JP6623321B2 - Method for managing electronic data for network system, program therefor, and recording medium for program - Google Patents

Description

The present invention relates to a method for managing electronic data for a network system for ensuring the security of electronic data, a program therefor, and a recording medium for the program. More specifically, a method for managing electronic data for a network system, which secures electronic data by storing a key for encryption or decryption in a device different from the encrypted electronic data, a program therefor, and a program It relates to a recording medium.

  The user's electronic data is usually stored and used in a portable memory device, an auxiliary storage device of an electronic computer, or the like. Also, with the speeding-up of communication systems, services using so-called databases and storages on networks, so-called cloud systems, have become widespread. As an example of a cloud system, a web mail service is widely used.In addition, a network storage service that stores electronic data such as photos, videos, and document files in network storage, and multiple users using the network storage service File sharing services for sharing, browsing, and editing files have also become widespread.

  Furthermore, the number of users who receive a cloud service using a notebook computer, a tablet terminal, or the like is increasing. In other words, the tablet terminal is a plate-like electronic computer, and is called a tablet for short. A tablet terminal is an information device in which a liquid crystal screen and a main body are integrated into a thin plate, and operations such as input are performed by directly touching the screen. Examples of the tablet terminal include an iPad (registered trademark) of Apple Inc. in the United States and NEXUS (registered trademark) of Google Inc. in the United States.

  Depending on the model of the tablet terminal, the keyboard can be detached or deformed and used as a notebook computer. The tablet terminal often has a wireless communication standard function such as Wi-Fi (Wireless Fidelity) and WiMAX (Worldwide Interoperability for Microwave Access) as a built-in function. In this situation, if a portable terminal such as a notebook computer or a tablet terminal is lost, the contents of the electronic data are leaked, which is a problem. When using the cloud service, a small amount of electronic data in the mobile terminal will be leaked, but if it leads to corporate know-how and confidential information, it must not be.

  When using a cloud service, data communication between a user's computer and a server on a network is performed by encrypting and transmitting communication data. In an electronic computer, electronic data is encrypted and transmitted to a server according to a predetermined communication protocol. The server decrypts the encrypted electronic data and stores it in the recording device. As a result, the electronic data is recorded in a recording device on the network without being encrypted.

  For example, in a web-based system using a cloud service such as Google Apps, communication between a user terminal and a cloud server is such that data on a network communication path is encrypted by SSL (Secure Socket Layer) communication. Security is assured and electronic data is protected. When this secured data reaches the server, it is decrypted and stored in the storage. In other words, when the data is stored in the storage device of the cloud server, the data is passed through the server-side SSL and becomes original unencrypted electronic data, so-called plaintext data.

  Among them, a large number of electronic data management systems for the purpose of electronic data security have been disclosed. For example, Patent Document 1 discloses an electronic file management system for encrypting a client file and transmitting the encrypted file to a web file server. Even when the file is stored on the web file server, the file itself is encrypted. The client has a configuration in which an encryption filter processing unit and a redirect driver are added to the existing standard web browser function.

  The client enables a plaintext file to be transmitted to a server such as a web file server by a standard web browser or another client by HTTP / TCP / IP, encrypts the file, and saves the file in a database of the web file server. I have. The management and use of the electronic file by the client, and the decryption and use of the encrypted electronic file by only the third party to which the client has granted the access right are made possible.

  Patent Document 2 discloses a data protection system that achieves both concealment of confidential information from an online service provider and reduction of system operation costs incurred by an organization using the online service. In this system, when a web browser of a client terminal transmits data to an online service server, it acquires an encryption script and an encryption key from a key management server via a network in the organization, and executes the encryption script. Obtains the encrypted data of the input data, transmits the obtained encrypted data to the online service server, and renders the decryption script and the encryption key from the key management server when drawing the data display screen received from the online service server. And executing a decoding script to obtain decoded data of the display data, and using the decoded data obtained by the means to draw a data display screen.

JP 2011-216034 A JP 2010-72916 A

  However, it has been pointed out that cloud systems still have insufficient security of electronic data stored on a network. In particular, there are insufficient countermeasures against data leakage or the like due to fraudulent acts or system malfunctions by businesses or managers who manage servers and databases. Furthermore, portable terminals are always at risk of loss, and countermeasures are required.

  Although the above-mentioned cloud services have begun to spread, users have not yet been provided with an environment in which they can use them with peace of mind. In the cloud service, user data is stored in a network storage as plain data without being encrypted. There is a possibility that these plaintext data can be browsed by a business operator or an administrator who manages the network storage. Therefore, as described above, the protection of the cloud database and the electronic data in the storage device of the server has become an issue.

  Furthermore, the use of portable tablet terminals is increasing in many cases, particularly in the field. In this case, there is always a risk of loss because you always carry it. Therefore, there is a need for a measure for preventing data leakage even when a portable terminal such as a tablet terminal containing important information such as confidential information is lost. A mobile terminal such as a tablet terminal connects to a cloud service to download and use electronic data, but unencrypted data may be stored in the mobile terminal.

  There is a risk that important electronic data is leaked due to the loss of the mobile terminal. Furthermore, even if the electronic data is encrypted and stored in the mobile terminal, the decryption key may be stored in the mobile terminal as well. Also in this case, if the portable terminal is lost, the electronic data can be decrypted and browsed with the decryption key, so that the electronic data may be leaked. In this situation, even if the portable terminal is lost, there is a need for measures to prevent the leakage of the electronic data and the decryption key therein.

The present invention has been made under the above-mentioned technical background, and achieves the following objects.
An object of the present invention is to secure security of electronic data by storing encrypted user data, which is electronic data transmitted and received between a mobile terminal and a server, in a device different from a key for encrypting or decrypting the user data. For managing network system electronic data, a program therefor, and a recording medium for the program.

Another object of the present invention is to provide a method for managing electronic data for a network system for ensuring security of electronic data of a user used in a cloud service, a program therefor, and a recording medium for the program.

Another object of the present invention is to provide a method of managing electronic data for a network system for ensuring security of electronic data of user data used in a mobile terminal, a program therefor, and a recording medium of the program.

The present invention employs the following means to achieve the above object.
The present invention relates to a method of managing electronic data for a network system for ensuring security of electronic data by storing a key for encryption or decryption in a device different from the encrypted electronic data, a program therefor, and a program Recording medium is provided.

The method for managing electronic data for a network system according to the present invention comprises:
network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
A network system comprising a storage device or a web database on the network storing the encrypted user data,
When using the user data obtained from the network in the portable terminal, in the method for managing network system electronic data for securing and managing the security of the user data,
The mobile terminal acquires the encrypted user data from the storage device or the web database and stores the user data in a storage unit of the mobile terminal,
The portable terminal stores the decryption key acquired from the key management unit in a portable device that can communicate with the portable terminal without storing the decryption key in the storage unit of the portable terminal.
In the portable terminal, when using the encrypted user data, the portable terminal communicates with the portable device to obtain a unique address of the portable device,
The portable terminal is stored in the key management means or the portable terminal, confirms the unique address by accessing a portable device unique address list that has registered a device permitted or disallowed to use,
When the unique address is registered in the portable device unique address list and is an address permitting use of the portable device, the portable terminal communicates with the portable device to acquire the decryption key. Using the user data by decrypting the encrypted user data with the decryption key,
When the unique address is not registered in the portable device unique address list or is an address that prohibits the use of the portable device, the portable terminal determines use of the encrypted user data. It is characterized by stopping.

In addition, the method for managing electronic data for a network system according to the present invention includes:
network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
A network system comprising a storage device or a web database on the network storing the encrypted user data,
When using the user data obtained from the network in the portable terminal, in the method for managing network system electronic data for securing and managing the security of the user data,
The key management means includes: (a) the encryption key and the first parameter for encrypting the user data by a functional encryption method; and (b) the decryption of the encrypted user data. Generating and managing a second parameter satisfying a specific function R together with the decryption key paired with the encryption key, and the first parameter;
The user data encrypted in the mobile terminal with the encryption key and the first parameter is stored in the storage device or the web database,
The mobile terminal acquires the encrypted user data from the storage device or the web database and stores the user data in a storage unit of the mobile terminal,
The mobile terminal obtains the decryption key and the second parameter from the key management unit, and the decryption key is not stored in the storage unit of the mobile terminal, but is stored in a mobile device that can communicate with the mobile terminal . The second parameter is stored in the mobile terminal,
When using the encrypted user data in the mobile terminal, the mobile terminal communicates with the mobile device to obtain a unique address of the mobile device,
The portable terminal is stored in the key management means or the portable terminal, confirms the unique address by accessing a portable device unique address list that has registered a device permitted or disallowed to use,
The unique address is registered in the portable device-specific address list, and when an address that is permitted to use of the portable device, the portable terminal acquires the decryption key by communicating with the portable device Using the user data by decrypting the encrypted user data using the decryption key and the second parameter,
When the unique address is not registered in the portable device unique address list or is an address that prohibits the use of the portable device, the portable terminal determines use of the encrypted user data. It is characterized by stopping.

The mobile terminal is obtained from first position information obtaining means mounted on the mobile terminal, and includes first position information indicating the position of the mobile terminal, and second position information obtaining means mounted on the mobile device. Comparing the acquired second position information indicating the position of the mobile device, calculating the distance, the distance is greater than or equal to a predetermined distance, and the position of the mobile device is out of the range available from the mobile terminal If the mobile device is located, or if the communication between the mobile device and the mobile terminal is disconnected, or if communication between the mobile device and the mobile terminal cannot be established for a predetermined period or more, the security means of the mobile terminal There wherein the mobile terminal deletes the user data may be stopped use of the user data.
The key management means may generate the encryption key and / or the decryption key by a key generation algorithm using the unique address as original data for key generation.

It is preferable that the portable terminal and the portable device have a wireless communication unit for performing wireless communication.
The wireless communication means may be Bluetooth (registered trademark).
The portable terminal may be a notebook computer, a tablet terminal, or a smartphone.
The portable device may be one type selected from a watch type device, a pen type device, and a USB key.

An electronic data management program for a network system according to the present invention includes:
network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
Used in a network system comprising a storage device or a web database on the network that stores the encrypted user data, when using the user data obtained from the network in the mobile terminal, operating the mobile terminal In the network system electronic data management program for ensuring and managing the security of the user data,
Connecting to the network and obtaining the encryption key from the key management means;
Transmitting the user data encrypted with the encryption key to the network for storage in the storage device or the web database;
Step of connecting to the network, stores from said storage device or the web database in a storage unit of the portable terminal obtains the encrypted the user data,
Connecting to the network, acquiring the decryption key from the key management unit, and storing the decryption key in a portable device that can communicate with the portable terminal without storing the decryption key in the storage unit of the portable terminal;
When using the encrypted user data, communicating with the mobile device to obtain a unique address of the mobile device,
A confirmation step of confirming the unique address by connecting to the network and accessing the key management means or accessing the portable terminal, referring to a portable device unique address list in which available devices are registered,
In the checking step, when the unique address is registered in the portable device unique address list and is an address permitting use of the portable device, the device communicates with the portable device to obtain the decryption key. Decryption key acquisition step,
A decryption step of decrypting the user data with the decryption key obtained in the decryption key acquisition step;
Using the user data decrypted in the decrypting step; and
Stopping the use of the encrypted user data when the unique address is not registered in the mobile device unique address list in the confirmation step, or is an address prohibiting use of the mobile device. And causing the portable terminal to operate the stopping step.

Further, a management program for electronic data for a network system according to the present invention includes:
network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
Used in a network system comprising a storage device or a web database on the network that stores the encrypted user data, when using the user data obtained from the network in the mobile terminal, operating the mobile terminal In the network system electronic data management program for ensuring and managing the security of the user data,
Connecting to the network, (a) the encryption key and the first parameter for encrypting the user data by a functional encryption method, and (b) decryption of the encrypted user data. And obtains the encryption key and the first parameter from the key management unit that generates and manages the decryption key paired with the encryption key and the second parameter that satisfies the specific function R together with the first parameter. Step to do,
Transmitting the user data encrypted with the encryption key and the first parameter to the network for storage in the storage device or the web database;
Connected to the network, from the storage device or the web database, electronic data acquisition step of storing acquires the user data encrypted with the encryption key in the first parameter in the storage unit of the portable terminal,
Connect to the network, obtain the decryption key and the second parameter from the key management unit, and store the decryption key in a portable device that can communicate with the portable terminal without storing it in the storage unit of the portable terminal. Storing the second parameter in the mobile terminal;
When using the encrypted user data, communicating with the mobile device to obtain a unique address of the mobile device,
A confirmation step of confirming the unique address by connecting to the network and accessing the key management means or accessing the portable terminal, referring to a portable device unique address list in which available devices are registered,
In the checking step, when the unique address is registered in the portable device unique address list and is an address permitting use of the portable device, the portable device communicates with the portable device and sends the decryption key to the portable device. A decryption key acquisition step comprising: acquiring from a device; and acquiring the second parameter from auxiliary storage means of the portable terminal.
A decryption step of decrypting the encrypted user data with the decryption key and the second parameter acquired in the decryption key acquisition step ;
Using the user data decrypted in the decrypting step; and
In the confirming step, when the unique address is not registered in the portable device unique address list or is an address prohibiting use of the portable device, the use of the encrypted user data is prohibited. The portable terminal is operated to perform a stopping step of stopping.

Further, a management program for electronic data for a network system according to the present invention includes:
The encryption key and the decryption key are preferably generated by the key management unit using a key generation algorithm using the unique address as original data for key generation.
Further, the management program for electronic data for a network system according to the present invention includes a step of monitoring communication between the mobile device and the mobile terminal, and a case where communication between the mobile device and the mobile terminal is disconnected, or If a device with the mobile terminal communication can not be established between more than a predetermined time period, the step of stopping the use of the user data may be operated on the portable terminal.

Still further, a management program for electronic data for a network system of the present invention includes a step of acquiring first position information from the portable device, a step of specifying a position of the portable device by using the first position information, and If not fall within said position is determined in advance, the step of stopping the use of the user data may be operated on the portable terminal.

Further, the management program for electronic data for a network system of the present invention further comprises:
Obtaining first position information from the mobile device;
Obtaining second position information from a position measuring device of the mobile terminal;
Calculating a distance between the portable terminal and the portable device using the first position information and the second position information; and
If said spaced a predetermined distance or more, the step of stopping the use of the user data may be operated on the portable terminal.

The further network electronic data management program for the system of the present invention, the case where the use of user data is stopped, the step of deleting the user data may be operated on the portable terminal.
It is preferable that the portable terminal and the portable device have a wireless communication unit for performing wireless communication.

The wireless communication means may be Bluetooth (registered trademark).
The portable terminal may be a notebook computer, a tablet terminal, or a smartphone.
The portable device may be one type selected from a watch type device, a pen type device, and a USB key.

A recording medium on which the network system electronic data management program of the present invention is recorded is a recording medium on which the above-described network system electronic data management program is recorded.

According to the present invention, the following effects can be obtained.
According to the present invention, when user data is encrypted and used by a dedicated application software on a mobile terminal such as a tablet terminal, the decryption key is stored and used in a mobile device different from the mobile terminal. Security was assured.

According to the present invention, in the case of a cloud service, user data is encrypted, and when used with dedicated application software on a mobile terminal such as a tablet terminal connected to the cloud service, the decryption key is transmitted to a mobile device different from the mobile terminal. Since it is stored and used, the security of the user data in question has been secured.
Further, according to the present invention, even if a mobile terminal such as a tablet terminal is lost, user data in the mobile terminal cannot be decrypted because there is no decryption key.

FIG. 1 is a conceptual diagram illustrating an outline of an electronic data management system 1 according to a first embodiment of this invention. FIG. 2 is a conceptual diagram schematically illustrating data communication between the user terminal 3 and the web server 4 of the electronic data management system 1 according to the first embodiment of this invention. FIG. 3 is a conceptual diagram illustrating an outline of data communication between the tablet terminal 8 and the web server 4 of the electronic data management system 1 according to the first embodiment of this invention. FIG. 4 is a block diagram illustrating an example of the configuration of the BTE 9. FIG. 5 is a block diagram illustrating another example of the configuration of the BTE 9. FIG. 6 is a flowchart showing an example of the processing flow of the security program 32 when uploading and downloading from the web browser 31 to the web server 4. FIG. 7 is a flowchart illustrating an example of the flow of analyzing the HTTP header. FIG. 8 is a flowchart illustrating an example of a flow of analyzing an HTTP body. FIG. 9 is a conceptual diagram illustrating an outline of key management of the electronic data management system 1 according to the first embodiment of this invention. FIG. 10 is a conceptual diagram illustrating an outline of the electronic data management system 1 according to the third embodiment of this invention. FIG. 11 is a flowchart illustrating an example of a flow of a decryption process of the electronic data management system 1 according to the third embodiment of this invention.

[First Embodiment]
FIG. 1 is a conceptual diagram illustrating an outline of an electronic data management system 1 according to a first embodiment of this invention. The electronic data management system 1 includes a network 2, a user terminal 3 accessible to the network 2, a web server 4, a tablet terminal 8, and the like. The electronic data management system 1 encrypts user data and stores it in a storage device on the network 2 or a web database 5 for use.

  User data is electronic data used by a user. User data includes, but is not limited to, text files, still image files, video files, document files in various formats such as Word and pdf, computer program code files, and executable files (.exe files). File. When the user data is stored in the storage device on the network 2 or the web database 5, the user data can be uploaded as it is without changing the data format.

  The user data is changed to a description in a markup language, transmitted from the user terminal 3 used by the user to the web server 4 on the network 2, and stored in the web database 5. The network 2 is any known wired or wireless communication network, but is preferably a local area network (LAN) or the Internet.

  Alternatively, the electronic data management system 1 of the present invention can be applied to a cloud service in which user data is stored in a recording device on the network 2 and an information service is provided to the user using the network 2. The user terminal 3 is an electronic computer for a user to operate and use. The user terminal 3 is a general-purpose computer provided with an input device, an output device, a central processing unit, a main storage device, and the like. The tablet terminal 8 is an electronic computer for a user to operate and use, and is particularly a plate-shaped electronic computer in which a screen and a main body are integrated.

  The tablet terminal 8 is preferably a portable mobile terminal that can be carried around. The tablet terminal 8 is a general-purpose computer having a screen, a central processing unit, a main storage device, and the like. In particular, the screen can be input or operated by a touch operation. When a device such as a keyboard and a mouse is connected to the tablet terminal 8 and the tablet terminal 8 is used, an operation and use more similar to a notebook personal computer can be performed. The user terminal 3 has an auxiliary storage device such as a hard disk drive and an SSD (Solid State Drive).

  The auxiliary storage device of the user terminal 3 stores application programs, user data, and the like. The user terminal 3 has a communication function for connecting to another computer, another device, the network 2, and a device connected to the network 2. The user terminal 3 has a built-in communication device corresponding to a known wireless communication standard or a wired communication standard. For example, the user terminal 3 incorporates a communication device (not shown) compatible with wireless communication standards such as Wi-Fi, Bluetooth (registered trademark), and WiMAX.

  The communication device can communicate with a Bluetooth device (hereinafter, referred to as “BTE”) 7, a network 2 and the like, and can transmit and receive electronic data. Since the types and operations of the communication standards are not the gist of the present invention, detailed description thereof will be omitted. The user terminal 3 has encryption software 6 built-in. The user terminal 3 encrypts user data to be transmitted to the network 2 with a predetermined encryption key using the encryption software 6, and then transmits the data to the network 2.

  The user data encrypted by the encryption software 6 is decrypted by a decryption key corresponding to the encryption key. The encryption key and the decryption key are publicly known and are simultaneously generated by a predetermined key generation program. The key generation-dedicated program can use a well-known arbitrary key generation algorithm, application software, program, or the like. Since the generation of the encryption key and the decryption key is not the gist of the present invention, the detailed description is omitted.

  The decryption key can be stored in an electronic computer, an electronic device, or the like other than the user terminal 3 and used when user data is used. For example, as shown in FIG. 1, it can be stored in the BTE 7. The BTE 7 is a small, portable mobile device. The user accesses the network 2 from an arbitrary location, obtains the encrypted user data from the web server 4, and uses the decryption key in the BTE 7 to decrypt and use the user data.

  The tablet terminal 8 has an auxiliary storage device such as an SSD (Solid State Drive). The auxiliary storage device of the tablet terminal 8 stores application programs, user data, and the like. The tablet terminal 8 has a communication function for connecting to another computer, another device, the network 2, and a device for connecting to the network 2. The tablet terminal 8 incorporates a communication device compatible with any known wireless communication standard or wire communication standard. For example, the tablet terminal 8 incorporates a communication device (not shown) compatible with wireless communication standards such as Wi-Fi, Bluetooth, and WiMAX.

  The communication device communicates with the BTE 9, the network 2, and the like to transmit and receive electronic data. The tablet terminal 8 and the BTE 9 perform wireless communication according to the Bluetooth standard. Since the types and operations of the above-mentioned communication standards are not the gist of the present invention, detailed description thereof will be omitted. The tablet terminal 8 incorporates a dedicated viewer 10 and / or dedicated application software 11. The dedicated viewer 10 is a dedicated application program for viewing electronic data encrypted by the encryption software 6, and has a function of communicating with the BTE 9 and obtaining a decryption key.

  The dedicated application software 11 is also a dedicated application program for browsing and editing the electronic data encrypted by the encryption software 6, and has a function of communicating with the BTE 9 and obtaining a decryption key. The tablet terminal 8 may be provided with both the dedicated viewer 10 and the dedicated application software 11, or may be provided with only one of them. The BTE 9 is a portable device that can be carried by a user. When the decryption key is directly stored in the BTE 9 from the user terminal 3 and used, the BTE 9 may have the same specifications as the BTE 7 described above.

  In other words, the user terminal 3 stores the decryption key in BTE7 and BTE9. When the user starts using the tablet terminal 8, the BTE 9 always communicates with the tablet terminal 8. The BTE 9 stores data for authenticating the tablet terminal 8 in the built-in auxiliary storage device. Therefore, when the user operates the tablet terminal 8, an authentication program (not shown) for authenticating the tablet terminal 8 is activated.

  This authentication program connects to the BTE 9 and authenticates the tablet terminal 8. When the tablet terminal 8 cannot access the BTE 9, the use of the tablet terminal 8 is stopped and the tablet terminal 8 cannot be used. Bluetooth is a standard that allows communication over a distance of several meters to several tens of meters. Therefore, if the tablet terminal 8 and the BTE 9 are separated from each other by a distance greater than the communicable distance, communication becomes impossible and the tablet terminal 8 cannot be used.

  The web server 4 shown in FIG. 1 is a general-purpose server that stores a web database 5. The web database 5 is a database for storing and saving user data used by the user. In the case of a cloud service provided by the web server 4, the web database 5 can be referred to as a cloud database.

  In the present embodiment, the web database 5 means any database including user data, including a cloud database. The user terminal 3 can be directly connected to the network 2, but is connected via general connection means such as a wireless gateway, a proxy server, and a router (not shown). Conventionally, data communication between the user terminal 3 and the web server 4 is performed by encrypting communication data and transmitting and receiving each other.

  In the user terminal 3, the user data is encrypted and transmitted to the web server 4 according to a predetermined communication protocol. The web server 4 decrypts the encrypted user data and stores it in the web database 5. As a result, the user data is recorded in the web database 5 on the network 2 without being encrypted. The present invention provides a function of encrypting user data transmitted from the user terminal 3 and storing the encrypted user data in the web database 5.

  Unlike a cloud service, which is a service that converts data such as text and images into a specific format such as HTML, and a simple web service that provides data described in a specific format such as HTML, user data is different from a cloud service. It is stored in network storage. The network storage is a recording device that can be accessed from the web server 4, such as the web database 5. The user terminal 3 can access the web database 5 via the web server 4 to view, edit, download, and delete user data.

  Similarly, the user can upload new user data to the web database 5 and save it. Examples of such a cloud service include a web mail service, a web storage service, a file sharing service, and the like, which are now becoming widespread, but the cloud service of the present invention is not limited to these. Further, examples of cloud services may include social networks and their user data.

  FIG. 2 is a conceptual diagram illustrating an outline of data communication between the user terminal 3 of the electronic data management system 1 and the web server 4. The user receives the cloud service provided from the web server 4. The user receives this cloud service using the user terminal 3. First, the user starts an application program for cloud service on the user terminal 3. Although such an application program is not limited, the web browser 31 is optimal.

  Of course, application software other than a web browser may be used as long as they have the same communication function. In the present embodiment, as illustrated in FIG. The user terminal 3 activates the web browser 31 by a user operation. When the web browser 31 is activated, the user enters the URL address or IP address of the cloud service of the web server 4 and accesses the service provided from the web server 4.

  When the login screen of the cloud service is displayed on the screen of the user terminal 3, the user logs in with an appropriate user name and password. Communication between the web browser 31 and the web server 4 is performed according to a predetermined communication protocol. As the communication protocol, any known communication protocol can be used as long as it can be used for the cloud service. As the communication protocol, various protocols are used depending on the communication layer and the application.

  The OSI reference model (Open Systems Interconnection reference model) formulated by the International Organization for Standardization (ISO) is a model that defines the communication functions of computers and communication devices by dividing them into seven hierarchical structures, and is currently the most popular. . As shown in the following Table 1, these seven layers are a physical layer, a data link layer, a network layer, a transport layer, a session layer, a presentation layer, and an application layer from a layer close to a physical device to a layer of an application program. ing.

Table 1 exemplifies typical communication protocols in each of the seven layers of the OSI (Open Systems Interconnection) reference model. The OSI reference model is formulated by the International Organization for Standardization and is a model in which the communication function of a computer is divided into a hierarchical structure.

  In the present embodiment, although not limited, a communication protocol adopted in this OSI reference model is used. However, since the present invention is not the invention of the communication protocol itself, all the communication protocols of the seven layers of the OSI reference model will not be described, and in particular, only those necessary for implementing the present invention will be described. A TLS (Transport Layer Security) 33 shown in FIG. 2 is a protocol used for communication requiring security. The TLS 33 may be called SSL (Secure Socket Layer), which is a predecessor security communication protocol.

  The TLS 33 is located above the connection-type transport layer protocol, and is usually used by wrapping the TCP of the transport layer protocol. The TLS 33 is specifically designed for use in the application layer protocol HTTP (Hyper Text Transfer Protocol). HTTP is a communication protocol used for transmitting and receiving contents such as HTML between the web browser 31 and the web server 4. The TLS 33 has a feature that does not depend on a specific protocol of the application layer.

  In the present embodiment, the TLS 33 includes SSL unless otherwise specified. The TLS 33 encrypts user data such as WWW and FTP widely used on the Internet, and securely transmits information related to privacy, credit card numbers, and company secrets between the user terminal 3 and the web server 4. Can be sent and received. The TLS 33 combines security technologies such as public key encryption, secret key encryption, digital certificates, and hash functions to prevent data tapping, falsification, and spoofing.

  The TLS 33 operates at the boundary between the session layer and the transport layer, and can be used transparently from application software that uses a higher-level protocol such as HTTP or FTP without being particularly conscious. The web browser 31 and the server program 41 illustrated in FIG. 2 operate in the application layer. The TLS 33 and the TLS 43 are TLS protocols, and provide security communication between the web browser 31 and the web server 4. The network layers 34 and 44 shown in FIG. 2 are the network layers of the OSI reference model.

  The present invention provides a security program 32 located between the web browser 31 and the TLS 33 of the user terminal 3 for encrypting user data and decrypting the encrypted user data. The security program 32 has a protocol analysis function for analyzing a communication protocol, an encryption function, a decryption function, a BTE monitoring function, and the like. This protocol analysis function is a function of analyzing data of the HTTP protocol or the HTTPS protocol communicated between the web browser 31 and the web server 4.

Encryption, automatic in function of automatically encrypts user data to be transmitted to the web server 4 (cloud data) decoding function, a user data encrypted transmitted from the web server 4 This is a function for decryption. The encryption function performs an encryption process by calling an application software module dedicated to encryption such as the encryption software 6 shown in FIG. The same applies to the decryption function, and the decryption software 35 is shown in FIG.

  The BTE monitoring program 37 is a program for monitoring the BTE 7, and operates in a format built in the security program 32. Alternatively, the BTE monitoring program 37 is independent application software that is called from the security program 32 and operates. The BTE monitoring program 37 has a function of communicating with the BTE 7 and acquiring a decryption key in the BTE 7. Further, the decryption key can be stored in the BTE 7 through a predetermined procedure.

  This is used when the decryption key is changed or when a new decryption key is issued and stored. Further, the security program 32 analyzes the contents of the header and the body of the HTTP or HTTPS, and performs encryption or decryption of only the user data to be uploaded and downloaded, respectively. The security program 32 analyzes the header and body of HTTP or HTTPS, and encrypts or decrypts the user data in the body.

  FIG. 3 is a conceptual diagram schematically illustrating data communication between the tablet terminal 8 of the electronic data management system 1 and the web server 4. Basically, the data communication between the tablet terminal 8 and the web server 4 is substantially the same as the data communication between the user terminal 3 and the web server 4. Although the application program on the tablet terminal 8 is not limited, a web browser 81 will be described as an example. The web browser 81 is the dedicated viewer 10 or the dedicated application program 11 shown in FIG.

  In the tablet terminal 8, the web browser 81 is activated. When the web browser 81 is activated, the user enters the URL address or IP address of the cloud service of the web server 4 and accesses the service provided from the web server 4. When the login screen of the cloud service is displayed on the screen of the tablet terminal 8, the user logs in with an appropriate user name and password. Communication between the web browser 81 and the web server 4 is performed according to a predetermined communication protocol.

  The tablet terminal 8 communicates with the web server 4 using the network layer 84, the TLS 83, and the security program 82 in the same manner as the user terminal 3. The security program 82 is a program for encrypting user data and decrypting the encrypted user data. The security program 82 has a protocol analysis function for analyzing a communication protocol, an encryption function, a decryption function, a BTE monitoring function, and the like.

This protocol analysis function is a function of analyzing data of the HTTP protocol or the HTTPS protocol communicated between the web browser 81 and the web server 4. Encryption function is a function to automatically encrypt user data to be transmitted to the web server 4 (cloud data). The decryption function is a function for automatically decrypting the encrypted user data transmitted from the web server 4.

  The encryption function performs an encryption process by calling an application software module dedicated to encryption such as the encryption software 86. Similarly, the decryption function calls the application software or module dedicated to decryption such as the decryption software 85 to perform the decryption process. The BTE monitoring program 87 is a program for monitoring the BTE 9, and operates in a format built in the security program.

  Alternatively, the BTE monitoring program 87 may be independent application software that is called from the security program 82 and operates. The BTE monitoring program 87 has a function of communicating with the BTE 9 and obtaining a decryption key in the BTE 9. Further, the decryption key may be stored in the BTE 9 through a predetermined procedure. This is used when the decryption key is changed or when a new decryption key is issued and stored.

  FIG. 4 is a block diagram illustrating a configuration example of the BTE 9. The BTE 9 includes an antenna 91 for Bluetooth communication, a Bluetooth communication unit 92 for communicating with external devices, a control unit 93 for controlling the entire BTE 9, a display unit 94 for displaying each information, and an operation unit 95 such as operation buttons. , An oscillating circuit 96 including a clock oscillator for providing clock information, a memory 97 for storing electronic data, and the like. The Bluetooth communication unit 92 is for performing communication specified by the control unit 93 with the tablet terminal 8 or the like via the antenna 91.

  The BTE 9 normally displays the time measured by the oscillation circuit 96 on the display unit 94. The BTE 9 displays information received from an external device via the Bluetooth communication unit 92 on the display unit 94. The user operates the operation unit 95 to transmit data input to the BTE 9 and commands to respond to information from an external device to the Bluetooth communication unit 92. The control unit 93 receives a request for Bluetooth communication from an external device and performs authentication. For the authentication, the identification information stored in the memory 97 is used.

The BTE 9 has a unique identification number or a unique identification code, in other words, an identification ID. The identification ID is stored in the memory 97 and is used for authentication of the BTE 9 and identification of the BTE 9. This unique ID is registered in the key management server 20 and the key management database 21 and managed in a unified manner. In the key management database 21, the identification ID of the BTE 9 is stored in association with the key or the identification number of the key stored in the BTE 9. The memory 97 stores the above-described decryption key .

  When receiving a request for a decryption key from an external device such as the tablet terminal 8, the control unit 93 performs authentication of the tablet terminal 8, user authentication, and the like, and transmits the decryption key requested from the memory 97. Although not shown, the BTE 9 may include a unit having a function of acquiring position information. For example, the BTE 9 has a function of receiving a signal from a GPS (Global Positioning System) and outputting position information on the information of this means. This position information is transmitted to the tablet terminal 8.

  FIG. 5 is a block diagram illustrating another configuration example of the BTE 9. The configuration and function of the BTE 9 of FIG. 5 are basically the same as those of the BTE 9 shown in FIG. 4, and only different portions will be described. The BTE 9 in FIG. 5 includes a coordinate information receiver 98. The coordinate information receiver 98 is a receiver used for a service that provides position information such as GPS. The position information signal received by the coordinate information receiver 98 is passed to the control unit 93, and the control unit 93 transmits the position information signal to the tablet terminal 8.

  This makes it possible to always grasp the position where the BTE 9 exists. The coordinate information receiver 98 can use a position information providing service other than GPS. For example, a position measurement system used only indoors can be used. The tablet terminal 8 can acquire the position information from the BTE 9 and grasp and monitor the position of the BTE 9. From this position information, it is possible to monitor whether the BTE 9 is within the usable range. The security program 82 or the BTE monitoring program 87 shown in FIG. 3 has such a monitoring function.

  When the BTE 9 is out of the usable range, the security program 82 or the BTE monitoring program 87 stops using the tablet terminal 8 or stops using electronic data. Although not shown, the tablet terminal 8 also has a built-in receiver of the position measurement system, and the position of the tablet terminal 8 can be always grasped from the position data received by the receiver. Similarly, if the security program 82 or the BTE monitoring program 87 determines from the position information that the tablet terminal 8 is out of the usable range, the security program 82 or the BTE monitoring program 87 stops using the tablet terminal 8, Stop using electronic data.

[Analysis of HTTP / HTTPS protocol]
FIG. 6 is a diagram showing a flow of processing of the security program 32 when uploading and downloading from the web browser 31 to the web server 4. The flow of processing of the security program 32 will be described below with reference to FIG. When an HTTP request is issued from the web browser 31, the security program 32 receives the HTTP request (step 100).

  The security program 32 analyzes the contents of the HTTP request and determines the type of communication (Step 101). In the case of a CONNECT request for a request for security communication, the security program 32 issues a connection request for SSL communication to the web server 4, performs SSL authentication, and performs handshaking (step 102). In other words, when CONNECT is added to the HTTP request, security SSL communication using the HTTPS protocol is performed.

  After that, the HTTP header is analyzed (step 103). In the case of a POST request for uploading user data or a GET request for requesting download, the HTTP header is analyzed (step 103). When the HTTP request is a POST request, the communication is mainly related to uploading. When the GET request is added to the HTTP request, the communication is mainly related to download. By analyzing the HTTP header, it is determined whether or not the HTTP is the target HTTP (step 104).

  In the case of a non-target HTTP, the security program 32 transmits the HTTP protocol to the web server 4 (Step 108). In the case of the target HTTP, the security program 32 analyzes the HTTP body (step 105). The security program 32 determines the body part from the HTTP protocol, and encrypts the HTTP body (step 107). At the time of encryption, the encryption software 6 is called, and the HTTP body is encrypted by the encryption software 6.

  Thereafter, the security program 32 transmits the HTTP protocol to the web server 4 (Step 108). If it is determined in step 106 that the HTTP protocol is not the target, the security program 32 transmits the HTTP protocol to the web server 4 (step 108).

  FIG. 7 is a flowchart showing an example of the flow of analyzing the HTTP header in step 103 of FIG. The security program 32 acquires the contents of the HTTP header from the HTTP protocol as shown in Step 103 of FIG. 6 (Step 120). The line of “Content-Type” and “CONTENT-Length” of the HTTP header is analyzed (step 121). The security program 32 checks the content of “CONTENT-Length” and checks whether it is “0” (Step 122).

  In the case of “0”, the analysis of the HTTP header is terminated (step 122 → end). If it is not “0”, boundary information is acquired from the content of “Content-Type” (step 123). The boundary information is data indicating the boundary when there are a plurality of types of data in the HTTP body. Then, the boundary information is saved, and the analysis of the HTTP header ends (step 123 → end).

  FIG. 8 is a flowchart illustrating an example of the flow of analyzing the HTTP body. The analysis of the HTTP body in this example is steps 105 to 107 in the flowchart of FIG. The security program 32 searches for a file name from the boundary information acquired by the HTTP header analysis illustrated in FIG. 7 (Step 130). If the file name is not found in the search for the file name, the search result returns “NULL” and the analysis of the HTTP body ends (step 131 → end).

  If the file name is found in the search for the file name, the search result is not “NULL”. Then, the security program 32 acquires the file name and searches for the next line feed code (step 132). Then, the security program 32 encrypts the HTTP body (step 133). When the HTTP is sent from the web server 4, the body of the HTTP is encrypted, and the security program 32 decrypts it. In summary, in the case of a POST request, the HTTP body is encrypted, and in the case of a GET request, the HTTP body is decrypted.

  Then, the analysis of the HTTP body ends (step 133 → end). The SSL connection is performed in step 102 of FIG. The security program 32 establishes an SSL connection with the user terminal 3. After that, the security program 32 establishes an SSL connection with the web server 4. Thereby, the SSL connection is established between the user terminal 3 and the web server 4 which can virtually perform SSL communication.

  The user terminal 3 can be a mobile phone, a netbook, or a tablet computer as long as the function of the user terminal 3 is realized. Further, similarly, the user terminal 3 can be a virtual machine operating in a virtual environment or a thin client terminal. When uploading and downloading from the web browser 81 of the tablet terminal 8 to the web server 4, the processing flow of the security program 82 is the same as in FIG. 7, and the user terminal 3 described above needs to be read back as the tablet terminal 8. And a detailed description is omitted.

  The operating systems of the basic programs that control the user terminal 3 and the tablet terminal 8 are a Windows (registered trademark) operating system of Microsoft Corporation, a MAC OS (registered trademark) operating system of Apple Corporation, and UNIX (registered trademark). ) Or an operating system such as an operating system such as UBUNTU of Linux (registered trademark).

  In particular, in the case of the tablet terminal 8, Symbian OS (registered trademark), BlackBerry (registered trademark), Windows Mobile (registered trademark), iOS (registered trademark), Android (registered trademark), Firefox OS (registered trademark), etc. You can use the operating system for smartphones and tablets. The present invention is not an invention relating to the control of the details of the operating system, and thus the detailed description is omitted.

[About encryption / decryption]
As the above-described encryption key and decryption key, any known encryption scheme such as common key encryption, public key encryption, and functional encryption is used. The present invention does not store all decryption keys of electronic data in a terminal or a computer that uses the electronic data but stores the decryption key in another electronic device or a terminal or a computer when electronic data is used. Only read it in. In the case of the present embodiment, the decryption key is not stored in the tablet terminal 8 that uses the electronic data, but is stored in the BTE 9 that can communicate with the tablet terminal 8.

  If a plurality of keys such as an encryption key and a parameter are required when decrypting electronic data, at least one key is stored in the BTE 9 that can communicate with the tablet terminal 8. Of course, all such keys may be stored in separate portable devices that can communicate with the tablet terminal 8. Hereinafter, an embodiment of the invention will be described.

  FIG. 9 is a conceptual diagram illustrating an outline of key management of the electronic data management system 1 according to the first embodiment of this invention. The electronic data management system 1 of the present invention includes a key management server 20 which is a management unit for managing an encryption key and a decryption key. The key management server 20 communicates with the user terminal 3, the tablet terminal 8, the web server 4, and the like via a network (not shown) although not shown.

  The key management server 20 has a function of generating a pair of an encryption key and a decryption key. The encryption key and the decryption key, identification data related to the user, and the like are stored in the key management database 21. The key management server 20 transmits the encryption key to the user terminal 3 and the decryption key to the tablet terminal 8 through appropriate procedures such as user authentication. If there is a key generation request from the user terminal 3 or the tablet terminal 8, the key management server 20 generates a new key and transmits it to each. When the tablet terminal 8 or its user receives a notification that the decryption key has been lost, the key management server 20 takes measures to stop using the decryption key.

  For example, the key management database 21 is updated to stop using the key. Further, it notifies all the users using the decryption key, the tablet terminal 8, the user terminal 3, and the like, and stops using the decryption key. When a new decryption key is transmitted from the key management server 20, the tablet terminal 8 stores the new decryption key in the BTE 9. After storing the new decryption key in the BTE 9, the tablet terminal 8 notifies the key management server 20. The tablet terminal 8 does not store all of the decryption keys in its storage means, auxiliary storage means and the like.

  When the BTE 9 is lost, the BTE 9 is stored with a new BTE and a new decryption key and passed to the user. Alternatively, the user prepares a new BTE 9 and stores the decryption key newly issued from the key management server 20 in the BTE 9 via the tablet terminal 8. Furthermore, since the data received from the web server 4 is stored in the recording medium of the tablet terminal 8, the auxiliary storage means or the like while being encrypted, if the BTE 9 is not provided, the data is decrypted and significant electronic data is stored. I can't get it.

  These notifications include all or part of the data identifying the user, such as the user's name and identification number, the identification data of the tablet terminal 8, the identification data of the BTE 9, and the identification data of the lost key. It is. In other words, data that can identify the lost item is notified to the key management server 20, and the key management server 20 is set so that the device cannot be used.

[Common key encryption method]
The simplest method is a common key encryption method, in which the same function is used for an encryption key and a decryption key. Therefore, the user terminal 3 encrypts the electronic data with the encryption key, and transmits the encrypted electronic data to the web server 4 to store the encrypted electronic data in the web server 4. The encryption key of the user terminal 3 is stored in the user terminal 3 or the BTE 7. On the tablet terminal 8 side, the decryption key is stored in the BTE 9. The tablet terminal 8 receives the encrypted electronic data from the web server 4, receives the decryption key from the BTE 9, and decrypts the encrypted electronic data with the decryption key.

  In the case of the common key cryptosystem, a problem occurs when the tablet terminal 8 or the BTE 9 is lost. Consider a case where the tablet terminal 8 is lost. Even if a third party who obtains the tablet terminal 8 accesses the web server 4 from the tablet terminal 8, the encrypted electronic data received from the web server 4 cannot be decrypted because the third party does not have the BTE 9. . Needless to say, since the web server 4 has an authentication procedure based on a login name, a password, and the like, a third party cannot easily access the web server 4.

  Furthermore, since the data received from the web server 4 is stored in the recording medium of the tablet terminal 8, the auxiliary storage means or the like while being encrypted, if the BTE 9 is not provided, the data is decrypted and significant electronic data is stored. I can't get it. In the case of the common key cryptosystem, the case where BTE 9 is lost will be considered. Since a third party who has acquired the BTE 9 does not have the tablet terminal 8, the third party cannot access the web server 4. Furthermore, even if another computer accesses the web server 4, a third party cannot easily access the web server 4 because there is an authentication procedure using a login name and a password.

  If the BTE 9 is lost, the administrator can receive a notification from the user who has used the BTE 9 and stop the transmission of the electronic data to the web server 4, so that the safe use of the electronic data is guaranteed. You. If the BTE 9 is lost, there is a risk that the encryption key will be leaked, and another encryption key will be reissued to replace the electronic data in the web server 4 with another encryption. And the use can be restarted.

[Public key cryptosystem]
In the case of the public key cryptosystem, the encryption key and the decryption key are different. The user terminal 3 encrypts the electronic data with the encryption key, which is a public key, and sends it to the web server 4. On the tablet terminal 8 side, a decryption key which is a secret key paired with the public key is stored in the BTE 9. The tablet terminal 8 receives the encrypted electronic data from the web server 4, receives the secret key from the BTE 9, and decrypts the encrypted electronic data with the secret key.

  Consider a case where the tablet terminal 8 is lost. Even if a third party who obtains the tablet terminal 8 accesses the web server 4 from the tablet terminal 8, the encrypted electronic data received from the web server 4 cannot be decrypted because the third party does not have the BTE 9. . Needless to say, since the web server 4 has an authentication procedure based on a login name, a password, and the like, a third party cannot easily access the web server 4.

  Furthermore, since the data received from the web server 4 is stored in the recording medium of the tablet terminal 8, the auxiliary storage means or the like while being encrypted, if the BTE 9 is not provided, the data is decrypted and significant electronic data is stored. I can't get it. Consider the case where BTE 9 is lost. The third party who has obtained the BTE 9 cannot access the web server 4 because there is no tablet terminal 8. Furthermore, even if another computer accesses the web server 4, a third party cannot easily access the web server 4 because there is an authentication procedure using a login name and a password.

  If the BTE 9 is lost, the administrator receiving the BTE 9 is notified by the user and the transmission of the electronic data to the web server 4 can be stopped, so that the safe use of the electronic data is guaranteed. If the BTE 9 is lost, there is a risk that the private key leaks, and another public key and private key of another pair are reissued, and the electronic data in the web server 4 is replaced with another encryption. And the use can be restarted. Furthermore, since the data received from the web server 4 is stored in the recording medium of the tablet terminal 8, the auxiliary storage means or the like while being encrypted, if the BTE 9 is not provided, the data is decrypted and significant electronic data is stored. I can't get it.

  In the public key cryptosystem, a plurality of secret keys SK1 to SKn may be generated for a public key PK. In this case, if the secret key is lost, the key management server 20 notifies all the users that the use of the secret key is prohibited. Then, the BTE 9 is set as a new BTE, and the new secret key is stored in the new BTE and passed to the user. Alternatively, the user prepares a new BTE 9 and stores the new secret key newly transmitted from the key management server 20 in the BTE 9 via the tablet terminal 8.

[Functional cryptography]
There is a functional encryption method as an encryption method. This functional encryption method is a generalization of a public key encryption method, and uses a function as a parameter for a public key and a secret key. The functional encryption method has two or more decryption keys including a decryption key and a parameter. If these keys are stored in different locations, the security of electronic data is improved. Furthermore, even if the key is lost, it is possible to cope by reissuing one of the keys.

  In particular, since a plurality of parameters can be used for one key, use of the lost parameter can be stopped, and another parameter can be reissued and used again. As shown in FIG. 9, the user terminal 3 encrypts the electronic data using the public key PK and the parameter Y. On the tablet terminal 8 side, the encrypted electronic data is decrypted using the secret key SK and the parameter X.

  The public key PK and the secret keys SK1 to SKn are generated in pairs. The parameter Y and the parameter X satisfy a specific function R. As long as the specific function R is satisfied, a plurality of parameters X1 to Xn can be used for the parameter Y. If the parameter X satisfies the function R for the plurality of parameters Y1 to Yn, the encrypted electronic data can be decrypted using the secret key and the parameter X. When this is applied to the present invention, the secret key SK can be stored in the tablet terminal 8 and the parameter X can be stored in the BTE 9.

The secret key SK can be stored in the BTE 9 and the parameter X can be stored in the tablet terminal 8. The user terminal 3 uses the paired public key PK and the parameter Y to encrypt the electronic data. The user terminal 3 stores the public key PK, and the BTE 7 stores the parameter Y. Or, conversely, the user terminal 3 can store the parameter Y and the BTE 7 can store the public key PK. Since the encryption key is assumed to be made public, both the public key PK and the parameter Y can be stored in the user terminal 3 or the BTE 7.

  There is no problem even if the public key PK and the parameter Y are lost. Here, the loss of the tablet terminal 8 and the BTE 9 is considered. Consider a case where the tablet terminal 8 is lost. Even if a third party who has obtained the tablet terminal 8 accesses the web server 4 from the tablet terminal 8, the third party does not have the BTE 9, in other words, has not obtained both the secret key SK and the parameter X. The encrypted electronic data received from the server 4 cannot be decrypted.

  Needless to say, since the web server 4 has an authentication procedure based on a login name, a password, and the like, a third party cannot easily access the web server 4. Consider the case where BTE 9 is lost. A third party who has acquired the BTE 9 cannot access the web server 4 without the tablet terminal 8. Furthermore, even if another computer accesses the web server 4, a third party cannot easily access the web server 4 because there is an authentication procedure using a login name and a password.

  Furthermore, since a personal identification number or the like is used to authenticate the BTE 9 to the computer, it cannot be easily obtained by a third party. When the BTE 9 is lost, the key management server 20 issues a new parameter X instead of the parameter X stored in the BTE 9 and transmits it to the tablet terminal 8. In this case, the new parameter X has a relationship satisfying the parameter Y and the function R on the user terminal 3 side.

  As described above, even if one of the tablet terminal 8 and the BTE 9 is lost, the encrypted electronic data cannot be decrypted. As long as the parameter Y satisfies the function R, a plurality of parameters can be designated, and this can be used as attribute information of electronic data. Examples of the attribute information include the user's e-mail address, the rank of the user's job title, the specialty of the user's major, the copyright information of the content, the use of electronic data, etc. The class of information.

  In the above description, an example has been described in which one of the tablet terminal 8 and the BTE 9 stores a decryption key and the other stores a parameter. However, the decryption key and the parameter can be stored one by one in a plurality of BTEs 9 that can communicate with the tablet terminal 8. When using the electronic data on the tablet terminal 8, a program such as the security program 82 (see FIG. 3) obtains a decryption key and a parameter from each BTE 9, and decrypts the electronic data.

[Others]
As described above, the user terminal 3 and the BTE 7 have been described as encrypting the electronic data. Although detailed description is omitted, like the combination of the tablet terminal 8 and the BTE 9, the user terminal 3 and the BTE 7 have a secret key or a secret key and a parameter X, and can decrypt electronic data. Similarly, the tablet terminal 8 and the BTE 9 can encrypt electronic data using the encryption key or the encryption key and the parameter Y.

The user terminal 3 can be a mobile terminal such as a tablet terminal or a smartphone. The user terminal 3 includes a portable terminal having a function of accessing the network 2 such as a tablet terminal and a smartphone.
Portable devices such as BTE9 and BTE7 have an identification ID. The ID is stored in a memory or the like in the ID, and is used for device authentication and identification. When the BTE 9 and the BTE 7 are lost, the user notifies the administrator and the key management server 20 of the identification IDs of the BTE 9 and the BTE 7, and updates the key management data 21.

  The key management data 21 is set to prohibit use of the portable device having the notified ID. When a new decryption key is generated and stored in a new BTE 9 or BTE 7, the identification ID of the new BTE 9 or BTE 7 is registered in the key management data 21. In this way, the IDs are managed centrally. In this example, the BTE has been described as an example of the portable device. The portable device can be a watch-type device, a pen-type device, a USB key, or the like as long as it has a function equivalent to the above-described BTE. The BTE itself can be a watch-type or pen-type device.

  When the use of the electronic data is stopped in the tablet terminal 8, a step of deleting the electronic data is provided. For example, the security program 32, the BTE monitoring program 37, the security program 82, the BTE monitoring program 87, and the like have a data deletion function for deleting electronic data. When the BTE 9 or BTE 7 or the tablet terminal 8 is located outside the available range for a long period of time equal to or longer than the predetermined period, the data deletion function starts, and the electronic data in the tablet terminal 8 is deleted.

  The type of electronic data to be deleted and other deletion conditions can be set in advance by a user or an administrator. In addition, even if the BTE 9 or BTE 7 is lost and a predetermined period has elapsed, no new BTE 9 or BTE 7 has been registered, or no key has been registered. Delete electronic data. Further, when a predetermined time has elapsed after the use of the tablet terminal 8 has been stopped, or when there is an instruction from an administrator or a server, the data deletion function starts, and the electronic data in the tablet terminal 8 is deleted.

[Second embodiment]
Hereinafter, a second embodiment of the present invention will be described. Since the second embodiment of the present invention is basically the same as the above-described first embodiment, only different portions will be described. In the above-described first embodiment, an example in which the electronic data is transmitted from the web server 4 to the tablet terminal 8 as illustrated in FIG. 1 has been described. In the second embodiment of the present invention, the encrypted electronic data is stored and used in the tablet terminal 8.

  As a use scene of the second embodiment of the present invention, when the tablet terminal 8 accesses a portable auxiliary storage device and reads and uses the encrypted user data, the tablet terminal 8 communicates with the user terminal 3. There are various situations such as a case where the electronic data is directly connected and obtained by using the encrypted electronic data from the user terminal 3 and used, and a case where the encrypted electronic data is created and used in the tablet terminal 8. The function of acquiring an encryption key or a parameter from the BTE 9 and decrypting the encrypted electronic data in the tablet terminal 8 is the same as the above-described example.

[Third Embodiment]
Hereinafter, a third embodiment of the present invention will be described. Since the electronic data management system 1 according to the third embodiment of the present invention is basically the same as the above-described first or second embodiment, only different portions will be described. The electronic data management system 1 according to the third embodiment of the present invention uses an identification number or an identification name of a portable device carried or carried by a user for encryption and decryption.

  The electronic data management system 1 according to the third embodiment of the present invention has the same configuration as that shown in FIG. 1, but BTE 9, smartphone 12, wireless storage 13 , A camera 17 and the like. The mobile devices such as the BTE 9, the smartphone 12, the wireless storage, and the camera 17 are connected to the tablet 8 in accordance with the communication protocol, similarly to the BTE 9, and thus the detailed description of the connection method is omitted.

  When the smartphone 12 is connected to the tablet 8, the tablet 8 acquires a communication identification address such as a MAC address and an IP address of the smartphone 12, a unique address of the smartphone 12, and performs device authentication. The wireless storage 13 is a device that has a wireless communication function such as Wi-Fi and uses a non-volatile memory device such as a USB memory 14 and an SD card 15. The wireless storage 13 is connected to the tablet 8 wirelessly, and causes the tablet 8 to recognize a connected or built-in nonvolatile memory device such as the USB memory 14 and the SD card 15 as an auxiliary storage device.

  At this time, the tablet terminal 8 acquires the identification address or the identification number of the nonvolatile memory device such as the USB memory 14 and the SD card 15 and performs the device authentication. The tablet terminal 8 also acquires an identification address such as a MAC address and an IP address of the wireless storage 13 or an identification number, and performs device authentication. The camera 14 is an example of another device using a nonvolatile memory such as the SD card 16. When the camera 14 itself has a wireless communication function such as Wi-Fi, the tablet terminal 8 recognizes the camera 14 as an external device or an auxiliary storage device.

  At this time, the tablet terminal 8 acquires an identification address or an identification number such as a MAC address and an IP address of the camera 17 and performs device authentication. When the Wi-Fi function is built in a nonvolatile memory device such as the SD card 16, the SD card 16 is recognized by the tablet terminal 8 as an auxiliary storage device. At this time, the tablet terminal 8 acquires the identification address of the SD card 16, the MAC address of the communication function of the SD card 16, the IP address, and the like, and performs device authentication.

  As described above, an identification address for identifying a portable device is generally set by a manufacturer that manufactures such a device. A typical example is an identifier called a MAC address. This is given to a component such as a network card connected to the network. For the MAC address, different addresses are assigned to the respective parts, even for the same model and the same part manufactured by the same manufacturer. Similarly, BTEs and the like also have unique addresses that identify them.

  A procedure for encrypting and decrypting user data using an identification address for identifying a portable device will be described below. First, encryption is performed in the user terminal 3 or the tablet terminal 8, but when generating an encryption key, a unique address of a portable device carried or carried by the user is used. As this unique address, as described in the description of FIG. 10, if the device has a network function, its MAC address, a unique identification address of each device, and the like are used.

  When generating an encryption key in the user terminal 3 or the tablet terminal 8, software or a module for generating an encryption key is used, but a specific function is used together with the unique address of the mobile device or the unique address of the mobile device. Generate a key according to a specific algorithm. The decryption key can be generated together with the encryption key, but may be separately generated later if the same function and a specific function are used. The user terminal 3 or the tablet terminal 8 uses the generated encryption key to encrypt the user data.

  The encrypted user data is transmitted to the web server 4 or transmitted to the tablet 8. Next, decoding will be described. FIG. 11 is a flowchart illustrating an example of a flow of a decryption process of the electronic data management system 1 according to the third embodiment of this invention. First, the user activates the tablet terminal 8 and logs in (first authentication) (steps 201 and 202). Thereafter, the tablet terminal 8 is connected to the network 2, communicates with the web server 4, accesses a cloud service provided by the web server 4, and performs user authentication (second authentication) (steps 203 to 205).

  This makes it possible to acquire user data from the web server 4. As described herein, the procedures for connecting to the network 2, accessing the cloud service, and acquiring user data from the web server 4 are the procedures described in the first embodiment. The tablet terminal 8 acquires the user data from the web server 4 and starts using (steps 206 and 207). When using the user data obtained from the web server 4, the tablet terminal 8 needs to decrypt the user data if the user data is encrypted.

  Therefore, the tablet terminal 8 checks whether the user data acquired from the web server 4 is encrypted (step 208). If not, the user data is used as it is by an appropriate application program or the like (steps 208 → 221). For example, the user data can be browsed, edited, and the like using an application program dedicated to the user data that operates on the tablet terminal 8.

  When the user data acquired from the web server 4 is encrypted, the tablet terminal 8 issues a request to decrypt the user data, and a decryption application program or a decryption module (hereinafter, described as a decryption application program). ) Is activated (step 208 → step 209). The decryption application program specifies the storage location of the decryption key. The storage location of the decryption key is registered in the decryption application program in advance.

  If the storage location of the decryption key is in the auxiliary storage device in the tablet terminal 8, the storage device accesses this auxiliary storage device, obtains the decryption key (step 211, step 212 → 220), and performs the decryption process. If the storage location of the decryption key is stored in the mobile device, the tablet terminal 8 connects to the mobile device and starts the process of obtaining the decryption key (step 211 → step 213). First, the connection between the tablet terminal 8 and the portable device is confirmed. If the connection is not confirmed, the portable terminal is connected (step 213).

  When the connection with the mobile device is established, a unique address of the mobile device is obtained (step 214). As described above, as the unique address of the mobile device, a unique address for communication such as a MAC, a unique address for device identification assigned by a manufacturer, a unique address for device identification assigned by a user, and the like can be used. . The mobile tablet terminal 8 refers to the mobile device specific address list (step 215). The mobile device unique address list is a list in which unique addresses of mobile devices that can be used by the user or the tablet terminal 8 are registered. This is a so-called whitelist of available mobile devices.

  The mobile tablet terminal 8 determines whether the unique address of the connected mobile device is an address registered in the mobile device unique address list (third authentication) (step 215). If the unique address of the portable device is an address registered in the unique address list of the portable device, the use of the portable device is permitted (step 216). Then, the portable device is continuously authenticated, and the portable device can be accessed (step 217).

  If the unique address of the mobile device is not registered in the mobile device unique address list, or if the use of the mobile device is prohibited, the continuation is suspended and the use of user data is stopped. (Steps 216 → 222). If the use of the portable device is permitted, the portable device is subsequently authenticated, and the portable device can be accessed (step 216 → step 217). If the authentication of the mobile device is performed and succeeded, the tablet terminal 8 of the mobile device accesses the mobile device and obtains a decryption key from the stored electronic data (step 218 → step 219).

  Then, the user data is decrypted for the first time with the decryption key and used (steps 220 and 221). In other words, the decryption module or decryption application software obtains the decryption key and starts decrypting the electronic data. Then, the tablet terminal 8 proceeds to the next processing (step 223). It is preferable that the mobile device specific address list is managed in a unified manner. For example, as shown in FIG. 1, it is preferable that the management is performed by a key management server on the network 2.

  The tablet terminal 8 may access the key management server 20 (see FIG. 9) at all times or every time the user data is decrypted to check the unique address of the mobile device. The list of available mobile device-specific addresses may be stored in a location that can be immediately accessed from the tablet terminal 8. For example, when the mobile device specific address list is stored in the tablet terminal 8 or in a memory such as the auxiliary storage device or the BTE 9 connected to the tablet terminal 8, the mobile device specific address list is stored in the tablet terminal 8 even in an environment where connection to the network 2 is not possible. Can be accessed.

  The mobile device unique address list stores a user name indicating the name of the user, a tablet terminal used by the user, a unique address of the mobile device used by the user, information necessary for generating a decryption key or an encryption key, and the like. You. Preferably, the mobile device specific address list is encrypted and stored. Alternatively, the portable device specific address list is stored in a hidden area that cannot be directly accessed from a general-purpose operating system, a recording area that can be accessed only by a dedicated application program, or a format.

  The mobile device-specific address list may include, if necessary, the type of electronic data, the area or place or range in which the electronic data can be used, the usage form of the electronic data, and the like, which is set in advance by a user or an administrator. . In the portable device unique address list, a unique address of a portable device whose use is not permitted can be registered. It is possible to register a lost portable device or the like in this list so that it cannot be used. With this setting, even for a formal user, decryption of the electronic data without the combination of the formal BTE 9 and the portable device further enhances the security of management.

[Other examples]
As described above, in order to use electronic data, a method of performing authentication in a plurality of stages from the first authentication to the third authentication has been described. A method for reducing these authentications and reducing the burden on the user will now be described. For example, the unique address of the mobile device can be used as information for generating a decryption key. This use is as follows. In order to generate an encryption key and a decryption key, a key generation algorithm and original data that is a source of key generation are required.

  As the original data, the unique address of the portable device can be used. However, if the format of the original data and the key generation algorithm are all made public, it may cause information leakage to a third party. The original data is preferably data including a unique address and further including secret information of an administrator or a user, but can be set in advance by an administrator or a user.

  In the above-mentioned use step, when the decryption module connects to the user's portable device, authenticates and obtains the unique address, the decryption module uses the unique address as the original data for key generation, and uses the decryption key or the encryption key. Generate a key or a pair of encryption key and decryption key. Then, the electronic data is used with the generated decryption key. This eliminates the step of storing the decryption key in the portable device. Therefore, if there is a portable device dedicated to the user, and the device can be connected to the tablet terminal 8, the user data can be decrypted. This method is convenient for applications that do not require high security.

  Even if the user loses the tablet terminal 8, the user data cannot be decrypted because the unique address of the mobile device cannot be obtained. At this time, even if the unique address of the mobile device is obtained, the unique address is obtained from the mobile device only when the tablet terminal 8 and the mobile device are connected by a formal communication procedure. Unable to obtain a unique address, and cannot decrypt user data.

  If the user loses the portable device, the portable device notifies the key management server 20 or registers the unique address in the portable device unique address list of the tablet terminal 8 as an unusable device or an unusable unique address. This renders the lost mobile device unusable. Therefore, it is impossible to decrypt the user data using the unique address. Electronic data encrypted using a lost unique address can be converted into encrypted data using another unique address in the following procedure.

  Basically, since the administrator knows the format of the encrypted data, a dedicated application program for the data is created, and decryption is performed only by inputting a unique address with the permission of the administrator. Then, encryption is performed again with the encryption key using the new unique address. Alternatively, there may be an application program having a function of automatically decrypting and encrypting only by inputting old unique data and new unique data. Of course, the application program may be a cloud service.

  The present invention may be used in fields such as cloud services that have a web server and provide network services. Further, the present invention may be used in a field in which electronic data including corporate confidentiality, know-how, personal information, and the like is used on a portable terminal.

DESCRIPTION OF SYMBOLS 1 ... Electronic data management system 2 ... Network 3 ... User terminal 4 ... Web server 5 ... Web database 6 ... Encryption software 7, 9 ... Bluetooth equipment (BTE)
8 Tablet terminal 10 Special viewer 11 Special application software 12 Smartphone 13 Wireless storage 14 USB memory 15, 16 SD card 17 Camera 31, 81 Web browser 32, 82 Security program 33, 43, 83 ... TLS
34, 44, 84 Network layer 41 Server program 91 Antenna 92 Bluetooth communication unit 93 Control unit 94 Display unit 95 Operation unit 96 Oscillation circuit 97 Memory

Claims (20)

network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
A network system comprising a storage device or a web database on the network storing the encrypted user data,
When using the user data obtained from the network in the portable terminal, in the method for managing network system electronic data for securing and managing the security of the user data,
The mobile terminal acquires the encrypted user data from the storage device or the web database and stores the user data in a storage unit of the mobile terminal,
The portable terminal stores the decryption key acquired from the key management unit in a portable device that can communicate with the portable terminal without storing the decryption key in the storage unit of the portable terminal.
In the portable terminal, when using the encrypted user data, the portable terminal communicates with the portable device to obtain a unique address of the portable device,
The portable terminal is stored in the key management means or the portable terminal, confirms the unique address by accessing a portable device unique address list that has registered a device permitted or disallowed to use,
When the unique address is registered in the portable device unique address list and is an address permitting use of the portable device, the portable terminal communicates with the portable device to acquire the decryption key. Using the user data by decrypting the encrypted user data with the decryption key,
When the unique address is not registered in the portable device unique address list or is an address that prohibits the use of the portable device, the portable terminal determines use of the encrypted user data. A method for managing electronic data for a network system, wherein the method is stopped. network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
A network system comprising a storage device or a web database on the network storing the encrypted user data,
When using the user data obtained from the network in the portable terminal, in the method for managing network system electronic data for securing and managing the security of the user data,
The key management means includes: (a) the encryption key and the first parameter for encrypting the user data by a functional encryption method; and (b) the decryption of the encrypted user data. Generating and managing a second parameter satisfying a specific function R together with the decryption key paired with the encryption key, and the first parameter;
The user data encrypted in the mobile terminal with the encryption key and the first parameter is stored in the storage device or the web database,
The mobile terminal acquires the encrypted user data from the storage device or the web database and stores the user data in a storage unit of the mobile terminal,
The mobile terminal obtains the decryption key and the second parameter from the key management unit, and the decryption key is not stored in the storage unit of the mobile terminal, but is stored in a mobile device that can communicate with the mobile terminal . The second parameter is stored in the mobile terminal,
When using the encrypted user data in the mobile terminal, the mobile terminal communicates with the mobile device to obtain a unique address of the mobile device,
The portable terminal is stored in the key management means or the portable terminal, confirms the unique address by accessing a portable device unique address list that has registered a device permitted or disallowed to use,
The unique address is registered in the portable device-specific address list, and when an address that is permitted to use of the portable device, the portable terminal acquires the decryption key by communicating with the portable device Using the user data by decrypting the encrypted user data using the decryption key and the second parameter,
When the unique address is not registered in the portable device unique address list or is an address that prohibits the use of the portable device, the portable terminal determines use of the encrypted user data. A method for managing electronic data for a network system, wherein the method is stopped. The method for managing electronic data for a network system according to claim 1 or 2 ,
The mobile terminal is obtained from first position information obtaining means mounted on the mobile terminal, and includes first position information indicating the position of the mobile terminal, and second position information obtaining means mounted on the mobile device. Comparing the acquired second position information indicating the position of the mobile device, calculating the distance, the distance is greater than or equal to a predetermined distance, and the position of the mobile device is out of the range available from the mobile terminal If the mobile device is located, or if the communication between the mobile device and the mobile terminal is disconnected, or if communication between the mobile device and the mobile terminal cannot be established for a predetermined period or more, the security means of the mobile terminal Administration method of the electronic data network system, characterized in that but stopping the use of the user data by deleting the user data of the mobile terminal. The method for managing electronic data for a network system according to claim 2,
The method for managing electronic data for a network system, wherein the key management means generates the encryption key and / or the decryption key by a key generation algorithm using the unique address as original data for key generation. The method for managing electronic data for a network system according to claim 1, wherein the method is selected from the claims 1 to 4 .
The electronic data management method for a network system, wherein the mobile terminal and the mobile device have a wireless communication unit for performing wireless communication. The method for managing electronic data for a network system according to claim 5 ,
The method of managing electronic data for a network system, wherein the wireless communication unit is Bluetooth. The method for managing electronic data for a network system according to claim 1, wherein the method is selected from the claims 1 to 6 .
The method for managing electronic data for a network system, wherein the mobile terminal is a notebook computer, a tablet terminal, or a smartphone. The method for managing electronic data for a network system according to claim 1, wherein the method is selected from the claims 1 to 6 .
The electronic data management method for a network system, wherein the portable device is one selected from a clock-type device, a pen-type device, and a USB key. network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
Used in a network system comprising a storage device or a web database on the network that stores the encrypted user data, when using the user data obtained from the network in the mobile terminal, operating the mobile terminal In the network system electronic data management program for ensuring and managing the security of the user data,
Connecting to the network and obtaining the encryption key from the key management means;
Transmitting the user data encrypted with the encryption key to the network for storage in the storage device or the web database;
Step of connecting to the network, stores from said storage device or the web database in a storage unit of the portable terminal obtains the encrypted the user data,
Connecting to the network, acquiring the decryption key from the key management unit, and storing the decryption key in a portable device that can communicate with the portable terminal without storing the decryption key in the storage unit of the portable terminal;
When using the encrypted user data, communicating with the mobile device to obtain a unique address of the mobile device,
A confirmation step of confirming the unique address by connecting to the network and accessing the key management means or accessing the portable terminal, referring to a portable device unique address list in which available devices are registered,
In the checking step, when the unique address is registered in the portable device unique address list and is an address permitting use of the portable device, the device communicates with the portable device to obtain the decryption key. Decryption key acquisition step,
A decryption step of decrypting the user data with the decryption key obtained in the decryption key acquisition step;
Using the user data decrypted in the decrypting step; and
Stopping the use of the encrypted user data when the unique address is not registered in the mobile device unique address list in the confirmation step, or is an address prohibiting use of the mobile device. And causing the portable terminal to operate the stopping step. network,
A mobile terminal connected to the network,
An encryption key for encrypting user data which is electronic data, and for decrypting the user data encrypted with the encryption key, and for managing a decryption key paired with the encryption key. A key management means connected to the network, and
Used in a network system comprising a storage device or a web database on the network that stores the encrypted user data, when using the user data obtained from the network in the mobile terminal, operating the mobile terminal In the network system electronic data management program for ensuring and managing the security of the user data,
Connecting to the network, (a) the encryption key and the first parameter for encrypting the user data by a functional encryption method, and (b) decryption of the encrypted user data. And obtains the encryption key and the first parameter from the key management unit that generates and manages the decryption key paired with the encryption key and the second parameter that satisfies the specific function R together with the first parameter. Step to do,
Transmitting the user data encrypted with the encryption key and the first parameter to the network for storage in the storage device or the web database;
Connected to the network, from the storage device or the web database, electronic data acquisition step of storing acquires the user data encrypted with the encryption key in the first parameter in the storage unit of the portable terminal,
Connect to the network, obtain the decryption key and the second parameter from the key management unit, and store the decryption key in a portable device that can communicate with the portable terminal without storing it in the storage unit of the portable terminal. Storing the second parameter in the mobile terminal;
When using the encrypted user data, communicating with the mobile device to obtain a unique address of the mobile device,
A confirmation step of confirming the unique address by connecting to the network and accessing the key management means or accessing the portable terminal, referring to a portable device unique address list in which available devices are registered,
In the checking step, when the unique address is registered in the portable device unique address list and is an address permitting use of the portable device, the portable device communicates with the portable device and sends the decryption key to the portable device. A decryption key acquisition step comprising: acquiring from a device; and acquiring the second parameter from auxiliary storage means of the portable terminal.
A decryption step of decrypting the encrypted user data with the decryption key and the second parameter acquired in the decryption key acquisition step ;
Using the user data decrypted in the decrypting step; and
In the confirming step, when the unique address is not registered in the portable device unique address list or is an address prohibiting use of the portable device, the use of the encrypted user data is prohibited. An electronic data management program for a network system, wherein the portable terminal operates a stopping step of stopping. The management program for electronic data for a network system according to claim 9 or 10,
The encryption key and the decryption key are generated by a key generation algorithm using the unique address as original data for key generation by the key management means. . In claims 9 to 11 electronic data management program for a network system according to item 1 which is selected from among,
Monitoring communication between the mobile device and the mobile terminal; and
If the portable device and the portable terminal communication is disconnected, or, when said portable device and the portable terminal communication can not be established between more than a predetermined time period, wherein the step of stopping the use of the user data the mobile A management program for electronic data for a network system, the program being operated by a terminal. In claims 9 to 11 electronic data management program for a network system according to item 1 which is selected from among,
Obtaining first position information from the mobile device;
Using the first location information to identify the location of the mobile device; and
Wherein if the position does not fall within the range decided in advance, the user data utilizing the steps of the mobile terminal to the network system for electronic data management program for causing the operation to stop the. In claims 9 to 11 electronic data management program for a network system according to item 1 which is selected from among,
Obtaining first position information from the mobile device;
Obtaining second position information from a position measuring device of the mobile terminal;
Calculating a distance between the portable terminal and the portable device using the first position information and the second position information; and
When said distance is spaced a predetermined distance or more, the user data utilizing the steps of the mobile terminal to the network system for electronic data management program for causing the operation to stop the. The electronic data management program according to item 1 which is selected from among claims 9 to 14,
When stopping the use of the user data, to operate the step of deleting the user data to the mobile terminal
An electronic data management program for a network system. In claims 9 to 15 electronic data management program for a network system according to item 1 which is selected from among,
The electronic device management program for a network system, wherein the mobile terminal and the mobile device have a wireless communication unit for performing wireless communication. The management program for electronic data for a network system according to claim 16 ,
The management program for electronic data for a network system, wherein the wireless communication unit is Bluetooth. In claims 9 to 11 electronic data management program for a network system according to item 1 which is selected from among,
An electronic data management program for a network system, wherein the mobile terminal is a notebook computer, a tablet terminal, or a smartphone. The management program for electronic data for a network system according to claim 17 ,
The management program for electronic data for a network system, wherein the portable device is one selected from a watch-type device, a pen-type device, and a USB key. 20. A recording medium recording the electronic system management program for a network system according to claim 1 selected from among claims 9 to 19 .

Images