WO2005031580A1 - Information processing device, information processing system, and program - Google Patents
- Publication number
- WO2005031580A1 (PCT/JP2004/014329)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- encryption
- information processing
- data
- encryption key
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2153—Using hardware token as a secondary aspect
Definitions
- the present invention relates to an information processing device that processes and stores data according to a program, an information processing system, and a program to be executed by the information processing device.
- Patent Document 1 can perform encryption and the like without inputting a password each time.
- the user is required to specify data stored in the storage device as the data to be encrypted in order to perform encryption.
- the user specifies the data to be decrypted and performs the decryption. Therefore, every time encryption and decryption are performed, the user has to specify the data to be processed, and there is a problem that the operation is cumbersome and lacks convenience.
- the user may forget to perform the encryption operation.
- the encryption key used for encryption is itself encrypted and stored in the device in association with the encrypted file. Because the encryption key and the encrypted data are both stored, if an unauthorized third party steals a storage device such as a hard disk and decrypts the encryption key, there is a risk of leakage of confidential information and data tampering.
- a plurality of predetermined persons can use a common encryption key (group key) in order to share the encrypted data with predetermined persons and improve convenience.
- the computer used by the user authenticates that the user is a legitimate user. Making an unauthorized request could result in the encryption key being passed on to an unauthorized person.
- Patent Document 1: Japanese Unexamined Patent Publication No. 9-270784 ([0026] to [0053], FIGS. 4 and 6)
- An object of the present invention is to provide an information processing apparatus, an information processing system, and a program capable of improving security and convenience.
- the present invention solves the above-mentioned problems by the following solving means.
- the first invention is an encryption information storage means (19, 19-4) for storing encryption information for associating a folder or a file with identification information of a corresponding encryption key;
- the request is stored in the encryption information storage means based on the encryption information and the encryption key that can be used by the user.
- Encryption key determination means (115, S440) for determining whether or not the encryption key corresponding to the target data is included; and an encryption key corresponding to the data when the encryption key determination means determines affirmative.
- Data encryption means (111) for encrypting the data to be requested with a key, nonvolatile storage means (19, 19-4) for storing data to be stored, and encryption by the data encryption means; Of the non-volatile data
- the data encryption unit includes: an encryption unit that does not change the data size before and after the encryption; and/or the folder or the file.
- An information processing device (10, 10-2, 10-3, 10-4) characterized by performing encryption without rewriting attribute information.
- the encryption key determination unit is configured to determine, when there is a read request from the user for data included in the folder or the file, based on the encryption information stored by the encryption information storage means, whether the encryption keys usable by the user include the encryption key corresponding to the requested data; reading means (114) for reading the requested data stored in the non-volatile storage means when the encryption key determining means makes a positive determination; and data decrypting means (112) for decrypting the data read by the reading means with the corresponding encryption key. (10, 10-2, 10-3, 10-4).
- a fourth invention is the information processing device according to the first invention, wherein the encryption information storage means includes a folder or a file designated by a user, and identification information of an encryption key usable by the user.
- the encryption information storage means includes identification information of the folder or the file and encryption key identification information including a hash value of the encryption key.
- the data encryption unit and/or the data decryption unit performs encryption or decryption only for data having a predetermined attribute. (10, 10-2, 10-3, 10-4).
- a seventh invention is the information processing apparatus according to the first invention, further comprising a time obtaining unit, wherein the encryption information storage unit stores the folder or the file, identification information of a corresponding encryption key, When the user issues a storage request or a reading request, the time indicated by the time obtaining means and the encryption time information are stored.
- Time determining means (115) for determining whether or not to respond to the request based on time information corresponding to the requested data, which is stored by the encryption information storage means.
- Characteristic information processing device (10, 10-2, 10-3).
- the encryption information storage means includes encryption information that associates time information corresponding to the attribute of the folder or the file with the folder or the file. (10, 10-2, 10-3).
- the data encryption unit includes: a storage unit that stores a request to save data for an open file; An information processing device (10-3) characterized in that a file is encrypted using a corresponding encryption key only when the data storage request is at the end of editing of the file.
- a tenth invention is directed to the information processing apparatus according to the first invention, wherein the data encryption unit is configured to execute only on the file specified by the user in advance and/or the file in the folder specified by the user in advance.
- An eleventh invention is directed to an information processing system comprising: the information processing device (10, 10-3) of the first invention; and a portable information storage medium (30) that stores an encryption key including a personal key and/or a group key, or an element thereof, wherein the information processing apparatus has an external reading unit (16) for reading out information stored in the portable information storage medium, and the encryption key determination means of the information processing device, when the storage request or the read request is made, determines, based on the encryption information stored by the encryption information storage means, whether the encryption key or its element read out from the portable information storage medium by the external reading means includes a key corresponding to the requested data. (1, 1-3).
- the portable information storage medium stores authentication information for authenticating a valid user, and stores the authentication information and the information processing device power.
- the information processing system (1, 1-3) is characterized in that when it is determined, the reading of the encryption key or the element thereof by the external reading means of the information processing device is permitted.
- the portable information storage medium stores device identification information for identifying the information processing device, and the portable information storage medium indicates the device identification information.
- a fourteenth invention provides an information processing apparatus (10-2) according to the first invention, authentication information storage means (46) for storing authentication information for authenticating a valid user, and the authentication information Authentication determining means (41) for determining whether or not the user is authorized to authenticate a user based on the authentication information stored by the storage means and the user input information received from the information processing apparatus;
- An encryption key storage means (46) for storing an encryption key including a personal key and/or a group key which can be used by a legitimate user determined to be affirmative by the authentication determination means, or an element thereof;
- a transmitting means (45) for transmitting the encryption key or the element thereof to the information processing apparatus when the determination is made, and a key management apparatus (45) connected to the information processing apparatus via a communication line (50).
- the information processing apparatus comprises: Transmitting means (20) for transmitting user input information to the key management device, and an encryption key or a key which can be used by an authorized user authenticated by the authentication determination means of the key management device based on the user input information.
- An information processing system (1-2) characterized by determining.
- the encryption key storage means of the key management device includes device identification information for identifying the information processing device to the encryption key or an element thereof.
- the transmitting means transmits the encryption key or the element thereof only to the information processing device indicated by the device identification information corresponding to the encryption key or the element thereof. Information processing system (1-2).
- the information processing apparatus is configured to include the portable information storage medium provided with the encryption key or the element thereof or the key management apparatus. If a communication path with an external device other than the external device is established, the information processing system (1, 1-2, 1-3).
- the information processing apparatus is configured to perform the communication with the portable information storage medium or the key management apparatus when the communication path is invalidated.
- a cryptographic key erasing means (116) for erasing the stored cryptographic key and/or element thereof provided from the portable information storage medium or the key management device. -2, 1-3).
- the portable information storage medium or the key management device transmits device identification information for identifying the information processing device to the encryption key or the encryption key.
- the information processing device stores the device identification information read from the portable information storage medium by the external reading device, or the encryption key or the encryption key received from the key management device by the receiving device.
- Device identification information determining means for determining whether to respond to a storage request or a read request from a user based on the device identification information received from the key management device, corresponding to the element.
- Information processing system (1, 1-2, 1-3).
- a nineteenth invention is directed to a program to be executed by an information processing apparatus (10, 10-2, 10-3, 10-4) which comprises encryption information storage means (19, 19-4) for storing encryption information for associating a folder or a file with identification information of a corresponding encryption key, and non-volatile storage means (19, 19-4) for storing data to be stored, and which performs processing according to an application program, wherein, when there is a request from the application program to write data in the folder or the file (S410, S420),
- a first determination procedure for determining, based on the encryption information stored by the encryption information storage means, whether or not the encryption keys usable by the user include the encryption key corresponding to the requested data
- a second determination procedure (S440) for determining, based on the encryption information stored by the encryption information storage means, whether or not the encryption keys usable by the user include an encryption key corresponding to the requested data; a readout procedure (S490) for reading out the requested data stored in the non-volatile storage means when a positive determination is made in the second determination procedure; and a data decryption procedure (S500) for decrypting the data read in the readout procedure with the corresponding encryption key.
- a twenty-first invention is the program according to the nineteenth invention, wherein the first and/or second determination procedures are input from an external device (30, 40) authenticating the user as a valid user.
- the program is characterized in that the encryption key or an element thereof that can be used by the authorized user includes a key corresponding to the data of the request, and determines whether or not the encryption key can be used.
- a twenty-second invention is the program according to the nineteenth invention, wherein the data encryption step is performed when a write request is issued from an application program to an open file (S410, S420). Only when this write request is a save request at the end of editing the file (S411), the file is encrypted using the corresponding encryption key.
- the data encryption procedure is performed on a file specified by the user in advance and/or a file in a folder specified by the user in advance. Further, the program is characterized in that encryption is performed only at the front end.
- the information processing device stores the encryption information, and when a storage request is issued from the user, the target data is automatically encrypted and stored based on this encryption information, so that users of application programs such as word processing applications need not be aware of the encryption. This eliminates the complexity of the user's encryption operation and improves security and user convenience. Further, by using an encryption key that can be used by the user for encryption, encryption by an unauthorized person is prevented.
- whether or not the data is encrypted (confidential information) cannot be determined, preventing the leakage of confidential information and improving security. Further, the memory area is used effectively by preventing an increase in data size due to encryption.
- the target data is automatically decrypted based on the encryption information so that the user is not conscious of the decryption, eliminating the hassle of the user's decryption operation and improving security and user convenience.
- encryption key information in which encryption key values are associated with each other, encryption and decryption with an appropriate encryption key are reliably performed. For example, encryption and decryption of data using an incorrect encryption key are prevented. Normally, only the hash value of the key is stored, and an external device such as a portable information storage medium provides the encryption key only when necessary, thereby reducing the possibility of leakage of the encryption key. Similarly, by storing encryption information that associates identification information of a folder or a file, such as a folder name (file name) and a path, encryption and decryption based on appropriate encryption information are reliably performed.
- By determining whether or not to respond to a storage request and a read request based on time information associated with each folder, each file, or each attribute, data access conditions can be set in more detail and security can be improved.
- a cryptographic key stored in a portable information storage medium such as an IC card or an IC tag for encryption
- security is improved by performing communication between the information processing apparatus and the portable information storage medium without passing through a communication line such as a network where there is a risk of eavesdropping.
- the convenience is improved by using a group key that can be replaced with a private key for encryption and decryption.
- the convenience is further improved by sharing the nonvolatile storage means for storing the encrypted data with a plurality of information processing devices.
- by storing the element of the encryption key in the portable information storage medium, even if the information stored in the portable information storage medium leaks, the leakage of the encryption key is prevented.
- the encryption key can be read, thereby restricting the information processing devices that can receive the encryption key, preventing leakage of the encryption key, and improving security.
- the key management device manages the authentication information and the encryption key collectively, and facilitates the management of the encryption key, such as changing the setting of each user. Also, by storing the elements of the encryption key in the key management device, even if the information stored in the key management device is leaked, leakage of the encryption key is prevented.
- by transmitting the encryption key only to the predetermined information processing device to which the encryption key corresponds, the key management device restricts the information processing devices that can be provided with the encryption key, prevents leakage of the encryption key, and improves security.
- the present invention achieves the object of improving security and convenience by providing a portable information storage medium that stores an encryption key and authentication information and permits reading of the encryption key when the user is authenticated as a valid user based on the authentication information, and an information processing device that stores encryption information associating the identification information of a folder with the hash value of the encryption key, determines, when there is a request from the user to save data in this folder, based on the encryption information whether or not the encryption keys read from the portable information storage medium include the encryption key corresponding to this folder, and encrypts and stores the requested data with that encryption key.
- FIG. 1 is a block diagram showing a configuration of an information processing apparatus and an information processing system according to the present invention.
- the information processing system 1 includes an information processing device 10 and an IC card 30 (30A, 30B, 30C, ...).
- the IC card 30 is inserted into a reader/writer (hereinafter referred to as "R/W") 16 of the information processing device 10, establishes a communication path with the information processing device 10, and is in a communicable state.
- the information processing device 10 carries an IC card 30A, 30B, 30C,... Having similar attributes, such as a company employee of the same company, and uses the IC card 30A (30C, 30C, 30C).
- the information processing device 10 includes a CPU 11, a ROM 12, a RAM 13, and an interface 15 connected to a bus 14, an R/W 16 connected to the interface 15, an input unit 17, a display 18, a magnetic disk 19, and the like.
- the ROM 12 is a nonvolatile read-only memory, and stores basic software such as an operating system (hereinafter, referred to as "OS").
- the CPU 11 is a central processing unit that executes various processes in accordance with an OS stored in the ROM 12 and a program (application program) read from the magnetic disk 19 and expanded in the RAM 13.
- the RAM 13 is a volatile memory capable of rewriting stored data, and is configured to appropriately store programs, data, and the like necessary for the CPU 11 to execute various processes.
- the CPU 11 implements an encryption unit 111, a decryption unit 112, a writing unit 113, a reading unit 114, a determination unit 115, an encryption key erasing unit 116, and the like by executing these programs.
- the encryption unit 111 performs encryption based on an encryption method such as a stream encryption using an encryption key so that the data size does not change before and after encryption. Further, the encryption unit 111 encrypts the data of the file without changing the extension which is the attribute information of the file.
- the decryption unit 112 performs decryption using the encryption key, that is, performs the reverse process of the encryption unit 111.
- the writing unit 113 writes data to the magnetic disk 19, the reading unit 114 reads data from the magnetic disk 19, and the determination unit 115 performs various determination processes (see FIG. 7, described later).
- the encryption key erasing unit 116 erases the encryption key read from the IC card 30 and stored in the RAM 13 or the like when the communication path established between the information processing device 10 and the IC card 30 becomes invalid, such as when the IC card 30 is removed from the R/W 16 or when the information processing device 10 logs off.
- the interface 15 manages the input / output of the R / W 16, the input unit 17, the display 18, and the magnetic disk 19.
- the interface 15 is also connected to the CPU 11, the ROM 12, and the RAM 13 via the bus 14.
- the R/W 16 comes into contact with the contact terminal of the IC card 30 to be electrically conductive, and mediates communication between the CPU 11 and the IC card 30.
- the input unit 17 includes, for example, a keyboard and a mouse, and is operated by the user when inputting various commands from the user and other necessary information.
- the display 18 is composed of a CRT, an LCD, and the like, and displays characters, images, and the like.
- the magnetic disk 19 appropriately stores data and application programs that need to be accessed at relatively high speed, and appropriately stores data and programs that can be accessed at a lower access speed than the hard disk.
- An external storage device such as a flexible disk or a magneto-optical disk.
- the magnetic disk 19 stores an application program such as an encryption/decryption application program (hereinafter referred to as "encryption/decryption application") and data necessary for executing the program.
- the function of the encryption/decryption application will be described later with reference to FIGS.
- FIG. 2 is a diagram showing a file configuration in a memory area of the magnetic disk 19
- FIG. 3 is a diagram showing folder information stored on the magnetic disk 19.
- As shown in FIG. 2, in the memory area of the magnetic disk 19, related files are classified into folders (a concept similar to a directory) and stored in a hierarchical structure. At least in this memory area, a file name and a folder name for identifying a file or a folder are assigned to each file and each folder. A file having a predetermined attribute under a predetermined folder is encrypted. The folder with the folder name "X" is called folder X. The same applies to files.
- the magnetic disk 19 stores folder information in a database.
- the folder information is information for associating the folder with the identification information of the encryption key corresponding to the folder.
- the folder information associates the folder name and the path indicating the location of the folder on the magnetic disk 19 with the hash value of the encryption key corresponding to the folder. Data of a file having a predetermined attribute (extension) under the folder specified by the folder information is encrypted with the corresponding encryption key and stored on the magnetic disk 19.
- the hash value is a value generated by a hash function, which is an arithmetic method for generating a fixed-length pseudo random number from a given original text. Because the hash function is an irreversible one-way function, the original text cannot be reproduced from the hash value, and it is extremely difficult to create different data with the same hash value.
- the folder name and path of the folder FA and the hash value KA' of the encryption key KA are stored in association with each other.
- the folder FA is associated with the hash value KA' of the corresponding encryption key KA, and the files A-1 and A-2 under it, which are files having a predetermined attribute (extension) (e.g., files such as text files storing data to be rewritten by execution of an application program), are stored in the form of ciphertext encrypted with the encryption key KA.
- the file A-3 is a file other than a predetermined attribute such as an executable file and a dynamic link library file, and is stored in a plain text state.
- the files B-1 and B-2 under the folder FB and the file D-1 under the folder FD are stored in plain text, and the file C-1 under the folder FC is stored encrypted with the encryption key KG1. The registration of the folder information will be described later with reference to FIG.
- the encrypted files A-1 and A-2 have the same size as that before the encryption, and the same extension.
- the IC card 30 includes an IC chip (not shown) in the card base, a contact terminal 31 connected to the IC chip, and the like, and is a portable information storage medium that receives power supply from an external device such as the R/W 16 and performs contact communication.
- a portable information storage medium is an information storage medium capable of securely storing predetermined information about a user who carries it, such as an IC card or an IC tag, and reading out the information under predetermined conditions.
- the IC chip includes a CPU 32 connected to the contact terminal 31, a RAM 33 connected to the CPU 32, a ROM 34, a nonvolatile memory 35, and the like.
- the non-volatile memory 35 is a rewritable non-volatile memory such as an EEPROM and an FRAM, and stores a program executed by the CPU 32 and data necessary for executing the program.
- the non-volatile memory 35 stores an encryption key for data encryption/decryption usable by a valid user of the IC card 30 and a registration password for authenticating the valid user.
- FIG. 4 is an explanatory diagram for explaining an encryption key stored in each IC card 30.
- the non-volatile memory 35 of the IC card 30A used by the user A stores a total of four encryption keys including a personal key KA and three group keys KG1, KG2, and KG3.
- the personal key is an encryption key that can be used only by a legitimate user of the IC card 30, and the group key is an encryption key that can be used by a plurality of predetermined persons belonging to the group. That is, the IC card 30A stores a personal key KA that can be used only by the user A and group keys KG1, KG2, and KG3 that can be used by predetermined persons belonging to groups 1, 2, and 3, respectively.
- the IC card 30B carried by the user B stores a total of three encryption keys: the personal key KB that can be used only by the user B and the group keys KG1 and KG4 of groups 1 and 4.
- the IC card 30C carried by the user C stores a total of three encryption keys: a personal key KC and group keys KG2 and KG3 of groups 2 and 3.
- the number and type of encryption keys stored in the IC card 30 are arbitrary and are not limited to these.
- the CPU 32 is a central processing unit that expands a program stored in the ROM 34 and the nonvolatile memory 35 into the RAM 33 and executes the program, and has a user authentication determination function.
- the user authentication determination function is based on stored authentication information (registered password) and user input information input by the user through the information processing device 10 by operating the input unit 17 of the information processing device 10. This function checks the password and determines whether or not this user is authenticated as a valid user of the IC card 30.
- the IC card 30 writes the determination result as a flag in the RAM 33; when the user is authenticated, it enters a state in which it responds to requests from the information processing apparatus 10 to read the encryption key, and otherwise the request is rejected. Further, the IC card 30 has a blocking function: if the number of times authentication fails in the authentication determination by the CPU 32 reaches a predetermined number, it enters a state in which no external access is accepted.
- FIG. 5 is a flowchart showing a process of starting the information processing apparatus 10 and registering folder information.
- The description below centers on the processing of the CPU 11 executing the encryption/decryption application. In step 100 (hereinafter, "step" will be referred to as "S") and S200, the user inserts the IC card 30 into the information processing apparatus 10 and turns on the power of the information processing apparatus 10.
- the information processing apparatus 10 supplies a reset signal, a power supply, a clock signal, and the like to the IC card 30 to activate the IC card 30 (S210), and the IC card 30 is reset and performs an initial response operation (S110).
- the information processing device 10 displays on the display 18 a message requesting the input of a password, transmits the password input by the user operating the input unit 17 to the IC card 30, and requests authentication (S220).
- the CPU 32 of the IC card 30 performs user authentication determination, determines whether or not to authenticate the user as a valid user of the IC card 30 (S120), writes the result in a flag, and transmits the result to the information processing device 10 (S130).
- the information processing apparatus 10 receives a response indicating the authentication result from the IC card 30 (S230), and when the user has not been authenticated, requests the user to input a password again (from S220); the resources of the information processing apparatus 10 cannot be accessed, and the log-off state is maintained.
- the information processing apparatus 10 is in a state of being able to access the resources of the information processing apparatus 10 such as a login state, that is, receiving an input from the input unit 17 of the user (S250).
- the information processing device 10 transmits a request to read out the stored encryption key to the IC card 30 and reads out all the stored encryption keys for data decryption from the IC card 30 (S140, S260).
- the CPU 11 calculates the hash value of each encryption key (S270) and stores the hash value in the RAM 13 in association with the encryption key.
- the information processing device 10 requests the user to select a folder to be encrypted and to select an encryption key corresponding to the selected folder, that is, an encryption key for encrypting the folder.
- An image or the like is displayed on the display 18 (S290).
- User A operates the input unit 17 to specify a folder and an encryption key, and the information processing device 10 receives the user's selection information (S300).
- The folder name and path of the selected folder are stored on the magnetic disk 19 in association with the hash value, held in the RAM 13, of the selected encryption key (S310).
- When the information processing apparatus 10 is put into the log-off state by a user operation, the encryption key erasing unit 116 erases the encryption key data that was read from the IC card 30 and stored in the RAM 13 or the like (S320), and the process ends (S330).
- The attribute (extension) of the file to be encrypted is set in advance in the encryption/decryption application, but the user may instead decide it when registering this folder information.
- FIG. 7 is a flowchart showing a file saving process and a file reading process by the information processing apparatus.
- The storage process and the read process will be described in this order, centering on the processing of the CPU 11 in executing the encryption/decryption application.
- With the IC card 30A of user A mounted on the R/W 16, the information processing device 10 has read the encryption keys KA, KG1, KG2, and KG3 from the IC card 30A and has written and stored these encryption keys and their hash values, and the user is logged in (see S110 to S140 and S210 to S270 in Fig. 5).
- User A drags file D-1 on the screen of the display 18 with the mouse of the input unit 17 and drops it on the folder FA (see Fig. 2), thereby making a request to save the data.
- The information processing apparatus 10 detects this access request and starts the storage processing (S410). In other words, when the application program used by the user (referred to as the “user application”) issues a data write request to the OS, the encryption/decryption application intercepts this write request.
- The encryption/decryption application (determination unit 115) looks up, in the folder information, the folder name and path of the folder to which the requested data is to be written, and determines whether a folder having the same folder name and path is registered in the folder information (S420). If the determination is affirmative, the determination unit 115 determines, based on the extension, whether the file specified by the write request is a file having a predetermined attribute to be encrypted (S430).
- The encryption/decryption application passes the write request intercepted from the user application to the OS, and the OS (writing unit 113) saves it in plaintext as before
- the target file is written (S480), and the process ends (S520).
- When the determination unit 115 determines “Yes” in S420, it then compares the hash values of the encryption keys KA, KG1, KG2, and KG3 stored in the RAM 13 with the hash value of the encryption key KA associated with the folder FA in the folder information, and determines whether a matching one is included (S440). If there is no match, the information processing device 10 displays a message that access is prohibited (S510), returns control to the user application, and ends the saving process (S520).
- When the determination unit 115 determines affirmative in S440, the encryption/decryption application (the encryption unit 111) uses this encryption key KA.
- the file D-1 is encrypted (S450, S460), a write request to the folder A for the encrypted file D-1 is made to the OS, and the OS (writing section 113) is encrypted.
- The information processing apparatus 10 detects the access request and starts the reading process (S410). That is, when there is a data read request from the user application to the OS, the encryption/decryption application intercepts this read request.
- The encryption/decryption application (determination unit 115) determines whether the folder containing the data to be read out is registered in the folder information, whether the specified file is a file having the predetermined attribute, and whether an encryption key having a matching hash value is stored in the RAM 13 (S420, S430, S440). If the determination in S420, S430, or S440 is negative, the information processing apparatus 10 performs the same processing as in the storage process (S480, S510) and ends the reading process (S520).
- The encryption/decryption application issues a read request to the OS, and the OS (reading unit 114) reads the encrypted file A-1 from the magnetic disk 19 (S450, S490).
- The encryption/decryption application decrypts the file A-1 with the encryption key that has been determined in S430 (S500), and passes the file A-1 to the user application.
- The user application performs a process according to the request from the user, such as displaying the decrypted file A-1 on the display 18, and the information processing device 10 ends the reading process (S520).
- When user A rewrites the content (data) of the read file A-1 using a word processing application or the like and saves the update, the information processing apparatus 10 encrypts the file A-1 again and stores it under the folder FA in the same manner as in the storage process (S410 to S470).
- Both user A and user B can use the encryption key (group key) KG1 associated with the folder FC, so they can read the file C-1 and save files in the folder FC (S430 and S470, S490, S500). User C, on the other hand, cannot use the encryption key KG1 and therefore cannot perform this processing (S440, S510).
- the information processing apparatus 10 stores the folder information, and when the user inputs a save request, the information processing apparatus 10 automatically identifies the target file based on the folder information.
- The user of the user application need not be conscious of the encryption; this eliminates the troublesome encryption operation by the user and makes it possible to improve both security and user convenience.
- the encrypted file can be protected.
- Cannot be determined preventing the leakage of confidential information and improving security.
- The target file is automatically decrypted based on the folder information, so the user need not be conscious of the decryption; this eliminates the troublesome decryption operation by the user and likewise makes it possible to improve security and user convenience.
- folder information associated (registered) in accordance with a user's instruction is stored.
- Automatic encryption according to the user's intention, for example encrypting separately with a personal key and a group key, can improve user convenience.
- the encryption key to be used for encryption is searched for. Therefore, encryption and decryption with an appropriate encryption key are reliably performed. Can prevent data encryption and decryption.
- With folder information that associates, for example, a folder name and a path, encryption and decryption based on appropriate folder information can be reliably performed.
- The use of the encryption key stored in the IC card 30 for decryption makes it possible to prevent the leakage of the encryption key. Furthermore, security can be improved by performing communication between the information processing device 10 and the IC card 30 without passing through a communication line such as a network where there is a risk of eavesdropping. Furthermore, by using a group key that can be replaced with a private key for encryption and decryption, it has become possible to improve convenience.
- the communication path between the information processing device 10 and the IC card 30 becomes invalid, for example when the IC card 30 is removed from the R/W 16 or the information processing device 10 logs off, the information is read out from the IC card 30 and stored.
- the hash value of the encryption key remains in the information processing apparatus 10, and the encryption key itself is not left, thereby making it possible to prevent the encryption key from being leaked.
- Because the IC card 30 has a blocking function, even if the IC card 30 is lost, leakage of such information can be prevented by the blocking function.
- FIG. 8 is a block diagram showing a configuration of an information processing apparatus and an information processing system according to the present invention.
- the parts performing the same functions as those in the first embodiment are denoted by the same reference numerals, and redundant description will be omitted as appropriate.
- The information processing system 1-2 in the present embodiment includes an information processing device 10-2 and a key management device 40 connected to the information processing device 10-2 via a communication line 50, which may be wired, such as a telephone line or an optical cable, or wireless, such as infrared.
- The information processing device 10-2 includes a communication unit 20, such as a modem, that is connected to the interface 15 and the communication line 50 and controls communication with the key management device 40 via the communication line 50.
- the key management device 40 is a computer including a CPU 41 connected to a bus 43, memories 42 such as RAM and ROM, an interface 44, a communication unit 45 connected to the interface 44, a magnetic disk 46, and the like.
- The key management device 40 manages the encryption keys usable by each of the predetermined users registered in the key management information. That is, the key management device 40 collectively manages the encryption keys and registered passwords that, in the first embodiment, are stored in the plurality of IC cards 30 of the individual users.
- the CPU 41 has an authentication determining function of determining whether to authenticate a valid user, and the magnetic disk 46 stores key management information in a database.
- The key management information is information that associates information identifying a user, such as a user ID, with the encryption keys that can be used by this user and a registered password for authenticating a valid user of the encryption keys.
- The information processing device 10-2 makes to the key management device 40 the requests that were made to the IC card 30 in the first embodiment, and similarly performs the registration process, the storage process, and the read process (see FIG. 5 and FIG. 7).
- The key management device 40 receives, from the information processing device 10-2 via the communication line 50, the user ID and the input password (user input information) entered by the user operating the input unit 17 of the information processing device 10-2.
- The authentication determination is performed by collating the received password with the registered password (authentication information) stored in the magnetic disk 46. Only when the user is authenticated does the key management device 40 provide the information processing device 10-2 with the encryption keys that can be used by the authenticated valid user.
- In addition to the same effects as the first embodiment, because the key management device 40 collectively manages the registered passwords and the encryption keys of the users, management of the encryption keys, such as changing them, becomes easier.
- FIG. 9 is a block diagram showing a configuration of an information processing apparatus and an information processing system according to the present invention.
- The information processing system 1-3 has substantially the same configuration as the information processing system 1 in the first embodiment.
- the information processing system 1-3 includes an information processing device 10-3 and an IC card 30.
- The information processing device 10-3 includes the CPU 11-3, ROM 12, RAM 13, and interface 15 connected to the bus 14, and the R/W 16, input unit 17, display 18, and magnetic disk 19 connected to the interface 15.
- The CPU 11-3 is a central processing unit that executes various processes in accordance with the OS stored in the ROM 12 and the programs read from the magnetic disk 19 and expanded in the RAM 13, and realizes the encryption unit 111, the decryption unit 112, the writing unit 113-3, the reading unit 114, the determining unit 115, the encryption key erasing unit 116, and the like. Details of the function of the writing unit 113-3 will be described later with reference to FIG.
- FIG. 10 is a flowchart showing a part of a process of saving a file being edited by the information processing apparatus.
- the information processing device 10-3 performs a process of registering folder information (see FIG. 5), a process of reading a file, and a process of storing (see FIG. 7), similarly to the information processing device 10 of the first embodiment.
- FIG. 11 shows processing performed between S410 and S420 in FIG. 7 in the storage processing.
- The processing of the CPU 11-3 in executing the encryption/decryption application will be mainly described with reference to FIG.
- User A double-clicks the file A-1 icon on the screen of the display 18 with a mouse, and the information processing device 10-3 receives a read request for the file A-1. The file A-1 is then decrypted, and a window in which the file A-1 is opened is displayed on the display 18 (S410 to S450, S490, S500).
- User A operates the input unit 18 to edit the file, for example by writing to the file A-1, and makes a save request for the rewritten data; the request is detected (S410 in FIGS. 7 and 11).
- The writing unit 113-3 of the information processing device 10-3 writes the data to the magnetic disk 19 in plaintext, without encryption, and stores it temporarily (see FIG. 10, S411, S412).
- the save request is a data save request at the end of editing of the file A-1, such as a request to close the file A-1
- the processes from S420 to S470 in FIG. Is encrypted and stored.
- the information processing device 10-3 erases the data temporarily stored in S412.
- Because encryption is performed only when the save request is one made at the end of editing, saves repeated during editing are stored temporarily in plaintext rather than encrypted, which reduces the number of encryption operations and speeds up processing.
- The information processing apparatuses 10, 10-2, and 10-3 read the encryption key from the IC card 30 (or the key management apparatus 40) after authenticating the valid user at the time of startup (FIG. 5, S260), but the reading may instead be performed when the encryption key or the hash value of the encryption key is required in the registration of the folder information, the storage processing, or the reading processing.
- The timing at which the information processing devices 10, 10-2, and 10-3 read the encryption key is not limited, as long as it is after the authentication and before the key is needed.
- The IC card 30 or the key management device 40 may store the hash value of the encryption key in advance in association with the encryption key, which makes it possible to reduce the processing time for calculating the hash value.
- the information processing apparatuses 10, 10-2, and 10-3 store folder information in which a folder name, a path, an encryption key number, and a hash value are associated as encryption information.
- File information in which a file name, a path, and a hash value of an encryption key are associated with each other may be stored as encryption information, and encryption and decryption may be managed for each file.
- Finer-grained management becomes possible; for example, even files under the same folder can be encrypted with different users' personal keys, which improves convenience.
- Folder information and file information for identifying the file to be encrypted may be stored in the IC card 30.
- Instead of storing the encryption key, the IC card 30 or the key management device 40 may store an element of the encryption key, or the encryption key and an element, and the encryption key may be generated in the information processing apparatus 10, 10-2, 10-3 based on this element.
- the element of the encryption key is an indispensable constituent element for generating the encryption key, and differs for each encryption key.
- an encryption key is generated by performing a predetermined operation on this element.
- Another element of the same encryption key is stored in another location within the information processing system 1, 1-2, 1-3 (information processing device 10, 10-2, 10-3, system management server, etc.).
- an encryption key may be generated in the information processing devices 10, 10-2, and 10-3 based on the element provided from the IC card 30 or the key management device 40 and the other element.
- The information processing apparatuses 10, 10-2, and 10-3 store the folder information on the magnetic disk 19, but the folder information may instead be received from a predetermined source via the communication line 50, stored in the RAM 13 or the like, and used for processing.
- It suffices that the folder information is stored in the information processing devices 10, 10-2, 10-3 at least when the encryption and decryption processes require it; there are no restrictions on the period for which, or the place where, the information processing devices 10, 10-2, 10-3 store it.
- the folder information may be divided and stored in a plurality of predetermined locations such as a plurality of servers.
- The folder information may be divided and stored in a plurality of predetermined locations in such a way that it does not become usable information unless the pieces are collected and processed by a predetermined method. Since all of these conditions must be satisfied, it is possible to prevent leakage of folder information.
- The information processing apparatuses 10, 10-2, and 10-3 may include a non-predetermined communication path detection unit that detects the establishment of a communication path with an external device other than predetermined ones such as the IC card 30, the key management apparatus 40, and devices permitted in advance. If the non-predetermined communication path detection unit detects the establishment of a non-predetermined communication path, the apparatus may be set not to respond to a save or read request from the user, for example by displaying an error.
- the encryption key deletion unit 116 may delete the stored encryption key.
- If a communication path has been established with an external device other than the predetermined ones such as the IC card 30, information stored in the information processing devices 10, 10-2, and 10-3 may be leaked; handling this case makes it possible to improve security.
- a predetermined external device can be arbitrarily set by allowing its identification information to be registered.
- The IC card 30 stores the device identification information and permits reading of the encryption key only from the information processing devices 10 and 10-3 indicated by the device identification information.
- The device identification information is information that identifies the information processing apparatus 10, 10-3 to which the encryption key may be provided, such as information unique to the information processing device 10, 10-3 (for example a network address (IP address) or a MAC address), an identification code such as an ID of the information processing device 10, 10-3, or authentication information for authenticating the information processing device 10, 10-3.
- The key management device 40 may store the device identification information in association with the encryption key and provide the encryption key only to the information processing device 10-2 indicated by the corresponding device identification information.
- The conditions for file access can be set in more detail, and security can be improved.
- The IC card 30 or the key management device 40 may store the device identification information and transmit it in response to a predetermined request from the information processing devices 10, 10-2, and 10-3; the determination unit 115 of the information processing device 10, 10-2, or 10-3 that reads it out may then determine whether to respond to a storage request or a read request from the user based on whether or not the device identification information indicates the device itself. In this case as well, detailed access conditions can be set for files, improving security.
- The IC card 30 and the R/W 16 of the information processing apparatuses 10 and 10-3 perform contact communication, but may perform noncontact communication.
- the method is not limited.
- The IC card 30 stores in the non-volatile memory 35 an encryption key for data encryption/decryption that can be used by a valid user, and a registered password for authenticating the valid user, but if these need not be rewritten, they may be stored in the ROM 34.
- the information processing system 1 includes the IC card 30 as a portable information storage medium, but may include another portable information storage medium having a similar function such as an IC tag.
- the information processing devices 10-4 (10-4A, 10-4B, 10-4C) are connected to the computers 10, 14 (10, 14A, 10, 14B, 10B). , 14C) and the computer 10, 14 via a communication line 50-4 such as an in-house LAN, etc., and a file that is encrypted instead of the magnetic disk 19 in the second or third embodiment.
- a storage device 194 for storing the information.
- The computers 10, 14 have the same configuration as the information processing devices 10, 10-2, 10-3, etc., and are capable of communicating via the communication line 50-4.
- the computers 10 and 14 encrypt and store the data processed by the application program and the like in the storage device 194, and decrypt and read the data.
- The users of the computers 10, 14A, 10, 14B, 10, 14C can share the encrypted files stored in the storage device 194, which improves convenience.
- FIG. 12 is a diagram showing folder information stored in the magnetic disk 19.
- Each of the information processing devices 10, 10-2, and 10-3 includes a time obtaining unit such as a clock, and records folder information in which time information is associated with a folder name on the magnetic disk 19, as shown in FIG.
- The determination unit 115 may refer to the time indicated by the clock and the time information associated with the folder containing the file for which the user has requested saving or reading, and determine whether or not to respond to the request.
- The time obtaining unit is a means for obtaining the time, and may be not only a clock provided inside the information processing apparatuses 10, 10-2, and 10-3 but also a means (a CPU, a communication means, and the like) for obtaining the time from outside.
- the time information is information indicating a range of time (time zone) during which the corresponding folder can be accessed.
- The encryption/decryption application determines, based on the time indicated by the clock and the time information included in the folder information, whether or not to respond to the request (not shown). If the determination is negative, the information processing device 10, 10-2, or 10-3 displays an error (S510); if the determination is affirmative, it performs the processing for responding to the user's request (S430 to S500) and ends the process (S520).
- The information processing apparatuses 10, 10-2, and 10-3 may store time information in association with each application that uses the file (an attribute such as an extension) and perform the processing similarly.
- The encryption/decryption application monitors write requests and read requests from the user application to the OS, so it can easily perform file access restriction processing based on time information.
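The access decision described for S420 to S440 of FIG. 7, together with the time-range check of the folder information modification and the key erasure at log-off, as an added Python example that is not code from the patent. SHA-256, the extension list, the paths, the key bytes, path normalisation, and the names `Session`, `FolderEntry` and `decide` are assumptions; the example covers only the decision, since the page names no cipher.

```python
import hashlib
import posixpath
from dataclasses import dataclass
from datetime import time
from typing import Dict, Optional, Tuple

PASS_THROUGH, USE_KEY, DENY = "pass-through", "use-key", "deny"
ENCRYPTED_EXTENSIONS = {".doc", ".txt"}   # constructed attribute list (S430)


def key_digest(key: bytes) -> str:
    # Assumption: the page names no hash function; SHA-256 stands in for it.
    return hashlib.sha256(key).hexdigest()


@dataclass(frozen=True)
class FolderEntry:
    """One row of folder information on disk: a key hash, never the key."""
    digest: str
    window: Optional[Tuple[time, time]] = None   # permitted access time range


class Session:
    """Keys read from the card after authentication, held in RAM only."""

    def __init__(self, keys):
        self._keys = {key_digest(k): bytearray(k) for k in keys}

    def find(self, digest: str) -> Optional[bytes]:
        buf = self._keys.get(digest)
        return bytes(buf) if buf is not None else None

    def logoff(self) -> None:
        # Counterpart of the encryption key erasing unit: overwrite, then forget.
        for buf in self._keys.values():
            buf[:] = bytes(len(buf))
        self._keys.clear()


def in_window(window: Tuple[time, time], now: time) -> bool:
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end      # range that wraps past midnight


def decide(folder_info: Dict[str, FolderEntry], session: Session,
           file_path: str, now: time):
    """Return (action, key) for an intercepted save or read request."""
    # Normalise first so "FA/../x" cannot be mistaken for a file in FA.
    folder, name = posixpath.split(posixpath.normpath(file_path))
    entry = folder_info.get(folder)                       # S420
    if entry is None:
        return PASS_THROUGH, None                         # S480: plaintext I/O
    if entry.window and not in_window(entry.window, now):
        return DENY, None                                 # time check -> S510
    if posixpath.splitext(name)[1].lower() not in ENCRYPTED_EXTENSIONS:
        return PASS_THROUGH, None                         # S430 -> S480
    key = session.find(entry.digest)                      # S440
    if key is None:
        return DENY, None                                 # S510
    return USE_KEY, key                                   # S450 onwards


# Constructed sample data: key bytes, paths and the time range are made up.
KA, KG1, KC = b"A" * 32, b"G" * 32, b"C" * 32
FOLDER_INFO = {
    "/data/FA": FolderEntry(key_digest(KA)),
    "/data/FC": FolderEntry(key_digest(KG1), (time(9, 0), time(18, 0))),
}

if __name__ == "__main__":
    user_a, user_c = Session([KA, KG1]), Session([KC])
    noon = time(12, 0)
    for who, s in (("A", user_a), ("C", user_c)):
        for path in ("/data/FA/D-1.doc", "/data/FC/C-1.doc", "/data/tmp/n.doc"):
            print(who, path, decide(FOLDER_INFO, s, path, noon)[0])
    user_a.logoff()
    print("A after logoff", decide(FOLDER_INFO, user_a, "/data/FA/D-1.doc", noon)[0])
```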
- FIG. 1 is a block diagram showing a configuration of an information processing apparatus and an information processing system. (Example 1)
- FIG. 2 is a diagram showing a file configuration in a memory area of a magnetic disk 19.
- FIG. 3 is a diagram showing folder information stored on a magnetic disk 19.
- FIG. 4 is an explanatory diagram for explaining an encryption key stored in each IC card 30.
- FIG. 5 is a flowchart showing a process of activating an information processing apparatus and registering folder information.
- FIG. 6 is a diagram showing a display screen of a display 18 in registering folder information.
- FIG. 7 is a flowchart showing a file saving process and a file reading process by the information processing device.
- FIG. 8 is a block diagram showing a configuration of an information processing device and an information processing system. (Example 2)
- FIG. 9 is a block diagram showing a configuration of an information processing device and an information processing system. (Example 3)
- FIG. 10 is a flowchart showing a part of a process of saving a file being edited by the information processing device.
- FIG. 11 is a block diagram illustrating a configuration of an information processing device. (Modification)
- FIG. 12 is a diagram showing folder information stored in a magnetic disk 19.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/190,976 US8918633B2 (en) | 2003-09-30 | 2005-07-28 | Information processing device, information processing system, and program |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2003-340798 | 2003-09-30 | ||
JP2003340798 | 2003-09-30 | ||
JP2004074220A JP2005128996A (ja) | 2003-09-30 | 2004-03-16 | 情報処理装置、情報処理システム及びプログラム |
JP2004-074220 | 2004-03-16 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/190,976 Continuation US8918633B2 (en) | 2003-09-30 | 2005-07-28 | Information processing device, information processing system, and program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005031580A1 (ja) | 2005-04-07 |
Family
ID=34395627
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2004/014329 WO2005031580A1 (ja) | 2003-09-30 | 2004-09-30 | 情報処理装置、情報処理システム及びプログラム |
Country Status (3)
Country | Link |
---|---|
US (1) | US8918633B2 (ja) |
JP (1) | JP2005128996A (ja) |
WO (1) | WO2005031580A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130254904A1 (en) * | 2012-03-21 | 2013-09-26 | Kabushiki Kaisha Toshiba | Ic card and ic card control method |
Families Citing this family (57)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7383586B2 (en) * | 2003-01-17 | 2008-06-03 | Microsoft Corporation | File system operation and digital rights management (DRM) |
US20070239615A1 (en) * | 2004-04-23 | 2007-10-11 | Natsume Matsuzaki | Personal Information Management Device, Distributed Key Storage Device, and Personal Information Management System |
US8045714B2 (en) * | 2005-02-07 | 2011-10-25 | Microsoft Corporation | Systems and methods for managing multiple keys for file encryption and decryption |
US9088551B2 (en) * | 2005-06-29 | 2015-07-21 | International Business Machines Corporation | Method and system for easily and securely managing multiple keys used to have access to multiple computing resources |
JP2007026105A (ja) * | 2005-07-15 | 2007-02-01 | Fuji Xerox Co Ltd | ファイル管理装置、ファイル管理方法、及びファイル管理プログラム |
JP2007060581A (ja) * | 2005-08-26 | 2007-03-08 | Nomura Research Institute Ltd | 情報管理システム及び方法 |
US7634585B2 (en) * | 2005-11-04 | 2009-12-15 | Sandisk Corporation | In-line cache using nonvolatile memory between host and disk device |
US20070106842A1 (en) * | 2005-11-04 | 2007-05-10 | Conley Kevin M | Enhanced first level storage caching methods using nonvolatile memory |
JP4663497B2 (ja) * | 2005-12-01 | 2011-04-06 | 株式会社日立製作所 | 情報処理システムおよび情報処理装置の割当管理方法 |
FR2895177B1 (fr) * | 2005-12-20 | 2008-06-13 | Eads Telecom Soc Par Actions S | Partage d'un element secret |
JP2007266928A (ja) * | 2006-03-28 | 2007-10-11 | Casio Comput Co Ltd | 携帯機器及びプログラム |
US20070300080A1 (en) * | 2006-06-22 | 2007-12-27 | Research In Motion Limited | Two-Factor Content Protection |
EP1870828A1 (en) * | 2006-06-22 | 2007-12-26 | Research In Motion Limited | Two-Factor Content Protection |
US7792301B2 (en) * | 2006-06-29 | 2010-09-07 | Microsoft Corporation | Access control and encryption in multi-user systems |
JP5035873B2 (ja) * | 2006-09-26 | 2012-09-26 | 株式会社日立ソリューションズ | 共有暗号ファイルの暗号化・復号処理方法及びプログラム |
US8116455B1 (en) * | 2006-09-29 | 2012-02-14 | Netapp, Inc. | System and method for securely initializing and booting a security appliance |
KR20080029687A (ko) * | 2006-09-29 | 2008-04-03 | 한국전자통신연구원 | 암호화 기능이 내장된 메모리를 이용한 고속 대용량의암호화 장치 및 그 구현 방법 |
JP2008097481A (ja) * | 2006-10-16 | 2008-04-24 | Ricoh Software Kk | 記憶装置上における電子データの保護方法及び装置、ならびにそのプログラムと記録媒体 |
JP2008165577A (ja) * | 2006-12-28 | 2008-07-17 | Ricoh Co Ltd | 文書管理システム、画像形成装置、文書管理方法、文書管理プログラム |
JP2008234544A (ja) * | 2007-03-23 | 2008-10-02 | Sky Kk | ファイル暗号化・復号化システム、ファイル暗号化・復号化方法、及びファイル暗号化・復号化プログラム |
US20090092252A1 (en) * | 2007-04-12 | 2009-04-09 | Landon Curt Noll | Method and System for Identifying and Managing Keys |
US20080292098A1 (en) * | 2007-05-22 | 2008-11-27 | Seiko Epson Corporation | Communication system and receiver device |
CN101083524A (zh) * | 2007-06-14 | 2007-12-05 | 腾讯科技(深圳)有限公司 | 一种电子邮件的加密解密方法及系统 |
JP2008312065A (ja) * | 2007-06-15 | 2008-12-25 | Canon Inc | 画像処理装置およびその方法 |
US8332907B2 (en) | 2007-06-22 | 2012-12-11 | Microsoft Corporation | Detection and management of controlled files |
JP4691696B2 (ja) * | 2007-08-01 | 2011-06-01 | Necシステムテクノロジー株式会社 | ファイル管理装置、ファイル管理システム、及びそのプログラム |
US8799681B1 (en) | 2007-12-27 | 2014-08-05 | Emc Corporation | Redundant array of encrypting disks |
US8498417B1 (en) | 2007-12-27 | 2013-07-30 | Emc Corporation | Automation of coordination of encryption keys in a SAN based environment where an encryption engine, device management, and key management are not co-located |
US8588425B1 (en) * | 2007-12-27 | 2013-11-19 | Emc Corporation | Encryption key recovery in the event of storage management failure |
JP5393038B2 (ja) * | 2008-03-04 | 2014-01-22 | キヤノン株式会社 | Information processing apparatus, information processing method, and system |
US9830278B1 (en) | 2008-03-06 | 2017-11-28 | EMC IP Holding Company LLC | Tracking replica data using key management |
CN101978649B (zh) * | 2008-03-25 | 2013-11-06 | 松下电器产业株式会社 | Data encryption device |
US20100014662A1 (en) * | 2008-06-19 | 2010-01-21 | Sami Antti Jutila | Method, apparatus and computer program product for providing trusted storage of temporary subscriber data |
TWI451740B (zh) * | 2008-09-24 | 2014-09-01 | Shrisinha Technology Corp | Hardware Password Verification Method and Its System |
US8161527B2 (en) * | 2009-01-23 | 2012-04-17 | Edward Curren | Security Enhanced Data Platform |
US8364984B2 (en) * | 2009-03-13 | 2013-01-29 | Microsoft Corporation | Portable secure data files |
JP5465920B2 (ja) * | 2009-05-14 | 2014-04-09 | キヤノン電子株式会社 | Information processing apparatus, control method, computer program, and storage medium |
JP4463320B1 (ja) * | 2009-06-12 | 2010-05-19 | 株式会社ハギワラシスコム | Encrypted storage device, information equipment, and security method for encrypted storage device |
JP5044670B2 (ja) * | 2010-03-24 | 2012-10-10 | アルプスシステムインテグレーション株式会社 | Electronic file management system and electronic file management program |
FR2969343B1 (fr) * | 2010-12-21 | 2013-07-05 | Oberthur Technologies | Device and method for controlling access to a removable mass memory |
US9058497B2 (en) | 2010-12-23 | 2015-06-16 | Microsoft Technology Licensing, Llc | Cryptographic key management |
US8850536B2 (en) * | 2011-08-05 | 2014-09-30 | Safefaces LLC | Methods and systems for identity verification in a social network using ratings |
US20140068256A1 (en) * | 2012-09-04 | 2014-03-06 | Bluebox | Methods and apparatus for secure mobile data storage |
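CN102938032B (zh) * | 2012-10-17 | 2017-09-22 | 中兴通讯股份有限公司 | Method, system, and terminal for encrypting and decrypting applications on a communication terminal |
TW201427366A (zh) | 2012-12-28 | 2014-07-01 | Ibm | Method and information apparatus for decrypting files for data leakage protection in an enterprise network |
JP6216662B2 (ja) * | 2014-02-28 | 2017-10-18 | 日本電産コパル株式会社 | Encrypted communication device, encrypted communication system, and encrypted communication method |
KR102356549B1 (ko) * | 2014-03-12 | 2022-01-28 | 삼성전자주식회사 | System and method for encrypting folders in a device |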
US10579786B2 (en) * | 2014-04-02 | 2020-03-03 | Sony Corporation | Information processing system |
US9672386B2 (en) * | 2014-06-03 | 2017-06-06 | Kabushiki Kaisha Toshiba | Digital multi-function peripheral and data protection method of external memory |
WO2016186678A1 (en) * | 2015-05-21 | 2016-11-24 | Hewlett Packard Enterprise Development Lp | Contract token including sensor data |
JP2018019207A (ja) * | 2016-07-27 | 2018-02-01 | 富士ゼロックス株式会社 | Cooperation management apparatus and communication system |
JP6300286B1 (ja) * | 2016-12-27 | 2018-03-28 | 株式会社ZenmuTech | Access management system, access management method, and program |
CN111581647B (zh) * | 2019-02-15 | 2023-07-25 | 武汉海康存储技术有限公司 | File encryption and decryption method and apparatus |
JP6894469B2 (ja) * | 2019-06-11 | 2021-06-30 | 株式会社ユビキタスAiコーポレーション | Information processing apparatus and control program therefor |
US20220272103A1 (en) * | 2019-06-13 | 2022-08-25 | David J. DURYEA | Adaptive access control technology |
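CN111787514B (zh) * | 2020-06-28 | 2024-03-22 | 海尔优家智能科技(北京)有限公司 | Method and apparatus for acquiring device control data, storage medium, and electronic apparatus |
CN111914289B (zh) * | 2020-07-15 | 2023-11-24 | 中国民航信息网络股份有限公司 | Method and apparatus for protecting application configuration information |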
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
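JPS62134679A (ja) * | 1985-12-09 | 1987-06-17 | 松下電器産業株式会社 | Encrypted document creation and reading apparatus |
JPH06187220A (ja) * | 1992-12-18 | 1994-07-08 | Fuji Xerox Co Ltd | Access management apparatus |
JPH10214233A (ja) * | 1996-04-15 | 1998-08-11 | Toshiba Corp | Information processing apparatus, information processing system, information processing method, program storage device, and key determination method and determination apparatus |
JPH10301856A (ja) * | 1997-02-28 | 1998-11-13 | Fujitsu Ltd | File access system and recording medium |
JP2000286957A (ja) * | 1999-03-30 | 2000-10-13 | Mitsubishi Electric Corp | Information processing apparatus and medium |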
Family Cites Families (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH06175905A (ja) | 1992-12-03 | 1994-06-24 | Fujitsu Ltd | Encrypted file sharing method |
JP2829214B2 (ja) | 1993-03-16 | 1998-11-25 | 三菱電機株式会社 | Anti-skid control device |
JP3637080B2 (ja) * | 1994-09-16 | 2005-04-06 | 株式会社東芝 | Data input/output management apparatus and data input/output management method |
JPH09179768A (ja) | 1995-12-21 | 1997-07-11 | Olympus Optical Co Ltd | File encryption system and file decryption system |
US6085323A (en) | 1996-04-15 | 2000-07-04 | Kabushiki Kaisha Toshiba | Information processing system having function of securely protecting confidential information |
EP0862124A3 (en) | 1997-02-28 | 2003-03-26 | Fujitsu Limited | File access system for efficiently accessing a file having encrypted data within a storage device |
JPH10260903A (ja) | 1997-03-19 | 1998-09-29 | Hitachi Ltd | Group encryption method and file encryption system |
US6463151B1 (en) * | 1997-10-29 | 2002-10-08 | Matsushita Electric Industrial Co., Ltd. | Data transmission method, data receiving method, data transmission system and program recording medium |
US6336187B1 (en) * | 1998-06-12 | 2002-01-01 | International Business Machines Corp. | Storage system with data-dependent security |
JP2000174746A (ja) * | 1998-09-30 | 2000-06-23 | Hitachi Software Eng Co Ltd | Data decryption method and apparatus |
US7146505B1 (en) * | 1999-06-01 | 2006-12-05 | America Online, Inc. | Secure data exchange between date processing systems |
US7571315B1 (en) * | 1999-09-16 | 2009-08-04 | Intel Corporation | Method and apparatus to assign trust to a key |
US7451147B1 (en) * | 1999-11-18 | 2008-11-11 | International Business Machines Corporation | Flexible encryption scheme for GSO target passwords |
JP2001345796A (ja) * | 2000-05-31 | 2001-12-14 | Matsushita Electric Ind Co Ltd | File encryption/decryption apparatus |
US6941456B2 (en) * | 2001-05-02 | 2005-09-06 | Sun Microsystems, Inc. | Method, system, and program for encrypting files in a computer system |
JP2003110548A (ja) * | 2001-09-28 | 2003-04-11 | K Frontier Inc | Electronic device, encryption key replacement method, and program |
KR100692425B1 (ko) * | 2001-09-28 | 2007-03-09 | 하이 덴시티 디바이시스 에이에스 | Method and apparatus for encryption/decryption of a mass storage device |
JP4051924B2 (ja) * | 2001-12-05 | 2008-02-27 | 株式会社日立製作所 | Network system capable of transmission control |
JP4007873B2 (ja) * | 2002-07-09 | 2007-11-14 | 富士通株式会社 | Data protection program and data protection method |
US7428751B2 (en) * | 2002-12-05 | 2008-09-23 | Microsoft Corporation | Secure recovery in a serverless distributed file system |
2004
- 2004-03-16 JP JP2004074220A (JP2005128996A, ja) active Pending
- 2004-09-30 WO PCT/JP2004/014329 (WO2005031580A1, ja) active Application Filing
2005
- 2005-07-28 US US11/190,976 (US8918633B2, en) not active Expired - Fee Related
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130254904A1 (en) * | 2012-03-21 | 2013-09-26 | Kabushiki Kaisha Toshiba | IC card and IC card control method |
US9183400B2 (en) * | 2012-03-21 | 2015-11-10 | Kabushiki Kaisha Toshiba | IC card and IC card control method |
Also Published As
Publication number | Publication date |
---|---|
US8918633B2 (en) | 2014-12-23 |
US20060018484A1 (en) | 2006-01-26 |
JP2005128996A (ja) | 2005-05-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
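WO2005031580A1 (ja) | Information processing apparatus, information processing system, and program | |
CN100504819C (zh) | Access authentication method, information processing unit, and removable recording device | |
JP5354001B2 (ja) | Information processing apparatus, information processing system, and program | |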
US7802112B2 (en) | Information processing apparatus with security module | |
US8953805B2 (en) | Authentication information generating system, authentication information generating method, client apparatus, and authentication information generating program for implementing the method | |
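JP2002229861A (ja) | Recording device with copyright protection function | |
CN104662870A (zh) | Data security management system | |
JP2003058840A (ja) | Information protection management program using an RFID-equipped computer recording medium | |
JPH11306088A (ja) | IC card and IC card system | |
JP2007108833A (ja) | Multiple-password storage device and password management method | |
JP3727819B2 (ja) | Database sharing system | |
JP4965512B2 (ja) | Authentication system, information processing apparatus, storage device, authentication method, and program therefor | |
KR101346284B1 (ko) | Method for generating and method for decrypting an encrypted file, and computer-readable recording medium storing a program for executing the methods | |
JP4791193B2 (ja) | Information processing apparatus, portable terminal apparatus, and information processing execution control method | |
CN101243469A (zh) | Digital license migration from a first platform to a second platform | |
JP2006268513A (ja) | Logon management device for terminal apparatus | |
CN113806785B (zh) | Method and system for security protection of electronic documents | |
JPWO2011058629A1 (ja) | Information management system | |
JPH10228374A (ja) | Computer card with copy protection | |
KR20030087874A (ko) | Level-based data security method for computing devices | |
JP2006323691A (ja) | Authentication apparatus, registration apparatus, registration method, and authentication method | |
CN115438358B (zh) | Controlled file encryption method and electronic device | |
JP6844673B2 (ja) | Electronic device and access management program | |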
US11876797B2 (en) | Multi-factor geofencing system for secure encryption and decryption system | |
JP2006011916A (ja) | Network proofreading method for edited works |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | EP: The EPO has been informed by WIPO that EP was designated in this application | |
| | WWE | WIPO information: entry into national phase | Ref document number: 11190976 Country of ref document: US |
| | WWP | WIPO information: published in national office | Ref document number: 11190976 Country of ref document: US |
| | 122 | EP: PCT application non-entry in European phase | |