To provide a cryptographic system in which decryption authorization can be
changed flexibly and which prevents a third party from impersonating a user
who holds decryption authorization in order to use the system improperly.

When a client receives an enciphered file, a decryptor ID, a creator ID, and
a first enciphered session key are transmitted to a key management server 10
(step 141). It is then judged whether the creator ID is stored in a
management database as a decryption object ID in correspondence with the
decryptor ID (step 147). When the creator ID is so stored, the first
enciphered session key is deciphered with the inherent key corresponding to
the creator ID in the management database (step 148), and the obtained
session key is enciphered with the public key corresponding to the decryptor
ID (step 149), giving a second enciphered session key. The client that
receives the second enciphered session key deciphers it with its secret key
to obtain the session key, and the enciphered data is then deciphered with
that session key.
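The server-side check and re-enciphering of steps 147 to 149, followed by the client's unwrap, as an added example that is not part of the original text. The class, function and ID names are hypothetical, and the two ciphers are insecure toy stand-ins (an HMAC keystream XOR and textbook RSA with constructed parameters) chosen only so the flow runs with the Python standard library.

```python
import hashlib, hmac, secrets

# Toy stand-ins (standard library only, NOT secure): an HMAC keystream XOR for
# the inherent-key cipher and textbook RSA for the public-key step.
def xor_stream(key: bytes, data: bytes) -> bytes:
    stream = hmac.new(key, b"session-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))  # data is <= 32 bytes here

P, Q, E = 2**127 - 1, 2**89 - 1, 65537        # constructed demo parameters
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D: decryptor's secret key

class KeyManagementServer:
    def __init__(self):
        self.inherent_keys = {}       # creator ID -> inherent key
        self.public_keys = {}         # decryptor ID -> (n, e)
        self.decryption_objects = {}  # decryptor ID -> allowed creator IDs

    def rewrap(self, decryptor_id, creator_id, first_enc_key):
        # Step 147: creator ID must be a decryption object ID of this decryptor.
        if creator_id not in self.decryption_objects.get(decryptor_id, set()):
            raise PermissionError("no decryption authorization")
        # Step 148: recover the session key with the creator's inherent key.
        session_key = xor_stream(self.inherent_keys[creator_id], first_enc_key)
        # Step 149: encipher it under the decryptor's public key.
        n, e = self.public_keys[decryptor_id]
        return pow(int.from_bytes(session_key, "big"), e, n)

def client_unwrap(second_enc_key: int, d: int, n: int) -> bytes:
    return pow(second_enc_key, d, n).to_bytes(16, "big")

def demo():
    kms = KeyManagementServer()
    kms.inherent_keys["creator-A"] = secrets.token_bytes(32)
    kms.public_keys["user-B"] = (N, E)
    kms.decryption_objects["user-B"] = {"creator-A"}
    session_key = secrets.token_bytes(16)
    first = xor_stream(kms.inherent_keys["creator-A"], session_key)  # step 141 input
    recovered = client_unwrap(kms.rewrap("user-B", "creator-A", first), D, N)
    # Changing authorization is a database edit; the file itself is untouched.
    kms.decryption_objects["user-B"].discard("creator-A")
    try:
        kms.rewrap("user-B", "creator-A", first)
        revoked = False
    except PermissionError:
        revoked = True
    return recovered == session_key, revoked

if __name__ == "__main__":
    print(demo())
```

Because the server returns the session key enciphered under the public key registered for the decryptor ID, a requester who merely claims that ID without holding the matching secret key cannot recover the session key.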