JP2018156633A - Information management terminal device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide means for enabling an individual or a corporation to proactively and securely manage information by terminal equipment such as a smartphone, a PC, or a server.SOLUTION: There is provided information management terminal equipment including: health information acquisition means 1242; health information storage means 1243 for storing health information and a health information passbook; and storage media 11. The storage media 11 comprise: a secret region 111 which can be accessed only by a specific program; and a normal region 112 which can be accessed even by a program other than the specific program. The health information acquisition means 1242 applies date/time records as the health information passbook, the health information storage means 1243 successively stores the health information and the health information passbook in the normal region 112, and the secret region 111 stores a data alteration detection parameter for detecting alteration of the health information and/or the health information passbook.SELECTED DRAWING: Figure 2

Description

  The present invention relates to acquisition, accumulation, and distribution of information that is an object of information processing such as data mining using AI (artificial intelligence) analysis or the like. More specifically, it relates to a series of processes such as information acquisition, storage, distribution, analysis, and visualization in devices and systems that handle human and physical health information.

  In order to extract effective information from big data or the like by AI or the like, it is desirable that the data quality / acquisition means and acquisition date need to be accurately recorded information. In addition, strict recording and management are required for the management and distribution of data that can be specified by individuals in accordance with the Personal Information Protection Law and the like regarding information relating to people.

  For example, in Patent Document 1, in order to protect a legitimate user from a user who tries to abuse the content, the content information is stored in the hidden memory area, and the content information stored in the hidden memory area is accessed in the hidden memory area. A portable memory device is described that stores information for each.

  In Patent Document 2, in order to control whether or not a user can use the content by a method different from the conventional method, when the user terminal reproduces or executes the content, it is determined whether or not the user has authority to use the content. If it is determined that the user does not have the right to use the content, the license management apparatus requests the license information with the expiration date set. A content protection system is described that determines that there is.

  In Patent Document 3, an encryption / decryption key is stored in the medium itself in order to improve safety and functionality, making it difficult to access from an external device, and only a host device having a certificate can access the key. A storage device is described.

  Patent Document 4 discloses a selector that connects a host controller and a circuit in a copyright protection chip to access encrypted content stored in a storage device using a host controller that accesses a memory card; When the encrypted content key stored in the storage device, the decryption key generation information, and the shared secret information are stored, and the access unit accesses the content obtained by decrypting the encrypted content stored in the hard disk, A copyright protection chip is described that includes a communication circuit that communicates with a host controller and transmits encrypted content key and decryption key generation information stored in a register to the host controller.

  Patent Document 5 records usage history information such as duplication and modification when a content usage terminal uses content received from a content providing terminal in order to perform appropriate protection according to the usage status of the content. Transmission to the content providing terminal at a predetermined time interval, the content providing terminal receives it, determines the protection level based on the usage history information, preset usage conditions and protection pattern, and corresponding protection processing A content protection system that distributes protected content that has been performed to content-use terminals is described.

  Patent Document 6 describes a digital content protection device that embeds an electronic watermark in which the user's identity is embedded in the digital content and provides it to the user in order to prevent illegal distribution of the digital content.

  In Patent Document 7, in order to prevent unauthorized copying of content on a terminal, encrypted content is decrypted and reproduced using a content key included in a license acquired from a license server, and user information included in the license is also disclosed. Describes a terminal device with a content protection function having content playback means for inserting the content as a digital watermark into the played content.

JP 2013-37715 A JP 2012-18662 A JP 2010-182332 A JP 2010-10824 A JP 2005-316836 A JP-A-2005-57769 JP 2004-318448 A

  As described above, most of the conventional technologies are licensed audio / video contents, and the living body / behavior / environment / equipment state generated by the person or object subject to IoT or big data. -Diverse data such as device operation was not assumed. In addition, most of the content protection technologies are mainly cloud and management server, and there is no technology from the viewpoint of personal information protection in which individuals judge the confidentiality of data. Furthermore, when using data acquired by various sensors such as vital sign sensors as analysis targets for big data or AI, the reliability of the data is very important, but in many cases, the data acquired by the sensor is BLE (Bluetooth). Low energy) or WiFi is generally sent to a terminal such as a smartphone and further sent to the cloud as it is for processing, and no particular attention has been paid to tampering with the terminal. Processing software such as Android, which is often used for smartphones and tablet terminals, is relatively open, and security improvements such as fingerprint authentication have been progressing in recent years. However, there are various ways to accumulate highly confidential personal health information for a lifetime. Currently, terminals such as smartphones that run various application software are not necessarily safe. Further, when personal health information or the like is accumulated in the terminal, it is left to the user to move data when the terminal is replaced.

  Therefore, an object of the present invention is to provide a means for individuals and corporations (referred to as information owners) who own data to independently and securely manage information using devices such as smartphones, PCs, and servers. .

In order to solve the above problems, an information management terminal device according to the present invention provides:
Information acquisition means for acquiring first information to be managed, information storage means for storing the first information and second information that is additional information to the first information, and storage media An information management terminal device comprising:
The storage medium has a secret area accessible only by a specific program including a program for operating the information management terminal device as the information storage means, and a normal area accessible by programs other than the specific program,
The information acquisition means assigns a date / time record as the second information,
The information storage means sequentially stores the first information or the link capable of referring to the first information and the link capable of referring to the second information or the second information in the normal area. And
The secret area holds a data falsification detection parameter for detecting falsification of the first information and / or the second information.

  As a result, information that can be detected when falsification is detected in the date or content can be stored in a compact manner at the information owner using the terminal device, and information utilization led by the information owner can be realized.

In a preferred embodiment of the present invention, the data falsification detection parameter detects whether the first information and / or the second information is falsified using the first information and / or the second information. It is a key for generating information to be used.
In this way, by using a key for generating information for detecting the presence or absence of data tampering as a data tampering detection parameter, a large amount of data can be handled even when the data capacity that can be recorded in the secret area is limited. Can do.

In a preferred embodiment of the present invention, the secret area includes a program tampering detection parameter for performing tampering detection of the specific program,
Program alteration detection means for performing alteration detection processing of the specific program using the program alteration detection parameter is provided.
As a result, it is possible to prevent falsification of the program that acquires and accumulates information, so that the reliability of information can be dramatically improved.

In a preferred form of the present invention, the program alteration detection means periodically performs alteration detection processing of the specific program,
When the falsification of the specific program is detected, the first information and the second information accumulated from the time when the falsification detection process of the specific program was executed to the time when the falsification of the program was detected. It is characterized by performing deletion or recovery.
As a result, information that may have been tampered with in the program can be deleted, and the reliability of the stored information can be ensured. The recovery of the health information and the health information passbook here can be realized by storing the health information and the health information passbook in advance in other terminal devices and server devices and acquiring them.

In a preferred form of the present invention, the data falsification detection means for performing falsification detection processing of the first information and / or the second information using the data falsification detection parameter,
When the previous alteration detection processing of the first information and / or the second information is executed when the data alteration detection means detects the alteration of the first information and / or the second information. To the first information and / or the second information accumulated until the time when the falsification of the first information and / or the second information is detected.
As a result, it is possible to reliably delete or recover data that may be falsified, and to reliably remove data with low reliability.

In a preferred embodiment of the present invention, the information management terminal device further comprises distribution means for selecting and outputting distribution target information from the first information and the second information accumulated by the information accumulation means,
The distribution unit includes: a secret level setting unit that sets a secret level of the selected distribution target information; and a unit that outputs the secret level as additional information to the distribution target information. .
As a result, the accumulated information can be transmitted to other terminals and used actively.

In a preferred embodiment of the present invention, the level of secrecy is
Class 0 for transmitting the distribution target information without encryption;
Class 1 to be transmitted in a state where the distribution target information is encrypted,
A class 2 that encrypts the distribution target information, prohibits copying at an output destination, sets an expiration date of the distribution target information, and transmits the class 2;
Class 3 that encrypts the distribution target information, prohibits copying at an output destination, restricts handling of processing result information caused by arbitrary processing on the distribution target information, and sets an expiration date of the distribution target information , Including.
As a result, the confidentiality of the health information to be distributed can be made into a rule, and it is possible to generate a distribution information for the information owner to control the health information management at the distribution destination or the conventional type that distributes widely to general servers.

In a preferred form of the present invention, the second information is a history of output by the distribution means, information for specifying an output destination by the distribution means, the level of secrecy, and a processing result at the output destination by the distribution means, It contains at least one.
As a result, analysis, redistribution, erasure, etc. of the received health information remain as a record, and verification by the information owner of the distribution source is facilitated, and the reliability of the system is dramatically increased.

In a preferred aspect of the present invention, the first information is information on the health of a person and / or an object.
This makes it possible to appropriately handle information that needs to be handled securely, such as the health status of people and things.

An information management terminal device according to another aspect of the present invention
Receiving means for receiving first information distributed from another terminal device and second information that is additional information to the first information; and analyzing the first information and the second information. An information management terminal device comprising: an analysis unit for performing; an output unit for transmitting and / or displaying an analysis result of the analysis unit to the other terminal device; and a storage medium,
The storage medium includes a secret area accessible only by a specific program including a program for operating the information management terminal device as the receiving unit, the analyzing unit, and the output unit, and a program other than the specific program And an accessible normal area,
The receiving means has a secret level determining means for determining a secret level given to the first information and the second information,
The analysis means and the output means handle the first information, the second information, and the analysis result according to the confidentiality level,
The concealment area includes a program falsification detection parameter for detecting falsification of the specific program,
An information management terminal device comprising: a program falsification detection unit that detects falsification of the specific program using the program falsification detection parameter.
As a result, it is possible to prevent the program from being tampered with and to eliminate the risk of handling information that is contrary to the confidentiality level or the analysis result thereof.

In a preferred form of the present invention, the analysis means stores the history information of the analysis or a link that can refer to the history information of the analysis in the normal area,
The secret area holds a data falsification detection parameter for detecting falsification of the history information.
This accumulates analysis history information in a tamper-detectable state, facilitates verification by the information owner of the distribution source, and dramatically increases the reliability of information handling.

In a preferred embodiment of the present invention, when the analysis unit detects falsification of the history information of the analysis, the falsification of the history information of the analysis is detected from the time when the falsification detection processing of the history information of the previous analysis is executed. The analysis history information accumulated up to the point in time is deleted or recovered.
As a result, it is possible to reliably delete or recover data that may be falsified, and to reliably remove data with low reliability.

In a preferred embodiment of the present invention, the level of secrecy is
Class 0 that handles the first information and the second information without encryption;
Class 1 handled in a state where the first information and the second information are encrypted,
A class 2 that encrypts the first information and the second information, prohibits copying at an output destination, and sets and handles an expiration date of the first information and the second information; and
Encrypt the first information and the second information, set the prohibition of copying at the output destination, the restriction of the handling of the analysis result, the expiration date of the first information and the second information And class 3 to be handled.
As a result, the confidentiality of the information and the analysis result can be made into a rule, and it is possible to generate a distribution information for the information owner to control the conventional information distribution to a general server and the health information management at the distribution destination.

In a preferred form of the present invention, the receiving means receives the analysis result from another terminal device,
The analysis unit re-analyzes the analysis result.
Accordingly, various analyzes can be performed according to the confidentiality level, that is, according to the intention of the information owner, such as obtaining a more detailed analysis result from the analysis result or obtaining an analysis result from another viewpoint.

In a preferred aspect of the present invention, the first information is information on the health of a person and / or an object.
This makes it possible to appropriately handle information that needs to be handled securely, such as the health status of people and things.

  Health information that can be detected when the date or content is altered can be stored in a compact manner at the information owner using the terminal device, and information utilization led by the information owner can be realized.

It is a block diagram of the system using the information management terminal device which concerns on Embodiment 1 of this invention. It is a functional block diagram of the health information distribution side device which concerns on Embodiment 1 of this invention. It is a functional block diagram of the health information reception / analysis side device concerning Embodiment 1 of the present invention. It is a flowchart which shows the program reading process in Embodiment 1 of this invention. It is a flowchart which shows the alteration detection process of the program in Embodiment 1 of this invention. It is a flowchart which shows the health information acquisition process in Embodiment 1 of this invention. It is a flowchart which shows the health information delivery process in Embodiment 1 of this invention. It is a flowchart which shows the health / analysis information reception process in Embodiment 1 of this invention. It is a flowchart which shows the health information analysis / analysis information reanalysis process in Embodiment 1 of this invention. It is a flowchart which shows the recording / reading process of the data in Embodiment 1 of this invention. It is a functional block diagram of the health information distribution side device which concerns on Embodiment 2 of this invention. It is a functional block diagram of the health information reception / analysis side device concerning Embodiment 2 of the present invention. It is a flowchart which shows the program reading process in Embodiment 2 of this invention. It is a functional block diagram of the health information distribution side device which concerns on Embodiment 3 of this invention. It is a functional block diagram of the health information reception / analysis side device which concerns on Embodiment 3 of this invention. It is a flowchart which shows the recording / reading process of the data in Embodiment 3 of this invention. It is a flowchart which shows the alteration detection process of the program in Embodiment 3 of this invention. It is a sequence diagram which shows an example of the flow of the exchange of data between the devices in Embodiment 3 of this invention.

(Embodiment 1)
<Overall configuration of system using information management terminal device>
Hereinafter, Embodiment 1 of the present invention will be described in detail with reference to the drawings. FIG. 1 is a configuration diagram of a system using an information management terminal device according to the present embodiment. As shown here, the information management terminal device according to the present invention includes a health information distribution side device 1 that acquires and distributes information from sensors, and a health information reception / analysis side device that performs reception and analysis of information. 2a to 2c (hereinafter referred to as the health information receiving / analyzing side device 2 when there is no need to distinguish between them) are configured to be communicable directly or via the network NW. Further, the health information distribution side device 1 is a terminal device 3a, 3b, which is not an information management terminal device according to the present embodiment but is a general computer or server device (hereinafter generally referred to as a terminal when there is no need to distinguish between them). (Referred to as device 3) is configured to be communicable directly or via the network NW. The health information distribution side device 1 includes various sensors (hereinafter referred to as a sensor 4a attached to an infant, a sensor 4b attached to an elderly person, a sensor 4c attached to a manufacturing apparatus, and a sensor 4d attached to an automobile. In the case where it is not particularly necessary to distinguish, the sensor 4 is generally referred to as a sensor 4) and can be communicated wirelessly or by wire. Further, the health information distribution side device 1 and the health information reception / analysis side device 2 also communicate with the management server device 5 that stores information about programs operating on these devices and information about the sensors 4 via the network NW. Configured to be possible.

  The health information in the present invention is a general term for information generated or involved by a person or a thing. For example, as information related to human health, biological information (electrocardiogram, pulse wave, heart rate, pulse, body temperature, etc.), behavior information (sleep, meal, excretion, GPS position, purchase, medication, medical history, etc.), environmental information ( Information such as temperature, humidity, atmospheric pressure, air pollution, pollen, etc. is generated by the product, that is, information related to the health of the product, such as device status information (abnormal noise, temperature, vibration, etc.), device operation information (handle / accelerator) -Operation information such as brakes, abnormal sound information such as non-destructive testing, operation time, GPS position, operation staff, etc.), equipment environmental information (almost the same as people), and the like. In addition, devices that handle devices such as the health information distribution side device 1, the health information reception / analysis side device 2, and the terminal device 3 are collectively referred to as a user. A user who performs distribution or the like is called an information owner.

  Moreover, it is good also as a structure which can handle not only the above-mentioned person and a thing's health information but various information. For example, with respect to various types of information that require the detection of tampering or tampering, such as storage and distribution of documents such as drawings attached to contracts in a state that can guarantee their validity, Management using the information management terminal device according to the present invention can be performed.

  The basis of the present invention is peer-to-peer (P2P) communication between the health information distribution side device 1 and the health information reception / analysis side device 2 or the terminal device 3, so that a specific cloud server or the like is used. do not need. Of course, connection to a cloud server is also possible as an extension of P2P communication.

  In the present embodiment, the recording medium with enhanced security is used as the distribution-side medium 11 in combination with a smartphone, tablet, PC, etc. (referred to as a device) that are widely spread, and the health information distribution-side device 1 is the same. Furthermore, the health information receiving / analyzing side device 2 is realized by the receiving / analyzing side media 21 and the device, respectively. As the recording medium, for example, an SD card of SeeQVault (registered trademark) standard can be used. In the recording medium, a secret area and a normal public area are defined by a processor built in the recording medium. Among these, only the specific authentication software operating on the device can access the secret area using a public key generated from the secret key stored in the secret area of the recording medium. In other words, there is a medium having a secret area that is invisible to a general file system such as that provided by an OS (Operating System, basic software) installed in the device and that can be accessed only by specific authentication software. Become. In addition, as long as the recording medium conforms to a standard having a similar mechanism, the recording card is not limited to the SD card of the SeeQVault standard, and other recording media may be used.

<Configuration of health information distribution device>
FIG. 2 shows a functional block diagram of the health information distribution side device 1. As shown here, the health information distribution side device 1 includes a distribution side medium 11, an encoder 12 that obtains the health information from the sensor 4 and records it on the distribution side medium 11, and health information reception / analysis of the health information. A distribution unit 13 that performs transmission to the side device 2 and the terminal device 3, and an individual / qualification information authentication unit 14 that performs authentication when acquiring and distributing health information.

  The distribution side media 11 has a secret area 111 and a normal area 112. The secret area 111 is an area that can be accessed only by specific authentication software operating on the device as described above, using a public key generated from the secret key stored in the secret area of the recording medium. Further, as will be described later, the secret area 111 can be accessed only when mutual authentication between the device authentication unit 1111 and the media authentication unit 121 and 131 is established. The normal area 112 is not a general file system provided by the OS or the like of the device, but media file system control information 1112 held in the secret area 111 (such as a pointer for realizing sequential writing to the medium). Information is managed by a private media file system.

  The secret area 111 is a device authentication unit 1111 that performs mutual authentication between the distribution-side medium 11 and the health information distribution-side device 1, the media file system control information 1112 described above, and data reading / writing to the normal area 112. At this time, a data encryption key 1113 which is a key for performing encryption / decryption, a program file on the health information distribution side device 1, a health information passbook, a hash value used for detecting unauthorized tampering of health information, and the like Falsification detection parameter 1114.

  The normal area 112 receives the health information from the sensor 4 and stores the received health information in the encoder program file 1121 and distributes the stored health information to the health information receiving / analyzing device 2 and the terminal device 3. The distribution program file 1122 to be performed, the health information passbook 1123 which is a record of distribution of health information, and the accumulation of health information 1124 received from the sensor 4 are included.

  Here, in the health information passbook 1123, as attributes of the health information acquired from the sensors 4, the sensor identifiers of the respective sensors 4, the acquisition date and type of the health information, the size, the data alteration detection parameters (for example, the hash of the health information) Value) etc. are recorded sequentially with overwriting prohibited. Also, when the health information is output from the health information distribution side device 1 to the health information reception / analysis side device 2 or the terminal device 3, the output history, the output destination, the secret level set at the time of output, the output destination Includes information such as returned analysis results.

  Note that the information included in the secret area 111 and the encoder program file 1121 and the distribution program file 1122 included in the normal area 112 are recorded in the distribution side medium 11 at the time of initial setting of the distribution side medium 11 or by a reliable distribution method. It is what is done.

  The encoder 12 includes a media authentication unit 121 that performs mutual authentication between the device and the media with the device authentication unit 1111, a media file system 122 for accessing the normal area 112, and health information from the sensor 4. The health information passbook 1123 and health information 1124 for acquiring and storing the health information passbook 1123 and the health information 1124, the encoder program 124, and the falsification detection means 123 for detecting falsification of the encoder program 124 are provided.

  The encoder program 124 is executed by the health information distribution side device 1 reading the encoder program file 1121 from the normal area 112 and executing it. The sensor authentication means 1241 for authenticating the sensor 4 and the health information from the sensor 4 are acquired. Health information acquisition means 1242 and health information storage means 1243 for storing health information in health information 1124 and storing health information additional information in health information passbook 1123 are included.

  Similarly to the media authentication unit 121, the distribution unit 13 includes a media authentication unit 131 that performs mutual authentication between devices and media, a media file system 132 for accessing the normal area 112, a health information passbook 1123, and health information 1124. A distribution program 134 that distributes health information, a health information passbook 1123, health information 1124, falsification detection means 133 that detects falsification of the distribution program 134, a distribution destination of health information and health information passbook from the information owner, and distribution Information delivery destination / secret level designation input accepting means 135 for accepting designation of the secret level to be set, and falsification detection parameter concealing delivery means 136 for concealing and delivering the falsification detection parameter 1114.

  The distribution program 134 is a program in which the health information distribution side device 1 reads and executes the distribution program file 1122 from the normal area 112, and generates a health information container to be distributed by containerizing the health information passbook 1123 and the health information 1124. Health information container generating means 1341, and health information container distributing means 1342 for distributing the health information container to the health information receiving / analyzing device 2 and the terminal device 3.

  The falsification detection parameter concealment distribution means 136 distributes the health information to other health information reception / analysis side devices 2 and the like, and then checks the falsification detection parameter ( A hash value or the like) in a concealed state.

  In this embodiment, the secret level for accepting designation from the information owner by the information distribution destination / secret level designation input receiving unit 135 is as shown in Table 1. This secret level is specified by the information owner in principle for the health information container to be distributed, and is handled as additional information when the health information is recorded and distributed. As shown in Table 1, in class 0 with the lowest level of secrecy, health information that is difficult to tamper with, including the date of health information, remains only as evidence at the owner of the information. Dependent. In this case, it is possible to send information to a general terminal device (conventional cloud service or the like) as shown as the terminal devices 3a and 3b in FIG. In order to realize a secret level of class 1 or higher, a secure storage medium is also required on the analysis side that receives the information container. By installing reception / analysis software that is difficult to falsify on this media, it is difficult to make arbitrary distribution to the receiving container. In addition, the history of redistribution is written and recorded in the health information passbook on the receiving side and the information owner side. Specifically, in the case of class 1 designation, decryption of received health information is required. The decryption key needs to be stored in advance in the secret area on the receiving side. In class 2, the information owner can further specify control of redistributed hyphae, expiration date, and deletion of received health information. In class 3, the same designation is possible for the analysis result.

  In the present embodiment, the encoder 12 and the distribution unit 13 each include a media authentication unit 121, a media authentication unit 131, a media file system 122, a media file system 132, a falsification detection unit 123, and a falsification detection unit 133. Although shown, it is good also as a structure which makes these functions common. However, in any case, the media authentication means 121 and 131, the media file systems 122 and 132, and the falsification detection means 123 and 133 are tamper-resistant (software code obfuscation processing), and the secret area 111 is accessed. In order to do this, these software (nuclear software) is essential.

<Configuration of health information reception / analysis device>
FIG. 3 shows a functional block diagram of the health information receiving / analyzing device 2. As shown here, the health information receiving / analyzing side device 2 receives the health information from the receiving / analyzing side media 21 and the health information distributing side device 1 and sends the analysis result to the health information distributing side device 1. Transmission / reception unit 22 for performing transmission, transmission for requesting reanalysis to other health information receiving / analysis side device 2 and terminal device 3 of health information analysis result, reception of reanalysis result, and received health information And a decoder 23 for performing browsing control and analysis, and personal / qualification information authenticating means 24 for performing authentication when receiving or browsing health information.

  The receiving / analyzing medium 21 can use a recording medium having a secret area 211 and a normal area 212 as in the distribution-side medium 11, and the media authentication means 221 is the same as the device authentication means 2111, media similar to the secret area 111. File system control information 2112, data encryption key 2113, and falsification detection parameter 2114 are included.

  The normal area 212 receives the health information from the health information distribution side device 1 and transmits the health information analysis result to the health information distribution side device 1, the other health information reception / analysis side device 2, the terminal device 3, and the like. Transmission / reception program file 2121 to be performed, decoder program file 2122 for performing analysis and browsing control of received health information, health information passbook / health information 2123 for storing health information and information added thereto, and health information analysis results Analysis result information 2124 for storing.

  Note that each piece of information included in the secret area 211 and the transmission / reception program file 2121 and decoder program file 2122 included in the normal area 212 are distributed at the time of initial setting of the receiving / analyzing medium 21 or by a reliable distribution method. Is recorded.

The transmission / reception unit 22 includes a media file system 122 that performs mutual authentication between the device and the media with the device authentication unit 2111, a media file system 222 that accesses the normal area 212, a media file system 222, As falsification detection means 223 for detecting falsification of health information passbook / health information 2123, analysis result information 2124, etc., receiving and opening of health information container and analysis information container, and analysis information container of analysis result of health information by decoder 23 Transmission / reception program 224 for performing transmission, confidential level determination means 225 for determining the confidential level set in the health information container and analysis information container, and falsification detection parameter concealment distribution for concealing and distributing the falsification detection parameter 2114 Means 226.
Have

  The transmission / reception program 224 is executed by the health information reception / analysis side device 2 by reading the transmission / reception program file 2121 from the normal area 212 and receiving the health information container from the health information distribution side device 1 or receiving other health information. / Health / analysis information container receiving means 2241 for receiving the analysis information container from the analysis side device 2 or the terminal device 3, and opening the received health information container and analysis information container, to the health information passbook / health information 2123 Health / analysis information container opening means 2242 for recording, and analysis information container transmission means 2243 for delivering the analysis result of health information by the decoder 23 stored in the analysis result information 2124 as an analysis information container.

  The falsification detection parameter concealment distribution means 226 distributes the health information analysis result to the health information distribution side device 1 or other health information reception / analysis side device 2 and then verifies whether the falsification has occurred. The falsification detection parameter (hash value etc.) of the distributed analysis result is provided in a concealed state.

  The decoder 23 includes a media authentication unit 231 that performs mutual authentication between the device and the media with the device authentication unit 2111, a media file system 232 that performs access to the normal area 212, health information analysis and browsing / It has a decoder program 234 that controls transmission, etc., and a health information passbook / health information 2123, analysis result information 2124, and a falsification detection means 233 that detects falsification of the decoder program 234.

  The decoder program 234 is executed by the health information reception / analysis side device 2 by reading the decoder program file 2122 from the normal area 212 and browsing the health information and analysis results, the health information distribution side device 1, and other health information reception. / Analysis side device 2, browsing control means 2341 that controls transmission to the terminal device 3, and health information analysis means 2342 that analyzes health information.

  In the present embodiment, the transmission / reception unit 22 and the decoder 23 each include a media authentication unit 221, a media authentication unit 231, a media file system 222, a media file system 232, a falsification detection unit 223, and a falsification detection unit 233. Although shown, it is good also as a structure which makes these functions common. However, in any case, the media authentication means 221 and 231, the media file systems 222 and 232, and the falsification detection means 223 and 233 are tamper resistant (software code obfuscation processing), and access to the secret area 211 is performed. In order to do this, these software (nuclear software) is essential.

  In the present embodiment, as described above, as the output of the analysis result by the health information reception / analysis side device 2, the display on the health information reception / analysis side device 2 by the browsing control means 2341 and the analysis information container transmission The configuration capable of outputting to the health information distribution side device 1, the health information receiving / analysis side device 2, and the terminal device 3 by means 2243 has been shown. However, only one of these is provided as the output means. It is good. For example, it is possible to display only the health information reception / analysis side device 2 by the browsing control means 2341, and a configuration for allowing the user of the health information reception / analysis side device 2 to browse the analysis result, or an analysis information container transmission means Only the transmission by 2243 is possible, the analysis result is returned to the health information delivery side device 1 that is the source of the health information and the health information passbook, and the reanalysis to the other health information reception / analysis side device 2 and the terminal device 3 is possible. For example, a configuration in which only a request is made.

  Moreover, although the health information distribution side device 1 and the health information reception / analysis side device 2 have different functions, the present invention is not limited to this. For example, a recording medium including information stored in the distribution side medium 11 and the reception / analysis side medium 21 is connected to a terminal device having the functions of the encoder 12, the distribution unit 13, the transmission / reception unit 22, and the decoder 23. A terminal device that can be used as either the information distribution side device 1 or the health information reception / analysis side device 2 may be used.

  It is assumed that all the programs such as the encoder program file 1121, the distribution program file 1122, the transmission / reception program file 2121 and the decoder program file 2122 are registered in advance in the management server device 5. Further, it is assumed that attribute information (sensor identifier for identifying the sensor 4 and other information related to the sensor 4) regarding each sensor 4 is also stored in the management server device 5 in advance and can be referred to at the time of analysis.

<Loading programs and detecting tampering>
The encoder program file 1121 and the distribution program file 1122 are read when the health information distribution side device 1 is activated. Moreover, it is good also as a structure read when performing the acquisition process of health information regularly or based on a user's instruction | indication. FIG. 4 is a flowchart showing the flow of the reading process of the encoder program file 1121.

  First, in step S101, mutual authentication is performed between the health information distribution side device 1 and the distribution side medium 11. This is a process executed between the media authentication unit 121 and the device authentication unit 1111.

  If it is determined in step S102 that the device-media authentication process has succeeded, the process proceeds to step S103, where the encoder program file 1121 is read into the health information distribution side device 1 as the encoder program 124, and the health Development of the information distribution side device 1 on the memory is performed.

  If authentication fails in step S102, the encoder program 124 is not read in step S103, and the process ends. At this time, a configuration may be adopted in which a message or log indicating authentication failure is output.

  The same processing is performed for reading the distribution program file 1122 by the health information distribution side device 1. Alternatively, the encoder program file 1121 and the distribution program file 1122 may not be read separately, and after the authentication process once, both the encoder program file 1121 and the distribution program file 1122 may be read in step S103. Further, when the health information reception / analysis side device 2 reads the transmission / reception program file 2121 and the decoder program file 2122, the health information reception / analysis side device 2 performs the same processing.

  Even after the program is read from the media authentication unit 121 (or the media authentication unit 221) by the above-described processing, a detection process as to whether or not the program has been tampered with is periodically performed. FIG. 5 is a flowchart showing the flow of falsification detection processing.

  First, in step S201, the falsification detection parameter 1114 and the falsification detection parameter 2114 are read. In this embodiment, the hash value of the encoder program file 1121 and the distribution program file 1122 is used as the falsification detection parameter 1114 related to the program, and the hash value of the transmission / reception program file 2121 and the decoder program file 2122 is used as the falsification detection parameter 2114 related to the program. Are used, respectively. Here, the hash value is a value obtained by performing an irreversible calculation process on the original data using a hash function. The hash value of the legitimate file is calculated and recorded in advance, and in the falsification detection process, the hash value of the file subject to falsification detection is calculated in the same procedure and becomes the same as the hash value of the legitimate file. Whether or not the file has been tampered with can be verified.

  After reading the hash value recorded as the falsification detection parameters 1114 and 2114 in step S201, the hash value of the inspection target program is calculated in step S202. Here, the encoder program file 1121 and the distribution program file 1122 read into the health information distribution side device 1 and the transmission / reception program file 2121 and the decoder program file 2122 read into the health information reception / analysis side device 2 are the inspection target programs. .

  In subsequent step S203, hash values are compared. Here, as described above, if the hash values are the same, it can be determined that the program has not been tampered with, but if the hash values are different, there is a suspicion that the program has been tampered with. Therefore, if it is determined in step S204 that the hash values are the same, the falsification detection process ends. If it is determined in step S204 that the hash values are not the same, the process proceeds to step S205, and the program to be inspected is checked. A reloading process is performed. This may be performed again as described above with reference to FIG.

  Also, if the hash values are not the same and there is a risk of falsification of the program, the data acquired up to the present from the previous falsification detection process, that is, there is a possibility that it was acquired by an illegally falsified program, It is preferable to perform processing such as discard or recovery of data with low reliability.

  Here, when falsification of the encoder program 124 is detected, it is preferable to delete the health information and the health information passbook acquired from the previous falsification detection process to the present. In addition, since the analysis result performed using the data is also low in reliability, it can be applied to other health information reception / analysis side devices 2 and terminal devices 3 that hold such analysis results. It is more preferable that the data deletion be requested.

  On the other hand, when falsification of a program other than the encoder program 124 is detected, the health information distribution side device 1, the health information reception / analysis side device 2, the terminal device 3 or the management server device 5 or the illustrated diagram are shown. If the configuration is such that regular backup is taken to other server devices, etc., it is possible that those server devices are not affected by falsification of the program, that is, there is a possibility that highly reliable data exists. . In such a case, it is preferable to acquire such information and to recover the data.

  In addition, even when tampering with a program other than the encoder program 124 is detected, the health information reception / analysis when the tampering of the distribution program 134 is detected, that is, when the tampered program is detected. Health information delivery side device 1 or other health when the health information or health information passbook transmitted to the side device 2 or the terminal device 3 and the analysis result thereof, the alteration of the transmission / reception program 224 or the decoder program 234 is detected The data such as the analysis result transmitted to the information reception / analysis side device 2, the terminal device 3, etc. and the reanalysis result are also unreliable, and the configuration is such that the deletion of such data is requested. More preferably.

  In the present embodiment, as described above, the program file read by the health information delivery side device 1 from the delivery side media 11 or the program file read by the health information reception / analysis side device 2 from the reception / analysis side media 21. Inspects whether or not the information has been tampered with, and if there is a risk of tampering, the program file is reloaded to ensure that the health information and analysis results are not tampered with or used. be able to.

<Health information acquisition process>
Next, a process for acquiring health information from the sensor 4 by the health information distribution side device 1 will be described. FIG. 6 is a flowchart showing the flow of health information acquisition processing. First, in step S301, an information owner authentication process by the individual / qualification information authentication means 14 is performed. Note that this may be performed by an authentication means of the health information distribution side device 1, for example, input of a preset password, or the health information distribution side device 1 performs biometric authentication such as fingerprint authentication or face authentication. Any device having a function to be performed may be configured to use those functions.

  If it is determined in step S302 that the user authentication is successful, the process proceeds to step S303, and the sensor authentication unit 1241 performs the authentication process of the sensor 4. This is to prevent unauthorized acquisition of health information generated by a person other than the information owner, or the target health information delivery side device 1 or the sensor 4, and the sensor 4 is installed or initially registered. At the time of registration change, the sensor-specific identifiers to be listed are listed by the information owner, and the contents of unnatural acquired information are monitored and detected and recorded in the health information passbook 1123. Authenticate to

  If it is determined in step S404 that the authentication of the sensor 4 has succeeded, the process proceeds to step S305, and the health information accumulating unit 1243 performs a process for acquiring health information from the sensor 4. In step S306, additional information is added to the health information acquired here. Examples of the additional information include date / time records (time stamps) when the health information is acquired, information about the sensor 4 that performed the acquisition, and the like. In this case, it is preferable that the additional information is provided in a form that is difficult to falsify with an electronic certificate or an electronic time certificate issued by a trusted site.

  In step S307, the health information acquired in step S305 and given additional information in step S306 is recorded in the health information passbook 1123 and health information 1124. Here, the recording of the health information is sequentially performed with overwriting prohibited.

  Through the above process, the health information is acquired using the health information distribution side device 1. As described above, by authenticating the information owner and the sensor 4, it is possible to prevent unauthorized health information from being recorded by a third party without the intention of the information owner. Furthermore, by adding additional information in a form that is difficult to falsify to the health information acquired from the sensor 4 and performing sequential recording with prohibition of overwriting of the information, the information owner can illegally alter the health information. Can be prevented. Thereby, the reliability of the health information recorded by the health information distribution side device 1 can be made very high.

  In FIG. 6, a process is illustrated that immediately terminates the process when it is determined in step S302 that the user authentication has failed or when the sensor 4 authentication has failed in step S304. Arbitrary processing such as processing for requesting authentication or processing for displaying a warning message may be added.

<Health information distribution process>
The health information acquired from the sensor 4 by the encoder 12 and recorded in the distribution side media 11 and the health information passbook as the additional information can be distributed to the health information reception / analysis side device 2 and the terminal device 3. . FIG. 7 is a flowchart showing the flow of health information distribution processing.

  First, in step S401, authentication of the information owner is performed. This may be a process similar to step S301 in the health information acquisition process described with reference to FIG. If it is determined in step S403 that the user authentication is successful, the distribution processing from step S403 to S405 is performed.

  In step S403, designation of information to be distributed in the health information passbook 1123 and health information 1124, designation of the distribution destination, and a secret level used for distribution are received from the information owner. The designation of the information to be distributed here may be accepted by an arbitrary method such as information acquired from a specific sensor 4 or information acquired in a specific period. For the delivery destination, specify the health information receiving / analysis side device 2 or terminal device 3 directly connected by wire or wireless, or specify the URL (Uniform Resource Locator) if connected via the network NW. The designation may be accepted by an arbitrary method such as Alternatively, the health information receiving / analyzing device 2 or the terminal device 3 connected by a predetermined method such as wired connection may be automatically selected as a delivery destination. The secret level accepts selection of any one of the four classes 0 to 3 as shown in Table 1 above. Alternatively, the confidentiality level used for distribution may be determined in advance for the information to be distributed and the health information reception / analysis side device 2 and terminal device 3 of the distribution destination.

  In the subsequent step S404, a health information container generation process is performed based on the designation received from the information owner in step S403. In this case, the health information container is a container for distributing health information or information to be distributed in the health information passbook at a secret level designated by the information owner. This may be a single file or may be in the form of a collection of multiple files.

  Note that when the health information container or the analysis information container is transmitted to the terminal device 3 that does not have a secure recording medium such as the reception / analysis-side medium 21, the setting of the secret level is set to class 0, or Processing such as omitting the setting of the secret level itself when generating the health information container may be performed.

  In step S405, the health information container is transmitted to the delivery destination, and the health information delivery process ends. In addition to receiving the user authentication in step S401 and various designations in step S403 from the information owner as described herein, the health information distribution process is performed in advance by setting periodic health information distribution. A configuration may be adopted in which the user authentication in step S401 is omitted and is automatically executed periodically.

  Further, along with the distribution of the health information container in step S405, the falsification detection parameter concealment distribution unit 136 may distribute the health information included in the health information container and the falsification detection parameter of the health information passbook. .

<Receiving / analyzing health information>
Next, the reception process by the health information reception / analysis side device 2 of the health information container distributed from the health information distribution side device 1 will be described. In addition, since the same process is performed also when receiving the analysis information container which is the analysis result of a health information container from the other health information reception / analysis side device 2 or the terminal device 3, it demonstrates together. FIG. 8 is a flowchart showing the flow of reception processing of the health information container and the analysis information container by the health information receiving / analysis side device 2.

  After receiving the health information container and the analysis information container in step S501, the confidentiality level is determined in step S502. This is executed by giving information that can determine the level of secrecy without opening the container to the health information container or the analysis information container in advance and reading it.

  In step S503, the health information container and the analysis information container are opened according to the confidentiality level determined in step S502. This is different processing depending on the level of secrecy. For example, if the data is class 0, it is only necessary to expand the container. However, if a secrecy level of class 1 or higher is set, composite processing of encrypted data is performed. Is included. Further, in the case of data of class 2 or higher, additional information acquisition processing such as copy restrictions and expiration dates set for it is included.

  In step S504, the health information and health information passbook obtained by opening the health information container, and the analysis result information obtained by opening the analysis information container are recorded in the health information passbook / health information 2123, and the reception process is completed. To do.

  Note that the reception process as described above is configured to be performed periodically, configured to be performed when there is an instruction from a user who uses the health information reception / analysis side device 2 or the terminal device 3, or health. It may be executed at any timing, such as a configuration that is performed whenever there is distribution of health information from the information distribution side device 1 or distribution of analysis information containers from other health information reception / analysis side devices 2 or terminal devices 3. It may be a simple configuration.

  Further, as described above, when the health information container is configured to transmit the falsification detection parameter from the health information distribution side device 1 from the falsification detection parameter concealment distribution means 136 along with the distribution of the health information container, The information receiving / analyzing device 2 may receive the information and verify whether or not the data has been tampered with after the opening process in step S503.

<Health information analysis / analysis information reanalysis processing>
FIG. 9 shows the analysis process of the health information received from the health information distribution side device 1 in the health information reception / analysis side device 2 and the analysis information received from the other health information reception / analysis side device 2 and the terminal device 3. It is a flowchart which shows the flow of this reanalysis process. First, in step S601, health information and health passbook information are read from the health information passbook / health information 2123.

  In step S602, the health information analysis unit 2342 analyzes the health information and reanalyzes the analysis information. In step S603, the result is temporarily recorded in the analysis result information 2124. Here, using the sensor identifier included in the health passbook information read in step S601, information about the sensor 4 that has obtained health information from the management server device 5 is obtained, and analysis based on the information is performed. This analysis includes, for example, behavioral information such as daytime activity and location information, environmental information such as pollen, air pollution, air pressure, and temperature, and biological information such as stress and blood pressure fluctuations sent in a health information container. By visualizing the interrelationship of the information such as, by analyzing the AI or the like, it is possible to obtain a result that can be used for non-disease countermeasures / treatment / product development using big data.

  Note that the analysis result may be kept temporarily (as long as the confidentiality level set in the health information allows), or only the history information indicating that the analysis has been performed may be kept. It is good also as a simple structure. With such a configuration, verification by the information owner of the health information distribution source can be facilitated.

  After that, in step S604, the analysis result container 2243 transmits the analysis result temporarily recorded in the analysis result information 2124. If the transmission destination here is the analysis result of the health information received from the health information distribution side device 1, the transmission result is sent to the health information distribution side device 1 that is the transmission source, and the analysis result is further received / When analyzing or accumulating in the analysis side device 2 or the terminal device 3, it suffices to set the secret level to these devices and transmit them. Moreover, it is good also as a structure which receives designation | designated of arbitrary transmission destinations from a user.

  Note that when the health information container or the analysis information container is transmitted to the terminal device 3 that does not have a secure recording medium such as the reception / analysis-side medium 21, the setting of the secret level is set to class 0, or Processing such as transmission without the setting of the secret level may be performed.

  Here, it may be configured such that the falsification detection parameter of the analysis result is transmitted by the falsification detection parameter concealment distribution unit 226 in accordance with the transmission of the analysis information container in step S604.

  Here, the process of transmitting the analysis result of the health information to the health information distribution side device 1, the other health information reception / analysis side device 2, and the terminal device 3 has been described. Browsing by a user using the receiving / analyzing device 2 is also possible. Here, in both the transmission to the other device by the analysis information container transmission means 2243 and the browsing by the user using the browsing control means 2341, according to the confidentiality level specified in the original health information container (or analysis information container). Processing is performed. In other words, if the confidentiality level of the original health information container and analysis information container is set to class 2 or higher, and restrictions on data copying and expiration date settings have been given, restrictions on viewing and validity are made accordingly. Expired data is deleted.

<File recording / reading processing by media file system>
Distribution in step S307 in the health information acquisition process, step S404 in the distribution process of health information, step S504 in the reception process of health information and analysis information, steps S601 and S603 in the analysis of health information and the reanalysis process of analysis information, etc. When data is read from or written to the normal area 112 of the side media 11 or the normal area 212 of the transmission / reception unit 22, the media file systems 122, 132, 222, and 232 perform processing for making it difficult to falsify. Is called.

  FIG. 10A is a flowchart showing the flow of data recording processing by the media file systems 122, 132, 222, and 232. When recording data, first, in step S701, a hash value of the data to be recorded is calculated. In other words, this is a data falsification detection parameter used for detection of data falsification.

  In step S702, the data to be recorded is encrypted using the data encryption keys 1113 and 2113. In step S703, the hash values calculated in step S701 are recorded in the secret areas 111 and 211. In step S702, the encrypted data is recorded in the normal areas 112 and 212. Here, the data recording is performed sequentially with overwriting prohibited.

  The reading of the data recorded in the normal areas 112 and 212 in this way is performed according to the flow shown in FIG. First, in step S801, the encrypted data is decrypted. For this, data encryption keys 1113 and 2113 are used.

  In step S802, the hash value of the decrypted data is calculated. In step S803, the calculated hash value and the hash value recorded in the secret areas 111 and 211 are compared. Here, if the hash values do not match, there is a high possibility that the data has been tampered with. Therefore, if it is determined in step S804 that the hash values do not match, the process proceeds to step S805, where data is deleted or recovered.

  The data recovery here refers to, for example, performing backup in advance to the management server device 5 or another server device (not shown) by data recording or periodic processing, and acquiring it. It can be done by the method.

  In addition, when data falsification is detected, it is preferable to perform a falsification detection process on the data existing on another terminal and the analysis result thereof.

  In this way, by reading and writing data that combines encryption and falsification detection using a hash value, the data can be stored safely and unauthorized tampering can be prevented. Further, it is preferable that the data alteration detection process is performed by the process shown in FIG. 10B by a process based on a user instruction or a periodic process.

  In the present embodiment, the program executed on the health information distribution side device 1 and the health information reception / analysis side device 2, the health information, the health information passbook, the analysis information, etc. are distributed on the distribution side media 11, the reception / analysis side media. Although the structure stored in 21 is shown, the present invention is not limited to this. For example, links such as URLs and paths for accessing each information are securely stored in the distribution-side media 11 and the receiving / analysis-side media 21, and by using them, the information as described above can be accessed as a result. If there is, it is not always necessary to store in the delivery side media 11 or the reception / analysis side media 21. With such a configuration, even when the storage capacity of the distribution-side medium 11 is limited, a server device that can communicate via the network NW, the health information distribution-side device 1, the health information reception / analysis-side device A large amount of information can be stored in the storage unit 2.

  As described above, the information owner decides how to handle information according to the setting of the level of confidentiality, and prevents the information owner from falsifying the health information and analysis information itself by preventing falsification of the program that handles health information and analysis information. This information can be grasped, the utilization policy and the distribution destination of the information to be utilized can be determined, and the distributed information can be expired or deleted.

  This makes it difficult for the information owner who generated the information to grasp the whereabouts of the information once it has been absorbed into the cloud and processed once, as in the conventional cloud-based data utilization. Therefore, the protection against information tampering is entrusted to each business operator who uses the information, and the problem that there is a risk of unauthorized tampering can be solved. And without relying on a specific cloud server, by using a configuration based on P2P communication utilizing devices such as smartphones and secure SD cards that are widely used for personally-driven information utilization, It is possible to achieve easy, flexible, and reliable health information acquisition, storage, distribution, and processing without significant investment or infrastructure modification.

(Embodiment 2)
Hereinafter, Embodiment 2 of the present invention will be described in detail with reference to the drawings. In addition, about the fundamentally same component as Embodiment 1 mentioned above, the same code | symbol is attached | subjected and the description is simplified. As described with reference to FIG. 1 in the first embodiment, the system using the information management terminal device according to the present embodiment also includes the health information distribution side device 1, the health information reception / analysis side device 2, the terminal device 3, A sensor 4 and a management server device 5 are provided. However, in this embodiment, the distribution side media 11 and the reception / analysis side media 21 are not the security-enhanced recording media described in the first embodiment but a more general recording media. The management server device 5 is different not only in storing information related to the sensor 4 but also in having each information included in the secret area 111.

<Configuration of health information distribution device>
FIG. 11 shows a functional block diagram of the health information distribution side device 1 according to the present embodiment. As shown here, the health information distribution side device 1 according to the present embodiment includes the same encoder 12, distribution unit 13, and personal / qualification information authentication means 14 as in the first embodiment. The distribution-side medium 11 is different from the first embodiment in that the distribution-side medium 11 includes a normal area 112 and a media identifier 113 and a secret information temporary storage unit 15. That is, this embodiment is not a recording medium having the secret area 111 and the normal area 112 such as the SeeQVault exemplified in the first embodiment, but has the normal area 112 (and the media identifier 113), but has the secret area 111. This shows a configuration when a more general recording medium is used.

  The secret information temporary storage unit 15 is an area for storing information to be included in the secret area 111 received from the management server device 5 as will be described later, and is volatile or non-volatile provided in the health information distribution side device 1. This area is reserved in advance in the process of receiving information to be included in the secret area 111 from the management server device 5 in the memory. Or it is good also as a structure which ensures the area | region used as the confidential information temporary storage part 15 in the normal area | region 112 with which the delivery side medium 11 is provided.

  The media identifier 113 is a unique identifier that is included in each delivery-side media 11 and that cannot be rewritten by the user. For example, an SD card has an area called a CID (card identification) register, which includes a serial number and the like, which cannot be rewritten by the user. It can be used as the media identifier 113.

  Also in the present embodiment, each piece of information included in the normal area 112 is transferred to a server device capable of communicating via the network NW, a storage unit included in the health information distribution side device 1, etc. instead of those entities. It is good also as a structure hold | maintained with the form of a link.

<Configuration of health information reception / analysis device>
FIG. 12 shows a functional block diagram of the health information receiving / analyzing device 2 according to the present embodiment. As shown here, the health information receiving / analyzing device 2 according to the present embodiment includes the transmission / reception unit 22, the decoder 23, and the personal / qualification information authentication means 24 similar to those of the first embodiment. The receiving / analyzing medium 21 is different from the first embodiment in that the receiving / analyzing medium 21 includes a normal area 212 and a media identifier 213 and a secret information temporary storage unit 25. That is, this is not the recording medium having the secret area 211 and the normal area 212 like the SeeQVault exemplified in the first embodiment, but the normal area 212 (and the media identifier 213) as in the health information distribution side device 1 in the present embodiment. ), But a more general recording medium that does not have the secret area 211 is shown.

  Like the confidential information temporary storage unit 15, the confidential information temporary storage unit 25 is stored in advance on the health information reception / analysis side device 2 or the normal area 212 of the reception / analysis side medium 21 or from the management server device 5. This area is ensured in the reception process of the secret area 211 of the first secret area.

  Similarly to the media identifier 113, the media identifier 213 is a value of a recording medium used as the reception / analysis side media 21 such as using a value included in the CID register when an SD card is used as the reception / analysis side media 21. A unique identifier can be used.

  Also in the present embodiment, each piece of information included in the normal area 212 is replaced with those entities, a server device that can communicate via the network NW, a storage unit provided in the health information receiving / analyzing device 2, and the like It is good also as a structure hold | maintained with the form of the link to. With such a configuration, even when the storage capacity of the receiving / analyzing medium 21 is limited, a large amount of information can be accumulated.

<Receiving confidential information, reading programs, detecting tampering>
In the present embodiment, when the health information distribution side device 1 is activated or when reading the encoder program file 1121 and the distribution program file 1122 by a periodic process or a process in accordance with a user instruction, the management server apparatus 5 The secret area 111 is received. FIG. 13 is a flowchart showing a flow of reception processing of the secret area 111 and reading processing of the encoder program file 1121 and the distribution program file 1122. That is, it can be said that this corresponds to the processing described with reference to FIG. 4 in the first embodiment.

  First, in step S901, an authentication process is performed between the health information distribution side device 1 and the management server device 5. This is performed by the media authentication means 121, 221 acquiring the media identifier 113 from the delivery side media 11 and transmitting it to the management server device 5.

  If it is determined in step S902 that the authentication process has been successful, the process proceeds to step S903, and the management server device 5 downloads information to be included in the secret area 111. This is stored in the management server device 5 in a state where the media identifier 113 and the information included in the corresponding secret area 111 are linked in advance, and the secret corresponding to the media identifier 113 received by the management server device 5 in step S901. Information to be included in the area 111 may be performed in a procedure such that the information is transmitted from the management server device 5 to the health information distribution side device 1 in step S903.

  In step S903, the secret area 111 is recorded in the secret information temporary storage unit 15. Here, when the area used as the confidential information temporary storage unit 15 is not secured in advance, the securing process is performed first. Here, as in the case where the secret area 111 is included in the distribution-side medium 11 in the first embodiment, mutual authentication between the device and the media is established between the device authentication unit 1111 and the media authentication units 121 and 131. Is only accessible.

  Thereafter, in step S904, the encoder program file 1121 is read as the encoder program 124 and the distribution program file 1122 is read as the decoder program 234 in the same manner as the processing performed in step S103 of FIG. 4 in the first embodiment.

  As described above, the preparation of the secret area 111, the encoder program 124, and the distribution program 134 on the health information distribution side device 1 is completed. The same process is performed by the health information reception / analysis side device 2 when reading the secret area 211, the transmission / reception program file 2121 and the decoder program file 2122 on the health information reception / analysis side device 2.

  As described above, the authentication process using the media identifiers 113 and 213 is performed, and the information included in the secret area 111 and the secret area 211 is downloaded from the management server device 5, thereby providing a special area having the secret area and the normal area. Without using a recording medium, the health information distribution side device 1 and the health information reception / analysis side device 2 according to the present invention can be realized using a normal SD card or the like.

  In the present embodiment, the configuration in which the media identifier 113 and the media identifier 213 are transmitted to the management server device 5 to perform the authentication process between the device and the server in step S901 has been described. The device-specific identifiers of the distribution-side device 1 and the health information receiving / analysis-side device 2 (for example, the MAC address of the communication unit of the device and the serial number of the device) are transmitted together. The correspondence relationship with the recording medium may be stored in advance and checked in the authentication process. With such a configuration, the health information distribution side device 1 and the health information reception / analysis side device 2 according to the present embodiment can be realized only by using a pre-registered device and a recording medium. Unauthorized acts such as tampering can be made more difficult.

  After the processing for downloading and recording the secret areas 111 and 211 to the health information distribution side device 1 and the health information reception / analysis side device 2 and the processing for reading each program to the device are completed by the processing as described above, the embodiment As described in FIG. 1, the falsification detection processing of the program by the processing as shown in FIG. 5, the health information acquisition processing from the sensor 4 by the health information distribution side device 1 as shown in FIG. Health information delivery processing to the health information reception / analysis side device 2 and terminal device 3 by the health information delivery side device 1 as shown, health information reception by the health information reception / analysis side device 2 as shown in FIG. Analysis processing is performed.

  Further, the writing and reading processing of the health information and the health information passbook in the health information distribution side device 1 and the health information receiving / analysis side device 2 are performed in the same manner as the processing in the first embodiment as shown in FIG. . However, here, updating of the information in the secret areas 111 and 211 such as updating of the media file system control information 1112 and 2112 accompanying writing of data and writing of the hash value for detecting falsification into the secret areas 111 and 211 is performed. After being performed, uploading to the management server device 5 is performed sequentially or periodically, and is included in the secret areas 111 and 211 stored on the management server device 5 in association with the media identifiers 113 and 213. Information is updated.

  In the present specification, a configuration in which the health information distribution side device 1 and the health information reception / analysis side device 2 are realized using a secure recording medium in the first embodiment, and a more general recording medium in the second embodiment. Although the structure which implement | achieves the health information delivery side device 1 and the health information reception / analysis side device 2 was shown using FIG., The health information delivery side device 1 shown in Embodiment 1 and the health information reception / reception shown in Embodiment 2 were shown. Analysis side device 2, health information distribution side device 1 shown in embodiment 2, health information reception / analysis side device 2 shown in embodiment 1, health information reception / analysis side device 2 shown in embodiment 1, and embodiment Health information receiving / analyzing side device 2 shown in FIG. 2, health information distributing side device 1, health information receiving / analyzing side device as shown in each embodiment Between it may be mutually can exchange health information and analysis information structure.

(Embodiment 3)
Hereinafter, Embodiment 3 of the present invention will be described in detail with reference to the drawings. In addition, about the fundamentally same component as Embodiment 1 mentioned above, the same code | symbol is attached | subjected and the description is simplified. As described with reference to FIG. 1 in the first embodiment, the system using the information management terminal device according to the present embodiment also includes the health information distribution side device 1, the health information reception / analysis side device 2, the terminal device 3, A sensor 4 and a management server device 5 are provided. Then, as described in the first embodiment, the health information distribution side device 1 as shown in FIG. 6 acquires the health information from the sensor 4, and the health information distribution side device 1 as shown in FIG. Distribution processing of health information to the information reception / analysis side device 2 and the terminal device 3 and analysis processing of health information by the health information reception / analysis side device 2 as shown in FIG. 8 are performed.

  However, in the system using the information management terminal device according to the present embodiment, the processing related to data recording and reading and the processing related to program falsification detection are different from those shown in the first embodiment.

<Configuration of health information distribution device>
FIG. 14 shows a functional block diagram of the health information distribution side device 1 according to the present embodiment. As shown here, similarly to the first embodiment, the health information distribution side device 1 according to the present embodiment is a recording medium having a secret area 111 and a normal area 112 such as a SeeQVault, an encoder 11 and an encoder. 12, a distribution unit 13, and personal / qualification information authentication means 14.

  In the first embodiment, data to be inspected and a hash value of a program are stored in the secret area 111 as a falsification detection parameter. In contrast, in this embodiment, the secret area 111 has a signature key 1115 as a falsification detection parameter, and the normal area 112 has a health information passbook 1123 and an electronic signature 1125 of the health information 1124.

  In the present embodiment, data to be detected for falsification and the hash value of the program itself are stored in the normal area 112. Then, these hash values are encrypted, and a signature key 1115 for generating an electronic signature is held in the secret area 111 as a falsification detection parameter. In this embodiment, in order to use the public key encryption technology, a pair of a private key and a public key is held as a signature key 1115, and the public key is used as a signature key. Alternatively, only the secret key may be held as the signature key 1115, and the public key paired therewith may be obtained from an external server (not shown) as necessary.

  The data encryption may use a common key encryption method and a common key may be held as the data encryption key 1113. The data encryption may also use a public key encryption method to perform data encryption. The key 1113 may be configured to hold a private key / public key pair. Alternatively, only the private key may be held as the data encryption key 1113, and the public key paired with the data encryption key 1113 may be obtained from an external server (not shown) as necessary.

  Also in the present embodiment, each piece of information included in the normal area 112 is transferred to a server device capable of communicating via the network NW, a storage unit included in the health information distribution side device 1, etc. instead of those entities. It is good also as a structure hold | maintained with the form of a link.

<Configuration of health information reception / analysis device>
FIG. 15 shows a functional block diagram of the health information receiving / analyzing device 2 according to the present embodiment. As shown here, the health information receiving / analyzing side device 2 according to the present embodiment is similar to the first embodiment in that the distribution side medium 11 is a recording medium having a secret area 111 and a normal area 112 such as SeeQVault. , A transmission / reception unit 22, a decoder 23, and personal / qualification information authentication means 24.

  Then, as with the health information distribution side device 1 according to the present embodiment described above with reference to FIG. 14, the signature key 2115 is used as a falsification detection parameter in the secret area 211, and the health information passbook / health is stored in the normal area 112. Each has an electronic signature 2125 of information 2123 and analysis result information 2124.

  Note that the signature key 2115 here also holds a pair of a private key and a public key as the signature key 2115 as in the signature key 1115 in the health information distribution side device 1 described above, and the public key Is used as a signature key. Alternatively, only the private key may be held as the signature key 2115, and the public key paired therewith may be obtained from an external server (not shown) as necessary.

  The data encryption key 2113 here also uses a common key encryption method for data encryption, similar to the data encryption key 1113 in the health information distribution side device 1 described above, and a common key is used as the data encryption key 2113. It may be configured to hold, or a public key cryptosystem is used for data encryption, and a private key / public key pair used for data encryption or only a private key is held as a data encryption key 2113 It is good also as a structure which does.

  Also in the present embodiment, each piece of information included in the normal area 212 is replaced with those entities, a server device that can communicate via the network NW, a storage unit provided in the health information receiving / analyzing device 2, and the like It is good also as a structure hold | maintained with the form of the link to. With such a configuration, even when the storage capacity of the receiving / analyzing medium 21 is limited, a large amount of information can be accumulated.

<File recording / reading processing by media file system>
In the health information distribution side device 1 and the health information reception / analysis side device 2 according to the present embodiment, data is read and written using the signature keys 1115 and 2115 as falsification detection parameters. FIG. 16A is a flowchart showing a data recording process in the present embodiment.

  First, in step S1001, the data is encrypted with the data encryption key 1113. The encrypted data obtained thereby is recorded in the normal area 112 or 212 in step S1002.

  In subsequent step S1003, the hash value of the encrypted data is calculated. Here, processing using an arbitrary predetermined hash function may be performed. The hash value of the data calculated in step S1003 is encrypted with the public key of the signature key 1115 or signature key 2115 in step S1004. In other words, this is processing for giving an electronic signature using the signature keys 1115 and 2115 to the encrypted data.

  Finally, in step S1005, the electronic signature is recorded in the normal area 112 or 212, and the data recording process ends.

  In this way, the secret areas 111 and 211 are configured to hold the signature key for generating the electronic signature by encrypting the hash value, not the hash value itself, in the secret areas 111 and 211 as the falsification detection parameters. However, even when the amount of data that can be recorded is limited to a small capacity, it is possible to store data in a form that allows tampering detection processing to be performed later.

  Next, with reference to FIG. 16B, a data read process according to the present embodiment will be described. First, in step S1101, a hash value of encrypted data to be read is calculated.

  In subsequent step S1102, the electronic signature attached to the encrypted data is decrypted. Here, as described above, in the present embodiment, the public key encryption technique is used, and the public key of the private key / public key pair is used as the signature key. Therefore, the decryption of the electronic signature here uses a secret key paired with the public key used to create the electronic signature in step S1004 in the data recording process.

  In step S1103, the hash value calculated from the encrypted data in step S1101 is compared with the hash value obtained by decrypting the electronic signature in step S1102. If it is determined that the hash values are the same, it is determined that the data has not been tampered with, and the process proceeds from step S1104 to step S1105 to decrypt the data.

  Here, if a common key method is used for data encryption, decryption may be performed using the same key as that used when data is encrypted. Alternatively, if a public key method is used for data encryption, decryption may be performed using a secret key (or public key) that is a pair of public keys (or secret keys) used for data encryption.

  On the other hand, if it is determined that the hash values do not match as a result of the hash value comparison in step S1103, there is a risk of data falsification. For this reason, the process advances from step S1104 to step S1106 to perform processing such as data deletion and recovery. The data recovery here may be performed by an arbitrary method, for example, by backing up data in a predetermined server in advance and acquiring it. Alternatively, a process may be performed in which data recovery is attempted first, and if it fails, only data deletion is performed.

  By recording and reading data as described above, the signature key 1115 and 2115 can be used as a falsification detection parameter, and the data can be handled in a state where falsification can be detected.

<Program falsification detection processing>
Next, with reference to a flowchart shown in FIG. 17, a program falsification detection process in this embodiment will be described. This shows the flow of falsification detection processing of the encoder program file 1121 and the distribution program file 1122 in the health information distribution side device 1 and the transmission / reception program file 2121 and the decoder program file 2122 in the health information reception / analysis side device 2.

  First, in step S1201, a hash value of a program to be inspected is calculated. In step S1202, an electronic signature of a program to be inspected is acquired. Here, the electronic signature may be recorded in the normal areas 112 and 212 together with the program in advance, or may be appropriately received from an external server or the like when performing the falsification detection processing of the program. Also good. The electronic signature obtained here is a hash value calculated from a legitimate program encrypted with the public key of the signature key 1115 or the signature key 1115.

  In step S1203, the electronic signature is decrypted. For the decryption here, the secret key of the signature key 1115 or the signature key 1115 is used. Thereby, the hash value of the program to be inspected is obtained.

  In step S1204, the hash value calculated from the program to be inspected in step S1201 is compared with the hash value obtained by decrypting the digital signature in step S1203. If it is determined that the hash values are the same, it is determined that the program has not been tampered with, and the process ends from step S1205.

  On the other hand, if it is determined that the hash values do not match as a result of the hash value comparison in step S1204, the program may be falsified. For this reason, the process advances from step S1205 to step S1206, and re-read processing of the program to be inspected is performed. Note that the program re-reading process in step S1206 may be performed by a process similar to the process described with reference to FIG. 4 in the first embodiment.

<Data exchange between devices>
The data encryption keys 1113 and 2113 and the signature keys 1115 and 2115 in the information management terminal device according to this embodiment are preferably configured to be different for each device. In such a configuration, it is possible to exchange data more securely between devices by exchanging data encryption keys and signature keys using the falsification detection parameter concealment distribution means 136 and 226. .

  Here, a procedure for exchanging data between devices using a public key cryptosystem for data encryption will be described. As an example, FIG. 18 shows a flow of processing when data is transmitted from the health information distribution side device 1 to the health information reception / analysis side device 2a. Here, an example in which a public key cryptosystem is adopted for data encryption is shown.

  First, in step S1301, a signature public key and a data encryption key 2113 included in a signature key 2115 held by the health information reception / analysis side device 2a are transferred from the health information reception / analysis side device 2a to the health information distribution side device 1. The public key for data encryption included in is transmitted to the health information distribution side device 1. This may be started as a process of requesting data transmission from the health information receiving / analyzing side device 2a to the health information distributing side device 1, or the health information receiving / analyzing side from the health information distributing side device 1 The device 2a may be requested to accept data, and may be started as a response thereto.

  In subsequent step S1302, the health information distribution side device 1 performs data encryption processing using the data encryption public key received in step S1301. In step S1303, a transmission signature is created for the encrypted data using the signature public key received in step S1301. That is, as described above with reference to steps S1003 to S1004 in FIG. 16A, this is a process of generating a hash value of encrypted data and encrypting it with the signature public key.

  In step S1304, the data encrypted in step S1302 and the electronic signature created in step S1303 are transmitted from the health information distribution side device 1 to the health information reception / analysis side device 2a.

  The health information receiving / analyzing side device 2a that has received the encrypted data and the electronic signature for the encrypted data decrypts them. First, in step S1305, the electronic signature is verified. That is, as described above with reference to steps S1101 to S1103 of FIG. 16B, the calculation of the hash value of the encrypted data and the electronic signature using the electronic signature private key held by itself Is a process of comparing the hash values obtained by these processes. If it is determined by verification of the electronic signature that the data has not been tampered with, in step S1306, the data is decrypted using the data encryption private key held by itself.

  In this way, the public key used for signature and data encryption is transmitted from the device that receives the data to the device that transmits the data, and the generation of the encrypted data using the data and the digital signature By adopting a configuration for performing the creation process, data verification and decryption can be performed only by the data receiving device that holds the secret key paired with each of the public keys.

  If the common key encryption method is used for data encryption, the data encryption key 2113 held by the health information receiving / analyzing device 2a is transmitted to the health information distributing device 1 in step S1301, A process using the data encryption key 2113 may be used for the encryption in step S1302 and the decryption in step S1306.

  Here, an example of processing for transmitting data from the health information distribution side device 1 to the health information reception / analysis side device 2a has been shown. When the result is transmitted to the health information distribution side device 1, the same process may be performed by switching between the data transmission side and the reception side.

  As described above, according to the system using the information management terminal device according to the present embodiment, the signature key 1115, 2115 is held as a falsification detection parameter in the secret area, and an electronic signature created using the signature key is used. By adopting a configuration for performing falsification detection processing of data and programs, recording media whose capacity of the secret area is limited can be used as the distribution side media 11 and the reception / analysis side media.

  Also, different signature keys and data encryption keys are prepared for each device, and data is sent and received by sending a public key from the receiving device to the sending device in advance. Thus, data can be transmitted and received more safely in a state where verification and decryption are possible only with the receiving device.

DESCRIPTION OF SYMBOLS 1 Health information distribution side device 11 Distribution side medium 111 Secret area 1111 Device authentication means 1112 Media file system control information 1113 Data encryption key 1114 Tamper detection parameter 1115 Signature key 112 Normal area 1121 Encoder program file 1122 Distribution program file 1123 Health information passbook 1124 health information 1125 electronic signature 113 media identifier 12 encoder 121 media authentication means 122 media file system 123 falsification detection means 124 encoder program 1241 sensor authentication means 1242 health information acquisition means 1243 health information storage means 13 distribution unit 131 media authentication means 132 media file System 133 Tamper detection means 134 Distribution program 1341 Health information container generation means 1 42 health information container delivery means 135 information delivery destination / secret level designation input acceptance means 136 falsification detection parameter concealment delivery means 14 personal / qualification information authentication means 15 secret information temporary storage unit 2 health information reception / analysis side device 21 reception / analysis Side media 211 Secret area 2111 Device authentication means 2112 Media file system control information 2113 Data encryption key 2114 Tampering detection parameter 2115 Signature key 212 Normal area 2121 Transmission / reception program file 2122 Decoder program file 2123 Health information passbook / health information 2124 Analysis result information 2125 Electronic signature 213 Media identifier 22 Transmission / reception unit 221 Media authentication means 222 Media file system 223 Falsification detection means 224 Transmission / reception program 2241 Health / analysis information container Communication means 2242 Health / analysis information container opening means 2243 Analysis information container transmission means 225 Concealment level determination means 226 Falsification detection parameter concealment distribution means 23 Decoder 231 Media authentication means 232 Media file system 233 Falsification detection means 234 Decoder program 2341 Browsing control means 2342 health information analysis means 24 personal / qualification information authentication means 25 secret information temporary storage unit 3 terminal device 4 sensor 5 management server device NW network

Claims (15)

Information acquisition means for acquiring first information to be managed, information storage means for storing the first information and second information that is additional information to the first information, and storage media An information management terminal device comprising:
The storage medium has a secret area accessible only by a specific program including a program for operating the information management terminal device as the information storage means, and a normal area accessible by programs other than the specific program,
The information acquisition means assigns a date / time record as the second information,
The information storage means sequentially stores the first information or the link capable of referring to the first information and the link capable of referring to the second information or the second information in the normal area. And
The information management terminal device, wherein the secret area holds a data falsification detection parameter for detecting falsification of the first information and / or the second information.   The data alteration detection parameter uses the first information and / or the second information to generate information for detecting whether the first information and / or the second information is falsified. The information management terminal device according to claim 1, wherein the information management terminal device is a key. The secret area includes a program tampering detection parameter for performing tampering detection of the specific program,
The information management terminal device according to claim 1, further comprising a program falsification detection unit that performs falsification detection processing of the specific program using the program falsification detection parameter. The program alteration detection means periodically performs alteration detection processing of the specific program,
When the falsification of the specific program is detected, the first information and the second information accumulated from the time when the falsification detection process of the specific program was executed to the time when the falsification of the program was detected. The information management terminal device according to claim 3, wherein deletion or recovery is performed. Data falsification detection means for performing falsification detection processing of the first information and / or the second information using the data falsification detection parameter,
When the previous alteration detection processing of the first information and / or the second information is executed when the data alteration detection means detects the alteration of the first information and / or the second information. The deletion or recovery of the first information and the second information accumulated up to a point in time when the falsification of the first information and / or the second information is detected is performed. The information management terminal device according to any one of claims 1 to 4. A distribution unit that selects and outputs distribution target information from the first information and the second information stored in the information storage unit;
The distribution unit includes: a secret level setting unit that sets a secret level of the selected distribution target information; and a unit that outputs the secret level as additional information to the distribution target information. The information management terminal device according to any one of claims 1 to 5. The concealment level is
Class 0 for transmitting the distribution target information without encryption;
Class 1 to be transmitted in a state where the distribution target information is encrypted,
A class 2 that encrypts the distribution target information, prohibits copying at an output destination, sets an expiration date of the distribution target information, and transmits the class 2;
Class 3 that encrypts the distribution target information, prohibits copying at an output destination, restricts handling of processing result information caused by arbitrary processing on the distribution target information, and sets an expiration date of the distribution target information The information management terminal device according to claim 6, comprising:   The second information includes at least one of an output history by the distribution means, information for specifying an output destination by the distribution means, a confidentiality level, and a processing result at the output destination by the distribution means. The information management terminal device according to claim 6, wherein the information management terminal device is characterized.   The information management terminal device according to any one of claims 1 to 8, wherein the first information is information on the health of people and / or things. Receiving means for receiving first information distributed from another terminal device and second information that is additional information to the first information; and analyzing the first information and the second information. An information management terminal device comprising: an analysis unit for performing; an output unit for transmitting and / or displaying an analysis result of the analysis unit to the other terminal device; and a storage medium,
The storage medium includes a secret area accessible only by a specific program including a program for operating the information management terminal device as the receiving unit, the analyzing unit, and the output unit, and a program other than the specific program And an accessible normal area,
The receiving means has a secret level determining means for determining a secret level given to the first information and the second information,
The analysis means and the output means handle the first information, the second information, and the analysis result according to the confidentiality level,
The concealment area includes a program falsification detection parameter for detecting falsification of the specific program,
An information management terminal device comprising: a program falsification detection unit that detects falsification of the specific program using the program falsification detection parameter. The analysis means accumulates in the normal area a link that can refer to the analysis history information or the analysis history information,
The information management terminal device according to claim 10, wherein the secret area holds a data alteration detection parameter for detecting alteration of the history information.   When the analysis means detects the falsification of the history information of the analysis, the accumulated information from the time when the falsification detection processing of the history information of the analysis was executed until the time when the falsification of the history information of the analysis was detected 12. The information management terminal device according to claim 11, wherein the history information of analysis is deleted or recovered. The concealment level is
Class 0 that handles the first information and the second information without encryption;
Class 1 handled in a state where the first information and the second information are encrypted,
A class 2 that encrypts the first information and the second information, prohibits copying at an output destination, and sets and handles an expiration date of the first information and the second information; and
Encrypt the first information and the second information, set the prohibition of copying at the output destination, the restriction of the handling of the analysis result, the expiration date of the first information and the second information The information management terminal device according to claim 10, wherein the information management terminal device includes a class 3 to be handled. The receiving means receives the analysis result from another terminal device,
The information management terminal device according to claim 10, wherein the analysis unit re-analyzes the analysis result. The information management terminal device according to any one of claims 10 to 14, wherein the first information is information on the health of a person and / or an object.