JP2004152261A - Document printing program, document protection program and document protection system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a document printing program, a document protection program, and a document protection system which prevent leakage of a document due to printout.
SOLUTION: A means for acquiring a decryption key of an encrypted document file, a means for decrypting the document file based on the acquired decryption key, and a printing requirement associated with the document file are transmitted via a network. And a means for executing a printing process that satisfies the acquired printing requirements, and a document protection program for protecting document files.
[Selection diagram] Fig. 1

Description

  The present invention relates to a document printing program, a document protection program, and a document protection system.

  2. Description of the Related Art In recent years, in offices and the like that handle information such as documents and images (hereinafter, referred to as documents), a method of electronically recording a document on an information recording medium as a document file instead of printing the document on paper has become mainstream. .

  If the document is electronically recorded, the document can be recorded without using paper resources, so that resource saving can be achieved, and it is not necessary to store the paper on which the document is printed, thereby realizing space saving.

  In addition, if documents are recorded electronically, the same document can be distributed to many people at the same time, and documents can be distributed to people at remote locations via a network, thereby improving work efficiency. Can be achieved.

  The advantage of electronically recording a document that allows the same document to be distributed to many people at the same time or distributed to a remote location over a network has the advantage that the document can be easily leaked. It is also inside out.

  Since many documents handled in offices and the like require confidentiality, it is necessary to take measures to prevent leakage of the documents.

  Conventional techniques for preventing document leakage include “Method of encrypting information for remote access while maintaining access control” disclosed in Patent Document 1 and “Information security architecture for encrypting” disclosed in Patent Document 2. As in "documents for remote access while maintaining access control" and "document management system" disclosed in Patent Literature 3, only a legitimate user refers to the contents of a document by requesting user authentication when opening a document file. There is a method of enabling printing, and a method of checking whether a user has a right to print when attempting to print an opened document file, and printing only an authorized user.

In addition, the document file is controlled so that printing is permitted only when payment is completed, as in “a method for restricting printing of electronically transmitted information and a document with printing restriction” disclosed in Patent Document 4. There is also such technology.
U.S. Pat. No. 6,339,825 U.S. Pat. No. 6,289,450 JP 2001-142874 A JP-A-2002-024097

  In the inventions disclosed in the above patent documents, although it is possible to prevent unauthorized persons from printing the document, no security is set for the printed matter (printout).

  Therefore, once a document is printed by impersonating a user who has the authority to print, a printout of the document can be copied and distributed to others without any restrictions.

  Furthermore, if the person who wants to leak the document is a legitimate user who has the authority to print, this cannot be prevented.

  As described above, the conventional technology has problems that the usability of the document file is not good and the security for preventing the leakage of the document due to the printout is insufficient.

  The present invention has been made in view of such a problem, and an object of the present invention is to provide a document printing program, a document protection program, and a document protection system that prevent leakage of a document due to printout.

  In order to achieve the above object, a document printing program according to the present invention comprises: means for acquiring a decryption key of an encrypted document file; means for decrypting the document file based on the acquired decryption key; The system includes means for acquiring a print requirement associated with a file from a server via a network, and means for executing a print process satisfying the acquired print requirement.

  Thereby, security measures at the time of printing can be enforced.

  Further, the document protection program of the present invention includes a means for obtaining an encryption key for encrypting a document file, and a means for registering information specifying printing requirements for the document file with the server in association with the document file via a network. And means for encrypting the document file with the encryption key.

  The document protection system according to the present invention may further comprise a means for obtaining an encryption key for encrypting the document file, and a means for registering information specifying printing requirements of the document file with the server in association with the document file via a network. And a distributor terminal in which a document protection program including means for encrypting the document file with the encryption key is mounted, means for obtaining a decryption key for the encrypted document file, and Means for decrypting the document file based on the document file, means for acquiring a print requirement associated with the document file from a server via a network, and means for executing a print process satisfying the acquired print requirement. Printing program implemented It can be configured as comprising a user terminal.

  A means for acquiring an encryption key for encrypting the document file; a means for associating information specifying printing requirements for the document file with the document file and registering the document file on a server via a network; A server mounted with a document protection program comprising means for encrypting with a key, means for acquiring a decryption key of the encrypted document file, and means for decrypting the document file based on the acquired decryption key. A user terminal on which a document printing program including means for acquiring a printing requirement associated with the document file from a server via a network and means for executing a printing process satisfying the acquired printing requirement is implemented. Configured as equipped Kill.

  According to the present invention, it is possible to provide a document printing program, a document protection program, and a document protection system that prevent leakage of a document due to printout.

[First Embodiment]
First Embodiment A preferred embodiment of the present invention will be described.

  The inventors of the present application separately propose a technique for protecting a document file by setting an ACL (Access Control List) individually for the document file by a distributor, but distribute the document to a large number of users. In this case, setting the printing requirements individually for each user increases the burden on the document file distributor for creating the ACL.

  On the other hand, if the content of the document file is a business document, etc., how to protect it is not determined by the distributor independently, but rather by the security policy (confidentiality) of the organization to which it belongs (such as a company or organization). Management rules). Therefore, if the document protection and printing system can protect the document file according to the security policy of the organization to which the distributor belongs, the distributor does not need to set the ACL.

  In the first embodiment of the present invention, a document protection / printing system that protects a document according to a security policy of an organization to which a distributor belongs will be described.

  FIG. 1 shows a configuration of a document protection / printing system according to the present embodiment.

  The document protection / printing system according to the present embodiment includes a distributor terminal 301, a user terminal 302, a printer 303, and an access control server 304.

  As the distributor terminal 301 and the user terminal 302, a computer terminal provided with a display device (for example, LCD), an input device (for example, keyboard), an external recording device (for example, FDD, HDD) and the like can be applied. Note that a document protection program 311 is mounted on the distributor terminal 301, and a document printing program 321 is mounted on the user terminal 302.

  The document protection program 311 sets printing requirements for the document file according to the input operation of the user (distributor) of the distributor terminal 301, and uses the encryption algorithm (RC4, Triple DES, IDEA, etc.) to set the document file. Is a program that performs a process of encrypting a document and generating a protected document. FIG. 2 shows a configuration example of the document protection program 311 and includes an encryption unit 311a, an encryption key acquisition unit 311b, an attribute assignment unit 311c, and an attribute registration unit 311d. The function of each unit will be described later in operation.

  Referring back to FIG. 1, the document print program 321 decrypts the protected document and causes the printer 303 to execute a print process according to the set print requirements in accordance with an input operation of the user of the user terminal 302. Is a program that performs FIG. 3 shows a configuration example of the document print program 321 and includes a decryption unit 321a, a decryption key acquisition unit 321b, a print requirement acquisition unit 321c, and a print processing unit 321d. FIG. 4 shows a configuration example of the print processing unit 321d in FIG. 3, and includes a requirement processing unit 321e, a document processing unit 321f, a printer driver 321g, a warning display unit 321h, and a log recording unit 321i. . The function of each unit will be described later in operation.

  Referring back to FIG. 1, when the user attempts to access (eg, print) a document, the access control server 304 refers to the ACL in response to a request from the document printing program 321 and determines whether the user has authority to access the document. No, it is a server that acquires how the processing requirements are set.

  The access control server 304 stores a user database 341 storing authentication information (a set of a user name and a password) for each user and information indicating the class of the user, and processing requirements set for each user. Is associated with an ACL database 342 in which a plurality of ACLs are registered in accordance with security attributes, information indicating what security attributes are set for each protected document, and an encryption key for decrypting the protected document. Is connected to a security attribute database 343 registered.

  FIG. 5 shows an example of the configuration of the access control server 304, which includes an attribute DB registration unit 304a, a user authentication unit 304b, an access authority confirmation unit 304c, and a print requirement acquisition and transmission unit 304d. The function of each unit will be described later in operation.

  An example of an ACL corresponding to a security attribute is an ACL corresponding to a small organization, such as an ACL for a first design room or an ACL for a second design room. FIG. 6 shows an example of the structure of the ACL. The ACL includes a user name (User Name), an access type (Access Type), permission information (Permission), and a processing requirement (Requirement) as parameters. This ACL is registered in the ACL database 342 for each security attribute.

  Examples of printing requirements set by the document protection program 311 in the document file in response to the input operation of the distributor include background dot pattern (BDP) and confidential printing (Private Access: PAC). ), Addition of a digital watermark (DWM), addition of a barcode (Embedding Barcode: EBC), security label stamp (SLS), and the like.

  The operation of the document protection / printing system according to the present embodiment will be described. First, the operation of the entire system will be described.

  The distributor operates the distributor terminal 301 and mounts the document file thereon. For example, a distributor may create a document file using an input device, or read a document file recorded on an information recording medium using an external recording device.

  When setting security on the document file, the distributor operates the input device of the distributor terminal 301 to transfer the document file to the document protection program 311. The document protection program 311 that has acquired the document file requests the distributor to set security attributes. For example, the document protection program 311 requests setting of security attributes by displaying a message on the display device of the distributor terminal 301 or the like. FIG. 7 shows an example of a screen for requesting the setting of security attributes. The setting of the document category (technology-related, personnel-related, etc.) and the confidential level (secret, confidential, confidential, public, etc.) can be performed from a pull-down menu or the like. It can be done by selecting. Note that the document file to be protected can be specified on the screen in FIG.

  When the distributor sets the security attribute for the document file via the input device of the distributor terminal 301, the document protection program 311 acquires this.

  The document protection program 311 that has acquired the security attribute generates a unique document ID for each document file, associates the encryption key used for encryption and decryption with the security attribute, and transmits it to the access control server 304, and Request registration in the attribute database 343.

  The document protection program 311 adds a document ID to a document file encrypted using an encryption key to generate a protected document.

  The distributor delivers the protected document generated by the document protection program 311 to the user.

  When a user wants to print a document, the user installs the protected document on the user terminal 302. For example, the protected document recorded on the information recording medium may be read by a user terminal using an external recording device, or when the user terminal 302 can communicate with the distributor terminal 301, the communication terminal is connected via a communication network. The protected document may be obtained from the distributor terminal 301.

  When the user instructs the document printing program 321 to print via the input device of the user terminal 302, the document printing program 321 requested to print inputs a user name and a password required to authenticate the user. To the user. For example, the document printing program 321 requests input of a user name and a password by displaying a message on a display device of the user terminal 302 or the like. FIG. 8 shows an example of a screen requesting a user name (user ID) and a password, which can be input by a keyboard or the like.

  The document print program 321 sends the user name and password input by the user to the access control server 304, and requests user authentication.

  The access control server 304 performs user authentication using the user name and the password passed from the document print program 321 to specify the user.

  When the user is specified, the access control server 304 refers to the security attribute database 343 and specifies the type of the security attribute set in the protected document. Thereafter, the access control server 304 refers to the ACL registered in the ACL database 342 that corresponds to the security attribute set in the protected document, and determines whether the user has the authority to print the document file. Also, when a user prints a document file, it obtains what printing requirements are set.

  If the user has the authority to print the document file, the access control server 304 sends an encryption key for decrypting the protected document together with permission information indicating that printing is permitted, The print requirements are transmitted to the user terminal 302 and passed to the document print program 321.

  The document print program 321 that has obtained the encryption key and the printing requirements together with the permission information from the access control server 304 decrypts the protected document using the encryption key and restores the document file.

  Then, the document print program 321 causes the printer 303 to execute print processing so as to satisfy the print requirements. For example, when the above-described BDP is set as a printing requirement in a document file, a copy-forgery-inhibited pattern image is printed together with the contents of the document.

  As a result, when printing a document file, it is possible to enforce printing requirements in accordance with a preset security attribute.

  It should be noted that the user may not be aware of the printing requirements, and some printing requirements cannot be processed without a specific printer. Therefore, it is desirable that the user be provided with information to that effect before printing is performed. . FIG. 9 shows an example of a confirmation screen displayed on the display device of the user terminal 302, in which printing requirements and available printers are displayed, and a printer to be used can be selected. .

  Here, the operations of the document protection program 311 and the access control server 304 when the document is protected, and the operations of the document print program 321 and the access control server 304 when the protected document is restored into a document file and printed are described in further detail. I do.

  FIG. 10 shows an operation when the document protection program 311 generates a protected document. When the document protection program 311 obtains the document file and its security attribute by the input operation of the distributor on the input device of the distributor terminal 301, it generates an encryption key for encrypting and decrypting the document file. Then, the document protection program 311 encrypts the document file using the generated encryption key, and generates an encrypted document.

  Further, the document protection program 311 generates a protected document by attaching a unique document ID to the encrypted document for each document file.

  After generating the protected document, the document protection program 311 transmits the encryption key, the security attribute, and the document ID to the access control server 304 by using the communication function of the distributor terminal 301, and registers these to the access control server 304. Request.

  The access control server 304 that has received the encryption key, the security attribute, and the document ID from the document protection program 311 associates them with each other, registers them as one record in the security attribute database 343, and records and holds them.

  The above operation will be described in more detail with reference to FIGS.

  First, in FIG. 2, the encryption unit 311a of the document protection program 311 encrypts the document file delivered from the distributor using the encryption key generated by the encryption key acquisition unit 311b. Is passed to the attribute assigning unit 311c.

  The attribute assigning unit 311c generates a document ID, assigns a document ID to the encrypted document passed from the encrypting unit 311a, and outputs the document as a protected document.

  The attribute registration unit 311d receives security attributes from the distributor, receives an encryption key from the encryption key acquisition unit 311b, and receives a document ID from the attribute assignment unit 311c, and sends these document IDs and encryption codes to the access control server 304. Request registration by passing the key and security attributes.

  Next, in FIG. 5, the attribute DB registration unit 304a of the access control server 304 registers the passed document ID, encryption key, and security attribute in the security attribute database 343.

  In the above example, the case where the document protection program 311 generates the document ID and the encryption key is described, but these processes may be performed by the access control server 304 or a server (not shown).

  If the distributor terminal 301 and the access control server 304 are connected not via a dedicated line but via a network, and there is a risk of eavesdropping when transmitting an encryption key or the like, an SSL (Secure Socket) Layer).

  Any protocol may be used when the document protection program 311 communicates with the access control server 304. For example, a distributed object environment may be introduced to transmit and receive information based on Java (R) Remote Method Invocation (RMI) or Simple Object Access Protocol (SOAP). In that case, the access control server 304 may implement a method such as “register (String docId, byte [] key, byte [] acl)”. In the case of SOAP, the SOAP protocol is exchanged over HTTPS, and in the case of RMI, if RMI is executed using an SSL-based SocketFactory, security on the network can be ensured.

  Next, an operation when the document print program 321 prints a protected document will be described.

  FIG. 11 shows the contents of the processing performed by the document print program 321. FIG. 12 shows an operation flow of the document print program 321 and the access control server 304.

  When the document print program 321 obtains the protected document, the user name, and the password by the user's input operation on the input device of the user terminal 302, the document print program 321 obtains the document ID attached to the protected document.

  Then, a user name, a password, a document ID, and an access type (information indicating a process requested by the user. In this case, since a protected document is to be printed, “print” is transmitted) are transmitted to the access control server 304. Request for access right. FIG. 13 is a diagram illustrating an example of an inquiry by SOAP to the access control server 304. The access control server 304 determines whether access is permitted by passing a user name (userId), a document ID (docId), and an access type (accessType). In this example, an inquiry SOAP message (isAllowed) is sent, and the result (isAllowedResponse) is received. The results include what is allowed (allowed is true) and the requirements (requirements).

  When acquiring the user name, password, document ID, and access type from the document printing program 321, the access control server 304 refers to the information registered in the user database 341 to perform user authentication. In other words, the access control server 304 refers to the information registered in the user database 341, and determines, in the user database 341, the information that matches the pair of the user name and the password included in the information acquired from the document print program 321. It is determined whether or not it has been registered.

  If the user authentication fails (in other words, if a set of a user name and a password included in the information passed from the document print program 321 is not registered in the user database 341), the access control server 304 Then, the permission information (information indicating whether or not the process requested by the user is permitted) is transmitted to the user terminal 302 as “non-permission”, and is passed to the document print program 321. In this case, the permission information indicating “error” may be transferred to the document printing program 321.

  On the other hand, when the user authentication is successful, the access control server 304 reads a record related to the document ID included in the information acquired from the document printing program 321 from among the records registered in the security attribute database 343.

  The access control server 304 acquires a security attribute included in the read record. Then, the access control server 304 reads and acquires the ACL corresponding to the security attribute acquired from the record from among the ACLs registered in the ACL database 342. Further, the access control server 304 acquires permission information and printing requirements from the ACL based on the user name and the access type acquired from the document printing program 321.

  In other words, the access control server 304 acquires the permission information and the printing requirement set in the ACL in advance based on the user name and the access type.

  If the permission information acquired from the ACL is “permitted”, the access control server 304 transmits the encryption key and the printing requirement stored in the record together with the permission information to the user terminal 302 and passes it to the document printing program 321. .

  On the other hand, when the permission information acquired from the ACL is “not permitted”, the access control server 304 transmits only the permission information to the user terminal 302 and passes it to the document print program 321.

  Upon receiving the permission information from the access control server 304, the document print program 321 refers to the obtained permission information. If the permission information is "not permitted", the document print program 321 displays a message on a display device or the like to request the permission information. Notifies the user that processing cannot be performed.

  On the other hand, if the acquired permission information is “permitted”, the encrypted document portion of the protected document is decrypted using the encryption key passed along with the permission information and restored to a document file.

  Further, the document print program 321 sets the printer driver so as to satisfy the print requirement acquired together with the permission information (for example, sets the print mode to the confidential print mode if PAC is specified), and causes the printer 303 to perform the document print processing. Is executed.

  If necessary, a message may be displayed on a display device to request the user to set print parameters.

  If printing that satisfies the printing requirements acquired from the access control server 304 cannot be executed by the printer 303, in other words, if the printer 303 does not have a function that satisfies the printing requirements set in the ACL, the document printing program 321 Notifies the user by displaying a message to that effect on the display device or the like, and terminates the process without performing printing.

  The above operation will be described in more detail with reference to FIGS.

  First, in FIG. 3, the decryption key acquisition unit 321b of the document print program 321 confirms the access right to the access control server 304.

  In the access control server 304 that has received the confirmation inquiry, the user authentication unit 304b performs user authentication with reference to the user database 341 and notifies the document print program 321 of the authentication result in FIG. If the user authentication is successful, the access right confirmation unit 304c acquires permission information and a decryption key by referring to the security attribute database 343 and the ACL database 342, and the print requirement acquisition and transmission unit 304d sends the print And notifies the document print program 321. In FIG. 5, the authentication result is returned once and the authentication result is passed again, but this may be executed at once. Although the permission information, the decryption key, and the printing requirement are returned separately, these may be returned at once.

  In FIG. 3, when the access right can be confirmed, the decryption key obtaining unit 321b obtains a decryption key from the access control server 304 and passes it to the decryption unit 321a. Further, the printing requirement acquisition unit 321c acquires the printing requirement from the access control server 304 and passes it to the print processing unit 321d.

  The decryption unit 321a decrypts the protected document using the decryption key acquired from the decryption key acquisition unit 321b, obtains a document file, and transfers the document file to the print processing unit 321d.

  Next, in FIG. 4, the requirement processing unit 321e of the print processing unit 321d performs a plurality of processes according to the content of the received printing requirement. That is, for processing that requires processing of the document file itself, such as the above-described BDP, EBC, and SLS, processing information is given to the document processing unit 321f to process the document file, and the processed document file is printed by the printer driver. The print data is provided to the printer 303 and printing is performed. For processing that requires special settings in the printer driver, such as PAC, print settings are made in the printer driver 321g. Further, when it is necessary to display a warning message to the user, the warning message is sent to the warning display unit 321h, and the display device displays the warning message. If it is necessary to keep a print log, the log information is passed to the log recording unit 321i, and the log data is registered in a remote server or the like.

  Through the above operations, it is possible to set different access rights and printing requirements for each user. Further, as described above, in the system configuration in which the server side determines the access authority to the document file, the contents of the ACL registered in the ACL database 342 can be changed by an input operation on the distributor terminal 301 or the access control server 304. In this case, it is possible to change the printing requirements after distributing the protected document.

  For example, it is possible to set the access right to the already distributed protected document to a new user, or to add a printing requirement to a specific user.

  A person who knows that the document protection / printing system according to the present embodiment protects a document file by the above-described method can cause a computer terminal to execute a program impersonating the document printing program 321. It is also possible to illegally obtain the encryption key and decrypt the protected document. In this case, the protected document can be printed without being forced by the printing requirements set as the ACL.

  For this reason, the document file is not simply encrypted using only the encryption key, but is obtained by combining the secret key embedded in the document protection program 311 with the encryption key (exclusive OR). It is preferable to encrypt the document file with. In this case, by embedding the same secret key in the document printing program 321, only the document printing program 321 that enforces the printing requirements set by the distributor at the time of printing can decrypt and print the protected document. It becomes possible.

  14 and 15 show a configuration example of a type in which a secret key is embedded in the inside as described above. FIG. 14 shows a configuration example of the document protection program 311, and FIG. Only the part related to decoding in the configuration example is shown. In this example, not only the secret key is simply embedded inside, but also a random number is introduced to further strengthen unauthorized access.

  14, the document protection program 311 includes an encryption unit 311a, an encryption key acquisition unit 311b, an attribute assignment unit 311c, an attribute registration unit 311d, and a parameter acquisition unit 311e.

  In operation, the parameter acquisition unit 311e generates a parameter (kp) and passes it to the encryption key acquisition unit 311b. The parameter (kp) is held in the document protection program 311 or is generated when requested.

  After receiving the parameter (kp) from the parameter obtaining unit 311e, the encryption key obtaining unit 311b generates two random numbers (kd) and (ks), and calculates the encryption key (k) by the equation k = H {ks, kp, kd } Or k = D {kd, D {ks, kp}}, generate the encryption key (k) to the encryption unit 311a, the random number (kd) to the attribute assignment unit 311c, and the random number (ks) The information is passed to the attribute registration unit 311d. Note that H {data1, data2,...} Means to calculate a hash value of data1, data2,..., And D {data, key} means to decode data with a key.

  The encryption unit 311a encrypts the document file (doc) delivered from the distributor using the encryption key (k) acquired from the encryption key acquisition unit 311b, and assigns the encrypted document (enc) to the attribute. The information is passed to the assigning unit 311c. The expression is enc = E {doc, k}. E {data, key} means that data is encrypted with the key.

  Next, the attribute assigning unit 311c generates a document ID (id), and protects the encrypted document (enc) by assigning the document ID (id) and the random number (kd) passed from the encryption key acquiring unit 311b. Output document (enc + id + kd). The attribute assigning unit 311c passes the generated document ID (id) to the attribute registering unit 311d.

  The attribute registration unit 311d stores the document ID (id) passed from the attribute assignment unit 311c, the random number (ks) passed from the encryption key acquisition unit 311b, and the security attribute (attr) acquired from the distributor as the access control server 304. Will be notified and registration will be required.

  In decryption, in FIG. 15, the decryption key obtaining unit 321b obtains a random number (kd) from the protected document, and holds the random number (kd) from the parameter obtaining unit 321j inside the document print program 321 or upon request. The generated parameter (kp) is obtained, and a random number (ks) is further obtained from the access control server 304, and the expression k = H {ks, kp, kd} or k = D {kd, D as in the case of encryption. Calculate with {ks, kp}} to obtain a decryption key (encryption key) (k).

  Then, the decryption unit 321a decrypts the encrypted document (enc) with the decryption key (k) to obtain a document file (doc).

  14 and 15 are based on the random number (ks) registered in the access control server 304, the random number (kd) in the protected document, and the parameter (kp) obtained from the document protection program 311 or the document print program 321. This is a method for generating an encryption key (decryption key) (k). However, this is a case where the access control server 304 is illegally accessed by a malicious user and a random number (ks) is known. Also, if the random number (kd) and the parameter (kp) are not known, the protected document cannot be decrypted. Note that in an environment where the access control server 304 is sufficiently guarded so as not to be illegally accessed, the random number (ks) may be used as it is as the encryption key (decryption key) (k).

  On the other hand, in the first embodiment described so far, the printing requirement is stored only in the access control server 304. However, the printing requirement is not limited to such a format, and may be included in a protected document. For example, print requirements that are always specified for a document file regardless of the user may be included in the protected document. This is the same for a second embodiment described later.

  FIG. 16 shows a configuration example of the document print program 321 when the print requirements are divided into a first print requirement included in the protected document and a second print requirement stored in the access control server 304. The requirement acquisition unit 321c acquires the second printing requirement from the access control server 304, the decryption unit 321a acquires the first printing requirement from the protected document, and the print processing unit 321d based on the first printing requirement and the second printing requirement. Print processing. Others are the same as the document print program 321 shown in FIG.

  In the present embodiment, the document print program 321 performs only processing related to printing of a document file. However, the document print program 321 has a function of presenting the contents of a document file to a user and editing the document file. May be provided. For example, it is possible to realize a function of displaying, editing, and printing a portable document file (Portable Document Format: PDF File) as a plug-in of Adobe Acrobat (R).

  As described above, according to the document protection / printing system according to the present embodiment, it is possible to enforce the printing requirement preset as the ACL according to the security attribute when printing the document file.

[Second embodiment]
In the above-described first embodiment of the present invention, the document protection / printing system that protects a document according to the security policy of the organization to which the distributor belongs has been described.

  However, in the document protection / printing system according to the first embodiment, when the size of the organization to which the distributor belongs is large, many ACLs must be defined and registered in advance for each subordinate organization. For example, "ACL for technical documents in the first design room", "ACL for contract documents in the first design room", "ACL for technical documents in the second design room", "ACL for contract documents in the second design room" Thus, it is necessary to define an ACL in advance so as to cover each user.

  In general, an organization's security policy is general and does not specify who can access which document files.

  FIG. 17 shows an example of the security policy set by the organization. As shown in FIG. 17, a security policy in an organization sets a confidential level (Sensitivity) and a field (Category) for a document, and then sets the level and the category of a user who is allowed to access the document. It can be said that the printing requirements are set.

  For example, a document relating to a human resource (Human Resource) having a top secret level of confidentiality can be printed only by a manager of the human resources department on condition that tint block printing is performed.

  In a second embodiment of the present invention, a document protection / printing system will be described in which a security policy set forth by an organization is described electronically as it is and applied to the protection of a document file.

  FIG. 18 shows the configuration of the document protection / printing system according to the present embodiment.

  The document protection / printing system according to the present embodiment includes a distributor terminal 401, a user terminal 402, a printer 403, and an access control server 404.

  As in the first embodiment, the distributor terminal 401 and the user terminal 402 each include a computer including a display device (for example, LCD), an input device (for example, keyboard), an external recording device (for example, FDD, HDD), and the like. Terminal can be applied. A document protection program 411 is mounted on the distributor terminal 401, and a document print program 421 is mounted on the user terminal 402.

  The document protection program 411 sets the processing requirements according to the input operation of the user (distributor) of the distributor terminal 401 in the document file, and uses the encryption algorithm (RC4, Triple DES, IDEA, etc.) for the document file. Is a program that performs a process of encrypting a document and generating a protected document. The internal configuration of the document protection program 411 is the same as that in the first embodiment shown in FIG.

  The document printing program 421 is a program that performs a process of decrypting the protected document and causing the printer 403 to execute a printing process according to the set printing requirements in accordance with an input operation of a user (user) of the user terminal 402. . The internal configuration of the document print program 421 is the same as that in the first embodiment shown in FIGS.

  When the user attempts to print a document, the access control server 404 refers to the security policy 444 recorded and held by the user in response to a request from the document print program 421, and determines whether or not the user has authority to print the document. Or a server that acquires how the printing requirements are set. FIG. 19 shows a configuration example of the access control server 404, which includes an attribute DB registration unit 404a, a user authentication unit 404b, an access authority confirmation unit 404c, and a print requirement acquisition and transmission unit 404d. The function of each unit will be described later in operation.

  FIG. 20 shows an example of the security policy 444 registered in the access control server 404.

  For example, a document file whose category is "Technical" and whose confidentiality level is "Secret" has a category of "Technical" and a class of "Medium" or "High". Stipulates that the user is permitted to view but requires RAD, to permit printing but to require PAC, BDP, EBC and RAD, and not to permit hard copy. .

  The access control server 404 may record and hold the data of the security policy 444 in any form. If XML (eXtensible Markup Language) is used, it can be easily described as shown in FIG.

  The access control server 404 stores a user database 441 storing authentication information (a set of a user name and a password) for each user, and information indicating what security attributes are set for each protected document. And a security attribute database 443 registered with an encryption key for decrypting the protected document.

  FIG. 22 shows an example of information registered in the user database 441.

  In FIG. 22, the structure is such that the category and the class are managed as separate attributes for each user. For example, in the case where the user is managed using the user management mechanism of Windows (R) Domain, the group account is used. May be generated as Technical_Medium, and a user named Ichiro may belong to the group. By setting the naming rule of the belonging group in this way, it is possible to manage the category and the class.

  The operation of the document protection / printing system according to the present embodiment will be described. First, the operation of the entire system will be described.

  The distributor operates the distributor terminal 401 and mounts the document file thereon. For example, a distributor may create a document file using an input device, or read a document file recorded on an information recording medium using an external recording device.

  When setting security for the document file, the distributor operates the input device of the distributor terminal 401 to transfer the document file to the document protection program 411. The document protection program 411 that has acquired the document file requests the distributor to set security attributes. For example, the document protection program 411 requests the setting of the security attribute by displaying a message on the display device of the distributor terminal 401 or the like. The screen requesting the setting of the security attribute is the same as that in the first embodiment shown in FIG. Here, the security attribute is information indicating which of the security attributes registered in the security attribute database 443 the document to be protected corresponds to.

  When the distributor sets the security attribute for the document file via the input device of the distributor terminal 401, the document protection program 411 acquires this.

  The document protection program 411 that has acquired the security attribute generates a unique document ID for each document file, transmits the encryption key to be used for decryption and the security attribute to the access control server 404 in association therewith, and registers it.

  The document protection program 411 adds a document ID to a document file encrypted using an encryption key to generate a protected document.

  The distributor delivers the protected document generated by the document protection program 411 to the user.

  When a user wants to print a document, the user installs the protected document on the user terminal 402. For example, a protected document recorded on an information recording medium may be read by a user terminal using an external recording device, or, if the user terminal 402 can communicate with the distributor terminal 401, the user can read the protected document via a communication network. The protected document may be obtained from the distributor terminal 401.

  When the user instructs the document printing program 421 to perform printing via the input device of the user terminal 402, the document printing program 421 requested to perform printing inputs a user name and a password necessary for authenticating the user. To the user. For example, the document printing program 421 requests input of a user name and a password by displaying a message on a display device of the user terminal 402 or the like. The screen for requesting the user to input a user name and a password is the same as that in the first embodiment shown in FIG.

  The document print program 421 sends the user name and password input by the user to the access control server 404, and requests user authentication.

  The access control server 404 performs user authentication using the user name and password passed from the document print program 421, and specifies the user.

  When the user is specified, the access control server 404 refers to the security attribute database 443 and specifies the type of the security attribute set in the protected document.

  The access control server 404 determines whether or not the user has the authority to print the document based on the information indicating the class of the user acquired from the user database 441 and the security attribute set for the document. Acquire what printing requirements are set when printing a file.

  If the user has the right to print the document file, the access control server 404 sends an encryption key for decrypting the protected document and permission information indicating that printing is permitted, and The print requirements are transmitted to the user terminal 402 and passed to the document print program 421.

  The document print program 421, which has obtained the encryption key and the printing requirements together with the permission information from the access control server 404, decrypts the protected document using the encryption key and restores the document to a document file.

  Then, the document print program 421 causes the printer 403 to execute print processing so as to satisfy the print requirements. For example, when BDP is set as a printing requirement in a document file, a copy-forgery-inhibited pattern image is printed together with the contents of the document.

  As a result, when printing a document file, it is possible to enforce printing requirements in accordance with a preset security attribute.

  Here, the operations of the document protection program 411 and the access control server 404 when the document is protected, and the operations of the document print program 421 and the access control server 404 when the protected document is restored into a document file and printed are described in more detail. I do.

  FIG. 23 shows processing when the document protection program 411 generates a protected document. FIG. 24 shows an operation flow of the document protection program 411 and the access control server 404.

  When the document protection program 411 obtains the document file and its security attribute by the input operation of the distributor on the input device of the distributor terminal 401, it generates an encryption key for encrypting and decrypting the document file. Then, the document protection program 411 encrypts the document file using the generated encryption key to generate an encrypted document.

  Further, the document protection program 411 generates a protected document by attaching a unique document ID for each document file to the encrypted document.

  After generating the protected document, the document protection program 411 transmits the encryption key, the security attribute, and the document ID to the access control server 404 using the communication function of the distributor terminal 401, and registers these registrations to the access control server 404. Request to.

  The access control server 404 that has received the encryption key, the security attribute, and the document ID from the document protection program 411 records and holds them as one record in the security attribute database 443. More specifically, the attribute DB registration unit 404a of the access control server 404 in FIG.

  Although the case where the document protection program 411 generates the document ID and attaches it to the encrypted document has been described as an example, when the encrypted document file is generated using a hash algorithm such as SHA-1, the hash value of the encrypted document file may be changed. The value may be used instead of the document ID. In this case, it is not necessary to attach the document ID to the protected document, and when the document ID is to be obtained later, the hash value may be calculated again.

  In the above example, the case where the document protection program 411 generates the document ID and the encryption key is described. However, these processes may be performed by the access control server 404 or a server (not shown).

  If the distributor terminal 401 and the access control server 404 are connected not via a dedicated line but via a network, and there is a fear of eavesdropping upon transmission of an encryption key or the like, an SSL (Secure Socket) Layer).

  Any protocol may be used when the document protection program 411 communicates with the access control server 404. For example, a distributed object environment may be introduced to transmit and receive information based on Java (R) Remote Method Invocation (RMI) or Simple Object Access Protocol (SOAP). In that case, the access control server 404 may implement a method such as “register (String docId, byte [] key, byte [] acl)”. In the case of SOAP, the SOAP protocol is exchanged over HTTPS, and in the case of RMI, if RMI is executed using an SSL-based SocketFactory, security on the network can be ensured.

  Next, an operation when the document printing program 421 prints a protected document will be described. FIG. 25 shows an operation flow of the document print program 421 and the access control server 404.

  When the document print program 421 obtains the protected document, the user name, and the password by the user's input operation on the input device of the user terminal 402, the document print program 421 obtains the document ID attached to the protected document.

  Then, a user name, a password, a document ID, and an access type (information indicating a process requested by the user. In this case, since a protected document is to be printed, “print” is transmitted) are transmitted to the access control server 404. Request for access right.

  When acquiring the user name, password, document ID, and access type from the document printing program 421, the access control server 404 refers to the information registered in the user database 441 and performs user authentication.

  In other words, the access control server 404 refers to the information registered in the user database 441, and the information that matches the set of the user name and the password included in the information acquired from the document print program 421 is stored in the user database 441. It is determined whether or not it has been registered.

  If the user authentication fails (in other words, if a set of the user name and the password included in the information passed from the document print program 421 is not registered in the user database 441), the access control server 404 Then, the permission information is transmitted to the user terminal 402 as “non-permission” and passed to the document print program 421. In this case, the permission information indicating “error” may be transferred to the document printing program 421.

  On the other hand, if the user authentication is successful, the access control server 404 reads a record related to the document ID included in the information acquired from the document printing program 421 from among the records registered in the security attribute database 443. Further, the access control server 404 acquires the “class” and “department” of the user from the user database 441.

  The access control server 404 acquires security attributes (ie, confidentiality level and category) set in the document file based on the read record. Then, based on the security policy 444 stored and retained by the user and the security attribute read from the record, permission information indicating whether or not the user can perform the process indicated by the access type on the document and the user printing the document. To get the printing requirements when doing

  If the user has the authority to print the document file, the permission information set as the security policy 444 is “permitted”, so the access control server 404 determines the encryption key stored in the record and the printing requirement. The document is transmitted to the user terminal 402 together with the permission information, and is passed to the document printing program 421.

  On the other hand, if the user does not have the right to print the document file, the permission information set as the security policy 444 is “non-permitted”, so the access control server 404 transmits only the permission information to the user terminal 402. To the document print program 421.

  More specifically, as shown in FIG. 19, the processing in the access control server 404 performs the user authentication with the user authentication unit 404b referring to the user database 441, and notifies the access result confirmation unit 404c of the authentication result. If the user authentication is successful, the access right confirmation unit 404c refers to the security attribute database 443 and the security policy 444 to acquire the permission information and the decryption key, and the printing requirement acquisition / transmission unit 404d sends the printing requirement from the security policy 444 to the printing requirement. And notifies the document print program 421. In FIG. 19, the permission information, the decryption key, and the printing requirement are returned separately, but they may be returned at once.

  Next, the document printing program 421 sets the printer driver so as to satisfy the printing requirement acquired together with the permission information (for example, sets the confidential printing mode if PAC is specified), and prints the document file on the printer 403. Execute the process.

  If necessary, a message may be displayed on a display device to request the user to set print parameters.

  If printing that satisfies the printing requirements acquired from the access control server 404 cannot be performed by the printer 403, in other words, if the printer 403 does not have a function that satisfies the printing requirements set as the security policy 444, this is so. Is displayed on the display device to notify the user, and the process ends without performing printing.

  Through the above operations, it is possible to set different access rights and printing requirements for each user. Further, as described above, in the system configuration in which the server determines the access right to the document file, the security policy 444 registered in the access control server 404 is changed by an input operation on the distributor terminal 401 or the access control server 404. In this case, it is possible to change the printing requirements after distributing the protected document.

  For example, it is possible to set the access right to the already distributed protected document to a new user, or to add a printing requirement to a specific user.

  If the document print program 421 always inquires of the security policy to the access control server 404 when printing a document file, the information processing amount of the access control server 404 increases as the number of users increases, and the burden is increased. It gets bigger.

  Therefore, a part of the functions of the access control server 404 may be transferred to the document printing program 421.

  For example, when the document print program 421 passes the document ID to the access control server 404 after performing user authentication, the document print program 421 acquires a security policy, an encryption key, and a security attribute from the access control server 404, and based on this, Processing may be performed by determining permission information and printing requirements.

  By doing so, the amount of information processing of the access control server 404 can be reduced, and the burden on system operation can be reduced. In this case, since the document printing program 421 makes a determination based on the security policy, it is preferable to attach a security attribute to the document, encrypt the document, encrypt the document, and attach a document ID to create a protected document. This eliminates the need to manage security attributes by the access control server 404, and can further reduce the load on the access control server 404 in system operation.

  A person who knows that the document protection / printing system according to the present embodiment protects a document file by the above-described method can cause a computer terminal to execute a program impersonating the document printing program 421. It is also possible to illegally obtain the encryption key and decrypt the protected document. In this case, it is possible to print the protected document without being forced by the printing requirements set as the security policy.

  For this reason, the document file is not simply encrypted using only the encryption key, but a combination of the secret key embedded in the document protection program 411 and the encryption key (exclusive OR). It is preferable to encrypt the document file with. In this case, by embedding the same secret key in the document printing program 421, only the document printing program 421 that enforces the printing requirements set by the distributor at the time of printing can decrypt and print the protected document. It becomes possible. Specifically, similarly to the first embodiment, it can be configured as shown in FIGS.

  In the present embodiment, the document print program 421 performs only processing related to printing of a document file. However, the document print program 421 has a function of presenting the contents of a document file to a user and editing the document file. May be provided. For example, it is possible to realize a function of displaying, editing, and printing a portable document file (Portable Document Format: PDF File) as a plug-in of Adobe Acrobat (R).

  As described above, according to the document protection / printing system according to the present embodiment, printing requirements set in advance as security policies can be enforced when printing a document.

  FIG. 26 shows a part of the security functions of the printer applied in the above embodiments. These will be specifically described using the system configuration in the second embodiment as an example.

  First, the operation of the document print program 421 when PAC is set as the print requirement will be described. FIG. 27 shows the operation of the document print program 421 when PAC is set.

  (1) When printing a document file in which a PAC is set, the document print program 421 displays a print dialog and then inputs a personal identification number (PIN) as shown in FIG. A dialog is displayed on the display device of the user terminal 402, and the user is requested to input a PIN.

  (2) When the user inputs a PIN using the input device of the user terminal 402, the document print program 421 sets this in the printer driver and instructs printing.

  The printer driver generates print data (PDL data) described in PDL (Page Description Language) such as Postscript from a document, and converts PJL (Print Job Language) data describing print job information such as the number of copies and an output tray. It is added to the head of PDL data. The printer driver further adds a PIN as a part of the PJL data, and sends the PDL data with the PJL data to the printer 403.

  Upon receiving the PDL data with PJL data, the printer 403 refers to the contents of the PJL data. If the PDL data includes a PIN for confidential printing, the printer 403 does not output the PJL data to a storage device (HDD or the like) inside the printer 403. Save the attached PDL data. When the user inputs the PIN via the operation panel of the printer 403, the printer 403 checks the input PIN against the PIN included in the PJL data, and if they match, the print job conditions (number of copies, tray) included in the PJL data Printout in accordance with PDL data.

  (3) If a PIN cannot be set in the printer driver, that is, if the printer 403 does not support confidential printing, the user is notified to select another printer that supports confidential printing, and the document is printed. The processing ends without performing.

  In this way, after the printing is performed, the printout of the document is not output from the printer 403 until the same PIN that was input before the printing is input on the operation panel of the printer 403. Therefore, the printout of the document is not inadvertently left in the printer 403, and the leakage of the document due to the printout can be prevented. Further, communication with the printer 403 may be protected by SSL so that print data flowing on the network is not eavesdropped.

  Further, the document print program 421 may be linked with the user management of the Windows (R) Domain so that the user is not required to input a PIN. For example, instead of prompting the user to enter a PIN, the user ID of the currently logged-on user is acquired from the Windows (R) Domain, and the user ID is sent to the printer 403 together with the print data. The printer 403 may receive a password input from a user on the operation panel, perform user authentication using the user ID and the password using the user authentication mechanism of Windows (R) Domain, and print out if successful. . The present invention is not limited to the Windows (R) Domain, and by linking it with user management that has been introduced in advance, it is possible to reduce troublesome PIN input for the user.

  Next, the operation of the document printing program 421 when EBC is set as the printing requirement will be described.

  (1) The document print program 421 generates data of barcode image data (or a two-dimensional code) indicating a document ID when printing a document in which EBC is set.

  (2) The document print program 421 sets the generated barcode image data as a stamp image in the printer driver, and instructs the printer 403 to print.

  (3) If EBC cannot be set in the printer driver, that is, if the printer 403 does not support the stamp function, the user is notified to select another printer that supports the stamp function, and printing is not performed. The process ends.

  By doing so, a barcode is printed on each page of the document printout, and only a copier, fax machine, or scanner that can identify this barcode decodes the barcode to obtain the document ID. The access control server 404 can determine whether hard copy, image reading, fax transmission, and the like are permitted based on the document ID. As a result, security can be ensured consistently up to the paper document.

  Next, the operation of the document print program 421 when BDP is set as the print requirement will be described.

  (1) When printing a document for which BDP is set, the document print program 421 acquires the user name requesting printing and the printing date and time as character strings (for example, Ichiro, Aug. 04, 2002). 23:47:10).

  (2) The document print program 421 generates a copy-forgery-inhibited pattern image so that the generated character string rises when a document printout is copied by a copying machine.

  (3) The document print program 421 sets the generated copy-forgery-inhibited pattern image as a stamp in the printer driver, and instructs the printer 403 to print the document.

  (4) If BDP cannot be set in the printer driver, that is, if the printer 403 does not support copy-forgery-inhibited pattern printing, the user is notified to select another printer that supports copy-forgery-inhibited pattern printing, and printing is performed. The processing ends without executing.

  In this way, each page of the document printout is printed as a copy-forgery-inhibited pattern image with the name of the user who executed the print process and the date and time, and the character string is printed when the printout is processed by a copier, scanner, or fax. It will emerge. This is effective when a copying machine that does not support EBC is used, and has a deterrent effect on information leakage caused by copying a printout of a document.

  Next, the operation of the document printing program 421 when SLS is set as the printing requirement will be described.

  (1) When printing a document file in which the SLS is set, the document print program 421 selects an image prepared in advance according to the confidentiality level of the document (in the case of Top Secret, a mark of “top secret”) Etc.).

  (2) The data of the selected image is set as a stamp in the printer driver, and the printer 403 is instructed to print.

  (3) If SLS cannot be set in the printer driver, that is, if the printer 403 does not support SLS, the user is notified to select another printer that supports label stamps, and printing is performed. The processing ends without executing.

  By doing so, “top secret” or “secret” is automatically printed as a stamp on the printout of the document file, so that it is clear that the document is a confidential document. That is, it is possible to call attention to the management of the person who has the printout.

  The above examples are only examples of printing requirements. For example, print a digital watermark to prevent tampering, or print a protected document on special paper. Limited to a tray).

  In addition, the printing requirements may include those that restrict or prohibit the function, those that force the use of the function, and those that specify ordinary printing conditions. As an example of restricting / prohibiting the function, in order to distinguish from the original confidential document, only a special user is permitted to print in color, and the other users are restricted to print only in gray scale. Printing requirements. Examples of forcibly using the function include printing requirements for forcing the use of confidential printing mode, printing requirements for forcing a log, and the name of the user who printed on the printing paper. There are a printing requirement for printing, a printing requirement for forcibly printing a watermark, a printing requirement for forcibly printing a copy-forgery-inhibited pattern, and the like. Examples of specifying normal printing conditions include a printing requirement for specifying A4 as a paper setting, a printing requirement for using a recycled paper tray, and a printing requirement for specifying double-sided printing.

  Further, the description has been made using keywords such as RAD and PAC as the expression format of the printing requirement. However, even if the keyword is not such a keyword, for example, the data itself of the setting file to be set in the printer driver or inserted into the print data. The printing requirements may be defined using data such as data described in a page description language, a character string to be displayed on the screen itself, and contents of requirements to be processed, using data such as data described in a script language. That is, the expression of the printing requirement is not limited to a keyword.

  As described above, by using various security functions supported by the printer 403 to set printing requirements in accordance with the security policy, the security functions of the printer 403 can be utilized without waste and consistent security up to printout can be achieved. Can be secured. This is the same in the system configurations of the other embodiments.

  On the other hand, in the above description, the protection target is described as the whole document. However, a portion to be protected (called a segment) and a portion not to be protected may be mixed in the document. . For example, as shown in FIG. 29, a plurality of protected segments may exist in a plurality of protected documents. In this case, if a different segment ID is assigned to each protected segment and the document ID in the above description is read as a segment ID, access control including printing for each protected segment can be controlled based on the same principle. In practice, the beginning and end of the protected segment must be marked with a marker that indicates that the protected segment starts there and that the protected segment ends there. For the method of inserting such a marker, a conventional technique such as a MIME multi-part separator can be used.

  Further, although the description has been given based on the embodiment in which the document protection program is arranged on the distributor terminal, the document protection program body may be arranged on the remote server. For example, the relationship between the distributor terminal 401, the document protection program 411, and the access control server 404 in FIG. 18 can be modified as shown in FIG. By arranging in this way, a protected document can be obtained by sending a document and necessary parameters to a remote server even from a terminal on which the document protection program is not installed.

  The embodiments described above are examples of preferred embodiments of the present invention, and the present invention is not limited to these embodiments.

  For example, in each of the above embodiments, the case where the distributor terminal and the user terminal are separate devices has been described as an example, but they may be configured to share the same device.

  Further, in each of the above embodiments, the case where the user directly operates the user terminal on which the document print program is installed has been described as an example, but the present invention is not limited to this. For example, a configuration may be adopted in which a document printing program is mounted on a server, and a user operates a user terminal to execute the document printing program via a network.

  The method of user authentication is not limited to a method using a user name and a password, and a PKI-based authentication method using a smart card may be applied.

  As described above, the present invention can be variously modified.

  Further, in the above description, the term "printer" is used, but this is not limited to a printer dedicated to printers in a narrow sense, but also includes copying, facsimile, a composite / integrated device thereof, that is, all devices having a printing function. It means equipment.

FIG. 1 is a diagram illustrating a configuration of a document protection / printing system according to a first embodiment of the present invention; FIG. 4 is a diagram illustrating a configuration example of a document protection program. FIG. 3 is a diagram illustrating a configuration example of a document printing program. FIG. 3 illustrates a configuration example of a print processing unit. FIG. 3 is a diagram illustrating a configuration example of an access control server. FIG. 3 is a diagram illustrating a configuration example of an ACL. FIG. 9 is a diagram illustrating an example of a screen requesting the setting of a security attribute. FIG. 7 is a diagram illustrating an example of a screen requesting a user name (user ID) and a password. It is a figure showing the example of the confirmation screen displayed on the display of a user terminal. FIG. 4 is a diagram illustrating a flow of operations of the document protection program and the access control server according to the first embodiment. FIG. 4 is a diagram illustrating an operation of a document printing program according to the first embodiment. FIG. 3 is a diagram illustrating a flow of operations of a document print program and an access control server according to the first embodiment. FIG. 7 is a diagram illustrating an example of an inquiry to the access control server by SOAP. FIG. 4 is a diagram illustrating a configuration example of a document protection program. It is a figure showing a situation of decoding. FIG. 3 is a diagram illustrating a configuration example of a document printing program. FIG. 4 is a diagram illustrating an example of a security policy. FIG. 2 is a diagram illustrating a configuration of a document protection / printing system according to a second embodiment in which the present invention is suitably implemented. FIG. 3 is a diagram illustrating a configuration example of an access control server. FIG. 3 is a diagram illustrating a data structure when a security policy is electronic data. FIG. 3 is a diagram illustrating an example in which a security policy is described as electronic data. FIG. 3 is a diagram illustrating a structure example of information recorded in a user database. FIG. 14 is a diagram illustrating processing of a document protection program according to the second embodiment. It is a figure showing the flow of operation of a document protection program and an access control server concerning a 2nd embodiment. FIG. 13 is a diagram illustrating a flow of operations of a document print program and an access control server according to a second embodiment. FIG. 3 is a diagram illustrating an example of a security function of the printer. FIG. 9 is a diagram illustrating processing when printing a document in which a PAC is set. It is a figure showing a dialog of PIN input. FIG. 11 is a diagram illustrating processing when a document is protected by being divided into a plurality of segments. FIG. 11 is a diagram illustrating a state where a document protection program is arranged on a remote server.

Explanation of reference numerals

301 Distributor terminal 302 User terminal 303 Printer 304 Access control server 341 User database 342 ACL database 343 Security attribute database 311 Document protection program 321 Document printing program 311a Encryption unit 311b Encryption key acquisition unit 311c Attribute assignment unit 311d Attribute registration unit 311e Parameter Acquisition unit 321a Decryption unit 321b Decryption key acquisition unit 321c Printing requirement acquisition unit 321d Print processing unit 321e Requirements processing unit 321f Document processing unit 321g Printer driver 321h Warning display unit 321i Log recording unit 321j Parameter acquisition unit 304a Attribute DB registration unit 304b User authentication Unit 304c access authority confirmation unit 304d print requirement acquisition and transmission unit 401 distributor End 402 user terminal 403 printer 404 access control server 411 document protection program 421 document printing program 441 user database 443 security attribute database 444 security policy 411a encryption section 411b encryption key acquisition section 411c attribute assignment section 411d attribute registration section 411e parameter acquisition section 421a Decryption unit 421b Decryption key acquisition unit 421c Printing requirement acquisition unit 421d Print processing unit 421e Requirements processing unit 421f Document processing unit 421g Printer driver 421h Warning display unit 421i Log recording unit 421j Parameter acquisition unit 404a Attribute DB registration unit 404b User authentication unit 404c Access Authority confirmation unit 404d Printing requirement acquisition sending unit

Claims (19)

Means for obtaining a decryption key for the encrypted document file;
Means for decrypting the document file based on the obtained decryption key;
Means for acquiring printing requirements associated with the document file from a server via a network;
Means for executing a printing process satisfying the acquired printing requirements. Means for authenticating the user to the server;
2. The document printing program according to claim 1, further comprising: means for acquiring printing requirements of the authenticated user from an ACL provided in an organization unit in association with a security attribute of the document file.   The document printing program according to claim 2, wherein the server has a security attribute database for registering a security attribute of the encrypted document file in association with the document file.   4. The document printing program according to claim 3, wherein the security attributes include a document category and a security level. Means for authenticating the user to the server;
2. The document printing program according to claim 1, further comprising: means for acquiring printing requirements of the authenticated user from a security policy associated with a security attribute of the document file and a user type.   6. The document printing program according to claim 5, wherein the server is provided with a security attribute database for registering the security attribute of the encrypted document file in association with the document file.   7. The document printing program according to claim 6, wherein the security attribute includes a document category and a security level, and the user type includes a category and a level.   The document printing program according to claim 2, wherein a parameter corresponding to an encryption key for encrypting the document file is obtained from a server via a network, and a decryption key is derived from the parameter.   9. The document printing program according to claim 8, wherein a parameter held or generated internally is used for generating the decryption key.   The document printing program according to claim 8, wherein a parameter included in the document file is used for generating the decryption key. Means for obtaining an encryption key for encrypting the document file;
Means for associating information specifying printing requirements for the document file with the document file and registering the information with a server via a network;
Means for encrypting the document file with the encryption key.   The document protection program according to claim 11, wherein a security attribute specifying the printing requirement is registered in a server in association with the document file.   13. The document protection program according to claim 12, wherein the server has a security attribute database for registering the security attribute in association with the document file.   14. The document protection program according to claim 13, wherein the security attributes include a document category and a security level.   The document protection program according to claim 11, wherein the encryption key used for encryption is registered in the server.   16. The document protection program according to claim 15, wherein parameters used for deriving an encryption key used for encryption are registered in the server.   17. The document protection program according to claim 15, wherein a parameter used for deriving an encryption key used for encryption is added to a part of the document file. Means for obtaining an encryption key for encrypting the document file, means for associating information specifying printing requirements for the document file with the document file and registering the document file on a server via a network, and A distributor terminal on which a document protection program comprising encryption means is mounted,
Means for obtaining a decryption key for an encrypted document file, means for decrypting the document file based on the obtained decryption key, and obtaining printing requirements associated with the document file from a server via a network A document protection system comprising: a user terminal on which a document printing program including means for performing a printing process that satisfies the acquired printing requirements is implemented. Means for obtaining an encryption key for encrypting the document file, means for associating information specifying printing requirements for the document file with the document file and registering the document file on a server via a network, and A server on which a document protection program comprising encryption means is mounted,
Means for obtaining a decryption key for an encrypted document file, means for decrypting the document file based on the obtained decryption key, and obtaining printing requirements associated with the document file from a server via a network A document protection system comprising: a user terminal on which a document printing program including means for performing a printing process that satisfies the acquired printing requirements is implemented.

Images