JPWO2004088520A1 - Secure network database system and information exchange method - Google Patents

Abstract

Set the confidential coupling degree of multiple elements, set the division rule to divide the information into multiple loosely coupled information based on the set confidential coupling degree, and set the information based on the set division rule The information is divided into a plurality of loosely coupled information, and the divided pieces of loosely coupled information are transmitted to one or more data grid information terminal devices. The data grid information terminal device transmits information communication on the transmission side. The loosely coupled information received from the terminal is stored, and the information communication terminal on the receiving side reads the plurality of loosely coupled information from the information terminal device for data grid, and reconstructs the information from the plurality of loosely coupled information based on the division rule. .

Description

  The present invention relates to a secure network database system and an information exchange method, and in particular, can realize a split transmission and distributed database with high security based on an inexpensive, large-scale and very secure network. , Secure network database system and information exchange method.

In the past, peer-to-peer technology and grid computing technology have been developed, and information processing systems using distributed processing, parallel processing, etc., are increasingly being constructed (for example, “Brendon J. Willsonch, Zou Akira Gen Sano Translation: “All about JAXTA”, Nikkei BP ”,“ Michael Miller / Author Top Studio / Translation Daiwa Institute of Research Information Technology / Supervision, “Introduction to P2P Computing”, Shosuisha ”,“ Katsuhito Jida / Satoshi Hamaya / supervised, "Book that understands P2P as you take it, the next-generation network society where you can see the whole picture, Kanki Publishing", "Foster, I., Kesselman, C., Nick, J. and Tuecke, S., “The Physiology of the Grid: An Open Grid Service. es Architecture for Distributed Systems Integration. ", Globus Project, 2002", "www.globus.org/research/papers/ogsa.pdf,". Tuecke, S., C.k. J., Graham, S. and Kesselman, C., “Grid Service Specification.”, Globus Project, 2002, www.globus.org/research/papers/gsspec.pdf, “SandTol. Gaward, J., Seed, R., Magire, T., Rofrano, J., Sylvester, S., Williams, M., “Java OGSI Hosting Environmental Design-Apportable Grid Service Container Framework.” / Globus Project, 2002 / htw. / Http: // www. -19.pdf "," Christensen, E., Curbera, F., Meredith, G. and Weerawarana., S., "Web Services Description Language (WSDL) 1.1.", W3C, Note 15, 2001, w. . w3. org / TR / wsdl. 5 Sun Microsystems. “Enterprise Java Beans”, “Specification, Version 2.”, JSR 19, www. jcp. org / aboutJava / communityprocess / final / jsr019 / ”,“ OMG. Common Object Request Broker: “Architecture and Specification, Revision 2.2.”, Object Management 96. Java 2 Enterprise Edition (J2EE) .java.sun.com / j2ee / 8W3C: SOAP 1.2: www.w3.org/TR/2001/WD-soap12-20010709 / "," IBM, MicrodSift, Ver200 http: //msdn.mic ossoft.com/library/default.asp?url=/library/enus/dnglobspec/html/ws-security.asp "," The Globus Project, 2002, http://www.globus.org/gul. Microsystems.Java API for XML-based RPC.JAX-RPC 1.0, JSR 101.java.sun.com/xml/jaxrpc/ "," Sun Microsystems. Java Servlet 2.3f. org / aboutJava / communityprocess / final / jsr053 / "," Sun Micr " ossystems.Web Services for J2EE, Version 1.0, JSR 109. http://jcp.org/aboutJava/communityprocess/first/jsr109/ ”, Seed, R., Sandol, T. Http://www.globus.org/ogsa/releases/TechPreview/OGSITPJ2EE.pdf, “Sun Microsystems. Java API for XM Processing 1.1. org / aboutJava / communityprocess / final / jsr063 / ”,“ Sun Microsystems. Java Network Launching Protocol 1.0.1 Specification, JSR 56.http // www.c. “Bray, T., Hollander, D. and Rayman, A. Namespaces in XML, W3C, Recommendation, 1999, www.w3.org/TR/REC-xml-names/”, “Fallside, D.C. XML Schema”. Part 0: Primer.W3C, Recommendation , 2001, www.w3.org/TR/xmlschema-0/., “Brittenham, P. An Overview of the Web Services Inspection Language. 2001, www.ibmwerw. ”,“ Imamura, T, Dillaway, B, Simon. E. XML Encryption Syntax and Processing. W3C, Candidate Recommendation, 2002, http: // www. M., Boyer, J., Fox, B., LaMacc ia, B., Simon, E., XML Signature Syntax and Processing. W3C, Recommendation, 2002, http://www.w3.org/TR/xmlsdigcore/"Apache Axis, Pro. .Org / axis "," von Laszewski, G., Foster, I., Gawor, J., Smith, W. and Tuecke, S. ACM 2000 Java Grand Conference, 2000, www.globus.org/cog ". JUnit, www.junit.org 25 Jakarta Ant, The Jakarta Project. jakarta. apache. org "and the like. ).
Here, the current information system is based on the principle that significant information is handled as a lump in both data transmission and database. The same applies to highly confidential information handled by companies and public institutions. In order to protect the confidentiality of such data, information content is not leaked by encryption.
FIG. 1 is a diagram showing an example of an information exchange system for ensuring security by encrypting information according to the prior art. As shown in FIG. 1, when this encryption is broken and accessed illegally, all information is disclosed at once. Therefore, efforts to increase the strength of encryption and make it difficult to break are continuously being made.
However, as a result of the improvement in computer performance, the current situation is that the technology competition between encryption and decryption has fallen into a never-ending cycle, but the improvement in computer performance will increase the speed of this solution. As a result, there is a problem that the endless competition for the development of encryption technology continues.
Moreover, in such a situation, there is a problem that the result is that the user is constantly increased in computer resources.
As described above, the conventional system has a number of problems, and as a result, it is inconvenient and efficient for both users and administrators of the secure network database system. It was bad.
Therefore, the present invention introduces an unprecedented new security method based on the information exchange system disclosed in Japanese Patent Laid-Open No. 2002-358247 by the present inventor, and is inexpensive, large-scale and extremely suitable for companies. It is an object of the present invention to provide a secure network database system and an information exchange method capable of realizing a high-security divided transmission and distributed database based on a secure network.

In order to achieve the above-described object, a secure network database system according to the present invention is a secure network database system that stores the information processed by an information communication terminal that transmits and receives information including a plurality of elements. The information communication terminal on the transmission side sets a plurality of pieces of the information based on the confidentiality coupling degree setting means for setting the confidentiality coupling degrees of the plurality of elements and the confidentiality coupling degree set by the confidentiality coupling degree setting means. Division rule setting means for setting a division rule for dividing the information into loosely coupled information, and division for dividing the information into a plurality of the loosely coupled information based on the division rule set by the division rule setting means A plurality of loosely coupled information divided by the dividing means and one or more data grid information terminal devices The data grid information terminal device comprises loosely coupled information storage means for storing the loosely coupled information received from the transmitting information communication terminal, and receives information communication on the receiving side. The terminal reads out a plurality of the loosely coupled information from the data grid information terminal device, and reconfigures the information based on the division rule from the plurality of loosely coupled information read out by the reader. And a configuration means.
According to this system, the information communication terminal on the transmission side sets a confidential coupling degree of a plurality of elements, and sets a division rule for dividing the information into a plurality of loosely coupled information based on the set confidential coupling degree. Based on the set division rule, the information is divided into a plurality of loosely coupled information, and the plurality of divided loosely coupled information is transmitted to one or more data grid information terminal devices. The data grid information terminal device stores the loosely coupled information received from the transmission side information communication terminal, and the reception side information communication terminal (where the reception side information communication terminal is connected to the transmission side information communication terminal). May be the same. The same applies hereinafter.) Reads a plurality of pieces of loosely coupled information from the data grid information terminal device in which each piece of loosely coupled information is stored. Reconfigure In, information was divided based on the semantics, physically separated for each decomposed loosely coupled information can be stored in the data grid information terminal device is an independent location.
As a result, there is no complete copy of the original data in any network communication or data storage location, so that the extent of information leakage can be limited even if human acts of criminal acts are performed. become.
In addition, data storage is not concentrated in one place, and communication uses multiple means, so even if a large-scale failure such as a disaster occurs, the impact will spread throughout. Can be prevented.
In addition, by operating a plurality of data grid information terminal devices, which are distributed resources, in parallel, it is possible to realize a function capable of mass storage and use of information that is highly economical and extremely safe.
In addition, the data grid information terminal device can be easily duplicated, and since the redundant configuration including the communication path is easy, it is easy to meet individual usage needs.
This also makes it possible to realize a highly scalable system in which the storage scale of the data grid information terminal device can be started from a small data storage (node).
Here, each data grid information terminal device can be virtually integrated using grid computing or edge computing technology.
In the secure network database system according to the next invention, in the secure network database system described above, the transmission means uses the plurality of loosely coupled information for the data grid using a plurality of transmission paths. Multi-routing means for transmitting to the information terminal device is further provided, wherein the reading means further comprises multi-routing reading means for reading the plurality of loosely coupled information using the plurality of transmission paths.
This more specifically shows an example of the transmitting means and the reading means. According to this system, the transmission means transmits a plurality of loosely coupled information to the data grid information terminal apparatus using the plurality of transmission paths, and the reading means transmits the plurality of loosely coupled information to the plurality of transmission paths. Since the information is read out from the data grid information terminal device, a plurality of pieces of loosely coupled information generated with a reduced degree of confidential coupling can be exchanged using different communication paths. Moreover, the correspondence of loosely coupled information can be concealed, and the confidentiality of information transmitted and received can be further enhanced.
In the secure network database system according to the next invention, in the secure network database system described above, a naming rule setting means for setting a naming rule for setting the name of the element to another name; The information communication terminal on the receiving side further includes aliasing means for changing the name of the element of the information to another name based on the naming rule set by the naming rule setting means. And a name conversion means for converting the name of the element of the information that has been aliased into the original name.
According to this system, the information communication terminal on the transmission side sets a naming rule for setting the name of the element to another name, and changes the name of the element of information to another name based on the set naming rule. Since the information communication terminal on the receiving side converts the name of the aliased information element to the original name based on the naming rule, by generating information having a different name and structure from the original information It is possible to make it difficult to estimate original information at the time of information leakage, and it is possible to further improve the confidentiality of information transmitted and received.
A secure network database system according to the next invention is characterized in that in the secure network database system described above, information is described in XML.
This shows one example of information more specifically. According to this system, since information is described in XML, the confidentiality of XML data can be lowered and confidentiality can be increased by taking advantage of the ease of decomposition and reconfiguration of XML data.
In the secure network database system according to the next invention, in the secure network database system described above, the secret coupling degree setting means includes the name of the element for the element defined in the DTD, The secret coupling degree is set based on at least one of contents and attributes.
This more specifically shows an example of the confidentiality degree setting means. According to this system, since the confidentiality degree is set based on at least one of the element name, content, and attribute for the element defined in the DTD, the content of the XML information element defined in the DTD is set. Based on this, it is possible to efficiently set the confidentiality degree.
The secure network database system according to the next invention further comprises user defining means for defining a user who can access the elements constituting the information in the secure network database system described above. It is characterized by.
According to this system, since a user who can access an element constituting information is defined, a data use restriction function can be realized for the user.
This also makes it possible to realize an appropriate access restriction function even when the user is divided into classes such as an administrator, a data owner, and a data user.
In the secure network database system according to the next invention, in the secure network database system described above, the information communication terminal on the transmission side may divide the plurality of loosely coupled information from the plurality of loosely coupled information by the reconfiguration means. It is further characterized by further comprising reconfiguration information generating means for generating recombination information required when reconfiguring the information based on the rules.
According to this system, the information communication terminal on the transmission side generates recombination information necessary for reconstructing information based on a division rule from a plurality of loosely coupled information by the reconfiguration means. By adding recombination information (such as a kind of password information) for mediating the recombination of loosely coupled information, the confidentiality of the information can be further enhanced.
That is, by adding recombination information generated by random numbers or the like to loosely coupled information, it is possible to make it difficult to estimate the contents when a third party views loosely coupled information. In addition, by defining which recombination information is added to which loosely coupled information in the division rule, the information communication terminal on the receiving side can reconfigure the original information based on the recombination information. Become.
The present invention also relates to an information exchange method. The information exchange method according to the present invention is a secure network database system for storing the information processed by an information communication terminal that transmits and receives information including a plurality of elements. In the information exchanging method executed by using the information exchange terminal, the information communication terminal on the transmitting side sets the confidentiality coupling level of the plurality of elements, and the confidentiality coupling level setting step and the confidentiality coupling level setting step A division rule setting step for setting a division rule for dividing the information into a plurality of loosely coupled information based on the degree of coupling, and the information based on the division rule set in the division rule setting step. A dividing step of dividing the plurality of loosely coupled information into one or more of the plurality of loosely coupled information divided in the dividing step or A loosely coupled information storage for storing the loosely coupled information received from the information communication terminal on the transmitting side, wherein the data grid information terminal device includes a transmitting step for transmitting to one or more data grid information terminal devices The information communication terminal on the receiving side includes a reading step of reading a plurality of the loosely coupled information from the data grid information terminal device, and a plurality of loosely coupled information read in the reading step to the division rule. And a reconstruction step for reconstructing the information based on the information.
According to this method, the information communication terminal on the transmission side sets the security coupling degree of a plurality of elements, and sets a division rule for dividing the information into a plurality of loosely coupled information based on the set security coupling degree. Based on the set division rule, the information is divided into a plurality of loosely coupled information, and the plurality of divided loosely coupled information is transmitted to one or more data grid information terminal devices. The data grid information terminal device stores loosely coupled information received from the transmitting information communication terminal, and the receiving information communication terminal reads a plurality of loosely coupled information from the data grid information terminal device, Because information is reconstructed from loosely coupled information based on the division rules, information is divided based on its semantics, and physically separated for each decomposed loosely coupled information, for data grids that are independent locations It can be stored in the broadcast terminal.
As a result, there is no complete copy of the original data in any network communication or data storage location, so that the extent of information leakage can be limited even if human acts of criminal acts are performed. become.
In addition, because data storage is not concentrated in one place and communication uses multiple steps, even if a large-scale failure such as a disaster occurs, the effect will spread throughout. Can be prevented.
In addition, by operating a plurality of data grid information terminal devices, which are distributed resources, in parallel, it is possible to realize a function capable of mass storage and use of information that is highly economical and extremely safe.
In addition, the data grid information terminal device can be easily duplicated, and since the redundant configuration including the communication path is easy, it is easy to meet individual usage needs.
In addition, this makes it possible to realize a highly scalable method that can start up the storage of the data grid information terminal device from a small data storage (node).
Here, each data grid information terminal device can be virtually integrated using grid computing or edge computing technology.
The information exchanging method according to the next invention is the information exchanging method described above, wherein the transmitting step transmits a plurality of the loosely coupled information to the data grid information terminal device using a plurality of transmission paths. The method further includes a multi-routing step, wherein the reading step further includes a multi-routing reading step of reading the plurality of loosely coupled information using the plurality of transmission paths.
This more specifically shows an example of the transmission step and the reading step. According to this method, the transmitting step transmits a plurality of loosely coupled information to the data grid information terminal apparatus using a plurality of transmission paths, and the reading step transmits the plurality of loosely coupled information to the plurality of transmission paths. Since the information is read out from the data grid information terminal device, a plurality of pieces of loosely coupled information generated with a reduced degree of confidential coupling can be exchanged using different communication paths. Moreover, the correspondence of loosely coupled information can be concealed, and the confidentiality of information transmitted and received can be further enhanced.
The information exchanging method according to the next invention is set in the information exchanging method described above, in a naming rule setting step for setting a naming rule for setting the name of the element to another name, and the naming rule setting step And an aliasing step for changing the name of the element of the information to another name based on the naming rule, and the information communication terminal on the receiving side is aliased based on the naming rule. And a name conversion step of converting the name of the element of the information into an original name.
According to this method, the information communication terminal on the transmission side sets a naming rule for setting the name of the element to another name, and changes the name of the element of information to another name based on the set naming rule. Since the information communication terminal on the receiving side converts the name of the aliased information element to the original name based on the naming rule, by generating information having a different name and structure from the original information It is possible to make it difficult to estimate original information at the time of information leakage, and it is possible to further improve the confidentiality of information transmitted and received.
The information exchange method according to the next invention is characterized in that in the information exchange method described above, the information is described in XML.
This shows one example of information more specifically. According to this method, since the information is described in XML, the confidentiality of the XML data can be lowered and the confidentiality can be improved by taking advantage of the ease of disassembling and reconfiguring the XML data.
An information exchanging method according to the next invention is the information exchanging method described above, wherein the confidentiality coupling degree setting step includes at least one of the name, content and attribute of the element for the element defined in the DTD. The secret coupling degree is set based on the above.
This more specifically shows an example of the confidentiality degree setting step. According to this method, since the confidentiality degree is set based on at least one of the element name, content, and attribute for the element defined in the DTD, the content of the element of the XML information defined in the DTD is set. Based on this, it is possible to efficiently set the confidentiality degree.
The information exchanging method according to the next invention further includes a user defining step in the information exchanging method described above, wherein the transmitting side information communication terminal further defines a user who can access the element constituting the information. It is characterized by.
According to this method, since a user who can access the elements constituting the information is defined, a data use restriction function can be realized for the user.
This also makes it possible to realize an appropriate access restriction function even when the user is divided into classes such as an administrator, a data owner, and a data user.
The information exchanging method according to the next invention is the information exchanging method described above, wherein the information communication terminal on the transmitting side re-configures the information from a plurality of loosely coupled information based on the division rule in the reconfiguration step. The method further includes a reconfiguration information generation step for generating recombination information required for configuration.
According to this method, the information communication terminal on the transmission side generates recombination information necessary for reconstructing information from a plurality of loosely coupled information based on a division rule by the reconfiguration means, and thus is divided. By adding recombination information (such as a kind of password information) for mediating the recombination of loosely coupled information, the confidentiality of the information can be further enhanced.
That is, by adding recombination information generated by random numbers or the like to loosely coupled information, it is possible to make it difficult to estimate the contents when a third party views loosely coupled information. In addition, by defining which recombination information is added to which loosely coupled information in the division rule, the information communication terminal on the receiving side can reconfigure the original information based on the recombination information. Become.

  FIG. 1 is a diagram showing an example of an information exchange system for ensuring security by encrypting information according to the prior art, and FIG. 2 is the case of XML information, and the left side whole information is replaced with two pieces of right side partial information. FIG. 3 is a diagram showing the concept of divided transmission and divided storage of information according to the present invention, and FIG. 4 is a diagram showing security protection by divided transmission and divided storage according to the present invention. FIG. 5 is a diagram illustrating an example of a concept, FIG. 5 is a diagram illustrating a concept of a conventional database system, and FIG. 6 is a diagram illustrating an example of a database system having a decentralized storage configuration according to the present invention. FIG. 7 is a diagram showing the concept of the data grid and relay according to the present invention, and FIG. 8 is a case where the data is divided into two pieces of partial information and transmitted via two different relay servers. Figure showing an example FIG. 9 is a diagram showing an example of extracting information from the database, FIG. 10 is a diagram showing an overview of the end user function of the present invention, and FIG. 11 is a diagram of the file system interface. FIG. 12 is a diagram showing an outline of an SQL interface, FIG. 13 is a diagram showing an outline of an XML interface, and FIG. 14 is a hierarchical grid group of the present invention. FIG. 15 is a diagram showing the concept of a tree group of a tree structure, and FIG. 16 is a diagram showing values of member data grids and their nodes. FIG. 17 is a diagram showing a list of examples of profiles (node profiles) and search formulas and responses to the data grid. FIG. 18 is a diagram showing an example of a node profile by a server, FIG. 18 is a diagram showing a procedure for updating a data grid according to the present invention, and FIG. 19 is a case of finding and searching for a corresponding grid according to the present invention. FIG. 20 is a diagram showing an example of the structure of the data grid according to the present invention, and FIG. 21 shows the concept of the fusion method of the peer technology and the PKI technology according to the present invention. FIG. 22 is a flowchart showing an example of processing in the case where the data owner according to the present invention writes data, and FIG. 23 is a flowchart of data read by the data owner according to the present invention. FIG. 24 is a flowchart showing an example of processing when a data user reads out data according to the present invention. FIG. 25 is a block diagram showing an example of the overall configuration of the system, FIG. 26 is a conceptual diagram showing an overview of the system, and FIG. 27 is an information communication terminal to which the present invention is applied. FIG. 28 is a block diagram showing an example of a software configuration executed in the control unit 102 of the information communication terminal 100 to which the present invention is applied, and FIG. FIG. 30 is a conceptual diagram for explaining the outline of the information flow in the information communication terminal 100, FIG. 30 is a conceptual diagram showing an example of the definition of the confidentiality degree in this system, and FIG. 31 is a sparse diagram of the present invention. FIG. 32 is a conceptual diagram showing an overview of multi-routing of combined XML data, FIG. 32 is a conceptual diagram showing an overview of aliasing of element names according to the present invention, and FIG. 33 shows element names executed by a divider. Aliasing FIG. 34 is a conceptual diagram showing an example of creation of loosely coupled XML data. FIG. 34 is a conceptual diagram showing an outline of generation of various rules used for generating loosely coupled XML in the setting module 102a. FIG. FIG. 36 is a conceptual diagram showing an example of information decomposition and reconfiguration using recombination information. FIG. 36 is a diagram showing an example of original XML information storing card information, and FIG. FIG. 38 is a diagram showing an example of decomposition / reconstruction rules in the present embodiment, and FIG. 38 is a diagram showing an example of loosely coupled XML data decomposed in accordance with the decomposition / reconstruction rules of the present embodiment. FIG. 39 is a diagram showing an example of information pooled on the memory of the information communication terminal 100 on the receiving side in the present embodiment, and FIG. 40 shows the buffer pool in the initial state in the present embodiment. FIG. 41 is a diagram showing an example of loosely coupled XML data obtained by dividing the card number element, and FIG. 42 shows a corresponding card in the buffer pool. FIG. 43 is a diagram in which the card number “123346789799” is set in the number element, and FIG. 43 is a diagram showing the result of receiving all loosely coupled XML data and setting the data in each element on the buffer pool, FIG. 44 is a conceptual diagram showing access management information used for access control according to the present invention. FIG. 45 is a diagram for explaining the concept of access permission elements of the access management information shown in FIG. FIG. 44 is a diagram for explaining the concept of user authority of the access management information shown in FIG. 44. FIG. 47 shows the information flow between the logical client and the data grid. FIG. 48 is a diagram showing the flow of physical information in the example shown in FIG. 47, and FIG. 49 is a diagram in which generation is made completely symmetric in decomposition and recombination. FIG. 50 is a diagram showing the concept when all data elements can be accessed and reconfigured (complete object + all data access right setting). FIG. 50 shows the access management information mentioned above as a reconfiguration rule. FIG. 51 is a diagram showing the concept of creating a reconfiguration rule in which a reference is constrained at the time of generating a reconfiguration rule (reconfiguration rule setting with access restriction). FIG. It is a figure which shows the specific example of a reconstruction rule setting.

Embodiments of a secure network database system and an information exchange method according to the present invention will be described below in detail with reference to the drawings. The present invention is not limited to the embodiments.
Hereinafter, the basic principle of the system will be described, and then the outline of the system, the configuration and processing of the system, and the like will be described in detail.
(1. Basic principle of the present invention)
(1-1) Decomposition based on the meaning of information
In general, information processed in an information processing system such as a computer is composed of a set of subelements constituting the information. For example, in the case of company performance information, “company information” representing the company such as “company name”, “company code”, “location”, “president name”, “last year sales performance”, “scheduled sales this year”, etc. It can be divided into “performance information” related to sales and performance. These are centralized information that represents the performance of a specific company.
If the above information is divided into two parts, “Company Information” and “Performance Information”, even if both information is obtained illegally, the performance of a specific company will not be disclosed unless the correspondence between the two is disclosed. It cannot be recovered and obtained. Further, it is possible to use a quantitative division for collecting 1000 pieces of data together.
FIG. 2 is a diagram showing an example in which the left overall information is divided into two pieces of right partial information in the case of XML information. In the example shown in FIG. 2, the XML element names are replaced with meaningless numerical values and characters in order to further increase the sensitivity (“aliasing” described later corresponds).
(1-2) Split transmission and split storage of information
The problem with current security is that it relies entirely on encryption technology to achieve the required security. The present invention pays attention to the above-mentioned problem because all information is transmitted and stored centrally, and as shown in FIG. The area where there is an information user is separated from the outside, and the whole information is distributed in a plurality so that it does not exist uniformly outside the space of the legitimate user.
Here, FIG. 3 is a diagram showing the concept of divided transmission and divided storage of information according to the present invention. This makes it difficult for non-authorized users to restore the entire information. In this way, advanced information security protection means can be realized in combination with simple existing encryption means.
(1-3) Integration of split messaging and split storage
The present invention is based on the principle of generating a plurality of pieces of partial information by finding a division point that makes restoration as difficult as possible based on the semantic content of the entire information as described above ("confidential coupling degree" described later). Division by is supported.)
FIG. 4 is a diagram for explaining an example of a concept of security protection by divided transmission and divided storage according to the present invention. As shown in FIG. 4, the partial information obtained by disassembling the whole information is separately transmitted separately while being divided using an individual transmission method, for example, HTTP, SMTP, FTP, or the like.
Information is stored in a physically independent medium and location for each piece of partial information. The plurality of storage devices may be arranged in the same LAN or on the Internet or an IP network.
As a result, even if a person other than the information owner succeeds in invading the information storage location and obtains the information, only the partial information stored there can be accessed. In addition, even if the person concerned at the information storage location takes an internal crime, the impact can be limited to a partial one.
(1-4) Decentralized storage configuration
Here, conventional database systems have generally been stored, managed, and used in one place. Such centralized databases have been used extensively for reasons such as management, ease of use, and economies of scale.
FIG. 5 is a diagram showing the concept of a conventional database system. As shown in Fig. 5, all information is disclosed when the confidentiality is broken, all systems are stopped when a failure occurs, etc. Centralized from the viewpoint of data confidentiality protection and the impact level at the time of failure The situation is that we have to review our system.
The amount of information that companies and organizations must store has been rapidly increasing. Moreover, if such information is leaked, there is a danger that it may reach a big social problem. Under such circumstances, the emergence of cheap and absolutely confidential means to protect a large amount of data is eagerly desired.
FIG. 6 is a diagram showing an example of a database system having a decentralized storage configuration according to the present invention. In contrast to a conventional centralized database, the present invention does not allow a complete copy of the data itself to exist either on the database or on the network, as shown in FIG. The basic philosophy is to collect necessary partial information from a plurality of databases holding partial information distributed in a distributed manner and dynamically reconfigure the entire information.
Therefore, the database takes a form in which a plurality of small-scale data holding partial information exist on the net, and each of them operates independently and independently. Such a concept is referred to as a “data grid” in the present invention.
However, overall consistency, optimization, and failure recovery are harmonized by mutual communication between data grids based on grid computing technology.
In this way, in this technology, storage is not stored in a large-scale data server concentrated in one place, but relatively small-scale data servers are installed in a plurality of physically independent locations, and they are placed in IP, etc. It takes a distributed form of connection using the communication means.
Such a decentralized configuration can prevent a single failure from becoming a total failure of the application system. Also, it is desirable that the data servers are distributed and arranged in as many locations as possible in order to withstand the occurrence of a large-scale disaster. In addition, the database can have more excellent fault tolerance due to the redundant configuration and distributed arrangement of the database.
(2. Concept of overall configuration of the present invention)
For the transmission, communication in which data is packetized at the application level based on tunneling by HTTP or the like can be implemented.
(2-1) Data grid and relay
In the present invention, a “virtual storage space” is provided on a network such as the Internet or a LAN, and a plurality of data grids for holding partial information are present therein. Here, FIG. 7 is a diagram showing the concept of the data grid and relay according to the present invention. Each data grid is implemented as an independent node protected by Firewall using existing peer technology.
For example, the transmission path that connects each node and the user's space is the packetized data described above and is transmitted via a relay. This relay is also an independent node protected by a firewall.
In addition, a system that combines transmission using a relay and storage of information in order to select the fastest transmission path and automatically form a detour when a failure occurs may be used.
(2-2) Relay and split transmission
Place as many relays on different backbones as possible to minimize the impact of a failure. Realize safe and reliable transmission of information using a controllable network virtually formed on the Internet by relay.
FIG. 8 is a diagram showing an example of dividing into two pieces of partial information and transmitting each via two different relay servers. By securing two routes indicated by a straight line and a broken line using the configuration as shown in FIG. 8, the route is surely divided even when using a communication means such as the Internet where the user cannot explicitly select the route through which the user passes. Information can be transmitted from another route.
(2-3) Relay and proxy transfer
In addition, this configuration can be used as a detour when communication is interrupted, and high reliability can be realized.
FIG. 9 is a diagram showing an example of extracting information from the database. In FIG. 9, if any failure occurs in one (route indicated by a broken line) while transmitting the division information via two relays, the transmission is switched to the other transmission path (route indicated by a solid line). Shows that complete data can be sent.
When there are a large number of relays, it is possible to perform proxy transfer by selecting the fastest relay.
(3) End user function of the present invention
The following is an overview of the functions that should be provided to users. FIG. 10 is a diagram showing an outline of the end user function of the present invention. As shown in FIG. 10, in all end user functions on the user application side, it is indispensable to have a function of decomposing whole information into a plurality of pieces of partial information and a reconfiguring function from a plurality of pieces of partial information into whole information.
(3-1) File system interface
The above-mentioned highly secure transmission and data storage functions must be provided to ordinary personal computer users. Therefore, a connection between this distributed transmission method and distributed storage is prepared to extend an interface that can be directly accessed from a file system such as Windows or Linux.
FIG. 11 is a diagram showing an outline of the file system interface. With the interface shown in FIG. 11, the user can use the same usage and GUI regardless of whether the file exists on the local disk on the computer or the data on the distributed file.
(3-2) SQL interface
It is an interface for applications using a relational database, and applications can access a distributed database using the same SQL, OBDC, or JDBC interface as other local files.
FIG. 12 is a diagram showing an outline of the SQL interface. The SQL interface shown in FIG. 12 makes it possible for applications to use virtual storage on the network without being aware of it.
(3-3) XML interface
An application using XML can store and retrieve data on a distributed database while using a normal DOM interface.
FIG. 13 is a diagram showing an outline of the XML interface. The XML interface shown in FIG. 13 makes it possible for applications to use virtual storage on the network without being aware of it.
(4) Data grid group concept
Individual data grids are used to hold partial information. At that time, it is possible to exclusively occupy a specific user, a specific file, or a database, but generally it is shared for efficient use of resources.
FIG. 14 is a diagram showing the correspondence between the concept of the hierarchical grid group of the present invention and the concept in a general computer system. In FIG. 14, the left side shows commonly used terms and concepts, and the right side shows terms and concepts in this divided storage. These correspondences are not necessarily fixed, but are dynamically configured depending on the contents. Accordingly, the interrelationship between the groups on the right side in FIG. 14 is not fixed and may be dynamically reconfigured in response to a request such as a search.
In general, in peer technology, peers to other peers maintain a list of neighboring peers and follow it to move between grids in a chain. In addition to this, the system realizes the following semantic dependency discovery and traversal.
In addition, each grid can belong to a plurality of groups, and where it belongs is dynamically changed depending on the type and contents of data held therein.
(4-1) Leader grid and grid group
The “grid group” is conceptually a kind of grouping based on the inclusion relation as described above, but the actual configuration has a tree structure as shown in FIG.
Here, FIG. 15 is a diagram showing the concept of a tree structure grid group. In a database distributed on this network, it is difficult to have a structured access path like a hard disk. Therefore, the data grid brute force search is required for search and update as it is. A node profile is introduced in order to complete this round-robin as much as possible and increase the processing speed. “Leader grid” is a general term for grids having child grids such as the d and c data grids in FIG.
Each node in FIG. 15 represents a data grid, and the rightmost a and b data grids have “profiles” extracted from the data in their own data grid. In this profile, information such as the element name and value range held is recorded. The c node that is the parent of the a and b data grids has a profile that integrates the profiles of the child a and b nodes simultaneously with the profile of the own grid.
If there is an element X in the profile of the a node and an element Y is written in the profile of the b node, the profile of c is the sum of X, Y and the profile of the data held by itself. If it is Z, it becomes X, Y, Z.
In this state, when a search request is sent from the d node, the element name referred to in the search expression is collated with the profile of the c node, and if the referenced element name is in the profile, the c data The actual search of the grid is performed, and if there is relevant data, the result is returned to the requester. At the same time, profile matching for the a node and the b node is performed, and only the necessary child data grid is called. Assuming that the search expression refers to X and Z, after execution of the c node, only the a node is called, and the b node is not called. The search or update is completed when the rightmost data grid processing ends.
FIG. 16 is a diagram showing a list of examples of search expressions and responses to member data grid values, their node profiles (node profiles), and their data grids.
Moreover, FIG. 17 is a figure which shows an example of the node profile by the leader grid of this invention. Here, FIG. 17 shows the case where the information on the business performance of the company described above is divided into two. One group holds “XX” meaning the company name and “YY” meaning the location. Indicates that The other group indicates that “ZZ” representing the amount of loss is held. In the expression in the node profile, a position qualifier and a value qualifier that limit values and repetition can be described. If necessary, the data grid itself within the group member may be a leader grid.
(4-2) Data update and grid group management
The data grid in the group updates the stored information in response to the update request. At the same time, consistency with the node profile held by the leader grid must be maintained. This maintenance of consistency is dynamic and includes moving the data grid to another group.
FIG. 18 is a diagram showing a data grid update procedure according to the present invention. As shown in FIG. 18, the procedure for updating the data grid is as follows.
Processing is performed in response to a request for updating or the like from the client (step SA-1). A request is issued to the grid reader to update the value of the node profile (step SA-2). In some cases, the leader grid negotiates with another leader grid and changes the group to which the data grid belongs (step SA-3). Then, the value of the destination node profile is updated (step SA-4).
This node profile is cached in a plurality of data grids in the group, and when a failure occurs in the leader grid, another grid can act as a leader.
(4-3) Finding and searching for the grid
FIG. 19 is a diagram showing a concept when a corresponding grid is found and searched according to the present invention. The connector on the client side expresses the request in XML and broadcasts (transmits) it to all reader grids (step SB-1). The leader grid that has received the request compares it with its own node profile (step SB-2), determines whether the request is irrelevant to its member grid, and does nothing if it is irrelevant. On the other hand, if it is related, it processes its own database and simultaneously forwards the same request to the data grid of the first member (step SB-3). Similarly, the data grid that has received the request performs only forward to the adjacent data grid if it is not related to the contents of the data grid, and performs processing if the data to be held is a processing target. The result is transmitted to the client (step SB-4), and the request is further forwarded to another data grid. This is done by all data grids in the group.
In addition, the corresponding leader grid communicates with each other or issues a unique ID for each request and incorporates it in a reply message to maintain the correspondence of multiple answers to a single inquiry, and the final result Is synthesized. FIG. 19 shows a case where “Return Num” is used as a unique ID.
(4-4) Data grid structure
FIG. 20 is a diagram showing an example of the structure of a data grid according to the present invention. The data grid is installed in a segment that is blocked from the outside by a firewall. Also, it is configured as a servant in the peer technology. By doing so, there is an advantage that it is difficult to receive a direct attack from the Internet or the like because communication is possible via a relay without having a global IP. In addition, since a data grid can be installed in a segment using a NAT or a proxy server, there is an advantage that options for the installation location are expanded.
(5) Optimization
The system may become less efficient if it is used for many updates and continues to be used. In such a case, dynamic reconfiguration is possible so that high efficiency and response can always be maintained.
(5-1) Optimal placement of data storage
When a large amount of data is deleted and the amount of data held by each data grid decreases, the administrator function is used to integrate a plurality of data grids and reduce the entire data grid. As a result, optimization of data space, improvement of search speed, etc. are realized.
(5-2) Data storage dynamic reconfiguration
When a large deviation occurs in the number of data grids belonging to the grid group, the data size to be held, etc., the entire reconfiguration is performed by the administrator function so that an averaged service can be provided.
(6) Access control
Data that can be accessed is specified according to the access authority set for each user, and usage is restricted. In this system, access rights can be set for each element as required.
(6-1) Redundant arrangement, failure recovery
Multiple data grids can be used to increase fault tolerance. Further, when the failure is recovered, the system access restriction is automatically resolved, and the application processing can be continued.
(6-2) Simultaneous access control and consistency control
The data grid and the lead grid are controlled so as not to generate updates or multiple updates that cannot maintain consistency while communicating with each other.
(7) Authentication and encrypted communication between data grid and user
According to this method, since the entire information does not exist in the public area, it is safer than the conventional security protection. That doesn't mean that security measures such as encryption are unnecessary. Realize complex high-level security by utilizing each feature synergistically. It is realized by combining conventional transmission with split transmission, split storage technology for electronic data, and peer technology.
A case will be described in detail as an example in which fusion with PKI (public key method), which is currently recognized as having the greatest track record in security protection including authentication, is performed.
FIG. 21 is a diagram showing a concept of a method for merging Peer technology and PKI technology according to the present invention. Authentication, encryption, and decryption procedures will be described separately for both the writing and reading functions for each information ownership type.
First, the data owner writes data (step SC-1). Here, FIG. 22 is a flowchart showing an example of processing when the data owner writes data according to the present invention. As shown in FIG. 22, first, partial information is generated by the decomposition and synthesis rules (step SD-1). Then, the division information is encrypted with a private key (step SD-2). Then, the data grid and the user node authenticate with SSL (step SD-3). Then, the data is stored in the database while being encrypted with PKI (step SD-4).
Returning again to FIG. 21, the data owner reads the data (step SC-2). Here, FIG. 23 is a flowchart showing an example of processing when the data owner according to the present invention reads data. As shown in FIG. 23, first, the data grid and the user node authenticate by SSL (step SE-1). Then, the data encrypted with PKI is read from the database (step SE-2). Then, the division information is decrypted with the private key (step SE-3). Then, the entire information is restored by applying the decomposition and synthesis rules (step SE-4).
Returning again to FIG. 21, the data user reads the data (step SC-3). Here, FIG. 24 is a flowchart showing an example of processing when a data user according to the present invention reads data. As shown in FIG. 24, first, the data grid and the user node authenticate by SSL (step SF-1). Then, after the data owner authenticates the user, the owner sends the public key directly to the user (step SF-2). Then, the data encrypted with PKI is read from the database (step SF-3). Then, the division information is decrypted with the data owner's public key (step SF-4). Then, the entire information is restored by applying the decomposition and synthesis rules (step SF-5).
(8) Management function
Collects usage information and resource usage information over the entire communication function and database function, and has a function to control as necessary. A server is used for this implementation.
In addition, the entire log is collected to prepare for the occurrence of a failure.
(9) Summary of basic principles of the present invention
In the present invention, data is divided based on the semantics. The division method is determined by a combination of data elements (for example, confidentiality degree).
In the present invention, transmission / reception is performed using physically independent means for each divided stream. And the safe communication and preservation | save technique of the information by the combination of a secret technique which does not depend only on an encryption algorithm is provided. Therefore, in the present invention, the data is stored in a physically separated and independent place for each decomposed stream. Therefore, as many storage locations as the number of divisions are required for the original data 1. The present invention realizes network-based data storage in which a plurality of storage locations are connected on the network.
Each data grid can be virtually integrated using grid computing or edge computing technology.
According to the present invention, there is no complete copy of the original data in any of the communication and data storage locations on the network, and the range of information leakage can be limited even if a human intentional criminal act is performed.
In addition, the storage scale-up can be started from a small data storage (node) and is very scalable.
In addition, since data storage is not concentrated in one place and communication uses multiple means, even if a large-scale failure such as a disaster occurs, the effect is not spread to the whole. Can do.
In addition, it is possible to provide a safe and inexpensive storage using a cheap communication means using an inexpensive IP network or the Internet.
In addition, by operating a plurality of data grids, which are distributed resources, in parallel, it is possible to realize a function for mass storage and use of information that is highly economical and extremely safe.
In addition, the data grid can be easily duplicated, and the redundant configuration including the communication path is easy, so that it is easy to meet individual usage needs.
It is particularly suitable for applications such as governments and local governments where large-scale information that requires confidentiality needs to be stored for a long period of time and is quickly retrieved when necessary. Similarly, it benefits all companies, including financial institutions and insurance companies.
(Overview of secure network database system)
The outline of the secure network database system (hereinafter sometimes simply referred to as “this system”) will be described below, and then the configuration and processing of this system will be described in detail. FIG. 25 is a block diagram showing an example of the overall configuration of the system, and FIG. 26 is a conceptual diagram showing an overview of the system, and only the portions of the system configuration related to the present invention are conceptually shown. Is shown.
As shown in FIG. 25, in this system, each information communication terminal 100, each relay information communication terminal 150, and each data grid information communication terminal 170 are connected via a network 300 so that they can communicate with each other. It is configured. Here, the information communication terminals 100, 150, and 170 are known personal computers, workstations, home game devices, Internet TV, PHS terminals, portable terminals, mobile communication terminals, information processing terminals such as PDAs, and the like. Peripheral devices such as printers, monitors, and image scanners are connected to the device as necessary, and the information processing device includes software (including programs, data, etc.) that implements a web information browsing function, an e-mail function, and each function described later. ) May be implemented.
This system generally has the following basic features: That is, information is provided from the information communication terminal 100 to other information communication terminals 100 via the network 300.
Among these, information is described by XML as an example, and includes metadata such as tags defined by DTD (document type definition). These pieces of information are generated by the information communication terminal 100 and stored in the data grid information communication terminal 170 via the relay information communication terminal 150.
As shown in FIG. 26, in this system, information is decomposed in the information communication terminal 100 on the transmission side by the disassembly rules and the reconfiguration rules set by the information communication terminal 100 on the transmission side, and the information communication terminal 150 for relay Each piece of information divided into a database managed by the data grid information communication terminal 170 under control is stored separately. The information communication terminal 100 on the receiving side (here, the information communication terminal 100 on the reception side may be the same as the information communication terminal 100 on the transmission side. The same applies hereinafter) is divided. Information is read out from the database managed by each data grid information communication terminal 170 and reconfigured. As a result, it can be easily introduced without affecting existing systems and applications, and high safety can be obtained.
Below, the concept is demonstrated about the setting of the decomposition | disassembly rule and reconfiguration | reconstruction rule in the information communication terminal 100 of this system.
(1) Degree of confidentiality
First, we introduce the concept of “confidentiality”.
As described above, the information created by XML has an element defined in DTD as a basic unit. As described above, the name, contents, attributes, etc. of each element are defined in DTD.
Here, the level of confidentiality expected by the user often differs depending on the combination of elements constituting the exchange information. For example, among company information, the company name and the president name are public information, and therefore, information combining the elements has a low confidentiality level (because it is merely a combination of public information). In addition, if only the information about non-public elements such as the loss amount is exchanged, the actual loss is small because it is not possible to identify the company's loss amount even if it is leaked.
However, in the case where a private element and a public element are combined, there is a strong possibility that a private element will be specified in detail based on public information if the content is leaked.
Therefore, in this system, by defining a “secret combination degree” for each combination of specific elements, the combination of elements is checked from the viewpoint of the confidential level.
That is, this system designates the degree of confidentiality when each element defined in the DTD is combined with another element based on the name, content, attribute, etc. of the element. “Confidential coupling degree” is a value indicating whether or not the confidentiality of information is increased by combining a plurality of elements. For example, a higher numerical value is set as the confidentiality increases. . For example, the name, content, attribute, etc. of each element may be displayed on the monitor, and the user may be allowed to specify the confidentiality degree for each combination of the elements displayed, and the information communication terminal 100 may specify the name of each element. The degree of confidentiality may be automatically specified based on information such as contents and attributes.
Here, an example will be described in which the information communication terminal 100 automatically designates the confidentiality degree based on information such as the name, content, and attribute of each element. Information regarding whether or not the element content is public information (hereinafter referred to as “public attribute”) is defined in the DTD as an essential attribute for each element. Then, the information communication terminal 100 determines the public attribute of each element and automatically sets the confidentiality degree of the element that becomes public information and the element that becomes private information high.
Note that the degree of confidentiality is not limited to the relationship between two elements. For example, when the confidentiality becomes high only when three or more elements are combined, the combination of three or more elements is sufficient. Set the density higher.
FIG. 30 is a conceptual diagram showing an example of the definition of the confidentiality degree in this system.
In this figure, the original XML information 601 includes a company name, a president name, and a deficit for this season as elements. Here, the user and the like define that the company name and the president's name are publicly announced and the confidentiality degree is low. On the other hand, since the loss amount of a company is highly confidential, the combination of the company name and the loss amount of the company is defined as having a high degree of confidentiality.
Temporarily, a division rule that divides these three elements according to the level of confidentiality coupling is generated, and based on this division rule, information 602 including a combination of a company name and a president name, information 603 of a deficit amount, When divided into two, the degree of confidential coupling between the two decreases. That is, the information divided into two is loosely coupled unless the correspondence between the two becomes clear, and the confidential coupling degree as a whole is low.
This system uses the ease of disassembling and reconfiguring XML data to lower the confidentiality of XML data and increase confidentiality. Here, the XML data divided for the purpose of reducing the degree of coupling is referred to as “loosely coupled XML data”. In addition, the coupling rule 604 (that is, a conversion rule between loosely coupled XML and tightly coupled XML, which is a disassembly rule and a reconfiguration rule described later) is recorded in a repository, a DTD file, or another file. By exchanging with each other, the parties can reconstruct and confirm the information.
(2) Multi-routing of loosely coupled XML data
As described above, a plurality of loosely-coupled XML data generated by reducing the degree of confidential coupling conceal the correspondence between the two by exchanging information using different communication paths. Protection can be made more complete. Thus, in this system, security is enhanced by multi-routing the generated loosely coupled XML data using another communication path. Here, the number of routings is variable.
FIG. 31 is a conceptual diagram showing an outline of multi-routing of loosely coupled XML data according to the present invention.
As shown in the figure, the original XML data is decomposed into a plurality of loosely coupled XMLs (step S703) according to the rules generated from the DTD and the confidential coupling degree designated by the user (step S701). The data is transmitted to the data grid through a plurality of transmission paths, and the receiving side similarly reads each loosely coupled XML through the plurality of transmission paths (step S704).
The receiving side reconfigures the loosely coupled XML data received from the plurality of transmission paths based on the separately sent rules (step S702), and obtains the same XML data as the original XML (step S705).
(3) Aliasing of element names
As described above, XML has a high level of structural expression and clear content expression. Although it is XML having such excellent properties, if it is leaked, the analysis of the information content becomes much easier than other expression means. In particular, since the element name often directly indicates the content of the element in operation, the element content can be easily estimated from the element name.
Therefore, in this system, the element name is aliased. This aliasing function is to generate an XML having a different name and structure from the original XML. This function makes it difficult to estimate the original information.
FIG. 32 is a conceptual diagram showing an outline of aliasing of element names according to the present invention.
As described above, when the loosely coupled XML data (801 and 802) and the coupling rule 803 are generated from the tightly coupled XML data, the element names are aliased. “Aliasing” means replacing an element name with a corresponding alias based on a naming rule.
For example, as shown in this figure, naming is based on a correspondence table in which “Company Name” is replaced with “AAA”, “President Name” is replaced with “BBB”, and “Deficit for the Season” is replaced with “XYZ”. Rules are set, aliased XML (hereinafter referred to as “alias XML”) 804 and 805 are created, and a combination rule and a naming rule are managed as a set of information 806.
Here, the naming rule may be based on conversion using the above-described correspondence table, or may be based on conversion using a mathematical algorithm such as a hash function.
(System configuration)
Hereinafter, the configuration of the present system for realizing such basic features will be described.
(System configuration-information communication terminals 100, 150, 170)
First, the configuration of the information communication terminal 100 will be described. Since the information communication terminal for relay 150 and the information communication terminal for data grid 170 can be configured in the same manner, the information communication terminal 100 will be described here. FIG. 27 is a block diagram showing an example of the configuration of the information communication terminal 100 to which the present invention is applied, and conceptually shows only the portion related to the present invention in the configuration. In FIG. 27, the information communication terminal 100 is schematically a communication device (not shown) such as a control unit 102 such as a CPU that controls the entire information communication terminal 100 overall, a router connected to a communication line, and the like. A communication control interface unit 104 connected to the input / output device, an input / output control interface unit 108 connected to an input / output device (not shown), and a storage unit 106 for storing various data. Are communicably connected via an arbitrary communication path. Further, the information communication terminal 100 is communicably connected to the network 300 via a communication device such as a router and a wired or wireless communication line such as a dedicated line.
The storage unit 106 is a storage unit such as a fixed disk device, and stores various programs, tables, files, databases, web page files, and the like used for various processes and website provision. The storage unit 106 of the information communication terminal 100 stores, for example, various kinds of rule information such as DTD and XML data, a schema repository, a join rule, and a naming rule.
In FIG. 27, the communication control interface unit 104 performs communication control between the information communication terminal 100 and the network 300 (or a communication device such as a router). That is, the communication control interface unit 104 has a function of communicating data with other terminals via a communication line.
In FIG. 27, the input / output control interface unit 108 controls the input device and the output device. Here, as an output device, a speaker can be used in addition to a monitor (including a home television) (hereinafter, the output device is described as a monitor). As the input device, a keyboard, a mouse, a microphone, or the like can be used. The monitor also realizes a pointing device function in cooperation with the mouse.
In FIG. 27, the control unit 102 has a control program such as an OS (Operating System), a program defining various processing procedures, and an internal memory for storing necessary data. Thus, information processing for executing various processes is performed.
(System configuration-software configuration of information communication terminal 100)
Next, the software configuration of the information communication terminal 100 configured as described above will be described with reference to FIG. FIG. 28 is a block diagram showing an example of a software configuration executed in 102 of the information communication terminal 100 to which the present invention is applied, and conceptually shows only a part related to the present invention in the configuration. . In FIG. 28, the control unit 102 of the information communication terminal 100 schematically includes a setting module 102a, an execution module 102b, and XML middleware 102c.
In FIG. 28, the setting module 102a has a function of setting rules such as the above-described combination rules and naming rules, and includes a DTD repository, rule builder, and rule setting processing unit, which will be described below. Is done.
(1) DTD liposome
The DTD repository is a storage unit for metadata of XML data. Here, assuming a use environment that handles a plurality of XML business data, a mechanism for systematically managing and using DTDs is required. The DTD repository is a tool for jointly using a large amount of DTD on a network, and manages DTD and schema. The DTD repository is generally configured by software having an information input / output interface function and a storage area management function.
(2) Rule Builder
As described above, the data user determines the data content and the level of secrecy and designates it as the degree of secrecy coupling. The rule builder automatically generates various rules such as a combination rule and a naming rule while referring to the contents designated by the user and the DTD.
(3) Rule setting processing unit
The rule setting processing unit displays a rule setting screen on the monitor (for example, a screen including a display area for the name, content, attribute, etc. of each element and an input area for the confidentiality degree of each element). Performs processing for setting various rules via the input device.
In FIG. 28, the execution module 102b has a function to execute processing on the information received from the XML middleware 102c in accordance with various rules set by the setting module 102a. And an IP allocator, an IP / port manager, a server, a constructor, and an input / output connector.
(1) Parser
The parser has a function of performing syntax analysis in accordance with the W3C XML standard, creating a token, and delivering it to the divider. That is, a parser is a software program that interprets text, determines its logical meaning, and creates a programming data structure that represents the meaning. The system may be a tree-based parser or an event-based parser.
Further, at the time of reception, it has a function of converting the aliased element name to the original element name based on the naming rule.
(2) Divider
The divider has a function of dividing the XML data in accordance with the rules generated by the setting module. Also, at the time of transmission, it has a function of aliasing element names.
(3) IP allocator
The IP allocator has a function of assigning or releasing IP according to the number of divisions.
(4) IP / Port Manager
Since the IP / port manager needs to dynamically allocate resources when using a plurality of IPs and ports, it has a function of monitoring and managing these resources.
(5) Server
The server has a server function corresponding to a service protocol such as Web, Ftp, and smtp.
(6) Constructor
The constructor has a function of receiving a token generated by the parser and reconstructing XML data in accordance with a reconfiguration rule.
(7) I / O connector
The input / output connector has a function of communicating with an application system outside the execution module.
In FIG. 28, XML middleware 102c is middleware for processing XML data and has a function of passing XML data serving as exchange information from the application program executed by the user to the execution module 102b. The execution module 102b has a function of passing XML data received from another information communication terminal 100 to the application program.
(Information flow in the information communication terminal 100)
The flow of information in the information communication terminal 100 configured as described above will be described with reference to FIGS. 29, 33, and 34. FIG.
FIG. 29 is a conceptual diagram illustrating an outline of the flow of information in the information communication terminal 100. Hereinafter, the information flow of the information communication terminal 100 on the transmission side and the information flow of the information communication terminal 100 on the reception side will be described separately.
(1) Information communication terminal 100 on transmission side
First, as a premise, the setting module 102a generates various rules used for generating loosely coupled XML. Here, FIG. 34 is a conceptual diagram showing an outline of generation of various rules used for generation of loosely coupled XML in the setting module 102a.
For example, a case where an XML document related to company information is processed will be described as an example. The rule setting processing unit creates a rule setting screen by referring to the DTD for company information from the DTD repository, and each element by the data owner Lets you specify the degree of confidential coupling. The rule builder automatically generates a combination rule and a naming rule (1001 and 1002) based on the specified content made by the data owner. The created various rules are transmitted to the information communication terminal 100 on the receiving side.
Next, as shown in FIG. 29, the original XML data created by the user application is transmitted to the input / output connector of the execution module 102b via the XML middleware 102c (step S501).
The input / output connector transmits the original XML data to the parser (step S502).
Next, the parser parses the original XML data, generates a token, and transmits it to the divider (step S503).
Next, the divider divides the XML data according to the rules generated by the setting module 102a, performs aliasing of the element names as described above, and creates loosely coupled XML data.
Here, FIG. 33 is a conceptual diagram showing an example of element name aliasing and creation of loosely coupled XML data executed by the divider. In this example, the original XML 901 is loosely coupled to generate two XML data 902 and 903. At the same time, another element name is set according to the naming rule. It is extremely difficult for a third party to create original XML from such loosely coupled XML.
Returning to FIG. 29 again, the divider performs IP allocation based on the control of the IP allocator, and also allocates resources under the control of the IP / port manager. Then, in order to execute the multi-routing described above, loosely coupled XML data is transmitted to a plurality of IP allocators (step S504).
Next, each IP allocator requests the server to transmit loosely coupled XML data to the information communication terminal 100 on the receiving side using another communication path (step S505).
The server transmits each loosely coupled XML data to the data grid information communication apparatus using each communication path (step S506).
(2) Information communication terminal 100 on the receiving side
When the server receives each loosely coupled XML from the data grid information communication apparatus via the network 300 (step S507), the server transmits the loosely coupled XML to the parser (step S508).
Next, the parser restores the aliased element name based on the DTD file received from the transmitting information communication terminal 100 and various rules, and then performs syntax analysis of loosely coupled XML to generate a token. To the constructor (step S509).
Next, the constructor reconstructs the original XML from the loosely coupled XML based on the coupling rule, and transmits it to the input / output connector (step S510).
Next, when the input / output connector transmits the reconfigured XML data to the XML middleware 102c, the XML middleware 102c transmits the XML data to the user application (step S511).
(System configuration-network 300)
Next, the configuration of the network 300 in FIG. 25 will be described. The network 300 has a function of connecting the information communication terminals 100 to each other, such as the Internet.
(Embodiment using recombination information)
If you want to use the Internet for card payments or Internet debit payments, you must enter your card number, account number, password, and transaction amount from the screen. At that time, many people feel anxious about the flow of confidential information on the Internet. In order to handle such highly confidential information on the Internet, which is an open environment and filled with miscellaneous information with different purposes, contents, and qualities, it is necessary to remove such anxiety on the part of the user and to use electronic information with peace of mind. An environment in which business transactions can be conducted must be improved.
Currently, the most popular encryption method on the Internet, such as SSL (Secure Socket Layer), discloses all confidential information such as IDs and passwords to the cracker if it is broken by the cracker. Result.
Therefore, by dividing and transmitting such sensitive information according to the confidentiality degree of the present invention, even if any partial information is disclosed, information such as other account information is prevented from being completely reproduced. In addition, it is extremely important to prevent unauthorized third parties from entering and executing settlement.
Here, since information such as business transactions described in XML data has a large number of elements and a complicated structure, when recombining loosely divided information divided into a plurality of pieces on the receiving side, In general, information (recombination information) for mutual association exists.
For example, in the case of ordering data, common information such as a company code can be used as recombination information.
On the other hand, information for sending and receiving IDs and passwords generally has two or three elements, and the structure is also very simple. For recombination, the information is divided and sent from multiple routes. However, if they are combined in the order of arrival, the original information can be easily estimated, and safe recombination on the receiving side cannot be expected.
Therefore, in the present embodiment, in the original XML data, a common element or attribute used for recombination in the receiving information communication terminal 100 is generated as recombination information in the transmitting information communication terminal 100, By adding the recombination information to the original XML data, the correspondence of each loosely coupled XML data is maintained.
Here, FIG. 35 is a conceptual diagram showing an example when information is decomposed and reconstructed using recombination information. In the figure, the recombination information added to the information (original XML) transmitted / received between the information communication terminals is displayed in white squares. The recombination information is information that does not exist in the original XML data that is the original information, and in order to find a correct combination partner when reconstructing the original XML from a plurality of loosely coupled XMLs on the receiving side, Created and added to the original XML.
Here, the recombination information is preferably a random number or the like in order to make estimation of the original information as difficult as possible.
Hereinafter, an example of the case where the information is decomposed and reconstructed using the recombination information will be described in detail with reference to FIGS. 36 to 43. In the present embodiment, an example of using card data as original XML information is shown.
(1) Original XML information (card information)
FIG. 36 is a diagram showing an example of original XML information storing card information. As shown in the figure, the original XML information is composed of a card number, a password, and an expiration date.
(2) Disassembly / reconstruction rules
FIG. 37 is a diagram showing an example of the decomposition / reconfiguration rule in the present embodiment. In this figure, @random is a random number generation function, and @timeday is a function for acquiring the current time. The decomposition / reconstruction rule in the present embodiment generates a unique random number with the current time as a seed by using these two functions, and stores the value in a variable @num.
In this figure, instructions for recombination of loosely coupled XML data at the time of reconfiguration are as follows:
binding = “abc / zzzz: xyz / hed: mix / ifs”
It is prescribed by.
In other words, this figure shows that three elements are recombination mediation keys (recombination information). Specifically, in loosely coupled XML <abc>, the element <zzz> is a mediation key. (Recombination information), and in the next loosely coupled XML <xyz>, the element <hed> is an intermediate key (recombination information), and in the next loosely coupled XML <mix>, the element <Ifs> indicates an intermediate key (recombination information).
In FIG. 37, the underlined word is a reserved word, and its meaning and notation are determined in advance in this system.
Also, in FIG. 37, execution or substitution of a function (word with @) is executed by the information communication terminal 100 on the transmission side, and its value is determined. Then, after the determined value is embedded in the original XML data, it is divided into loosely coupled XML data using the above-described dividing method, and the loosely coupled XML data is transmitted to the receiving side. In the information communication terminal 100 on the receiving side, this disassembly / reconfiguration rule is referred to in order to know which recombination information is a key element that mediates the combination, and has been aliased. It is used for reverse conversion of element names and does not execute functions.
(3) Loosely coupled XML data
FIG. 38 is a diagram showing an example of loosely coupled XML data decomposed according to the decomposition / reconstruction rule of the present embodiment. This figure shows loosely coupled XML data generated when the mediating key (recombination information) is “gj56a02j”.
In the information communication terminal 100 on the receiving side, the XML data is reconstructed by using the intermediate key (recombination information) indicated by binding of the disassembly / reconstruction rule based on the three loosely coupled XMLs.
(4) Reconstruction of original XML data on the receiving side
The information communication terminal 100 on the receiving side must accept a plurality of loosely coupled XML data at the same time. Since loosely coupled XML data is sent asynchronously, a plurality of loosely coupled XML data are pooled on the memory of the information communication terminal 100 on the receiving side and reconfigured.
Here, FIG. 39 is a diagram showing an example of information pooled on the memory of the information communication terminal 100 on the receiving side in the present embodiment. As shown in the figure, the information pooled in the reconfiguration buffer pool is information obtained by adding a binding element to the original XML information.
Using this area, reconfiguration is performed according to the following procedure.
First, FIG. 40 is a diagram showing an example of information stored in the buffer pool in the initial state in the present embodiment. As shown in FIG. 40, the buffer pool in the initial state is XML data in which all elements have null values.
Next, when loosely coupled XML data is received, a binding element having the same value as the binding key in the received loosely coupled XML data is searched from the XML data in the buffer pool. If found, the loosely coupled XML data is pooled. Set as the value of the corresponding element in.
For example, when loosely coupled XML data of the card number shown in FIG. 41 is received, as shown in FIG. 42, the card number “12346789799” is set in the corresponding card number element in the buffer pool.
Such reconstruction is similarly performed on the remaining two loosely coupled XML data.
Here, FIG. 43 is a diagram showing a result of receiving all loosely coupled XML data and setting the data in each element on the buffer pool.
Finally, only the my-card element excluding the intermediary key (recombination information) is extracted, and the original XML data, which is complete card information, is reproduced.
Here, in the system, when the three elements of the card information are not completed even after a certain period of time is monitored, the lacking portion of loosely coupled data may be retransmitted or re-inputted.
In the example shown in the present embodiment, the XML data in the source format has been described for convenience of explanation. However, all operations may be performed on the XML object (DOM).
(5) Access control
The access control selectively restricts reference and update to the data element for the user, and realizes a data use restriction function for the user. Accordingly, it is necessary to realize access control to data based on the authority set for each user.
As a general method for implementing access control, access management information in which an access right for each user is set on the transmission side is prepared using a GUI tool or the like. When executing access, access is permitted or denied while referring to the created table.
FIG. 44 is a conceptual diagram showing access management information used for access control of the present invention. As shown in FIG. 44, the access management information includes a user ID, an access permission element, a user authority, and the like.
Here, the concept of the access permission element of the access management information shown in FIG. 44 will be described with reference to FIG.
In the example shown in FIG. 45, there are two pieces of information (data A and data B), data A is composed of five elements (a1 to a5), and data B is composed of four elements. (B1 to b4).
In the access permission element of the access management information shown in FIG. 44, the user X is permitted to access four elements a1, a4, b1, and b4, and the user Y has a5, b2, and b3. Since access to the three elements is permitted, FIG. 45 conceptually shows the corresponding accessible elements for the users X and Y, respectively.
Next, the concept of the user authority of the access management information shown in FIG. 44 will be described with reference to FIG.
FIG. 46 shows, as an example of the user authority setting of the access management information in this system, the relationship between a user having administrator authority (user A) and a user having user authority (user B to user D). It represents.
A user with administrator authority (or a user with data owner authority) distributes the reconfiguration rules set in consideration of security requirements and storage allocation requirements to users with data user authority. Access requests for users with user rights are processed through the distributed reconstruction rules and can access the data entity only if permitted.
Administrator and user rights are as follows.
(A) Administrator authority
The entire structure of managed data can be understood and all data can be accessed. Also, disassembly rules and reconstruction rules can be set. In addition, a reconfiguration rule intended for access control can be set for each user. In addition, the set reconfiguration rule can be distributed to the corresponding user. In addition, for each data element, reference, update, and deletion authority can be given to the user or changed.
(B) User authority
Only allowed data can be accessed through the given reconstruction rules. The structure of accessible data can be rearranged (virtual data structure).
Next, FIG. 47 is a conceptual diagram showing the flow of information between the logical client and the data grid. As shown in FIG. 47, the data manager or the data owner creates the entire (complete) data, and decomposes it into a plurality of partial data by applying a preset disassembly rule. It is transmitted and stored in a data grid that is a plurality of storages. Conversely, in the use of data, data is sent out from the storage, and after reconfiguration, complete data is reproduced on the user side.
This logical information flow is actually constituted by the physical information flow shown in FIG. Until data is stored in a plurality of storages, the description is omitted because it is the same as described above.
As shown in FIG. 48, first, the data user (client) sends his request to the reconfiguration rule process. In addition to describing the data reconstruction method, the configuration rule includes all data element names accessible through the reconstruction rule as reference information (step H-1).
Next, an access request for partial data is sent to each data grid (step SH-2), and the corresponding partial data is sent out from a plurality of data grids and returned to the reconstruction rule process (step SH-3). .
Thereafter, the complete data is reproduced and returned to the user (step SH-4).
That is, it is through the contents of the reconstruction rule in step SH-1 that the access to the data grid is specifically requested, and conversely, elements that do not exist here can never be accessed. Furthermore, the user cannot know even the existence of elements not included in the reconstruction rule.
FIG. 49 shows the concept of the case where all data elements can be accessed and reconfigured (complete object + all data access right setting) in the case where generation is made completely symmetric in decomposition and recombination. FIG. This disassembly rule and reconfiguration rule are equivalent to no access control being set, and create a state where all elements can be accessed indefinitely.
Next, FIG. 50 shows a case where a reconfiguration rule in which a reference is constrained at the time of generating a reconfiguration rule is created by referring to the access management information mentioned above when generating the reconfiguration rule (reconfiguration with access restriction). It is a figure which shows the concept of a rule setting. This principle is realized by restricting element references appearing in the reconfiguration rule according to the contents of the access management information. By reflecting the access management information in the reconfiguration rule in this way, it is possible to exclude references to elements that are not permitted access from the reconfiguration rule. As a result, a robust access control function using the reconfiguration rule as an intermediary is realized.
Here, the reconfiguration rule is a set of meta information for generating a dynamic access path for actual data, and an access path cannot be created for a data element not included therein. Therefore, it is possible to realize a very strong access control function that could not be realized so far.
FIG. 51 is a diagram showing a specific example of setting a reconfiguration rule with access restriction. This figure shows the state of access control expressed in the reconfiguration rule when the entire data structure (administrator authority), user 1, user 2, and user 3 each have the access right shown in FIG. ing.
Specifically, the elements that cannot be accessed are excluded from the reconfiguration rules of users 1, 2, and 3, and are configured only from rules that include accessible elements. The center is a storage in the data grid information terminal device realized by the data grid, and indicates that File A and File B are stored therein.
(Advantages and application examples of the present invention)
A few years ago, there were many companies that said that important data would never be carried outside of MT or CD. Today, however, it is common to transmit in real time. Absolute safety has a big meaning. On the other hand, speeding up business and cost saving are urgent issues. A new solution that satisfies both of them is awaited.
The secure network database system (information exchange method) realized by the present invention is realized by combining a secure transmission method and grid data storage technology with encryption technology based on data semantics as a secret. It can be used as a highly efficient information sharing and storage system.
In other words, in the secure network database system (information exchange method), the information is divided based on its meaning without relying on the means of increasing the strength of the encryption algorithm and increasing the security of the information as before. However, a combined security solution is provided for both data transmission and storage by combining the method of transmission and storage while being divided and the conventional security means.
The security so far has been all or nothing of the simple and brute method of entrusting encryption technology. This is an endless battle path for encryption and decryption technologies. In other words, when a conventional security system is broken, all information is leaked, and a failure at one place may immediately become a total failure.
On the other hand, the security of the secure network database system (information exchange method) creates a security environment that seems to be optimal for the user, based on the content and structure of the user's own information. The decomposition and reconfiguration of information into loosely coupled information according to the present invention will be referred to as “skinning”.
That is, the skinning of the present invention utilizes the fact that each piece of information has a meaning and its meaning changes in combination with the decomposition. For example, when dividing into <Company Name> and <Address>, which are elements with low confidentiality, light security is sufficient and it can be placed on the Internet as it is, but with elements such as <Sales Information> with high confidentiality It was necessary to have strong security and put it on the company intranet.
In the secure network database system (information exchange method) of the present invention, the definition of actual skinning should be performed by a simple operation such as dragging on the screen while the user considers the meaning of the information (degree of confidentiality). Can do. Each skin (loosely coupled information) is sent separately using an independent transmission path and stored in an independent storage. This ensures security on the following principle.
Since the location of the skin is private, it is very difficult for a third party (who does not have access authority) to obtain all the related skins at the same time. Also, the disassembly rules (reconstruction rules) are private. Therefore, if the rules are not understood, the original information cannot be synthesized or restored even if the skin is obtained.
The user application that realizes the secure network database system (information exchange method) does not require any special awareness, and there is no need to change the existing application. Moreover, either an intra network or an extra network may be used, and the Internet may be used.
Each skin is stored in a plurality of storages on the data grid information terminal device. In addition, the user can selectively use components at a required level for each skin. Also, IP-VPN and Internet VPN can be used as necessary.
Thus, in the secure network database system (information exchange method), a completely new security method called skinning is used. Usually, each skin has light encryption (for example, encryption according to the naming rule of the present invention described above). Or password management using recombination information, etc.) and is not decrypted except by the user. As a result, two levels of security called encryption and skinning are applied, and in addition to this, synthetic security corresponding to the number of skins is added, and strong total security can be secured.
As described above, since two types of different types of security can be set, it is very difficult to simultaneously take information from a plurality of transmission paths and storage locations, and it is further difficult to restore the entire information from them. Therefore, even when a disk or backup is taken out, the entire information is not leaked, and some failures do not lead to the entire failure.
So far, organizations such as corporations and public offices have made various investments to ensure security, but this will never decrease even if it increases in the future. The encryption technique used in the past is applied uniformly to the entire information, and it has been described that it is the world of All or Nothing. In fact, this concept is the same not only for encryption but also for security in general. In other words, in the past security investment, there are various security requirements and various levels. For the sake of complete safety, investment that can cover any peak (level A), or some risk To limit investment to what seems reasonable (level B).
In other words, at either level A or level B, it is close to All or Noting, and rather than satisfying the security required by each piece of information, a uniform investment is made throughout. This is because there has been no idea of handling information as a large chunk and entering its constituent elements, that is, skins. This clearly invites unnecessary investment.
On the other hand, in the security investment of the secure network database system (information exchange method) according to the present invention, the data grid is maintained at the security level set through the entire information path including the database from the communication. Since each skin is stored in the data grid together with the required security level, the security cost is selectively generated, and optimization and minimization are realized.
Thus, the secure network database system (information exchange method) is a revolutionary solution that not only provides high security but also realizes a wide range of cost savings. In other words, compared with the security investment so far, the security investment of the secure network database system (information exchange method) creates a tunnel for security with a uniform security level from the end to the end for each partial data. By selecting and using the optimum tunnel for each data, the overall security cost can be minimized.
In addition, the secure network database system (information exchange method) uses peer technology and grid computing technology to realize split transmission and decentralized storage, ensuring high safety while using general-purpose products. it can. It also realizes rapid ROI and dramatic TCO reduction. Furthermore, since a plurality of devices and lines operate in parallel in storage and transmission, a high-quality service can be provided even with relatively low-speed devices and lines. In addition, it is highly resistant to wide-area disasters and terrorist attacks through redundant configurations and distributed arrangements of multiple storages, and supports corporate business continuity.
Next, another functional feature of the secure network database system (information exchange method) will be described below. In the past, storage has been increased in consideration of the situation where the capacity is insufficient, and we have provided facilities with a margin so that it will never become full for a certain period in anticipation of future data growth. . But it encompasses a big problem. In other words, it is obviously a wasteful investment, and in some cases, it is necessary to increase the number of buildings. Especially in the large enterprise class, this waste is estimated to reach hundreds of millions to billions per year including related costs.
On the other hand, in the secure network database system (information exchange method), the capacity can be increased in units of the minimum skin. Moreover, the work is almost completed in a few hours. That is, the secure network database system (information exchange method) lowers the information cost of the company, and supports the speeding up of the company easily and quickly. In addition, the small turn at the time of storage expansion works, and it is in the age of change.
Applications of secure network database systems (information exchange methods) include all fields that require the storage of large amounts of electronic documents. However, organizations such as governments and local governments, manufacturing industries, insurance companies, and finance It is particularly suitable for fields such as institutions, medical care and medicines.
This transmission / storage solution is also useful as a means of sharing and exchanging information between multiple organizations such as companies. With advanced security, the inexpensive Internet can be used safely as a mission-critical information exchange and storage infrastructure for a company.
(Other embodiments)
Although the embodiments of the present invention have been described so far, the present invention can be applied to various different embodiments in addition to the above-described embodiments within the scope of the technical idea described in the claims. May be implemented.
For example, the information targeted by the present invention is not limited to data described in XML, but can be performed on all types of information such as fixed length data, CSV format data, data in various database description formats, and the like. Functional features of storage and transmission can also be applied in the same way as XML.
In addition, among the processes described in the embodiment, all or part of the processes described as being performed automatically can be performed manually, or all of the processes described as being performed manually are performed. Alternatively, a part can be automatically performed by a known method.
In addition, the processing procedures, control procedures, specific names, information including parameters such as various registration data and search conditions, screen examples, and database configurations shown in the above documents and drawings, unless otherwise specified. It can be changed arbitrarily.
In addition, regarding the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170, each illustrated component is functionally conceptual and is not necessarily physically configured as illustrated. I don't need it.
For example, the processing functions provided in the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170, particularly the processing functions performed by the control unit, are all or any part of the CPU ( (Central Processing Unit) and a program interpreted and executed by the CPU, or can be realized as hardware by wired logic.
Further, the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170 have various input devices (not shown) such as various pointing devices such as a mouse, a keyboard, an image scanner, and a digitizer as further constituent elements. ), A display device (not shown) used for monitoring input data, a clock generator (not shown) for generating a system clock, and an output device (not shown) such as a printer for outputting various processing results and other data ) May be provided.
The various data stored in the storage unit is a storage device such as a memory device such as a RAM or ROM, a fixed disk device such as a hard disk, a flexible disk or an optical disk, and various programs or tables used for various processing or website provision. And files, databases, web page files, etc.
Furthermore, the specific forms of distribution / integration of the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170 are not limited to those shown in the drawing, and all or a part thereof may be subjected to various loads. Any unit can be configured to be functionally or physically distributed and integrated. For example, each data may be independently configured as an independent database device, and a part of the processing may be realized by using CGI (Common Gateway Interface).
The control units of the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170 are realized by the CPU and a program that is interpreted and executed by the CPU. Can do. In other words, a computer program for giving instructions to the CPU and performing various processes in cooperation with an OS (Operating System) is recorded in the storage unit. This computer program is executed by being loaded into the RAM, and constitutes a control unit in cooperation with the CPU.
However, this computer program may be recorded in an application program server connected to the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170 via an arbitrary network. It is also possible to download all or part of it. Alternatively, all or any part of each control unit can be realized as hardware such as wired logic.
The program according to the present invention can also be stored in a computer-readable recording medium. Here, the “recording medium” is an arbitrary “portable physical medium” such as a floppy disk, a magneto-optical disk, a ROM, an EPROM, an EEPROM, a CD-ROM, an MO, and a DVD, and is incorporated in various computer systems. Program in a short time, such as a communication line or carrier wave when transmitting a program via any “fixed physical medium” such as ROM, RAM, HD, or a network such as LAN, WAN, or the Internet The “communication medium” that holds
The “program” is a data processing method described in an arbitrary language or description method, and may be in any format such as source code or binary code. The “program” is not necessarily limited to a single configuration, but is distributed in the form of a plurality of modules and libraries, or in cooperation with a separate program represented by an OS (Operating System). Including those that achieve the function. Note that a well-known configuration and procedure can be used for a specific configuration for reading a recording medium, a reading procedure, an installation procedure after reading, and the like in each device described in the embodiment.
The network 300 has a function of interconnecting the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170. For example, the Internet 300, an intranet, and a LAN (both wired / wireless) are used. ), VAN, personal computer communication network, public telephone network (including both analog and digital), leased line network (including both analog and digital), CATV network, IMT2000 system, GSM system Or a mobile circuit switching network / portable packet switching network such as PDC / PDC-P system, a wireless paging network, a local wireless network such as Bluetooth, a PHS network, a satellite communication network such as CS, BS or ISDB, etc. Either may be included. That is, this system can transmit and receive various data via any network regardless of wired or wireless.
As described above in detail, according to the present invention, the information communication terminal on the transmission side sets the security coupling degree of a plurality of elements, and based on the set security coupling degree, the information is set to a plurality of loosely coupled information. Set a division rule to divide into two, divide the information into a plurality of loosely coupled information based on the set division rule, and divide the plurality of loosely coupled information into one or more data grids The data grid information terminal device stores the loosely coupled information received from the transmission side information communication terminal, and the reception side information communication terminal (where the reception side information communication terminal is , Which may be the same as the information communication terminal on the transmission side, and so on.) Reads out a plurality of loosely coupled information from the information terminal device for data grid, and reads information based on the division rule from the plurality of loosely coupled information. Because we reconfigure A secure network database system and an information exchange method that can divide information based on its semantics, physically separate each decomposed loosely coupled information, and store the information in an information terminal device for data grid that is an independent place Can be provided.
As a result, there is no complete copy of the original data in any network communication or data storage location, and it is possible to limit the range of information leakage even if human criminal acts are performed A network database system and information exchange method can be provided.
In addition, data storage is not concentrated in one place, and communication uses multiple means, so even if a large-scale failure such as a disaster occurs, the impact will spread throughout. A secure network database system and an information exchange method can be provided.
In addition, by operating multiple data grid information terminal devices, which are distributed resources, in parallel, a secure network that can realize a function that enables mass storage and use of highly economical and highly secure information A database system and information exchange method can be provided.
In addition, a data network information terminal device can be easily duplicated, and a redundant configuration including a communication path is easy, so a secure network database system and an information exchange method that can easily meet individual usage needs Can be provided.
In addition, the scale-up of data grid information terminal equipment storage can be started from a small data storage (node) and a secure network database that can realize a highly scalable system. Systems and information exchange methods can be provided.
Further, according to the present invention, the transmitting means transmits a plurality of loosely coupled information to the data grid information terminal apparatus using a plurality of transmission paths, and the reading means transmits the plurality of loosely coupled information to the plurality of transmission paths. Since the information is read from the data grid information terminal device using the route, a plurality of pieces of loosely coupled information generated with a reduced degree of confidential coupling can be exchanged using different communication paths. Further, it is possible to provide a secure network database system and an information exchange method that can conceal the correspondence relationship of loosely coupled information and can further enhance the confidentiality of information transmitted and received.
Further, according to the present invention, the information communication terminal on the transmission side sets a naming rule for changing the name of the element to another name, and sets the name of the information element based on the set naming rule. Based on the naming rule, the information communication terminal on the receiving side converts the name of the aliased information element into the original name, and thus generates information having a different name and structure from the original information. Thus, it is possible to provide a secure network database system and an information exchange method that can make it difficult to estimate original information at the time of information leakage and can further enhance the confidentiality of information transmitted and received.
Further, according to the present invention, since the information is described in XML, the security that can reduce the confidentiality of the XML data and increase the confidentiality by taking advantage of the ease of decomposition and reconfiguration of the XML data. A network database system and information exchange method can be provided.
Further, according to the present invention, since the confidentiality degree is set based on at least one of the element name, content, and attribute for the element defined in the DTD, the element of the XML information defined in the DTD It is possible to provide a secure network database system and an information exchange method capable of efficiently setting a secret coupling degree based on contents.
Further, according to the present invention, the loosely coupled information includes recombined information for recombining in the receiving-side information terminal device, and the division rule is for specifying correspondence between loosely coupled information and recombined information. A secure network database system and an information exchange method that can further enhance the confidentiality of information by adding recombination information for mediating recombination of divided loosely coupled information since information is included Can be provided.
Further, according to the present invention, a user who can access an element constituting information is defined, and therefore a secure network database system and an information exchange method capable of realizing a data use restriction function for a user are provided. Can be provided.
In addition, a secure network database system and an information exchange method capable of realizing an appropriate access restriction function even when the user is divided into each class such as an administrator, a data owner, or a data user. Can be provided.
Further, according to the present invention, the information communication terminal on the transmission side generates recombination information required when reconstructing information from a plurality of loosely coupled information based on the division rule by the reconfiguration unit. Secure network database system and information exchange that can further enhance the confidentiality of information by adding recombination information (a kind of password information, etc.) to mediate recombination of divided loosely coupled information A method can be provided.
That is, by adding recombination information generated by random numbers or the like to loosely coupled information, it is possible to make it difficult to estimate the contents when a third party views loosely coupled information. In addition, by defining which recombination information is added to which loosely coupled information in the division rule, the information communication terminal on the receiving side can reconfigure the original information based on the recombination information. Become.

As described above, the secure network database system and the information exchanging method are particularly capable of realizing a split transmission and distributed database with high security based on an inexpensive, large-scale and very secure network. it can.
The fields of application of the present invention include all fields that require the storage of a large amount of electronic documents, such as government / local government organizations / institutions, manufacturing industries, insurance companies, financial institutions, medical / pharmaceutical fields, etc. It is particularly suitable for storing and exchanging information.

[0005]
FIG. 1 is a diagram showing an example of an information exchange system for ensuring security by encrypting information according to the prior art. As shown in FIG. 1, when this encryption is broken and accessed illegally, all information is disclosed at once. Therefore, efforts to increase the strength of encryption and make it difficult to break are continuously being made.
However, as a result of the improvement in computer performance, the current situation is that the technology competition between encryption and decryption has fallen into a never-ending cycle, but the improvement in computer performance will increase the speed of this solution. As a result, there is a problem that the endless competition for the development of encryption technology continues.
Moreover, in such a situation, there is a problem that the result is that the user is constantly increased in computer resources.
As described above, the conventional system has a number of problems, and as a result, it is inconvenient and efficient for both users and administrators of the secure network database system. It was bad.
Therefore, the present invention introduces an unprecedented new security method based on the information exchange system disclosed in Japanese Patent Laid-Open No. 2002-358247 by the present inventor, and is inexpensive, large-scale and extremely suitable for companies. It is an object of the present invention to provide a secure network database system and an information exchange method capable of realizing a high-security divided transmission and distributed database based on a secure network.
DISCLOSURE OF THE INVENTION To achieve the above-mentioned object, a secure network database system according to the present invention stores a secure network database for storing the information processed by an information communication terminal that transmits and receives information including a plurality of elements. In the system, the information communication terminal on the transmission side includes a user definition means for defining a user who can access the elements constituting the information, a confidentiality degree setting means for setting the confidentiality degree of the plurality of elements, The machine set by the security coupling degree setting means

[0006]
Based on the degree of tight coupling, a division rule setting means for setting a division rule for dividing the information into a plurality of loosely coupled information, and reconstructing the information from the plurality of the loosely coupled information based on the division rule A reconfiguration information generation unit that generates recombination information required when performing the division, and a division that divides the information into a plurality of the loose coupling information based on the division rule set by the division rule setting unit Means for transmitting the plurality of loosely coupled information divided by the dividing means to one or more data grid information terminal devices, the data grid information terminal device comprising: , Comprising loosely coupled information storage means for storing the loosely coupled information received from the transmitting information communication terminal, wherein the receiving information communication terminal uses a plurality of the loosely coupled information for the data grid Based on the division rule and the recombination information, the information corresponding to each of the accessible users is re-established based on the division rule and the recombination information. And reconfiguring means for configuring.
According to this system, the information communication terminal on the transmission side defines the users who can access the elements constituting the information, sets the security coupling degrees of the plurality of elements, and sets the information based on the set security coupling levels. Set the division rule to divide the information into multiple loosely coupled information, generate the recombination information required when reconfiguring information from multiple loosely coupled information based on the division rule, and set the division Based on the rules, the information is divided into a plurality of loosely coupled information, the plurality of divided loosely coupled information is transmitted to one or more data grid information terminal devices, and the data grid information terminal device is transmitted. Stores the loosely coupled information received from the information communication terminal on the transmission side, and the information communication terminal on the reception side (where the information communication terminal on the reception side may be the same as the information communication terminal on the transmission side. The same applies hereinafter.) A plurality of loosely coupled information is read out from the data grid information terminal device in which each loosely coupled information is stored, and each accessible user is handled based on the division rule and the recombined information from the read multiple loosely coupled information. Since the information is reconstructed, the information is divided based on the semantics, physically separated for each decomposed loosely coupled information, and the information terminal device for data grid which is an independent place

[0007]
Can be saved.
As a result, there is no complete copy of the original data in any network communication or data storage location, so that the extent of information leakage can be limited even if human acts of criminal acts are performed. become.
In addition, data storage is not concentrated in one place, and communication uses multiple means, so even if a large-scale failure such as a disaster occurs, the impact will spread throughout. Can be prevented.
In addition, by operating a plurality of data grid information terminal devices, which are distributed resources, in parallel, it is possible to realize a function capable of mass storage and use of information that is highly economical and extremely safe.
In addition, the data grid information terminal device can be easily duplicated, and since the redundant configuration including the communication path is easy, it is easy to meet individual usage needs.
This also makes it possible to realize a highly scalable system in which the storage scale of the data grid information terminal device can be started from a small data storage (node).
Here, each data grid information terminal device can be virtually integrated using grid computing or edge computing technology.
In addition, according to this system, since a user who can access an element constituting information is defined, a data use restriction function can be realized for the user.
This also makes it possible to realize an appropriate access restriction function even when the user is divided into classes such as an administrator, a data owner, and a data user.
Further, according to this system, since the information communication terminal on the transmission side generates recombination information necessary for reconstructing information from a plurality of loosely coupled information based on the division rule by the reconfiguration unit, By adding recombination information (a kind of password information or the like) for mediating recombination of the divided loosely coupled information, the confidentiality of the information can be further enhanced.

[0008]
That is, by adding recombination information generated by random numbers or the like to loosely coupled information, it is possible to make it difficult to estimate the contents when a third party views loosely coupled information. In addition, by defining which recombination information is added to which loosely coupled information in the division rule, the information communication terminal on the receiving side can reconfigure the original information based on the recombination information. Become.
In the secure network database system according to the next invention, in the secure network database system described above, the transmission means uses the plurality of loosely coupled information for the data grid using a plurality of transmission paths. Multi-routing means for transmitting to the information terminal device is further provided, wherein the reading means further comprises multi-routing reading means for reading the plurality of loosely coupled information using the plurality of transmission paths.
This more specifically shows an example of the transmitting means and the reading means. According to this system, the transmission means transmits a plurality of loosely coupled information to the data grid information terminal apparatus using the plurality of transmission paths, and the reading means transmits the plurality of loosely coupled information to the plurality of transmission paths. Since the information is read out from the data grid information terminal device, a plurality of pieces of loosely coupled information generated with a reduced degree of confidential coupling can be exchanged using different communication paths. Moreover, the correspondence of loosely coupled information can be concealed, and the confidentiality of information transmitted and received can be further enhanced.
In the secure network database system according to the next invention, in the secure network database system described above, a naming rule setting means for setting a naming rule for setting the name of the element to another name; The information communication terminal on the receiving side further includes aliasing means for changing the name of the element of the information to another name based on the naming rule set by the naming rule setting means. And a name conversion means for converting the name of the element of the information that has been aliased into the original name.
According to this system, the information communication terminal on the transmission side uses a different element name.

[0009]
The information element is renamed based on the naming rule. Since the original name is converted to the original name, it is possible to make it difficult to estimate the original information at the time of information leakage by generating information with a different name and structure from the original information, and the confidentiality of the information transmitted and received Can be further enhanced.
A secure network database system according to the next invention is characterized in that in the secure network database system described above, information is described in XML.
This shows one example of information more specifically. According to this system, since information is described in XML, the confidentiality of XML data can be lowered and confidentiality can be increased by taking advantage of the ease of decomposition and reconfiguration of XML data.
In the secure network database system according to the next invention, in the secure network database system described above, the secret coupling degree setting means includes the name of the element for the element defined in the DTD, The secret coupling degree is set based on at least one of contents and attributes.
This more specifically shows an example of the confidentiality degree setting means. According to this system, since the confidentiality degree is set based on at least one of the element name, content, and attribute for the element defined in the DTD, the content of the XML information element defined in the DTD is set. Based on this, it is possible to efficiently set the confidentiality degree.
The present invention also relates to an information exchanging method, and the information exchanging method according to the present invention is a secure network database system for storing the information processed by an information communication terminal that transmits and receives information including a plurality of elements. In the information exchanging method executed using the information, the information communication terminal on the transmission side sets a user definition step for defining a user who can access the element constituting the information, and sets the confidentiality of the plurality of elements The security coupling level setting step and the above security coupling level setting step

[0010]
A division rule setting step for setting a division rule for dividing the information into a plurality of loosely coupled information based on the confidential coupling degree set in the step, and the division rule from the plurality of the loosely coupled information Based on the reconfiguration information generation step for generating recombination information required when reconfiguring the information based on the division rule and the division rule set in the division rule setting step, A dividing step of dividing the loosely coupled information, and a transmitting step of transmitting the plurality of loosely coupled information divided in the dividing step to one or more data grid information terminal devices, The data grid information terminal device includes a loosely coupled information storing step for storing the loosely coupled information received from the transmitting side information communication terminal, The terminal reads the plurality of loosely coupled information from the data grid information terminal device, and the plurality of loosely coupled information read in the readout step, based on the division rule and the recombined information, And reconstructing the information corresponding to each accessible user.
According to this method, the information communication terminal on the transmission side defines a user who can access the elements constituting the information, sets the security coupling degrees of the plurality of elements, and sets the information based on the set security coupling levels. Set the division rule to divide the information into multiple loosely coupled information, generate recombination information required when reconfiguring information from multiple loosely coupled information based on the division rule, and set the division Based on the rule, the information is divided into a plurality of loosely coupled information, the plurality of divided loosely coupled information is transmitted to one or more data grid information terminal devices, and the data grid information terminal device is transmitted. Stores the loosely coupled information received from the information communication terminal on the transmission side, the information communication terminal on the reception side reads a plurality of loosely coupled information from the information terminal device for data grid, Split The information corresponding to each accessible user is reconstructed based on the rules and the recombination information, so the information is divided based on the semantics and physically separated for each decomposed loosely coupled information. It can be stored in the data grid information terminal device.

[0011]
As a result, there is no complete copy of the original data in any network communication or data storage location, so that the extent of information leakage can be limited even if human acts of criminal acts are performed. become.
In addition, because data storage is not concentrated in one place and communication uses multiple steps, even if a large-scale failure such as a disaster occurs, the effect will spread throughout. Can be prevented.
In addition, by operating a plurality of data grid information terminal devices, which are distributed resources, in parallel, it is possible to realize a function capable of mass storage and use of information that is highly economical and extremely safe.
In addition, the data grid information terminal device can be easily duplicated, and since the redundant configuration including the communication path is easy, it is easy to meet individual usage needs.
In addition, this makes it possible to realize a highly scalable method that can start up the storage of the data grid information terminal device from a small data storage (node).
Here, each data grid information terminal device can be virtually integrated using grid computing or edge computing technology.
Also, according to this method, a user who can access the elements constituting the information is defined, so that a data use restriction function can be realized for the user.
This also makes it possible to realize an appropriate access restriction function even when the user is divided into classes such as an administrator, a data owner, and a data user.
Further, according to this method, the information communication terminal on the transmission side generates recombination information required when reconstructing information based on the division rule from a plurality of loosely coupled information by the reconfiguration unit. By adding recombination information (a kind of password information or the like) for mediating recombination of the divided loosely coupled information, the confidentiality of the information can be further enhanced.
In other words, adding recombination information generated by random numbers etc. to loosely coupled information

[0012]
Thus, when a third party sees loosely coupled information, it can be difficult to estimate the contents. In addition, by defining which recombination information is added to which loosely coupled information in the division rule, the information communication terminal on the receiving side can reconfigure the original information based on the recombination information. Become.
The information exchanging method according to the next invention is the information exchanging method described above, wherein the transmitting step transmits a plurality of the loosely coupled information to the data grid information terminal device using a plurality of transmission paths. The method further includes a multi-routing step, wherein the reading step further includes a multi-routing reading step of reading the plurality of loosely coupled information using the plurality of transmission paths.
This more specifically shows an example of the transmission step and the reading step. According to this method, the transmitting step transmits a plurality of loosely coupled information to the data grid information terminal apparatus using a plurality of transmission paths, and the reading step transmits the plurality of loosely coupled information to the plurality of transmission paths. Since the information is read out from the data grid information terminal device, a plurality of pieces of loosely coupled information generated with a reduced degree of confidential coupling can be exchanged using different communication paths. Moreover, the correspondence of loosely coupled information can be concealed, and the confidentiality of information transmitted and received can be further enhanced.
The information exchanging method according to the next invention is set in the information exchanging method described above, in a naming rule setting step for setting a naming rule for setting the name of the element to another name, and the naming rule setting step And an aliasing step for changing the name of the element of the information to another name based on the naming rule, and the information communication terminal on the receiving side is aliased based on the naming rule. And a name conversion step of converting the name of the element of the information into an original name.
According to this method, the information communication terminal on the transmission side sets a naming rule for setting the name of the element to another name, and changes the name of the element of information to another name based on the set naming rule. Since the information communication terminal on the receiving side converts the name of the aliased information element to the original name based on the naming rule,

[0013]
By generating information having a different name and structure from this information, it is possible to make it difficult to estimate original information at the time of information leakage, and it is possible to further improve the confidentiality of information transmitted and received.
The information exchange method according to the next invention is characterized in that in the information exchange method described above, the information is described in XML.
This shows one example of information more specifically. According to this method, since the information is described in XML, the confidentiality of the XML data can be lowered and the confidentiality can be improved by taking advantage of the ease of disassembling and reconfiguring the XML data.
An information exchanging method according to the next invention is the information exchanging method described above, wherein the confidentiality coupling degree setting step includes at least one of the name, content and attribute of the element for the element defined in the DTD. The secret coupling degree is set based on the above.
This more specifically shows an example of the confidentiality degree setting step. According to this method, since the confidentiality degree is set based on at least one of the element name, content, and attribute for the element defined in the DTD, the content of the element of the XML information defined in the DTD is set. Based on this, it is possible to efficiently set the confidentiality degree.
BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram showing an example of an information exchange system for ensuring security by encrypting information according to the prior art, and FIG. 2 is a case of XML information, and the entire information on the left side is shown on the right side. FIG. 3 is a diagram showing the concept of division transmission and division storage of information according to the present invention, and FIG. 4 is a diagram of division transmission and division according to the present invention. FIG. 5 is a diagram illustrating an example of the concept of security protection by storage, FIG. 5 is a diagram illustrating the concept of a conventional database system, and FIG. 6 is a diagram of a database system with a decentralized storage configuration according to the present invention. FIG. 7 shows an example.

[0053]
For the configuration, reading procedure, or installation procedure after reading, a known configuration or procedure can be used.
The network 300 has a function of interconnecting the information communication terminal 100, the relay information terminal device 150, and the data grid information terminal device 170. For example, the Internet 300, an intranet, and a LAN (both wired / wireless) are used. ), VAN, personal computer communication network, public telephone network (including both analog and digital), leased line network (including both analog and digital), CATV network, IMT2000 system, GSM system Or a mobile circuit switching network / portable packet switching network such as PDC / PDC-P system, a wireless paging network, a local wireless network such as Bluetooth, a PHS network, a satellite communication network such as CS, BS or ISDB, etc. Either may be included. That is, this system can transmit and receive various data via any network regardless of wired or wireless.
As described above in detail, according to the present invention, the information communication terminal on the transmission side defines a user who can access the elements constituting the information, sets the confidentiality degree of a plurality of elements, and is set Recombination information required when reconfiguring information from multiple loosely coupled information based on the division rule by setting a division rule for dividing information into multiple loosely coupled information based on the degree of confidential coupling Is generated, and the information is divided into a plurality of loosely coupled information based on the set division rule, and the divided pieces of loosely coupled information are transmitted to one or more data grid information terminal devices. The information terminal device for data grid stores loosely coupled information received from the information communication terminal on the transmission side, and the information communication terminal on the reception side (where the information communication terminal on the reception side is the information communication terminal on the transmission side) May be the same. The same applies below.) Reads out a plurality of loosely coupled information from the data grid information terminal device, and corresponds to each accessible user from the read out loosely coupled information based on the division rule and the recombination information. Since the information is reconstructed, a secure network that can divide the information based on its semantics, physically separate each decomposed loosely coupled information, and store it in an independent data grid information terminal device Database system and information

[0054]
An information exchange method can be provided.
As a result, there is no complete copy of the original data in any network communication or data storage location, and it is possible to limit the range of information leakage even if human criminal acts are performed A network database system and information exchange method can be provided.
In addition, data storage is not concentrated in one place, and communication uses multiple means, so even if a large-scale failure such as a disaster occurs, the impact will spread throughout. A secure network database system and an information exchange method can be provided.
In addition, by operating multiple data grid information terminal devices, which are distributed resources, in parallel, a secure network that can realize a function that enables mass storage and use of highly economical and highly secure information A database system and information exchange method can be provided.
In addition, a data network information terminal device can be easily duplicated, and a redundant configuration including a communication path is easy, so a secure network database system and an information exchange method that can easily meet individual usage needs Can be provided.
In addition, the scale-up of data grid information terminal equipment storage can be started from a small data storage (node) and a secure network database that can realize a highly scalable system. Systems and information exchange methods can be provided.
Further, according to the present invention, a user who can access an element constituting information is defined, and therefore a secure network database system and an information exchange method capable of realizing a data use restriction function for a user are provided. Can be provided.
In addition, as a result, it is possible to realize an appropriate access restriction function even when users are divided into classes such as administrators, data owners and data users.

[0055]
A network database system and information exchange method can be provided.
Further, according to the present invention, the information communication terminal on the transmission side generates recombination information required when reconstructing information from a plurality of loosely coupled information based on the division rule by the reconfiguration unit. Secure network database system and information exchange that can further enhance the confidentiality of information by adding recombination information (a kind of password information, etc.) to mediate recombination of divided loosely coupled information A method can be provided.
That is, by adding recombination information generated by random numbers or the like to loosely coupled information, it is possible to make it difficult to estimate the contents when a third party views loosely coupled information. In addition, by defining which recombination information is added to which loosely coupled information in the division rule, the information communication terminal on the receiving side can reconfigure the original information based on the recombination information. Become.
Further, according to the present invention, the transmitting means transmits a plurality of loosely coupled information to the data grid information terminal apparatus using a plurality of transmission paths, and the reading means transmits the plurality of loosely coupled information to the plurality of transmission paths. Since the information is read from the data grid information terminal device using the route, a plurality of pieces of loosely coupled information generated with a reduced degree of confidential coupling can be exchanged using different communication paths. Further, it is possible to provide a secure network database system and an information exchange method that can conceal the correspondence relationship of loosely coupled information and can further enhance the confidentiality of information transmitted and received.
According to the present invention, the information communication terminal on the transmission side sets a naming rule for setting the name of the element to another name, and sets the name of the element of information to another name based on the set naming rule. Based on the naming rule, the information communication terminal on the receiving side converts the name of the aliased information element into the original name, and thus generates information having a different name and structure from the original information. Therefore, it is possible to make it difficult to estimate the original information in the event of information leakage, and to further improve the confidentiality of the transmitted and received information.

[0056]
And information exchange methods can be provided.
Further, according to the present invention, since the information is described in XML, the security that can reduce the confidentiality of the XML data and increase the confidentiality by taking advantage of the ease of decomposition and reconfiguration of the XML data. A network database system and information exchange method can be provided.
Further, according to the present invention, since the confidentiality degree is set based on at least one of the element name, content, and attribute for the element defined in the DTD, the element of the XML information defined in the DTD It is possible to provide a secure network database system and an information exchange method capable of efficiently setting a secret coupling degree based on contents.
Further, according to the present invention, the loosely coupled information includes recombined information for recombining in the receiving-side information terminal device, and the division rule is for specifying correspondence between loosely coupled information and recombined information. A secure network database system and an information exchange method that can further enhance the confidentiality of information by adding recombination information for mediating recombination of divided loosely coupled information since information is included Can be provided.
Industrial Applicability As mentioned above, secure network database systems and information exchange methods, in particular, split transmission and distribution with high security based on cheap, large and very secure networks. A database can be realized.
The fields of application of the present invention include all fields that require the storage of a large amount of electronic documents, such as government / local government organizations / institutions, manufacturing industries, insurance companies, financial institutions, medical / pharmaceutical fields, etc. It is particularly suitable for storing and exchanging information.

Claims (14)

In a secure network database system for storing the information processed by an information communication terminal that transmits and receives information including a plurality of elements,
The information communication terminal on the sending side
A confidentiality degree setting means for setting the degree of confidentiality of the plurality of elements;
A division rule setting means for setting a division rule for dividing the information into a plurality of loosely coupled information based on the confidentiality degree set by the confidentiality degree setting means;
Splitting means for splitting the information into a plurality of loosely coupled information based on the split rule set by the split rule setting means;
Transmitting means for transmitting a plurality of the loosely coupled information divided by the dividing means to one or more data grid information terminal devices;
With
The data grid information terminal device is
Loosely coupled information storage means for storing the loosely coupled information received from the information communication terminal on the transmitting side;
With
The information communication terminal on the receiving side
Reading means for reading a plurality of the loosely coupled information from the data grid information terminal device;
Reconstructing means for reconstructing the information based on the division rule from a plurality of the loosely coupled information read by the reading means;
A secure network database system characterized by comprising: The transmission means is
A multi-routing means for transmitting the plurality of loosely coupled information to the data grid information terminal device using a plurality of transmission paths;
The reading means is
Further comprising multi-routing reading means for reading the plurality of loosely coupled information from the data grid information terminal device using the plurality of transmission paths,
The secure network database system according to claim 1, wherein: The information communication terminal on the transmission side
Naming rule setting means for setting a naming rule for setting the name of the element to another name;
Based on the naming rule set by the naming rule setting means, aliasing means for changing the name of the element of the information to another name;
Further comprising
The information communication terminal on the receiving side
Based on the naming rule, name conversion means for converting the name of the element of the aliased information to the original name;
The secure network database system according to claim 1 or 2, further comprising: The secure network database system according to any one of claims 1 to 3, wherein the information is described in XML. The security coupling degree setting means sets the security coupling degree for the element defined in the DTD based on at least one of the name, content, and attribute of the element. Secure network database system as described in section The information communication terminal on the transmission side
User-defining means for defining users who can access the elements constituting the information;
The secure network database system according to any one of claims 1 to 5, further comprising: The information communication terminal on the transmission side
Reconfiguration information generating means for generating recombination information required when reconfiguring the information based on the division rule from a plurality of the loosely coupled information by the reconfiguration means;
The secure network database system according to any one of claims 1 to 6, further comprising: In an information exchange method executed using a secure network database system for storing the information processed by an information communication terminal that transmits and receives information including a plurality of elements,
In the information communication terminal on the transmission side, a confidentiality coupling degree setting step for setting the confidential coupling degrees of the plurality of elements,
A division rule setting step for setting a division rule for dividing the information into a plurality of loosely coupled information based on the confidential coupling degree set in the confidential coupling degree setting step in the information communication terminal on the transmission side; ,
In the information communication terminal on the transmission side, based on the division rule set in the division rule setting step, a division step for dividing the information into a plurality of the loosely coupled information;
In the information communication terminal on the transmission side, a transmission step of transmitting the plurality of loosely coupled information divided in the division step to one or more information terminal devices for data grids;
In the data grid information terminal device, loosely coupled information storage step for storing the loosely coupled information received from the transmitting information communication terminal;
In the information communication terminal on the receiving side, a reading step of reading a plurality of the loosely coupled information from the data grid information terminal device;
In the information communication terminal on the receiving side, a reconfiguration step of reconfiguring the information based on the division rule from a plurality of the loosely coupled information read in the reading step;
An information exchange method comprising: The sending step is
A multi-routing step of transmitting a plurality of the loosely coupled information to the data grid information terminal device using a plurality of transmission paths;
The reading step is
Further comprising a multi-routing read step for reading a plurality of the loosely coupled information using the plurality of transmission paths,
The information exchange method according to claim 7, wherein: The information communication terminal on the transmission side
A naming rule setting step for setting a naming rule for setting the name of the element to another name;
Based on the naming rule set in the naming rule setting step, an aliasing step for changing the name of the element of the information to another name;
Further including
The information communication terminal on the receiving side
Based on the naming rule, a name conversion step for converting the name of the element of the aliased information to the original name;
The information exchange method according to claim 7 or 8, further comprising: The information exchange method according to any one of claims 7 to 9, wherein the information is described in XML. The security coupling degree setting step sets a security coupling degree for the element defined in the DTD based on at least one of the name, content, and attribute of the element. Information exchange method described in the section. In the information communication terminal on the transmission side, a user definition step for defining a user who can access the element constituting the information,
The information exchange method according to any one of claims 8 to 12, further comprising: In the information communication terminal on the transmission side, a reconfiguration information generation step for generating recombination information required when reconfiguring the information based on the division rule from a plurality of the loosely coupled information in the reconfiguration step ,
The information exchange method according to any one of claims 8 to 13, further comprising:

Images