Data storage apparatus, data updating system, data processing method, and computer readable medium
Abstract
A data storage unit (202) stores encrypted data while remaining in an encrypted state, and stores decryption conditions to define a user attribute of a decryption-permission user who is permitted to decrypt the encrypted data. In a case wherein revocation information to indicate a user attribute of a revoked user who is no longer the decryption-permission user has been added to the decryption condition when update timing arrives, a revocation information removing unit (206) removes the revocation information from the decryption condition while the encrypted data remains in the encrypted state. Further, the revocation information removing unit (206) transmits the encrypted data and the decryption conditions from which the revocation information has been removed to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, and receives, from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed. A refresh processing unit (205) updates the encrypted data that has been re-encrypted and the decryption condition from which the revocation information has been removed.
10 Claims
1. A data storage apparatus comprising processing circuitry to:
- store encrypted data that has been encrypted, while remaining in an encrypted state, and to store a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in the decryption condition that does not require decryption of said encrypted data in order to read;
- in a case where revocation information which identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition when update timing to update the encrypted data and the decryption condition arrives, process the revocation information to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, to transmit the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, the transmission to the re-encryption apparatus being performed prior to decryption, and to receive from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed; and
- update the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed.
4. A data updating system comprising:
- a data storage apparatus including; first processing circuitry to store encrypted data which has been encrypted, while remaining in an encrypted state, and to store a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in the decryption condition that does not require decryption of said encrypted data in order to read, determine, when update timing to update the encrypted data and the decryption condition arrives, whether revocation information that identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition, and in a case wherein the revocation information has been added to the decryption condition, to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, to transmit the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, the transmission to the re-encryption apparatus being performed prior to decryption, and to receive from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed, and update the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed; and
- a key update apparatus including second processing circuitry to update a decryption key used for decryption of the encrypted data when the update timing arrives.
9. A data processing method, comprising
by a computer that stores encrypted data that has been encrypted, while remaining in an encrypted state, and stores a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in a decryption condition that does not require decryption of said encrypted data in order to read, in a case where revocation information which identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition when update timing to update the encrypted data and the decryption condition arrives, processing the revocation information to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, transmitting the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme prior to decryption, receiving from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed, and updating the encrypted data that has been re-encrypted and received, and the decryption condition from which the revocation information has been removed.
10. A non-transitory computer readable medium storing a data processing program that causes a computer that stores encrypted data that has been encrypted while remaining in an encrypted state, and stores a decryption condition being a parameter to control permitted decryption of the encrypted data, where a decryption-permission user who is permitted to decrypt the encrypted data is defined in the decryption condition that does not require decryption of said encrypted data in order to read;
- a revocation information removing processing to remove, in a case where revocation information identifies a revoked user who is no longer the decryption-permission user, has been added to the decryption condition when update timing to update the encrypted data and the decryption condition arrives, processing the revocation information to remove the revoked user from the decryption condition while the encrypted data remains in an encrypted state, to transmit the encrypted data and the decryption condition from which the revocation information has been removed, to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, the transmission to the re-encryption apparatus being performed prior to decryption, and to receive from the re-encryption apparatus, the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed; and
- a refresh processing to update the encrypted data that has been re-encrypted and received by the revocation information removing processing, and the decryption condition from which the revocation information has been removed.
Specification