TW515957B - A secure database management system for confidential records - Google Patents

A secure database management system for confidential records

Info

Publication number
TW515957B
Authority
TW
Taiwan
Prior art keywords
database
data
request
identification
code
Prior art date
Application number
TW88101168A
Other languages
Chinese (zh)
Inventor
Andrew Po-Jung Ho
Original Assignee
Andrew Po-Jung Ho
Priority date
Filing date
Publication date
Application filed by Andrew Po-Jung Ho
Application granted
Publication of TW515957B

Abstract

A system for managing sensitive data is described. The system prevents a system administrator from accessing sensitive data by storing the data and the identifying information on different computer systems. Each query is encrypted using two codes: a first code readable only by an identifier database and a second code readable only by a data access database. By routing the data path from a source terminal to the identifier database, which substitutes an internal ID, then on to the data access database and back to the source terminal, data security is significantly improved.

Description

Background of the Invention

Field of the Invention

The present invention relates to the protection of confidential information. In particular, it relates to preventing persons who hold high-level computer access rights from accessing confidential data.

Description of the Related Art

Computer systems have been used for some time to process confidential information. These systems typically include databases and processors that handle large volumes of highly private and confidential data. To keep outsiders away from this data, firewalls and encryption systems are often used to protect it from unauthorized access. Examples of conventional systems and methods used to protect confidential data from unauthorized access include user authentication, access location restriction and user-level access controls. Although these systems are useful for keeping "outsiders" away from confidential data, they typically cannot protect the data from "insiders" who hold a system access authorization high enough to circumvent the security controls. In particular, it is difficult to prevent system administrators from accessing sensitive or confidential data.

A system administrator with a high-level system access authorization is typically able to access most of the data on a computer system. As the data held on computers becomes increasingly confidential and valuable, system administrators and other "trusted insiders" have a growing incentive to defeat the system's protection mechanisms.

... different embodiments of the management system.

Figure 4 illustrates the use of multiple identifier databases in one embodiment of the invention.

Figure 5 illustrates a combined identifier and data request database under common management control in one embodiment of the invention.

Detailed Description of the Invention

In the following detailed description, a method and apparatus for protecting confidential data is described. Numerous specific details are set forth so that the invention can be fully understood. However, those skilled in the art will appreciate that the invention may be practised without those details. In other instances, well-known methods, procedures, protocols, components and circuits, for example the public-key or private-key cryptography familiar to those skilled in the art, are not described in detail so as not to obscure the gist of the invention.

In one embodiment of the invention, the security system is implemented on a large network containing a plurality of subnetworked computers. For example, the Internet is a large network coupled to a plurality of subnetworks, such as local area networks or Ethernet-coupled computers. For the best security, each subnetwork is under the control of a different administrator, and no administrator has control over computers outside his or her own subnetwork. By partitioning the confidential data and distributing its storage and retrieval across computers on different subnetworks, the data is protected from improper access by the individual administrator of any one subnetwork.

Figure 1 illustrates a secure data management system 100 used to implement one embodiment of the invention. A user enters data at a source terminal 104. A typical user might be a doctor or another person with the appropriate access rights to request the needed data. In one embodiment the source terminal 104 may be a computer, or another processing device including a personal computer. In another embodiment the source terminal 104 is merely a terminal coupled to a host computer or other processing device. The source terminal may be connected to a local computer network, or "source subnetwork", 106. The source subnetwork 106 may be a plurality of computers connected together by a local area network. The source terminal 104 typically identifies the user, or collects information by which the user can be identified, by obtaining a password, handprint, fingerprint, retinal scan or other suitable verification mechanism. After the user's identity has been confirmed, the user, who needs information and may be for example a doctor, lawyer, narcotics officer, government official or banker, requests access to specific information about a particular subject, and that request is processed by the secure data management system 100. The user may also be a computer program or system.

The source terminal 104 accepts the information from the user and combines it into a data packet 116 for output to the rest of the security system 100. The data packet 116 is made up of two smaller data packets, an identifier 112 and a data access request 124. The identifier 112 includes sub-data packets such as a user I.D. 118 and a subject I.D. 120. The first sub-data packet (user I.D. 118)

includes information about the user, for example the information needed to confirm the identity of the doctor who is requesting the data. This information may include, but is not limited to, last name, first name, middle name, social security number, date of birth, mother's maiden name, driver's licence number, medical licence number, attorney licence number, narcotics officer personal number, invoice number, fingerprint number, or other information necessary or useful for identifying the requesting user. The second sub-data packet (subject I.D. 120) includes information about the subject: data identifying the individual or entity to which the data access request relates. For example, such data may include last name, first name, middle name, social security number, date of birth, place of birth, mother's maiden name, driver's licence number, street address, e-mail address, file number, patient identification number, prisoner identification number, account number, or company name.

The processor 108 associated with the source terminal 104 encrypts the identifier 112, including the sub-data packets 118 and 120, with a first code. In one embodiment of the invention the identifier 112 also includes a further sub-data packet containing information about, or the address of, the source terminal 104 that generated the data packet 116. The address of the source terminal may be incorporated into that sub-data packet as a globally unique identifier, or "GUID".

The data packet 116 also includes a second part containing the data access request 124. The data access request 124 holds the details of the requested data, for example a request for a laboratory result or a request to append a new progress note. In one embodiment of the invention the data access request 124 may also be a token. A token may be an instruction, index or code that designates

a memory address or other instruction to be executed by the recipient of the token. The token authorizes communication with the source subnetwork 106 to obtain the details of the data request. The processor 108 encrypts the data request 124 under a second code. The data request 124 is associated with the identifier 112 within the data packet 116, so that a computer or processor on an external subnetwork can link the identifier 112 to the data request 124.

In medical applications the source terminal 104 is typically a computer in a computer source subnetwork 106 used in, for example, a medical facility or hospital. The source terminal 104 transmits the data packet 116, which includes the identifier 112 and the data access request 124, to a second processor, the identifier database 128. The identifier database is preferably part of a second computer subnetwork 130. The second subnetwork 130 is typically a local area network under the control of a second administrator. The second subnetwork 130 and the source subnetwork 106 may be located in different parts of the country. A communications link couples the source terminal 104 and the identifier database 128; in one embodiment the link is an Internet connection and/or a private line.

The identifier database 128 holds the code needed to decode the identifier 112. The identifier 112 can be encoded and decoded in many ways. In one embodiment of the invention the source terminal 104 encrypts the identifier 112 with a public key of the identifier database 128, and the identifier database 128 uses the corresponding private key to decode the identifier 112 in the data packet 116. Because the identifier database 128 does not hold the decryption key needed to read the information contained in the data access request 124, the data access request information is protected from being read by the system administrator of the identifier database 128 and subnetwork 130.

The identifier database 128 uses the information contained in the identifier 112 to produce (1) an access level indicating the access allowances for the data the user has requested, and (2) an identification of the individual or entity (the subject) to which the requested data relates. The identifier 112 information serves as the search key for querying a database, typically a lookup table 132. In one embodiment, the user request data in the user I.D. 118 is used to identify the entry in lookup table 132 and to determine the user's approved access right with respect to the individual confirmed in the subject I.D. section 120. In particular, subnetwork 130 determines the type of data access activity the user may perform for the subject identified by subject I.D. 120. For example, subnetwork 130 may determine whether the user is a doctor currently treating the identified individual. When a doctor is confirmed as treating the identified individual, the doctor is given an associated access right that allows him or her to review X-rays or laboratory results, or to add a progress note to that patient's record. Subnetwork 130, which contains the identifier database 128, links an approved user access right to the doctor. Typically using a lookup table such as lookup table 133, the identifier database 128 assigns a subject internal I.D. to the individual confirmed in the subject I.D. section 120 of the identifier 112.

The identifier database 128 outputs a data packet 148 that includes (1) a subject data section 144 and (2) the data access request 124. In one embodiment,

the subject data section 144 includes a user access right subsection 136 and an internal identifier stored in a subject internal identifier subsection 140. The subject data section 144 may also include the address of the originating source terminal 104. Because the data in the subject data section 144 is generally unintelligible to an intruder, the subject data section 144 need not be encrypted. In the highest-security systems, the subject material in subject data 144 is encrypted with a code such that it can be read only by the data request database 152. Note, however, that an unencrypted section 144 still exposes the internal I.D., the access right and the terminal address to anyone on the path between the two databases, which lets successive requests about the same subject be correlated even though the subject cannot be named. In one embodiment of the invention, the user's identity, the subject, the address of the source terminal 104, and the time at which data was received and/or transmitted are stored in a log 156 of the identifier database 128.

The data request database 152 and its associated subnetwork 154 receive the data packet 148. When the subject data 144 is encrypted, the data request database 152 decodes the subject data section 144 of data packet 148 and extracts the subject internal I.D. 140 and the user access right 136. The data request database 152 also decodes the data access request 124. The data access request 124 in data packet 148 is encrypted with a code that only the data request database 152 can read. In one embodiment of the invention, the source terminal 104 encrypts the data access request 124 with the public key of the data request database 152, so that the data request database 152 can extract the data access request 124 with the corresponding private key.

After consulting the records associated with the subject internal identifier 140, the data request database 152 determines whether the user's access right permits the type of data access specified in the data access request 124. When the user has the appropriate access right, and is therefore entitled to perform the operation, the requested operation is performed on the record keyed by internal identifier 140.

In one embodiment, the data request database 152 contains no user demographic data, personal identifiers or other personally identifiable information that could be used to link an individual or entity to the data held in data records 157. Known individually identifiable attributes, including user demographics and specific identifiers such as addresses, are removed and stored instead in the identifier database 128. Consequently, although the system administrator of the data request database 152 and its subnetwork 154 can access information relating to the requested data (for example, a record of an AIDS diagnosis), that administrator cannot learn the name of the patient who has AIDS. Only the identifier database 128 contains the information connecting a public identity (such as a patient's name and address) to an internal identifier. It will be appreciated that separating the data of the identifier database 128 from that of the data request database 152 can also be used to store other sensitive data for which the link between two data elements must be withheld from everyone except authorized users.

After the data request database 152 performs the requested data access operation, for example retrieving a set of laboratory results from table 157, the data request database 152 uses the source terminal I.D. 104 contained in the subject data 144 to return a result set of the operation to the source terminal 104. The connection between the data request database 152 and the source terminal 104 may be over the Internet, or the data may be transmitted over a secure line. The result set may be encrypted for transmission to the source terminal, for example using the public key of the source terminal 104.

515957 五、 A7 B7 ——..............—10 發明説明() 機104的公用鍵碼。 (讀先閱讀背面之注意事項再瑣寫本頁) 爲了要進一步增加安全性’特別是爲了要避免識別子 資料庫128或資料請求資料庫1 52的某一系統管理員質詢系 統而試著獲取內部確認碼或進行未經許可的資料存取,每 一資料庫皆保持一記錄(1 〇 g)。識別子資料庫保持一第一 記錄1 56,該記錄可能儲存某一質詢爲來自來源終端機1 04 的某位特定使用者而且某一質詢發生在某一特定時間。同 樣地,資料請求資料庫152保持一第二記錄164,其記錄主 題內部I.D.操作的記錄(records)、被請求資訊所被送達的 目的地、來源終端機I.D.1 04、以及資訊被送達到或接收 自識別子資料庫128的時間。當系統的無缺狀態受到質疑 的時候,某一第三者稽核員能比較第一記錄156和第二記 錄164以決定是否有不尋常的情事發生。一第三者稽核的 較佳程序爲在使資料呈現給稽核員之前,使用例如查和 (check sum)或混列(hash)函數的一種程序來轉換這些記 錄,藉此保護使用者-主體配對資料的機密性。 識別子資料庫能定期產生報告以揭示在某一特定期間 存取某一特定主體的記錄之所有使用者的本質。這些報告 能直接地被送到該主體或該主體指定的某一人以供檢閱。 任何不尋常的情事即能受到適當的修正。藉此不適當的存 取記錄能及時被發現而且所有的使用者必須要對其行爲負 責。 圖2A和2B是流程圖200,其舉例說明用以實現本發明 的程序。在方塊204,在來源終端機的使用者請求資料。 -13 - 本紙张尺度適州中國國家標準(CNS ) A4規格(210X 297公釐) 11515957 A7 B7 部 屮 •火 il 消 IV 竹 卬 f: 五、發明说明 使用者可能輸入密碼或其它識別資訊以證實該使用者是他 或她聲稱的實體。在方塊208,該來源終端機將例如是病 人姓名的該主體的識別資訊以第一碼加密。在一個具體實 施例中,該識別子被使用識別子資料庫的一公用鍵碼加 密。該識別子典型地包括終端機的位址、和使用者資訊 (例如請求資訊之人的名字)。識別子封裝也可能包括來源 終端機公用鍵碼。 在方塊208,來源終端機也使用一第二碼加密該資料 存取請求。在一個具體實施例中,該資料存取請求被使用 例如是資料請求資料庫的第二資料庫的一第二公用鍵碼加 密。該資料存取請求包含有關於資料請求本質的資訊,例 如刪除一記錄、顯示實驗結果、和更新財務資訊。 在本發明的一個具體實施例中,整個資料封包在方塊 2 12被註記。此一加密之完成可能使用來源終端機的一秘 密鍵碼。此一加密用以識別來源終端機1 04而且避免其他 的終端機僞造來源終端機104。在另一具體實施例中,驗 證之進行可能使用業界習知的數位簽名演算法(例如 RSA、ElGamal和Rabin)來以數位方式簽名該資料封包。 在方塊216,該資料封包被傳送到有一電腦的次網路,該 電腦含有一第一資料庫或識別子資料庫。 在識別子資料庫裡面,識別子資訊在方塊220被解 密。典型地,解密之完成是使用識別子資料庫的秘密鍵 碼。在方塊224,識別子資料庫使用被解密的識別子資訊 來查尋被請求資料的個體(主體),例如醫院裡的某位病 14 - 本紙张尺度適用中國國家標準(CNS ) A4規格(210X297公釐) (讀先閱讀背面之注意事項再填寫本頁) 515957 A7 B7 12 — 五、發‘明説明() (讀先閱讀背面之注意事項再填寫本頁) 人,而且確定那個人或實體存在。識別子資料庫也查證請 求該存取的個體具有存取方塊224裡主體資訊的權限。舉 例來說,該主體可能是某醫院裡的一位病人而該請求資料 的人可能是一位醫生。當使用在醫院的時候,識別子資料 庫可能檢查一表以確定病人和醫生在方塊224中爲一醫生-病人對。如果醫生和病人未形成一醫生-病人對,則在方 塊230中存取不被允許而且來源終端機在方塊232中被通知 該資訊無法獲得。如果醫生和病人是一醫生-病人對,那 麼在決定方塊230中該存取被允許而且資料庫在方塊236中 擷取(1)相對於該對醫生-病人的適當權限等級,以及(2)相 對於病人的內部ID。 識別子資料庫在方塊240中加密該內部ID、權限等級 和來源終端機位址,以供傳輸到在另一受到管理的次網路 中的資料請求資料庫。實際病人的姓名以及醫生的姓名被 自資料中取出,而代之以內部ID。在本發明的一個具體實 施例中,識別子資料庫使用資料請求資料庫的公用鍵碼來 加密內部ID。在圖2B的方塊244中,該含有內部識別子、 使用者存取權限或權限等級、連同原先經加密的資料存取 請求的資料封包在方塊244中被傳輸到資料請求資料庫。 
在一個具體實施例中,一登錄(entry)被加入記錄中以記載 方塊244中的傳輸。該傳輸可能是經由一專線或虛擬私人 網路以確保資料的安全性和完整性。在一個具體實施例 中,該整個封包受到加密及簽名。 在方塊248中,資料請求資料庫將接收自識別子資料 -15 - 本纸张尺度適州中國國家標準(CNS ) A4規格(210X 297公釐) 13515957 部 中 •λ il 導 而 J 消 fc 合 竹 印 f: A7 B7 五、發明説明 庫的資料加以解密。在方塊252,資料請求資料庫擷取相 對於內部識別子的病人醫療記錄。在決定方塊256中,資 料請求資料庫根據所收到的存取權限等級決定存取檔案裡 的特定資訊是否可以進行。如果存取不容許進行,在方塊 260中一通知被送到來源終端機。 當權限等級顯示存取該特定資訊可以進行的時候,資 料請求資料庫執行該被請求的操作而且將其結果集合加密 在一資料封包中,以供傳輸到來源終端機。在一個具體實 施例裡,該被請求的資訊在方塊264中被使用來源終端機 的公用鍵碼加密。該來源終端機公用鍵碼能夠已經隨同該 資料存取請求而被接收到。該經加密的資料然後在方塊 268裡被傳輸回到來源終端機。該來源終端機將資料與以 解碼同時將其顯示給該位經授權的使用者。 藉著將在一交易請求封包裡的資料分成數個部份,每 個部份僅能由相對的獨立系統管理員所管理的一個電腦系 統或相對的次網路加以存取,使得主體機密性和該資訊的 資料完整性得以被保存。例如識別子128和資料請求資料 庫152的每種資料庫能被架構在標準的電腦系統上。這些 系統能夠藉由使用直接連接的網路或如果資料傳輸已經受 到加密藉由使用公用的網際網路連接而被整合在一起。 上文的描述也顯示資料由來源終端機104傳輸到識別 子資料庫128,然後經由資料請求資料庫152傳輸回到該來 源終端機。圖3 A和3B分別地舉例說明使用和沒有使用記 錄監視器的此種基本架構。然而,因爲仍有其它資料傳輸 16 - 本紙張尺度適用中國國家標準(CNS ) A4規格(210X 297公釐) (讀先閱讀背面之注意事項再瑣寫本頁)515957 V. A7 B7 ——..............- 10 Description of the invention () The common key code of the machine 104. (Read the precautions on the back before writing this page.) In order to further increase security, especially to avoid identifying a system administrator in the sub-database 128 or the data request database 1 52, try to get the internal Confirmation code or unauthorized data access, each database maintains a record (10g). The identification sub-database maintains a first record 156, which may store a challenge as a specific user from the source terminal 104 and that a challenge occurred at a specific time. Similarly, the data request database 152 maintains a second record 164, which records records of the subject's internal ID operations, the destination to which the requested information was delivered, the source terminal ID 104, and the information reached Time received from the identification sub-database 128. When the integrity of the system is questioned, a third party auditor can compare the first record 156 and the second record 164 to determine if something unusual happened. 
A better procedure for a third-party audit is to protect the user-subject pairing by converting the records using a procedure such as a check sum or hash function before presenting the data to the auditor. Confidentiality of information. The identification sub-database can generate reports periodically to reveal the nature of all users who access records of a particular subject during a particular period. These reports can be sent directly to the subject or someone designated by the subject for review. Any unusual situation can be appropriately corrected. As a result, inappropriate access records can be found in a timely manner and all users must be held accountable for their actions. Figures 2A and 2B are a flowchart 200 illustrating a procedure for implementing the present invention. At block 204, a user at the source terminal requests data. -13-The size of this paper is China State Standard (CNS) A4 (210X 297 mm) 11515957 A7 B7 Ministry of Fire • Fire illuminating IV Bamboo 卬 f: 5. Description of the invention The user may enter a password or other identifying information to Verify that the user is the entity he or she claims to be. At block 208, the source terminal encrypts the identification information of the subject, such as the patient's name, with a first code. In a specific embodiment, the identifier is encrypted using a common key code of the identifier database. The identifier typically includes the address of the terminal and user information (such as the name of the person requesting the information). The identification subpackage may also include the source terminal public key code. At block 208, the source terminal also uses a second code to encrypt the data access request. In a specific embodiment, the data access request is encrypted using a second public key code such as a second database of the data request database. 
The data access request contains information about the nature of the data request, such as deleting a record, displaying experimental results, and updating financial information. In a specific embodiment of the present invention, the entire data packet is marked at blocks 2-12. This encryption may be completed using a secret key code of the source terminal. This encryption is used to identify the source terminal 104 and to prevent other terminals from forging the source terminal 104. In another embodiment, the verification may be performed using digital signature algorithms (such as RSA, ElGamal, and Rabin) that are well known in the industry to digitally sign the data packet. At block 216, the data packet is transmitted to a secondary network of a computer, the computer containing a first database or identification sub-database. In the identification sub-database, identification information is decrypted at block 220. Decryption is typically accomplished using a secret key code identifying the sub-database. At block 224, the identification sub-database uses the decrypted identification information to search for the individual (subject) of the requested data, such as a disease in a hospital. 14-This paper size applies the Chinese National Standard (CNS) A4 specification (210X297 mm) (Read the notes on the back before you fill in this page) 515957 A7 B7 12 — V. Send a note () (Read the notes on the back before you fill in this page) person, and make sure that person or entity exists. The identification sub-database also verifies that the individual requesting the access has access to the subject information in box 224. For example, the subject may be a patient in a hospital and the person requesting information may be a doctor. When used in a hospital, the identification sub-database may check a table to determine that the patient and doctor are a doctor-patient pair in block 224. 
If the doctor and patient do not form a doctor-patient pair, then access is not allowed in block 230 and the source terminal is notified in block 232 that the information is not available. If the doctor and patient are a doctor-patient pair, then the access is permitted in decision block 230 and the database retrieves in block 236 (1) the appropriate level of authority relative to the pair of doctor-patient, and (2) Relative to the patient's internal ID. The identification sub-database encrypts the internal ID, permission level and source terminal address in block 240 for transmission to a data request database in another managed sub-network. The actual patient's name and the doctor's name are taken from the data and replaced with an internal ID. In a specific embodiment of the invention, the identification sub-library uses the public key code of the data request database to encrypt the internal ID. In block 244 of FIG. 2B, the data packet containing the internal identifier, user access authority or permission level, along with the previously encrypted data access request, is transmitted to the data request database in block 244. In a specific embodiment, an entry is added to the record to record the transmission in block 244. The transmission may be via a dedicated line or a virtual private network to ensure the security and integrity of the data. In a specific embodiment, the entire packet is encrypted and signed. In block 248, the data request database will receive the identification sub-data. -15-This paper size is in accordance with the Chinese National Standard (CNS) A4 specification (210X 297 mm) 13515957 in the Ministry. f: A7 B7 5. Decrypt the materials in the library of invention description. At block 252, the data request database retrieves patient medical records relative to the internal identifier. 
In decision block 256, the data request database determines from the received permission level whether access to the specific information in the record may be performed. If access is not allowed, a notification is sent to the source terminal in block 260. When the permission level indicates that access is allowed, the data request database performs the requested operation and encrypts the result set in a data packet for transmission to the source terminal. In one embodiment, the requested information is encrypted in block 264 using the public key of the source terminal. The source terminal's public key may have been received together with the data access request. The encrypted data is then transmitted back to the source terminal in block 268. The source terminal decrypts the data and displays it to the authorized user.

By dividing the data in a transaction request packet into several parts, each of which can be accessed only by a computer system or subnetwork administered by a different, independent system administrator, the confidentiality and integrity of the subject's information are preserved. Each database, such as identifier database 128 and data request database 152, can be built on a standard computer system. These systems can be connected by a direct network link or, because the transmitted data is already encrypted, over a public Internet connection.

The description above shows data travelling from source terminal 104 to identifier database 128 and then, via data request database 152, back to source terminal 104. FIGS. 3A and 3B illustrate this basic architecture without and with a log monitor, respectively. Other data transmission arrangements are possible, however, so the invention should not be limited to this one. FIGS. 3C and 3D illustrate other embodiments of the information transmission and data management system design.

FIG. 3A illustrates two-way data transmission along data path 304 between user 300 and identifier database 308. When identifier database 308 accepts a query, it sends the data request to data request database 312, which provides a response to user 300 along data path 316. The architecture of FIG. 3A is a basic unit that does not include a log monitor.

FIG. 3B illustrates the use of an independent log monitor 320 to monitor the information transfer between identifier database 308 and data request database 312. The log monitor compares the logs of identifier database 308 and data request database 312. A mismatch between the logs may be due to a user submitting an unauthorized query directly to data request database 312, without going through identifier database 308, in order to obtain information.
Alternatively, a mismatch may be due to an attempt to query the identifier database and link the internal ID to identifying information. When such a discrepancy appears, log monitor 320 transmits a warning to user 300 or to an independent verification system.

FIG. 3C illustrates a system comprising a single user 300 and multiple data request databases 350, 354. Multiple data request databases partition the data and thereby reduce the amount of information that the administrator of each data request database 350, 354 handles and controls. Partitioning the information improves security. In FIG. 3C, the user at the source terminal partitions and encrypts the data for each data request database unit 350, 354. Identifier database 358 verifies the identity of user 300 and forwards the partitioned and encrypted data to the first data request database 350 and/or the second data request database 354, respectively. In one embodiment of the invention, each data request database 350, 354 has its own public-private encryption key pair, to secure the data transmitted between user 300 and each data request database 350, 354. Each data request database 350, 354 responds to the request and transmits its response directly back to user 300, who recombines the responses.

FIG. 3D illustrates partitioning the identifier database to reduce the amount of information each identifier database must process. In FIG. 3D, user 300 transmits a separate request to one or both of first identifier database 362 and second identifier database 366. When first identifier database 362 or second identifier database 366 has verified user 300 and the subject of the query, identifier databases 362 and 366 forward the data access request to data request database 370. Data request database 370 provides its response to user 300 along data path 376. In one embodiment of the invention, the dual identifier databases 362, 366 may be used to increase security by performing an additional confirmation of the authenticity of user 300, each identifier database 362, 366 independently verifying different identification criteria. In the embodiment described, data request database 370 provides a response only after both identifier databases 362, 366 have confirmed a request. Alternatively, multiple identifier databases may be used to assign different users or subjects to respective identifier databases, as an additional security mechanism or to balance the data transmission load across the network.
In the system 400 illustrated in FIG. 4, user 404 transmits a data request containing user and subject identification information to the first identifier database 408 of a chain of identifier databases. Each identifier database 408, 412, 416 in the chain verifies one particular item of the user or subject identification data. For example, first identifier database 408 may hold the subject's name. Once first identifier database 408 has verified that item, such as the name, it passes the query to second identifier database 412. Second identifier database 412 further confirms the subject's identity by comparing a second item of information (for example, the subject's social security number) with the received data. When the information is confirmed again, second identifier database 412 transmits the query to third identifier database 416, which may compare a third item of data (for example, a fingerprint) to confirm the identity of the subject of the query.

Each identifier database uses return data paths 420, 424, 428 to keep user 404 informed of the progress of the query through the different identifier databases. Records belonging to the same subject (or user) are linked between identifier databases by an internal identification. For example, each identifier database in a pair of identifier databases (such as the pair 412, 416) shares a common internal identification. User 404 encrypts the data for each identifier database 408, 412, 416 with that identifier database's public key. After all three identifier databases 408, 412, 416 have confirmed that the subject or user 404 has been satisfactorily authenticated, data request database 432 receives the data access request and transmits a response along data path 436 to user 404.

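The flow of FIGS. 2A and 2B together with the log monitor of FIG. 3B, as an added worked example that is not code from the patent. Per-recipient pre-shared keys with a toy SHA-256 stream cipher and an HMAC tag stand in for the public-key envelopes the description uses (the patent itself permits public or non-public key cryptography); the terminal, doctor, patient, internal IDs, records and keys are all constructed. The example shows what the text claims: the identifier database cannot open the request envelope, the data request database never receives a name, the pair check and the permission-level check fail independently, and a query that bypasses the identifier database shows up as a log mismatch.

```python
"""Split-trust lookup of FIGS. 2A-3B: source terminal -> identifier DB -> data request DB -> terminal,
plus the log monitor of FIG. 3B.  Constructed example.  Per-recipient pre-shared keys with a toy
SHA-256 stream cipher and HMAC tag stand in for the public-key envelopes; not production crypto."""
import hashlib, hmac, json, secrets

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Encrypt-for-recipient stand-in: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce, pt = secrets.token_bytes(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong recipient key or tampered envelope")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def can_open(key, blob):
    try: unseal(key, blob); return True
    except ValueError: return False

# Constructed keys: terminal shares K_SIG with the identifier DB (block 212) and K_RESP with the
# data request DB (block 264); K_IDB and K_DRD belong to the respective databases only.
K_SIG, K_IDB, K_DRD, K_RESP = (hashlib.sha256(n).digest() for n in (b"sig", b"idb", b"drd", b"resp"))
LEVEL_RANK = {"read": 1, "write": 2}

class SourceTerminal:
    def __init__(self, addr):
        self.addr = addr
    def build_packet(self, user, subject, request):
        ident = seal(K_IDB, {"user": user, "subject": subject})  # identifier part, for the identifier DB only
        req = seal(K_DRD, request)                                # request part, opaque to the identifier DB
        sig = hmac.new(K_SIG, ident + req, hashlib.sha256).hexdigest()  # block 212: proves the terminal
        return {"terminal": self.addr, "ident": ident, "request": req, "sig": sig}
    def read_response(self, blob):
        return unseal(K_RESP, blob)

class IdentifierDB:
    """First administrative domain: knows names and the doctor-patient table, never the request."""
    def __init__(self, pairs, internal_ids):
        self.pairs, self.internal_ids, self.log = pairs, internal_ids, []
    def process(self, pkt):
        expected = hmac.new(K_SIG, pkt["ident"] + pkt["request"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, pkt["sig"]):
            raise PermissionError("packet not from a known source terminal")
        ident = unseal(K_IDB, pkt["ident"])                        # block 220
        level = self.pairs.get((ident["user"], ident["subject"]))  # blocks 224/230: doctor-patient pair?
        if level is None:
            return None                                           # block 232: "not available"
        internal_id = self.internal_ids[ident["subject"]]          # block 236
        txn = secrets.token_hex(8)
        self.log.append((txn, internal_id))                        # block 244: log the forwarded transaction
        return {"txn": txn, "internal_id": internal_id, "level": level,  # blocks 240/244: names dropped,
                "terminal": pkt["terminal"], "request": pkt["request"]}  # request forwarded still sealed

class DataRequestDB:
    """Second administrative domain: holds records by internal ID only, never names."""
    def __init__(self, records):
        self.records, self.log = records, []
    def process(self, fwd):
        req = unseal(K_DRD, fwd["request"])                        # block 248
        self.log.append((fwd["txn"], fwd["internal_id"]))
        rec = self.records[fwd["internal_id"]]                     # block 252
        if LEVEL_RANK[fwd["level"]] < LEVEL_RANK[req["op"]]:        # block 256
            result = {"status": "denied"}                          # block 260
        elif req["op"] == "read":
            result = {"status": "ok", "data": rec[req["field"]]}
        else:
            rec[req["field"]] = req["value"]
            result = {"status": "ok"}
        return seal(K_RESP, result)                                # blocks 264/268

def log_monitor(idb_log, drd_log):
    """FIG. 3B: data-request-DB transactions with no identifier-DB counterpart bypassed the pair check."""
    seen = set(idb_log)
    return [entry for entry in drd_log if entry not in seen]

def run_demo():
    term = SourceTerminal("term-104")
    idb = IdentifierDB(pairs={("dr-lee", "pat-ann"): "read"},
                       internal_ids={"pat-ann": "ID-7731", "pat-bob": "ID-9082"})
    drd = DataRequestDB({"ID-7731": {"diagnosis": "hypertension"}, "ID-9082": {"diagnosis": "asthma"}})
    read = {"op": "read", "field": "diagnosis"}
    fwd = idb.process(term.build_packet("dr-lee", "pat-ann", read))
    ok = term.read_response(drd.process(fwd))                            # pair exists, read within level
    refused = idb.process(term.build_packet("dr-lee", "pat-bob", read))  # not a pair: stopped at identifier DB
    fwd2 = idb.process(term.build_packet("dr-lee", "pat-ann", {"op": "write", "field": "diagnosis", "value": "x"}))
    denied = term.read_response(drd.process(fwd2))                       # pair ok, write exceeds "read" level
    # An insider of the data request DB's domain queries it directly, skipping the identifier DB.
    drd.process({"txn": "rogue", "internal_id": "ID-9082", "level": "read",
                 "terminal": "term-104", "request": seal(K_DRD, read)})
    return {"ok": ok, "refused": refused, "denied": denied, "alerts": log_monitor(idb.log, drd.log),
            "idb_can_read_request": can_open(K_IDB, fwd["request"]),
            "names_leave_idb": "pat-ann" in str(fwd) or "dr-lee" in str(fwd)}
```

Call run_demo() to see the four outcomes. The separation holds only against a single administrator: the identifier database still learns who asked about whom, and administrators of the two domains (or of the log monitor) who collude can rejoin internal IDs to names, which is why the description insists that each subnetwork be under independent control.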
Claims (1)

1. A method of managing data, the method comprising:
transmitting to a first system a data packet having an identifier portion encrypted with a first code and a data access request encrypted with a second code, the first system being configured to decode the identifier, determine its authenticity, and forward the data access request, together with an internal index, to a second system.

2. The method of claim 1, wherein the first system is under the control of a first administration and the second system is under the control of a second administration.

3. The method of claim 1, further comprising:
encrypting the identifier using a public key of the first system; and
encrypting the data access request using a public key of the second system.

4. The method of claim 3, wherein the identifier is digitally signed so that the creator of the data packet can be authenticated.

5. The method of claim 1, wherein the identifier includes a subject representation.

6. The method of claim 1, wherein the first system updates a log to show receipt of the query or transmission of the data packet, and the second system updates a log to show receipt of the data access request or transmission of the data access result.

7. An apparatus for processing secure data under the control of a first administrator, the apparatus comprising:
an input port for receiving from a source an identifier encrypted with a first code and a corresponding data access request encrypted with a second code;
a processor for decrypting the first code and determining an internal identification corresponding to the identifier; and
an output connection for outputting the internal identification and the data encrypted with the second code to a second database operated under a second administrator.

8. The apparatus of claim 7, wherein the processor verifies that the user sending the information has appropriate access rights to the requested information.

9. The apparatus of claim 8, wherein the processor transmits the access request to the second apparatus only after verifying that the source has appropriate access rights.

10. The apparatus of claim 7, further comprising:
a memory for storing a log containing records of the internal identifications transmitted to the second apparatus.

11. The apparatus of claim 7, wherein the apparatus decodes the first code using a private key.

12. A system for managing confidential data, the system comprising:
a source terminal for receiving a data access request and outputting a data packet, the data packet comprising a first subsection of identifier information encoded with a first code and a second subsection of request data encoded with a second code;
an identifier database for receiving the data packet and decoding the identifier information, the identifier subnetwork retrieving an internal identifier based on the identifier information and linking the internal identifier to the request data encoded with the second code; and
a data request database for receiving the internal identifier and the request data encoded with the second code, the data request database decoding the request data and sending a response back to the source terminal.

13. The system of claim 12, wherein the first code uses a public key of the identifier database and the second code uses a public key of the data request database.

14. The system of claim 12, wherein the identifier database and the data request database are each part of a respective subnetwork.

15. A method of managing confidential data, the method comprising:
receiving an internal identifier linked to an encoded data request from an identifier database;
receiving the encoded data request linked to the internal identifier;
decoding the encoded data request and carrying out the data request; and
transmitting an output response to a source terminal.
Description of the invention, page 2 (amended September 2002)

... and sell the confidential data. Therefore, the industry needs a system that can store confidential data in a form that high-level computer administrators cannot access while still allowing access by appropriate personnel.

Summary of the invention

The invention discloses a method of retrieving confidential stored data. A receiving terminal receives a request from a user to retrieve data, then encrypts an identifier with a first code and encrypts a data access request with a second code. The identifier and the data access request are transmitted to a first database, which decodes the identifier and determines whether the user is authorized to request the desired information. The first database then retrieves an associated access level and internal identifier. The first database forwards the data access request, still in its encrypted state, together with the associated access level and internal identifier, to a second database. The second database retrieves the information requested in the information access request and, in one embodiment, if the user has the appropriate access rights, transmits the requested information to the receiving terminal.

Brief description of the drawings

FIG. 1 illustrates a computer network used to implement one embodiment of a data management system.
FIGS. 2A and 2B illustrate a flowchart of one method of implementing the data management system.
FIGS. 3A, 3B, 3C and 3D illustrate different embodiments of a data management system according to the invention.

Description of the invention, pages 17 and 18 (amended September 2002)

The function of an identifier database is defined as confirming the identity of the user and of the subject and converting the subject's identifier into an internal ID. The data request database accepts data access requests from the identifier database and provides responses. For each valid user-subject pair, each identifier database outputs at least one internal identification number (ID) for the user or subject; this internal ID is an index linking to the adjacent identifier database, or a link used to connect the information held by the identifier database with that held by the data request database. The data request database is defined as the database that outputs the query results, which may typically be a complex data type containing ASCII text, diagrams and other embedded information. In one embodiment of the invention, the data request database is the last link in the chain and provides the data directly to the user. However, a single database may be used both as an identifier database and as a data request database. This embodiment is illustrated in FIG. 5, in which a single administrator controls a combined second identifier database and data request database.

In the system 500 illustrated in FIG. 5, user 504 transmits a query to first identifier database 508. When identifier database 508 has confirmed that user 504 is authorized to receive the requested data, identifier database 508 transmits the data access request to a data request database portion 512 of combined database 516. Data request database portion 512 of combined database 516 provides a response to user 504.

The verification information in data request database 512 may be used as verification information and/or as a data request. For example, combined database 516 may have the task of maintaining fingerprint ID records. A data access request from identifier database 508 may contain an instruction to add a new fingerprint record to fingerprint record table 514. After that operation completes successfully, a message is returned from data request database 512 to user 504. Alternatively, a fingerprint used to verify a user or subject may be transmitted from identifier database 508 to identifier database 520. After the identity has been confirmed by comparison with the records in fingerprint record table 514, an internal ID is generated. Once authorization for the data transfer has been obtained, identifier database 520 transmits the internal ID and the data access request to second data request database 524, which provides a response back to user 504.

The various arrangements of identifier databases and data request databases can be combined or varied to implement data management systems with different functionality and different degrees of data security, data integrity and confidentiality.

From the above description of the drawings, those skilled in the art will appreciate that the specific embodiments enumerated and described herein merely illustrate the invention and are not intended to limit its scope. Those skilled in the art will appreciate that the invention may be embodied in other forms without departing from its spirit or essential characteristics. For example, although the description uses embodiments with a single subject or patient, a request may similarly access the records of multiple entities or patients. The scope of the invention is defined in the following claims.

Reference numerals of principal elements: 104, 204-216 source terminal; 106 source subnetwork; 130, 154 subnetworks; 220-244, 308, 358, 362, 366, 408, 412, 416, 508, 520 identifier databases; 248-268, 312, 350, 354, 370, 432, 512, 524 data request databases; 320 log monitor; 514 fingerprint record table; 516 combined database.
TW88101168A 1998-01-27 1999-01-26 A secure database management system for confidential records TW515957B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US7274098P 1998-01-27 1998-01-27

Publications (1)

Publication Number Publication Date
TW515957B true TW515957B (en) 2003-01-01

Family

ID=27803644

Family Applications (1)

Application Number Title Priority Date Filing Date
TW88101168A TW515957B (en) 1998-01-27 1999-01-26 A secure database management system for confidential records

Country Status (1)

Country Link
TW (1) TW515957B (en)

Similar Documents

Publication Publication Date Title
AU761680B2 (en) A secure database management system for confidential records
US6785810B1 (en) System and method for providing secure transmission, search, and storage of data
US7362868B2 (en) Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data
US10599830B2 (en) System and method for controlled decentralized authorization and access for electronic records
US5745573A (en) System and method for controlling access to a user secret
US6874085B1 (en) Medical records data security system
US6421779B1 (en) Electronic data storage apparatus, system and method
US6789195B1 (en) Secure data processing method
CA2231082C (en) Method and apparatus for storing and controlling access to information
US8607332B2 (en) System and method for the anonymisation of sensitive personal data and method of obtaining such data
JP2005505863A (en) Data processing system for patient data
JP2011519102A (en) Secure data cache
KR20050119133A (en) User identity privacy in authorization certificates
US8220040B2 (en) Verifying that group membership requirements are met by users
JP2002517812A (en) How to provide secure access to network data
Ghayvat et al. Sharif: Solid pod-based secured healthcare information storage and exchange solution in internet of things
JP2000331101A (en) System and method for managing information related to medical care
TW515957B (en) A secure database management system for confidential records
Deborah et al. Blockchain: a possible alternative to achieving health information exchange (hie)
Mundy et al. Secure knowledge management for healthcare organizations
US20230177209A1 (en) Distributed Communication Network
Kumar et al. Security and privacy issues in outsourced personal health record
Prakash Privacy Preserving model for patient centric health record management using chaincode
JP2004048336A (en) Input/output device with data enciphering/deciphering function, storage device, and data management system including them
Nair et al. EHR SECURITY AND PRIVACY: ENCOUNTERING HONEST-BUT-CURIOUS ATTACKS THROUGH SELECTIVE MULTI-LEVEL ACCESS CONTROL POLICY

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent