WO2020101087A1 - Encryption system and method for processing personal information - Google Patents

Encryption system and method for processing personal information

Info

Publication number
WO2020101087A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
secret key
information
decryption
new
Prior art date
Application number
PCT/KR2018/014182
Other languages
English (en)
Korean (ko)
Inventor
이강수
Original Assignee
(주) 더존비즈온
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주) 더존비즈온
Priority to JP2021524312A (patent JP7190035B2)
Publication of WO2020101087A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • The present invention relates to an encryption / decryption system and method for processing personal information. More specifically, the present invention relates to an encryption / decryption system and method capable of enhancing security by encrypting personal information using different versions of encryption keys.
  • ERP: enterprise resource planning.
  • The data handled in an ERP solution may include personal information or sensitive information.
  • A typical method of processing personal information or sensitive information is to encrypt the data and store it in a storage (for example, a database).
  • Most encryption / decryption of stored data is based on a pre-generated secret key, and unless otherwise specified, the preset secret key is used permanently. That is, in the conventional encryption / decryption scheme, a secret key generated once is used permanently.
  • The problem to be solved by the present invention is to provide an encryption / decryption system and method that improves security by encrypting personal information using different versions of encryption keys, thereby solving the problems of the conventional method.
  • The encryption system includes a secret key management module that manages at least one secret key and version information corresponding to each secret key, and an encryption request receiving module that receives an encryption request including predetermined encryption target information from an encryption request terminal.
  • An encryption module requests the secret key management module to provide a secret key in response to the encryption request, receives the encryption secret key and the version information of the encryption secret key from the secret key management module, and encrypts the encryption target information using the received encryption secret key to generate encryption information corresponding to the encryption target information. A transmission module transmits the encryption information corresponding to the encryption target information and the version information of the encryption secret key to the user terminal.
  • When a predetermined key update condition is satisfied, the secret key management module generates a new secret key, gives new version information to the generated new secret key, and stores the new secret key and its new version information in a key storage. In response to the encryption module's request to provide a secret key, it provides the latest secret key and the version information of the latest secret key.
  • The encryption request terminal stores, in a database, the encryption information corresponding to the encryption target information and the version information corresponding to the encryption information, where the version information corresponding to the encryption information is the version information of the secret key used to generate the encryption information.
  • The encryption system may further include a decryption request receiving module that receives, from a decryption request terminal, a decryption request including predetermined decryption target information and version information corresponding to the decryption target information, and a decryption module that requests from the secret key management module the decryption secret key corresponding to that version information and decrypts the decryption target information using the received decryption secret key.
  • The encryption module may further generate hash information corresponding to the encryption target information, the transmission module may further transmit the hash information corresponding to the encryption target information to the user terminal, and the encryption request terminal may further store the hash information corresponding to the encryption target information in the database.
  • The encryption / decryption system may receive, from a decryption request terminal, a decryption request including predetermined decryption target information, hash information corresponding to the decryption target information, and version information corresponding to the decryption target information.
  • The decryption module may verify the hash information corresponding to the decryption target information and, if it is verified, decrypt the decryption target information.
  • The information to be encrypted may be personal information or sensitive information.
  • In response to the encryption module's request to provide a secret key, the secret key management module may select, based on the information to be encrypted, the optimal secret key for the encryption target information from among all the secret keys previously stored in the key storage, and provide the selected optimal secret key and its version information to the encryption module.
  • The secret key management module may generate a new secret key periodically, when the most recently generated secret key has been used more than a certain number of times, or when an explicit command from a key manager is input. In each case it gives new version information to the generated new secret key and stores it in the key store.
  • The secret key management module may receive a key update condition from a predetermined policy server, generate a new secret key if the received key update condition is satisfied, give new version information to the generated new secret key, and store it in the key store.
  • The encryption system may include a re-encryption request receiving module that receives, from the encryption request terminal, a re-encryption request for existing encryption information previously stored in the database. In response to the re-encryption request, the secret key management module obtains a replacement secret key whose version information differs from the version information corresponding to the existing encryption information, together with the version information of the replacement secret key. The encryption module generates re-encryption information by re-encrypting the existing encryption information using the replacement secret key, and the transmission module transmits the re-encryption information and the version information of the replacement secret key to the user terminal. The encryption request terminal may replace the existing encryption information and the version information corresponding to it with the re-encryption information and the version information corresponding to the re-encryption information, and store them in the database.
  • The method includes: the encryption system receiving an encryption request including predetermined encryption target information from the encryption request terminal; the encryption system extracting, in response to the encryption request, an encryption secret key and version information corresponding to the encryption secret key from a predetermined key storage; the encryption system encrypting the encryption target information using the encryption secret key to generate encryption information corresponding to the encryption target information; the encryption system transmitting the encryption information corresponding to the encryption target information and the version information of the encryption secret key to the user terminal; the encryption request terminal storing in the database the encryption information corresponding to the encryption target information and the version information corresponding to the encryption information, where that version information is the version information of the secret key used to generate the encryption information; and the encryption system, when the predetermined key update condition is satisfied, generating a new secret key, giving new version information to the generated new secret key, and storing the new secret key and its new version information in the key store.
  • The method may further include the encryption system receiving, from the decryption request terminal, a decryption request including predetermined decryption target information and version information corresponding to the decryption target information, extracting the decryption secret key corresponding to that version information, and decrypting the decryption target information using the decryption secret key.
  • The step of generating encryption information corresponding to the encryption target information may further include the encryption system generating hash information corresponding to the encryption target information. The step of transmitting the encryption information and the version information of the encryption secret key to the user terminal may then further include transmitting the hash information corresponding to the encryption target information to the user terminal, and the step of storing the encryption information and its version information in a database may further include storing the hash information corresponding to the encryption target information in the database.
  • The method may further include the encryption system receiving, from the decryption request terminal, a decryption request including predetermined decryption target information, hash information corresponding to the decryption target information, and version information corresponding to the decryption target information, extracting the decryption secret key corresponding to that version information, and decrypting the decryption target information using the decryption secret key. Here the encryption system may verify the hash information corresponding to the decryption target information and, if it is verified, decrypt the decryption target information.
  • The step in which the encryption system, in response to the encryption request, extracts the encryption secret key and the corresponding version information from a predetermined key storage may include selecting, based on the encryption target information, the optimal secret key for the encryption target information (the one that can maximize security) from among all the secret keys previously stored in the key storage.
  • The step in which the encryption system, when the predetermined key update condition is satisfied, generates a new secret key, gives new version information to it, and stores the new secret key and its new version information in the key store may include: periodically generating a new secret key, giving new version information to it, and storing it in the key store; generating a new secret key when the secret key has been used more than a certain number of times, giving new version information to it, and storing it in the key store; or generating a new secret key when an explicit command from a key manager is input, giving new version information to it, and storing it in the key store.
  • That step may also include receiving a key update condition from a predetermined policy server, generating a new secret key when the received key update condition is satisfied, giving new version information to the generated new secret key, and storing it in the key store.
  • The method may further include: the encryption system receiving, from the encryption request terminal, a request to re-encrypt existing encryption information stored in the database; the encryption system, in response to the re-encryption request, extracting a replacement secret key whose version information differs from the version information corresponding to the existing encryption information, together with the version information of the replacement secret key, and generating re-encryption information by re-encrypting the existing encryption information using the replacement secret key; and storing the result in the database by substituting the version information corresponding to the encryption information.
  • A computer-readable recording medium recording a program for performing the above-described method is provided.
  • An encryption system comprising a processor and a memory storing a program is provided, wherein the program, when executed by the processor, causes the encryption system to perform the above-described method.
  • It is possible to provide an encryption / decryption system and method for enhancing security by encrypting personal information using different versions of encryption keys.
  • FIG. 1 is a view showing a driving environment of an encryption system according to an embodiment of the present invention.
  • FIG. 2 is a view showing the operation of the encryption system according to an embodiment of the present invention.
  • FIG. 3 is a block diagram showing a specific configuration of an encryption system according to an embodiment of the present invention.
  • FIG. 4 is a diagram showing an example of information stored in a database.
  • FIG. 5 is a diagram showing a format of data to be stored.
  • FIG. 6 is a view for explaining the function of the encryption system according to an embodiment of the present invention from a management aspect.
  • Terms such as first and second may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from other components.
  • When one component 'transmits' data to another component, it means that the component may transmit the data to the other component directly or through at least one further component. Conversely, when one component 'directly transmits' data to another component, it means that the data is transmitted from the component to the other component without passing through any further component.
  • FIG. 1 is a view showing a driving environment of an encryption system according to an embodiment of the present invention.
  • A predetermined encryption system 100 may be provided.
  • The encryption system 100 may be a data processing device.
  • The encryption system 100 may be a server.
  • The encryption system 100 may encrypt predetermined data or decrypt encrypted data at the request of the user terminal 10.
  • The encryption system 100 may encrypt data using a secret key method.
  • The information subject to encryption may be personal information or sensitive information.
  • Personal information is information that can identify an individual directly or indirectly (including information that cannot identify a specific individual on its own but can easily be combined with other information to do so), and may include name, resident number, date of birth, gender, address, email address, etc. Or it may be personal information as defined in the Act on Promotion of Information and Communication Network Utilization and Information Protection, etc. or the Personal Information Protection Act.
  • Sensitive information may refer to ideas, beliefs, membership of or withdrawal from unions or political parties, political views, information about health or sexual life, and other personal information that may significantly infringe the privacy of the data subject.
  • The secret key used for encryption / decryption may be stored in the key storage 200.
  • The key storage 200 may be included in the encryption system 100 or, depending on the implementation, may be built in a remote location with the two connected through a network. In the latter case, a secure channel may be formed between the key storage 200 and the encryption system 100.
  • The encryption system 100 may access the key storage 200 through socket communication.
  • The user terminal 10 may be an information processing device having a network communication function.
  • The user terminal 10 may be a desktop computer or laptop computer, or a mobile phone, satellite phone, wireless phone, Session Initiation Protocol (SIP) phone, Wireless Local Loop (WLL) station, smart phone, tablet PC, or Personal Digital Assistant (PDA).
  • The encryption system 100 and the user terminal 10 may be connected through a wired / wireless network to transmit and receive various information, data and / or signals necessary to implement the technical idea of the present invention.
  • There may be a plurality of user terminals 10 and 10-1.
  • The user terminal 10 may be an encryption request terminal requesting encryption or a decryption request terminal requesting decryption.
  • The user terminal 10 requests the encryption system 100 to encrypt information to be encrypted, such as personal information or sensitive information, and the information encrypted by the encryption system 100 may be stored in a predetermined database 20. That is, the user terminal 10 may store the information to be encrypted in the database 20 in encrypted form rather than in plain text.
  • The encryption system 100 may update the secret key to be used for encryption, and manage the updated secret keys by version. Therefore, the encryption system 100 may perform encryption / decryption using any one of several secret keys having different versions.
  • The encryption system 100 may update the secret key periodically or when there is an explicit update command.
  • The encryption system 100 may update the secret key according to an update policy provided by a given policy server 300.
  • FIG. 2 is a view showing the operation of the encryption system 100.
  • An application for encrypting or decrypting data may be installed in the user terminal 10, and an encryption / decryption module and a secret key management module may be included in the encryption system 100.
  • The encryption / decryption module performs encryption / decryption at the request of the application, and the secret key management module can generate, view, and delete secret keys.
  • The secret key storage 200 stores at least one secret key used for encryption / decryption. As described above, the secret key management module can access the secret key storage 200 through a method such as socket communication, and the secret key storage 200 can be built in a remote location.
  • FIG. 3 is a block diagram showing a specific configuration of the encryption system 100.
  • The encryption system 100 may include an encryption request receiving module 110, an encryption module 120, a transmission module 130, a decryption request receiving module 140, a decryption module 150, a re-encryption request receiving module 160, and a secret key management module 170.
  • Of course, the encryption system 100 may include more components.
  • The encryption system 100 may further include a control module (not shown) that can control the functions and / or resources of the other components included in the encryption system 100 (for example, the encryption request receiving module 110, the encryption module 120, the transmission module 130, the decryption request receiving module 140, the decryption module 150, the re-encryption request receiving module 160, the secret key management module 170, and the like).
  • The encryption system 100 may include hardware resources and / or software necessary to implement the technical idea of the present invention, and does not necessarily mean one physical component or one device. That is, the encryption system 100 may mean a logical combination of hardware and / or software provided to implement the technical idea of the present invention and, if necessary, may be implemented as a set of logical components installed in devices spaced apart from each other, each performing its own function. In addition, the encryption system 100 may mean a set of components that are separately implemented for each function or role for implementing the technical idea of the present invention.
  • The modules listed above, including the secret key management module 170, may be located in different physical devices or in the same physical device.
  • In addition, the combinations of software and / or hardware constituting each of the encryption request receiving module 110, the encryption module 120, the transmission module 130, the decryption request receiving module 140, the decryption module 150, the re-encryption request receiving module 160, and the secret key management module 170 may also be located in different physical devices, and components located in different physical devices may be organically combined with each other to implement the respective modules.
  • A module may mean a functional and structural combination of hardware for performing the technical idea of the present invention and software for driving the hardware.
  • A module may mean a logical unit of predetermined code and a hardware resource for executing that code, and does not necessarily mean physically connected code or one type of hardware, as can easily be inferred by an average expert in the technical field of the present invention.
  • The secret key management module 170 may manage at least one secret key and version information corresponding to each secret key.
  • The secret key management module 170 may extract a secret key to be used for encryption / decryption from the key storage 200, create a new secret key, or delete or update an existing secret key.
  • Each key stored in the key storage 200 may be given a different version. That is, a unique version may be assigned to each key stored in the key storage 200, and the versioning may also be performed by the secret key management module 170.
  • The key storage 200 may be a DB in which records having the format {secret key}.{version of secret key} are stored.
  • The encryption request receiving module 110 may receive an encryption request including predetermined encryption target information from the encryption request terminal 10.
  • In response to the encryption request, the encryption module 120 requests the secret key management module 170 to provide a secret key, receives the encryption secret key and the version information of the encryption secret key from the secret key management module 170, and encrypts the encryption target information using the received encryption secret key to generate encryption information corresponding to the encryption target information.
  • In response to the encryption module 120's request to provide a secret key, the secret key management module 170 can extract any one of the secret keys previously stored in the key storage 200 and provide it to the encryption module 120.
  • The secret key management module 170 may provide the most recently generated secret key.
  • In response to the encryption module 120's request to provide a secret key, the secret key management module 170 may select, based on the information to be encrypted, the optimal secret key for that information from among all the secret keys previously stored in the key storage 200, and provide the selected optimal secret key and its version information to the encryption module 120. There are many ways to choose the optimal secret key.
  • The secret key management module 170 may select a secret key capable of maximizing the security of the information to be encrypted.
  • The transmission module 130 may transmit the encryption information corresponding to the encryption target information and the version information of the encryption secret key to the encryption request terminal 10.
  • The encryption request terminal 10 can store in the database 20 the encryption information corresponding to the encryption target information and the version information corresponding to the encryption information, where the version information corresponding to the encryption information is the version information of the secret key used to generate the encryption information.
  • The encryption module 120 may further generate hash information corresponding to the encryption target information, the transmission module 130 may further transmit the hash information corresponding to the encryption target information to the user terminal, and the encryption request terminal 10 may further store the hash information corresponding to the encryption target information in the database 20. Hash information can be used to verify the data later.
  • When the predetermined key update condition is satisfied, the secret key management module 170 generates a new secret key, gives new version information to the generated new secret key, and stores the new secret key and its new version information in the key storage. The latest secret key and the version information of the latest secret key may be provided in response to the encryption module's request to provide a secret key.
  • The secret key management module 170 may generate a new secret key periodically, when the most recently generated secret key has been used more than a certain number of times, or when an explicit command from the key manager is input. In each case, new version information may be given to the generated new secret key, which is then stored in the key store.
  • The secret key management module 170 may receive a key update condition from a predetermined policy server, generate a new secret key when the received key update condition is satisfied, give new version information to the generated new secret key, and store it in the key store.
  • Because the secret key management module 170 updates the secret key used for encryption, when the encryption request terminal 10 requests encryption of a plurality of pieces of information, they are not all encrypted with the same secret key. Instead, they can be encrypted with a secret key that is updated when certain conditions are met or periodically.
  • The encrypted information (that is, the encryption information) may be stored in the database 20 together with the version of the secret key used to generate it and, in some cases, together with the hash value.
  • FIG. 4 is a diagram showing an example of information stored in a database.
  • FIG. 5 is a diagram showing a format of data to be stored.
  • A plurality of data are stored in the database 20 in encrypted form under a total of four secret keys (v1, v2, v3, v4). As shown in FIGS. 4 and 5, each piece of encryption information is stored in the form {secret key version}.{ciphertext}.{hash}, where the secret key version identifies the secret key of the ciphertext produced by the symmetric key algorithm, and the hash value is the value for checking the ciphertext for tampering.
  • the DB 20 stores the version of the secret key used to generate the ciphertext, instead of storing the version of the secret key used to encrypt the ciphertext. It may be.
  • the neural network may be a neural network having a property that is overfitted with learning data.
  • the encryption request terminal 10 when the encryption request terminal 10 receives encryption information corresponding to the encryption target information and version information corresponding to the encryption information, the encryption request terminal 10 version information corresponding to the encryption information
  • the neural network may be learned by inputting the encrypted information labeled as to the neural network.
  • the neural network Since the neural network is learned only by the learning data input from the encryption request terminal 10 (that is, the encryption information labeled as version information corresponding to the encryption information), the neural network can be overfitted to the actual encryption information, and later the neural network When learning is completed and any one of the encryption information used for learning is input to the neural network, version information of the secret key used to encrypt the input encryption information may be output from the neural network. The version information of the secret key output in this way can be used to decrypt the encrypted information later.
  • the decryption request terminal 10-1 may extract at least one of data stored in the database 20 and make a decryption request to the encryption system 100.
  • The decryption request receiving module 140 may receive a decryption request including predetermined decryption target information and version information corresponding to the decryption target information from the decryption request terminal (e.g., 10-1).
  • The decryption request may further include hash information corresponding to the decryption target information.
  • The decryption module 150 may request from the secret key management module 170 the decryption secret key corresponding to the version information of the decryption target information, and may decrypt the decryption target information using the received decryption secret key.
  • The decryption module 150 may verify the hash information corresponding to the decryption target information and, only if it is verified, decrypt the decryption target information.
  • the encryption system 100 may re-encrypt existing encrypted information with another secret key, or may collectively process re-encryption of all data stored in the database 20.
  • the re-encryption request receiving module 160 may receive a re-encryption request of existing encryption information previously stored in the database 20 from the encryption request terminal 10.
  • The secret key management module 170 obtains a replacement secret key whose version information differs from the version information corresponding to the existing encryption information, together with the version information of that replacement secret key, and the encryption module 120 may generate re-encryption information by re-encrypting the existing encryption information using the replacement secret key.
  • The encryption module 120 may perform a process of decrypting the encrypted data using the original encryption key and then encrypting it using the new encryption key.
  • The transmission module 130 transmits the re-encryption information and the version information of the replacement secret key to the user terminal, and the encryption request terminal 10 may replace the existing encryption information and its corresponding version information with the re-encryption information and its corresponding version information and store them in the database 20.
  • FIG. 6 is a view for explaining the function of the encryption system 100 according to an embodiment of the present invention from a management aspect.
  • An administrator may query, change, delete, and generate secret keys through a management tool installed on the administrator's terminal. Through batch processing of data, the secret key of encrypted data can be replaced with a new or existing version by batch decryption followed by re-encryption, and forgery of encrypted personal information can be verified using a hash value.
  • FIG. 7 is a diagram illustrating an encryption process among encryption methods for processing personal information according to an embodiment of the present invention.
  • the encryption request terminal 10 may request encryption of personal information A to the encryption system 100 (S110).
  • The encryption system 100 may obtain one of the secret keys stored in the key store 200 (secret key k) and the version information V(k) of the secret key k from the key store 200 (S120), and may encrypt the personal information A with the secret key k to generate encryption information E (S130).
  • The encryption system 100 transmits the encryption information E and the version information V(k) of the secret key k used to generate the encryption information E to the encryption request terminal 10 (S140), and the encryption request terminal 10 may store the encryption information E and the version information V(k) in the DB 20 (S150).
  • The encryption system 100 may further generate hash information and transmit it to the encryption request terminal 10, and the encryption request terminal 10 may store the hash information together with the rest.
  • The encryption request terminal 10 may perform a process as shown in FIG. 8 instead of step S150 of FIG. 7.
  • The encryption request terminal 10 stores only the encryption information E in the DB 20 (S151) and, instead of storing the version information V(k) of the secret key k in the DB 20, may input the encryption information E labeled with V(k) to the neural network 25 as learning data (S152). Then, the neural network can be machine-learned by the learning data E (S153).
  • FIG. 9 is a diagram for explaining a decryption process among encryption methods for processing personal information according to an embodiment of the present invention.
  • The decryption request terminal 10-1 may obtain from the DB 20 the encryption information E to be decrypted and the version information V(k) of the secret key k used to encrypt the encryption information E (S210), and may request the encryption system 100 to decrypt the encryption information E (S210). At this time, the decryption request terminal 10-1 may transmit the version V(k) of the secret key k as well as the encryption information E to the encryption system 100.
  • The encryption system 100 may obtain from the key store 200 the secret key corresponding to the version V(k) among the secret keys stored there (that is, the secret key k) (S230), and may decrypt the encryption information E with the secret key k to generate the personal information A (S240).
  • the encryption system 100 may transmit the decrypted personal information A to the decryption request terminal 10-1 (S250).
  • The decryption request terminal 10-1 may perform a process as illustrated in FIG. 10 instead of step S210 of FIG. 9.
  • The decryption request terminal 10-1 acquires the encryption information E from the DB 20 (S211), and may input the encryption information E into the trained neural network 25 to request a prediction from the neural network 25 (S212). Then, the neural network 25 may output the version information V(k) of the secret key k used to encrypt the encryption information E as a prediction result (S213).
  • the encryption system 100 may include a processor and a memory storing a program executed by the processor.
  • the processor may include a single-core CPU or a multi-core CPU.
  • the memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid-state memory devices. Access to memory by the processor and other components can be controlled by a memory controller.
  • When the program is executed by the processor, the encryption system 100 according to the present exemplary embodiment may perform the above-described consulting information providing method.
  • The above-described consulting information providing method may be implemented in the form of computer-readable program commands and stored in a computer-readable recording medium, and a control program and a target program according to an embodiment of the present invention can also be stored in a computer-readable recording medium.
  • the computer-readable recording medium includes all kinds of recording devices in which data readable by a computer system are stored.
  • the program instructions recorded on the recording medium may be specially designed and configured for the present invention, or may be known and available to those skilled in the software art.
  • Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes; optical media such as CD-ROMs, DVDs, and floptical disks; and hardware devices specially configured to store and execute program instructions, such as magneto-optical media, ROM, RAM, and flash memory.
  • the computer-readable recording medium may be distributed over network-connected computer systems so that the computer-readable code is stored and executed in a distributed manner.
  • program instructions include machine language codes such as those produced by a compiler, as well as high-level language codes that can be executed by a device that processes information electronically using an interpreter or the like, for example, a computer.
  • the hardware device described above may be configured to operate as one or more software modules to perform the operation of the present invention, and vice versa.
  • the present invention can be used in an encryption system and method for processing personal information.
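
The version-tagged record format, usage-count key rotation, version-based decryption and re-encryption described above, as an added Python sketch that is not code from the patent. The class and function names, the rotation threshold, and the HMAC-SHA256 keystream standing in for the unspecified symmetric algorithm are assumptions; the third field is a keyed HMAC rather than a bare hash, since an unkeyed hash can be recomputed by whoever alters the record.

```python
import base64, hashlib, hmac, secrets

class KeyStore:
    """Hypothetical stand-in for key store 200 and secret key management module 170."""
    def __init__(self, max_uses=2):
        self.keys, self.max_uses = {}, max_uses
        self.rotate()

    def rotate(self):
        """Generate a new secret key and give it new version information."""
        self.latest = f"v{len(self.keys) + 1}"
        self.keys[self.latest] = secrets.token_bytes(32)
        self.uses = 0
        return self.latest

    def current(self):
        """Return (version, key) of the newest key, rotating on the use-count condition."""
        if self.uses >= self.max_uses:
            self.rotate()
        self.uses += 1
        return self.latest, self.keys[self.latest]

def subkey(key, label):
    # Derive separate keys for encryption and for the integrity tag.
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream_xor(key, nonce, data):
    # Stand-in symmetric cipher (HMAC-SHA256 in counter mode); use AES-GCM in real systems.
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        pad = hmac.new(subkey(key, b"enc"), nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def make_tag(key, version, body):
    # The tag covers the version field too, so the prefix cannot be swapped unnoticed.
    return hmac.new(subkey(key, b"mac"), f"{version}.{body}".encode(), hashlib.sha256).hexdigest()

def seal(version, key, plaintext):
    nonce = secrets.token_bytes(16)
    body = base64.urlsafe_b64encode(nonce + keystream_xor(key, nonce, plaintext)).decode()
    return f"{version}.{body}.{make_tag(key, version, body)}"  # {version}.{ciphertext}.{hash}

def encrypt(store, plaintext):
    return seal(*store.current(), plaintext)

def decrypt(store, record):
    version, body, tag = record.split(".")
    key = store.keys[version]  # KeyError if the version is unknown
    if not hmac.compare_digest(tag.encode(), make_tag(key, version, body).encode()):
        raise ValueError("tamper check failed")
    raw = base64.urlsafe_b64decode(body)
    return keystream_xor(key, raw[:16], raw[16:])

def reencrypt(store, record):
    """Decrypt with the original key, then encrypt under a key of a different version."""
    old_version = record.split(".", 1)[0]
    plaintext = decrypt(store, record)
    if store.latest == old_version:
        store.rotate()
    return seal(store.latest, store.keys[store.latest], plaintext)

if __name__ == "__main__":
    store = KeyStore(max_uses=2)
    rows = [encrypt(store, f"resident-no-{i}".encode()) for i in range(5)]  # constructed data
    for row in rows:
        print(row.split(".")[0], decrypt(store, row))
    print(reencrypt(store, rows[0]).split(".")[0])
```

Old key versions must stay in the key store until every record encrypted under them has been re-encrypted; deleting a version earlier makes those records undecryptable.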

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an encryption/decryption system and method that encrypts personal information using different versions of an encryption key, thereby strengthening its security. According to one aspect, the present invention relates to an encryption system comprising a secret key management module, a reception module, an encryption module, and a transmission module, wherein the secret key management module generates a new secret key when a predetermined key update condition is satisfied, assigns new version information to the generated new secret key, stores the new secret key and the new version information assigned to it in a key store, and provides a recent secret key, which was generated most recently, and version information associated with the recent secret key in response to a secret key provision request made by the encryption module, and an encryption request terminal stores, in a database, ciphertext information corresponding to information to be encrypted and version information corresponding to the ciphertext information, the version information corresponding to the ciphertext information being the version information associated with the secret key used when generating the ciphertext information.
PCT/KR2018/014182 2018-11-16 2018-11-19 Encryption system and method for processing personal information WO2020101087A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2021524312A JP7190035B2 (ja) 2018-11-16 2018-11-19 Encryption system and method for processing personal information

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020180142124A KR102156076B1 (ko) 2018-11-16 2018-11-16 Encryption system and method for processing personal information
KR10-2018-0142124 2018-11-16

Publications (1)

Publication Number Publication Date
WO2020101087A1 true WO2020101087A1 (fr) 2020-05-22

Family

ID=70730495

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2018/014182 WO2020101087A1 (fr) Encryption system and method for processing personal information

Country Status (3)

Country Link
JP (1) JP7190035B2 (fr)
KR (1) KR102156076B1 (fr)
WO (1) WO2020101087A1 (fr)

Also Published As

Publication number Publication date
JP7190035B2 (ja) 2022-12-14
JP2022506740A (ja) 2022-01-17
KR20200057900A (ko) 2020-05-27
KR102156076B1 (ko) 2020-09-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18939926

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021524312

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18939926

Country of ref document: EP

Kind code of ref document: A1