JPH09204330A - Device and method for ciphering and deciphering information - Google Patents

Abstract

PROBLEM TO BE SOLVED: To release a user from the managing of a cipher key and cipher file by generating a cipher folder on a storage device and allowing a ciphering and deciphering means to cipher a selected plain text file so as to automatically store and manage. SOLUTION: When ciphering is instructed from the user, the file ciphering and deciphering means 1000 automatically generates the cipher key from the password 1070 of a cipher folder 1040 specified by the user by a cipher key automatic generation means 1010. Then through the use of the cipher key, the means 1000 ciphers a specified normal sentence file 1030 to store in a cipher file area 1080 in the cipher folder 1040 as a cipher file 1090. In addition, at the time of this storing, through the use of a file name converting means 1220, each file 1090 is stored by using individually unique internal name so as to make the cipher folder 1040 an area hidden from the user. At the time of deciphering, a corresponding normal sentence file 1030 and the name of the cipher file are stored in a plain text file/cipher file corresponding table 1060 so as to return to the original normal sentence file.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an information system and method for encrypting and retaining personal information and secret information to prevent information leakage to a third party.

[0002]

2. Description of the Related Art Due to the spread of high-performance and highly portable computers such as notebook personal computers (hereinafter referred to as PCs) and pen-input PCs, they have been used at various places outside the office, such as on business trips. , Opportunities to use computers for business purposes are increasing. With the spread of such portable computers, information leakage due to theft or loss of computers is becoming a problem.

On the other hand, computers such as PCs have become widespread at home due to the progress of multimedia. In such a home-use computer, the computer is often shared with the family and the personal information protection function is becoming necessary.

Due to the portability of computers and their pervasiveness in homes, there is an increasing need for end-user level security functions against leakage of confidential information and personal information related to business.

As a security function corresponding to these needs, a confidential information file or a personal information file is encrypted with an encryption key, and a file is protected to protect information access from a third party who does not have the encryption key. Function is known as an effective method.

[0006]

By the way, in the conventional file encryption function, since the encryption key which is kept secret to the third party is used for the encryption process, the encryption by the password input is performed at the time of the file encryption and the decryption. Preparatory operations such as a key opening operation were required, and the user had to manage the encryption key. Further, the management of the encrypted file is left up to the user, and for example, it is necessary for the user to memorize which encryption key was used to decrypt the file to decrypt the file later. As described above, the conventional file encryption function has a problem in that it requires specialized knowledge and is complicated to operate, which makes it difficult for the end user to operate and cannot be used easily. Therefore, advanced security functions such as file encryption are generally intended for users who perform some specialized work.

The inventor of the present invention is capable of encrypting and decrypting a file without the user being aware of the encryption key by automatically generating the encryption key, and collectively managing the encrypted files encrypted with a specific encryption key. By doing so, it is not necessary to manage each encrypted file for each user. Furthermore, if the user is authenticated only during the file decryption operation, the user is not necessarily authenticated during the encryption operation. We paid attention to the fact that encrypted files can be protected even without them.

Therefore, the present invention is based on the above points of interest.
Enables file encryption by freeing the user from managing encryption keys and encrypted files, and by selecting a plaintext file on the screen and activating the encryption process using a graphic metaphor such as an icon. Darkness of information
It is an object to provide a decoding device and method.

[0009]

In order to achieve the above object, an information encryption / decryption device according to one aspect of the present invention encrypts and decrypts a plaintext file designated by a user with an encryption key. Encryption / decryption means and a cryptographic information storage means (hereinafter referred to as an encryption folder) on a storage device that collectively stores and manages the encrypted files encrypted by the encryption / decryption means using a specific encryption key. Call), a plurality of the encryption folders are generated on the storage device, and the encryption key,
Also, it includes encryption folder generation means for independently assigning the authentication password, and storage means for storing an authentication password for performing authentication when a user accesses the encryption folder.

Further, according to another aspect of the present invention, the encryption control device comprises an internal data encryption / decryption means for encrypting internal data related to encryption in the encryption folder, and A file name conversion means for converting a file name of the plaintext file into an internal encrypted file name of the encryption folder, and a correspondence table of the plaintext file name and the converted encryption file name in the encryption folder.

According to another aspect of the present invention, the encryption control device includes an encryption key automatic generation means for automatically generating an encryption key based on the authentication password, and inside the encryption folder,
An authentication password storage area for registering and holding the authentication password is included.

The outline of the operation of the encryption control device according to the present invention will be described. By creating an encryption folder in the storage device by the encryption folder creating means in advance, the plaintext file selected by the user is The encryption / decryption means encrypts using the encryption key assigned to the encryption folder, automatically stores in the encryption folder, and collectively stores and manages the encrypted files by the user. It is possible to eliminate the need for individual management. Further, when the user accesses the encryption folder to encrypt / decrypt the file, the encryption / decryption means authenticates whether or not the user is a correct user by the authentication password assigned to the encryption folder. Done,
Protects the encrypted folder from unauthorized access.

The cipher file name stored in the cipher folder is converted from the plaintext file recognized by the user into an internal cipher file by the file name conversion means, and the cipher file name in the cipher folder is also stored. The internal data for storing and managing the encrypted file is also encrypted by the internal data encryption / decryption unit to hide the encrypted file stored in the encryption folder from the user, and It is possible to protect from unauthorized access and erroneous operation.

The encryption key automatic generation means automatically generates the encryption key based on the authentication password input by the user to access the encryption folder, and does not require complicated operation / management of the encryption key by the user. And

Further, when the encrypted folder is generated, the encrypted folder generating means sets the authentication password storage area inside the encrypted folder, and the authentication password inputted by the user is encrypted by the internal data encryption / decryption means. When the password is registered / held in the authentication password storage area as described above, the encryption / decryption means omits the authentication by inputting the authentication password and reads the authentication password registered in the authentication password storage area,
The internal data encryption / decryption means decrypts the data, and the automatic encryption key generation means automatically generates an encryption key to encrypt the file. Therefore, the user can encrypt a file by selecting a plaintext file and activating the encryption / decryption means without inputting the authentication password.

In particular, the cryptographic folder generation means displays a graphic metaphor such as an icon for making a user imagine a cryptographic device such as a safe when generating the cryptographic folder on the computer screen for each of the cryptographic folders.
When the encryption / decryption means is activated upon the selection operation of the graphic metaphor, a plaintext file is selected from the file management function on the screen by a pointing device such as a mouse, and the graphic metaphor is directly selected. A file can be encrypted by a simple and intuitive operation on the screen of selecting, and an easy-to-use encryption function for general users can be provided.

[0017]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 2 shows the basic configuration of a system that realizes the encryption control device of the present invention. 1 is CPU, 2 is ROM,
3 is RAM, 4 is a disk device, 5 is a display device,
6 is a keyboard, 7 is a mouse, and 8 is a system bus. Each control program for realizing the present invention is stored on the disk 4 in advance, loaded on the RAM 4, and controlled and executed by the CPU 1. Further, after processing each data area on the RAM 4, the data that needs to be stored is stored on the disk 4.

FIG. 1 shows a block diagram of an embodiment for realizing the present invention, and the basic structure of the present invention will be described. 1
Reference numeral 000 is a file encryption / decryption means for encrypting and decrypting a file using an encryption key, 1220 is a file name conversion means for converting a file name from a plaintext file name to an internal encrypted file name, 1010 Represents an encryption key automatic generation means for automatically generating an encryption key from a password, which is a feature of the present invention, 1030 is a plaintext file to be encrypted, and 1040 is a feature of the present invention on the disk 4. Represents an encrypted folder, which is an encrypted file area 1080 for storing an encrypted file 1090 which is an encrypted plaintext 1030 and the encrypted folder 1040.
Encrypted data area 10 for storing information for managing
It consists of 50. In addition, the encrypted data area 1050
Is a plaintext file / encryption file correspondence table 1060 for managing the correspondence between the plaintext file name before encryption and the encrypted file name after encryption, the password 1070 used for authentication for the user to access the encryption folder, the encryption An arbitrary numerical value 1230 used when the automatic key generation means 1010 automatically generates an encryption key from the password 1070,
The encryption folder name 1240 is stored, and each storage area is included. Reference numeral 1020 represents an encryption folder generating means for generating the encryption folder 1040, and enables generation of a plurality of encryption folders on the disk 4.

In this embodiment, in order to encrypt a file, one or more encryption folders 104 are initially set on the disk 4 by the encryption folder generation means 1020.
Generate 0. The encrypted folder generation means 1020 generates a directory that forms the encrypted folder 1040 on the disk 4, and within the directory, the files that form the encrypted data area 1050 and the encrypted file area 1
Create a subdirectory that makes up 080. Furthermore, when creating the encrypted folder 1040, the user is requested to input the password 1070, the arbitrary value 1230, and the encrypted folder name 1240, and the password 1070, the arbitrary value 1230, and the encrypted folder name 1 input by the user are requested.
240 is encrypted and stored in the encrypted data area 1050. The data stored in the encrypted data area 1050 is encrypted with an encryption key prepared exclusively for encrypting these internal data so that the data cannot be referenced.

The encryption key automatically generated by the file encryption / decryption means 1000 is stored in the encrypted data area 1050 by the automatic encryption key generation means 1010 when the encryption / decryption is performed. It is generated from the password 1070 and the arbitrary numerical value 1230. Automatic encryption key generation means 1
010 takes out the password 1070 and the arbitrary numerical value 1230, decrypts them, synthesizes them while performing appropriate bit operation such as bit shift and operation, and automatically generates a unique encryption key for each encryption folder. Arbitrary number 12
The numeral 30 is a numerical value having a sufficient bit size for generating an encryption key from the password 1070, and is input by the user only once when the encryption folder 1040 is generated. Also,
The encryption key automatic generation means 1010 automatically generates the encryption key from the registered password 1070 at the time of generating the encryption folder and encrypts and stores the encryption key in the encrypted data area 1050 together with the password, as in the embodiment described later. is there. In this case, since the registered encryption key can be used for encryption, it is not necessary to successively generate the encryption key.

The plaintext file 1030 is encrypted by the file encryption / decryption means 1000. When there is a file encryption instruction from the user, the file encryption / decryption means 1000 first automatically generates an encryption key from the password 1070 of the encryption folder 1040 designated by the user by the encryption key automatic generation means 1010. Then, the plaintext file 1030 designated by the user is encrypted by using the encryption key implicitly automatically generated and stored as the encrypted file 1090 in the encrypted file area 1080 of the encryption folder 1040. In this way, when the encrypted folder is generated, the password 1070 is stored in advance in the encrypted folder 1040, the encryption key is automatically generated based on the password 1070, and the file is encrypted by the encryption key, so that the user can A file can be encrypted by a simple operation such as file selection and activation of the file encryption / decryption means 1000 without performing authentication by password input or opening of an encryption key.

Further, the file encryption / decryption means 1000
When storing the encrypted file 1090, the file name conversion unit 1220 generates a unique internal name for each encrypted file 1090, stores the encrypted file 1090 in the encrypted file area 1080 using the name, and encrypts the encrypted file 1090. The folder 1040 is an area hidden from the user. At the time of decryption, in order to restore the original plaintext file, the name of the corresponding plaintext file 1030 and the name of the encrypted file 1090 are stored in the plaintext file / encrypted file correspondence table 1060 of the encrypted data area 1050. In this way, the encryption folder 1040 is created by encrypting the encrypted data area 1050 with the encryption key for encrypting the internal data and converting the encrypted file name by the file name conversion means 1220 and the plaintext file / encrypted file correspondence table 1060. Hide from users and free them from managing encrypted files and encryption keys.

The plaintext file 1030 is also decrypted by the file encryption / decryption means 1000.

When the file encryption / decryption means 1000 is started for decryption, the file encryption / decryption means 1000 performs authentication processing with the password 1070 for the user input password, and then the plaintext file / encryption file correspondence table. With reference to 1060, the cipher files 1090 in the cipher file area 1080 are displayed in a list with plaintext file names. In this state, the encryption folder 10
With 40 open, the user can select and decrypt the encrypted file 1090 in the encrypted file area 1080 from the list display with the plaintext file name. When the user selects one or more encrypted files 1090 from the list and activates the file encryption / decryption means 1000 again, the file encryption / decryption means 1000 first uses the password 1070 by the encryption key automatic generation means 1010. Automatically generate encryption key. Next, with reference to the plaintext file / encrypted file correspondence table 1060, the plaintext file name selected by the user by the file name conversion means 1220 is converted into the name of the encrypted file 1090, and is extracted from the encrypted file area 1080. Further, it decrypts using the automatically generated encryption key and restores the plaintext file with the original plaintext file name.

As described above, the encryption key automatic generation means 1010 and the file name conversion means 122 are also used when the file is decrypted.
0 and plaintext file / encrypted file correspondence table 1060
Password 107 without paying attention to the encryption key.
Input 0, select encrypted file by plaintext file name,
Then, the file can be decrypted by a simple operation of starting the file encryption / decryption means 1000.

Next, with reference to FIG. 3, an embodiment for converting an encrypted folder into an external file for the purpose of transferring the encrypted folder to another computer through a medium such as an FD (Floppy Disk) or a network will be described. . The encrypted folder 1040 in FIG. 3 is the same as the encrypted folder in FIG. When the user requests the conversion of the encrypted folder to the external file, the encrypted folder / file generating means 1100 causes the encrypted folder 10 selected by the user to be generated.
40 encrypted file area 1050, encrypted file area 1080 encrypted file area 1080
Read the data of each, combine them into one file,
Create an encrypted folder file 1120. The encrypted folder file 1120 is output as an external file to a specific directory on the disk 4 or the FD 1300.

The encryption folder file 1120 is the FD1
The file encryption function according to the concept of the present invention can be transferred to a preset computer via 300, the network 1400, or the like, and can be restored to the encrypted folder 1040 again by the encrypted folder generation means 1110. The encrypted folder generation means 1110 uses the encrypted folder file 1120 to generate the encrypted data area 1050 and the encrypted file area data 1
The data of each 130 is read out, and based on this data, the encrypted folder 1040 is generated on the disk 4 connected to the transfer destination computer in the same manner as the encrypted folder generating means 1020. The encrypted file stored in the encrypted folder can be decrypted by inputting the password just as in the embodiment of FIG.

In the embodiment of FIG. 3, one file is used as the encrypted folder file 1120. However, when the computer operating system (OS) supports transfer for each directory, the files in the directory of the encrypted folder or Of course, it is also possible to collect the directories in an appropriate directory and store them in a medium such as the FD1300 as an external file group.

Further, when the encrypted folder file 1120 is composed of one file as in the embodiment of FIG. 3, the size of the encrypted folder file 1120 may be large because the data of a plurality of encrypted files are included inside. is there. In this case, the encryption folder / file generating means 110
When the encrypted folder file 1120 is generated by 0, data compression processing is performed, and when the encrypted folder generation unit 1110 generates the encrypted folder 1040 again, decompression processing is performed. Can be reduced.

In the embodiment shown in FIG. 3, the file encryption system according to the concept of the present invention is preliminarily set in the computer that transfers the encrypted folder file 1120. This is inconvenient when distributing the encrypted file to any computer. Therefore, in another embodiment of FIG. 4, the encrypted file in the encrypted folder / file can be expanded even on a computer in which the file encryption system of the present invention is not preset.

The self-decoding file generation means 1140 is
The data of the encrypted data area 1050 of the encryption folder 1040 and the data of the encryption file 1090 are read and combined. Further, using this as the data to be decrypted, the decryption means 1170 and the encryption key automatic generation means 10 having a function equivalent to the decryption processing of the file encryption / decryption means 1000.
10 is connected to the file of the decryption program 1150 constituted by 10 and 10 to generate the file of the self-decryption program 1160. The self-decryption program 1160 uses a specific directory on the disk 4 or FD1 as an external file.
Output to 300.

When the self-decoding program 1160 is transferred to another computer and executed, the decoding means 1170 is activated. The decryption unit 1170 reads the data of the encrypted data area 1050 and the encrypted file area data 1130 from the data of the encrypted folder 1040 combined as the internal data. Then, the user is requested to input a password, the password is compared with the password 1070, and if the password is correct, the decryption process is started. Password 1070
The process of automatically generating the encryption key from the data and decrypting the data of the encryption file 1090 is the same as that of the embodiment of FIG. Output the decrypted plaintext file 1030 to, for example, the directory specified by the user on the disk 4 connected to the transfer destination computer, and finally, if necessary, delete the self-decryption program 1160 itself from the disk, The self-decoding process ends. According to this embodiment, the user of any computer capable of executing a program can access the network 14
An encrypted file can be transferred in units of encrypted folders via 00, greatly expanding the application range of the present invention.

Next, a method for limiting the number of times an unauthorized password is input to prevent unauthorized access to the encrypted folder will be described with reference to FIG. The file encryption / decryption unit 1000, the automatic key generation unit 1010, the encrypted folder generation unit 1020, and the encrypted folder 1040 shown in FIG.
It is the same configuration as. 1180 is an encryption folder 1040
When a user accesses to, the authenticating means 1190 for authenticating the user with the password, the authenticating means 118
0 is a counter for counting the number of times an invalid password is input, and 1200 is for invalidating the encrypted folder 1040 to prevent unauthorized access to the encrypted folder 1040 when an invalid password is input by the user. The encrypted folder invalidating unit 1210 for performing the encryption folder is used to restore the encrypted folder 1040 that is invalidated by the encrypted folder invalidating unit 1200, so that the encrypted folder is backed up before being invalidated.・ Indicates backup means.

The file encryption / decryption means 1000 uses the authentication means 1180 to decrypt the encrypted file 1090 in the encryption folder 1040 by the authentication means 1180.
Require user to enter password to access 040. When the password is input by the user, the authentication unit 1180 causes the password 1070 in the encryption folder to be entered.
In comparison, if they match, it is determined that the user is a valid user, the file encryption / decryption means 1000 is notified, and the processing of the file encryption / decryption means 1000 is advanced. On the other hand, when an incorrect password is input, the authentication means 1180 increments the counter 1190. However, when the correct password is entered, the counter 1190
clear. An invalid password is continuously input, and the value of the counter 1190 is set a predetermined number of times,
For example, if the number exceeds three times, the authentication unit 1180 instructs the encrypted folder invalidation unit 1200 to invalidate the encrypted folder 1040.

Upon receiving an instruction from the authentication means 1180, the encrypted folder invalidating means 1200 receives the encrypted folder 104.
The password 1070 in 0 is deleted. Authentication means 118
When 0 confirms that the password 1070 has been deleted, the authentication process is stopped and the user is notified as a message that the encrypted folder is invalid. Therefore, once the password 1070 is deleted,
Access to the encryption folder 1040 becomes impossible.

When invalidated, even a legitimate user cannot access the encrypted folder 1040. Therefore, a means for restoring the invalidated encrypted folder 1040 by the authorized user is required. Therefore, the encrypted folder backup means 1210 provides a function of backing up the encrypted folder 1040.

Encryption folder backup means 1210
Copies the content of the password 1070 to a removable medium such as the FD 1300 when backing up the encryption folder 1040. Further, the cipher folder name 1240 is recorded in the FD 1300 as information for specifying the cipher folder 1040. When returning, the encrypted folder name 1240 is compared and the backed up FD1
It is confirmed that the contents of 300 and the encryption folder 1040 match, the password 1070 backed up in the FD 1300 is copied to the encryption folder 1040, and the encryption folder 1040 is returned to the original state.

To prevent the FD1300 used for backup from being used for unauthorized restoration processing, the FD1300
At the time of recovery by, the encrypted folder name 1240 is compared, the password input is requested to the user, and the password 1070 in the FD 1300 is checked for a match, whereby an unauthorized recovery process by a third party can be prevented.

This encrypted folder backup means 121
By setting 0, the user prepares the encrypted folder 1040 for invalidation and backs up the encrypted folder in advance in the FD 130.
By keeping it in 0 etc., even if the encrypted folder 1040 is invalidated by an invalid password input, the FD13
It is possible to restore the encryption folder 1040 by using 00 and access again.

The encryption folder backup means 12
The backup operation of 10 can be performed after the password authentication, and the recovery operation can be performed at any time.
Only a legitimate user can back up the encrypted folder 1040, and even if it is invalidated, it can be restored, and it is possible to prevent unauthorized backup by a third party.

FIG. 6 shows a block diagram of an embodiment of the present invention, which will be described in more detail.

Reference numeral 11 is a file encryption control program for implementing the present invention. Reference numeral 111 is a user interface unit for the user to perform file encryption.
Reference numeral 1111 is a file encryption user interface. This user interface 1111 is
A simple file encryption operation, which is a feature of the present invention, is realized. Reference numeral 1112 is a user interface for file decryption. Reference numeral 1113 denotes a file encryption metaphor registration user interface for registering a metaphor that is an operation target for the user to perform file encryption. Using this encryption metaphor, the user interface 1111 realizes the above-described simple file encryption operation. Reference numeral 112 denotes a file encryption area generation unit that secures a data area required for file encryption on the disk 4. Reference numeral 113 is a password registration means for previously registering a password required for user authentication. Reference numeral 114 is an encryption key generation / registration means for generating and registering an encryption key required for file encryption. This encryption key generation / registration means automatically generates an encryption key, which is a feature of this embodiment, using the password input by the user. 1
Reference numeral 15 is a user authentication means for comparing the password input by the user with the password registered in advance to authenticate the user. Reference numeral 116 is a file encryption unit that performs encryption in file units. Reference numeral 117 is a file decryption unit that decrypts in file units. 118 is
It is an internal data encryption / decryption unit that realizes encryption of internal data in order to maintain the confidentiality of the encrypted file. Reference numeral 119 is a data encryption / decryption unit that encrypts / decrypts data using a given encryption key.

12 is a file encryption control program 1
It is file encryption control data for controlling 1.
This file encryption control data is processed on the memory,
It is saved on the disk 4 so that it is valid even when the system is restarted. Reference numerals 121, 122, and 123 are encryption data areas for storing control data that needs to be encrypted and stored in the disk 4 in order to maintain the confidentiality of the encrypted file in the file encryption control data 12. . 1
211 is the password data entered by the user, 12
12 is the data of the automatically generated file encryption key, 121
31 and 12132 are file name change information holding the correspondence relationship between the original plaintext file name when the name is changed to hide the encrypted file from the user and the changed encrypted file name. This is file position information on the disk 4 that existed before the encrypted plaintext file was encrypted. 120 is an internal data encryption key for encrypting internal data.

Reference numeral 13 is a file management means for providing a management function for the user to operate and manage the files on the disk device 4.

Reference numerals 141 and 142 are plaintext files stored on the disk 4 and to be encrypted. In the present embodiment, the file encryption control program 11 is executed according to the user's instruction for the plaintext files 141, 142, etc. to be encrypted.
, Using the file management means to notify.

Reference numerals 151, 152, and 153 are encrypted file areas secured on the disk 4 for storing the encrypted file data 1511 and 1512.

The correspondence between the components shown in FIG. 6 and the components shown in FIG. 1 is as follows: the file encryption area generation means 112, the password registration means 113, the encryption folder generation means 1020,
The encryption key generation / registration means 114 is the encryption key automatic generation means 1
010, the file encryption means 116, the file decryption means 117, and the data encryption / decryption means 119 are stored in the file encryption / decryption means 1000.
1, 122, and 123 are in the encrypted data area 1050,
Powered 1211, password 1070, file name change information 12131, 12132, plain text file /
The plaintext file 1 is added to the encrypted file correspondence table 1060.
41 and 142 are in the plaintext file 1030, and encrypted file areas 151, 152 and 153 are in the encrypted file area 1
In 080, the ciphers 1511 and 1512 are cipher file 1
090 respectively.

Next, the procedure for registering the file encryption metaphor,
A file encryption procedure and a file decryption procedure will be described with reference to flowcharts.

FIG. 7 is a flowchart showing a processing procedure at the time of file encryption metaphor registration. When the user operates the encryption metaphor generating means (program) 1113 which is the user interface to activate the file encryption metaphor registration processing (step 5001), the user interface 1113 first activates the file encryption area generating means 112. By controlling, the encrypted data area 121 is created as a file on the disk 4 and the encrypted file area 151 is created as a directory on the disk 4 (step 5002). These files and directories are created, for example, under a directory on the disk 4 storing the encryption control program 11. Further, in the present embodiment, since the user can generate a plurality of metaphors for encryption by the user interface 1113, the file encryption area generation means 112 is used by the user every time the user generates a metaphor. , The encrypted data areas 122 and 123, and the encrypted file area 15
2, 153, etc. are generated at any time. As a result, the user can operate the respective metaphors to classify and store the files in the independently set storage areas of the encrypted files. The user can classify, encrypt, and save files for each user or for each file type, for example. Next, the user interface 1113 requests the user to input a password (step 5003). The password entered by the user is passed to the password registration means 113. The password registration unit 113 uses the internal data encryption key 120 to encrypt the password input by the user by the internal data encryption / decryption unit 118. The internal data encryption / decryption means 118 performs data encryption by the data encryption / decryption means 119. When the password is encrypted, the password registration means 113 stores it in the disk 4 as the password 1211 (step 5004). When the registration of the password is completed, the password registration means 113 passes the password before encryption to the encryption key generation / registration means 114. When the password is passed, the encryption key generation / registration means 11
Reference numeral 4 automatically generates an encryption key by, for example, synthesizing a password and a numerical value previously assigned to each encrypted data area so as to be unique and performing a bit operation or the like. Further, the encryption key generating / registering means 114
Encrypts the generated encryption key by the internal data encryption key 120 and the internal data encryption / decryption means 118, and stores it in the disk 4 as the file encryption key 1212 (step 5005). The encrypted file areas 151, 152, 153 and the encrypted data area 1 as described above
When the generation / registration process of 21, 122, 123 is completed,
Finally, a metaphor registration process for file encryption is performed (step 5006). Registration of this metaphor will be described in an example described later.

Next, the processing procedure at the time of file encryption will be described with reference to the flowchart of FIG. When the user executes the file encryption control program 11 after performing the above-described encryption metaphor registration processing (step 60).
01), the user interface 1111
Displays the file encryption metaphor for the user to perform file encryption processing operations. When the user operates a pointing device such as the mouse 7 to select a plaintext file to be encrypted on the user interface of the file management means 13 and then selects a file encryption metaphor, the user The interface 1111 starts the file encryption process for the selected plaintext file (step 6002). These user interfaces will be described in detail in the examples below. By the way, for example, when the plaintext file 141 is selected, the user interface 1111 first passes the plaintext file name to the file encryption means 116. Upon receiving the plaintext file name 141 to be encrypted, the file encryption means 116 creates an encrypted file name (step 6003). This encrypted file name is generated, for example, by combining a serial number created from the counter value of the number of times of encryption processing and a specific character so as to be unique to each encrypted file. Next, in order to restore the original plaintext file name at the time of decryption, after encrypting the set of the encrypted file name and the plaintext file name of 141 by the internal data encryption key 120 and the internal data encryption / decryption procedure 118, The file name change information 12131 is stored in the disk 4 (step 60).
04). Next, the file encryption means 116 uses the internal data encryption key 120 and the internal data encryption / decryption means 1 for the position information of the plaintext file 141 on the disk 4 (positional information of the directory in which the plaintext file 141 was stored).
File position information 12141 after encrypted by 18
Is stored in the disk 4 (step 6005). Next, the data of the plaintext file 141 is read from the disk 4, and the internal data encryption key 120 and the file encryption key 1212 decrypted by the internal data encryption / decryption procedure 118 are read.
Data is encrypted by the data encryption / decryption means 119, and the encrypted file / data 1511 is stored in the disk 4
(Step 6006). The above is the file encryption process. When file encryption processing is started for a plurality of plaintext files, step 600
The processing from step 3 to step 6005 is repeated (step 60
07). However, the above procedure is an example, and especially when encrypting multiple files, by changing the procedure and encrypting and storing the file name change information and file position information etc. for multiple files collectively, further processing It goes without saying that the invention can be devised such as speeding up.

Next, the processing procedure at the time of file decryption will be described with reference to the flowchart of FIG. For example, when the user interface 1112 is activated by performing an operation such as pointing to the file encryption metaphor and continuously pressing the mouse twice (hereinafter referred to as double click), the user interface 1112 is activated. Starts the file decryption process (step 7001). These user interfaces will be described in detail in the examples below. User interface 11
As the file decryption processing, the first step 12 requests the user to input a password in order to authenticate the user (step 7002). When the user inputs the password, the user interface 1112 passes the password to the user authentication means 115. User authentication means 1
When the password 15 is received, the encrypted password 1211 is taken out from the disk 4, decrypted by the internal data encryption key 120 and the internal data encryption / decryption procedure 118, and compared with the password input by the user, Check if user (step 700)
3, 7004). If the passwords do not match with each other, the user is warned by issuing a message or the like and the process is terminated (step 7005). On the other hand, if the passwords match, the user interface 1112 starts window display processing for file decryption. First, in order to display a list of encrypted files on the window, the user interface 1112 requests the file decryption means 117 for a list of encrypted file names. When receiving the request for the list of encrypted file names, the file decryption unit 117 sequentially extracts the file name change information 12131 and 12132, and decrypts them by the internal data encryption key 120 and the internal data encryption / decryption procedure 118. Will be transformed. And the cryptographic area 1 associated with the currently selected cryptographic metaphor
When all the file name change information on 21 is acquired, a list of original plaintext file names of encrypted files is created (step 7006) and returned to the user interface 1112. All the file name change information on the decrypted encrypted area 121 is held in an appropriate buffer for use later in file decryption. Upon receiving the list of encrypted plaintext file names, the user interface 1112 displays the list on the window (step 7007).
Next, when the user selects a file to decrypt from the list of encrypted plaintext filenames on the window (step 7008), the user interface 1112.
Creates a list of selected file names and passes it to the file decryption means 117 together with the file decryption request. Upon receiving the file decryption request, the file decryption means 117 first reads out the file encryption key 1212, and decrypts the file encryption key 1212 by the internal data encryption key 120 and the internal data encryption / decryption means 118. After that, with the file decryption request, the file names on the list of file names selected by the user, which were received together, are sequentially fetched, and the file names that are decrypted and stored in the buffer when creating the list of all encrypted files are changed. Search for a matching file name from the plaintext file name of the information,
The encrypted file name is converted into the encrypted file name stored in the encrypted file / data area 151 (step 7009). Then, the file position information corresponding to this encrypted file is acquired from the file position information in the encrypted data area 121, and the position of the original file on the disk 4 is specified (step 701).
0). Further, the encrypted file data having the converted encrypted file name is read from the encrypted file data 151,
The decrypted file encryption key 1212 is used to decrypt the data by the data encryption / decryption means 119, and the decrypted file is stored in the original position of the disk 4 as a plaintext file (step 7011). The processes of steps 7009 to 7011 of the file decrypting means 117 are repeated for all the files selected by the user (step 701).
2). The above is the file decryption process.

Each of the processes shown in FIGS. 7 to 9 can be described individually or collectively as a program in a computer-readable disk or semiconductor memory. The aspect is also included in the present invention.

Next, on the personal computer, Gra
Microsoft's operating system "MS-Windows" (MS-Wind), which realizes a user interface with a physical user interface (GUI)
ows will describe the user interface in one embodiment in which the present invention is applied to the registered trademark of Microsoft Corporation in the United States, by using a diagram showing a concrete image of a screen.

Further, in the present embodiment, the "safe folder" which imitates the safe, which is the most common tool for realizing the security function in daily life, is realized as the file encryption metaphor. By using such everyday items as metaphors, we made it possible for end users to easily operate advanced security functions together with simple operations.

FIG. 10 shows an image of the window of the safe folder registration / deletion utility for realizing the registration function of the file encryption metaphor. By the user pointing to the new registration button with the mouse to select it, pressing the mouse button and immediately releasing it (hereinafter referred to as clicking the operation by pointing with the mouse to select, pressing the mouse button and immediately releasing) , When the new registration of the safe folder is activated, the new folder registration window shown in FIG. 11 is displayed.

In this embodiment, as described in the embodiment of FIG. 6, registration of a plurality of encrypted metaphors is realized. Therefore, in the new folder registration window of FIG. 11, when a plurality of safe folders are registered, the user inputs a folder name for distinguishing each folder. Further, in the new folder registration window of FIG. 11, user authentication and password input serving as a base for generating an encryption key are performed. It also issues a password re-entry request to prevent typos.

FIG. 12 shows a state in which a safe-shaped icon as a safe folder metaphor is registered in the program manager, which is a program execution utility of MS-Windows, by the new folder registration operation. If you register multiple safe folders by repeating the new folder registration operation, the safe folder list window will show
A plurality of safe folder icons with different names under the icon are registered.

FIG. 13 shows the operation of deleting the already registered safe folder in the same window of the safe folder registration / deletion utility as in FIG.
The name of the safe folder registered as shown in the figure is registered. In the display area showing the folder list, select the safe folder by clicking with the mouse and select the delete button.
The folder deletion window 4 is displayed. Therefore, if the password input when the safe folder is registered is entered, the safe folder is deleted. Although this delete function was not described for convenience in the embodiment shown in the block diagram of FIG. 6,
This can be realized by deleting the file in the encrypted data area corresponding to the deleted safe folder, and the directory in the encrypted file area and the encrypted file below it.

By the way, in the state shown in FIG. 12, although the programs for encryption and decryption are registered in the program manager, they have not been executed yet. However, once the safe folder icon is registered in the program manager, for example, the safe folder icon on the safe folder list window is clicked twice with the mouse (hereinafter, the mouse is clicked twice continuously). This is referred to as double-clicking), so that a program for encrypting and decrypting the safe folder can be executed. FIG. 15 shows a safe folder icon when the safe folder program is executed by the above operation. The icon of the safe folder at the time of execution is the same as the execution status of general programs.
It is displayed in the wallpaper area that is the background of windows. By operating the safe folder icon in this state, file encryption and decryption can be performed very easily.

FIG. 16 shows a screen in which a plurality of files are encrypted from the safe folder icon in the running state. First, in the window that displays the list of file names of the file manager, which is the file management utility for MS-Windows, move the mouse over multiple file names to select, and then release when you have made the selection ( The operation of moving the mouse while holding down the mouse button and releasing the mouse is referred to as "drag and drop" below. Select multiple files to be encrypted. Drag again with the selected file group.・ Starting the AND-DROP operation and dropping (mouse button release operation) on the safe folder will encrypt the selected files. As described above, if the safe folder is used, the file can be encrypted at any time by an extremely simple operation such as drag and drop via the file manager or the like simply by executing the icon and displaying the icon. Further, as described in the embodiment of the block diagram of FIG. 6, when the encryption metaphor of the safe file is registered, the encryption key is automatically generated internally from the password used for the authentication of the user, so that the user is aware of the encryption key. It is not necessary to do so, and since the encryption is implicitly used for encryption, it is very effective in simplifying the operation that user authentication is not required. By doing this, for example, if the safe folder is set to be automatically executed when MS-Windws is executed, the user can feel free to use this information whenever he / she creates a memo of private information or a confidential document related to business. It is very convenient because files can be encrypted by a high-level encryption function that uses an encryption key and saved without fear of being seen by a third party.

Of course, for a user who may worry about inadvertent encryption because it can be encrypted easily, for example, after the safe folder is executed, the password authentication is performed only for the first encryption operation. 6, the user interface 1111 for file encryption is provided with a counter for counting the number of encryption processes, and the user authentication means 115 is provided only when the encryption process is activated for the first time. This can be easily realized by performing user authentication according to, and the user can be made to select such an operation as an option when registering the safe folder.

Next, in the present embodiment, the file decryption process is activated by double-clicking the safe folder in the state shown in FIG. If the user who displays the password input window of FIG. 17 by double-clicking on the safe folder matches the password specified when the safe folder is registered, the file decryption window of FIG. 18 can be opened. Needless to say, if the password is wrong, the file decryption window cannot be opened, and a third party who does not know the password cannot access the encrypted file.

In the file decryption window as shown in FIG. 18, a list of files that have already been encrypted and stored in the safe folder is displayed. To decrypt a file, click the file name you want to decrypt on the list of encrypted files with the mouse, select it, and then click the eject button to encrypt it on the disk, as shown in FIG. Restores the original plaintext to the previously stored directory and stores it. Further, similarly, the file can be deleted by selecting the file with the mouse and clicking the delete button as shown in FIG.

If the encrypted file is not referred to in the list of the decryption window, the file name in the plain text is changed to the file name by the serial number or the like as described in the embodiment of the block diagram of FIG. Therefore, even if the file management utility such as the file manager looks into the encrypted file area 151 of the safe folder and the like does not know what the file is, more confidentiality is maintained.

[0065]

According to the present invention, even an end user who is not familiar with the mechanism and operation of a computer can easily utilize the encryption / decryption of data such as files by intuitive and simple operation. It is possible to easily improve the security of personal information on a computer and confidential information related to business.

[Brief description of drawings]

FIG. 1 is a block diagram showing one embodiment of the present invention.

FIG. 2 is a block diagram showing a basic system configuration to which the present invention is applied.

FIG. 3 is a block diagram showing another embodiment of the present invention.

FIG. 4 is a block diagram showing another embodiment of the present invention.

FIG. 5 is a block diagram showing another embodiment of the present invention.

FIG. 6 is a block diagram showing another embodiment of the present invention.

FIG. 7 is a flowchart showing a procedure of file encryption metaphor registration processing.

FIG. 8 is a flowchart showing a procedure of file encryption processing.

FIG. 9 is a flowchart showing a procedure of file decoding processing.

FIG. 10 illustrates safe folder registration / registration according to an embodiment of the present invention.
It is a figure which shows a deletion utility window.

FIG. 11 is a diagram showing a new folder registration window of a safe folder.

FIG. 12 is a diagram showing a window of a program manager in which a safe folder is registered.

FIG. 13 shows safe folder registration / registration according to an embodiment of the present invention.
It is a figure which shows a deletion utility window.

FIG. 14 is a diagram showing a folder deletion window of a safe folder.

FIG. 15 is a diagram showing an icon when a safe folder is executed.

FIG. 16 is a diagram showing an operation screen for encrypting a file in a safe folder via a file manager.

FIG. 17 is a diagram showing a password input window for opening a window in a safe folder.

FIG. 18 is a diagram showing a decryption window for a safe folder.

FIG. 19 is a diagram showing a file decryption operation in a decryption window of a safe folder.

FIG. 20 is a diagram showing a file delete operation in the safe folder decryption window.

[Explanation of symbols]

1 ... CPU, 2 ... ROM, 3 ... RAM, 4 ... Disk, 5 ...
Display, 6 ... Keyboard, 7 ... Mouse, 8 ...
System bus, 11 ... File encryption control, 111 ...
User interface, 112 ... File encryption area generation means, 113 ... Password registration means, 114.
..Cryptographic key generation / registration means, 115 ... User authentication means, 1
16 ... File encryption means, 117 ... File decryption means, 118 ... Internal data encryption / decryption means, 119 ...
Data encryption / decryption means, 12 ... File encryption control data, 121, 122, 123 ... Encrypted data area, 13 ... File management means, 141, 142 ... Plaintext file, 151, 152, 153 ... Encrypted file area, 1000 ... File encryption / decryption means, 1010.
..Automatic encryption key generation means, 1020 ... cipher folder generation means, 1030 ... plain text file, 1040 ... encryption folder, 1050 ... encrypted data area, 1060 ... plaintext file / encrypted file correspondence Table, 1070 ... Password, 1080 ... Cryptographic file area, 1090 ...
Encrypted file, 1100 ... Encrypted folder / file generating means, 1110 ... Encrypted folder generating means, 1120.
..Encryption folder file, 1130 ... encryption file area data, 1140 ... self-decryption program generating means, 1150 ... decryption program, 1160 ... self-decryption program, 1170 ... decryption Means, 1180 ...
Authentication means, 1190 ... Counter, 1200 ... Cryptographic folder invalidating means, 1210 ... Cryptographic folder backup means, 1230 ... Arbitrary numerical value, 1240 ... Cryptographic folder name, 1220 ... File name conversion Means, 1300 ... F
D, 1400 ... Network

─────────────────────────────────────────────────── ─── Continuation of the front page (51) Int.Cl. ⁶ Identification number Office reference number FI Technical display location G09C 1/00 630 7259-5J G09C 1/00 630Z 660 7259-5J 660D H04L 9/08 H04L 9 / 00 601A 9/32 601Z 673A (72) Inventor Hiroshi Furukawa 1099, Ozenji, Aso-ku, Kawasaki-shi, Kanagawa Ltd. System Development Laboratory, Hitachi, Ltd. (72) Masato Sumitomo 810, Shimoimazumi, Ebina, Kanagawa Hitachi, Ltd. Office Systems Division (72) Inventor Yuichi Kobayashi 810 Shimoimazumi, Ebina City, Kanagawa Prefecture Hitachi Systems Division, Office Systems Division

Claims (18)

[Claims] 1. A file encryption / decryption means for encrypting and decrypting a plaintext file designated by a user with an encryption key in a data encryption system for encrypting / decrypting information on a computer; A storage area means for storing at least one encrypted file encrypted by a file encryption / decryption means using a specific encryption key, and storing encryption information for managing the file, and the encryption information storage area means An information encryption / decryption device including a password registration means for registering an authentication password when a user accesses. 2. A file name conversion means for converting a file name of the plaintext file into a file name of an internal encrypted file of the encryption information storage area means, a file name correspondence table of the plaintext file name and the encrypted file name. And an internal data encryption / decryption means for encrypting internal data related to encryption input to the encryption information storage area means, thereby hiding the encryption information storage area from a user. 1. An information encryption / decryption device described in 1. 3. An encryption key automatic generation means for automatically generating the encryption key based on the authentication password, wherein the file encryption / decryption means stores a file with an encryption key automatically generated by the encryption key automatic generation means. Encryption, and
The information encryption / decryption device according to claim 1, which performs decryption. 4. The input to the encryption information storage area means,
An internal data encryption / decryption means for encrypting internal data related to encryption is included, and the authentication password is encrypted by the internal data encryption / decryption means and registered in the authentication password storage area of the password registration means. A method for holding a file, decrypting the authentication password when encrypting the plaintext file, automatically generating an encryption key by the encryption key automatic generation means, and encrypting the file using the encryption key. An encryption / decryption device for the information described in 3. 5. The encryption of information according to claim 1, further comprising cryptographic information storage area invalidating means for invalidating the cryptographic information storage area means in response to an unauthorized authentication password input a specific number of times or more. Decoding device. 6. A cryptographic information storage area backup means for making the cryptographic information storage area means invalidated by the cryptographic information storage area invalidating means available again as the cryptographic information storage area means. Information encryption / decryption device. 7. A cryptographic information storage area generating means for generating a plurality of the cryptographic information storage area means, and independently assigning the cryptographic key and the authentication password, respectively, on a storage device. Information encryption / decryption device. 8. The encryption information storage area means is provided with a position information table on the storage device before encryption of the encryption file stored in the encryption information storage area means, and at the time of decryption of the encryption file. 2. The information encryption / decryption device according to claim 1, wherein the plaintext file after decryption is automatically returned to the original position on the storage device. 9. An external file conversion means for converting all data in the encryption information storage area means into an external file that can be transferred to another computer, and a code for regenerating the encryption information storage area means from the external file. 2. The information encryption / decryption device according to claim 1, further comprising information storage area generation means, which enables transfer of the information of the encrypted information storage area means to another computer. 10. A self-decryption program file capable of automatically decrypting the encryption file in the encryption information storage area means by executing the transfer to another computer for execution and inputting the authentication password. 2. The information encryption / decryption device according to claim 1, further comprising self-decryption program generation means for generating all the data in the information storage area means by integrating the data into a file decryption processing program. 11. A graphic metaphor that allows an image of a cryptographic device such as a safe to be easily imaged is displayed on a screen of a display of a computer as an operation target of file encryption. A user interface means for encrypting a file in response to a simple continuous operation.
An encryption / decryption device for the described information. 12. An information encryption / decryption method in which encryption and decryption of information on a computer is performed by using an apparatus includes the following steps: an encrypted file obtained by encrypting a plaintext file as the information. An encrypted file area to be stored, an encrypted data area to store a plaintext file name and an encrypted file name in association with each other, and a password storage area to store a password obtained by encrypting a password entered by a user with a system key. Providing a specified storage area (storage folder); in encryption, generating an encrypted password using the system key for the password entered by the encrypted user, and storing it in the password storage area; Decrypt with a key to generate an encryption key; encrypt the specified plaintext file using the encryption key Storing the encrypted plaintext file in the encrypted file area; and registering a table showing the correspondence between the plaintext file name and the encrypted file name in the encrypted data area; Display the registration correspondence table of the encrypted data area based on the password input by the user; specify the file name to be decrypted by the user by referring to the display table; the decryption key based on the input password Decrypting the encrypted file with the specified file name using the generated decryption key. 13. The information encryption / decryption method according to claim 12, wherein in the decryption, in response to an input of a decryption user password, the entered password is stored in the password storage area. Collate,
Depending on the result of the authentication, the execution of the decryption process is permitted or denied. 14. An information encryption / decryption method, comprising: setting a plurality of the storage areas and displaying them on a display screen by a metaphor icon that distinguishes and represents each area. 15. An information encryption / decryption method according to claim 14, wherein a file name displayed on the display screen is designated by a pointing device and the plurality of storage areas are displayed by the device in a superimposing relationship. Invoking a decryption operation (process) by identifying one of 16. An information encryption / decryption method according to claim 12, wherein in the decryption, the file name represents an encrypted file stored in an encrypted file area in a storage area. 17. A computer-readable memory medium for instructing operations of encryption and decryption of information on a computer includes the following: storing an encrypted file obtained by encrypting a plaintext file as the information. An encrypted data area for storing a plaintext file name and an encrypted file name in association with each other, an encrypted data area for storing a plaintext file name and an encrypted file name in association with each other, and a user Means for providing a storage area (storage folder) specifying a password storage area for storing the password obtained by encrypting the password input by the user with the system key;
In encryption, means for generating an encrypted password using the system key for the password input by the encrypted user and storing it in the password storage area; means for decrypting the encrypted password with the system key and generating the encryption key; Means for encrypting a specified plaintext file using the encryption key, and storing the encrypted plaintext file in the encrypted file area; and the encryption table for representing correspondence between the plaintext file name and the encrypted file name. Means for registering in the data area; means for displaying the registration correspondence table of the encrypted data area on the basis of the password entered by the decryption user in decryption; referring to the display table, the file name to be decrypted by the user Means for designating the decryption key based on the input password; Using the decryption key has means for decrypting the encrypted file of the specified file name. 18. The medium according to claim 17, wherein in the decryption, in response to an input of a password of a decryption user, the entered password is collated with a password stored in the password storage area to perform authentication. Depending on the result, it includes means for permitting or prohibiting execution of the decryption process.