JP4653457B2 - Security server, document security management system, and document security management method - Google Patents

Description

  The present invention relates generally to information security maintenance management, and more particularly, to a document security management technology capable of maintaining and managing information security even in an environment where information is converted into electronic data and hard copy by a scanner, a copier, a facsimile, or the like. .

  In recent years, there has been an increasing interest in how to ensure the security of information assets regardless of whether individuals or companies. The reasons behind this include security holes and computer virus problems, the need for confidential management of customer information, and the desire to strengthen the management and operation system of information systems. With regard to standardization related to information security, many standards such as ISO15408, ISO17799, BS7799, and ISMS have been established, and in general offices, security policies are being established and information security management is being implemented.

  For example, the handling policy regarding document security is defined as “document security policy”, and based on this policy, the development of “policy-based document security system” that operates document systems and various devices in a coordinated manner and performs consistent document management. Has been done.

  The policy can be described in the rule table as a series of rules. A system that maintains and manages the security of documents in the domain can be considered by installing in the domain a server that centrally manages security related to document creation and copying using a rule table. Management is performed based on a document ID assigned to a document and a user attribute registered in advance.

  Regarding the management of electronic documents created by a word processor or the like, it is possible to issue and manage protected documents by assigning IDs to each electronic document and encrypting them. IDs and attributes of electronic documents are managed as profiles. Then, policy-based document security management is realized by inquiring the access authority to the security server using a dedicated program for opening the electronic document.

  On the other hand, with respect to information management on a hard copy (paper document), an ID is given when printing image data, this ID is embedded in the image, and printed out together with the image data. Image data IDs and information embedded during printing are also managed as profiles. When the reproduced print medium is read by scanning, copying, etc., the printed ID is read, and the security authority is inquired based on the read ID, thereby realizing policy-based information security management. .

  FIG. 1 shows an example of a profile managed by the security server. Corresponding to the unique document ID, an attribute file representing the attributes of the electronic document and embedding information that is embedded at the time of printing and output together with the image are defined. In the attribute file, for example, document security attributes, document categories, document security levels, and the like are recorded. The embedding information is composed of, for example, image related information in a bitmap format or JPEG format, and includes a print ID that is embedded at the time of print output.

  When exchanging documents between multiple domains with different document security policies, it is possible to apply the above-mentioned policy-based document security management as it is by describing the inquiry destination of the document security policy for electronic documents. it can.

  However, for paper documents, it is impractical to embed a document security policy inquiry destination in an image due to differences in information embedding formats, limitations on printing space and reading means, and the like.

Thus, it has been proposed to set up a TTP (Trusted Third Party) that controls a plurality of domains and to set a general security policy for the TTP (see, for example, Patent Document 1). For access across domains, TTP determines access authority and performs security management in an open distributed environment.
JP-A-7-141296

  However, it is not easy to set the overall security policy, and even if it can be set, the situation where the authority for access determination must be transferred to an external organization is not desirable.

  Even if document management is properly performed within a domain or between different domains using the above-described conventional security server or TTP system, if a document is used beyond the security range planned by the system. , Security is compromised at that time. For example, when a document printed from a protected electronic document is repeatedly used for copying, scanning, facsimile transmission, or the like, it is difficult to track whether security is maintained.

  In addition, there is a possibility that the ID information embedded in the image (or document) may be falsified, and the ID itself may be deteriorated or altered due to repeated copying, which causes a problem that accurate ID information cannot be read.

  Accordingly, an object of the present invention is to provide a document security management system capable of tracking security maintenance and management status even when printing, copying, and the like are repeated.

  It is another object of the present invention to provide a document security management system that can easily maintain and manage security between different domains without transferring the access determination authority to the outside.

  Another object of the present invention is to provide a document security management system using an identifier that is difficult to tamper with and has excellent resistance to copying.

In order to achieve the above object, according to a first aspect of the present invention, a security server connected to an image forming apparatus via a network is provided. Security server
(A) a first profile management table for recording a profile of the electronic document when the electronic document is generated by the image forming apparatus;
(B) a second profile management table that records a profile of the print document in association with an ID of a document from which the print document is derived when the print document is generated by the image forming apparatus;

  For example, when an electronic document is generated with an arbitrary print document as a derivation source, the first profile management table records the profile of the electronic document in association with the ID of the arbitrary print document that is the derivation source. .

  Alternatively, when a print document is generated with an arbitrary electronic document as a derivation source, the second profile management table records the ID of the arbitrary electronic document as a derivation source ID of the print document in the profile of the print document. To do.

  When a print document is generated using an arbitrary print document as a derivation source, the second profile management table records the ID of the arbitrary print document as a derivation source ID of the print document in the profile of the print document.

  As described above, each time a new document is generated by the image forming operation, a profile is generated in association with information on a document from which the generated document is derived. When the generated document is an electronic document, the first profile is generated. When the generated document is a print document in the management table, it is registered in the second profile management table. This facilitates document tracking and maintains security.

  According to a second aspect of the present invention, there is provided a document security management system including an image forming apparatus and a security server connected to the image forming apparatus via a network. In the document security management system, when an electronic document is generated by the image forming apparatus, the security server generates a first profile management table that records a profile of the generated electronic document, and a print document is generated by the image forming apparatus. A second profile management table for recording the profile of the print document in association with the ID of the derivation source document. When outputting the print document, the image forming apparatus embeds a new print ID in the print document and prints it.

  According to such a system, every time an electronic document or a print document is generated, the profile of the generated document is managed in an individual profile management table in association with the information of the document that is the derivation source. Therefore, even when an illegal image forming operation is performed, security tracking for each document is facilitated.

  Regardless of the type of document, security is maintained uniformly, and the user or administrator can easily track the security status of each job.

  DESCRIPTION OF EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.

  FIG. 2 is a diagram showing a schematic configuration of a document security management system according to an embodiment of the present invention. The document security management system includes a security server 3, a printer 1 and a multifunction machine 2 as image forming apparatuses, and a personal computer (PC) 5 that generates an electronic document (including characters and / or images). Further, if necessary, a document server 19 for storing and managing the generated electronic document may be provided. These devices are connected to each other via the network 4.

  The security server 3 manages documents generated and transmitted / received by the printer 1, the MFP 2, the PC 5, and the like in the domain. The security server 3 individually manages document information as electronic data and document information as printed matter. Specifically, a document profile management table 15 for managing electronic documents and a print profile management table 16 for managing printed and copied paper documents (physical documents such as hard copies) are separately provided.

  The electronic document generated by the PC 5 is printed out from the printer 1 or the multifunction device 2. When the multifunction device 2 has different image forming applications such as a printer, a copier, a scanner, and a facsimile, and functions as a printer, it prints out electronic data received from the PC 5 or another facsimile (not shown) on paper or the like. . When functioning as a copier, image data read from a print medium such as paper or a photograph is reproduced on the paper medium. When functioning as a scanner or a facsimile transmitter, image data (electronic data) read from a document is transmitted to a predetermined transmission destination.

  The printer 1 includes a print ID generation unit 10 that generates a print IP for identifying a print job when electronic data is printed on paper or the like. As the print ID, an arbitrary identifier such as a numeral, a sign, a barcode, or a QR code can be used. In the embodiment, a two-dimensional code is used as an example. As will be described later, the two-dimensional code is composed of, for example, a minute dot pattern, and prints the print ID of the dot pattern together with the image data when electronic data is printed out.

  When the multifunction device 2 functions as a printer, copier, or facsimile receiver, that is, when electronic data is reproduced and output onto a medium such as paper, a print ID is assigned to each job as in the printer 1. Conversely, when functioning as a scanner or a facsimile transmitter, that is, when generating electronic data from a paper medium, the print ID attached to the document is read and identified. Therefore, the multifunction machine 2 includes a print ID generation unit 10 and an identifier acquisition unit 11.

  In the embodiment, the printer 1 and the multifunction peripheral 2 are, for example, electrophotographic image forming apparatuses, but the present invention is not limited to this example. Further, the print ID does not necessarily have to be generated on the image forming apparatus side such as the printer 1 or the multifunction machine 2, and may be generated by the security server 3 or a client application of the PC 5. The generation of the print ID will be described later. In FIG. 2, for simplicity of illustration, one printer 1 and one multifunction device 2 are illustrated, but a plurality of printers 1 and multifunction devices 2 may be connected via the network 4.

  The security server 3 includes a document ID generation unit 12, a storage unit 13, an identifier search unit 14, and a print ID generation unit 17. The document profile management table 15 and the print profile management table 16 described above are stored in a part of the storage unit 13 and individually manage information as an electronic document and information as a paper document. Here, the paper document is a generic name for physical documents output on an arbitrary medium by printer output, copying, facsimile reception, or the like. The document ID generation unit 12 assigns a document ID every time the PC 5 creates a new electronic document, or every time the multifunction device 2 scans a document or the like and newly generates electronic data. The storage unit 13 stores information received from the printer 1, the MFP 2, and the PC 5, and writes necessary information in the document profile management table 15 and the print profile management table 16 as necessary. The identifier retrieval unit 14 retrieves a document ID and a print ID from the document profile management table 15 and the print profile management table 16. An optional print ID generation means 17 issues a print ID in place of the image forming apparatus (printer 1, multifunction device 2) when printing or copying is performed.

  Although not shown, the storage unit 13 stores a rule table created based on the security policy. The rule table describes a certain rule that serves as a criterion for determining whether to permit (including processing such as reading and editing) access to a document managed in the domain. For example, what level of user is allowed to access what security level of a document. The storage unit 13 may also store a user DB (not shown) in which user information such as a user name, affiliation, and level is recorded.

  FIGS. 3A and 3B are diagrams respectively showing configuration examples of the print profile management table 16 and the document profile management table 15 that the security server 3 has.

  As shown in FIG. 3A, the print profile management table 16 stores each paper document in association with the ID of the derivation source that caused the paper document to be generated. Record the history of whether or not Specifically, for a paper document such as a hard copy, a unique print ID is assigned to each job, and the print attribute information 16a of the job is recorded in association with it. The print ID, the print attribute information 16a, the security attribute includes the category to which the paper document belongs (confidential document, technical document, general document, etc.), the zone to which it belongs (laboratory, office, development department, etc.), security level ( High, Medium, Low, etc.).

  Then, the derivation source electronic document or paper document ID that is the source from which the paper document is generated is associated as the derivation source ID 16b. For example, if a paper document is output by the printer function of the printer 1 or the multifunction device 1 in response to a print request from the PC 5, the ID of the document file created by the PC 5 becomes the derivation source ID. Further, if this paper document is duplicated by the copy function of the multifunction machine 2, the print ID given to the original document becomes the derivation source ID.

  If there is further data or a document that is the source of the latest derivation source ID 16a, the derivation source ID 16b is linked. Hereafter, if there is a derivation source, it will be linked to the upstream one by one. This makes it possible to trace back the usage status of the document.

  Similarly, as shown in FIG. 3B, the document profile management table 15 associates each generated electronic document with the ID of the derivation source that caused the electronic document to be generated. Record the history of how it was generated. Specifically, a unique document ID is given to each generated document file, and attribute information 15a of the document is recorded in association with it. The document attribute information 15a includes, as security attributes of an electronic document, a category to which the electronic document belongs (confidential document, technical document, general document, etc.), a zone to which the electronic document belongs (laboratory, office, development department, etc.), security level (High, Medium, Low, etc.).

  If there is a derivation source document from which the electronic document is generated, the derivation source document ID is recorded in association with the derivation source ID 15b. For example, when an electronic document is generated from a paper document by the scanner function of the multifunction device 2, the print ID assigned to the scanned paper document (original 1) is entered as the derivation source ID 15b.

  If there is further source data or document for the latest derivation source ID 15b, the derivation source ID 15c is described. For example, if the scanned document 1 is output by the printer function of the printer 1 or the multifunction device 2 in response to a print request from the PC 5, the document ID of the original electronic data is further derived backward. It is described as ID15c. If the scanned document 1 is duplicated by the copy function of the multifunction machine 2, the print ID assigned to the original document 2 is described as the derivation source ID 15c. If there are more previous derivation sources, they are linked sequentially upstream.

  In this way, each time an image is reproduced on the print medium by the image forming function (copying, printing, etc.) of the printer 1 or the multifunction device 2, a print ID is given. It is added to the print profile management table 16 of the security server 3.

  On the other hand, each time an electronic document is generated by the image forming function (scanning or the like) of the PC 5 or the multifunction device 2, a document ID is given, and this document ID together with derivation source information is stored in the document profile management table 15 of the security server 3. To be added. Regardless of whether there is an inquiry based on either the print ID or the document ID, the history is grasped, and the tracking becomes easy. As a result, the security judgment can be made accurately.

  FIGS. 4A and 4B are diagrams showing examples of detailed information described in the print profile management table 16 and the document profile management table 15, respectively.

  As shown in FIG. 4A, the print profile management table 16 includes, for each print ID, the date and time when the job (copying, printer output, etc.) occurred, the processing function (copy function, printer function, etc.) that generated the job. The user ID of the user who performed the process, the device ID that performed the job, and the like are described.

  Similarly, as shown in FIG. 4B, the document profile management table 15 includes, for each document ID, the date and time when the electronic document was generated, the processing means (new document creation, scanner function, etc.) that generated the electronic document, The user ID of the user who performed the processing, the device ID that generated the electronic document, and the like are described.

  With this detailed information, the history of electronic data and hard copy can be grasped in detail, and the document can be traced more easily.

  FIG. 5 is a diagram illustrating an example of an access log in which an access request to the security server 3 is recorded. As described above, every time an image forming operation such as printing, copying, or scanning by the printer occurs, the security server 3 is connected to the document profile management table 15 or the print profile management table 16 from the image forming apparatus on the network. Access occurs. Recording an access log to the security server 3 facilitates document security management and tracking.

  In the example of FIG. 5, each time a log is generated, the log generation date, processing means, user ID that performed the process, device ID that requested the log, and the like are recorded in association with the document ID or print ID to be added. By using such an access log record together with the detailed information shown in FIG. 4, even if a document leaks out of the rules in the policy-based document security system, who, when and by what means and which device Thus, it is possible to determine specifically whether the document has been reproduced.

  FIG. 6 is a diagram showing how the derivation source ID of the profile changes. For example, when the electronic document 0 is generated by a word processor, a document ID (D00138295) is assigned. When this electronic document is printed by a printer, a print ID (P054729831 is assigned and a paper document 1 is generated. On this paper document 1, an ID pattern representing a print ID is printed together with an image. The origin of 1 is electronic document 0, and the document ID of electronic document 0 is recorded in the profile of paper document 1.

  When the paper document 1 is scanned and the electronic document 2 is generated, another document ID is assigned. The derivation source of the electronic document 2 is the paper document 1 and the electronic document 0 in ascending order. When the electronic document 2 is further printed by the printer, a new print ID is given and a paper document 3 is generated. An ID pattern corresponding to a new print ID is printed on the paper document 3. Hereinafter, as the conversion of the image into electronic data and hard copy are repeated, a new document ID or print ID is assigned, and the derivation source ID is added.

  When an electronic document is generated, the corresponding document ID is recorded in the document profile management table 15 of the security server 3 together with the derivation source ID. When a paper document is generated, the corresponding print ID is recorded in the print profile management table 16 of the security server 3 together with the derivation source ID. Therefore, even if different types of image forming operations are repeated as shown in FIG. 6, the document can be tracked and the security of the document can be maintained.

  7A to 7C are sequence diagrams showing profile processing during printing performed in the document security management system of FIG.

  In FIG. 7A, a print ID pattern (for example, a two-dimensional code) is generated by the security server 3. When the security server 3 receives the document ID together with the print request from the client application such as the PC 5 (S101), the security server 3 searches the document profile management table 15 to check whether the derivation source ID information is described in the corresponding document profile. (S102). If there is derivation source ID information, the ID information is added to the print profile to generate a print profile, and the print profile management table 16 is updated (S103). If there is no derivation source ID information in the corresponding document profile, a print profile is generated using only the document ID as the derivation source ID, and the print profile management table is updated (S103).

  Thereafter, a print ID pattern is generated (S104), the ID pattern is registered in the print profile management table 16 as necessary (S105), and the print ID pattern is notified to the client application (S106). The client application superimposes the received ID pattern on the print data and transmits it to the printer 1 to make a print request (S107). The printer 1 prints out the received print data (S108), and notifies the client application of the result (S109).

  In FIG. 7B, the print ID pattern is generated by the client application. The security server 3 searches the document profile management table 15 in response to a print request from the client application, generates a print profile, and updates the print profile management table (S111 to S113). The security server 3 notifies the client application of the print ID assigned to the print profile (S114). The client application generates an ID pattern corresponding to the print ID (S115), and when registering the ID pattern itself in the print profile, transmits the generated ID pattern to the security server (S116). In this case, the security server 3 searches the print profile, registers the ID pattern, and notifies the client application of the result (S117 to S119).

The client application superimposes the generated ID pattern on the print data and transmits it to the printer 1 to make a print request (S120). The printer 1 prints out the print data together with the ID pattern (S121), and notifies the client application of the result (S122). The print request (S120) and optional ID pattern registration (S118) may be mixed.

  In FIG. 7C, the print ID pattern is generated by the printer 1. The security server 3 searches the document profile management table 15 in response to a print request from the client application, generates a print profile, and updates the print profile management table (S131 to S133). The security server 3 notifies the client application of the print ID assigned to the print profile (S134).

  The client application transmits the print ID received from the security server 3 to the printer 1 together with the print data (S135). The printer 1 generates an ID pattern corresponding to the print ID (S136), prints out the print data together with the ID pattern (S141), and notifies the client application of the result (S142). When registering the generated ID pattern in the print profile, the ID pattern is transmitted to the security server 3 (S137). The security server 3 searches the print profile, registers the ID pattern, and notifies the printer 1 of the result. ID pattern registration (S137 to S140) and print output (S141) may be mixed.

  8A to 8C are sequence diagrams showing profile processing during scanning performed by the document security management system of FIG.

  In FIG. 8A, the print ID is extracted by a scanner (scanner function of the multifunction machine 2). First, a paper document is scanned by a scanner (S201), a print ID is extracted from the read ID pattern (S202), and the ID pattern is removed from the read image data as necessary (S203). Then, the extracted print ID is notified to the security server 3 (S204).

  The security server 3 searches for a print profile corresponding to the print ID (S205), and if there is derivation source ID information in the corresponding print profile, generates and registers a document profile including the derivation source ID information. If there is no derivation source ID information in the corresponding print profile, a document profile with the received print ID as the derivation source ID is generated and registered (S206). The scanner notifies the scanner of the document ID assigned to the generated document profile (S207).

  The scanner transmits the read data and the document ID to the document server 19 (S208). The document server 19 stores the received data in association with the document ID (S209), and notifies the scanner of the result (S210).

  Note that the removal of the ID pattern (S203) is not necessarily performed by a scanner, and may be performed by a printer when electronic data obtained by scanning is printed by a printer or the like, for example.

  In FIG. 8B, the security server 3 extracts the print ID. The paper document is scanned by the scanner (S221), and the read electronic data is transmitted to the security server 3 (S222). The security server 3 extracts the print ID from the received data (S223), and removes the ID pattern from the data as necessary (S224). Further, a print profile corresponding to the print ID is searched (S225), and if there is derivation source ID information, the derivation source ID information is added to the print ID extracted this time to generate a document profile, and the derivation source ID is If not, a document profile is generated using the extracted print ID as a derivation source ID (S226). Then, the document ID given to the generated electronic document is sent to the scanner (S227). The scanner transmits the read data and the document ID to the document server 19 (S228). The document server 19 stores the electronic data in association with the document ID (S229), and notifies the scanner of the result (S230).

  In FIG. 8C, the print ID is extracted by the document server 19. The paper document is scanned by the scanner (S241), and the scanned data is transmitted to the document server 19 (S242). The document server 19 extracts the print ID from the received data (S243), and removes the ID pattern from the received data as necessary (S244). The document server 19 also notifies the security server 3 of the extracted print ID (S245). The security server 3 searches for a print profile corresponding to the print ID (S246), and if there is derivation source ID information in the corresponding print profile, generates a document profile including the derivation source ID information. If there is no derivation source ID, a document profile is generated using the extracted print ID as the derivation source ID (S247). The security server 3 notifies the document server 19 of the document ID given to the document profile (S248). The document server 19 stores the read data in association with the received document ID (S249) and notifies the scanner of the result (S250).

  9A and 9B are sequence diagrams showing profile processing during copying performed in the document security management system of FIG.

  In FIG. 9A, the ID pattern processing is performed by the copier (or the copy function of the MFP 2). The paper document is read by the copier (S301), the print ID is extracted from the read data (S302), and the ID pattern is removed from the read data (S303). Then, the extracted print ID is notified to the security server 3 (S304).

  The security server 3 searches for a print profile corresponding to the extracted print ID (S305), and if there is derivation source ID information in the print profile, generates a new print profile including the derivation source ID information. If not, a print profile with the extracted print ID as a derivation source ID is generated (S306). Then, the print ID corresponding to the generated print profile is notified to the copier (S307).

  The copier generates an ID pattern corresponding to the new print ID (S308), and notifies the security server 3 of the print ID and the ID pattern (S309). The security server 3 registers this ID pattern in the corresponding print profile (S310, S311) and notifies the result to the copier (S312). The copier prints out the newly generated ID pattern by superimposing it on the read image information (S313).

  In FIG. 9B, the security server 3 performs ID pattern processing. The copier reads a paper document and transmits the read image data to the security server 3 (S321, S322). The security server 3 extracts the print ID from the received data (S323), and notifies the extracted print ID to the copier (S324). The copier removes the ID pattern of the print ID. The security server 3 searches for a print profile corresponding to the extracted print ID (S326), and if there is derivation source ID information, generates a new print profile including this (S327). Also, an ID pattern of a print ID corresponding to the generated print profile is generated and registered (S328, 329). The generated ID pattern is transmitted to the copier (S330). The copier prints out a new ID pattern superimposed on the read image data (S331).

  As described above, whenever a job such as copying, scanning, or printing is performed, a print ID or document ID is assigned to a newly generated paper document or electronic document, and is recorded together with the derivation source ID information.

  FIG. 10 is a diagram illustrating an example in which the document security management system according to the above-described embodiment is applied to a plurality of domains. In the first security domain 50A, document security management based on the first security policy is performed using the first security server 3A. The security server 3A has a document profile management table 15A and a print profile management table 16A. The multifunction machine 2A is connected to the security server 3A via a network (not shown). The multifunction machine 2A has an identifier acquisition unit 11A.

  In the second first security domain 50B, security management of documents based on the second security policy is performed using the second security server 3B. The security server 3B has a document profile management table 15B and a print profile management table 16B. The multifunction machine 2B is connected to the security server 3B via a network (not shown). The multifunction machine 2B has an identifier acquisition unit 11B.

Assume that the paper document 22 is printed by the printer (multifunction machine) 2A of the first domain 50A. The printer 2, you notify the security server 3A (ID pattern if the necessary) granted print ID on the paper document 22. The security server 3A generates a print profile including the document ID from which the printed paper document 22 is derived, and adds it to the print profile management table 16A .

  The user 200 copies the paper document 22 generated in the first domain 50A with the copier (multifunction peripheral) 2B in the second domain 50B having a different security policy (arrow (1)). The copier 2B requests authentication from the security server 3B based on the read print ID (arrow (2)). The security server 3B receives system authentication and user authentication by the authentication server 20 (arrow (3)), and confirms the domain to which the paper document 22 belongs by the location management server 30 (arrow (4)).

When it is determined that the paper document 22 belongs to the domain 50A, the copier 2B inquires of the security server 3A of the first domain 50A whether or not a copy job may be performed (arrow (5)). If permitted, the extracted print ID is transmitted to the security server 3A. The security server 3A searches the print profile corresponding to this print ID and returns the derivation source ID information (arrow (6)). Copier 2B sends a derivation source ID information to the security server 3B, the security server. 3B generates a new print profile including derivation source ID information is added to the print profile management table 16 B. Then, the corresponding print ID is transmitted to the copier 2B (arrow (7)). The copier 2B prints the image information of the paper document 22 by superimposing the print ID ID pattern.

  FIG. 11 is a diagram showing a processing sequence between the domains described above. In the sequence diagram of FIG. 11, the processing after the arrow (2) in FIG. 10 is shown.

  In response to the copy request from the user 200, the copier 2B sends an authentication request to the security server 3B (S411). The security server 3B sends an authentication request for the system of the domain 50B to the authentication server 20 common to the domains (S412). Upon confirming the requested copier 2B, the authentication server 20 issues a system ticket to the security server 3B (S413). The security server 3B sends a system ticket to the copier 2B (S414).

  Next, the copier 2B makes an authentication request for the user 200 to the security server 3B (S415). The security server 3B transmits the user attribute of the user 200 to the authentication server 20 and makes a user authentication request (S416). When the user authentication is completed, the authentication server 20 issues a user ticket to the security server 3B (S417). The security server 3B sends the user ticket to the copier 2B (S418).

  Next, the copier 2B makes a session start request to the security server 3B using the system ticket (S419), and the security server 3B sends a session ID “A” to the copier 2B (S420).

  The copier 2B scans the paper document 22 to read the image, extracts the print ID, and removes the ID pattern (S421). Then, using the session ticket and the session ID, a location request is sent to the security server 3B together with the extracted print ID (S422). The security server 3B inquires the location management server 30 in which domain the extracted print ID is managed (S423). The location management server 30 identifies the domain 50A based on the print ID and notifies the security server 3B (S424). The security server 3B notifies the location to the copier 2B (S425).

  The copier 2B makes a session start request to the security server 3A of the domain 50A (S426). The security server 3A issues a session ID “B” to the copier 2B (S427). The copier 2B requests permission of copying using the session ID “B” and the user ticket (S428).

  The security server 3A determines whether copying is permitted or prohibited, and if permitted, the condition is determined with reference to a rule table (not shown), and the determination result is notified to the copier 2B (S429). If copying is permitted, the copier 2B sends the extracted print ID to the security server 3A (S430). The security server 3A searches the print profile management table 15A for a print profile corresponding to this print ID (S431), and notifies the derivation source ID information to the copier 2B (S432).

The copier 2B sends the received derivation source ID information to the security server 3B of the domain 50B (S433). The security server 3B generates a new print profile including the derivation source ID information (S434), generates an ID pattern, and transmits this to the copier 2B (S435, S43 6 ). The copier 2B prints out the ID pattern superimposed on the image data read from the paper document 22. The copied paper document is given a new print ID, and is managed in association with the derivation source ID information.

  In this way, the document security can be maintained because it is possible to trace back the process of digitization and hard copy of a document even between domains of different security policies.

  Finally, a print ID assigned to a paper document in the embodiment of the present invention will be described.

  As described above, a two-dimensional code is used as an example of an ID pattern representing a print ID. The two-dimensional code is printed in 2 × 2 units of the minimum dots of the printer 1 (or the print function of the multifunction device 2). In the case of a 1200 dpi printer, the minimum diameter of the printer is 21 μm, so the diameter of a two-dimensional code dot is 42 μm. Dot placement positions are determined at intervals of 6 pixels in the horizontal and vertical directions.

  Even when dots are present at all positions, the dot area ratio is 2.8%, and even if a dot gain of about 50% is expected, it is less than 5%. Do not be disturbed by the dots to make the document difficult to see.

  In general, when an identifier is attached to a paper document that requires security considerations, it is not desirable that the identifier be easily separated from the information content recorded in the paper document and altered. Further, when document data is reproduced as a hard copy, the identifier printed on the sheet must maintain the function as an identifier, and resistance to copying is necessary. Furthermore, if it can be recognized at a glance that a certain code is attached to the paper document, an effect of suppressing an image forming action that violates the rule can be expected. The print ID attached to the paper document needs to satisfy such requirements.

12 and 13 are diagrams showing a two- dimensional code composed of a dot pattern used in the embodiment of the present invention.

  As shown in FIG. 12, the two-dimensional code 100 is composed of fine dots 110 that are visible. Since the dots 110 are printed on a paper document together with image information such as text and pictures, it is difficult to take out and erase only the two-dimensional code 100.

  The two-dimensional code 100 may include an error correction code. In addition, it is effective to use a redundant arrangement in which the same two-dimensional code is repeatedly arranged, since it can be restored even if some of the dots have disappeared. For security reasons, it is also possible to prevent the decoding of the two-dimensional code by inserting a noise component at a predetermined pixel position.

  As shown in FIG. 13, one two-dimensional code 100 is represented by a dot pattern printed in an area composed of 8 × 12 cells 101. One dot is printed in one cell 101 with 6 × 6 pixels of one cell as a unit. The area (A) forms a frame 102 of the two-dimensional code 100, and dots are always printed. The area (B) represents the upper end and lower end of the two-dimensional code 100, and dots are always printed in the three consecutive cells at the upper end, and dots are not always printed in the two adjacent cells at the lower end.

Cells 101 to which numbers 1 to 48 are assigned are cells constituting an identifier and an error correction code, and cells 101 in which N is described are cells into which noise components are inserted. In the odd-numbered cell 101, in order from the higher- order bit of the identifier, a dot is printed if the bit is “1”, and no dot is printed if the bit is “0”. In the even-numbered cell 101, in order from the upper bit of the error correction code, if the bit is “1”, a dot is printed, and if the bit is “0”, no dot is printed.

  In the cell 101 in which N is written, it is determined whether or not to print a dot by a random number. However, when dots are printed in all the other cells in the row and column in which N is written, they are not printed in order to distinguish them from the frame 102 of the two-dimensional code. For example, since dots are printed in all the cells 101 in the upper end area (A), when all the cell identifiers of the numbers 1 to 3 and the bits of the error correction code are “1”, N in the same row At least one of these is not always printed without waiting for a decision with a random number.

  In the present embodiment, a rectangular area defining one two-dimensional code 100 includes 96 cells 101, and 96 dots can be printed. Among the 96, 19 dots forming the frame 102 of the two-dimensional code, 3 dots indicating the upper end of the two-dimensional code, 2 dots indicating the lower end, 24 dots (24 bits) indicating the identification magazine, 24 dots indicating the error correction code (24 bits), 24 dots indicating noise components. By using Reed-Solomon codes for error correction, 12 bits out of 48 bits can be restored.

  In the document security management system according to the present embodiment, 40 × 40 two-dimensional codes 100 composed of dot patterns are formed in the image forming area of one sheet, and the two-dimensional code 100 is read by the identification magazine acquisition unit 11. The read two-dimensional codes 100 are respectively compared, and the dot pattern having the largest number is set as a correct two-dimensional coat ID pattern.

  Next, at the time of copying, the original print ID is erased from the image data obtained by scanning a paper document on which the dot pattern is printed, and the dot pattern of the new print ID is printed and output. The update process will be described.

  A paper document is scanned to detect the position of each dot in the dot pattern. Since the frame 102 of the two-dimensional code is fixed, the position of the frame can be accurately captured. Therefore, the positions of the dots constituting the identifier and the error correction code are detected fairly accurately based on the position of the frame 102. it can.

  An operation according to the rule shown in FIG. 14 is performed on the dot position thus detected. That is, for cells in which dots are actually printed on a paper document, the cells that need to be dotted even with an ID pattern representing a new print ID are not changed. Cells that do not need to be dotted with a new ID pattern are whitened. On the other hand, for cells in which dots are not printed on a paper document, cells that need to be dotted with a new ID pattern are made black. No change is made for cells that do not require dots.

  When such processing is performed, it is possible that dots overlapped with characters, figures, etc. printed on a paper document are white and the image is deteriorated. However, the area ratio is the same ratio (up to about 2%) as the black dots on the original white background. Further, the probability that white is required is 0.5 × (total number of dots of identifier and error correction code) / (total number of dots of two-dimensional code) = 0.5 * (24 + 24) / 96 = 0.25. Therefore, in the area ratio, the ratio of white dots shown in the entire document is about 0.5%. Therefore, in a paper document in which the ratio of black paper is low (the black ratio is about 6% to 20%), there is almost no problem.

Next, a method for tracking a document from a print ID extracted from a paper document will be described. By searching the print profile management table 16 shown in FIG. 3 (a), and the print attribute information, it is clear derivation source ID information. The paper document currently being processed is often the most downstream derivative document, and the document can be traced back by referring to the print profile management table 16 .

For example, when a paper document to be tracked is found in a place other than the security-managed domain, the derivation source ID described in the print profile management table 16 is traced upstream, and FIG. By referring to the detailed information and the access log record shown in FIG. 5, it is possible to specify the ID of the user who brought the document (in the state of an electronic document or paper document) out of the domain.

A document can also be tracked from the document ID. If the file of the electronic document is encrypted, the document ID attached to the electronic document can be extracted by decrypting the file with software for decrypting the file. Figure 3 searches the document profile management table (b), by referring to the document attribute and derived based on the ID information, allowing tracking.

  FIG. 15 is a diagram for explaining another example of reading a two-dimensional code as a print ID attached to a paper document. In the example of FIG. 15, among a paper document on which a two-dimensional code composed of dot patterns is printed, one dot pattern that is clearly printed is surrounded by a marker, for example, and the two-dimensional code 120 surrounded by the marker is scanned by a scanner. Read with.

  The color of the marker may be a predetermined color or may be designated when scanning. Any color that can be recognized by the scanner and that is not included in the paper document can be used.

  An area surrounded by markers is extracted from the scanned data. For example, the pixel value is raster-scanned from the upper left to the lower right of the image, and the position where the marker color is recognized is the upper left 121 of the area. Again, the pixel value is raster scanned from the lower right direction to the upper left direction, and the position where the color of the marker is recognized is set as the lower right 122 of the region. A dot pattern is extracted from the area specified by the upper left position 121 and the lower right position 122.

  This method requires manual work when enclosing with markers, but it can extract the two-dimensional code more accurately than the method that automatically reads all the dot patterns and determines the most patterns as the two-dimensional code. Can do.

FIG. 16 is a diagram illustrating an example of an input interface for inputting dots on a paper document on a screen. On the screen, the dot pattern is decoded and displayed. On the display screen 130, a lattice area defining a cell 140 corresponding to the dot arrangement of the two-dimensional code pattern is set. Each cell 140 is an input unit for inputting the presence / absence of a dot. The uppermost row and the leftmost column are fixed input portions indicating a frame of a two-dimensional code, and black circles are always input. Three cells in the horizontal direction in the second column from the top are fixed input portions indicating the upper end side of the dot pattern, and black circles 141 are always input thereto. Therefore, the presence / absence of dots is input using cells other than these fixed input portions.

  The clear button 132 is a button that is used when input is restarted from the beginning. When the clear button 132 is clicked, cells other than the fixed input portion are initialized, and, for example, a dotless state is obtained.

The decode button 133 is a button used when the input dot pattern is decoded and a print ID is extracted. When the decode button 133 is clicked after all the dots are input, the print ID is extracted and the decode result is displayed in the decode result window 134.

  If you left-click the mouse in each cell, you can toggle the status of doted (black circle), no dot (no mark), and indeterminate (question mark). Further, when the user right-clicks, each state may be selected from a pull-down menu. As for the indeterminate state, a question mark may not be input, and a state with dots or without dots may be set.

  The dot input result may be displayed in the upper right window 131 of the display screen 130 in a state close to actual printing.

  A method for specifying a print ID as a two-dimensional code from the input dot pattern will be described. The input “with dot”, “without dot”, and “indeterminate” are applied to the bits of the corresponding code. At this time, “1” indicates that there is a dot and “0” indicates that there is no dot. For uncertainties, each of the test code set to “0” and the test code set to “1” is decoded, and the most successful decoding is determined as the ID.

  In addition, when 12 dots or less capable of error correction are designated as indeterminate among 48 dots excluding the noise component, the probability that the decoded one is correct is 100 if it is assumed that all other than indeterminate are correct. %. Therefore, it is necessary to carefully determine an upper limit value between 0 dots and 12 dots in consideration of errors other than those designated as indeterminate.

It is a figure which shows an example of the profile managed with the conventional security server. 1 is a schematic configuration diagram of a document security management system according to an embodiment of the present invention. It is a figure which shows the example of the print profile management table and document profile management table which a security server has. 6 is a diagram illustrating an example of detailed information recorded in a print profile management table and a document profile management table. FIG. It is a figure which shows the example of the access log recorded on a security server. It is a figure which shows a mode that the derivation source of a profile changes with the flow of image formation operation | movement. FIG. 7 is a profile processing flow at the time of printing (No. 1) and is a diagram illustrating an example in which a print ID pattern is generated by a security server. FIG. 10 is a profile processing flow at the time of printing (part 2), and illustrates an example in which a print ID pattern is generated by a client application. FIG. 10 is a profile processing flow at the time of printing (part 3), and illustrates an example in which a print ID pattern is generated by a printer. FIG. 9 is a profile processing flow at the time of scanning (part 1), and illustrates an example in which a print ID is extracted by a scanner. FIG. 10 is a profile processing flow at the time of scanning (part 2), and illustrates an example in which a print ID is extracted by a security server. FIG. 10 is a profile processing flow at the time of scanning (No. 3) and is a diagram illustrating an example in which a document server extracts a print ID. It is a profile processing flow at the time of a copy (the 1), and is a figure which shows the example which processes ID pattern by a copier. It is a profile processing flow at the time of copying (the 2), and is a figure which shows the example which processes an ID pattern in a security server. It is a figure which shows the example which applied the document security management system of embodiment of this invention to multiple domains. It is a document management sequence diagram in a plurality of domains. It is a figure which shows an example of the two-dimensional code used as ID pattern in embodiment of this invention. It is a figure which shows the cell arrangement example of a two-dimensional code. It is a figure for demonstrating the update method of a dot pattern. It is a figure which shows the example which scans a two-dimensional code. It is a figure which shows the decoding display screen of a dot pattern.

Explanation of symbols

1 Printer 2 MFP 3 Security Server 4 Network 5 PC
DESCRIPTION OF SYMBOLS 10 Print ID generation means 11 Identifier acquisition means 12 Document ID generation means 13 Storage means 14 Identifier search means 15 Document profile management table 16 Print profile management table 17 Print ID generation means 19 Document server 20 Authentication server 30 Location management server 100 Two-dimensional code

Claims (12)

A security server connected to an image forming apparatus via a network,
Depending on the generation of the electronic document in the image forming apparatus, a first ID generation means for applying a new first ID to the electronic document,
Depending on the generation of the print document in the image forming apparatus, and a second ID generation means for applying a new second ID for the print document,
First profile management in which the first ID of an arbitrary electronic document and the first or second ID of a derivation source document indicating the history of generation of the arbitrary electronic document are recorded in association with each other Table,
Second profile management in which the second ID of an arbitrary print document and the first or second ID of a derivation source document indicating the history of generation of the arbitrary print document are recorded in association with each other Table,
The first or second ID corresponding to the type of the acquired ID is the arbitrary first or second ID acquired via the network accompanying the generation of the electronic document or the print document in the image forming apparatus. Means for searching from the profile management table of
As a result of the search, when the first or second ID acquired via the network exists in the first or second profile management table, the searched first or second ID and The first or second ID of the derivation source document indicating the history of generation associated with the retrieved ID is the electronic document or print document newly assigned with the first or second ID. In the first or second profile management table corresponding to the newly assigned ID type, the ID information indicating the generation history of the ID is associated with the newly assigned first or second ID. Storage means for recording;
A security server comprising: When the electronic document is generated from said any printed document, said first profile management table, the profile of the electronic document, in association with the second ID, which is assigned to the arbitrary printed document The security server according to claim 1, wherein the security server is recorded. When the printed document is created from the arbitrary electronic document, the second profile management table recording the first ID assigned to the arbitrary electronic document as the derivation source ID of the print document The security server according to claim 1, wherein: Wherein when the printed document is generated from said any printed document, the second profile management table, derive the second ID of the print document to be the generated granted to the arbitrary printed document The security server according to claim 1, wherein the security server is recorded as an ID. A document security management system including an image forming apparatus and a security server connected to the image forming apparatus via a network,
The security server is
Depending on the generation of the electronic document in the image forming apparatus, a first ID generation means for applying a new first ID to the electronic document,
Depending on the generation of the print document in the image forming apparatus, and a second ID generation means for applying a new second ID for the print document,
First profile management in which the first ID of an arbitrary electronic document and the first or second ID of a derivation source document indicating the history of generation of the arbitrary electronic document are recorded in association with each other Table,
Second profile management in which the second ID of an arbitrary print document and the first or second ID of a derivation source document indicating the history of generation of the arbitrary print document are recorded in association with each other Table,
The first or second ID corresponding to the type of the acquired ID is the arbitrary first or second ID acquired via the network accompanying the generation of the electronic document or the print document in the image forming apparatus. Means for searching from the profile management table of
As a result of the search, when the first or second ID acquired via the network exists in the first or second profile management table, the searched first or second ID and The first or second ID of the derivation source document indicating the history of generation associated with the retrieved ID is the electronic document or print document newly assigned with the first or second ID. In the first or second profile management table corresponding to the newly assigned ID type, the ID information indicating the generation history of the ID is associated with the newly assigned first or second ID. Storage means for recording;
With
Wherein the image forming apparatus, the newly granted the first or second ID is received via the network, when outputting the electronic document or printed documents, the new first to those the document Alternatively, a document security management system wherein the second ID is embedded and output . 6. The document security management system according to claim 5 , wherein the image forming apparatus prints the newly assigned second ID on the print document as a visible dot array. The image forming apparatus, when generating the print document or electronic document from said any printed document, the security server or the image forming apparatus, the second ID attached on said any printed document Extract and
The security server records the extracted second ID as a derivation source ID in the first or second profile management table according to the type of the newly assigned ID. The document security management system according to claim 5 . In a security server connected to an image forming apparatus via a network,
In response to the generation of the electronic document in the image forming apparatus , a new first ID is assigned to the electronic document,
In response to the generation of the print document in the image forming apparatus, a second ID is newly given to the print document,
The first ID of the arbitrary electronic document and the first or second ID of the derivation source document indicating the history of generation of the arbitrary electronic document are associated with each other and recorded in the first profile management table. And
The second ID of the arbitrary print document is associated with the first or second ID of the derivation source document indicating the history of generation of the arbitrary print document, and recorded in the second profile management table. And
The first or second ID corresponding to the type of the acquired ID is the arbitrary first or second ID acquired via the network accompanying the generation of the electronic document or the print document in the image forming apparatus. From the profile management table of
As a result of the search, when the first or second ID acquired via the network exists in the first or second profile management table, the searched first or second ID and The first or second ID of the derivation source document indicating the history of generation associated with the retrieved ID is the electronic document or print document newly assigned with the first or second ID. In the first or second profile management table corresponding to the newly assigned ID type, the ID information indicating the generation history of the ID is associated with the newly assigned first or second ID. Document security management method characterized by recording . Transmitting the newly generated first or second ID from the security server to the image forming apparatus via the network;
  The document security management method according to claim 8, wherein: When the electronic document is generated from said any printed document, extracts the second ID given to the arbitrary printed document at said security server,
10. The document security management method according to claim 9 , wherein the extracted second ID is recorded in the first profile management table as a derivation source ID of the electronic document. When the printed document is generated from said any electronic document, a first ID assigned in the security server to the arbitrary electronic document, the second profile management table as the derivation source ID of the print document The document security management method according to claim 9 , wherein: When the printed document is generated from said any printed document, extracts the second ID that is assigned to the arbitrary printed document at said security server,
Document security management method according to claim 9, characterized in that for recording the second ID of the extracted, the second profile management table as the derivation source ID of the printed document.

Images