JP7087932B2 - Storage device, data sharing system and data sharing method - Google Patents

Description

The present invention relates to a storage device connected to a computer network (hereinafter, simply referred to as "network").

Patent Document 1 discloses a storage connection device connected to an external storage. This storage connection device does not disclose the share name of the external storage set for hidden sharing, and can safely connect the external storage by notifying the share name when requested by the user operation terminal device. ..

Japanese Unexamined Patent Publication No. 2015-158742

However, in the prior art, even a shared folder set for hidden sharing can be accessed by specifying a shared name. Therefore, if the shared name is leaked, the shared folder may be attacked by malware or malicious hackers (crackers).

Therefore, the present invention provides a storage device, a data sharing system, and a data sharing method that can improve the security of data shared on a network.

The storage device according to one aspect of the present invention is a storage device connected to a network, and includes a first communication unit that communicates with the terminal device via the network, a first storage unit that stores shared data, and the above. A first communication unit and a first control unit that controls the first storage unit are provided, and the first storage unit includes shared setting data and first key data for sharing the shared data on the network. When the first communication unit receives an unlock signal including the second key data from the terminal device, the first control unit stores the second key data in association with the first. It is determined whether or not it matches the key data, and if the second key data matches the first key data, (i) a new shared name is generated, and (ii) the first key data is used. Using the corresponding shared setting data, the shared name of the shared data is enabled on the network with the generated shared name, and (iii) the generated shared name is transmitted to the terminal device.

According to this, when the shared data sharing service is enabled using the unlock signal including the key data, a new shared name is generated, the shared service is enabled with the shared name, and the shared name is further activated. Can be sent to the terminal device. Therefore, not only is the shared service not activated unless the unlock signal is transmitted, but the shared data cannot be accessed without knowing the newly generated shared name. That is, when the shared service is enabled by the unlock signal, it is possible to suppress unauthorized access from a terminal device different from the terminal device to which the shared name is notified, and improve the security of the shared data. Can be done.

Further, for example, in the storage device according to one aspect of the present invention, the first control unit may newly generate the shared name each time the unlock signal is received.

According to this, a new shared name can be generated each time the unlock signal is received. Therefore, it is possible to improve the security of the shared data against the leakage of the shared name.

Further, for example, in the storage device according to one aspect of the present invention, the shared setting data includes a fixed first character string, the first control unit randomly generates a second character string, and the first character string. And the shared name may be generated by combining the second character string.

According to this, the shared name can be generated by combining the fixed first character string and the randomly generated second character string. For legitimate access, the fixed first character string makes it easy to determine which shared folder is being accessed. On the other hand, for unauthorized access, the randomly generated second character string can increase the difficulty of guessing the entire shared name and improve the security of the shared data.

Further, for example, in the storage device according to one aspect of the present invention, the first control unit further shares the shared data enabled when the first communication unit receives a lock signal from the terminal device. You may disable the service.

According to this, when the lock signal received from the terminal device is received, the shared service can be disabled. Therefore, the shared service can be switched from enabled to disabled only by receiving the lock signal, and the shared service can be easily disabled when the user does not use the shared service.

Further, for example, in the storage device according to one aspect of the present invention, whether or not the first control unit further elapses from the time when the shared data is last accessed from the terminal device is equal to or longer than the threshold time. If it is determined whether or not the elapsed time is equal to or longer than the threshold time, the activated shared data sharing service may be disabled.

According to this, when the elapsed time from the time when the shared data is last accessed from the terminal device is equal to or longer than the threshold time, the shared service can be disabled. Therefore, when the user is not using the shared service, the shared service can be automatically disabled, and the security of the shared data can be further improved.

Further, for example, in the storage device according to one aspect of the present invention, the first storage unit stores the first key data in association with the shared setting data and the first user identifier, and the first user identifier is stored. The control unit may enable the shared service that can be accessed only by the first user identifier when the second key data matches the first key data.

According to this, when the second key data included in the unlock signal matches the first key data, the shared service in which only the first user identifier corresponding to the first key data can access the shared data is enabled. be able to. Therefore, it is possible to limit the users who can access the shared data by using the shared service enabled by the unlock signal, and it is possible to further improve the security of the shared data.

Further, for example, in the storage device according to one aspect of the present invention, the unlocking signal includes a second user identifier, and the first control unit further matches the second user identifier with the first user identifier. When it is determined whether or not the second key data matches the first key data and the second user identifier matches the first user identifier, only the first user identifier matches the shared data. You may enable the shared service that is accessible to.

According to this, when the second user identifier included in the unlock signal matches the first user identifier corresponding to the first key data, the shared service can be enabled. Therefore, even if the same key data is shared by a plurality of users, the shared service can be enabled for each user, and the convenience of the user and the security of the shared data can be improved.

Further, for example, in the storage device according to one aspect of the present invention, when the second key data matches the first key data, the first control unit only uses the terminal device that is the source of the unlock signal. The shared service that can access the shared data may be enabled.

According to this, when the second key data included in the unlock signal matches the first key data, it is possible to enable a shared service in which only the terminal device that is the source of the unlock signal can access the shared data. can. Therefore, it is possible to limit the terminal devices that can access the shared data by the shared service enabled by the unlock signal, and further improve the security of the shared data.

The data sharing system according to one aspect of the present invention includes the storage device and a terminal device connected to the network, and the terminal device is a second communication unit that communicates with the storage device via the network. The second control unit includes an input unit that receives input from the user, a display unit, and a second control unit that controls the second communication unit, the input unit, and the display unit. The two-key data input screen is displayed on the display unit, the second key data is received via the input unit, and the unlocking signal including the second key data received via the input unit is stored in the storage. Send to the device.

According to this, the same effect as that of the storage device can be obtained.

It should be noted that these comprehensive or specific embodiments may be realized by a recording medium such as a system, a method, an integrated circuit, a computer program or a computer-readable CD-ROM, and the system, a method, an integrated circuit, or a computer program may be realized. And may be realized by any combination of recording media.

The storage device or the like according to one aspect of the present invention can improve the security of data shared on the network.

FIG. 1 is a diagram showing a hardware configuration of a file sharing system according to the first embodiment. FIG. 2 is a block diagram showing a functional configuration of the file sharing system according to the first embodiment. FIG. 3 is a sequence diagram showing an example of the sharing setting process in the file sharing system according to the first embodiment. FIG. 4 is a diagram showing an example of the registration screen of the shared folder in the first embodiment. FIG. 5 is a diagram showing an example of a shared setting table according to the first embodiment. FIG. 6 is a sequence diagram showing an example of access processing to a normal shared folder in the file sharing system according to the first embodiment. FIG. 7 is a sequence diagram showing an example of failure in the access process to the security folder in the file sharing system according to the first embodiment. FIG. 8A is a sequence diagram showing a successful example of the first access process to the security folder in the file sharing system according to the first embodiment. FIG. 8B is a sequence diagram showing a successful example of the second access process to the security folder in the file sharing system according to the first embodiment. FIG. 9 is a diagram showing an example of an unlocking signal transmission screen according to the first embodiment. FIG. 10 is a flowchart showing an activation process of the shared service by the storage device according to the first embodiment. FIG. 11 is a diagram showing an example of a shared state table according to the first embodiment. FIG. 12 is a flowchart showing a file operation process by the storage device according to the first embodiment. FIG. 13 is a block diagram showing a functional configuration of the file sharing system according to the second embodiment. FIG. 14A is a sequence diagram showing a successful example of the first access process to the security folder in the file sharing system according to the second embodiment. FIG. 14B is a sequence diagram showing a successful example of the second access process to the security folder in the file sharing system according to the second embodiment.

Hereinafter, embodiments will be specifically described with reference to the drawings.

It should be noted that all of the embodiments described below show comprehensive or specific examples. The numerical values, shapes, materials, components, arrangement positions and connection forms of the components, steps, the order of steps, etc. shown in the following embodiments are examples, and are not intended to limit the scope of claims. Further, among the components in the following embodiments, the components not described in the independent claims indicating the highest level concept are described as arbitrary components. In addition, each figure is not necessarily exactly illustrated. In each figure, substantially the same configurations are designated by the same reference numerals, and duplicate explanations are omitted or simplified.

(Embodiment 1)
The first embodiment will be specifically described with reference to FIGS. 1 to 12.

[Hardware configuration of file sharing system]
First, the hardware configuration of the file sharing system will be described with reference to FIG. FIG. 1 is a hardware configuration diagram of the file sharing system 100 according to the first embodiment. The file sharing system 100 is an example of a data sharing system, and includes a NAS (Network Attached Storage) 10a, a PC (Personal Computer) 20a, 20b, 20c, and a smartphone 20d.

The NAS 10a is connected to the LAN 200 and can transmit and receive data to and from the PC 20a, 20b, 20c and the smartphone 20d. The LAN 200 is an example of a network and is not limited thereto.

The PCs 20a, 20b, 20c include a processor, a memory, a display, an input device, and the like. The PCs 20a, 20b and 20c are connected to the LAN 200.

The smartphone 20d includes a processor, a memory, a touch screen, and the like. The smartphone 20d can be directly connected to NAS10a wirelessly. Further, the smartphone 20d may be connected to the LAN 200 via a wireless access point (WAP) or the like.

[NAS hardware configuration]
As shown in FIG. 1, the NAS 10a includes a wired LAN (Local Area Network) module 11a, a wireless LAN module 11b, HDDs (Hard Disk Drives) 12a and 12b, and a RAID (Redundant Arrays of Inexpensive Disks) module 12d. It includes an SD (Secure Digital) card 12e, a SoC (System on a Chip) 13a, and a DDR RAID (Double Data Rate Synchronous Dynamic Random-Access Memory) 13b.

The wired LAN module 11a includes a connector (for example, RJ-45) to which a LAN cable or the like is connected, and an electronic circuit for communication. The wired LAN module 11a connects the NAS 10a to the network via the LAN cable connected to the connector.

The wireless LAN module 11b includes an antenna, an electronic circuit for communication, and functions as an access point (WAP). The wireless LAN module 11b directly connects the NAS 10a to the smartphone 20d via electromagnetic waves. Further, the wireless LAN module 11b may connect the NAS 10a to the LAN 200 via WAP or the like.

Each of the HDDs 12a and 12b is a magnetic storage device for storing and reading digital data, and is connected to the RAID module 12d via SATA (Serial ATA).

The SD card 12e is a non-volatile semiconductor memory that can be attached to and detached from the SD card connector. The SD card 12e stores programs and setting data.

The RAID module 12d combines a plurality of physical HDDs into one logical storage unit in order to improve data redundancy and / or performance. For example, the RAID module 12d performs mirroring processing (RAID 1), disk management, and the like.

The SoC13a is an integrated circuit that controls the operation of the wired LAN module 11a, the wireless LAN module 11b, the RAID module 12d, and the like.

The DDR SDRAM 13b is a volatile semiconductor memory. The DDR SDRAM 13b is used as a working storage area by, for example, the SoC13a.

[Functional configuration of file sharing system]
Next, the functional configuration of the file sharing system 100 will be specifically described with reference to FIG. FIG. 2 is a block diagram showing a functional configuration of the file sharing system 100 according to the first embodiment. The file sharing system 100 functionally includes a storage device 10 and a terminal device 20.

[Functional configuration of storage device]
First, the functional configuration of the storage device 10 will be described. For example, the NAS 10a of FIG. 1 functions as the storage device 10 of FIG. As shown in FIG. 2, the storage device 10 includes a communication unit 11, a storage unit 12, and a control unit 13.

The communication unit 11 is an example of the first communication unit, and is realized by, for example, the wired LAN module 11a and / or the wireless LAN module 11b of FIG. The communication unit 11 communicates with the terminal device 20 via a network. Specifically, the communication unit 11 receives the unlock signal including the second key data from the terminal device 20. Further, the communication unit 11 receives the lock signal from the terminal device 20.

The unlock signal is a signal for activating the file or file set sharing service based on the pre-stored sharing setting data. The lock signal is a signal for disabling the file or file set sharing service enabled by the unlock signal. The unlock signal and the lock signal are communicated by a general communication protocol such as HTTP (Hypertext Transfer Protocol). In this case, a secure communication protocol such as HTTPS (Hypertext Transfer Protocol Secure) that encrypts and communicates using SSL (Secure Sockets Layer) / TLS (Transport Layer Security) is used to prevent the key data from being stolen. preferable.

The shared service is a service that makes data stored in a computer connected to a network accessible from other computers on the network, for example, in file units or in file sets (for example, folders) consisting of multiple files. be. The unit for sharing data is not limited to a file or a folder, and may be, for example, a drive unit.

The key data is data for verifying the validity of the unlock signal for activating the sharing service of the file or the file set.

The storage unit 12 is an example of the first storage unit, and is realized by, for example, the HDDs 12a and 12b of FIG. 1, the RAID module 12d, and the SD card 12e. The storage unit 12 stores files in, for example, HDDs 12a and 12b. Further, the storage unit 12 stores, for example, the SD card 12e in association with the shared setting data for sharing the shared file on the network and the first key data.

A file is data managed by a file system. Here, files are an example of shared data and are grouped by folders. A folder is data for grouping files. Folders are sometimes called directories.

The control unit 13 is an example of the first control unit, and is realized by, for example, the SoC13a and the DDR SDRAM 13b of FIG. The control unit 13 controls the communication unit 11 and the storage unit 12.

Specifically, in the control unit 13, when the communication unit 11 receives the unlock signal including the second key data from the terminal device 20, the second key data included in the received unlock signal is stored in the storage unit 12. It is determined whether or not the data matches the first key data stored in. Here, when the second key data matches the first key data, the control unit 13 newly generates (i) a shared name, and (ii) uses the shared setting data corresponding to the first key data. Then, with the generated share name, the sharing service of the file on the network is enabled, and (iii) the generated share name is transmitted to the terminal device 20. That is, when the second key data matches the first key data, the control unit 13 permits the file sharing service to be enabled with the newly generated share name, and the second key data becomes the first key data. Prohibit enabling the file sharing service if they do not match. When the file sharing service is enabled, the newly generated shared name is notified to the terminal device 20, and the shared service is enabled with the shared name.

In addition, the control unit 13 disables the enabled file sharing service. That is, the control unit 13 temporarily stops the file sharing service. For example, when the communication unit 11 receives the lock signal from the terminal device 20, the control unit 13 disables the enabled file sharing service. Further, for example, it is determined whether or not the elapsed time from the time when the terminal device 20 last accessed the file is equal to or longer than the threshold time, and when the elapsed time is equal to or longer than the threshold time, the activated file is determined. Disable shared services. The elapsed time is measured, for example, based on the system clock of the storage device 10.

[Functional configuration of terminal device]
Next, the functional configuration of the terminal device 20 will be described. For example, each of the PCs 20a, 20b, 20c and the smartphone 20d of FIG. 1 functions as the terminal device 20 of FIG. As shown in FIG. 2, the terminal device 20 includes a communication unit 21, a control unit 24, a display unit 22, and an input unit 23.

The communication unit 21 is an example of the second communication unit, and is realized by, for example, a wired LAN module or a wireless LAN module. The communication unit 21 communicates with the storage device 10 via the network.

The display unit 22 is realized by, for example, a liquid crystal display or an organic EL display. The display unit 22 displays a graphical user interface (GUI).

The input unit 23 is realized by, for example, at least one of a keyboard and a mouse. Further, the input unit 23 may be realized by a touch screen. The input unit 23 receives input from the user.

The control unit 24 is an example of the second control unit, and is realized by, for example, a processor and a memory. The control unit 24 controls the communication unit 21, the display unit 22, and the input unit 23. Specifically, the control unit 24 displays the second key data input screen on the display unit 22. Then, the control unit 24 receives the second key data via the input unit 23. Then, the control unit 24 transmits the unlock signal including the second key data received via the input unit 23 to the storage device 10 via the communication unit 21.

[Operation of file sharing system]
Next, the operation of the file sharing system configured as described above will be described with reference to FIGS. 3 to 12.

[Shared setting process]
First, the sharing setting process for the storage device 10 to provide the shared service will be described with reference to FIG. FIG. 3 is a sequence diagram showing an example of the sharing setting process in the file sharing system 100 according to the first embodiment. It is preferable to use a secure communication protocol such as the above-mentioned HTTPS also in the communication of the shared setting process.

The terminal device 20 transmits an authentication screen request signal to the storage device 10. The control unit 13 of the storage device 10 transmits an authentication screen for sharing setting to the terminal device 20 based on the request from the terminal device 20. The control unit 24 of the terminal device 20 displays the authentication screen on the display unit 22, and accepts the input of the authentication information from the administrator of the storage device 10 via the input unit 23 (S101). Here, the authentication information includes the user identifier and the password, and is transmitted to the storage device 10.

The control unit 13 of the storage device 10 performs user authentication based on the user identifier and password received from the terminal device 20 (S102). Here, if the user authentication is successful, the control unit 13 transmits the registration screen of the shared folder to the terminal device 20.

The control unit 24 of the terminal device 20 displays the registration screen on the display unit 22 (S103). At this time, for display of the registration screen, for example, a dedicated application program for the file sharing system may be used, or a general-purpose application program (for example, an Internet browser or the like) may be used.

The control unit 24 of the terminal device 20 receives the input of the shared setting data, the user ID, and the security key as necessary from the administrator via the input unit 23 (S104). Specifically, the control unit 24 does not accept the input of the security key if it is the shared setting data for a normal shared folder, and accepts the input of the security key if it is the shared setting data for the security folder. .. The shared setting data, the user ID, and the security key received here are transmitted to the storage device 10.

A security folder is a shared folder that can achieve higher security than a normal shared folder. The difference between the security folder and the normal shared folder will be clarified in the explanation of access processing and the like described later.

The security key entered here corresponds to the first key data. The security key is character string data for identifying the security folder and the user and verifying the validity of the unlock signal for the security folder. The string data indicates characters, numbers, symbols and any combination thereof. Further, the user ID corresponds to the first user identifier and is data for identifying the user.

The control unit 13 of the storage device 10 stores the shared setting data and the user ID received from the terminal device 20 in the storage unit 12 (S105). When the security key is received, the control unit 13 stores the shared setting data, the security key, and the user ID in the storage unit 12 in association with each other.

The control unit 13 of the storage device 10 starts a normal shared folder sharing service based on the shared setting data stored in the storage unit 12 (S106). Here, the security folder sharing service has not started yet.

[Shared folder registration screen]
Here, an example of the registration screen displayed in step S103 of FIG. 3 will be specifically described with reference to FIG. FIG. 4 is a diagram showing an example of the registration screen 30 of the shared folder in the first embodiment.

The registration screen 30 is a GUI for registering the settings of the shared folder in the storage device 10. The registration screen 30 includes widgets 31 to 39.

The widget 31 includes a text box for inputting the name of the shared folder (hereinafter referred to as the shared name). The administrator inputs a character string representing the shared name into the widget 31 via the input unit 23.

The shared name indicates the name of a folder on the network or a part thereof. This shared name may be shared with the name of the folder in the storage device 10.

The widget 32 includes a check box for inputting whether or not to set a security folder in the shared folder. The administrator inputs a check mark to the widget 32 via the input unit 23. Here, when the check mark is added, the security folder setting is valid, and when the check mark is not added, the security folder setting is invalid.

The widget 33 includes a check box for inputting whether or not to set a hidden folder in the shared folder. A hidden folder means a hidden share, and is a shared folder that is not displayed in the list of shared folders on a device on the network. That is, the shared name of the hidden folder is not exposed to the network. Here, when the widget 33 is checked, for example, "$" is automatically added to the end of the share name input to the widget 31.

The widget 34 includes a list box for inputting a user of the folder having the shared name input to the widget 31. The administrator selects a user ID from the list of user IDs via the input unit 23. The list of user IDs includes pre-registered user IDs.

Widget 35 includes a text box for entering a security key. This text box is allowed to be entered when the check box is checked in the widget 32. The administrator inputs the character string corresponding to the security key to the widget 35 via the input unit 23.

The widget 36 includes a button for temporarily storing a set of user IDs and security keys entered in the widgets 34 and 35. A plurality of sets of security keys and user IDs can be registered by the widgets 35 and 36.

The widget 37 deletes a list of user IDs temporarily stored by the widget 36, a check box for selecting a user ID in the list, a checked user ID, and a corresponding security key. For, including. The administrator can delete the set of the user ID and the security key corresponding to the check mark by inputting the check mark in the check box and pressing the delete button.

Widget 38 includes radio buttons for restricting access to shared folders. If any pre-registered user has full access to the shared folder, the "All lock / unlock user access" radio button is selected and access rights are managed for each user. The radio button of "Access restriction setting" is selected for. When the radio button of "access restriction setting" is selected, the screen transitions to a screen in which read-only users and read / write users can be individually set.

The widget 39 includes a button for instructing whether to register or discard the shared setting data input to the widgets 31 to 38. When the "save" button is pressed, the shared setting data is transmitted to the storage device 10.

[Specific example of shared setting table]
Next, the shared setting data stored in the storage unit 12 in step S105 of FIG. 3 will be specifically described with reference to FIG. FIG. 5 is a diagram showing an example of the shared setting table 40 in the first embodiment.

The shared setting table 40 is table data for recording the shared setting data in association with the first key data and the first user identifier. The shared setting table 40 includes the shared name 41, the security folder setting 42, and the access authority 45 as the shared setting data, the security key 43 as the first key data, and the user ID 44 as the first user identifier. The shared setting table 40 can also be associated with a plurality of sets of first key data and first user identifiers for the same shared setting data.

In the share name 41, the character string data input to the widget 31 for the share name in FIG. 3 is registered. If the widget 33 in the hidden folder setting is checked, the character string data input to the widget 31 with "$" added to the end is registered.

In the security folder setting 42, data corresponding to the input of the widget 32 for setting the security folder in FIG. 3 is registered. Here, "true" is registered when the check mark is attached to the widget 32, and "false" is registered when the check mark is not attached to the widget 32.

The character string data input to the widget 32 for the security key of FIG. 3 is registered in the security key 43. The security key 43 corresponds to the first key data.

The user ID corresponding to the security key 43 is registered in the user ID 44.

The access authority for the user ID 44 is registered in the access authority 45. For example, either "read" indicating read-only or "read / write" indicating read / write is registered in the access authority 45.

In the shared setting table 40 of FIG. 5, for example, the security key of "SF1-KEY1" and the read-only "USER1" are stored in association with the shared setting data of "SF1". Further, for example, "SF1" used as a shared name or a part of the shared name in association with the shared setting data of "SF1" and associated with the security key of "SF1-KEY2", and literate "SF1". "USER2" is stored.

[Access processing to normal shared folders]
Next, the access process to the normal shared folder after the shared service is started in step S106 of FIG. 3 will be described with reference to FIG. FIG. 6 is a sequence diagram showing an example of access processing to a normal shared folder in the file sharing system 100 according to the first embodiment.

The control unit 24 of the terminal device 20 transmits an access signal to the normal shared folder to the storage device 10 according to the operation of the user in the input unit 23 (S111). This access signal includes the path of a regular shared folder.

The access signal to the shared folder is, for example, a signal for requesting a connection to the shared folder.

A path means a network path that indicates the location of a resource on the network. The shared folder path contains the shared name of the folder. For example, the network path is determined based on the UNC (Universal Naming Convention).

The control unit 13 of the storage device 10 requests authentication information from the terminal device 20 when the user of the terminal device 20 is not authenticated (S112). The control unit 24 of the terminal device 20 displays, for example, an authentication screen on the display unit 22. Then, the control unit 24 accepts the input of the authentication information (for example, the user ID and the password) from the user via the input unit 23 (S113). The entered authentication information is transmitted to the storage device 10. The control unit 13 of the storage device 10 performs user authentication based on the authentication information received from the terminal device 20 (S114). After that, a response signal to the access signal is transmitted to the terminal device 20 based on the authentication result.

Conventional techniques may be adopted for the process related to user authentication in steps S112 to S114. If the user of the terminal device 20 has already been authenticated, the processes of steps S112 to S114 may be skipped.

The control unit 24 of the terminal device 20 receives an input for file operation from the user and transmits a file operation signal to the storage device 10 (S115). The file operation signal may be, for example, a signal for requesting a list of files in the shared folder, or a signal for reading or writing a file in the shared folder.

When the user authentication is successful, the control unit 13 of the storage device 10 performs a file operation corresponding to the file operation signal based on the access authority of the user, and transmits a response signal corresponding to the operation result to the terminal device 20. (S116). Conventional techniques may be adopted for this process as well. For example, when a file operation signal for reading a file in the shared folder of "NF1" in FIG. 5 is received, the operation is prohibited if the authenticated user is "USER3", and the authenticated user If it is "USER1" or "USER2", the operation is permitted. On the other hand, when a file operation signal for writing a file in the shared folder of "NF1" is received, the operation is prohibited if the authenticated user is "USER1" or "USER3", and the authenticated user is authenticated. If is "USER2", the operation is permitted.

Even if a normal shared folder is set as a hidden folder, if a file operation signal including the shared name is received, the hidden folder corresponding to the file operation signal is based on the user's access authority. You are allowed to perform operations on the files in.

[Access processing to security folder]
Next, the access process to the security folder after the shared service is started in step S106 of FIG. 3 will be described with reference to FIGS. 7, 8A and 8B. FIG. 7 is a sequence diagram showing an example of failure in access processing to the security folder in the file sharing system 100 according to the first embodiment.

The control unit 24 of the terminal device 20 transmits an access signal to the security folder to the storage device 10 according to the user's operation on the input unit 23 (S121). This access signal includes the security folder path.

Since the control unit 13 of the storage device 10 has not yet provided the security folder sharing service, it does not respond to the access signal (S122). That is, since the path of the security folder does not exist yet, the response signal to the operation signal is not transmitted to the terminal device 20.

The control unit 24 of the terminal device 20 displays an error message on the display unit 22 when the elapsed time from the time when the file operation signal is transmitted exceeds the threshold time (S123). For example, if you try to open a file in the security folder from a recently used item in the application, the application will display an error because there is no response from the storage device 10.

As described above, even if the normal shared folder sharing service is provided, the security folder sharing service has not been enabled yet, so the security folder does not exist on the network.

Therefore, a method for accessing the security folder will be described with reference to FIGS. 8A and 8B. FIG. 8A is a sequence diagram showing a successful example of the first access process to the security folder in the file sharing system 100 according to the first embodiment. FIG. 8B is a sequence diagram showing a successful example of the second access process to the security folder in the file sharing system 100 according to the first embodiment.

First, as shown in FIG. 8A, the control unit 24 of the terminal device 20 of the first user transmits the first unlock signal of the security folder to the storage device 10 (S131A). The first unlock signal includes a security key corresponding to the security folder. The GUI for transmitting the first unlock signal will be described later with reference to FIG.

The control unit 13 of the storage device 10 is a shared service of the security folder corresponding to the security key included in the first unlock signal, and is a user ID associated with the security key and the IP of the source of the first unlock signal. Enable the shared service that can access the security folder only by the address (S132A). At this time, the first shared name of the security folder is newly generated, and the response signal including the generated first shared name is transmitted from the storage device 10 to the terminal device 20. The details of the process of this step S132A will be described later with reference to FIG.

The shared service (here, for convenience, referred to as the first shared service) in which only the user ID and the IP address can access the security folder is the user ID and another user ID and another IP address different from the IP address. Means a shared service where the security folder is inaccessible. In the state where the first shared service is enabled, the shared service (here, for convenience, referred to as the second shared service) in which only other user IDs and other IP addresses can access the security folder is enabled. That is not excluded. That is, even when the first shared service is enabled, if the second shared service is enabled, it is possible to access the security folder with another user ID and another IP address. It is also possible for one user to access a plurality of different security folders in a timely manner. In this case, the sharing service is enabled for each security folder and each is provided with a different sharing name.

The control unit 24 of the terminal device 20 transmits a first access signal for accessing the security folder to the storage device 10 based on the first shared name of the security folder included in the response signal (S121A). This first access signal includes a first path using the first shared name of the security folder.

The control unit 13 of the storage device 10 requests authentication information from the terminal device 20 when the user of the terminal device 20 is not authenticated (S112). The control unit 24 of the terminal device 20 displays, for example, an authentication screen on the display unit 22. Then, the control unit 24 accepts the input of the authentication information (for example, the user ID and the password) from the user via the input unit 23 (S113). The entered authentication information is transmitted to the storage device 10. The control unit 13 of the storage device 10 performs user authentication based on the authentication information received from the terminal device 20 (S114). After that, a response signal to the first access signal is transmitted to the terminal device 20 based on the authentication result.

Conventional techniques may be used for the process related to user authentication in steps S112 to S114. If the user of the terminal device 20 has already been authenticated, the processes of steps S112 to S114 may be skipped.

The control unit 24 of the terminal device 20 receives an input for file operation from the user and transmits the first file operation signal to the storage device 10 (S115A).

When the user authentication is successful, the control unit 13 of the storage device 10 performs a file operation corresponding to the first file operation signal based on the access authority of the first user, and outputs a response signal corresponding to the operation result to the terminal. It is transmitted to the device 20 (S133A). The details of the process of this step S133A will be described later with reference to FIG.

When the operation for the file in the security folder is completed, the control unit 24 of the terminal device 20 transmits the lock signal to the storage device 10 based on, for example, the user's operation on the input unit 23 (S136). Further, for example, when the elapsed time from the time when the last operation of the security folder is performed is equal to or longer than the threshold time, the control unit 24 may transmit the lock signal to the storage device 10. That is, when the operation for the security folder is not performed for the threshold time or more, the control unit 24 may transmit the lock signal to the storage device 10.

The control unit 13 of the storage device 10 disables the shared service of the security folder when a predetermined condition is satisfied (S137). At this time, the control unit 13 deletes the record registered in the shared state table described later.

The predetermined condition is, for example, reception of a lock signal from the terminal device 20. Further, the predetermined condition may be, for example, that the elapsed time from the time when the security folder was last accessed is equal to or longer than the threshold time.

On the other hand, as shown in FIG. 8B, the control unit 24 of the terminal device 20 of the second user transmits the second unlock signal of the security folder to the storage device 10 (S131B). The second unlock signal is a signal transmitted after the first unlock signal, and here includes a security key different from the first unlock signal. The GUI for transmitting the second unlock signal will be described later with reference to FIG.

The control unit 13 of the storage device 10 is a shared service of the security folder corresponding to the security key included in the second unlock signal, and is a user ID associated with the security key and the IP of the source of the second unlock signal. Enable the shared service that can access the security folder only by the address (S132B). At this time, a second shared name different from the first shared name of the security folder is newly generated, and a response signal including the generated second shared name is transmitted from the storage device 10 to the terminal device 20. The details of the process of this step S132B will be described later with reference to FIG.

The control unit 24 of the terminal device 20 transmits a second access signal for accessing the security folder to the storage device 10 based on the second shared name of the security folder included in the response signal (S121B). This second access signal includes a second path using the second shared name of the security folder.

After that, processing related to user authentication in steps S112 to S114 is performed as necessary.

The control unit 24 of the terminal device 20 receives an input for file operation from the user and transmits a second file operation signal to the storage device 10 (S115B).

When the user authentication is successful, the control unit 13 of the storage device 10 performs a file operation corresponding to the second file operation signal based on the access authority of the second user, and outputs a response signal corresponding to the operation result to the terminal. It is transmitted to the device 20 (S133B). The details of the process of this step S133B will be described later with reference to FIG.

[Unlock signal transmission screen]
Here, an example of the unlock signal transmission screen displayed in step S131A of FIG. 8A and step S131B of FIG. 8B will be specifically described with reference to FIG. FIG. 9 is a diagram showing an example of an unlocking signal transmission screen according to the first embodiment.

In FIG. 9, the control unit 24 of the terminal device 20 displays the first context menu 52 on the display unit 22 when an operation (for example, right-clicking) by the input unit 23 for the icon 51 on the task bar is detected. Here, when an operation (for example, left click) by the input unit 23 for "SF unlocking" in the first context menu 52 is detected, the control unit 24 displays the second context menu 53 on the display unit 22. ..

In the second context menu 53, there are items of the security folders "SF1", "SF2", and "SF3" in which the security key is registered in advance in the terminal device 20, and the security folders in which the security key is not registered in the terminal device 20. "Arbitrary" item and is displayed.

Here, when an operation (for example, left-click) by the input unit 23 for "arbitrary" in the second context menu 53 is detected, the control unit 24 displays the security key input dialog 54 on the display unit 22. For example, the user acquires a security key from the administrator and inputs the acquired security key in the input dialog 54. Here, if an operation (for example, left-click) for the OK button in the input dialog 54 is detected, the control unit 24 receives an unlock signal including the security key input to the input dialog 54 (for example, the first unlock signal or the first unlock signal). The second unlock signal) is transmitted to the storage device 10.

On the other hand, when an operation (for example, left-click) by the input unit 23 for "SF1", "SF2" or "SF3" in the second context menu 53 is detected, the control unit 24 corresponds to the operated security folder. Attached, the security key registered in advance in the terminal device 20 is read out, and the unlock signal including the security key is transmitted to the storage device 10.

The control unit 24 of the terminal device 20 may transmit the unlock signal to the storage device 10 without using such a transmission screen. For example, when the control unit 24 detects a specific operation (for example, mouse gesture or shortcut key input) by a keyboard or a mouse, the control unit 24 sends an unlock signal including a security key corresponding to the specific operation to the storage device 10. You may send it.

[Security folder sharing service activation process]
Next, the details of the security folder sharing service activation process in step S132A of FIG. 8A and step S132B of FIG. 8B will be specifically described with reference to FIG. FIG. 10 is a flowchart showing an activation process of the shared service by the storage device 10 according to the first embodiment.

The control unit 13 in the storage device 10 acquires a security key from the unlock signal (for example, the first unlock signal or the second unlock signal) (S1321).

Then, the control unit 13 determines whether or not the acquired security key is registered in the shared setting table (S1322). That is, the control unit 13 determines whether or not the security key included in the unlock signal matches the security key included in the shared setting table. For example, in the shared setting table 40 of FIG. 5, the unlock signal includes the security keys "SF1-KEY1", "SF1-KEY2", "SF2-KEY1", "SF2-KEY2", or "SF2-KEY3". Then, the control unit 13 determines that the acquired security key is registered in the shared setting table 40.

Here, when the security key is registered in the sharing setting table (Yes in S1322), the control unit 13 sets the shared name (for example, the first shared name or the second shared name) of the security folder corresponding to the security key. Generate (S1324). Here, the control unit 13 newly generates a shared name each time the unlock signal is received. Specifically, the control unit 13 generates a first shared name when the first unlock signal is received, and when the second unlock signal is received, the second shared name is different from the first shared name. To generate.

In the generation of the shared name (first shared name and second shared name), the control unit 13 randomly generates, for example, a second character string, and the generated first character string and the fixed first character string corresponding to the security folder are generated. A shared name is generated by combining two character strings. As the fixed first character string, for example, the shared name 41 of the shared setting table 40 can be used.

Subsequently, the control unit 13 enables the sharing service of the security folder corresponding to the security key by using the generated sharing name (S1325). Here, the control unit 13 enables a shared service in which only the user ID corresponding to the security key and the IP address of the source of the unlocking signal can access the security folder. That is, in the shared service enabled here, the user and the terminal device 20 who can access the security folder use the IP address of the user specified by the user ID corresponding to the security key and the source of the unlock signal. It is limited to the terminal device 20 having. For example, in the shared setting table 40 of FIG. 5, when the security key "SF1-KEY1" is included in the unlock signal, the control unit 13 is a sharing service of the security folder with the shared name generated from "SF1". Is limited to "USER1" and enabled.

Further, the control unit 13 registers the shared name of the activated security folder, the IP address of the source of the unlocking signal, and the user ID in the shared status table (S1326). The IP address of the source can be obtained from the unlock signal. After that, the control unit 13 transmits the shared name of the security folder to the terminal device 20 (S1327).

On the other hand, when the security key is not registered in the shared setting table (No in S1322), the control unit 13 transmits an error response to the terminal device 20 (S1328). That is, when the security key included in the unlock signal does not match the security key registered in the sharing setting table, the control unit 13 prohibits the activation of the sharing service of the security folder.

[Specific example of shared status table]
Here, a specific example of the shared state table in step S1326 will be described with reference to FIG. FIG. 11 is a diagram showing an example of the shared state table 60 in the first embodiment. The shared status table 60 includes a shared name 61, an IP address 62, and a user ID 63.

In the shared name 41, the shared name of the security folder corresponding to the security key included in the unlock signal, that is, the security folder in which the shared service is enabled is registered. The IP address of the source of the unlocking signal is registered in the IP address 62. A user ID corresponding to the security key is registered in the user ID 63.

For example, when the storage device 10 receives the first unlock signal including the security key "SF1-KEY1" from the terminal device 20 having the IP address of "192.168.0.1", as shown in FIG. The first shared name of "SF1_XYZ" is newly generated. Then, the records of "SF1_XYZ", "192.168.0.1" and "USER1" are registered in the shared state table 60. Then, when the storage device 10 receives the lock signal, the record of FIG. 11 is deleted.

Further, when the storage device 10 receives the second unlock signal including the security key "SF1-KEY2" from the terminal device 20 having the IP address of "192.168.0.2", for example, the first of "SF1_ABC". 2 A new shared name is generated. Then, the records of "SF1_ABC", "192.168.0.2" and "USER2" are registered in the shared state table 60.

[File operation processing]
Next, the details of the operation processing of the files in the security folder in step S133A of FIG. 8A and step S133B of FIG. 8B will be specifically described with reference to FIG. FIG. 12 is a flowchart showing a file operation process by the storage device 10 in the first embodiment.

The control unit 13 of the storage device 10 acquires the shared name, user ID, and source IP address of the security folder from the file operation signal (S1331). By referring to the shared status table, the control unit 13 determines whether or not the acquired shared name is registered in association with the acquired user ID and IP address (S1332). That is, the control unit 13 determines whether or not the shared service of the security folder accessible by the acquired user ID and IP address is enabled.

Here, when the shared name is registered in association with the user ID and IP address (Yes in S1332), the control unit 13 performs a file operation corresponding to the file operation signal based on the access authority of the user. Then, the response signal corresponding to the operation result is transmitted to the terminal device 20 (S1333). That is, the control unit 13 has the file corresponding to the file operation signal when the shared service of the security folder accessible by the user ID included in the file operation signal and the IP address of the source of the file operation signal is enabled. Allow the operation.

On the other hand, when the shared name is not associated with the user ID and the IP address (No in S1332), the control unit 13 transmits an error response to the terminal device 20 (S1334). That is, the control unit 13 has the file corresponding to the file operation signal when the shared service of the security folder accessible by the user ID included in the file operation signal and the IP address of the source of the file operation signal is not enabled. Prohibit operation.

For example, in the shared state table 60 of FIG. 11, a file operation signal for the security folder of "SF1_XYZ" is transmitted from the user of the user ID "USER1" in the terminal device having the IP address "192.168.0.1". In that case, the file operation corresponding to the file operation signal is permitted.

On the other hand, when a file operation signal for the security folder of "SF1_XYZ" is transmitted from the user of the user ID "USER2" (*) in the terminal device having the IP address "192.168.0.1", the file operation is performed. Operations corresponding to signals are prohibited (symbol * indicates a part different from the above permission example). That is, if the file operation signal is transmitted from a user different from the user who transmitted the unlock signal, the operation corresponding to the file operation signal is prohibited.

Further, when a file operation signal for the security folder of "SF1_XYZ" is transmitted from the user of the user ID "USER1" in the terminal device having the IP address "192.168.0.2" (*), the file operation is performed. Operations corresponding to signals are prohibited (symbol * indicates a part different from the above permission example). That is, if a file operation signal is transmitted from a terminal device different from the terminal device from which the unlock signal is transmitted, the operation corresponding to the file operation signal is prohibited.

[Effects, etc.]
As described above, according to the file sharing system 100 and / or the storage device 10 according to the present embodiment, when the file sharing service is enabled by using the unlock signal including the security key, the shared name is newly changed. The shared name can be used to enable the shared service, and the shared name can be transmitted to the terminal device 20. Therefore, not only is the shared service not activated unless the unlock signal is transmitted, but the shared file cannot be accessed without knowing the newly generated shared name. That is, when the shared service is enabled by the unlock signal, unauthorized access from a terminal device different from the terminal device 20 to which the shared name is notified can be suppressed, and the safety of the shared file is improved. be able to.

Further, according to the file sharing system 100 and / or the storage device 10 according to the present embodiment, a new shared name can be generated each time an unlocking signal is received. Therefore, the security of the shared file against the leakage of the shared name can be further improved.

Further, according to the file sharing system 100 and / or the storage device 10 according to the present embodiment, a shared name can be generated by combining a fixed character string and a randomly generated character string. Therefore, for legitimate access, a fixed character string makes it easy to determine which security folder is being accessed. On the other hand, for unauthorized access, the randomly generated character string can increase the difficulty of guessing the entire shared name and improve the security of the shared file.

Further, according to the file sharing system 100 and / or the storage device 10 according to the present embodiment, the file sharing service can be disabled when the lock signal received from the terminal device 20 is received. Therefore, you can switch from enabling to disabling the file sharing service simply by receiving the lock signal, and you can easily disable the file sharing service when the user does not use the file sharing service. can.

Further, according to the file sharing system 100 and / or the storage device 10 according to the present embodiment, when the elapsed time from the time when the file was last accessed from the terminal device 20 is equal to or longer than the threshold time, the file is stored. Shared services can be disabled. Therefore, when the user is not using the file sharing service, the sharing service can be automatically disabled, and the safety of the shared file can be further improved.

Further, according to the file sharing system 100 and / or the storage device 10 according to the present embodiment, when the second key data included in the unlock signal matches the first key data, the user ID corresponding to the security key is used. Only shared services that can access security folders can be enabled. Therefore, the users who can access the security folder by the shared service enabled by the unlock signal can be limited to the users associated with the security key, and the security of the shared file can be further improved. ..

Further, according to the file sharing system 100 and / or the storage device 10 according to the present embodiment, the unlocking signal is obtained when the security key included in the unlocking signal matches the security key associated with the shared setting data. It is possible to enable a shared service that can access the security folder only by the terminal device 20 that is the source of the data. Therefore, the terminal device 20 that can access the security folder in the shared service enabled by the unlock signal can be limited, and the safety of the shared file can be further improved.

(Embodiment 2)
Next, the second embodiment will be described. In the present embodiment, when the shared service of the security folder is enabled, the file in the security folder is output from the storage device to the terminal device, and the shared service is disabled, as in the first embodiment. Mainly different. Hereinafter, the present embodiment will be described with a focus on the differences from the first embodiment.

[Functional configuration of file sharing system]
First, the functional configuration of the file sharing system 100A according to the present embodiment will be specifically described with reference to FIG. FIG. 13 is a block diagram showing a functional configuration of the file sharing system 100A according to the second embodiment. The file sharing system 100A functionally includes a storage device 10A and a terminal device 20A.

[Functional configuration of storage device]
Here, the functional configuration of the storage device 10A will be described. For example, the NAS 10a of FIG. 1 functions as the storage device 10A of FIG. As shown in FIG. 13, the storage device 10A includes a communication unit 11, a storage unit 12, and a control unit 13A.

The control unit 13A is an example of the first control unit, and is realized by, for example, the SoC13a and the DDR SDRAM 13b of FIG. The control unit 13A controls the communication unit 11 and the storage unit 12.

Specifically, the control unit 13A newly generates (i) a shared name when the second key data matches the first key data, as in the control unit 13 of the first embodiment. ii) Enable the sharing service of the shared file on the network with the generated shared name using the shared setting data corresponding to the first key data, and (iii) send the generated shared name to the terminal device 20A. do. Further, in the present embodiment, when the second key data matches the first key data, the control unit 13A transmits (iv) the shared file to the terminal device 20A, and (v) on the network of the shared file. Disable shared services in. That is, in the present embodiment, when the shared service is enabled, the shared file on the storage device 10A is locally copied to the terminal device 20A, and after the local copy, the shared service is automatically disabled without a lock signal. To.

[Functional configuration of terminal device]
Next, the functional configuration of the terminal device 20A will be described. For example, each of the PCs 20a, 20b, 20c and the smartphone 20d of FIG. 1 functions as the terminal device 20A of FIG. As shown in FIG. 13, the terminal device 20A includes a communication unit 21, a display unit 22, an input unit 23, a control unit 24A, and a storage unit 25A.

The control unit 24A is an example of the second control unit, and is realized by, for example, a processor and a memory. The control unit 24A controls the communication unit 21, the display unit 22, the input unit 23, and the storage unit 25A. Specifically, the control unit 24A displays the input screen of the second key data on the display unit 22 as in the control unit 24 of the first embodiment. Then, the control unit 24A receives the second key data via the input unit 23. Then, the control unit 24A transmits an unlock signal including the second key data received via the input unit 23 to the storage device 10A via the communication unit 21.

Further, the control unit 24A stores the shared file received from the storage device 10A in the storage unit 25A. For example, the control unit 24A stores the shared file in the security folder received from the storage device 10A in the local security folder of the storage unit 25A. The security folder of the storage device 10A and the local security folder of the terminal device 20A are synchronized when the shared service is started.

The storage unit 25A is an example of the second storage unit, and is realized by, for example, an HDD, an SSD, or the like. The storage unit 25A stores the shared file received from the storage device 10A in the local security folder.

[Access processing to security folder]
Next, the access process to the security folder after the shared service is started in step S106 of FIG. 3 will be described with reference to FIGS. 14A and 14B. FIG. 14A is a sequence diagram showing a successful example of access processing to the security folder in the file sharing system 100A according to the second embodiment. FIG. 14B is a sequence diagram showing a successful example of synchronization processing of security folders in the file sharing system 100A according to the second embodiment.

As shown in FIG. 14A, the processes of steps S131A to S114 are performed in the same manner as in FIG. 8A of the first embodiment. After that, when the user authentication is successful, the control unit 13A of the storage device 10A transmits all the files in the security folder to the terminal device 20A as shared files (S201A).

The control unit 24A of the terminal device 20A stores the shared file received from the storage device 10A in the local security folder of the storage unit 25A (S202A). That is, the copy of the security folder in the storage device 10A is stored in the storage unit 25A of the terminal device 20A.

The control unit 13A of the storage device 10A disables the shared service of the security folder (S203). That is, in the present embodiment, the control unit 13A automatically disables the shared service without a lock signal after the shared file is transmitted.

The control unit 24A of the terminal device 20A accepts an input for operating a file in the local security folder from the user as a first file operation input (S204). In the present embodiment, the first file operation signal may not be transmitted to the storage device 10A.

The control unit 24A of the terminal device 20A performs a file operation corresponding to the first file operation input (S205). As a result, the shared files in the local security folder are updated.

Subsequently, after the file operation is performed, the processing of FIG. 14B is performed. Note that FIG. 14B describes a case where the same user as in FIG. 14A operates on the same terminal device 20A.

As shown in FIG. 14B, the processes of steps S131B to S114 are performed in the same manner as in FIG. 8B of the first embodiment.

When the user authentication is successful, the control unit 13A of the storage device 10A and the control unit 24A of the terminal device 20A have a security folder in the storage unit 12 of the storage device 10A and a local security folder in the storage unit 25A of the terminal device 20A. And are synchronized (S201B, S202B). As a result, the update of the shared file in the terminal device 20A is reflected in the shared file of the storage device 10A. The synchronization method is not particularly limited, and conventional techniques may be used. In addition, shared files in the local security folder may be deleted after synchronization. According to this, the security of the terminal device 20A is further improved. It should be noted that this deletion process may be executed after step S202B, or may be executed after step S203 in a later step.

The control unit 13A of the storage device 10A disables the shared service of the security folder (S203).

[Effects, etc.]
As described above, according to the file sharing system 100A and / or the storage device 10A according to the present embodiment, the shared file can be transmitted to the terminal device 20A and the shared service can be invalidated. Therefore, after the shared file is transmitted, the shared service can be automatically disabled even if there is no lock signal. As a result, the time during which the shared service is activated can be shortened, and falsification and leakage of the shared file can be suppressed.

(Other embodiments)
Although the file sharing system and the storage device according to one or more aspects of the present invention have been described above based on the embodiments, the present invention is not limited to the embodiments. As long as it does not deviate from the gist of the present invention, one or more of the present embodiments may be modified by those skilled in the art, or may be constructed by combining components in different embodiments. It may be included within the scope of the embodiment.

For example, the hardware configuration of the file sharing system in each of the above embodiments is an example, and is not limited thereto. For example, in the above embodiment, the case where the network is a LAN has been described, but the network is not limited to this. The network may be any network as long as it is a computer network, and may be, for example, a WAN (WideArea Network) or the Internet. Further, in the above embodiment, the example in which the NAS functions as a storage device has been described, but other devices may function as the storage device. For example, a multi-function peripheral, a router, or a file server can also function as a storage device.

Further, in each of the above embodiments, the NAS includes two communication modules, a wired LAN module and a wireless LAN module, but the NAS is not limited thereto. For example, the NAS may include only one of a wired LAN module and a wireless LAN module. Further, the NAS may include a general-purpose processor instead of the SoC.

Further, in each of the above embodiments, the NAS is provided with a RAID module, but it may not be provided with a RAID module. The NAS may be provided with a RAID module according to the capacity, reliability, speed, etc. required for the storage.

Further, in each of the above embodiments, the NAS includes, but is not limited to, a plurality of HDDs and SD cards. NAS may include SSD (Solid State Drive) instead of a plurality of HDDs and SD cards, for example.

In each of the above embodiments, the unlock signal does not include the user ID, but the user ID may be included as the second user identifier in addition to the security key. In this case, the security key included in the unlock signal matches any of the registered security keys, and the user ID (first user identifier) corresponding to the matched registered security key is used as the unlock signal. When matching with the included user ID (second user identifier), the control unit 13 of the storage device 10 is a security folder that can access only the matched user ID and the IP address of the source of the unlocking signal, and matches. You may enable the sharing service of the security folder corresponding to the security key. If the user ID corresponding to the security key does not match the user ID included in the unlock signal, the control unit 13 may respond with an error. The user ID match determination process can be inserted before or after step S1322 in FIG.

According to this, when the user ID included in the unlock signal matches the user ID corresponding to the registered security key, the security folder sharing service can be enabled. Therefore, even if the same key data is shared by a plurality of users, the shared service can be enabled for each user, and the convenience of the user and the security of the shared file can be improved.

In each of the above embodiments, in the process of enabling the shared service of the security folder, it is determined whether or not to enable the shared service based on the security key included in the unlock signal, but the determination is based on the user identifier. May be added. That is, in FIG. 10, if the security key is registered in the shared setting table in step S1322 (Yes in S1322), the user identifier included in the unlock signal is the user identifier registered corresponding to the security key. It is determined whether they match, and if they match, the security folder sharing service may be enabled in step S1324.

In each of the above embodiments, when a file operation signal is received from the terminal device, it is determined whether or not the shared name, user ID, and IP address are registered in the shared status table, but this determination is made. It does not have to be. That is, it is not necessary to determine whether or not the terminal device that is the source of the file operation signal matches the terminal device that is the source of the unlock signal. Further, it is not necessary to determine whether or not the user of the operation signal matches the user of the unlock signal. Specifically, for example, in FIG. 12, step S1332 may be skipped. In this case, when the operation signal is received, the file operation corresponding to the operation signal may be performed based on the access authority of the user in step S1333. Therefore, the shared state table does not have to be stored. That is, the shared service enabled by the unlock signal can access the security folder not only by the user ID corresponding to the security key and the IP address of the source of the unlock signal, but also by other user IDs and other IP addresses. It may be a shared service.

In each of the above embodiments, the IP address is used to identify the terminal device, but the present invention is not limited to this. For example, a MAC (Media Access Control address) address, a host name, or the like may be used instead of the IP address.

In each of the above embodiments, the storage device provides the shared service on a folder-by-folder basis, but the storage device is not limited to this. The storage device may provide a shared service on a file-by-file or drive-by-drive basis.

In each of the above embodiments, when the lock signal is received, the sharing service of all security folders is disabled, but for each security folder, user or terminal device, or any combination thereof. Shared services may be disabled. In this case, for example, when the combination of the shared name, user ID, and source IP address included in the lock signal is registered in the shared status table, the shared service of the corresponding security folder may be disabled.

In each of the above embodiments, various screens such as an unlocking signal transmission screen have been described, but these screens are examples and are not limited thereto. For example, the widget 33 for setting the hidden folder may not be included in the registration screen of the shared folder in FIG.

In each of the above embodiments, the storage device provides the sharing service of both the normal shared folder and the security folder, but may provide only the security folder sharing service. In this case, in FIGS. 4 and 5, the item for setting a normal shared folder may not be included.

Further, in each of the above embodiments, the shared name is generated by combining a fixed character string and a randomly generated character string, but the present invention is not limited to this. For example, the share name may contain only randomly generated strings. Further, the character string included in the shared name does not have to be randomly generated. For example, a new shared name may be generated according to a predetermined rule. For example, a character string may be generated based on the time when the unlock signal is received, and a shared name may be generated by combining the character string and a fixed character string.

Further, in each of the above embodiments, the shared name is newly generated each time the unlocking signal is received, but the timing at which the shared name is generated may not be limited to this. For example, a new shared name may be generated in a predetermined cycle. The cycle may be defined by time or by the number of times an unlock signal is received.

In each of the above embodiments, the control unit of the terminal device may transmit the data to the storage device when the number of accesses to the data stored in the terminal device exceeds the threshold number in a predetermined period. .. Then, the control unit of the storage device may store the data received from the terminal device in the storage unit as shared data. At this time, the data stored in the terminal device may be erased.

The predetermined period is a period having a predetermined time width, and is not particularly limited, but is, for example, one day, one week, or the like. Further, the threshold number may be a variable function set by the user, or may be a fixed number determined empirically or experimentally.

According to this, the data which is frequently accessed in the terminal device can be managed by the storage device. Therefore, important data with a large number of accesses can be protected by the storage device, and falsification and leakage of the data can be suppressed.

Further, one aspect of the present invention may be not only such a storage device but also a file sharing method in which a characteristic component included in the storage device is a step. Further, one aspect of the present invention may be a computer program that causes a computer to execute each characteristic step included in the file sharing method. Further, one aspect of the present invention may be a computer-readable non-temporary recording medium on which such a computer program is recorded.

In each of the above embodiments, each component may be configured by dedicated hardware or may be realized by executing a software program suitable for each component. Each component may be realized by a program execution unit such as a CPU or a processor reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory. Here, the software that realizes the storage device and the like according to the above embodiment is the following program.

That is, this program causes the computer to execute a file sharing method for sharing the file stored in the storage device on the network, and the storage device shares the sharing setting data for sharing the file on the network. And the first key data are stored in association with each other, and in the file sharing method, when an unlock signal including the second key data is received from the terminal device, the second key data is the first key data. If the second key data matches the first key data, (i) a new shared name is generated, and (ii) corresponds to the first key data. Using the shared setting data, the shared name of the file is enabled on the network with the generated shared name, and (iii) the generated shared name is transmitted to the terminal device.

It can be used as a NAS or the like having a function of a storage device that provides a file sharing service on a network.

10, 10A storage device 10a NAS
11, 21 Communication unit 11a Wired LAN module 11b Wireless LAN module 12, 25A Storage unit 12a, 12b HDD
12d RAID module 12e SD card 13, 13A, 24, 24A Control unit 13a SoC
13b DDR SDRAM
20, 20A Terminal device 20a, 20b, 20c PC
20d Smartphone 22 Display unit 23 Input unit 30 Registration screen 31, 32, 33, 34, 35, 36, 37, 38, 39 Widget 40 Sharing setting table 41, 61 Sharing name 42 Security folder setting 43 Security key 44 User ID
45 Access authority 51 Icon 52 1st context menu 53 2nd context menu 54 Input dialog 60 Shared status table 62 IP address 63 User ID
100, 100A file sharing system 200 LAN

Claims (13)

A storage device connected to a network
The first communication unit that communicates with the terminal device via the network,
The first storage unit that stores shared data and
A first control unit that controls the first communication unit and the first storage unit is provided.
The first storage unit stores the shared setting data for sharing the shared data on the network in association with the first key data.
The first control unit is
When the first communication unit receives the unlock signal including the second key data from the terminal device, it is determined whether or not the second key data matches the first key data.
When the second key data matches the first key data, (i) a shared name is newly generated, and (ii) the shared setting data corresponding to the first key data is used. With the shared name, the sharing service of the shared data on the network is enabled, and (iii) the generated shared name is transmitted to the terminal device.
Storage device. The first control unit newly generates the shared name each time the unlock signal is received.
The storage device according to claim 1. When the second key data matches the first key data, the first control unit further (iv) transmits the shared data to the terminal device, and (v) on the network of the shared data. Disable sharing services in
The storage device according to claim 1 or 2. The shared setting data includes a fixed first character string and contains.
The first control unit randomly generates a second character string, and generates the shared name by combining the first character string and the second character string.
The storage device according to any one of claims 1 to 3. The first control unit further disables the enabled sharing service of the shared data when the first communication unit receives a lock signal from the terminal device.
The storage device according to any one of claims 1 to 4. The first control unit further
It is determined whether or not the elapsed time from the time when the shared data was last accessed from the terminal device is equal to or longer than the threshold time.
When the elapsed time is equal to or longer than the threshold time, the enabled sharing service of the shared data is invalidated.
The storage device according to any one of claims 1 to 5. The first storage unit stores the first key data in association with the shared setting data and the first user identifier.
The first control unit is
When the second key data matches the first key data, the shared service that can be accessed only by the first user identifier is enabled.
The storage device according to any one of claims 1 to 6. The unlock signal includes a second user identifier.
The first control unit is
Further, it is determined whether or not the second user identifier matches the first user identifier.
The shared service in which only the first user identifier can access the shared data when the second key data matches the first key data and the second user identifier matches the first user identifier. To enable,
The storage device according to claim 7. The first control unit is
When the second key data matches the first key data, the shared service is enabled so that only the terminal device that is the source of the unlock signal can access the shared data.
The storage device according to any one of claims 1 to 8. The storage device according to any one of claims 1 to 9,
A terminal device connected to the network is provided.
The terminal device is
A second communication unit that communicates with the storage device via the network,
An input unit that accepts input from users and
Display and
The second communication unit, the input unit, and the second control unit that controls the display unit are provided.
The second control unit
The second key data input screen is displayed on the display unit, and the input screen is displayed on the display unit.
The second key data is received via the input unit, and the second key data is received.
The unlocking signal including the second key data received via the input unit is transmitted to the storage device.
Data sharing system. The terminal device further includes a second storage unit for storing data.
When the number of accesses to the data stored in the second storage unit in a predetermined period exceeds the threshold number, the second control unit transmits the data to the storage device.
The first control unit stores the data received from the terminal device as shared data in the first storage unit.
The data sharing system according to claim 10. It is a data sharing method for sharing the shared data stored in the storage device on the network.
The storage device stores the shared setting data for sharing the shared data on the network in association with the first key data.
The data sharing method is
When an unlock signal including the second key data is received from the terminal device, it is determined whether or not the second key data matches the first key data.
When the second key data matches the first key data, (i) a shared name is newly generated, and (ii) the shared setting data corresponding to the first key data is used. With the shared name, the sharing service of the shared data on the network is enabled, and (iii) the generated shared name is transmitted to the terminal device.
Data sharing method. A program for causing a storage device to execute the data sharing method according to claim 12.

Images