JP6098182B2 - ID identifier generation method and ID identifier generation system - Google Patents

Description

  The present invention relates to a technical field such as a method for generating an ID identifier assigned to an individual.

  In recent years, a numbering system related to social security and tax has been studied as a basis for confirming that personal information existing in a plurality of organizations is the same information. In this system, an ID identifier (ID number) assigned to an individual is managed as a “visible number” that is paired with personal information such as a name and has visibility that can be distributed and used in related fields. Such ID identifiers are: (a) “all personality (for example, numbering for all people with a resident's card), (b) uniqueness (numbering for each person so that there is no duplication), (c) Visibility (visible number) that can be distributed and used in a “private-private-government” relationship, and (d) that it is associated with the latest four basic information (name, address, gender, date of birth) Has characteristics. On the other hand, the ID identifier is a “visible number” printed on the card face of the “personal number card” or a document relating to social security / tax payment together with personal information such as name, and anyone can use the ID identifier and personal information of others. Know the combination. Therefore, if the ID identifier is used in fields that handle sensitive personal information such as the medical / nursing care field, the specific individual who is the subject of the sensitive personal information can be easily identified, and privacy is infringed. There is a problem of being.

  On the other hand, as disclosed in Patent Document 1, for example, an authentication system capable of single sign-on without disclosing personal information between a plurality of authentication servers has been proposed. In this authentication system, for example, when the user A1 of the company A accesses the Web-related application of the company B, the conversion ID generated from the user ID of the user A1 between the authentication server 2a of the company A and the authentication server 2b of the company B, and Since authentication is performed using an authentication linkage token including attribute information, the company A can access the Web application of the company B by single sign-on without disclosing the user ID that identifies the user A1 to the company B. It can be done. For this reason, it is possible to solve the problem that privacy is infringed using such conversion ID.

JP 2012-203781 A

  However, in the technique of Patent Document 1, the intranet 10a of the company A is provided with the repository 3a in which the user information table 31a and the ID conversion log table 32 are recorded, and the repository 3a is in the company A. Since the correspondence relationship between the user ID and the conversion ID is recorded in the ID conversion log table 32 of the repository 3a, there is a concern that the user ID can be known from the conversion ID. For this reason, it is difficult to use the ID identifier in such a field that handles highly sensitive personal information in the medical / nursing care field (hereinafter simply referred to as medical care).

  Therefore, the present invention has been made in view of the above points and the like, and an ID identifier generation method and an ID that can efficiently generate an ID identifier that can be used in the field of handling sensitive personal information such as medical care. An object is to provide an identifier generation system.

In order to solve the above-mentioned problem, the invention described in claim 1 is an ID identifier generation method executed by one or more computers, the step of acquiring a first ID identifier, and the acquired first A step of converting the ID identifier in a one-to-one mapping to calculate an intermediate value, a step of acquiring the calculated intermediate value, and user information designated by a user to which the first ID identifier is assigned To generate a second ID identifier by performing personalization conversion on the acquired intermediate value, and to search the generated second ID identifier for information unique to the user obtaining a key for, viewing contains a second step of generating an ID identifier, from the obtained by converting the user information in one-way hash function values, predetermined The intermediate value vector and the insertion position displacement vector consisting of the elements are extracted, and the intermediate value is inserted into the position of the displacement indicated by the insertion position displacement vector from the beginning of the character string as the character string. And the second ID identifier is generated by combining them.

The invention according to claim 2 is an ID identifier generation system comprising an electronic information medium and an information processing apparatus, wherein the information processing apparatus is stored in the electronic information medium or printed on the electronic information medium. A first acquisition unit that acquires one ID identifier; and a calculation unit that calculates an intermediate value by converting the acquired first ID identifier in a one-to-one mapping, wherein the electronic information medium includes the electronic information medium, Using the second acquisition means for acquiring the calculated intermediate value and user information specified by the user to which the first ID identifier is assigned, personalized conversion is performed on the acquired intermediate value. Generating means for generating a second ID identifier, wherein the information processing apparatus uses the second ID identifier generated by the generating means as a key for searching for information unique to the user. Take Includes a third obtaining means for, wherein the generating means, the user information from the converted and obtained values in one-way hash function takes the intermediate value vector and the insertion position displacement vector of a predetermined number of elements Generating the second ID identifier by inserting and combining elements of the intermediate value vector at the displacement position indicated by the insertion position displacement vector from the beginning of the character string, using the intermediate value as a character string. It is characterized by.

  According to the present invention, it is possible to efficiently generate an ID identifier that can be used in the field of handling sensitive personal information such as medical care.

It is a conceptual diagram which shows the flow from which a 2nd ID identifier is produced | generated from a 1st ID identifier. It is a block diagram which shows the example of a schematic structure of the electronic medical chart system which concerns on this embodiment. It is a sequence diagram which shows operation | movement of the electronic medical chart system which concerns on this embodiment. It is a sequence diagram which shows operation | movement of the electronic medical chart system which concerns on this embodiment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

[1. Principle of the present invention]
First, the principle of the present invention will be described. In the present invention, from an ID identifier (hereinafter referred to as “first ID identifier”) that is numbered with uniqueness and uniqueness and distributed as a “visible number”, it is uniqueness and uniqueness. The second ID identifier that can be used in a highly sensitive field is generated while maintaining the characteristics. The first ID identifier is a code used to uniquely identify an individual in information processing (within the information processing range) for personal information. For example, insured person numbers, medical examination ticket numbers, basic pension numbers, social security and tax numbers (hereinafter referred to as “My Numbers”), medical IDs (tentative names), and the like.

  In order to use the second ID identifier as an “invisible number” in a highly sensitive field, it must be difficult to derive the first ID identifier from the second ID identifier. Therefore, in the present invention, one or more computers perform ID identifier generation processing (ID identifier issuance processing) including the following two-stage conversion. That is, as a first step, the computer converts the first ID identifier in a one-to-one mapping (ID conversion (first step) processing), and as the second step, the conversion result in the first step is Further, by performing individualization (personalization) conversion (ID conversion (second stage) individualization processing), a second ID identifier is generated (issued).

  FIG. 1 is a conceptual diagram illustrating a flow in which a second ID identifier is generated from a first ID identifier.

The conversion in the first stage may be anything as long as it is a one-to-one mapping. The one-to-one mapping, and f a mapping to a set Y from the set X, _{x 1} ∈X, relative _{x 2} ∈X, their image _{f (x 1) ∈Y, f} (x 2) ∈Y But,
If x ₁ ≠ x ₂ then f (x ₁ ) ≠ f (x ₂ )
When satisfying, the mapping f is called a one-to-one mapping from X to Y.

  Here, an example of the one-to-one mapping in the first stage will be described below.

The first ID identifier is a decimal k-digit integer x, ie,
x∈Z / nZ, n = 10 ^k
(Where “x∈Z / nZ” represents the remainder set when the integer x is divided by n), and the mapping f: Z / nZ → Z / nZ
f (x) = ax + b (mod n)
If a, b ∈ (Z / nZ) ^* and (Z / nZ) ^* are defined as irreducible residue class groups, this mapping is a one-to-one mapping. Here, f (x) indicates a remainder when “ax + b” is divided by n. Assuming that the result obtained by performing the conversion by the one-to-one mapping in the first stage on the first ID identifier x is an intermediate value y ₁ ,
y ₁ = f (x) = ax + b (mod n)
It becomes.

As another example of the one-to-one mapping in the first stage, the intermediate value y ₁ may be obtained by encryption using common key encryption (block encryption). For example, when enciphering plaintext x using the key k with the common key block cipher is represented by Enc (k, x), the first ID identifier is an integer x of decimal k digits, that is, x∈Z / For nZ,
f (x) = Enc (k, x)
Obtaining an intermediate value y ₁ by converting a value (binary) to a string of numbers f (x) obtained by.

  Next, an example of the second stage personalization conversion will be described below.

From the value obtained by converting user information (password, password, biometric information metrics, etc.) that can be known only by the subject (user) given the ID identifier using a one-way hash function, m (predetermined) an intermediate value vector y ₂ of elements, the insertion position displacement vector d, is taken out by extraction algorithm. At this time, symmetric key cryptography may be used instead of the hash function.

y ₂ = {t ₁ , t ₂ ,..., t _m }, 0 ≦ t _i ≦ k
d = {d ₁ , d ₂ ,..., d _m },
The conversion result y ₁ by the first-stage mapping is expressed as a character string, and t ₁ (that is, the position of the displacement d ₁ indicated by the insertion position displacement vector d) from the beginning of the character string (that is, the position of the displacement d ₁ indicated by the insertion position displacement vector d) , the elements of the intermediate value vector y _2), inserting a t ₂ to the position of the displacement d ₂ (as a string), combined will be repeated until it an intermediate value vector y ₂ of the number of elements m.

Hereinafter, a numerical example in the case where the first ID identifier is composed of 11-digit numerical values will be described.
For example, the first ID identifier x of Mr. A is x = 16592411302. As a one-to-one mapping in the first stage, here, y ₁ = 83407588698 is calculated by calculating with a conversion formula in which the 10's complement to x is y ₁ . If the intermediate value vector y ₂ and the insertion position displacement vector d generated by the personalization transformation in the second stage are y ₂ = {64, 38} and d = {3, 7}, respectively, y ₁ = If y ₂ = {64,38} is inserted into displacement 3 and displacement 7 of 83407588698, z = 834 64 0758 38 8698 is obtained as the second ID identifier z.

As described above, the same conversion rule is applied to all members who are assigned ID identifiers as conversion rules (for example, conversion parameters a, b, n) of the one-to-one mapping in the first stage. them if the first ID Shikkai sex and unique property identifier x has is also maintained in the intermediate result y _1. Since the organization that numbers and manages the first ID identifier (hereinafter referred to as “number management organization”) knows the conversion parameters a, b, and n, the first ID identifier x and the intermediate value y ₁ Can be easily converted in both directions. However, conversion parameters of the second stage of individualizing (personalized) converting the generated intermediate value vector y ₂ and the insertion position displacement vector d is only entity (user) applied an ID identifier are possible generation numbers Even the management organization cannot know y ₂ and d, so even if it knows the second ID identifier generated by the above method, it cannot easily know the first ID identifier of the subject. Therefore, the second ID identifier converted and generated by the above method is suitable for use in sensitive fields such as medical care. The ID identifier generation process described above may be implemented in a computer that provides a service that handles highly sensitive information. The personalization conversion in the second stage may be implemented on a personal number card (IC card) to be distributed to an individual, in addition to a method implemented on a computer that provides a service. By mounting on a personal number card (IC card), it is ensured that only the subject given the ID identifier can execute the conversion from the first ID identifier to the second ID identifier, and the big in the sensitive personal information field. It is possible to dispel concerns such as the presence of a brother.

[2. Application example of the present invention]
Next, an electronic medical record system to which the ID identifier generation system of the present invention is applied will be described with reference to FIGS. FIG. 2 is a block diagram illustrating a schematic configuration example of the electronic medical chart system according to the present embodiment. 3 and 4 are sequence diagrams illustrating the operation of the electronic medical chart system according to the present embodiment.

  As shown in FIG. 2, the electronic medical chart system S according to the present embodiment includes a business server 1, a business record database 2, a client terminal 3, and an IC card 4 (an example of an electronic information medium). The business server 1 and the client terminal 3 are an example of an information processing apparatus in the present invention. Further, in the following explanation, explanation will be given by taking My Number as an example of the first ID identifier given to the user of the client terminal 3 and the IC card 4. The business server 1 and the client terminal 3 are connected to a network composed of, for example, the Internet. The business record database 2 may be provided in the business server 1 or may be provided in a server other than the business server 1. The client terminal 3 can communicate with the IC card 4 wirelessly or wired via a reader / writer, for example.

  The business server 1 includes, for example, a server computer, and includes an ID conversion unit 11 that performs ID conversion (first stage) processing, a business application 12 (by an application program), and the like. The business application 12 has a function of performing a chart search process or the like in response to a request from the client terminal 3 and returning a response to the client terminal 3, for example. The business record database 2 stores a business record 21 including a medical ID, an examination date, a medical record, a prescription, a test record, a medical staff name, and the like in association with each other. The business server 1 can access the business record database 2. The client terminal 3 is composed of, for example, a personal computer or a portable information terminal such as a smart phone, and can make various requests by accessing the business server 1 via a network using, for example, a Web browser.

  The IC card 4 is, for example, a medical card distributed to users, and has an IC chip mounted thereon. The IC chip includes a CPU (microcomputer), RAM, flash memory (or EEPROM), and an I / O circuit. Various data and programs are stored in the flash memory, and this data includes the My Number. This my number is printed on the IC card 4, for example. The CPU is a controller that executes various programs, and includes an ID individualization unit 41 that performs ID conversion (second stage) individualization processing. The I / O circuit is for performing data communication with the client terminal 3 by wire or wireless.

  In the above configuration, as shown in FIG. 3, the client terminal 3 transmits a my number read command to the IC card 4 in response to a read instruction from the user (step S1). In response to the my number read command from the client terminal 3, the IC card 4 reads the my number stored in the flash memory and transmits it to the client terminal 3 (step S2). When the client terminal 3 receives (acquires) the My Number from the IC card 4, the client terminal 3 accesses the business server 1 via the network and transmits a request including the My Number to the business server 1 (Step S3). Note that the client terminal 3 may be configured to acquire the My Number printed on the IC card 4 when the user inputs from the client terminal 3.

When receiving the request including the my number from the client terminal 3, the ID conversion unit 11 of the business server 1 acquires the my number and executes ID conversion (first stage) processing (step S4). The ID conversion (first stage) process is converted by the acquired My number is one-to-one mapping to an intermediate value y ₁ is calculated. Then, the business server 1 transmits a response including the calculated intermediate value y ₁ to the client terminal 3 (step S5).

The client terminal 3 receives the response including intermediate values y ₁ from the service server 1, in response to an input instruction by the user to input a PIN (Personal identification number) (step S6). The PIN is an example of user information designated by a user to whom a My Number is assigned. Then, the client terminal 3 transmits an ID individualization command including the intermediate value y ₁ received from the business server 1 and the input PIN (that is, the PIN specified by the user) to the IC card 4 (step) S7). The ID individualization unit 41 of the IC card 4 executes ID conversion (second stage) individualization processing in response to the ID individualization command from the client terminal 3 (step S8). In this ID conversion (second stage) Individual treatment, ID personalization unit 41 obtains the PIN and the intermediate value _{y 1} included in the ID personalization command. Then, the ID individualization unit 41, based on the value obtained by converting the acquired PIN with, for example, a one-way hash function, as described above, the intermediate value vector y ₂ composed of a plurality of elements and the insertion position displacement vector d And using the acquired intermediate value y ₁ as a character string, the element of the intermediate value vector y ₂ is inserted and combined from the beginning of the character string to the displacement position indicated by the insertion position displacement vector d (intermediate value vector repeated until the number of elements y ₂₎ to produce a medical treatment ID is a second ID identifier (calculated) by. Then, the IC card 4 transmits the generated medical ID to the client terminal 3 (step S9). As a result, the client terminal 3 acquires the medical ID as a key for searching for information unique to the user.

  The client terminal 3 displays, for example, a medical chart search screen acquired from the business server 1 (step S10), and if there is a search instruction from the user through the medical chart search screen, a request including a medical ID obtained from the IC card 4 is received. It transmits to the business server 1 (step S11). When the business server 1 receives a request including a medical ID from the client terminal 3 (acquires a medical ID as a key for searching for information unique to the user), the business server 1 executes a medical chart search process using the medical ID as a key. Then, the patient record data (an example of information unique to the user) is acquired from the business record database 2 (step S12). Then, the business server 1 transmits a response including the acquired chart data to the client terminal 3 (step S13). Upon receiving the response including the chart data from the business server 1, the client terminal 3 displays the chart on the chart editing screen according to the chart data (step S14).

  In the operation example shown in FIG. 3, the business server 1 is configured to execute the ID conversion (first stage) process. However, as shown in FIG. 4, the client terminal 3 receives the My Number from the IC card 4. Upon reception (acquisition), the ID conversion (first stage) process may be executed (step S3a) without transmitting the My Number to the business server 1. The other processing shown in FIG. 4 is the same as the processing shown in FIG.

  As described above, according to the above-described embodiment, as the first stage, the My Number is converted in a one-to-one mapping, and as the second stage, the personalized conversion is further performed on the conversion result in the first stage. Since the second ID identifier is generated as a key for searching for information unique to the user, the second ID that can be used in the field of handling sensitive personal information such as medical care An identifier can be generated efficiently.

  In the above embodiment, the electronic medical record system S is configured to generate the second ID identifier by a plurality of computers, but may be configured to generate the second ID identifier by one computer. Good. The present invention is also applicable to various systems other than the electronic medical chart system.

1 business server 2 business record database 3 client terminal 4 IC card

Claims (2)

An ID identifier generation method executed by one or more computers,
Obtaining a first ID identifier;
Converting the acquired first ID identifier in a one-to-one mapping to calculate an intermediate value;
Obtaining the calculated intermediate value;
Generating a second ID identifier by performing personalization conversion on the acquired intermediate value using user information designated by the user to which the first ID identifier is assigned;
Obtaining the generated second ID identifier as a key for searching for information unique to the user;
Only including,
The step of generating the second ID identifier takes out an intermediate value vector consisting of a predetermined number of elements and an insertion position displacement vector from values obtained by converting the user information with a one-way hash function, The value is a character string, and the second ID identifier is generated by inserting and combining an element of an intermediate value vector at a displacement position indicated by the insertion position displacement vector from the beginning of the character string. ID identifier generation method. An ID identifier generation system comprising an electronic information medium and an information processing device,
The information processing apparatus includes:
First acquisition means for acquiring a first ID identifier stored in an electronic information medium or printed on the electronic information medium;
Calculating means for converting the acquired first ID identifier in a one-to-one mapping to calculate an intermediate value;
With
The electronic information medium is
Second acquisition means for acquiring the calculated intermediate value;
Generating means for generating a second ID identifier by performing personalization conversion on the acquired intermediate value using user information specified by a user to which the first ID identifier is assigned;
With
The information processing apparatus includes:
Third acquisition means for acquiring the second ID identifier generated by the generation means as a key for searching for information unique to the user;
Equipped with a,
The generation means extracts an intermediate value vector and an insertion position displacement vector composed of a predetermined number of elements from a value obtained by converting the user information with a one-way hash function, and uses the intermediate value as a character string. An ID identifier generation system, wherein the second ID identifier is generated by inserting and combining elements of an intermediate value vector at a displacement position indicated by the insertion position displacement vector from the beginning of a character string .

Images