JP2008312156A - Information processing apparatus, encryption processing method, and encryption processing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform encryption difficult to be decrypted and to shorten an encryption processing time for the outflow of a log file. <P>SOLUTION: Information 301 recorded in an access log file 18 is automatically decomposed into confidential information 304 and non-confidential information 305 utilizing a partition character 312 of a general URL format. The non-confidential information 304 is recorded in plaintext and the confidential information 305 is encrypted and recorded, so that the amount of data to perform encrypting operation thereon is decreased and acceleration is attained. Furthermore, a key of a common encryption key scheme is generated in access log generation, and the key of the common encryption key scheme is encrypted according to a public key encryption scheme (defined as a first encryption scheme, hereafter). Thus, it becomes difficult to decrypt the encrypted confidential information 304 and even if a nonvolatile storage device such as a hard disk storing the access log file 18 thereon is stolen, the key to be used for decryption is not easily ascertained. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention, for example, provides information to the public, reservations for public facilities, reservations and ticketing of tickets such as boarding passes for airplanes, and other confidential information such as user personal information acquired by the terminal device when performing other transactions. The present invention relates to an information processing apparatus, an encryption processing method, and an encryption processing program suitable for managing information.

  Conventionally, a WEB (World Wide Web) browser incorporated in a terminal device such as a personal computer can display a desired screen on a display device in accordance with a user operation. The WEB browser executes an unspecified application program described in, for example, HTML (Hyper Text Markup Language), JavaScript (registered trademark) incorporated in HTML, or other languages, and displays it on the screen. On the screen displayed by the WEB browser, there is provided a link button for moving to a WEB page designated by the description in the application program and selected by the user. Further, the WEB browser is provided with a function button such as a “return” button for returning to the previous page of the page currently displayed by the WEB browser. The user of the terminal device operates these link buttons or function buttons to use the WEB browser to provide information to the public, reserve public facilities, and reserve and issue tickets such as boarding passes for airplanes, Other services such as various transactions can be provided.

  Generally, a terminal device acquires an access history to an unspecified URL (Uniform Resource Locator) by a user operation on an application screen, an operation content of a user's function button, and the acquired information together with the date and time of a hard disk or the like A function of saving in an access log file on the non-volatile storage device. In addition to this access log file, the contents stored as log information include the state of a human sensor that detects whether or not a user is approaching, the recording of card reader operations, and the like.

  The log information in the access log file is used for various investigation purposes. Mainly, for example, a cause investigation when a malfunction of the terminal device occurs, a statistical survey of the usage frequency of the terminal device, a statistical survey of the usage frequency of the content, and the like can be given. However, the access log file may include personal information such as the user's name, address, gender, age, date of birth, telephone number, credit card number, transaction amount, and other confidential information. Therefore, if access log files are leaked due to theft of non-volatile storage devices such as hard disks that store access log files, or theft of access log files due to unauthorized access via communication lines, etc. There is.

  By the way, when the investigator uses the access log for the purpose of investigating the cause of the malfunction of the terminal device, the confidential information is not required. For this reason, when an authorized person who can access an access log file that contains confidential information passes the access log file to the investigator, an access log file for investigation is created and the information related to confidential information is deleted from the access log file. The method was taken. In addition, if a part of the confidential information is required to identify the user of the terminal device, the authority will replace the confidential information part with another code so that the confidential information is not identified. The method of creating and passing the access log file was used. In these methods, an authorized person needs to create an access log file for investigation from the access log file of the terminal device.

  In addition to the techniques described above, there are techniques described in Patent Documents 1 to 4 as techniques for preventing unauthorized use of access log files.

  Patent Document 1 discloses an invention relating to a confidential document management technique. In the confidential document management technique described in Patent Document 1, the confidential document file is encrypted and stored on the server, and the editing operation is read out to the client device. That is, when the encrypted file is edited, the target confidential document file is obtained from the server and decrypted on the client device side, and the decrypted confidential document file (temporary file) is edited on the client device side. When editing is completed, the temporary file is encrypted again and stored on the server. Use of this confidential document management technology is effective in preventing reading of data in a confidential document file in the event of theft of a non-volatile storage device such as a hard disk or the access log file due to unauthorized access via a communication line. .

  Patent Document 2 discloses a technique in which a file on a server and a file on a client are plaintext, but the target file is encrypted by a device on a communication path and transmitted to the other party.

  Patent Document 3 discloses a technique for keeping the existence of an access log file secret by applying a steganography technique for concealing an encrypted access log file on a server to other files such as image data. Is disclosed.

  Also, in Patent Document 4, a confidentiality level is set for confidential data, confidential data with the lowest confidentiality level is recorded in plain text, and encryption keys are separately used according to the confidentiality level for encryption. Technology is disclosed.

  Thus, various confidential document management techniques using encryption techniques have been proposed. There are mainly two methods for this encryption technique. One is a common key cryptosystem that uses the same key for encryption processing and decryption processing. The other is a public key cryptosystem that uses different keys for the encryption process and the decryption process, and this public key cryptosystem is characterized by low risk even if one of the keys (public key) is disclosed. Has been.

  The latter public key cryptosystem further includes a plurality of schemes, and a typical one is RSA (Rivest Shamir Adleman) cryptosystem. However, in the public key cryptosystem, since encryption processing generally takes time, dedicated hardware is often used for processing by an electronic computer. On the other hand, the former common key encryption method is a method represented by DES (Data Encryption Standard) encryption. As an algorithm suitable for processing by an electronic computer has been devised, the encryption processing time is reduced as compared with the public key cryptosystem. Nevertheless, a considerable amount of computation is required, and the problem that the encryption process takes time remains.

  Therefore, a method (hybrid encryption method) has been proposed that uses a common key encryption method with relatively little processing time for encryption of electronic documents and files, and uses public key encryption only for encryption of the common key. . For example, in Non-Patent Document 1 and Non-Patent Document 2, cipher lists recommended for the electronic government by the Ministry of Economy, Trade and Industry are published. As an example, the block cipher described in Non-Patent Document 5 and Non-Patent Document 6, which is a public key cipher, is used for the encryption of the common key, and the stream cipher described in Non-Patent Document 4 is used for the encryption of electronic documents and files. Furthermore, the pseudo-random number generation algorithm described in Non-Patent Document 3 is recommended for generating pseudo-random numbers necessary for the encryption process.

JP 2006-260176 A JP-A-2005-322201 JP 2006-252033 A Japanese Patent No. 2887299 "E-Government Recommended Cipher List", Ministry of Economy, Trade and Industry, 2003 “Procedures for Using Cryptography in Procurement of Information Systems by Each Ministry”, Ministry of Economy, Trade and Industry, February 28, 2002 "Pseudorandom number generator MUGI specification Ver. 1.3", Hitachi, Ltd., May 8, 2002 “MULTI-S01 Cryptographic Specification Version 1.2”, Hitachi, Ltd., May 12, 2002 "128-bit block cipher Camlia algorithm specification version 2.0", Nippon Telegraph and Telephone Corporation, Mitsubishi Electric Corporation, September 21, 2001 "Federal Information Processing Standards Publication 197" November 26, 2001 Announcing the ADVANCED ENCRYPTION STANDARD (AES)

  By the way, in the conventional storage management in which the authorized person creates an access log file for investigation from the access log file of the terminal device, the non-volatile storage device holding the access log file in the terminal device or the access log file to the access log file There was a problem that access log files leaked due to unauthorized access. Furthermore, when investigating the cause of the malfunction of the terminal device, there is a possibility that confidential information may be leaked due to the person in charge or intentional error. Furthermore, it is troublesome because an authorized person needs to create an access log file for investigation from the access log file of the terminal device.

  The technique described in Patent Document 1 decrypts the confidential document file stored in the server each time on the client device side, encrypts it again after editing, and returns it to the server. However, there is a problem that it is not practical because it takes time. Further, the above method is not applicable in the usage mode in which the terminal device is not connected to the server.

  Further, the technique described in Patent Document 2 does not consider theft of the recording medium storing the access log file. Furthermore, it cannot be applied to a usage pattern in which the terminal device is not connected to the server.

  The technique described in Patent Document 3 is effective for preventing reading when the nonvolatile storage device storing the access log file is stolen. However, the capacity of the access log file varies greatly depending on the purpose of use, and may reach several hundred MB to several GB. When the access log file is concealed to a file such as image data, a capacity several hundred times larger is required. That is, the accelerator log file eventually becomes a huge file of several TB, which has a problem in practicality.

  In the technique described in Patent Document 4, it is necessary to set a confidentiality level for each confidential data in advance or insert a separator such as a blank in the original text of the confidential data. For this reason, this technique cannot be applied to a terminal device installed on a street for an unspecified number of application programs.

  Furthermore, the currently known encryption processing methods require a certain amount of calculation because all encryption methods encrypt and decrypt the entire file. Therefore, enormous processing time is required. In addition, it is necessary to insert a random number in order to realize disturbance or padding of the encryption target file, which causes a disadvantage that the data length after encryption becomes longer than the original data length.

  The present invention has been made to solve the above problems, and log files are leaked due to theft of a non-volatile storage device holding log files in a terminal device installed on a street or the like or unauthorized access to log files. It is an object to perform encryption that is difficult to decrypt for a log file and to reduce the time required for encryption in preparation for the situation.

  Furthermore, in order to avoid leakage of confidential information recorded on the recording medium due to the researcher's intention or negligence, the encrypted data is difficult to decrypt without disclosing the actual data (the confidential information part), and It is an object of the present invention to enable data identification even in the encrypted data.

  In order to solve the above-mentioned problems and achieve the object of the present invention, the first aspect of the present invention is that when log information consisting of a character string is encrypted, the log information consisting of a character string is first processed according to a predetermined rule. The confidential information and the first confidential information are decomposed, and the first confidential information obtained by decomposing the log information is encrypted by the first encryption method. Next, the date / time information and the non-confidential information obtained by disassembling the log information and the encrypted first confidential information are synthesized according to a predetermined rule to generate recording character string information. Then, the first encryption key used in the first encryption method is encrypted by the public key method to generate a decryption key, and a log file in which a plurality of recording character string information and the decryption key are recorded is generated. Then, it is stored in a nonvolatile storage unit.

  Further, the second aspect of the present invention is to further decompose the first confidential information obtained by decomposing the log information to extract second confidential information, and to extract the second confidential information by the second encryption method. Encrypt processing. The character string is different from the character string before the encryption process and is converted into a character string corresponding to the character string before the encryption process on a one-to-one basis.

  According to the present invention, even if a log file leaks to a third party due to theft of a nonvolatile storage device storing the log file or theft of the log file due to unauthorized access via a communication line, the confidentiality in the log file Information leakage can be prevented. In addition, it is possible to prevent leakage of confidential information recorded on the recording medium due to the intention or negligence of the investigator.

  Further, since only the confidential information in the log file is encrypted, the time required for encryption can be shortened. Furthermore, since the identification information in the log file is encrypted so that it can be identified even after the encryption processing, the data can be easily identified without disclosing confidential information in the investigation of the log file. .

  Hereinafter, examples of embodiments of the present invention will be described with reference to FIGS. The information processing apparatus according to the present embodiment is installed in, for example, a street or a store for the purpose of providing information to the public, reservations for public facilities, reservations and ticketing of airplane boarding passes and other tickets, and other transactions. This is an example applied to a terminal device. This terminal device detects that access or operation by a user has been performed, and generates log information in which confidential information and non-sensitive information are mixed as needed. Each log information is decomposed into confidential information and non-confidential information, the non-confidential information is recorded in plain text, and the confidential information is encrypted and recorded, thereby realizing a safe and wasteful log information encryption process. .

  FIG. 1 is an overall configuration diagram of a terminal device according to an embodiment of the present invention. As shown in FIG. 1, the terminal device 100 according to the present embodiment mainly includes an information processing device 2, a volatile storage device 12, a nonvolatile storage device 15, and a clock 22. The server 11 is communicably connected via a telecommunication line). A display 20 and a touch panel 21 are connected to the terminal device 100. As the terminal device 100 (information processing device 2) according to the present embodiment, for example, a personal computer connected to a display device can be used.

  In the present embodiment, the information processing device 2 and the volatile storage device 12, the nonvolatile storage device 15, and the clock 22 are configured separately, but some or all of them are included in the information processing device 2. You may make it provide. For example, the volatile storage device 12, the nonvolatile storage device 15, and the clock 22 may be stored in the information processing device 2 to be integrated.

  The terminal device 100 acquires application software (hereinafter referred to as “application”) based on the operation content of the user on the touch panel 21 from the server 11 and causes the display 20 to display an application window (a display area having a predetermined shape). Then, the terminal device 100 encrypts log information such as an access history and an operation history to the server 11 using a key stored in the volatile storage device 12 and writes the encrypted information in the access log file 18 of the nonvolatile storage device 15. .

  In this embodiment, the access log is taken as an example of the log information. However, the log information is not limited to the access log of the terminal device 100 (such as an access history or an operation history by the user), but the history of the overall operation of the terminal device 100. Can be obtained as

  Next, the information processing apparatus 2 that is one of the components of the terminal apparatus 100 will be described. The information processing apparatus 2 includes a control unit (not shown) including, for example, a CPU (Central Processing Unit), and operates a WEB browser 1 having an encryption processing function under the control of the control unit. The WEB browser 1 includes an HTML display / processing unit 3, a function button display / processing unit 4, a URL character string decomposition unit 5, a common key encryption unit 6, a one-way encryption unit 7, and a recording The functions of the combining units 8a and 8b, the key organization unit 9, and the public key encryption unit 10 are provided. The program of the WEB browser 1 may be recorded in a ROM (not shown) in the information processing apparatus 2 or the nonvolatile storage device 15.

  The HTML display / processing unit 3 constitutes a display processing unit (log information generating means) together with the function button display / processing unit 4. The HTML display / processing unit 3 acquires an application described in HTML from the server 11 based on the operation content of the touch panel 21, processes the application, and displays an application window on the display 20.

  The function button display / processing unit 4 displays the function buttons on the display 20 and transmits information based on the function button operation performed from the touch panel 21 to the HTML display / processing unit 3.

  Further, when a URL character string in which non-confidential information and confidential information are mixed is input from the HTML display / processing unit 3, the URL character string decomposing unit 5 decomposes the character string into a non-confidential information portion and a confidential information portion. At the same time, a part of the confidential information part is extracted. The URL character string decomposing unit 5 outputs the decomposed non-confidential information portion to the recording combining unit 8a, and the confidential information portion and a part of the confidential information unit are shared by the recording combining unit 8a. The data is output to the key method encryption unit 6 and the one-way encryption unit 7.

  The common key system encryption unit 6 is an example of a first encryption unit. The common key encryption unit 6 encrypts the character string input from the URL character string decomposition unit 5 using the common key 13 stored in the volatile storage device 12 using the common key encryption method (the first key). 1) and outputs the encrypted character string to the recording composition unit 8a.

  The one-way encryption unit 7 is an example of a second encryption unit. The one-way encryption unit 7 converts the character string input from the URL character string decomposition unit 5 into the same ciphertext if the same plaintext is used using the one-way key 14 stored in the volatile storage device 12. Encryption (second encryption) is performed, and the encrypted character string is output to the recording composition unit 8a. The one-way encryption here refers to conversion into a character string different from that before the encryption process and a character string corresponding to the character string before the encryption process on a one-to-one basis. The encryption key used for the one-way encryption process, that is, the one-way key 14 may be discarded to make decryption after encryption difficult. As a result, it is extremely difficult to decrypt the encrypted character string, but the character string before encryption can be determined from the encrypted character string.

  Further, the recording composition unit 8a and the recording composition unit 8b synthesize a plurality of input character strings in a predetermined format. The record composition unit 8a adds the character string of the date and time information output from the clock 22 and the URL character string to the character strings input from the URL character string decomposition unit 5, the common key encryption unit 6, and the one-way encryption unit 7. The contents of the log information input from the disassembling unit 5 are combined by adding additional information that is simply expressed by symbols. On the other hand, the recording synthesizing unit 8 b synthesizes the date and time information output from the clock 22 and the additional information that is the operation content of the function button display / processing unit 4. The character strings (recording character string information) generated by the recording composition unit 8 a and the recording composition unit 8 b are recorded in the nonvolatile storage device 15 as the access log file 18. The recording combining unit 8a and the recording combining unit 8b may be integrated.

  The key generation unit 9 generates a common key 13 and a one-way key 14 used for character string encryption. After generating the key, the key generation unit 9 outputs only the common key to the public key encryption unit 10. The key generated by the key generation unit 9 is stored in the volatile storage device 12.

  The public key system encryption unit 10 encrypts the common key 13 output from the key generation unit 9 using the encryption public key 17 provided from the nonvolatile storage device 15. Here, the encrypted common key 13 is recorded at a predetermined position in the log file.

  The volatile storage device 12 is composed of, for example, a RAM (Random Access Memory). The volatile storage device 12 stores the common key 13 and the one-way key 14 generated by the key generation unit 9. The common key 13 is used for the encryption process of the common key method encryption unit 6. The one-way key 14 is used for the encryption process of the one-way encryption unit 7.

  The nonvolatile storage device 15 is composed of, for example, a ROM (Read Only Memory). The nonvolatile storage device 15 stores an encryption item designation table 16, an encryption public key 17, and an access log file 18. In the encryption item specification table 16, a character string (encryption item) to be encrypted by the one-way encryption unit 7 is registered. The encryption public key 17 is a public key for encrypting a key generated by the information processing apparatus 2 as will be described later. The access log file 18 is an example of log information, and includes an access history to the terminal device, an operation history, and the like.

  Next, actual log information acquisition processing will be described by taking the operation of the facility reservation application as an example. FIG. 2 shows an example of screen transition by the facility reservation application using the WEB browser 1. The display screen includes an application window written in HTML and a function button of the WEB browser. On the application window described in HTML, several link buttons with names such as facility names, availability and reservation confirmation are arranged.

  Here, the function buttons are “return”, “forward”, “first”, “up”, “down”, “right”, “left”, “print” at the bottom of the window 501. A generic term for buttons. An application window refers to a display area other than the function button portion displayed on the screen. In FIG. 2, the URL character string 316 shown above the initial screen 501 corresponds to the URL of the initial screen 501.

  For example, it is assumed that the user selects the link button “tennis court” on the touch panel 21 on the public facility reservation initial screen 501. At this time, the HTML display / processing unit 3 of the terminal device 100 detects the user's operation and requests the server 11 for an application “select desired tennis court date” linked to the URL character string 317. Then, the terminal apparatus 100 acquires the “tennis court desired day selection” application described in HTML or the like transmitted from the server 11. The acquired application causes the display 20 to display a desired date selection screen 502 for selecting “desired tennis court date” based on the application acquired by the HTML display / processing unit 3. Here, as for the URL character string 317, the character string “?” And “tennis court” are selected as the URL “yoyaku.cgi” of the screen 502 to be displayed next as a result of the operation performed on the facility reservation initial screen 501. The character string “sel = 1” indicating that is added.

  A desired date selection screen 502 is an example of an application window for selecting a desired date for tennis court reservation. In this desired date selection screen 502, a calendar for January is described. Here, it is assumed that the user selects the desired date 25 on the touch panel 21. Then, the HTML display / processing unit 3 displays a usage time zone selection screen 503 for selecting “tennis court January 25 usage court / time zone” linked to the URL character string 318. Here, the URL character string 318 above the usage time zone selection screen 503 adds a character string “date = 210125” indicating that “January 25” has been selected to the URL character string 317 of the desired date selection screen 502. However, they are separated by the character string “&”.

  On this use time zone selection screen 503, a table showing the usage status of tennis courts on January 25 is displayed. The vertical items (A to E) are the types of courts and the horizontal items (7 to 15). Represents the time zone. In this table, “○” is displayed when the tennis court can be reserved, and “X” is displayed when the reservation is impossible. For example, it is assumed that the court A and the use time zone 11:00 are selected. Then, the HTML display / processing unit 3 and the function button display / processing unit 4 display the user ID input screen 504 linked to the URL character string 319. Here, the URL character string 319 includes information character strings “court = A” and “time = 11” indicating that “Court A • 11 o'clock” is selected in the URL character string 318 of the usage time zone selection screen 503. They are added and separated by the character string “&”.

  On the user ID input screen 504, the user operates a numeric button on the touch panel 21 and inputs a user ID, for example, “31416”. After entering the user ID, the HTML display processing unit 3 and the function button display / processing unit 4 display a password input screen 505 linked to the URL character string 320. Here, the URL character string 320 is a form in which a character string “id = 31416” indicating the input user ID is added to the URL character string 319 of the user ID input screen 504 and separated by the character string “&”. It has become.

  On the password input screen 505, the user operates a number button on the touch panel 21 to input a password, for example, “5963”. After the password is input, the HTML display / processing unit 3 and the function button display / processing unit 4 perform the same processing as described above, and displays the reservation result confirmation screen 506 linked to the URL character string 301. Here, the URL character string 301 has a form in which a character string “pw = 5963” indicating the password input to the URL character string 320 of the password input screen 505 is added and separated by the character string “&”. When the first button is selected on the reservation result confirmation screen 506, the screen returns to the initial screen 501. A predetermined encryption process is performed on log information including each URL character string corresponding to each operation described above, and then recorded in the access log file 18 of the nonvolatile storage device 15.

  For URLs including “xxx.cgi” as in the URL character strings 301 and 317 to 320 described above, a program written in a programming language called, for example, Perl is stored on the server 11. Is executed. The information processing apparatus 2 receives screen data written in HTML generated by executing this program, and displays an application window on the display 20. The character string after “?” After the URL character string “xxx.cgi” is an argument passed to the program. In general, the URL character string “xxx.cgi” is the same part. By specifying a number with an argument, you can display a different application window or display a calendar for a specific month by specifying a date. .

  Next, log information encryption processing by the information processing apparatus 2 will be described. FIG. 3A shows a procedure of access log encryption processing. Here, the encryption processing of the reservation result confirmation screen 506 URL character string 301 of the facility reservation application shown in FIG. 2 will be described as an example. The URL character string 301 is “http: //.../yoyaku.cgi? & Pw = 5963 & id = 31416 & court = A & time = 11 & date = 210125 & sel = 1”, and “31416” is an ID (identification) Information), and “5963” corresponds to the password portion. Both the user ID and the password are confidential information.

  Generally, the URL is written in a format called a query character string. In the query character string, the character string before the character “?” Indicates a character string for specifying a file on the server in the URL body, and the character string after the character “?” Indicates an argument. The argument is a method in which a plurality of terms (character strings) in which the name and value are connected by the character “=” are separated by the character “&”. That is, it can be determined that there is confidential information after the character “?” In the URL character string 301.

  Therefore, the URL character string decomposing unit 5 first regards the character string before the character “?” In the URL character string as the non-confidential information 304, and regards the character string after the character “?” As the first confidential information 305, and the URL character. Decompose column 301. If it is known that the same character string as the delimiter code such as the character “/” appears multiple times, it may be decomposed at the position of some delimiter code. Furthermore, even if it is not in the general grammar of the URL, for example, a character string of one or more characters such as a character string “yoyaku.cgi” may be designated and processed as a delimiter. That is, the target character string is divided based on a predetermined character or a predetermined character string included in a character string constituting log information such as a URL character string.

  When the URL character string 301 includes the character string of the first confidential information 305, the common key method encryption unit 6 uses the common key 13 stored in the volatile storage device 12 and uses the common key encryption method (first The first confidential information 305 is encrypted by the encryption method. Then, the common key encryption unit 6 inputs information 306 including the encrypted character string to the recording composition unit 8a. On the other hand, the character string of the non-confidential information 304 is input to the recording composition unit 8a as plain text.

  Here, a case where the user ID is information necessary for identifying a user in a survey or the like will be described. In this case, the user ID part is encrypted by a one-way encryption method (second encryption method), so that only the user can be identified while keeping the actual data secret. If the encryption process is performed with the, the same character string is converted into the same character string. Therefore, if a character string that is easy to estimate with the same character string, such as “pw =” or “time =”, is included in the range (character string) to be encrypted, it becomes vulnerable to a cryptanalysis attack. Therefore, it is desirable to limit the items to be encrypted by the one-way encryption unit 7 to the minimum necessary. For example, by further disassembling the URL character string 301 and encrypting only predesignated items using the one-way encryption method, damage of information leakage can be minimized even if it is decrypted.

  A method of encrypting only the items designated in advance in the confidential information by the one-way encryption method will be specifically described. First, a character string to be compared with a character string on the left side of the character “=” is registered in the encryption item designation table 16 and stored in the nonvolatile storage device 15 in advance.

  For example, it is assumed that the character string “id” is registered in the encryption item designation table 16 as an item (character string) to be encrypted in the one-way encryption unit 7. As described above, when the URL “string” 301 of the reservation result confirmation screen 506 is decomposed by regarding the character “&” as a delimiter, the following six character strings “sel = 1”, “date = 210125”, “ It is decomposed into “time = 11”, “court = A”, “id = 31416”, and “pw = 5963”. The URL character string decomposing unit 5 determines that the item “id” registered in the encrypted item specification table 16 matches “id” in the URL character string 301, and the right character of the character string “id = 31416”. The column “31416” is extracted as the second confidential information 307. Then, the second confidential information 307 is one-way encrypted by the one-way encryption unit 7, and the encrypted second confidential information 308 is input to the recording composition unit 8a.

  The second confidential information 308 is a character string that is different from the character string before the encryption process and has a one-to-one correspondence with the character string before the encryption process. Thereby, the character string before encryption can be discriminated from the character string after encryption. Therefore, the investigator can identify a specific user ID and other user IDs.

  The HTML display / processing unit 3 of the information processing apparatus 2 acquires date and time information as a character string from the clock 22 when the URL character string is sent to the server 11.

  In parallel with or after the URL character string 301 decomposition process and the subsequent encryption process, the recording composition unit 8a obtains the date information 302 and the additional information 303. First, the recording composition unit 8 a obtains the date / time information 302 from the clock 22 when the HTML display / processing unit 3 obtains an application corresponding to the URL character string 301 from the server 11. The date / time information 302 may be the date / time when the recording character combination unit 8a obtains the URL character string in a state of being decomposed and encrypted. Further, additional information 303 representing the contents of the log information is obtained from the HTML display / processing unit 3 constituting the log information generating means via the ULR character string decomposing unit 5. In this example, since it is an access history to WEB, the additional information 303 is “URL”.

  Then, the recording combining unit 8a combines the date / time information 302, the additional information 303, the plaintext non-confidential information 304, the encrypted first confidential information 306, and the encrypted second confidential information 308 into one. Thus, a recording character string 309 is created. At this time, a delimiter code 312 is added between the character strings corresponding to the pieces of information to synthesize them. Thereafter, the recording character string 309 is added to the access log file 18 of the nonvolatile storage device 15. As an example of the delimiter 312, for example, an ASCII character code delimiter code is used. If the same data (character) as the delimiter code exists, the delimiter code may be added for identification.

  By the way, for example, the access log generated by the operation of the function button on the application window includes only the date / time information 302 and the additional information 303 and does not have a URL character string. For example, when the first button is selected on the reservation result confirmation screen 506 in FIG. 2, a character string “HOME” is added as additional information 303 from the function button display / processing unit 4 as shown in FIG. The date and time information 302 when the operation is performed is input to the recording composition unit 8b. The recording synthesizing unit 8 b generates a single recording character string (record) 310 by synthesizing the character strings of the date information 302 and the additional information 303, and appends them to the access log file 18.

  FIG. 4 is an example of the access log file 18 described in a text format. The common key 13 used for encryption of confidential information by the common key system encryption unit 6 is described in a predetermined position of the access log file 18, for example, in the first line. However, as described above, the common key 13 is encrypted by the public key encryption unit 10 using the encryption public key 17 and is described in the accelerator log file 18 as text data. In the second line, a recording character string 309 generated by the recording composition unit 8a is described. The third line describes a recording character string 310 in which date information 302 generated when a function button is operated and additional information 303 are synthesized.

  In the example of the accelerator log file 18 shown in FIG. 4, only the recording character strings 309 and 310 are described, but actually, the recording character strings corresponding to each log information are in the order of acquisition of the log information (date and time). (In order). For example, in the example of the application operation shown in FIG. 2, URL character strings 316 to 320 and 301 are described in the access log file 18 in the order of the user operation.

  Next, a browsing device for browsing the access log file 18 encrypted by the terminal device 100 of the present embodiment will be described. FIG. 5 is a configuration example of a browsing device 200 for browsing the access log file 18 encrypted by the encryption processing of the present invention. As an example, the browsing device 200 can include a browsing processing device 23, a volatile storage device 212, a nonvolatile storage device 215, and a display 220. Here, the removable medium 19 in which the access log file 18 is stored in the browsing device 200 is connected to the browsing device 200 via an interface (not shown). As the browsing device 200 according to the present embodiment, for example, a terminal device such as a personal computer equipped with a display device can be used.

  The browsing processing device 23 constituting the main body of the browsing device 200 includes a log cutout unit 24, a common key method decryption unit 25, a synthesis unit 26, and a public key method decryption unit 27. The browsing processing device 23 may be configured by a computer system, and the functions of each unit may be realized by software described in a program language. Alternatively, the functions of each unit may be realized by hardware as a configuration by a dedicated device. It may be. The software program may be recorded in a ROM (not shown) in the browsing processing device 23 or in the nonvolatile storage device 215.

  The public key method decrypting unit 27 encrypts and records the common key 13 that is encrypted and recorded at a predetermined position (first line in the example of FIG. 4) of the access log file 18 that is copied and carried to the removable medium 19. The decryption secret key 28 stored in the key is decrypted and the common key 13 is generated.

  The log cutout unit 24 decomposes the access log records (character strings) recorded after the second record (second line) of the access log file 18 into plain text non-confidential information and encrypted confidential information, The plaintext non-confidential information is transmitted to the combining unit 26, and the encrypted confidential information is transmitted to the common key method decrypting unit 25.

  The common key method decrypting unit 25 has a function of decrypting the confidential information encrypted using the common key 13 and sending the decrypted confidential information to the synthesizing unit 26.

  The synthesizing unit 26 has a function of appropriately synthesizing the plaintext non-confidential information obtained by the log cutout unit 24 and the secret information decrypted by the common key method decrypting unit 25 and transmitting them to the display 220.

  FIG. 6 is a diagram showing a procedure for decrypting an access log encrypted by the encryption method of the present invention. The access log decoding procedure shown in FIG. 6 will be described with reference to FIG. First, the browsing processing device 23 extracts the access log (recording character string) 309 to be decoded from the access log file 18 one record at a time and sends it to the log cutout unit 24. Next, the log cutout unit 24 uses the delimiter 312 to divide the access log (character string for recording) 309 into plaintext non-confidential information 313 and 304 and confidential information 306 encrypted by the first encryption method. To the confidential information 308 encrypted by the second encryption method.

  Here, the log cutout unit 24 sends the non-confidential information 313 and 304 to the synthesizing unit 26, and sends the confidential information 306 encrypted by the first encryption method to the common key method decrypting unit 27. On the other hand, the confidential information 308 encrypted by the second encryption method is discarded because it is redundantly included in the confidential information 306 encrypted by the first encryption method in this embodiment. That is, delete.

  Then, the common key method decryption unit 25 decrypts the confidential information 306 encrypted by the first encryption method into the plaintext confidential information 305 using the common key 13 and sends it to the synthesis unit 26. Finally, the synthesizing unit 26 synthesizes the non-confidential information 313 and 304 and the decrypted confidential information 305 to create the URL character string 301 before encryption of the recording character string 309 and displays it on the display 220. As a result, the access log that has been encrypted by the investigator or the like can be viewed on the display 220.

  FIG. 7 shows a procedure for decoding the access log created by the function button operation. First, the access log (URL character string) 301 recorded by the function button operation recorded in the access log file 18 is input to the log cutout unit 24. The log cutout unit 24 sends the function button operation access log 310 to the synthesis unit 26 because it does not have encrypted information. Then, the composition unit 26 outputs the input function button operation access log 310 as it is to the display 220 and displays it on the screen.

  FIG. 8 is a configuration example of a browsing apparatus for browsing only the non-confidential information and the one-way encrypted confidential information portion of the access log file encrypted according to the present invention. In this example, it is not necessary to decrypt the one-way encrypted confidential information part. Therefore, the browsing device 210 excludes the volatile storage device 212 and the nonvolatile storage device 215 that store keys, the common key method decryption unit 25 that performs decryption, and the public key method decryption unit 27 from the viewing device 200 illustrated in FIG. It has a configuration.

  FIG. 9 is a diagram showing a reading procedure in which the confidential information of the access log encrypted by the encryption method of the present invention is concealed. The access log reading procedure of FIG. 9 will be described with reference to FIG. When performing such a reading procedure, the browsing processing device 23 extracts the access log (recording character string) from the access log file 18 one record (one line) at a time, and sends it to the log cutout unit 24 of the browsing processing device 23. The log cutout unit 24 uses the delimiter 312 to extract the access log (character string for recording) 309 as plain text non-confidential information 313 and 304 and confidential information encrypted by the first encryption method. 306 and the confidential information 308 encrypted by the second encryption method.

  Then, the log cutout unit 24 sends the non-confidential information 313 and 304 to the synthesizing unit 26 and sends the confidential information 308 to the synthesizing unit 26. The confidential information 306 portion is discarded. The synthesizing unit 26 synthesizes the plaintext non-confidential information 313 and 304 and the confidential information 308 encrypted by the second encryption method, creates a URL character string 311, and outputs it to the display 220. As a result, the access log that has been encrypted by the investigator or the like can be viewed on the display 220.

  When the URL character string 311 synthesized by the synthesizing unit 26 includes a code (character, symbol, etc.) that is not a character code that can be displayed on the display 220, the URL character string 311 is converted into a character code representing a hexadecimal number and displayed. Show it. In the present embodiment, the access log is displayed on the display 220 and viewed by the person in charge of the survey. Therefore, there is a case where it is necessary to convert a code that cannot be displayed on the display 220 into a character code representing a hexadecimal number. . However, when the character code is used for input of other application software, a person skilled in the art may perform code conversion as appropriate.

  According to the browsing apparatus 210 having the above configuration, the URL character string 311 (see FIG. 9) that does not include the confidential information 306 does not have all the information of the original URL character string 301 (see FIG. 3). This information is useful for specific applications such as cause analysis.

  Note that the browsing device 210 outputs the confidential information output to the combining unit 26 in accordance with the encryption method applied to the confidential information sent from the log cutout unit 24 by the common key method decryption unit 25 of the browsing device 200 shown in FIG. A configuration may be adopted in which information is switched.

  According to the above-described embodiment of the present invention, information recorded in the access log file 18 (for example, a URL character string) is automatically separated from the confidential information 305 using a general URL format delimiter. Disassembled into confidential information 304. The non-confidential information 304 is recorded in plain text, and the confidential information 305 is encrypted and recorded in the access log file 18, thereby reducing the amount of data to be encrypted and increasing the speed. Further, a common encryption key method key is generated when the access log is generated, and the common encryption key method key is encrypted by a public key encryption method (hereinafter referred to as a first encryption method). As a result, decryption becomes difficult, and a key used for encryption is not easily found even when a nonvolatile storage device such as a hard disk storing the access log file 18 is stolen. In addition, confidential information (user ID, etc.) that is necessary only for the identification of the user while keeping the original data before encryption is encrypted (hereinafter referred to as the second ciphertext) if it is the same plaintext. By using the (encryption method) method and discarding the used encryption key, the one-way encryption is performed to make decryption difficult.

  Further, as described above, according to the first encryption method, by utilizing the fact that a predetermined rule, for example, a rule called a URL query character string, is followed, the character “?” And the character “?” ? "And thereafter are regarded as a confidential information part, and the URL character string is decomposed and encrypted. Thereby, regardless of the intention of the manufacturer of the WEB browser, it is possible to cope with even the URL character string of the application program created by an arbitrary manufacturer.

  Further, it is possible to reduce the risk when log information including confidential information is leaked due to theft of the nonvolatile storage device storing the access log file or theft of the access log file due to unauthorized access via the communication line. In addition, when the confidential information included in the log information is necessary only for identification of a user who has used the terminal device in the past, the confidential information used for identification of the user is encrypted in a form that is difficult to decrypt. Therefore, it is possible to reduce the risk of information leakage due to intention or negligence. Furthermore, since the non-confidential information is not encrypted when the access log file including the confidential information is encrypted, the encryption process can be speeded up.

  In the case of an application that does not require the confidential information part used for user identification such as the user ID of the access log file 18, the terminal device 100 of FIG. 1 is configured not to have the one-way encryption unit 7. Also good. In that case, the one-way key 14 stored in the volatile storage device 12 is also unnecessary. In addition, the structure of the browsing apparatus 200 shown in FIG. 5 is the same. However, the browsing device 200 executes a process in which there is no confidential information portion 308 encrypted by the second encryption method in the recording character string 309 illustrated in FIG.

  In addition, in the case where the information necessary for identification, that is, the second confidential information exists as a part of the first confidential information, but does not need to record all of the first confidential information, the terminal shown in FIG. The apparatus may be configured without the common key system encryption unit 6. In this case, the common key 13, the public key encryption unit 10, and the encryption public key 17 are also unnecessary. In FIG. 3, although the first confidential information 305 is extracted from the URL character string 301, it is not synthesized by the recording synthesizing unit 8a where encryption is performed.

  Further, in the terminal device 100 and the browsing devices 200 and 210, a recording medium in which a program code of software that realizes the functions of the above-described embodiments is supplied to the system or apparatus, and the computer (or CPU or the like) of the system or apparatus Needless to say, this can also be achieved by reading and executing the program code stored in the recording medium.

  Furthermore, in the above-described embodiment, the example in which the log information generation unit is applied to the HTML display / processing unit 3 and the function button display / processing unit 4 has been described. However, the presence / absence or movement of an object is detected and based on the detection result. You may apply to the object detection sensor which produces | generates log information. Alternatively, for example, read and write data recorded in a contactless magnetic card such as a cash card or a non-contact magnetic card used in a train commuter pass, and read / write contents of the data. You may apply to the reader / writer etc. which produce | generate the log information which shows a log | history.

It is a whole block diagram of the terminal device which concerns on one Embodiment of this invention. It is the figure which showed the screen transition based on the application process of the facility reservation which concerns on one Embodiment of this invention. It is a figure which shows the procedure of the encryption process of the access log which concerns on one Embodiment of this invention. It is an example of the access log file described in the text format which concerns on one Embodiment of this invention. It is a structural example of the browsing apparatus which concerns on one Embodiment of this invention. It is a figure which shows the procedure of the decoding process of the encrypted access log which concerns on one Embodiment of this invention. It is a structural example of the browsing apparatus which concerns on one Embodiment of this invention. It is a figure which shows the decoding procedure of the access log of the browsing apparatus which concerns on one Embodiment of this invention. It is a figure which shows the read-out procedure which concealed the confidential information of the encrypted access log which concerns on one Embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... WEB browser, 2 ... Information processing apparatus, 3 ... HTML display / processing part, 4 ... Function button display / processing part, 5 ... URL character string decomposition part, 6 ... Common key system encryption part, 7 ... One-way encryption 8, a recording composition unit, 9 a key generation unit, 10 a public key encryption unit, 12 a volatile storage device, 13 a common key, 14 a one-way key, 15 a nonvolatile storage device, DESCRIPTION OF SYMBOLS 16 ... Encryption item designation | designated table, 17 ... Public key for encryption, 18 ... Access log file, 20 ... Display, 21 ... Touch panel, 22 ... Clock, 23 ... Viewing processing apparatus, 24 ... Log extraction part, 25 ... Common key System decryption unit, 26 ... synthesis unit, 27 ... public key system decryption unit, 28 ... private key for decryption, 220 ... browsing device, 212 ... volatile storage device, 301 ... URL character string, 302 ... date and time information, 303 ... addition Information, 304 ... non-confidential information 305 ... first confidential information, 306 ... encrypted first confidential information, 307 ... second confidential information, 308 ... second confidential information encrypted in one direction, 309 ... recording character string, 310 ... Recording character string, 312 ... Delimiter, 315 ... Encrypted common key

Claims (8)

A character string decomposing unit that decomposes log information formed of an arbitrary character string generated by the information processing apparatus into non-confidential information and first confidential information according to a predetermined rule;
A first encryption unit that encrypts the first confidential information obtained by decomposing the log information using a first encryption method;
A clock part,
The date / time information supplied from the clock unit, the non-confidential information obtained by disassembling the log information, and the encrypted first confidential information are combined according to a predetermined rule to obtain character string information for recording. A recording composition unit to be generated;
The recording character string information generated by the recording composition unit is stored in a log file together with a decryption key obtained by encrypting the first encryption key used in the first encryption method with a predetermined public key. An information processing apparatus comprising: a non-volatile storage unit. The information processing apparatus according to claim 1,
A display processing unit that detects user operation content, generates an image to be displayed on the screen of the display device, and generates log information according to the user operation content;
The information processing apparatus, wherein the character string decomposition unit obtains the log information from the display processing unit, and decomposes the log information into non-confidential information and first confidential information according to a predetermined rule. The information processing apparatus according to claim 1,
The character string decomposing unit divides a character string constituting the log information based on a predetermined character included in the character string constituting the log information or a predetermined character string. apparatus. The information processing apparatus according to claim 1,
A second encryption unit that performs encryption processing by the second encryption method;
The character string decomposition unit further decomposes the first confidential information obtained by decomposing the log information to extract second confidential information, and the second encryption unit performs second encryption on the second confidential information. An information processing apparatus characterized by performing encryption processing in accordance with a method and converting the character string to a character string that is different from the character string before the encryption processing and corresponding to the character string before the encryption processing. The information processing apparatus according to claim 4,
The non-volatile storage unit stores an encryption item designation table in which encryption items to be encrypted by the second encryption unit are registered,
The character string decomposing unit extracts a character string that matches an encrypted item registered in the encrypted item designation table from the first confidential information, and the second encrypting unit extracts from the first confidential information. An information processing apparatus, wherein the character string is encrypted by a second encryption method. The information processing apparatus according to claim 4,
Temporarily storing a first encryption key used for encryption processing by the first encryption unit and a second encryption key used for encryption processing by the second encryption unit in a volatile storage unit; An information processing apparatus characterized by the above. Decomposing log information consisting of character strings into non-confidential information and first confidential information according to a predetermined rule;
A step of encrypting the first confidential information obtained by decomposing the log information by a first encryption method;
Synthesizing date and time information, non-confidential information obtained by disassembling the log information and the encrypted first confidential information according to a predetermined rule, and generating character string information for recording;
Generating a decryption key by encrypting a first encryption key used in the first encryption method by a public key method;
Generating a log file in which the character string information for recording and the decryption key are recorded, and storing the log file in a non-volatile storage unit. A procedure for decomposing log information consisting of character strings into non-confidential information and first confidential information according to a predetermined rule;
A procedure of encrypting the first confidential information obtained by decomposing the log information by a first encryption method;
A procedure for synthesizing date / time information, non-confidential information obtained by disassembling the log information and the encrypted first confidential information in accordance with a predetermined rule, and generating character string information for recording;
A procedure for generating a decryption key by encrypting a first encryption key used in the first encryption method by a public key method;
A log information encryption program for causing a computer to execute a procedure of generating a log file in which the recording character string information and the decryption key are recorded and storing the log file in a nonvolatile storage unit.

Images