WO2010134249A1 - Data processing system, information flow control method, and non-temporal computer readable medium storing program - Google Patents


Publication number
WO2010134249A1
Authority
WO
WIPO (PCT)
Prior art keywords
label
security
conversion
flow control
information flow
Application number
PCT/JP2010/002057
Other languages
French (fr)
Japanese (ja)
Inventor
樋口直志
Original Assignee
日本電気株式会社

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/105 Multiple levels of security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data

Definitions

  • the present invention relates to a data processing system, an information flow control method, and a non-transitory computer-readable medium storing a program, and in particular to a data processing system, an information flow control method, and a non-transitory computer-readable medium storing a program for transmitting and receiving data between a plurality of dynamic information flow control systems that operate according to a label indicating the name of a security attribute added to data.
  • Non-Patent Document 1 describes an example of an information flow control system.
  • An information flow control system is a system that suppresses the propagation of information within a desired range.
  • an information flow control system is characterized in that propagation can be confined to the desired range even when the information undergoes intermediate processing or propagates in multiple stages via an intermediary.
  • Non-Patent Document 1 defines security classes, which are classifications of information from the viewpoint of information security, and a class join operation on these security classes. Further, Non-Patent Document 1 shows that the security class of information obtained as the result of a calculation is the join of the security classes of the information input to the calculation.
  • a logical storage has a function for holding information.
  • logical storage is a variable in a program.
  • the information held by the logical storage a is associated with a security class A that is a security attribute of the information.
  • security class B is associated with the information stored in the logical storage b.
  • the security class of information obtained as a result of applying some operation to the information held in the logical storage a and the information held in the logical storage b is A + B.
  • the symbol “+” indicates a class join operation.
  • in Non-Patent Document 1 a “+” surrounded by a circle is used as the symbol for the class join; in this specification, “+” is used. Furthermore, assume that a security class C is associated with the information stored in the logical storage c. Then the security class of information obtained as a result of applying some operation to the information held in the logical storages a, b, and c is A + B + C.
  • a flow relationship, defined between the single or joined security classes described above, specifies into which logical storages the information obtained as the result of an operation may be stored.
  • the security class D is associated with information held by the logical storage d.
  • a flow relationship is denoted by an arrow.
  • when the flow relationship from the security class A + B to the security class D is established, information of security class A + B can be stored in the logical storage d of security class D.
  • the security class E is associated with the information held by the logical storage e.
  • if the flow relationship (2) is not established, this indicates that information obtained as a result of applying some operation to the information stored in the logical storages a, b, and c cannot be stored in the logical storage e.
  • in summary, Non-Patent Document 1 defines a join operation on security classes, which are the security classifications of information, and controls the flow of information by defining flow relationships between security classes.
  • Non-Patent Document 2 describes another example of an information flow control system.
  • FIG. 11 is a block diagram expressing the contents described in Non-Patent Document 2 as an information flow control system.
  • the information flow control system shown in FIG. 11 includes Web services 81, 82 and 83, a security policy 84, a BPEL (Business Process Execution Language for Web Services) program verification means 85, a service cooperation system 86, and a cooperation result utilization means 88.
  • BPEL: Business Process Execution Language for Web Services
  • Web services 81, 82, and 83 provide independent services, and transmit information with a security label added to the service cooperation system 86.
  • the security label is the name of a single or combined security class shown in Non-Patent Document 1 described above.
  • the service cooperation system 86 is a system that links a plurality of services provided by the Web services 81, 82, and 83.
  • the service cooperation system 86 executes a BPEL program 87 in which a state of service cooperation is described. That is, first, the service cooperation system 86 receives information from each of the Web services 81, 82, and 83. Next, the service cooperation system 86 processes the information by the BPEL program 87 and generates a cooperation result. Then, the service cooperation system 86 adds a security label to the generated cooperation result and transmits it to the cooperation result utilization means 88. As a result, the service cooperation system 86 realizes an information flow from the Web services 81, 82, and 83 to the cooperation result utilization unit 88.
  • the cooperation result utilization means 88 receives the cooperation result from the service cooperation system 86 and uses the cooperation result according to the security label added to the received information.
  • the security policy 84 defines information that may be transferred from the Web services 81, 82, and 83 to the cooperation result utilization means 88.
  • the security policy 84 corresponds to a set of flow relationships in Non-Patent Document 1 described above.
  • the BPEL program verification means 85 verifies the information flow generated by the BPEL program 87. That is, the BPEL program verification means 85 verifies whether or not the BPEL program 87 can cause a flow of information contrary to the security policy 84.
  • the above security labels and the security policy 84 are determined before the information flow control system operates and remain constant throughout its operation. That is, the information exchanged during operation may change, but the security label of the information is determined beforehand. Further, the BPEL program verification means 85 performs verification against the security policy 84 prior to system operation.
  • an information flow control system that verifies an information flow violation before the operation of the system is referred to as a static information flow control system.
  • Non-Patent Document 3 describes another example of an information flow control system.
  • FIG. 12 is a block diagram expressing the contents described in Non-Patent Document 3 as an information flow control system.
  • the information flow control system shown in FIG. 12 processes information input from the information input source 94 and outputs the processing result to the information output destination 99.
  • the information flow control system includes a program 91 in which the processing to be performed is described, an IRM (Inline Reference Monitor) 93 in which the processing for information flow control is described, and a program with IRM 96 obtained by inserting the IRM 93 into the program 91.
  • the labeling policy 97 defines security labels added to information input from the information input source 94 to the program with IRM 96 and information output from the program with IRM 96 to the information output destination 99.
  • the information flow policy 98 defines a flow relationship between security labels.
  • the information flow control system shown in FIG. 12 operates as follows.
  • the program execution means 95 executes a program 96 with IRM. At that time, the program execution means 95 executes the original processing described in the program 91 among the programs 96 with IRM. At the same time, the program execution means 95 executes the processing described in the IRM 93 inserted by the IRM writing means 92 in the program 96 with IRM.
  • the program execution means 95 adds a security label to the logical storage according to the labeling policy 97 when storing the information read from the information input source 94 in the logical storage in the program 91.
  • when the program execution means 95 performs a calculation on information according to the program 91, it adds to the logical storage that holds the calculation result a label obtained by joining the security labels of the inputs to the calculation. This corresponds to the class join of Non-Patent Document 1 described above.
  • when writing information to the information output destination 99, the program execution means 95 determines according to the information flow policy 98 whether the write is permitted, and does not write out the information if it would violate the policy.
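The class join and flow-relationship check of Non-Patent Document 1 and the IRM behaviour just described (label the inputs, join the labels on computation, check the flow policy before writing out), as an added Python example that is not code from the patent or from the cited documents. It assumes a security class is a frozenset of atomic class names, that the join "+" is set union, and that a flow relationship X -> Y holds when X is a subset of Y (a Denning-style lattice); the storages a to e and classes A to E follow the page, while the stored values are constructed.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, Tuple

SecurityClass = FrozenSet[str]


def join(*classes: SecurityClass) -> SecurityClass:
    """Class join "+": the class of a result computed from several inputs (assumed: set union)."""
    out = set()
    for c in classes:
        out |= c
    return frozenset(out)


def flows_to(src: SecurityClass, dst: SecurityClass) -> bool:
    """Flow relationship src -> dst. Assumption: holds when src is a subset of dst."""
    return src <= dst


class FlowViolation(Exception):
    """Raised by the monitor when a write would violate a flow relationship."""


@dataclass
class LogicalStorage:
    """A variable: holds a value together with the security label of that value."""
    name: str
    security_class: SecurityClass            # the class this storage is allowed to hold
    value: Any = None
    label: SecurityClass = field(default_factory=frozenset)

    def store(self, value: Any, label: SecurityClass) -> None:
        # The IRM check: store only if the flow relationship label -> security_class holds.
        if not flows_to(label, self.security_class):
            raise FlowViolation(
                f"{'+'.join(sorted(label))} -> {self.name} is not an allowed flow")
        self.value, self.label = value, label


def compute(op, *inputs: LogicalStorage) -> Tuple[Any, SecurityClass]:
    """Apply op to the held values; the result carries the join of the input labels."""
    return op(*(s.value for s in inputs)), join(*(s.label for s in inputs))


def run_scenario() -> Dict[str, Any]:
    """Constructed run over the page's storages a..e with classes A..E."""
    A, B, C = frozenset({"A"}), frozenset({"B"}), frozenset({"C"})
    a = LogicalStorage("a", A, 10, A)
    b = LogicalStorage("b", B, 20, B)
    c = LogicalStorage("c", C, 30, C)
    d = LogicalStorage("d", join(A, B))      # D = A + B, so the flow A + B -> D holds
    e = LogicalStorage("e", join(A, B))      # E = A + B, so A + B + C -> E does not hold
    results: Dict[str, Any] = {}

    value, label = compute(lambda x, y: x + y, a, b)
    d.store(value, label)                    # permitted: label A+B flows to d
    results["d"] = (d.value, "+".join(sorted(d.label)))

    value, label = compute(lambda x, y, z: x + y + z, a, b, c)
    try:
        e.store(value, label)                # rejected: label A+B+C does not flow to e
        results["e"] = "stored"
    except FlowViolation:
        results["e"] = "rejected"
    return results
```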
  • an information flow control system that verifies an information flow violation during system operation is referred to as a dynamic information flow control system.
  • Patent Document 1 discloses a technique related to a variable identifier transmission method that conceals information relating to an identifier from a third party by assigning a random number to the identifier and transmitting the encrypted identifier when the identifier is transmitted to another device.
  • Patent Document 2 discloses a technology relating to an information distribution method that facilitates information distribution while ensuring confidentiality.
  • the information transmission device of the slip issuer lists, for each viewer, a set consisting of a browsing range identifier, which identifies the browsing range of the slip that the viewer is permitted to browse, and a common key for encrypting that browsing range.
  • the information transmitting apparatus creates decryption information by encrypting this list with the public key of each viewer, and transmits the decryption information.
  • the information transmitting apparatus encrypts the portion of the slip specified by each browsing range identifier with the corresponding common key and transmits it.
  • each viewer's information receiving device decrypts the received decryption information using its own secret key. The information receiving apparatus thereby acquires the common key for decrypting the browsing range it is permitted to browse. Thereafter, the information receiving apparatus decrypts the permitted browsing range of the received slip with the acquired common key.
  • Patent Document 3 discloses a technique related to an information transmission method via an electronic document that takes into account the security of information that should not be known in the electronic document and the adverse effects on business execution.
  • the following processing is performed. First, an anonymization level for anonymizing a real name word in an electronic document to a predetermined level of abstraction is determined. Next, an additional label corresponding to the identification number of the person who receives the electronic document is generated. Then, an anonymous word corresponding to the real name word is selected from a real name word / anonymous word dictionary that stores the correspondence between real name words and anonymous words, an anonymous word being an abstraction of a real name word.
  • an anonymous word having a one-to-one relationship with the real name word is generated, and the real name word / anonymous word mapping is stored only for that identification number.
  • Patent Document 4 discloses a technology related to an information asset management server that is disclosed to the outside while maintaining the safety of information assets.
  • the information asset management server disclosed in Patent Document 4 stores asset information received from a user terminal, together with a security label that defines the rules to be observed when the asset information is disclosed to the outside.
  • the information asset management server generates and stores meta information based on the security label.
  • the information asset management server generates and stores a public information asset obtained by processing the storage asset information based on the meta information.
  • Patent Document 5 discloses a technique related to a process management resource sharing prevention method and program that avoids name collisions by changing the names of objects to be generated, thereby preventing resource sharing.
  • the process management resource sharing prevention method and program disclosed in Patent Document 5 forcibly enable the simultaneous execution of a plurality of processes of an application program that would otherwise prevent such simultaneous execution, and thereby provide a foundation for information flow control.
  • Patent Document 6 discloses a technique related to an encryption ID handling method and a CRM (Customer Relationship Management) system that prevents theft of an encryption key and decryption of a skimmed number.
  • the CRM system disclosed in Patent Document 6 utilizes RFID (Radio Frequency Identification) having an encryption tag management unit.
  • the encryption tag management unit includes an encryption tag manufacturing unit that manufactures a serial encryption tag in which an encrypted serial ID, obtained by encrypting the RFID serial ID with a common key, is written, and a decryption unit that receives the encrypted serial ID read by a user with an RFID reader and decrypts it into the serial ID with the common key.
  • in Non-Patent Documents 2 and 3 and Patent Documents 1 to 6 described above, when data with a security label is transmitted and received between a plurality of dynamic information flow control systems whose transmission source and transmission destination differ, there is the problem that the same data cannot be appropriately processed based on the security label, information leakage cannot be prevented, and information cannot be transmitted and received safely.
  • the first reason is that the technique described in Non-Patent Document 2 performs static information flow control, so its security labels are determined statically and it cannot be connected to a dynamic information flow control system.
  • the second reason is that the technique described in Non-Patent Document 3 transmits the security label associated with the information, and thus cannot support a secure connection.
  • the third reason is that the technique disclosed in Patent Document 1 cannot cope with a complicated internal structure such as security class coupling in a security label.
  • the security label is itself “information” indicating the classification of information from the viewpoint of security.
  • therefore, the security label itself has a classification from the viewpoint of security.
  • the information flow control system s1 manages information by associating a security class and a security label with the following information.
  • the security class C and the security label LC are associated with information indicating the company c.
  • the information indicating the person a is associated with a security class A and a security label LA.
  • the labeling policy of the information flow control system s1 associates the security class C + A, which is a combination of the security class C and the security class A, with the security label LX.
  • the security label LX is associated with the salary information x of the person a working for the company c.
  • the information flow control system s1 can manage the salary information x of the person a.
  • the information flow control system s2 provides a service for receiving salary information of a plurality of employees from a plurality of companies, statistically processing the salary information for each company, and returning the results.
  • the information flow control system s2 needs to identify which company the received salary information belongs to, but does not need to identify which person it belongs to.
  • the information flow control system s3 is assumed to provide a service for managing the salary transfer account of each person including the person a.
  • the information flow control system s3 needs to identify which person the received salary information belongs, but does not need to identify which company it belongs to.
  • when the information flow control system s1 adds the security label LX to the salary information x of the person a working for the company c and transmits it to the information flow control systems s2 and s3, the following problem arises. That is, the information flow control system s2 cannot determine whether or not the security label LX added to the received salary information x belongs to the security class C.
  • the information flow control system s1 can determine that the security label LX corresponds to C + A by referring to its own labeling policy.
  • the information flow control system s2, however, does not have a labeling policy in which the security label LX is associated with C + A. Therefore, from a security viewpoint, it cannot distinguish company c from other companies. That is, in this case, the information flow control system s2 cannot appropriately perform processing according to the security label added to the received information.
  • when the information flow control system s1 adds the security labels LC and LA to the salary information x of the person a working for the company c and transmits it to the information flow control systems s2 and s3, the following problem arises. That is, the information flow control system s2 may be able to identify that the salary information x relates to the person a. The information flow control system s2 can identify that the salary information x belongs to the company c from the received security label LC, and the information flow control system s3 can identify that the salary information x is that of the person a from the received security label LA.
  • this occurs when the security labels LC and LA are both transmitted to the information flow control systems s2 and s3.
  • because the information flow control system s2 can learn from the information flow control system s3 that the person a has been identified by the security label LA, the information flow control system s2 can associate the same security label LA with the salary information x it received. That is, in this case, the information held by the security label cannot be concealed, and the salary information x of the person a leaks to the information flow control system s2.
  • information indicating the person b is associated with a security class B and a security label LB.
  • the labeling policy of the information flow control system s1 associates a security class C + B, which is a combination of the security class C and the security class B, with a security label LY.
  • the security label LY is associated with the salary information y of the person b working at the company c.
  • the information flow control system s1 can manage the salary information y of the person b.
  • when the information flow control system s1 adds the security labels LC and LB to the salary information y of the person b working at the company c and transmits it to the information flow control system s2, the following problem arises. That is, when the information flow control system s1 receives a processing result from the information flow control system s2, it cannot determine whether the result has been falsified. This is because, when the information flow control system s2 returns the processing result of the salary information y, it may, through fraud or failure, add the previously received security label LA instead of the security label LB.
  • the information flow control system s1 then erroneously determines that the processing result relates to the person a, because the security label LA is added to the processing result received from the information flow control system s2. That is, in this case, the information flow control system s1 cannot detect that the processing result received from the information flow control system s2 has been tampered with. At the same time, in the information flow control system s1, the processing result of the person b is processed and disclosed as that of the person a, and information leaks.
  • when the information flow control system s1 adds only the security label LC to the salary information x of the person a working for the company c and transmits it to the information flow control system s2, the following problem arises. That is, even if the information flow control system s1 receives the processing result of the salary information x from the information flow control system s2, it cannot identify the processing result as relating to the person a. This is because the information flow control system s1 transmitted only the security label LC to the information flow control system s2. Therefore, the security label LA is not added to the processing result received from the information flow control system s2, and the information flow control system s1 cannot recover the set of security labels LC and LA from the processing result. That is, in this case, the information flow control system s1 cannot appropriately perform processing according to the security label added to the received processing result.
  • Patent Document 2 is a related technique for limiting the disclosure range in one piece of information according to the transmission destination.
  • Patent Document 3 is related technology that anonymizes information differently according to the disclosure level of a transmission destination for one piece of information.
  • Patent Document 4 is a related technique for generating a public information asset based on a security label.
  • Patent Document 5 is a related technique that provides a foundation for information flow control.
  • Patent Document 6 is related technology in which a common key cryptosystem is applied to RFID. Therefore, even if they are combined, the above-described problems cannot be solved.
  • the present invention has been made to solve this problem, and its object is to provide a data processing system, an information flow control method, and a non-transitory computer-readable medium storing a program that, when the same data is processed between a plurality of dynamic information flow control systems based on security labels that differ between the transmission source and the transmission destination, process the data appropriately, prevent information leakage, and transmit and receive information safely.
  • the data processing system according to the first aspect of the present invention includes: transmission means for adding, to data, a converted label set, which is a set of labels including a conversion label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data into a name different from that label, and a disclosed label set, which is a set of labels indicating the names of the security attributes, among the plurality of security attributes, to be disclosed so that a communication partner can process the data, and transmitting the data to the communication partner; and verification means for receiving from the communication partner a processing result of the data to which a converted label set and a disclosed label set are added, and verifying the security of the processing result using the converted label set and the disclosed label set added to the received processing result.
  • the information flow control method according to the second aspect of the present invention, performed by a data processing device, includes: a transmission step of adding, to data, a converted label set, which is a set of labels including a conversion label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data into a name different from that label, and a disclosed label set, which is a set of labels indicating the names of the security attributes, among the plurality of security attributes, to be disclosed so that a communication partner can process the data, and transmitting the data to the communication partner; a step of receiving from the communication partner a processing result of the data to which a converted label set and a disclosed label set are added; and a verification step of verifying the security of the processing result using the converted label set and the disclosed label set added to the received processing result.
  • the non-transitory computer readable medium according to the third aspect of the present invention stores an information flow control program that causes a computer to execute information flow control processing including: a transmission process of adding, to data, a converted label set, which is a set of labels including a conversion label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data into a name different from that label, and a disclosed label set, which is a set of labels indicating the names of the security attributes, among the plurality of security attributes, to be disclosed so that a communication partner can process the data, and transmitting the data to the communication partner; a process of receiving from the communication partner a processing result of the data to which a converted label set and a disclosed label set are added; and a verification process of verifying the security of the processing result using the converted label set and the disclosed label set added to the processing result.
  • according to the present invention, a data processing system, an information flow control method, and a non-transitory computer readable medium storing a program for transmitting and receiving information safely can be provided.
  • FIG. 1 is a block diagram showing a configuration of a dynamic information flow control system according to the first exemplary embodiment of the present invention.
  • the data processing system 10 is a computer system that transmits and receives data to and from a communication partner 20 that is an arbitrary information system.
  • the data processing system 10 includes a transmission unit 11 and a verification unit 12.
  • the transmission unit 11 adds the converted label set 32 and the disclosed label set 33 to the data 31 and transmits the data 31 to the communication partner 20.
  • the converted label set 32 is a set of labels including at least a conversion label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data 31 into a name different from that label. It is assumed that the communication partner 20 cannot reverse a conversion label back to the original label.
  • the disclosure label set 33 is a set of labels indicating names of security attributes to be disclosed for causing the communication partner 20 to process the data 31 among a plurality of security attributes associated with the data 31.
  • the disclosed label set 33 is a set of labels that the data processing system 10 determines to be disclosed to the communication partner 20 and is used for flow determination in the communication partner 20.
  • the disclosure label set 33 only needs to include at least one label.
  • the transmission unit 11 may include the converted label set 32 and the disclosed label set 33 in the communication packet including the data 31, for example.
  • for communication involving a session, the transmission unit 11 may designate the converted label set 32 and the disclosed label set 33 at the start of the session, so that they are treated as added to all data transmitted and received during the session.
  • the verification unit 12 receives from the communication partner 20 the processing result 34 of the data 31, to which a converted label set 35 and a disclosed label set 36 are added, and verifies the security of the processing result 34 using the converted label set 35 and the disclosed label set 36 added to the received processing result 34.
  • the data processing system 10 can prevent an information flow violation by discarding the received processing result 34 when the verification unit 12 determines that there is a problem with the security of the processing result 34.
  • FIG. 2 is a flowchart showing the flow of the information flow control process according to the first embodiment of the present invention.
  • the transmission unit 11 transmits data 31 to which the converted label set 32 and the disclosed label set 33 are added to the communication partner 20 (S10).
  • the communication partner 20 performs predetermined processing based on the disclosed label set 33 added to the received data 31 and generates a processing result 34. At this time, the communication partner 20 leaves at least the conversion labels included in the received converted label set 32 unchanged and generates a converted label set 35 that includes the converted label set 32. Further, the communication partner 20 generates a disclosed label set 36 that includes at least the disclosed label set 33. Then, the communication partner 20 adds the converted label set 35 and the disclosed label set 36 to the generated processing result 34 and transmits it to the data processing system 10.
  • the verification unit 12 receives the processing result 34 from the communication partner 20 (S20).
  • the received processing result 34 includes a conversion label set 35 and a disclosure label set 36. Thereafter, the verification unit 12 verifies the security of the processing result 34 using the converted label set 35 and the disclosed label set 36 included in the received processing result 34 (S30).
  • the data processing system 10 can cause the communication partner 20 to process the data 31 based on the security attributes included in the disclosure label set 33. That is, the data processing system 10 can cause the communication partner 20 to appropriately process.
  • the data processing system 10 does not disclose to the communication partner 20 the security attributes of the labels, among the plurality of security attributes associated with the data 31, that are not in the disclosed label set 33. This is because the communication partner 20 cannot learn the labels before conversion from the converted label set 32. Therefore, the data processing system 10 can prevent information leakage by not disclosing more security attributes than necessary to the communication partner 20.
  • the data processing system 10 can detect the presence or absence of falsification by, for example, comparing the converted label set 35 added to the processing result 34 received from the communication partner 20 with the converted label set 32. Similarly, the data processing system 10 can appropriately process the processing result 34 by comparing the disclosed label set 36 added to the processing result 34 received from the communication partner 20 with the disclosed label set 33.
  • according to Embodiment 1 of the present invention, when the same data is processed among a plurality of dynamic information flow control systems based on security labels that differ between the transmission source and the transmission destination, the processing is performed appropriately, information leakage is prevented, and information can be transmitted and received safely.
  • FIG. 3 is a block diagram showing a configuration of the dynamic information flow control system according to the second exemplary embodiment of the present invention.
• The second embodiment comprises the dynamic information flow control system 40 and the dynamic information flow control systems 41 and 42, which exchange information carrying the composite label described later with the dynamic information flow control system 40.
• In FIG. 3, two dynamic information flow control systems, 41 and 42, exchange information with the dynamic information flow control system 40.
  • the present invention is not limited to this, and an arbitrary number may be used.
• In the second embodiment the dynamic information flow control systems 41 and 42 have the same internal configuration as the dynamic information flow control system 40; illustration and description of their internal configurations are therefore omitted.
  • the dynamic information flow control systems 41 and 42 do not have to adopt the same configuration as the dynamic information flow control system 40. In this case, it is assumed that the dynamic information flow control systems 41 and 42 can recognize at least the composite label added to the information received from the dynamic information flow control system 40. At the same time, the dynamic information flow control systems 41 and 42 can add a composite label to the processing result when returning the processing result of the received information to at least the dynamic information flow control system 40.
  • the dynamic information flow control systems 40, 41 and 42 are realized as a combination of a computer and software operating on the computer.
• In each system, the flow of information handled by the application unit is controlled according to a security label attached to the information. Details of how such a dynamic information flow control system is constructed are omitted because they are known to those skilled in the art; this embodiment describes only the configuration and operation added to such a system so that it can exchange information safely with other dynamic information flow control systems.
• The composite label is a label in which the conversion label set and the disclosure label set are concatenated.
  • the conversion label set includes at least one or more conversion labels.
  • the conversion label is obtained by converting a security label, which is a name of a plurality of security attributes associated with transmission / reception target data, into a name different from the security label, as in the first embodiment of the present invention. It is assumed that the dynamic information flow control systems 41 and 42 cannot reversely convert the conversion label received from the dynamic information flow control system 40 to the original label.
• The conversion label set may also include a temporary label, that is, a label other than a conversion label generated by the system itself.
  • a temporary security class (hereinafter referred to as a temporary class) that is a temporary security attribute is assigned to the temporary label.
  • the temporary class is a security class to be processed in a system other than the dynamic information flow control system 40.
  • the temporary class is handled as a security class that can flow to any logical storage with the weakest restriction in flow determination in the dynamic information flow control system 40.
• The disclosure label set is the set of disclosure labels, that is, those of the plurality of security labels associated with the data 31 that are disclosed so that the dynamic information flow control system 41 or 42 can process the data.
  • the disclosure label set is used for flow determination in the dynamic information flow control systems 41 and 42.
  • the disclosure label set only needs to include at least one disclosure label.
• A set of labels is written with curly brackets as “{L1, L2, ..., Ln}”, and a pair of label sets is written as “(label set, label set)”.
  • the converted label set is expressed as the first element of the pair
  • the disclosed label set is expressed as the second element of the pair.
• For example, a composite label in which the conversion labels LX, LY and LZ and the disclosure labels LA, LB and LC are concatenated is written “({LX, LY, LZ}, {LA, LB, LC})”.
• The dynamic information flow control system 40 shown in FIG. 3 includes an application unit 51, a disclosure determination unit 52, a composite label generation unit 53, a composite label analysis unit 54, a security policy storage unit 55, a composite label storage unit 56, a security label storage unit 57, and a temporary class storage unit 58.
  • the application unit 51 processes information transmitted to and received from the dynamic information flow control system 41 or 42.
• The application unit 51 realizes information flow control by processing transmitted and received information according to the security label added to it. Specifically, the application unit 51 first inputs to the composite label generation unit 53 the security label to be added to the information to be transmitted and the transmission destination system ID, that is, the identifier of the destination dynamic information flow control system. The application unit 51 then adds the composite label output by the composite label generation unit 53 to the information and transmits it.
  • the application unit 51 receives information to which a composite label is added from the dynamic information flow control system 41 or 42. Then, the application unit 51 inputs the received composite label to the composite label analysis unit 54. Thereafter, the application unit 51 receives the security label output from the composite label analysis unit 54 and processes the information. For example, the application unit 51 receives a processing result of information transmitted by itself.
  • the security label storage unit 57 stores a set of a security label 571 and a class combination 572 that is a security class combination.
  • the class combination 572 is expressed as a kind of security class set.
• The security label storage unit 57 returns the class combination 572 for a lookup using the security label 571 as a key, and returns the security label 571 for a lookup using the class combination 572 as a key.
• If no entry corresponds to the key in either lookup, the security label storage unit 57 returns that fact.
  • the class combination 572 may include the provisional class described above.
• The pairs of security label 571 and class combination 572 stored in the security label storage unit 57 may be registered while the dynamic information flow control system 40 is operating, or may be given in advance, before operation, as a system security setting.
• The temporary class storage unit 58 stores pairs of a conversion label 581 and a temporary class 582, where the temporary class is not used for flow determination within the dynamic information flow control system 40. It returns the temporary class 582 for a lookup using the conversion label 581 as a key, and the conversion label 581 for a lookup using the temporary class 582 as a key. If no entry corresponds to the key in either lookup, the temporary class storage unit 58 returns that fact.
  • the composite label generation unit 53 receives the security label and the transmission destination system ID added to the transmission target information input from the application unit 51, and generates a composite label from the security label. Then, the composite label generation unit 53 outputs the generated composite label to the application unit 51. Details of the processing of the composite label generation unit 53 will be described later with reference to FIG.
  • the security policy storage unit 55 stores the above-described disclosure label in association with the system ID of the disclosure destination dynamic information flow control system.
• The disclosure determination unit 52 refers to the security policy storage unit 55 and determines, from a security class and the identifier of a dynamic information flow control system, whether that security class may be disclosed to that system.
  • the disclosure determination by the disclosure determination unit 52 is realized using the security policy storage unit 55, but the disclosure determination unit 52 is not limited to this.
  • the disclosure destination may be defined by other methods.
• The composite label storage unit 56 stores, as one entry, the combination of a transmission destination system ID 561, which identifies the dynamic information flow control system to which the information is transmitted, a security label 562 assigned to the information within the dynamic information flow control system 40, a transmission conversion label 563 converted from the security label 562, and the composite label 564 added to the information when it is transmitted to the destination identified by the transmission destination system ID 561.
  • the composite label generation unit 53 may output the generated composite label to the application unit 51 and store it in the composite label storage unit 56.
  • the composite label storage unit 56, the security label storage unit 57, and the temporary class storage unit 58 can be said to be label information storage means for storing information relating to labels.
  • the application unit 51, the disclosure determination unit 52, and the composite label generation unit 53 can be said to be transmission units.
• Preferably, the transmission unit converts the plurality of security attributes to generate a conversion label, generates the conversion label set including the generated conversion label, selects from the plurality of security attributes those to be disclosed to the communication partner to generate the disclosure label set, concatenates the conversion label set and the disclosure label set to generate a composite label, adds the generated composite label to the data, and transmits the data to the communication partner.
• Thereby the conversion label set and the disclosure label set added to the transmitted information are carried as a single composite label, and the accuracy of falsification detection can be raised.
• The transmission unit may also generate the conversion label by converting the plurality of security attributes into a name that differs from the conversion label used for another communication partner.
• That is, when the same information is transmitted to both the dynamic information flow control systems 41 and 42, the composite label generation unit 53 may generate a conversion label for the dynamic information flow control system 41 that differs from the one generated for the dynamic information flow control system 42. This makes the labels difficult to decipher even if the transmissions to the several communication partners are compared with one another.
• The transmission unit may also generate a conversion label that differs from past conversion labels derived from the same labels, that is, from the same names of the plurality of security attributes. In other words, when the composite label generation unit 53 generates a conversion label again from a security label that was added to previously transmitted information, it may generate a conversion label different from the earlier one; different conversion labels may thus be derived from the same security label. This makes the labels difficult to decipher even if several transmissions are compared.
  • the composite label analysis unit 54 receives the composite label added to the received processing result input from the application unit 51, analyzes the composite label, and converts it back to a security label. Then, the composite label analysis unit 54 outputs the reversely converted security label to the application unit 51. Further, the composite label analysis unit 54 makes an inquiry to the disclosure determination unit 52 as appropriate during the analysis. Details of the processing of the composite label analysis unit 54 will be described later with reference to FIGS.
• Because the processing result received by the application unit 51 carries the conversion label that the composite label generation unit 53 generated at transmission time, the composite label analysis unit 54 reverse-converts into a security label those conversion labels in the received conversion label set that were generated by its own composite label generation unit 53. It then calculates the essential security class set, the classes that must be present in the received composite label, by removing the non-disclosed security classes from the security class combination of the reverse-converted security label. Next, the composite label analysis unit 54 removes the transmission conversion labels from the received conversion label set and removes any unknown security class from the security class set corresponding to the remaining conversion labels.
  • the composite label analysis unit 54 removes an unknown security class from the security class set corresponding to the disclosed label set included in the received composite label.
  • the unknown security class is a security class corresponding to a newly acquired security label.
• From the remaining classes the composite label analysis unit 54 calculates the known security class set, and then determines whether the known security class set includes the essential security class set.
• The application unit 51, the disclosure determination unit 52, and the composite label analysis unit 54 can collectively be regarded as the verification unit. The verification unit retrieves, from the label information storage means, the stored conversion label that matches the conversion label set added to the received processing result, and on the basis of that conversion label judges whether the received processing result is a result of data that was disclosed to that communication partner. Thereby the correctness of the processing result can be detected accurately.
• Preferably, the verification unit assigns a temporary security attribute to each temporary label, that is, each label in the conversion label set added to the received processing result that is not a conversion label stored in the label information storage means, adds the temporary security attribute to the plurality of security attributes associated with the data, and stores the temporary label and the temporary security attribute in association with each other in the label information storage means.
• The transmission unit described above then generates the conversion label by converting the plurality of security attributes to which the verification unit has added the temporary security attribute, acquires from the label information storage means the temporary label associated with that temporary security attribute, and generates the conversion label set so that it includes both the generated conversion label and the acquired temporary label. Thereby, detection accuracy can be increased.
• Consider, for example, the case where the conversion label set that the dynamic information flow control system 41 receives from the dynamic information flow control system 42 includes a conversion label generated by the dynamic information flow control system 42. The dynamic information flow control system 41 cannot map this conversion label to any of its security classes, so it treats the conversion label as a temporary label and assigns it a temporary security class. This allows the dynamic information flow control system 41 to process the information appropriately. When it returns the result to the dynamic information flow control system 42, the dynamic information flow control system 41 includes the temporary label in the conversion label set it generates.
  • the dynamic information flow control system 42 can perform appropriate processing because the conversion label set received from the dynamic information flow control system 41 includes the conversion label generated by itself.
• Thus, even when a conversion label generated by a system other than the receiving system is included, the dynamic information flow control system 41 can process the information appropriately by assigning a temporary security class.
• Further, when the label set added to the received processing result includes a new label, the verification unit may add the security attribute corresponding to the new label to the plurality of security attributes. Thereby, newly added classes can be incorporated and security can be improved.
• When the dynamic information flow control systems 41 and 42 receive information from the dynamic information flow control system 40, that information arrives as part of a processing request. That is, the application unit 51 of the dynamic information flow control system 41 or 42 receives new information rather than the processing result of information it transmitted itself, so the received information carries a composite label newly generated by the dynamic information flow control system 40.
• In this case too, the composite label analysis unit 54 calculates the essential security class set described above, which is the empty set, because the composite label of the received information contains no conversion label generated by the composite label generation unit 53 of the receiving system. The known security class set therefore always includes the essential security class set, the inspection passes, and the information is received normally. Hence the same inspection can be applied whether the composite label is attached to reply information or to spontaneously transmitted information.
  • the composite label generation unit 53 generates a different conversion label for each dynamic information flow control system of the transmission destination.
• The composite label analysis unit 54 according to the second embodiment inspects the disclosure label set included in the received composite label and, if the inspection fails, discards the information to which the composite label is attached, thereby preventing information flow violations.
• The composite label generation unit 53 may also refer to the composite label storage unit 56 using the identifier of the destination dynamic information flow control system and the security label of the information to be transmitted as keys, and, when a corresponding composite label is already stored, replace the security label with that composite label.
  • FIG. 4 is a flowchart showing the flow of the composite label generation process according to the second embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example of data in the composite label generation process according to the second embodiment of the present invention.
  • the composite label generation unit 53 converts a security label of information to be transmitted to generate a transmission conversion label that is a conversion label (S201).
  • the composite label generation unit 53 converts the security label LX to generate a transmission conversion label LX ′.
  • the composite label generation unit 53 generates a conversion label for transmission so as to be unique within a plurality of dynamic information flow control systems including the dynamic information flow control systems 40, 41 and 42.
• For example, a UUID (Universally Unique Identifier; ISO/IEC 11578:1996, RFC 4122) may be used as the transmission conversion label. Since UUID generation is known to those skilled in the art, its detailed description is omitted.
• Next, the composite label generation unit 53 refers to the security label storage unit 57 and acquires the security class set corresponding to the security label (S202). In FIG. 5, for example, it acquires the class combination Y+Z+A+B+C. The composite label generation unit 53 then refers to the temporary class storage unit 58 and determines whether each security class in the acquired set is a temporary class (S203); in FIG. 5 it determines that the security classes Y and Z are temporary classes. For every security class determined to be a temporary class, the composite label generation unit 53 acquires the corresponding temporary conversion label from the temporary class storage unit 58 (S204); in FIG. 5 it acquires the temporary conversion labels LY and LZ for the temporary classes Y and Z.
• The composite label generation unit 53 then generates the conversion label set by combining the transmission conversion label generated in step S201 with the temporary conversion labels acquired in step S204 (S205). In FIG. 5, for example, it generates the conversion label set {LX′, LY, LZ}.
• When the acquired set contains security classes that are not temporary classes, the composite label generation unit 53 queries the disclosure determination unit 52, using each such security class and the destination dynamic information flow control system as keys, to determine whether the class is to be disclosed (S206). In FIG. 5, for example, of the security classes A, B and C it determines that A and B are to be disclosed and that C is not. For each security class determined to be a disclosure target, the composite label generation unit 53 refers to the security label storage unit 57 and acquires the security label corresponding to that class (S207).
• In FIG. 5, the composite label generation unit 53 acquires the security labels LA and LB for the security classes A and B. It then generates the disclosure label set by combining the acquired security labels (S208); in FIG. 5 this is the disclosure label set {LA, LB}. If step S206 determines that no security class is to be disclosed, the composite label generation unit 53 generates an empty disclosure label set.
• Finally, the composite label generation unit 53 generates the composite label by concatenating the conversion label set generated in step S205 and the disclosure label set generated in step S208 (S209). In FIG. 5, for example, it generates the composite label ({LX′, LY, LZ}, {LA, LB}). The application unit 51 adds the composite label generated by the composite label generation unit 53 to the data and transmits it (S210). At the same time, the composite label generation unit 53 associates the destination system ID, the security label, the transmission conversion label and the generated composite label with one another and stores them in the composite label storage unit 56 (S211).
  • FIG. 6 is a flowchart showing the first half of the composite label analyzing process according to the second embodiment of the present invention.
  • FIG. 7 is a flowchart showing the latter half of the composite label analysis process according to the second embodiment of the present invention.
  • FIG. 8 is a diagram illustrating an example of data in the composite label analysis process according to the second embodiment of the present invention.
• First, the application unit 51 receives the processing result to which a composite label has been added (S301). The composite label analysis unit 54 receives from the application unit 51 the composite label added to the processing result and separates it into the conversion label set and the disclosure label set (S302). In FIG. 8, for example, it separates the composite label into the conversion label set {LX′, LY, LZ, LV} and the disclosure label set {LA, LB, LD}.
• Next, the composite label analysis unit 54 refers to the composite label storage unit 56 and determines whether the conversion label set includes a transmission conversion label generated by this system (S303). In FIG. 8, for example, it determines that the conversion label set {LX′, LY, LZ, LV} includes the transmission conversion label LX′. If a transmission conversion label is included, the composite label analysis unit 54 acquires from the composite label storage unit 56 the transmission destination system ID associated with that transmission conversion label (S304) and, for every transmission conversion label in the conversion label set, the corresponding security label (S305).
• In FIG. 8, for example, the composite label analysis unit 54 acquires the security label LX for the transmission conversion label LX′. It then refers to the security label storage unit 57 and acquires the security class set corresponding to the acquired security label (S306); in FIG. 8 it acquires the class combination Y+Z+A+B+C for the security label LX.
• The composite label analysis unit 54 then refers to the temporary class storage unit 58 and determines whether each security class in the acquired set is a temporary class (S307); in FIG. 8 it determines that the security classes Y and Z are temporary classes. For the security classes that are not temporary classes, the composite label analysis unit 54 queries the disclosure determination unit 52, using each such security class and the transmission destination dynamic information flow control system as keys, to determine whether the class was a disclosure target (S308). In FIG. 8, for example, of the security classes A, B and C it determines that A and B were disclosed and that C was not.
• The composite label analysis unit 54 then generates the essential security class set consisting of those disclosed security classes (S311); in FIG. 8, for example, it generates the essential security class set {A, B}. If step S307 found a security class belonging to the temporary class, or after step S311, the process proceeds to step S318 described later. Further, after step S306, the composite label analysis unit 54 includes each security class of the acquired security class set in the new security class combination (S315); in FIG. 8, for example, it generates the new security class combination Y+Z+A+B+C.
• For each label in the conversion label set that is not a transmission conversion label, the composite label analysis unit 54 determines whether a temporary class can be acquired for it from the temporary class storage unit 58 (S313). If so, it acquires the temporary class corresponding to that label (S314); in FIG. 8, for example, it acquires the temporary classes Y and Z for the labels LY and LZ. It then includes the acquired temporary classes in the new security class combination (S315); in FIG. 8 they are already present, so nothing new is added. At the same time, it includes the acquired temporary classes in the known security class set (S312); in FIG. 8 this yields the known security class set {Y, Z}.
• If no temporary class can be acquired, the composite label analysis unit 54 assigns a new temporary class to the label (S316); in FIG. 8, for example, it assigns the temporary class V to the label LV. That is, for any label in the conversion label set that is neither a transmission conversion label generated by this system nor a label whose temporary class was acquired in the past, the composite label analysis unit 54 assigns a new temporary class. It then registers the assigned temporary class and the label in the temporary class storage unit 58 (S317) and includes the assigned temporary class in the new security class combination (S315); in FIG. 8 this yields the new security class combination Y+Z+V+A+B+C.
• Next, the composite label analysis unit 54 refers to the security label storage unit 57 and determines whether the disclosure label set separated in step S302 contains any security label that is not registered (S309). In FIG. 8, for example, it determines that the disclosure label set {LA, LB, LD} contains no unregistered security label. If no unregistered security label is found, the composite label analysis unit 54 acquires from the security label storage unit 57 the security classes of all disclosure labels in the disclosure label set (S310); in FIG. 8 it acquires the security classes A, B and D.
  • the composite label analysis unit 54 includes the acquired security class in the new security class combination (S315).
  • the composite label analysis unit 54 generates a new security class combination Y + Z + V + A + B + C + D.
  • the composite label analysis unit 54 includes the acquired security class in the known security class set (S312).
• In FIG. 8, the composite label analysis unit 54 generates the known security class set {Y, Z, A, B, D}. If step S309 finds that an unregistered security label is included, the process proceeds to step S319 described later.
  • the composite label analysis unit 54 performs label consistency determination (S318): it checks, by the inclusion relation of sets, whether the known security class set generated in step S312 includes the essential security class set generated in step S311. If it is determined that label consistency does not hold, the composite label analysis unit 54 discards the received processing result and composite label (S319), because a security label unknown to it has been disclosed and subsequent information flow control can no longer be performed correctly. Thereafter, the composite label analysis process ends.
  • the composite label analysis unit 54 determines whether a security label can be obtained by querying the security label storage unit 57 using the new security class combination generated in step S315 as a key (S320). If a security label can be acquired, the composite label analysis unit 54 acquires that security label and ends the composite label analysis process.
  • the composite label analysis unit 54 creates a new security label (S321). For example, in FIG. 8, the composite label analysis unit 54 determines that there is no security label corresponding to the new security class combination Y + Z + V + A + B + C + D, and creates a new security label LW. Then, the composite label analysis unit 54 registers the created security label in the security label storage unit 57 (S322).
  • the security label can be partially disclosed and information leakage can be prevented.
  • a composite label is generated by combining a conversion label obtained by converting the original security label and a disclosure label set corresponding to the disclosed security classes among the security class set corresponding to the original security label.
  • the effects of the present invention will be specifically described using the examples shown in the problem of the invention.
  • the information flow control system s1, the information flow control system s2, and the information flow control system s3 are connected according to the example shown in the subject of the invention.
  • salary information x and y of the person a and the person b of the company c are managed on the information flow control system s1.
  • the statistical processing service operates on the information flow control system s2.
  • the salary transfer account management service is operating on the information flow control system s3.
  • the information flow control system s1 requests the information flow control system s2 to perform processing and receives a result (statistical information).
  • the information flow control system s1 requests the information flow control system s3 to perform processing in order to transfer the salary of the person a, and receives a result (transfer completion notification).
  • it is assumed that the disclosure determination unit on the information flow control system s1 determines to disclose the security label LC to the information flow control system s2. This determination is performed based on, for example, a security policy set in advance.
  • the composite label sent to the information flow control system s2, generated by the composite label generation unit on the information flow control system s1, is ({LX′}, {LC}).
  • the disclosure determination unit on the information flow control system s1 determines to disclose the security label LA to the information flow control system s3. This determination is performed based on, for example, a security policy set in advance.
  • the composite label generated by the composite label generation unit on the information flow control system s1 and sent to the information flow control system s3 is ({LX′′}, {LA}). Since a conversion label is created for each destination dynamic information flow control system, the security label LX on the information flow control system s1 becomes a different conversion label for each destination: LX′ for the information flow control system s2 and LX′′ for the information flow control system s3.
  • composite labels are stored in a composite label storage unit on the information flow control system s1 in combination with the original security label LX.
  • both of the conversion labels LX′ and LX′′ correspond to the security label LX. Since this correspondence is held only on the information flow control system s1, it is not known to the information flow control systems s2 and s3.
  • the fact that the security class C corresponding to the security label LC disclosed to the information flow control system s2 is included in the security class combination corresponding to the conversion label LX′′ sent to the information flow control system s3 is not known to the information flow control systems s2 and s3. This is because the composite label storage unit is held on the information flow control system s1 and is not disclosed to the information flow control systems s2 and s3.
  • likewise, the fact that the security class A corresponding to the security label LA disclosed to the information flow control system s3 is included in the security class combination corresponding to the conversion label LX′ sent to the information flow control system s2 is not known to the information flow control systems s2 and s3, since the composite label storage unit is on the information flow control system s1. Therefore, even if the composite labels of the information sent to the information flow control systems s2 and s3 are matched against each other, information leakage can be prevented.
  • it is assumed that the composite label ({LX′′}, {LA}) added to the information sent to the information flow control system s3 is tampered with on the information flow control system s3 or on the path over which the processing result is returned.
  • the composite label analysis unit on the information flow control system s1 restores the conversion label LX′′ in the composite label to the original security label LX, confirms that the security label LX corresponds to the security class combination C + A, removes the undisclosed security class C from this security class combination, and calculates the essential security class set {A}.
  • a known security class set is calculated from the security class set {B} corresponding to the disclosure label set {LB}.
  • since {A} ⊆ {B} does not hold, it can be detected that the composite label has been tampered with.
  • the second embodiment it is possible to prevent information leakage caused by matching the composite label between other dynamic information flow control systems connected to the dynamic information flow control system 40.
  • information transmitted from the dynamic information flow control system 40 to other dynamic information flow control systems is given a composite label generated by the composite label generation unit 53.
  • the composite label includes the security labels corresponding to the security classes that the disclosure determination unit 52 determined to disclose, while the other security labels are included only after conversion into conversion labels. Further, the disclosure determination is performed according to the identifier of the destination dynamic information flow control system. Therefore, even if the other dynamic information flow control systems connected to the dynamic information flow control system 40 match their composite labels against each other, they cannot associate the composite labels with one another.
  • the essential security class set is calculated from the transmission conversion label included in the composite label.
  • the essential security class set includes all security classes corresponding to the conversion labels and the disclosure labels contained in the security label corresponding to the transmission conversion label. Since this calculation is performed based on the composite label storage unit 56, the temporary class storage unit 58, and the security label storage unit 57 within the dynamic information flow control system 40, other dynamic information flow control systems cannot interfere with it.
  • a known security class set is calculated from this composite label.
  • when the composite label is tampered with on another dynamic information flow control system, or on the communication path from that system to the dynamic information flow control system 40, so that part of the disclosure label set is changed or a disclosure label is missing, the tampering can be detected by comparison with the essential security class set.
  • the first embodiment of the present invention is equivalent to FIG.
  • the dynamic information flow control system 40 is the statistical processing system s12 of the company c
  • the dynamic information flow control system 41 is the statistical processing system s12
  • the dynamic information flow control system 42 is the bank account management system s13.
  • a security class C indicating that the information is for the company c and security classes A and B indicating that the information is related to the employees a and b are defined. Then, it is assumed that the personnel system s11 has already stored the data shown in FIG. Further, it is assumed that the personnel system s11 has already stored the data shown in FIG.
  • the statistical processing system s12 shall set in advance a security class C indicating that it is information of the company c and a security label LC corresponding to C.
  • the bank account management system s13 sets in advance a security class A indicating that the information is information of the person a, and a security label LA corresponding to A.
  • the personnel system s11 generates a transmission conversion label LX′ from the security label LX, and sends the composite label ({LX′}, {LC}) to the statistical processing system s12 together with the salary information.
  • the bank account management system s13 is requested to transfer the salary of the person a. A security label LA corresponding to the security class A must be added to the salary information for which the processing is requested, so that it is not mixed with other persons' information. However, it is not necessary to provide the identification information of the company c to the bank account management system s13. Accordingly, the personnel system s11 generates a transmission conversion label LX′′ from the security label LX, adds the composite label ({LX′′}, {LA}) to the salary information, and sends it to the bank account management system s13.
  • suppose the composite label ({LZ′, LX′′}, {LA}) to be added is tampered with so as to become ({LZ′, LX′′}, {LB}). Then {LA} is calculated as the essential security class set from LX′′, and {LB} is calculated as the known security class set from ({LZ′, LX′′}, {LB}). Since {LA} ⊆ {LB} does not hold, the tampering is detected.
  • LZ′ is a transmission conversion label generated by the bank account management system s13. Thereby, it is possible to prevent the salary transfer amount of the person a from leaking to the person b.
  • the added composite label becomes ({LZ′, LX′′}, {LA}).
  • the best mode of the invention is used for the bank account management system s13
  • the best mode of the other invention is used for the bank account management system s13
  • information corresponding to the non-disclosure security class in the bank account management system s13 is obtained.
  • the generation of LZ′ is suppressed and a composite label ({LX′′}, {LA}) is added.
  • the presence or absence of the transmission conversion label LZ′ does not affect the label consistency determination: the essential security class set calculated from the transmission conversion label LX′′ is {LA}, and the known security class set calculated from ({LX′′}, {LA}) is {LA}, so tampering can be detected.
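The analysis steps above (S301 through S322) and the s1/s2/s3 and s11/s12/s13 examples can be exercised end to end with the following Python sketch. It is an added example written for this page, not code from the patent or from the applicant; the class and function names, the random suffix that makes each transmission conversion label opaque, the naming scheme for newly created security labels, and the shape of the disclosure policy (destination identifier mapped to the security classes disclosable to it) are my own assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CompositeLabel:
    """A composite label: (conversion label set, disclosure label set), e.g. ({LX''}, {LA})."""
    conversion: frozenset
    disclosure: frozenset


class FlowController:
    """One dynamic information flow control system, e.g. s1 (the personnel system)."""

    def __init__(self, name, labels, policy):
        self.name = name
        # security label storage unit: label name -> security class combination
        self.labels = {k: frozenset(v) for k, v in labels.items()}
        # security policy storage unit: destination -> classes disclosable to it (assumed shape)
        self.policy = {k: frozenset(v) for k, v in policy.items()}
        # composite label storage unit: transmission conversion label -> (original label, destination)
        self.composite_store = {}
        # temporary class storage unit: foreign conversion label -> temporary class
        self.temporary_classes = {}

    def label_of(self, classes):
        """Label for a class combination, creating and registering one if none exists (S320-S322)."""
        classes = frozenset(classes)
        for name, cls in self.labels.items():
            if cls == classes:
                return name
        name = f"L{self.name}{len(self.labels)}"  # assumed naming scheme for new labels
        self.labels[name] = classes
        return name

    def generate(self, label, destination):
        """Composite label for data labelled `label` sent to `destination`."""
        classes = self.labels[label]
        disclosed = classes & self.policy.get(destination, frozenset())
        # One opaque conversion label per destination, so LX' (for s2) and LX'' (for s3)
        # cannot be matched against each other; the random suffix is an assumption.
        conv = f"{label}'{secrets.token_hex(4)}"
        self.composite_store[conv] = (label, destination)
        disclosure = frozenset(self.label_of({c}) for c in disclosed)
        return CompositeLabel(frozenset({conv}), disclosure)

    def verify(self, received):
        """Composite label analysis on a returned processing result (S301-S322).

        Returns the security label to attach to the result, or None when label
        consistency fails (S318/S319) or a disclosure label is unregistered (S309).
        """
        essential, new_classes = set(), set()
        for conv in received.conversion:
            if conv in self.composite_store:
                # Our own transmission conversion label: restore it and keep only the
                # classes that were disclosed to that destination (S311).
                orig, dest = self.composite_store[conv]
                essential |= self.labels[orig] & self.policy.get(dest, frozenset())
                new_classes |= self.labels[orig]
            else:
                # Partner's own conversion label (LZ' in the text): give it a temporary
                # class (S316/S317); it takes no part in the consistency check.
                tmp = self.temporary_classes.setdefault(conv, f"T{len(self.temporary_classes)}")
                new_classes.add(tmp)
        known = set()
        for disc in received.disclosure:
            if disc not in self.labels:
                return None                    # unregistered security label: discard (S309 -> S319)
            known |= self.labels[disc]         # S310 / S312
            new_classes |= self.labels[disc]   # S315
        if not essential <= known:             # S318: essential set must be included in known set
            return None
        return self.label_of(new_classes)


def demo():
    """Re-enacts the text's example: s1 sends salary x (LX = C + A) to s3, disclosing only A."""
    s1 = FlowController("s1",
                        labels={"LX": {"C", "A"}, "LA": {"A"}, "LB": {"B"}, "LC": {"C"}},
                        policy={"s2": {"C"}, "s3": {"A"}})
    to_s3 = s1.generate("LX", "s3")                              # ({LX''}, {LA})
    intact = s1.verify(to_s3)                                    # {A} ⊆ {A}: accepted, label LX
    forged = CompositeLabel(to_s3.conversion, frozenset({"LB"}))  # LA swapped for LB
    tampered = s1.verify(forged)                                 # {A} ⊄ {B}: discarded
    with_foreign = CompositeLabel(to_s3.conversion | {"LZ'"}, to_s3.disclosure)
    extended = s1.verify(with_foreign)                           # LZ' gets a temporary class
    return intact, tampered, extended
```

`demo()` returns `('LX', None, <new label>)`: the untouched label passes because the essential set {A} is included in the known set {A}; the label whose disclosure set was swapped to {LB} is discarded because {A} ⊄ {B}; and a partner-generated conversion label such as LZ′ only receives a temporary class, which joins the new class combination without affecting the consistency check, as the text states.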
  • the disclosure determination unit 52 determines whether or not the security class can be disclosed.
  • the security labels to be included in the disclosure label set of the composite label are determined accordingly. This means that the security class corresponding to a non-disclosed security label does not contribute at all to flow determination in the destination dynamic information flow control system. For example, when salary information for a plurality of persons belonging to the same company is sent to a dynamic information flow control system and the security class of each person is not disclosed in the destination dynamic information flow control system, this may be inconvenient depending on the processing performed there.
  • Embodiment 3 of the present invention aims, for a certain security class, to avoid unnecessary disclosure of security attributes in the same manner as Embodiments 1 and 2 described above, while still letting that class contribute to flow determination in the destination dynamic information flow control system.
  • therefore, in the third embodiment of the present invention, the security label corresponding to such a security class is replaced with another security label and then added to the disclosure label set. This disclosure method will be referred to as partial disclosure for convenience.
  • security classes E1, E2,..., En which are different security attributes having a common property.
  • security class A associated with the person a and the security class B associated with the person b have a common property as a security class for identifying the person.
  • the security classes E1, E2,..., En are called security groups.
  • a security group can be said to be a security attribute that identifies a department to which a person belongs, for example.
  • any security class belonging to the security group is associated with the data.
  • the same flow determination is performed for any security class belonging to the security group. Here, "the same flow determination" means that, for any security class P other than the security classes E1, ..., En in the destination dynamic information flow control system, the result of the flow determination from the security class P to the security class Ei (i being any one of 1, 2, 3, ..., n) is the same for every i.
  • any security class Ei to Ej (j is any one of 1, 2, 3,.
  • the former will be referred to as the case where the security class Ei can be merged, and the latter as the case where the merge cannot be performed.
  • the dynamic information flow control system according to the third embodiment of the present invention can be realized by modifying the disclosure determination unit 52 and the composite label generation unit 53 according to the second embodiment of the present invention described above.
  • the configuration of the dynamic information flow control system according to the third embodiment of the present invention is basically the same as that of the dynamic information flow control system 40 according to the second embodiment of the present invention shown in FIG. The illustration is omitted.
  • differences from the second embodiment of the present invention will be described.
  • the disclosure determination unit 52 returns one of three values, disclosure, partial disclosure, and non-disclosure, instead of the two values disclosure and non-disclosure. For example, in step S206 of FIG. 4, when it is determined that disclosure is possible, the disclosure determination unit 52 may further determine whether or not to perform partial disclosure. And the composite label generation
  • the common label is a label that serves as a common name for a plurality of security attributes that are subject to the same flow determination at the communication partner.
  • the transmission unit includes a common label that is the same label for a plurality of security attributes having a common property in the communication partner in the disclosed label set.
  • the disclosure determination unit 52 may determine whether or not to join when the security class is determined to be partial disclosure.
  • the composite label generation unit 53 according to Embodiment 3 of the present invention replaces the label of a security class determined to be non-mergeable with a label indicating that merging is not possible.
  • the label indicating that the merge is not possible is a restriction label indicating that the flow to other attributes in the security group is restricted. That is, the transmission unit includes the security attribute disclosed to the communication partner in the disclosed label set as a restriction label that is a label that restricts the flow to other security attributes in the communication partner.
  • the security policy storage unit 55 may store the disclosure label in advance by associating the flag indicating whether partial disclosure is possible and the flag indicating whether merge is possible.
  • the security label storage unit 57 may store the security label 571 in association with the security group identification information, the common label, and the restriction label in advance.
  • FIG. 13 is a diagram illustrating an example of data in the composite label generation process when the security class Ei can be joined among the partial disclosures.
  • the security class Ei is a target of partial disclosure, and the security class D is not disclosed. Since handling of the security class D is the same as in the first and second embodiments, detailed description thereof is omitted.
  • the security label LEi is replaced with a common label LE that is a security label and added to the disclosure label set.
  • a conversion table for replacing the security label LEi with the disclosure label LE is prepared in advance for the dynamic information flow control system of the transmission source.
  • a security class E corresponding to the security label LE is prepared for the destination dynamic information flow control system. This preparation may be performed by an automatic procedure, or manually by the system administrator as a system setting.
  • the flow determination for the security class E in the destination dynamic information flow control system matches the flow determination that would have been performed for the security class Ei if the composite label generation of the third embodiment of the present invention were not performed.
  • the security class E is a security class that represents the security class Ei.
  • the security class Ei, transmitted as the security class E, can thus contribute to flow determination at the destination. Further, since the individual security class Ei is not disclosed, unnecessary disclosure of security attributes can be avoided. Further, as described in Non-Patent Document 1, since flow between the same class is generally possible, the following flow determination holds, and it can be expressed that the security class Ei can be merged while being represented by the security class E.
  • FIG. 14 is a diagram illustrating an example of data in the composite label generation process when the security class Ei cannot be merged among the cases where partial disclosure is performed.
  • the security class Ei is a target of partial disclosure, and the security class D is not disclosed. Since handling of the security class D is the same as in the first and second embodiments, detailed description thereof is omitted.
  • the security label LEi is replaced with two labels, a disclosure label LE and a restriction label LNi, and added to the disclosure label set.
  • the disclosure label LE is prepared in advance at the transmission source and the transmission destination as in the case where the merge is possible.
  • the restriction label LNi is associated with a security class Ni having characteristics satisfying the following expressions (4), (5), and (6), and is prepared in advance at the transmission source and the transmission destination.
  • the security class Ni expresses, by expressions (4), (5), and (6), the property that it cannot be merged. Such a security class Ni is not common in information flow control, but it is equivalent to enumerating all flow relations other than the flow from Ni to Nj, as in the flow determination (7) below. Therefore, it is consistent with the theoretical basis of information flow control.
  • the security class Ni can also be applied to security labels other than the security label LEi.
  • the security label LEi can be replaced with the disclosure label LE and the restriction label LNi
  • the security label LEi ′ can be replaced with the disclosure label LE ′ and the restriction label LNi. That is, the restriction label LNi represents only the non-merging property of the original security label, and the other properties are represented by the disclosure label LE and the disclosure label LE ′.
  • the security label LEi corresponding to the security class Ei is replaced with the disclosure label LE and the restriction label LNi, the disclosure label LE is made to correspond to the security class E representing the security class Ei, and the restriction label LNi cannot be merged.
  • the security class Ei can contribute to the determination of the destination flow as the security class combination E + Ni.
  • the individual security class Ei is not disclosed, and the correspondence between the security class Ei and the security class Ni is also not disclosed, so that unnecessary disclosure of security attributes can be avoided.
  • since the security class Ni is a security class that cannot be merged, the security class Ei can be represented by the security class E while remaining non-mergeable.
  • the conversion label can be restored in the same manner as in the first and second embodiments. Description is omitted.
  • LE is included in the disclosure label set as a disclosure label representing each security label LEi.
  • the restriction label LNi is also included in the disclosure label set, so that the security class Ei of the transmission source information flow control system contributes to flow determination in the transmission destination information flow control system as the security class E or as the security class combination E + Ni, while disclosure of unnecessary security attributes is avoided.
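To make the two partial-disclosure cases (FIG. 13, merge allowed; FIG. 14, merge not allowed) concrete, here is an added Python example that is not code from the patent. It performs the sending-side substitution LEi → LE or LEi → LE + LNi and applies, as a merge check on the receiving side, the only rule the text gives for the restriction class (Ni may flow to Ni but not to a different Nj). The security group E = {E1, E2}, the label names LE, LN1 and LN2, and the representation of class combinations as sets are constructed for the example; expressions (4) to (7) are not on this page, so the merge check is my reading of the text rather than a transcription of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMember:
    """Labels prepared in advance, at source and destination, for one member Ei of a security group."""
    label: str        # the member's own security label, e.g. "LE1"
    common: str       # common label LE shared by every member of the group
    restriction: str  # restriction label LNi, added only when Ei must not be merged


# Constructed security group E = {E1, E2}, e.g. persons a and b of one company.
SECURITY_GROUP = {
    "LE1": GroupMember("LE1", "LE", "LN1"),
    "LE2": GroupMember("LE2", "LE", "LN2"),
}
# Destination-side security label storage: it knows LE, LN1 and LN2 but never LE1 or LE2.
DEST_LABELS = {"LE": frozenset({"E"}), "LN1": frozenset({"N1"}), "LN2": frozenset({"N2"})}
RESTRICTION_CLASSES = frozenset({"N1", "N2"})


def partially_disclose(label, mergeable):
    """Disclosure labels that stand in for the security label LEi in the composite label.

    mergeable=True is the FIG. 13 case (LEi -> LE); mergeable=False is the FIG. 14
    case (LEi -> LE + LNi).
    """
    member = SECURITY_GROUP[label]
    if mergeable:
        return frozenset({member.common})
    return frozenset({member.common, member.restriction})


def destination_classes(disclosure_labels):
    """Security class combination the destination derives from a disclosure label set."""
    classes = set()
    for lab in disclosure_labels:
        classes |= DEST_LABELS[lab]   # an unknown label would be unregistered: KeyError
    return frozenset(classes)


def can_merge(left, right):
    """Restriction rule at the destination: Ni may flow to Ni but never to a different Nj."""
    l_res, r_res = left & RESTRICTION_CLASSES, right & RESTRICTION_CLASSES
    return not (l_res and r_res and l_res != r_res)


def join(left, right):
    """Class join (+) of two operands, refused when their restriction classes differ."""
    if not can_merge(left, right):
        raise PermissionError(f"cannot merge {sorted(left)} with {sorted(right)}")
    return frozenset(left | right)


def demo():
    """Salary records of E1 and E2, both sent under partial disclosure without merge permission."""
    e1 = destination_classes(partially_disclose("LE1", False))   # {E, N1}
    e2 = destination_classes(partially_disclose("LE2", False))   # {E, N2}
    same_person = join(e1, destination_classes(partially_disclose("LE1", True)))  # {E, N1}
    return e1, e2, same_person, can_merge(e1, e2)
```

The destination never sees LE1 or LE2, only E and the restriction classes, so it can still refuse to combine the E + N1 record with the E + N2 record while treating both as members of E for every other flow decision; a record from the same member disclosed with merge permission (plain E) joins E + N1 without objection.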
  • the transmission unit described above may, when all of the security attributes are disclosed to the communication partner, use a conversion label stored in the label information storage unit instead of generating a new one. Thereby, generation of unnecessary transmission conversion labels can be suppressed.
  • the composite label generation unit 53 refers to the composite label corresponding to the security label and the identifier of the destination dynamic information flow control system and, when no such composite label exists, always generates a transmission conversion label corresponding to the security label. Instead, in another embodiment of the invention, when the security class combination corresponding to the security label does not include any undisclosed security class, no new transmission conversion label is generated and a composite label may be generated from the security label using an existing conversion label. As a result, generation of unnecessary transmission conversion labels can be suppressed.
  • the temporary label is included in the converted label set, but it may be included in the disclosed label set. In this case, if it is determined in step S309 in FIG. 6 that an unregistered security label is included, the composite label analysis unit 54 determines that the label is a temporary label, and can proceed appropriately to step S313.
  • the composite label analysis unit 54 acquires from the composite label storage unit 56 the composite label 564 associated with the transmission conversion label acquired in step S305. Then, the composite label analysis unit 54 extracts the disclosure label set contained in the acquired composite label 564. Thereafter, in step S311, the composite label analysis unit 54 may use the extracted disclosure label set as the essential security class set. When a plurality of transmission conversion labels are included in one received composite label, the composite label analysis unit 54 acquires from the composite label storage unit 56 the composite label 564 corresponding to each of the transmission conversion labels and extracts their disclosure label sets. Thereby, a plurality of processing requests whose processing results are combined into one can be processed appropriately.
  • the composite label analysis unit 54 can set the disclosed label set itself included in the received composite label as a known security set. That is, in step S318, the composite label analysis unit 54 may compare the disclosed label set at the time of transmission with the disclosed label set at the time of reception.
  • the term pseudonymization is used here with the following meaning.
  • pseudonymization is the substitution of one identifier by another identifier.
  • correspondence between identifiers and alternative identifiers is not disclosed.
  • pseudonymization is a different concept from anonymization.
  • anonymization means not disclosing the identifier.
  • for example, a pseudonym is a pen name given as the writer's name on a letter to a newspaper column, whereas anonymization corresponds to withholding the writer's name (anonymous by request).
  • the identifier may be a security label. This is because the security label is an identifier indicating a classification from the viewpoint of security.
  • the present invention has been described as a hardware configuration, but the present invention is not limited to this.
  • the present invention can also realize arbitrary processing by causing a CPU (Central Processing Unit) to execute a computer program.
  • the program can be stored and supplied to a computer using various types of non-transitory computer readable media.
  • non-transitory computer readable media include various types of tangible storage media.
  • examples of non-transitory computer-readable media include magnetic recording media (e.g. flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g. magneto-optical discs), CD-ROM (Read Only Memory), CD-R, CD-R/W, DVD (Digital Versatile Disc), BD (Blu-ray (registered trademark) Disc), and semiconductor memory (e.g. mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory)).
  • the program may also be supplied to the computer by various types of transitory computer-readable media. Examples of transitory computer readable media include electrical signals, optical signals, and electromagnetic waves.
  • a transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fiber, or via a wireless communication path.
  • the present invention can be applied to the use of constructing an information processing system in which a plurality of dynamic information flow control systems are connected.

Abstract

In the case of processing the same data on the basis of different security labels at a transmission source and a transmission destination, among a plurality of dynamic information flow control systems, processing is performed appropriately, information leakage is prevented, and information is safely transmitted and received. A data processing system is provided with a transmission means for transmitting data to which a conversion label set and a disclosure label set have been added, to a communication partner, the conversion label set being a set of labels containing conversion labels obtained by converting labels which are names of a plurality of security attributes associated with the data to names different from those of the labels, and the disclosure label set being a set of labels indicating names of security attributes disclosed to the communication partner for processing the data; and a verification means for receiving the processing result of the data added with the conversion label set and the disclosure label set from the communication partner, and verifying security of the processing result using the conversion label set and the disclosure label set added to the received processing result.

Description

データ処理システム、情報フロー制御方法及びプログラムが格納された非一時的なコンピュータ可読媒体Non-transitory computer-readable medium storing data processing system, information flow control method, and program
 本発明は、データ処理システム、情報フロー制御方法及びプログラムが格納された非一時的なコンピュータ可読媒体に関し、特に、データに付加されたセキュリティ属性の名称を示すラベルに応じて動作する複数の動的情報フロー制御システムの間でデータを送受信するためのデータ処理システム、情報フロー制御方法及びプログラムが格納された非一時的なコンピュータ可読媒体に関する。 The present invention relates to a data processing system, an information flow control method, and a non-transitory computer-readable medium storing a program, and in particular, a plurality of dynamics that operate according to a label indicating the name of a security attribute added to data. The present invention relates to a data processing system for transmitting and receiving data between information flow control systems, an information flow control method, and a non-transitory computer readable medium storing a program.
 非特許文献1には、情報フロー制御システムの一例が記載されている。情報フロー制御システムとは、情報の伝播を所望の範囲に抑制するシステムである。特に、情報フロー制御システムは、中間処理や、仲介者を介した、多段の情報伝播であっても、所望の範囲に抑制できることを特徴とする。 Non-Patent Document 1 describes an example of an information flow control system. An information flow control system is a system that suppresses the propagation of information within a desired range. In particular, the information flow control system is characterized in that it can be suppressed to a desired range even in the case of intermediate processing or multistage information propagation via an intermediary.
 非特許文献1では、情報のセキュリティの観点からの分類であるセキュリティクラスと、それらのセキュリティクラスについてクラス結合演算が定義されている。さらに、非特許文献1では、ある演算の結果として得られる情報のセキュリティクラスは、被演算情報のセキュリティクラスの結合となることが示されている。 Non-Patent Document 1 defines security classes that are classifications from the viewpoint of information security, and class join operations for these security classes. Further, Non-Patent Document 1 shows that the security class of information obtained as a result of a certain calculation is a combination of the security classes of the information to be calculated.
 以下に、非特許文献1に記載された情報フロー制御システムの動作を説明する。まず、情報を保持する機能を持つものを論理ストレージとする。例えば、論理ストレージとは、プログラムにおける変数である。また、論理ストレージaが保持する情報には、当該情報のセキュリティ属性であるセキュリティクラスAが対応付けられているとする。また、論理ストレージbが保持する情報には、セキュリティクラスBが対応付けられているとする。このとき、論理ストレージaが保持する情報と論理ストレージbが保持する情報に対して、何らかの演算を適用した結果として得られる情報のセキュリティクラスは、A+Bとなる。ここで、記号「+」はクラス結合演算を示す。尚、非特許文献1では、「丸で囲まれた+」を記号として用いているが、本明細書では「+」で表記するものとする。さらに、論理ストレージcが保持する情報には、セキュリティクラスCが対応付けられているとする。このとき、論理ストレージa、b及びcが保持する情報に対して、何らかの演算を適用した結果として得られる情報のセキュリティクラスは、A+B+Cとなる。 The operation of the information flow control system described in Non-Patent Document 1 will be described below. First, a logical storage has a function for holding information. For example, logical storage is a variable in a program. Further, it is assumed that the information held by the logical storage a is associated with a security class A that is a security attribute of the information. Further, it is assumed that the security class B is associated with the information stored in the logical storage b. At this time, the security class of information obtained as a result of applying some operation to the information held in the logical storage a and the information held in the logical storage b is A + B. Here, the symbol “+” indicates a class join operation. In Non-Patent Document 1, “+” surrounded by a circle is used as a symbol. However, in this specification, “+” is used. Furthermore, it is assumed that the security class C is associated with the information stored in the logical storage c. At this time, the security class of information obtained as a result of applying some operation to the information held in the logical storages a, b, and c is A + B + C.
A flow relation defines, between the single or joined security classes described above, into which logical storage the information obtained as the result of an operation may be stored. For example, assume that the information held by logical storage d is associated with security class D, and let a flow relation be written with an arrow. Then, if the following flow relation (1) holds, information of security class A + B may be stored in the logical storage of security class D.
[Flow relation (1): equation image]

Assume further that the information held by logical storage e is associated with security class E. Then, if the following flow relation (2) does not hold, information obtained by applying some operation to the information held by logical storages a, b and c cannot be stored in logical storage e.
[Flow relation (2): equation image]
Thus, the information flow control system described in Non-Patent Document 1 controls the flow of information by defining a join operation on security classes, which are the security classifications of information, and by defining flow relations between security classes.
Non-Patent Document 2 describes another example of an information flow control system. FIG. 11 is a block diagram expressing the contents of Non-Patent Document 2 as an information flow control system. The information flow control system shown in FIG. 11 comprises Web services 81, 82 and 83, a security policy 84, a BPEL (Business Process Execution Language for Web Service) program verification means 85, a service cooperation system 86, and a cooperation result utilization means 88.
Web services 81, 82 and 83 each provide an independent service and transmit information with a security label attached to the service cooperation system 86. Here, a security label is the name of a single or joined security class as described in Non-Patent Document 1 above.
The service cooperation system 86 is a system that links the plurality of services provided by Web services 81, 82 and 83. It executes a BPEL program 87 in which the manner of service cooperation is described. That is, the service cooperation system 86 first receives information from each of Web services 81, 82 and 83. Next, it processes that information according to the BPEL program 87 and generates a cooperation result. It then attaches a security label to the generated cooperation result and transmits it to the cooperation result utilization means 88. In this way, the service cooperation system 86 realizes an information flow from Web services 81, 82 and 83 to the cooperation result utilization means 88.
The cooperation result utilization means 88 receives the cooperation result from the service cooperation system 86 and uses it according to the security label attached to the received information.
The security policy 84 defines which information may pass from Web services 81, 82 and 83 to the cooperation result utilization means 88. Here, the security policy 84 corresponds to the set of flow relations of Non-Patent Document 1 described above.
The BPEL program verification means 85 verifies the information flows produced by the BPEL program 87. That is, it verifies whether the BPEL program 87 can give rise to a flow of information that violates the security policy 84.
Note that the above security labels and the security policy 84 are determined before the information flow control system operates and remain constant throughout its operation. That is, although the information exchanged during operation may vary with the operation, the security label of that information is determined before operation. Likewise, the BPEL program verification means 85 performs its verification before the system operates, in accordance with the security policy 84.
Hereinafter, an information flow control system that, as above, verifies information flow violations before the system operates is called a static information flow control system.
Non-Patent Document 3 describes another example of an information flow control system. FIG. 12 is a block diagram expressing the contents of Non-Patent Document 3 as an information flow control system. The information flow control system shown in FIG. 12 processes information input from an information input source 94 and outputs the processing result to an information output destination 99. It comprises a program 91 in which the processing to be performed is described, an IRM (Inline Reference Monitor) 93 in which processing for information flow control is described, an IRM writing means 92 that inserts the IRM 93 into the program 91 to generate an IRM-equipped program 96, a program execution means 95 that executes the IRM-equipped program 96, a labeling policy 97 referred to by the IRM-equipped program 96, and an information flow policy 98 referred to by the IRM-equipped program 96.
Here, the labeling policy 97 defines the security labels to be attached to information input from the information input source 94 to the IRM-equipped program 96 and to information output from the IRM-equipped program 96 to the information output destination 99. The information flow policy 98 defines the flow relations between security labels.
The information flow control system shown in FIG. 12 operates as follows. The program execution means 95 executes the IRM-equipped program 96. In doing so, it executes the original processing described in the program 91, which forms part of the IRM-equipped program 96, and at the same time executes the processing described in the IRM 93 that the IRM writing means 92 inserted into that program.
Specifically, when storing information read from the information input source 94 into a logical storage in the program 91, the program execution means 95 attaches a security label to that logical storage in accordance with the labeling policy 97. When the program 91 performs an operation on information, the program execution means 95 attaches to the logical storage holding the operation result a label that is the join of the security labels of the operand information; this corresponds to the class join of Non-Patent Document 1 described above. When writing information read from a logical storage in the program 91 to the information output destination 99, the program execution means 95 decides, in accordance with the information flow policy 98, whether the write is permitted or denied; it writes the information if permitted and does not write it if denied.
Hereinafter, an information flow control system that, as above, verifies information flow violations while the system is operating is called a dynamic information flow control system.
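The class join and flow relation of Non-Patent Document 1 and the inline-monitor behaviour of FIG. 12 (label inputs by a labeling policy, join labels on operations, permit or deny writes by the flow relation), as an added example that is not code from the patent or from the cited documents. It assumes a powerset lattice (join is set union, "X -> Y" holds when X is a subset of Y) and uses the page's storages a to e; the classes assigned to d and e are constructed so that relation (1) holds and relation (2) does not.

```python
"""Added example: class join, flow relation and a dynamic (inline) monitor.

Assumption of this example: a security class is a frozenset of atomic classes,
the class join "+" is set union, and the flow relation X -> Y holds iff X <= Y.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SecurityClass = frozenset  # frozenset({"A", "B"}) is written A+B in the text


def join(*classes: SecurityClass) -> SecurityClass:
    """Class join: the class of an operation result is the join of its operands."""
    out: set = set()
    for c in classes:
        out |= c
    return frozenset(out)


def flows_to(source: SecurityClass, sink: SecurityClass) -> bool:
    """Flow relation source -> sink: may information of class `source`
    be stored in a logical storage of class `sink`? (assumed lattice)"""
    return source <= sink


def label_of(cls: SecurityClass) -> str:
    """Security label: the name of a single or joined class, e.g. "A+B"."""
    return "+".join(sorted(cls)) or "PUBLIC"


@dataclass
class Labeled:
    """A logical storage: a value plus the security class attached to it."""
    value: object
    cls: SecurityClass


class InlineMonitor:
    """Dynamic information flow control in the manner of IRM 93 / program
    execution means 95: labels are attached and checked while running."""

    def __init__(self, labeling_policy: Dict[str, SecurityClass],
                 flow_policy: Dict[str, SecurityClass]) -> None:
        self.labeling_policy = labeling_policy  # input source -> class of its data
        self.flow_policy = flow_policy          # output destination -> class of the sink
        self.log: List[Tuple[str, str, str, str]] = []

    def read_input(self, source: str, value: object) -> Labeled:
        """Labeling policy: data read from `source` gets the source's class."""
        return Labeled(value, self.labeling_policy[source])

    def compute(self, fn: Callable, *operands: Labeled) -> Labeled:
        """The result of an operation carries the join of the operand classes."""
        return Labeled(fn(*(o.value for o in operands)),
                       join(*(o.cls for o in operands)))

    def write_output(self, dest: str, item: Labeled) -> bool:
        """Permit the write iff the flow relation item.cls -> class(dest) holds."""
        sink = self.flow_policy[dest]
        allowed = flows_to(item.cls, sink)
        self.log.append((dest, label_of(item.cls), label_of(sink),
                         "permitted" if allowed else "denied"))
        return allowed


def demo() -> Tuple[bool, bool]:
    """Constructed run: a, b, c carry A, B, C; d and e accept exactly A+B."""
    labeling = {"a": frozenset({"A"}), "b": frozenset({"B"}), "c": frozenset({"C"})}
    flow = {"d": frozenset({"A", "B"}), "e": frozenset({"A", "B"})}
    m = InlineMonitor(labeling, flow)
    a, b, c = m.read_input("a", 10), m.read_input("b", 20), m.read_input("c", 30)
    ab = m.compute(lambda p, q: p + q, a, b)      # class A+B
    abc = m.compute(lambda p, q: p + q, ab, c)    # class A+B+C
    to_d = m.write_output("d", ab)    # relation (1) A+B -> D holds: permitted
    to_e = m.write_output("e", abc)   # relation (2) A+B+C -> E fails: denied
    return to_d, to_e


if __name__ == "__main__":
    print(demo())  # (True, False)
```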
Patent Document 1 discloses a technique relating to a variable identifier transmission method in which, when an identifier is transmitted to another device, a random number is appended to the identifier and the result is encrypted before transmission, thereby concealing information about the identifier from third parties.
Patent Document 2 discloses a technique relating to an information distribution method that easily realizes information distribution while ensuring confidentiality. In particular, the technique of Patent Document 2 performs the following processing. The information transmitting device of the slip issuer enumerates, for each viewer, pairs of a viewing range identifier, which identifies the range of the slip that the viewer is permitted to view, and a common (symmetric) key that encrypts that viewing range. The information transmitting device then encrypts these pairs with each viewer's public key to create decryption information and transmits it. At the same time, it encrypts the portion designated by each viewing range identifier with the corresponding common key and transmits it. Each viewer's information receiving device decrypts the received decryption information with its own private key and thereby obtains the common key for decrypting the viewing range permitted to it. The information receiving device then decrypts the permitted viewing range of the received slip with the common key obtained earlier.
Patent Document 3 discloses a technique relating to an information transmission method via electronic documents that takes into account both the security of information in the electronic document that should not become known and the adverse effects on business operations. In particular, the technique of Patent Document 3 performs the following processing. First, an anonymization level is determined that anonymizes the real-name words in the electronic document to a predetermined degree of abstraction. Next, an additional label corresponding to the identification number of the recipient of the electronic document is generated. Then, for each real-name word, an anonymous word is selected from a real-name word/anonymous word dictionary, which stores the correspondence between real-name words and anonymous words that are abstract concepts of those real-name words. By appending the additional label to the anonymous word, an anonymized word having a one-to-one relationship with the real-name word is generated. Further, a real-name word/anonymized word map dedicated to that identification number is generated, which stores the one-to-one relationship between anonymized words and real-name words.
Patent Document 4 discloses a technique relating to an information asset management server that publishes information assets externally while maintaining their safety. The information asset management server of Patent Document 4 stores asset information for storage received from a user terminal together with a security label that prescribes the rules to be observed when the asset information is published externally. The server generates and stores meta information based on the security label, and then generates and stores a public information asset obtained by processing the stored asset information based on that meta information.
Patent Document 5 discloses a technique relating to a process management source sharing prevention method and program that avoids name collisions by renaming the objects that are created, thereby preventing resource sharing. The method and program of Patent Document 5 forcibly make an application program that itself prevents concurrent execution of multiple processes capable of running as multiple concurrent processes, and thereby provide a foundation for information flow control.
Patent Document 6 discloses a technique relating to an encrypted ID handling method and a CRM (Customer Relationship Management) system that prevent theft of the encryption key and decryption of skimmed numbers. The CRM system of Patent Document 6 makes use of RFID (Radio Frequency Identification) with an encrypted tag management unit. The encrypted tag management unit comprises an encrypted tag manufacturing unit, which manufactures serial encrypted tags into which an encrypted serial ID, obtained by encrypting the RFID serial ID with a common key, is written, and a decryption unit, which receives the encrypted serial ID read out by a user with an RFID reader and decrypts it to the serial ID with the common key.
JP 2004-317764 A
JP 2002-259634 A
JP 2003-016064 A
JP 2008-181224 A
JP 2008-234128 A
JP 2009-009421 A
However, in Non-Patent Documents 2 and 3 and Patent Documents 1 to 6 described above, when data with security labels attached is transmitted and received between a plurality of dynamic information flow control systems, there is the problem that the source and the destination cannot appropriately process the same data on the basis of differing security labels, and so cannot prevent information leakage and transmit and receive information safely.
The first reason is that the technique of Non-Patent Document 2 performs static information flow control, so that the security labels are fixed statically and dynamic information flow control systems cannot be linked. The second reason is that the technique of Non-Patent Document 3 transmits the security label accompanying the information as it is, and so cannot support secure linking. The third reason is that the technique of Patent Document 1 cannot handle the case where a security label has a complex internal structure such as a join of security classes.
Below, the second of these reasons is explained in more detail to make clear the problem addressed by the present invention. Because a security label is itself "information" indicating the security classification of information, the security label itself also has a security classification. For example, suppose that information flow control system s1 manages information with security classes and security labels associated as follows. Information denoting company c is associated with security class C and security label LC. Information denoting person a is associated with security class A and security label LA. The labeling policy of s1 associates security class C + A, the join of C and A, with security label LX. Consequently, the salary information x of person a, who works for company c, is associated with security label LX, and s1 is thereby able to manage the salary information x of person a.
Next, suppose that information flow control system s2 provides a service that receives the salary information of multiple employees from multiple companies, processes the salary information statistically per company, and returns the results. s2 needs to identify which company the received salary information belongs to, but does not need to identify which person it belongs to. Suppose also that information flow control system s3 provides a service that manages the salary transfer accounts of individuals, including person a. s3 needs to identify which person the received salary information belongs to, but does not need to identify which company it belongs to.
Here, when s1 attaches security label LX to the salary information x of person a at company c and transmits it to s2 and s3, the following problem arises: s2 cannot determine whether the security label LX attached to the received salary information x belongs to security class C. s1 can determine that LX corresponds to C + A by referring to its own labeling policy, but s2 has no labeling policy associating LX with C + A. Hence s2 cannot distinguish the security classification of company c from that of other companies; that is, in this case s2 cannot process the received information appropriately according to its security label.
Alternatively, when s1 attaches security labels LC and LA to the salary information x of person a at company c and transmits it to s2 and s3, the following problem arises: s2 may be able to identify that salary information x concerns person a. This is because s2 can identify from the received label LC that salary information x belongs to company c, s3 can identify from the received label LA that salary information x belongs to person a, and the labels LC and LA are transmitted to both s2 and s3. Therefore, if s2 obtains the fact that s3 identified person a by security label LA, s2 can associate the salary information x it received, which carries the same label LA, with person a. That is, in this case the information carried by the security labels cannot be concealed, and the salary information x of person a leaks to s2.
Consider further the following case. Information denoting person b is associated with security class B and security label LB. The labeling policy of s1 associates security class C + B, the join of C and B, with security label LY. Consequently, the salary information y of person b, who works for company c, is associated with security label LY, and s1 is thereby able to manage the salary information y of person b.
In this case, when s1 attaches security labels LC and LB to the salary information y of person b at company c and transmits it to s2, the following problem arises: even when s1 receives the processing result of salary information x from s2, it cannot determine whether that information has been tampered with. This is because s2, when returning the processing result of salary information y, can, whether maliciously or through a defect, attach the previously received security label LA in place of LB. In that case, because label LA is attached to the processing result received from s2, s1 wrongly identifies that result as concerning person a. That is, s1 cannot detect that the processing result received from s2 has been tampered with; in addition, the processing result for person b is processed and disclosed within s1 as person a's, so that information leaks.
Further, when s1 attaches only security label LC to the salary information x of person a at company c, omitting security label LA, and transmits it to s2, the following problem arises: even when s1 receives the processing result of salary information x from s2, it cannot identify that result as concerning person a. This is because s1 transmitted only LC as the security label to s2; accordingly, LA is never attached to the processing result received from s2, and s1 cannot identify the pair of labels LC and LA from that result. That is, in this case s1 cannot process the received processing result appropriately according to its security label.
Note that Patent Document 2 is a related technique that limits, for a single piece of information, the range of that information disclosed according to the destination. Patent Document 3 is a related technique that applies different anonymization to the information itself according to the destination's disclosure level. Patent Document 4 is a related technique that generates a public information asset based on a security label. Patent Document 5 is a related technique providing a foundation for information flow control. Patent Document 6 is a related technique applying common-key cryptography to RFID. Therefore, even combining these techniques cannot solve the problems described above.
The present invention was made to solve these problems, and its object is to provide a data processing system, an information flow control method, and a non-transitory computer-readable medium storing a program that, when a plurality of dynamic information flow control systems process the same data on the basis of security labels that differ between source and destination, process the data appropriately, prevent information leakage, and transmit and receive information safely.
A data processing system according to a first aspect of the present invention comprises: transmission means for attaching to data a converted label set, which is a set of labels including converted labels obtained by converting the labels that are the names of a plurality of security attributes associated with the data into names different from those labels, and a disclosed label set, which is a set of labels indicating the names of those security attributes, among the plurality of security attributes, that are disclosed in order to have a communication partner process the data, and for transmitting the data to the communication partner; and verification means for receiving from the communication partner the processing result of the data with the converted label set and the disclosed label set attached, and for verifying the security of the processing result using the converted label set and the disclosed label set attached to the received processing result.
An information flow control method according to a second aspect of the present invention controls a data processing device and comprises: a transmission step of attaching to data a converted label set, which is a set of labels including converted labels obtained by converting the labels that are the names of a plurality of security attributes associated with the data into names different from those labels, and a disclosed label set, which is a set of labels indicating the names of those security attributes, among the plurality of security attributes, that are disclosed in order to have a communication partner process the data, and transmitting the data to the communication partner; a step of receiving from the communication partner the processing result of the data with the converted label set and the disclosed label set attached; and a verification step of verifying the security of the processing result using the converted label set and the disclosed label set attached to the received processing result.
The non-transitory computer-readable medium according to the third aspect of the present invention stores an information flow control program that causes a computer to execute information flow control processing including: transmission processing of adding, to data, a converted label set, which is a set of labels including a converted label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data into a name different from that label, and a disclosed label set, which is a set of labels indicating the names of those security attributes, among the plurality of security attributes, that are disclosed in order to have the communication partner process the data, and of transmitting the data to the communication partner; and verification processing of receiving from the communication partner a processing result of the data to which the converted label set and the disclosed label set have been added, and of verifying the security of the processing result using the converted label set and the disclosed label set added to the received processing result.
The present invention thus provides a data processing system, an information flow control method and a non-transitory computer-readable medium storing a program that, when the same data is processed among a plurality of dynamic information flow control systems on the basis of security labels that differ between the sender and the receiver, process the data appropriately, prevent information leakage and transmit and receive information safely.
A block diagram showing the configuration of the information flow control system according to Embodiment 1 of the present invention.
A flowchart showing the flow of the information flow control process according to Embodiment 1 of the present invention.
A block diagram showing the configuration of the information flow control system according to Embodiment 2 of the present invention.
A flowchart showing the flow of the composite label generation process according to Embodiment 2 of the present invention.
A diagram showing an example of the data in the composite label generation process according to Embodiment 2 of the present invention.
A flowchart showing the first half of the composite label analysis process according to Embodiment 2 of the present invention.
A flowchart showing the second half of the composite label analysis process according to Embodiment 2 of the present invention.
A diagram showing an example of the data in the composite label analysis process according to Embodiment 2 of the present invention.
A diagram showing an example of the data stored in the security label storage unit in Example 1 of the present invention.
A diagram showing an example of the data stored in the composite label storage unit in Example 1 of the present invention.
A block diagram showing the configuration of an information flow control system according to related technology.
A block diagram showing the configuration of an information flow control system according to related technology.
A diagram showing an example of the data in the composite label generation process according to Embodiment 3 of the present invention.
A diagram showing an example of the data in the composite label generation process according to Embodiment 3 of the present invention.
Specific embodiments to which the present invention is applied are described in detail below with reference to the drawings. In the drawings, the same elements are denoted by the same reference numerals, and redundant description is omitted where appropriate for clarity.
<Embodiment 1 of the Invention>
FIG. 1 is a block diagram showing the configuration of the dynamic information flow control system according to Embodiment 1 of the present invention. The data processing system 10 is a computer system that transmits data to and receives data from a communication partner 20, which may be any information system. The data processing system 10 comprises a transmission unit 11 and a verification unit 12.
The transmission unit 11 adds a converted label set 32 and a disclosed label set 33 to data 31 and transmits the data 31 to the communication partner 20. Here, the converted label set 32 is a set of labels that includes at least one converted label, obtained by converting a label that is the name of one of the plurality of security attributes associated with the data 31 into a name different from that label. It is assumed that the communication partner 20 cannot convert a converted label back into the original label. The disclosed label set 33 is the set of labels indicating the names of those security attributes, among the plurality of security attributes associated with the data 31, that are disclosed in order to have the communication partner 20 process the data 31. In other words, the disclosed label set 33 is the set of labels that the data processing system 10 has judged may be disclosed to the communication partner 20, and it is used for flow determination at the communication partner 20. The disclosed label set 33 need only contain at least one label.
The transmission unit 11 may, for example, include the converted label set 32 and the disclosed label set 33 in the communication packet that carries the data 31. Alternatively, for session-based communication, the transmission unit 11 may specify the converted label set 32 and the disclosed label set 33 at the start of a session, in which case the converted label set 32 and the disclosed label set 33 are regarded as added to all data transmitted and received during that session.
The verification unit 12 receives from the communication partner 20 a processing result 34 of the data 31, to which a converted label set 35 and a disclosed label set 36 have been added, and verifies the security of the processing result 34 using the converted label set 35 and the disclosed label set 36 added to the received processing result 34.
Accordingly, when the verification unit 12 determines that the security of the processing result 34 is problematic, the data processing system 10 can prevent an information flow violation by discarding the received processing result 34.
FIG. 2 is a flowchart showing the flow of the information flow control process according to Embodiment 1 of the present invention. First, the transmission unit 11 transmits the data 31, with the converted label set 32 and the disclosed label set 33 added, to the communication partner 20 (S10).
The communication partner 20 then performs predetermined processing on the basis of the disclosed label set 33 added to the received data 31 and generates a processing result 34. In doing so, the communication partner 20 leaves at least the converted labels contained in the received converted label set 32 unconverted, producing a converted label set 35 that contains the converted label set 32. The communication partner 20 also generates a disclosed label set 36 that contains at least the disclosed label set 33. The communication partner 20 then adds the converted label set 35 and the disclosed label set 36 to the generated processing result 34 and transmits it to the data processing system 10.
The verification unit 12 then receives the processing result 34 from the communication partner 20 (S20). The received processing result 34 carries the converted label set 35 and the disclosed label set 36. The verification unit 12 then verifies the security of the processing result 34 using the converted label set 35 and the disclosed label set 36 contained in the received processing result 34 (S30).
In this way, first, the data processing system 10 can have the communication partner 20 process the data 31 on the basis of the security attributes contained in the disclosed label set 33; that is, the data processing system 10 can have the communication partner 20 process the data appropriately.
At the same time, of the plurality of security attributes associated with the data 31, the data processing system 10 discloses to the communication partner 20 none of the security attributes whose labels lie outside the disclosed label set 33, because the communication partner 20 cannot learn which original labels the converted labels 32 were converted from. The data processing system 10 therefore discloses no more security attributes to the communication partner 20 than necessary, and information leakage can be prevented.
Furthermore, the data processing system 10 can, for example, detect tampering by comparing the converted label set 35 added to the processing result 34 received from the communication partner 20 with the converted label set 32. Similarly, by comparing the disclosed label set 36 added to the processing result 34 received from the communication partner 20 with the disclosed label set 33, the data processing system 10 can process the processing result 34 appropriately.
Thus, Embodiment 1 of the present invention makes it possible, when the same data is processed among a plurality of dynamic information flow control systems on the basis of security labels that differ between sender and receiver, to process the data appropriately, prevent information leakage and transmit and receive information safely.
<Embodiment 2 of the Invention>
FIG. 3 is a block diagram showing the configuration of the dynamic information flow control system according to Embodiment 2 of the present invention. Embodiment 2 of the present invention shown in FIG. 3 comprises a dynamic information flow control system 40 and a dynamic information flow control system 41 or 42 that exchanges with the dynamic information flow control system 40 information to which a composite label (described below) has been added. For convenience in explaining the effects of the present invention clearly, this embodiment uses two dynamic information flow control systems, 41 and 42, that exchange information with the dynamic information flow control system 40; the invention is not limited to this, however, and any number may be used. The dynamic information flow control systems 41 and 42 are assumed to adopt the same internal configuration as the dynamic information flow control system 40, and in Embodiment 2 of the present invention illustration and description of their internal configuration are omitted.
The dynamic information flow control systems 41 and 42 need not adopt the same configuration as the dynamic information flow control system 40. In that case, the dynamic information flow control systems 41 and 42 are assumed to be able at least to recognize the composite label added to information received from the dynamic information flow control system 40, and at least to be able to add a composite label to a processing result when returning the processing result of the received information to the dynamic information flow control system 40.
The dynamic information flow control systems 40, 41 and 42 are each realized as a combination of a computer and software running on that computer. For an application unit operating on a dynamic information flow control system, the flow of information handled by the application unit is controlled on the basis of the security label attached to the information. Details of how such a dynamic information flow control system is constructed are known to those skilled in the art and are omitted; this embodiment describes the configuration and operation added to a dynamic information flow control system so that it can exchange information safely with other dynamic information flow control systems.
Here, a composite label is a label in which a converted label set and a disclosed label set are concatenated. The converted label set contains at least one converted label. As in Embodiment 1 described above, a converted label is obtained by converting a security label, which is the name of one of the plurality of security attributes associated with the data to be transmitted or received, into a name different from that security label. It is assumed that the dynamic information flow control systems 41 and 42 cannot convert a converted label received from the dynamic information flow control system 40 back into the original label. The converted label set may also contain temporary labels, which are labels other than the converted labels the system itself generated. For convenience, a temporary label is assigned a temporary security class (hereinafter "temporary class"), which is a temporary security attribute. A temporary class is a security class that is subject to processing in a system other than the dynamic information flow control system 40. In flow determination within the dynamic information flow control system 40, a temporary class is treated as the least restrictive security class, one that may flow to any logical storage.
The disclosed label set is the set of disclosed labels, that is, those security labels, among the plurality of security labels associated with the data 31, that are disclosed in order to have either the dynamic information flow control system 41 or 42 process the data. The disclosed label set is used for flow determination in the dynamic information flow control systems 41 and 42. The disclosed label set need only contain at least one disclosed label.
The following notation is used below. A set of labels is written with braces as "{L1, L2, ..., Ln}", and a pair of label sets is written with parentheses as "(label set, label set)". In a composite label, the converted label set is written as the first element of the pair and the disclosed label set as the second. For example, the composite label in which the converted labels LX, LY and LZ are concatenated with the disclosed labels LA, LB and LC is written "({LX, LY, LZ}, {LA, LB, LC})".
The dynamic information flow control system 40 shown in FIG. 3 comprises an application unit 51, a disclosure determination unit 52, a composite label generation unit 53, a composite label analysis unit 54, a security policy storage unit 55, a composite label storage unit 56, a security label storage unit 57 and a temporary class storage unit 58.
The application unit 51 processes information transmitted to and received from the dynamic information flow control system 41 or 42. It realizes information flow control by processing that information according to the security label added to it. Specifically, the application unit 51 first inputs to the composite label generation unit 53 the security label to be added to the information to be transmitted and the destination system ID, which is the identifier of the dynamic information flow control system the information is addressed to. The application unit 51 then adds the composite label output by the composite label generation unit 53 to the information to be transmitted and transmits it to the dynamic information flow control system 41 or 42 indicated by the destination system ID; for example, the application unit 51 transmits to the dynamic information flow control system 41 or 42 a processing request concerning that information. The application unit 51 also receives information with a composite label added from the dynamic information flow control system 41 or 42. It inputs the received composite label to the composite label analysis unit 54, accepts the security label output by the composite label analysis unit 54, and processes the information accordingly; for example, the application unit 51 receives the processing result of information it transmitted itself.
The security label storage unit 57 stores pairs of a security label 571 and a class combination 572, which is a combination of security classes. Here, a class combination 572 is expressed as a kind of security class set. The security label storage unit 57 returns the class combination 572 for a lookup keyed by the security label 571, and returns the security label 571 for a lookup keyed by the class combination 572. If no return value corresponding to the key exists for either kind of lookup, the security label storage unit 57 reports that fact. A class combination 572 may include the temporary classes described above. The pairs of security label 571 and class combination 572 held by the security label storage unit 57 may be registered either while the dynamic information flow control system 40 is operating or, before it starts operating, as part of the system's security settings.
The temporary class storage unit 58 stores pairs of a converted label 581 and a temporary class 582; these are not used for flow determination within the dynamic information flow control system 40. It returns the temporary class 582 for a lookup keyed by the converted label 581, and returns the converted label 581 for a lookup keyed by the temporary class 582. If no return value corresponding to the key exists for either kind of lookup, the temporary class storage unit 58 reports that fact.
The composite label generation unit 53 accepts from the application unit 51 the security label to be added to the information to be transmitted and the destination system ID, and generates a composite label from that security label. It then outputs the generated composite label to the application unit 51. The processing of the composite label generation unit 53 is described in detail later with reference to FIG. 4.
The security policy storage unit 55 stores the disclosed labels described above in association with the system IDs of the dynamic information flow control systems they may be disclosed to. The disclosure determination unit 52 refers to the security policy storage unit 55 and determines, from a security class and the identifier of a dynamic information flow control system, whether that security class may be disclosed to that dynamic information flow control system. Although the disclosure determination by the disclosure determination unit 52 is realized here using the security policy storage unit 55, the invention is not limited to this; the disclosure destinations may be defined by other methods.
The composite label storage unit 56 stores tuples consisting of a destination system ID 561, which is the identifier of the dynamic information flow control system to which the information is sent, a security label 562 assigned to that information within the dynamic information flow control system 40, a transmission converted label 563 obtained by converting the security label 562, and the composite label 564 added when the information is transmitted to the destination system ID 561. For example, the composite label generation unit 53 may output the generated composite label to the application unit 51 and also store it in the composite label storage unit 56. The composite label storage unit 56, the security label storage unit 57 and the temporary class storage unit 58 can together be called the label information storage means, which store information concerning labels.
In other words, the application unit 51, the disclosure determination unit 52 and the composite label generation unit 53 can be called the transmission unit. The transmission unit preferably converts the plurality of security attributes to generate a converted label, generates the converted label set including that converted label, selects from the plurality of security attributes those to be disclosed to the communication partner to generate the disclosed label set, concatenates the converted label set and the generated disclosed label set to generate a composite label, and transmits the data with that composite label added to the communication partner. This packages the converted labels and the disclosed label set added to the transmitted information into a single composite label, which improves the accuracy of tamper detection.
When transmitting data to another communication partner different from the first, the transmission unit preferably generates the converted label by converting the plurality of security attributes so that the resulting name differs from the converted label used for the first communication partner. For example, when the same information is transmitted to the dynamic information flow control systems 41 and 42, the composite label generation unit 53 preferably makes the converted label generated for the dynamic information flow control system 41 different from the one generated for the dynamic information flow control system 42. This makes the labels hard to decode even if the contents sent to several communication partners are compared with each other.
Further, the transmission unit preferably generates, from a label that is the name of one of the plurality of security attributes, a converted label that differs from past converted labels. That is, when the composite label generation unit 53 generates a converted label again from a security label that was added to information transmitted in the past, it preferably generates a converted label different from the earlier one; in other words, the composite label generation unit 53 preferably generates different converted labels from the same security label. This makes the labels hard to decode even if several transmissions are compared with each other.
The composite label analysis unit 54 accepts from the application unit 51 the composite label added to the received processing result, analyzes the composite label and converts it back into a security label. It then outputs the reconverted security label to the application unit 51. During the analysis, the composite label analysis unit 54 queries the disclosure determination unit 52 as needed. The processing of the composite label analysis unit 54 is described in detail later with reference to FIGS. 6 and 7.
Here, the processing result received by the application unit 51 contains the converted label that the composite label generation unit 53 generated at the time of transmission. Accordingly, among the converted labels in the converted label set contained in the received composite label, the composite label analysis unit 54 converts those generated by its own composite label generation unit 53 back into security labels. The composite label analysis unit 54 then calculates the mandatory security class set, which the received composite label must contain, by removing the set of non-disclosed security classes from the security class combination corresponding to the reconverted security label. Next, the composite label analysis unit 54 removes the transmission converted label from the converted label set contained in the received composite label, and removes unknown security classes from the security class set corresponding to the remaining converted label set. Similarly, it removes unknown security classes from the security class set corresponding to the disclosed label set contained in the received composite label. Here, an unknown security class is a security class corresponding to a newly acquired security label. In this way the composite label analysis unit 54 calculates the known security class set. Finally, the composite label analysis unit 54 determines whether the known security class set contains the mandatory security class set.
In other words, the application unit 51, the disclosure determination unit 52 and the composite label analysis unit 54 can be regarded as a verification unit. The verification unit acquires, from the label information storage means, the conversion label corresponding to the conversion label set attached to the received processing result; based on the acquired conversion label, it identifies the essential label set, that is, the set of labels indicating the names of the security attributes disclosed to the communication partner of the received processing result; and when the identified essential label set is included in the disclosed label set attached to the received processing result, it judges the received processing result to be legitimate. This makes it possible to detect the validity of the processing result accurately.
Further, it is desirable that the verification unit assigns a temporary security attribute to each temporary label, that is, each label in the conversion label set attached to the received processing result other than the conversion labels stored in the label information storage means, adds the temporary security attribute to the plurality of security attributes associated with the data, and stores the temporary label and the temporary security attribute in association with each other in the label information storage means. In that case, it is desirable that the transmission unit described above generates the conversion label by converting the plurality of security attributes to which the verification unit has added the temporary security attribute, acquires the temporary label associated with the temporary security attribute from the label information storage means, and generates the conversion label set including both the generated conversion label and the acquired temporary label. This increases the accuracy of detection, and allows the system's own information flow control to handle attributes that do not contribute to its flow determination. Consider, for example, the case where the conversion label set that the dynamic information flow control system 41 receives from the dynamic information flow control system 42 includes a conversion label generated by the dynamic information flow control system 42. The dynamic information flow control system 41 cannot map that conversion label to a security class. The dynamic information flow control system 41 therefore treats the conversion label as a temporary label and assigns it a temporary security class, which allows it to process the information appropriately. When the dynamic information flow control system 41 replies to the dynamic information flow control system 42, it generates a conversion label set that additionally includes the temporary label. As a result, the conversion label set that the dynamic information flow control system 42 receives from the dynamic information flow control system 41 includes the conversion label that it generated itself, so the dynamic information flow control system 42 can also process the reply appropriately. Note that even when the received conversion label set includes a conversion label generated by a system other than the one it was received from, the dynamic information flow control system 41 can likewise process it appropriately by assigning a temporary security class.
Further, when the disclosed label set attached to the received processing result includes a new label not included in the essential label set, the verification unit may add the security attribute corresponding to the new label to the plurality of security attributes. This allows the added class to be incorporated and improves security.
Note that the dynamic information flow control systems 41 and 42 receive information from the dynamic information flow control system 40, but that information is contained in a processing request. That is, the application unit 51 in the dynamic information flow control systems 41 and 42 receives new information rather than the processing result of information it transmitted itself. The composite label attached to the information received by the application unit 51 may therefore be one it has never seen before.
That is, when the received information is not the processing result of information the system itself transmitted, in other words when it is information transmitted spontaneously by another system, calculating the essential security class set described above in the application unit 51 yields the empty set, because the composite label of the received information contains no conversion label generated by the system's own composite label generation unit 53. The known security class set therefore necessarily includes the essential security class set, the check passes, and the information is received normally. Consequently, the composite label of received information can be checked by the same procedure above whether it accompanies a reply or spontaneously transmitted information.
As described above, the composite label generation unit 53 according to the second embodiment of the present invention generates a different conversion label for each destination dynamic information flow control system. The composite label analysis unit 54 according to the second embodiment checks the disclosed label set included in the received composite label and, when the check fails, discards the information to which the composite label was attached, thereby preventing information flow violations.
Next, the composite label generation process according to the second embodiment of the present invention is described. First, the composite label generation unit 53 looks up the composite label storage unit 56 using the identifier of the destination dynamic information flow control system and the security label of the information to be transmitted as the key. When a composite label corresponding to that key is found, the security label is replaced with that composite label.
The operation of the composite label generation unit 53 when no composite label is obtained by the procedure so far is now described in detail with reference to FIGS. 4 and 5. FIG. 4 is a flowchart showing the flow of the composite label generation process according to the second embodiment of the present invention. FIG. 5 shows an example of the data in the composite label generation process according to the second embodiment.
First, the composite label generation unit 53 converts the security label of the information to be transmitted to generate a transmission conversion label, which is a conversion label (S201). In FIG. 5, for example, the composite label generation unit 53 converts the security label LX to generate the transmission conversion label LX'. Here, the composite label generation unit 53 generates the transmission conversion label so that it is unique across the plurality of dynamic information flow control systems, including the dynamic information flow control systems 40, 41 and 42. For example, the transmission conversion label is a UUID (Universally Unique Identifier; see ISO (International Organization for Standardization)/IEC (International Electrotechnical Commission) 11578:1996 and RFC (Request for Comments) 4122). Since the method of generating a UUID is known to those skilled in the art, further description is omitted.
In parallel with step S201, the composite label generation unit 53 refers to the security label storage unit 57 and acquires the security class set corresponding to the security label (S202). In FIG. 5, for example, the composite label generation unit 53 acquires the class combination Y+Z+A+B+C. The composite label generation unit 53 then refers to the temporary class storage unit 58 and determines whether each security class in the acquired security class set belongs to a temporary class (S203). In FIG. 5, for example, it determines that the security classes Y and Z are temporary classes. When there are security classes determined to be temporary classes, the composite label generation unit 53 acquires the temporary conversion labels corresponding to those temporary classes from the temporary class storage unit 58 (S204). In FIG. 5, for example, it acquires the security labels LY and LZ from the temporary classes Y and Z.
The composite label generation unit 53 then concatenates the transmission conversion label generated in step S201 and the temporary conversion labels acquired in step S204 to generate the conversion label set (S205). In FIG. 5, for example, it generates the conversion label set {LX', LY, LZ}.
When there are security classes determined in step S203 not to belong to a temporary class, the composite label generation unit 53 queries the disclosure determination unit 52 using the security classes remaining after the temporary classes are removed from the security class set, together with the destination dynamic information flow control system, as the key, and determines whether each is a disclosure target (S206). In FIG. 5, for example, of the security classes A, B and C, it determines A and B to be disclosure targets and C to be non-disclosed. When there are security classes determined to be disclosure targets, the composite label generation unit 53 refers to the security label storage unit 57 and acquires the security labels corresponding to those security classes (S207). In FIG. 5, for example, it acquires the security labels LA and LB from the security classes A and B. It then concatenates the acquired security labels to generate the disclosed label set (S208). In FIG. 5, for example, it generates the disclosed label set {LA, LB}. If it is determined in step S206 that none of the security classes is a disclosure target, the composite label generation unit 53 generates an empty disclosed label set.
Further, the composite label generation unit 53 concatenates the conversion label set generated in step S205 and the disclosed label set generated in step S208 to generate the composite label (S209). In FIG. 5, for example, it generates the composite label ({LX', LY, LZ}, {LA, LB}). The application unit 51 then attaches the composite label generated by the composite label generation unit 53 to the data and transmits it (S210). At the same time, the composite label generation unit 53 stores the destination system ID, the security label, the transmission conversion label and the generated composite label in association with each other in the composite label storage unit 56 (S211).
Next, the composite label analysis process according to the second embodiment of the present invention is described in detail with reference to FIGS. 6, 7 and 8. FIG. 6 is a flowchart showing the first half of the composite label analysis process according to the second embodiment, FIG. 7 is a flowchart showing the second half of that process, and FIG. 8 shows an example of the data in the composite label analysis process according to the second embodiment.
First, the application unit 51 receives a processing result with a composite label attached (S301), and the composite label analysis unit 54 receives from the application unit 51 the composite label attached to that processing result. Next, the composite label analysis unit 54 separates the composite label into the conversion label set and the disclosed label set (S302). In FIG. 8, for example, it separates the composite label into the conversion label set {LX', LY, LZ, LV} and the disclosed label set {LA, LB, LD}.
The composite label analysis unit 54 then refers to the composite label storage unit 56 and determines whether the conversion label set includes a transmission conversion label that it generated itself (S303). In FIG. 8, for example, it determines that the conversion label set {LX', LY, LZ, LV} includes the transmission conversion label LX'. When it determines that a transmission conversion label is included, the composite label analysis unit 54 acquires the destination system ID associated with that transmission conversion label from the composite label storage unit 56 (S304). At the same time, it refers to the composite label storage unit 56 and acquires the security label corresponding to each transmission conversion label included in the conversion label set (S305). In FIG. 8, for example, it acquires the security label LX from the transmission conversion label LX'. The composite label analysis unit 54 then refers to the security label storage unit 57 and acquires the security class set corresponding to the acquired security label (S306). In FIG. 8, for example, it acquires the class combination Y+Z+A+B+C from the security label LX.
Thereafter, the composite label analysis unit 54 refers to the temporary class storage unit 58 and determines whether each security class in the acquired security class set belongs to a temporary class (S307). In FIG. 8, for example, it determines that the security classes Y and Z are temporary classes. When there are security classes determined not to belong to a temporary class, the composite label analysis unit 54 queries the disclosure determination unit 52 using the security classes remaining after the temporary classes are removed from the security class set, together with the destination dynamic information flow control system, as the key, and determines whether each is a disclosure target (S308). In FIG. 8, for example, of the security classes A, B and C, it determines A and B to be disclosure targets and C to be non-disclosed. When there are security classes determined to be disclosure targets, the composite label analysis unit 54 generates the essential security class set containing those security classes (S311). In FIG. 8, for example, it generates the essential security class set {A, B}. When step S307 finds security classes belonging to a temporary class, or after step S311, processing proceeds to step S318 described later. Also, after step S306, the composite label analysis unit 54 includes each security class in the acquired security class set in the new security class combination (S315). In FIG. 8, for example, it generates the new security class combination Y+Z+A+B+C.
For each label in the conversion label set that step S303 determines is not a transmission conversion label generated by the unit itself, the composite label analysis unit 54 determines whether a temporary class for that security label can be acquired from the temporary class storage unit 58 (S313). When a temporary class can be acquired, the composite label analysis unit 54 acquires the temporary class corresponding to that security label from the temporary class storage unit 58 (S314). In FIG. 8, for example, it acquires the temporary classes Y and Z from the security labels LY and LZ. It then includes the acquired temporary classes in the new security class combination (S315); in FIG. 8 nothing is newly added, because the new security class combination already contains them. At the same time, the composite label analysis unit 54 includes the acquired temporary classes in the known security class set (S312). In FIG. 8, for example, it generates the known security class set {Y, Z}.
When step S313 determines that no temporary class can be acquired, the composite label analysis unit 54 assigns a new temporary class to that security label (S316). In FIG. 8, for example, it assigns the temporary class V to the security label LV. That is, when the conversion label set contains a label that is neither a transmission conversion label generated by the unit itself nor a temporary class acquired in the past, the composite label analysis unit 54 assigns a new temporary class. It then registers the assigned temporary class and the security label in the temporary class storage unit 58 (S317). At the same time, it includes the assigned temporary class in the new security class combination (S315). In FIG. 8, for example, it generates the new security class combination Y+Z+V+A+B+C.
In parallel with step S303, the composite label analysis unit 54 refers to the security label storage unit 57 and determines whether the disclosed label set separated in step S302 contains any unregistered security label (S309). In FIG. 8, for example, it determines that the disclosed label set {LA, LB, LD} contains no unregistered security label. When it determines that no unregistered security label is contained, the composite label analysis unit 54 acquires from the security label storage unit 57 all security classes for the disclosed labels in the disclosed label set (S310). In FIG. 8, for example, it acquires the security classes A, B and D. It then includes the acquired security classes in the new security class combination (S315); in FIG. 8, for example, it generates the new security class combination Y+Z+V+A+B+C+D. At the same time, it includes the acquired security classes in the known security class set (S312); in FIG. 8, for example, it generates the known security class set {Y, Z, A, B, D}. When step S309 determines that an unregistered security label is contained, processing proceeds to step S319 described later.
Next, the composite label analysis unit 54 performs a label consistency determination, checking by set inclusion whether the known security class set generated in step S312 includes the essential security class set generated in step S311 (S318). When it determines that the labels are not consistent, the composite label analysis unit 54 discards the received processing result and its composite label (S319), because an unknown security label has been disclosed and subsequent information flow control could not be performed correctly. The composite label analysis process then ends.
When step S318 determines that the labels are consistent, the composite label analysis unit 54 queries the security label storage unit 57 using the new security class combination generated in step S315 as the key and determines whether a security label can be acquired (S320). When a security label can be acquired, the composite label analysis unit 54 acquires that security label and ends the composite label analysis process.
When no security label can be acquired in step S320, the composite label analysis unit 54 creates a new security label (S321). In FIG. 8, for example, it determines that no security label corresponds to the new security class combination Y+Z+V+A+B+C+D and creates the new security label LW. It then registers the created security label in the security label storage unit 57 (S322).
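The generation steps S201 to S211 and the analysis steps S301 to S322 above, as one added Python example that is not part of the patent or NEC's implementation. The class name, the in-memory dictionaries standing in for storage units 56, 57 and 58, the disclosure policy table, the naming of fresh temporary classes and labels, and the label data (constructed from FIGS. 5 and 8) are all assumptions; an unregistered disclosed label is treated as S309 directs and the result discarded.

```python
# Added example: one dynamic information flow control node that both generates
# composite labels for outgoing requests and analyzes the labels on the replies.
import uuid


class IfcNode:
    """One dynamic information flow control system (names are assumptions).
    The dictionaries stand in for the security label storage unit 57, the
    temporary class storage unit 58 and the composite label storage unit 56."""

    def __init__(self, policy, conv_label_factory=None):
        self.security_labels = {}       # security label -> frozenset of classes (57)
        self.temp_label_to_class = {}   # temporary label -> temporary class (58)
        self.temp_class_to_label = {}   # temporary class -> temporary label (58)
        self.sent = {}                  # transmission conversion label -> (dest, label) (56)
        self.composite_cache = {}       # (dest, security label) -> composite label (56)
        self.policy = policy            # disclosure determination: dest -> disclosable classes
        # S201 requires labels unique across all nodes, hence a UUID by default
        self.new_conv_label = conv_label_factory or (lambda: str(uuid.uuid4()))
        self._temp_counter = 0

    def register_label(self, label, classes):
        self.security_labels[label] = frozenset(classes)

    def register_temp(self, label, cls):
        self.temp_label_to_class[label] = cls
        self.temp_class_to_label[cls] = label

    def label_of_class(self, cls):
        """S207: the security label whose class set is exactly {cls}."""
        return next(l for l, cs in self.security_labels.items() if cs == frozenset({cls}))

    def generate(self, dest, sec_label):
        """S201-S211: build the composite label for data labelled sec_label sent to dest."""
        cached = self.composite_cache.get((dest, sec_label))
        if cached is not None:
            return cached
        conv = self.new_conv_label()                                       # S201
        classes = self.security_labels[sec_label]                          # S202
        temp = {c for c in classes if c in self.temp_class_to_label}       # S203
        conv_set = [conv] + sorted(self.temp_class_to_label[c] for c in temp)  # S204-S205
        disclosable = self.policy.get(dest, set())
        disclosed = sorted(c for c in classes - temp if c in disclosable)  # S206
        disc_set = [self.label_of_class(c) for c in disclosed]             # S207-S208
        composite = (conv_set, disc_set)                                   # S209
        self.sent[conv] = (dest, sec_label)                                # S211
        self.composite_cache[(dest, sec_label)] = composite
        return composite

    def analyze(self, composite):
        """S301-S322: verify a received composite label and return the security
        label for the result, or None when the result and label are discarded."""
        conv_set, disc_set = composite                                     # S302
        required, known, new_classes = set(), set(), set()
        for label in conv_set:
            if label in self.sent:                                         # S303: our own label
                dest, sec_label = self.sent[label]                         # S304-S305
                classes = self.security_labels[sec_label]                  # S306
                new_classes |= classes                                     # S315
                non_temp = {c for c in classes if c not in self.temp_class_to_label}  # S307
                required |= {c for c in non_temp if c in self.policy.get(dest, set())}  # S308-S311
            elif label in self.temp_label_to_class:                        # S313: temp class known
                cls = self.temp_label_to_class[label]                      # S314
                new_classes.add(cls)                                       # S315
                known.add(cls)                                             # S312
            else:                                                          # S316: foreign label
                self._temp_counter += 1
                cls = f"T{self._temp_counter}"                             # fresh temporary class
                self.register_temp(label, cls)                             # S317
                new_classes.add(cls)                                       # S315 only: it is unknown
        if any(label not in self.security_labels for label in disc_set):   # S309
            return None                                                    # S319
        for label in disc_set:
            classes = self.security_labels[label]                          # S310
            new_classes |= classes                                         # S315
            known |= classes                                               # S312
        if not required <= known:                                          # S318: label consistency
            return None                                                    # S319: discard
        for label, classes in self.security_labels.items():                # S320
            if classes == new_classes:
                return label
        new_label = f"L{len(self.security_labels)}"                        # S321
        self.register_label(new_label, new_classes)                        # S322
        return new_label


def figure_example():
    """FIG. 5 / FIG. 8 walk-through with constructed data and a fixed conversion label."""
    node = IfcNode(policy={"s2": {"A", "B"}}, conv_label_factory=lambda: "LX'")
    for label, cls in (("LA", "A"), ("LB", "B"), ("LC", "C"), ("LD", "D")):
        node.register_label(label, {cls})
    node.register_label("LX", {"Y", "Z", "A", "B", "C"})
    node.register_temp("LY", "Y")
    node.register_temp("LZ", "Z")
    sent = node.generate("s2", "LX")            # ({LX', LY, LZ}, {LA, LB}) as in FIG. 5
    # reply from s2 carries its own temporary label LV and an extra disclosed label LD (FIG. 8)
    accepted = node.analyze((["LX'", "LY", "LZ", "LV"], ["LA", "LB", "LD"]))
    # a reply whose disclosed set lacks the essential class B fails the S318 check
    rejected = node.analyze((["LX'", "LY", "LZ"], ["LA", "LD"]))
    return sent, accepted, node.security_labels.get(accepted), rejected
```

The temporary class V of FIG. 8 appears here under the constructed name T1, and the new label LW under the constructed name L5.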
Thus, according to the present invention, when information is transmitted to another dynamic information flow control system linked to a dynamic information flow control system and the information processed on that other system is received, the security label can be partially disclosed while information leakage is prevented. This is because the composite label is generated by pairing the conversion label obtained by converting the original security label with the disclosed label set, that is, the labels corresponding to the security classes to be disclosed among the security class set corresponding to the original security label.
The effect of the present invention is now described concretely using the example given in the problem to be solved by the invention. Following that example, an information flow control system s1, an information flow control system s2 and an information flow control system s3 are linked. The salary information x and y of person a and person b of company c is managed on the information flow control system s1. A statistical processing service runs on the information flow control system s2, and a salary transfer account management service runs on the information flow control system s3. To process the salary information of person a statistically, the information flow control system s1 requests processing from the information flow control system s2 and receives the result (statistical information). To transfer the salary of person a, the information flow control system s1 requests processing from the information flow control system s3 and receives the result (a transfer completion notification).
First, suppose that the security label LX on the information flow control system s1 corresponds to the security class combination C+A, and that the disclosure determination unit on the information flow control system s1 determines that the security label LC is to be disclosed to the information flow control system s2. This determination is made, for example, on the basis of a security policy set in advance. As a result, the composite label generated by the composite label generation unit on the information flow control system s1 and sent to the information flow control system s2 is ({LX'}, {LC}).
Likewise, the disclosure determination unit on the information flow control system s1 determines that the security label LA is to be disclosed to the information flow control system s3, again on the basis of, for example, a security policy set in advance. As a result, the composite label generated by the composite label generation unit on the information flow control system s1 and sent to the information flow control system s3 is ({LX''}, {LA}). Because a conversion label is created for each destination dynamic information flow control system, the security label LX on the information flow control system s1 becomes a different conversion label for each destination: LX' for the information flow control system s2 and LX'' for the information flow control system s3.
 These composite labels are stored in the composite label storage unit on information flow control system s1, paired with the original security label LX.
 Consequently, even if the composite labels of the information sent to s2 and to s3 are matched against each other, the fact that both conversion labels LX' and LX'' correspond to the security label LX cannot be learned from s2 or s3, because the composite label storage unit resides on s1.
 Similarly, the fact that security class C, corresponding to the security label LC disclosed to s2, is contained in the security class combination corresponding to the conversion label LX'' sent to s3 cannot be learned from s2 or s3, because the composite label storage unit is held on s1 and is not exposed to s2 or s3.
 In the same way, the fact that security class A, corresponding to the security label LA disclosed to s3, is contained in the security class combination corresponding to the conversion label LX' sent to s2 cannot be learned from s2 or s3, since the composite label storage unit is on s1. Therefore, information leakage is prevented even if the composite labels of the information sent to s2 and s3 are matched against each other.
 Next, suppose the composite label ({LX''}, {LA}) attached to the information sent to s3 is tampered with into ({LX''}, {LB}), either on s3 or on the transmission path from s3 back to s1, when the processing result is returned. The composite label analysis unit on s1 restores the conversion label LX'' in the composite label to the original security label LX, confirms that LX corresponds to the security class combination C+A, removes the non-disclosed security class C from that combination, and obtains the mandatory security class set {A}. It then computes the known security class set from the security class set {B} corresponding to the disclosed label set {LB}. Since {A} ⊆ {B} does not hold, the tampering of the composite label is detected.
 When tampering is detected, the received information is discarded and further propagation is blocked, so even if a composite label is tampered with, leakage of the information that carried the tampered label is prevented. In the above example, this prevents the salary transfer completion notification for person a from becoming viewable by person b.
 Thus, in the second embodiment, information leakage through matching of composite labels between the other dynamic information flow control systems connected to the dynamic information flow control system 40 is prevented. This is because information sent from the dynamic information flow control system 40 to the other dynamic information flow control systems carries a composite label generated by the composite label generation unit 53. That composite label contains the security labels corresponding to the security classes that the disclosure determination unit 52 decided to disclose, while all other security labels are included only after conversion into conversion labels. Moreover, the disclosure decision is made according to the identifier of the destination dynamic information flow control system. Therefore, even if the other dynamic information flow control systems connected to the dynamic information flow control system 40 match their composite labels against each other, they cannot correlate them.
 Also, in the second embodiment, when a composite label accompanying information received from another dynamic information flow control system connected to the dynamic information flow control system 40 has been tampered with, the tampering is detected and information leakage is prevented. This is because information that the dynamic information flow control system 40 receives from the other dynamic information flow control systems carries a composite label, and the mandatory security class set is computed from the transmission conversion label contained in that composite label. The mandatory security class set contains every security class corresponding to a conversion label or disclosed label included in the security label to which the transmission conversion label corresponds. Since this computation is based on the composite label storage unit 56, the temporary class storage unit 58 and the security label storage unit 57 inside the dynamic information flow control system 40, the other dynamic information flow control systems cannot interfere with it.
 The known security class set is then computed from the composite label itself. If the composite label was tampered with, whether on the other dynamic information flow control system or on the communication path from it to the dynamic information flow control system 40, so that some disclosed labels are missing from the disclosed label set, the tampering is detected by comparison with the mandatory security class set.
<Example 1>
 Next, the operation of the best mode for carrying out the invention is described using a concrete example. Example 1 of the present invention corresponds to Fig. 3, with the dynamic information flow control system 40 being the personnel system s11 of company c, the dynamic information flow control system 41 being the statistical processing system s12, and the dynamic information flow control system 42 being the bank account management system s13.
 First, a security class C indicating information of company c, and security classes A and B indicating information about the employees, person a and person b, are defined. The personnel system s11 is assumed to have stored the data shown in Fig. 9 in the security label storage unit 57 in advance, and the data shown in Fig. 10 in the composite label storage unit 56.
 The statistical processing system s12 is assumed to have been configured in advance with the security class C indicating information of company c and with the security label LC corresponding to C. The bank account management system s13 is assumed to have been configured in advance with the security class A indicating information of person a and with the security label LA corresponding to A.
 Consider the case where the personnel system s11 requests the statistical processing system s12 to perform statistical processing on the salary of person a. So that the salary information is not mixed with information of other companies, the salary information submitted for statistical processing must carry the security label LC corresponding to security class C. However, there is no need to provide the identification information of individual employees to s12. The personnel system s11 therefore generates the transmission conversion label LX' from the security label LX and sends the salary information to s12 with the composite label ({LX'}, {LC}) attached.
 Next, consider the case where s11 requests the bank account management system s13 to carry out the salary transfer for person a. So that the salary information is not mixed with information of other persons, the salary information submitted for the transfer must carry the security label LA corresponding to security class A. However, there is no need to provide the identification information of company c to s13. The personnel system s11 therefore generates the transmission conversion label LX'' from the security label LX and sends the salary information to s13 with the composite label ({LX''}, {LA}) attached.
 As a result, even if the composite label ({LX'}, {LC}) sent to s12 and the composite label ({LX''}, {LA}) sent to s13 are matched against each other, it cannot be determined that both originated from the same security label LX. Information leakage through such matching is therefore prevented.
 Further, when the bank account management system s13 sends the salary transfer completion notification to the personnel system s11, suppose the attached composite label ({LZ', LX''}, {LA}) is tampered with into ({LZ', LX''}, {LB}). Here LZ' is a transmission conversion label generated by the bank account management system s13. From LX'' the mandatory security class set {A} is computed, and from ({LZ', LX''}, {LB}) the known security class set {B} is computed; since {A} ⊆ {B} does not hold, the tampering is detected. This prevents the amount of the salary transfer to person a from leaking to person b.
 Note that the composite label attached when s13 sends the salary transfer completion notification to s11 is ({LZ', LX''}, {LA}) when the best mode of the invention is used in s13. If another embodiment of the invention (see Other Embodiments of the Invention below) is used in s13, and the notification contains no information corresponding to a non-disclosed security class of s13, generation of LZ' is suppressed and the composite label ({LX''}, {LA}) is attached instead. Even in that case the presence or absence of the transmission conversion label LZ' has no effect on the label consistency check: the mandatory security class set computed from the transmission conversion label LX'' is {A}, the known security class set computed from ({LX''}, {LA}) is {A}, the same comparison is made, and a tampering such as the replacement of LA by LB above is detected in the same way.
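 The mechanism described above for the second embodiment and Example 1 (a fresh conversion label per destination, a composite label store that exists only on the originator, and the comparison of the mandatory security class set recovered from the conversion label with the known security class set named by the disclosed labels) can be simulated in a few dozen lines. The following Python is an added illustration and is not the patent's or NEC's code: the Originator class, its tables, the use of random opaque names for conversion labels, the treatment of unknown conversion labels as remote temporary labels (LZ'), and the extra check that a conversion label is only accepted back from the destination it was issued to are all this example's own assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CompositeLabel:
    """({conversion labels}, {disclosed labels}) as attached to transmitted data."""
    conversion: frozenset
    disclosed: frozenset


class Originator:
    """Originating system (s1 in the text, personnel system s11 in Example 1).

    It alone holds the composite label store, so peers cannot map a conversion
    label back to the security label it stands for.
    """

    def __init__(self, label_classes, class_label, policy):
        self.label_classes = dict(label_classes)              # "LX" -> {"C", "A"}
        self.class_label = dict(class_label)                  # "C" -> "LC"
        self.label_class = {v: k for k, v in class_label.items()}
        self.policy = {d: set(cs) for d, cs in policy.items()}  # dest -> disclosable classes
        self.store = {}                                       # (label, dest) -> CompositeLabel
        self.origin = {}                                      # conversion label -> (label, dest)

    def make_composite(self, label, dest):
        """Composite label for `label` sent to `dest`; reused once generated."""
        key = (label, dest)
        if key in self.store:
            return self.store[key]
        classes = self.label_classes[label]
        disclosed = frozenset(self.class_label[c] for c in classes if c in self.policy[dest])
        # Fresh opaque name per destination. It must not embed the original label
        # name, otherwise s2 and s3 could link LX' and LX'' by inspection.
        conv = "T" + secrets.token_hex(8)
        comp = CompositeLabel(frozenset({conv}), disclosed)
        self.store[key] = comp
        self.origin[conv] = key
        return comp

    def check_returned(self, comp, sender):
        """Consistency check on a composite label coming back from `sender`.

        mandatory: classes of our own labels (recovered from the conversion
        labels) that were disclosed to `sender`; known: classes named by the
        disclosed label set. The label is consistent iff mandatory <= known.
        """
        mandatory = set()
        for conv in comp.conversion:
            if conv not in self.origin:
                continue  # temporary label minted by the remote system (LZ' in the text)
            label, dest = self.origin[conv]
            if dest != sender:
                return False  # added check: a label issued to another peer was replayed
            mandatory |= {c for c in self.label_classes[label] if c in self.policy[sender]}
        known = {self.label_class[l] for l in comp.disclosed if l in self.label_class}
        return mandatory <= known


def linkable(a, b):
    """What two peers could learn by matching labels: any shared conversion or disclosed label."""
    return bool(a.conversion & b.conversion) or bool(a.disclosed & b.disclosed)


# Constructed scenario: s1 holds LX = C+A (salary of person a) and LY = C+B.
s1 = Originator(
    label_classes={"LX": {"C", "A"}, "LY": {"C", "B"}},
    class_label={"C": "LC", "A": "LA", "B": "LB"},
    policy={"s2": {"C"}, "s3": {"A"}},      # s2 may learn C only, s3 may learn A only
)
to_s2 = s1.make_composite("LX", "s2")        # ({T...}, {LC})
to_s3 = s1.make_composite("LX", "s3")        # ({T...}, {LA}), different conversion label

# Returned from s3: untouched, tampered (LA -> LB), and with s3's own temporary label LZ'.
tampered = CompositeLabel(to_s3.conversion, frozenset({"LB"}))
with_temp = CompositeLabel(to_s3.conversion | {"LZ'"}, to_s3.disclosed)
```

The check intentionally ignores conversion labels it did not issue, which is what lets the returned label carry LZ' without affecting the result; the extra destination check (not stated in the patent text) rejects a conversion label issued to s2 being presented by s3, which the plain subset comparison would otherwise accept.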
<Third Embodiment of the Invention>
 As described above, the disclosure determination unit 52 of the second embodiment determines whether a security class may be disclosed, and when it determines that it may not, the composite label generation unit 53 does not include the corresponding security label in the disclosed label set of the composite label. This means that a security class whose security label is not disclosed contributes nothing at all to flow determination in the destination dynamic information flow control system. For example, when salary information for several persons belonging to the same company is sent to some dynamic information flow control system and the persons' security classes are not disclosed to it, the destination system cannot even distinguish the persons' departments, which is inconvenient for some kinds of processing. In such a case the destination system need not identify which person each record belongs to, but it does need to distinguish, at least for the several salary records, whether they belong to the same department, and to have that distinction contribute to flow determination.
 The third embodiment therefore aims, for a given security class, to let it contribute to flow determination in the destination dynamic information flow control system while still avoiding the disclosure of unnecessary security attributes, as in the first and second embodiments. To this end, the third embodiment replaces the security label corresponding to such a security class with a different security label before adding it to the disclosed label set. For convenience this method of disclosure is called partial disclosure.
 Assume that there exist security classes E1, E2, ..., En, which are distinct security attributes sharing a common property. For example, security class A associated with person a and security class B associated with person b share the common property of being security classes that identify a person. The security classes E1, E2, ..., En are called a security group; a security group may be, for example, the security attribute that identifies the department to which a person belongs.
 In the source dynamic information flow control system, one of the security classes belonging to the security group is associated with the data. In the destination dynamic information flow control system, the same flow determination is made for every security class belonging to that security group. The same flow determination here means that, in the destination system, for any security class P other than E1, ..., En, the result of the flow determination from security class Ei (i being any of 1, 2, 3, ..., n) to security class P is the same for every i. In other words, the destination dynamic information flow control system treats the security classes E1, ..., En alike.
 As a further case distinction, among the security classes E1, ..., En, consider the case where flow from any security class Ei to Ej (j being any of 1, 2, 3, ..., n other than i) is always possible, and the case where flow is possible only when i = j. For convenience the former is called the case where security class Ei is mergeable, and the latter the case where it is not mergeable.
 The dynamic information flow control system of the third embodiment can be realized by modifying the disclosure determination unit 52 and the composite label generation unit 53 of the second embodiment described above. Since its configuration is basically the same as that of the dynamic information flow control system 40 of the second embodiment shown in Fig. 3, it is not illustrated separately. Only the differences from the second embodiment are described below.
 The disclosure determination unit 52 of the third embodiment returns one of three values, disclosure, partial disclosure or non-disclosure, instead of the two values disclosure or non-disclosure. For example, in step S206 of Fig. 4, when the disclosure determination unit 52 determines that disclosure is possible, it may further determine whether the disclosure is partial. The composite label generation unit 53 of the third embodiment then replaces the label of a security class determined to be partially disclosed with a common label. A common label is a single name shared by a plurality of security attributes that the communication partner maps to the same security attribute in its flow determination. That is, the transmission unit includes in the disclosed label set a common label, which is one and the same label for a plurality of security attributes having a common property at the communication partner.
 Furthermore, when a security class is determined to be partially disclosed, the disclosure determination unit 52 of the third embodiment may also determine whether merging is permitted. The composite label generation unit 53 of the third embodiment then replaces the label of a security class determined to be non-mergeable with a label indicating that merging is not permitted. A label indicating that merging is not permitted is a restriction label, that is, a label indicating that flow to other attributes within the security group is restricted. In other words, the transmission unit includes in the disclosed label set the security attribute to be disclosed to the communication partner as a restriction label, a label under which flow to other security attributes is restricted at the communication partner.
 For example, the security policy storage unit 55 of the third embodiment may store in advance, associated with each disclosed label, a flag indicating whether partial disclosure is permitted and a flag indicating whether merging is permitted. The security label storage unit 57 of the third embodiment may store in advance, associated with each security label 571, the identification information of its security group, its common label and its restriction label.
 In this way, a partially disclosed security class can contribute to flow determination in the destination dynamic information flow control system through the common label, while the label indicating that merging is not permitted avoids the disclosure of unnecessary security attributes.
 Fig. 13 shows an example of the data in the composite label generation process for partial disclosure in the case where security class Ei is mergeable. In the example of Fig. 13, security class Ei is subject to partial disclosure and security class D is not disclosed. Since security class D is handled as in the first and second embodiments, its detailed description is omitted.
 When security class Ei is mergeable, the security label LEi is replaced with the common label LE, itself a security label, which is added to the disclosed label set. For this purpose, a conversion table that replaces the security label LEi with the disclosed label LE is prepared in advance on the source dynamic information flow control system, and a security class E corresponding to the security label LE is prepared on the destination dynamic information flow control system. This preparation may be carried out by an automatic procedure or manually by the administrator of the control system as part of its configuration.
 The flow determination for security class E in the destination dynamic information flow control system is made to coincide with the flow determination that would have been made for security class Ei had the composite label generation of the third embodiment not been performed. In other words, security class E is a security class that represents the security classes Ei.
 By thus replacing the security label LEi corresponding to security class Ei with the disclosed label LE, and mapping the disclosed label LE to the security class E representing the security classes Ei, security class Ei contributes to the flow determination at the destination as security class E. Since the individual security class Ei is not disclosed, the disclosure of unnecessary security attributes is avoided. Furthermore, as described in Non-Patent Document 1, flow between the same class is generally permitted, so the following flow determination holds, expressing that the security classes Ei are mergeable while being represented by security class E.
Figure JPOXMLDOC01-appb-M000003
 Fig. 14 shows an example of the data in the composite label generation process for partial disclosure in the case where security class Ei is not mergeable. In the example of Fig. 14, security class Ei is subject to partial disclosure and security class D is not disclosed. Since security class D is handled as in the first and second embodiments, its detailed description is omitted.
 When security class Ei is not mergeable, the security label LEi is replaced with two labels, the disclosed label LE and the restriction label LNi, which are added to the disclosed label set. The disclosed label LE is prepared in advance on the source and the destination as in the mergeable case. The restriction label LNi is mapped to a security class Ni whose properties satisfy expressions (4), (5) and (6) below, and is likewise prepared in advance on the source and the destination.
Figure JPOXMLDOC01-appb-M000004

Figure JPOXMLDOC01-appb-M000005

Figure JPOXMLDOC01-appb-M000006
 Expressions (4), (5) and (6) give security class Ni the property of being non-mergeable. Such a security class Ni is unusual in information flow control, but it is equivalent to enumerating every flow relation other than the flow from Ni to Nj, as in flow determination (7) below, and is therefore consistent with the theoretical foundations of information flow control.
Figure JPOXMLDOC01-appb-M000007
 In an information flow control system that cannot express a negative relation such as "cannot flow", the same effect can be obtained by enumerating, as above, all flow relations other than the flow from Ni to Nj.
 Security class Ni can also be applied to security labels other than LEi. For example, security label LEi may be replaced with disclosed label LE and restriction label LNi, while security label LEi' is replaced with disclosed label LE' and the same restriction label LNi. That is, the restriction label LNi represents only the non-mergeable property of the original security label, while its other properties are represented by the disclosed labels LE and LE', so the restriction label LNi is generic with respect to the security labels it is applied to.
 By thus replacing the security label LEi corresponding to security class Ei with the disclosed label LE and the restriction label LNi, mapping the disclosed label LE to the security class E that represents the security classes Ei, and mapping the restriction label LNi to the security class Ni that expresses non-mergeability, security class Ei contributes to the flow determination at the destination as the security class combination E+Ni. Since neither the individual security class Ei nor the correspondence between Ei and Ni is disclosed, the disclosure of unnecessary security attributes is avoided. Further, since Ni is a non-mergeable security class, the fact that Ei is non-mergeable is expressed while Ei is represented by E.
 Since the disclosed label LE and security class E, and the restriction label LNi and security class Ni, are set up in advance, conversion labels are restored as in the first and second embodiments, and the detailed description is omitted.
 As described above, for the security labels LE1, ..., LEn corresponding to security classes E1, ..., En, partial disclosure includes in the disclosed label set the disclosed label LE representing each individual security label LEi and, where Ei is non-mergeable, the restriction label LNi as well. As a result, security class Ei of the source information flow control system contributes to the flow determination in the destination information flow control system as security class E or as the security class combination E+Ni, while the disclosure of unnecessary security attributes is avoided.
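 The partial disclosure of the third embodiment (the three-valued disclosure decision, replacement of LEi by the common label LE, addition of the restriction label LNi in the non-mergeable case, and the receiver-side rule that data carrying Ni must never be merged with data carrying Nj) can be simulated as follows. This Python is an added illustration, not the patent's or NEC's code. Expressions (4) to (7) are not reproduced on this page, so the receiver-side rule implemented here (a container may carry at most one restriction class, and a flow is permitted only into a container that dominates the source label) is this example's own reading of the non-mergeable property; the "L"+class naming of labels, the fixed set RESTRICTION_CLASSES, and the policy, group and restriction tables are likewise assumptions.

```python
RESTRICTION_CLASSES = {"N1", "N2", "N3"}   # assumed set of restriction classes Ni


def partially_disclose(classes, policy, group_of, mergeable, restrict_of):
    """Sender side: build the disclosed label set for one destination.

    policy maps a class to "open", "partial" or "hidden" (the three-valued
    decision of the disclosure determination unit 52). Labels are named
    "L"+class, following the LC/C, LE/E, LNi/Ni naming in the text.
    """
    disclosed = set()
    for c in classes:
        decision = policy.get(c, "hidden")
        if decision == "open":
            disclosed.add("L" + c)
        elif decision == "partial":
            g = group_of[c]
            disclosed.add("L" + g)                      # common label LE replaces LEi
            if not mergeable[g]:
                disclosed.add("L" + restrict_of[c])     # restriction label LNi
        # "hidden": nothing is added; the class stays behind the conversion label
    return frozenset(disclosed)


def classes_of(disclosed_labels):
    """Receiver side: map disclosed labels back to the classes configured for them."""
    return frozenset(label[1:] for label in disclosed_labels)


def can_flow(src, dst, restriction=RESTRICTION_CLASSES):
    """May data labelled src flow into a container labelled dst?

    Ordinary rule: dst must carry every class of src. Restriction rule: a
    container may hold at most one Ni, so Ni-labelled data never meets
    Nj-labelled data with i != j, while flow to any other class P is unaffected.
    """
    return set(src) <= set(dst) and len(set(dst) & restriction) <= 1


def join(a, b, restriction=RESTRICTION_CLASSES):
    """Label of data derived from both a and b, or None if the merge is refused."""
    merged = frozenset(a) | frozenset(b)
    return merged if len(merged & restriction) <= 1 else None


# Constructed scenario: persons E1 and E2 form security group E; the destination
# may learn the company class C, sees the persons only partially, and never D.
GROUP_OF = {"E1": "E", "E2": "E"}
RESTRICT_OF = {"E1": "N1", "E2": "N2"}
POLICY_S2 = {"C": "open", "E1": "partial", "E2": "partial", "D": "hidden"}
salary_1 = {"C", "E1", "D"}
salary_2 = {"C", "E2", "D"}

# Mergeable case: both records arrive as {LC, LE}; the receiver may combine them.
mergeable_1 = partially_disclose(salary_1, POLICY_S2, GROUP_OF, {"E": True}, RESTRICT_OF)
mergeable_2 = partially_disclose(salary_2, POLICY_S2, GROUP_OF, {"E": True}, RESTRICT_OF)
# Non-mergeable case: LN1 and LN2 are added and the receiver must keep the records apart.
strict_1 = partially_disclose(salary_1, POLICY_S2, GROUP_OF, {"E": False}, RESTRICT_OF)
strict_2 = partially_disclose(salary_2, POLICY_S2, GROUP_OF, {"E": False}, RESTRICT_OF)
```

In both cases the receiver sees the same common label for E1 and E2 and so cannot tell the persons apart; only in the non-mergeable case does it additionally learn that the two records must not be combined, which is exactly the one property the restriction label is meant to carry.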
<Other embodiments of the invention>
 Note that the transmission unit described above may, when all of the plurality of security attributes are disclosed to the communication partner, use the conversion label stored in the label information storage means instead of generating a new conversion label. This suppresses the generation of unnecessary transmission conversion labels.
 In the second embodiment of the present invention, the composite label generation unit 53 looks up the composite label corresponding to the security label and the identifier of the destination dynamic information flow control system, and if no such composite label exists it always generates a transmission conversion label corresponding to that security label. Alternatively, in another embodiment of the invention, when the security class combination corresponding to the security label contains no undisclosed security class, no new transmission conversion label is generated; instead, the composite label may be generated from the existing conversion label and the security label. This suppresses the generation of more transmission conversion labels than necessary.
 In the second embodiment, temporary labels were included in the conversion label set, but they may instead be included in the disclosure label set. In that case, when it is determined in step S309 of FIG. 6 that an unregistered security label is included, the composite label analysis unit 54 determines that it is a temporary label and proceeds to step S313, so that processing is carried out appropriately.
 Furthermore, the following processing may be performed in place of steps S306 to S308 in FIG. 6. First, the composite label analysis unit 54 acquires from the composite label storage unit 56 the composite label 564 associated with the transmission conversion label acquired in step S305. Then, the composite label analysis unit 54 extracts the disclosure label set contained in the acquired composite label 564. Thereafter, in step S311, the composite label analysis unit 54 may generate the extracted disclosure label set as the required security class set. When a single received composite label contains a plurality of transmission conversion labels, the composite label analysis unit 54 acquires from the composite label storage unit 56 the composite label 564 corresponding to each of those transmission conversion labels and extracts their disclosure label sets. This allows a processing result that combines the results of a plurality of processing requests into one to be handled appropriately.
 Similarly, in step S312, the composite label analysis unit 54 may take the disclosure label set contained in the received composite label itself as the known security set. That is, in step S318, the composite label analysis unit 54 may compare the disclosure label set at the time of transmission with the disclosure label set at the time of reception.
 The conversion described above may also be referred to by the term pseudonymization, with the following meaning. Pseudonymization is the replacement of one identifier with another identifier, where the correspondence between the identifier and the substitute identifier is not disclosed. Pseudonymization is a different concept from anonymization: with pseudonymization, the mapping between the original identifier and the substitute identifier is not disclosed, but the substitute identifier itself is disclosed, whereas anonymization means that the identifier is not disclosed at all. By analogy, signing a letter to a newspaper's readers' column with a pen name is pseudonymization, while asking to be listed as anonymous is anonymization. Here, the identifier may be a security label, since a security label is an identifier indicating a classification from the viewpoint of security.
 In the embodiments above, the present invention has been described as a hardware configuration, but the present invention is not limited to this. Arbitrary processing of the present invention can also be realized by causing a CPU (Central Processing Unit) to execute a computer program. In the above examples, the program can be stored using various types of non-transitory computer readable media and supplied to a computer. Non-transitory computer readable media include various types of tangible storage media. Examples of non-transitory computer readable media include magnetic recording media (e.g. flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g. magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, DVD (Digital Versatile Disc), BD (Blu-ray (registered trademark) Disc), and semiconductor memory (e.g. mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory)). The program may also be supplied to the computer by various types of transitory computer readable media. Examples of transitory computer readable media include electrical signals, optical signals, and electromagnetic waves. A transitory computer readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fiber, or via a wireless communication path.
 The present invention has been described above with reference to embodiments, but the present invention is not limited to the above. Various changes that those skilled in the art can understand may be made to the configuration and details of the present invention within the scope of the invention.
 This application claims priority based on Japanese Patent Application No. 2009-122344 filed on May 20, 2009 and Japanese Patent Application No. 2009-241431 filed on October 20, 2009, the entire disclosures of which are incorporated herein.
 The present invention can be applied to uses such as constructing an information processing system in which a plurality of dynamic information flow control systems are connected.
DESCRIPTION OF SYMBOLS
 10 Data processing system
 11 Transmission unit
 12 Verification unit
 20 Communication partner
 31 Data
 32 Conversion label set
 33 Disclosure label set
 34 Processing result
 35 Conversion label set
 36 Disclosure label set
 40 Dynamic information flow control system
 41 Dynamic information flow control system
 42 Dynamic information flow control system
 51 Application unit
 52 Disclosure determination unit
 53 Composite label generation unit
 54 Composite label analysis unit
 55 Security policy storage unit
 56 Composite label storage unit
 561 Destination system ID
 562 Security label
 563 Transmission conversion label
 564 Composite label
 57 Security label storage unit
 571 Security label
 572 Class combination
 58 Temporary class storage unit
 581 Conversion label
 582 Temporary class
 81 Web service
 82 Web service
 83 Web service
 84 Security policy
 85 BPEL program verification means
 86 Service cooperation system
 87 BPEL program
 88 Cooperation result utilization means
 91 Program
 92 IRM writing means
 93 IRM
 94 Information input source
 95 Program execution means
 96 Program with IRM
 97 Labeling policy
 98 Information flow policy
 99 Information output destination
 Y Security class
 Z Security class
 V Security class
 A Security class
 B Security class
 C Security class
 D Security class
 LX Security label
 LX' Transmission conversion label
 LX'' Transmission conversion label
 LXC Security label
 LY Security label
 LZ Security label
 LV Security label
 LA Security label
 LB Security label
 LC Security label
 LD Security label
 LW Security label
 s1 Information flow control system
 s2 Information flow control system
 s3 Information flow control system
 c Company
 a Person
 b Person
 x Salary information
 y Salary information
 s11 Personnel system
 s12 Statistical processing system
 s13 Bank account management system
 E1 Security class
 E2 Security class
 Ei Security class
 Ej Security class
 En Security class
 P Security class
 LE Disclosure label
 LE' Disclosure label
 LEi Security label
 LEi' Security label
 LNi Restriction label
 Ni Security class
 Nj Security class

Claims (30)

  1.  A data processing system comprising:
     transmission means for transmitting data to a communication partner with a conversion label set and a disclosure label set attached, the conversion label set being a set of labels that includes conversion labels obtained by converting labels, which are the names of a plurality of security attributes associated with the data, into names different from those labels, and the disclosure label set being a set of labels indicating the names of those security attributes, among the plurality of security attributes, that are disclosed in order to have the communication partner process the data; and
     verification means for receiving from the communication partner a processing result of the data to which the conversion label set and the disclosure label set are attached, and verifying the security of the processing result using the conversion label set and the disclosure label set attached to the received processing result.
  2.  The data processing system according to claim 1, wherein the transmission means generates the conversion labels by converting the plurality of security attributes, generates the conversion label set including the generated conversion labels, generates the disclosure label set by selecting from the plurality of security attributes the security attributes to be disclosed to the communication partner, generates a composite label by concatenating the conversion label set and the generated disclosure label set, and transmits the data to the communication partner with the generated composite label attached.
  3.  The data processing system according to claim 2, wherein, when transmitting the data to another communication partner different from the communication partner, the transmission means generates the conversion labels by converting the plurality of security attributes so that their names differ from the conversion labels used for the communication partner.
  4.  The data processing system according to any one of claims 1 to 3, further comprising label information storage means for storing information about labels,
     wherein the transmission means stores the generated conversion labels in the label information storage means, and
     the verification means acquires, based on the conversion label set attached to the received processing result, the conversion labels stored in the label information storage means, identifies, based on the acquired conversion labels, a required label set that is the set of labels indicating the names of the security attributes disclosed to the communication partner of the received processing result, and determines the received processing result to be legitimate when the identified required label set is included in the disclosure label set attached to the received processing result.
  5.  The data processing system according to claim 4, wherein the verification means assigns a temporary security attribute to each temporary label, a temporary label being a label in the conversion label set attached to the received processing result other than the conversion labels stored in the label information storage means, adds the temporary security attribute to the plurality of security attributes associated with the data, and stores the temporary label and the temporary security attribute in association with each other in the label information storage means, and
     the transmission means generates the conversion labels by converting the plurality of security attributes to which the temporary security attribute has been added by the verification means, acquires the temporary label associated with the temporary security attribute from the label information storage means, and generates the conversion label set including the generated conversion labels and the acquired temporary label.
  6.  The data processing system according to claim 4 or 5, wherein, when all of the plurality of security attributes are disclosed to the communication partner, the transmission means uses the conversion labels stored in the label information storage means without generating new conversion labels.
  7.  The data processing system according to any one of claims 4 to 6, wherein, when the disclosure label set attached to the received processing result includes a new label not included in the required label set, the verification means adds a security attribute corresponding to the new label to the plurality of security attributes.
  8.  The data processing system according to any one of claims 1 to 7, wherein the transmission means generates, from the labels that are the names of the plurality of security attributes, conversion labels different from past conversion labels.
  9.  An information flow control method that causes a data processing apparatus to execute processing of:
     transmitting data to a communication partner with a conversion label set and a disclosure label set attached, the conversion label set being a set of labels that includes conversion labels obtained by converting labels, which are the names of a plurality of security attributes associated with the data, into names different from those labels, and the disclosure label set being a set of labels indicating the names of those security attributes, among the plurality of security attributes, that are disclosed in order to have the communication partner process the data;
     receiving from the communication partner a processing result of the data to which the conversion label set and the disclosure label set are attached; and
     verifying the security of the processing result using the conversion label set and the disclosure label set attached to the received processing result.
  10.  The information flow control method according to claim 9, wherein, in the transmitting, the conversion labels are generated by converting the plurality of security attributes, the conversion label set is generated including the generated conversion labels, the disclosure label set is generated by selecting from the plurality of security attributes the security attributes to be disclosed to the communication partner, a composite label is generated by concatenating the conversion label set and the generated disclosure label set, and the data is transmitted to the communication partner with the generated composite label attached.
  11.  The information flow control method according to claim 10, wherein, in the transmitting, when the data is transmitted to another communication partner different from the communication partner, the conversion labels are generated by converting the plurality of security attributes so that their names differ from the conversion labels used for the communication partner.
  12.  The information flow control method according to any one of claims 9 to 11, wherein the data processing apparatus further comprises label information storage means for storing information about labels,
     in the transmitting, the generated conversion labels are stored in the label information storage means, and
     in the verifying, the conversion labels stored in the label information storage means are acquired based on the conversion label set attached to the received processing result, a required label set that is the set of labels indicating the names of the security attributes disclosed to the communication partner of the received processing result is identified based on the acquired conversion labels, and the received processing result is determined to be legitimate when the identified required label set is included in the disclosure label set attached to the received processing result.
  13.  The information flow control method according to claim 12, wherein, in the verifying, a temporary security attribute is assigned to each temporary label, a temporary label being a label in the conversion label set attached to the received processing result other than the conversion labels stored in the label information storage means, the temporary security attribute is added to the plurality of security attributes associated with the data, and the temporary label and the temporary security attribute are stored in association with each other in the label information storage means, and
     in the transmitting, the conversion labels are generated by converting the plurality of security attributes to which the temporary security attribute has been added by the verifying, the temporary label associated with the temporary security attribute is acquired from the label information storage means, and the conversion label set is generated including the generated conversion labels and the acquired temporary label.
  14.  The information flow control method according to claim 12 or 13, wherein, in the transmitting, when all of the plurality of security attributes are disclosed to the communication partner, the conversion labels stored in the label information storage means are used without generating new conversion labels.
  15.  The information flow control method according to any one of claims 12 to 14, wherein, in the verifying, when the disclosure label set attached to the received processing result includes a new label not included in the required label set, a security attribute corresponding to the new label is added to the plurality of security attributes.
  16.  The information flow control method according to any one of claims 9 to 15, wherein, in the transmitting, conversion labels different from past conversion labels are generated from the labels that are the names of the plurality of security attributes.
  17.  A non-transitory computer-readable medium storing an information flow control program that causes a computer to execute an information flow control process including:
     transmission processing for transmitting data to a communication partner with a conversion label set and a disclosure label set attached, the conversion label set being a set of labels that includes conversion labels obtained by converting labels, which are the names of a plurality of security attributes associated with the data, into names different from those labels, and the disclosure label set being a set of labels indicating the names of those security attributes, among the plurality of security attributes, that are disclosed in order to have the communication partner process the data; and
     verification processing for receiving from the communication partner a processing result of the data to which the conversion label set and the disclosure label set are attached, and verifying the security of the processing result using the conversion label set and the disclosure label set attached to the received processing result.
  18.  The non-transitory computer-readable medium storing the information flow control program according to claim 17, wherein the transmission processing generates the conversion labels by converting the plurality of security attributes, generates the conversion label set including the generated conversion labels, generates the disclosure label set by selecting from the plurality of security attributes the security attributes to be disclosed to the communication partner, generates a composite label by concatenating the conversion label set and the generated disclosure label set, and transmits the data to the communication partner with the generated composite label attached.
  19.  The non-transitory computer-readable medium storing the information flow control program according to claim 18, wherein, when transmitting the data to another communication partner different from the communication partner, the transmission processing generates the conversion labels by converting the plurality of security attributes so that their names differ from the conversion labels used for the communication partner.
  20.  The non-transitory computer-readable medium storing the information flow control program according to any one of claims 17 to 19, wherein the computer further comprises label information storage means for storing information about labels,
     the information flow control process further includes processing for storing the conversion labels generated in the transmission processing in the label information storage means, and
     the verification processing acquires, based on the conversion label set attached to the received processing result, the conversion labels stored in the label information storage means, identifies, based on the acquired conversion labels, a required label set that is the set of labels indicating the names of the security attributes disclosed to the communication partner of the received processing result, and determines the received processing result to be legitimate when the identified required label set is included in the disclosure label set attached to the received processing result.
  21.  The non-transitory computer-readable medium storing the information flow control program according to claim 20, wherein the verification processing assigns a temporary security attribute to each temporary label, a temporary label being a label in the conversion label set attached to the received processing result other than the conversion labels stored in the label information storage means, adds the temporary security attribute to the plurality of security attributes associated with the data, and stores the temporary label and the temporary security attribute in association with each other in the label information storage means, and
     the transmission processing generates the conversion labels by converting the plurality of security attributes to which the temporary security attribute has been added by the verification processing, acquires the temporary label associated with the temporary security attribute from the label information storage means, and generates the conversion label set including the generated conversion labels and the acquired temporary label.
  22.  The non-transitory computer-readable medium storing the information flow control program according to claim 20 or 21, wherein, when all of the plurality of security attributes are disclosed to the communication partner, the transmission processing uses the conversion labels stored in the label information storage means without generating new conversion labels.
  23.  The non-transitory computer-readable medium storing the information flow control program according to any one of claims 20 to 22, wherein, when the disclosure label set attached to the received processing result includes a new label not included in the required label set, the verification processing adds a security attribute corresponding to the new label to the plurality of security attributes.
  24.  The non-transitory computer-readable medium storing the information flow control program according to any one of claims 17 to 23, wherein the transmission processing generates, from the labels that are the names of the plurality of security attributes, conversion labels different from past conversion labels.
  25.  前記送信手段は、前記通信相手において共通の性質を有する複数のセキュリティ属性に対して同一のラベルとして前記開示ラベル集合へ含めることを特徴とする請求項1又は2に記載のデータ処理システム。 3. The data processing system according to claim 1, wherein the transmission unit includes a plurality of security attributes having a property common to the communication partner in the disclosed label set as the same label.
  26.  前記送信手段は、前記通信相手に開示するセキュリティ属性を、前記通信相手において他のセキュリティ属性へのフローが制限されるラベルとして前記開示ラベル集合へ含めることを特徴とする請求項25に記載のデータ処理システム。 The data according to claim 25, wherein the transmission means includes the security attribute disclosed to the communication partner as a label that restricts a flow to another security attribute at the communication partner to the disclosed label set. Processing system.
  27.  前記通信相手において共通の性質を有する複数のセキュリティ属性に対して同一のラベルとして前記開示ラベル集合へ含めることを特徴とする請求項9又は10に記載の情報フロー制御方法。 The information flow control method according to claim 9 or 10, wherein a plurality of security attributes having a common property in the communication partner are included in the disclosed label set as the same label.
  28.  前記通信相手に開示するセキュリティ属性を、前記通信相手において他のセキュリティ属性へのフローが制限されるラベルとして前記開示ラベル集合へ含めることを特徴とする請求項27に記載の情報フロー制御方法。 28. The information flow control method according to claim 27, wherein a security attribute disclosed to the communication partner is included in the disclosure label set as a label that restricts a flow to another security attribute at the communication partner.
  29.  前記送信処理は、前記通信相手において共通の性質を有する複数のセキュリティ属性に対して同一のラベルとして前記開示ラベル集合へ含めることを特徴とする請求項17又は18に記載の情報フロー制御プログラムが格納された非一時的なコンピュータ可読媒体。 19. The information flow control program according to claim 17 or 18, wherein the transmission process includes a plurality of security attributes having a common property in the communication partner as the same label in the disclosed label set. Non-transitory computer readable medium.
  30.  前記送信処理は、前記通信相手に開示するセキュリティ属性を、前記通信相手において他のセキュリティ属性へのフローが制限されるラベルとして前記開示ラベル集合へ含めることを特徴とする請求項29に記載の情報フロー制御プログラムが格納された非一時的なコンピュータ可読媒体。 30. The information according to claim 29, wherein the transmission process includes a security attribute disclosed to the communication partner as a label that restricts a flow to another security attribute at the communication partner in the disclosed label set. A non-transitory computer readable medium storing a flow control program.
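As an added illustration, not code from the patent or its applicant, the following Python models how claims 22 to 25 fit together: a transmission step that hides undisclosed attributes behind a freshly generated conversion label, reuses the stored label when every attribute is disclosed, and a verification step that merges labels the partner attached to the returned result. The storage class, the partner-group mapping, the label-equals-attribute-name convention and the use of the labels that were sent as the required label set are assumptions.

```python
import secrets

# Constructed illustrative model of the claimed label conversion; every name
# below is an assumption, not an identifier from the patent.

class LabelStore:
    """Stands in for the label information storage means."""
    def __init__(self):
        self.issued = set()           # every conversion label ever generated
        self.hidden_by_label = {}     # conversion label -> attributes it stands for
        self.full_disclosure = None   # stored label reused when nothing is hidden

def new_conversion_label(store):
    """Claim 24: a fresh label that differs from every past conversion label."""
    while True:
        label = "cl-" + secrets.token_hex(4)
        if label not in store.issued:
            store.issued.add(label)
            return label

def build_disclosed_label_set(store, attributes, disclosed, partner_groups):
    """Transmission process: attributes the partner may see go out under one
    label per common-property group (claim 25); the remaining attributes are
    represented only by a conversion label the partner cannot resolve."""
    disclosed = set(disclosed)
    if not disclosed <= set(attributes):
        raise ValueError("cannot disclose an attribute the data does not carry")
    labels = {partner_groups.get(a, a) for a in disclosed}
    hidden = set(attributes) - disclosed
    if hidden:
        conv = new_conversion_label(store)
        store.hidden_by_label[conv] = frozenset(hidden)
    else:
        # Claim 22: everything is disclosed, so reuse the stored label
        # instead of generating a new one.
        if store.full_disclosure is None:
            store.full_disclosure = new_conversion_label(store)
        conv = store.full_disclosure
    return labels | {conv}, conv

def verify_result(attributes, required_labels, result_labels):
    """Verification process (claim 23): a label on the returned result that is
    not in the required label set names an attribute the partner attached;
    merge it into the attribute set so later flow control still honours it."""
    new = set(result_labels) - set(required_labels)
    return set(attributes) | new, sorted(new)
```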
PCT/JP2010/002057 2009-05-20 2010-03-24 Data processing system, information flow control method, and non-temporal computer readable medium storing program WO2010134249A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2009122344 2009-05-20
JP2009-122344 2009-05-20
JP2009-241431 2009-10-20
JP2009241431 2009-10-20

Publications (1)

Publication Number Publication Date
WO2010134249A1 true WO2010134249A1 (en) 2010-11-25

Family

ID=43125942

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/002057 WO2010134249A1 (en) 2009-05-20 2010-03-24 Data processing system, information flow control method, and non-temporal computer readable medium storing program

Country Status (1)

Country Link
WO (1) WO2010134249A1 (en)

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
KAZUHISA SUZUKI ET AL.: "Privacy-Aware Data Object Container ni yoru Sairyudo Data Access Seigyo Hoshiki", INFORMATION PROCESSING SOCIETY OF JAPAN KENKYU HOKOKU, vol. 2007, no. 10, 31 January 2007 (2007-01-31), pages 57 - 64 *
KYOJI KATSUNO ET AL.: "Security Policy Model ni Motozuku Kaisogata Kakuri ni yoru Joho Flow Seigyo System", SYMPOSIUM ON MULTIMEDIA, DISTRIBUTED, COOPERATIVE AND MOBILE SYSTEMS RONBUNSHU (DICOM02008), IPSJ SYMPOSIUM SERIES, vol. 2008, no. 1, 9 July 2008 (2008-07-09), pages 998 - 1006 *
MASAKAZU SOSHI ET AL.: "Dual Label o Riyo shita Access Seigyo Model", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 40, no. 3, 15 March 1999 (1999-03-15), pages 1305 - 1314 *
SACHIKO YOSHIHAMA ET AL.: "Doteki Approach ni yoru Gengo Base no Joho Flow Seigyo", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 48, no. 9, 15 September 2007 (2007-09-15), pages 3060 - 3072 *
SACHIKO YOSHIHAMA ET AL.: "Web Application ni Okeru Gengo Level no Doteki Joho Flow Seigyo", INFORMATION PROCESSING SOCIETY OF JAPAN KENKYU HOKOKU, vol. 2007, no. 16, 1 March 2007 (2007-03-01), pages 153 - 158 *
SHIN NAKAJIMA: "Web Service ni Okeru Anzensei to Security no Kaiseki", IEICE TECHNICAL REPORT, vol. 103, no. 483, 20 November 2003 (2003-11-20), pages 19 - 24 *
TAKUYA MISHINA ET AL.: "Raireki ni Motozuku Multi Level Security Bunsho Kanri System", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN RONBUNSHI JOURNAL, vol. 49, no. 9, 15 September 2008 (2008-09-15), pages 3062 - 3073 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6865338B1 (en) * 2020-01-05 2021-05-12 晴喜 菅原 Information processing system
JP2021111301A (en) * 2020-01-05 2021-08-02 晴喜 菅原 Information processing system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10777489; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10777489; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)