WO2010134249A1 - Data processing system, information flow control method and non-transitory computer-readable medium storing a program - Google Patents

Data processing system, information flow control method and non-transitory computer-readable medium storing a program

Info

Publication number
WO2010134249A1
Authority
WO
WIPO (PCT)
Prior art keywords
label
security
conversion
flow control
information flow
Application number
PCT/JP2010/002057
Other languages
English (en)
Japanese (ja)
Inventor
樋口直志
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Publication of WO2010134249A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105: Multiple levels of security
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data

Definitions

  • the present invention relates to a data processing system, an information flow control method, and a non-transitory computer-readable medium storing a program, and in particular to a data processing system that transmits and receives data between a plurality of dynamic information flow control systems operating according to labels that indicate the names of security attributes added to the data, an information flow control method for such a system, and a non-transitory computer-readable medium storing a program for it.
  • Non-Patent Document 1 describes an example of an information flow control system.
  • An information flow control system is a system that suppresses the propagation of information within a desired range.
  • the information flow control system is characterized in that propagation can be kept within the desired range even when the information is processed along the way or propagates in multiple stages via intermediaries.
  • Non-Patent Document 1 defines security classes that are classifications from the viewpoint of information security, and class join operations for these security classes. Further, Non-Patent Document 1 shows that the security class of information obtained as a result of a certain calculation is a combination of the security classes of the information to be calculated.
  • a logical storage has a function for holding information.
  • logical storage is a variable in a program.
  • the information held by the logical storage a is associated with a security class A that is a security attribute of the information.
  • security class B is associated with the information stored in the logical storage b.
  • the security class of information obtained as a result of applying some operation to the information held in the logical storage a and the information held in the logical storage b is A + B.
  • the symbol “+” indicates a class join operation.
  • in Non-Patent Document 1, a “+” surrounded by a circle is used as the symbol for the class join; in this specification, a plain “+” is used. Furthermore, it is assumed that the security class C is associated with the information stored in the logical storage c. At this time, the security class of information obtained as a result of applying some operation to the information held in the logical storages a, b, and c is A + B + C.
  • the flow relationship defines, for the single or combined security classes described above, in which logical storage the information obtained as a result of the operation may be stored.
  • the security class D is associated with information held by the logical storage d.
  • flow relationships are denoted by arrows.
  • the security class A + B information can be stored in the security class D logical storage.
  • the security class E is associated with the information held by the logical storage e.
  • if the following flow relationship (2) does not hold, information obtained as a result of applying some operation to the information held in the logical storages a, b, and c cannot be stored in the logical storage e.
  • Non-Patent Document 1 thus defines a join operation on security classes, which are the security classifications of information, and controls the flow of information by defining a flow relationship between security classes.
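The class join and flow relationship described above, as an added example that is not code from the patent or from Non-Patent Document 1. It assumes a security class is a frozenset of atomic attribute names, the join "+" is set union, and the flow relationship is an explicit allow-list of (source class, destination class) pairs plus the trivial flow of a class into a storage of the same class; the policy and storages a to e are constructed for the example.

```python
# Added example (not from the patent or Non-Patent Document 1): the class join
# "+" and the flow relationship, applied to the logical storages a, b, c, d, e.
# Assumptions: a security class is a frozenset of atomic attribute names, the
# join is set union, and the flow relationship is an explicit allow-list of
# (source class, destination class) pairs plus same-class flows.
from typing import Dict, FrozenSet, Set, Tuple

SecurityClass = FrozenSet[str]


def join(*classes: SecurityClass) -> SecurityClass:
    """Class join A + B + C: the union of the atomic attributes."""
    result: Set[str] = set()
    for cls in classes:
        result |= cls
    return frozenset(result)


class FlowPolicy:
    """The flow relationship: which (single or joined) class may be stored
    into a logical storage of which class."""

    def __init__(self, allowed: Set[Tuple[SecurityClass, SecurityClass]]):
        self.allowed = set(allowed)

    def may_flow(self, src: SecurityClass, dst: SecurityClass) -> bool:
        # A class may always be stored into a storage of the same class;
        # every other flow must be declared explicitly.
        return src == dst or (src, dst) in self.allowed


class LabelledProgram:
    """Logical storages with their security classes; every store of an
    operation result is checked against the flow relationship."""

    def __init__(self, policy: FlowPolicy, storages: Dict[str, SecurityClass]):
        self.policy = policy
        self.storages = dict(storages)

    def result_class(self, *sources: str) -> SecurityClass:
        """Class of the information obtained by operating on the sources."""
        return join(*(self.storages[s] for s in sources))

    def store_result(self, dst: str, *sources: str) -> bool:
        """dst = op(sources...).  True if the flow relationship permits the
        store, False if it would violate it (the store is refused)."""
        return self.policy.may_flow(self.result_class(*sources), self.storages[dst])


def example_flow_check() -> Dict[str, bool]:
    """Constructed policy: A + B may flow into d; nothing is declared for e."""
    A, B, C = frozenset({"A"}), frozenset({"B"}), frozenset({"C"})
    D, E = frozenset({"D"}), frozenset({"E"})
    policy = FlowPolicy({(join(A, B), D)})
    prog = LabelledProgram(policy, {"a": A, "b": B, "c": C, "d": D, "e": E})
    return {
        "A+B -> d": prog.store_result("d", "a", "b"),          # relationship (1) holds
        "A+B+C -> e": prog.store_result("e", "a", "b", "c"),   # relationship (2) does not
        "A+B+C -> d": prog.store_result("d", "a", "b", "c"),   # not declared either
    }


if __name__ == "__main__":
    print(example_flow_check())
```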
  • Non-Patent Document 2 describes another example of an information flow control system.
  • FIG. 11 is a block diagram expressing the contents described in Non-Patent Document 2 as an information flow control system.
  • the information flow control system shown in FIG. 11 includes Web services 81, 82 and 83, a security policy 84, a BPEL (Business Process Execution Language for Web Service) program verification means 85, a service cooperation system 86, and a cooperation result utilization means 88.
  • BPEL: Business Process Execution Language for Web Service
  • Web services 81, 82, and 83 provide independent services, and transmit information with a security label added to the service cooperation system 86.
  • the security label is the name of a single or combined security class shown in Non-Patent Document 1 described above.
  • the service linkage system 86 is a system that links a plurality of services provided by the Web services 81, 82, and 83.
  • the service cooperation system 86 executes a BPEL program 87 in which the manner of service cooperation is described. That is, first, the service cooperation system 86 receives information from each of the Web services 81, 82, and 83. Next, the service cooperation system 86 processes the information by the BPEL program 87 and generates a cooperation result. Then, the service cooperation system 86 adds a security label to the generated cooperation result and transmits it to the cooperation result utilization means 88. As a result, the service cooperation system 86 realizes an information flow from the Web services 81, 82, and 83 to the cooperation result utilization means 88.
  • the cooperation result utilization means 88 receives the cooperation result from the service cooperation system 86 and uses the cooperation result according to the security label added to the received information.
  • the security policy 84 defines information that may be transferred from the Web services 81, 82, and 83 to the cooperation result utilization means 88.
  • the security policy 84 corresponds to a set of flow relationships in Non-Patent Document 1 described above.
  • the BPEL program verification means 85 verifies the information flow generated by the BPEL program 87. That is, the BPEL program verification unit 85 verifies whether or not the BPEL program 87 can cause a flow of information contrary to the security policy 84.
  • the above security label and security policy 84 are determined before the operation of the information flow control system, and are constant throughout the operation. That is, the information exchanged during the operation can change according to the operation, but the security label of the information is determined before the operation. Further, the BPEL program verification means 85 performs verification prior to system operation in accordance with the security policy 84.
  • an information flow control system that verifies an information flow violation before the operation of the system is referred to as a static information flow control system.
  • Non-Patent Document 3 describes another example of an information flow control system.
  • FIG. 12 is a block diagram expressing the contents described in Non-Patent Document 3 as an information flow control system.
  • the information flow control system shown in FIG. 12 processes information input from the information input source 94 and outputs the processing result to the information output destination 99.
  • the information flow control system includes a program 91 in which the processing to be performed is described, an IRM (Inline Reference Monitor) 93 in which the processing for information flow control is described, and a program 96 with IRM, obtained by inserting the IRM 93 into the program 91.
  • the labeling policy 97 defines security labels added to information input from the information input source 94 to the program with IRM 96 and information output from the program with IRM 96 to the information output destination 99.
  • the information flow policy 98 defines a flow relationship between security labels.
  • the information flow control system shown in FIG. 12 operates as follows.
  • the program execution means 95 executes a program 96 with IRM. At that time, the program execution means 95 executes the original processing described in the program 91 among the programs 96 with IRM. At the same time, the program execution means 95 executes the processing described in the IRM 93 inserted by the IRM writing means 92 in the program 96 with IRM.
  • the program execution means 95 adds a security label to the logical storage according to the labeling policy 97 when storing the information read from the information input source 94 in the logical storage in the program 91.
  • when the program execution unit 95 performs a calculation on information by the program 91, it adds a label obtained by joining the security labels of the calculation target information to the logical storage that holds the calculation result. This corresponds to the class join of Non-Patent Document 1 described above.
  • when writing information to the information output destination 99, the program execution means 95 determines according to the information flow policy 98 whether the write is permitted, and does not write out the information if there is a violation.
  • an information flow control system that verifies an information flow violation during system operation is referred to as a dynamic information flow control system.
  • Patent Document 1 discloses a technique relating to a variable identifier transmission method that conceals information about an identifier from third parties by assigning a random number to the identifier and transmitting the encrypted identifier when the identifier is sent to another device.
  • Patent Document 2 discloses a technology relating to an information distribution method that facilitates information distribution while ensuring confidentiality.
  • the information transmission device of the slip issuer lists a set of a browsing range identifier for identifying a browsing range in which browsing of the slip is permitted and a common key for encrypting the browsing range for each viewer.
  • the information transmitting apparatus creates decryption information by encrypting this list with the public key of each viewer, and transmits the decryption information.
  • the information transmitting apparatus encrypts and transmits the portion specified by the browsing range identifier with the corresponding common key.
  • each viewer's information receiving device decrypts the received decryption information using its own secret key. The information receiving apparatus thereby acquires the common key for the browsing range permitted to it. Thereafter, the information receiving apparatus decrypts the permitted browsing range of the received slip with the acquired common key.
  • Patent Document 3 discloses a technique related to an information transmission method via an electronic document that takes into account the security of information that should not be known in the electronic document and the adverse effects on business execution.
  • the following processing is performed. First, an anonymization level for anonymizing a real name word in an electronic document to a predetermined abstraction level is determined. Next, an additional label corresponding to the identification number of the person who receives the electronic document is generated. Then, an anonymous word corresponding to the real name word is selected from the real name word / anonymous word dictionary storing the correspondence relationship between the real name word and the anonymous word which is an abstract concept of the real name word.
  • an anonymous word having a one-to-one correspondence with the real name word is generated, and the real name word / anonymous word map is stored only for that identification number.
  • Patent Document 4 discloses a technology related to an information asset management server that is disclosed to the outside while maintaining the safety of information assets.
  • the information asset management server disclosed in Patent Document 4 stores storage asset information from a user terminal and a security label that defines a rule to be observed when asset information is disclosed to the outside.
  • the information asset management server generates and stores meta information based on the security label.
  • the information asset management server generates and stores a public information asset obtained by processing the storage asset information based on the meta information.
  • Patent Document 5 discloses a technique related to a process management source sharing prevention method and program for avoiding name collision by changing the name of an object to be generated and preventing resource sharing.
  • the process management source sharing prevention method and program disclosed in Patent Document 5 forcibly enable simultaneous execution of a plurality of processes by an application program that prevents the simultaneous execution of a plurality of processes, and provides a foundation for information flow control.
  • Patent Document 6 discloses a technique related to an encryption ID handling method and a CRM (Customer Relationship Management) system that prevents theft of an encryption key and decryption of a skimmed number.
  • the CRM system disclosed in Patent Document 6 utilizes RFID (Radio Frequency Identification) having an encryption tag management unit.
  • the encryption tag management unit includes an encryption tag manufacturing unit that manufactures a serial encryption tag in which an encrypted serial ID, obtained by encrypting the RFID serial ID with a common key, is written, and a decryption unit that decrypts, with the common key, the encrypted serial ID read by the user with an RFID reader.
  • in Non-Patent Documents 2 and 3 and Patent Documents 1 to 6 described above, when data with a security label is transmitted and received between a plurality of dynamic information flow control systems whose transmission source and transmission destination differ, there is a problem that the same data cannot be appropriately processed based on the security label, information leakage cannot be prevented, and information cannot be transmitted and received safely.
  • the first reason is that the technology described in Non-Patent Document 2 performs static information flow control, so the security label is statically determined and a dynamic information flow control system cannot be connected.
  • the second reason for this is that the technique described in Non-Patent Document 3 transmits a security label associated with information, and thus cannot support secure connection.
  • the third reason is that the technique disclosed in Patent Document 1 cannot cope with a complicated internal structure such as security class coupling in a security label.
  • the security label is “information” indicating the classification of information from the viewpoint of security
  • the security label itself has a classification from the viewpoint of security.
  • the information flow control system s1 manages information by associating a security class and a security label with the following information.
  • the security class C and the security label LC are associated with information indicating the company c.
  • the information indicating the person a is associated with a security class A and a security label LA.
  • the labeling policy of the information flow control system s1 associates the security class C + A, which is a combination of the security class C and the security class A, with the security label LX.
  • the security label LX is associated with the salary information x of the person a working for the company c.
  • the information flow control system s1 can manage the salary information x of the person a.
  • the information flow control system s2 provides a service for receiving salary information of a plurality of employees from a plurality of companies, statistically processing the salary information for each company, and returning the results.
  • the information flow control system s2 needs to identify which company the received salary information belongs to, but does not need to identify which person it belongs to.
  • the information flow control system s3 is assumed to provide a service for managing the salary transfer account of each person including the person a.
  • the information flow control system s3 needs to identify which person the received salary information belongs, but does not need to identify which company it belongs to.
  • when the information flow control system s1 adds the security label LX to the salary information x of the person a working for the company c and transmits it to the information flow control systems s2 and s3, there are the following problems. That is, the information flow control system s2 cannot determine whether or not the security label LX added to the received salary information x belongs to the security class C.
  • the information flow control system s1 can determine that the security label LX corresponds to C + A by referring to its own labeling policy.
  • the information flow control system s2 does not have a labeling policy in which the security label LX is associated with C + A. Therefore, from the security viewpoint, it cannot distinguish the information of company c from that of other companies. That is, in this case, the information flow control system s2 cannot appropriately perform processing according to the security label added to the received information.
  • when the information flow control system s1 adds the security labels LC and LA to the salary information x of the person a working for the company c and transmits it to the information flow control systems s2 and s3, there are the following problems. That is, the information flow control system s2 may be able to determine that the salary information x relates to the person a. This is because the information flow control system s2 can determine from the received security label LC that the salary information x belongs to the company c, and the information flow control system s3 can determine from the received security label LA that the salary information x is that of the person a.
  • the security labels LC and LA are transmitted to the information flow control systems s2 and s3.
  • if the information flow control system s2 learns that the information flow control system s3 has identified the person a by the security label LA, it can associate the same security label LA, which is added to the salary information x it received, with the person a. That is, in this case, the information carried by the security label cannot be concealed, and the salary information x of the person a leaks to the information flow control system s2.
  • information indicating the person b is associated with a security class B and a security label LB.
  • the labeling policy of the information flow control system s1 associates a security class C + B, which is a combination of the security class C and the security class B, with a security label LY.
  • the security label LY is associated with the salary information y of the person b working at the company c.
  • the information flow control system s1 can manage the salary information y of the person a.
  • when the information flow control system s1 adds the security labels LC and LB to the salary information y of the person b working at the company c and transmits it to the information flow control system s2, there are the following problems. That is, even if the information flow control system s1 receives the processing result of the salary information x from the information flow control system s2, it cannot determine whether the information has been falsified. This is because, when the information flow control system s2 returns the processing result of the salary information y, it may, through fraud or failure, add the previously received security label LA instead of the security label LB.
  • the information flow control system s1 erroneously specifies that the processing result relates to the person a because the security label LA is added to the processing result received from the information flow control system s2. That is, in this case, the information flow control system s1 cannot detect that the processing result received from the information flow control system s2 has been tampered with. At the same time, in the information flow control system s1, the processing result of the person b is processed and disclosed as that of the person a, and information leaks.
  • when the information flow control system s1 adds only the security label LC to the salary information x of the person a working for the company c and transmits it to the information flow control system s2 without the security label LA, the following problem occurs. That is, even if the information flow control system s1 receives the processing result of the salary information x from the information flow control system s2, it cannot identify the processing result as relating to the person a. This is because the information flow control system s1 transmitted only the security label LC to the information flow control system s2. Therefore, the security label LA is not added to the processing result received from the information flow control system s2, and the information flow control system s1 cannot recover the set of security labels LC and LA from the processing result. That is, in this case, the information flow control system s1 cannot appropriately perform processing according to the security label added to the received processing result.
  • Patent Document 2 is a related technique for limiting the disclosure range in one piece of information according to the transmission destination.
  • Patent Document 3 is related technology that anonymizes information differently according to the disclosure level of a transmission destination for one piece of information.
  • Patent Document 4 is a related technique for generating a public information asset based on a security label.
  • Patent Document 5 is a related technology on the basis of information flow control.
  • Patent Document 6 is related technology in which a common key cryptosystem is applied to RFID. Therefore, even if they are combined, the above-described problems cannot be solved.
  • the present invention has been made to solve such problems, and its object is to provide a data processing system, an information flow control method, and a non-transitory computer-readable medium storing a program that, when the same data is processed between a plurality of dynamic information flow control systems based on security labels that differ between the transmission source and the transmission destination, process it appropriately, prevent information leakage, and transmit and receive information safely.
  • the data processing system includes transmission means for adding to data a converted label set, which is a set of labels including a converted label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data into a name different from that label, and a disclosed label set, which is a set of labels indicating the names of those security attributes, among the plurality, that are to be disclosed in order to have the communication partner process the data, and for transmitting the data to the communication partner; and verification means for receiving from the communication partner the processing result of the data to which the converted label set and the disclosed label set are added, and verifying the security of the processing result using the converted label set and the disclosed label set added to the received processing result.
  • the information flow control method includes a transmission step of adding to data a converted label set, which is a set of labels including a converted label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data into a name different from that label, and a disclosed label set, which is a set of labels indicating the names of those security attributes, among the plurality, that are to be disclosed in order to have the communication partner process the data, and transmitting the data to the communication partner; a step of receiving from the communication partner the processing result of the data to which the converted label set and the disclosed label set are added; and a verification step of verifying the security of the processing result using the converted label set and the disclosed label set added to the received processing result.
  • the non-transitory computer readable medium storing the information flow control program according to the third aspect of the present invention causes a computer to execute information flow control processing including: a transmission process of adding to data a converted label set, which is a set of labels including a converted label obtained by converting a label that is the name of one of a plurality of security attributes associated with the data into a name different from that label, and a disclosed label set, which is a set of labels indicating the names of those security attributes, among the plurality, that are to be disclosed in order to have the communication partner process the data, and transmitting the data to the communication partner; a process of receiving from the communication partner the processing result of the data to which the converted label set and the disclosed label set are added; and a verification process of verifying the security of the processing result using the converted label set and the disclosed label set added to the processing result.
  • according to the above aspects of the present invention, a data processing system, an information flow control method, and a non-transitory computer readable medium storing a program that transmit and receive information safely can be provided.
  • FIG. 1 is a block diagram showing a configuration of a dynamic information flow control system according to the first exemplary embodiment of the present invention.
  • the data processing system 10 is a computer system that transmits and receives data to and from a communication partner 20 that is an arbitrary information system.
  • the data processing system 10 includes a transmission unit 11 and a verification unit 12.
  • the transmission unit 11 adds the converted label set 32 and the disclosed label set 33 to the data 31 and transmits the data 31 to the communication partner 20.
  • the conversion label set 32 is a set of labels including at least conversion labels obtained by converting labels that are names of a plurality of security attributes associated with the data 31 into names different from the labels. It is assumed that the communication partner 20 cannot reversely convert the conversion label to the original label.
  • the disclosure label set 33 is a set of labels indicating names of security attributes to be disclosed for causing the communication partner 20 to process the data 31 among a plurality of security attributes associated with the data 31.
  • the disclosed label set 33 is a set of labels that the data processing system 10 determines to be disclosed to the communication partner 20 and is used for flow determination in the communication partner 20.
  • the disclosure label set 33 only needs to include at least one label.
  • the transmission unit 11 may include the converted label set 32 and the disclosed label set 33 in the communication packet including the data 31, for example.
  • for communication that involves a session, the transmission unit 11 may designate the converted label set 32 and the disclosed label set 33 at the start of the session, and the converted label set 32 and the disclosed label set 33 may then be treated as added to all data transmitted and received during the session.
  • the verification unit 12 receives from the communication partner 20 the processing result 34 of the data 31, to which the converted label set 35 and the disclosed label set 36 are added, and verifies the security of the processing result 34 using the converted label set 35 and the disclosed label set 36 added to the received processing result 34.
  • the data processing system 10 can prevent an information flow violation by discarding the received processing result 34 when the verification unit 12 determines that there is a problem with the security of the processing result 34.
  • FIG. 2 is a flowchart showing the flow of the information flow control process according to the first embodiment of the present invention.
  • the transmission unit 11 transmits data 31 to which the converted label set 32 and the disclosed label set 33 are added to the communication partner 20 (S10).
  • the communication partner 20 performs a predetermined process based on the disclosed label set 33 added to the received data 31 and generates a processing result 34. At this time, the communication partner 20 generates a converted label set 35 that includes the received converted label set 32, without converting at least the converted labels contained in it. Further, the communication partner 20 generates a disclosed label set 36 that includes at least the disclosed label set 33. Then, the communication partner 20 adds the converted label set 35 and the disclosed label set 36 to the generated processing result 34 and transmits it to the data processing system 10.
  • the verification unit 12 receives the processing result 34 from the communication partner 20 (S20).
  • the received processing result 34 includes a conversion label set 35 and a disclosure label set 36. Thereafter, the verification unit 12 verifies the security of the processing result 34 using the converted label set 35 and the disclosed label set 36 included in the received processing result 34 (S30).
  • the data processing system 10 can cause the communication partner 20 to process the data 31 based on the security attributes included in the disclosure label set 33. That is, the data processing system 10 can cause the communication partner 20 to appropriately process.
  • the data processing system 10 does not disclose to the communication partner 20 the security attributes named by the labels other than the disclosed label set 33 among the plurality of security attributes associated with the data 31. This is because the communication partner 20 cannot recover the labels before conversion from the converted label set 32. Therefore, the data processing system 10 can prevent information leakage without disclosing more security attributes than necessary to the communication partner 20.
  • the data processing system 10 can detect the presence or absence of falsification by comparing the conversion label set 35 added to the processing result 34 received from the communication partner 20 and the conversion label set 32, for example. Similarly, the data processing system 10 can appropriately process the processing result 34 by comparing the disclosure label set 36 added to the processing result 34 received from the communication partner 20 with the disclosure label set 33. .
  • Embodiment 1 of the present invention when the same data is processed based on security labels having different transmission sources and transmission destinations among a plurality of dynamic information flow control systems, the processing is appropriately performed. , Information leakage can be prevented and information can be transmitted and received safely.
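The round trip of Embodiment 1 (S10, S20, S30) written out as an added example; this is illustrative code, not code from the patent. It assumes, for illustration only, that security attributes are strings, that the conversion label is a random version-4 UUID whose mapping back to the attributes exists only inside system 10, that the disclosure policy is a dictionary from attribute to the partner IDs allowed to see it, and that the partner's "predetermined process" is a stand-in that tags the data. The sample data, policy and partner IDs are constructed.

```python
"""Added example, not part of the patent: the Embodiment 1 exchange between the
data processing system 10 (transmission unit 11 + verification unit 12) and a
communication partner 20.  Assumptions (mine): attributes are strings, the
conversion label is a random UUID4 that only system 10 can map back, the policy
is a dict, and the partner's processing is a stand-in."""
import uuid


class DataProcessingSystem:
    """System 10: converts, discloses selectively, and later verifies the reply."""

    def __init__(self, policy):
        # policy (assumed shape): attribute -> set of partner IDs allowed to see it
        self.policy = policy
        # conversion label -> (partner ID, all attributes, disclosed attributes)
        self.sent = {}

    def transmit(self, partner_id, attributes, payload):
        """S10: attach one opaque conversion label plus only the disclosable attributes."""
        conv = str(uuid.uuid4())          # unlinkable and non-reversible for the partner
        disclosed = frozenset(a for a in attributes
                              if partner_id in self.policy.get(a, ()))
        self.sent[conv] = (partner_id, frozenset(attributes), disclosed)
        return {"data": payload, "conv": frozenset({conv}), "disc": disclosed}

    def verify(self, partner_id, result):
        """S20/S30: accept only if a conversion label we issued to this partner is
        still present and the disclosure set we sent survived intact (set 32 vs 35,
        set 33 vs 36)."""
        mine = [c for c in result["conv"] if c in self.sent]
        if not mine:
            return False                  # our label was stripped or replaced
        for c in mine:
            sent_to, _, disclosed = self.sent[c]
            if sent_to != partner_id or not disclosed <= result["disc"]:
                return False
        return True

    def original_attributes(self, result):
        """Reverse conversion: possible only here, the mapping never left system 10."""
        return frozenset().union(*(self.sent[c][1] for c in result["conv"] if c in self.sent))


class CommunicationPartner:
    """System 20: may use the disclosed attributes, must carry conversion labels through."""

    def __init__(self, partner_id):
        self.partner_id = partner_id

    def process(self, msg):
        # Processing may depend only on what was disclosed; conversion labels are opaque.
        tag = "reviewed" if "A" in msg["disc"] else "untouched"
        return {"data": "%s:%s" % (tag, msg["data"]),
                "conv": msg["conv"] | {"%s-reply" % self.partner_id},   # set 35 includes set 32
                "disc": msg["disc"] | {"PUBLIC"}}                        # set 36 includes set 33


def exchange():
    """One round trip with partner p1, plus replies altered in ways S30 must reject."""
    system = DataProcessingSystem(policy={"A": {"p1"}, "B": {"p1", "p2"}, "C": set()})
    partner = CommunicationPartner("p1")
    msg = system.transmit("p1", {"A", "B", "C"}, "record-42")    # constructed sample data 31
    reply = partner.process(msg)                                 # processing result 34
    return {
        "sent": msg,
        "reply": reply,
        "accepted": system.verify("p1", reply),
        "dropped_attribute": system.verify("p1", dict(reply, disc=reply["disc"] - {"A"})),
        "stripped_label": system.verify("p1", dict(reply, conv=frozenset({"p1-reply"}))),
        "wrong_partner": system.verify("p2", reply),
        "recovered": system.original_attributes(reply),
    }
```

The partner never sees attribute C (it is in no disclosure set and the conversion label is a random identifier), yet system 10 recovers all three attributes from the returned conversion label; a reply whose conversion label was removed, whose disclosure set lost an attribute, or which arrives from a different partner than the label was issued to fails verification.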
  • FIG. 3 is a block diagram showing a configuration of the dynamic information flow control system according to the second exemplary embodiment of the present invention.
• FIG. 3 shows the dynamic information flow control system 40 and the dynamic information flow control systems 41 and 42, which transmit information to and receive information from the dynamic information flow control system 40 with the composite label described later attached.
• in the second embodiment, two dynamic information flow control systems, 41 and 42, exchange information with the dynamic information flow control system 40.
• the present invention is not limited to this, and an arbitrary number of such systems may be used.
• the dynamic information flow control systems 41 and 42 adopt the same internal configuration as the dynamic information flow control system 40. In the second embodiment of the present invention, illustration and description of these internal configurations are therefore omitted.
  • the dynamic information flow control systems 41 and 42 do not have to adopt the same configuration as the dynamic information flow control system 40. In this case, it is assumed that the dynamic information flow control systems 41 and 42 can recognize at least the composite label added to the information received from the dynamic information flow control system 40. At the same time, the dynamic information flow control systems 41 and 42 can add a composite label to the processing result when returning the processing result of the received information to at least the dynamic information flow control system 40.
  • the dynamic information flow control systems 40, 41 and 42 are realized as a combination of a computer and software operating on the computer.
• in each of them, the flow of information handled by the application unit is controlled based on the security label attached to the information. Details of how such a dynamic information flow control system is constructed are omitted because they are known to those skilled in the art; this embodiment describes only the configuration and operation added to the dynamic information flow control system so that information can be exchanged safely with other dynamic information flow control systems.
  • the composite label is a label in which the converted label set and the disclosed label set are connected.
• the conversion label set includes one or more conversion labels.
• the conversion label is obtained, as in the first embodiment of the present invention, by converting a security label, which is the name of the plurality of security attributes associated with the data to be transmitted or received, into a name different from that security label. It is assumed that the dynamic information flow control systems 41 and 42 cannot convert a conversion label received from the dynamic information flow control system 40 back into the original label.
• the conversion label set may also include temporary labels, that is, labels that the system did not itself generate as conversion labels.
  • a temporary security class (hereinafter referred to as a temporary class) that is a temporary security attribute is assigned to the temporary label.
  • the temporary class is a security class to be processed in a system other than the dynamic information flow control system 40.
  • the temporary class is handled as a security class that can flow to any logical storage with the weakest restriction in flow determination in the dynamic information flow control system 40.
• the disclosure label set is the set of disclosure labels, that is, those of the plurality of security labels associated with the data 31 that are disclosed to the dynamic information flow control system 41 or 42 so that it can process the data.
  • the disclosure label set is used for flow determination in the dynamic information flow control systems 41 and 42.
  • the disclosure label set only needs to include at least one disclosure label.
• a set of labels is expressed as “{L1, L2, ..., Ln}” using curly brackets, and a pair of label sets is expressed as “(label set, label set)”.
  • the converted label set is expressed as the first element of the pair
  • the disclosed label set is expressed as the second element of the pair.
• a composite label in which the conversion labels LX, LY, and LZ and the disclosure labels LA, LB, and LC are connected is represented as “({LX, LY, LZ}, {LA, LB, LC})”.
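A reader and writer for this notation, added here as an example and not taken from the patent. It assumes, as a convention of mine, that a label is any run of characters other than braces, parentheses, commas and whitespace, that the conversion label set must be non-empty (a transmission conversion label is always generated), and that the disclosure label set may be empty, matching the case in which nothing is disclosable.

```python
"""Added example, not from the patent: parse and format the composite label
notation "({LX, LY, LZ}, {LA, LB, LC})".  Assumed grammar: labels contain no
braces, parentheses, commas or whitespace; the first set is non-empty."""
import re

_LABEL = r"[^{}(),\s]+"
_SET = r"\{\s*((?:%s\s*(?:,\s*%s\s*)*)?)\}" % (_LABEL, _LABEL)
_COMPOSITE = re.compile(r"^\s*\(\s*%s\s*,\s*%s\s*\)\s*$" % (_SET, _SET))


def format_composite(conv, disc):
    """Render (conversion label set, disclosure label set) in the patent's notation;
    labels are sorted so that equal sets always print identically."""
    return "({%s}, {%s})" % (", ".join(sorted(conv)), ", ".join(sorted(disc)))


def parse_composite(text):
    """Parse the notation into (frozenset, frozenset); raise ValueError on malformed input
    or on an empty conversion label set."""
    m = _COMPOSITE.match(text)
    if m is None:
        raise ValueError("not a composite label: %r" % text)
    conv, disc = (frozenset(re.findall(_LABEL, g)) for g in m.groups())
    if not conv:
        raise ValueError("conversion label set must contain at least one label")
    return conv, disc
```

Because the sets are unordered, the parser returns frozensets and the formatter sorts, so `parse_composite(format_composite(c, d))` gives back `(c, d)` regardless of the order in which labels were written.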
• the dynamic information flow control system 40 shown in FIG. 3 includes an application unit 51, a disclosure determination unit 52, a composite label generation unit 53, a composite label analysis unit 54, a security policy storage unit 55, a composite label storage unit 56, a security label storage unit 57, and a temporary class storage unit 58.
  • the application unit 51 processes information transmitted to and received from the dynamic information flow control system 41 or 42.
• the application unit 51 realizes information flow control by performing processing based on the security label added to the transmitted or received information. Specifically, the application unit 51 first inputs to the composite label generation unit 53 the security label to be added to the information to be transmitted and the transmission destination system ID, which is the identifier of the dynamic information flow control system to which the information is to be transmitted. The application unit 51 then adds the composite label output by the composite label generation unit 53 to the information and transmits it.
  • the application unit 51 receives information to which a composite label is added from the dynamic information flow control system 41 or 42. Then, the application unit 51 inputs the received composite label to the composite label analysis unit 54. Thereafter, the application unit 51 receives the security label output from the composite label analysis unit 54 and processes the information. For example, the application unit 51 receives a processing result of information transmitted by itself.
  • the security label storage unit 57 stores a set of a security label 571 and a class combination 572 that is a security class combination.
  • the class combination 572 is expressed as a kind of security class set.
• the security label storage unit 57 returns the class combination 572 for a lookup that uses the security label 571 as the key.
• the security label storage unit 57 returns the security label 571 for a lookup that uses the class combination 572 as the key.
• if there is no entry corresponding to the key in either lookup, the security label storage unit 57 returns that fact.
  • the class combination 572 may include the provisional class described above.
• the pair of the security label 571 and the class combination 572 stored in the security label storage unit 57 may be registered while the dynamic information flow control system 40 is operating, or may be given as a system security setting before the dynamic information flow control system 40 starts operating.
• the temporary class storage unit 58 stores pairs of a conversion label 581 and a temporary class 582, the latter not being used for flow determination within the dynamic information flow control system 40. The temporary class storage unit 58 returns the temporary class 582 for a lookup that uses the conversion label 581 as the key, and returns the conversion label 581 for a lookup that uses the temporary class 582 as the key. If there is no entry corresponding to the key in either lookup, the temporary class storage unit 58 returns that fact.
  • the composite label generation unit 53 receives the security label and the transmission destination system ID added to the transmission target information input from the application unit 51, and generates a composite label from the security label. Then, the composite label generation unit 53 outputs the generated composite label to the application unit 51. Details of the processing of the composite label generation unit 53 will be described later with reference to FIG.
  • the security policy storage unit 55 stores the above-described disclosure label in association with the system ID of the disclosure destination dynamic information flow control system.
• the disclosure determination unit 52 refers to the security policy storage unit 55 and determines, from a security class and the identifier of a dynamic information flow control system, whether that security class may be disclosed to that dynamic information flow control system.
  • the disclosure determination by the disclosure determination unit 52 is realized using the security policy storage unit 55, but the disclosure determination unit 52 is not limited to this.
  • the disclosure destination may be defined by other methods.
• the composite label storage unit 56 stores, as one entry, a transmission destination system ID 561, which is the identifier of the dynamic information flow control system that is the destination of the information, a security label 562 assigned to the information in the dynamic information flow control system 40, a transmission conversion label 563 converted from the security label 562, and the composite label 564 that was added to the information when it was transmitted to the transmission destination system ID 561.
  • the composite label generation unit 53 may output the generated composite label to the application unit 51 and store it in the composite label storage unit 56.
  • the composite label storage unit 56, the security label storage unit 57, and the temporary class storage unit 58 can be said to be label information storage means for storing information relating to labels.
  • the application unit 51, the disclosure determination unit 52, and the composite label generation unit 53 can be said to be transmission units.
• it is desirable that the transmission unit converts the plurality of security attributes to generate a conversion label, generates the conversion label set including the generated conversion label, selects from the plurality of security attributes those to be disclosed to the communication partner to generate a disclosure label set, concatenates the conversion label set and the generated disclosure label set to generate a composite label, adds the generated composite label to the data, and transmits the data to the communication partner.
• thereby, the conversion label set and the disclosure label set added to the transmitted information become a single composite label, and the accuracy of falsification detection can be raised.
  • the transmission unit may generate a conversion label by converting a plurality of security attributes so as to have a name different from the conversion label of the communication partner.
• that is, when the same information is transmitted to both dynamic information flow control systems 41 and 42, the composite label generation unit 53 may generate a conversion label for the dynamic information flow control system 41 that differs from the one it generates for the dynamic information flow control system 42. This makes the labels difficult to decipher even if the contents transmitted to a plurality of communication partners are compared with each other.
• the transmission unit may also generate, from the labels that name a plurality of security attributes, a conversion label that differs from conversion labels generated in the past. That is, when the composite label generation unit 53 generates a conversion label again from a security label that was added to information transmitted in the past, it may generate a conversion label different from the earlier one; in other words, it may generate different conversion labels from the same security label. This makes the labels difficult to decipher even if a plurality of transmitted contents are compared with each other.
  • the composite label analysis unit 54 receives the composite label added to the received processing result input from the application unit 51, analyzes the composite label, and converts it back to a security label. Then, the composite label analysis unit 54 outputs the reversely converted security label to the application unit 51. Further, the composite label analysis unit 54 makes an inquiry to the disclosure determination unit 52 as appropriate during the analysis. Details of the processing of the composite label analysis unit 54 will be described later with reference to FIGS.
• the processing result received by the application unit 51 includes the conversion label generated by the composite label generation unit 53 at the time of transmission. Therefore, of the conversion labels in the conversion label set of the received composite label, the composite label analysis unit 54 converts those generated by its own composite label generation unit 53 back into security labels. It then calculates the essential security class set, that is, the classes that the received composite label must contain, by removing the non-disclosed security classes from the security class combination corresponding to the reconverted security label. Next, the composite label analysis unit 54 removes the transmission conversion labels from the conversion label set of the received composite label, and removes any unknown security class from the security class set corresponding to the remaining conversion labels.
  • the composite label analysis unit 54 removes an unknown security class from the security class set corresponding to the disclosed label set included in the received composite label.
  • the unknown security class is a security class corresponding to a newly acquired security label.
• from the remaining classes, the composite label analysis unit 54 calculates the known security class set. Thereafter, the composite label analysis unit 54 determines whether or not the known security class set includes the essential security class set.
• the application unit 51, the disclosure determination unit 52, and the composite label analysis unit 54 can be said to constitute the verification unit. The verification unit acquires, from the label information storage means, the conversion label that matches the conversion label set added to the received processing result and, based on the acquired conversion label, judges whether the received processing result corresponds to data that it disclosed to that communication partner.
• thereby, the correctness of the processing result can be accurately detected.
• it is desirable that the verification unit assigns a temporary security attribute to each temporary label, that is, each label in the conversion label set added to the received processing result that is not a conversion label stored in the label information storage means, adds that temporary security attribute to the plurality of security attributes associated with the data, and stores the temporary label and the temporary security attribute in association with each other in the label information storage means.
• the transmission unit described above then generates the conversion label by converting the plurality of security attributes to which the verification unit added the temporary security attribute, acquires from the label information storage means the temporary label associated with that temporary security attribute, and generates the conversion label set so that it includes both the generated conversion label and the acquired temporary label. Thereby, the detection accuracy can be increased.
• consider the case where the conversion label set that the dynamic information flow control system 41 receives from the dynamic information flow control system 42 includes a conversion label generated by the dynamic information flow control system 42. The dynamic information flow control system 41 cannot map that conversion label to a security class, so it treats the conversion label as a temporary label and assigns it a temporary security class. Thereby, the dynamic information flow control system 41 can process the information appropriately. When the dynamic information flow control system 41 returns the result to the dynamic information flow control system 42, it further adds the temporary label to the conversion label set it generates.
  • the dynamic information flow control system 42 can perform appropriate processing because the conversion label set received from the dynamic information flow control system 41 includes the conversion label generated by itself.
• in this way, even if the conversion label set includes a conversion label generated by a system other than the receiving system, the dynamic information flow control system 41 can process it appropriately by assigning a temporary security class.
• the verification unit may also add the security attribute corresponding to a new label to the plurality of security attributes. Thereby, newly added classes can be included, and security can be improved.
• the dynamic information flow control systems 41 and 42 receive information from the dynamic information flow control system 40, but that information arrives as a processing request rather than as a reply. That is, the application unit 51 in the dynamic information flow control systems 41 and 42 receives new information, not the processing result of information it transmitted itself, so the received information carries a composite label that the receiving system did not generate.
• even in this case, the essential security class set described above is calculated.
• the essential security class set is then the empty set, because the composite label of the received information contains no conversion label generated by the composite label generation unit 53 of the receiving system. The known security class set therefore always includes the essential security class set, the inspection passes, and the information can be received normally. Thus, whether the composite label of the received information is attached to reply information or to spontaneously transmitted information, the same inspection as described above may be performed.
  • the composite label generation unit 53 generates a different conversion label for each dynamic information flow control system of the transmission destination.
• the composite label analysis unit 54 according to the second embodiment of the present invention inspects the disclosure label set included in the received composite label and, if the inspection fails, discards the information to which the composite label was added, thereby preventing an information flow violation.
• the composite label generation unit 53 refers to the composite label storage unit 56 using the identifier of the destination dynamic information flow control system and the security label of the information to be transmitted as keys.
• if a stored composite label is found for that combination, the security label is replaced with that composite label.
  • FIG. 4 is a flowchart showing the flow of the composite label generation process according to the second embodiment of the present invention.
  • FIG. 5 is a diagram illustrating an example of data in the composite label generation process according to the second embodiment of the present invention.
  • the composite label generation unit 53 converts a security label of information to be transmitted to generate a transmission conversion label that is a conversion label (S201).
  • the composite label generation unit 53 converts the security label LX to generate a transmission conversion label LX ′.
  • the composite label generation unit 53 generates a conversion label for transmission so as to be unique within a plurality of dynamic information flow control systems including the dynamic information flow control systems 40, 41 and 42.
• for example, the transmission conversion label is a UUID (Universally Unique Identifier; ISO (International Organization for Standardization)/IEC (International Electrotechnical Commission) 11578:1996, RFC (Request for Comments) 4122). Since the UUID generation method is known to those skilled in the art, a detailed description is omitted. Note that a UUID guarantees uniqueness, not unpredictability: since the communication partner must not be able to reverse or correlate conversion labels, a randomly generated (version 4) UUID drawn from a cryptographically secure random number generator is the appropriate choice, whereas a time-based (version 1) UUID embeds a timestamp and node address.
  • the composite label generation unit 53 refers to the security label storage unit 57 and acquires a security class set corresponding to the security label (S202). For example, in FIG. 5, the composite label generation unit 53 acquires class combination Y + Z + A + B + C. Then, the composite label generation unit 53 refers to the temporary class storage unit 58 and determines whether each security class included in the acquired security class set belongs to the temporary class (S203). For example, in FIG. 5, the composite label generation unit 53 determines that the security classes Y and Z belong to the temporary class. When there is a security class determined to belong to the temporary class, the composite label generation unit 53 acquires a temporary conversion label corresponding to the temporary class from the temporary class storage unit 58 (S204). For example, in FIG. 5, the composite label generation unit 53 acquires the security labels LY and LZ from the security classes Y and Z that are temporary classes.
• the composite label generation unit 53 generates a conversion label set by connecting the transmission conversion label generated in step S201 and the temporary conversion labels acquired in step S204 (S205). For example, in FIG. 5, the composite label generation unit 53 generates the conversion label set {LX′, LY, LZ}.
• when there is a security class determined not to belong to the temporary class, the composite label generation unit 53 queries the disclosure determination unit 52, using the security classes remaining after the temporary classes are removed from the security class set together with the transmission destination dynamic information flow control system as keys, to determine which of them are to be disclosed (S206). For example, in FIG. 5, the composite label generation unit 53 determines that A and B among the security classes A, B, and C are to be disclosed, and that the security class C is not to be disclosed. If there is a security class determined to be a disclosure target, the composite label generation unit 53 refers to the security label storage unit 57 and acquires the security label corresponding to that security class (S207).
• for example, in FIG. 5, the composite label generation unit 53 acquires the security labels LA and LB from the security classes A and B. Thereafter, the composite label generation unit 53 generates a disclosure label set by concatenating the acquired security labels (S208). For example, in FIG. 5, the composite label generation unit 53 generates the disclosure label set {LA, LB}. If it is determined in step S206 that none of the security classes is to be disclosed, the composite label generation unit 53 generates an empty disclosure label set.
• the composite label generation unit 53 generates a composite label by connecting the conversion label set generated in step S205 and the disclosure label set generated in step S208 (S209). For example, in FIG. 5, the composite label generation unit 53 generates the composite label ({LX′, LY, LZ}, {LA, LB}). The application unit 51 then adds the composite label generated by the composite label generation unit 53 to the data and transmits it (S210). At the same time, the composite label generation unit 53 stores the destination system ID, the security label, the transmission conversion label, and the generated composite label in association with each other in the composite label storage unit 56 (S211).
  • FIG. 6 is a flowchart showing the first half of the composite label analyzing process according to the second embodiment of the present invention.
  • FIG. 7 is a flowchart showing the latter half of the composite label analysis process according to the second embodiment of the present invention.
  • FIG. 8 is a diagram illustrating an example of data in the composite label analysis process according to the second embodiment of the present invention.
• the application unit 51 receives the processing result to which a composite label has been added (S301). The composite label analysis unit 54 then receives from the application unit 51 the composite label added to the received processing result. Next, the composite label analysis unit 54 separates the composite label into a conversion label set and a disclosure label set (S302). For example, in FIG. 8, the composite label analysis unit 54 separates it into the conversion label set {LX′, LY, LZ, LV} and the disclosure label set {LA, LB, LD}.
• the composite label analysis unit 54 refers to the composite label storage unit 56 and determines whether or not the conversion label set includes a transmission conversion label generated by itself (S303). For example, in FIG. 8, the composite label analysis unit 54 determines that the conversion label set {LX′, LY, LZ, LV} includes the transmission conversion label LX′. When it is determined that a transmission conversion label is included, the composite label analysis unit 54 acquires the transmission destination system ID associated with that transmission conversion label from the composite label storage unit 56 (S304). At the same time, the composite label analysis unit 54 refers to the composite label storage unit 56 and acquires the corresponding security labels for all transmission conversion labels included in the conversion label set (S305). For example, in FIG. 8, the composite label analysis unit 54 acquires the security label LX from the transmission conversion label LX′. Then, the composite label analysis unit 54 refers to the security label storage unit 57 and acquires the security class set corresponding to the acquired security label (S306). For example, in FIG. 8, the composite label analysis unit 54 acquires the class combination Y + Z + A + B + C from the security label LX.
• the composite label analysis unit 54 refers to the temporary class storage unit 58 and determines whether each security class included in the acquired security class set belongs to the temporary class (S307). For example, in FIG. 8, the composite label analysis unit 54 determines that the security classes Y and Z belong to the temporary class. When there is a security class determined not to belong to the temporary class, the composite label analysis unit 54 queries the disclosure determination unit 52, using the security classes remaining after the temporary classes are removed from the security class set together with the transmission destination dynamic information flow control system as keys, to determine which of them are to be disclosed (S308). For example, in FIG. 8, the composite label analysis unit 54 determines that A and B among the security classes A, B, and C are to be disclosed, and that the security class C is not to be disclosed.
• the composite label analysis unit 54 then generates the essential security class set consisting of the security classes determined to be disclosure targets (S311). For example, in FIG. 8, the composite label analysis unit 54 generates the essential security class set {A, B}. If it is determined in step S307 that a security class belongs to the temporary class, or after step S311, the process proceeds to step S318 described later. Further, after step S306, the composite label analysis unit 54 includes each security class of the acquired security class set in the new security class combination (S315). For example, in FIG. 8, the composite label analysis unit 54 generates the new security class combination Y + Z + A + B + C.
• for each label in the conversion label set other than the transmission conversion label, the composite label analysis unit 54 determines whether a temporary class can be acquired for it from the temporary class storage unit 58 (S313). When it is determined that a temporary class can be acquired, the composite label analysis unit 54 acquires the temporary class corresponding to that label from the temporary class storage unit 58 (S314). For example, in FIG. 8, the composite label analysis unit 54 acquires the temporary classes Y and Z from the labels LY and LZ. Thereafter, the composite label analysis unit 54 includes the acquired temporary classes in the new security class combination (S315); in FIG. 8 they are already present in the new security class combination, so nothing is newly added. At the same time, the composite label analysis unit 54 includes the acquired temporary classes in the known security class set (S312). For example, in FIG. 8, the composite label analysis unit 54 generates the known security class set {Y, Z}.
• when a temporary class cannot be acquired, the composite label analysis unit 54 assigns a new temporary class to the label (S316). For example, in FIG. 8, the composite label analysis unit 54 assigns the temporary class V to the label LV. That is, the composite label analysis unit 54 assigns a new temporary class to any label in the conversion label set that is neither a transmission conversion label generated by itself nor a label for which a temporary class was acquired in the past. The composite label analysis unit 54 then registers the assigned temporary class and the label in the temporary class storage unit 58 (S317). At the same time, the composite label analysis unit 54 includes the assigned temporary class in the new security class combination (S315). For example, in FIG. 8, the composite label analysis unit 54 generates the new security class combination Y + Z + V + A + B + C.
• the composite label analysis unit 54 refers to the security label storage unit 57 and determines whether the disclosure label set separated in step S302 contains any security label that is not registered there (S309). For example, in FIG. 8, the composite label analysis unit 54 determines that the disclosure label set {LA, LB, LD} contains no unregistered security label. When it is determined that no unregistered security label is included, the composite label analysis unit 54 acquires from the security label storage unit 57 all security classes for the disclosure labels included in the disclosure label set (S310). For example, in FIG. 8, the composite label analysis unit 54 acquires the security classes A, B, and D.
• the composite label analysis unit 54 includes the acquired security classes in the new security class combination (S315). For example, in FIG. 8, the composite label analysis unit 54 generates the new security class combination Y + Z + V + A + B + C + D.
• the composite label analysis unit 54 also includes the acquired security classes in the known security class set (S312). For example, in FIG. 8, the composite label analysis unit 54 generates the known security class set {Y, Z, A, B, D}. If it is determined in step S309 that an unregistered security label is included, the process proceeds to step S319 described later.
  • the composite label analysis unit 54 performs label consistency determination, checking by set inclusion whether the known security class set generated in step S312 includes the essential security class set generated in step S311 (S318). If it is determined that there is no label consistency, the composite label analysis unit 54 discards the received processing result and composite label (S319), because an unknown security label has been disclosed and subsequent information flow control cannot be performed correctly. Thereafter, the composite label analysis process ends.
  • the composite label analysis unit 54 determines whether or not a security label can be obtained by querying the security label storage unit 57 with the new security class combination generated in step S315 as the key (S320). If the security label can be acquired, the composite label analysis unit 54 acquires the security label and ends the composite label analysis process.
  • the composite label analysis unit 54 creates a new security label (S321). For example, in FIG. 8, the composite label analysis unit 54 determines that there is no security label corresponding to the new security class combination Y + Z + V + A + B + C + D, and creates a new security label LW. Then, the composite label analysis unit 54 registers the created security label in the security label storage unit 57 (S322).
  • the security label can be partially disclosed and information leakage can be prevented.
  • a composite label is generated by combining a conversion label obtained by converting the original security label and a disclosed label set corresponding to the disclosed security classes among the security class combination corresponding to the original security label.
  • the effects of the present invention will be specifically described using the examples shown in the problem of the invention.
  • the information flow control system s1, the information flow control system s2, and the information flow control system s3 are connected according to the example shown in the subject of the invention.
  • salary information x and y of the person a and the person b of the company c are managed on the information flow control system s1.
  • the statistical processing service operates on the information flow control system s2.
  • the salary transfer account management service is operating on the information flow control system s3.
  • the information flow control system s1 requests the information flow control system s2 to perform processing and receives a result (statistical information).
  • the information flow control system s1 requests the information flow control system s3 to transfer the salary of the person a and receives a result (transfer completion notification).
  • the disclosure determination unit on the information flow control system s1 determines to disclose the security label LC to the information flow control system s2. This determination is performed based on, for example, a security policy set in advance.
  • the composite label generated by the composite label generation unit on the information flow control system s1 and sent to the information flow control system s2 is ({LX′}, {LC}).
  • the disclosure determination unit on the information flow control system s1 determines to disclose the security label LA to the information flow control system s3. This determination is performed based on, for example, a security policy set in advance.
  • the composite label generated by the composite label generation unit on the information flow control system s1 and sent to the information flow control system s3 is ({LX″}, {LA}). Since a conversion label is created for each dynamic information flow control system of the transmission destination, the security label LX on the information flow control system s1 becomes a different conversion label for each destination: LX′ for the information flow control system s2 and LX″ for the information flow control system s3.
  • composite labels are stored in a composite label storage unit on the information flow control system s1 in combination with the original security label LX.
  • both of the conversion labels LX′ and LX″ correspond to the security label LX. Since this correspondence is held on the information flow control system s1, it is not known to the information flow control systems s2 and s3.
  • the fact that the security class C corresponding to the security label LC disclosed to the information flow control system s2 is included in the security class combination corresponding to the conversion label LX″ sent to the information flow control system s3 is not known to the information flow control systems s2 and s3. This is because the composite label storage unit is held on the information flow control system s1 and is not disclosed to the information flow control systems s2 and s3.
  • likewise, the fact that the security class A corresponding to the security label LA disclosed to the information flow control system s3 is included in the security class combination corresponding to the conversion label LX′ sent to the information flow control system s2 is not known to the information flow control systems s2 and s3, since the composite label storage unit is on the information flow control system s1. Therefore, even if the composite labels of the information sent to the information flow control systems s2 and s3 are matched against each other, information leakage can be prevented.
  • suppose that the composite label ({LX″}, {LA}) added to the information sent to the information flow control system s3 is tampered with, on the information flow control system s3 or on the communication path, when the processing result is returned.
  • the composite label analysis unit on the information flow control system s1 restores the conversion label LX″ in the composite label to the original security label LX, confirms that the security label LX corresponds to the security class combination C + A, removes the undisclosed security class C from this security class combination, and calculates the essential security class set {A}.
  • a known security class set is calculated from the security class set {B} corresponding to the disclosed label set {LB}.
  • since {A} ⊆ {B} does not hold, it can be detected that the composite label has been tampered with.
  • the second embodiment it is possible to prevent information leakage caused by matching the composite label between other dynamic information flow control systems connected to the dynamic information flow control system 40.
  • information transmitted from the dynamic information flow control system 40 to other dynamic information flow control systems is given a composite label generated by the composite label generation unit 53.
  • the composite label includes the security labels corresponding to the security classes determined to be disclosed by the disclosure determining unit 52, while the other security labels are included only in the form of conversion labels. Further, the disclosure determination is performed according to the identifier of the dynamic information flow control system of the transmission destination. Therefore, even if the other dynamic information flow control systems connected to the dynamic information flow control system 40 match their composite labels against each other, they cannot associate the composite labels with each other.
  • the essential security class set is calculated from the transmission conversion label included in the composite label.
  • the essential security class set includes all the security classes corresponding to the conversion labels and the disclosure labels included in the security label corresponding to the transmission conversion label. Since this calculation is performed based on the composite label storage unit 56, the temporary class storage unit 58, and the security label storage unit 57 within the dynamic information flow control system 40, it cannot be interfered with by other dynamic information flow control systems.
  • a known security class set is calculated from this composite label.
  • if the composite label is tampered with on the other dynamic information flow control system, or on the communication path from the other dynamic information flow control system to the dynamic information flow control system 40, so that part of the disclosure label set is changed or a disclosure label is missing, the tampering can be detected by comparison with the essential security class set.
  • the first embodiment of the present invention is equivalent to FIG.
  • the dynamic information flow control system 40 is the statistical processing system s12 of the company c
  • the dynamic information flow control system 41 is the statistical processing system s12
  • the dynamic information flow control system 42 is the bank account management system s13.
  • a security class C indicating that the information is for the company c and security classes A and B indicating that the information is related to the employees a and b are defined. Then, it is assumed that the personnel system s11 has already stored the data shown in FIG. Further, it is assumed that the personnel system s11 has already stored the data shown in FIG.
  • the statistical processing system s12 shall set in advance a security class C indicating that it is information of the company c and a security label LC corresponding to C.
  • the bank account management system s13 sets in advance a security class A indicating that the information is the person a and a security label LA corresponding to A.
  • the personnel system s11 generates a transmission conversion label LX ′ from the security label LX, and sends the composite label ( ⁇ LX ′ ⁇ , ⁇ LC ⁇ ) to the statistical processing system s12 with accompanying salary information.
  • the bank account management system s13 is requested to transfer the pay of the person a. It is necessary to add the security label LA corresponding to the security class A to the salary information whose processing is requested, so that the salary information is not mixed with other people's information. However, it is not necessary to provide the identification information of the company c to the bank account management system s13. Accordingly, the personnel system s11 generates a transmission conversion label LX″ from the security label LX, adds the composite label ({LX″}, {LA}) to the salary information, and sends it to the bank account management system s13.
  • suppose the composite label ({LZ′, LX″}, {LA}) to be added is tampered with into ({LZ′, LX″}, {LB}). Then {LA} is calculated as the essential security class set from LX″, and {LB} is calculated as the known security class set from ({LZ′, LX″}, {LB}). Since {LA} ⊆ {LB} does not hold, tampering is detected.
  • LZ′ is a transmission conversion label generated by the bank account management system s13. Thereby, it is possible to prevent the salary transfer amount of the person a from leaking to the person b.
  • the added composite label becomes ({LZ′, LX″}, {LA}).
  • the best mode of the invention is used for the bank account management system s13
  • the best mode of the other invention is used for the bank account management system s13
  • information corresponding to the non-disclosure security class in the bank account management system s13 is obtained.
  • the generation of LZ′ is suppressed and a composite label ({LX″}, {LA}) is added.
  • the presence or absence of the transmission conversion label LZ′ does not affect the label consistency determination: the essential security class set calculated from the transmission conversion label LX″ is {LA}, and the known security class set calculated from ({LX″}, {LA}) is {LA}, so tampering can be detected.
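The following is an added example, not code from the patent, that models the composite label handling of the s1/s2/s3 example and of the personnel system s11 example above in Python. Labels are constructed; the class `FlowControlSystem`, the `#n` suffix used to mint opaque conversion labels, the policy table mapping a destination to the classes it may see, and the foreign label `LZ'` are all assumptions of this example. It shows the sender minting a different conversion label (a pseudonym for LX) per destination, and the receiver computing the essential and known security class sets so that a returned composite label whose disclosure label set has been altered fails the set-inclusion check and is discarded.

```python
"""Composite-label generation and analysis, modelled on the s1/s2/s3 example.
Added example; data, label names and the destination policy are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class CompositeLabel:
    """(conversion label set, disclosure label set) attached to transmitted data."""
    conversion: FrozenSet[str]
    disclosure: FrozenSet[str]


class FlowControlSystem:
    """One dynamic information flow control system with its storage units:
    security labels, security policy, generated composite labels, temporary classes."""

    def __init__(self, name: str, labels: Dict[str, Set[str]], policy: Dict[str, Set[str]]):
        self.name = name
        # security label storage unit: label -> security class combination
        self.labels: Dict[str, FrozenSet[str]] = {k: frozenset(v) for k, v in labels.items()}
        # security policy storage unit: destination -> classes it may see (constructed policy)
        self.policy: Dict[str, FrozenSet[str]] = {k: frozenset(v) for k, v in policy.items()}
        # composite label storage unit: conversion label -> (original label, destination)
        self.composite_store: Dict[str, Tuple[str, str]] = {}
        # temporary class storage unit: foreign conversion label -> temporary class
        self.temp_classes: Dict[str, str] = {}
        self._seq = 0

    def _fresh(self, prefix: str) -> str:
        """Mint an opaque name; a conversion label must not reveal the original label or its classes."""
        self._seq += 1
        return f"{prefix}#{self._seq}"

    def label_for(self, classes: FrozenSet[str]) -> str:
        """Find the label for a class combination (S320); register a new one if none exists (S321, S322)."""
        for lab, cls in self.labels.items():
            if cls == classes:
                return lab
        lab = self._fresh("L")
        self.labels[lab] = classes
        return lab

    def generate_composite(self, label: str, destination: str) -> CompositeLabel:
        """Sender side: a fresh conversion label per destination plus the labels of the classes the policy discloses."""
        classes = self.labels[label]
        disclosed = classes & self.policy.get(destination, frozenset())
        conv = self._fresh(label + "'")            # e.g. LX'#1 for s2, LX'#2 for s3: distinct pseudonyms of LX
        self.composite_store[conv] = (label, destination)
        disclosure = frozenset(self.label_for(frozenset({c})) for c in disclosed)
        return CompositeLabel(frozenset({conv}), disclosure)

    def analyze(self, received: CompositeLabel) -> Optional[str]:
        """Receiver side: rebuild the label of a returned result; None means the result is discarded (S319)."""
        essential: Set[str] = set()    # essential security class set (S311)
        known: Set[str] = set()        # known security class set, built here from the disclosure labels (S310, S312)
        combination: Set[str] = set()  # new security class combination (S315)
        for conv in received.conversion:
            if conv in self.composite_store:         # our own transmission conversion label
                original, dest = self.composite_store[conv]
                classes = self.labels[original]
                undisclosed = classes - self.policy.get(dest, frozenset())
                essential |= classes - undisclosed
                combination |= classes               # undisclosed classes (C in the example) come back as well
            else:                                    # label generated elsewhere: assign a temporary class (S316, S317)
                combination.add(self.temp_classes.setdefault(conv, self._fresh("T")))
        for lab in received.disclosure:
            if lab not in self.labels:               # unregistered disclosure label (S309): discard
                return None
            known |= self.labels[lab]
            combination |= self.labels[lab]
        if not essential <= known:                   # label consistency determination (S318)
            return None
        return self.label_for(frozenset(combination))


def scenario() -> dict:
    """LX = C + A on s1; LC may be disclosed to s2, LA to s3 (constructed security policy)."""
    s1 = FlowControlSystem("s1",
                           labels={"LA": {"A"}, "LB": {"B"}, "LC": {"C"}, "LX": {"C", "A"}},
                           policy={"s2": {"C"}, "s3": {"A"}})
    to_s2 = s1.generate_composite("LX", "s2")      # ({LX'#1}, {LC})
    to_s3 = s1.generate_composite("LX", "s3")      # ({LX'#2}, {LA})
    lx_s3 = next(iter(to_s3.conversion))
    # s3 returns the transfer notification with its own conversion label LZ' (constructed) added
    intact = CompositeLabel(frozenset({"LZ'", lx_s3}), to_s3.disclosure)
    # the same return tampered with on s3 or on the path: LA replaced by LB
    tampered = CompositeLabel(frozenset({"LZ'", lx_s3}), frozenset({"LB"}))
    return {"to_s2": to_s2, "to_s3": to_s3, "s1": s1,
            "intact": s1.analyze(intact),      # new label covering C + A + the temporary class for LZ'
            "tampered": s1.analyze(tampered)}  # None: {A} is not a subset of {B}


if __name__ == "__main__":
    print(scenario())
```

The two conversion labels handed to s2 and s3 share nothing but the entry in s1's composite label store, so matching them on s2 and s3 yields no link; the temporary class for `LZ'` lets s1 keep tracking a label it never defined without learning what it means.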
  • the disclosure determination unit 52 determines whether or not the security class can be disclosed.
  • only security labels determined to be disclosable are included in the disclosure label set of the composite label. This means that the security class corresponding to a non-disclosed security label does not contribute at all to flow determination in the dynamic information flow control system of the transmission destination. For example, when salary information for a plurality of persons belonging to the same company is sent to a dynamic information flow control system, there are cases where, depending on the processing, it is inconvenient if the security class of each person is not disclosed in the destination dynamic information flow control system.
  • Embodiment 3 of the present invention aims, for a certain security class, to avoid disclosure of unnecessary security attributes in the same manner as in Embodiments 1 and 2 described above, while still letting that class contribute to flow determination in the destination dynamic information flow control system.
  • therefore, in the third embodiment of the present invention, the security label corresponding to the relevant security class is replaced with another security label and then added to the disclosed label set. This disclosure method will be referred to as partial disclosure for convenience.
  • security classes E1, E2,..., En which are different security attributes having a common property.
  • security class A associated with the person a and the security class B associated with the person b have a common property as a security class for identifying the person.
  • the security classes E1, E2,..., En are called security groups.
  • a security group can be said to be a security attribute that identifies a department to which a person belongs, for example.
  • any security class belonging to the security group is associated with the data.
  • the same flow determination is performed for any security class belonging to the security group. The same flow determination here means that, in the dynamic information flow control system of the transmission destination, for any security class P other than the security classes E1, ..., En, the result of the flow determination from the security class P to the security class Ei (i being any of 1, 2, 3, ..., n) is the same for every i.
  • any security class Ei to Ej (j is any one of 1, 2, 3,.
  • the former will be referred to as the case where the security class Ei can be merged, and the latter as the case where the merge cannot be performed.
  • the dynamic information flow control system according to the third embodiment of the present invention can be realized by modifying the disclosure determination unit 52 and the composite label generation unit 53 according to the second embodiment of the present invention described above.
  • the configuration of the dynamic information flow control system according to the third embodiment of the present invention is basically the same as that of the dynamic information flow control system 40 according to the second embodiment of the present invention shown in FIG. The illustration is omitted.
  • differences from the second embodiment of the present invention will be described.
  • the disclosure determination unit 52 returns one of disclosure, partial disclosure, and non-disclosure ternary values instead of disclosure or non-disclosure binary values. For example, in step S206 of FIG. 4, when it is determined that disclosure is possible, the disclosure determination unit 52 may further determine whether or not partial disclosure. And the composite label production
  • a common label is a common name for a plurality of security attributes that are flow-determined identically to the same security attribute at the communication partner.
  • the transmission unit includes a common label that is the same label for a plurality of security attributes having a common property in the communication partner in the disclosed label set.
  • the disclosure determination unit 52 may determine whether or not to join when the security class is determined to be partial disclosure.
  • the composite label generation unit 53 according to Embodiment 3 of the present invention replaces the label of a security class determined to be non-mergeable with a label indicating that merging is not possible.
  • the label indicating that the merge is not possible is a restriction label indicating that the flow to other attributes in the security group is restricted. That is, the transmission unit includes the security attribute disclosed to the communication partner in the disclosed label set as a restriction label that is a label that restricts the flow to other security attributes in the communication partner.
  • the security policy storage unit 55 may store the disclosure label in advance by associating the flag indicating whether partial disclosure is possible and the flag indicating whether merge is possible.
  • the security label storage unit 57 may store the security label 571 in association with the security group identification information, the common label, and the restriction label in advance.
  • FIG. 13 is a diagram illustrating an example of data in the composite label generation process when the security class Ei can be joined among the partial disclosures.
  • the security class Ei is a target of partial disclosure, and the security class D is not disclosed. Since handling of the security class D is the same as in the first and second embodiments, detailed description thereof is omitted.
  • the security label LEi is replaced with a common label LE that is a security label and added to the disclosure label set.
  • a conversion table for replacing the security label LEi with the disclosure label LE is prepared in advance for the dynamic information flow control system of the transmission source.
  • a security class E corresponding to the security label LE is prepared for the dynamic information flow control system of the transmission destination. This preparation may be performed by an automatic procedure, or manually by a system administrator as a system setting.
  • the flow determination for the security class E in the destination dynamic information flow control system matches the flow determination that would have been performed for the security class Ei if the composite label generation of the third embodiment of the present invention were not performed.
  • the security class E is a security class that represents the security class Ei.
  • since the security class Ei is transmitted as the security class E, it can contribute to flow determination at the transmission destination. Further, since the individual security class Ei is not disclosed, unnecessary disclosure of security attributes can be avoided. Further, as described in Non-Patent Document 1, flow between the same class is generally permitted, so the following flow determination is performed, and it can be expressed that the security class Ei can be merged while being represented by the security class E.
  • FIG. 14 is a diagram illustrating an example of data in the composite label generation process when the security class Ei cannot be merged among the cases where partial disclosure is performed.
  • the security class Ei is a target of partial disclosure, and the security class D is not disclosed. Since handling of the security class D is the same as in the first and second embodiments, detailed description thereof is omitted.
  • the security label LEi is replaced with two labels, a disclosure label LE and a restriction label LNi, and added to the disclosure label set.
  • the disclosure label LE is prepared in advance at the transmission source and the transmission destination as in the case where the merge is possible.
  • the restriction label LNi is associated with a security class Ni having characteristics satisfying the following expressions (4), (5), and (6), and is prepared in advance at the transmission source and the transmission destination.
  • the security class Ni expresses, by the expressions (4), (5), and (6), the property that it cannot be merged. Such a security class Ni is not common in information flow control, but it is equivalent to enumerating all flow relationships other than the flow from Ni to Nj, as in the flow determination (7) below. Therefore, it is consistent with the theoretical basis of information flow control.
  • the security class Ni can also be applied to security labels other than the security label LEi.
  • the security label LEi can be replaced with the disclosure label LE and the restriction label LNi
  • the security label LEi ′ can be replaced with the disclosure label LE ′ and the restriction label LNi. That is, the restriction label LNi represents only the non-merging property of the original security label, and the other properties are represented by the disclosure label LE and the disclosure label LE ′.
  • the security label LEi corresponding to the security class Ei is replaced with the disclosure label LE and the restriction label LNi, the disclosure label LE is made to correspond to the security class E representing the security class Ei, and the restriction label LNi is made to correspond to the non-mergeable security class Ni.
  • the security class Ei can contribute to the determination of the destination flow as the security class combination E + Ni.
  • the individual security class Ei is not disclosed, and the correspondence between the security class Ei and the security class Ni is also not disclosed, so that unnecessary disclosure of security attributes can be avoided.
  • since the security class Ni is a security class that cannot be merged, the security class Ei can be represented by the security class E while remaining non-mergeable.
  • the conversion label can be restored in the same manner as in the first and second embodiments. Description is omitted.
  • LE is included in the disclosure label set as a disclosure label representing each security label LEi.
  • the restriction label LNi is also included in the disclosure label set, so that the security class Ei in the transmission source information flow control system contributes to flow determination in the transmission destination information flow control system as the security class E or the security class combination E + Ni, while disclosure of unnecessary security attributes is avoided.
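The following is an added example, not code from the patent, that models the partial disclosure of a security group described above (common label LE for mergeable classes, common label plus restriction label LNi for non-mergeable ones) together with the destination-side flow determination. The group E = {E1, E2, E3}, the class names N1..N3, the per-class decision strings, and the function names are constructed for this example. Because the page does not reproduce expressions (4) to (6), the flow rule in `can_flow` is an assumption: a flow is allowed when the target label carries every class of the source and no restriction class Ni meets a different Nj, i.e. every relation except Ni to Nj is permitted.

```python
"""Partial disclosure with a common label and a restriction label (added example).
Constructed scenario: a security group E = {E1, E2, E3} of per-person classes; the
destination knows the common class E and the restriction classes N1..N3."""
from typing import Dict, FrozenSet, Set, Tuple

Label = FrozenSet[str]

GROUP_E: Set[str] = {"E1", "E2", "E3"}             # security group: classes sharing a property
COMMON_CLASS = "E"                                 # class at the destination for the common label LE
RESTRICTION = {e: "N" + e[1:] for e in GROUP_E}    # Ei -> Ni, the class of the restriction label LNi


def partial_disclosure(classes: Set[str], decision: Dict[str, str]) -> Label:
    """Sender side. `decision` holds the disclosure determination per class (constructed encoding):
    'disclose' keeps the class, 'partial-merge' replaces Ei by E, 'partial-nomerge' by E + Ni,
    and 'hide' (non-disclosure) leaves it out; hidden classes travel only inside the conversion label."""
    out: Set[str] = set()
    for c in classes:
        mode = decision.get(c, "hide")
        if mode == "disclose":
            out.add(c)
        elif mode == "partial-merge" and c in GROUP_E:
            out.add(COMMON_CLASS)
        elif mode == "partial-nomerge" and c in GROUP_E:
            out.update({COMMON_CLASS, RESTRICTION[c]})
    return frozenset(out)


def can_flow(src: Label, dst: Label) -> bool:
    """Destination-side flow determination (assumption standing in for expressions (4)-(6)):
    src may flow to dst when dst carries every class of src (flow to an equally or more
    restrictive label, including E -> E) and no restriction class Ni in src meets a different
    restriction class Nj in dst."""
    if not src <= dst:
        return False
    src_r = {c for c in src if c in RESTRICTION.values()}
    dst_r = {c for c in dst if c in RESTRICTION.values()}
    return not (src_r and dst_r - src_r)


def merge(a: Label, b: Label) -> Tuple[Label, bool]:
    """Combine two labelled items (e.g. into one statistic): the joined label and whether both may flow into it."""
    joined = a | b
    return joined, can_flow(a, joined) and can_flow(b, joined)


def demo() -> dict:
    person_a = {"C", "E1"}   # salary record of person a: company class C plus person class E1
    person_b = {"C", "E2"}
    mergeable = {"C": "disclose", "E1": "partial-merge", "E2": "partial-merge"}
    nomerge = {"C": "disclose", "E1": "partial-nomerge", "E2": "partial-nomerge"}
    la, lb = partial_disclosure(person_a, mergeable), partial_disclosure(person_b, mergeable)
    na, nb = partial_disclosure(person_a, nomerge), partial_disclosure(person_b, nomerge)
    return {
        "mergeable": (la, lb, merge(la, lb)[1]),      # ({C, E}, {C, E}, True): a statistic over a and b is allowed
        "nomerge": (na, nb, merge(na, nb)[1]),        # ({C, E, N1}, {C, E, N2}, False): N1 must not flow to N2
        "same_person": merge(na, na)[1],              # True: E + N1 -> E + N1 is allowed
        "to_other_class": can_flow(na, na | {"P"}),   # True: Ni -> P for any other class P is not restricted
    }


if __name__ == "__main__":
    print(demo())
```

Note that the destination never sees E1 or E2 themselves, nor which Ni belongs to which person; it only learns that the two records belong to the same group and, in the non-mergeable case, that they must not be combined.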
  • the transmission unit described above may, when all of the security attributes are disclosed to the communication partner, use a conversion label stored in the label information storage unit instead of generating a new conversion label. Thereby, generation of unnecessary transmission conversion labels can be suppressed.
  • the composite label generation unit 53 refers to the composite label corresponding to the security label and the identifier of the dynamic information flow control system of the transmission destination and, when no such composite label exists, always generates a transmission conversion label corresponding to the security label. Instead, in another embodiment of the invention, when the security class combination corresponding to the security label does not include any security class that is not disclosed, no new transmission conversion label is generated and a composite label may be generated from an existing conversion label. As a result, generation of unnecessary transmission conversion labels can be suppressed.
  • the temporary label is included in the converted label set, but it may be included in the disclosed label set. In this case, if it is determined in step S309 in FIG. 6 that an unregistered security label is included, the composite label analysis unit 54 determines that the label is a temporary label, and can proceed appropriately to step S313.
  • the composite label analysis unit 54 acquires a composite label 564 associated with the transmission conversion label acquired in step S305 from the composite label storage unit 56. Then, the composite label analysis unit 54 extracts the disclosure label set included in the acquired composite label 564. Thereafter, in step S311, the composite label analysis unit 54 may generate the extracted disclosure label set as the essential security class set. When a plurality of transmission conversion labels are included in one received composite label, the composite label analysis unit 54 acquires the composite label 564 corresponding to each of the plurality of transmission conversion labels from the composite label storage unit 56 and extracts its disclosure label set. Thereby, the case where the processing results of a plurality of processing requests are combined into one can be processed appropriately.
  • the composite label analysis unit 54 can set the disclosed label set itself included in the received composite label as a known security set. That is, in step S318, the composite label analysis unit 54 may compare the disclosed label set at the time of transmission with the disclosed label set at the time of reception.
  • pseudonymization here has the following meaning.
  • pseudonymization is to substitute one identifier with another identifier.
  • the correspondence between the identifier and the alternative identifier is not disclosed.
  • pseudonymization is a different concept from anonymization.
  • anonymization means not disclosing the identifier.
  • for example, a pen name given to a letter in a newspaper column is a pseudonym, whereas signing it as "anonymous" is anonymization.
  • the identifier may be a security label. This is because the security label is an identifier indicating a classification from the viewpoint of security.
  • the present invention has been described as a hardware configuration, but the present invention is not limited to this.
  • the present invention can also realize arbitrary processing by causing a CPU (Central Processing Unit) to execute a computer program.
  • the program can be stored and supplied to a computer using various types of non-transitory computer readable media.
  • Non-transitory computer readable media include various types of tangible storage media (tangible storage medium).
  • examples of non-transitory computer-readable media include magnetic recording media (e.g. flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (e.g. magneto-optical discs), CD-ROMs (Read Only Memory), CD-Rs, CD-R/Ws, DVDs (Digital Versatile Disc), BDs (Blu-ray (registered trademark) Disc), and semiconductor memory (for example, mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory)).
  • the program may also be supplied to the computer by various types of transitory computer-readable media. Examples of transitory computer-readable media include electrical signals, optical signals, and electromagnetic waves.
  • a transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fiber, or via a wireless communication path.
  • the present invention can be applied to the use of constructing an information processing system in which a plurality of dynamic information flow control systems are connected.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

When the same data are processed on the basis of different security labels at a transmission source and a transmission destination among a plurality of dynamic information flow control systems, processing is carried out appropriately, information leakage is prevented, and information is transmitted and received securely. A data processing system comprises transmission means for transmitting data, to which a conversion label set and a disclosure label set have been added, to a communication partner, the conversion label set being a label set containing conversion labels obtained by converting the labels that are the names of a plurality of security attributes associated with the data into names different from those labels, and the disclosure label set being a label set indicating the names of the security attributes disclosed to the communication partner for processing the data; and verification means for receiving from the communication partner the processing result of the data to which the conversion label set and the disclosure label set have been added, and for verifying the security of the processing result using the conversion label set and the disclosure label set added to the received processing result.
PCT/JP2010/002057 2009-05-20 2010-03-24 Data processing system, information flow control method and non-transitory computer-readable medium storing a program WO2010134249A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2009-122344 2009-05-20
JP2009122344 2009-05-20
JP2009241431 2009-10-20
JP2009-241431 2009-10-20

Publications (1)

Publication Number Publication Date
WO2010134249A1 true WO2010134249A1 (fr) 2010-11-25

Family

ID=43125942

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/002057 WO2010134249A1 (fr) 2009-05-20 2010-03-24 Data processing system, information flow control method and non-transitory computer-readable medium storing a program

Country Status (1)

Country Link
WO (1) WO2010134249A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6865338B1 (ja) * 2020-01-05 2021-05-12 晴喜 菅原 情報処理システム

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
KAZUHISA SUZUKI ET AL.: "Privacy-Aware Data Object Container ni yoru Sairyudo Data Access Seigyo Hoshiki", INFORMATION PROCESSING SOCIETY OF JAPAN KENKYU HOKOKU, vol. 2007, no. 10, 31 January 2007 (2007-01-31), pages 57 - 64 *
KYOJI KATSUNO ET AL.: "Security Policy Model ni Motozuku Kaisogata Kakuri ni yoru Joho Flow Seigyo System", SYMPOSIUM ON MULTIMEDIA, DISTRIBUTED, COOPERATIVE AND MOBILE SYSTEMS RONBUNSHU (DICOM02008), IPSJ SYMPOSIUM SERIES, vol. 2008, no. 1, 9 July 2008 (2008-07-09), pages 998 - 1006 *
MASAKAZU SOSHI ET AL.: "Dual Label o Riyo shita Access Seigyo Model", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 40, no. 3, 15 March 1999 (1999-03-15), pages 1305 - 1314 *
SACHIKO YOSHIHAMA ET AL.: "Doteki Approach ni yoru Gengo Base no Joho Flow Seigyo", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 48, no. 9, 15 September 2007 (2007-09-15), pages 3060 - 3072 *
SACHIKO YOSHIHAMA ET AL.: "Web Application ni Okeru Gengo Level no Doteki Joho Flow Seigyo", INFORMATION PROCESSING SOCIETY OF JAPAN KENKYU HOKOKU, vol. 2007, no. 16, 1 March 2007 (2007-03-01), pages 153 - 158 *
SHIN NAKAJIMA: "Web Service ni Okeru Anzensei to Security no Kaiseki", IEICE TECHNICAL REPORT, vol. 103, no. 483, 20 November 2003 (2003-11-20), pages 19 - 24 *
TAKUYA MISHINA ET AL.: "Raireki ni Motozuku Multi Level Security Bunsho Kanri System", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN RONBUNSHI JOURNAL, vol. 49, no. 9, 15 September 2008 (2008-09-15), pages 3062 - 3073 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6865338B1 (ja) * 2020-01-05 2021-05-12 晴喜 菅原 Information processing system
JP2021111301A (ja) * 2020-01-05 2021-08-02 晴喜 菅原 Information processing system

Similar Documents

Publication Publication Date Title
KR102421956B1 (ko) Information processing device and information processing method
US20210258170A1 (en) Self-authenticating digital identity
CN107181714A (zh) Verification method and device based on a service code, and service code generation method and device
CN109829317A (zh) Method, device and system for generating an electronic contract from a handwritten signature image
CN105765941A (zh) Method and device for preventing illegal access to a server
CN104168117B (zh) Voice digital signature method
JP2005057417A (ja) Electronic document exchange system, signature decryption service system, and program
WO2018210097A1 (fr) Method and device for executing a transaction mode by classification
CN107395587B (zh) Data management method and system based on a multi-point cooperation mechanism
CN112308236A (zh) Method, device, electronic apparatus and storage medium for processing user requests
CN101151874A (zh) Network node and method for providing Internet services on an Internet marketplace
CN113129008B (zh) Data processing method, device, computer-readable medium and electronic apparatus
CN114172663A (zh) Blockchain-based service rights confirmation method and device, storage medium and electronic apparatus
CN113569298A (zh) Blockchain-based identity generation method and identity system
CN116561777A (zh) Data processing method and device
CN103647650A (zh) Rule-definition-based automatic signing/signature-verification device and method
CN114492355B (zh) Method and system for generating electronic bid invitation letters and acknowledgement letters in OFD format
WO2010134249A1 (fr) Data processing system, information flow control method, and non-transitory computer-readable medium storing a program
Gabel et al. Privacy patterns for pseudonymity
US20150379305A1 (en) Digitised Handwritten Signature Authentication
CN106575341A (zh) Compound document access
CN111241173A (zh) Method and system for data exchange between multiple systems
US11652645B2 (en) Storage medium, communication method, and communication device
Domingues et al. Digitally signed and permission restricted pdf files: A case study on digital forensics
CN112437052B (zh) Method, device, electronic apparatus and computer-readable medium for processing information

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 10777489; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 EP: PCT application non-entry in European phase (Ref document number: 10777489; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)
