JP5422300B2 - Graphic data encryption / decryption device and graphic data browsing system - Google Patents

Description

  The present invention relates to a graphic data encryption / decryption device, and more particularly to a graphic data encryption / decryption technique requiring disclosure restriction.

  Drawings such as design drawings include detailed information about products. Therefore, it is necessary to appropriately limit the disclosure destination of the shape and description of components described in the drawings. In addition, geographic information distribution systems that distribute various information in combination with maps are used, but these map data are not generally disclosed, such as military bases, privately owned sites, or company factories. It contains a lot of information that is desirable.

  As a method for hiding the shape of the drawing, for example, a method disclosed in Patent Document 1 is known. Patent Document 1 discloses a method for generating a new part corresponding to the shape of a concealed part (referred to as a concealed part shape model in Patent Document 1) and storing information on the concealed part in association with the concealed part shape model. Is disclosed. Patent Document 2 discloses a method for preparing and distributing map data individually encrypted for each distribution destination with respect to map data.

JP 2007-179419 A JP 2005-121719 A

  In the concealing method of the drawing disclosed in Patent Document 1, it is possible to conceal the drawing in units of parts. However, when the concealed part is restored, it is necessary to specify the concealed part shape model used for restoration. For example, in map data, data relating to a large amount of features is often managed. Therefore, in response to a search request specifying a facility or a position from the user, it is desirable to return only the map data of a portion necessary for the user as a search result, for example, for display.

  Further, in the case where encrypted data is prepared for each user individually as in the method disclosed in Patent Document 2, a search process must be executed after decrypting all of the encrypted data. , The response performance of the search process is degraded. Therefore, if the graphic data includes graphic data that should be restricted to disclosure, and the graphic data is encrypted and protected, the necessary graphic data and related encrypted data are requested in response to a request from the user. It is desirable to send only.

  In order to solve the above problem, the encryption device generates a new figure (hereinafter referred to as a sanitized area) for an area that is not disclosed except for a specific user, adds it to the figure data, and an area that is not disclosed. Is stored in association with the sanitized area, and a replacement or deletion process is added to the figure in the area not disclosed. Further, when the input graphic data includes a sanitized area, the decrypting device decrypts the encrypted data corresponding to the sanitized area and restores the graphic data. Furthermore, the graphic data browsing system includes such an encryption device and a decryption device.

  A specific aspect of the encryption device is that a storage device stores encrypted graphic data having a graphic data part for storing graphic data and an encrypted data part, and an encryption key corresponding to a user who views the graphic data An encryption definition information generation unit that generates encryption definition information that defines encryption target data included in the graphic data, a sanitized region that associates the encryption target data, and a user as a disclosure destination of the encryption target data; In addition, the sanitized area is added to the data part, the data to be encrypted is encrypted using the encryption key corresponding to the user defined as the disclosure destination, and the encrypted data encrypted in the encrypted data part is sanitized. An encryption processing unit is provided that stores the data in association with the region and applies processing to the data to be encrypted included in the graphic data unit.

  A specific mode of the decryption device is to input a storage device that stores a decryption key corresponding to a user who browses graphic data, and an encrypted graphic data having a graphic data portion and an encrypted data portion for storing graphic data In addition, when the sanitized area is in the graphic data portion, the decrypting unit acquires the encrypted data corresponding to the sanitized area and decrypts the encrypted data using the decryption key.

  According to the present invention, it is possible to encrypt figure data that should restrict the disclosure destination included in the figure data in a state that cannot be disclosed to other than the defined specific disclosure destination, and to decrypt the figure data at the specific disclosure destination, It is possible to control so that graphic data whose disclosure is restricted cannot be restored except by the disclosure destination.

It is a block diagram of the map data browsing system in Example 1. It is a block diagram of each apparatus in a map data browsing system. It is a processing sequence performed before distributing the map data in Example 1. FIG. It is a processing sequence of the map data browsing in Example 1. FIG. It is a figure showing the outline of the map data before and behind encryption. It is a figure showing the outline of the display image of the map data before and behind encryption. It is a figure which shows an example of the data structure of encryption definition information. It is a process flowchart of an encryption process part. It is a figure showing an example of the screen image which sets encryption definition information. It is a processing flowchart of a decoding. It is a block diagram of the map data browsing system in Example 2. It is a processing sequence performed before distributing the map data in Example 2. FIG. It is a processing sequence of map data browsing in Example 2.

  As an embodiment of the present invention, a new figure (hereinafter referred to as a sanitized area) corresponding to an area that is not disclosed except for a specific user is added to the figure data, and the encrypted data of the figure in the area that is not disclosed is sanitized. A description will be given of an encryption apparatus that stores and associates with a region, and adds a replacement or deletion process to a graphic of a region that is not disclosed. Also, a description will be given of a decryption device that restores graphic data by decoding encrypted data corresponding to the sanitized area when the input graphic data includes a sanitized area. Further, a graphic data browsing system including such an encryption device and a decryption device will be described.

  (1) A storage device for storing encrypted graphic data having a graphic data part for storing graphic data and an encrypted data part, and an encryption key corresponding to a user who views the graphic data; 2) Encryption definition information generation unit that generates encryption definition information that defines encryption target data included in graphic data, a sanitization area that associates the encryption target data, and a user as a disclosure destination of the encryption target data And (3) Add the sanitized area to the data part, encrypt the data to be encrypted using the encryption key corresponding to the user defined as the disclosure destination, and encrypt the encrypted data part It has an encryption processing unit that stores data in association with the sanitized region and applies processing to the data to be encrypted included in the graphic data unit. Note that, as in the embodiments described later, the encryption of the data to be encrypted and the processing on the data to be encrypted may be processed in reverse order by copying the graphic data.

  The decryption device includes: (1) a storage device that stores a decryption key corresponding to a user who browses graphic data; and (2) encrypted graphic data having a graphic data portion and an encrypted data portion for storing graphic data. When there is an input and the sanitized area is in the graphic data part, the encrypted data corresponding to the sanitized area is acquired, and the decrypting part decrypts the encrypted data using the decryption key.

  This embodiment will be described using indoor map data (plan view data in architectural drawings) as an example of graphic data. Indoor map data is an example of graphic data that contains privacy-related information such as a company building or a room for personal use, and contains a lot of information that should be controlled for disclosure / non-disclosure according to the browsing user. In the following, description will be made using indoor map data. However, the graphic data that is the target of this embodiment is not limited to indoor map data, but general map data such as outdoors, or design drawings, etc. Other graphic data may be used. Hereinafter, this embodiment will be described as the map data browsing system of Example 1 and Example 2.

  FIG. 1 is a configuration diagram of a map data browsing system in the present embodiment. In the map data browsing system, a map encryption apparatus 101, a map storage apparatus 102, a key management apparatus 103, a map browsing apparatus 105, and a map distribution apparatus 104 are connected via a network 100. In FIG. 1, the dotted line represents the flow of data.

  The map encryption apparatus 101 includes an encryption definition information generation unit 110 and an encryption processing unit 111. The encryption definition information generation unit 110 generates encryption definition information 121 from the plaintext map data 120. The encryption processing unit 111 generates encrypted map data 124 from the encryption definition information 121, the plaintext map data 120, and the encryption key 122.

  The map storage device 102 has a database processing unit 112 and stores encrypted map data 124. The database processing unit 112 uses, for example, an SQL (Structured Query Language) sentence or an API (Application Program Interface) of a GIS (Geographical Information System) product to search, register, delete, and change the encrypted map data 124. Perform a series of processing related to the database.

  The map data distribution device 104 includes a query processing unit 117. The query processing unit 117 receives a request (query) from the query request unit 115 in the map browsing device 105, analyzes the query, and uses the database processing unit 112 in the map storage device 102 to send to the map browsing device 105. Create map data for display to reply.

  The map browsing apparatus 105 includes a query request unit 115, a decryption processing unit 116, and a display processing unit 118. The query request unit 115 transmits a query such as a search for map data to the map distribution device 104, and receives display map data returned from the map distribution device 104. The decryption processing unit 116 performs decryption processing on the received display map data using the decryption key 123, and further generates a display image such as a map image image from the decrypted display map data. The display processing unit 118 displays the generated display image on the display device 204 (FIG. 2) of the map browsing device 105.

  The key management apparatus 103 has a key generation unit 113. The key generation unit 113 generates a decryption key 123 corresponding to the encryption key 122 used for encryption. The encryption key 122 and the decryption key 123 generated by the key management apparatus 103 may be a public key and a secret key in a public key encryption technique such as RSA, or in a common key encryption technique such as AES (Advanced Encryption Standard). It may be a shared key.

  In addition, since the secret key in the public key encryption technology and the shared key in the common key encryption technology are used for decryption that restricts the disclosure destination, an external storage medium is used for sending to the map encryption device 101 and the map browsing device 105. It is desirable to use direct transmission or transmission using encrypted communication. The secret key and the shared key are preferably stored in a tamper-resistant device such as an IC card or HSM (Hardware Security Module). On the other hand, since the public key in the public key encryption technology is information that can be disclosed, a general communication path may be used by HTTP (Hyper Text Transfer Protocol) or the like for sending to the map encryption apparatus 101. However, it is desirable that the key management apparatus 103 issues a public key certificate and uses the public key certificate to confirm that the public key used in the map encryption apparatus 101 has no errors or tampering.

  In FIG. 1, the key generation is performed in the key management apparatus 103, but it may be different. For example, the map browsing device 105 may generate the encryption key 122 and the decryption key 123 and send the generated encryption key 122 to the map encryption device 101. At this time, when using public key encryption technology, it is desirable that the key management apparatus 103 issues a public key certificate to the public key (encryption key 122) generated by the map browsing apparatus 105.

  In generating the encryption key 122 and the decryption key 123, for example, ASN. 1 (Abstract Syntax Notation One), XML (eXtensible Markup Language), and other formats can be used to uniquely identify the user, such as the name and user ID of the user who uses the encryption key 122 and the decryption key 123 The identifier may be written in the encryption key 122 and the decryption key 123 so that the identifier can be referred to when the key is used in the map encryption device 101 and used as information for specifying the encryption key 122 and the decryption key 123. Good. Note that the above identifier is not an identifier that can uniquely identify the user, but may be an identifier for the key itself.

  In the following, the case where the encryption key 122 and the decryption key 123 are assigned to each user will be described as an example. For example, the same key is assigned to one or more users on the basis of authority, job title, affiliation, etc. You may do it.

  FIG. 2 is a configuration diagram of each device in the map data browsing system of FIG. As shown in FIG. 2, each device in the map data browsing system includes a CPU (Central Processor Unit) 201, a RAM (Random Access Memory) 202, an input device 203, a display device 204, a communication device 205, a reading device 206, and The computer is configured as a general computer (electronic computer) to which the external storage device 207 is connected.

  The input device 203 is a keyboard or a mouse. The display device 204 is a display for display. The external storage device 207 is an HDD (Hard Disk Drive) or the like. A communication device 205 is a communication interface for communicating with other devices via the network 100. The reading device 206 is a device for reading or writing data from an external storage medium 208 such as an FD (Flexible Disk), a USB (Universal Serial Bus) memory, or a CD-R (Compact Disk Recordable). . The CPU 201 implements each processing unit (such as the encryption processing unit 111) illustrated in FIG. 1 as a process by executing a program loaded on the RAM 202.

  3 and 4 are outlines of the processing sequence of the map data browsing system. FIG. 3 is a processing sequence performed before distributing map data to the map browsing device 105 in the processing sequence of the map data browsing system. The key generation by the key management device 103 and the map encryption device 101 of the generated key are performed. And a processing sequence from sending to the map browsing device 105, encryption of the plaintext map data 120 in the map encryption device 101, and storage of the encrypted encrypted map data 124 in the map storage device 102. The sequence is shown below.

  The key generation unit 113 of the key management apparatus 103 generates the encryption key 122 and the decryption key 123 (S301). The decryption key 123 generated by the key management apparatus 103 is sent to the map browsing apparatus 105 (S302). The map browsing device 105 receives and stores the decryption key 123 (S303). The encryption key 122 generated by the key management apparatus 103 is sent to the map encryption apparatus 101 (S304). The map encryption apparatus 101 receives and stores the encryption key 122 (S305). The encryption definition information generation unit 110 in the map encryption apparatus 101 generates encryption definition information 121 using the plaintext map data 120 (S306). The encryption processing unit 111 in the map encryption device 101 generates the encrypted map data 124 using the encryption definition information 121, the plaintext map data 120, and the encryption key 122, and sends it to the map storage device 102 ( S307). The map storage device 102 receives and stores the encrypted map data 124 (S308).

  In the above processing sequence, key generation is performed by the key management device 103. As described above, the encryption key 122 and the decryption key 123 are generated not by the key management device 103 but by the map browsing device 105. May be sent to the map encryption apparatus 101. In this case, the generation of the encryption key and the decryption key in step 301 is performed in the map browsing device 105, and the decryption key in step 302 is sent from the map browsing device 105 to the key management device 103. Will be sent.

  When the same set of encryption key 122 and decryption key 123 is assigned to a plurality of users, in step 302, the decryption key 123 is sent to all map browsing devices 105 corresponding to the plurality of users. Do. When assigning different sets of encryption key 122 and decryption key 123 to a plurality of different users, step 301 is executed for each user to generate encryption key 122 and decryption key 123 for each user, By executing Step 302 and Step 303, the encryption key 122 and the decryption key 123 are sent. In the above process, a set of a plurality of encryption keys 122 and decryption keys 123 may be assigned to the same user.

  FIG. 4 shows a processing sequence in the map data browsing system from transmission of map data for display from the map distribution device 104 to the map browsing device 105 until display on the map browsing device 105. In this processing sequence, a map browsing request (query) is sent from the map browsing device 105, a query is analyzed by the map distribution device 104, a search is performed using the map storage device 102, and is sent to the map browsing device 105. Decoding and display processing are performed in the map browsing device 105.

  The query request unit 115 in the map browsing device 105 sends a map browsing request (query) to the map distribution device 104 (S401). The query processing unit 117 in the map distribution device 104 analyzes the query from the map browsing device 105, and sends a search request corresponding to the analysis result to the map storage device 102 (S402). The database processing unit 112 in the map storage device 102 receives the search request, executes the search processing for the encrypted map data 124, and returns the search result to the map distribution device 104 (S403). The query processing unit 117 in the map distribution device 104 generates display map data as a response to the map browsing device 105 from the returned search result, and sends it to the map browsing device 105 (S404). The map browsing device 105 receives the display map data as a response to the query (S405). The decryption processing unit 116 in the map browsing apparatus 105 executes decryption processing using the encrypted display map data and the decryption key 123, and creates a map display image (S406). The display processing unit 118 in the map browsing device 105 displays the display image on the display device 204 (S407).

  Prior to the distribution request from the map browsing apparatus 105 to the map distribution apparatus 104 in step 401, the map distribution apparatus 104 desirably performs user authentication. For this purpose, a device ID (MAC address (Media Access Control Address), etc.) unique to the map browsing device 105 is used in the map distribution device 104, and authentication information is received from the map browsing device 105 and authenticated. That's fine. Alternatively, the user who uses the map browsing device 105 may be requested to input ID / PW (Pass Word), and authentication may be performed using the ID / PW (Pass Word), or authentication using an encryption technology such as SSL (Secure Sockets Layer). Or authentication using biometric information may be used.

  In the map browsing request (query) to the map distribution device 104 by the query request unit 115 of the map browsing device 105 in the above step 401, position information such as latitude, longitude, or height designated by the user, or Includes keywords such as place names and facility names. In the case of a map browsing request including position information, a user's current position may be acquired using a positioning device such as GPS, and the acquired current position may be used as position information.

  In the analysis of the query in the map distribution device 104 in step 402, the query processing unit 117 may send the query from the map browsing device 105 to the map storage device 102 as it is, or analyze the query and use the result. A query to the map storage device 102 may be modified from the map browsing device 105, or a new query may be generated.

  In the generation of display map data in step 404, the query processing unit 117 may send the search result from the map storage device 102 to the map browsing device 105 as it is, or the query processing unit 117 in the map distribution device 104. You may send it after processing.

  In the process of receiving a query from the map browsing device 105 in the map distribution device 104 in steps 402 to 404 and responding to the query to the map browsing device 105, the map distribution device 104 interactively processes with the map storage device 102. May be performed. That is, the map distribution device 104 may request the map storage device 102 again according to the search result from the map storage device 102 in step 403.

  The generation of the encryption definition information 121 and the encryption processing of the plaintext map data 120 in Step 306 and Step 307 of FIG. 3 will be described. Prior to these descriptions, changes in map data before and after encryption will be described.

  FIG. 5 is a schematic diagram showing how map data changes before and after encryption processing. FIG. 6 shows a display image of the map data shown in FIG. Accordingly, the same reference numerals are used for the same components in FIGS. As described above, in this embodiment, description will be made using the indoor map data shown in FIGS. 5 and 6. However, the map data to be encrypted is not limited to indoor map data, but is generally used outdoors. It can be applied to other map data such as typical map data or drawings.

  In general, map data is shape data (geometry) that represents the shape of a feature, attributes that represent features other than the shape, such as the name and description of the feature, and connection relationships between features (consisting of nodes and edges). Network data). FIG. 5 is an example in which these map data are simplified using the connection relationship between features and expressed using a table.

  Although FIG. 5 represents map data using a table, it is not limited to this. For example, in GIS (Geographic Information System), for example, a feature (referred to as an object or a feature) is used as a minimum unit, and a feature having the same property or a plurality of features existing at a specific location is defined as a container. In some cases, containers are arranged in units called maps, arranged according to the map structure (building structure, etc.), and expressed and managed using a tree structure. Even in such a case, it can be similarly applied by treating each row in the table of FIG. 5 as the above feature.

  As shown in FIG. 6, in the example shown here, in the floor plan of the building composed of a passage, stairs, conference room, etc., in the area consisting of the passage 2, the work area, and the reading room (hereinafter referred to as the project area). FIG. 5 shows a change in data before and after encryption (FIG. 5) and a change in display image (FIG. 6) in the case of encrypting the feature of FIG. The plaintext map data 120 in FIG. 5 is a diagram showing a part of the features (viewing room, passage 2, document storage) extracted from the indoor map shown in FIG. It is.

  When restricting the disclosure destination of the project area (the area composed of the reading room, the work area, and the passage 2) in the display image of the plaintext map data 120 illustrated in FIG. 6, the encryption definition information generation unit 110 restricts the disclosure destination. Target data (that is, data to be encrypted; hereinafter referred to as encryption target data) and a disclosure destination are set, and encryption definition information 121 is generated. Next, the encryption processing unit 111 generates encrypted map data 124 from the generated encryption definition information 121, the plaintext map data 120, and the encryption key 122. The data structure of the encryption definition information 121, the processing by the encryption processing unit 111 using the encryption definition information 121, and the setting method of the encryption definition information 121 will be described with reference to FIGS. To do.

  As shown in FIG. 5, the encrypted map data (encrypted map data 124) is composed of two parts, a map data part 124A and an encrypted data part 124B. Here, the map data unit 124A stores the map data itself, and the encrypted data unit 124B stores the encryption result (encrypted data) of the data to be encrypted.

  Compared with the plaintext map data 120, the map data portion 124A in the encrypted map data 124 is added with a row 520 (hereinafter referred to as a sanitized region 520) having an ID of 901 and a type of sanitized region. The geometry and name to be encrypted are substituted with NULL as the encrypted data. Further, these encrypted data are stored in the encrypted data portion 124B in combination with reference information (901, which is the value of the ID column in the map data portion 124A in FIG. 5) of the newly created sanitized region 520. Is done.

  The encrypted data stored in the encrypted data unit 124B is, for example, ASN. One or more encryption target data (for example, the geometry and name to be encrypted) associated with one sanitized area (for example, sanitized area 520) using a data format such as 1 or XML The result of encryption may be divided and shaped using tags, and stored in the encrypted data part 124B. In addition, in order to facilitate the decryption, for example, data including reference information to the decryption key 123 capable of decrypting the encrypted data or a list of users capable of decryption is generated together with the encrypted data. May be.

  In FIG. 5, NULL is substituted as the encrypted data, but in an actual database system, NULL may not be substituted due to design limitations. In this case, a value other than NULL may be substituted for the encrypted data. For example, as the encryption data of the geometry, random geometry data or the same geometry data as the sanitized area may be embedded. For attributes such as names, a blank character string may be substituted or “name unknown” may be stored. Further, in cases other than the character string type (for example, integer type), a meaningless value or numerical data indicating that it is encrypted may be similarly defined and substituted.

  FIG. 7 shows an example in which the data structure of the encryption definition information 121 is expressed using the XML format. Note that the description content of the encryption definition information 121 in FIG. 7 is data representing the encryption definition information 121 in FIGS. 5 and 6. As shown in FIG. 7, the encryption definition information 121 is composed of sanitized area elements, and data to be encrypted and disclosure destination setting information are described in the sanitized elements. In the target feature element which is a child element in the sanitizing region element, the ID of the target feature (see FIG. 5) is described in the ID attribute, the target feature is specified, and the encryption in the feature is further performed. Target data (geometry, name, etc.) to be described is described in the target attribute in the target data element. Further, the disclosure destination list describes a user who decrypts the encryption target data encrypted after the encryption process (in other words, owns the decryption key 123 for decrypting the target data described here).

  In addition, although the example represented using XML as the encryption definition information 121 was shown in FIG. 7, it may differ from this. For example, the encryption definition information 121 may be expressed by separately defining tag information using a data format such as ASN.1. In addition, even when the data structure is defined using XML, it may be different from each element described in FIG. 7. If the XML data has the same meaning, the data format is not limited to that shown in FIG. Also good.

  FIG. 8 shows a process flowchart of the encryption processing unit 111 that generates the encrypted map data 124 from the encryption definition information 121, the plaintext map data 120, and the encryption key 122.

  The plaintext map data 120 is copied to the map data portion 124A of the encrypted map data 124 (S801). The encryption definition information 121 is read, and if there is a sanitized region element, the process proceeds to step 803, and if not, the process ends (S802). A sanitized region is generated with reference to the geometry element in the sanitized region element and added to the encrypted map data 124 (S803). If there is a target feature element, the process proceeds to step 805, and if not, the process proceeds to step 807 (S804). The ID attribute in the target feature element is read, and the target feature to be encrypted is specified from the plaintext map data 120. Further, by referring to the target attribute in the target data element, the data to be encrypted (encryption target data) is acquired and replaced with NULL (S805). With reference to the disclosure destination element in the disclosure destination list element, the corresponding encryption key 122 is acquired, and the encryption target data acquired in step 805 is encrypted (S806). The encryption result is shaped and written into the encrypted data part 124B, and the process proceeds to step 802 (S807).

  The copy in step 801 means that the plaintext map data 120 is retained. When it is not necessary to hold the plaintext map data 120, after executing the encryption in step 806, the replacement process in NULL in step 805 is executed.

  When the encryption processing unit 111 illustrated in FIG. 8 uses the encryption definition information 121 illustrated in FIG. 7, for example, the encryption definition information 121 illustrated in FIG. 7 is converted into the SAX (Simple API for XML) of XML. It can be executed by reading sequentially from the beginning. Hereinafter, the encryption processing unit 111 illustrated in FIG. 8 will be described using the encryption definition information 121 illustrated in FIG. 7, but the encryption definition information 121 may not be the one illustrated in FIG. 7. .

  In the processing from step 804 to step 806, the encryption processing unit 111 sequentially reads the target feature element 804 in the sanitized region element from the encryption definition information 121, acquires the encryption target data, and performs encryption. . Here, when a plurality of disclosure destinations are described in the disclosure destination list, the data to be encrypted is encrypted separately using the encryption keys 122 corresponding to the plurality of disclosure destinations described. The encrypted data stored in the encrypted data portion 124B in the encrypted map data 124 is obtained by adding an encrypted data element for each disclosure destination element in the encryption definition information 121 described in FIG. The converted result is encoded by BASE64 and stored. The encrypted data stored in the encrypted data unit 124B is not limited to this, but XML, ASN. 1 may be used to separately define a data format different from that in FIG. For example, a format such as GXML (Geography XML) that manages map data using XML is used, and encrypted data is managed by applying these tag information.

  In the encryption processing unit 111, each encryption target data is encrypted separately for each disclosure destination, but the encryption processing (S806) may be performed as follows.

  First, a random shared key (hereinafter referred to as a session key) in the common key encryption technique is generated separately for each data to be encrypted. Next, the session key generated separately for each data to be encrypted is encrypted as follows. First, all the disclosure destination elements described in the sanitizing region element are acquired, and the following processing is performed for each disclosure destination. If there is a disclosure destination that matches the disclosure destination that is currently processing in the disclosure destination element in each target data element, the session key used when encrypting the target data is obtained, and this is used as the session key encryption. Add to the conversion list. In other words, the session key encryption list includes session keys corresponding to each of a plurality of pieces of encryption target data related to one disclosure destination. After performing the above processing on all target data, the session keys described in the session key encryption list are aggregated (for example, concatenated) and encrypted using the encryption key 122 corresponding to the disclosure destination Process. The same processing is repeated for all disclosure destinations. In the encryption using the encryption key 122 of the above session key encryption list, the hash value of the encrypted data or the MAC (Message Authentication Code) is included in the session key encryption list to guarantee the integrity of the encrypted data at the time of decryption. ) Etc. may be included. The above encryption processing is called selective disclosure type encryption, and is disclosed in Japanese Unexamined Patent Application Publication No. 2009-49731.

  FIG. 9 shows an example of a setting GUI (Graphic User Interface) for generating the encryption definition information 121. As shown in FIG. 9, this GUI has a map display area 906 and a setting area 907. A file menu 902, a database menu 903, and a key reading menu 904 at the top of the GUI represent operation menus. When each menu is selected by the user, the following processing is executed.

  File menu 902: Reading the created encryption definition information 121 or saving the encryption definition information 121 being created.

  Database menu 903: The plaintext map data 120 is read from the database storing the plaintext map data 120, and the storage location of the encrypted map data 124 is designated. Also, the disclosure destination is set, the encryption definition information 121 is generated, and the encryption processing unit 111 is executed.

  Key read menu 904: Reads the encryption key 122 necessary for setting the encryption definition information 121.

  In the above description, it is assumed that the database menu 903 is provided as the menu, and the plaintext map data 120 and the encrypted map data 124 are on the database system. It does not have to be on the database system, and may exist as a file in a format such as CSV (Comma Separated Values).

  In the map display area 906, the result of drawing the plain text map data 120 is displayed, and the sanitizing area 520 is designated according to the input from the input device 203 such as a mouse. In the specification, a rectangular area such as the selection area 901 may be used as the sanitizing area 520 or a polygon or a circle may be used as the sanitizing area as indicated by a dotted line in FIG. It may be used as 520. Alternatively, a feature to be disclosed may be selected using a mouse, and a sanitized region 520 may be created based on the geometry data of the selected feature, or a plurality of features may be selected using a mouse. A region where these are connected or a region including all of the plurality of selected features may be newly created and used as the sanitizing region 520.

  In the following, the operation of the GUI illustrated in FIG. 9 will be described by taking as an example the case where the selection area 901 shown in FIG. 9 is set as a new sanitizing area 520 and this is set as area Y.

  When the selection area 901 in FIG. 9 is designated as the sanitizing area 520, a new item (area Y in FIG. 9) is registered in the non-disclosure area item in the setting area. In addition, a list of features included in area Y is displayed in a list of target feature list items (here, passage 2, reading room, work area, lock doors B and C, document storage). Here, the item to be displayed in the target feature list item may be a feature that is completely included in the sanitized region 520, or a feature that includes a part or a center point of the feature. But you can. In addition, when displaying a feature partially including the sanitizing region 520 and a feature including the center point, the sanitizing region 520 is changed to a different one by changing the display color or the font. The user may be made aware of the feature containing the part.

  Next, when the feature for which the disclosure destination is set is selected from the target feature list using the input device 203 such as a mouse (a work area is selected by an arrow in FIG. 9), the feature selected in the target attribute item All attributes in the object are displayed. At this time, the display color of the corresponding feature in the map display area 906 is changed or the boundary line is thickened to clearly indicate which feature on the map the selected feature is. May be.

  Next, an attribute is selected from the target attribute items (room name in FIG. 9), a user designated as a disclosure destination is selected from the disclosure destination items, and a disclosure destination setting button 905 is selected, thereby disclosing one item. The previous setting is completed. Hereinafter, by repeating the above processing, various settings can be made for the features and attributes in one sanitized region 520. Further, by creating a plurality of selection areas 901, a plurality of sanitized areas 520 can be generated, and one or more sanitized areas 520 can be created in the map data.

  In FIG. 9, when all feature encryption is selected, in step 805 of the encryption processing unit 111 shown in FIG. , NULL replacement) may be as follows. Get all attributes such as geometry and attributes within a feature. Next, instead of data replacement, the target feature (corresponding line in the map data portion 124A) is deleted from the map data portion 124A of the encrypted map data 124. By doing so, it is possible to hide the feature itself. Even when the deletion process is performed in this manner, the deleted feature can be restored by the decoding processing unit 116 shown in FIG.

  Next, decryption processing of the encrypted map data 124 generated as described above will be described.

  As shown in FIG. 4, the map distribution device 104 acquires display map data to the database processing unit 112 in accordance with a query request from the query request unit 115 in the map browsing device 105. At this time, the query processing unit 117 uses the database processing unit 112 to acquire the map data from the map data unit 124A for the query request from the query request unit 115. At this time, if the sanitized area 520 is included in the acquired map data, the ID information of the sanitized area 520 is acquired, and the encrypted data is acquired from the encrypted data unit 124B using this as search information. To do. At this time, if the search request from the query request unit 115 is position information in the above processing and the map display image displayed by the map browsing device 105 is smaller than the sanitized area 520, the query request unit If the search request from 115 is delivered to the database processing unit 112 as it is, the response from the database processing unit 112 may not include the sanitized region 520. In this case, for example, in response to the search request from the query request unit 115, the query reception unit 117 corrects the query so as to return all the features including the search request, and performs a search to the database processing unit 112. May be.

  In the above processing, in the encrypted map data 124 shown in FIG. 5, the ID number of the map data portion 124A is described in the ID column of the encrypted data portion 124B, and this is used as search information from the encrypted data portion 124B. Encrypted data can be acquired, but may be as follows. In the replacement processing of the data to be encrypted in step 805 of the encryption processing unit 111, when the geometry is replaced with the geometry data of the sanitized region 520 instead of NULL, the following may be performed.

  First, in step 805 of the encryption processing unit 111, if the data to be encrypted is a geometry, the data is replaced with the geometry data of the sanitized region 520. Next, in step 806, each feature is individually encrypted and embedded in the encrypted data portion 124B, and the ID of the corresponding feature is embedded in the ID of the encrypted data portion 124B. Alternatively, an ID for uniquely identifying the encrypted data is individually stored in the ID of the encrypted data portion 124B, and the ID is described in the encryption information string of the map data portion 124A. The corresponding encrypted data can be referred to from the encrypted information string.

  At the time of decryption, when the sanitized region 520 is included in the acquired display map data, the encrypted data having the same ID in the encrypted data portion 124B is obtained from the ID of the feature having the same geometry data as the sanitized region. To get. Alternatively, the encrypted data is acquired from the encrypted data unit 124B using the information in the encrypted information.

  Encrypted data necessary for decryption may be acquired from the encrypted data unit 124B by performing the above processing.

  In the map storage device 102 or the map distribution device 104, in addition to the encrypted map data 124, a keyword list including IDs corresponding to attributes such as names may be stored. By using the keyword list, it is possible to cope with the search by using the keyword in the keyword list even when the keyword is used for the encrypted attribute, such as the document storage in FIG. Become. In addition, the name stored in the keyword list is, for example, by generating a hash value by using a cryptographic hash function such as SHA-1, and storing the hash value, so that the keyword can be directly identified from the keyword list. It is desirable not to do so. In this case, it is desirable to limit the keywords that can be used according to the result of user authentication of the map distribution device 105.

  Alternatively, a keyword list may be created for each user, and encryption may be performed for each keyword using the encryption key 122 of the user. In this case, the query from the user may be encrypted using the encryption key, and the search may be performed in the encrypted state. When performing keyword search in an encrypted state, the encryption used for encrypting the keyword list is not a stochastic encryption method such as RSA-OAEP (Optimal Asymmetric Encryption Padding) but a deterministic encryption method. Need to be. Note that the processing of the encryption processing unit 111 shown in FIG. 8 is desirably a stochastic encryption method from the viewpoint of security.

  In the above description, the map distribution device 104 performs the process of acquiring encrypted data from the encrypted data unit 124B. However, the above processing is performed by the database processing unit 112 in the map storage device 102. Also good.

  FIG. 10 is a diagram showing a decoding process flowchart in the map browsing apparatus 105 in step 406 of FIG. The display map data sent from the map distribution device 104 is data obtained by extracting a part of the encrypted map data 124 shown in FIG. Accordingly, the display map data may have the same data structure as that of the encrypted map data 124 of FIG. 5, but for example, XML or other data formats are used such as GXML for the data representation of the map data portion 124A. The data structure may be individually defined for the display map data 124. In the following description, it is assumed that the display map data has the same data structure as FIG.

  Display map data is read (S1001). If the sanitized area exists in the display map data, the process proceeds to step 1003, and if not, the process ends (S1002). Encrypted data corresponding to the sanitized area 520 is acquired from the encrypted data portion 124B in the display map data (S1003). The encrypted data acquired in step 1003 is decrypted with the decryption key 123 (S1004). If the decoding is successful, the process proceeds to step 1006. If the decoding is unsuccessful, the process proceeds to step 1002 (S1005). The feature is restored from the decoding result (S1006). The sanitized area is deleted, and the process proceeds to step 1002.

  The above-described decryption processing in steps 1004 and 1005 and the determination of success / failure of the decryption are based on the reference information of the decryption key 123 that can decrypt the encrypted data in the encrypted data (for example, the ID of the user who owns the decryption key 123, etc. And the reference information of the decryption key 123 used for decryption is included in the encrypted data to be decrypted. Alternatively, an encryption algorithm such as RSA-OAEP may be used, and the determination may be made using the success / failure of decryption obtained from the decryption result. Alternatively, MAC (Message Authentication Code) or the like may be assigned to each encrypted data in advance at the time of encryption, MAC verification processing may be performed at the time of decryption, and determination may be made using the verification success / failure obtained from the verification result. . In the above determination of success / failure of decoding, the decoding process itself may be terminated and decoding failure may be output in the following cases. For example, when determining the success / failure of the decryption using the reference information of the decryption key 123, the encrypted data can be decrypted from the reference information by the decryption key 123 given to the decryption process. If the decryption result in step 1004 of the encrypted data is unsuccessful, the decryption failure is output as the reference information and the decryption result in step 1004 contradict each other, and the decryption process itself in FIG. May be.

  Further, in step 1007, the sanitizing area 520 is deleted, but the sanitizing area 520 may not be deleted. In this case, in the creation of the display image after the decoding process is completed, the restored feature can be displayed by overwriting the decoding result on the sanitized area. Further, even if there is a feature that has partially failed in decoding of the geometry in steps 1004 and 1005, the region corresponding to the corresponding feature can be displayed on the display image without making it a blank region. . Note that when the feature geometry or the feature itself is encrypted, the sanitized area 520 may not be displayed but may be displayed as if there was no feature from the beginning.

  In step 1004 of the decryption process, the obtained encrypted data is decrypted with the decryption key 123. In the process of step 806 of the encryption process, the encryption target data is encrypted using the encryption key 122 corresponding to the disclosure destination in the disclosure destination list element. Therefore, in the decryption of the encrypted data in step 1004 of the decryption process, if the encryption key 122 corresponding to the given decryption key 123 is included in the disclosure destination of the decryption target encryption target data, the encryption key 122 The decrypted data can be decoded. On the other hand, if the data to be encrypted is not included in the disclosure destination, the encrypted data cannot be decrypted. The above processing is performed on each encryption target data for each sanitized area. Therefore, the decryption process shown in FIG. 8 outputs a different decryption result for each given decryption key 123 (that is, a user who owns the decryption key), and outputs a display image having a different disclosure range for each user. Is possible. That is, by specifying a disclosure destination (encryption key 122) for each data to be encrypted at the time of encryption, it becomes possible to control information disclosed to a user who possesses the corresponding decryption key 123.

  In the above, when a plurality of decryption keys 123 are stored in the map browsing device 105, the decryption process in the above step 1004 is performed on all the stored decryption keys 123.

  In the above description, the map distribution device 104 generates display map data including encrypted data in response to a map browsing request from the map browsing device 105 and returns it to the map browsing device 105. It is not necessary to include encrypted data in the data. In that case, the acquisition of the encrypted data in step 1003 is not from the map data for display, but requests the map distribution device 104 to acquire the encrypted data, and the map browsing device 105 transmits the encrypted data corresponding to the map distribution device 104. Reply to

  Further, in the map data illustrated in FIGS. 5 and 6 above, an example in which only attributes such as a map geometry (shape) and a name are encrypted is shown. On the other hand, it is possible to perform encryption and decryption by performing the same processing as described above, and this makes it possible to cope with functions for map data such as route search and guidance.

  In the map data browsing system in the first embodiment shown in FIG. 1, the decoding process is executed by the map browsing device 105. However, for example, when the map browsing device 105 does not have sufficient processing performance, such as a mobile phone, a decoding process is executed on the map browsing device 105 to create a drawing image of map data and display it on the screen. Problems such as taking a long time to display occur.

  In FIG. 11, in order to solve the above problem, the decoding process and the drawing process of the map data are performed by the map decoding apparatus 107, and the map browsing apparatus 105 is modified to display only the received drawing image. It is a block diagram which shows the outline of the map data browsing system of a present Example. Since the encryption and decryption processes are the same as those in the first embodiment, differences from the first embodiment will be described below.

  11, the key management device 103, the map storage device 102, the map encryption device 101, and the map distribution device 104 are the same as the respective devices shown in FIG. However, the key management apparatus 103 distributes the decryption key 123 not to the map browsing apparatus 105 but to the map decryption apparatus 107. Further, the query processing unit 117 in the map distribution device 104 performs transmission / reception with the map decoding device 107 as well as the map browsing device 105 and the map storage device 102.

  FIG. 12 is a process performed before distributing map data to the map browsing apparatus 105 in the map data browsing system of the present embodiment, and corresponds to the processing sequence of FIG. 3 of the first embodiment.

  The encryption key 122 and the decryption key 123 are generated (S1201). The decryption key is sent to the map decryption device 107 (S1202). The map decryption apparatus 1075 receives and stores the decryption key 123 (S1203). The encryption key 122 is sent to the map encryption apparatus 101 (S1204). The map encryption apparatus 101 receives and stores the encryption key 122 (S1205). The encryption definition information generation unit 110 in the map encryption apparatus 101 generates encryption definition information 121 using the plaintext map data 120 (S1206). Using the encryption processing unit 111 in the map encryption apparatus 101, encrypted map data is generated from the encryption definition information 121, the plaintext map data 120, and the encryption key 122, and sent to the map storage apparatus 102 (S1207). . The map storage device 102 receives and stores the encrypted map data (S1208).

  The difference between the above processing and the processing of the first embodiment shown in FIG. 3 is that the decryption key 123 is sent to the map decryption device 107 instead of the map browsing device 105.

  In the above processing, as in the first embodiment, the encryption key 122 and the decryption key 123 may use a public key or a secret key in a public key encryption technique such as RSA, or a common key encryption such as AES. A shared key in the technology may be used. Note that both the secret key in the public key encryption technology and the shared key in the common key encryption technology are used for decryption (restriction of disclosure destination), and therefore, when sent to the map encryption device 101 or the map browsing device 105 It is desirable to use direct transmission using an external storage medium or transmission using encrypted communication. On the other hand, since the public key in the public key encryption technology is information that can be disclosed, a general communication path such as HTTP may be used for sending to the map encryption apparatus 101. However, it is desirable that the key management device 103 confirms that there is no error or falsification in the public key used in the map encryption device 101 by issuing a public key certificate.

  Similarly to the first embodiment, the encryption key 122 and the decryption key 123 may be generated in the map browsing device 105 instead of the key management device 103 and sent to the map encryption device 101. .

  Next, a processing sequence from sending a query from the map browsing apparatus 105 in this embodiment to displaying a map will be described with reference to FIG.

  The query request unit 115 in the map browsing device 105 sends a map data distribution request to the map distribution device 104 (S1301). The query processing unit 117 in the map distribution device 104 analyzes the query from the map browsing device 105 and sends a search request to the map storage device 102 (S1302). The database processing unit in the map storage device 102 receives the search request, executes the search processing for the encrypted map data 124, and returns the search result to the map distribution device 104 (S1303). The query processing unit 117 in the map distribution device 104 receives the search result, generates display map data, and sends it to the map decoding device 107 (S1304). The decryption process 116 in the map decryption apparatus 107 performs the decryption process using the encrypted map data and the decryption key 123 (S1305). The map distribution device 104 receives the decoding result from the map decoding device 107 and creates a display image (S1306). The map browsing apparatus 105 receives a display image as a response to the query (S1307). The display processing unit 118 in the map browsing device 105 displays a display image using the display device 204 (S1308).

  The difference between the above processing and the processing of the first embodiment shown in FIG. 4 is that the decoding processing is performed in the map decoding processing 107. Accordingly, the decoding process (FIG. 10) described in the first embodiment is performed by the map decoding device 107 in this embodiment. In addition to the above-described decoding processing, display image generation processing such as an image from map data is also performed by the decoding processing unit 116 after the decoding processing is completed, or the display image is displayed by the query processing unit 117 in the map distribution device 104. May be generated. Thereby, since the display map data is sent to the query request unit 115 as a display image, there is no need to convert the given map data into a display image on the display processing unit 118 of the map browsing device 105. Processing can be reduced.

  Prior to the decryption process in step 1305 described above, the map decryption device 107 is desired to perform user authentication in order to identify the decryption key 123 used at the time of decryption. For this purpose, a device ID (MAC address or the like) unique to the map browsing device 105 or user-specific information (user ID, password, biometric information or the like) is stored in the map decoding device 107, and the map browsing device 105 is stored. Therefore, authentication information may be received and authenticated. For example, authentication using an encryption technique such as SSL (Secure Sockets Layer) or authentication using biometric information may be used. The above authentication processing may be performed directly from the map browsing device 105 to the map decoding device 107, or the map distribution device 104 may act instead. In order to implement this, for example, the authentication information stored in the map decoding device 107 is copied and stored in the map distribution device 104, and the map decoding device 107 uses the authentication result of the map distribution device 104. What is necessary is just to authenticate the map browsing apparatus 105. Note that the user authentication process is not limited to the above-described mode as long as a decryption key that can be used according to the user who uses the map decryption device 107 that finally transmitted the query request can be specified.

  In addition, when transmission / reception of data in the map browsing apparatus 105 and the map distribution apparatus 104 in FIG. 13 is performed on a public network such as the Internet, it is desirable to use an encrypted communication path.

  According to the embodiment described above, it is possible to encrypt the graphic data that should be restricted to the disclosure destination included in the graphic data in a state that cannot be disclosed to other than a specific disclosure destination, and decrypt the graphic data at an appropriate disclosure destination, Control can be performed so that graphic data whose disclosure is restricted cannot be restored except by a defined disclosure destination.

  100: Network 101: Map encryption device 102: Map storage device 103: Key management device 104: Map distribution device 105: Map browsing device 107: Map decryption device 110: Encryption definition information generation unit 111: Encryption processing unit, 112: Database processing unit, 113: Key generation unit, 115: Query request unit, 116: Decryption processing unit, 117: Query processing unit, 118: Display processing unit, 120: Plain text map data, 121 : Encryption definition information, 122: Encryption key, 123: Decryption key, 124: Encrypted map data, 124A: Map data part, 124B: Encrypted data part, 201: CPU, 202: RAM, 203: Input device 204: Display device, 205: Communication device, 206: Reading device, 207: External storage device, 208: External storage medium, 520: Black area, 521 Encryption target data, 901: selection area, 902: File Menu, 903: Database menu, 904: key read menu, 906: map display area, 907: setting area.

Claims (6)

Figure information in which figure shape data and figure identifiers are registered in association with each other;
An encryption that defines an identifier of the encryption target graphic and a disclosure target that is permitted to view the encryption target graphic for each encryption target graphic that is restricted from browsing among the figures included in the graphic information. Definition information,
An encryption key for each of the disclosure objects;
A storage unit that stores
Based on the encryption definition information, obtain shape data of the graphic to be encrypted and an identifier of the graphic included in the graphic information, and the shape data of the graphic to be encrypted is allowed to browse the graphic to be encrypted. using the encryption key of the disclosed subject has an encryption data generating unit for generating encrypted data in association with the identifier of the encryption target graphic,
The shape data and figure identifier of each figure included in the figure information are acquired, and the figure shape data related to the encryption target figure is deleted or replaced with other data among the acquired figure shape data. A graphic data generation unit for generating graphic data;
An encrypted graphic data generating unit that generates encrypted graphic data for the graphic information by combining the encrypted data and the graphic data;
A graphic encryption apparatus capable of restoring graphic information from the decrypted encrypted data and graphic data. The figure encryption apparatus according to claim 1,
The encrypted data generation unit further generates shape data of an integrated figure obtained by integrating the adjacent encryption target figures, and generates encrypted data using the shape data of the integrated figure. Graphic encryption device. The figure encryption device according to claim 2,
The graphic encryption apparatus further selects one of the graphics included in the graphic information and designates it as an encryption target graphic, and an input that designates one or more disclosure objects that are permitted to be browsed for the encryption target graphic And an encrypted information receiving unit for receiving
Encryption definition information related to the graphic information from the encryption target graphic received by the encryption information receiving unit, the disclosure target of the encryption target graphic, and the identifier of the encryption target graphic included in the graphic information An encryption definition information generation unit for generating
A graphic encryption apparatus comprising: Figure information in which figure shape data and figure identifiers are registered in association with each other;
An encryption that defines an identifier of the encryption target graphic and a disclosure target that is permitted to view the encryption target graphic for each encryption target graphic that is restricted from browsing among the figures included in the graphic information. Definition information,
An encryption key for each of the disclosure objects;
A storage unit that stores
A session key generation unit for generating a session key for each encryption target graphic registered in the encryption definition information for the graphic information;
Based on the encryption definition information, obtain shape data of the graphic to be encrypted and an identifier of the graphic included in the graphic information, and use the shape data of the graphic to be encrypted as a session key for the graphic to be encrypted. Encrypted data generation unit for generating encrypted data in association with the identifier of the encryption target graphic,
For each disclosure target registered in the encryption definition information for the graphic information, the session key used for encryption of the encryption target graphic that can be browsed by the disclosure target is aggregated and the encryption key of the disclosure target is used. A session key encryption unit for generating an encrypted session key encrypted with
The shape data and figure identifier of each figure included in the figure information are acquired, and the figure shape data related to the encryption target figure is deleted or replaced with other data among the acquired figure shape data. A graphic data generation unit for generating graphic data;
An encrypted graphic data generating unit that generates encrypted graphic data for the graphic information by combining the encrypted data and the graphic data;
A graphic encryption apparatus capable of restoring graphic information from the decrypted encrypted data and graphic data. A storage unit storing a decryption key used for decrypting the encrypted graphic data;
Of the graphics included in the map information, graphics shape data and graphics identifiers of graphics that are not restricted to browsing, graphics data having identifiers of encryption target graphics that are restricted to be browsed, and shape data of encryption target graphics An encrypted figure data receiving unit that receives encrypted figure data having encrypted data associated with an identifier of the figure to be encrypted, and
A decryption processing unit that decrypts the encrypted data of the received encrypted figure data using a decryption key stored in the storage unit;
If the decryption of the encrypted data is successful, based on the identifier of the graphic to be encrypted associated with the encrypted data, the shape data of the graphic to be encrypted obtained by decrypting the encrypted data is mapped applied to the data, and graphic data restoration unit for restoring the shape data of the encrypted target graphic,
A display processing unit for generating and displaying a figure shape based on the figure shape data included in the figure data;
An encrypted figure decryption apparatus characterized by comprising: A storage unit storing a decryption key used for decrypting the encrypted graphic data;
Of the figures included in the map information, the figure data and figure identifiers that are not restricted to be browsed, the figure data having the identifiers of the figure to be encrypted that are restricted to be browsed, and the shape data of the figure to be encrypted are encrypted. Encryption by associating the encrypted data associated with the identifier of the encryption target figure and the session key used for encryption of each encryption target figure that can be browsed by the browsing target for each browsing target. An encrypted graphic data receiving unit for receiving encrypted graphic data having a session key;
A session key decryption processing unit for decrypting an encrypted session key of the received encrypted figure data using a decryption key stored in the storage unit;
If the decryption of the encrypted session key is successful, a decryption processing unit that decrypts the encrypted data of the encrypted graphic data using the session key obtained by decrypting the encrypted session key;
When the decryption of the encrypted data is successful, based on the identifier of the graphic associated with the encrypted data, the shape data of the encryption target graphic obtained by decrypting the encrypted data is applied to the map data A graphic data restoration unit for restoring the shape data of the encryption target graphic;
A display processing unit for generating and displaying a figure shape based on the figure shape data included in the figure data;
An encrypted figure decryption apparatus characterized by comprising:

Images