JP2011233087A - Storage, control method and computer program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide storage having more improved security.SOLUTION: The storage 1 which is connectable to an information processor 2 comprises: a nonvolatile memory 12 for storing encrypted data; a storage section of a control unit 11 for storing delete schedule time which indicates time of data to be deleted; a key/data deleting section 107 for disabling access to data by deleting an encryption key necessary for decryption when current time reaches the delete schedule time, irrespective of whether or not the storage 1 is connected to the information processor 2.

Description

  The present invention relates to a storage device that can be connected to an information processing device.

  In recent years, portable storage devices such as USB memories have become widespread.

  A user can connect such a storage device to an information processing device such as a personal computer, and write data to the storage device or read data from the storage device.

  Portable storage devices are generally easy to handle, easy to handle, compact and suitable for carrying around, so they are useful when you want to take data stored in one information processing device and use it in another information processing device. It is.

  However, due to its ease of handling and compactness, users often forget to unplug it while it is plugged into an information processing device or lose it while carrying it. It can also be stolen.

  In such a case, highly confidential information included in the data stored in the storage device may be leaked to a third party. That is, the portable storage device is convenient, but has a security problem.

  Therefore, in order to improve the security of the storage device, it is possible to remotely manipulate the information stored in the portable storage medium such as a USB memory and establish communication. There has been proposed a portable storage medium management system for erasing internal information in a timely manner even in a state where it is not (Patent Document 1).

  Further, it is determined that the deletion time for deleting the data stored in the storage device is determined, it is determined whether the deletion time has passed, it is detected that the external device is not connected, and the deletion time has passed. A storage device that deletes data from the storage means when it is determined is proposed (Patent Document 2).

JP2008-269285A JP 2009-199216 A

  The storage medium management system proposed in Patent Document 1 and the storage device proposed in Patent Document 2 are still insufficient, although some security is ensured.

  That is, in those cases, after the user leaves the seat with the storage device inserted into the information processing device, a third party refers to the data stored in the storage device on the spot or removes the storage device and takes it away. Security cannot be ensured in the event of a failure.

  The present invention has been made in view of such circumstances, and an object thereof is to provide a storage device with further improved security.

  The storage device described below is a storage device that can be connected to the information processing device, and is a first storage unit that stores data, and a second storage unit that stores a scheduled deletion time that indicates when the data is deleted. And a first access invalidating means for disabling access to the data when the current time reaches the scheduled deletion time regardless of whether or not connected to the information processing apparatus. Have.

  According to the present invention, a storage device with further improved security can be provided.

It is a figure which shows the example of the hardware constitutions of a memory | storage device. It is a figure which shows the example of a functional structure of a memory | storage device. It is a sequence diagram which shows the example of the flow of the process performed at the time of initialization of a memory | storage device. It is a figure which shows the example of an initial setting table. It is a figure which shows the example of a deletion timing list. It is a flowchart which shows the example of the flow of a process when data are preserve | saved at a memory | storage device. It is a flowchart which shows the example of the flow of the process performed when a memory | storage device is removed. It is a flowchart which shows the example of the flow of the alarm time determination process of FIG. It is a flowchart which shows the example of the flow of the process performed after a memory | storage device is removed. It is a flowchart which shows the example of the flow of a process performed when a memory | storage device is connected again. It is a flowchart which shows the example of the flow of a process performed when a memory | storage device is connected again. It is a flowchart which shows the example of the flow of a process performed when a memory | storage device is connected again.

  First, the functions of the storage device 1 according to this embodiment as shown in FIG. 1 will be described.

  The storage device 1 is a portable (removable) storage device suitable for carrying, and includes a nonvolatile memory 12 therein.

  The user can store the data to be taken out in the storage device 1 after connecting the storage device 1 to the information processing device 2 such as a personal computer used by the user and receiving authentication.

The data stored in the storage device 1 cannot be read at various timings from the viewpoint of preventing information leakage. Specifically, reading becomes impossible at the timings (1) to (9) below. However, the user or the administrator thereof can select the timing to be valid among the timings (1) to (9) below according to the purpose of use of the storage device 1.
(1) When the set date and time are reached (2) When a predetermined time has elapsed since the storage device 1 was removed from the information processing device 2 (3) Storage device in the information processing device 2 that is not permitted to connect (4) After the storage device 1 is connected to the information processing device 2, the storage device 1 is removed from the information processing device 2 without successful user authentication. (5) When a predetermined time elapses after the storage device 1 is connected to the information processing device 2 without successful user authentication (6) The storage device 1 is informed When the number of failed user authentications reaches a predetermined number after being connected to the processing device 2 (7) After the storage device 1 is connected to the information processing device 2 and the user authentication is successful, the user When a predetermined time has passed without any operation by (8) (9) When the remaining time of the secondary battery falls below a predetermined value when a predetermined time has elapsed without being removed after the intention of removing the storage device 1 from the information processing device 2 is indicated. Since the stored data cannot be read at the timing (1), the data cannot be reliably read when the set date and time are reached regardless of the usage status of the storage device 1.

  Since the data stored in the storage device 1 cannot be read at the timing (2), the data cannot be reliably read unless the storage device 1 is used for a predetermined time.

  One of the differences from the conventional storage device is that the timings (1) and (2) are not extended in principle by simply connecting the storage device 1 to the information processing device 2.

  Since the data stored in the storage device 1 cannot be read at the timings (3) to (6), the data cannot be read when an unauthorized use by a third party is suspected.

  Since the data stored in the storage device 1 cannot be read out at the timings (7) and (8) above, it is read when the user thinks that the user has forgotten to remove the storage device 1 from the information processing device 2. Is impossible.

  Since the data stored in the storage device 1 cannot be read out at the timing (9), it is impossible to execute an operation that makes the reading impossible because the remaining amount of the secondary battery is insufficient. There is nothing.

  Thus, in the storage device 1, the stored data cannot be read out at various timings, so that information leakage can be prevented.

Hereinafter, an embodiment of the storage device 1 having such a function will be described with reference to the drawings.
[Configuration of Storage Device 1]
FIG. 1 is a diagram illustrating an example of a hardware configuration of the storage device 1, and FIG. 2 is a diagram illustrating an example of a functional configuration of the storage device 1.

  As shown in FIG. 1, the storage device 1 includes a connector unit 10, a control unit 11, a nonvolatile memory 12, a hub 13, changeover switches 14a and 14b, a charging circuit 15, a secondary battery 16, a DC / DC converter 17, and It has a timer 18 and the like.

  The connector unit 10 includes a signal terminal 10a, a power supply terminal 10b, and the like, and serves as a contact point when the storage device 1 and the information processing device 2 are physically connected. The shape of the connector unit 10 is a shape corresponding to an interface used for connection between the storage device 1 and the information processing device 2. As the interface, for example, a serial interface conforming to the USB (Universal Serial Bus) standard is used.

  The storage device 1 and the information processing device 2 are electrically connected by the connector portion 10 being inserted into a corresponding connector portion provided on the information processing device 2 side. Various data are exchanged between the storage device 1 and the information processing device 2 via the signal terminal 10a. In addition, power is supplied from the information processing device 2 to the storage device 1 via the power supply terminal 10b. For example, power of + 5V DC voltage is supplied. The power supplied via the power supply terminal 10 b is supplied to each part of the storage device 1 via the DC / DC converter 17.

  The control unit 11 is a CPU (Central Processing Unit) with a built-in storage unit composed of a non-volatile memory, and is based on programs and data stored in the storage unit and various data input from the information processing apparatus 2. Thus, overall control of the storage device 1 is performed.

  The storage unit of the control unit 11 stores a program for realizing each functional unit as shown in FIG.

  Referring also to FIG. 2, the connection / disconnection detection unit 101 detects that the storage device 1 is connected to the information processing device 2 and that the storage device 1 is removed from the information processing device 2. The detection is performed by detecting whether a voltage is applied to the power supply terminal 10b or whether a current is flowing through the power supply terminal 10b.

  The power supply instructing unit 102 outputs a power on / off signal S02 to the DC / DC converter 17. The power on / off signal S02 is a level signal instructing power on or off.

  The initial setting unit 103 performs initial setting of the storage device 1 based on information input from the information processing device 2.

  The device / user authentication unit 104 authenticates the information processing device 2 to which the storage device 1 is connected and the user who uses the storage device 1.

  The alarm setting unit 105 sets the alarm time S05 in the time measuring unit 18.

  The deletion determination unit 106 determines whether or not access to data stored in the nonvolatile memory 12 is disabled.

  The key / data deleting unit 107 deletes the encryption key stored in the storage unit of the control unit 11 or the data stored in the nonvolatile memory 12.

  In addition, the storage unit of the control unit 11 stores a program for communicating with the information processing apparatus 2 in accordance with a predetermined interface.

  These programs are appropriately executed by the CPU of the control unit 11 so that various controls by the control unit 11 are realized.

  The nonvolatile memory 12 includes a data storage area, a controller for controlling writing and reading of data, and the like. The data stored in the storage area of the nonvolatile memory 12 is retained even when power is not supplied to the nonvolatile memory 12. As the non-volatile memory 12, for example, a semiconductor memory such as a flash memory is used.

  Between the signal terminal 10a and the control unit 11 and the nonvolatile memory 12, a hub 13 having two ports on the control unit 11 and the nonvolatile memory 12 side is provided. Further, selector switches 14 a and 14 b are provided between the hub 13 and the control unit 11 and the nonvolatile memory 12, that is, at the subsequent stage of the hub 13. With such a configuration, it is possible to connect the control unit 11 and the nonvolatile memory 12 to the information processing apparatus 2, respectively, or to connect the control unit 11 and the nonvolatile memory 12 to each other.

  The charging circuit 15 is a circuit for charging the secondary battery 16 with the power supplied via the power supply terminal 10 b when the storage device 1 is connected to the information processing device 2.

  The secondary battery 16 is charged as time passes while the storage device 1 is connected to the information processing device 2, and when the storage device 1 is not connected to the information processing device 2, It becomes a power source for supplying power. For example, a large capacity capacitor is used as the secondary battery 16.

  The DC / DC converter 17 distributes power to each unit of the storage device 1 such as the control unit 11, the nonvolatile memory 12, and the hub 13 in accordance with an instruction from the control unit 11 or the time measuring unit 18. At that time, the voltage is converted to a voltage suitable for the operation of each unit of the storage device 1. For example, the voltage is converted to a + 3.3V DC voltage. When the storage device 1 is connected to the information processing device 2, the power supplied via the power supply terminal 10b is distributed. When the storage device 1 is not connected to the information processing device 2, while the power on / off signal S02 output from the control unit 11 is instructed to turn on the power, the power supplied from the secondary battery 16 is Distribute.

  The time measuring unit 18 is an IC (Integrated Circuit) for constantly counting the current time (current date and time) upon receiving power supply, and is sometimes called an RTC (Real Time Clock). The timer 18 receives power from the secondary battery 16 when the storage device 1 is not connected to the information processing device 2. The current time measured by the time measuring unit 18 is appropriately corrected to the current time measured by the information processing device 2 when the storage device 1 is connected to the information processing device 2.

The timer 18 can be set with an alarm time S05. When the current time reaches the alarm time S05, the timer 18 sends a power-on signal S18 to the DC / DC as shown in FIG. The signal is output to the converter 17.
[Processes performed at initialization]
Next, initialization of the storage device 1 will be described.

  Initialization of the storage device 1 is performed by an operator who performs initialization using the information processing device 2. The worker is the user of the storage device 1 or the administrator thereof.

  Specifically, a CD-ROM storing an initialization program corresponding to the OS (Operating System) of the information processing device 2 for initializing the storage device 1 is distributed to the worker. The initialization program includes a driver, an initial setting application, an operation application, and the like. The initial setting application is a program necessary for initializing the storage device 1. The operation application is a program that is required when the initialized storage device 1 is used.

  The operator installs an initialization program in the information processing apparatus 2. Then, the storage device 1 is connected to the information processing device 2, and an initial setting application is activated in the information processing device 2.

  When the storage device 1 is connected to the information processing device 2, power from the power supply terminal 10 b is supplied to each part of the storage device 1 via the DC / DC converter 17.

  On the other hand, the initial setting application displays a screen for guiding the worker on the display device of the information processing device 2. The operator inputs necessary items according to the contents of the screen and initializes the storage device 1.

  FIG. 3 is a sequence diagram showing an example of the flow of processing performed when the storage device 1 is initialized, and FIG. 4 is a diagram showing an example of the initial setting table FT.

  Hereinafter, a process performed when the storage device 1 is initialized will be described with reference to FIG. However, the order in which the processes described below are executed does not necessarily have to be the order shown in FIG.

  The initial setting application requests the control unit 11 to reset the stored contents (# 301). And the memory content in the control part 11 is returned to the state at the time of factory shipment.

  Next, the initial setting application prompts the operator to input items necessary for performing operational settings (policy settings) when using the storage device 1, and inputs the input contents to the control unit 11. Transmit (# 302 to # 304). The initial setting unit 103 of the control unit 11 sets the received content in an initial setting table FT as shown in FIG. The initial setting table FT is stored in the storage unit of the control unit 11.

  Specifically, the initial setting application prompts the operator to input an administrator password and a user password, and transmits both the input passwords to the control unit 11 (# 302). The initial setting unit 103 of the control unit 11 sets both received passwords in the administrator password FT1 and the user password FT2 of the initial setting table FT, respectively.

  In addition, the initial setting application prompts the user to input a unique ID that is information for specifying the information processing device 2 that permits the connection of the storage device 1, and transmits the input unique ID to the control unit 11 (#). 303). Here, the worker inputs the unique ID of the information processing apparatus 2 that is scheduled to connect and use the storage device 1. Note that the unique ID of the information processing apparatus 2 used for initialization may be automatically transmitted. For example, a MAC address (Media Access Control address) is used as the unique ID. The initial setting unit 103 of the control unit 11 registers the received unique ID in the connection permitted device list FT3 of the initial setting table FT.

  In addition, the initial setting application prompts the operator to input deletion setting information indicating a timing at which data stored in the storage device 1 cannot be read by a method such as designation or selection, and the input deletion The setting information is transmitted to the control unit 11 (# 304). The initial setting unit 103 of the control unit 11 sets the received deletion setting information in each deletion timing information DT of the deletion timing list FT4 of the initial setting table FT. Details of the deletion timing list FT4 will be described later.

  The initial setting application creates a CD-ROM image, which is a file obtained by converting the operation application installed as part of the initialization program into a CD-ROM format, and the created CD-ROM image is nonvolatile. Stored in a predetermined storage area of the memory 12 (# 305). The storage area in which the CD-ROM image is stored is virtually recognized as a CD-ROM drive by the OS of the information processing apparatus 2. The user can use the operation application in the manner of using the program stored in the CD-ROM.

  The initial setting application formats a predetermined storage area of the nonvolatile memory 12 as a removable disk in accordance with the file system corresponding to the OS of the information processing apparatus 2 (# 306). Further, an encryption area for storing the encrypted data is created in the formatted storage area (# 307). The encryption area is recognized as a disk drive in the OS of the information processing apparatus 2 by applying a corresponding encryption key. If the user is authenticated, the user can save the file in the encryption area or open the saved file in the manner of normal file operation.

  The initial setting application generates an encryption key used for accessing the encryption area, and transmits the generated encryption key to the control unit 11 (# 308). The initial setting unit 103 of the control unit 11 sets the received encryption key in the encryption key FT5 of the initial setting table FT.

  Further, the initial setting application acquires the current time counted by the information processing apparatus 2, and transmits the acquired current time to the control unit 11 (# 309). The initial setting unit 103 of the control unit 11 sets the received current time in the time measuring unit 18.

  As described above, the storage device 1 is initialized, and an initialization table FT as shown in FIG. 4 is stored in the storage unit of the controller 11 that has been initialized.

  Details of the deletion timing list FT4 of the initial setting table FT will be described below.

  FIG. 5 shows an example of the deletion timing list FT4.

  In the deletion timing list FT4, various types of deletion timing information DT indicating the timing at which reading of data stored in the nonvolatile memory 12 is impossible are registered. The value of each deletion timing information DT may be set to a predetermined value or may be set based on deletion setting information input by an operator. The value indicated in the deletion setting information input by the operator may be a default value provided from the initial setting application.

  The data retention time limit DT1 is information indicating an absolute time limit for retaining data, and is set to “4 July 2010, 24:00:00” in this example.

  The data holding period DT2 is information indicating a period for holding data starting from when the storage device 1 is removed from the information processing device 2, and is set to “24 hours” in this example.

  The unregistered device connection count DT3 is information indicating how many times the number of times that the storage device 1 has been connected to the information processing device 2 that is not permitted to connect is accumulated and the data is deleted. Then, “3 times” is set.

  The number of unauthenticated removals DT4 is information indicating how many times the number of times the storage device 1 has been removed from the information processing device 2 in a state where user authentication is not successful reaches the time when data is deleted, In this example, “3 times” is set.

  The unauthenticated time DT5 is information indicating the time for which data is held when the user authentication is not successful after the storage device 1 is connected to the information processing device 2, and in this example “ 10 minutes ".

  The number of authentication failures DT6 is information indicating how many times the number of failed user authentications has been accumulated and reached, and is set to “5 times” in this example.

  The no-operation time DT7 is information indicating a time for retaining data when a user operation is not performed after successful user authentication. In this example, the non-operation time DT7 is “15 minutes”. Is set to

  The removal time DT8 is information indicating a time for retaining data when the physical connection between the storage device 1 and the information processing device 2 is released and the physical connection is not disconnected. In this example, “5 minutes” is set.

  The battery lower limit voltage DT9 is information indicating a lower limit voltage indicating how much data is held until the voltage charged in the secondary battery 16 is lowered, and is set to “3 V” in this example.

  It is preferable that a predetermined value is set for the battery lower limit voltage DT9 so that the operator cannot change the setting content. The battery lower limit voltage DT9 is set based on the lower limit voltage at which the DC / DC converter 17 can operate, the power consumption in each part of the storage device 1, the power monitoring cycle described later, and the like.

  Whether the deletion timing information DT (DT1 to DT9) is applied as a timing at which data cannot be read is set in advance or can be selected by the operator. In the example of FIG. 5, “valid” is set for the deletion timing information DT to be applied, and “invalid” is set for the deletion timing information DT that is not applied. Here, the presence / absence of application of a plurality of deletion timing information DT may be linked to each other. For example, when the data retention period DT1 is applied, the data retention period DT2 may not be applied. Battery lower limit voltage DT9 is preferably always applied.

  Further, if the user or the administrator receives authentication by the user password, the administrator password, or both even after the initialization of the storage device 1, the data retention period DT1, the data retention period DT2, and the like are started. The setting contents of each deletion timing information DT can be changed as appropriate.

Hereinafter, description will be made on the assumption that only one of the data retention period DT1 and the data retention period DT2 is applied and all the other deletion timing information DT is applied. Therefore, in the following description, in the processing related to each deletion timing information DT, it is not necessary to perform when the deletion timing information DT is not applied.
[Processes performed when saving data]
FIG. 6 is a flowchart illustrating an example of a flow of processing performed when data is stored in the storage device 1.

  Hereinafter, a process performed when data is stored in the storage device 1 will be described with reference to FIG.

  The user connects the initialized storage device 1 to the information processing device 2, and activates the operation application stored in the nonvolatile memory 12 of the storage device 1 in the information processing device 2. The operation application may be automatically started when the storage device 1 is connected by the function of the OS of the information processing device 2.

  When the storage device 1 is connected to the information processing device 2, the power from the power supply terminal 10b is supplied to each unit of the storage device 1, and the control unit 11 is activated (# 401). Before this, the power supply instructing unit 102 of the control unit 11 uses the power on / off signal S02 output to the DC / DC converter 17 until the storage device 1 is shifted to the standby state (# 508 in FIG. 7). Instruct the power to turn on.

  The device / user authentication unit 104 of the control unit 11 acquires the unique ID from the information processing device 2 to which the storage device 1 is connected, and is registered in the connection permitted device list FT3 of the acquired unique ID and the initial setting table FT. The unique ID is checked (# 402). As a result of the collation, when it is found that the acquired unique ID is not the unique ID registered in the connection permitted device list FT3 (No in # 402), the operation application is notified to the failure of the device authentication (# 403). On the other hand, if it is found that the unique ID is registered (Yes in # 402), it notifies the operation application that the device authentication has been successful (# 404).

  When the operation application receives a notification that the device authentication has been successful, a screen such as a dialog box for prompting the user to input the user password is displayed on the display device of the information processing device 2 and is input. The user password is transmitted to the control unit 11.

  On the other hand, when the operation application receives a notification that the device authentication has failed, the operation application displays a screen for informing the user that the information processing apparatus 2 is an apparatus that is not permitted to connect the storage device 1. The information is displayed on the display device of the processing device 2.

  Upon receiving the user password, the device / user authentication unit 104 of the control unit 11 collates the received user password with the password set in the user password FT2 of the initial setting table FT (# 405). If they do not match as a result of the collation (No in # 405), the operation application is notified of the failure of the user authentication (# 406) and waits until the user password is received again. On the other hand, if the two match (Yes in # 405), the operation application is notified that the user authentication is successful (# 407). Also, the encryption key set in the encryption key FT5 of the initial setting table FT is transmitted (# 408).

  When the operation application receives the encryption key, the operation application hands over the received encryption key to the encryption file system that manages the encryption area of the nonvolatile memory 12. As a result, the encrypted area of the nonvolatile memory 12 is recognized as a disk drive in the OS of the information processing apparatus 2. The user may select to copy the file to be taken out of the files stored in the storage device of the information processing apparatus 2 to the encryption area in the normal file operation procedure. The file selected by the user is stored in the encryption area in a state encrypted with the encryption key.

  On the other hand, when the operation application receives notification that the user authentication has failed, a screen for notifying the user that the entered password is incorrect and a screen for prompting the user to re-enter the correct password. Is displayed on the display device of the information processing device 2.

Note that the device / user authentication unit 104 of the control unit 11 need only perform either device authentication (# 402) or user authentication (# 405).
[Process to be performed at the time of removal]
FIG. 7 is a flowchart showing an example of the flow of processing performed when the storage device 1 is removed from the information processing device 2, and FIG. 8 is a flowchart showing an example of the alarm time determination processing (# 505) in FIG.

  Hereinafter, processing performed when the storage device 1 is removed from the information processing device 2 will be described with reference to FIGS. 7 and 8.

  When the user finishes saving the data in the storage device 1, the user selects to remove the storage device 1 from the information processing device 2 via an operation application or the like. That is, a selection is made to logically remove the storage device 1 from the OS of the information processing device 2. Thereafter, the user physically removes the storage device 1 from the information processing device 2.

  When removal is selected by the user, the operation application transmits to the control unit 11 that removal has been selected. At this point, the storage device 1 is physically connected to the information processing device 2 but is logically disconnected. That is, the communication is disconnected and the acquired authentication is also released.

  When the deletion discriminating unit 106 of the control unit 11 receives that the removal is selected (# 501), the storage device 1 determines that the time set in the removal time DT8 of the deletion timing list FT4 elapses from that point. It is monitored whether or not it is physically removed from the information processing apparatus 2 (# 502). If removal is not detected by the connection / disconnection detection unit 101 within time (No in # 502), the key / data deletion unit 107 deletes the encryption key set in the encryption key FT5 of the initial setting table FT. (# 503). Note that after the encryption key is erased, it is impossible to access data stored in the encryption area of the nonvolatile memory 12. On the other hand, if removal is detected within the time (Yes in # 502), the process proceeds to the following steps (# 504 to # 508). In addition, the process which concerns on the subsequent steps is performed when CPU of the control part 11 operate | moves with the electric power supplied from the secondary battery 16. FIG.

  The alarm setting unit 105 acquires the current time measured by the time measuring unit 18 (# 504). Then, the alarm time S05 is determined as follows (# 505).

  That is, as illustrated in FIG. 8, the alarm setting unit 105 refers to the initial setting table FT, and when the data retention time limit DT1 of the deletion timing list FT4 is set to valid (the data retention period DT2 is invalid) ( (Yes in # 601), the time limit set in the data retention time limit DT1 of the deletion timing list FT4 is acquired as the scheduled data deletion time (# 602). Then, a value obtained by subtracting the current time from the data deletion scheduled time is calculated as the data retention scheduled time (# 603).

  On the other hand, when the data retention period DT1 is set to invalid (data retention period DT2 is valid) (No in # 601), the period set in the data retention period DT2 of the deletion timing list FT4 is set as the data retention scheduled time. (# 604). Then, a value obtained by adding the data retention scheduled time to the current time is calculated as the data deletion scheduled time (# 605).

  Next, the data retention scheduled time calculated in # 603 or acquired in # 604 is compared with the power monitoring cycle (# 606). Here, the power monitoring cycle is a cycle (time interval) for monitoring the remaining voltage in charging of the secondary battery 16 when power from the secondary battery 16 is supplied to each unit of the storage device 1. . The power monitoring period is registered in advance in the storage unit of the control unit 11.

  If the scheduled data retention time is less than or equal to the power monitoring period (Yes in # 606), the scheduled data deletion time acquired in # 602 or calculated in # 605 is determined as the alarm time S05 (# 607). On the other hand, if the scheduled data retention time is greater than the power monitoring period (No in # 606), a value obtained by adding the power monitoring period to the current time is determined as the alarm time S05 (# 608).

  The alarm setting unit 105 sets the alarm time S05 thus determined in the time measuring unit 18 (# 506). Further, the scheduled data deletion time acquired in # 602 or calculated in # 605 is registered in the storage unit of the control unit 11 (# 507).

  In step # 507, instead of registering the scheduled data deletion time, the current time acquired in step # 504 may be registered as the starting time that is the starting point of the data holding period. Alternatively, the scheduled data deletion time may be registered and the starting time may be registered. In this case, if the data retention time limit DT1 of the deletion timing list FT4 is set to be valid, the scheduled data retention time calculated in # 603 is also registered. In addition, when a predetermined operation is performed by the user or the administrator, the value of the starting time may be changed. For example, when the storage device 1 is connected to the information processing device 2 and a predetermined authentication is successful, an operation for instructing the change of the start time is performed by the user or the administrator, the start time value is specified. When the user or the administrator makes an instruction to change the setting of the data retention period DT2 of the deletion timing list FT4, the value of the starting time is automatically set at that time. You may change to the current time. These points are the same in # 709 of FIG. 9 described later.

When the alarm setting unit 105 sets the alarm time S05 and registers the scheduled data deletion time, the power supply instructing unit 102 instructs to turn off the power in the power on / off signal S02 output to the DC / DC converter 17. . As a result, power is not supplied to each part of the storage device 1 except for the timer 18 and the storage device 1 shifts to a standby state (# 508). However, the clock unit 18 continues to count the current time using the power supplied from the secondary battery 16.
[Processes performed after removal]
FIG. 9 is a flowchart illustrating an example of a flow of processing performed after the storage device 1 is removed from the information processing device 2.

  Hereinafter, processing performed after the storage device 1 is removed from the information processing device 2 will be described with reference to FIG. 9.

  When the current time measured reaches the set alarm time S05, the time measuring unit 18 outputs a power-on signal S18 to the DC / DC converter 17. As a result, the power from the secondary battery 16 is supplied to each unit of the storage device 1 via the DC / DC converter 17, and the control unit 11 is activated (# 701). Before this, the power supply instructing unit 102 of the control unit 11 instructs the DC / DC converter 17 to turn on the power until the storage device 1 is again shifted to the standby state (# 710). In the meantime, the following processing is performed.

  The deletion determination unit 106 of the control unit 11 acquires the current time measured by the time measuring unit 18 (# 702). Further, the charging voltage S16 indicating the remaining voltage in the charging of the secondary battery 16 is acquired from the secondary battery 16 (# 703).

  Next, the deletion determination unit 106 compares the acquired current time with the scheduled data deletion time registered when the storage device 1 is removed (# 704). If the current time has reached the scheduled data deletion time (Yes in # 704), the encryption key set in the encryption key FT5 of the initial setting table FT is deleted by the key / data deletion unit 107 (# 705).

  If the starting time is registered when the storage device 1 is removed, the time set in the data holding period DT2 of the deletion timing list FT4 or the registered data holding scheduled time in # 704 May be calculated each time by adding to the starting time. The same applies to # 906 of FIG. 12 described later.

  On the other hand, if the current time has not reached the scheduled data deletion time (No in # 704), the acquired charging voltage S16 is compared with the lower limit voltage set in the battery lower limit voltage DT9 in the deletion timing list FT4 (# 706). If the charging voltage S16 is smaller than the lower limit voltage (Yes in # 706), the key / data deleting unit 107 deletes the encryption key set in the encryption key FT5 of the initial setting table FT (# 705). Here, the reason for erasing the encryption key is that the secondary battery 16 cannot supply the power necessary for operating the CPU of the control unit 11 when the scheduled data deletion time is reached, so that the encryption key can be deleted. This is to avoid disappearance.

On the other hand, when the charging voltage S16 is equal to or higher than the lower limit voltage (No in # 706), the same processing as # 505 to # 508 shown in FIG. 7 is performed. That is, the alarm time S05 is determined (# 707), and the determined alarm time S05 is set in the timer unit 18 (# 708). Also, the scheduled data deletion time is registered in the storage unit of the control unit 11 (# 709). Then, when the power supply instructing unit 102 instructs the DC / DC converter 17 to turn off the power, the storage device 1 again enters the standby state (# 710) and waits until the next alarm time S05 is reached. .
[Processes performed during reconnection]
10 to 12 are flowcharts illustrating an example of a flow of processing performed when the storage device 1 in which data is stored is connected to the information processing device 2 again.

  Hereinafter, processing performed when the storage device 1 storing data is connected to the information processing device 2 again will be described with reference to FIGS.

  The user connects the storage device 1 storing the data to the information processing device 2, and activates the operation application stored in the nonvolatile memory 12 of the storage device 1 in the information processing device 2.

When the storage device 1 is connected to the information processing device 2, the power from the power supply terminal 10b is supplied to each unit of the storage device 1, and the control unit 11 is activated (# 801).
The device / user authentication unit 104 of the control unit 11 prepares a device authentication failure counter for counting the number of times device authentication has failed and a user authentication failure counter for counting the number of times user authentication has failed. In addition, the deletion determination unit 106 of the control unit 11 prepares an unauthenticated removal counter for counting the number of times the storage device 1 has been removed without receiving user authentication.

  These counters are stored in the storage unit of the control unit 11. Therefore, even if the storage device 1 is removed, the number of times indicated by these counters is not reset.

  The device / user authentication unit 104 performs device authentication by the same method as # 402 shown in FIG. 6 (# 802). If the device authentication has failed (No in # 802), the operation application is notified that the device authentication has failed (# 803), and the device authentication failure counter is counted up (# 804). When the number of times indicated in the device authentication failure counter after counting up reaches the number set in the unregistered device connection count DT3 in the deletion timing list FT4 (Yes in # 805). Then, the encryption key set in the encryption key FT5 of the initial setting table FT is deleted by the key / data deletion unit 107 (# 806). On the other hand, if the number set in the unregistered device connection count DT3 has not been reached (No in # 805), the encryption key is not deleted.

  When the device authentication is successful (Yes in # 802), the device / user authentication unit 104 notifies the operation application that the device authentication is successful (# 807) and clears the device authentication failure counter (#). 808).

  In addition, the deletion / deletion detection unit 101 detects that the storage device 1 has been physically removed from the information processing device 2 in a state where the user authentication has not succeeded (Yes in # 815). If yes (Yes in # 809), the unauthenticated removal counter is counted up (# 810). If the number indicated in the unauthenticated removal counter after counting up reaches the number set in the unauthenticated removal number DT4 in the deletion timing list FT4 (Yes in # 811), the encryption of the initial setting table FT The encryption key set in the key FT5 is deleted by the key / data deletion unit 107 (# 812). On the other hand, if the number of unauthenticated removals DT4 has not been reached (No in # 811), the encryption key is not deleted. Note that the processing related to steps # 810 to # 812 is performed by the CPU of the control unit 11 operating with the power supplied from the secondary battery 16.

  Further, the deletion determination unit 106 has passed the time set in the unauthenticated time DT5 of the deletion timing list FT4 in a state where the user authentication has not succeeded (Yes in # 815) since the connection was detected in # 801. If so (Yes in # 813), the key / data deletion unit 107 deletes the encryption key set in the encryption key FT5 of the initial setting table FT (# 814).

  The device / user authentication unit 104 receives the user password from the operation application, and performs user authentication by the same method as # 405 shown in FIG. 6 (# 815). If the user authentication fails (No in # 815), the user application is notified that the user authentication has failed (# 816), and the user authentication failure counter is counted up (# 817). When the number of times indicated in the user authentication failure counter after counting up reaches the number set in the authentication failure frequency DT6 of the deletion timing list FT4 (Yes in # 818), the deletion determination unit 106 is initialized. The encryption key set in the encryption key FT5 of the setting table FT is deleted by the key / data deletion unit 107 (# 819). On the other hand, when the number of times of authentication failure DT6 has not been reached (No in # 818), the process waits until the user password is received again without deleting the encryption key.

  If the user authentication is successful (Yes in # 815), the device / user authentication unit 104 notifies the operation application that the user authentication is successful (# 820), and also includes a user authentication failure counter and an unauthenticated removal counter. Is cleared (# 821, # 822). Also, the encryption key set in the encryption key FT5 of the initial setting table FT is transmitted (# 823).

  When the operation application receives the encryption key, the encrypted area of the nonvolatile memory 12 is recognized as a disk drive in the OS of the information processing apparatus 2. The user can read out, delete, or save a new file stored in the non-volatile memory 12 in a normal file operation procedure.

  Further, the deletion determination unit 106 detects each time an operation by the user is performed in the operation application, and the time set in the non-operation time DT7 of the deletion timing list FT4 from the time when the user operation was performed last time. It is monitored whether or not an operation by the user is performed before the time elapses (# 824). If no operation is performed by the user within the time (Yes in # 824), the encryption key set in the encryption key FT5 of the initial setting table FT is deleted by the key / data deletion unit 107 (# 825).

  Further, the deletion determination unit 106 performs the same processing as # 501 to 503 illustrated in FIG. That is, when it is received from the operation application that the removal of the storage device 1 has been selected (# 826), the storage device 1 is in that time until the time set in the removal time DT8 of the deletion timing list FT4 elapses. It is monitored whether or not it is physically removed from the information processing apparatus 2 (# 827). If removal is not detected within the time (No in # 827), the key / data deletion unit 107 deletes the encryption key set in the encryption key FT5 of the initial setting table FT (# 828).

  While the storage device 1 is reconnected to the information processing device 2, the processing as described above is performed. The deletion determination unit 106 of the control unit 11 performs processing as shown in FIG.

  That is, the deletion determination unit 106 acquires the current time measured by the time measuring unit 18 (# 901). Then, a value obtained by subtracting the current time from the registered scheduled data deletion time is calculated as the remaining time (# 902), and the calculated remaining time is transmitted to the operation application (# 903). Further, when the remaining time has exceeded the predetermined time for the first time (Yes in # 904), the operation application is notified that the data deletion time is approaching (# 905).

  The operation application displays a screen for informing the user of the remaining time on the display device of the information processing apparatus 2 and updates the displayed remaining time every time the remaining time is received. When a notification that the data deletion time is approaching is received, a screen such as a pop-up for notifying the user of the fact is displayed on the display device of the information processing device 2. The reason for displaying such a screen is to prevent the data stored in the nonvolatile memory 12 from being accidentally erased while the user is using the storage device 1.

  The remaining time may be transmitted only once when the user authentication is successful in # 815 of FIG.

  Further, instead of calculating and transmitting the remaining time on the storage device 1 side, the remaining time may be calculated on the operation application side. For example, when the starting time is registered, the deletion determining unit 106 uses the data holding time set in the data holding period DT2 of the deletion timing list FT4 and the value obtained by subtracting the starting time from the current time. A certain elapsed time is transmitted to the operation application. The operation application may calculate a value obtained by subtracting the elapsed time from the data holding time as the remaining time.

  The deletion determination unit 106 performs the processes related to steps # 901 to # 905 at regular intervals until the remaining time runs out, that is, until the current time reaches the scheduled data deletion time (No in # 906). When the current time reaches the scheduled data deletion time (Yes in # 906), the key / data deletion unit 107 deletes the encryption key set in the encryption key FT5 of the initial setting table FT (# 907).

  As described above, even when the storage device 1 is connected to the information processing device 2, the encryption key is erased when the current time reaches the data deletion scheduled time, and then the data stored in the nonvolatile memory 12 is stored. Cannot be decrypted.

  However, when the information processing apparatus 2 to which the storage device 1 is connected is a special information processing apparatus 2, the encryption key is deleted during connection by temporarily invalidating the registered data deletion scheduled time. May not be performed.

  Specifically, the device / user authentication unit 104 also determines whether or not the acquired unique ID is the unique ID of the information processing apparatus 2 specially designated by the user in the device authentication (# 802). When the ID is such a unique ID, the alarm setting unit 105 deletes the registered scheduled data deletion time, for example, when user authentication is successful (Yes in # 815). Further, the alarm time S05 set in the time measuring unit 18 is also canceled. The deletion determination unit 106 does not perform the processing shown in FIG. 12 because the scheduled data deletion time has been deleted. That is, the deletion of the encryption key based on the arrival of the scheduled data deletion time is suppressed.

  This is particularly effective when the data retention period DT2 of the deletion timing list FT4 is set to valid (data retention time limit DT1 is invalid).

  For example, when initializing the storage device 1, the user or the administrator thereof has a unique unique ID or the like of the information processing device 2 that is used everyday among the information processing devices 2 that permit connection of the storage device 1. It is specified as an ID. In addition, the maximum time during which the information processing apparatus 2 that is used everyday may not be used is set as the data holding period DT2. By doing so, the data stored in the storage device 1 is accessed as long as the storage device 1 is connected to the information processing device 2 that is used everyday without using the maximum time set in the data retention period DT2. be able to.

  As described above, in the storage device 1, the stored data cannot be read out at various timings, so that information leakage can be prevented.

  In particular, as shown in # 705 of FIG. 9 and # 907 of FIG. 12, whether the storage device 1 is connected to the information processing device 2 or not, based on the setting of the data retention period DT1 or the data retention period DT2. When the current time reaches the calculated data deletion scheduled time, the encryption key is deleted, and thereafter, the data stored in the storage device 1 cannot be accessed. That is, the time limit for holding data is not extended by simply inserting the storage device 1 into the information processing device 2. Therefore, the security of the storage device 1 is further improved compared to the conventional storage device.

  In the above-described embodiment, the initial setting table FT is stored in the storage unit built in the control unit 11. However, the initial setting table FT is stored in the storage unit including a nonvolatile memory prepared separately. It may be. Alternatively, a partial area of the nonvolatile memory 12 may be used for that purpose. Further, it is not necessary to manage individual information registered in the initial setting table FT in a single table, and each information may be managed individually and in different storage units. For example, the encryption key may be managed separately from other information registered in the initial setting table FT and stored in a partial area of the nonvolatile memory 12.

  Further, in the above-described embodiment, when the data is not stored in the storage device 1, the encryption key is not deleted, but the processing when the data is stored as shown in FIGS. Similarly to, the encryption key may be deleted. In that case, when the initialized storage device 1 is connected to the information processing device 2 for the first time, a device authentication failure counter, a user authentication failure counter, and an unauthenticated failure counter may be prepared.

  In the above-described embodiment, the device authentication failure counter is cleared when the device authentication is successful, and the user authentication failure counter and the unauthenticated removal counter are cleared when the user authentication is successful. Each of these counters may not be cleared at those times. That is, the number of times indicated by these counters may be accumulated with the success of authentication.

  Further, in the above-described embodiment, the encryption key is deleted when a predetermined time has passed since the user authentication has not been successful since the connection of the storage device 1, but the accumulated time of the time in such a state And the encryption key may be deleted when the calculated accumulated time reaches a preset time.

  In the above-described embodiment, the key / data deletion unit 107 deletes the encryption key so that the data stored in the encryption area of the nonvolatile memory 12 cannot be read at a predetermined timing. The entity itself may be deleted. In that case, the control unit 11 can directly access the nonvolatile memory 12 by operating the changeover switches 14 a and 14 b to connect the control unit 11 and the nonvolatile memory 12.

  In the above-described embodiment, the hardware configuration and functional configuration of the storage device 1 can be appropriately changed in accordance with the gist of the present invention. Further, the processing content and processing order performed in the storage device 1 can be changed as appropriate in accordance with the gist of the present invention.

DESCRIPTION OF SYMBOLS 1 Memory | storage device 2 Information processing apparatus 11 Control part (2nd memory | storage means)
12 Non-volatile memory (first storage means)
16 Secondary battery (power supply means)
107 Key / data deletion unit (first access invalidation means, second access invalidation means)

Claims (8)

A storage device connectable to an information processing device,
A first storage means for storing data;
Second storage means for storing a scheduled deletion time indicating a time to delete the data;
Regardless of whether or not connected to the information processing apparatus, when the current time reaches the scheduled deletion time, a first access invalidation means for making access to the data impossible,
A storage device. The data is encrypted and stored in the first storage means;
The first access invalidation means makes the access impossible by deleting an encryption key necessary for decrypting the data;
The storage device according to claim 1. When connected to the information processing apparatus, a process for calculating a remaining time obtained by subtracting a current time from the scheduled deletion time and displaying a screen for notifying the user of the remaining time on the information processing apparatus. Having first display control means to perform,
The storage device according to claim 1 or 2. When connected to the information processing apparatus and the remaining time is less than or equal to a predetermined time, a screen for informing the user that the scheduled deletion time is approaching is displayed on the information processing apparatus Having second display control means for performing processing for
The storage device according to claim 3. An access invalidation inhibiting unit that inhibits the first access invalidating unit from disabling the access when connected to the information processing apparatus specially designated by a user;
The storage device according to claim 1 or 2. Power supply means for supplying power necessary for its own operation when not connected to the information processing apparatus;
Second access invalidation that disables access to the data when the power that can be supplied by the power supply means is lower than a predetermined value when not connected to the information processing apparatus And
The storage device according to claim 1, comprising: A method of controlling a storage device connectable to an information processing device,
Processing for storing data in the first storage means;
A process of storing a scheduled deletion time indicating a time to delete the data in the second storage means;
Regardless of whether or not connected to the information processing device, when the current time reaches the scheduled deletion time, processing to make the data impossible to access;
For controlling a storage device. A computer program used for a storage device connectable to an information processing device,
Processing for storing data in the first storage means;
A process of storing a scheduled deletion time indicating a time to delete the data in the second storage means;
Regardless of whether or not connected to the information processing device, when the current time reaches the scheduled deletion time, processing to make the data impossible to access;
A computer program for causing the storage device to execute.

Images