing encryption while designating the range, while visually observing which range is actually encrypted.
In this case, the creator of the encryption device 10 designates the encryption range so that either the front end position or the rear end position of the encryption range is located in the already encrypted part or both. When trying to do so, the encryption device 10 displays an error message on the display means and performs a process of warning that such an encryption range cannot be specified.

As mentioned above, although the preferable embodiment was shown and demonstrated about the apparatus of this invention, the apparatus which concerns on this invention is not limited only to embodiment mentioned above, A various change implementation is possible in the scope of the present invention. Needless to say.
For example, in the above-described embodiment, the encryption device performs encryption with padding by the encryption processing unit, but there may be no padding. In this case, since the front end position and the rear end position match in the designated encryption range and the encrypted part after the encryption process, information on the front end position and the rear end position of the encryption range need not be provided. .

  A part or all of the above-described embodiment can be described as in the following supplementary notes, but is not limited thereto.

(Supplementary note 1) An encryption communication system comprising: an encryption device that creates an encrypted document from a plain document; and a decryption device that decrypts the encrypted document and extracts the plain document, wherein the encryption device browses An encryption role information storage means for storing encryption role information consisting of a plurality of encryption keys corresponding to the authority of the person and a key ID for identifying the encryption key, and an encryption range consisting of a part or all of the plain document And the encryption processing means for creating the encryption part by encrypting the encryption range with the encryption key of the encryption role information, the front end position of the encryption part, the rear end position, applied to the encryption part A key ID corresponding to the encryption key, encrypted information creating means for creating encrypted information comprising one or more records including the processing order of the encryption part, and an encrypted document body comprising a document containing the encryption part, And the dark Encrypted document creating means for combining encrypted information to create the encrypted document, and encrypted document storage means for storing the encrypted document created by the encrypted document creating means on a predetermined medium, The decryption device stores an encryption key corresponding to all or a part of the plurality of encryption keys stored in the encryption device, and decrypts each encryption range included in the encrypted document with the stored encryption key At the same time, the encryption range in which the corresponding encryption key is not stored is not decrypted, the next encryption range with the encryption key is decrypted, and the decryption processing is performed for all encryption ranges with the encryption key. A cryptographic communication system characterized by the above.

(Supplementary Note 2) The encryption processing means has two or more encryption ranges, and the front end position and the rear end position of any one of the encryption ranges are the front end positions of the other encryption ranges. The encryption communication system according to claim 1, further comprising: a processing order correction function that encrypts the encryption range prior to the other encryption ranges when positioned between the rear end position and the rear end position.

(Additional remark 3) When the said encryption apparatus uses the encryption roll information of the said encryption role information storage means, the authentication means which authenticates whether it is a creator who can use this encryption role information The encryption communication system according to appendix 1 or 2, characterized by comprising:

(Supplementary note 4) The decryption device stores decryption roll information storage means for storing decryption roll information consisting of an encryption key corresponding to a viewer and a key ID corresponding to the encryption key, and an encrypted document stored in the medium. An encrypted document extraction unit to be extracted; a separation unit to separate and extract the encrypted information and the encrypted document body from the encrypted document; and an encryption key corresponding to the key ID of the record of the encrypted information extracted by the separation unit In the encryption key reading unit that reads the decryption roll information from the decryption roll information storage unit and the encrypted document main body extracted by the extraction unit, in the reverse order of the processing order of the records of the encryption information, from the front end position of the record The encryption communication system according to any one of appendices 1 to 3, further comprising: decryption processing means for decrypting a range up to the end position with an encryption key corresponding to the range.

(Supplementary Note 5) When the decryption device does not have the encryption key to be read by the encryption key reading means in the decryption roll information, the part from the front end position to the rear end position of the record corresponding to the encryption key is The encryption communication system according to appendix 4, further comprising: deletion means for deleting from the encrypted document body.

(Additional remark 6) When the said decoding apparatus uses the decoding roll information of the said decoding roll information storage means, it is provided with the authentication means which authenticates whether it is a viewer who can use this decoding roll information. The encryption communication system according to appendix 4 or 5,

(Supplementary note 7) The cryptographic communication system according to any one of supplementary notes 1 to 6, wherein the cryptographic key is a common key.

(Supplementary note 8) An encryption communication method for an encryption communication system, comprising: an encryption device that creates an encrypted document from a plain document; and a decryption device that decrypts the encrypted document and extracts the plain document. On the device side, the plain document is one of the encryption keys stored in the encryption roll information storage means for storing the encryption roll information consisting of the encryption key corresponding to the authority of the viewer and the key ID for identifying the encryption key. A step of encrypting a part or all of an encryption range with an encryption key to create an encryption part, an encryption processing order, a front end position of the encryption part, a rear end position, and an application to the encryption part A step of creating a record having a key ID corresponding to the encrypted key, a step of creating encrypted information by combining the one or more records, and an encryption comprising a document including an encrypted encryption unit Chemical statement A main body and a step of creating an encrypted document by combining the encrypted information and a step of storing the encrypted document created by the encrypted document creating means in a predetermined medium, And decrypting each encryption range included in the encrypted document with an encryption key corresponding to all or part of the plurality of encryption keys stored in the encryption device, and The encryption range in which no encryption key is stored is not decrypted, the decryption process is performed for the next encryption range with the encryption key, and the decryption process is performed for all encryption ranges with the encryption key. Encryption communication method.

(Supplementary note 9) Decryption role information storage means for decrypting an encrypted document and extracting a plain document and storing decryption roll information consisting of an encryption key corresponding to the viewer and a key ID corresponding to the encryption key An encrypted document extracting means for extracting an encrypted document stored in the medium, a separating means for separating and extracting encrypted information and an encrypted document body from the encrypted document, and an encryption extracted by the separating means An encryption key reading unit that reads an encryption key corresponding to the key ID of the encryption information record from the decryption roll information storage unit, and a processing order of the records of the encryption information in the encrypted document body extracted by the extraction unit; Comprises, in reverse order, decryption processing means for decrypting a range from the front end position to the rear end position of the record with an encryption key corresponding to the range, and the decryption roll information storage means The encryption range included in the encrypted document is decrypted with the stored encryption key, and the encryption range in which the encryption key corresponding to the decryption roll information storage unit is not stored is not decrypted. A decryption device that performs a decryption process on a certain next encryption range and performs a decryption process on all encryption ranges having an encryption key.

10 Encryption Device 11 Encrypted Roll Information 110 Encrypted Roll Information 111 Personal ID
112-115 Encryption key 112a-115a Key ID
DESCRIPTION OF SYMBOLS 12 Encryption processing means 13 Encrypted information creation means 14 Encrypted document creation means 15 Encrypted document storage means 16 Authentication means 20 Decryption device 21 Decryption roll information storage means 210 Decryption roll information 211 Personal ID
212-115 Encryption key 212a-115a Key ID
22 Encrypted Document Extraction Unit 23 Separation Unit 24 Encryption Key Reading Unit 25 Decryption Processing Unit 26 Deletion Unit 27 Authentication Unit 30 Network 31 Server Device 35 Media (Media)
40 Encrypted document 41 to 43 Encrypted range 45 to 47 Encrypted part 49 Encrypted information 490 Version number 491 to 493 Record 494 Encrypted part front position 495 Encrypted part rear end position 496 Encryption key ID
498 Front end position of encryption range 499 Back end position of encryption range 50, 50a Plain document

Claims (8)

An encryption communication system comprising: an encryption device that creates an encrypted document from a plain document; and a decryption device that decrypts the encrypted document and extracts the plain document,
The encryption device is
Encrypted role information storage means for storing encrypted role information including a plurality of encryption keys corresponding to the authority of the viewer and a key ID for identifying the encryption keys;
An encryption processing means for grasping an encryption range composed of a part or all of the plain document and encrypting the encryption range with an encryption key of the encryption role information to create an encryption unit;
Encryption that creates encryption information consisting of one or more records including the front end position, the rear end position of the encryption unit, the key ID corresponding to the encryption key applied to the encryption unit, and the processing order of the encryption unit Information creation means;
An encrypted document body composed of a document including the encryption unit, and an encrypted document creating means for creating the encrypted document by combining the encrypted information;
Encrypted document storage means for storing the encrypted document created by the encrypted document creation means on a predetermined medium;
When using encryption role information of the encrypted role information storing means, encryption, wherein an authentication unit for authenticating whether the creator that can use this encryption role information, that Ru provided with Communications system.   The encryption processing means has two or more encryption ranges, and the front end position and the rear end position of any one of the encryption ranges are the front end position and the rear end position of another encryption range. The encryption communication system according to claim 1, further comprising a processing order correction function for performing encryption processing on the encryption range prior to other encryption ranges when located in between. The decoding device is
Decryption roll information storage means for storing decryption roll information consisting of an encryption key corresponding to a viewer and a key ID corresponding to the encryption key;
Encrypted document retrieving means for retrieving an encrypted document stored in the medium;
Separating means for separating and extracting the encrypted information and the encrypted document body from the encrypted document;
An encryption key reading means for reading an encryption key corresponding to the key ID of the record of the encrypted information extracted by the separating means from the decryption roll information storage means;
In the encrypted document body extracted by the extraction unit, the range from the front end position to the rear end position of the record is reversed with the encryption key corresponding to the range in the reverse order of the processing order of the records of the encryption information. cryptographic communication system according to claim 1 or 2 wherein, characterized in that it comprises a decoding means for decoding, the. When the decryption device does not have an encryption key to be read by the encryption key reading means in the decryption roll information, a portion from the front end position to the rear end position of the record corresponding to the encryption key is the encrypted document. 4. The cryptographic communication system according to claim 3, further comprising deletion means for deleting from the main body. The decrypting device comprises authentication means for authenticating whether or not the decryption roll information stored in the decryption roll information storage means is a viewer who can use the decryption roll information. The cryptographic communication system according to 3 or 4 . The encryption key, encrypted communication system according to any one of claims 1 to 5, characterized in that a common key. An encryption communication method of an encryption communication system comprising: an encryption device that creates an encrypted document from a plain document; and a decryption device that decrypts the encrypted document and extracts the plain document,
When a plurality of encryption ranges are specified for a part or all of the plain document on the encryption device side, the plurality of specified encryption ranges are grasped and stored in the encryption roll information storage unit It authenticates whether or not it is a creator who can use the encryption role information consisting of a plurality of encryption keys corresponding to the authority of the viewer and the key ID for identifying the encryption key, and stores in the encryption role information storage means A step of encrypting a plurality of encryption ranges composed of a part or all of the plain document with any one of the stored encryption keys with a selected arbitrary encryption key among the plurality of encryption keys to create an encryption unit When,
Creating a record having a processing order of encryption, a front end position of the encryption unit, a rear end position, and a key ID corresponding to the encryption key applied to the encryption unit;
Combining the one or more records to create encrypted information;
An encrypted document body composed of a document including an encrypted encryption part, and creating an encrypted document by combining the encryption information;
And a step of storing the encrypted document created by the encrypted document creating means on a predetermined medium. An encryption device for creating an encrypted document from a plain document,
Encrypted role information storage means for storing encrypted role information including a plurality of encryption keys corresponding to the authority of the viewer and a key ID for identifying the encryption keys;
An encryption processing means for grasping an encryption range consisting of a part or all of a plain document and encrypting the encryption range with an encryption key stored in the encryption role information storage means to create an encryption part;
One or more records including the front end position of the encryption unit in the encryption processing unit, the rear end position, the processing order in the encryption processing unit, and the key ID corresponding to the encryption key applied to the encryption unit Encryption information creating means for creating encrypted information comprising:
An encrypted document body including an encrypted encryption part, and an encrypted document creating means for creating an encrypted document by combining the encrypted information;
Encrypted document storage means for storing the encrypted document created by the encrypted document creation means on a predetermined medium;
And an authentication means for authenticating whether or not the creator is capable of using the encrypted role information when the encrypted role information stored in the encrypted role information storage means is used. apparatus.