WO2005033947A1 - Digital content data protection control system - Google Patents

Digital content data protection control system

Info

Publication number
WO2005033947A1
Authority
WO
WIPO (PCT)
Prior art keywords
content
client
data protection
protection control
digital content
Prior art date
Application number
PCT/JP2003/012743
Other languages
English (en)
Japanese (ja)
Inventor
Mitsuo Kasama
Original Assignee
Intelligent Network Institute, Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Intelligent Network Institute, Co., Ltd.
Priority to PCT/JP2003/012743 (WO2005033947A1)
Priority to AU2003275543A (AU2003275543A1)
Publication of WO2005033947A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]

Definitions

  • the present invention relates to a data protection control system for digital content such as web content and e-mail.
  • the present invention relates to a data protection control system for digital content in order to eliminate security threats caused by access to information by authorized users.
  • Conventional methods for user authentication in network information distribution include authentication by user ID and password, terminal authentication by IP address, terminal authentication by hardware, and the like.
  • application software is installed on a client terminal, or a plug-in is installed via a general-purpose browser, and techniques are used to restrict copying or printing of part or all of the information by means of the functions of the application software or the plug-in.
  • authentication by user ID and password succeeds for anyone who has obtained the user ID and password, even if that person is not the original user. As a result, it is not possible to prevent unauthorized use in which the user passes the user ID and password to a third party.
  • authentication by IP address only identifies the terminal, not the user.
  • in authentication using an IP address, when the IP address of a terminal is assigned by a DHCP server, etc., the terminal cannot be identified because the IP address is different each time it is connected.
  • in authentication using an IP address, when a router is interposed, multiple terminals have the same IP address due to NAT conversion and the like, so the terminal cannot be identified.
  • terminal authentication by hardware can identify terminals, but cannot identify users. It is also necessary to connect dedicated hardware to each terminal. If you install application software on the client terminal or install a plug-in through a general-purpose browser to restrict unauthorized copying and printing of data, they can access the local resources of the terminal. This threatens the security of the terminal.
  • HTML documents not only are created as static files, but also dynamically generated from databases, etc., occupy six shares, and protection of these data is required.
  • e-mail used on the Internet may be forwarded, printed, copied, circulated, etc., and is not a safe means of information transmission.
  • Data protection technologies that have been developed to date have not been a versatile method for protecting digital content, such as web content and e-mail, that must be protected on the Internet and intranets.
  • JP-A-2003-1088796 “Document sales system” discloses a document sales system that can purchase only the necessary contents of each book or magazine and that, when the client views the contents, has means to prohibit storage and printing of content.
  • Japanese Patent Application Laid-Open No. H11-1296336 “Hard copy control method, device and recording medium for document described in hypertext” discloses a hard copy control method for a digital document displayed on a display, and states that the confidentiality of data such as the content of an Internet homepage screen should be maintained.
  • the use can be controlled only by the copy restriction, and various data protection controls are not performed.
  • the most stringent requirement is to only provide browsing services to legitimate accessors, and to prohibit local storage of all or part of the file. Further, it is to prohibit copying and pasting of data having a predetermined protection level to another file or another application, prohibition of print output, prohibition of screen copy, and the like.
  • the level of protection that does not completely or partially transfer the contents of the content to the user's local environment implies a requirement that cache files not be created locally.
  • the development of a method to introduce a program that monitors operations on a browser without modifying the HTML file is being sought.
  • when using a component that accesses local resources of the client terminal, such as a program using an ActiveX control or a program using a signed Java (registered trademark) Applet, as a program for data protection, it is necessary to configure the general-purpose browser of the client to allow it, which lowers the security level of the client.
  • therefore, the purpose of the present invention is to solve the above-mentioned various problems, to reduce the labor and cost of installing and introducing additional servers and dedicated tools, and to provide a system that enables efficient data protection control by protecting web content based on various protection levels when processing it.
  • a further purpose is to provide a system that can prevent various types of unauthorized use, by prohibiting saving all or a part of a file locally, prohibiting copy and paste to another file or another application, prohibiting print output, prohibiting screen copy, and not creating a cache file locally, and that can set the appropriate data protection level for each digital content user according to the level required by the digital content provider.
  • This system is provided with input means, control means, display means, output means, storage means, etc., and is accessed from a client terminal such as a computer having a browser for browsing digital contents via a web server, and performs information processing.
  • a web server that stores digital contents
  • a data protection control server that performs data protection control of distributed digital content.
  • the data protection control server controls the data protection control server
  • a browsing request receiving means for receiving a content browsing request from a client terminal; and a client determination means for determining a client based on the content browsing request from the client terminal.
  • Data protection control means for inserting into the digital content a data protection control component that cannot access the local resources of the client terminal in order to control the protection of data displayed on the general-purpose browser at the terminal;
  • Content acquisition means for acquiring digital content from the web server according to the content browsing request and the client authentication;
  • Content transmission means for transmitting to the client terminal digital content enabled for data protection control corresponding to the determined client,
  • the content acquisition means acquires an HTML file or other web content stored in advance according to a content browsing request or an HTML file or other web content dynamically generated according to a content browsing request. It is a data protection control system for digital contents.
  • the content acquisition unit acquires a data file stored in a database or a dynamically generated HTML file or other web content including data stored in a database in accordance with a content browsing request. It is a data protection control system for digital contents. Also, in order to solve the above problem, in the invention described in claim 4, in the invention described in claim 1,
  • the content acquiring means dynamically includes an e-mail composed of a previously stored HTML mail or other web contents, or an e-mail stored in a database in accordance with the e-mail browsing request. It is a digital content data protection control system for acquiring generated HTML files and other web contents. Further, in order to solve the above-mentioned problem, in the invention described in claim 5, In the invention described in claim 4,
  • E-mail composed of pre-stored HTML mail or other web content, or a dynamically generated HTML file containing e-mail stored in the database according to the e-mail viewing request. It is characterized by a digital content data protection control system further equipped with a mail server that sends hyperlink data indicating the location of other web content to client terminals.
  • When the mail server receives an e-mail addressed to a predetermined e-mail address received at the client terminal, the mail server converts at least the body of the e-mail into a pre-stored HTML mail or other web content, e-mail, or the like. According to the mail viewing request, the data is stored as data to be inserted into dynamically generated HTML files and other web contents, and is also stored in advance at a predetermined e-mail address.
  • the client determination means is configured to perform analysis based on analysis of items described in an HTTP header or identification of a browser based on characteristics in HTTP communication, or determination of execution of a result of executing a predetermined function of a component supported by the browser. It is characterized by being a digital content data protection control system that makes a decision based on any one of or a combination of these based on identification.
  • the processing by the above-mentioned client determination means determines the browser by analyzing the User-Agent described in the HTTP header used in the HTTP communication between the content distribution server and the browser, and determines an unexpected client software program. It is a digital content data protection control system that includes a process to exclude content acquisition requests from the Internet.
  • the processing by the client determination means is performed by analyzing at least one of the IP address, host name, OS, and user name of the browser described in the HTTP header in the HTTP communication between the content distribution server and the browser.
  • Digital content which includes a process of determining whether or not a plurality of requests issued by a client are issued from the same client terminal, and excluding a content acquisition request from an unexpected client terminal. It is a data protection control system.
  • in the above-mentioned processing by the client determination means, in the encrypted communication between the web server and the browser, a plurality of requests issued by the client are analyzed by analyzing the client certificate used by the browser, it is determined whether or not they are issued from client software, and content acquisition requests from unscheduled client terminals are excluded. It is characterized by being a digital content data protection control system that includes this processing.
  • the processing by the client determination means includes analyzing a session ID used in encrypted communication between the web server and the browser to judge whether or not a plurality of requests issued from the browser were issued from a single client software of the same client terminal, and excluding these content acquisition requests. It is a digital content data protection control system that includes this processing.
  • the above-described processing by the client determination means manages and analyzes the Connection described in the HTTP header used in the HTTP communication between the web server and the browser, judges whether a plurality of requests issued from the browser are issued from the single client software of the same client terminal, and includes processing to exclude content acquisition requests from unexpected client terminals, login users, and client software. It is a data protection control system for digital contents.
  • the processing by the above-mentioned client judgment means monitors the operation of the client connection time when Connection used for HTTP communication between the web server and the browser is set to Keep-Alive or Close, determines whether a plurality of requests issued from the browser are issued from a single client software of the same client terminal, and excludes content acquisition requests from unscheduled client terminals, login users, and client software. It is a data protection control system for digital contents.
  • the processing by the client determination means monitors the operation of disconnecting the communication session of the client when Connection used in HTTP communication between the web server and the browser is set to Keep-Alive or Close, determines whether a plurality of requests issued from the browser were issued from a single client software of the same client terminal, and excludes content acquisition requests from unscheduled client terminals, login users, and client software. It is a data protection control system for digital contents.
  • the processing by the client determination means monitors the operation of the number of communication sessions opened by the client when Connection used for HTTP communication between the web server and the browser is set to Keep-Alive or Close, determines whether or not a plurality of requests issued from the browser are issued from a single client software of the same client terminal, and excludes content acquisition requests from unscheduled client terminals, login users, and client software. It is a data protection control system for digital contents.
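
A sketch of the client determination described in the items above, as an added example that is not code from the patent: it checks the User-Agent against the expected browsers and checks that successive requests presenting one client certificate keep the same User-Agent and encrypted-session ID. The class and field names, the allowlist tokens, the reject-on-session-change policy and the sample requests are all constructed assumptions; header values are supplied by the client, so the certificate and session ID act as the binding identifiers and the header checks as supporting signals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: tokens of the browsers the content provider expects (hypothetical).
EXPECTED_UA_TOKENS = ("MSIE 6.0", "Netscape/7")


@dataclass(frozen=True)
class Request:
    user_agent: str                   # User-Agent from the HTTP header
    remote_ip: str                    # source address seen by the server
    cert_fingerprint: Optional[str]   # client certificate presented, if any
    tls_session_id: Optional[str]     # session ID of the encrypted channel


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)   # causes of rejection
    warnings: List[str] = field(default_factory=list)  # logged, not rejected


class ClientDeterminer:
    """Binds each client certificate to the first request that presented it."""

    def __init__(self) -> None:
        self._first_seen: Dict[str, Request] = {}

    def check(self, req: Request) -> Decision:
        reasons: List[str] = []
        warnings: List[str] = []

        # 1. Exclude client software that is not an expected browser.
        if not any(tok in req.user_agent for tok in EXPECTED_UA_TOKENS):
            reasons.append("unexpected client software")

        # 2. Without a certificate and session there is nothing to bind to.
        if not req.cert_fingerprint or not req.tls_session_id:
            reasons.append("no client certificate or TLS session")
            return Decision(False, reasons, warnings)

        # 3. Later requests must match the first one seen for this certificate.
        first = self._first_seen.get(req.cert_fingerprint)
        if first is not None:
            if req.user_agent != first.user_agent:
                reasons.append("User-Agent changed for this certificate")
            # Assumed policy: a new encrypted session must re-authenticate.
            if req.tls_session_id != first.tls_session_id:
                reasons.append("TLS session ID changed")
            # DHCP and NAT make the address unstable, so only warn.
            if req.remote_ip != first.remote_ip:
                warnings.append("source IP changed")

        allowed = not reasons
        if allowed and first is None:
            self._first_seen[req.cert_fingerprint] = req
        return Decision(allowed, reasons, warnings)


def run_demo() -> List[Decision]:
    """Run the checks over constructed sample requests (not real traffic)."""
    browser = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    samples = [
        Request(browser, "192.0.2.10", "aa11", "s1"),     # first request
        Request(browser, "192.0.2.10", "aa11", "s1"),     # same client again
        Request("Wget/1.8", "192.0.2.10", "aa11", "s1"),  # other software
        Request(browser, "192.0.2.77", "aa11", "s1"),     # address changed
        Request(browser, "192.0.2.10", None, None),       # no certificate
        Request(browser, "192.0.2.10", "aa11", "s2"),     # new session
    ]
    determiner = ClientDeterminer()
    return [determiner.check(r) for r in samples]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```
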
  • the data protection control component inserted into the digital content by the data protection control means is a data protection control for digital content, which comprises only one or both of Java (registered trademark) Applet and Java (registered trademark) Script. It is a control system.
  • the process of importing the data protection control component that cannot access the local resources of the client terminal into the acquired digital content by the data protection control means includes the step of transmitting the data protection control component that outputs the distributed digital content to the data protection control server. It is a data protection control system for digital contents, which includes processing to modify content browsing requests from clients to link to the web server.
  • the process of acquiring digital content from the web server according to the above-mentioned method involves embedding a data protection control component in the data protection control server, which decodes the digital content distributed according to the content browsing request and decrypts the digital content. Therefore, it is a data protection control system for digital contents, which includes a process for preventing unauthorized use of digital contents in accordance with the data protection control component.
  • the process of acquiring digital content from the web server according to the content browsing request and the client authentication by the content browsing means includes: a key for encrypting the distributed digital content according to the content browsing request.
  • the data protection control server dynamically generates the data, sends it to the client terminal, and then queries the data protection control server for the key and decrypts the digital content. It is characterized in that it is a digital content data protection control system that includes a process of acquiring digital content from the above-mentioned server according to the control component.
  • the process of acquiring digital content from the web server according to the content browsing request and the client authentication by the content acquiring means is performed in accordance with the content browsing request to encrypt the distributed digital content.
  • the data protection control server divides the key and dynamically generates it, transmits to the client terminal in each communication session an identifier for querying the key, and embeds into the digital content a data protection control component that acquires a part of the key in each session by transmitting the identifier to the data protection control server over multiple sessions, synthesizes the key, and decodes the digital content. It is characterized by being a data protection control system for digital content.
  • the digital content transmitted to the client terminal by the content transmission means and enabled for data protection control can be copied, printed, stored, transferred, screen-captured for part or all of the information corresponding to the determined client. It is characterized by being a data protection control system for digital contents in which at least one of source code display and cache storage can be restricted.
  • an information distributor can authenticate a legitimate information user and distribute information while preventing illegal leakage of information, and the security of the terminal with which an information user accesses information can be kept high. In this way, the confidentiality of the information or the value of the information can be maintained.
  • a content protection system can be introduced without modifying an existing web application. For example, there is no need to introduce or modify existing web applications such as CGI or database search.
  • a general-purpose web browser can be used as the browsing client software, and general-purpose e-mail software can be used for e-mail protection. There is no need to additionally install dedicated software, plug-ins, etc.
  • a component for performing data protection control is created with Java (registered trademark) Script or Java (registered trademark) Applet as a component that does not access local resources. Therefore, it does not lower the security level of the client.
  • when determining a client, authentication using an ID and a password, authentication using an IP address, and authentication using a certificate such as an X509 certificate can be used, and can be easily inherited. To ensure the reliability of user authentication, encrypted communication is used for communication between server and client, and information such as certificates issued to clients, which is used to encrypt or decrypt the data to be communicated, is used as an identifier to authenticate clients. As a result, identification of terminals and users is realized by software without using hardware. In addition, the reliability of user authentication is increased by software that combines user ID and password authentication, IP address authentication, and authentication using the identifier used in the above-mentioned encrypted communication under AND and OR conditions.
  • a protection policy for setting an appropriate data protection level in accordance with a required level of a digital content provider and for each digital content user is set in a server that performs data protection control.
  • a simple tool for setting a digital content protection policy can be provided.
  • server management authority is separated into system management authority and business management authority, and the system administrator is treated specially as a super user in the content protection policy.
  • FIG. 1 is a system configuration diagram showing an example of a basic configuration of the system of the present invention.
  • FIG. 2 is a flowchart showing an example of a basic processing flow of the present invention.
  • FIG. 3 is a flowchart showing an example of a basic processing flow of the present invention.
  • FIG. 4 is a system configuration diagram showing an example of a basic configuration of the system of the present invention.
  • FIG. 5 is a flowchart showing an example of a basic processing flow of the present invention.
  • BEST MODE FOR CARRYING OUT THE INVENTION
  • the system of the present invention includes an input unit, a control unit, a display unit, an output unit, a storage unit, and the like, and is processed by a client terminal such as a computer having a browser for browsing digital contents via a web server.
  • the system includes a web server that stores digital contents, and a data protection control server that controls data protection of distributed digital content.
  • FIG. 1 is a system configuration diagram showing an example of a basic configuration of the system of the present invention.
  • a computer terminal such as a personal computer, a workstation, or a server is usually used.
  • the computer terminal includes control means, storage means, input means, output means, display means, and the like. It is also a common form to have a function to send and receive data by connecting to a network represented by the Internet, and to have application programs such as browsers, e-mail software, word processors, and an operating system (OS).
  • client terminals include wireless communication terminals such as mobile phones equipped with a browser function that can be connected to the Internet, mobile information terminals, the Internet ⁇ , game machines, videoconferencing systems, and other devices. Devices such as home appliances having a network connection function may be widely included.
  • the server is provided connected to a network represented by the Internet, and is accessed from a client terminal connected to the network.
  • Networks include the Internet and other forms of networks connected by dedicated lines, as well as forms such as intra-company LANs, inter-company LANs, and WANs.
  • the forms of communication lines that can be used include a wide range of forms such as wired communication and wireless communication, and include forms using satellite communication and Bluetooth.
  • the server constituting the system of the present invention can usually be constituted by an application server, a database server, an authentication server, a web server, a mail server, and other various devices.
  • Each of these servers includes a form that is physically installed on the same device, a form that is physically composed of a plurality of devices, and a form that is physically composed of a plurality of devices that are connected via a network.
  • Various forms are included if functionally similar functions are realized.
  • the system of the present invention includes a web server that stores digital content and a web application program to be accessed from a client terminal.
  • Digital content includes data files displayed on the web, such as HTML files and XML files, and data files displayed on mobile phones that can access websites, such as C-HTML files.
  • character data files, audio data files, image data files, moving image data files, animation data files, and various other digital contents that are displayed or output by being inserted into these files, etc. Can be stored.
  • Digital content includes a form in which web content is stored in advance, and a form in which web content is generated when accessed from a client terminal. Further, it may include data stored in a database or the like, which is inserted into the digital content when generating the web content.
  • the web server may be any web server that can perform data processing in cooperation with the data protection control server as well as the server under the control of the same system administrator as the data protection control server described later. Referring to FIG. 1, the block shown by the dotted line in FIG. 1 functions as a data protection control server.
  • the data protection control server includes a browsing request receiving means for receiving a content browsing request from a client terminal.
  • a browsing request is a digital content browsing request made from a client terminal with a browser that can access a web server, such as a general-purpose browser. The browsing request is performed by specifying the URL of the website using the browser.
  • the browsing request is received by the browsing request receiving means in the data protection control server provided in cooperation with the web server.
  • the data protection control server controls the transmission and reception of data to and from the client terminal, and it is desirable that the communication between them be encrypted.
  • Encrypted communication using the SSL communication protocol prevents eavesdropping and tampering during communication. Therefore, the data protection control server includes an encrypted communication program and an authentication program, and further has a function of performing data protection control described later.
  • the encrypted communication program, the authentication program, and the program for performing data protection control may be configured as a single server, or may be configured as independent servers and operated by different devices. Also, they may be configured as an extension of a web server such as CGI or servlet.
  • the encryption communication program, the authentication program, and the program for performing data protection control are described as being configured as a single server as a data protection control server, and a configuration for distributing content to a general-purpose browser of a client terminal via a network will be described.
  • the data protection control server includes a client determination unit that determines a client based on a content browsing request from a client terminal.
  • the client determination means determines a client that makes a digital content browsing request, and performs authentication by communication between the server and the client. By managing communication between the server and the browser, client users, client terminals, and client software are identified, and content acquisition requests from unexpected client software are eliminated.
  • the following user authentication methods can be supported for authentication by the client determination means.
  • a certificate authority function can be provided as an option, and a certificate such as an X509 certificate can be issued by itself using this function.
  • Encrypted communication is performed between the encrypted communication program of the data protection control server and the general-purpose browser of the client terminal.
  • the encrypted communication program uses the certificate used for the encrypted communication transmitted from the general-purpose browser for the encrypted communication, and passes the certificate to the authentication program to make a determination by the client determining means.
  • the authentication program uses the certificate as one of the identifiers for authentication and authenticates the user of the general-purpose browser.
  • Digital content which is a document to be protected, is preferably encrypted between the encryption program of the data protection control server and the general-purpose browser of the client terminal, and the access set in the content protection policy.
  • the use of the content is managed by the data protection control means described later.
  • the setting of the protection policy is preferably performed by the content manager of the web server, and it is preferable that the setting can be made via a web browser.
  • the client determination means performs determination based on analysis of items described in the HTTP header or identification of a browser based on characteristics in HTTP communication, or determination of whether execution of a result of executing a predetermined function of a component supported by the browser is possible. Judgment based on user identification, Judgment based on any of these, or a combination thereof
  • the browser executes a predetermined function as shown below as an example of the components supported by the browser, and identifies the browser based on whether or not execution is possible.
  • the browser is identified based on the characteristics of the HTTP communication.
  • One preferable example of the processing by the client determination means is to determine the browser by analyzing the User-Agent described in the HTTP header used in the HTTP communication between the content distribution server and the browser, and determining the unexpected client software.
  • the processing includes a process of excluding a content acquisition request from a user.
  • the client determination means analyzes the User-Agent described in the HTTP header included in the browse request received by the browse request receiving means, and makes a determination.
  • the client determination means determines whether or not multiple requests issued by a client are issued from the same client terminal, and content acquisition from an unscheduled client terminal This includes processing for eliminating the request.
  • the client determination unit determines at least one of the IP address, host name, OS, and user name of the browser described in the HTTP header included in the browse request received by the browse request receiving unit. Analyze and judge.
  • processing by the client determination means is that, in encrypted communication between the web server and the browser, the client certificate used by the browser is analyzed to determine whether or not a plurality of requests issued by the client were issued from the single client software of the same client terminal, and to exclude any content acquisition requests from unscheduled client terminals and logged-in users.
  • the client judgment means authenticates the certificate such as the X509 client certificate used by the client software in the SSL communication between the server and the browser, which is included in the browsing request received by the browsing request receiving means. Analyze and judge.
  • processing by the client determination means is that, by analyzing a session ID used in encrypted communication such as SSL communication between the web server and the browser, a plurality of requests issued from the browser can be transmitted to the same client. This includes processing to determine whether or not the power is output from the single client software of the terminal, and to exclude content acquisition requests from unexpected client software.
  • the data protection control server analyzes the session ID used for encrypted communication such as SSL communication between the web server and the browser, and the client judging means judges whether multiple browsing requests received by the browsing request receiving means are issued from single client software of the same client terminal.
  • the processing by the client determination means includes managing and analyzing the Connection described in the HTTP header used in the HTTP communication between the web server and the browser to judge whether a plurality of requests issued from the browser are issued from single client software of the same client terminal, and excluding content acquisition requests from unplanned client terminals, login users, and client software.
  • the data protection control server manages and analyzes the Connection described in the HTTP header included in the browsing request received by the browsing request receiving means, and the client judging means judges whether or not multiple requests issued from the browser are issued from single client software of the same client terminal.
  • Another preferable example of the processing by the client determination means is to monitor the client's disconnection of communication sessions when the Connection used in the HTTP communication between the web server and the browser is set to Keep-Alive or Close, to judge whether or not multiple requests issued from the browser are issued from single client software of the same client terminal, and to exclude content acquisition requests from unscheduled client terminals, login users, and client software.
  • the data protection control server monitors the operation of disconnecting the client's communication session when the Connection used for HTTP communication between the web server and the browser is set to Keep-Alive or Close, and the client determining means determines whether or not the plurality of browsing requests received by the browsing request receiving means are issued from single client software of the same client terminal.
  • Another preferable example of the processing by the client determination means is to monitor the number of communication sessions opened by the client when the Connection used in the HTTP communication between the web server and the browser is set to Keep-Alive or Close, to determine whether multiple requests issued from the browser are issued from single client software of the same client terminal, and to exclude content acquisition requests from unscheduled client terminals, login users, and client software.
  • the data protection control server monitors the number of communication sessions opened by the client when the Connection used for HTTP communication between the application server and the browser is set to Keep-Alive or Close, and the client determination means determines whether or not the plurality of browsing requests received by the browsing request receiving means are issued from single client software of the same client terminal.
  • Another preferable example of the processing by the client determination means is to monitor the connection time of the client when the Connection used for the HTTP communication between the web server and the browser is set to Keep-Alive or Close, to determine whether multiple requests issued from the browser are issued from single client software of the same client terminal, and to exclude content acquisition requests from unexpected client terminals, login users, and client software.
  • the data protection control server monitors the client's connection time when the Connection used for HTTP communication between the web server and the browser is set to Keep-Alive or Close, and the client judging means judges whether the browsing request is issued from single client software of the same client terminal.
  • the data protection control server has data protection control means for inserting, into the digital content, a data protection control component that cannot access local resources of the client terminal.
  • the data protection control means obtains the information requested by the general-purpose browser of the client terminal from a file prepared in advance on a web server or the like, or from a database or other system; by inserting into the digital content the data protection control component, which cannot access the local resources of the client terminal, it processes the information into data with data protection and transmits it to the general-purpose browser via an encrypted communication program.
  • the general-purpose browser displays distribution information, which is data with data protection.
  • By configuring the data protection control component inserted by the data protection control means, various data protection controls can be performed for each user authenticated by the authentication program of the client judgment means. As described above, the data protection control means inserts into the obtained digital content the data protection control component, which cannot access the local resources of the client terminal; this includes processing in which the data protection control component is embedded, at the data protection control server, in the distributed digital content, thereby modifying the content browsing request from the client to link to the web server.
  • Fig. 2 shows an example of the flow of processing by which the data protection control server, in order to protect the data displayed on the general-purpose browser of the client terminal, causes a content browsing request to perform a link operation on a node.
  • The insertion of the data protection control component into the digital content may also be performed at the data protection control server after the browsing request has been transferred to the web server and the digital content has been obtained from the web server.
  • the insertion of the data protection control component into the digital content may be performed by the data protection control server before transmitting the browsing request to the web server.
  • the digital content transmitted to the client terminal by the content transmission means and enabled for data protection control is preferably such that copying, printing, saving, transfer, screen capture, source code display, and/or cache storage of part or all of the information can be restricted in accordance with the determined client.
  • a referenceable date and time of the HTML content can be designated.
  • the data protection control component inserted into the digital content by the data protection control means is such that the component that realizes content protection does not have access to local resources.
  • the data protection control component consists solely of either Java Applet or Java Script, or both.
  • the Java (registered trademark) Script file and Java (registered trademark) Applet are modified so as to be embedded as a link on the server and to operate as a link, thereby preventing illegal use of HTML content.
  • the protection policy is set by the digital content manager of the web server, and the protection policy can be set by accessing the data protection control server via the web browser.
  • the data protection control server includes content acquisition means for acquiring digital content from the web server according to the content browsing request and the client authentication.
  • the content obtaining means obtains, in response to the content browsing request, an HTML file or other web content stored in advance, or an HTML file or other extended content dynamically generated in accordance with the content browsing request.
  • In addition to pre-stored HTML files and other web content and digital content, similar data protection control can be performed for HTML files and other web content and digital content that are dynamically generated by electronic bulletin board programs, data search programs, etc. (CGI, Servlet, etc.) when there is a browsing request.
  • the content acquisition means can also acquire a data file stored in a database or a dynamically generated HTML file or other web content including data stored in the database in accordance with a content browsing request.
  • FIG. 3 shows an example of a flow of processing in the data protection control server for performing a link operation of a content browsing request to a remote server in order to perform protection control of data displayed on a general-purpose browser of a client terminal.
  • the browsing request for the search service is made via the browser, and the web application receives the search request via the data protection control server and returns the search result. Nothing needs to be done to the usual web application and database, which can be used as they are, and users can browse and use the search results according to the protection policy.
  • the process of obtaining digital content from the web server according to the content browsing request and the client authentication by the content obtaining means includes processing to prevent unauthorized use of digital content by encrypting the digital content distributed according to the content browsing request, embedding at the data protection control server the data protection control component that decrypts the digital content, and following the data protection control component.
  • a key for encrypting digital content distributed according to the content browsing request is dynamically generated in the data protection control server and transmitted to the client terminal.
  • by embedding into the digital content the data protection control component, which queries the control server and decrypts the digital content, the process includes acquiring digital content from the web server in accordance with the data protection control component.
  • the HTML content to be distributed is encrypted, the key for decrypting it is a dynamically changed item described in the HTTP header (for example, Last-Modified), and a Java (registered trademark) Script file or Java (registered trademark) Applet that decrypts using that key is embedded at the server, thereby preventing unauthorized use of the HTML content.
  • the encrypted HTML content cannot be decrypted unless the value of the dynamically changed item described in the HTTP header is checked for each piece of HTML content.
  • a key for encrypting digital content distributed according to the content browsing request is dynamically generated by dividing the data at the data protection control server, and the key is transmitted to the client terminal in each communication session.
  • an identifier for querying the key is divided and transmitted, and the identifier for querying the key is then transmitted to the data protection control server over a plurality of sessions, so that the parts of the key are obtained and the key is synthesized; by embedding in the digital content the data protection control component that decrypts the digital content, it is possible to include a process of acquiring digital content from the web server according to the data protection control component.
  • the HTML content to be distributed is encrypted, and the key for decrypting it is divided and embedded in multiple communication sessions.
  • the divided keys are dynamically changed items (for example, LastModified) described in the HTTP header sent to the client in each communication session, and by embedding at the server a Java (registered trademark) Script file and Java (registered trademark) Applet that combine them to generate the key and decrypt, unauthorized use of HTML content is prevented. As a result, even when viewing the Java (registered trademark) Script source or the decompiled Java (registered trademark) Applet source, the encrypted HTML content cannot be decrypted without checking, for each piece of HTML content, the values of the dynamically changed items described in the HTTP header and synthesizing the key.
  • the data protection control server is provided with content transmission means for transmitting, to the client terminal, digital content enabled for data protection control corresponding to the determined client.
  • for the digital content enabled for data protection control that is transmitted to the client terminal by the content transmission means, copying, printing, saving, transfer, screen capture, source code display, and/or cache storage of some or all of the content can be restricted depending on the client identified. By using only components that cannot access local resources, the system can protect digital content without leaving caches or other content-related data on the client terminal and without lowering the security level of the client terminal.
  • data displayed on a general-purpose browser cannot be printed.
  • data displayed on a general-purpose browser cannot be saved as a file.
  • FIG. 4 is a system configuration diagram showing an example of another basic configuration of the system of the present invention.
  • a client terminal such as a computer having a browser for browsing digital contents via a web server, including input means, control means, display means, output means, storage means, and the like.
  • the system includes a web server that stores digital content, a data protection control server that performs data protection control of distributed digital content, and a mail server.
  • the mail server has a function of transmitting to client terminals hyperlink data indicating the location of e-mail composed of pre-stored HTML mail or other web content, or of HTML files and other web content that are dynamically generated, in response to an e-mail viewing request, to include e-mail stored in a database.
  • the content acquisition means acquires, according to the e-mail browsing request, e-mail composed of pre-stored HTML mail or other web content, or HTML files and other content that are dynamically generated in accordance with the e-mail browsing request to include e-mail stored in the database.
  • When the mail server receives an e-mail addressed to a predetermined e-mail address received by the client terminal, it reads at least the body of the e-mail and stores it as pre-stored HTML mail or other web content, or as data to be inserted into HTML files and other web content that are dynamically generated in response to an e-mail browsing request.
  • it then generates an e-mail, addressed to the predetermined e-mail address of the e-mail recipient, containing hyperlink data indicating the location of the e-mail composed of pre-stored HTML mail or other web content, or of the HTML file and other web content dynamically generated according to an e-mail browsing request to include the e-mail stored in a database, and sends it to the client terminal of the recipient of the e-mail.
  • FIG. 5 is a diagram showing an example of the basic processing flow of the e-mail software and the mail server of the mail sender, the e-mail software and the browser of the mail receiver, and the data protection control server in the present embodiment.
  • the entire body of the e-mail can be placed under the protection of the data protection control server of the present invention, and leakage of information through e-mail can be prevented.
  • the e-mail sender sets the SMTP server of the e-mail software as the predetermined mail server shown in Fig. 4, and sends outgoing e-mail using this e-mail software.
  • the e-mail sender is requested to confirm the e-mail protection policy as an e-mail administrator, and makes settings. Setting a frequently used protection policy as a default saves time and effort.
  • the body of the e-mail is stored as a digital content such as an HTML document in a web server or an e-mail content database provided in conjunction with the web server, and the URL for viewing the e-mail is sent to the recipient. E-mail can be viewed using the data protection control method described above.
  • the e-mail recipient receives the sent URL with ordinary e-mail software, clicks on it, and browses it according to the protection policy via the browser. A person to whom the e-mail is forwarded cannot view the mail content.
  • various data protection control methods based on the data protection control policy can be set.
  • the sender can control the printing, citation, and transmission of the contents of the e-mail at will. Or even after sending an e-mail, it is possible to restrict or prohibit the recipient from browsing.
  • the sender can confirm whether or not the receiver has viewed the contents.
  • content data such as cache is not stored on the terminal of the e-mail recipient.
  • e-mails can be sent and received using ordinary general-purpose e-mail software and a browser, and plug-in software, ActiveX controls, and the like are not required. Both the sender and the recipient can use this system while keeping the security settings high.
  • a system administrator is generally allowed to access all data in many cases, and may be able to browse contents beyond the scope of his or her business responsibilities.
  • system management authority and business management authority can be clearly separated, and the protection of digital contents and e-mail contents can be more reliably realized.
  • the labor and cost for introduction can be reduced, and it is possible to provide a system that, without introducing additional servers or dedicated tools and without processing the web content, enables various data protection controls based on various protection levels when protecting digital content such as web content.
  • it is possible to provide a system that not only prevents various unauthorized uses, through prohibition of saving all or part of a file locally, prohibition of copy and paste to another file or another application, prohibition of print output, prohibition of screen copy, and prohibition of creating a cache file locally, but also sets the appropriate data protection level according to the digital content provider's required level and for each digital content user.
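The client determination described above (binding a series of browse requests to one client terminal and one client software through the HTTP header attributes, the SSL session ID or client certificate, and Connection monitoring) can be sketched as follows. This is an added example, not code from the patent; the record fields, the limit of two open connections, and the sample requests are constructed assumptions.

```javascript
// Added example: "client determination" implemented as session binding.
// Field names and the request record shape are assumptions for illustration.

// Attributes the description lists as inputs to the determination.
const BOUND_FIELDS = ['ip', 'userAgent', 'tlsSessionId', 'certFingerprint'];

class ClientDeterminer {
  constructor(maxOpenConnections = 2) {
    this.sessions = new Map(); // login session -> { profile, open connections }
    this.maxOpenConnections = maxOpenConnections;
  }

  // Returns { allow, reason } for one browse request.
  evaluate(req) {
    let s = this.sessions.get(req.sessionKey);
    if (!s) {
      // First request after authentication: bind the session to this client.
      s = { profile: {}, open: new Set() };
      for (const f of BOUND_FIELDS) s.profile[f] = req[f] ?? null;
      this.sessions.set(req.sessionKey, s);
    }
    // Any later request must present the same attributes as the bound client.
    for (const f of BOUND_FIELDS) {
      if ((req[f] ?? null) !== s.profile[f]) {
        return { allow: false, reason: `${f} changed within session` };
      }
    }
    // Connection monitoring: count the connections this session holds open.
    s.open.add(req.connectionId);
    if (s.open.size > this.maxOpenConnections) {
      s.open.delete(req.connectionId);
      return { allow: false, reason: 'too many open connections' };
    }
    // "Connection: close" ends the connection once the response is sent.
    if (String(req.connection).toLowerCase() === 'close') {
      s.open.delete(req.connectionId);
    }
    return { allow: true, reason: 'same client software' };
  }
}

// Constructed sample requests (documentation IP ranges, made-up identifiers).
const base = {
  sessionKey: 'login-1', ip: '192.0.2.10',
  userAgent: 'Mozilla/4.0 (compatible; MSIE 6.0)',
  tlsSessionId: 'a1b2', certFingerprint: 'fp-01', connection: 'keep-alive',
};
const SAMPLE = [
  { ...base, connectionId: 'c1' },                                 // binds the session
  { ...base, connectionId: 'c1' },                                 // same connection reused
  { ...base, connectionId: 'c2', userAgent: 'ExampleFetcher/1.0' }, // different software
  { ...base, connectionId: 'c2' },                                 // second connection
  { ...base, connectionId: 'c3' },                                 // third open connection
  { ...base, connectionId: 'c2', connection: 'close' },            // closes c2
  { ...base, connectionId: 'c3' },                                 // now within the limit
  { ...base, connectionId: 'c3', ip: '198.51.100.7' },             // different terminal
];

function runSample() {
  const determiner = new ClientDeterminer(2);
  return SAMPLE.map((req) => determiner.evaluate(req));
}
```

Legitimate clients can change IP address or renegotiate an SSL session mid-session, so a deployment has to decide which attribute changes exclude a request and which only trigger re-authentication.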
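The divided-key scheme described above, in which each communication session carries one key part as a dynamically changed HTTP header item such as Last-Modified and the embedded component combines the parts to decrypt, can be sketched as follows. This is an added example, not code from the patent; the SHA-256 derivation, AES-256-GCM, the three sessions, and all names are assumptions, and both server and client component are simulated in Node.js.

```javascript
// Added example: key parts carried in Last-Modified across several sessions.
// Loads Node's built-in crypto whether the file runs as CommonJS or ESM.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Combine the per-session header values into one key (assumed KDF: SHA-256).
function deriveKey(contentId, headerValues) {
  const h = nodeCrypto.createHash('sha256');
  h.update(contentId);
  for (const v of headerValues) h.update('\n' + v);
  return h.digest(); // 32 bytes, used as an AES-256 key
}

// Server side: pick a fresh Last-Modified value per session, then encrypt.
function protect(contentId, html, sessions = 3) {
  const lastModified = [];
  for (let i = 0; i < sessions; i++) {
    // Dynamic item: a random second within the past year (constructed policy).
    const ms = Date.now() - nodeCrypto.randomInt(0, 365 * 24 * 3600) * 1000;
    lastModified.push(new Date(ms).toUTCString());
  }
  const key = deriveKey(contentId, lastModified);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(html, 'utf8'), cipher.final()]);
  return {
    // One response per communication session, each carrying one key part.
    responses: lastModified.map((v) => ({ headers: { 'Last-Modified': v } })),
    payload: { iv, tag: cipher.getAuthTag(), body },
  };
}

// Client component: read the header of every session, rebuild the key, decrypt.
function unprotect(contentId, responses, payload) {
  const parts = responses.map((r) => r.headers['Last-Modified']);
  const key = deriveKey(contentId, parts);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, payload.iv);
  decipher.setAuthTag(payload.tag);
  try {
    return Buffer.concat([decipher.update(payload.body), decipher.final()])
      .toString('utf8');
  } catch {
    return null; // wrong or incomplete key parts: authentication fails
  }
}

// Constructed sample: decrypt with all parts, with one missing, and with
// parts that belong to a different piece of content.
function demo() {
  const html = '<p>constructed sample content</p>';
  const { responses, payload } = protect('doc-42', html);
  return {
    all: unprotect('doc-42', responses, payload),
    missingOne: unprotect('doc-42', responses.slice(0, 2), payload),
    otherContent: unprotect('doc-43', responses, payload),
  };
}
```

An HTTP-date has one-second resolution, so the entropy of a key derived this way is bounded by the number of plausible timestamps per session.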

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a data protection control system that makes it possible to protect digital content without accessing a local resource of a client terminal and without lowering the security level. The system comprises a web server for storing digital content and a data protection control server for performing data protection control of distributed digital content. The data protection control server has browse request receiving means, client determination means for determining the client making a browse request, data protection control means for inserting into the digital content a data protection control component that cannot access the local resource of the client terminal, content acquisition means for acquiring digital content from the web server, and content transmission means for transmitting the digital content for which data protection control corresponding to the determined client is enabled.
PCT/JP2003/012743 2003-10-03 2003-10-03 Digital content data protection control system WO2005033947A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2003/012743 WO2005033947A1 (fr) 2003-10-03 2003-10-03 Digital content data protection control system
AU2003275543A AU2003275543A1 (en) 2003-10-03 2003-10-03 Digital content data protection control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2003/012743 WO2005033947A1 (fr) 2003-10-03 2003-10-03 Digital content data protection control system

Publications (1)

Publication Number Publication Date
WO2005033947A1 true WO2005033947A1 (fr) 2005-04-14

Family

ID=34401459

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2003/012743 WO2005033947A1 (fr) 2003-10-03 2003-10-03 Digital content data protection control system

Country Status (2)

Country Link
AU (1) AU2003275543A1 (fr)
WO (1) WO2005033947A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003046940A (ja) * 2001-07-31 2003-02-14 Toshiba Corp WWW server computer, method for copying moving and still images, and program

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"[Venture fair JAPAN2003] program>shuttensha shosai page", CHUSHO KIGYO SOGO JIGYODAN, 17 January 2003 (2003-01-17), XP002986494, Retrieved from the Internet <URL:http://www.vcc.ne.jp/venture/program/search/company/intelligent.html> [retrieved on 20031211] *
"IPPSAS gaiyo", INTELLIGENT NETWORK KENKYUSHO, 9 December 2002 (2002-12-09), XP002986492, Retrieved from the Internet <URL:http://web.archive.org/web/20021209052943/www.ippsas.jp/content/outline.html> [retrieved on 20031211] *
"IPPSAS taiken corner", INTELLIGENT NETWORK KENKYUSHO, 9 December 2002 (2002-12-09), XP002986493, Retrieved from the Internet <URL:http://web.archive.org/web/20021209084933/www.ippsas.jp/content/demo.html> [retrieved on 20031211] *
"Web contents fusei copy boshi tool IPPSAS ipusasu", INTELLIGENT NETWORK KENKYUSHO, 1 October 2003 (2003-10-01), XP002986491, Retrieved from the Internet <URL:http://www.ippsas.jp/IPPSAS030924.pdf> [retrieved on 20031211] *
SCOTT OAKS: "Java security", KABUSHIKI KAISHA ORAIRI JAPAN, 28 November 2001 (2001-11-28), pages 1 - 17, XP002986495 *

Also Published As

Publication number Publication date
AU2003275543A1 (en) 2005-04-21

Similar Documents

Publication Publication Date Title
US6061448A (en) Method and system for dynamic server document encryption
US6601169B2 (en) Key-based secure network user states
US6961849B1 (en) Selective data encryption using style sheet processing for decryption by a group clerk
TW528957B (en) Method and system for web-based cross-domain single-sign-on authentication
US7313823B2 (en) Anti-alternation system for web-content
US20080066172A1 (en) Secured web syndication
US9172707B2 (en) Reducing cross-site scripting attacks by segregating HTTP resources by subdomain
KR101387600B1 (ko) Electronic file delivery method
US20110302409A1 (en) Method and system for verification of an endpoint security scan
US20030037261A1 (en) Secured content delivery system and method
US20030051172A1 (en) Method and system for protecting digital objects distributed over a network
US20030237005A1 (en) Method and system for protecting digital objects distributed over a network by electronic mail
US20050182821A1 (en) Adhoc secure document exchange
WO2001084271A2 (fr) Secure content distribution system and method
KR20030036787A (ko) System for building an audit trail for securing objects distributed over a network
JP2005327285A (ja) Resource access control using tokens
KR20060040661A (ko) System and method for authenticating a client in a client-server environment
US6990582B2 (en) Authentication method in an agent system
Close Web-key: Mashing with permission
US8112328B2 (en) Secure and mediated access for E-services
Gritzalis et al. Addressing threats and security issues in World Wide Web technology
JP4675921B2 (ja) Information processing system and computer program
EP1532505A2 (fr) Guaranteeing application of a policy before authorizing use of a private key
Weeks et al. CCI-Based Web security: a design using PGP
WO2005033947A1 (fr) Digital content data protection control system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP