JP2011048526A - Information device and authentication program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information device wherein authentication processing to a connected computer is completed on the information device side. <P>SOLUTION: This information device transmits first test request information to the connected first computer via a communication part recognizable as a network device by the computer when the information device is connected with the computer, holds a first port number used for the transmission of the first test request information when receiving first test response information from the first computer to the first test request information, collates a combination between the held first port numbers and a combination between previously held identification port numbers each for identifying the computer, and authenticates the first computer. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present embodiment relates to an information apparatus that performs authentication processing on a connected computer.

  Leakage of information including customer information and important company data is a problem. For example, there are many cases of leakage via a portable medium such as a portable memory device (so-called USB memory device) conforming to the USB (Universal Serial Bus) standard. Therefore, in order to prevent information leakage from the USB memory device, products that require a password to access a storage area of the USB memory device and products that require a fingerprint input are in circulation.

  In addition, a portable device is disclosed in which when a portable device is connected to a host device, the host device can identify the portable device and establish a communication link with the host device (for example, Patent Document 1).

JP 2006-114048 A

  In many cases, a product that requires a password or a product that requires a fingerprint input to access a storage area of a conventional USB memory device is connected to a computer, and an authentication process is performed between the product and the computer. However, from the viewpoint of security, it is desirable that the authentication process is completed by each device.

  Therefore, an information device is provided in which authentication processing for a connected computer is completed on the information device side.

  When connected to a computer, the information apparatus according to an example of the present embodiment can be recognized as a network device by the computer based on a device driver activated in the computer, and can communicate with the computer. A communication unit that enables communication, a storage unit that stores an identification port number that is a port number for identifying a computer, and first test request information for a first computer connected via the communication unit When the first test response information from the first computer for the first test request information is received, the first port number used for transmitting the first test request information is held. The combination of the held first port number and the combination of the identification port information are collated, and the first compilation is performed based on the collation result. Including an authentication unit that performs authentication of over data, the.

  An authentication program executed by a control unit of an information device connectable to a computer according to an example of the present embodiment is connected to a computer based on a device driver activated on the computer when connected to the computer. The first test request information is transmitted to the first computer connected via the communication unit provided in the information device that can be recognized as the computer and enables communication with the computer. The first port number used for transmission of the first test request information is held when transmission processing and first test response information from the first computer for the first test request information are received. A combination of the holding process, the held first port number, and an identification port which is a port number for identifying the computer. Collating the combination of preparative information to execute an authentication process for authenticating said first computer based on the collating result, to the control unit.

  According to the information apparatus in the embodiment of the present invention, the authentication process for the connected computer can be completed on the information apparatus side.

The structure for implement | achieving correlation of PC100 and a USB memory device is shown. A state when the USB memory device 200 is connected to the PC 100 is shown. The state where the application program 231 is loaded on the PC 100 and the process 101 is activated is shown. The sequence of association of the PC 100 and the USB memory device 200 (controller 240) by the process 101 is shown. The sequence performed when using the USB memory device 200 for which the association processing with the PC 100 has been completed is shown. An example of the entire configuration of the USB memory device 201 in this embodiment (a state before the PC 100 recognizes a network device) is shown. 2 shows an example of the entire configuration of a USB memory device 201 in the present embodiment (a state in which a PC 100 recognizes a network device 500). An example of an internal structure of the microcomputer 600 in this embodiment is shown. An example of a sequence from a network address assignment process performed by the PC 100 to an IP address acquisition of the PC 100 by the USB memory device 201 executed as a premise of the association between the PC 100 and the USB memory device 201 in the present embodiment is shown. It is a figure for demonstrating 3WAY-HandShake. An example of a sequence when a TCP connection is attempted to the port of the PC 100 set to DROP a TCP reception packet in which the SYN flag is set in the present embodiment is shown. An example of a sequence when a SYN packet is transmitted to a port capable of receiving a SYN packet in the present embodiment is shown. An example of the port number stored in the port number storage area 601 after the port scan is performed for a predetermined range of port numbers is shown. An example of the whole control flow by the microcomputer 600 in this embodiment is shown. An example of the association setting process flow in this embodiment is shown. An example of the authentication processing flow with respect to the computer connected by the USB memory device in this embodiment is shown.

  In order to prevent information leakage through the USB memory device, a technique for associating the USB memory device with a PC so that the USB memory device can be used only in a specific computer is conceivable. That is, in order to use a portable storage device such as a USB memory device only on the owner's PC, it is possible to associate it with the PC at the first use and make it unavailable on other PCs. As a technique for associating the USB memory device with the PC so that the USB memory device can be used only in a specific computer PC, for example, the following can be considered.

  First, a unique ID of a PC that is permitted to be used (such as a BIOS ID) and an automatic startup application program for associating the ID are stored in advance in the USB memory device. When the USB memory device is connected to the PC, the application program is read and activated on the PC, and a unique ID stored in a predetermined position of the PC is read.

  Then, the application program collates the ID read from the PC with the ID stored on the USB memory device. As a result of the collation, if both IDs match, the application program permits the use of the USB memory device, and prohibits access to the USB memory device if they do not match. A technique for associating a USB memory device with a PC will be described below. In the following description, the portable medium is described as a USB memory device, but the present invention is not limited to this.

  FIG. 1 shows a configuration for realizing the association between the PC 100 and the USB memory device. The USB memory device 200 is in a state before being connected to the PC 100. At this time, the association between the PC 100 and the USB memory device 200 is not performed. The ROM 230 is a read-only memory. The ROM 230 stores an application program 231 that controls association between the PC 100 and the USB memory device 200.

  The memory 220 is a flash memory for storing data and the like. The memory 220 stores content 221 to be protected. The USB hub 210 is a hub device for showing the ROM 230 and the memory 220 to the PC 100 side.

  The controller 240 is a device that receives a control command from the application program 231 and instructs the USB hub 210 to show the memory 220 to the PC 100 side. In addition, an association storage area 241 for storing association information with the PC 100 is provided.

  FIG. 2 shows a state when the USB memory device 200 is connected to the PC 100. The USB connector of the USB memory device 200 is connected to the USB connector of the PC 100. Then, the PC 100 can refer to the ROM 230 and the controller 240 via the USB hub 210.

  Then, the user who uses the PC 100 activates the application program 231 on the ROM 230. Alternatively, the application program 231 is automatically started by an automatic start function of an operation system (hereinafter referred to as “OS”. For example, Windows (registered trademark) is used as the OS in this embodiment).

  FIG. 3 shows how the application program 231 is loaded on the PC 100 and the process 101 is activated. In FIG. 3, the application program 231 stored in the ROM 230 is loaded into a RAM (Random Access Memory) provided in the PC 100 via the USB hub 210. The application program 231 is executed on the PC 100 as the process 101.

  FIG. 4 shows a sequence of associating the PC 100 and the USB memory device 200 (controller 240) by the process 101. The process 101 started from the USB memory device 200 on the PC 100 extracts a unique ID (PCID) assigned to the PC 100 from the PC 100. The PCID is, for example, a MAC address assigned to the network card or a BIOS-ID assigned to the BIOS in the PC 100. The process 101 transfers the extracted PCID to the USB memory device 200.

  The controller 240 has an association storage area 241 for storing the PCID. The controller 240 stores the PCID received from the PC 100 in the association storage area 241. Thereby, the PCID of the PC 100 is set in the controller 240 (S1).

After completing the setting of the PCID, the process 101 notifies the controller 240 that the binding phase is completed (S2).
FIG. 5 shows a sequence performed when the USB memory device 200 that has been associated with the PC 100 is used. First, the USB connector of the USB memory device 200 that has been associated with the PC 100 described in FIG. 4 is connected to the USB connector of the PC 100.

  Then, the process 101 on the PC 100 extracts the PCID of the PC 100 from the PC 100 as described above. Then, in order to confirm whether the PC connected to the USB memory device 200 is the PC 100 associated through the sequence of FIG. 4, the process 101 transmits the PCID to the controller 240 together with the confirmation request (S11). ).

  When receiving the confirmation request, the controller 240 compares the PCID stored in S1 of FIG. 4 with the PCID sent from the process 101 in S11. As a result of the comparison, if the PCIDs match, the controller 240 determines that the PC is associated with the USB memory device 200 in advance. If the PCID does not match, the controller 240 determines that the PC is not associated.

In the case of an unassociated PC, processing such as erasing information of the memory 220 or invalidating the function of the memory 220 is performed.
However, in this method, the application program 231 of the USB memory device 200 must be activated on the PC 100 in order to confirm whether the PC 100 is associated.

  If the application program 231 is not activated, even if the USB memory device 200 is connected to a PC not associated in advance, processing such as invalidating the function of the USB memory device 200 cannot be performed.

  As described above, in the case of FIGS. 1 to 5, the application program 231 for associating the PC 100 with the USB memory device 200 needs to be executed on the PC 100 side. Since the PC 100 cannot be trusted (is a black box) for the USB memory device 200 side, there is a problem with such a configuration. That is, from the viewpoint of security, it is desirable that the association mechanism is completed within the USB memory device.

  Therefore, in this embodiment, the connected computer is recognized as a network device, and a program for confirming the association between the PC and the USB memory device is executed. This program sends a predetermined test request packet (a packet whose behavior unique to the PC can be discriminated from the network, for example, a packet for confirming the opening / closing status of a specific port) to the computer by network connection. . Then, the program receives a test response for the packet. Then, when the PC confirms that the PC is associated with the USB memory device in advance, the program permits the computer to access the memory.

  With this configuration, the mechanism for determining the association between the PC and the USB memory device is completed within the USB memory device. Therefore, even if it is assumed that the PC is not reliable, it can be safely determined whether the PC and the USB memory device are associated with each other.

  In the following, the association process with the PC performed at the initial stage of the USB memory device 201 will be described with reference to FIGS. 6 to 13, and the entire process including the PC authentication process by the USB memory device 201 will be described with reference to FIG. 16 will be described.

FIG. 6 shows an example of the entire configuration of the USB memory device 201 in this embodiment (a state before the PC 100 recognizes a network device).
The USB memory device 201 includes a USB hub 210, a ROM 230, a memory 220, a controller 240, a network device, and a microcomputer (hereinafter referred to as “microcomputer”) 600. FIG. 6 is obtained by adding a network device 500 and a microcomputer 600 to the configuration of FIG.

  The USB hub 210 is a hub device for switching between the network device 500, the ROM 230, and the memory 220 and showing them to the PC 100 side. The UBS hub 210 is switched so that only the network device 500 can be seen from the PC 100 side when the USB memory device 201 is connected to the PC 100.

The network device 500 is a device for controlling communication with the PC 100 by connecting to the network, and has a MAC address, for example.
When the USB memory device 201 is connected and the network device 500 is detected, the OS on the PC 100 side reads and installs the driver of the network device 500 stored in advance.

  Note that the driver of the network device 500 may be stored in the UBS memory device 201 so that the driver of the network device 500 can be installed in the PC 100 when the OS of the PC 100 is not held in advance.

  Thereafter, the OS on the PC 100 side performs processing for assigning a network address. As an address assignment method, there are methods such as DHCP (Dynamic Host Configuration Protocol) and AutoIP.

  The microcomputer 600 controls setting processing and authentication processing for authentication of the PC 100 connected to the USB memory device 201. The microcomputer 600 includes a non-volatile memory having a port number storage area 601 in which the port number of the PC 100 can be stored in order to identify the PC 100.

  When the authentication of the PC 100 by the microcomputer 600 is successful, the controller 240 causes the USB hub 210 to switch the device shown on the PC 100 side from the network device 500 to the ROM 230 and the memory 220 based on the control of the microcomputer 600.

FIG. 7 shows an example of the entire configuration of the USB memory device 201 in this embodiment (a state where the PC 100 recognizes the network device 500).
The device driver 110 and the network stack 120 are installed in the OS (Windows (registered trademark)) of the PC 100 and are activated. The device driver 110 is a driver for the network device 500 installed above. With the device driver 110, the PC 100 can recognize the network device 500 as a device existing on the network.
The network stack 120 performs a communication protocol analysis on a packet transmitted from the USB memory device 201 via the device driver 110.

FIG. 8 shows an example of the internal configuration of the microcomputer 600 in the present embodiment. The microcomputer 600 includes a packet reception unit 611, a packet analysis unit 612, a packet transmission unit 613, and a nonvolatile memory 603.
The packet receiving unit 611 receives a packet (for example, DHCP-DISCOVERY, the IP address of the PC 100, etc.) transferred from the network device 500 from the PC 100.

  The packet analysis unit 612 analyzes the received packet. If the packet analysis unit 612 determines that it is DHCP-DISCOVERY as a result of the analysis, the packet analysis unit 612 generates a RARP packet without returning a response to the DHCP-DISCOVERY. Also, the packet analysis unit 612 generates a TCP packet using the acquired IP address within a range of port numbers set in advance, and performs port scanning. Further, the packet analysis unit 612 stores the IP address of the PC 100 sent from the PC 100 and the port number obtained by the port scan in the nonvolatile memory 603. Here, the port number refers to an identification number of a network application program in communication between devices on a communication network.

  The packet transmission unit 613 transfers the RARP packet, the TCP packet, etc. generated by the packet analysis unit 612 to the network device 500 in order to transfer to the PC 100.

  The nonvolatile memory 603 has a port number storage area 601 and an IP address storage area 602. The port number storage area 601 can hold, for example, one or more port numbers (for example, port 1, port 2, port 3, etc.).

  The IP address storage area 602 stores the IP address of the PC 100 acquired from the PC 100. The IP address storage area 602 may be stored in a storage device different from the nonvolatile memory 603, and in that case, may be a volatile memory.

  In the initial state, in the port number storage area 601, for example, 0 is set to each of the ports 1 to 3. The IP address “0.0.0.0” is set in the IP address storage area 602.

The USB memory device 201 and the microcomputer 600 include the above-described components. An example of specific processing by these components will be described later in order.
First, as will be described later, when the association process between the USB memory device 201 and the PC 100 is performed, the USB memory device 201 performs a port scan on the PC 100. Therefore, the USB memory device 201 needs the network address of the PC 100 as a premise of the port scan. Therefore, a process for acquiring the network address of the PC 100 by the USB memory device 201 will be described with reference to FIG.

  FIG. 9 shows an example of a sequence from the network address assignment processing by the PC 100 to the acquisition of the IP address of the PC 100 by the USB memory device 201 executed as a premise of the association between the PC 100 and the USB memory device 201 in this embodiment.

  When acquiring the network address of the PC 100, an address assignment process is performed by the PC 100 as a previous step. As described above, there are methods such as DHCP (Dynamic Host Configuration Protocol) and AutoIP as address assignment methods. This time, AutoIP (Automatic Private IP Addressing) will be described as one example of network address assignment.

  First, the network stack 120 transmits DHCP-DISCOVERY to the microcomputer 600 via the device driver 110 and the network device 500 (S21-S23).

  The microcomputer 600 analyzes the transmitted packet. As a result of the analysis, if it is determined that the packet is a packet indicating DHCP-DISCOVERY, the microcomputer 600 does not send a reply to the DHCP-DISCOVERY (S24).

  As a result, the response time for DHCP-DISCOVERY times out. When the time-out occurs, the network stack 120 starts a process of automatically assigning IP addresses to the PC 100 and the network device 500 in the PC 100 (S25). That is, when the network stack 120 determines that there is no response to DHCP-DISCOVERY (= no DHCP server), the AutoIP function is started. In the AutoIP function, the IP address of the network device 500 is appropriately selected and determined from the range of 169.254.0.0 to 169.250.2555.255 by the network stack 120. At this time, the OS of the PC 100 holds information that associates the IP address of the PC 100 with the IP address of the network device 100.

  Even in the case of DHCP, as in the case of AutoIP, the network stack 120 assigns the network device 500 and creates information in which the IP address of the PC 100 and the IP address of the network device 100 are associated with each other.

Next, the IP address acquisition sequence of the PC 100 by the USB memory device 201 will be described.
On the USB memory device 201 side, when receiving the DHCP-DISCOVERY from the network stack 120, the microcomputer 600 issues a RARP (Reverse Address Resolution Protocol). RARP is a protocol for obtaining an IP address assigned to a network device having a specific MAC address. The RARP is transferred to the network stack 120 via the network device 500 and the device driver 110 (S31-S33).

In response to the RARP, the network stack 120 transmits the IP address assigned to the PC 100 in S25 to the microcomputer 600 (S34).
When the IP address of the PC 100 transmitted from the network stack 120 is received as an RARP response, the microcomputer 600 can detect that the network stack 120 has assigned an IP address to the PC 100 and the network device 500. The microcomputer 600 stores the received IP address of the PC 100 in the port number storage area 601.

  Next, the association between the PC 100 and the USB memory device 201 will be described. The user changes the default firewall setting of the associated PC 100 in advance. Specifically, in the firewall setting of the PC 100, for example, the operation at the time of receiving a SYN packet for a port indicated by one or more arbitrary port numbers in the range of port numbers 41000 to 42000 is changed to other values in the range. Set the operation different from the port indicated by the port number. The combination of the set arbitrary port numbers can be identification information for identifying the PC 100. That is, when the USB memory device 201 performs port scan of the range of port numbers 41000 to 42000 with respect to the PC 100, the combination of the port numbers used for the port scan when there is a response to the port scan is identified with the identification information of the PC 100. It can be. Further, when the USB memory device 201 performs port scan on the range of port numbers 41000 to 42000 with respect to the PC 100, the combination of the port numbers used for the port scan when there is no response to the port scan is identified with the identification information of the PC 100. It is good.

  It is assumed that the user is notified in advance that the USB memory device 201 performs port scanning for ports in the range of port numbers 41000 to 42000. The port scan is performed according to 3WAY-HandShake, which is a procedure for establishing a connection by TCP (Transmission Control Protocol).

  FIG. 10 is a diagram for explaining 3WAY-HandShake. In this embodiment, the client CL corresponds to the USB memory device 201, and the server SV corresponds to the PC 100.

  Here, in 3WAY-HandShake, for example, the port indicated by port numbers 41001, 41020, and 41100 is set to receive a TCP reception packet in which the SYN flag is set from the USB memory device 201. And Further, it is assumed that the firewall function of the PC 100 is set to drop the TCP reception packet in which the SYN flag is set for the ports indicated by the port numbers other than these.

  Now, TCP connection by 3WAY-HandShake will be described. At the time of TCP connection by 3WAY-HandShake, a SYN packet is transmitted from the client CL (= 201) to the server SV (= 100) for each of the ports indicated by the port numbers 41001, 41020, and 41100 (S41).

  The server SV (= 100) that has received the SYN packet sends ACK for the SYN packet and SYN from the server SV (= 100) to the client CL (= 201) in the form of SYN + ACK (S42).

  The client CL (= 201) returns an ACK for the SYN + ACK (S43). The PC 100 replies up to SYN + ACK for the ports indicated by the port numbers 41001, 41020, 41100 (S32). However, it is assumed that the PC 100 is set to drop the TCP reception packet with the ACK flag set (in S33, the PC 100 DROPs the ACK transmitted from the USB memory device 201).

  Next, port scanning using this 3WAY-HandShake will be described. In advance, in 3WAY-HandShake, for example, the user performs setting so that the TCP reception packet in which the SYN flag is set from the USB memory device 201 is received for the ports indicated by the port numbers 41001, 41020, and 41100. . For the ports indicated by other port numbers, the firewall function of the PC 100 is set so as to drop the TCP reception packet in which the SYN flag is set. Thereby, the characteristics of the PC 100 can be expressed.

  First, the microcomputer 600 uses the IP address of the PC 100 acquired from the PC 100 to perform port scanning for each port included in the range of the port numbers 41000 to 42000 of the PC 100.

  Specifically, using the acquired IP address of the PC 100, a TCP connection is attempted to each port in the range of the port numbers 41000 to 42000 of the PC 100 by 3WAY-HandShake as described in FIG. The following is a sequence for establishing a TCP connection to a port that is set to DROP a TCP reception packet with the SYN flag set (FIG. 11). When a SYN packet is transmitted to a port that can receive the SYN packet The sequence (FIG. 12) will be described.

  FIG. 11 shows an example of a sequence when a TCP connection is attempted to the port of the PC 100 set to DROP the TCP reception packet in which the SYN flag is set in the present embodiment.

  The microcomputer 600 transmits a TCP-SYN packet to the port indicated by the port number 41000 of the PC 100 via the network driver 500 and the device driver 110 using the IP address of the PC 100 acquired from the network stack 120 (S51). -S53).

  As described above, the setting of the firewall function of the PC 100 is configured to drop the TCP reception packet in which the SYN flag is set for the ports indicated by port numbers other than the port numbers 41001, 41020, and 41100. Therefore, the network stack 120 DROPs (discards) the TCP-SYN packet for the port indicated by the received port number 41000 (S54).

  FIG. 12 shows an example of a sequence when a SYN packet is transmitted to a port capable of receiving a SYN packet in the present embodiment. The microcomputer 600 transmits a TCP-SYN packet to the port indicated by the port number 41001 of the PC 100 via the network driver 500 and the device driver 110 using the IP address of the PC 100 acquired from the network stack 120 (S61). -S63).

  The SYN reception packet is a SYN reception packet for the port indicated by the port number 41001 that can receive the SYN packet. Therefore, the network stack 120 returns a SYN + ACK packet to the microcomputer 600 via the device driver 110 and the network driver 500 (S64-S66).

  The microcomputer 600 receives a response packet (SYN + ACK packet) for the port scan. Then, as will be described with reference to FIG. 13, the microcomputer 600 stores the port number used for the port scan when the response packet is received.

  FIG. 13 shows an example of the port number stored in the port number storage area 601 after the port scan is performed for a predetermined range of port numbers. The port number used for the port scan when the SYN + ACK packet is received is stored in the port number storage area 601 as shown in FIG. At this point, the association between the PC 100 and the USB memory device 201 is completed. That is, the initial setting of the USB memory device 201 is completed.

  A combination of port numbers stored in the port number storage area 601 after the port scan can be identification information for identifying the PC 100. As described above, in order to identify the PC 100, a response packet is set to be transmitted to a port indicated by one or more arbitrary port numbers in accordance with the PC 100. Therefore, when the response packet is received, the combination of port numbers used in the port scan can be identification information for identifying the PC 100. In the example of FIG. 13, the combination of the port numbers 41001, 41020, and 41100 is the identification number of the PC 100 associated with the USB memory device 201.

Next, it will be described that the USB memory device 201 associated with a specific PC authenticates the PC 100 connected to the USB memory device 201.
When the USB memory device 201 is used by connecting the USB memory device 201 to an arbitrary computer, the IP address of the PC 100 is acquired as described with reference to FIG. 9, and the port number 41000 as described with reference to FIGS. A port scan is performed for ports indicated in the range of 42000. At this time, the microcomputer 600 retains the port number used in the port scan when the SYN + ACK packet is received.

  After the port scan is completed, it is determined whether or not the retained port number combination matches the port number combination stored in the port number storage area 601. When the held combination of port numbers matches the combination of port numbers stored in the port number storage area 601, the microcomputer 600 determines that the PC 100 is the PC 100 associated in advance. In this case, the microcomputer 600 instructs the controller 240 to switch. Based on this switching instruction, the controller 240 causes the USB hub 210 to switch the device shown on the PC 100 side from the network device 500 to the ROM 230 and the memory 220. Thereby, the function of the USB memory device 201 can be validated for the PC 100.

  On the other hand, if the combination of the held port numbers does not match the combination of the port numbers stored in the port number storage area 601 after the port scan ends, the microcomputer 600 indicates that the PC 100 is associated with the PC 100 associated in advance. Judge that there is no. In this case, the microcomputer 600 does not instruct the controller 240 to switch. Therefore, the function of the USB memory device 201 does not become effective for the PC 100.

  In the above, the present embodiment has been described focusing on the sequence between the PC 100 and the UBS memory device 200a. In the following, focusing on the microcomputer 600, the contents described with reference to FIGS. 9 to 12 will be described with reference to FIGS.

  FIG. 14 shows an example of the overall control flow by the microcomputer 600 in this embodiment. First, the USB memory device 201 is connected to the PC 100 by the user. Then, after the PC 100 recognizes the network device 500 of the USB memory device 201, a DHCP-DISCOVERY packet is transmitted from the PC 100. The microcomputer 600 receives the transmitted packet (S101). The microcomputer 600 analyzes the transmitted packet, and if the result of the analysis indicates that the packet indicates DHCP-DISCOVERY, the microcomputer 600 does not send a reply to the DHCP-DISCOVERY.

  Then, the microcomputer 600 transmits RARP to the PC 100 (S102). The microcomputer 600 receives the IP address of the PC 100 transmitted from the PC 100 as a response to this RARP. The microcomputer 600 sets the received IP address of the PC 100 in the IP address storage area 602 (S103).

  At this time, if all the port numbers stored in the port number storage area 601 are 0 (“Yes” in S104), the microcomputer 600 performs an association setting process (FIG. 15) (S105). On the other hand, if any of the port numbers stored in the port number storage area 601 is not 0 (“Yes” in S104), the microcomputer 600 authenticates the computer connected when using the USB memory device 201 (see FIG. 16) is performed (S106).

  FIG. 15 shows an example of an association setting process flow in the present embodiment. FIG. 15 shows port number setting processing performed at the time of initial setting of the USB memory device 201. FIG. 15 corresponds to the processing of the microcomputer 600 in FIGS. 11 and 12.

  The microcomputer 600 transmits a TPC-SYN packet to the port indicated by the port number i (i = 41000 to 42000) of the PC 100 to be port scanned (S111).

  The microcomputer 600 determines whether the packet returned from the PC 100 is SYN + ACK (S112). If the packet returned from the PC 100 is not SYN + ACK (“No” in S112), the microcomputer 600 increments the port number i (S115) and returns to the processing of S111.

  When the packet returned from the PC 100 is SYN + ACK (“Yes” in S112), the microcomputer 600 stores the port number i used in the TPC-SYN packet transmission (S111) in the port number storage area 601 (S113).

  Then, the microcomputer 600 determines whether all the port numbers to be stored in advance in the port number storage area 601 are not 0, or the port to be scanned has ended. If any of the port numbers to be stored in advance in the port number storage area is 0 (“No” in S114), or if all the ports to be scanned have not been scanned (“No” in S114), the microcomputer 600 Increments the port number i (S115) and returns to the processing of S111.

  The microcomputer 600 determines that all the port numbers to be stored in the port number storage area 601 are not all 0 (“Yes” in S114) or the scanning of all the ports to be scanned is completed (“Yes” in S114). The flow in FIG. 15 ends.

  Thus, at this point, the association between the PC 100 and the USB memory device 201, that is, the initial setting of the USB memory device 201 is completed. As a result, a combination of port numbers stored in the port number storage area 601 can be used as identification information of the PC 100.

FIG. 16 shows an example of an authentication processing flow for a computer connected by the USB memory device in the present embodiment.
The microcomputer 600 transmits a TPC-SYN packet to the port indicated by the port number i (for example, i = 41000 to 42000) of the PC 100 that is the port scan target (S121).

  The microcomputer 600 determines whether or not the packet returned from the PC 100 is SYN + ACK (S122). If the packet returned from the PC 100 is not SYN + ACK (“No” in S122), the microcomputer 600 increments the port number i (S125), and returns to the processing of S111.

  If the packet returned from the PC 100 is SYN + ACK (“Yes” in S122), the microcomputer 600 indicates that the port number used in the TPC-SYN packet transmission (S121) corresponding to the received SYN + ACK packet is the port number storage area. It is determined whether it matches any of the port numbers stored in 601 (S123).

  If the port number used for the TPC-SYN packet transmission (S121) corresponding to the received SYN + ACK packet does not match any of the port numbers stored in the port number storage area 601 (“No” in S123), the microcomputer 600 The PC 100 is determined not to be associated with the PC 100 in advance, and the flow of FIG. 16 is terminated (authentication failure).

  If the port number used for the TPC-SYN packet transmission corresponding to the received SYN + ACK packet matches any of the port numbers stored in the port number storage area 601 (“Yes” in S123, “No” in S124), The microcomputer 600 increments the port number i (S125) and returns to the process of S111. Steps S121 to S125 are repeated until all the scans for the port scan target ports are completed.

  If the combination of port numbers used for TPC-SYN packet transmission corresponding to the received SYN + ACK packet matches the combination of port numbers stored in the port number storage area 601, the microcomputer 600 indicates that the PC 100 is associated in advance. It is determined that the PC 100 is present (authentication successful).

  When the authentication is successful, the microcomputer 600 instructs the controller 240 to switch. Based on this switching instruction, the controller 240 causes the USB hub 210 to switch the device shown on the PC 100 side from the network device 500 to the ROM 230 and the memory 220. Thereby, the function of the USB memory device 201 becomes effective.

  In this embodiment, a USB standard memory device is used, but the present invention is not limited to this, and other standards such as IEEE 1394, PCI, and PCI Express may be used. The device is not limited to the memory device, and may be any device connected to a computer such as a digital camera, a printer, a hard disk drive, and a mouse. In this embodiment, AutoIP is used as the address assignment method. However, the present invention is not limited to this, and DHCP or other address assignment methods may be used. The numerical values used in the present embodiment are examples, and are not limited to the numerical values.

  According to this embodiment, the USB memory device is pretending to be a general-purpose network device. When communication is possible on the PC side, dummy communication is started from the USB memory device side to the PC. The USB memory device can detect the characteristics of the PC through the dummy communication and determine whether the PC is a specific PC. Thereby, when the USB memory device is connected to the PC, the authentication process as to whether or not the PC is associated with the USB memory device in advance can be completed in the USB memory device. Then, the USB memory device can enable its function only for a specific computer based on the authentication result.

  Accordingly, it is sufficient that the PC side can recognize the USB memory device as a network device and be in a communicable state, and an authentication process does not occur and the authentication process is not executed on the PC side. Therefore, when authenticating the computer, the authentication can be performed without depending on the computer. That is, the independence of the authentication process can be improved from the USB memory device. As a result, unauthorized access to the USB memory device can be avoided and security can be improved.

As described above, the information device according to the present embodiment includes a communication unit, a storage unit, and an authentication unit.
When connected to a computer, the communication unit can be recognized as a network device by the computer based on a device driver activated in the computer, and enables communication with the computer. For example, the communication unit corresponds to the network device 500 in the present embodiment.

  The storage unit stores an identification port number that is a port number for identifying a computer. More specifically, second test response information from the second computer with respect to second test request information (TPC-SYN packet) transmitted to the second computer connected via the communication unit. When (SYN + ACK packet) is received, the second port number used for transmitting the second test request information is stored. Here, the second computer is set to operate differently from the ports indicated by other port numbers when the test request information is received for one or more ports. The storage unit corresponds to, for example, the port number storage area 601 in this embodiment.

  The authentication unit transmits first test request information to the first computer connected via the communication unit, and the first test response from the first computer with respect to the first test request information Holding the first port number used to transmit the first test request information when the information is received, checking the combination of the held first port number and the combination of the identification port information, The first computer is authenticated based on the collation result. That is, the authentication unit performs a port scan on the connected first computer within a predetermined port number range, and receives the first test response information from the first computer for the port scan. In this case, the first port number used for the port scan is retained, and the combination of the first port number and the combination of the identification port information are collated to authenticate the first computer Can do. For example, in this embodiment, the authentication unit corresponds to the microcomputer 600 or the packet analysis unit 612.

  By configuring in this way, after making the PC recognize the communication unit of the information device, it is used when the test request information is transmitted by the information device when there is test response information for the transmitted test request information. The combination of the port information and the combination of the port information held in advance as PC identification information can be collated to authenticate the PC. As a result, the computer only needs to be able to recognize the information device as a network device and be able to communicate, and the computer does not generate an authentication process. Therefore, the authentication process can be completed in the information device. Therefore, unauthorized access to the information device can be avoided, and the security for the information device can be further improved.

The information device further includes a switching unit and a switching control unit.
The switching unit switches whether to enable the function of the information device for the first computer. For example, in the present embodiment, the switching unit corresponds to the USB hub 210.

The switching control unit controls switching of the switching unit based on a collation result by the authentication unit. For example, in this embodiment, the switching control unit corresponds to the controller 240.
With this configuration, access to the information apparatus can be permitted only to an authenticated computer. Note that the information device may be a portable storage medium as an example.

  The embodiment of the present invention is not limited to the above-described embodiment, and various configurations or embodiments can be taken without departing from the gist of the present invention.

100 PC
101 Process 120 Network stack 200, 201 USB memory device 210 USB hub 220 Memory 221 Content 230 ROM
231 Application program 240 Controller 241 Association storage area 500 Network device 600 Microcomputer 601 Port number storage area 602 IP address storage area 603 Non-volatile memory 611 Packet reception unit 612 Packet analysis unit 613 Packet transmission unit

Claims (6)

A communication unit that, when connected to a computer, can be recognized as a network device by the computer based on a device driver activated in the computer, and enables communication with the computer;
A storage unit that stores an identification port number that is a port number for identifying a computer;
The first test request information is transmitted to the first computer connected via the communication unit, and the first test response information from the first computer with respect to the first test request information is received. The first port number used for transmission of the first test request information is stored, the combination of the stored first port number and the combination of the identification port information are verified, and based on the verification result An authentication unit for authenticating the first computer;
An information device comprising: The storage unit is a second computer connected via the communication unit, and when receiving test request information for one or more ports, the storage unit operates differently from ports indicated by other port numbers. Used to transmit the second test request information when receiving the second test response information from the second computer for the second test request information transmitted to the second computer set to The information device according to claim 1, wherein the port number is stored as the identification port number. When the authentication unit performs a port scan on the connected first computer within a range of a predetermined port number, and receives the first test response information from the first computer for the port scan The first port number used for the port scan is held, and the combination of the first port number and the combination of the identification port information are collated to authenticate the first computer. The information device according to claim 1 or 2. The information device further includes:
A switching unit for switching whether to enable the function of the information device for the first computer;
Based on the verification result by the authentication unit, a switching control unit that controls switching of the switching unit,
The information apparatus according to any one of claims 1 to 3, further comprising: The information device according to claim 1, wherein the information device is a portable storage medium. An authentication program executed by a control unit of an information device connectable to a computer,
When connected to a computer, the information device is capable of being recognized as a network device by the computer based on a device driver running on the computer and enabling communication with the computer. A transmission process for transmitting the first test request information to the first computer connected via the communication unit;
A holding process for holding the first port number used to transmit the first test request information when the first test response information from the first computer is received with respect to the first test request information;
An authentication process for verifying the combination of the held first port number and the combination of identification port information, which is a port number for identifying a computer, and authenticating the first computer based on the verification result; ,
Is executed by the control unit.