JP5443236B2 - Distributed database system - Google Patents

Description

  The present invention relates to a processing technology for a distributed database (hereinafter referred to as “DB”) that manages data in a distributed manner, and more particularly to a distributed DB processing device, processing method, and processing program with improved security. .

  2. Description of the Related Art Conventionally, there is a distributed DB system that performs data management by dividing data to be handled according to a predetermined standard and distributing and storing the data at a plurality of locations. Such a distributed DB system is often used when the amount of data to be managed is enormous.

  For example, since the amount of data for one company is large, the processing load may be excessive for processing with a single server. In such a case, it is divided into data normally required by the branch offices and branch offices of the company, and distributed to servers managed by the branch offices and branch offices. Thereby, the processing burden of each server can be reduced. Also, by performing distributed management in this way, each server does not need to access other servers during normal times, leading to a reduction in communication load and cost.

  By the way, the necessity of preventing information leakage from a DB managing personal information is increasing due to the recent demand for personal information protection. To deal with this, the above distributed DB mechanism can be used. For example, Patent Document 1 proposes a recording method in which personal information is stored by being divided into basic data items and attribute data items and associated with a specific code.

JP-A-11-272681

  However, leakage of personal information is not only caused by intrusion from the outside of the system, for example. Sometimes people inside the system steal information from the corporate network. Even in such a case, when the personal information is distributed and managed, even if only a part of the information leaks, such as only the address and only the age, there is not much problem if the individual cannot be specified.

  However, in the invention of Patent Document 1, when a person who has the authority to use the system tries to search and combine specific personal information distributed and managed, the personal information of the same person is on the path of the internal network. It will flow almost simultaneously (in short time). For this reason, leakage of personal information is limited.

  Therefore, an object of the present invention is to enhance the prevention of leakage of personal information.

In order to solve the above problems, the distributed database system of the present invention is
A dividing unit (for example, the dividing unit 341 in FIG. 1) that divides a plurality of pieces of information (for example, personal information) composed of data of a plurality of attributes (for example, data such as name, address, and age) for each attribute; ,
A first assigning unit (for example, the first assigning unit 342 in FIG. 1) that assigns a unique first key to each data divided by the dividing unit based on a first algorithm;
A first storage unit (for example, the first storage unit 110 in FIG. 1) in which each first key assigned by the first assigning means and data corresponding to each of the first keys is stored in a random position;
A second assigning unit (for example, the second assigning unit 344 in FIG. 1) that assigns a unique second key to the plurality of pieces of information based on a second algorithm;
An encryption means for encrypting the plurality of pieces of information (for example, the encryption unit 332 in FIG. 1);
A second storage unit (for example, the second storage unit 120 in FIG. 1) that stores a pair of the second key allocated by the second allocation unit and the data encrypted by the encryption unit;
A third storage unit (for example, the rule storage unit 320 in FIG. 1) in which the first and second keys, the first and second algorithms, and association information between the data constituting the information are stored;
Is provided.

  According to the present invention, the “plurality of information” is not restored unless all the stored contents of the first to third storage units are leaked, and typically, from any attribute of the data It becomes possible to search data of other attributes related to the data.

  Even if the data stored in the first storage unit, that is, the data that constitutes the information before encryption is leaked, it is only the name, the address, or the age. Therefore, personal information itself is not specified.

  Moreover, even if the data stored in the second storage unit is leaked, it is difficult to decrypt because it is encrypted data. Even if it is decrypted, what is obtained as a result is Because it is just the name, the address, and the age, the personal information itself is not specified.

  Furthermore, even if the storage content of the third storage unit is leaked, it is merely association information or an algorithm, so that the personal information itself is not specified.

  The important point here is that the data before encryption is stored in the first storage unit. Thus, typically, the address data and age data of the person can be immediately searched from specific name data. The reason is that if the third storage unit is referred to based on specific name data, the first key assigned to the name data can be specified, and the address data / age data corresponding to the first key can be specified. This is because it can be identified.

  In addition, the DB processing apparatus of the present invention includes a first storage unit that distributes and stores the divided data, a second storage unit that encrypts and stores the data stored in the first storage unit, and A request determination unit that determines whether a search request input via an input unit or a communication network needs to combine divided data, and the request determination unit does not need to combine divided data When the determination is made, when the first search unit that searches for data from the first storage unit and the request determination unit determine that it is necessary to combine the divided data, the second storage unit And a second search unit for searching for data.

  Note that a distributed DB processing method corresponding to the operation of the DB processing apparatus and a processing program for causing a computer to execute the processing method are also included in the present invention.

Another aspect is characterized by having a combined information storage unit that stores combined information (linking information) for combining the divided data.
In the above aspect, by managing the combination information separately from the data, even if a plurality of data that can be combined leaks, it cannot be combined.

  According to another aspect, the search information storage unit stores search information for searching for data stored in the second storage unit corresponding to the data stored in the first storage unit. It is characterized by having.

  In the above aspect, by storing the search information separately from the data, the data stored in the second storage unit cannot be searched from the data stored in the first storage unit, The data stored in the second storage unit cannot be combined.

  As described above, according to the present invention, it is possible to prevent the leakage of information in such a form that the divided data can be combined, and to facilitate the search of the data while being divided, A type DB processing method and a processing program can be provided.

  In addition, when data stored in the distributed database system is read, it is preferable to read encrypted data. In this way, raw data that is not encrypted in the distributed database system can be prevented from being stolen, and even if the data read log is analyzed by a hacker or the like, what is identified from the analysis result is The encrypted data is not specified as raw data.

It is a functional block diagram which shows one Embodiment of the distributed database processing apparatus of this invention. It is a flowchart which shows the flow of the data registration process in embodiment of FIG. It is a flowchart which shows an example of the data search process in embodiment of FIG. It is explanatory drawing which shows an example of the data distributedly memorize | stored in the 1st memory | storage part in embodiment of FIG. It is explanatory drawing which shows an example which searches the data memorize | stored in the 2nd memory | storage part from the data memorize | stored in the 1st memory | storage part in embodiment of FIG. It is explanatory drawing which shows an example which searches personal information from the data memorize | stored in the 2nd memory | storage part in embodiment of FIG.

1 ... Distributed DB processing apparatus 100 ... Database (DB)
110 ... first storage unit 120 ... second storage unit 200 ... related information storage unit 210 ... search information storage unit 220 ... combined information storage unit 300 ... database management system (DBMS)
301 ... Authentication unit 302 ... Authentication information storage unit 303 ... Determination unit 310 ... Associated information generation unit 311 ... Search information generation unit 312 ... Combined information generation unit 320 ... Rule storage unit 321 ... Split rule storage unit 322 ... Search rule storage unit 322 ... Combining rule storage unit 330 ... Encryption processing unit 331 ... Encryption unit 332 ... Decryption unit 340 ... Registration processing unit 341 ... Dividing unit 342 ... First assigning unit 343 ... Duplicating unit 344 ... Second assigning unit 345 ... Storage unit 350 ... search processing unit 351 ... request determination unit 352 ... first search unit 353 ... search unit 354 ... second search unit 355 ... combination unit 400 ... input unit 500 ... output unit

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

[1. Configuration of Embodiment]
[1-1. overall structure]

  FIG. 1 is a functional block diagram in which each function of the present embodiment is virtually blocked. Note that, for example, the functions described below can be realized by a computer or an electronic circuit that operates according to a predetermined program. A method for realizing such a function, a program therefor, and a recording medium on which the program is recorded are also one embodiment of the present invention.

  As shown in FIG. 1, a distributed database processing apparatus 1 of this embodiment includes a database (hereinafter referred to as “DB”) 100, an associated information storage unit 200, a database management system (hereinafter referred to as “DBMS”), which will be described below. 3), 300, the input unit 400, and the output unit 500.

[1-2. DB]

  The DB 100 is a component that stores data handled by the present embodiment. Data handled in the DB 100 is data divided according to a predetermined standard (division rule). The DB 100 stores the divided data in a distributed manner as described below.

  For example, a case where personal information is used as data will be described. This personal information includes text data of name, address, and age. In this case, the personal information of a plurality of persons is divided into name, address, and age, and these are distributed and stored in the storage units A, B, and C constituting the first storage unit 110. Note that the data stored in the first storage unit 110 is unencrypted data. The data to be stored is not limited to text data.

  FIG. 4 is a diagram illustrating an example of data storage in the first storage unit 110 illustrated in FIG. 1. FIG. 4A shows a state in which a plurality of names and unique first identification information (key1) assigned to them are stored in the storage unit A as a pair. For example, for the name “Taro Suzuki”, Key1 is “010”. The first identification information is assigned based on a predetermined algorithm.

  That is, the distributed database system of the present embodiment first divides a plurality of pieces of personal information composed of data data of a plurality of attributes such as name, address, and age for each attribute, and for each of those data A unique key 1 (first key) is assigned based on a predetermined algorithm.

  The same key 1 as the key 1 “010” assigned to the name “Taro Suzuki” may be assigned to the address and age Key 1 associated with the name “Taro Suzuki”. In other words, key1 “010” may be assigned to the name “Taro Suzuki”, the address of “Taro Suzuki”, and the age of “Taro Suzuki”.

  Alternatively, a key 1 different from the key 1 “010” assigned to the name “Taro Suzuki” may be assigned to the address and age Key 1 associated with the name “Taro Suzuki”. However, in this case, it is necessary to store the correspondence between the keys1. The storage destination in this case may be the association information storage unit 200 that is external to the DBMS 300 or the DB 100.

  Similarly, as shown in FIGS. 4B and 4C, the address and key1 corresponding to the address are stored in the storage unit B, and the age and key1 corresponding to these are stored in the storage unit C, respectively. Is memorized. In the present embodiment, each piece of data is stored at a random position in the first storage unit 110. In FIG. 4, the name “Taro Suzuki” is stored in the first row of the storage unit A, but the address and age of “Taro Suzuki” are stored in any row of the storage units B and C. It will be.

  FIG. 5 is a diagram showing a relationship between each data stored in the storage unit A shown in FIG. 1 and each data stored in the storage unit A ′. FIG. 5A shows the same thing as FIG. FIG. 5B shows search information that links the storage positions of the data shown in FIG. 5A and the data shown in FIG. Here, Key1 related to the storage unit A is stored in the “1” column of the search information, and Key1 related to the storage unit A ′ is stored in the “2” column of the search information.

  FIG. 5C shows the Key1 associated with the storage unit A ′ in a state where the data shown in FIG. 5A is encrypted and the storage position is determined according to the search information shown in FIG. A state stored in the storage unit A ′ together with Key2 assigned by a predetermined algorithm is shown.

  In the present embodiment, the position of each data shown in FIG. 5A is different from the position of each data shown in FIG. For example, the data “Taro Suzuki” is shown in the first line in FIG. 5A, whereas it is shown in the second line in FIG. 5C. However, this is an example, and the position of each data shown in FIG. 5A may be the same as the position of each data shown in FIG.

  That is, for the first storage unit 110, it was indispensable to randomly store a set of data such as name, address, and age constituting one person's personal information, but the second storage unit 120 In contrast, the entire data in the first storage unit 110 may be encrypted, and the position of each data may be changed and stored, or may be stored without being changed. More specifically, since the data stored in the second storage unit 120 is encrypted, it is not essential to encrypt the data stored in the first storage unit 110. The entire personal information before conversion may be encrypted in one unit, or may be encrypted in one set of data units of name, address, and age constituting one person's personal information, or one name and address may be encrypted. You may encrypt by a unit. At this time, for example, the data may be encrypted as a set in a storage unit by a set of data units. In this way, there is an advantage that early reading of data can be realized.

  Next, an encryption method will be described. For example, when the name “Taro Suzuki” is encrypted, Key1 assigned to the name “Taro Suzuki” is read. Since this Key1 is “010”, based on this, the first column of the search information shown in FIG. The key read from the search information is “015”, which is the key 1 related to the storage unit A ′.

  Further, a unique key 2 is assigned to the key “015” by a predetermined algorithm. Here, Key2 is “009”. Furthermore, the text data itself “Taro Suzuki”, which is the object of encryption, is encrypted. Then, Key1 “015” related to the storage unit A ′, the corresponding Key2 “009”, and the encrypted name “Taro Suzuki” are stored in the storage unit A ′ as a set.

  Similarly, the data stored in the storage unit B and the storage unit C are encrypted according to predetermined search information and then stored in the storage unit B ′ and the storage unit C ′.

  The assignment of key1 and key2 is performed by a predetermined algorithm as described above. In the present embodiment, the algorithm and search information are placed in the associated information storage unit 200 that is external to the DBMS 300 or the DB 100.

  FIG. 6 is a relationship diagram of data stored in the storage unit A ′, the storage unit B ′, and the storage unit C ′. FIG. 6A shows an example of storing data in the storage unit A ′. FIG. 6B shows an example of storing data in the storage unit B ′. FIG. 6C shows an example of storing data in the storage unit C ′. FIG. 6D shows an example of search information that links the storage units A ′, B ′, and Key2 of the storage unit C ′ to each other.

  As shown in FIG. 6D, Key2 related to the storage unit A ′ is stored in the first column of the search information, and Key2 related to the storage unit B ′ is stored in the second column of the search information. In the third column, Key2 related to the storage unit C ′ is stored. Here, each key 2 stored in the same column is assigned to each personal information of the same person.

  For example, as shown by the arrow in FIG. 6, when the fourth row of search information is viewed, “009” is stored in the first column, “012” is stored in the second column, and “005” is stored in the first column. ing. As shown in FIG. 6A, the key 2 “009” in the first column is assigned to the name “Taro Suzuki”. Key2 “012” in the second column is assigned to “Address” of “Taro Suzuki”. Key2 “005” in the third column is assigned to “Age” of “Taro Suzuki”.

  Therefore, when searching for personal information of “Taro Suzuki”, first, referring to the storage unit A shown in FIG. 5A, the key 1 of the storage unit A related to “Taro Suzuki” is “010”. Identify that. Next, based on the Key1 “010” of the storage unit A, the search information shown in FIG. 5B is referred to, and the key1 of the storage unit A ′ corresponding to the Key1 “010” of the storage unit A is “015”. ”.

  Next, based on the key 1 “015” of the storage unit A ′, the storage unit A ′ shown in FIG. 6A is referred to, and the corresponding key 2 “009” is specified. Thereafter, based on the key2 “009” related to the storage unit A ′, the search information shown in FIG. 6D is referred to, and the Key2 related to the corresponding storage unit B ′ and storage unit C ′ is read out. As a result, the “address” and “age” of “Taro Suzuki” can be read by referring to the storage unit B ′ and the storage unit C ′ based on these keys 2.

  Here, an example is shown in which “address” and “age” of “Taro Suzuki” are read based on “010” in the key 1 of the storage unit A related to “Taro Suzuki”. Other personal information can also be read based on “address” or “age” of “”.

  5 and 6 show an example in which two keys are used, the number of keys is merely an example. In addition, the identification information, the search information, and the search rule are not limited to the above example as long as the data can be associated with the data in the first storage unit 110 and the data in the second storage unit 120. Any thing is acceptable. What is important here is that in this embodiment, as described above, the key and the algorithm are placed in the associated information storage unit 200 outside the DBMS 300 or the DB 100.

  Further, as to how the dispersed data in the second storage unit 120 are combined, the second identification information given to each data in the second storage unit 120 and the second identification information. Based on the combination information and the combination rule for combining the corresponding information.

[1-3. Associated information storage unit]

  The association information storage unit 200 includes a search information storage unit 210 and a combined information storage unit 220. As described above, the search information storage unit 210 is a configuration unit that stores search information for associating data in the first storage unit 110 and data in the second storage unit 120. As described above, the combined information storage unit 220 is a configuration unit that stores the combined information for associating the data distributed in the second storage unit 120. In the above example, a random number table is used as search information and combination information.

[1-4. DBMS]

  The DBMS 300 is a component that manages access to the DB 100 in an integrated manner. The DBMS 300 according to the present embodiment includes the following components to perform processing such as user authentication, data division, storage, search, search, and combination. For this purpose, the DBMS 300 includes an authentication unit 301, an associated information generation unit 310, a rule storage unit 320, an encryption processing unit 330, a registration processing unit 340, a search processing unit 350, and the like.

  The authentication unit 301 is a configuration unit that authenticates a valid user of the DB 100 based on the authentication information input from the input unit 400. The authentication unit 301 includes an authentication information storage unit 302, a determination unit 303, and the like. The authentication information storage unit 302 is a means for storing in advance authentication information of a legitimate user. The determination unit 303 is a unit that determines whether the authentication information input from the input unit 400 matches the authentication information stored in the authentication information storage unit 302. The authentication information is generally an ID, a password, etc., but includes any authentication information that can be used at present and in the future.

  The association information generation unit 310 includes a search information generation unit 311 and a combined information generation unit 312. The search information generation unit 311 is a configuration unit that generates search information. The combined information storage unit 312 is a component that generates combined information. In the above example, a random number table is used as search information and combination information. The generation of the random number table is a well-known technique, and any method applicable at present or in the future can be used.

  The rule storage unit 320 includes a division rule storage unit 321, a search rule storage unit 322, a combination rule storage unit 323, and the like. The division rule storage unit 321 is a configuration unit that stores a rule for dividing data. As the division rule, in the example of the personal information described above, a rule that divides the data into meaning data such as name, address, and age can be considered. However, the present invention is not limited to this.

  As described above, the search rule storage unit 322 is a configuration unit that stores a search rule for associating data in the first storage unit 110 with data in the second storage unit 120. As described above, the combination rule storage unit 323 is a configuration unit that stores a combination rule for associating data distributed in the second storage unit 120.

  The encryption processing unit 330 includes an encryption unit 331, a decryption unit 332, and the like. The encryption unit 331 is a configuration unit that encrypts data stored in the second storage unit 120. The decryption unit 332 is a configuration unit that decrypts the data stored in the second storage unit 120. For encryption and decryption, any method that can be applied in the present or future can be used.

  The registration processing unit 340 includes a dividing unit 341, a first adding unit 342, a duplicating unit 343, a second adding unit 344, a storing unit 345, and the like. The dividing unit 341 is a component that divides input data based on a division rule. The 1st provision part 342 is a structure part which provides 1st identification information to each divided | segmented data. An example of giving the first identification information is as described above, but the present invention is not limited to this.

  The duplication unit 343 is a component that duplicates the divided data. The 2nd provision part 344 is a structure part which provides 2nd identification information to each replicated data. An example of providing the second identification information is as described above, but the present invention is not limited to this. The storage unit 345 stores the data that has been divided and provided with the first identification information in a distributed manner in the first storage unit 110, and the data that has been duplicated and provided with the second identification information is stored in the second storage unit 345. The storage unit 120 stores the information in a distributed manner.

  The search processing unit 350 includes a request determination unit 351, a first search unit 352, a search unit 353, a second search unit 354, a combining unit 355, and the like. The request determination unit 351 is a configuration unit that determines whether or not an input search request requires a combination of divided data. For example, in the case of a search request for the number of people living in a specific area, only the address data need be searched, and no data combination is required. On the other hand, in the case of a search request for obtaining the address and age of a person with a name, it is necessary to combine the data of name, address, and age.

  The first search unit 352 is a configuration unit that searches the data stored in the first storage unit 110 in accordance with the search condition included in the search request according to the determination result by the request determination unit 351. The search unit 353 searches for data stored in the second storage unit 120 corresponding to the data stored in the first storage unit 110, based on the search information and the search rules, according to the determination result by the request determination unit 351. It is the component which performs. Furthermore, the second search unit 354 is a component that searches the second storage unit 120 for data corresponding to the data searched by the search unit 353 based on the combination information and the combination rule. The combining unit 355 is a component that combines the data searched by the second search unit 354.

  Note that the DBMS 300 can perform processing such as update and deletion of data in the DB 100 in accordance with a request input from the input unit 400, as in a general DBMS. Other functions such as data consistency and concurrent execution control that are included in a general DBMS are well-known techniques and will not be described.

[1-4. Input section]

  The input unit 400 is a configuration unit that allows users (including programmers, managers, general users, etc., who use the system widely) to input and operate various types of information in the distributed database processing apparatus 1. is there. As the input unit 400, any input device that can be used now or in the future, such as a keyboard, a mouse, and a touch panel, can be used. The input unit 400 allows the user to input data, a search request (including search conditions, etc.), and the DBMS 300 performs processing in response to this.

[1-5. Output section]

  The output unit 500 is a means that allows the user to visually recognize the input screen, search results, and the like of the DB 100 in the distributed DB processing apparatus 1 in various ways. As the output unit 500, any output device that can be used now or in the future, such as a display and a printer, can be used.

  As the storage unit such as the DB 100, the associated information storage unit 200, the authentication information storage unit 311, and the rule storage unit 320, any storage medium that can be used at present or in the future, such as various types of computer memory or hard disk, is used. Is possible. In the above description, each storage unit and DB are conceptually distinguished, and a part or all of them may be realized in a common storage medium, and communication paths (including buses, communication networks, etc.) are included. You may implement | achieve by the separate storage medium connected via the. The same applies to the storage units A to C and A 'to C'.

  The DBMS 300 is realized by a control unit configured by a CPU that operates according to a program, a memory, and other peripheral circuits. This control unit has functions provided in a general computer such as an input / output function of information and an arithmetic function between the input unit 400 and the output unit 500.

  The DBMS 300 generally functions as a kind of middleware that operates between an operating system and application programs. However, each of the above-mentioned units may include a part of the functions of the operation system and application program, or may be a function that operates in cooperation with the function. Is omitted.

  Further, the input unit 400 and the output unit 500 may be configured to be remotely arranged and connected via a communication network.

[2. Operation of the embodiment]
The processing flow according to the present embodiment as described above will be described with reference to FIGS.

[2-1. Data registration process]

  First, data registration processing for storing data in a distributed manner will be described with reference to the flowchart of FIG. 2 and the explanatory diagrams of FIGS. That is, the user inputs authentication information using the input unit 400 (step 01). The determination unit 303 determines whether or not the input authentication information matches the authentication information stored in the authentication information storage unit 302 (step 02). If the determination unit 303 determines that the authentication information does not match, it is determined that the user is not a valid user, and the subsequent processing cannot proceed (NO in step 02).

  If it is determined that the authentication information matches, the user is authenticated as a valid user (YES in step 02). This user inputs personal information using the input unit 400 (step 03). The dividing unit 341 divides the input personal information according to the division rule (step 04). In the above example, personal information is divided into name, address, and age.

  Further, the duplicating unit 343 duplicates each divided data (step 05). At this time, the encryption unit 331 encrypts each divided data (step 06). And the 1st provision part 342 assign | provides 1st identification information to each divided | segmented data and each replicated data according to search information and a coupling rule (step 07). In the above example, a key (key1) is assigned to each based on the random number table (see FIG. 4). Note that the search information may be generated in advance by the search information generation unit 311 and stored in the search information storage unit 210, or may be generated by the search information generation unit 311 when the first identification information is given. Thereafter, it may be stored in the search information storage unit 310.

  The second assigning unit 344 assigns the second identification information to each replicated and encrypted data according to the search information and the search rule (step 08). In the above example, the name, address, and age are copied and encrypted, and a key (key2) is assigned to each based on the random number table (see FIG. 6). Note that the combined information may be generated in advance by the combined information generation unit 312 and stored in the combined information storage unit 220, or may be generated by the combined information generation unit 312 when the second identification information is given. Thereafter, the information may be stored in the combined information storage unit 320.

  The storage unit 345 stores the data divided by the dividing unit 341 and provided with the first identification information in a distributed manner in the first storage unit 110 (step 09). In the above example, names, addresses, and ages are stored in the storage units A, B, and C, respectively. Further, the storage unit 345 stores the encrypted data to which the second identification information is added in a distributed manner in the second storage unit 120 (step 10). In the above example, the encrypted names, addresses, and ages are stored in the storage units A ′, B ′, and C ′.

[2-2. Data search processing]

  Next, processing for retrieving data will be described with reference to the flowchart of FIG. 3 and the explanatory diagrams of FIGS. First, in the same manner as described above, user authentication is performed (steps 11 and 12). Next, the user uses the input unit 400 to input a search request (step 13). The request determination unit 351 determines whether the search request is for only the divided data or needs to combine the divided data (step 14).

  When the search request includes a search condition for only the divided data, the request determination unit 351 determines that the connection is unnecessary (NO in step 15). For example, this is the case when the search request is only the name, only the address, and only the age. Then, the first search unit 352 searches only the data from one of the first storage units 110 (storage units A, B, and C) (step 21).

  In this case, since it is not necessary to combine with other data, the search result is output to the output unit 500 as it is (step 20). It should be noted that the same can be applied to a search condition in which the first storage unit 110 only needs to be searched independently, such as the number of people with the same surname and the number of people living in the same ward.

  On the other hand, if the search request requires combining of the divided data, the request determination unit 351 determines that combining is necessary (YES in step 15). For example, this is the case where the request is such that a specific name and the address of the person can be used to identify the individual by combining the distributed data.

  In such a case, the search unit 353 searches for data in the second storage unit 120 corresponding to the data in the first storage unit 110 according to the input search condition, search information, and search rule (step 16). . For example, when searching for an address from the name, the name of the corresponding second storage unit 120 assigned to the name of the first storage unit 110 is searched. In the above example, the key (015) corresponding to the key (010) assigned to the name (Taro Suzuki) is determined from the random number table, and data corresponding to this is searched (see FIG. 5).

  Next, the second search unit 354 searches the second storage unit 120 for data to be combined with the searched data in accordance with the combination information and the combination rule (step 17). In the above example, the key (012,005) corresponding to the key (009) assigned to the encrypted name (Taro Suzuki) is determined from the random number table, and data corresponding to this is searched (FIG. 6). reference).

  Then, the decryption unit 332 decrypts each retrieved data (step 18). Further, the combining unit 355 combines the decrypted data (step 19). The combined search result is output to the output unit 500 (step 20).

[3. Effects of the embodiment]

  The effects of the present embodiment (the present invention) as described above are as follows. In other words, according to the present embodiment, when each divided data is searched independently, the processing load is light and the search can be performed at high speed because encryption is not performed. In this case, even if the data leaks from the internal route (for example, X in FIG. 1), the individual cannot be specified, so there are few problems.

  On the other hand, when searching by combining the divided data, only the encrypted data flows through the path. For this reason, even if a plurality of data flowing through the internal route (for example, Y in FIG. 1) leaks at the same time, the contents can be concealed.

[4. Other Embodiments]

  The present invention is not limited to the embodiment as described above. For example, the present invention is not limited to that realized by a specific single computer. By configuring with a plurality of server devices or distributing the processing with a plurality of computers according to each functional block, it is also possible to configure a system in which a plurality of devices are connected to perform processing.

  In the above embodiment, the first storage unit and the second storage unit each distribute data to three. However, the number of distributions may be any number as long as it is two or more. . The number of distributions may be different between the first storage unit and the second storage unit.

  The data handled by the present invention is not limited to specific data. The data illustrated above is only one example, and can be widely applied to data that is distributed and managed. What kind of data can be included as personal information is free, and the division unit and number are also free. The present invention is effective for preventing leakage of personal information, but the data used is not limited to personal information.

Claims (5)

Dividing means for dividing a plurality of pieces of information composed of data of a plurality of attributes for each of the attributes;
First assigning means for assigning a unique first key to each data divided by the dividing means based on a first algorithm;
A first storage unit in which each first key assigned by the first assigning means and data corresponding to each of the first keys are stored in a random position;
Second assigning means for assigning a unique second key to the plurality of information based on a second algorithm;
Encryption means for encrypting the plurality of information;
A second storage unit in which the second key assigned by the second assigning unit and the data encrypted by the encrypting unit are stored in a pair at random positions;
A third storage unit in which the first and second keys, the first and second algorithms, and association information between data constituting the information are stored;
A distributed database system comprising:   The distributed database system according to claim 1, further comprising means for restoring the information based on the storage contents of the third storage unit.   2. The distributed database system according to claim 1, wherein the second assigning unit assigns a unique second key to each data stored in the first storage unit based on the second algorithm.   The distributed database system according to claim 1, wherein the encryption unit encrypts each data stored in the first storage unit.   2. The distributed database system according to claim 1, further comprising: a reading unit that reads out the encrypted data stored in the second storage unit at the time of reading the information data.