JP2018129616A - Information processing device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow acquisition of an access key for using a SED (Self-encrypting device) without requiring user's operation and without providing any special function to other devices.SOLUTION: A information processing device stores an encrypted file in storage means, brings the storage means into an unlocked state or a locked state in response to an input of an access key, and performs information processing using the decrypted file by using a storage device that decrypts and outputs the file stored in the storage means in the unlock state. The information processing device can be connected to a communication network and includes identifier acquisition means, key acquisition means, and input means. The identifier acquisition means acquires an identifier of a device connected to the communication network from the device through the communication network. The key acquisition means acquires an access key on the basis of the acquired identifier. The input means inputs the acquired access key to the storage device.SELECTED DRAWING: Figure 1

Description

  Embodiments described herein relate generally to an information processing apparatus.

  A storage device is known that has a function of automatically encrypting and storing files such as data files and program files, and protects files from being read / written by users other than authorized users. Such a storage device is standardized by the Trusted Computing Group (TCG) as a trusted computing group opal security subsystem class (TCG Opal SSC) and is called a self-encrypting drive (SED).

  Using this SED has the advantage that the file is encrypted and protected from unauthorized access. On the other hand, in order to read / write a file from / to the SED in the information processing apparatus, the user has to input an access key for certifying proper authority to the information processing apparatus, which is convenient for the user. Is damaged.

  By the way, as a method for obtaining secret information such as an encryption key and authentication information in general without requiring an explicit operation from a user, several techniques using a secret sharing method as shown in Patent Document 1 and Patent Document 2 are used. Has been proposed. If such a known technique is applied to an information processing apparatus that uses an SED, an operation by the user for inputting an access key can be eliminated.

  However, in the conventional technique using the secret sharing method, the information processing apparatus using the SED has a function of transmitting a tally for obtaining an access key in each of a plurality of other devices that can communicate with the information processing apparatus. I had to.

  As an example, if a POS system is provided with a payment terminal using SED, for example, a function of transmitting a tally to the payment terminal must be provided in a plurality of POS terminals. In other words, when the settlement terminal is to be introduced into an existing POS system configured with a POS terminal that does not have a function for transmitting a tally, a function for transmitting a tally to at least a part of the POS terminal is provided. It is necessary to replace it with the one provided.

  Under such circumstances, it has been desired that an information processing apparatus can acquire an access key for using the SED without requiring user operation and without providing a special function to other devices.

JP 2010-219603 A Japanese Patent Application Laid-Open No. 2014-6676

  A problem to be solved by the present invention is to provide an information processing apparatus that can acquire an access key for using an SED without requiring a user operation and without providing a special function to another device. That is.

  The information processing apparatus according to the embodiment stores, in a storage unit, a file obtained by encrypting a file given from the outside, and sets the storage unit to an unlocked state or a locked state in response to input of a predetermined access key. In the unlocked state, a storage device that decrypts and outputs the file stored in the storage means is used to perform information processing using the decrypted file, and can be connected to a communication network. An identifier acquisition unit, a key acquisition unit, and an input unit are provided. The identifier acquisition unit acquires an identifier of another device connected to the own device via the communication network from the device via the communication network. The key acquisition unit acquires the access key based on the identifier acquired by the identifier acquisition unit. The input means inputs the access key acquired by the key acquisition means to the storage device.

1 is a block diagram showing a main circuit configuration of a personal computer according to a first embodiment. The figure which shows typically the structure of the key table shown by FIG. The flowchart which shows the procedure of the process in the lock setting part shown by FIG. The flowchart which shows the procedure of the process in the lock setting part shown by FIG. The block diagram which shows the principal part circuit structure of the personal computer which concerns on 2nd Embodiment. The figure which shows typically the structure of the tally table shown by a figure. The flowchart which shows the procedure of the process in the lock setting part shown by FIG. The block diagram which shows the principal part circuit structure of the payment terminal which concerns on 3rd Embodiment.

Hereinafter, embodiments will be described with reference to the drawings.
(First embodiment)
In the present embodiment, a personal computer will be described as an example of the information processing apparatus.
FIG. 1 is a block diagram showing a main circuit configuration of a personal computer 100 according to the first embodiment.

  The personal computer 100 includes a control unit 1, a wireless communication unit 2, a user interface (UI) unit 3, and a storage unit 4. The wireless communication unit 2, the user interface unit 3, and the storage unit 4 are connected to the control unit 1, respectively.

The control unit 1 includes a processor and a memory. The control unit 1 executes various applications by reading out the application program stored in the storage unit 4 and executing it by the processor. The control unit 1 also stores the key table 1c in the above memory. The control unit 1 includes an interface unit for exchanging data with each connected unit.
The information processing unit 1a executes information processing according to the application program.
The lock setting unit 1b outputs an access key to the storage unit 4 while referring to the key table 1c by a lock state setting process described later. The key table 1c will be described later.

  The wireless communication unit 2 performs wireless communication with an access point connected to the LAN 300. Accordingly, the wireless communication unit 2 enables the control unit 1 to communicate with another communication device 200 connected to the LAN 300 via the LAN 300. The communication device 200 is a device having a function of performing communication via the LAN 300, and may include various types of devices such as a personal computer, a printer, or a multifunction peripheral. When the wireless communication unit 2 receives a packet from the LAN 300 while the lock setting unit 1b is executing a lock state setting process described later, the wireless communication unit 2 is concerned whether the packet is addressed to the personal computer 100 or not. Without giving to the control unit 1. As the wireless communication unit 2, a known device adapted to a wireless LAN can be used. The LAN 300 may be configured as either a wired LAN or a wireless LAN, or a combination of a wired LAN and a wireless LAN. The LAN 300 may be replaced with another type of communication network such as an optical communication network or Bluetooth (registered trademark), or may be combined. That is, the LAN 300 can be replaced with any communication network as long as the transmitted data includes the identifier of the transmission source device.

  The user interface unit 3 inputs an instruction from the user to the control unit 1. Thus, the user interface unit 3 is an example of an input device. The user interface unit 3 outputs information to be notified to the user regarding the operation of the control unit 1. As the user interface unit 3, a well-known input device such as a touch panel can be arbitrarily used.

The storage unit 4 includes a storage unit 41, an access control unit 42, an encryption key output unit 43, an encryption processing unit 44, and an interface unit 45.
The storage unit 41 is a device for storing files, and for example, an EEPROM (electrically erasable programmable read-only memory), an HDD (hard disc drive), an SSD (solid state drive), or the like can be applied. The storage unit 41 can logically set one or a plurality of storage areas. FIG. 1 shows an example in which n storage areas 41-1 to 41-n are set. Each of the storage areas 41-1 to 41-n is an area for storing an encrypted file. Thus, the storage unit 41 is an example of a storage unit that stores a file obtained by encrypting a file given from the outside. The storage unit 41 includes areas other than the storage areas 41-1 to 41-n. One such area is a preboot authentication area that stores a program file for preboot authentication processing.

  The access control unit 42 manages whether each of the storage areas 41-1 to 41-n is in a locked state or an unlocked state. When the access key determined for each of the storage areas 41-1 to 41-n is given from the interface unit 45 together with the lock or unlock instruction, the access control unit 42 responds to the instruction by the area. Is locked or unlocked. The access control unit 42 acquires a predetermined encryption key for the storage area from the encryption key output unit 43 when the storage area is unlocked, and sends the encryption key to the encryption processing unit 44. set. The access control unit 42 discards the encryption key set in the encryption processing unit 44 as described above when a certain storage area is locked.

  The encryption key output unit 43 has, for each of the storage areas 41-1 to 41-n, an encryption key table in which the above access key and an encryption key predetermined for the storage area are associated with each other. The encryption key output unit 43 extracts the encryption key associated with the access key given from the access control unit 42 from the encryption key table and gives it to the access control unit 42. The encryption key output unit 43 may calculate the encryption key by using a specific calculation formula such as a hash function based on the information given from the access control unit 42 instead of using the encryption key table.

  The encryption processing unit 44 encrypts the file using the set encryption key when a file write is requested by designating the storage area in which the corresponding encryption key is set. To do. Then, the encryption processing unit 44 writes the encrypted file in the designated storage area. The encryption processing unit 44, when requested to read a file specifying a storage area in which the corresponding encryption key is set, decrypts the file using the set encryption key. . Then, the encryption processing unit 44 outputs the decrypted file to the interface unit 45. If the encryption key corresponding to the designated storage area is not set, the encryption processing unit 44 rejects the write and read requests.

The interface unit 45 gives the access key sent from the control unit 1 to the access control unit 42. The interface unit 45 gives a request for reading or writing a file from the control unit 1 to the encryption processing unit 44. The interface unit 45 gives the decrypted file given from the encryption processing unit 44 to the control unit 1. As the interface unit 45, for example, a device compliant with a general-purpose interface standard such as SATA (serial advanced technology attachment) can be used.
Thus, the storage unit 4 has a function as an SED and is an example of a storage device.

FIG. 2 is a diagram schematically showing the configuration of the key table 1c.
The key table 1c stores an access key and a necessary identifier in association with each of the storage areas 41-1 to 41-n set in the storage unit 41. The necessary identifier includes at least one identifier of the communication device 200. In the present embodiment, as the identifier, a MAC ID that is a physical address uniquely assigned to the hardware of the network device is used. However, as the identifier, various other data such as an IP address, a computer name, or a serial number that can uniquely identify the device, or data obtained by combining them can be used. The access key is a character string such as “xxx” in the example of FIG. That is, in the key table 1c, a character code string representing a character string used as an access key is actually described as access key information. However, the access key may be arbitrary binary data different from the character string code string.
Thus, the key table 1c is an example of a table in which access keys are described in association with identifiers.

  Next, the operation of the personal computer 100 configured as described above will be described. Note that the content of the processing described below is an example, and various processing that can obtain the same result can be used as appropriate.

  In a plurality of storage areas 41-1 to 41-n set in the storage unit 41, there are program files of a plurality of different applications for realizing the function as the information processing unit 1a in the control unit 1, respectively. Each is remembered. When the control unit 1 selectively executes one of the plurality of program files, the application executed by the information processing unit 1a can be changed. For example, an application that handles confidential information can be executed in a normal office location of a user of the personal computer 100, but an application other than an application that handles confidential information can be executed in a location other than the office location described above. And

  On the other hand, the program file for the control unit 1 to realize the function as the lock setting unit 1b is stored in an area that is first read when the personal computer 100 is started among the areas set in the storage unit 41. This area is generally an area where an operating system is stored. This area is set so that at least reading is possible at the time of activation.

  Then, the control unit 1 starts the operation as the lock setting unit 1b based on the program file at a predetermined timing. The timing is, for example, when the personal computer 100 is activated. Or the said timing is good also as every fixed time.

FIG. 3 is a flowchart showing a processing procedure in the lock setting unit 1b.
As Act1, the lock setting unit 1b clears the value of the variable m to zero. The variable m is used for counting the number of executions of a confirmation loop described later.

As Act2, the lock setting unit 1b confirms whether or not the collection period has ended. Then, if the collection period has not ended, the lock setting unit 1b determines No and proceeds to Act3.
As Act 3, the lock setting unit 1 b confirms whether or not the packet is received by the wireless communication unit 2. If no packet is received, it is determined No and the process returns to Act2.
Thus, as Act2 and Act3, the lock setting unit 1b waits for a packet to be received in a situation where the collection period has not ended. When the packet transmitted from the communication device 200 to an arbitrary destination is transmitted to the personal computer 100 via the LAN 300, the wireless communication unit 2 receives the packet. In this case, the wireless communication unit 2 gives the received packet to the control unit 1. In response to this, the lock setting unit 1b determines Yes in Act3, and proceeds to Act4.

  As Act 4, the lock setting unit 1 b extracts the identifier of the transmission source device from the received packet and stores it in the internal memory of the control unit 1. Here, the memory area for storing the identifier is cleared at the start of the processing shown in FIG. Thus, the lock setting unit 1b functions as an identifier acquisition unit that acquires the identifier of the communication device 200. The access point 400 is also one of communication devices connected to the LAN 300. Therefore, the lock setting unit 1b also acquires the identifier of the access point 400.

  Thereafter, the lock setting unit 1b returns to the standby state for Act2 and Act3. Thus, the lock setting unit 1b accumulates the identifier of the transmission source indicated in the packet received during the collection period. Note that the lock setting unit 1b may store the newly extracted identifier without confirming whether it is the same as the stored identifier, or confirm whether it is the same. It may be stored only when different.

  The lock setting unit 1b determines Yes in Act2 when a predetermined time has elapsed from the time point when the process shown in FIG. 3 is started or the time point when Act2 is first executed. . In this case, the lock setting unit 1b proceeds to a confirmation loop starting from Act5. Note that the above time may be arbitrarily determined by, for example, the creator of the program file representing the processing shown in FIG. 3 or the administrator of the personal computer 100. However, the above time is preferably set to a time during which a collection period is set such that at least one packet transmitted from each of the devices having the identifiers set as necessary identifiers in the key table 1c can be received.

As Act5, the lock setting unit 1b increases the value of the variable m by one.
As Act 6, the lock setting unit 1b confirms whether or not all of the identifiers represented as necessary identifiers in the key table 1c are provided for the m-th storage area 41-m. If all the necessary identifiers are included in the identifier stored in Act 4, the lock setting unit 1b determines Yes and proceeds to Act 7.

  As Act 7, the lock setting unit 1b confirms whether or not the storage area 41-m is in the locked state. Then, the lock setting unit 1b determines Yes if it is in the locked state, and proceeds to Act9.

On the other hand, if all of the necessary identifiers are not included in the identifier stored in Act 4, the lock setting unit 1b determines No in Act 6, and proceeds to Act 8.
As Act8, the lock setting unit 1b confirms whether or not the storage area 41-m is in the unlocked state. If the lock setting unit 1b is in the unlocked state, the lock setting unit 1b determines Yes and proceeds to Act9.
In other words, the lock setting unit 1b receives all of the necessary identifiers when the storage area 41-m is in the locked state and also receives a part of the necessary identifiers when the storage area 41-m is in the unlocked state. If not, proceed to Act9.

  As Act 9, the lock setting unit 1 b outputs the access key indicated in the key table 1 c with respect to the storage area 41-m to the interface unit 45 of the storage unit 4. That is, the lock setting unit 1b reads the access key stored in the key table 1c in association with the acquired identifier, and functions as a reading unit. Then, the function as the key acquisition unit is realized by the cooperation of the function as the reading unit of the lock setting unit 1b and the key table 1c. The lock setting unit 1 b functions as an input unit that inputs the acquired access key to the storage unit 4. The control unit 1 stores in the memory information indicating whether it is in the locked state or the unlocked state in association with each of the storage areas 41-1 to 41-n. Then, the lock setting unit 1b allows the determination of Act7 or Act8 by inverting the information when the access key is output here. However, the lock setting unit 1b may make an inquiry to the access control unit 42 to determine whether the storage area 41-m is in the locked state or the unlocked state.

  The access key is given to the access control unit 42 via the interface unit 45. If the storage area 41-m is in a locked state in response to the access key being given, the access control unit 42 sends a predetermined encryption key for the storage area 41-m to the encryption key output unit 43. And the encryption key is set in the encryption processing unit 44. Further, in response to the access key being given, the access control unit 42 discards the encryption key set in the encryption processing unit 44 if the storage area 41-m is in the locked state.

  After completing Act9, the lock setting unit 1b proceeds to Act10. If the necessary identifiers are prepared but the determination is No in Act 7 because the storage area 41-m is already unlocked, Act 9 is passed and the process proceeds to Act 10. If the lock setting unit 1b does not have the necessary identifiers, but the determination is No in Act 8 because the storage area 41-m is already in the locked state, it passes Act 9 and proceeds to Act 10.

  As Act 10, the lock setting unit 1b checks whether or not the value of the variable m is n or more. If the lock setting unit 1b determines No because the value of the variable m is less than n, the lock setting unit 1b repeats the processes after Act5. That is, the lock setting unit 1b changes the target storage area and processes Act6 to Act9. The loop of Act5 to Act10 repeated in this way is a confirmation loop. If Act 6 to Act 9 have been processed for all of the storage areas 41-1 to 41-n, the value of the variable m is n. Therefore, the lock setting unit 1b determines Yes in Act 10 because the value of the variable m is greater than or equal to n, and ends the process shown in FIG.

  As described above, according to the personal computer 100, when there is an environment in which at least one predetermined identifier of the communication device 200 and the access point 400 can be acquired, the storage areas 41-1 to 41-n are automatically set. Thus, it is unlocked. Therefore, in this case, the operator does not have to perform an operation for inputting the access key. Moreover, since the personal computer 100 uses an identifier transmitted from another device for normal communication, the other device does not need to have a function capable of transmitting a tally in the secret sharing method.

As an illegal act on the personal computer 100, an act of illegally accessing data accessible by an application that handles confidential information after being taken out of a place where the regular user normally works is known. Yes.
However, there is a high possibility that the personal computer 100 cannot acquire at least a part of the identifier that can be acquired at the office location in a location other than the office location described above. For this reason, among the storage areas 41-1 to 41-n, the identifiers that cannot be acquired in this way are used as the required identifiers, and are locked. Thereby, an unauthorized person cannot use an application based on the program file stored in the locked storage area, and the above-described fraud can be prevented. In addition, the program file and data stored in the locked storage area are not read by an unauthorized person, and it is possible to prevent an unauthorized act by analyzing them.

  It is also conceivable that an unauthorized person who has entered the office when the person at the office is absent while the personal computer 100 is left at the office will use the personal computer 100 illegally. However, since the communication device 200 has stopped operating, there is a high possibility that at least a part of the identifier that can be acquired at the office location described above cannot be acquired. Can be prevented.

By the way, when switching lock / unlock by the above processing, for example, when a part of the communication device 200 is in a non-transmission state for maintenance or the like, the storage area including the identifier of the communication device 200 in the necessary identifier is locked. It will be fixed to the state. However, such a situation is not a situation where fraud is performed.
Therefore, in order to cope with such a situation, the lock setting unit 1b executes the process shown in FIG. 4 separately from the process shown in FIG.

As Act 21, the lock setting unit 1 b confirms whether or not an access key has been input by an operation by the operator on the user interface unit 3. If the lock setting unit 1b determines No because the access key is not input, the process proceeds to Act 22.
As Act 22, the lock setting unit 1b confirms whether there is a mismatch described later. If the lock setting unit 1b determines No because there is no mismatch, the lock setting unit 1b returns to Act 21.
Thus, the lock setting unit 1b waits for an access key to be input or a mismatch to occur as Act21 and Act22.

  When the operator wants to change the lock / unlock set by the processing of FIG. 3 for one of the storage areas 41-1 to 41-n, the operator inputs an access key corresponding to the storage area. The user interface unit 3 is operated as described above. Then, the lock setting unit 1b determines Yes in Act 21, and proceeds to Act 23.

  As Act 23, the lock setting unit 1 b outputs the access key input by the operation on the user interface unit 3 to the interface unit 45. Thereby, the lock / unlock for the storage area corresponding to the access key is inverted by the access control unit 42. Thereafter, the lock setting unit 1b returns to the standby state of Act21 and Act22.

Thereby, in the above cases, the administrator of the personal computer 100 can change the storage area that has been fixed in the locked state to the unlocked state.
However, the state in which the lock / unlock is changed in accordance with the instruction from the operator as described above should be temporary in the case described above. Therefore, if the state set in the storage unit 4 and the state managed by the process shown in FIG. 3 are inconsistent, the lock setting unit 1b determines Yes in Act 22, and returns to Act 24. move on.

  As Act 24, the lock setting unit 1b causes the user interface unit 3 to display a guidance screen. Although the specific content of the guidance screen may be arbitrary, for example, to notify the administrator of the personal computer 100 that the lock / unlock for the storage area where the above-mentioned inconsistency is being manually set And Thereafter, the lock setting unit 1b returns to the standby state of Act21 and Act22.

  When the processing shown in FIG. 3 is executed at regular intervals, the lock / unlock change according to the operator's instruction as described above by the processing shown in FIG. 4 is shown in FIG. It may be canceled by processing. For this reason, the lock setting unit 1b may exclude the storage area where the above-described inconsistency occurs from the processing shown in FIG.

  By the way, when another personal computer having the same configuration as the personal computer 100 is present, it is assumed that the other personal computer and the personal computer 100 use each identifier as a necessary identifier. If the personal computer 100 does not transmit an identifier unless the operation of the information processing unit 1a is started, the personal computer 100 may fall into a deadlock state in which it waits for reception of the identifier. For this reason, it is preferable that the personal computer 100 is configured to transmit the identifier even when all the storage areas to be locked are unlocked. For example, the OS is stored in an area that is not locked under any conditions, and when the OS is started from there, the identifier is transmitted to the LAN 300. However, it is possible to avoid falling into the deadlock state by setting a rule that the identifier of the personal computer 100 is not set as a necessary identifier of another personal computer.

(Second Embodiment)
FIG. 5 is a block diagram showing a main circuit configuration of the personal computer 101 according to the second embodiment. 5, the same elements as those shown in FIG. 1 are denoted by the same reference numerals, and detailed description thereof is omitted.

  The personal computer 101 includes a wireless communication unit 2, a user interface unit 3, a storage unit 4 and a control unit 5. That is, the personal computer 101 includes the control unit 5 instead of the control unit 1 in the personal computer 100.

The control unit 5 includes a processor and a memory. The control unit 5 operates as the information processing unit 1a and the lock setting unit 5a by reading the program stored in the storage unit 4 and executing the program. The control unit 5 stores the tally table 5b in the above memory. Although not shown, the control unit 5 includes an interface unit for exchanging data with each connected unit.
The lock setting unit 5a outputs an access key to the storage unit 4 while referring to the tally table 5b by a lock state setting process described later.

FIG. 6 is a diagram schematically showing the structure of the tally table 5b.
The tally table 5b stores at least a plurality of entries in which the masked hash value and the encrypted electronic tally are associated with each of the storage areas 41-1 to 41-n.

  The masked hash value is obtained by masking a hash value obtained by substituting the identifier of the communication device 200 or the access point 400 into a predetermined hash function, leaving a part. For example, “xxxx12abxxxx” shown in FIG. 6 is a part of the hash value where “12ab” is left, and indicates a part where “x” is masked.

  The encrypted electronic tally is a set of an identifier and an electronic tally used for determining an associated masked hash value and encrypted with an unmasked hash value. The electronic tally is obtained by dividing the access key determined for the corresponding storage area by the secret sharing method. Of the encrypted electronic tally included in the plurality of entries for one storage area, j are determined using j electronic tally necessary for restoring the access key associated with the area. The That is, the tally table 5b includes at least j entries for one storage area.

Hereinafter, the masked hash value and the encrypted electronic tally will be described more specifically.
Assume that one of the necessary identifiers is “0x11 0x11 0x11 0x11 0x11 0x11” in hexadecimal notation, and the hash value calculated from this identifier is “0x123412ab5678” in hexadecimal notation. This hash value is a temporary value for explanation, and the size and value are not necessarily the same as the actual one. In the tally table, the hash value is masked before and after by “*”, and “**** 12ab ****” becomes the masked hash value. If one of the electronic tally obtained by dividing the access key “xxx” by the secret sharing method is “0xabcd1234 ...” in hexadecimal notation, the identifier “0x11 0x11 0x11 0x11” precedes it. “0x111111111111acbd1234...” That is a value obtained by concatenating “0x11 0x11” is encrypted using “0x123412ab5678” that is a hash value as an encryption key. A predetermined encryption algorithm is used for this encryption. As the encryption algorithm, for example, AES (advanced encryption standard) can be used. It is assumed that the value thus obtained is an encrypted electronic tally and is “0xf271d7df ...”. In this case, the tally table 5b includes an entry including a pair of “**** 12ab ****” as the masked hash value and “0xf271d7df ...” as the encrypted electronic tally. . Such entry creation processing is performed, for example, by the lock setting unit 5a.

  Thus, the tally table 5b is an example of a table that includes a plurality of entries that associate the masked hash value and the encrypted electronic tally with respect to devices such as the communication device 200 and the access point 400.

  Next, the operation of the personal computer 101 configured as described above will be described. Note that the content of the processing described below is an example, and various processing that can obtain the same result can be used as appropriate.

  The operation of the personal computer 101 is different from the operation of the personal computer 100 in the process for switching between lock / unlock in the lock setting unit 5a. Therefore, the processing will be described below.

  FIG. 7 is a flowchart showing a processing procedure in the lock setting unit 5a. Note that some of the operations having the same contents as those shown in FIG. 3 are omitted, and those shown in the drawings are given the same reference numerals, and detailed descriptions thereof are omitted.

The lock setting unit 5a collects identifiers as Act1 to Act4 in the same manner as the lock setting unit 1b. If the lock setting unit 5a determines Yes in Act 2 because the collection period has ended, the lock setting unit 5a proceeds to Act 31.
As Act31, the lock setting unit 5a calculates the hash values of all identifiers collected during the collection period. Thus, the lock setting unit 5a functions as calculation means for calculating a hash value.

As Act 32, the lock setting unit 5a increases the value of the variable m by one.
As Act 33, the lock setting unit 5a selects an unselected one of the plurality of entries for the mth storage area in the tally table 5b as a target entry.

  As Act 34, the lock setting unit 5a checks whether or not the entry of interest is an entry to be processed later. Specifically, the lock setting unit 5a has a hash value calculated by Act31 in which a hash value (hereinafter referred to as a candidate hash value) that matches the masked hash value included in the entry of interest in a portion that is not masked. Check if it exists in the value. Even between a plurality of different hash values, there may be a case where the portions are not masked to match each other. Therefore, there may be a plurality of candidate hash values. Then, if there is a candidate hash value, the lock setting unit 5a determines Yes and proceeds to Act35. Thus, the lock setting unit 5a functions as search means.

  As Act 35, the lock setting unit 5a decrypts the encrypted electronic tally included in the entry of interest with the candidate hash value. When there are a plurality of candidate hash values, the lock setting unit 5a decrypts each encrypted electronic tally with the plurality of candidate hash values. Thus, the lock setting unit 5a functions as a decryption unit.

  As Act 36, the lock setting unit 5a checks whether or not the identifier included in the data obtained by the decryption in Act 35 matches the identifier used in Act 31 to calculate the candidate hash value. If the lock setting unit 5a determines Yes to match, the process proceeds to Act 37.

  As Act 37, the lock setting unit 5a stores in the memory the electronic tally included in the data obtained by the decryption in Act 35 together with the matched identifier. Thus, the lock setting unit 5a functions as selection means. Thereafter, the lock setting unit 5a proceeds to Act 38. If the candidate hash value does not exist in the hash value calculated in Act 31, the lock setting unit 5a determines No in Act 34, passes Act 35 to Act 37, and proceeds to Act 38. If the identifier included in the data obtained by the decryption at Act 35 does not match the identifier used at Act 31 for calculating the candidate hash value, the lock setting unit 5a determines No at Act 36, and determines Act 37. Pass and proceed to Act 38.

Hereinafter, Act34 to Act37 will be described more specifically. Here, a specific description and conditions for the masked hash value and the encrypted electronic tally will be described together.
For example, it is assumed that “0x11 0x11 0x11 0x11 0x11 0x11” can be acquired from one of the communication devices 200 as an identifier. In this case, the lock setting unit 5a calculates the hash value of the identifier and obtains “0x123412ab5678”. The lock setting unit 5a searches the tally table 5b using “**** 12ab ****” which is a result of masking the front and back of the hash value as a key. If the tally table 5b has the contents shown in FIG. 6, the lock setting unit 5a finds the top entry in each of the first and nth storage areas by the above search. The lock setting unit 5a acquires “0xf271d7df ...” as the value of the encrypted electronic tally from the found entry in the first storage area. Further, the lock setting unit 5a decrypts the encrypted electronic tally “0xf271d7df ...” using “0x123412ab5678” that is the hash value of the identifier of the communication device 200 as an encryption key, thereby “0x111111111111acbd1234 ...”. Get. Since the first half of the decryption result matches the above-obtained identifier “0x11 0x11 0x11 0x11 0x11 0x11”, the lock setting unit 5a assigns the top entry of the first storage area to the above-mentioned entry. It is determined that the entry is correct corresponding to the communication device 200 identified by the acquired identification information. Then, the lock setting unit 5a stores “0xabcd1234”, which is the latter half of the decryption result, as one of electronic tally. On the other hand, the lock setting unit 5a acquires “0xe287bbae ...” as the value of the encrypted electronic tally from the found entry of the nth storage area. Further, the lock setting unit 5a decrypts the encrypted electronic tally “0xe287bbae ...” using “0x123412ab5678” which is the hash value of the identifier of the communication device 200 as an encryption key, and the decryption result is “0x111111111111acbd1234. .. " Since the first half of the decryption result does not match the above-obtained identifier “0x11 0x11 0x11 0x11 0x11 0x11”, the lock setting unit 5a changes the top entry of the nth storage area to the above entry. It is determined that the entry is not a correct entry corresponding to the communication device 200 identified by the acquired identification information. Then, the lock setting unit 5a does not store “0xabcd1234”, which is the latter half of the decryption result, as one of the electronic tally.

  As Act 38, the lock setting unit 5a checks whether or not there is no unselected entry among the plurality of entries for the m-th storage area in the tally table 5b. If the lock setting unit 5a determines No because there is an unselected entry, the lock setting unit 5a returns to Act 33 and repeats the subsequent processing. Thereby, the lock setting unit 5a executes Act33 to Act37 in a state where each of the plurality of entries for the mth storage area in the tally table 5b is set as the target entry. At this time, when the Act 37 is executed a plurality of times, the lock setting unit 5a adds and saves a new electronic tally without deleting the already stored electronic tally. When the lock setting unit 5a has finished executing Act33 to Act37 with all of the plurality of entries for the mth storage area in the tally table 5b as the target entry, it determines Yes in Act38 and proceeds to Act39.

  As Act 39, the lock setting unit 5a attempts to restore the access key using the electronic tally saved in the memory. If all of the electronic tally divided from one access key by the secret division method is stored in the memory, the access key can be restored from the electronic tally by a known process. Thus, the lock setting unit 5a functions as a restoring unit.

  As Act 40, the lock setting unit 5a confirms whether or not the access key has been successfully restored. If the lock setting unit 5a determines Yes because the restoration is successful, the process proceeds to Act7. On the other hand, if the lock setting unit 5a determines No because the restoration has failed, the process proceeds to Act8. Thereafter, the lock setting unit 5a executes Act7 to Act10 in the same manner as the lock setting unit 1b. However, if it is determined No in Act 10, the lock setting unit 5a returns to Act 32.

  Thus, as with the personal computer 100, when the personal computer 101 is taken out to a place other than the normal office place, the storage areas 41-1 to 41-n are locked. Thereby, the effect similar to 1st Embodiment is achieved.

  In the personal computer 100 according to the first embodiment, if the contents of the key table 1c are analyzed by an unauthorized person, the access key may be known. Even if the access key can be protected from unauthorized persons from knowing its value by some means such as encryption, if the environment in which the personal computer 100 operates normally is formed in a pseudo manner, the storage areas 41-1 to 41-1 41-n can be accessed. However, since it is not easy for an outsider to check the identifiers of the communication device 200 and the access point 400, the personal computer 100 according to the first embodiment can ensure a certain level of security.

On the other hand, according to the personal computer 101, no access key is stored in the tally table 5b. For this reason, even if the tally table 5b is analyzed by an unauthorized person, the risk of the access key being known to the unauthorized person is low, and higher security than that of the personal computer 100 can be ensured.
Moreover, the personal computer 101 holds an electronic tally and does not require other devices to transmit the electronic tally.

  In the personal computer 101, it is also possible to dynamically update the tally table 5b. When the access key can be restored in Act 39, the lock setting unit 5a can determine that the personal computer 101 is in a safe environment, that is, in an environment where it should normally operate. In such a case, the lock setting unit 5a may update the tally table 5b by the following procedure.

The lock setting unit 5a masks a part of the hash value calculated when the hash value calculated in Act 31 does not match any masked hash value included in the tally table 5b in the unmasked part. To generate a new masked hash value. In addition, the lock setting unit 5a encrypts a set of one of the reconfigured electronic tally and the identifier used to calculate the hash value with the hash value, thereby creating a new encrypted electronic Generate tally. Then, the lock setting unit 5a adds a new entry including the generated masked hash value and the encrypted electronic tally to the tally table 5b.
Thereby, even when the communication device 200 or the access point 400 is replaced due to a failure or the like, the tally table is automatically updated, so that there is no need for an administrator or a service person to reset the tally table, Maintainability is improved.

  At this time, in addition to the masked hash value and the encrypted electronic tally, the data of the date and time at which the identifier of the communication device 200 or the access point 400 was last acquired may be included in the entry of the tally table 5b. . In this way, when the data size of the tally table 5b is equal to or greater than the threshold, the entries are deleted in order from the oldest date and time so that the data size of the tally table 5b does not become too large. be able to.

(Third embodiment)
In the third embodiment, a payment terminal that processes payment by credit card will be described as an example of the information processing apparatus.

  FIG. 8 is a block diagram showing a main circuit configuration of a payment terminal 500 according to the third embodiment. 5, the same elements as those shown in FIG. 1 are denoted by the same reference numerals, and detailed description thereof is omitted.

The payment terminal 500 includes a storage unit 4 and a payment processing unit 6.
The settlement processing unit 6 includes a reading unit 61, a control unit 62, a printing unit 63, a transmission / reception unit 64, and a user interface unit 65. The reading unit 61, the printing unit 63, the transmission / reception unit 64, and the user interface unit 65 are connected to the control unit 62.

  The reading unit 61 reads card data recorded on a payment card such as a credit card. The reading unit 61 encrypts the read card data and sends it to the control unit 62. As the reading unit 61, for example, a known device configured to include a magnetic card reader or the like can be used.

  A POS terminal 600 is connected to the control unit 62 without going through the LAN 300. For example, a general-purpose serial interface can be used for connection between the control unit 62 and the POS terminal 600. The control unit 62 includes a processor and a memory. The control unit 62 operates as the settlement processing unit 62a and the lock setting unit 1b by reading the program stored in the storage unit 4 and executing the program. The control unit 62 also stores the key table 1c in the above memory. Although illustration is omitted, the control unit 62 includes an interface unit for exchanging data with each connected unit.

  The settlement processing unit 62a acquires transaction data representing a settlement amount related to a transaction to be settled from the POS terminal 600. The settlement processing unit 62a receives and decrypts the encrypted card data sent from the reading unit 61. The settlement processing unit 62a encrypts settlement data including transaction data and card data by a method defined by a settlement service provided by the settlement server 700. The settlement processing unit 62a controls the transmission / reception unit 64 so as to transmit the encrypted settlement data to the settlement server 700. The settlement processing unit 62a represents the settlement result based on the settlement data, and controls the printing unit 63 to print a slip representing the settlement result based on the response data transmitted from the settlement server 700.

  The printing unit 63 issues a settlement slip by printing a slip image on a slip sheet under an instruction from the settlement processing unit 62a. As the printing unit 63, for example, a known device configured to include a thermal printer or the like can be used.

  The transmission / reception unit 64 performs data communication via the LAN 300. The partner with which the transmission / reception unit 64 communicates is mainly the settlement server 700, but communication with a plurality of POS terminals 600 and POS servers 800 connected to the LAN 300 is also possible. The transmission / reception unit 64 sends the payment data to the payment server 700 to the LAN 300 under the control of the control unit 62. The transmission / reception unit 64 receives response data transmitted from the payment server 700 and received via the payment network 900 and the LAN 300, and provides the response data to the payment processing unit 62a. When the lock setting unit 1b is executing a lock state setting process to be described later, the transmission / reception unit 64 receives a packet transmitted via the LAN 300, and whether or not the packet is addressed to the settlement terminal 500. Regardless, it is given to the control unit 62. As the transmission / reception unit 64, a known device adapted to the LAN 300 can be used. The LAN 300 may be configured as either a wired LAN or a wireless LAN, or a combination of a wired LAN and a wireless LAN. The LAN 300 may be replaced with another type of communication network such as an optical communication network or Bluetooth (registered trademark), or may be combined. That is, the LAN 300 can be replaced with any communication network as long as the transmitted data includes the identifier of the transmission source device. That is, the LAN is an example of a communication network.

  A plurality of POS terminals 600 belong to one POS system and are connected to the LAN 300 in order to communicate with a POS server 800 mainly belonging to the same POS system. When the POS terminal 600 to which the illustrated payment terminal 500 is not connected permits card payment, a payment terminal 500 different from the illustrated one is connected without going through the LAN 300. That is, although only one payment terminal 500 is shown in FIG. 8, a POS system may be configured including a plurality of payment terminals 500 while being connected to other POS terminals 600.

  The user interface unit 65 inputs a user instruction to the control unit 62. Thus, the user interface unit 65 is an example of an input device. The user interface unit 65 outputs information to be notified to the user regarding the operation of the control unit 62. As the user interface unit 65, for example, a touch panel can be used.

  The storage unit 4 is the same as in the first embodiment. However, the storage unit 4 is connected to the control unit 31 instead of the control unit 1 in the first embodiment.

  Next, the operation of payment terminal 500 configured as described above will be described. Note that the content of the processing described below is an example, and various processing that can obtain the same result can be used as appropriate.

  A plurality of different program files for realizing the function as the settlement processing unit 62a in the control unit 62 are stored in each of the storage areas 21-1 to 21-n set in the storage unit 21. Is done. When the control unit 62 selectively executes one of the plurality of program files, it is possible to change the content of the payment processing by the payment processing unit 62a. For example, when a security crisis is suspected, such as analysis of the contents of payment processing based on a program file, the above-mentioned crisis can be avoided by switching to payment processing based on another program file. .

  On the other hand, the program file for the control unit 62 to realize the function as the lock setting unit 1 b is stored in an area that is first read when the settlement terminal 500 is activated among the areas set in the storage unit 21. This area is generally an area where an operating system is stored. This area is set so that at least reading is possible at the time of activation.

  And the control unit 62 starts the operation | movement similar to 1st Embodiment as the lock setting part 1b based on said program file at a predetermined timing. The timing is, for example, when the payment terminal 500 is activated. Or the said timing is good also as every fixed time.

  Thus, according to the settlement terminal 500, the storage areas 21-1 to 21-n are automatically unlocked when they are in an environment where they can receive an identifier of at least one predetermined device. Therefore, in this case, the operator does not have to perform an operation for inputting the access key. In addition, since the payment terminal 500 uses an identifier that is transmitted from another device and acquired via the LAN 300, the other device does not need to have a function that can transmit a tally in the secret sharing method.

  Now, as a fraudulent act on a device such as the payment terminal 500, the device is illegally taken out of a store where the device is originally installed by an unauthorized person outside the business hours, and the program file is analyzed or modified. The act of returning to the store is known.

  However, when the payment terminal 500 is taken out by an unauthorized person from the store where it is originally installed, the payment terminal 500 is disconnected from the LAN 300 and cannot receive a packet from a device connected to the LAN 300. Therefore, all of the storage areas 21-1 to 21-n are locked. Thereby, the unauthorized person cannot take out the decrypted program file from the storage unit 21, and the contents of the settlement process by the settlement processing unit 62a can be prevented from being analyzed by the unauthorized person.

  It is also conceivable that an unauthorized person who has entered the store outside the store's business hours without trying to bring the payment terminal 500 out of the store will attempt to analyze or modify the program file while being connected to the LAN 300. However, since other devices such as the POS terminal 600 have stopped operating, packets from those devices cannot be received. Thereby, fraud can be prevented similarly to the above.

  Note that the lock setting unit 1b also executes the processing shown in FIG. 4 in the same manner as in the first embodiment. As a result, as in the first embodiment, the administrator of the payment terminal 500 can change the storage area that has been fixed in the locked state to the unlocked state.

This embodiment can be variously modified as follows.
The present invention can also be realized as other types of information processing apparatuses that perform specific information processing other than payment processing.

  The lock setting units 1b and 5a may be realized as hardware, or may be realized by combining software control with hardware such as a logic circuit.

  The storage unit 4 may be externally attached to the personal computers 100 and 101 or the payment terminal 500.

  Acquisition of an identifier of another device may be performed without going through a communication network. For example, the identifier transmitted from the lighting fixture as the brightness of the illumination light may be acquired via a light detection device such as a photodiode. Alternatively, an identifier that is wirelessly transmitted using Bluetooth (registered trademark) or the like from a device carried by a user who has authority to use the personal computer 100 may be acquired via a receiving device. Or you may acquire the identifier transmitted via the said USB etc. from the apparatus wiredly connected via USB (universal serial bus) etc. with respect to the personal computer 100. FIG.

  The key table 1c may be associated with each of the necessary identifiers and store information indicating the timing at which the necessary identifiers were most recently acquired. Then, the lock setting unit 1b may set the storage area in which the elapsed time from the timing at which all the necessary necessary identifiers have been acquired is within a specified time to the unlocked state. In other words, the lock setting unit 1b enters an unlocked state when all of the associated necessary identifiers can be acquired within a specified time for a certain storage area, and any of the required identifiers cannot be acquired over the specified time. If it is locked, it will be locked.

  The tally table 5b may be associated with each entry, and may store information indicating the timing stored as relating to the identification information obtained from the electronic tally extracted from the entry. The lock setting unit 5a unlocks the storage area associated with the access key when the elapsed time from the timing when the electronic tally for restoring the access key can be obtained is within a specified time. It may be in a locked state. In other words, the lock setting unit 5a sets an unlocked state when all the electronic tally for restoring the associated access key is obtained within a specified time for a certain storage area, and any of the electronic tally is set for the specified time. A locked state is set when it cannot be obtained over the above.

  The device identified by the necessary identifier does not need to be installed in the vicinity of the place where the personal computers 100 and 101 and the payment terminal 500 are originally used, and may be a server installed in a remote place, for example. Good.

  Similar to the relationship between the first embodiment and the second embodiment, the lock setting unit 1b and the key table 1c are replaced with the lock setting unit 5a and the tally table 5b instead of the control unit 31 in the third embodiment. It is also possible to provide a control unit. Thereby, also in the payment terminal like 3rd Embodiment, it becomes possible to acquire the effect similar to 4th Embodiment.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

  DESCRIPTION OF SYMBOLS 1 ... Control unit, 1a ... Information processing part, 1b ... Lock setting part, 1c ... Key table, 2 ... Wireless communication unit, 3 ... User interface unit, 4 ... Storage unit, 5 ... Control unit, 5a ... Lock setting part, 5b ... tally table, 6 ... settlement processing unit, 21 ... storage unit, 21-1 to 21-n ... storage region, 31 ... control unit, 41 ... storage unit, 41-1 to 41-n ... storage region, 42 ... Access control unit 43 ... Encryption key output unit 44 ... Encryption processing unit 45 ... Interface unit 61 ... Reading unit 62 ... Control unit 62a ... Settlement processing unit 63 ... Printing unit 64 ... Transmission / reception unit 65 ... User interface unit, 100, 101 ... Personal computer, 200 ... Communication device, 300 ... LAN, 400 ... Access point, 500 ... Payment terminal, 600 ... P S terminal, 700 ... settlement server, 800 ... POS server, 900 ... settlement network.

Claims (5)

A file obtained by encrypting a file given from the outside is stored in the storage means, and the storage means is unlocked or locked in response to the input of a predetermined access key. In an information processing apparatus that performs information processing using the decrypted file by using a storage device that decrypts and outputs the file stored in the storage means,
Identifier acquisition means for acquiring an identifier transmitted by another device;
Key acquisition means for acquiring an access key based on the identifier acquired by the identifier acquisition means;
Input means for inputting the access key acquired by the key acquisition means to the storage device;
An information processing apparatus comprising: The key acquisition means includes
A table describing the access key in association with the identifier;
Reading means for reading out the access key associated with the identifier acquired by the identifier acquiring means from the table;
The information processing apparatus according to claim 1, further comprising: The key acquisition means includes
A masked hash value obtained by masking a part of a hash value obtained from the identifier of the device and a set of the identifier of the device and an electronic tally assigned to the device are encrypted with the hash value. A table including a plurality of entries associated with the encrypted encrypted electronic tally for each of the devices;
Calculation means for calculating a hash value of the identifier acquired by the identifier acquisition means;
Search means for searching an entry including a masked hash value whose unmasked portion matches the hash value calculated by the calculation means;
Decryption means for decrypting the encrypted electronic tally included in the entry searched by the search means with the hash value calculated by the calculation means;
When the identifier included in the set of the identifier and the electronic tally obtained by decrypting the encrypted electronic tally by the decryption unit matches the identifier acquired by the identifier acquisition unit, the electronic tally included in the set A selection means to select as effective,
Restoring means for restoring the access key from a plurality of electronic tallys selected by the selecting means;
The information processing apparatus according to claim 1, further comprising: When the access key can be restored by the restoration means, a hash value that does not match in any part of the hash value calculated by the calculation means that is not masked with any of the masked hash values included in the table To generate a new masked hash value by masking a part of the extracted hash value, the identifier used by the calculation means to calculate the extracted hash value, and the reconfigured electronic A set of one of the tallys is encrypted with the extracted hash value to generate a new encrypted electronic tally, and a new one including the encrypted electronic tally and the generated masked hash value is generated. Adding means for adding a new entry to the table,
The information processing apparatus according to claim 3, further comprising: The key acquisition means includes
An input device that inputs information in response to an operation by the operator,
Further comprising
When an access key is input by the input device, the access key is acquired.
The information processing apparatus according to any one of claims 1 to 4.