WO2023112272A1 - Management method, information processing device, and management program - Google Patents
Management method, information processing device, and management program
- Publication number
- WO2023112272A1 (PCT/JP2021/046594)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- database
- information
- data
- user
- program
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Definitions
- the present invention relates to a management method, an information processing device, and a management program.
- the database system may use a database management program to manage the database and execute data processing.
- the database management program is sometimes called a DBMS (Database Management System) program.
- a database system may set user rights to a database and allow access to the database within the scope of the rights. Also, the database system may register a stored procedure that defines a data processing procedure and execute the stored procedure upon request.
- a system for managing encryption keys for encrypting and decrypting databases has been proposed.
- the proposed system stores key information in which a user ID, a ciphertext obtained by encrypting an encryption key using a password, and a revision number indicating the generation of the password are associated with each other.
- the proposed system decrypts the key ciphertext with the old password to restore the encryption key, re-encrypts the encryption key with the new password to generate new key information, and restores the old key information.
- the specific database management program may be a restricted database management program that restricts user operations more than a normal database management program.
- the database system could be attacked by a third party replacing the database management program. If a database management program with a high data protection level is replaced with one with a low data protection level, there is a possibility that data may be illegally read from the database by a third party. Accordingly, in one aspect, the present invention aims to prevent replacement of database management programs by a third party.
- a management method in which a computer executes the following processes. The computer acquires revision information that identifies a database management program that manages a database, and user information that indicates a user of the database. It generates key information using the acquired revision information and user information, encrypts the database using the generated key information, and, after the database is encrypted, discards the generated key information.
- an information processing device having a storage unit and a processing unit is provided. Also, in one aspect, a management program to be executed by a computer is provided.
- FIG. 1 is a diagram for explaining an information processing device according to a first embodiment;
- FIG. 2 is a diagram showing an example of the information processing system of the second embodiment;
- FIG. 3 is a block diagram showing an example of hardware of a data processing server;
- FIG. 4 is a block diagram showing an example structure of a data capsule;
- FIG. 5 is a block diagram illustrating an example of software for a data processing server;
- FIG. 10 is a diagram showing an example of a capsule management table;
- FIG. 10 is a flow chart showing an example procedure for generating a data capsule;
- FIG. 10 is a flow chart showing an example procedure for using a data capsule;
- FIG. 1 is a diagram for explaining an information processing apparatus according to the first embodiment.
- the information processing apparatus 10 according to the first embodiment holds data using a database management program.
- the information processing device 10 may be a client device or a server device.
- the information processing device 10 may be called a computer, database device, or management device.
- the information processing device 10 has a storage unit 11 and a processing unit 12.
- the storage unit 11 may be a volatile semiconductor memory such as a RAM (Random Access Memory), or may be a non-volatile storage such as an HDD (Hard Disk Drive) or flash memory.
- the processing unit 12 is, for example, a processor such as a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), or a DSP (Digital Signal Processor). However, the processing unit 12 may include an electronic circuit such as ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).
- the processor executes programs stored in a memory such as a RAM (which may be the storage unit 11), for example.
- a collection of processors may be referred to as a multiprocessor or simply as a "processor".
- the storage unit 11 stores a database 13 and a database management program 14.
- the database 13 may be a relational database or a non-relational database such as a tree database or a network database.
- the database 13 contains data sets such as table data.
- the database 13 may contain administrative information used to control data access.
- the management information may include user definitions that indicate users who can access the database 13, and may include authority definitions that indicate the types of data operations permitted to users.
- the management information may also include a data structure definition, and may include a stored procedure definition that defines a series of data processing procedures.
- the database 13 is encrypted. Encryption of database 13 may include encryption of data sets and may include encryption of management information. The encryption may be performed at a fine granularity such as each record of a table or each item of management information, or may be performed at a coarse granularity such as an entire table or an entire file of management information.
- the database management program 14 manages the database 13.
- the database management program 14 is sometimes called a DBMS program.
- the database management program 14 receives a request message containing a query such as an SQL statement or a specification of a stored procedure from a user.
- the database management program 14 refers to the user definition and authority definition to confirm that the contents of the request message are within the user's authority.
- the database management program 14 then executes a query or specified stored procedure on the database 13.
- the database management program 14 may be a restricted version database management program that restricts user operations more than a normal database management program. For example, the database management program 14 may be prohibited from changing management information such as user definitions, authority definitions, data structure definitions, and stored procedure definitions. Further, in the database management program 14, among data search, data insertion, data update and data deletion, some data operations such as data update and data deletion may be prohibited.
- the processing unit 12 encrypts the database 13.
- the processing unit 12 may package the encrypted database 13 and the database management program 14 and output package data.
- the processing unit 12 may provide the package data to the user or transmit it to another information processing device.
- the processing unit 12 acquires revision information 15 and user information 16.
- the revision information 15 is an identifier that identifies the database management program 14.
- the revision information 15 may be the version number of the database management program 14 or a copy serial number of the database management program 14.
- Revision information 15 may be embedded in database management program 14.
- User information 16 is an identifier that indicates a user of database 13. This user is, for example, a data provider who stores data to be protected in the database 13. The user information 16 may be written in a file attached to the database 13 or may be included in the database 13.
- the processing unit 12 uses the acquired revision information 15 and user information 16 to generate key information 17 according to a specific key generation algorithm. For example, the processing unit 12 combines the revision information 15 and the user information 16 and inputs the combined character string into a function such as a hash function to generate the key information 17.
- the key information 17 may include a common key used for common key cryptography, or may include a public key and a private key used for public key cryptography.
- the processing unit 12 encrypts the database 13 using the generated key information 17. After the database 13 is encrypted, the processing unit 12 discards the generated key information 17. Since the key information 17 is not saved, it is regenerated from the revision information 15 and the user information 16 when the database 13 is decrypted.
- the database management program 14 may use the regenerated key information 17 to access the database 13.
- Database management program 14 may include a module for regenerating key information 17.
- the information processing apparatus 10 generates the key information 17 from the revision information 15 and the user information 16, encrypts the database 13 using the key information 17, and discards the key information 17 once the database 13 has been encrypted.
- the database management program 14 and the user of the database 13 are linked, and it becomes difficult to decrypt the database 13 unless the set of the correct revision information 15 and user information 16 is known. Then, it becomes difficult to access the database 13 from another database management program having different revision information. This prevents a third party from accessing the database 13 by replacing the database management program 14 with another database management program.
- the database management program 14 may be a specific database management program with enhanced data protection.
- the database management program 14 is prohibited from changing management information. In this case, by inhibiting the replacement of the database management program 14, the risk of unauthorized reading of data from the database 13 by a third party and data leakage is reduced, and data security is improved.
- the information processing device 10 may reacquire the revision information 15 and the user information 16 to regenerate the key information 17 and decrypt the database 13 using the regenerated key information 17. This allows the information processing device 10 to access the database 13 safely.
- the information processing device 10 may also output package data including the database management program 14 embedded with the revision information 15, the encrypted database 13, and a file containing the user information 16.
- the database management program 14 may include a module that regenerates the key information 17 and decrypts the database 13.
- other users can also operate the database 13 within the permitted range.
- FIG. 2 is a diagram illustrating an example of an information processing system according to the second embodiment.
- the information processing system of the second embodiment has a data processing server 31 and user servers 32 and 33 connected to a network 30.
- the network 30 may include a LAN (Local Area Network) or the Internet.
- the data processing server 31 corresponds to the information processing device 10 of the first embodiment.
- the data processing server 31 is a server computer that generates a data capsule, which will be described later, in response to requests from the user servers 32 and 33.
- the data processing server 31 may be located in a data center or may be a cloud server.
- the data processing server 31 receives a data capsule creation request from a certain user server.
- the data capsule creation request specifies the data to be stored in the data capsule and management information such as users who can access the data and restrictions on the access method.
- the data processing server 31 generates a data capsule for distributing the data in a protected state according to the data capsule generation request and returns it to the user server.
- a data capsule contains encrypted data and a DBMS program that provides limited data access.
- the user servers 32 and 33 are server computers of users who use the services of the data processing server 31.
- a user may be called a participant and may be an individual or a company.
- the user servers 32 and 33 may be located in data centers or may be cloud servers. Also, instead of the user servers 32 and 33, client computers may be used.
- the user servers 32 and 33 each transmit a data capsule creation request to the data processing server 31 and receive the created data capsule from the data processing server 31.
- User servers 32 and 33 each transmit data capsules to other user servers according to business requirements. For example, user server 32 may transmit a data capsule to user server 33, and user server 33 may transmit a data capsule to user server 32.
- Each of the user servers 32 and 33 performs data processing on the initial data stored in the data capsule by activating the DBMS program included in the data capsule received from the other user server.
- the DBMS program may restrict data access so that the initial data itself is not read from the data capsule.
- the DBMS program may output data processing results obtained by processing the initial data according to a certain processing procedure instead of the initial data itself.
- each of the user servers 32 and 33 may save additional data in the received data capsule and send it back to the other user server. As a result, data processing among data held by a plurality of users is realized while reducing the risk of data leakage.
- FIG. 3 is a block diagram showing an example of hardware of the data processing server.
- the data processing server 31 has a CPU 101, a RAM 102, an HDD 103, a GPU 104, an input interface 105, a media reader 106 and a communication interface 107 connected to a bus.
- User servers 32 and 33 may have hardware similar to data processing server 31.
- a CPU 101 corresponds to the processing unit 12 of the first embodiment.
- a RAM 102 or HDD 103 corresponds to the storage unit 11 of the first embodiment.
- the CPU 101 is a processor that executes program instructions.
- the CPU 101 loads at least part of the programs and data stored in the HDD 103 into the RAM 102 and executes the programs.
- the data processing server 31 may have multiple processors. A collection of processors may be referred to as a multiprocessor or simply as a "processor".
- the RAM 102 is a volatile semiconductor memory that temporarily stores programs executed by the CPU 101 and data used for calculations by the CPU 101.
- the data processing server 31 may have types of volatile memory other than RAM.
- the HDD 103 is a nonvolatile storage that stores software programs such as an OS (Operating System), middleware, application software, and data.
- the data processing server 31 may have other types of non-volatile storage such as flash memory and solid state drives (SSDs).
- the GPU 104 is a processor that performs image processing in cooperation with the CPU 101 and outputs images to the display device 111 connected to the data processing server 31.
- the display device 111 is, for example, a CRT (Cathode Ray Tube) display, a liquid crystal display, an organic EL (Electro Luminescence) display, or a projector.
- the data processing server 31 may be connected to other types of output devices such as printers.
- the input interface 105 receives input signals from the input device 112 connected to the data processing server 31.
- the input device 112 is, for example, a mouse, touch panel, or keyboard.
- a plurality of input devices may be connected to the data processing server 31 .
- the medium reader 106 is a reading device that reads programs and data recorded on the recording medium 113.
- the recording medium 113 is, for example, a magnetic disk, an optical disk, or a semiconductor memory. Magnetic disks include flexible disks (FDs) and HDDs. Optical discs include CDs (Compact Discs) and DVDs (Digital Versatile Discs).
- the medium reader 106 copies the program and data read from the recording medium 113 to another recording medium such as the RAM 102 or HDD 103.
- the read program may be executed by CPU 101.
- the recording medium 113 may be a portable recording medium. Recording medium 113 may be used to distribute programs and data. Recording medium 113 and HDD 103 may also be referred to as computer-readable recording media.
- the communication interface 107 communicates with the user servers 32 and 33 via the network 30.
- the communication interface 107 may be a wired communication interface connected to a wired communication device such as a switch or router, or a wireless communication interface connected to a wireless communication device such as a base station or access point.
- FIG. 4 is a block diagram showing an example structure of a data capsule.
- Data capsule 120 includes customer number file 121, configuration file 122, management information file 123 and data file 124.
- Data capsule 120 also includes DBMS program 131, erase program 132 and container program 133.
- the management information file 123 and data file 124 correspond to the database 13 of the first embodiment.
- the DBMS program 131 corresponds to the database management program 14 of the first embodiment.
- the customer number file 121 is a file containing customer numbers.
- the customer number corresponds to the user information 16 of the first embodiment.
- This customer number is the identification number of the user who requested the data processing server 31 to create the data capsule 120, that is, the user who stored the initial data in the database. However, the customer number may be the identification number of the user to whom the data capsule 120 is transferred.
- Customer number file 121 is not encrypted.
- the configuration file 122 is a file in which a file path indicating the location of the management information file 123 in the data capsule 120 is described. Configuration file 122 is encrypted.
- the management information file 123 is a file in which management information used for controlling access to the database is described.
- the management information file 123 contains the file paths of the data files 124.
- the management information file 123 also includes user definitions 125, authority definitions 126, data structure definitions 127 and procedure definitions 128.
- the user definition 125 indicates users who can access the database.
- a user may be identified by a user name, a customer number, a server name of a user server, or a communication address of a user server.
- Authority definition 126 indicates the type of data manipulation permitted for each user. For example, permission/inhibition of data search, data insertion, data update, and data deletion for each relational table is defined.
- the data structure definition 127 indicates the table structure of the relational database.
- a non-relational database such as a tree-type database or a network-type database may also be used.
- a procedure definition 128 indicates a stored procedure.
- a stored procedure is a program describing a series of data processing that is difficult to describe in a single SQL statement.
- a stored procedure is described using a procedure description language that extends SQL.
- when a stored procedure call instruction is received instead of an SQL statement, the stored procedure is executed. Appropriate use of stored procedures prevents the data itself contained in the database from being output to the outside of the data capsule 120.
- the management information file 123 is encrypted.
- the unit of encryption may be coarse granularity such as the entire management information file 123, or fine granularity in which each item of the management information file 123 is a unit such as the user definition 125 and the authority definition 126.
- the data file 124 is a file containing records of relational database tables.
- Data file 124 is encrypted.
- the unit of encryption may be coarse granularity, such as the entire data file 124, or fine granularity, such as table units or record units.
- the DBMS program 131 is a restricted version of the DBMS program whose functions are restricted compared to normal DBMS programs.
- the DBMS program 131 may not have the function of changing the management information file 123.
- the DBMS program 131 may not have a function to execute some data operations such as data update and data deletion among data retrieval, data insertion, data update and data deletion.
- a revision number 134 is embedded in the DBMS program 131.
- the revision number 134 is an identification number that identifies the DBMS program 131 .
- the data processing server 31 assigns a new revision number and embeds it in the restricted version of the DBMS program each time it issues a data capsule for a new project.
- the DBMS program 131 includes a key generation module 135 and a data access module 136.
- Key generation module 135 generates encryption keys for decrypting configuration file 122 and management information file 123 and for decrypting and re-encrypting data file 124 .
- the encryption key of the second embodiment is a common key of common key cryptography. However, the encryption key may be a public key and a private key of public key cryptography.
- the key generation module 135 generates an encryption key from the revision number 134 embedded in the DBMS program 131 and the customer number described in the customer number file 121 according to a specific key generation algorithm. This encryption key is the same as the encryption key used when the data processing server 31 generated the data capsule 120. The encryption key used when generating the data capsule 120 is not saved and is regenerated when the data capsule 120 is used. Alternatively, instead of generating the encryption key itself, the key generation module 135 may transmit the revision number 134 and the customer number to the data processing server 31, request that the data processing server 31 regenerate the encryption key, and receive the encryption key from it.
- the data access module 136 provides users with limited access to the data files 124.
- Data access module 136 receives a request message from a user and, based on user definition 125 and authority definition 126, verifies that the content of the request message is within the authority of the user.
- the data access module 136 then executes the SQL statement included in the request message or the stored procedure specified by the request message against the relational table included in the data file 124.
- the data access module 136 uses the encryption key regenerated by the key generation module 135 to decrypt and re-encrypt.
- Data access module 136 may decrypt configuration file 122, management information file 123 and data file 124 in their entirety upon startup of DBMS program 131.
- the data access module 136 may also decrypt only the used portions of the management information file 123 and the data file 124 when accessing the relational table.
- the data access module 136 may also re-encrypt the data file 124 when updating the relational table.
- when generating the data capsule 120, the data processing server 31 generates and encrypts the configuration file 122, the management information file 123 and the data file 124 using a normal version of the DBMS program whose functions are not limited.
- the data processing server 31 inputs management information and data to the normal DBMS in accordance with the data capsule creation request.
- the data processing server 31 replaces the normal version of the DBMS program with the DBMS program 131 after the configuration file 122, the management information file 123 and the data file 124 are generated.
- the erase program 132 is a program that deletes the management information file 123 and the data file 124 according to instructions from the container program 133 in order to prevent data leakage.
- the erase program 132 first deletes the management information file 123 and then deletes the data file 124.
- Deletion of the management information file 123 and the data file 124 is performed by overwriting the storage area in which the management information file 123 and the data file 124 are stored with specific bits so as to make it unrestorable.
- the container program 133 is a representative program for encapsulating the data capsule 120 into a single file.
- the container program 133 is executed first.
- the container program 133 performs user authentication using a customer number and a password when started.
- the container program 133 may hold account information indicating the correspondence between the customer number and the correct password. If user authentication succeeds, the container program 133 starts the DBMS program 131 .
- the container program 133 starts status confirmation to continuously confirm that the data capsule 120 is not being illegally used.
- when the container program 133 detects an event indicating possible unauthorized use of the data capsule 120, it decides to invalidate the data capsule 120 and activates the erase program 132.
- the container program 133 periodically communicates with the data processing server 31 after startup.
- the communication partner of the container program 133 may be a specific server other than the data processing server 31. If a communication failure is detected, the container program 133 decides to invalidate the data capsule 120. Also, the container program 133 confirms that the current time has not passed the expiration date. The container program 133 may hold information about the expiration date of the data capsule 120. If the current time has passed the expiration date, the container program 133 decides to invalidate the data capsule 120.
- the container program 133 monitors the result of user authentication for the data capsule 120 to detect unauthorized access. If the results of multiple user authentications correspond to a specific pattern, the container program 133 determines that there is a possibility of unauthorized intrusion and decides to invalidate the data capsule 120 .
- a pattern of unauthorized intrusion is, for example, that the number of user authentication failures exceeds a threshold within time T1, and that user authentication succeeds within time T2.
- the state confirmation detects the possibility that the data capsule 120 has been transferred to an unauthorized person or that the data capsule 120 has been illegally accessed by an unauthorized person.
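The status confirmation described above, written out as detection logic (an added example, not code from the patent): the three invalidation conditions the page lists, with the intrusion pattern evaluated over a constructed sequence of authentication events. The page does not say what T2 is measured from; this example assumes it is measured from the last failure of the burst, and the threshold and window values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AuthEvent:
    """One user-authentication attempt handled by the container program."""
    timestamp: float   # seconds since the capsule was started
    success: bool


def brute_force_then_success(events: List[AuthEvent], threshold: int,
                             t1: float, t2: float) -> bool:
    """The page's intrusion pattern: more than `threshold` authentication
    failures within a window of T1 seconds, followed by a successful
    authentication within T2 seconds. T2 is taken from the last failure of the
    burst (an assumption of this example; the page does not fix the reference)."""
    ordered = sorted(events, key=lambda e: e.timestamp)
    failures = [e.timestamp for e in ordered if not e.success]
    for event in ordered:
        if not event.success:
            continue
        # failures that precede this success by at most T2 seconds
        recent = [f for f in failures if event.timestamp - t2 <= f < event.timestamp]
        if not recent:
            continue
        last_failure = max(recent)
        # size of the failure burst that ends at last_failure and spans at most T1
        burst = [f for f in failures if last_failure - t1 <= f <= last_failure]
        if len(burst) > threshold:
            return True
    return False


def decide_invalidation(now: float, last_heartbeat_ok: bool, expires_at: float,
                        events: List[AuthEvent], threshold: int = 5,
                        t1: float = 60.0, t2: float = 30.0) -> Optional[str]:
    """Status confirmation as the page lists it: loss of contact with the data
    processing server, an expiration date that has passed, or the intrusion
    pattern above. Returns the reason the capsule should be invalidated (and the
    erase program started), or None if the capsule may keep running."""
    if not last_heartbeat_ok:
        return "communication failure with the data processing server"
    if now > expires_at:
        return "expiration date passed"
    if brute_force_then_success(events, threshold, t1, t2):
        return "authentication failure burst followed by success"
    return None


# Constructed sample event sequences (not from the page).
SUSPICIOUS = [AuthEvent(t, False) for t in (0, 3, 7, 12, 18, 25)] + [AuthEvent(40, True)]
NORMAL = [AuthEvent(0, False), AuthEvent(6, True)]            # one typo, then success
SLOW = [AuthEvent(t, False) for t in (0, 100, 200, 300, 400, 500)] + [AuthEvent(510, True)]

if __name__ == "__main__":
    for name, events in (("suspicious", SUSPICIOUS), ("normal", NORMAL), ("slow", SLOW)):
        print(name, decide_invalidation(now=600.0, last_heartbeat_ok=True,
                                        expires_at=86400.0, events=events))
```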
- FIG. 5 is a block diagram illustrating an example of software for a data processing server.
- the data processing server 31 has a management table storage unit 141 and a program storage unit 142. These storage units are implemented using the RAM 102 or the HDD 103, for example.
- the data processing server 31 also has a request receiving unit 143, a matter management unit 144, a key generation unit 145, a data storage unit 146, a build unit 147 and a monitoring unit 148. These processing units are implemented using, for example, the CPU 101 and programs.
- the management table storage unit 141 stores a capsule management table.
- the capsule management table associates the revision number of the restricted version of the DBMS with the customer number of the user who registers the initial data in the database for each project for creating a data capsule.
- the program storage unit 142 stores the normal version of the DBMS program.
- the program storage unit 142 also stores the source code of the restricted version of the DBMS program, and the erase program and container program incorporated in the data capsule.
- the request receiving unit 143 communicates with the user servers 32 and 33.
- the request receiving unit 143 provides a web interface to the user servers 32 and 33 and receives a data capsule creation request from either of the user servers 32 and 33.
- the request receiving unit 143 notifies the matter management unit 144 of the customer number included in the data capsule creation request, and acquires the revision number and encryption key from the matter management unit 144.
- the request receiving unit 143 notifies the data storage unit 146 of the encryption key and the user definition, authority definition, data structure definition, procedure definition and data included in the data capsule creation request.
- the request receiving unit 143 notifies the build unit 147 of the revision number and the customer number, acquires the generated data capsule from the build unit 147, and returns it to the user server.
- the matter management unit 144 refers to the capsule management table stored in the management table storage unit 141 and assigns a new revision number to be used in the new matter.
- the item management unit 144 associates the revision number with the customer number and registers them in the capsule management table.
- the item management unit 144 notifies the key generation unit 145 of the revision number and the customer number, acquires the encryption key from the key generation unit 145, and notifies the request reception unit 143 of the encryption key and the revision number.
- the key generation unit 145 generates an encryption key from the customer number and revision number according to a specific key generation algorithm. For example, the key generation unit 145 generates a character string by combining a customer number and a revision number, inputs the generated character string to a function such as a hash function, and adopts a bit string output by the function as an encryption key.
- the data storage unit 146 uses the normal version of the DBMS program stored in the program storage unit 142 to register user definitions, authority definitions, and procedure definitions in management information. In addition, the data storage unit 146 registers the data structure definition in the management information and registers the data in the relationship table using the normal version of the DBMS program. At this time, the data storage unit 146 uses the encryption key obtained from the request reception unit 143 to encrypt the management information and the relationship table. This creates a configuration file, a management information file and a data file.
- the build unit 147 embeds the revision number obtained from the request receiving unit 143 into the source code of the restricted version of the DBMS program stored in the program storage unit 142, and builds the restricted version of the DBMS program. Building includes compiling source code and linking libraries. Also, the build unit 147 generates a customer number file in which the customer number acquired from the request receiving unit 143 is described.
- the build unit 147 reads out the erase program and the container program from the program storage unit 142.
- the build unit 147 encapsulates the customer number file, the configuration file, the management information file, the data file, the restricted version of the DBMS program, the erasure program and the container program to generate a data capsule.
- a data capsule corresponds to an image file in which a group of files on a storage device are grouped into a single file while maintaining a directory hierarchy.
- the build unit 147 provides the data capsule to the request receiving unit 143.
- the monitoring unit 148 communicates with the data capsules provided to the user servers 32 and 33 and tracks them.
- the monitoring unit 148 periodically receives messages from the container program and returns response messages while the restricted version of the DBMS program is being executed.
- the monitoring unit 148 may be implemented in a server different from the data processing server 31.
- FIG. 6 is a diagram showing an example of a capsule management table.
- the capsule management table 151 is stored in the management table storage unit 141.
- The capsule management table 151 associates a project number, revision number, customer name, customer number, project name, creation date, and expiration date.
- the project number is an identification number that identifies the project for which the new data capsule is provided.
- the revision number is an identification number that identifies a restricted version of the DBMS program, and is assigned to each project.
- the customer name is the name of the user who registers the initial data in the database.
- a customer number is an identification number assigned in advance to the user.
- the project name is a name that indicates the use of the data capsule.
- the creation date is the date when the data processing server 31 created the data capsule.
- the expiration date is the time limit during which the generated data capsule can be used. Expired data capsules are invalidated and the database is deleted. The expiration date is specified by the user in the data capsule creation request.
- FIG. 7 is a diagram illustrating an example of encryption key generation.
- the key generation unit 145 receives the revision number 152 and the customer number 153.
- the key generation unit 145 inputs the revision number 152 and the customer number 153 to the key generation algorithm 154 to generate the encryption key 155.
- the key generation unit 145 combines the revision number 152 and the customer number 153 and inputs them to the key generation algorithm 154.
- the restricted version DBMS program inputs the revision number 152 embedded in the restricted version DBMS program and the customer number 153 described in the customer number file into the key generation algorithm 154 to regenerate the encryption key 155.
- the restricted version DBMS program may output the revision number 152 and the customer number 153 to request the external module of the restricted version DBMS program to regenerate the encryption key 155 .
- FIG. 8 is a flow chart showing an example procedure for generating a data capsule.
- the request receiving unit 143 receives a data capsule creation request.
- the item management unit 144 refers to the capsule management table 151 and assigns a new revision number.
- the item management unit 144 records the customer number included in the data capsule creation request and the assigned revision number in the capsule management table 151.
- the key generator 145 generates an encryption key from the revision number and customer number.
- the data storage unit 146 uses the normal version of the DBMS program to register the user definition, authority definition and procedure definition included in the data capsule creation request in the database. The data storage unit 146 encrypts this definition information using the encryption key.
- the data storage unit 146 uses the normal version of the DBMS program to register the data structure definition and the data body in the database. The data storage unit 146 encrypts this definition information and the data using the encryption key.
- the data storage unit 146 discards the encryption key used above.
- the build unit 147 embeds the revision number in the source code of the restricted version of the DBMS program, and builds the restricted version of the DBMS program having the revision number.
- the build unit 147 further adds the customer number file, the deletion program, and the container program to the configuration file, management information file, and data file generated by the normal version of the DBMS program and the restricted version of the DBMS program.
- the build unit 147 encapsulates these files and programs to generate a data capsule.
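The key generation of FIG. 7 and the capsule creation and use round trip of FIG. 8 and FIG. 9, as an added Python example; this is not code from the patent. It assumes SHA-256 as the hash inside key generation algorithm 154, a "|" separator when the customer number and revision number are combined, and a standard-library stand-in (SHA-256 counter keystream plus HMAC tag) in place of a real file cipher; all function and variable names are the example's own. It also models the threat the page names: a DBMS program built with a different embedded revision number regenerates a different key and cannot decrypt the files.

```python
import hashlib
import hmac
import json
import os

# Constructed sample values (not from the patent).
CUSTOMER_NUMBER = "C-0001"
REVISION_NUMBER = "R-0042"
SAMPLE_MANAGEMENT_INFO = {"users": {"alice": "analyst"}, "procedures": ["monthly_report"]}
SAMPLE_DATA = [{"id": 1, "name": "widget"}, {"id": 2, "name": "gadget"}]


def generate_encryption_key(customer_number: str, revision_number: str) -> bytes:
    # Key generation algorithm 154 as the page describes it: combine the two
    # identifiers into one string and hash it. SHA-256 and the "|" separator
    # are assumptions; the page only says "a function such as a hash function".
    combined = f"{customer_number}|{revision_number}".encode("utf-8")
    return hashlib.sha256(combined).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher built from the standard library only so the example runs
    # offline: a SHA-256 counter keystream, authenticated with HMAC below.
    # A real deployment would use an AEAD such as AES-GCM instead.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt_file(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag.
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_file(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong key (e.g. a DBMS program with a different revision) or a tampered file.
        raise ValueError("management information or data file cannot be decrypted")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def build_data_capsule(customer_number, revision_number, management_info, data) -> dict:
    # FIG. 8: derive the key, encrypt the management information and data
    # files, embed the revision number in the restricted DBMS program, then
    # discard the key. The capsule (an image file on the page) is modelled as a dict.
    key = generate_encryption_key(customer_number, revision_number)
    capsule = {
        "customer_number_file": customer_number,
        "dbms_program": {"embedded_revision_number": revision_number},
        "management_information_file": encrypt_file(key, json.dumps(management_info).encode()),
        "data_file": encrypt_file(key, json.dumps(data).encode()),
    }
    del key  # the key is stored neither in the capsule nor on the server
    return capsule


def use_data_capsule(capsule: dict):
    # FIG. 9: regenerate the key from the two identifiers carried inside the
    # capsule, decrypt both files, then discard the key. Returns (management_info, data).
    key = generate_encryption_key(
        capsule["customer_number_file"],
        capsule["dbms_program"]["embedded_revision_number"],
    )
    try:
        management_info = json.loads(decrypt_file(key, capsule["management_information_file"]))
        data = json.loads(decrypt_file(key, capsule["data_file"]))
    finally:
        del key  # discarded after use, as on the page
    return management_info, data


def replace_dbms_program(capsule: dict, other_revision_number: str) -> dict:
    # Models the replacement the page guards against: a DBMS program built with a
    # different revision number is swapped in and so regenerates a different key.
    swapped = dict(capsule)
    swapped["dbms_program"] = {"embedded_revision_number": other_revision_number}
    return swapped


if __name__ == "__main__":
    capsule = build_data_capsule(CUSTOMER_NUMBER, REVISION_NUMBER, SAMPLE_MANAGEMENT_INFO, SAMPLE_DATA)
    print(use_data_capsule(capsule))
    try:
        use_data_capsule(replace_dbms_program(capsule, "R-9999"))
    except ValueError as exc:
        print("swapped DBMS program:", exc)
```

Because both inputs to the derivation travel inside the capsule (the customer number file and the revision embedded in the program), the example makes visible what the page states at the end of the embodiment: the protection rests on the binding between the correct DBMS program and the database, together with the container program's invalidation events, rather than on a key that is secret on its own.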
- FIG. 9 is a flow chart showing an example procedure for using a data capsule.
- the user server 32 activates the container program 133, inputs the customer number and password into the container program 133, and performs user authentication.
- the user server 32 determines whether an event that invalidates the data capsule 120 has been detected by the container program 133. Invalidation events include failure of the regular communication with the data processing server 31, user authentication results that suggest unauthorized access, and the expiration date being reached. If an invalidation event is detected, the process proceeds to step S28; otherwise, the process proceeds to step S22.
- the user server 32 starts the DBMS program 131.
- the user server 32 extracts the revision number embedded in the DBMS program 131 and extracts the customer number from the customer number file 121.
- the user server 32 uses the DBMS program 131 to generate an encryption key from the extracted revision number and customer number.
- the user server 32 decrypts the management information file 123 using the DBMS program 131 and confirms the authority of the user of the user server 32.
- the user server 32 decrypts the data file 124 using the DBMS program 131 and executes the query or stored procedure specified by the user.
- the user server 32 discards the encryption key generated by the DBMS program 131. Then, the use of the data capsule ends.
- the user server 32 activates the deletion program 132 and deletes the management information file 123 and the data file 124 from the data capsule 120.
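The container program's invalidation check and the deletion program from FIG. 9, as an added Python example that is not the patent's code. The heartbeat grace period, the failed-login threshold and the salted PBKDF2 password hash are assumptions (the page names the three event types without giving numbers or an authentication method); the capsule is modelled as a dict of file contents, and all names are the example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions: the page lists the event types but gives no numbers.
HEARTBEAT_GRACE = timedelta(minutes=15)   # silence from the server that counts as communication failure
AUTH_FAILURE_THRESHOLD = 3                # consecutive failed logins that count as suspected unauthorized access


@dataclass
class CapsuleState:
    # Models the files inside data capsule 120 plus the state the container program keeps.
    files: Dict[str, bytes]
    expiration_date: datetime
    last_successful_heartbeat: datetime
    failed_logins: int = 0


def make_credential(password: str, salt: bytes) -> bytes:
    # The page only says "customer number and password"; salted PBKDF2-HMAC-SHA256 is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def authenticate(state: CapsuleState, customer_number: str, password: str,
                 credentials: Dict[str, Tuple[bytes, bytes]]) -> bool:
    # credentials maps customer number -> (salt, stored hash); compare in constant time.
    entry = credentials.get(customer_number)
    ok = entry is not None and hmac.compare_digest(make_credential(password, entry[0]), entry[1])
    state.failed_logins = 0 if ok else state.failed_logins + 1
    return ok


def record_heartbeat(state: CapsuleState, now: datetime, reply_received: bool) -> None:
    # Periodic message exchange with monitoring unit 148; only a reply refreshes the timestamp.
    if reply_received:
        state.last_successful_heartbeat = now


def detect_invalidation_event(state: CapsuleState, now: datetime) -> Optional[str]:
    # The three events listed on the page. Returns the reason, or None if the DBMS may start.
    if now >= state.expiration_date:
        return "expiration date reached"
    if now - state.last_successful_heartbeat > HEARTBEAT_GRACE:
        return "regular communication with the data processing server failed"
    if state.failed_logins >= AUTH_FAILURE_THRESHOLD:
        return "user authentication results suggest unauthorized access"
    return None


def erase_program(state: CapsuleState) -> List[str]:
    # Deletion program 132: remove the management information file and the data file.
    removed = []
    for name in ("management_information_file", "data_file"):
        if state.files.pop(name, None) is not None:
            removed.append(name)
    return removed


def container_cycle(state: CapsuleState, now: datetime, customer_number: str,
                    password: str, credentials: Dict[str, Tuple[bytes, bytes]]) -> str:
    # One pass through the start of FIG. 9: authenticate, check for an invalidation
    # event, and either erase the database or report that the DBMS program may start.
    ok = authenticate(state, customer_number, password, credentials)
    reason = detect_invalidation_event(state, now)
    if reason is not None:
        erase_program(state)
        return f"invalidated: {reason}"
    if not ok:
        return "authentication failed, dbms program not started"
    return "dbms program may start"


if __name__ == "__main__":
    # Constructed sample: one registered customer and a capsule valid for 30 days.
    salt = b"constructed-salt"
    creds = {"C-0001": (salt, make_credential("correct horse", salt))}
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state = CapsuleState(
        files={"customer_number_file": b"C-0001", "management_information_file": b"...", "data_file": b"..."},
        expiration_date=t0 + timedelta(days=30),
        last_successful_heartbeat=t0,
    )
    print(container_cycle(state, t0, "C-0001", "correct horse", creds))
    print(container_cycle(state, t0 + timedelta(days=31), "C-0001", "correct horse", creds))
    print(sorted(state.files))
```

The customer number file survives erasure in this model, as on the page only the management information file and the data file are deleted; a second run of the deletion program is therefore a no-op rather than an error.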
- As described above, the data processing server 31 of the second embodiment generates and provides data capsules in response to requests from users.
- a data capsule contains a restricted version of the DBMS program and an encrypted database.
- the encryption key for decrypting the database is not stored, and is generated from the revision number embedded in the restricted version of the DBMS program and the customer number of the database each time the database is used.
- This ties the restricted version of the DBMS program to the database, making it difficult to decrypt the database without using the correct DBMS program. Therefore, it becomes difficult for a third party to replace the DBMS program to weaken the protection of the database, and the risk of data leakage is reduced.
- the data capsule includes a container program that detects an event that should invalidate the data capsule, and an erasure program that invalidates the data capsule by erasing the database.
- the container program detects, as events, communication failure with the server tracking the data capsule, expiration, and unauthorized breach of user authentication. This reduces the risk of data leakage when the data capsule is illegally transferred to a third party.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Storage Device Security (AREA)
Abstract
The present invention prevents the replacement of a database management program by a third party. An information processing device (10) acquires: revision information (15) for identifying a database management program (14) for managing a database (13); and user information (16) indicating a user of the database (13). The information processing device (10) uses the acquired revision information (15) and the acquired user information (16) to generate key information (17). The information processing device (10) uses the generated key information (17) to encrypt the database (13). The information processing device (10) discards the generated key information (17) after the database (13) has been encrypted.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/046594 WO2023112272A1 (fr) | 2021-12-16 | 2021-12-16 | Management method, information processing device and management program |
JP2023567449A JP7549283B2 (ja) | 2021-12-16 | 2021-12-16 | Management method, information processing device and management program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/046594 WO2023112272A1 (fr) | 2021-12-16 | 2021-12-16 | Management method, information processing device and management program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023112272A1 true WO2023112272A1 (fr) | 2023-06-22 |
Family
ID=86773819
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/046594 WO2023112272A1 (fr) | 2021-12-16 | 2021-12-16 | Management method, information processing device and management program |
Country Status (2)
Country | Link |
---|---|
JP (1) | JP7549283B2 (fr) |
WO (1) | WO2023112272A1 (fr) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003203014A (ja) * | 2002-01-08 | 2003-07-18 | Sony Corp | Information processing device and method, recording medium, and program |
JP2005209069A (ja) * | 2004-01-26 | 2005-08-04 | Nippon Telegr & Teleph Corp <Ntt> | Database control device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200050785A1 (en) | 2018-08-10 | 2020-02-13 | Ca, Inc. | Database record access through use of a multi-value alternate primary key |
2021
- 2021-12-16 JP JP2023567449A patent/JP7549283B2/ja active Active
- 2021-12-16 WO PCT/JP2021/046594 patent/WO2023112272A1/fr active Application Filing
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003203014A (ja) * | 2002-01-08 | 2003-07-18 | Sony Corp | Information processing device and method, recording medium, and program |
JP2005209069A (ja) * | 2004-01-26 | 2005-08-04 | Nippon Telegr & Teleph Corp <Ntt> | Database control device |
Also Published As
Publication number | Publication date |
---|---|
JPWO2023112272A1 (fr) | 2023-06-22 |
JP7549283B2 (ja) | 2024-09-11 |
Similar Documents
Publication | Title |
---|---|
JP4398145B2 (ja) | Method and apparatus for automatic database encryption |
US7792300B1 (en) | Method and apparatus for re-encrypting data in a transaction-based secure storage system |
US7171557B2 (en) | System for optimized key management with file groups |
US9122888B2 (en) | System and method to create resilient site master-key for automated access |
JP4759513B2 (ja) | Management of data objects in a dynamic, distributed and collaborative environment |
US7152165B1 (en) | Trusted storage systems and methods |
JP5210376B2 (ja) | Data confidentiality method in a fixed-content distributed data storage system |
US7770213B2 (en) | Method and apparatus for securely forgetting secrets |
US7694134B2 (en) | System and method for encrypting data without regard to application |
CN110352413B (zh) | Policy-based real-time data file access control method and system |
US20030081790A1 (en) | System for ensuring data privacy and user differentiation in a distributed file system |
US20030037248A1 (en) | Crypto-pointers for secure data storage |
TWI394419B (zh) | System and method for managing encrypted content using logical partitioning |
US8200964B2 (en) | Method and apparatus for accessing an encrypted file system using non-local keys |
US20080232592A1 (en) | Method and apparatus for performing selective encryption/decryption in a data storage system |
US20030210790A1 (en) | Optimizing costs associated with managing encrypted data |
US7315859B2 (en) | Method and apparatus for management of encrypted data through role separation |
AU2002213436A1 (en) | Method and apparatus for automatic database encryption |
JP2004185152A (ja) | License transfer device and program |
US7660423B2 (en) | Method and apparatus for maintaining ephemeral keys in limited space |
US6920563B2 (en) | System and method to securely store information in a recoverable manner on an untrusted system |
TW200535815A (en) | Information processing device and method, program, and recording medium |
US9147087B2 (en) | Method of accessing a data storage device |
CN116594567A (zh) | Information management method, apparatus and electronic device |
TWI362207B (en) | Key cache management through multiple localities |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21968187 Country of ref document: EP Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2023567449 Country of ref document: JP |
| NENP | Non-entry into the national phase | Ref country code: DE |