JP5151531B2 - Image forming apparatus and data management method - Google Patents

Description

  The present invention relates to an image forming apparatus and a data management method.

  In recent years, an image forming apparatus capable of additionally installing a program after shipment has been provided. Also, such a program can be downloaded via a network from, for example, a website operated by the manufacturer of the image forming apparatus.

By enabling the distribution of the program via the network, the user of the image forming apparatus can easily obtain the program and enhance the function of the image forming apparatus.
JP 2005-275694 A

  However, it is not always the case that the users of the program are good faith users. For example, there may be a person who tries to decipher the acquired program and create a pirated version. In particular, in recent years, it is possible to execute a Java (registered trademark) program in an image forming apparatus, but it is very easy to decode an intermediate code of Java (registered trademark) compared to a program in another language. There is a fact that there are tools that support decoding.

  The present invention has been made in view of the above points, and an object thereof is to provide an image forming apparatus and a data management method capable of appropriately reducing the possibility of decoding electronic data.

  Accordingly, in order to solve the above-described problem, the present invention is an image forming apparatus provided with a plurality of types of storage media, in which a first encryption key is recorded in advance, and a plurality of electronic files are stored. Data input means for receiving input of a package file; first decryption means for decrypting the package file with the first encryption key; and at least a storage location and an encryption strength for each electronic file stored in the package file An acquisition unit for acquiring protection information for identifying one of the plurality of electronic files stored in the decrypted package file, and storing in the storage destination based on the protection information and the protection information And storage means for executing at least one of storage by encryption based on encryption strength based on That.

  In such an image forming apparatus, it is possible to appropriately reduce the possibility of the electronic data being decoded.

  According to the present invention, it is possible to provide an image forming apparatus and a data management method capable of appropriately reducing the possibility of decoding electronic data.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram showing an example of a system configuration in the embodiment of the present invention. In the figure, the distribution server 10 and one or more devices 20 are connected by a network 30 such as the Internet or a LAN (Local Area Network).

  The distribution server 10 is a computer that manages the program package 11 and executes distribution of the program package 11 in response to a download request from the device 20. In the distribution server 10, the entire program package 11 is encrypted with the encryption key B. Therefore, at the time of downloading, the program package 11 is distributed on the network in an encrypted state. In the figure, the program package 11 is described as one block, but a plurality of program packages 11 may exist depending on the function to be realized (type of application). The program package 11 is a plurality of program files packaged (archived) into one file, and is also a program distribution unit. Taking Java (registered trademark) as an example, one program package 11 corresponds to one JAR file.

  FIG. 2 is a diagram showing a configuration example of a program package in the embodiment of the present invention. In the figure, a program package 11 includes a profile data file 111, a program file 112, a data file 113, and the like. The profile data file 111 is a file in which the protection information of the program file 112 is defined for each of the program file 112 and the data file 113 included in the program package 11. Here, the protection information refers to information for identifying a processing content or the like required (to protect) a file to be protected.

  The program file 112 is a file in which the substance of the program package 11 is stored, and a plurality of program files 112 can be stored in one program package 111. For example, taking Java (registered trademark) as an example, a Class file corresponds. The data file 113 is a file in which program setting information, environment information, and the like are recorded, and a plurality of data files 113 are stored in one program package.

  Returning to FIG. The device 20 is an image forming apparatus generally called a multifunction peripheral or a multifunction peripheral that realizes a copy function, a print function, a scanner function, a FAX function, and the like in a single casing. The device 20 can additionally install the program package 11 downloaded from the distribution server 10 to enhance the function. In applying the present invention, the device 20 does not necessarily have to be a multifunction device. For example, an image forming apparatus such as a copier, a printer, a scanner, or a facsimile may be used.

  FIG. 3 is a diagram illustrating a hardware configuration example of the device according to the embodiment of the present invention. In the figure, a device 20 includes a ROM 21, a RAM 22, a CPU 23, a TPM (Trusted Platform Module) 24, a flash memory 25, an HDD (Hard Disk Drive) 26, an operation panel 27, a scanner 28, A printer 29 and the like are provided.

  The ROM 21 stores various programs and data used by the programs. The RAM 22 is used as a storage area for loading a program, a work area for the loaded program, and the like. The CPU 23 realizes functions to be described later by processing a program loaded in the RAM 22. The TPM 24 is an example of a secure device and is also called a security chip. The TPM 24 is unique to each device 20, and if it is removed from the device 20, the device 20 cannot be activated. Further, the contents of the TPM 24 cannot be read by the other device 20 or the computer after the TPM 24 is removed. In the present embodiment, the TPM 24 generates and stores the encryption key A. The encryption key A is used for encrypting data recorded in the flash memory 25. A partial area or the whole of the flash memory 25 may be encrypted with the encryption key A. Note that the encryption key A is generated by the TPM 24 unique to each device 20, and therefore differs from device 20 to device 20.

  The flash memory 25 is a rewritable nonvolatile memory (ROM). In the present embodiment, the encryption key B is stored and used as a storage unit for the installation destination (save destination) of the program file 112 included in the program package 11. The encryption key B is the same encryption key as the encryption key B in FIG. The encryption key B is used for decrypting the program file 112 included in the program package 11 downloaded from the distribution server 10.

  The HDD 26 is a so-called HDD, and is used as a storage unit for storing the program file 112 included in the downloaded program package 11. That is, in the present embodiment, the flash memory 25 and the HDD 26 correspond to a plurality of types of storage media that are storage destinations of the program file 112. The HDD 26 is also used as a storage area for storing image data scanned by the device 20, user information, address book information, and the like. An NVRAM (Non-volatile RAM) or the like may be used instead of the HDD 26 or in combination with the HDD 26.

  The operation panel 27 is hardware including a button, a liquid crystal panel, and the like for receiving input from the user and notifying information to the user. The scanner 28 is hardware for reading image data from a document. The printer 28 is hardware for printing image data on printing paper.

  FIG. 4 is a diagram illustrating a functional configuration example of the device according to the embodiment of the present invention. In the figure, the device 20 includes an initialization unit 210, an installation unit 220, and the like. Each unit in the figure is realized by processing that the program causes the CPU 23 to execute. The initialization unit 210 controls an initialization process that is executed before the device 20 is shipped from the factory. The encryption keys A and B are stored in the device 20 by the initialization process. The installation unit 220 includes a download unit 221, a flash memory decryption unit 222, a program decryption unit 223, a protection information analysis unit 224, an encryption key generation unit 225, a storage unit 226, and the like, and controls the installation process of the program package 11. .

  The download unit 221 downloads (receives) the program package 11 from the distribution server 10 to receive an input of the program package 11 that is an installation (storage) target. The flash memory decryption unit 222 decrypts the encryption key B stored in the flash memory 25 with the encryption key A stored in the TPM 24. The program decryption unit 223 decrypts the program package 11 with the encryption key B decrypted by the flash memory decryption unit 222.

  The protection information analysis unit 224 determines the processing content requested for each of the program file 112 and the data file 113 based on the protection information stored in the profile data file 111 of the downloaded program package 11. The encryption key generation unit 225 randomly generates an encryption key for encrypting the program file 112 or the like that requires encryption based on the protection information. The storage unit 226 stores the program file 112 and the like in a storage destination (flash memory 25 or HDD 26) determined based on the protection information. Note that the storage unit 226 stores the program file 112 or the like that is required to be encrypted based on the protection information after being encrypted with the encryption key generated by the encryption key generation unit 225.

  Hereinafter, the processing procedure of the device 20 will be described. FIG. 5 is a sequence diagram for explaining a processing procedure executed before shipping the device.

  When an initialization instruction is input before the device 20 is shipped from the factory, the initialization unit 210 issues an encryption key A initialization command to the TPM 24 (S101). The TPM 24 randomly generates the encryption key A, records (stores) the generated encryption key A in the TPM 24, and outputs it to the initialization unit 210 (S102).

  Subsequently, when the encryption key B is input, the initialization unit 210 stores the encryption key B in the flash memory 25 (S103). Subsequently, the initialization unit 210 encrypts the entire flash memory 25 or a part of the area including the encryption key B stored in the flash memory 25 using the encryption key A (S104). Subsequently, the initialization unit 210 stores a program (initial program) installed at the time of shipment in the HDD 26 (S105).

  As is clear from the processing described above, the device 20 has the encryption keys A and B recorded in the TPM 24 or the flash memory 25 at the time of factory shipment. The encryption key B is encrypted with the encryption key A at the time of shipment from the factory.

  Next, a processing procedure when the program package 11 is installed in the device 20 after the shipped device 20 is installed in the user's office or the like will be described. FIG. 6 is a flowchart for explaining the processing procedure of the installation processing by the installation unit.

  For example, when an instruction to install the program package 11 is input via the operation panel 27 or the like, the download unit 221 downloads the designated program package 11 from the distribution server 10 (S201). The program package 11 is downloaded in an encrypted state with the encryption key B. Further, at the time of downloading, it is preferable to use encrypted communication such as SSL (Secure Socket Layer).

  Subsequently, the flash memory decryption unit 222 acquires the encryption key A from the TPM 24 (S202), and decrypts the flash memory 25 with the encryption key A (S203). Thereby, the encryption key B stored in the flash memory 25 is decrypted.

  Subsequently, the program decryption unit 223 acquires the encryption key B from the decrypted flash memory 25 (S204), and decrypts the program package 11 using the encryption key B (S205). Subsequently, the program decryption unit 223 temporarily stores the profile data file 111, the program file 112, and the data file 113 stored in the program package 11 that has been compressed in, for example, the zip format or is made into an archive file. The data is expanded in the RAM 22 or the HDD 26 (S206).

  Step S207 and subsequent steps are loop processing that is repeatedly executed for each expanded program file 112 or data file 113. Therefore, one program file 112 or data file 113 is sequentially processed. Hereinafter, the program file 112 or the data file 113 to be processed in the loop process is referred to as “current file”.

  In step S207, the protection information analysis unit 224 determines the processing content required for the current file based on the protection information stored in the profile data file 111 (S207).

  FIG. 7 is a diagram illustrating a configuration example of protection information. As shown in the figure, the protection information 111a is information in which a file name, a confidential level, a storage destination, and an encryption strength are defined for each program file 112 or data file 113. The security level is divided into three levels of “high”, “medium”, and “low” according to the required security level. As the storage destination, the flash memory 25 or the HDD 26 is designated. The encryption strength specifies the strength of encryption when storing a file. Note that the flash memory 25 is difficult to physically remove from the device 20 as compared to the HDD 26 and is considered to be safer as much, and therefore, the flash memory 25 is treated as a more secure storage medium in the present embodiment.

  Therefore, in step S207, the protection information analysis unit 224 obtains protection information (one line in FIG. 7; hereinafter referred to as “current protection information”) corresponding to the file name of the current file, and records it in the RAM 22.

  Subsequently, the encryption key generation unit 225 determines whether or not encryption is requested in the current protection information (encryption strength is specified) (S208). If encryption is requested (Yes in S208), the encryption key generation unit 225 randomly generates an encryption key having the encryption strength specified in the current protection information based on a random number or the like (S209). Since the encryption key generated here is random, it is highly likely to be unique to each file (different for each file). Therefore, even if the encryption key for one file leaks, it does not affect other files.

  Subsequently, the storage unit 226 encrypts the current file using the encryption key generated by the encryption key generation unit 225 (S210). After the encryption is completed, the storage unit 226 stores the used encryption key in the flash memory 25 in association with the current file (for example, in association with the file name). By doing so, the corresponding encryption key can be identified when the current file is decrypted.

  On the other hand, when encryption is not requested in the current protection information (No in S208), the encryption key generation unit 225 does not generate an encryption key.

  Subsequently, the storage unit 226 determines the storage destination of the current file based on the current protection information (S211). When the storage destination of the current protection information is “flash memory”, the storage unit 226 stores the current file in the flash memory 25 (S212), and encrypts the flash memory 25 with the encryption key A (S213). On the other hand, when the storage destination of the current protection information is “HDD”, the storage unit 226 stores the current file in the HDD 26 (S214).

  When the processing after step S207 is completed for all the files included in the program package (Yes in S215), the installation processing ends. Each file temporarily expanded in step S206 is deleted as needed by the storage unit 226 after each file is saved.

  Thus, each file included in the program package 11 is encrypted with the encryption strength specified in the protection information 111a. In addition, based on the storage location specified in the protection information 111a, the storage location of the file is selected from the recording media with different safety regarding information leakage. That is, in the device 20 according to the present embodiment, the protection strength of the file can be changed depending on the combination of the storage destination and the encryption strength (including the necessity of encryption). Therefore, the file can be flexibly protected according to the importance of the file.

  The contents executed by the processing of FIG. 6 are conceptually shown as follows. FIG. 8 is a diagram conceptually showing installation of a program package on the device based on the protection information.

  FIG. 8 shows an example in which the program package 11 downloaded from the distribution server 10 is decrypted with the key B and then expanded into the profile data file 111, the program files 112a, 112b, and 112c, and the data files 113a and 113. It is shown.

  Each file is processed based on the protection information stored in the profile data file 111. For example, the program file 112 a is encrypted with the key Xa generated by the encryption key generation unit 225 and stored in the flash memory 25. The program file 112 b is encrypted with the key Xc generated by the encryption key generation unit 225 and stored in the HDD 26. The program file 112c is stored in the HDD 26 as plain text. The data file 113 a is encrypted with the key Xb generated by the encryption key generation unit 225 and stored in the flash memory 25. The data file 113b is stored in the HDD 26 in plain text.

  The profile data file 111 may be managed outside the program package 11. For example, it may be stored in advance in the device 10 or may be stored in a computer connected via a network.

  Further, the protection information of each file may be described in each file. For example, if the program file 112 or the data file 113 is in text format, it may be described as a comment in the file. Further, a code for identifying the protection information may be included in the file name. By attaching the protection information to each file, the independence of the protection information with respect to the package configuration of the program package 11 can be enhanced. That is, it is not necessary to change the profile data file 111 according to the addition or deletion of the file.

  Also, the method for defining protection information need not be for each file name. For example, the protection information may be defined for each file name or keyword included in the file. Further, the files may be classified into groups according to other information, and the protection information may be defined for each group.

  By the way, the program entity may be protected by distributing the stub without distributing the program entity. FIG. 9 is a diagram illustrating a configuration example when a stub is distributed. In FIG. 9, the same parts as those of FIG.

  In the figure, an example is shown in which the program file 112c is a stub (a program that does not include the logic (entity) of the program and has only an interface for calling the logic). The substance of the program is stored as a program file 112r in the program execution server 40 which is a computer connected to the device 10 via a network, for example.

  In such a configuration, for example, when the application 115 that is one of the applications in the device 20 calls a function or method of the program file 112c (S301), the program file 112c stores the RPC ( A call by Remote Procedure Call is performed on the program file 112r (S302). Thereby, the process requested by the application 115 is executed by the program file 112r, and the result is returned to the application 115 via the program file r112c.

  The processing content will be described in more detail. FIG. 10 is a flowchart for explaining the processing procedure by the stub. In the same figure, it demonstrates based on the structure of FIG.

  When the function of the program file 112c is called from the application 115 in the device 10 (S401), the program file 112c makes a connection request to the program execution server 40 (S402).

  The program execution server 40 that has been waiting (S501) authenticates the device 10 in response to a connection request from the program file 112c (S502). For the authentication, for example, a known one such as SSL (Secure Socket Layer) client authentication may be used. In this case, in step S402, the client certificate of the device 10 is transferred from the device 10 to the program execution server 40.

  When the device 10 is not authenticated (No in S503), the program execution server 40 disconnects the connection with the device 10 as an error (S506). When the device 10 is authenticated, the program execution server 40 maintains the connection with the device 10.

  Subsequently, the program file 112c calls the program file 112r by RPC (Remote Procedure Call) of the function corresponding to the function called from the application 15 (S403). At this time, for example, a message ID for identifying each request from the device 10, a program ID for identifying the program file 112 r, and argument data of a function related to RPC are transferred to the program execution server 40.

  In the program execution server 40, the program file 112r is called and a function related to RPC is executed (S504). When the processing is completed, the program file 112r returns a message ID, a program ID, and an execution result to the program file 112c (S505).

  When the program file 112c acquires the execution result (S404), the program file 112c returns the execution result to the calling application 15 (S405).

  As described above, according to the present embodiment, the program package 11 to be installed is encrypted and distributed. Therefore, it is possible to reduce the possibility of being decoded in the distribution process. In particular, intermediate codes (such as JAR files) of Java (registered trademark) are easy to decipher, and the source code can be protected more effectively against such programs. Further, the device 20 decrypts the program package 11 to be installed with the encryption key B stored in advance before shipment. Therefore, it is not necessary to distribute the encryption key B, and the possibility that the encryption key B is stolen can be reduced.

  The encryption key B is recorded in the flash memory 25 in a state encrypted with the encryption key A stored in the secure device. Therefore, even if the flash memory 25 is taken out, the possibility that the encryption key B is decrypted can be reduced.

  A device that is more secure than the flash memory may be used instead of the flash memory 25. By doing so, the encryption key B can be managed more securely. A specific example of such a device is a memory device having tamper resistance. In other words, if it is difficult to analyze the internal structure or the data being handled, or if there is unauthorized access from outside (such as disassembling and trying to analyze), the device itself will be destroyed in a circuit. In addition, a means for preventing forgery, alteration, tampering and the like is provided.

  Note that the flash memory 25 does not encrypt and decrypt the entire data, but encrypts and decrypts a part of each data (encryption key B and program file 112) stored in the flash memory 25 or a part of the area. May be performed.

  In addition, the device 20 according to the present embodiment selects a storage destination according to the protection information of the profile data file 111. As a result, a profile with a high protection level can be managed more securely, and a performance at startup or the like can be prioritized for a file with a low protection level. In addition, since files that do not need to be protected can be stored in a relatively inexpensive device, the required amount of expensive devices can be reduced, and the cost of the entire device 20 can be reduced.

  Further, the program package 11 does not necessarily have to be downloaded via a network. For example, the program package 11 may be installed via an SD card, a CD-ROM, or the like on which the program package 11 encrypted with the encryption key B is recorded.

  In the present embodiment, the protection target is described as the program package 11, but the present invention is effective for the protection of the entire electronic data. That is, the present embodiment may be realized by replacing the program package 11 with arbitrary electronic data.

  Further, the secure device is not limited to the TPM. Other devices (for example, tamper-resistant memory devices) that function normally only when attached to the device 20 or have difficulty in reading stored information even if they are removed May be substituted.

  As mentioned above, although the Example of this invention was explained in full detail, this invention is not limited to such specific embodiment, In the range of the summary of this invention described in the claim, various deformation | transformation・ Change is possible.

It is a figure which shows the system configuration example in embodiment of this invention. It is a figure which shows the example of a program package structure in embodiment of this invention. It is a figure which shows the hardware structural example of the apparatus in embodiment of this invention. It is a figure which shows the function structural example of the apparatus in embodiment of this invention. It is a sequence diagram for demonstrating the processing procedure performed before shipment of an apparatus. It is a flowchart for demonstrating the process sequence of the installation process by an installation part. It is a figure which shows the structural example of protection information. It is a figure which shows notionally the installation to the apparatus of the program package based on protection information. It is a figure which shows the structural example at the time of distributing a stub. It is a flowchart for demonstrating the process sequence by a stub.

Explanation of symbols

10 Distribution Server 11 Program Package 11 Profile Data File 12 Program File 13 Data File 20 Device 21 ROM
22 RAM
23 CPU
24 TPM
25 Flash memory 26 HDD
27 Operation Panel 28 Scanner 29 Printer 30 Network 40 Program Execution Server 210 Initialization Unit 220 Installation Unit 221 Download Unit 222 Flash Memory Decryption Unit 223 Program Decryption Unit 224 Protection Information Analysis Unit 225 Encryption Key Generation Unit 226 Storage Unit B Bus

Claims (12)

An image forming apparatus including a plurality of types of storage media,
An encryption key storage means in which the first encryption key is recorded in advance;
Data input means for receiving input of a package file storing a plurality of electronic files;
First decryption means for decrypting the package file with the first encryption key;
Obtaining means for obtaining protection information for identifying at least one of a storage destination and encryption strength for each electronic file stored in the package file;
Storage that executes at least one of storage to a storage destination based on the protection information and storage by encryption based on encryption strength based on the protection information for each of the plurality of electronic files stored in the decrypted package file And an image forming apparatus. The first encryption key is encrypted with a second encryption key and recorded in the encryption key storage means,
A secure device in which the second encryption key is recorded;
Second decryption means for decrypting the first encryption key with the second encryption key,
The image forming apparatus according to claim 1, wherein the first decryption unit decrypts the package file with the decrypted first encryption key. Encryption key generation means for generating an encryption key according to the encryption strength specified in the protection information,
The image forming apparatus according to claim 1, wherein the storage unit encrypts the electronic file with the encryption key generated by the encryption key generation unit.   The image forming apparatus according to claim 3, wherein the encryption key generation unit generates a different encryption key for each electronic file.   The at least one of the electronic files is a stub having an interface for calling a substance of a program stored in a computer connected to the image forming apparatus via a network. 5. The image forming apparatus according to claim 4.   The image forming apparatus according to claim 1, wherein the plurality of types of storage media have different safety regarding information leakage. A data management method executed by an image forming apparatus including a plurality of types of storage media and an encryption key storage unit in which a first encryption key is recorded in advance,
A data input procedure for receiving input of a package file storing a plurality of electronic files;
Obtaining a first encryption key from the encryption key storage means, and decrypting the package file with the first encryption key;
An acquisition procedure for acquiring protection information for identifying at least one of a storage destination and encryption strength for each electronic file stored in the package file;
For each of the plurality of electronic files stored in the decrypted package file , any one of the above-mentioned by saving to the storage medium according to the storage destination based on the protection information and encryption with encryption strength based on the protection information A data management method comprising: a storage procedure for executing at least one of storage in a storage medium The first encryption key is encrypted by a second encryption key recorded in a secure device included in the image forming apparatus and recorded in the encryption key storage unit,
Obtaining the second encryption key from the secure device , and having a second decryption procedure for decrypting the first encryption key with the second encryption key;
8. The data management method according to claim 7, wherein the first decryption procedure decrypts the package file with the decrypted first encryption key. An encryption key generation procedure for generating an encryption key according to the encryption strength specified in the protection information;
9. The data management method according to claim 7, wherein the storing procedure encrypts the electronic file with the encryption key generated in the encryption key generation procedure.   The data management method according to claim 9, wherein the encryption key generation procedure generates a different encryption key for each electronic file.   8. The stub according to claim 7, wherein at least one of the electronic files is an interface for calling an entity of a program stored in a computer connected to the image forming apparatus via a network. The data management method according to any one of 10   The data management method according to any one of claims 7 to 11, wherein the plurality of types of storage media have different security regarding information leakage.

Images