In recent years, networks such as the Internet have become indispensable infrastructure of society, and systems for sophisticatedly using information are built on the networks. On the other hand, just like other properties, information can be considered as assets owned by individuals or corporations. If important information is leaked over a network through which the information diffuses instantly, irrevocable loss will be caused. Innumerable information leakage problems in such a manner actually occur in reality.
However, if strictly keeping information secret in order to prevent leakage, it will cause inconvenience in information exchange and information utilization between kind collaborators, such as sharing medical information between medical experts for cooperation purpose.
In order to securely deliver information and yet sophisticatedly use information, it is necessary to develop an information distribution system enabling both the “security of information” and the “freedom of information exchange”. Such a system, which can securely hold information and securely transfer the information to a required place, is configured by a secure storage system and a secure transport system.
However, under the current circumstances, although an encrypted storage system and an encrypted transport system are individually arranged and security thereof is each guaranteed, it is undeniable that there is a dangerous area between the storage system and the transport system. In other words, there exist cases such as where data taken from the encrypted file is transmitted after being decrypted, where data received by encryption communication is then stored in plaintext, and the like. All these are elements which may lead to information leakage.
Further, access authentication for accessing the storage (file) system and opposite party authentication for performing communication are typically separately managed. Further, management of these authentications is performed by an expert on the center side, and the client (the user) who actually owns the information can not designate a person to access the information on his (or her) terminal side and on his (or her) own will.
As described above, there are two problems. The first problem lies in security of information transmission. With the conventional method in which the information is encrypted and transmitted, and then the encrypted information is decrypted at the destination to obtain the original information, it is impossible to completely guarantee security. The second problem lies in freedom of information transmission. For the sake of “security”, management of access to the information is performed by an administrator on the server side, and therefore the actual owner of the information can not freely handle the information and freely disclose the information to a trusted third person.
As an encryption technology to solve the first problem, there is a storage technology which has an encryption storage function. The encryption storage function is responsible for transmitting electronic data (such as image, character and the like) in an encrypted state, and storing the data in a storage section in the encrypted state.
Herein, an encryption key for performing encryption is managed by the user who sends the information. Thus, the encryption key of the user who sends the information has to be used to decrypt the encrypted data. Thus, only the owner of the encryption key (i.e., the user who sends the information) can encrypt his (or her) electronic data, and decrypt the encrypted data.
However, since the user who sends the information obviously will never give his (or her) encryption key to any other person, the difficult problem is still outstanding when the user wants to securely distribute the encrypted electronic data to a particular user other than himself (or herself).
As to the second problem, for example, when performing communication between a head office and a branch office via the Internet, high security has to be guaranteed. To serve this purpose, a technique is proposed in which a private key is provided to the server on the head office side, and a public key corresponding to the private key of the head office is provided to each client on the branch office side (see Patent Document 1).
According to the technique disclosed in Patent Document 1, a common key is generated on the branch office side (i.e., the client side). Further, the generated common key is encrypted using the public key and transmitted to the server side (i.e., the head office side). The server can obtain the common key generated on the client side by decrypting the received information with its own private key.    [Patent Document 1] Japanese Unexamined Patent Application Publication No. 2002-305513