JP2007249507A - Information leakage prevention method, information leakage prevention system and information terminal - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To surely prevent the leakage of information such as internal personal information or secret information even when any communicable terminal such as a portable telephone set is lost or stolen. <P>SOLUTION: A portable telephone set 101 and an authentication server 102 connected to the Internet are connected, so that a portable telephone set is configured. The portable telephone set registers one piece of secret information divided by itself and PIN information in an authentication server, and authenticates a user based on the PIN information, and acquires the secret information from the authentication server. The authentication server registers the PIN information and secret information in a portable telephone table, and receives the PIN information from the portable telephone set, and performs user authentication, and returns the secret information. The secret information in the portable telephone set is erased when the user authentication based on the PIN information fails more than specified number of times. The secret information acquired from the authentication server is stored in a volatile memory, and erased power disconnection and reset. The other piece of the divided secret information is stored by the portable telephone itself, and the whole secret information is restored when the both pieces of information can complete. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an information leakage prevention method, an information leakage prevention system, and an information terminal. In particular, when a communicable information terminal such as a mobile phone is lost or stolen, personal information stored in the terminal is stored. In particular, the present invention relates to an information leakage prevention method, an information leakage prevention system, and an information terminal that can prevent leakage of information such as confidential information.

  2. Description of the Related Art In recent years, with the enhancement of functions of information terminals that can be carried and communicated, such as mobile phones, business operations that have been conventionally performed on notebook PCs or the like can be performed on portable terminals. . Along with this, there is an increasing number of cases where confidential information such as customer information of customers and wholesale prices is stored and used in portable terminals.

  On the other hand, with the enforcement of the Personal Information Protection Law, prevention of leakage of information that can identify an individual such as an individual's name, address, and telephone number is an important issue. If such information is leaked, the organization's It becomes a big problem that affects the survival. In addition, it has become important to strictly manage information other than personal information and to establish a system that does not leak information.

  For this reason, there is a demand for a mechanism that does not leak personal information or confidential information stored in a mobile terminal even if the mobile terminal is lost or stolen.

  As a conventional technique related to prevention of leakage of confidential information, for example, a technique described in Patent Document 1 is known. This prior art prevents leakage of a specific program or specific data stored in a mobile phone, and the data stored in a non-volatile memory such as a flash memory is transferred according to a request from a server. It is to delete.

Moreover, the technique described in the nonpatent literature 1 etc. is known as another prior art. This prior art is such that when a mobile phone acquires and holds personal information from a server, the received data is deleted after a specific time or a predetermined time has elapsed.
Japanese Patent Application No. 2002-589970 (page 31) "Development of a" government support system "with a high personal information leakage prevention function using au mobile phones" KDDI CORPORATION, Hewlett-Packard Japan Co., Ltd., announced on March 11, 2005 http://www.kddi .com / corporate / news_release / 2005/0311 /

  However, the prior art described in Patent Document 1 described above cannot receive a command from the server when the mobile phone is moved to a place where the radio wave of the mobile phone does not reach, and cannot store personal information or confidential information. It cannot be erased, and because it cannot protect against attacks that extract data on non-volatile memory due to mobile phone hardware modifications, it has the problem that confidential information is stolen. .

  In addition, in the related art described in Non-Patent Document 1, when erasing data of a mobile phone after a certain period of time, it is necessary to erase data at short intervals in order to maintain safety. Deletion of data causes a problem of reducing user convenience, and since data is stored in a server accessed via a public communication network such as the Internet, the server is attacked. There is a problem that personal information and confidential information are stolen.

  The object of the present invention is to solve the above-mentioned problems of the prior art and ensure leakage of information such as personal information and confidential information when a communicable information terminal such as a mobile phone is lost or stolen. To provide an information leakage prevention method, an information leakage prevention system, and an information terminal that can be prevented.

  According to the present invention, there is provided an information leakage prevention method for preventing leakage of confidential information in an information terminal, wherein the information terminal includes a communication unit that connects to an authentication server via a network, and the information terminal Confidential information is encrypted and divided, and one of the divided data is transmitted to the authentication server and held, and the other divided data is held in its own terminal. This is achieved by acquiring one piece of divided data and restoring the confidential information from this data and the other data held in the terminal itself.

  In addition, in the information leakage prevention system for preventing leakage of confidential information in the information terminal, the object is that the information terminal encrypts the confidential information in the information terminal with communication means for connecting to the authentication server via the network. Means for transmitting and dividing, means for transmitting one piece of divided data to the authentication server, means for holding the other piece of divided data in its own terminal, and dividing the information from the authentication server when using the confidential information Means for obtaining one data, and means for restoring the confidential information from one data obtained from the authentication server and the other data held in the terminal, wherein the authentication server comprises an information terminal And means for holding one of the divided data transmitted from the terminal and means for returning the one data in response to a request from the information terminal. It is.

  Further, the object is to provide an information terminal capable of preventing leakage of confidential information, a communication means connected to an authentication server via a network, and a means for encrypting and dividing the confidential information in the information terminal. Means for transmitting one data to the authentication server, means for holding the other divided data in its own terminal, means for obtaining the one divided data from the authentication server when using the confidential information; And means for restoring the confidential information from the one data acquired from the authentication server and the other data held in the terminal.

  According to the present invention, when a communicable information terminal such as a mobile phone is lost or stolen, leakage of information such as personal information and confidential information can be surely prevented.

  Embodiments of an information leakage prevention method and an information leakage prevention system according to the present invention will be described below in detail with reference to the drawings.

  FIG. 1 is a diagram showing a configuration of a network system for constructing an information leakage prevention system according to an embodiment of the present invention. The embodiment of the present invention described below will be described by taking a mobile phone as an example of a terminal. However, the present invention is applicable to any information terminal as long as it has a communication function. be able to. In FIG. 1, 101 is a mobile phone, 102 is an authentication server, 103 is a mobile phone carrier gateway, 104 is the Internet, and 105 is a mobile phone network.

  The network system shown in FIG. 1 includes a mobile phone 101 that is a communication device that runs an application that uses confidential data, and an authentication server 102 that is a communication device that ensures the security of confidential data in cooperation with the mobile phone 101. The mobile phone carrier is configured by a mobile phone carrier gateway 103 which is a communication device for connecting the mobile phone network 105 constructed for a mobile phone of the company by the mobile phone carrier and the Internet 104. The mobile phone 101 can connect to the Internet 104 via the mobile phone carrier gateway 103 and communicate with the authentication server 101.

  FIG. 2 is a block diagram showing the configuration of the mobile phone 101. 2, 201 is a CPU, 202 is a memory, 203 is a communication unit, 204 is an input unit, 205 is an output unit, 206 is a data registration program, 207 is a data use program, 208 is distributed encrypted data B, and 209 is a storage unit. , 210 is a terminal identifier number, 211 is a bus, 212 is distributed encrypted data A, 213 is local PIN information, 214 is an encryption key, and 215 is confidential data.

  The mobile phone 101 includes a CPU 201 that executes programs, a memory 202 that loads programs and data, a communication unit 203 that establishes connections with other terminals, an input unit 204 that inputs commands and data, and a system An output unit 205 that outputs a status, etc., a terminal identifier number 210, a storage unit 209 such as a nonvolatile memory that stores a data registration program 206, a data use program 207, and distributed encrypted data B208 are connected by a bus 211. Configured.

  The communication unit 203 has a function of establishing a connection with another terminal using TCP, which is a standard protocol of the Internet, and performing data communication, and the input unit 204 is a keyboard, mouse, pen input, voice The input means includes an input, a button, a jog dial, and a cross key. The output unit 205 is an output unit such as a display or a voice. The terminal identification number 210 is a number assigned so that the mobile phone carrier can uniquely identify each mobile phone 101.

  The data registration program 206 is a program for registering PIN information and confidential data from the mobile phone 101 in the authentication server, and the data use program 207 is a user when actually using the confidential data on the mobile terminal 101. The distributed encryption data B208 is a program that performs authentication and access control, and is necessary for creating confidential data used by the mobile phone 101.

  On the memory 202, distributed encryption data A 212, local PIN information 213, encryption key 214, confidential data 215, and the like that are temporarily stored are loaded. The distributed encrypted data A 212 is data acquired from the authentication server 102 that is necessary for creating confidential data used in the mobile phone 101, and the local PIN information 213 is used for user authentication in the mobile phone 101. It is data. The encryption key 214 is data used to encrypt and decrypt confidential data, and the confidential data 215 is plain text personal information, confidential information, and the like held in the mobile phone 101.

  FIG. 3 is a block diagram showing the configuration of the authentication server 102. In FIG. 3, 301 is a CPU, 302 is a memory, 303 is a communication unit, 304 is an input unit, 305 is an output unit, 306 is a data setting program, 307 is a data authentication program, 308 is a mobile phone table, and 309 is a carrier GW table. , 310 is a storage unit, and 311 is a bus.

  The authentication server 102 includes a CPU 301 that executes programs, a memory 302 that loads programs and data, a communication unit 303 that establishes connections with other terminals, an input unit 304 that inputs commands and data, and a system An output unit 305 that outputs a status and the like, and a storage unit 310 that stores a data setting program 306, a data authentication program 307, a mobile phone table 308, and a carrier GW table 309 are connected by a bus 311.

  The data setting program 306 is a program for setting PIN information and confidential data received from the mobile terminal 101 in the mobile phone table 308, and the data authentication program 307 performs user authentication in response to an authentication request from the mobile terminal 101. It is a program to be performed. The mobile phone table 308 is a table for managing information of the registered mobile phone 101, and the carrier GW table 309 is a carrier gateway used by the mobile phone company when the mobile phone 101 connects to the Internet 104. 10 is a table for managing network addresses 103.

  FIG. 4 is a diagram showing the configuration of the mobile phone table 308. The table 308 includes an item number 401, a registered terminal number 402, a mobile phone carrier 403, a local PIN 404, a network PIN 405, an encryption key 406, distributed encryption data 407, and a lockout flag 408.

  In this table 308, an item number 401 is an identifier for uniquely determining a record in the table, and a registered terminal number 402 is a number that can uniquely identify a registered mobile phone 101, for example, a manufacturing number. Or network number. The mobile phone carrier 403 is an identifier of the mobile phone company being used, and the local PIN 404 is data used when user authentication is performed only inside the mobile phone 101.

  Furthermore, the network PIN 405 is data used when processing an authentication request from the mobile phone 101, and the encryption key 406 is data used when the mobile phone 101 encrypts and decrypts confidential data. . The distributed encrypted data A407 is one of the divided pieces of confidential data encrypted by the mobile phone 101, and the lockout flag 408 indicates whether or not the mobile phone is in a lockout state in which user authentication is not accepted. This is a flag for judging.

  FIG. 5 is a diagram showing the configuration of the carrier GW table 309. This table 309 includes an item number 501, a gateway address 502, and a mobile phone address 503.

  In this table 309, an item number 501 is an identifier for uniquely determining a record in the table, and a gateway address 502 represents a network address of the carrier gateway 103 announced by a mobile phone company. The mobile phone carrier 503 is an identifier of a mobile phone company corresponding to the gateway address 502.

  Next, confidential data registration processing by the user and confidential data usage processing by the user will be described. In the confidential data registration processing by the user, the data registration program 206 of the mobile phone 101 and authentication are performed. The data setting program 306 of the server 102 is used, and the data use program 207 of the mobile phone 101 and the data authentication program 307 of the authentication server 102 are used for processing of using confidential data by the user. Therefore, the processing operation of each program will be described below.

  FIG. 6 is a flowchart for explaining the processing operation of the data registration program 206 in the cellular phone 101 when the user registers confidential data, which will be described next.

(1) A user of the mobile phone 101 inputs a local PIN and a network PIN by using a key of the input unit 204 and the like, inputs confidential data to be stored, and causes the data registration program 206 to acquire it. The confidential data may be directly input by the user, but may be data from a memory card connected to the mobile phone 101 or data obtained via the Internet (step 601).

(2) Next, the data registration program 206 transmits an encryption key acquisition request to the authentication server 102 to acquire the encryption key in order to encrypt the confidential data acquired in step 601. At this time, the acquisition request transmitted to the authentication server 102 includes the terminal identification number 210 (step 602).

(3) The confidential data acquired in the process of step 601 is encrypted by the AES encryption method using the encryption key acquired in the process of step 602, and the encrypted confidential data is converted into an even-byte data string and an odd-byte data string. Divide into data columns. The divided data strings are called divided encrypted data A and divided encrypted data B (steps 603 and 604).

(4) The divided encrypted data A divided in the process of step 604 and the local PIN and network PIN information input by the user in the process of step 601 are transmitted to the authentication server 102 for registration in the authentication server 102. (Step 605).

  FIG. 7 is a diagram for explaining an image for dividing the confidential data encrypted by the processing in step 604 shown in FIG. Assume that a 10-byte encrypted data string shown as encrypted data 701 is obtained when the confidential data is encrypted in the process of step 603. In the process of step 604, only the odd bytes of the encrypted data 701 are collected to generate the distributed encrypted data B702, and only the even bytes of the encrypted data 701 are collected to generate the distributed encrypted data A703.

  FIG. 8 is a flowchart for explaining the processing operation of the data setting program 306 of the authentication server 102 when an encryption key acquisition request is received in the processing of step 602 of FIG. 6, which will be described next.

(1) The authentication server 102 receives an encryption key acquisition request from the data registration program 206 of the mobile phone 101. When the request is received, it is confirmed that the encryption key acquisition request source is the mobile phone. This confirmation process will be described later with reference to FIG. 9 (steps 801 and 802).

(2) If it is confirmed in step 802 that the encryption key acquisition request source is a mobile phone, it is checked whether the terminal identification number acquired in step 802 is registered in the mobile phone table 308. (Step 803).

(3) If the terminal identification number is not registered in the mobile phone table 308 in the confirmation in step 803, a new record is registered in the mobile phone table 308. At that time, the terminal identification number 402 and the mobile phone carrier 403 acquired in step 802 are registered, and a new encryption key is set (step 810).

(4) If the terminal identification number is registered in the mobile phone table 308 in the confirmation in step 803, or after the processing in step 810, the encryption key 406 is acquired from the mobile phone table 308 and returned to the mobile phone 101. (Step 804).

(5) Thereafter, the distributed encrypted data A, the local PIN, and the network PIN transmitted as a registration request from the mobile phone 101 in the process of step 605 shown in FIG. 6 are received (step 805).

(6) Since the network may be temporarily disconnected between the process of step 804 and the process of step 805, the same process as the process of step 802 is performed again, and the transmission source is carried by the mobile phone. Make sure it is a phone. This confirmation process is also performed in the same manner as described later with reference to FIG. 9 (step 806).

(7) If it is confirmed in step 806 that the transmission source is a mobile phone, the processing is continued, and the network PIN is added to the item of the mobile phone table 308 corresponding to the terminal identification number acquired in step 806. Is set (step 807).

(8) When the network PIN corresponding to the terminal identification number is set in the item of the mobile phone table 308 in the confirmation in step 807, the item of the mobile phone table 308 corresponding to the terminal identification number acquired in the processing of step 806 It is confirmed whether or not the network PIN received in step 805 is the same as the network PIN received in step 805, and if not, nothing is done and the processing here ends (step 808).

(9) If the two network PINs are the same in the confirmation in step 808, the distributed encrypted data received in the process of step 805 in the item of the mobile phone table 308 corresponding to the terminal identification number acquired in the process of step 806 A is registered, and the process here is terminated (step 809). Even if another distributed encrypted data A407 for the same terminal identification number and the same network PIN has already been registered in the mobile phone table 308, a plurality of distributed encrypted data for the same terminal identification number and the same network PIN are stored. It is assumed that A407 can be overlaid and registered.

(10) If the network PIN corresponding to the terminal identification number is not set in the item of the mobile phone table 308 in the confirmation in step 807, the mobile phone table 308 corresponding to the terminal identification number acquired in the process of step 806 is stored. The distributed encrypted data A, local PIN, and network PIN received in step 805 are registered in the item, and the processing here is terminated (step 811).

  FIG. 9 is a flowchart for explaining the operation of the process for confirming that the encryption key acquisition request source in the process of step 802 shown in FIG. 8 is a mobile phone, which will be described next.

(1) First, the data setting program 306 confirms whether or not the terminal identification number 210 of the mobile phone 101 can be acquired from the received request. If the terminal identification number 210 cannot be acquired, the processing here is stopped ( Steps 901 and 904).

(2) If the terminal identification number 210 of the mobile phone 101 can be acquired from the received request in the confirmation in step 901, there is a possibility that the encryption key acquisition request is transmitted from the mobile phone. It is confirmed whether or not the network address of the connection source is registered in the carrier GW table 309. If it is not registered, the processing here is stopped (steps 902 and 904).

(3) If the network address of the connection source of the request is registered in the carrier GW table 309 in the confirmation in step 902, it is determined that the connection is from the mobile phone company. The process proceeds to (step 903).

  FIG. 10 is a flowchart for explaining the processing operation of the data use program 207 in the mobile phone 101 when the user uses confidential data. Next, this will be described.

(1) When an access request to confidential data is generated by a user of the mobile phone 101 or an application, the data use program 207 checks whether the local PIN information 213 is on the memory 202 (steps 1001 and 1002). .

(2) When the local PIN information 213 is found in the memory 202 in the confirmation in step 1002, the input screen is displayed and the user is prompted to input the registered local PIN information. PIN information is acquired (step 1003).

(3) It is confirmed whether or not the local PIN acquired in step 1003 and the local PIN information 213 in the memory 202 are the same. If they are the same, access to the confidential data 215 in the memory 202 is performed. Allow (steps 1004, 1005).

(4) If the local PIN information 213 is not stored in the memory 202 in the confirmation in step 1002, an input screen is displayed and the user is allowed to input information about the registered network PIN and the new local PIN. The entered PIN information is acquired (step 1006).

(5) Next, the network PIN and local PIN acquired in the processing of step 1006 are transmitted to the authentication server 102, and the local PIN is reset and an acquisition request for temporarily stored information is made (step 1007).

(6) In response to the information acquisition request in step 1007, the distributed encrypted data A, the local PIN information, and the encryption key are transmitted from the authentication server 102, so that these data are received and stored in the memory 202. (Step 1008).

(7) The encrypted data is synthesized from the distributed encrypted data A212 received in the processing of step 1008 and the distributed encrypted data B208 stored in the storage unit 209, decrypted using the received encryption key 214, and plaintext The confidential data 215 in the format is restored and stored in the memory 202, and access to the confidential data 215 in the memory 202 is permitted (steps 1009 and 1005).

(8) When the local PIN inputted and acquired in the confirmation in step 1004 is not the same as the local PIN information 213 in the memory 202, the comparison of the local PIN, which is the confirmation processing in step 1004, is determined in advance. It is confirmed whether or not it has failed more than once, for example, four or more times in succession. Note that the number of failures is counted by the data use program 207 and held in the memory 202 (step 1010).

(9) If the number of failures in the confirmation in step 1010 has not failed more than a predetermined number of times, the processing returns to step 1003, and the processing is repeated by requesting the user to input the local PIN again. If it has failed, the distributed encryption data A 212, local PIN information 213, encryption key 214, and confidential data 215 in the memory 202 are deleted, and the processing returns to step 1002 and continues (step 1011).

  FIG. 11 is a flowchart for explaining the processing operation of the data authentication program 307 when the authentication server 102 receives the PIN reset and information acquisition request transmitted in the process of step 1007 of FIG. Will be described.

(1) When the authentication server 102 receives the PIN reset including the network PIN and the local PIN and the information request from the mobile phone 101, the data authentication program 307 confirms that the acquisition request source is the mobile phone. This process is performed in the same manner as described with reference to FIG. 9 (steps 1101 and 1102).

(2) If it is confirmed in step 1102 that the acquisition request source is a mobile phone, the lockout flag 408 of the item in the mobile phone table 308 corresponding to the terminal identification number acquired in the processing in step 1102 is set. It is confirmed whether or not the lockout flag 408 has been set. If the lockout flag 408 has been set, the processing here is terminated (step 1103).

(3) If the lockout flag 408 is not set in the confirmation in step 1103, the network PIN received in the processing in step 1101 and the items in the mobile phone table 308 corresponding to the terminal identification number acquired in step 1102 It is confirmed whether or not the network PIN 405 is the same (step 1104).

(4) If the network PIN is the same in step 1104, the local PIN 404 in the mobile phone table 308 corresponding to the terminal identification number acquired in step 1102 is rewritten with the local PIN received in step 1101 ( Step 1105).

(5) Thereafter, the distributed encryption data A407, local PIN 404, and network PIN 405 in the mobile phone table 308 corresponding to the terminal identification number obtained in the processing of step 1102 are returned to the mobile phone 101, and the processing here ends. (1106).

(6) If the network PINs are not the same in the confirmation in step 1104, it is confirmed whether or not the comparison of the network PINs has failed for a predetermined number of times or more, for example, 11 or more times consecutively, If it has failed, the lockout flag 408 of the mobile phone table 308 corresponding to the terminal identification number acquired in step 1102 is set. Note that the number of failures is counted by the data authentication program 307 and stored in the memory 302. Also, once the lockout flag 408 is set, this flag 408 can only be released by the administrator of the authentication server 102 (steps 1107 and 1109).

(7) In the confirmation in step 1107, if it has not failed more than a predetermined number of times, or after the processing in step 1109, an error message is returned to the mobile phone 101, and the processing here is terminated (step 1108). ).

  In the above-described embodiment of the present invention, it is possible to restore personal information and confidential information for the first time when the data of both the authentication server information and the mobile terminal information can be obtained. , Confidential information can be protected from being stolen by attackers.

  According to the embodiment of the present invention described above, when a mobile phone is lost or stolen, personal information and confidential information inside the mobile phone are erased at the timing of lockout of authentication of the mobile phone user. In addition, even if the mobile phone hardware is modified to take out personal information or confidential information inside the mobile phone, the information is deleted when the mobile phone is turned off or reset. Can respond.

  Each process in the above-described embodiment of the present invention is configured by a program and can be executed by a CPU provided in the information terminal and the authentication server. These programs are recorded on FD, CD-ROM, DVD, and the like. It can be provided by being stored on a medium, or can be provided by digital information via a network.

It is a figure which shows the structure of the network system which builds the information leakage prevention system by one Embodiment of this invention. It is a block diagram which shows the structure of a mobile telephone. It is a block diagram which shows the structure of an authentication server. It is a figure which shows the structure of a mobile telephone table. It is a figure which shows the structure of a carrier GW table. It is a flowchart explaining the processing operation of the data registration program in a mobile telephone when a user registers confidential data. It is a figure explaining the image which divides | segments the confidential data encrypted by the process of step 604 shown in FIG. 7 is a flowchart for explaining the processing operation of the data setting program of the authentication server when an encryption key acquisition request is received in the processing of step 602 in FIG. 6. FIG. 9 is a flowchart for explaining an operation of processing for confirming that an encryption key acquisition request source is a mobile phone in the processing of Step 802 shown in FIG. 8. FIG. It is a flowchart explaining the processing operation of the data utilization program in a mobile telephone when a user utilizes confidential data. It is a flowchart explaining the processing operation | movement of a data authentication program when an authentication server receives PIN reset and the information acquisition request which were transmitted by the process in step 1007 of FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 Mobile phone 102 Authentication server 103 Mobile phone carrier gateway 104 Internet 105 Mobile phone network 201, 301 CPU
202, 302 Memory 203, 303 Communication unit 204, 304 Input unit 205, 305 Output unit 206 Data registration program 207 Data utilization program 208 Distributed encryption data B
209, 310 Storage unit 210 Terminal identifier number 211, 311 Bus 212 Distributed encryption data A
213 Local PIN information 214 Encryption key 215 Confidential data 306 Data setting program 307 Data authentication program 308 Mobile phone table 309 Carrier GW table

Claims (8)

  In the information leakage prevention method for preventing leakage of confidential information in the information terminal, the information terminal includes a communication unit connected to an authentication server via a network, and encrypts and divides the confidential information in the information terminal, Sending and holding one of the divided data to the authentication server and holding the other divided data in its own terminal, when using the confidential information, obtaining the one divided data from the authentication server, An information leakage prevention method, wherein the confidential information is restored from this data and the other data held in the terminal.   The information terminal holds the other divided data in its own terminal in a nonvolatile storage unit, and stores the encryption key acquired for encrypting the confidential information from the authentication server and the restored confidential information in the volatile memory. 2. The information leakage prevention method according to claim 1, wherein the information stored in the volatile memory is erased when the power is turned off or reset by holding.   The information terminal registers in advance an authentication server with a local PIN, which is authentication data required when using the information terminal, and a network PIN, which is authentication data required when using the authentication server, and when using the confidential information, 3. The PIN and network PIN are transmitted to an authentication server for authentication, and when the authentication is successful, the one piece of divided data and a decryption encryption key are received from the authentication server. Information leakage prevention method.   4. The information leakage prevention method according to claim 3, wherein the information terminal deletes confidential information held in the information terminal when user authentication by a local PIN has failed more than a specified number of times.   In an information leakage prevention system for preventing leakage of confidential information in an information terminal, the information terminal includes a communication unit connected to an authentication server via a network, a unit for encrypting and dividing the confidential information in the information terminal, Means for transmitting one piece of divided data to the authentication server, means for holding the other piece of divided data in its own terminal, and obtaining the one piece of divided data from the authentication server when using the confidential information Means, and means for restoring the confidential information from one data acquired from the authentication server and the other data held in the terminal, the authentication server transmitted from the information terminal An information leakage prevention system comprising means for holding one of the divided data and means for returning the one data in response to a request from the information terminal. Temu.   The information terminal includes means for previously registering a local PIN, which is authentication data required when using the information terminal, and a network PIN, which is authentication data required when using the authentication server, in the authentication server, and when using the confidential information. Means for transmitting the local PIN and network PIN to an authentication server for receiving authentication, and means for receiving the divided one data and an encryption key for decryption from the authentication server when authentication is successful, The authentication server stores information by registering and holding the local PIN and network PIN from the information terminal, and the local PIN and network PIN transmitted together with the request when requesting confidential information from the information terminal. Decrypts together with the means for authenticating the terminal and the one of the data held at the time of successful authentication Further information leakage prevention system according to claim 5, characterized in that it comprises a means for returning an encryption key for.   In an information terminal capable of preventing leakage of confidential information, communication means connected to an authentication server via a network, means for encrypting and dividing the confidential information in the information terminal, and authenticating one of the divided data Means for transmitting to the server, means for holding the other divided data in its own terminal, means for obtaining the one piece of divided data from the authentication server when using the confidential information, and obtaining from the authentication server An information terminal comprising: means for restoring the confidential information from one data and the other data held in the terminal.   Means for previously registering a local PIN, which is authentication data required when using the information terminal, and a network PIN, which is authentication data required when using the authentication server, in the authentication server; and when using the confidential information, the local PIN and network 8. The information processing apparatus according to claim 7, further comprising: means for receiving authentication by transmitting a PIN to an authentication server, and receiving the one divided data and an encryption key for decryption from the authentication server when authentication is successful. Information terminal.