JPH09282235A - Access control method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve the security of a portable storage medium such as a PC card. SOLUTION: When a ciphering request for using a non-ciphered PC card 1d as a cipher card is issued from a user, the user is urged to input a password to be used in key data generation for the ciphering and deciphering processings of the PC card 1d. Then, the password inputted from the user is stored in the PC card 1d, key data are generated by utilizing the data and the key data are presented to the user. Thereafter, based on the generated key data, the ciphering processing of the data already stored in the mounted PC card 1d and the processing of re-storing the ciphered data in the PC card 1d are performed. Thus, the ciphering is performed even to the PC card 1d in use in which the data are already stored.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an access control method used in a computer system in which a portable storage medium is detachably mounted.

[0002]

2. Description of the Related Art Conventionally, when writing data to a portable storage medium such as a PC card or a floppy disk having a built-in semiconductor memory, a method has been adopted in which the write data is stored in the storage medium as it is without being transformed. As a result, even a user other than the user who wrote the data could easily access the data. As a data security method in this method, write protection by a write protect switch is hardware-wise, and software write-protected files and hidden files by changing attribute information of files are known software-wise.

However, even if such a security system is adopted, anyone can easily analyze and confirm the data structure in the PC card or the floppy disk, and the attributes thereof can be easily changed. Because of this, it was not possible to obtain sufficient confidentiality.

As a data storage method in consideration of security, password data is stored in a storage medium such as a PC card and the password stored in the storage medium is stored by inputting the password at the time of access. A method of performing data writing and reading after performing collation and checking the access right is known. Further, there is also a method in which encryption processing is performed for each file or directory to be stored so that valid data cannot be obtained even if another user accesses it. The encryption key data used at this time is added as attribute information of a file or directory, respectively, and by acquiring this, the decryption of the encrypted data is realized.

However, in these security methods, since the password or the encryption / decryption key data itself is stored in a storage medium such as a PC card, it cannot be analyzed at the time of I / O access, but the storage medium cannot be analyzed. It is possible to obtain them by analyzing the data of, and then easily access the data. In other words, since only a single level of concealment was performed, it was possible to cancel it easily, and this was also low in concealment.

[0006]

As described above, in the conventional security system for a portable memory medium such as a PC card having a semiconductor memory or a floppy disk, a third party can easily change the attribute. You can
Since the password and the data for encryption can be analyzed and acquired, the security technology for concealing the personal information of the portable storage medium carried on an individual basis is low in reliability.

Therefore, recently, the present applicant has proposed a security method of encrypting the data to be written therein in units of storage media such as PC cards rather than in units of files or directories (Japanese Patent Application No. 8-42913).
issue). However, this security method is a method for setting the PC card to perform encryption processing for write data to be written to the PC card in the future when the PC card is formatted. , It cannot be encrypted without reformatting it. Therefore, with respect to a PC card in which data is already stored, the PC card cannot be encrypted while the data is still stored. Further, there is no function for releasing the confidentiality of the encrypted PC card, and there is a problem that the PC card must be reformatted in order to release the confidentiality.

The present invention has been made in view of the above circumstances, and it is possible to easily access a portable storage medium in use by performing encryption processing with high confidentiality for each medium. The purpose is to provide a method.

[0009]

According to the present invention, in an access control method used in a computer system in which a portable storage medium is detachably mounted, an encryption request for the portable storage medium mounted in the computer system is provided. In response to the input password from the user, key data for encrypting / decrypting the data to be stored in the portable storage medium is generated and presented to the user,
The input password is stored in the portable storage medium, the data already stored in the attached portable storage medium is encrypted based on the generated key data, and the encrypted data is stored in the portable storage. When re-stored in a medium and a portable storage medium for storing the encrypted data is attached to the computer system, encryption / decryption key data is generated from an input password read from the portable storage medium, Based on the result of comparison between the generated encryption / decryption key data and the encryption / decryption key data input by the user, the presence / absence of an access right to the portable storage medium is determined, and the access right is determined. When it is determined that the write data is encrypted and the encrypted data is written, in response to a data write / read request for the portable storage medium. Inclusive, or, characterized in that to read and decrypt the encrypted data.

According to this access control method, when the user issues an encryption request for using a portable storage medium such as a PC card or a floppy disk as an encryption card, the encryption and decryption processing of the portable storage medium is performed. The user is prompted to enter the password used to generate the key data for. Then, the password input by the user is stored in the portable storage medium, key data is generated using the data, and the key data is presented to the user. In this way, only the password used to generate the key data is stored in the portable storage medium, and the key data is held and managed inside the software used as the I / O control system for realizing the access control method. It Thereafter, based on the generated key data, an encryption process of data already stored in the mounted portable storage medium, and a process of re-storing the encrypted data in the portable storage medium, As a result, the encryption is performed even on the portable storage medium in use that has already stored data.

When the encrypted portable storage medium is installed in the computer system, access right check is performed. In this access right check, the user is prompted to enter the key data instead of the password, and this is compared with the key data generated from the password read from the portable storage medium. When it is determined that the user has the access right, the write data is encrypted and the encrypted data is written, or the encrypted data is read and the encrypted data is decrypted according to the data write / read request.

Therefore, it is possible to easily perform highly confidential encryption processing on a portable storage medium that is being used in units of the medium. Further, the storage medium does not store the key data used for actual data encryption and decryption, but stores only the original password for generating the key data. Therefore, the confidentiality cannot be released by a third party simply analyzing the data in the storage medium. Therefore, it is possible to realize access control suitable for maintaining security of a portable storage medium, which is characterized in that it is carried in an individual unit and is detachably attached to a computer system for use.

[0013]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 shows a functional configuration of a computer system to which an access control method according to an embodiment of the present invention is applied and a program executed by the computer system. Here, a PC card equipped with a semiconductor memory will be described as an example of a portable storage medium that can be detachably attached to a computer system.

This computer system is provided with a computer main body having an input device 1a consisting of a keyboard, a mouse or a pen, a trackball, etc., and a display device 1c, and this computer main body is in a power-on state. Also, the PC card 1d can be attached and detached.

The processing control unit 1b discriminates whether the PC card 1d is inserted into or removed from the computer system main body, sets or cancels setting of data concealment for the PC card 1d, and discriminates I / O requests requested from the computer system main body. , Data I / O control to the PC card 1d via data encryption and decryption processing, and input / output control via the input device 1a and display device 1c according to these processes. The function is realized by using a PC card driver which is software executed by the CPU in the computer system main body.

The processing control device 1b includes a code / position data 1b1 input from the input device 1a and a display device 1c.
An input / output processing unit 1b3 for processing output data 1b2 such as character data and graphic data output to the computer, and detection of insertion / extraction of the PC card 1d into / from the computer system main body.
And a PC card detection processing unit 1b4 that determines the type of PC card, a data I / O processing unit 1b5 that determines an I / O request for the PC card 1d, and performs data I / O processing on the PC card 1d, An encryption card discrimination processing unit 1b6 for discriminating whether the PC card detected and discriminated by the PC card detection processing unit 1b4 is an encrypted PC card, and an encryption for an unencrypted PC card 1d. A password input processing unit 1b7 for selecting encryption / non-encryption settings, inputting password data used for generating key data (key data) for encryption, and storing it in the PC card 1d, and a password input processing 1b.
Key data generation processing unit 1b8 that generates key data for data encryption / decryption from the password data that is input and stored in step 7, and a key that notifies the user of the key data generated by the key data generation processing unit 1b8. Data notification processing unit 1b9 and encrypted PC card 1d
Access right check processing unit 1b10 for inputting key data and determining the data to check the access right to the encrypted data, and for writing the data to the encrypted PC card 1d, the target data is encrypted. A data encryption processing unit 1b11 to be encrypted and a data decryption processing unit 1b1 to decrypt target data when reading data from the encrypted PC card 1d.
2 and when a regular PC card 1d is attached to the computer system main body and encryption is set for the PC card 1d, the data I / O processing unit 1b5 and the data encryption processing unit 1b11 have already used the PC card. Encryption initial processing unit 1b13 for encrypting data stored in 1d
When a regular PC card 1d is attached to the computer system main body and the encryption setting is released for the PC card 1d, the data I / O processing unit 1b5 and the data decryption processing unit 1b12 have already inserted the card into the card. Decryption processing unit 1b14 for decrypting stored data and deleting password data, block management information data 1b15 for managing data stored in the PC card, and used by each processing unit It is composed of a work data buffer 1b16 used as a buffer for storing and buffering variables.

Further, the PC card 1d is a controller 1d3 which controls data read / write to the common memory 1d1 and the attribute memory 1d2 in accordance with the data I / O control processing signal from the computer system main body.
And a common memory 1d1 for storing data transmitted from the computer system main body via this controller 1d3
And an attribute memory 1d2 in which the attribute information of the PC card 1d is stored. Note that these memories are configured by using a non-volatile memory such as a flash EEPROM.

FIG. 2 shows the block management information data 1b15.
FIG. 1d data write to PC card,
Like the hard disk device and the floppy disk device, the block I / O control is performed by the data I / O control in block (sector) units, so that the block management information data 1b15 includes the total block number data 2a in the PC card, as shown in FIG.
The defective block number data 2b for managing the unnecessary blocks that have become unusable and the block number of the defective block. 1 to N data 2c and spare block number data 2 of the spare block which is the replacement destination of the defective block
d, spare block registration number data 2e which is the number of alternative blocks of the spare block, spare block No. 1 to
It comprises N data 2f.

FIG. 3 is a block diagram of the attribute memory 1d2. The attribute memory has a PC card size 3a, a spare block number 3b, and a manufacturer name 3
c, release version 3d, password data 3
Card attribute information such as d is stored.

The procedure of access control for the PC card 1d executed by using the PC card driver will be described below. First, the basic flow of access control processing will be described.

When the PC card 1d is attached, it is checked whether or not it is an encryption card. If the PC card 1d is not an encryption card, the user is allowed to select whether or not the PC card 1d is to be encrypted. Then, in the case of encryption, the user is prompted to input the password data used to generate the encryption / decryption key data for the encryption and decryption processing. Then enter the entered password data into the PC card 1
Stored in d and encrypted using that data /
It generates key data for decryption and announces the key data to the user. Then, the already stored data is encrypted and the encrypted data is stored again. If the attached card is an encryption card, the user must enter the encryption / decryption key data,
Check the access right to the PC card 1d.

Specifically, access control is performed using the following steps. (1) Input / output step that prompts the user for input and confirmation. (2) PC card detection step of detecting and discriminating the attachment / detachment state between the PC card and the computer system main body, and the proper PC card.

(3) A data I / O request for the PC card is discriminated and the data I / O corresponding to the request is determined.
Data I / O step for processing. (4) An encrypted card check step of checking whether the card is encrypted from the data in the card and notifying the user of the result by the input / output step.

(5) When it is determined in the encryption card check step that the PC card is not encrypted, the input / output step prompts the user to select whether or not to encrypt the PC card, and the encryption is confirmed. If selected, a password input step of urging the user to input the original data of the key data for encryption / decryption, and as a result store the data input by the user in the PC card.

(6) Key data generating step for generating key data for encryption / decryption which is actually used at the time of data encryption / decryption based on the password data input and stored in the password input step .

(7) A key data notification step of announcing the key data generated in the key data generation step to the user in the input / output step. (8) When the PC card is determined to be encrypted in the encryption card check step, the input / output step prompts the user to input key data for data encryption / decryption, and the data is the PC card. An access right check step of determining an access right to the PC card by comparing the data generated in the key data generation step based on the password data stored in the inside.

(9) When writing the data to the PC card when the access right to the PC card is acquired in the access right check step, the key data generation step generates the data encryption / decryption key data, A data encryption step of encrypting the data based on the key data and storing it in the PC card.

(10) PC when access right to the PC card is acquired in the access right check step
Generates data encryption / decryption key data in the key data generation step for reading data from the card,
I / O the result of decrypting the data based on the key data
Data decryption step to pass to the request.

(11) When the PC card is judged not to be encrypted by the encryption card check step, it is judged whether or not there is data in the PC card, and the password input step, the key data generation step and the data encryption are carried out. In the encryption step, an encryption initial processing step of generating key data for data encryption / decryption based on the password data stored in the PC card and encrypting the data in the PC card based on this key data .

(12) When the PC card is determined to be encrypted in the encryption card check step and the access right to the PC card is acquired in the access right check step, the PC card is encrypted in the input / output step. Prompt the user to decide whether or not to cancel, and if the user selects cancellation as a result, delete the password data stored in the PC card and decrypt the encrypted data Decryption Step.

Next, referring to the flowchart of FIG.
A flow of main processing in the PC card access control processing will be described. The access control of the PC card 1d is executed by the PC card device driver resident in the main memory (or EMS memory) of the computer system main body, and this PC card device driver is the main memory when the computer system main body is started. Resident in memory (or EMS memory) and I / O for PC card
Initialization processing such as allocation of O port address or allocation of PC card slot to disk device is performed, and the processing is returned to the computer system main body (step 4).
a-4c). As a result, the PC card device driver waits for the PC card corresponding to the assigned disk device to be attached.

When the PC card 1d is installed in the PC card slot of the computer system main body, the computer system main body detects the PC card installation signal from the PC card 1d and calls the PC card device driver.

The PC card device driver receives the attribute memory select signal from the computer system main body, and the PC card detection processing section 1b4 fetches the data of the attribute memory 1d2 in the PC card into the work memory data buffer 1b16 and mounts it. It is determined whether or not the selected PC card is a PC card that can be recognized by the device driver (steps 4d and 4e).

As a result, when the device driver is determined to be an unrecognizable PC card, the input / output processing unit 1b3
Via, the user is notified that the PC card is not a proper or unformatted PC card, and the process is returned to the computer system main body (steps 4f to 4).
h).

In addition, P which can be recognized by this device driver
When it is determined that the card is a C card, the encrypted card determination processing unit 1
At b6, the data in the password data 3e area in the acquired attribute data is checked to determine whether or not the PC card is set for encryption processing (step 4i). As a result, when it is determined that the PC card is not set with the encryption processing, the encryption card determination processing unit 1b6 informs the user via the input / output processing unit 1b3 that the PC card is not encrypted. , Announcing the selection of whether or not to set the encryption process for the PC card is displayed (step 4j).

If the user selects the encryption setting, the process is returned to the computer system main body after performing the PC card encryption setting process, and if the user who does not set it is selected, the computer system main body is directly processed. The process is returned (steps 4k to 4h). Details of the PC card encryption setting process will be described later with reference to FIG.

Further, when the encrypted card discrimination processing unit 1b6 discriminates the PC card for which the encryption processing has already been set, the access right check processing unit obtains the access right to the PC card. At 1b10,
The user is urged via the input / output processing unit 1b3 to input that the PC card has the encryption processing set and the key data used for the encryption / decryption processing (step 4).
o). And key data generated based on the password data in the data acquired from the attribute memory,
The key data input by the user is compared (step 4)
p). As a result, when the two key data do not match, the error that the access right cannot be obtained is displayed as an error via the input / output processing unit 1b3, and the process is returned to the computer system main body (steps 4q to 4s). Further, when the key data of both are the same, the input / output processing unit 1b3
The user is informed of the fact that the PC card is set with the encryption processing and a selection as to whether or not to cancel the encryption processing setting of the PC card through the user (step 4).
t).

If the user selects the cancellation of the encryption setting, the processing is returned to the computer system main body after performing the PC card encryption setting cancellation processing, and if the user who does not cancel the setting is selected, the computer remains as it is. The process is returned to the system (steps 4u to 4x). Details of the PC card encryption setting cancellation processing will be described later with reference to FIG.

Further, when an I / O request command such as data write or data read is input to the disk device corresponding to the PC card from the input device of the computer system main body, the PC is subjected to the data I / O processing.
After checking the card and performing data I / O processing and setting the status value, the processing is returned to the data I / O command of the computer system main body (steps 4y to 4a '). Details of the data I / O processing will be described later with reference to the flowchart of FIG. 7.

Next, the above-mentioned PC card encryption setting processing, PC card encryption setting cancellation processing and data I / O
The flow of processing will be described. (PC Card Encryption Setting Process) First, the PC card encryption setting process will be described with reference to the flowchart of FIG.

When this processing is called by the main processing of this device driver, the password input processing unit 1b7 sends the key data used for data encryption / decryption processing to the user via the input / output processing unit 1b3. Prompt input of password data for generation (step 5a). The password data input here is stored in the password data 3e area in the attribute memory 1d2 in the PC card (step 5b).

Then, based on this password data, the key data generation processing unit 1b8 actually encrypts the data /
Key data used for decryption is generated, and the key data notification processing unit 1b9 announces the generated key data to the user (steps 5c and 5d).

Further, since the data already stored in the PC card is also encrypted, the encryption initial processing section 1b13 acquires the block management information data in the PC card and based on the information. To obtain the data in the PC card, encrypt the data via the data write process via the encryption process in the data I / O processing unit 1b5,
After storing the encrypted data in the same storage location again, the process is returned to the main process (steps 5e to 5g).

(PC card encryption setting cancellation processing) Next,
The PC card encryption setting cancellation processing will be described with reference to the flowchart of FIG.

When this processing is called from the main processing of this device driver, the descrambling processing unit 1b14
The data in the password data 3e area in the attribute memory 1d2 data in the PC card is deleted (step 6a). Although the password data stored in the PC card at this time is deleted, the key data acquired in the main process before this process is called is retained in the memory.

Then, in order to decrypt the data already stored in the PC card, the block management information data in the PC card is acquired, and the data I is stored based on the information and the key data. After restoring the encrypted data via the data read process via the decryption process in the / O processing unit 1b5, the data is transferred to the same position again via the data write process without the encryption process. Store (steps 6b to 6c). After performing the above processing,
The process is returned to the main process (step 6d). Data I / O Processing (Data I / O Processing) Next, the aforementioned data I / O processing will be described with reference to the flowchart of FIG. Of the data I / O processing, only the data write and data read processing directly related to the present invention will be described here.

Main processing of this device driver or
When this processing is called by the PC card encryption setting processing or the PC card encryption setting cancellation processing, the data I / O processing unit 1b5 again checks whether the PC card is in a state capable of data I / O processing. The data in the attribute memory in the PC card is acquired and confirmed (step 7a). As a result, when the PC card is not a recognizable card or is not mounted, the PC card is announced to the user via the input / output processing unit 1b3, and the process is returned to the main process (steps 7b and 7c). ).

When the PC card is in the data I / O processable state, the process branches depending on the contents of the data I / O request received at the time of the call. If the data I / O request is a data write, it is determined whether or not there is key data in the password data 3e in the attribute memory 1d2 in the PC card or in the memory. Is encrypted (directly if it does not exist), the data is stored in the common memory 1d1 via the controller 1d3, the data in the attribute memory and the block management information data, the status value is set, and then the process is returned to the main process ( Steps 7d-7h).

When the data I / O request is a data read, the data in the common memory 1d1 is acquired via the controller 1d3, the data in the attribute memory and the block management information data, and the data in the attribute memory 1d2 in the PC card is acquired. After determining whether the key data exists in the password 3e or the memory of the device, if it exists, the key data is used to decrypt the data (directly if it does not exist), and the status value is set. The process is returned to the process (steps 7l to 7m).

As described above, in this embodiment,
When the user issues an encryption request that uses the PC card 1d as an encryption card, the user is prompted to enter a password used to generate key data for the encryption and decryption processing of the PC card 1d. Then, while storing the password input by the user in the PC card 1d,
The data is used to generate key data, and the key data is presented to the user. In this way, only the password used to generate the key data is stored in the PC card 1d, and the key data is held and managed inside the device driver. After that, based on the generated key data, the encryption processing of the data already stored in the mounted PC card 1d and the encrypted data are processed by the PC card 1d.
The process of re-storing the data is performed on the PC card 1d in which data is already stored.

When the encrypted PC card 1d is installed in the computer system, access right check is performed. In this access right check, the user is prompted to enter the key data, not the password.
It is compared with the key data generated from the password read from the card 1d. When it is determined that the user has the access right, the write data is encrypted and the encrypted data is written, or the encrypted data is read and the encrypted data is decrypted according to the data write / read request. Therefore, it is possible to easily perform highly confidential encryption processing on the medium of the PC card 1d in use.

Further, the storage medium does not store the key data used for actual data encryption and decryption, but only the original password for generating the key data. Therefore, it is not possible to decipher by simply analyzing the data in the storage medium by a third party. Therefore, it is carried on an individual basis,
In addition, access control suitable for maintaining security of a portable storage medium, which is characterized by being detachably attached to a computer system and used, can be realized.

In the present embodiment, the computer system main unit is displayed as an announcement means for prompting the user to select the confidential (encryption) setting on the PC card and to input the password or the encryption / decryption key data. Although it is described that the device is used, a voice announcement or the like performed by a voice output device of the computer system main body (not shown) may be used. In addition, the display form is GUI
May be taken into consideration. Further, as the data encryption and decryption processing, the method is not specifically described in the present embodiment, but the method may be a secret key encryption method or a public key encryption method. Further, when checking the access right, the number of retries until the key data match may be set a plurality of times. In addition, PC
Although the password data stored in the card is stored in the attribute memory in the PC card in the present embodiment, it may be stored in the common memory. The data to be encrypted may be the entire PC card or may be processed in directory or file units.

Further, regarding the data I / O control method by the data encryption (encryption) setting and the encryption setting cancellation according to the present invention, not only a PC card but also a portable storage medium such as a silicon disk, a mini disk, a DVD, etc. It is a technology that can be applied to all. In particular, by setting and canceling the setting of anonymity at the time of mounting the storage medium into the computer system main body, it is possible to do so without imposing a burden on the user, so that the security of personal information tends to be strengthened in the future. Therefore, the present invention is effective.

[0055]

As described above, according to the present invention, by providing a process of encrypting and re-storing data already stored in a portable storage medium such as a PC card, it is possible to use it. It is possible to set encryption for a portable storage medium as well, and it is possible to improve the confidentiality of a PC card or the like that is used in various small mobile devices and will be used more frequently at the individual level in the future. In addition, when a portable storage medium is attached to the computer system main unit, it is determined whether or not it is an encrypted card. Instead, the data can be encrypted on a card-by-card basis without burdening the user with operations. Furthermore, by newly adding the decryption processing, a portable storage medium is attached to the data processing body, and when the access right is acquired in the access right check step for the storage medium, the encrypted PC card It is possible to realize to restore the normal state.

[Brief description of drawings]

FIG. 1 is a block diagram showing the configuration of a computer system to which an access control method according to an embodiment of the present invention is applied.

FIG. 2 is a PC used in the computer system of the embodiment.
The figure for demonstrating the data management structure of a card.

FIG. 3 is a PC used in the computer system of the embodiment.
The figure for demonstrating the data structure of the attribute memory of a card.

FIG. 4 is an exemplary flowchart illustrating a flow of access control processing in the computer system of the same embodiment.

FIG. 5 is an exemplary flowchart illustrating a flow of PC card encryption setting processing in the computer system of the embodiment.

FIG. 6 is an exemplary flowchart for explaining the flow of PC card encryption setting cancellation processing in the computer system of the same embodiment.

FIG. 7 is a data I in the computer system of the same embodiment.
6 is a flowchart illustrating the flow of the / O processing.

[Explanation of symbols]

1b ... Process control device, 1d ... PC card, 1b4 ... PC
Card detection processing unit, 1b5 ... Data I / O processing unit, 1b
6 ... Encrypted card discrimination processing unit, 1b7 ... Password data input processing unit, 1b8 ... Key data generation processing unit, 1b9 ...
Key data notification processing unit, 1b10 ... Access right check processing unit, 1b11 ... Data encryption processing unit, 1b12 ... Data decryption processing unit, 1b13 ... Encryption initial processing unit, 1b1
4 ... Decryption processing unit.

Claims (4)

[Claims] 1. An access control method used in a computer system in which a portable storage medium is detachably mounted, comprising: an input from a user in response to an encryption request for the portable storage medium mounted in the computer system. Generating key data for encrypting / decrypting data to be stored in the portable storage medium based on a password and presenting it to the user, and storing the input password in the portable storage medium; Encrypting the data already stored in the mounted portable storage medium based on the generated key data,
The encrypted data is re-stored in the portable storage medium, and when the portable storage medium storing the encrypted data is attached to the computer system, the encrypted password is encrypted from the input password read from the portable storage medium. Decryption key data is generated, and based on the result of comparison between the generated encryption / decryption key data and the encryption / decryption key data input by the user, the access right to the portable storage medium is determined. When it is determined that there is an access right, the presence or absence is determined, and in response to a data write / read request for the portable storage medium,
An access control method comprising: encrypting write data and writing the encrypted data; or reading encrypted data and decrypting the encrypted data. 2. When it is determined that the user has the access right, the input password is deleted from the portable storage medium, and the encrypted storage is performed in response to a descrambling request for the portable storage medium. The access control method according to claim 1, wherein the stored data is decrypted and stored again in the portable storage medium. 3. An access control method used in a computer system in which a portable storage medium is detachably mounted, wherein the portable storage medium mounted when the portable storage medium is mounted in the computer system. Is an encrypted medium, and when the mounted portable storage medium is a non-encrypted medium, the portable storage medium is based on an input password in response to an encryption request from a user. Generate key data for encrypting / decrypting data to be stored in and present it to a user, store the input password in the portable storage medium, and based on the generated key data, The data already stored in the portable storage medium is encrypted, the encrypted data is stored again in the portable storage medium, and the mounted portable storage medium is encrypted. When the medium, the encryption / decryption key data is generated from the input password read from the portable storage medium, and the generated encryption / decryption key data and the encryption / decryption input by the user The presence or absence of the access right to the portable storage medium is determined based on the comparison result with the key data for use, and when it is determined that the access right is possessed, in response to the data writing / reading request to the portable storage medium,
An access control method comprising: encrypting write data and writing the encrypted data; or reading encrypted data and decrypting the encrypted data. 4. When it is determined that the user has the access right, the input password is deleted from the portable storage medium, and the encrypted storage is performed in response to a decryption request for the portable storage medium. 4. The access control method according to claim 3, wherein the stored data is decrypted and stored again in the portable storage medium.