JP4652719B2 - File data deletion program and file data deletion system - Google Patents

Description

  In the present invention, when file data is transmitted from a computer on the provider side to a computer on the supplier side, a use period is determined based on each other's time limit information, and the file data is deleted when the use period is not satisfied. The present invention relates to a file data deletion system and a file data deletion program.

  In recent years, protection of information leakage has been active. For example, when file data is sent from the provider's computer to the recipient's computer via the Internet, etc., the file data should be deleted from the provider's file data at 00:00 hours There is also a method in which data is written and sent, and the recipient's computer decodes the file data and deletes the file data at 00:00 hours after receiving the file data.

  In such a system, it is impossible to completely synchronize the timer of the computer on the provider side and the timer of the computer on the receiver side, and the time of the timer can be adjusted illegally. To the third person's time in many cases.

That is, a third-party computer, a server, a provider-side computer, and a recipient-side computer are connected to each other via a communication network, and the provider-side computer stores a file based on the time from the third-party server. The data that the file data should be deleted is written and sent to the data at 0:00 hours, and the time on the recipient's computer from the third party's server is 0000 hours The received file data was deleted.
Japanese Patent No. 3391992 Japanese Patent No. 3225919

However, between two computers since the reference time of the third party, when the scrubbing of the file data from the upstream side, there is a problem that the cost that Kaka.

According to the present invention, the time is adjusted between the computers without receiving the time from the third party via the communication network, and the recipient computer deletes the file data from the provider computer. An object is to obtain a cost-effective file data deletion system and its program.
An object of the present invention is to provide a file data deletion system that can prevent copying, falsification, editing, and redistribution.

The present invention deletes the content obtained by connecting a user terminal (40) and a service site system (41, 42, 43, 44) for transmitting content to the user terminal (40) through a communication network (4). Ru file data deletion system der for.

The file data deletion system of the present invention is characterized by the following.
The user terminal (40)
A specific directory area is generated, and in this specific directory area, (a) a content package from the system of the content and the service site (41, 42, 43, 44) and having time restriction information; (b) First storage means (46) in which a hash value of the content is stored;
A driver program unit (45) provided between the first storage means (46) and the application unit;
The driver program unit (45)
Means for prohibiting and dedicating access to the specific directory from outside the driver program section (45);
When the user terminal (40) is changed to another user terminal, a change request for changing the user terminal (40) including the user information of the user terminal, the hash value, and the time limit regulation information Means for transmitting to the service site system (41, 42, 43, 44);
When the user terminal (40) is changed to the other user terminal,
Means for receiving a new content package, its new hash value and remaining usable period from the service site system (41, 42, 43, 44) and storing them in the specific directory area of the other user terminal; ,
Access the service site system, extract the time of the time server of the service site system, and based on this time and the new time restriction information of the new content package, the content of the content at the other user terminal Means for permitting use or deleting the content,
The service site system (41, 42, 43, 44)
Second storage means (44) for storing the content package in association with the user information;
Means for reading the time from the time server, calculating the remaining usable period from this time, and generating the new content package embedded with the new time limit information based on the remaining usable period;
Means for associating and storing the new content package and the user information and the new hash value in the second storage means (44);
Means for transmitting the new content package, the new hash value to the other user terminal (40);
When the new hash value is received from the other user terminal (40), if the new hash value is positive, it is determined that the download of the new content package is completed, and the system (41, 42) of the service site is determined. , 43, 44) and a means for deleting the new content package stored in the distribution server (42) .
The time limit information is
Date specification for deleting the content, the elapsed time of receipt, and may Ru 1 or more information Der chosen from among open elapsed time.

As described above, according to the present invention, copying, falsification, editing, and redistribution can be completely prevented.

<Embodiment 1>
Figure 1 is a schematic configuration diagram of a file data deletion system of the first embodiment.

This embodiment, and transmitted to the computer 1 of the provider side comprises an application unit 2 for adding timed information Ap file data Fi, the recipient's computer 3 The file data Fi via the communication network 4, providing the OS driver program 13 of the receiving side of the computer 3 adds a timed information Aq beneficiaries side file data Fi, the application portion 5 of the receiving side of the computer 3 and timed information a q beneficiaries side The file open (displayed on the display unit) is permitted based on the time information Ap on the user side. When the permission is prohibited, the driver program unit 13 deletes the file data Fi.

That is, this embodiment, focuses on the relationship between two parties with beneficiaries provider of data, based on the recipient and recognized relative time and provider of the file data, file data security Interview tea To improve.

File data deletion system shown in Figure 1, the computer 1 of the provider side, a timer 6, a data provider time generating section 7, a transmission file creation unit 8, an encryption unit 10, without transmitting and receiving unit (not ) Etc.

  The data provider time creation unit 7 displays a screen (not shown) for creating the time information Ap on the provider side in accordance with the file transmission instruction on the display unit, and displays the current time of the timer 6 as the provider. System time a1 (provider side use start time), and the provider side system time a1 is displayed on the above-mentioned screen, and the provider side who has permitted the use of the file data Fi to the recipient side The expiration date a2 for the receiver side (expiration date from the provider side) is displayed on the screen, the difference between the expiration date a2 for the receiver side and the system time a1 of the provider side is obtained, and this is the provider side Is displayed on the screen as an effective period a3 (a use permission period from the provider side) from the recipient to the recipient side.

The system time a1 on the provider side, the expiration date a2 on the recipient side, and the validity period a3 on the recipient side are collectively referred to as time limit information Ap from the provider side. This time limit information Ap from the provider side is stored in the memory 9.

In accordance with the file transmission instruction, the transmission file creation unit 8 stores the time information Ap (provider side) from the provider side stored in the memory 9 in the header Fp (Fp1, Fp2, Fp3) of the file data Fi. The system time a1, the expiration date a2 to the recipient side, and the expiration date a3) to the recipient side are embedded, encrypted by the encryption unit 10 and transmitted.

Further, the transmission file creation unit 8 may store the file data Fi with the above-mentioned time limit information Ap in the storage medium 11 such as a CD - ROM, a floppy disk, or an MO.

  On the other hand, the personal computer 3 on the receiver side has an application unit 5, a timer 12, a driver program unit 13 provided in the OS, and the like.

The application unit 5 includes at least a file open unit 16, a time condition determination unit 17, and the like, and the driver program unit 13 includes a file close unit 18, a deletion unit 19, and a time stamp writing processing unit 26 .

The file open unit 16 monitors whether or not there is a request to open the file data Fi. If it is determined that there is an open request, the file Ri has a header Ri of the file data Fi stored in the hard disk 15 with respect to the driver program unit 13. to (also referred to as a receiving side of the system time b1. or use start time of the receiving side.) the current time of the timer 12 and, as an active set by beneficiaries side limit b2 (expiration date of receiving side), The driver program unit 13 writes the valid period b3 set on the recipient side. The above-mentioned system time b1 on the receiver side, the expiration date b2 set on the receiver side, and the validity period b3 (use permission period on the receiver side) set on the receiver side are collectively referred to as time information Aq on the receiver side. That's it.

The time condition determination unit 17 causes the driver program unit 13 to read the time information Aq on the recipient side and the time information Ap on the provider side, and based on these time information and the determination conditions stored in advance, When the file open request cannot be validated or permitted , the driver program unit 13 deletes the file data Fi.

FIG. 2 is a schematic configuration diagram of the computer 3 on the recipient side. As shown in FIG. 2, the application unit 5 is provided on the driver program unit 13.

As shown in FIG. 2, the driver program unit 13 includes an application interface unit 20, a flow control unit 21, a data processing unit 22, a file system monitoring driver unit 23, an encryption / decryption unit 24, and access data. The management unit 25, the time stamp writing processing unit 26, and a transmission / reception unit (not shown) that performs transmission / reception with the communication network 4 using a predetermined protocol (Internet).

When accessing a file stored in the hard disk 15 from the application unit 5 running on the recipient's computer 3, the application unit 5 issues an access request to the file through an interface provided by Windows as a standard. At this time, the application unit 5 communicates with the hard disk 15 via the driver program unit 13 provided in the OS.

The file system supervising driver section 23 is for performing transmission and reception of the file system driver 27 and the data in response to a request from the flow control unit 21 or the data processing unit 22.

  The application interface unit 20 provides an interface between the application unit 5 and the driver program unit 13, receives a command such as a file access request from the application unit 5, and the execution result or other data received from the flow control unit 21. Is sent to the application unit 5.

The data processing unit 22 is for creating file attribute data and inputting / outputting data to / from the access data management unit 25, encryption / decryption unit 24, and transmission / reception unit.

The flow control unit 21 analyzes a command received from the application unit 5 via the application interface unit 20 and gives an instruction to the data processing unit 22, the file system monitoring driver unit 23, and the like to control. .

  The access data management unit 25 is for referring to, registering, controlling, and managing a file in which information related to a file stored in an auxiliary storage device such as the hard disk 15 is stored.

Specifically, it registers and deletes data such as file access logs, control conditions, and file attributes, and manages their references. In other words, it manages file close and delete functions . The file system monitoring driver 23 is for providing an interface with the file system driver 27 that provides access to a file stored in an auxiliary storage device such as the hard disk 15.

  The operation of the file data deletion system configured as described above will be described below.

Figure 3 is a flow chart illustrating a schematic operation of the provider side. The provider operator selects a file to be transmitted to the recipient and inputs a transmission instruction for this file.

In response to the file transmission instruction, the transmission file creation unit 8 of the provider's computer 1 reads the selected file data Fi from the hard disk (S1).

  In response to the file transmission instruction, the data provider time creation unit 7 reads the current time of the timer 6 as the system time a1 on the provider side, and displays the system time a1 on the provider side on the aforementioned screen. In addition, the expiration date a2 from the provider side who has permitted the use of the file data Fi to the recipient side is displayed on the screen, the expiration date a2 to the recipient side and the system time of the provider side The difference of a1 is obtained, and this is displayed on the screen as a valid period a3 from the provider side to the recipient side (time limit information Ap from the provider side). Then, a time condition setting process for embedding this in the header Fp of the file data Fi is performed (S2).

The encryption unit 10 encrypts the file (MPEG, JPEG) (S3), and the transmission unit writes the encrypted file in the transmission buffer memory and transmits the file (S4). File data Fi with timed information Ap from provider side may be stored in a storage medium.

Figure 4 is a flowchart for explaining the processing of FIG. 3 in detail. As shown in FIG. 4, the transmission file creation unit 8 monitors whether there is a transmission instruction of the file (S10).

  If it is determined in step S10 that there is a file transmission instruction, the file data Fi corresponding to the file number selected to be transmitted is read from the database (S11).

Then, the data provider time generating unit 7 displays a timed condition setting screen (see FIG. 5 (a)) on the display unit (S12).

  For example, if the current time of the timer 6 is April 10, 2004, 17:00, it is displayed as the system time a1 on the provider side as shown in FIG. In FIG. 5A, UTC time is also displayed.

Then, the data provider time generating unit 7 determines whether the expiration a2 to recipients side is set (S13). In step S13, when it is determined that the input expiration a2 to recipients side, calculates the lifetime a3 to recipients side (S14).

  For example, when the validity period a2 for the file (content: document or the like) to the recipient is input as 3 days, the validity period (3 days) on the recipient side is added to the system time a1 on the recipient side. In this embodiment, the expiration date a2 for the recipient is calculated as 13:00 on April 13, 2004 (see FIG. 5A). Also, the effective period based on the UTC time is obtained and displayed.

Then, the difference between the system time a1 (2004/4/10 1700) on the provider side and the expiration date a2 (April 13, 2004, 17:00) is calculated as the effective period a3 ( 259200) (see FIG. 5A).

Next, it is determined whether the data provider time generating unit 7 OK button (not shown) is depressed (S15), when the OK button is pressed, from the provider side of FIGS. 5 (a) The time limit information Ap is sent to the transmission file creation unit 8.

  The transmission file creation unit 8 embeds the time information Ap on the provider side in the header Fp (Fp1, Fp2, Fp3) of the file data Fi, and passes this to the encryption unit 10 (S16).

Encrypting unit 10 encrypts the file data Fi created by transmitting the file creation section 8 (S17), the transmission unit is written into the transmission buffer memory (S18), and transmits a communication network 4 (internet) (S19).

On the other hand, receiving side receives the file data Fi encrypted from the computer 1 of provider side, to decrypt it, and stores the folder specified beforehand. That is, a specific area is generated in the hard disk 15 shown in FIG. 2, and the access data management unit 25 of the driver program unit 13 stores the file data Fi in this specific area.

Then, as shown in FIG. 6, the application unit 5 checks whether or not a file exists in the designated folder (S20: monitoring whether there is a file). That is, the application unit 5 outputs a command as to whether or not file data exists on the hard disk 15 via the application interface unit 20 , and the flow control unit 21 inputs this command to the access data management unit 25 for access. The data management unit 25 reads the result of whether or not file data exists on the hard disk 15 by the data processing unit 22 and the file system monitoring driver unit 23, and causes the application unit 5 to output the result.

Next, when the file opening unit 16 of the application unit 5 determines that the file data Fi exists in the hard disk 15, it determines whether or not a time stamp has already been written (S21). In this determination, the time condition determination unit 17 of the application unit 5 outputs a command for inquiring whether or not there is a time stamp write via the application interface unit 20, the flow control unit 21, and the file system monitoring driver unit 23.

When the application unit 5 determines that a time stamp has been written in step S21, the file open unit 16 determines whether there is a file open request (S22).

If it is determined in step S21 that the time stamp (system time, expiration date, and validity period set on the recipient side) has not been written, the time condition determination unit 17 of the application unit 5 A time stamp write command is transmitted to the time stamp, and the flow control unit 21 decodes the time stamp write command and outputs the time stamp write command to the time stamp write processing unit 26.

The time stamp writing processing unit 26 reads the header Fp of the file data Fi of the hard disk 15 via the data processing unit 22, the file system monitoring driver unit 23, and the file system driver 27, and this header Fp (Fp1, Fp2, Fp3). For example, as shown in FIG. 7, the system time a1 of the provider is “38087.70833: UTC time”, the expiration date a2 to the receiver side is “38090.70833: UTC time”, and the receiver side is valid. When the period a3 is written as “3.00000”, for example, when the system time a1 on the provider side is delayed by 30 minutes with respect to the absolute time (see FIG. 5C), the event shown in FIG. as shown in, the header R1 file data Fi, system time b1 the recipient side is the current time of the timer 12 is " It is written and 8087.68750 ", the header R2, is written as the expiration date b2 of" 38090.68750 "is set in the receiving side.

  In addition, in the header R3, a validity period b3 (3.00000) set on the receiver side, which is the difference between the system time b1 on the receiver side and the expiration date b2 set on the receiver side, is written (FIG. 7). See i). The headers Fp and Ri described above are masked when time information is written.

  The above b1, b2, and b3 are transferred to the data processing unit 22 by the time stamp writing processing unit 26 and written to the file header Ri of the hard disk 15 by the file system driver 27 via the file system monitoring driver unit 23. Yes (masked).

In other words, the time limit information Aq on the receiver side, which is time stamp time information, is written in the kernel mode , so that time tampering can be prevented.

Further, with respect to absolute time, when the timer 12 of the receiving side is ahead 2 hours 30 minutes (absolute time 2004/4/10 17:30), the system time b1 of beneficiaries side 2004/4/10 20: 00 = 38087.833333 (see FIG. 5B).

  The expiration date b2 set on the recipient side is “38090.70833”, and the expiration date b3 set on the recipient side is “2.887500”.

  The time information Aq on the receiver side is also written and masked in the header Ri of the file data Fi.

  That is, the time stamp writing processing unit 26 passes the times b1, b2, and b3 to the data processing unit 22 and the file system header 27 of the file data on the hard disk 15 by the file system driver 27 via the file system monitoring driver unit 23. Write to Ri.

Therefore, since the time stamp time information (timer information Aq on the receiver side) is written in the kernel mode , it is possible to prevent time tampering.

  Next, when the file open and the file open unit 16 of the application unit 5 determine in step S22, the time condition determination unit 17 of the application unit 5 includes the application interface unit 20, the flow control unit 21, the data processing unit 22, The system time a1 on the provider side which is a fixed value written in the header Fp of the file data Fi by the file system monitoring driver unit 23, and the system time b1 on the receiver side which is a fixed value written in the header Ri. Are compared (S23).

  In step S23, when it is determined that the system time a1 on the provider side is smaller than the system time b1 on the receiver side, the system time (a1) on the provider side is delayed from the system time (b1) on the receiver side. Therefore, a process (A process) is performed in which the expiration date (a2) from the provider side to the recipient is set to the expiration date b2 set on the receiver side (S24). This A process will be described later.

  In step S23, when the time condition determination unit 17 determines that the system time (a1) on the provider side is greater than the system time (b1) on the receiver side (that is, the system time of the provider is advanced). The time at the time of the file open request on the receiver side is read from the timer 12, and this system time k1 (system time at the start of use on the receiver side) and the system time (b1; fixed value) on the receiver side of the header R1 Compare (S25).

If it is determined in step S25 that the system time k1 at the start of use is smaller than the system time b1 in the header R1, a process B described later that does not permit the use of the file data Fi is executed (S26). That is, if the system time k1 at the time of file open request is later than the system time when the file is received, the file data Fi is not used.

  In step S25, if it is determined that the system time k1 that is the current time on the recipient side at the time of the file open request is greater than the system time (b1) on the recipient side (the current time on the recipient side is the file data If it is ahead of the system time on the recipient side at the time of reception), the processing from step S28 to step S31 described later is repeated (S27).

  Next, when it is determined in step S25 that the current time on the receiver side is ahead of the system time on the receiver side when the file data is received, the time condition determination unit 17 uses the driver program unit 13 to The expiration date b2 (fixed value) set on the receiver side of the header R2 of the file data Fi of the hard disk 15 is output, the expiration date b2 (time based on the timer 12) set on the receiver side and the current time of the timer 12 The system time k1, which is the time, is compared (S28).

In step S28, the current system time k1 on the receiver side is determined based on the expiration date b2 set on the receiver side (the validity period a3 that is a use permission period from the provider side and the system time b1 on the receiver side) When the expiration date b2) is not reached, it is determined that the file data Fi can be used, and the file open unit 16 of the application unit 5 reads the file data Fi from the hard disk 15 by the driver program unit 13. by (S29), passing the encryption / decryption unit 24 to decrypt (S30), and displays it on the screen (S31).

  In step S28, when the time condition determination unit 17 of the application unit 5 determines that the system time k1, which is the current time of the timer 12, is greater than the expiration date b2 set on the receiver side (the current time on the receiver side is If the expiration date b2 has been exceeded), the driver program unit 13 causes the file close process to be executed (S32) and the file is deleted (S33).

  That is, the access data management unit 25 deletes the file data Fi on the hard disk 15 via the data processing unit 22, the file system monitoring driver unit 23, and the file system driver 27.

  Next, process A will be described below with reference to the flowchart of FIG. The process A is started when there is a file open request and the system time a1 on the provider side of the header Fp of the file data Fi is behind the system time b1 set on the receiver side of the header Ri.

  The time condition determination unit 17 of the application unit 5 compares the current system time k1 on the receiver side, which is the current time of the timer 12, with the system time a1 on the provider side of the header Fp (S40).

In step S40, when it is determined that the current system time k1 on the receiver side is smaller than the system time a1 from the provider side (the current time of the timer 12 on the receiver side is behind the time from the provider side). ), Process B that does not permit the use of the file data Fi is executed (S41).

  If it is determined in step S40 that the current system time k1 on the receiver side is greater than the system time a1 on the provider side (the current system time k1 on the receiver side is ahead of the system time a1 on the provider side). The processing from step S43 to step 46 described later is repeated until the file is closed (S42).

  In step S43, the current system time k1 on the receiver side is compared with the expiration date b2 set on the receiver side in the header Ri of the file data Fi (S43).

In step S43, when the system time k1, which is the current time of the timer 12 on the receiver side, is less than or equal to the expiration date b2 set on the receiver side of the header Ri (not reaching b2), the time condition determining unit 17 Then, it is determined that the file data Fi can be used, and the file opening unit 16 of the application unit 5 causes the driver program unit 13 to read the file data Fi from the hard disk 15 (S44), and the encryption / decryption unit It is decoded and passes the 24 (S45), and displays it on the screen (S46).

  In step S43, when the time condition determination unit 17 of the application unit 5 determines that the system time k1, which is the current time of the timer 12, is smaller than the expiration date b2 set on the receiver side (the current time on the receiver side is If the expiration date b2 is exceeded, the driver program unit 13 causes the file close process to be executed (S47) and the file is deleted (S48).

  That is, the access data management unit 25 deletes the file data Fi on the hard disk 15 via the data processing unit 22, the file system monitoring driver unit 23, and the file system driver 27.

  In other words, the use of the file data is restricted by the subsequent processing depending on the situation when the file data is used (FIG. 6 S23).

Each time the data recipient uses the file data Fi , the application program analyzes the following conditions on the computer to prevent unauthorized use.

Expiration In either condition attained is intended not to exceed the time to, simplification of the operational aspects of the provider of the data (a) (see FIG. 6 (d)).

The determination of the above time condition is
If header (a1)> header (b1) and system time at start of use> header (b1) (flow diagram S23, S25, S27), file data until expiration date (b2) Can be used.

  When the expiration date (b2) is passed (flow diagram S32, S33), the target file is forcibly closed and deleted.

  In the future, it is acceptable to correct the time of computer (b), which was originally delayed from the time of (a).

  However, since the future correction range is unpredictable, the first expiration date (b2) is applied.

  When header (a1)> header (b1, b1 ′) and system time at start of use <header (b1, b1 ′) (flow diagram S23, S25) have passed (flow diagram S26) ) The process forcibly closes and deletes the target file.

  The computer (b), which was originally delayed from the time (a), does not have to be delayed more than the first time slump, and it is determined that the system time has been intentionally manipulated.

  When header (a1) <header (b1, b1 ′) and system time at start of use> header (a1) (flow diagram S23, S25) have passed (flow diagram S40, S42) By the processing, the file data can be used until the expiration date (b2 ′).

  When the expiration date (b2 ') has passed (flow diagram 8 S47, S48), the target file is forcibly closed and deleted.

Originally, (a) the time the computer that is ahead (see d in FIG. 5): It is acceptable for future correct the time of (b recipients's computer).

  However, since the future correction range is unpredictable, the first expiration date (b2 ') is applied.

  When header (a1) <header (b1, b1 ′) and system time at start of use <header (a1) (flow diagram S23, S25) have passed (flow diagram S40, S41) By the process, the target file is forcibly closed and deleted.

Originally, computers were ahead time (a): This is a rather time need to be previously returned time (b recipients's computer) is the reference (a), a reference time (a) In the content, it is determined that the system time was intentionally manipulated illegally.

That is, the above-described conditions indicate the following.
In the case of header (a1)> header (b1, b1 ′), the system time at the start of use> header (b1, b1 ′) has the header (a2) as the valid time limit.

  In the case of header (a1)> header (b1, b1 '), the system time at the start of use <header (b1, b1') does not allow the use of file data.

  In the case of header (a1) <header (b1, b1 '), system time at the start of use> header (a1) has header (a2) as the valid time limit.

  When header (a1) <header (b1, b1 '), the system time at the start of use <header (a1) does not allow the use of file data.

The condition control described above, the file data maximum utilization effective time period of the recipient, it ensures less recognize timed provider of data.

<Embodiment 2>
Figure 9 is a schematic configuration diagram of a file data deletion system of the second embodiment.

This embodiment comprises an application for adding the use permit count data Dp of the file data Fi to the computer 30 of the provider side, and transmitted to the computer 31 of the receiving side via the communication network 4 the file data Fi, receiving OS driver program 39 of the computer 31 of the finisher side adds use permit count data Dq beneficiaries side file data Fi, recipient side of the application portion 35 of the computer 31 receiving side of the use permit count data Dq If the file open (displayed on the screen) is permitted and the permission is prohibited, the driver program unit 39 deletes the file data Fi.

  In other words, in the second embodiment, the mechanism for realizing the limitation on the number of times of use has conventionally been a mechanism that depends on the application side as a system, and it has been impossible to specify other than file data in a specific format.

  This embodiment provides a system having an effective number control function that is highly convenient for a provider and a receiver by holding a counter (usable number of times of use) that specifies a condition of the number of times of use in the file data itself. .

  In the file data deletion system shown in FIG. 9, the provider-side computer 30 includes a counter 34, a data provider usage count creation unit 32, a transmission file creation unit 33, an encryption unit 10, and a transmission / reception unit (not shown). ) Etc.

The data provider usage count creation unit 32 displays a screen (not shown) for inputting usage permission count information Dp on the provider side in accordance with the file transmission instruction on the display unit. to save the permission to use the number of times information Dp in the memory 36.

In response to the file transmission instruction, the transmission file creation unit 33 embeds the provider-side use permission count information Dp stored in the memory 36 in the header Fp of the file data Fi, and encrypts it by the encryption unit 10 for transmission. Let

In addition, the transmission file creation unit 33 may store the file data Fi in which the above-described use permission number information Dp is written in the storage medium 11 such as a CDROM, a floppy disk, or an MO.

  On the other hand, the receiver-side computer 31 includes an application unit 35, a counter 34, a driver program unit 39 provided in the OS, and the like.

The application unit 35 includes at least a file open unit 16, a usage count condition determination unit 37, and the like, and the driver program unit 39 includes a file close unit 18, a deletion unit 19, and a usage count write processing unit 38.

The file open unit 16 monitors whether or not there is a request to open the file data Fi, and when it is determined that there is an open request, the header of the file data Fi stored in the hard disk 15 with respect to the driver program unit 39. The driver program unit 39 writes the count value of the counter 34 (use permission count information Dq set on the receiver side) into Ri.

The usage number condition determination unit 37 causes the driver program unit 39 to read the usage permission number information Dp on the provider side of the header Fp of the file data Fi and the usage permission number information Dq set on the receiver side of the header Ri. When the file open request cannot be validated or permitted based on the usage count information and the usage count determination conditions stored in advance, the driver program unit 39 deletes the file data Fi.

FIG. 10 is a schematic configuration diagram of the computer 31 on the recipient side. As shown in FIG. 10, the application unit 35 is provided on the driver program unit 39.

As shown in FIG. 10, the driver program unit 39 includes an application interface unit 20, a flow control unit 21, a data processing unit 22, a file system monitoring driver unit 23, an encryption / decryption unit 24, and access data. The management unit 25, the number-of-uses writing processing unit 38, and a transmission / reception unit (not shown) that performs transmission / reception with the communication network 4 using a predetermined protocol (Internet).

When accessing a file stored in the hard disk 15 from the application unit 35 running on the recipient's computer 31, the application unit 35 issues an access request to the file through an interface provided by Windows as a standard. At this time, the application unit 35 communicates with the hard disk 15 via the driver program unit 39 provided in the OS.

The file system supervising driver section 23 is for performing transmission and reception of the file system driver 27 and the data in response to a request from the flow control unit 21 or the data processing unit 22.

Application interface unit 20 provides an interface between the application unit 35 and the driver program 39 receives a command file access request or the like from the application unit 35, the execution result, or other received from the flow control unit 21 Data is sent to the application unit 35.

  The operation of the system according to the second embodiment configured as described above will be described below. FIG. 11 is a schematic flowchart for explaining the operation of the computer 30 on the provider side.

Sending file creation unit 33 of the provider side of the computer 30, it reads the designated file data Fi (S50).

Next, when the data provider use count creation unit 32 inputs the use permission count information Dp on the screen, the data provider use count creation unit 32 stores the use permission count information Dp in the memory 36, and the transmission file creation unit 33 permits the use of the memory 36. The number information Dp is written in the header Fp of the file data Fi. That is, the use permission count is set in the file data Fi (see (a) in FIG. 12) (S51).

  Next, the encryption unit 10 encrypts the file data Fi (S52). Then, the data is written to the transmission buffer memory and transmitted or written to the storage medium (S53).

FIG. 13 is a flowchart for explaining the operation on the recipient side. On the other hand, the computer 31 of the receiving side receives the file data Fi from the provider side, to decrypt it, and stores the folder specified beforehand. That is, the file data Fi is stored in the hard disk 15 shown in FIGS.

Then, as shown in FIG. 13, the application unit 35 checks whether or not a file exists in the designated folder (S60: monitoring of existence of file). That is, the application unit 35 outputs a command indicating whether or not a file exists on the hard disk 15 via the application interface unit 20, and the flow control unit 21 inputs this command via the application interface unit 20, The control unit 21 causes the application unit 35 to output the result of whether or not the file exists on the hard disk 15 by the file system monitoring driver unit 23 .

Next, when the file opening unit 16 of the application unit 35 determines that the file data Fi exists in the hard disk 15, it determines whether or not the usage permission number information Dq has already been written in the header Ri (S61). For this determination, the application unit 35 outputs a command for inquiring whether or not the usage permission count has been written to the application interface unit 20, and the application interface unit 20 passes the command to the flow control unit 21 in a predetermined format.

  The flow control unit 21 outputs a command for inquiring whether to write the number of times to the use number writing processing unit 38.

When the application unit 35 determines in step S61 that the usage permission count information Dq has been written, the file open unit 16 determines whether there is a file open request (S62).

  When it is determined in step S61 that the usage permission count information Dq has not been written, the application 35 sends a usage permission count write command to the application interface unit 20, and the flow control unit 21 decodes the usage permission count information Dq. A use count write command is output to the write processing unit 38.

The usage count writing processing section 38 reads the usage permission count information Dp on the provider side of the header Fp of the file data Fi of the hard disk 15 via the data processing section 22, the file system monitoring driver section 23, and the file system driver 27, The use permission frequency information Dp on the provider side is written in the header Ri. For example, when the use permission number information Dp on the provider side is “3”, the use permission number information Dq on the receiver side is written as “3”.

That is, since the usage permission count information is written in the kernel mode , falsification of the usage permission count can be prevented.

  Next, when it is determined in step S61 that the usage permission count information Dq is written in the header Ri, and in step S62, when the file open and the application unit 35 determine, the application unit 35 includes the application interface unit 20, The flow control unit 21, the data processing unit 22, and the file system monitoring driver unit 23 read the header Ri of the file data Fi, and subtract the use permission number information Dq written in the header Ri (S63). That is, the count value of the counter 34 is subtracted and the subtracted value is written in the header Ri.

  Next, the usage count writing processing unit 38 of the application unit 35 uses the application interface unit 20, the flow control unit 21, the data processing unit 22, and the file system monitoring driver unit 23 on the provider side to use the header Fp of the file data. The permitted number of times information Dp and the permitted number-of-uses information Dq on the receiver side of the header Ri are read and compared (S64).

Next, in step S64, when it is determined that the usage permission count information Dp on the provider side is smaller than the usage permission count information Dq on the recipient side (the usage permission count on the receiver side exceeds the usage count from the provider) In order to prevent unauthorized use, the access data management unit 25 of the driver program unit 39 performs processing A for closing the file and deleting the file data Fi (S65).

Further, when the use permit count data Dq beneficiaries side is determined to less use permit count data Dp of the provider side in step S64, until it is off § Irukurozu, executes the processing from step S67 to be described later to step 69 (S66).

  Next, in step S64, when it is determined that the use permission number information Dp on the provider side is equal to or less than the use permission number information Dq on the receiver side, the use permission number information Dp on the provider side and the use permission number on the receiver side are determined. The information Dq is compared (S67).

In step S67, when Dq is not “0”, the usage count condition determination unit 37 determines that the number of times the file data Fi can be used remains, and the file open unit 16 of the application unit 35 the program unit 39 to read the file data Fi from the hard disk 15 (S68), passing the encryption / decryption unit 24 to decrypt (S69), and displays it on the screen (S69).

In step S67, when the usage count condition determination unit 37 of the application unit 35 determines that the usage permission number information Dq on the recipient side is “0”, the driver program unit 35 causes the file close process to be executed ( S71), the file data Fi is deleted (S72).

That is, the access data management unit 25 deletes the file data Fi on the hard disk 15 via the data processing unit 22, the file system monitoring driver unit 23, and the file system driver 27.

<Embodiment 3>
In general, due to the importance of protecting the rights of copyright holders, the conventional technology has lost the convenience of being able to enjoy purchased content anywhere and enjoyed by users due to digitalization.

For example, media ID scheme, previously added a unique number (media ID) to the MO disk is a function MO network era has provided with a function of reading this number MO drive. In other words, it is that enjoyed anywhere once you pay to this MO.

However, devices that support this media ID system is small (not the industry standard), the copyright holder of distribution rights, in that it is not intended to protect the screening rights, etc. (in other words, anyone corresponding to the MO of the media ID system if the playback equipment that is, anywhere she can use.), this alone is not expected to spread.

Content ID system, on the other hand, industry standard also build a content ID management scheme, content, user, distribution, if you can manage all of the available scenes, can also be used freely where to say the content purchased by the user, This is the idea.

  However, it is not practical to centrally manage the entire ubiquitous digital content market.

Also, when borrowing content and extending its return period , the above-mentioned MO in the network era cannot cope.

Even to solve the needs of such users, a copy of the content, tampering, editing, for the re-distribution, it must be completely prevented.

Therefore, the present embodiment realizes the system configuration shown in FIG. 14 and prevents these illegalities and tampering.

  FIG. 14 is a schematic configuration diagram of the file data deletion system according to the third embodiment.

As shown in FIG. 14, the OS includes a driver program unit 45, and a user-side PC 40 that deletes original data in a specific directory generated on the hard disk 46 is connected to the communication network 4, and a time server 43 is connected to the communication network 4. The distribution management server 41, the distribution server 42, and the DB server 44 are connected. The time server 43, the distribution management server 41, the distribution server 42, and the DB server 44 may be collectively referred to as the service side .

In the header of the above-mentioned original data, there are time limit information (date designation, elapsed time after receipt, open elapsed time), access restriction information (use, print count designation), use restriction information (copy, rename storage, edit, etc.) Prohibition), communication restriction information (the type of protocol permitted for communication and the availability of communication itself), a use password, other information (distributor and user information), and the like are stored.

Then, the original data is restricted to allow if decoded by the reproduction player associated with the original data information (extension), it is made possible to reproduce the original data.

The user side PC40 is the DL function of the driver program 45 (also referred to as a control and management software) (download function), and stores the data in a particular directory, move or copy data from a particular directory, communication, Does not allow any interaction with external devices (media).

Then, within a specific de I directory you can not only refer to the driver program section 45, do not have direct access to data within a specific directory from the application.

In addition, the driver program unit 45 constantly monitors the data in the specific directory, and acquires the time to the time server 43 at regular intervals (such as every 5 minutes), and automatically deletes the target data if it has expired. The meaning of decryption here is reproduction by a reproduction player associated with the extension of the original data, and is performed without returning the content package to the original data.

Aforementioned driver program 45, download function (save the file in a specific directory, download address is invisibly), a particular directory only Explorer (file reference and execution) function, decoding (decryption) functions (decoding turned into and executes the application associated with the extension of the original file playback), an access protection to certain directories (file also) (OS, does not allow access from the application.), file replication - the use regulatory functions such as editing, moving, renaming stored prevention, and timed delete function the same as the first embodiment, the communication regulation function (file not exchanged downloading function other than communication method.), control of an external device Function (does not send the file to an external device or media User login function (access to the distribution management server 41 and user authentication), usage management function (hash value generation storage, DL history generation storage, content file information management, usage terminal information, etc.) ). Further, utilization terminal information described above, when installing Doraibapu b gram unit 45 delivers the unique code from the delivery management server 41 is realized by storing the user terminal.

FIG. 15 is a schematic configuration diagram of the distribution management server 41 and the distribution server 42 . The distribution management server 41 includes a user authentication unit 51, an original data storage unit 52, a time management unit 53, a package data automatic generation unit 54, and a distribution management unit 55.

  The distribution server 42 includes a DL authentication unit 56, a content reception unit 58, a management unit 59, and a content storage / distribution unit 57.

  The user authentication unit 51 includes a user authentication function (receives a user ID / password from the user side), a hash value authentication function (received from the user side together with user information / use terminal information), and a use password transmission function. .

  The original data storage unit 52 stores and manages the content displayed on the product display.

The package data automatic generation unit 54 has an automatic generation function (a content package in which various types of restriction information are embedded in content based on purchase information associated with user information, a hash value, and a usage password are automatically generated) It has a function to calculate and automatically generate.

The distribution management unit 55 has management information for moving the packaged content package to the distribution server 42 .

  For example, the purchase information is stored in the DB server 44 when the user purchases content at another shop site (another system), and the package data automatic generation unit 54 accesses and acquires the DB server 44.

  The time management unit 53 has a function of determining a time as a relative time reference similar to that of the first embodiment and passing it to the package data automatic generation unit 54 and the like.

  In addition, the management unit 59 of the distribution server 42 encrypts the DL address, a function for generating a DL address (dynamic DNS function), a function for generating a DL path (sent to the user by e-mail after generation), and the like. And a function for transmitting to the user side.

The content reception unit 58 has a function of receiving a content package (also referred to as file data) from the distribution management server 41 and locating it to the content storage / distribution unit 57. The DL authentication unit 56 has a function of authenticating the DL path.

Content storage and delivery unit 57 has a function of connecting to download function of the user-side software, and transmits the content package.

  The DB server 44 stores all data generated in each process.

  That is, this Embodiment 3 has the effect described below by the above configuration.

  (1) In accordance with a request from the user side PC 40, the service side embeds time information and restriction information of the reference value (time server) at that time in the requested content, automatically creates a content package, and sets a unique hash value. Generated and saved as user information, and the user side PC 40 locates to the DL-capable distribution server 42 and sends the DL address information that changes each time to the DL application under the user environment (invisible to the user), This is a rental content distribution system that permits a user DL with a DL password (see flowcharts of FIGS. 16 and 17). When the download is completely completed, the content package is deleted and the hash value is stored on the user side.

(2) Further, when the requesting use in devices other than the user side PC40 was the first to DL (Download), the control and management software functions of the user-side PC40 (driver program 45), the distribution server 42 The hash value of the content and the restriction information / time information are transmitted, the hash value and the user information are used for authentication, and after ensuring that the content has not been tampered correctly, the remaining usable period of the user side PC 40 is determined from the time information. After calculating and regenerating the content package (also with a new hash value), it locates to the distribution server 42 , conveys the DL password to the user, and the control / management software of the user side PC 40 deletes the stored content. This is a device rewriting system (see the flowcharts in FIGS. 18 and 19) (the same applies to the extension). Also, the user performs re-DL using the received DL password on the required notebook PC or the like.

  FIG. 16 is a flowchart for explaining the operation on the user side and the service side according to (1) of the third embodiment.

  The user-side PC 40 distributes a content distribution request (content name, transmission source address, ID, password, transmission destination address, etc.) to the service side (S81).

  The distribution management server 41 on the service side receives the content distribution request and performs user authentication by comparing with the user information stored in the DB server 44 (S82).

In step S82, the when the user authentication is the delivery management server 41 determines that the OK, the distribution management server 41, after acquiring a reference time from the time server 43, the reference time information to the content, content package hash embedded regulatory information A value is created and distributed to the DB server 44 (S83).

The DB server 44 stores the content package and the hash value in association with the user information (S84).

  Then, the distribution management server 41 distributes the content DL path to the user side PC (S85), and the user side PC 40 receives the content DL path (S86).

Delivery management server 41 of the service side, after the contents DL path distribution, control management software users to locate a content package to accessible address (S87).

On the other hand, the user side PC40 accesses the distribution server 42 by downloading the function of software of the user, it requests the DL to the distribution management server 41 of the service side (S90). Next, the distribution management server 41 on the service side refers to the DB server 44 and distributes the DL path, and then performs DL path authentication determination (S89).

In step S89, if the authentication OK, the distribution server 42 of the service side distributes encrypts DL address to the user (S91).

The user-side PC 40 receives the DL address and decodes this address in a form that is not visible to the user. Then, the hash value is stored in the specific folder, and this hash value is transmitted to the service side (S92). If the hash value is positive, the service-side distribution management server 41 deletes the content package stored in the distribution server 42 as DL completion (S93).

Further, the user-side PC 40 inquires of the time server 43 about time authentication when reproducing the content package (S96).

The user-side PC 40 permits the use of content based on the restriction information after time authentication (S95).

Next, the (2) it will be described with reference to the flowchart of FIG. FIG. 18 is a flowchart for explaining the operation on the user side and the service side in (2) of the third embodiment.

As illustrated in FIG. 18 , the user-side PC 40 transmits a use device change request (user information, hash value, time, restriction information) to the service-side distribution management server 41 (S101).

The distribution management server 41 on the service side receives the request for changing the device to be used from the user side PC 40 (S102), refers to the DB server 44, and performs DB authentication with a hash value that the content package has not been tampered with ( S103).

The authentication result is transmitted to the user PC 40, and the user PC 40 automatically deletes the content package after authentication (S104).

If it is determined in step S103 that the user authentication result is OK, the service-side distribution management server 41 reads the time from the time server 43, calculates the remaining usage time after acquiring this time, and creates a new content package. A new hash value is automatically generated (S105).

The service-side DB server 44 associates and saves the user information, the new content package, and the new hash value (S107).

  Then, the service-side distribution management server 41 distributes the content DL path to the user-side PC 40 (S108). The user side PC 40 receives and stores the content DL path (S109).

The distribution management server 41 of the service side, control and management software users to locate this content package to address accessible after content DL path distribution (S110).

On the other hand, the user side PC40 accesses the distribution server 42 by downloading the function of software of the user, it requests the DL to the distribution management server 41 of the service side (S 111).

  The service-side distribution management server 41 receives the DL request from the user PC side 40 and authenticates the DL request with reference to the DB 44 (S112).

When the determination in step S112 is determined that the authentication OK is encrypts and delivers DL address to the user-side PC 40 (S113).

The user-side PC 40 decodes this DL address in a form that is not visible to the user. After the end, the new hash value is stored in the specific folder, and this new hash value is transmitted to the service side (S114).

The distribution management server 41 on the service side receives this new hash value, and if this new hash value is positive, DL content is completed and the content package stored in the distribution server 42 is deleted (S115).

The user-side PC 40 authenticates the time to the time server when the content package is played after transmitting the new hash value (S116), and permits the use of the content based on the restriction information (S117).

The present invention is effective in the business of renting the recipient's computer in storage or communication network video, music, a book or the like in the storage medium.

Also, to provide document or the like to recipients side, it is effective in the business, such as show a predetermined period.

It is a schematic block diagram of the file data deletion system of this Embodiment 1. It is a schematic block diagram of the computer 3 of a receiver side. It is a flowchart explaining schematic operation | movement by the side of a provider. It is a flowchart for demonstrating the process of FIG. 3 in detail. It is explanatory drawing explaining the relationship between the various time of this Embodiment, and various time. 3 is a flowchart for explaining the operation of the first embodiment. It is explanatory drawing explaining the time limit information written in file data. It is a flowchart explaining the process A of this Embodiment. It is a schematic block diagram of the file data deletion system of this Embodiment 2. It is a schematic block diagram of the computer 31 of a receiver side. 10 is a schematic flowchart for explaining the operation of the computer 30 on the provider side according to the second embodiment. It is explanatory drawing explaining the frequency | count of use written in the header of the file data of this Embodiment. 10 is a flowchart for explaining the operation of a receiver-side computer according to the second embodiment. FIG. 10 is a schematic configuration diagram of a file data deletion system according to a third embodiment. It is a schematic block diagram of the delivery management server and delivery server of this Embodiment 3. It is a flowchart explaining the operation | movement by the side of the user of (1) of this Embodiment 3, and the service side. It is a flowchart explaining the operation | movement by the side of the user of (1) of this Embodiment 3, and the service side. It is a flowchart explaining the operation | movement by the side of a user of this Embodiment 3 and the service side. It is a flowchart explaining the operation | movement by the side of a user of this Embodiment 3 and the service side.

DESCRIPTION OF SYMBOLS 1 Provider computer 3 Receiver computer 6 Timer 7 Data provider time creation unit 8 Transmission file creation unit 10 Encryption unit 12 Timer 13 Driver program unit 16 File open unit 17 Time condition determination unit
26 time stamp writing processor

Claims (2)

File data for deleting the content in which the user terminal (40) and the service site system (41, 42, 43, 44) for transmitting the content to the user terminal (40) are connected by the communication network (4). A deletion system,
The user terminal (40)
A specific directory area is generated, and in this specific directory area, (a) a content package from the system of the content and the service site (41, 42, 43, 44) and having time restriction information; (b) First storage means (46) in which a hash value of the content is stored;
A driver program unit (45) provided between the first storage means (46) and the application unit;
The driver program unit (45)
Means for prohibiting and dedicating access to the specific directory from outside the driver program section (45);
When the user terminal (40) is changed to another user terminal, a change request for changing the user terminal (40) including the user information of the user terminal, the hash value, and the time limit regulation information Means for transmitting to the service site system (41, 42, 43, 44);
When the user terminal (40) is changed to the other user terminal,
Means for receiving a new content package, its new hash value and remaining usable period from the service site system (41, 42, 43, 44) and storing them in the specific directory area of the other user terminal; ,
Access the service site system, extract the time of the time server of the service site system, and based on this time and the new time restriction information of the new content package, the content of the content at the other user terminal Means for permitting use or deleting the content,
The service site system (41, 42, 43, 44)
Second storage means (44) for storing the content package in association with the user information;
Means for reading the time from the time server, calculating the remaining usable period from this time, and generating the new content package embedded with the new time limit information based on the remaining usable period;
Means for associating and storing the new content package and the user information and the new hash value in the second storage means (44);
Means for transmitting the new content package, the new hash value to the other user terminal (40);
When the new hash value is received from the other user terminal (40), if the new hash value is positive, it is determined that the download of the new content package is completed, and the system (41, 42) of the service site is determined. 43, 44) and a means for deleting the new content package stored in the distribution server (42). The time limit information is
File data deletion system of claim 1, wherein the specified date to delete the content and elapsed time of receipt, and Ru 1 or more information Der chosen from among open elapsed time.

Images