JP5307199B2 - Data management system and data management method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To maintain confidentiality of data between a third party network server providing network service and a user device without changing the firmware and system mechanism of the third party network server. <P>SOLUTION: A relay server 210 has an encryption function and a decryption function. When receiving a new request for customer data upload from a terminal device 230 (S1), the relay server identifies an encryption method for the request (S2-S4), and encrypts an object to be encrypted in the customer data in accordance with the encryption system (S6). Then, the relay server transmits the encrypted data together with the upload request to an application server 15. When receiving the encrypted data, the application server 15 meets the upload request and stores the encrypted data in a data storage unit 154. <P>COPYRIGHT: (C)2013,JPO&amp;INPIT

Description

  The present invention relates to a technique for encrypting character data and a technique for storing encrypted data in a server apparatus on a network, and in particular, the content of data managed by the server apparatus is received from an administrator of the server apparatus. The present invention relates to a data management system and a data management method capable of preventing leakage.

  Conventionally, network services that allow users to use various applications such as customer management applications (CRM applications) and data management applications provided from server devices (hereinafter referred to as “network servers”) provided on the Internet via the Internet are known. It has been. Users of such network services can freely use their various applications provided by a network server owned by a third party to store their own data (for example, customer data and address data) stored on the network. Can be accessed. If such a network service is used, there is no need to provide a server system for the user himself / herself to manage data. On the other hand, since the data is stored in a network server or its external storage placed under the control of a third party, there is a risk of data leaking against the user's will. However, in recent years, due to improvements in user authentication technology and network security technology, the risk of data leakage from the network server has been reduced, and users themselves have to manage network servers under the control of third parties. The management method to manage the data of is becoming mainstream.

  In addition, with the rapid globalization of companies, network servers have been installed around the world. In addition, in preparation for situations in which network servers become unavailable due to the occurrence of natural disasters, human disasters such as wars, conflicts, and terrorism (hereinafter referred to as “disasters”), users can It came to use multiple existing network servers.

JP 2002-278970 A

  By the way, even if the user of the network service uses a network server installed outside the country, the user's own data stored in the network server can be freely handled. However, due to changes in laws and social conditions in each country, the management system of the network server has changed, and data reading is restricted regardless of the user's own data. Unexpected situations such as leakage or data erasure may occur. In addition, when the morality of the network server administrator is reduced due to changes in the social situation, there may be a problem that user data is unfairly disclosed by the administrator. For such problems, it is effective to store data encrypted in advance in a network server. For example, Patent Document 1 discloses a system in which, when encrypted data and index information are transmitted to a network server, the network server stores the encrypted data.

  However, the system described in Patent Document 1 employs a mechanism in which not only encrypted data but also index information for indexing these data is stored in the network server in a state linked to the encrypted data. Has been. In order to realize such a mechanism, it is necessary to change the firmware or system of the network server according to the above mechanism. However, a user of a network service such as a customer management application needs to change the network server of the provider of the service. It is virtually impossible to change the firmware or system.

  Therefore, the present invention has been made in view of the above circumstances, and the object of the present invention is to change the firmware and system mechanism of a third party network server that provides a network service such as a customer management application. It is another object of the present invention to provide a data management system and a data management method capable of maintaining the confidentiality of data between a third-party network server and a user device.

(1) In the present invention, a data processing device managed by a first administrator and a server device managed by a second administrator different from the first administrator are connected to be communicable via a network. Data management system. The data processing apparatus includes: an encryption unit that encrypts character data including a plurality of characters; and a decryption that decrypts the character data encrypted by the encryption unit in a procedure reverse to the encryption of the encryption unit. Means. The data processing device generates encrypted data by encrypting the character data included in the storage target data by the encryption unit when a storage request for the storage target data including at least the character data is input. The encrypted data is transmitted to the server device. The server device is configured to store the encrypted data in a predetermined storage device when the encrypted data is received from the data processing device.

  In the data management system configured as described above, when the storage request is input to the data processing device from a client terminal or the like, the data processing device sends the character data of the storage target data corresponding to the storage request to the encryption unit. Encrypt it. The character data encrypted at this time may be input together with the storage request, or a storage area specified by an address (IP address, memory address, hard disk track address, etc.) input together with the storage request. It may be stored in. This storage area is placed under the management of the first administrator, and corresponds to a memory or HDD in the data processing apparatus, or an HDD provided on the network. The character data is data represented by characters, and is synonymous with document data or text data.

  The encrypted character data (encrypted data) is transmitted to the server device via the network. When the server apparatus receives the encrypted data transmitted from the data processing apparatus, the server apparatus stores the encrypted data in a predetermined storage device. This storage device is placed under the management of the second administrator, for example, one provided in the server device or one provided at a predetermined address on the network. The encrypted data stored in the storage device is stored by the server device.

  Thus, since the data management system of this invention is comprised, the encrypted character data are stored in the server apparatus which a 2nd administrator manages. Therefore, even if the data in the server device leaks, the data contents are not known to anyone other than the first administrator because the data is encrypted. In addition, since data encryption and decryption are performed by the data processing apparatus, the present invention can be easily applied to an existing data server system without changing the firmware and system of the server apparatus under the control of the second administrator. Can be applied.

  In this data management system, the data processing device is configured to transmit the read request to the server device when a read request for the storage target data is input. In this case, when the server device receives the read request from the data processing device, the server device reads the encrypted data specified based on the read request from the storage device and transmits it to the data processing device. When the data processing apparatus receives the encrypted data transmitted from the server apparatus in response to the read request, the data processing apparatus causes the decryption means to decrypt the encrypted data and return it to the original character data.

(2) The above character data is expressed by a continuous notation method in which words are not separated. That is, this character data is a sequence of a plurality of words without being divided (how to separate words with a space or the like) such as Chinese, Japanese, Korean (hereinafter collectively referred to as “CJK language”). This is text data in which a sentence described in a continuous notation is converted into a character code. In this case, the encryption means decomposes the character data included in the storage target data into a plurality of blocks composed of consecutive N characters based on the N-gram method, and encrypts each block. It is preferable.

  Typical examples of languages that employ continuous notation are Chinese, Japanese, and Korean (CJK language). Sentences created in the CJK language are not written differently from sentences in Western languages (hereinafter abbreviated as “Western languages”) configured by combining alphabetic characters. Character data including a character string used in such a language is decomposed by the encryption means into blocks composed of consecutive N characters based on the N-gram method, and each block is encrypted. Is done. By being encrypted in this way, one block composed of N consecutive characters is grasped as one characteristic part. Therefore, even for encrypted character data (encrypted data), partial match search processing, full-text search processing, and sort processing for character data (encrypted data) that is still encrypted based on the characteristic portion Each process such as can be realized with high accuracy.

(3) When the search keyword is input, the data processing device causes the encryption means to encrypt the search keyword to generate an encryption keyword, and transmits the encryption keyword to the server device. When the encrypted data corresponding to the encryption keyword is received as a search result, the decryption means decrypts the encrypted data. In this case, when the server device receives the encryption keyword from the data processing device, the server device searches the storage device for the encryption data corresponding to the encryption keyword, and uses the searched encryption data as a search result as the data. It is preferable that it is what is transmitted to a processing apparatus.

  Thus, the search process is performed without decrypting the encrypted data in the server apparatus, and the search result is decrypted by the data processing apparatus. Therefore, it is possible to realize a search function for searching for encrypted data while preventing leakage of data from the server device.

(4) The encryption means decomposes the character data included in the data to be stored into a plurality of blocks composed of consecutive N characters based on the N-gram method, and converts each block into an integer. After the processing, the numerical value shown in the data after the integer conversion processing is replaced with a character specified based on a predetermined character replacement table. The data processing device causes the decryption means to decrypt the encrypted data when the encrypted data is received from the server device. The server device sorts encrypted data belonging to an item based on a sorting request for a predetermined item so as to be in a predetermined sort order, and stores the encrypted data together with sort order information indicating an order after sorting. It is transmitted to the processing device.

  Since the encryption unit is configured as described above, when the sort processing is performed on the encrypted data in the server device, the sort order for the encrypted data matches the sort order for the character data after decryption. That is, the sorting result performed on the encrypted data can be applied to the decrypted character data. As a result, it is possible to realize a sorting function that targets encrypted data while preventing leakage of data from the server device.

(5) The present invention can also be understood as a data management method applied to the above-described data management system. In the data management system to which this data management method is applied, a data processing device managed by a first administrator and a server device managed by a second administrator different from the first administrator form a network. it is communicatively connected data management system via. The data management method includes first to fifth steps. In the first step, when a storage request for storage target data including character data composed of a plurality of characters represented by a continuous notation method that expresses without separating words is input to the data processing device, the character data Is divided into a plurality of blocks composed of consecutive N characters based on the N-gram method, each block is encrypted to generate encrypted data , and the encrypted data is transmitted to the server device. In the second step, when the encrypted data transmitted from the data processing device is received by the server device, the encrypted data is stored in a predetermined storage device. The third step, the search keyword decomposes the search keyword into a plurality of blocks composed of N consecutive characters based on N-gram scheme when it is input to the data processing apparatus, each respective block The encryption keyword is generated by encryption, and the encryption keyword is transmitted to the server device. In the fourth step, when the encryption keyword transmitted from the data processing device is received by the server device, the encryption data corresponding to the encryption keyword is searched from the storage device, and the searched encryption data is The search result is transmitted to the data processing apparatus. In the fifth step, when the encrypted data transmitted from the server device is received by the data processing device as the search result, the encrypted data is decrypted by a procedure reverse to the encryption in the first step .

  As a result, even if data in the server apparatus leaks, since the data is encrypted, the contents of the data are not known to anyone other than the first administrator. In addition, since data encryption and decryption are performed by the data processing device, it is not necessary to change the firmware or system of the server device under the control of the second administrator. Further, the search process is performed without decrypting the encrypted data in the server apparatus, and the search result is decrypted by the data processing apparatus. Therefore, it is possible to realize a search function for searching for encrypted data while preventing leakage of data from the server device even during a search.

According to the present invention, the content of the first administrator's data is prevented from leaking from the second administrator's server device without changing the firmware of the second administrator's server device or the system mechanism. It is possible to maintain the confidentiality of. In addition, when the character data is document data or text data of a sentence created by the continuous notation, the character data is encrypted for each block divided based on the N-gram method, so that consecutive N One block consisting of individual characters is grasped as one characteristic part. Therefore, even in the character data (encrypted data), it is possible to achieve partial matching processing on it, a full-text search processing of all the processes with high precision.

FIG. 1 is a network diagram showing a network configuration of the data management system 10. FIG. 2 is a block diagram illustrating a schematic configuration of each device of the data management system 10. FIG. 3 is a sequence diagram showing a data or signal transmission / reception sequence executed in the data management system 10 when data is uploaded. FIG. 4 is a flowchart illustrating an example of a procedure of processing executed by the relay server 210 when uploading data. FIG. 5 is a sequence diagram showing a data or signal transmission / reception sequence executed in the data management system 10 when searching for data. FIG. 6 is a flowchart illustrating an example of a procedure of processing executed by the relay server 210 when searching for data. FIG. 7 is a sequence diagram showing a data or signal transmission / reception sequence executed in the data management system 10 when sorting data. FIG. 8 is a flowchart illustrating an example of a procedure of processing executed by the relay server 210 when data is sorted. FIG. 9 is a flowchart illustrating an example of the procedure of the encryption process executed by the relay server 210. FIG. 10 is a diagram illustrating an example of customer data and a user interface.

  Hereinafter, a data management system 10 (an example of the data management system of the present invention) according to an embodiment of the present invention will be described with reference to the drawings as appropriate.

  As shown in FIG. 1, the data management system 10 includes an application server 15 that provides an application (hereinafter abbreviated as “application server”. An example of a server device of the present invention) and a client management system 20. Yes. The application server 15 is communicably connected to the relay server 210 (an example of the data processing apparatus of the present invention) of the client management system 20 via the Internet 12 (an example of the network of the present invention).

  In the present embodiment, the application server 15 manages a business operator (corresponding to a second administrator of the present invention, hereinafter referred to as a “SaaS business operator”) that provides an application service belonging to a category of so-called “Software as a Service”. It is put under operation. On the other hand, the client management system 20 is operated under the management of an operator different from the SaaS operator (corresponding to the first administrator of the present invention). Conventionally, a management system in which both a server and a client management system are managed and operated by the same administrator has been mainstream. However, in recent years, it has become more important to reduce the capital investment burden of the system and to distribute the risk of equipment damage and data loss in the event of a disaster. The SaaS provider undertakes the provision of storage areas, storage of user data, and database management of customer information, etc., and the users use application services provided by the SaaS provider through the network. Such a system as the data management system 10 of this embodiment is becoming mainstream. Examples of such application services include CRM solutions provided by Salesforce.com Inc. in the United States and Google Calendar (Web Calendar Service) provided by Google Incorporated in the United States. Google is a registered trademark of Google Incorporated.

  The application server 15 has a database management function, a data search function, and a sort function. The database management function is a function for accumulating and storing customer data, address data, and the like transferred from an external device via the Internet 12 as a database in an internal or external storage area. The data search function is a function for performing a keyword search on the database based on a search keyword transferred from an external device. The sort function is a function for rearranging (sorting) the order of customer data in the database with respect to the item when the item to be sorted is designated from the external device. The application server 15 is configured to provide each function described above to the client management system 20 through the Internet 12. Therefore, application software for realizing the above functions is installed in the application server 15. Thereby, the client management system 20 can use the network service of each function provided by the application server 15. Below, each structure of the application server 15 and the client management system 20 is demonstrated in detail.

  As shown in FIG. 2, the application server 15 includes a control unit 151 such as a CPU, a ROM 152, a RAM 153, a data storage unit 154 that is a large-capacity storage medium such as an HDD, and a communication I that performs communication with the outside. / F155 is a computer (electronic computer). Each component provided in the application server 15 is connected to be communicable with each other via an internal bus. Data transferred via the Internet 12 is stored and stored in the data storage unit 154 as a database. The type of data stored in the data storage unit 154 is not particularly limited. In this embodiment, as shown in FIG. 10A, a customer number, a customer name, a customer address, a customer-related memo (hereinafter “customer memo”). It is assumed that customer data in a list format (hereinafter also referred to as “customer list”) consisting of five items of registration date (date of update) is database-managed in text format. Note that an application storage area (not shown) is allocated to the data storage unit 154, and application programs for realizing the above-described database management function, data search function, and sort function are stored in this storage area. .

  As shown in FIG. 1, the client management system 20 includes a relay server 210, an information management server 220, and a plurality of terminal devices 230 (230A, 230B, 230C), which communicate with each other via a LAN 21. Connected as possible.

  As shown in FIG. 2, the terminal device 230 includes a control unit 231 such as a CPU, a ROM 232, a RAM 233, an HDD 234, an input unit 235 such as a keyboard, a monitor 236 such as a liquid crystal display, and external communication. A computer (electronic computer) including a communication I / F 237 that performs the above operations, specifically, a personal computer, a PDA, a mobile phone, a tablet terminal, a smartphone, and the like. A user who intends to use the network service of the application server 15 operates the terminal device 230 to transmit various requests regarding the above-described database management function, data search function, and sort function to the relay server 210 and the application server 15. To do.

  The information management server 220 includes a control unit 221 such as a CPU, a ROM 222, a RAM 223, a basic information storage unit 224 such as an HDD storing basic information to be described later, and a communication I / F 225 that performs communication with the outside. It is a computer (electronic computer) provided. The basic information storage unit 224 stores, as basic information, encryption designation information for designating an encryption method used for encryption and decryption, a plurality of character substitution tables used for encryption processing, and the like. The encryption designation information is stored in the basic information storage unit 224 as table data in a state associated with identification information such as a user ID for identifying the terminal device 230 and a plurality of predetermined language information. . The table data is referred to when selecting an encryption method according to the identification information of the terminal device 230 or an encryption method according to the language of characters used in the data to be encrypted when selecting an encryption method to be described later. Is done.

  The basic information storage unit 224 stores a first character replacement table and a second character replacement table. The first character replacement table is used for encryption by a first encryption method described later, and the second character replacement table is used for encryption by a second encryption method described later.

  The encryption designation information is read from the basic information storage unit 224 by the relay server 210 when there is a data upload request (data write request) from the terminal device 230 to the relay server 210. For example, when there is an upload request from the terminal device 230A to the relay server 210, it corresponds to the encryption designation information corresponding to the identification information of the requesting terminal device 230A or the language used for the data to be encrypted The encryption designation information to be read is read from the table data, and the encryption designation information is transmitted from the information management server 220 to the relay server 210. The encryption designation information may be different for each terminal device 230, or may be common to all the terminal devices 230 belonging to the client management system 20.

  The relay server 210 is a computer (electronic computer) that includes a control unit 211 such as a CPU, a ROM 212, a RAM 213, an HDD 214 that stores various applications, and communication I / Fs 215 and 216 that communicate with the outside. . The communication I / F 215 is an interface for connecting to the LAN 21, and the communication I / F 216 is an interface for connecting to the Internet 12. The relay server 210 is installed with applications that perform encryption processing and decryption processing, and applications for relaying various data and signals between the application server 15 and the terminal device 230, respectively. The program is stored in the HDD 214.

  In the present embodiment, at least the following two types of encryption programs are stored in the HDD 214 as applications for encryption processing. Specifically, a program for executing encryption by the first encryption method and a program for executing encryption by the second encryption method are stored in the HDD 214. The first encryption method is an encryption method that does not allow sort processing on encrypted data but allows search processing. The second encryption method is an encryption method that enables sort processing and search processing on encrypted data. These encryption methods are properly used according to the object to be encrypted.

  The first encryption method is composed of N characters that are continuous from text data (corresponding to character data of the present invention) input as an encryption target based on a so-called N-gram method used for full-text search and the like. And the text data of each divided block is encrypted in the AES128CFB mode, and character replacement processing is performed on the encrypted text data. On the other hand, the second encryption method is a method in which text data input as an object of encryption is divided into blocks composed of consecutive N characters, and character replacement processing is performed on the text data of each block. is there. These ciphers were written in Japanese, which is not written like a sentence written in Japanese, that is, in a continuous notation method in which multiple words are written consecutively without separating the words with spaces or the like. This is selected when encryption processing is performed on text data of a sentence. Text data of sentences that are not written is not only text data of sentences in Japanese but also text data of sentences created in so-called CJK languages (Chinese, Japanese, Korean) or Thai. . Note that when encryption processing is performed on text data of texts in Western languages, a conventionally known encryption method (AES or the like) different from the first encryption method and the second encryption method is selected.

  Hereinafter, various processing procedures executed in the data management system 10 will be described with reference to FIGS. 3 to 10. In the following description, communication (data and signal transmission / reception) executed in the data management system 10 is performed based on a communication protocol standardized by the International Organization for Standardization (ISO) or the International Telecommunications Union (ITU). Detailed description of the communication method will be omitted. In the following, the control unit 211 of the relay server 210 that executes the encryption process and the decryption process corresponds to the encryption unit and the decryption unit of the present invention.

  First, an example of a processing procedure executed by the relay server 210 when data is uploaded from the client management system 20 to the application server 15 will be described in detail with reference to FIGS. 3 and 4. In the following embodiment, the data management system 10 has an input screen 36 (see FIG. 10B) that is an example of a user interface that is used in a network service by the application server 15 after establishing communication connection between devices. ) Is displayed on the monitor 236 of the terminal device 230. In the following, an example in which new customer data is uploaded to a database (see FIG. 10A) relating to customer data stored in the data storage unit 154 (see FIG. 2) of the application server 15 will be described. . The customer data transmitted / received by the data management system 10 at the time of uploading is text data in which a plurality of Japanese characters are represented by character codes defined by UTF-8.

  When a user uploads new customer data from the terminal device 230 to the application server 15, first, the user operates the terminal device 230 to request upload of the customer data together with arbitrary customer data (storage of the present invention). (Corresponding to the request) is transmitted to the relay server 210 (see FIG. 3). Specifically, in each input column of items (also referred to as fields or columns) such as a customer number, customer name, customer address, customer memo, and registration date provided on the input screen 36 (see FIG. 10B). When the registration button 31 is pressed after necessary items are input in Japanese, the control unit 231 of the terminal device 230 causes the input data of each item to be 3 bytes or 4 defined by UTF-8. It is converted into text data composed of byte character codes, and transmitted to the relay server 210 together with an upload request to the application server 15. At this time, identification information (for example, user ID) of the terminal device 230 is transmitted together with the upload request. Note that the converted data of each item (customer number, customer name, customer address, customer memo, and individual data for each registration date) is a group of customer data (hereinafter referred to as "record" ").).

  In addition, since UTF-8 can display Chinese, Japanese, and Korean (CJK language) characters, in Japan and other CJK language countries, multilingual character codes can be used by computers. UTF-8, which is a character code, is used.

  As shown in FIG. 4, when the relay server 210 receives the upload request and the record from the terminal device 230 (YES in S1), the control unit 211 manages the encryption method corresponding to the upload request as information management. A request is made to the server 220 (S2). At the time of this request, the control unit 211 transmits the identification information of the terminal device 230 and the character type information of the text data included in the input record (for example, distinction between Japanese sentence data or English sentence data) to the information management server 220. The distinction between Japanese text data and English text data can be made from the character code used.

  When the information management server 220 receives a request from the relay server 210, the control unit 221 reads out encryption designation information (for specifying an encryption method) corresponding to the upload request from the basic information storage unit 224. Specifically, the encryption designation information corresponding to the identification information of the terminal device 230 and the character type information of the input record is read from the table data in the basic information storage unit 224. In this embodiment, since the text data included in the input record is Japanese, the encryption designation information for designating the first encryption method and the second encryption method described above is read, and these encryptions are also read. The first character replacement table and the second character replacement table used in the method are read out. Thereafter, the encryption designation information and the character replacement table are transmitted to the relay server 210.

  As shown in FIG. 4, in the relay server 210, when the encryption designation information and the character replacement table are received from the information management server 220 (YES in S3), the control unit 211 changes the encryption method indicated by the encryption designation information. Specify (S4). Specifically, the first encryption method and the second encryption method indicated by the encryption designation information are specified. Thereafter, a target to be encrypted is specified from among a plurality of items of data included in the record (S5). In the present embodiment, a predetermined customer memo is specified as a target of the first encryption method among a plurality of items included in the record, and a predetermined customer name and customer address (hereinafter referred to as “customer name etc.”). Is specified as a target of the second encryption method. Other items (customer number, registration date) are excluded from encryption targets because of their low confidentiality.

  Thereafter, the control unit 211 encrypts only the data of the item specified as the encryption target in the record (S6). In the present embodiment, encryption processing based on the first encryption method (hereinafter referred to as “first encryption processing”) is performed on the customer memo data, and the second encryption method is performed on the data such as the customer name. Is performed (hereinafter referred to as “second encryption process”). This encryption process is performed for each item of data.

  The first encryption process for the customer memo data is performed according to the procedure shown in the flowchart of FIG. Specifically, first, the text data of the customer memo to be encrypted (character data encoded based on UTF-8) is a sequence of two characters (X, Y) based on the 2-gram method. (S41). For example, if a Japanese sentence “I have run for the Tokyo Governor Election” has been entered in the customer memo field of the above record, this sentence will be (X, Y) = {(East, Kyoto) ( (Kyoto, Miyako) (Kyoto, Wisdom) (Kyoto, Things) (Things, Elections) (Elections, Raises) (Earth, Departure) (Departures, Horses) (Horse, Deer) Thus, it is divided into 11 blocks. Hereinafter, a character code in which each of these blocks is represented by UTF-8 is represented as P (X, Y).

  Next, the control unit 211 converts the character code P (X, Y) represented by UTF-8 into a character code represented by Unicode 16 (S42). The character code after conversion, that is, the character code represented by Unicode 16 is represented as P '(X', Y '). According to Unicode 16, one character is represented by 2 bytes. Therefore, the character X represented by a 3 or 4-byte character code in UTF-8 is a character X ′ represented by a 2-byte character code in Unicode 16. Similarly, a character Y represented by a 3- or 4-byte character code in UTF-8 is a character Y ′ represented by a 2-byte character code in Unicode 16. Therefore, P ′ (X ′, Y ′) is represented by 4 bytes (32 bits). By performing the conversion process in step S42 in this way, it is possible to suppress an increase in data after encryption.

Next, the converted P ′ (X ′, Y ′) is converted into an integer by the control unit 211 (S43). Here, the numerical value after being converted to an integer is represented as Q ₁ (X ′, Y ′). This Q ₁ (X ′, Y ′) multiplies the operation value obtained by exclusive OR (exclusive bit sum) of X ′ and Y ′ by 65535 and adds Y ′ to the operation result. It is a numerical value obtained in this way, and is obtained by the mathematical formula of Q ₁ (X ′, Y ′) = (X ′ ^ Y ′) * 65535 + Y ′. In the above formula, (X ′ ^ Y ′) indicates exclusive OR. By performing the exclusive OR operation in this way, the positional relationship between the character X and the character Y becomes difficult to read from Q ₁ (X ′, Y ′), and the encrypted data can be easily obtained. It will not be deciphered. The integer value obtained in step S43 is displayed in 4 bytes (32 bits). In other words, the integer value can be converted by an integer processing in step S43 is the 65535 positive integer of ⁰ to ^{2 32.}

Subsequently, Q ₁ (X ′, Y ′) is encrypted in the AES128CFB mode (S44). In the next step S44, the encrypted 4-byte text data is subjected to character replacement processing for each byte of the text data (S45). Specifically, a first character substitution table is prepared in which different characters and symbols are predetermined so as to correspond to each of 256 numerical values that can be expressed in one byte, and based on the first character substitution table, For each byte of the 4-byte text data, a character or the like corresponding to the numerical value represented by the 1 byte is selected from the first character replacement table and assigned.

  When the character replacement process is completed for all the blocks divided in step S41 (YES in S46), the text data corresponding to the adjacent blocks is connected to one encrypted data (corresponding to the encrypted data of the present invention). ) Is generated (S47). The encrypted data generated in this way is not the text data of the original sentence “I have run for the Tokyo Governor Election.”, But is an unknown character string with character replacement.

  The second encryption process for data such as a customer name is performed according to the procedure shown in the flowchart of FIG. Specifically, first, similarly to steps S41 and S42 described above, the control unit 211 converts the text data of the item to be encrypted (character-coded based on UTF-8) into the 2-gram method. Is divided into blocks composed of two consecutive characters (X, Y) (S51), and then the character code P (X, Y) represented by UTF-8 is represented by Unicode 16. Character code P ′ (X ′, Y ′) is converted (S52).

Next, P ′ (X ′, Y ′) after conversion is converted into an integer by the control unit 211 (S53). Here, the numerical value after the integerization is expressed as Q ₂ (X ′, Y ′). This Q ₂ (X ′, Y ′) is a numerical value obtained by adding Y ′ to a value obtained by multiplying X ′ by 65535, and Q ₂ (X ′, Y ′) = 65535 * X It is calculated | required by numerical formula of '+ Y'. The integer value obtained in step S53 is displayed in 4 bytes (32 bits).

Subsequently, for the 4-byte text data of Q ₂ (X ′, Y ′), a character replacement process is performed for each byte of the text data (S54). Specifically, a second character substitution table (see Table 1) in which different characters and symbols are determined in advance so as to correspond to each of 256 numerical values that can be expressed in one byte is prepared. Based on the table, for each byte of the 4-byte text data, a character or the like corresponding to the numerical value represented by the one byte is selected from the second character replacement table and assigned. In the second character replacement table, as shown in Table 1, numbers 0 to 255 are assigned in order from the smallest numerical value indicated by the character code. Since the characters are assigned so as to correspond to the order, even if the character replacement process is performed on Q ₂ (X ′, Y ′), the text data after the replacement of the positional relationship between the characters X and Y is replaced. It can be read from.

  Thereafter, when the character replacement process is completed for all the blocks divided in step S51 (YES in S55), the text data corresponding to the adjacent blocks is connected to one encrypted data (corresponding to the encrypted data of the present invention). ) Is generated (S56). The text data generated in this way is an unknown character string that is different from the original sentence.

  When all the data to be encrypted (customer name, customer address, customer memo) in the above record is encrypted, the same relationship as the record before encryption is given between the data of each item. Each piece of data is handled as a single record as a group. At this time, a prefix (Prefix) and a suffix (Suffix) are added as identifiers before and after the encrypted data of the customer memo to be encrypted first, and the encryption of the customer name and customer address to be encrypted second. A prefix and a suffix may be added as separate identifiers before and after each data. Thereby, the relay server 210 can easily identify the first encryption target item and the second encryption target item when the encrypted record is sent from the application server 15. Become.

  When the encryption process in step S6 shown in FIG. 4 is completed, the encrypted record is transmitted from the relay server 210 to the application server 15 via the Internet 12 together with the upload request (S7). The record transmitted at this time may be further encrypted by an SSL (Secure Socket Layer) method, or may be transmitted to the application server 15 without being encrypted by SSL. Note that a series of steps S1 to S7 corresponds to the first step of the present invention.

  When the application server 15 receives the encrypted record, the control unit 151 stores the record in the data storage unit 154 (corresponding to the second step of the present invention). Thereafter, an upload completion notification is transmitted from the application server 15 to the relay server 210. When the relay server 210 receives the upload completion notification (YES in S8), the relay server 210 transmits the upload completion notification to the terminal device 230 (S9).

  Next, an example of a processing procedure executed by the relay server 210 when a data search request is issued from the client management system 20 to the application server 15 will be described in detail with reference to FIGS. 5 and 6. In the following, it is assumed that a search screen 37 (see FIG. 10C), which is an example of a user interface used in the network service by the application server 15, is displayed on the monitor 236 of the terminal device 230. .

  When a user performs a data search from the terminal device 230 to the application server 15, first, the user operates the terminal device 230 to relay a search request together with a search keyword (corresponding to the search keyword of the present invention). It transmits to 210 (refer FIG. 5). Specifically, on the search screen 37 shown in FIG. 10C, after the search keyword is input in the input field of any of the customer name, customer address, and customer memo, the inspection button 32 is pressed and operated. Then, the control unit 231 of the terminal device 230 transmits the input search keyword and the search request for the application server 15 to the relay server 210.

  As shown in FIG. 6, when the relay server 210 receives the search request and the search keyword from the terminal device 230 (YES in S31), the control unit 211 manages the encryption method corresponding to the search request as information management. A request is made to the server 220 (S32). At the time of this request, the control unit 211 transmits the identification information (for example, user ID) of the terminal device 230 and the character type information of the input search keyword (for example, discrimination between Japanese sentence data or English sentence data) to the information management server 220. .

  When the information management server 220 receives a request from the relay server 210, the control unit 221 reads encryption designation information corresponding to the search request from the basic information storage unit 224. Specifically, the encryption designation information corresponding to the identification information of the terminal device 230 and the character type information of the search keyword is read from the table data in the basic information storage unit 224. In this embodiment, it is assumed that the character type of the input search keyword is Japanese. In this case, the encryption designation information for designating the first encryption method and the second encryption method is read, and the first character substitution table and the second character substitution table used for these encryption methods are read. . Thereafter, the encryption designation information and the character replacement table are transmitted to the relay server 210.

  As shown in FIG. 6, when the relay server 210 receives the encryption designation information and the character replacement table from the information management server 220 (YES in S33), the control unit 211 displays the first information indicated by the encryption designation information. The encryption method and the second encryption method are specified (S34), and then the search keyword is encrypted (S35). In this embodiment, the search keyword input in the customer memo column is encrypted according to the first encryption method, and the search keyword input in the customer name and customer address column is encrypted according to the second encryption method. . The encryption here is the same as the encryption described in step S6 above, and is the same as the procedure shown in FIG.

  When the encryption is completed, as shown in FIG. 6, an encrypted search keyword (hereinafter referred to as “encryption keyword”, which corresponds to the encryption keyword of the present invention) is sent from the relay server 210 to the application via the Internet 12 together with the search request. It is transmitted to the server 15 (S36). Note that a series of processing in steps S31 to S36 corresponds to the third step of the present invention.

  In the application server 15, when the encryption keyword is received, the control unit 151 compares the encryption keyword with a database in the data storage unit 154 (see FIG. 2) and searches for encryption data including the encryption keyword (FIG. 5). reference). If the encrypted data exists by the search, a record including the encrypted data is transmitted to the relay server 210 (corresponding to the fourth step of the present invention).

  As shown in FIG. 6, in the relay server 210, when the record is received as a search result (YES in S37), the encrypted data of each item of the received record is decrypted by the control unit 211 (S381). The processes in steps S38 and S381 correspond to the fifth step of the present invention. If the control unit 211 determines that there is the identifier (prefix and suffix) before and after each data in the record before executing the decryption process in step S381, the control unit 211 changes the encryption method corresponding to the identifier for each data. To be specific. Then, the encrypted data of each item is decrypted according to the reverse procedure of the specified encryption method. Note that the specific method of the decryption process is the reverse procedure of the encryption in step S6, and thus the description thereof is omitted here. Thereafter, an original record including the decrypted original data is transmitted to the terminal device 230 (S382) and displayed on the monitor 236 of the terminal device 230.

  On the other hand, if the record is not received as a search result (NO in S37) and a signal indicating no search (no hit) is received from the application server 15 (YES in S391), a signal indicating no search is sent to the terminal. The information is transmitted to the device 230 (S392), and message information without search is displayed on the monitor 236 of the terminal device 230.

  Next, using FIG. 7 and FIG. 8, when the client management system 20 requests the application server 15 to sort the customer list (see FIG. 10A), the relay server 210 executes it. An example of the processing procedure to be performed will be described in detail. In the following, it is assumed that customer data arranged in ascending order for customer numbers as shown in FIG. 10A is displayed on the monitor 236 of the terminal device 230 as a user interface.

  When a user issues a sort request from the terminal device 230 to the application server 15, first, the user operates the terminal device 230 to transmit a sort request together with items to be sorted (sort items) to the relay server 210. (See FIG. 7). Specifically, in the customer list screen 38 shown in FIG. 10A, any of the upward triangular keys 33 (33A, 33B, 33C) provided in the item columns of the customer name, customer address, and registration date. Or, when any of the downward triangular keys 34 (34A, 34B, 34C) provided in the item columns of the customer name, customer address, and registration date is pressed, the control unit 231 of the terminal device 230 is operated. Transmits the item information indicating the pushed item and the sort request to the application server 15 to the relay server 210 (see FIG. 7). When the key 33 is pressed, a request for sorting the items in ascending order is transmitted. When the key 34 is pressed, a request for sorting the items in descending order is transmitted.

  As shown in FIG. 8, when the relay server 210 receives the sort request and the item information from the terminal device 230 (YES in S62), the control unit 211 immediately receives the received sort request and item information. Transfer to the application server 15 (S62).

  In the application server 15, upon receiving a request from the relay server 210, the control unit 151 sorts items specified by the item information (hereinafter referred to as “designated items”) in descending or ascending order, and then sorts them. Along with the information indicating the order and the specified items, all the records to be searched in the data storage unit 154 are transmitted to the relay server 210 (see FIG. 7).

  As shown in FIG. 8, in the relay server 210, when all the records are received as the sorting result (YES in S63), the encrypted data included in the received record is decrypted by the control unit 211 (S64). Note that the specific method of the decryption is the reverse procedure of the encryption in step S6, and thus the description thereof is omitted here. Thereafter, the decrypted original record and the information indicating the sort order are transmitted to the terminal device 230 (S65). Then, in the terminal device 230, a customer list sorted in the sort order is created as a sorting result, and the customer list is displayed on the monitor 236 (see FIG. 7).

  As described above, in this embodiment, when new customer data is stored (updated) from the client management system 20 to the application server 15, the customer data is encrypted by the relay server 210 of the client management system 20, and the encryption is performed. Data is transmitted to the application server 15 and stored. For this reason, even if data in the application server 15 is leaked, the data is encrypted, so that the content of highly confidential customer data is not disclosed to the outside. Further, since the data encryption and decryption are performed by the relay server 210, the present invention can be realized by the data management system 10 without changing the firmware and the system of the application server 15 under the management of the SaaS provider. That is, even if the administrator of the client management system 20 (the user of the application server 15) does not have the ASP operator who manages the application server 15 change the firmware of the application server 15, the data security according to the present invention. A highly reliable data server system can be easily constructed.

  In addition, the search process is performed without decrypting the encrypted data in the application server 15, and the search result is decrypted by the relay server 210. Therefore, the data is encrypted while preventing leakage of data from the application server 15. It is possible to realize a search function that uses the data as a search target.

  Moreover, since the data of the item to be sorted is encrypted by the second encryption method, the database in the application server 15 can be sorted in an encrypted state. As a result, the sort process is performed without decrypting the encrypted data in the application server 15, and the sort result is decrypted by the relay server 210. Therefore, the data is encrypted while preventing leakage of data from the application server 15. It is possible to realize a sorting function for sorting the processed data.

  In the above-described embodiment, the client management system 20 is configured to connect the relay server 210, the information management server 220, and the terminal device 230 via the LAN 21, but is not limited to such a connection configuration. For example, a connection configuration in which the terminal device 230 is connected to the Internet 12 and accesses the relay server 210 through the Internet 21 may be used. Further, not only the terminal device 230 but also the information management server 220 may have a connection configuration capable of communicating with the relay server 210 through the Internet 12. The present invention can also be applied to such a connection configuration.

  In the above embodiment, in step S41, the character data to be encrypted is divided into blocks composed of two consecutive characters (X, Y) based on the 2-gram method. The character may be divided into three characters based on the 3-gram method, or may be divided into four characters based on the 4-gram method.

10: Data management system 12: Internet 15: Application server 20: Client management system 21: LAN
36: Input screen 37: Search screen 38: Customer list screen 210: Relay server 220: Information management server 230: Terminal device

Claims (3)

A data management system in which a data processing device managed by a first administrator and a server device managed by a second administrator different from the first administrator are connected to be communicable via a network. And
The data processing device
Character data composed of a plurality of characters represented by a continuous notation method that expresses without separating words is divided into a plurality of blocks composed of consecutive N characters based on the N-gram method, and encryption means for encrypting,
Decrypting means for decrypting the character data encrypted by the encrypting means by a procedure reverse to the encryption of the encrypting means,
When a storage request for storage target data including at least the character data is input, the encryption unit encrypts the character data included in the storage target data to generate encryption data, and the encryption data is stored in the server device. Is configured to send to
The server device is
A data management system configured to store the encrypted data in a predetermined storage device when the encrypted data is received from the data processing device. The data processing device
When a search keyword is input, the encryption means encrypts the search keyword to generate an encryption keyword, and transmits the encryption keyword to the server device.
When the encryption data corresponding to the encryption keyword is received as a search result from the server device, the encryption data is decrypted by the decryption means,
The server device is
When the encryption keyword is received from the data processing device, the encryption data corresponding to the encryption keyword is searched from the storage device, and the searched encryption data is transmitted to the data processing device as a search result. The data management system according to claim 1 . A data processing device which is managed by the first manager, the communicatively connected data management system via a network and a server device managed by a different second administrator with the first manager An applied data management method,
When a storage request for storage target data including character data composed of a plurality of characters expressed by a continuous notation notating between words is input to the data processing device, the character data is converted into an N-gram method. A first step of decomposing the block into a plurality of blocks composed of consecutive N characters, encrypting each block to generate encrypted data, and transmitting the encrypted data to the server device;
A second step of storing the encrypted data in a predetermined storage device when the encrypted data transmitted from the data processing device is received by the server device;
Searches decomposes the query into a plurality of blocks composed of N consecutive characters based on N-gram scheme when it is input to the data processing apparatus, cryptographic keywords to encrypt each of blocks A third step of generating the encryption keyword and transmitting the encryption keyword to the server device;
When the encryption keyword transmitted from the data processing device is received by the server device, the encryption data corresponding to the encryption keyword is retrieved from the storage device, and the retrieved encryption data is used as a retrieval result to retrieve the data. A fourth step of transmitting to the processing device;
A fifth step of decrypting the encrypted data in a procedure reverse to the encryption in the first step when the encrypted data transmitted from the server device is received by the data processing device as the search result; Data management method provided.

Images