1. Field of the Invention
The present invention relates to data processing devices and data processing methods.
2. Description of the Related Art
In computer systems, data is often stored in external storage devices. An external storage device, such as a hard disk drive (HDD), is connected to a computer system via a cable (e.g., an IDE cable, a SCSI cable, a USB cable, or an IEEE 1395 cable) or the like, so that the external storage device is not physically integrated with the computer system and can be separated from the computer system. Thus, if the external storage device is separated from the computer system and is analyzed, data stored in the external storage device can be leaked.
A countermeasure against this threat is encryption of data that is stored in an external storage device. More specifically, data that is written to an external storage device is encrypted and data that is read from the external storage device is decrypted, thereby preventing leakage of data stored in the external storage device.
There exist three approaches for newly adding an encryption and decryption function to an existing computer system.
A first approach is to add an encryption and decryption function within a computer system. According to this approach, however, since an encryption and decryption function is added within an existing computer system, the configuration of the computer system must be changed considerably.
A second approach is to add an encryption and decryption function to an external storage device. According to this approach, however, since an encryption and decryption function is added to an external storage device, it is not possible to use general external storage devices.
A third approach is to newly provide a device that bridges between a computer system and an external storage device. Techniques relating to the third approach are proposed, for example, in Japanese Patent Laid-Open No. 4-98552 and Japanese Patent Laid-Open No. 11-85621.
According to Japanese Patent Laid-Open No. 4-98552, an electronic filing device including encrypting means, decrypting means, and data processing means, the electronic filing device encrypts data that is recorded on an external storage device and decrypts data that is read from the external storage device. Furthermore, information needed for encryption or decryption can be separated.
Japanese Patent Laid-Open No. 11-85621 discloses a recording-data encryption device connected between a computer system and an external storage device. The recording-data encryption device includes storing means for storing key information, and encrypting means for encrypting data transmitted from the computer system, using the key information, and transferring the resulting encrypted data to the external storage device. The recording-data encryption device also includes decrypting means for decrypting encrypted data read from the external storage device, using the key information, and transferring the resulting decrypted data to the computer system, and protocol controlling means for monitoring the encrypting means and the decrypting means and controlling the operations thereof. With the configuration described above, without changing the configurations of the computer system and the external storage device, data that is stored on the external storage device can be encrypted, so that leakage of data stored in the external storage device can be prevented. Furthermore, the key information can be stored on a second external storage device, which is a removable device such as an IC card.
According to Japanese Patent Laid-Open No. 4-98552, an image scanner, a display, a printer, or data processing means for controlling an operation panel controls the encrypting means and the decrypting means. That is, according to the related art, the encrypting means and the decrypting means can be separated from the data processing means. Thus, from the perspective of physical configuration, the related art can be classified as the third approach (a bridging device is newly provided).
However, since the data processing means controls the encrypting means and the decrypting means, from the perspective of functional configuration, the related art can be classified as the first approach (an encryption and decryption function is added within the computer system). This causes a considerable change in the configuration of the computer system.
According to Japanese Patent Laid-Open No. 11-85621, data that is stored on an external storage device is encrypted without changing the configurations of the computer system and the external storage device, thereby preventing leakage of the data stored on the external storage device. That is, data is encrypted as a countermeasure against the threat of stealing of the external storage device alone. However, since key information used for encryption is stored in the recording-data encryption device, when the external storage device and the recording-data encryption device are stolen together, data stored on the external storage device can be readily accessed by connecting both the external storage device and the recording-data encryption device to another computer system.
In the method according to the related art, the key information can be stored on a second external storage device, which is a removable device such as an IC card. However, when the external storage device, the recording-data encryption device, and the second storage device are all stolen together, data stored on the external storage device can be accessed similarly to the case described above. Thus, the problem is not essentially solved.