JP2009093670A - File security management system, authentication server, client device, program and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a management system, an authentication server or the like, capable of improving security in a file security management system including a client device encrypting a file and/or using an encrypted file and an authentication server. <P>SOLUTION: A file former (client device 30a) sets and registers an use authority for permitting a file to be encrypted and a user thereof by use of an exclusive viewer 32. A user (client device 30b) which received the encrypted file receives the authentication by the authentication server 20 by use of the exclusive viewer 32, whereby the encrypted file can be decoded and used within the range of the use authority permitted to the user. Accordingly, since a key and the decoded file are never left in the user, the safety can be improved. Since the authentication server transmits a warning to the file former or the like when the authentication result is negative, a person involved can immediately investigate the cause. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a security management system, an authentication server, a client device, a program, and a recording medium that prevent unauthorized use of a file in which digital content is recorded. In particular, the client device and the client device are a user and a user. Security of a file consisting of an authentication server that authenticates users who use encrypted files created by setting permission to use and manages key information for decrypting the encrypted files The present invention relates to a management system, an authentication server, a client device, a program, and a recording medium.

  With the development of information processing technology and communication network technology in recent years, various digital contents such as documents, graphics, images, and databases (hereinafter referred to as digital information) are sold via a network, or a plurality of organizations or projects belonging to a company. It is becoming common for people to work while using digital information created in file format.

  However, these digital information can be easily copied, and even if the copy is repeated many times, the information does not deteriorate, and it is possible to illegally create a copy and use it without obtaining proper use rights. There is a problem that it is easy. In addition, there is a lot of highly confidential information in the digital information in the company, and it is also possible to illegally infiltrate the network in the company and steal the secret information. Therefore, there is a problem that it can be taken out easily. Furthermore, when such digital information is transmitted / received between related parties via a communication network such as the Internet, it is possible that a third party can steal the digital information from the network if it has certain knowledge. There are also points.

  Various techniques have been developed to deal with such problems, and among them, a digital information encryption technique is often used. Various encryption algorithms have been developed for this purpose, and generally widely used encryption techniques convert normal plaintext into ciphertext that cannot be easily decrypted or restore it to its original state. Encryption / decryption (also called plain culture) conversion is performed by an encryption algorithm controlled by an encryption key.

  There is a method called asymmetric public key encryption as a typical encryption method. In this public key cryptosystem, each person (or each terminal) creates a pair of encryption key and plain culture key, discloses the encryption key (also called public key), and secrets the plain culture key (secret key). (Also called). Anyone who wants to send a ciphertext to A converts a plaintext into a ciphertext using a public key (encryption key) disclosed by A. Only the receiver A having the secret key (plain culture key) can plainly understand the ciphertext. Therefore, it is not necessary to distribute the key with this method.

  In addition, a non-target encryption system using a common key that is common for encryption and decryption is adopted, and the encrypted common key is sent to the user at the same time as the encrypted digital information, and only users who know the common key. There is also a method of adopting a system that can decipher. Furthermore, a method called a digital signature is also known. In this method, information concealment and authentication are performed simultaneously. That is, the sender encrypts with his / her secret plain culture key, and further encrypts with the receiver's public key and transmits. The receiver does a plain culture with his private key, and further plains with the sender's public key.

  However, when a scheme for encrypting digital information using these encryption algorithms is adopted, encryption or plaintext can be used regardless of whether the method uses a common key or a method that uses a public key and a private key. Key management required for culture is an important issue. In other words, the security of the file, that is, the digital information cannot be maintained unless authentication of the creator and user of the file in which the digital information is recorded and management of the encrypted file and key transferred between the two are not properly performed.

  For example, as shown in FIG. 14, when (I) creator A creates a file in which digital content is recorded and encrypts the file and permits use to user B, creator A uses (III) encryption. The encrypted file C is sent to the user B via the network or other means. At this time, there is (IV) a method of transmitting the key D for decrypting the encrypted file to the user B by another route. The user B can restore and use the file created by the creator A by decrypting the received encrypted file with the key D received by another route. The creator A manages the (II) key by itself. In such a system, (V) the key D remains at the hand of the user B, and the decrypted file information can also remain. Therefore, it is impossible to eliminate the risk that a key or a decrypted file will be leaked from the hand of user B to a malicious third party. This is basically the same in the encryption method using the public key and the secret key, and is the difference that the secret key is at hand of the user B from the beginning.

  Therefore, a key center, which is a third party organization, is interposed between the file creator and users who are individual users, and after the individual authentication of each user at the key center, the file creator to the user An electronic authentication method that mediates communication of a key to is disclosed in Patent Document 1 below. In other words, the electronic authentication method disclosed in Patent Document 1 is provided with a certification center that is a key center between individual users. (I) Each user registers information for personal authentication in the key center. Keep it. (II) When user A (file creator) sends a file to user B (file user), A sends a communication key (encrypted key) addressed to B to the key center. (III) User A sends a file encrypted with a communication key to user B. (IV) The key center communicates with the user B to authenticate the user B. (V) If the authentication of the user B is OK, the key center sends the communication key addressed to B, which is deposited from A, to B. (VI) User B decrypts the file (encrypted with the communication key) received from A using the communication key sent from the key center. The procedure is as follows.

JP 2001-144745 A (FIG. 1)

  However, in the electronic authentication method disclosed in Patent Document 1, a key center is interposed between the file creator and the file user, and the key center performs user authentication and then the key deposited from the file creator. (Key for decrypting encrypted file) is sent to the file user, and the security function is slightly improved by the user authentication step in between, but the key and decryption are at hand of the user. Since the file remains, there is a problem that the problem described in FIG. 14 is not essentially solved.

  The inventor of the present application has conducted various studies to solve the above problems, and as a result, an authentication server is interposed between the client devices, the client device communicates with the authentication server using a dedicated viewer, and is used for an encrypted file. By setting the file security system so that the user and the usage authority information can be set, the user can only perform operations within the scope of the usage authority on the dedicated viewer, the above problem can be solved. The present inventors have found that this can be solved and have completed the present invention.

  That is, the present invention has an object to solve the above-described problems, and the client device and the user who uses the encrypted file created by setting the usage authority permitted by the client device to the user and the user are used. In a file security management system comprising an authentication server that performs authentication and manages key information for decrypting the encrypted file, the system and authentication server, client device, program, and recording with improved security functions The purpose is to provide a medium.

  Moreover, it is preferable that this security service can be mutually used between customers of this security system without disclosing each other's user information. Alternatively, if the security service can be used between a customer of the security service and a third party who has not subscribed to the service, the convenience can be further improved. For this reason, the present invention provides a file security system and an authentication server, a client device, a program, and a recording medium that enable file encryption and use of the encrypted file beyond the boundaries of the customer. Objective.

In order to solve the above-mentioned problem, the invention according to claim 1 of the present application is a file security management system comprising a plurality of client devices having a dedicated viewer connected to an authentication server via a network.
When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting A client device comprising authentication registration means for registering the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. A client device comprising decryption means for decrypting the received encrypted file;
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, key information for decrypting the encrypted file, and an encrypted file registered from the client device. A file management database storing identification information, user and usage authority information, and an authentication means for authenticating a user and the set user by referring to the database based on an authentication request from a client device The authentication server includes an authentication server that transmits usage authority information and key information set for the encrypted file to the client device when the authentication result is affirmative.

The invention according to claim 2 of the present application is an authentication server that is connected to a plurality of client devices having dedicated viewers connected via a network and performs authentication of file security management.
When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting A client device comprising authentication registration means for registering the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. Communicating with a client device comprising decryption means for decrypting the received encrypted file,
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, key information for decrypting the encrypted file, and an encrypted file registered from the client device. A file management database storing identification information, user and usage authority information, and an authentication means for authenticating a user and the set user by referring to the database based on an authentication request from a client device If the authentication result is affirmative, the use authority information and key information set for the encrypted file are transmitted to the client device.

In the invention according to claim 3 of the present application, when encrypting a file, encryption is performed by setting a user of the file and a usage right permitted to the user through a dedicated viewer and encrypting the file. A client apparatus comprising: means and authentication registration means for registering encrypted file identification information, set user and use authority information in an authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. In a computer constituting an authentication server that communicates with a client device having a decrypting means for decrypting the received encrypted file,
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered based on an authentication request from a client device, key information for decrypting the encrypted file, and Executes a function as an authentication means for authenticating a user and the set user by referring to the file management database storing the identification information of the encrypted file registered from the client device, the user and the usage authority information Let
When the authentication result is affirmative, the program executes a function of transmitting usage authority information and key information set for the encrypted file to the client device.

The invention according to claim 4 of the present application is a client device having a dedicated viewer connected via a network to an authentication server that performs authentication of file security management.
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, key information for decrypting the encrypted file, and an encrypted file registered from the client device. A file management database storing identification information, user and usage authority information, and an authentication means for authenticating a user and the set user by referring to the database based on an authentication request from a client device Provided, if the authentication result is affirmative, communicate with the authentication server that transmits the usage right information and key information set for the encrypted file to the client device,
When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting A client device comprising authentication registration means for registering the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. And decrypting means for decrypting the received encrypted file.

The invention according to claim 5 of the present application provides an authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, and key information for decrypting the encrypted file, A file management database that stores identification information of encrypted files registered from the client device, user and usage authority information, and a user and the setting by referring to the database based on an authentication request from the client device An authentication means for authenticating the user, and when the authentication result is affirmative, an authentication server for transmitting the usage authority information and key information set for the encrypted file to the client device. To the computer that constitutes the client device that communicates between
When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting The function as an authentication registration means to register the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication request means for requesting authentication from the authentication server via the dedicated viewer, the use authority information and the key information transmitted from the authentication server via the dedicated viewer, A program for executing a function as decryption means for decrypting a received encrypted file.

  In the invention according to claim 1, the file creator (creator-side client device) sets a file to be encrypted using a dedicated browser, and uses the encrypted file and uses permitted to the user Set the authority and register it in the authentication server. The user who receives the encrypted file (user-side client device) receives authentication from the authentication server using the dedicated viewer, and the authentication server encrypts it within the range of usage rights permitted to the user on the dedicated viewer. Decrypt and use files. Therefore, the decryption key information does not remain at the user's hand, and if the user is only authorized to view the decrypted file, the decrypted file remains at the user's hand. Since there is no security, the security function is greatly improved. In addition, the authentication server sends a warning to the file creator and / or the system administrator in response to an authentication request from the user, and if the authentication result is negative, the relevant parties immediately investigate the cause. Will be able to. For this reason, it is preferable that the authentication server includes an authentication history database in which the creator stores the authentication history of the registered encrypted file user and usage authority.

  In addition, the file creator sets the user who is allowed to use the file and its usage authority and registers it in the authentication server, and the authentication server allows the user to use the file within the scope of the usage authority. For example, by setting multiple authority levels, such as only allowing viewing of files decrypted from the authority to use the user, allowing saving, allowing editing and saving, etc., the necessary authority level can be given to the required user Even if the authority level is only for browsing, if you can set detailed authority such as the number of times of browsing and expiry date, you can set the minimum browsing authority so that others can Even if the authentication server is authenticated and the authentication server is authenticated, the damage can be minimized.

  In the invention which concerns on Claim 2, the authentication server which comprises the invention which concerns on Claim 1 can be provided. Moreover, in the invention which concerns on Claim 3, the program which functions the computer which comprises the authentication server of invention which concerns on Claim 2 can be provided. In the invention according to claim 4, a client device constituting the invention according to claim 1 can be provided. Moreover, in the invention which concerns on Claim 5, the program which functions the computer which comprises the client apparatus of the invention which concerns on Claim 4 can be provided.

Hereinafter, specific examples of the present invention will be described in detail with reference to examples and drawings. 1 is a conceptual diagram illustrating basic functions of a file security management system according to a first embodiment of the present invention, and FIG. 2 is a block diagram illustrating a configuration of the file security management system according to the first embodiment. is there. FIG. 3 is a flowchart showing a processing procedure of the file creator side client device and the authentication server in the system of FIG. 2, and FIG. 4 is a flowchart showing a processing procedure of the file user side client device and the authentication server in the system of FIG. It is.
FIG. 5 is a block diagram showing the configuration of the file security management system according to the second embodiment of the present invention.
FIG. 6 is a block diagram showing the configuration of the third embodiment of the file security management system according to the third embodiment of the present invention. FIG. 7 is a schematic diagram illustrating configurations of the authentication information DB 22 and the personal address book DB 40 in the third embodiment, and FIG. 8 is a flowchart illustrating a registration procedure in the personal address book DB 40 in the third embodiment. FIG. 9 is a diagram illustrating a configuration of a login screen to the authentication server in the third embodiment, and FIG. 10 is a flowchart illustrating a processing procedure of the file creator side client device and the authentication server in the third embodiment. FIG. 11 is a schematic diagram showing an example of an operation screen displayed on the dedicated viewer in the procedure of FIG. FIG. 12 is a flowchart showing the processing procedure of the file user side client device and the authentication server in the third embodiment, and FIG. 13 shows the user side client device when the file user does not subscribe to the service of the authentication server. It is a flowchart which shows the process sequence of an authentication server.

  In the file security management system according to the first embodiment of the present invention, as shown in the conceptual diagram of FIG. 1, the creator A creates (I) a file in which digital content is recorded, and encrypts the file to create a user B When authorizing use, the creator A logs into the authentication server 20 using a dedicated viewer, designates the file to be encrypted, and uses the user B who is permitted to use the file, for example, the user authority. The file B is encrypted by setting usage authority such as permitting browsing only once for B. Then, (II) the encrypted file identification information (file name, etc.), user and usage authority information, and key information D for decrypting the encrypted file C are transmitted to the authentication server 20. Registers this information in the database. (III) The creator A sends the encrypted file C to the user B by e-mail or other means.

  The key information D registered in the authentication server 20 differs depending on the encryption method adopted by the system, and a method in which the authentication server 20 issues a key when the creator A encrypts a file can be adopted. In this case, it is not necessary to send the key information D from the creator A to the authentication server 20.

  When using the received encrypted file C (IV), the user B logs in to the authentication server 20 using a dedicated viewer and requests authentication. The authentication server 20 has a user authentication database for authenticating users such as the user B and the creator A, and is set for the encrypted file identification information and the encrypted file C registered by the creator A. If there is a file management database that stores the user and use authority information and key information D, and (V) user B and user authentication are obtained with reference to each database, the corresponding encrypted file C The registered use authority information and key information D are transferred to the dedicated viewer of the client device on the user side.

  (VI) User B can thereby decrypt the encrypted file on the dedicated viewer, and can use the decrypted file. When the user is authorized only to view the file, the operation of the dedicated viewer is restricted according to the usage right information sent from the authentication server 20 to the client device of the user B, and the print button, the file save button, and the overwrite save are performed. Since functions such as buttons are disabled, the user cannot leave a decrypted file. Similarly, the decryption key information D is only used for decryption of the encrypted file C by the dedicated viewer, and the user B is not involved in the decryption operation of the encrypted file C, and the user B However, the key information D cannot be stored in the client device. Therefore, it is possible to prevent a risk that the decrypted file C and key information D are leaked from the user B.

  Although not shown in FIG. 1, the authentication server 20 has some inconvenience if the authentication result of the user B is negative, and the file creator A and / or management Send warning information to the The administrator who sends the warning is the system administrator who manages the entire system, the network administrator in the company to which the file creator A and the user B belong, or the manager of the department in charge of the IT environment audit. . As a result, the parties concerned can investigate the cause of the inconvenience. For this reason, it is preferable that the authentication server 20 includes an authentication history database that stores an authentication history.

  FIG. 2 is a block diagram showing the configuration of the file security management system according to the present invention. As shown in FIG. 2, the file security management system 10 according to the present invention is configured such that an authentication server 20 and client devices 30a and 30b are connected via a network. In the case of FIG. 2, the authentication server 20 is operated by an ASP provider (Application Service Provider) and represents a form of providing an application of a security management system to the customer X. For this reason, the client devices 30 a and 30 b are connected to the intranet 12 such as a LAN and connected to the authentication server 20 via the Internet 14. A gateway (not shown) having a firewall is interposed between the intranet 12 and the Internet 14. The present system is not limited to such a configuration, and can be operated as a system closed within one customer. In this case, the authentication server 20 and the client devices 30a and 30b are connected to the intranet 12.

  A server program 21 is installed in the authentication server 20, and authentication information such as a user ID and a password registered by a user (file creator A or encrypted file user B) using the client devices 30a and 30b is stored. Stored authentication information database (authentication information DB) 22, file management database (file management DB) 23 for storing user and usage authority information to be described later for each encrypted file identification information (file name), user (client device) ) Has an authentication history database (authentication history DB) 24 for storing an authentication history in response to an authentication request from.

  The computer constituting the authentication server 20 executes the functions of the authentication means 25, warning transmission means 26, version checking means 27, and database control means 28 by the server program 21. A communication interface function for communicating with the client devices 30a and 30b via the Internet 14 is not shown.

  The client devices 30a and 30b are used by users such as file creator A and user B, have the same configuration, and have a client program 31 installed. Computers constituting the client devices 30 a and 30 b communicate with the authentication server 20 via a dedicated viewer 32 that functions by the client program 31. Further, the computer executes the functions of authentication registration means 34, authentication request means 35, encryption means 36, and decryption means 37 by the client program 31. These functions include a function used when used as a file creator and a function used when used as a file user. Therefore, the client program can be provided as a separate program for the file creator and for the file user.

  A communication interface function for communicating with the authentication server 20 via the intranet 12 and the Internet 14 is not shown. The dedicated viewer 32 communicates between a server and a client that execute a specific application, inputs information from the client and sends it to the server, or displays or prints information received from the server. Sometimes called a browser. In the following description, the client device 30a is used by the file creator A, and the client device 30b is used by the user B of the file (the file encrypted by the creator A).

  When creator A creates a file in which digital content is recorded and encrypts the file to permit use by user B, creator A uses client device 30a and logs in to authentication server 20 using dedicated viewer 32. Then, specify the file to be encrypted, and set the user B and use authority that permits the use of the file, for example, the use authority that allows the user B to view the file only once. Encrypt. In this case, although not shown, a login screen is displayed on the dedicated viewer screen, and a user ID, a password, and identification information (file name) of the file to be encrypted are input and transmitted to the authentication server 20.

  When the authentication server 20 performs user authentication with reference to the authentication information DB 22 and user authentication is obtained (the authentication result is affirmative), the creator A enters the user setting field and the use authority setting field of the dedicated viewer 32. The user authority to be granted to user B and user B is input. The usage authority is, for example, a plurality of authority levels such as allowing the user only to view the encrypted file, allowing the decrypted file to be saved, and allowing the decrypted file to be updated and saved. It is more preferable that the detailed setting screen is configured so that the number of browsing times and the usable period can be set.

  The specified file is encrypted by the encryption means 36 according to the encryption method employed in the system. Then, the authentication registration unit 34 registers the encrypted file identification information (file name, etc.), the user and use authority information, and key information for decrypting the encrypted file C in the authentication server 20. The creator A sends the encrypted file and the identification information of the encrypted file to the user B by e-mail or other means.

  The authentication server 20 stores in the file management DB 23 file identification information (file name, etc.), user and use authority information, and key information for decrypting the encrypted file C transmitted from the client device 30a. The search key of the file management DB 23 is file identification information.

  When using the received encrypted file, the user B uses the client device 30b, logs in to the authentication server 20 using the dedicated viewer 32, and requests authentication by the authentication request means 35. In this case, a login screen is displayed on the screen of the dedicated viewer 32, and a user ID, a password, and identification information (file name) of an encrypted file to be used are input and transmitted to the authentication server 20.

  The authentication server 20 performs personal authentication by the authentication unit 25 with reference to the authentication information DB 22 by the database control unit 28 based on the personal authentication information such as the user ID and password transmitted from the client device 30b. When the authentication is obtained, based on the file identification information, the user B registered in the file and the usage authority information and key information permitted to the user B are read from the file management DB 23. At this time, if the user B and the user ID for personal authentication do not match, the authentication result is negative and the client device 30b is notified of this. Further, the authentication server 20 transmits a warning to the file creator A and the administrator that there is a file access that cannot be authenticated by the warning transmission means 26. If the authentication result is affirmative, use authority information and key information are transmitted to the client device 30b.

  The client device 30b receives the usage authority information and key information sent from the authentication server 20 on the dedicated viewer 32, and the dedicated viewer 32 functions the decryption means 37 based on the key information to decrypt the encrypted file. At the same time, only the operation of the user B within the range of the usage authority information permitted by the user B is valid, and the operation by the user B other than the usage authority is invalidated. For example, if the user B is authorized to view only, the dedicated viewer 32 enables the operation of the display button for the user B to display the decrypted file, but prints the displayed file. Operations such as the print button, the save button to save, the write button to write, and the update save button to overwrite and save the written file are invalidated.

  Therefore, the user B can use the encrypted file received from the creator A only within the usage authority set by the creator A. When the authority given to the user B is only browsing, the decrypted file cannot be stored in the client device 30b, and the key information is for decrypting the encrypted file on the dedicated viewer 32. Thus, user B need not be aware of the decryption operation. The dedicated viewer 32 does not have a decryption button or the like for operating the key information, and the user B cannot perform an operation for saving the key information in the client device 30b. As a result, it is possible to reduce the possibility that the decrypted file and the key information are leaked to a third party other than the user B, and the security can be greatly improved.

  In the above processing procedure, when the user B uses the client device 30b to activate the dedicated viewer 32 and log in to the authentication server 20, the version information of the dedicated viewer 32 is transmitted to the authentication server 20, and the authentication server 20 The version checking means 27 checks whether the latest version is a dedicated viewer. If it is not the latest version, the authentication server 20 transmits usage authority information obtained by further restricting the usage authority given to the user B to the client device 30b. For example, if the usage authority is permission to save the decrypted file, the usage authority is further limited to use only for browsing. In this way, when a hole (security hole) is created in the security by the dedicated viewer 32 due to some cause, the dedicated viewer 32 can be upgraded and dealt with quickly.

  3 and 4 are flowcharts showing the above-described processing procedure, FIG. 3 is a flowchart showing the processing procedure of the client device 30a of the creator A and the authentication server 20, and FIG. 4 is a flowchart of the client device 30b of the user B. 4 is a flowchart illustrating a processing procedure of the authentication server 20.

  When the creator A creates a file in which digital content is recorded, encrypts the file and permits the user B to use the file, the creator A uses the client device 30a. First, in step S10, the user A The viewer 32 is activated and logs into the authentication server 20 in step S11. That is, when the dedicated viewer 32 is activated, a login screen is displayed, and a user ID and a password are input to the input field and transmitted to the authentication server 20. The authentication server 20 compares the authentication information (user information) registered with reference to the authentication information DB 22 to perform personal authentication of the creator A. If the authentication is OK, the creator A uses the dedicated information in step S12. An input for designating a file to be encrypted is performed from the next screen (not shown) of the viewer 32. Next, the creator A inputs the user B who is permitted to use the file in step S13, and the use authority permitted to the user B in step S14, for example, the user B is permitted only to view the file once. Set usage rights.

  When inputting the user B, the creator A operates the reference button of the dedicated viewer 32 to select and set the user from user information registered with reference to the authentication information DB 22 of the authentication server 20. You can also. The reference information provided by the authentication information DB 22 may be group information registered by grouping members of a specific department, section, or project in addition to individual users. If group information is used, a plurality of people in the same group can be set as users at one time.

  Next, the client device 30a encrypts the file specified by the encryption means 36 in step S15, stores the file encrypted in step S16, and stores the encrypted file identification information (file name) in the authentication server 20 in step S17. In step S18, user and usage authority information is transmitted, and in step S19, key information for decrypting the encrypted file is transmitted.

  The authentication server 20 receives the encrypted file identification information (file name), user and usage authority information, and key information for decrypting the encrypted file transmitted from the client device 30a in steps S33 to S35. In step S36, it is stored in the file management DB 23. Then, the creator A logs out from the authentication server 20 in step S20, and terminates the dedicated viewer 32 in step S21. Thereafter, the creator A transmits the stored encrypted file to the user (user B set in step S13). The means for distributing the encrypted file to the user B is not limited to the network (e-mail or the like), and may be distributed by a medium such as a floppy disk.

  Next, a procedure in which the user B uses the encrypted file received from the creator A using the client device 30b will be described with reference to the flowchart of FIG. When using the encrypted file received in step S40, the user B uses the client device 30b, activates the dedicated viewer 32 in step S41, and logs into the authentication server 20 in step S42. If the authentication server 20 performs the personal authentication of the user B and the authentication is OK, the user B identifies the identification information (file) of the encrypted file used from the next screen (not shown) of the dedicated viewer 32 in step S43. The client device 30b transmits file identification information to the authentication server 20 by the authentication request means 35, and transmits a user authentication request to the authentication server 20 in step S44.

  Upon receiving the file identification information, the authentication server 20 refers to the file management DB 23 in step S51, reads the user and usage authority information registered for the corresponding file, and matches the user B in step S52. Do user authentication processing. As a result of the user authentication in step S53, if the user B and the user ID for personal authentication do not match, the authentication result is negative (N0), and this is notified to the client device 30b. In step S56, the authentication server 20 records the authentication history in the authentication history DB 24, and in step S57, sends a warning to the file creator A and the administrator that there is a file access that cannot be authenticated by the warning transmission means 26. To do.

  If the authentication result is affirmative (YES), the authentication server 20 transmits the usage authority information and key information to the client device 30b in steps S54 and S55. The client device 30b receives the usage authority information and key information sent from the authentication server 20 in steps S45 and S46 on the dedicated viewer 32, and the dedicated viewer 32 functions the decrypting means 37 based on the key information in step S47. To decrypt the encrypted file. User B can view the file decrypted in step S48. At this time, as described above, the dedicated viewer 32 operates so as to enable only the operation of the user B within the range of the usage authority information permitted to the user B and disable the operation other than the usage authority.

  For example, when the use authority permitted to the user B is only browsing, the dedicated viewer 32 enables the operation of the display button for displaying the decrypted file by the user B, but prints the displayed file. The operation of the print button, the save button to save, the write button to write, and the update save button to overwrite and save the written file are invalidated. In this case, the user B cannot save the decrypted file. When the user B finishes using the decrypted file within the range of the use authority set by the creator A, the user B logs out from the authentication server 20 in step S49, ends the dedicated viewer 32 in step S60, and performs processing. Finish. In this flowchart, the version check of the dedicated viewer 32 and the processing steps related thereto are not shown.

  FIG. 5 is a diagram showing another embodiment of the file security management system according to the present invention. In this embodiment, the authentication server 20 is configured to provide a security service application to a plurality of customers X to Z. Each customer Y, Z has the same configuration as the customer X, and the authentication server 20 includes a billing means 29, and each database of the authentication information DB 22, file management DB 23, and authentication history DB 24 is partitioned for customer correspondence. The data for each customer is divided and stored. The rest of the configuration is the same as that of the embodiment of FIG. The billing method may be any of a fixed amount billing, a metered amount billing, or a billing method using both of them. When the billing unit 29 performs billing based metering, the authentication server 20 can connect the client devices (creators) When the user logs in, the number of times, the service time from login to logout, and the like may be counted and aggregated for each customer.

  According to the configuration of FIG. 5, an ASP provider (Application Service Provider) operates the authentication server 20 and can construct a business model that services a file security management system to a plurality of customers. As a result, when the customers X to Y request system customization that is common to other customers, the development cost burden paid to the ASP provider can be reduced. Further, when a software development company intervenes in providing a program according to the present invention, the software development company can easily expand the number of customers who sell products by using an ASP service provided by an ASP provider.

  The file security management system according to the second embodiment described above is a system that manages file security between clients in each of customers (X to Z). However, it would be more convenient if a file security management service could be used beyond the customer. For example, if a highly confidential file can be communicated between A, which is a client of customer X, and E, which is a client of customer Y, using a service provided by the authentication server 20, convenience for the customer is improved. That is, if there is a transaction between customers who subscribe to the security management service provided by the authentication server 20 according to the present invention and the same service can be received between both clients, there is no concern about information leakage. This makes it possible to communicate highly important files and improve convenience. For this purpose, the authentication information DB of each customer and all clients may be operated as a common one. In this case, client information of each customer is mutually disclosed. That is, in this method, customer employee information as a client is leaked and it is difficult to say that the method is acceptable to the customer, and a mechanism for solving this is necessary.

  FIG. 6 is a diagram showing the configuration of the file security management system 10 according to the third embodiment of the present invention. The security management system 10 in FIG. 6 is a block diagram of a system configured to be able to use a file security management service beyond a customer. For easy understanding, in FIG. 6, the same components as those in the first and second embodiments are denoted by the same reference numerals. In this security management system 10, the authentication server 20 is provided with a personal address book DB (database) 40, and the client program 31 on the client device 30a, 30b side is provided with a user registration means 38 in the second embodiment. Different from the security management system 10 of FIG.

  That is, in the security management system 10 according to the third embodiment, the client manages the security management service for each client separately from the authentication information DB 22 for authenticating the client of the customer for each customer (X to Z). The authentication server 20 is provided with a personal address book DB 40 for registering the other party to use. In the present embodiment, the personal address book DB 40 is used to permit the other party registered by each client to use this security service. Here, the configuration of the authentication information DB 22 and the personal address book DB 40 will be described.

  FIG. 7 is a schematic diagram showing the configuration of the authentication information DB 22 and the personal address book DB 40. (A) shows the configuration of the authentication information DB 22, and (B) shows the configuration of the personal address book DB. As shown in FIG. 7 (A), the authentication information DB 22 has separate sections for each of the customers X to Y who receive the file security service provided by the authentication server 20, and each customer's clients (users) A to C, E to F and I to K are registered. The registration information for each user includes “user name”, “group” such as a department or project to which the user belongs, “user ID”, “password”, “mail address”, and the like. Other information such as the user's title can also be added.

  On the other hand, the personal address book DB 40 has independent partitions for each of the clients (users) A to C, E to F, and I to K of the customers X to Y, and the clients (users) A to C, E to F, Each of I to K can register a party with whom file communication is desired using this security service. In registration, the client A logs in to the authentication server 20 and calls the personal address book DB 40, and registers the information of the other party in the personal address book 40 of A by the user registration means 38. The data to be registered is, for example, the name and mail address of the other party who is a registered person. The e-mail address is one-to-one information corresponding to an individual, and the encrypted file is communicated via this e-mail address and becomes authentication data when the encrypted file is used. It is.

  A case where an encrypted file is created and used between clients (users) of different customers using the file security system 10 of FIG. 6 will be described below. For example, client A client A and client Y client E are members of a transactional project. A highly confidential file created by A is encrypted using the authentication server 20 and given the authority to use only for viewing. In this case, E logs in to the authentication server 20 and browses the encrypted file.

  Prior to using the authentication server 20, the client A of the customer X first activates the dedicated viewer 32 and logs in to the authentication server 20. In the login process, the authentication server 20 refers to the authentication information DB 22 and displays the menu screen when the client A authenticates that the client A is a regular client of the customer X in accordance with the authentication information of the customer X. Select the registration process. When the registration processing in the personal address book DB 40 is selected, the authentication server 20 permits the access to the personal address book DB 40 of the client A, and the client A uses the user registration means 38 for the personal address book DB 40 (client A user section). Client E is registered. As shown in FIG. 7B, the data to be registered is the name or ID of the registered user (client) and the e-mail address.

  FIG. 8 is a flowchart showing the above-described procedure for registering in the personal address book DB 40 a partner user who is permitted to use a file encrypted by each individual. First, the client A starts the dedicated viewer 32 in step S61, and logs in to the authentication server 20 by inputting a user ID and a password in step S62. The login screen is, for example, a screen as shown in FIG. 9 and has the same configuration as a general server login screen. Next, the client A calls the personal address book DB 40 in step S63, and registers the name of the user permitted to use and the e-mail address in step S64.

  When the registration is completed, the client A creates a file (may be a created file), activates the dedicated viewer 32, and logs into the authentication server 20. The login authentication procedure is the same as in the registration process described above. Next, the client A designates the file to be encrypted in the file designation field displayed on the menu screen, and then, according to the transition of the menu screen, the authentication information DB 22 or the client for setting the file user. A's personal address book DB 40 is selected. Here, the client A selects the personal address book DB 40 and designates the client E registered in the previous procedure. Then, the use authority for the client E is set according to the transition of the menu screen. Here, designation is made to permit only browsing of the encrypted file to E. In the above procedure, the file is specified on the first menu screen. However, it is also possible to specify a file after setting the user and use authority.

  When these designations are completed, the file created by client A is encrypted and stored on client A's computer (client 30a) using a predetermined encryption method. Further, the authentication server 20 registers the file name (file identification information), user, and usage authority information of the encryption target file specified in the previous procedure in the file management DB 23. Then, the client A transmits the encrypted file to the client E by electronic mail.

  The client E that has received the e-mail activates the dedicated viewer 32 and logs into the authentication server 20 to obtain authentication. Here, since the client E is a registered client of the customer Y, the authentication server 20 refers to the authentication information DB 22 and performs user authentication. This procedure is the same as the authentication procedure for client A. Then, when the client E designates the received encrypted file on the computer (client 30b), the file name (file identification information) is sent to the authentication server 20, and the authentication server 20 is set by referring to the file management DB 23. The user and the use authority are checked, and the use authority information and the decryption key information are transmitted to the client E (30b).

  The client 30b receives the usage authority information and the decryption key information, and the dedicated viewer 32 causes the decryption means 37 to function based on the key information to decrypt the encrypted file, and the usage permitted by the user E Only the operation of the user E within the range of the authority information is valid, and the operation by the user E other than the usage authority is invalidated. For example, since the use authority granted to the user E is only viewing, the dedicated viewer 32 enables the operation of the display button for the user E to display the decrypted file, but prints the displayed file. Disable operations such as the print button to save, the save button to save, the write button to write, and the update save button to overwrite and save the written file.

  FIG. 10 is a flowchart showing the processing procedure described above, and is a flowchart showing the processing procedure of the client device 30a of the creator A and the authentication server 20. FIG. 11 is a schematic diagram schematically showing an example of an operation screen displayed on the dedicated viewer 32 in the procedure of FIG. When the input creator A creates a file in which digital content is recorded, encrypts the file and permits the user E to use it, the creator A uses the client device 30a. First, in step S70, the creator A The dedicated viewer 32 is activated and logs into the authentication server 20 in step S71. That is, when the dedicated viewer 32 is activated, a login screen is displayed, and a user ID and a password are input to the input field and transmitted to the authentication server 20. The authentication server 20 compares the authentication information (user information) registered with reference to the authentication information DB 22 to perform personal authentication of the creator A. If the authentication is OK, the creator A displays the dedicated viewer in step S72. An input for designating a file to be encrypted is performed from the next screen (not shown) of 32 (see STEP 1 in FIG. 11). Next, the creator A inputs the user B who is permitted to use the file in step S73, and the use authority permitted to the user E in step S74, for example, the user B is permitted only to view the file once. Etc. (see STEP 2 in FIG. 11). Finally, the target file is encrypted by operating the “encrypt” button at the bottom of the screen.

  In inputting the user E, the creator A operates the reference button of the dedicated viewer 32 to select the user E from the user information registered with reference to the personal address book DB 40 of the authentication server 20. Set. Next, the client device 30a encrypts the file designated by the encryption unit 36 in step S75, stores the file encrypted in step S76, and stores the encrypted file identification information (file name) in the authentication server 20 in step S77. In step S78, information on the user and usage authority is transmitted, and in step S79, key information for decrypting the encrypted file is transmitted.

  The authentication server 20 receives the encrypted file identification information (file name), user and usage authority information, and key information for decrypting the encrypted file transmitted from the client device 30a in steps S93 to S95. In step S96, the file is stored in the file management DB 23. Then, the creator A logs out from the authentication server 20 in step S80, and terminates the dedicated viewer 32 in step S81. Thereafter, in step S82, the creator A transmits the stored encrypted file to the user E (user E set in step S73). The means for distributing the encrypted file to the user E is not limited to the network (e-mail or the like), and may be distributed by a medium such as a floppy disk.

  Note that the procedure for the user E to use the encrypted file received from the creator A is the procedure shown in the flowchart of FIG. In the flowchart of FIG. 12, in the process in which the authentication server 20 authenticates the user E (step S122), other processes are performed except that the user E is authenticated by referring to the authentication information DB 22 and the personal address book DB 40. The steps are the same as those shown in the flowchart of FIG. When the user E receives the encrypted file by e-mail from the creator A, an icon indicating that the file is an encrypted file is displayed on the desktop of the client device 30b of the user E, and this icon is displayed on the user. If the dedicated viewer 32 is activated by the operation of E, a system with good operability can be obtained.

  The procedure of FIGS. 10 and 12 is that the user E is the client E of the customer Y who subscribes to the security service, but can provide the same service with an individual who does not subscribe to the security service. Convenience increases. For example, this is a case where the client A of the customer X performs encrypted file communication with an arbitrary individual (service unsubscribed) M. In this case, the client A registers the user M in the user section of A in the personal address book DB 40 in the procedure of FIG. This procedure is the same as when registering the client E as a user. Then, the client A encrypts the file with the procedure described in the flowchart of FIG. 10 for the registered user M, and then delivers the encrypted file to the user M by means such as mail. In this case, it is necessary to convey the URL of the authentication server 20 to the user M as necessary information. This is because the user M is not a customer of the security system and needs to be able to log in to the authentication server 20.

  Therefore, when the authentication server 20 receives the encrypted file name, user, authority information, and the like from the client A (steps S93 to S94 in the flowchart of FIG. 10), the authentication server 20 sends the URL of the authentication server 20 to the set user M. The user ID and temporary password for login are set, and these pieces of information are transmitted to the mail address of the user M registered in the personal address book DB 40. Such information may be transmitted when the information of the encrypted file is stored in the file management DB 24 in step S96 of the flowchart of FIG. 10, and the encrypted file name, the user and the client A are transmitted from the client A in steps S93 and S94. It may be performed when authority information is received. Note that the notification of the URL of the authentication server 20 to the user M, the user ID for login, and the temporary password information is not limited to the method of notifying the user M from the authentication server 20 as described above. A can be configured so that the client A notifies the additional information when the client A delivers the encrypted file to the user M.

  On the other hand, when the user M uses the encrypted file received from the creator A, the process is performed according to the procedure of the flowchart shown in FIG. That is, FIG. 13 is a flowchart showing a processing procedure on the user side when the service is used between a client in the customer of the service and an individual who is not a customer. First, when the user M receives the encrypted file from A in step S131, the user M connects to the authentication server 20 based on the URL received as an addition in step S132, and enters the user name and mail address from the input screen displayed on the URL. Enter. In step S151, the authentication server 20 compares the input user name and mail address information with the information registered in the personal address book DB 40 by the client A, and checks whether the client A is a registered user. If the user is a registered user, the dedicated viewer 32 is transmitted to the user M in step S152, and the user M receives the dedicated viewer 32 in step S133, and the downloading of the dedicated viewer is completed.

  When downloading of the dedicated viewer 32 is completed, the user M can activate the dedicated viewer 32, log in to the authentication server, and decrypt and use the encrypted file according to the usage authority set by the client A. In this case, except for the point that the authentication server 20 refers to the personal address book DB 40 to authenticate the user M (step S155), the other processing procedures in the flowchart of FIG. 13, steps S134 to S143 are performed. (Including processing steps S153 to S160 of the authentication server 20) is the same procedure as that of the flowchart shown in FIG.

  In addition, when an individual who has not subscribed to this service is registered as a user as described above, the entity that operates the authentication server 20 has increased the number of clients of the customer X to which the registered Kleinato A belongs. The customer X can be charged as a thing. Therefore, the charging unit 29 in FIG. 6 may be configured to perform charging based on the reference result of the personal address book DB 40 when the user is authenticated.

  In the third embodiment described above, since the personal address book DB 40 for each individual belonging to the customer is provided, even if the customer is a provider and tens of thousands of users are subscribed, it is enormous. Since the personal address book is used without using a user list, only the registration information for each individual is displayed and the usability can be improved. In addition, the term “personal address book” in the present invention does not necessarily mean data in which only an e-mail address is registered, but may be any information as long as information that can identify a user is registered. May be used as data for communication between the registered user and the client A or the like, the authentication server 20 or the like.

  1 and FIG. 5, the file is encrypted by the client device 30a on the file creator side, and the user decrypts the encrypted file together with the identification information of the encrypted file, the user and the usage authority information. Although the configuration for registering key information for registration in the authentication server 20 has been described, the file security management system according to the present invention is not limited to this configuration. For example, the client device 30a on the file creation side can receive a dedicated viewer. 32, the authentication server 20 issues an encryption / decryption key to the file management database together with file identification information, user and use authority information. It may be configured to register.

  In addition, when a key pair of a public key and a private key is used as an encryption method and the user who is permitted to use the file creator side client device 30a and the usage authority are set, the public key of the user is set. The file can be encrypted by using it, and the authentication server 20 can register that the user's public key is used as key information for decrypting the file. When the user-side client device 30b logs in to the authentication server 20 using the dedicated viewer 32 and makes an authentication request, the authentication server 20 sends key information together with the usage authority information to the client device 30b, and the user-side client device 30b. Identifies the public key used for encryption from the key information, and can decrypt the encrypted file.

  As described above, the encryption method in the file security management system according to the present invention can be configured using various known encryption methods.

It is a conceptual diagram which shows the basic function of the file security management system which concerns on this invention. It is a block diagram which shows the structure of Example 1 of the file security management system concerning this invention. 6 is a flowchart illustrating a processing procedure of a file creator side client device and an authentication server in the first embodiment. 6 is a flowchart illustrating a processing procedure of a file user side client device and an authentication server in the first embodiment. It is a block diagram which shows the structure of Example 2 of the file security management system concerning this invention. It is a block diagram which shows the structure of Example 3 of the file security management system which concerns on this invention. It is a schematic diagram which shows the structure of authentication information DB22 and personal address book DB40 in Example 3. FIG. It is a flowchart which shows the registration procedure to personal address book DB40 in Example 3. It is a figure which shows the structure of the login screen to an authentication server. 10 is a flowchart illustrating a processing procedure of a file creator side client device and an authentication server in Embodiment 3. It is a schematic diagram which shows an example of the operation screen displayed on a dedicated viewer in the procedure of FIG. 14 is a flowchart illustrating a processing procedure of a file user side client device and an authentication server in the third embodiment. It is a flowchart which shows the process sequence of a user side client apparatus and an authentication server when a file user has not subscribed to the service of an authentication server. It is a conceptual diagram which shows the basic form of the security management by a general encryption file.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... File security management system 12 ... Intranet 14 ... Internet 20 ... Authentication server 21 ... Server program 22 ... Authentication information DB
23 ... File management DB
24 ... Authentication history DB
25 ... Authentication means 26 ... Warning sending means 27 ... Version checking means 28 ... Database control means 29 ... Accounting means 30a, 30b ... Client device 31 ... Client program 32 ... Dedicated viewer 34 ... authentication registration means 35 ... authentication request means 36 ... encryption means X to Y ... customer

Claims (5)

In a file security management system composed of a plurality of client devices having a dedicated viewer connected to an authentication server via a network,
When encrypting a file, the user of the file and an encryption means for encrypting the file by setting usage authority to be granted to the user through a dedicated viewer, identification information of the encrypted file, setting A client device comprising authentication registration means for registering the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. A client device comprising decryption means for decrypting the received encrypted file;
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, key information for decrypting the encrypted file, and an encrypted file registered from the client device. A file management database storing identification information, user and usage authority information, and an authentication means for authenticating a user and the set user by referring to the database based on an authentication request from a client device A file security management system comprising: an authentication server that transmits usage authority information and key information set for the encrypted file to the client device when the authentication result is affirmative; In an authentication server that is connected to a plurality of client devices having dedicated viewers connected via a network and performs authentication of file security management,
When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting A client device comprising authentication registration means for registering the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. Communicating with a client device comprising decryption means for decrypting the received encrypted file,
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, key information for decrypting the encrypted file, and an encrypted file registered from the client device. A file management database storing identification information, user and usage authority information, and an authentication means for authenticating a user and the set user by referring to the database based on an authentication request from a client device And an authentication server, wherein if the authentication result is affirmative, use authority information and key information set for the encrypted file are transmitted to the client device. When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting A client device comprising authentication registration means for registering the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. In a computer constituting an authentication server that communicates with a client device having a decrypting means for decrypting the received encrypted file,
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered based on an authentication request from a client device, key information for decrypting the encrypted file, and Executes a function as an authentication means for authenticating the user and the set user by referring to the file management database storing the identification information of the encrypted file registered from the client device, the user and the usage authority information Let
A program for executing a function of transmitting usage authority information and key information set for an encrypted file to the client device when an authentication result is affirmative. In a client device having a dedicated viewer connected via a network to an authentication server that performs authentication of file security management,
An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, key information for decrypting the encrypted file, and an encrypted file registered from the client device. A file management database storing identification information, user and usage authority information, and an authentication means for authenticating a user and the set user by referring to the database based on an authentication request from a client device Provided, if the authentication result is affirmative, communicate with the authentication server that transmits the usage right information and key information set for the encrypted file to the client device,
When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting A client device comprising authentication registration means for registering the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication server includes authentication request means for requesting authentication from the authentication server via the dedicated viewer, and based on usage authority information and key information transmitted from the authentication server via the dedicated viewer. A client device comprising: decrypting means for decrypting the received encrypted file. An authentication information database in which a user who encrypts a file and / or a user who uses an encrypted file is registered, key information for decrypting the encrypted file, and an encrypted file registered from the client device. A file management database storing identification information, user and usage authority information, and an authentication means for authenticating a user and the set user by referring to the database based on an authentication request from a client device If the authentication result is affirmative, the computer constituting the client device that communicates with the authentication server that transmits the usage authority information and key information set for the encrypted file to the client device,
When encrypting a file, the user of the file and the use authority permitted to the user are set through a dedicated viewer, the encryption means for encrypting the file, the identification information of the encrypted file, the setting The function as an authentication registration means to register the registered user and usage authority information in the authentication server,
When using the received encrypted file, the authentication request means for requesting authentication from the authentication server via the dedicated viewer, the use authority information and the key information transmitted from the authentication server via the dedicated viewer, A program for executing a function as decryption means for decrypting a received encrypted file.

Images