JP6124338B2 - Information processing system - Google Patents

Description

  The present invention relates to an information processing system including a communication device and a storage device.

  In an information processing system including a communication device and a semiconductor storage device connected to the communication device, the content data stored in the semiconductor storage device is prevented from being read illegally between the communication device and the semiconductor storage device. A technology for performing data communication by secure communication has been put into practical use.

  As a technology for realizing secure communication, a technology (security technology) for ensuring the confidentiality of communication data by encrypting communication data using block cipher or stream cipher, a hash value of communication data, etc. By calculating the technology to ensure the integrity of communication data (tamper prevention technology) and the MAC value (MAC: Message Authentication Code) of communication data, etc., the integrity of communication data and the data sender A technique for ensuring the authenticity of the image (spoofing technique) is known.

  As secure communication in an information processing system including a communication device and a semiconductor storage device, generally, a secret technology and an anti-falsification technology are often used, or a secret technology and an anti-spoofing technology are often used. The security level is higher than the former.

  Also, as another technique to improve the security level, a technology (mutual authentication technology) in which the communication device and the semiconductor storage device authenticate each other before allowing access to the content data is put into practical use. Has been.

  In general challenge-and-response mutual authentication, the communication device issues an authentication command for instructing execution of mutual authentication. The communication device generates a first authentication code based on the authentication command, encrypts the first authentication code, and transmits the encrypted first authentication code to the semiconductor memory device. After decrypting the received first authentication code, the semiconductor storage device encrypts the first authentication code again and transmits it to the communication device. The communication device decrypts the received first authentication code and then determines whether the first authentication code transmitted to the semiconductor memory device matches the first authentication code received from the semiconductor memory device. Authenticate the validity of the storage device. Further, after the communication device authenticates the validity of the semiconductor storage device, the semiconductor storage device generates a second authentication code, encrypts the second authentication code, and transmits it to the communication device. After decrypting the received second authentication code, the communication device encrypts the second authentication code again and transmits it to the semiconductor memory device. The semiconductor memory device determines whether the second authentication code transmitted to the communication device after decrypting the received second authentication code matches the second authentication code received from the communication device. Authenticate the validity of When the validity of the communication device and the semiconductor storage device is mutually authenticated by the above processing, the communication device issues an access command for accessing the content data.

  Patent Document 1 below discloses an information processing apparatus that calculates the hash value of the entire database and determines whether the database has been tampered with by comparing the previously calculated hash value with the currently calculated hash value. ing. Further, in Patent Document 1 below, a plurality of mutual authentication procedures are prepared, and the CPU selects one mutual authentication procedure from among the plurality of mutual authentication procedures. An information processing apparatus to be executed is also disclosed.

JP 2000-349751

  As described above, secure communication using the anti-spoofing technology has a higher security level than secure communication using the anti-tampering technology.

  However, in order to realize secure communication using anti-spoofing technology, compared with the case where it is realized using anti-falsification technology, the circuit scale to be mounted increases and the cost increases, and the processing content There is a problem that the latency is increased due to the complexity.

  The present invention has been made in view of such circumstances, and in an information processing system including a communication device and a storage device connected to the communication device, an anti-spoofing technique is used without increasing costs and increasing latency. An object of the present invention is to obtain an information processing system capable of realizing a security level comparable to that of secure communication.

  An information processing system according to a first aspect of the present invention is an information processing system comprising: a communication device; and a storage device that is connected to the communication device and has a storage unit that stores content data. An apparatus generates a first security parameter based on content data transmitted to the communication apparatus in response to an access command received from the communication apparatus, and stores the first security parameter and the storage in the communication apparatus. A synthesis parameter is generated by synthesizing the first authentication code for authenticating the device, and content data with a synthesis parameter including the content data and the synthesis parameter is transmitted to the communication device, and the communication The apparatus receives the content data with the synthesis parameter from the storage device, and receives the synthesis parameter. The first security parameter and the first authentication code are extracted from the composite parameter included in the content data with meter, and the composite parameter is added based on the first security parameter extracted from the composite parameter. The integrity of the content data included in the content data is evaluated, and the validity of the storage device is authenticated based on the first authentication code extracted from the synthesis parameter.

  According to the information processing system according to the first aspect, the storage device generates the first security parameter based on the content data transmitted to the communication device in response to the access command received from the communication device, The security parameter and the first authentication code for causing the communication device to authenticate the storage device are combined to generate a composite parameter, and the content data with the composite parameter including the content data and the composite parameter is transmitted to the communication device. Send to. Further, the communication device receives the content data with the synthesis parameter from the storage device, and extracts the first security parameter and the first authentication code from the synthesis parameter included in the content data with the synthesis parameter. Then, based on the first security parameter extracted from the synthesis parameter, the integrity of the content data included in the content data with the synthesis parameter is evaluated, and stored based on the first authentication code extracted from the synthesis parameter. Authenticate the validity of the device. In this way, the communication device can execute the integrity evaluation of the content data and the authentication of the validity of the storage device. Therefore, it is not necessary to mount a large-scale dedicated circuit for realizing the anti-spoofing technology, and complicated processing using the dedicated circuit is also unnecessary, so that there is no increase in cost and latency, It is possible to achieve a security level comparable to secure communication using anti-spoofing technology.

  The information processing system according to the second aspect of the present invention is the information processing system according to the first aspect, in particular, the communication device is configured such that the second authentication is the same as the first authentication code generated by the storage device. Generating a code, extracting the first security parameter from the synthesis parameter based on the synthesis parameter and the second authentication code, and based on the content data included in the content data with the synthesis parameter, A second security parameter is generated, and the extracted first security parameter is compared with the generated second security parameter to evaluate the integrity of the content data. is there.

  According to the information processing system according to the second aspect, the communication device generates a second authentication code that is the same as the first authentication code generated by the storage device, and based on the combination parameter and the second authentication code. Thus, the first security parameter is extracted from the composite parameter. In addition, the communication device generates a second security parameter based on the content data included in the content data with the synthesis parameter. Then, the integrity of the content data is evaluated by comparing the extracted first security parameter with the generated second security parameter. When the content data transmitted from the storage device to the communication device has been tampered with, the first security parameter generated by the storage device (that is, the first security parameter extracted from the composite parameter) and the communication device generated It does not match the second security parameter. Therefore, by comparing the extracted first security parameter with the generated second security parameter, it is possible to easily and reliably evaluate whether the content data has been tampered with.

  In the information processing system according to the third aspect of the present invention, in particular in the information processing system according to the second aspect, the storage device includes an exclusive OR of the first security parameter and the first authentication code. The synthetic parameter is generated by an operation, and the communication device extracts the first security parameter from the synthetic parameter by an exclusive OR operation of the synthetic parameter and the second authentication code. It is what.

  According to the information processing system according to the third aspect, the storage device generates the composite parameter by performing an exclusive OR operation between the first security parameter and the first authentication code. Then, the communication device extracts the first security parameter from the composite parameter by performing an exclusive OR operation between the composite parameter and the second authentication code. In this way, the communication device generates a second authentication code that is the same as the first authentication code, and performs an exclusive OR operation between the synthesis parameter and the second authentication code, thereby obtaining the first parameter from the synthesis parameter. Security parameters can be extracted easily and accurately.

  The information processing system according to a fourth aspect of the present invention is the information processing system according to any one of the first to third aspects, in particular, the communication device is configured to generate the first authentication code generated by the storage device. And generating a second security parameter based on the content data included in the content data with the synthesis parameter, and based on the synthesis parameter and the second security parameter. Then, the first authentication code is extracted from the synthesis parameter, and the validity of the storage device is authenticated by comparing the extracted first authentication code with the generated second authentication code. It is characterized by this.

  According to the information processing system according to the fourth aspect, the communication device generates a second authentication code that is the same as the first authentication code generated by the storage device. Further, the communication device generates a second security parameter based on the content data included in the content data with the composite parameter, and based on the composite parameter and the second security parameter, the first authentication code is generated from the composite parameter. To extract. Then, the legitimacy of the storage device is authenticated by comparing the extracted first authentication code with the generated second authentication code. If the storage device is illegal, the first authentication code generated by the storage device (that is, the first authentication code extracted from the synthesis parameter) does not match the second authentication code generated by the communication device. Therefore, by comparing the extracted first authentication code and the generated second authentication code, it is possible to easily and reliably authenticate whether the storage device is valid or illegal.

  An information processing system according to a fifth aspect of the present invention is the information processing system according to the fourth aspect, in particular, wherein the storage device is an exclusive OR of the first security parameter and the first authentication code. The synthetic parameter is generated by an operation, and the communication device extracts the first authentication code from the synthetic parameter by an exclusive OR operation of the synthetic parameter and the second security parameter. It is what.

  According to the information processing system according to the fifth aspect, the storage device generates the composite parameter by performing an exclusive OR operation between the first security parameter and the first authentication code. Then, the communication device extracts the first authentication code from the composite parameter by performing an exclusive OR operation between the composite parameter and the second security parameter. In this way, the communication device generates a second security parameter that is the same as the first security parameter, and performs an exclusive OR operation on the synthesized parameter and the second security parameter, thereby obtaining the first security parameter from the synthesized parameter. The authentication code can be extracted easily and accurately.

  An information processing system according to a sixth aspect of the present invention is the information processing system according to any one of the first to fifth aspects, and in particular, the communication device controls the information processing system by software processing. And a first control circuit that is mounted separately from the main control unit and controls the storage device by hardware processing, wherein the storage device controls the storage unit The access command is issued by the main control unit, receives the content data with the synthesis parameter, extracts the first security parameter and the first authentication code, and the content data. The integrity control of the storage device and the authentication of the validity of the storage device are executed by the first control circuit, and the access command is received and the first security is received. And generation of utility parameters, and generating the synthesis parameters, the generation and transmission of content data with said composition parameters and is characterized in that said second control circuit is performed.

  According to the information processing system of the sixth aspect, the reception of the content data with the synthesis parameter, the extraction of the first security parameter and the first authentication code, the evaluation of the integrity of the content data, and the validity of the storage device The first control circuit executes the sex authentication. The second control circuit executes reception of an access command, generation of a first security parameter, generation of a synthesis parameter, and generation and transmission of content data with a synthesis parameter. Thus, in the process of content data integrity evaluation and storage device authenticity authentication by the communication device, the main control unit executes only the issuance of an access command. The essential processes such as the extraction of the first security parameter and the first authentication code, the evaluation of the integrity of the content data, and the authentication of the validity of the storage device are performed by the first control circuit and the second control circuit. Executed between. Therefore, even when an attack that modifies the control of the main control unit by program analysis or the like is performed, unless the contents of the hardware processing by the first control circuit and the second control circuit are analyzed and modified, An attacker cannot avoid the process of evaluating the integrity of content data and authenticating the storage device. As a result, it is possible to prevent content data from being falsified and content data from being illegally read out from the storage device even when subjected to an attack that alters the control of the main control unit. Become.

  The information processing system according to a seventh aspect of the present invention is the information processing system according to the sixth aspect, in particular, wherein the first control circuit controls the content data included in the content data with the synthesis parameter to the main control. If the storage device is determined to be illegal and / or the integrity of the content data is denied, a notification to that effect is input to the main control unit. .

  According to the information processing system according to the seventh aspect, the first control circuit performs the synthesis regardless of whether the content data has been tampered with and whether the storage device is valid or illegal. Content data included in parameter-added content data is input to the main control unit. Therefore, it is possible to input the received content data to the main control unit without waiting for completion of the processing for evaluating the integrity of the content data and the processing for authenticating the validity of the storage device. Further, when the first control circuit determines that the storage device is illegal and / or denies the integrity of the content data, the first control circuit inputs a notification to that effect to the main control unit. Therefore, the main control unit can execute processing such as discarding or invalidating the content data input from the first control circuit.

  An information processing system according to an eighth aspect of the present invention is the information processing system according to the sixth aspect, particularly when the first control circuit determines that the storage device is illegal and / or the content data When completeness is denied, the content data included in the content data with the synthesis parameter is not input to the main control unit.

  According to the information processing system of the eighth aspect, the first control circuit is included in the content data with the synthesis parameter when it is determined that the storage device is illegal and / or when the integrity of the content data is denied. Content data is not input to the main control unit. Therefore, it is possible to prevent falsified content data from being input to the main control unit and content data read from an unauthorized storage device to be input to the main control unit.

  The information processing system according to the ninth aspect of the present invention is the information processing system according to the seventh or eighth aspect, in particular, when the first control circuit further determines that the storage device is illegal and / or If the integrity of the content data is denied, subsequent communication between the first control circuit and the second control circuit is blocked.

  According to the information processing system according to the ninth aspect, when the first control circuit determines that the storage device is illegal and / or denies the integrity of the content data, the first control circuit and the first control circuit The subsequent communication with the control circuit 2 is cut off. As a result, it is prohibited to transmit an access command from the communication device to the storage device or to transmit content data from the storage device to the communication device. As a result, it is possible to prevent content data from being illegally read from the storage device, content data read from the storage device being tampered with, and transmitted to the communication device.

  An information processing system according to a tenth aspect of the present invention is the information processing system according to any one of the sixth to ninth aspects, in which the first control circuit generates a first number sequence. And a second authentication circuit that generates the second authentication code based on the first number sequence, wherein the second control circuit is the same as the first number sequence. A second number sequence generating unit that generates a second number sequence; and a second authentication control unit that generates the first authentication code based on the second number sequence, the first authentication control unit Authenticates the validity of the storage device based on whether or not the first authentication code extracted from the synthesis parameter matches the second authentication code generated based on the first number sequence It is characterized by this.

  According to the information processing system according to the tenth aspect, the first authentication control unit matches the first authentication code extracted from the synthesis parameter with the second authentication code generated based on the first number sequence. The validity of the storage device is authenticated depending on whether or not to do so. When the storage device is illegal, the first authentication code extracted from the synthesis parameter does not match the second authentication code generated based on the first number sequence. Therefore, whether the storage device is valid or not is simplified depending on whether or not the first authentication code extracted from the synthesis parameter matches the second authentication code generated based on the first number sequence. And it becomes possible to authenticate reliably.

  In the information processing system according to the eleventh aspect of the present invention, in particular, in the information processing system according to the tenth aspect, the second authentication control unit compresses the second number sequence to compress the first number sequence. An authentication code is generated.

  According to the information processing system according to the eleventh aspect, the second authentication control unit generates the first authentication code by compressing the second number sequence. Therefore, even if the bit length of the second number sequence exceeds the allowable authentication code length, it is possible to generate a second authentication code that fits within the allowable authentication code length by compressing the second number sequence. Become.

  In the information processing system according to the twelfth aspect of the present invention, in particular in the information processing system according to the tenth or eleventh aspect, the first number sequence generation unit and the second number sequence generation unit are provided for each authentication process. The first number sequence and the second number sequence different from each other are generated respectively.

  According to the information processing system according to the twelfth aspect, the first number sequence generation unit and the second number sequence generation unit generate a different first number sequence and second number sequence for each authentication process. As a result, since the first authentication code and the second authentication code are changed for each authentication process, the security strength can be improved.

  An information processing system according to a thirteenth aspect of the present invention is the information processing system according to any one of the first to twelfth aspects, particularly for the communication device to cause the storage device to authenticate the communication device. An access command with an authentication code is generated by adding a third authentication code to the access command, and the access command with an authentication code is transmitted to the storage device. The storage device receives the authentication code from the communication device. When the access command is received, the validity of the communication device is authenticated based on the third authentication code included in the access command with the authentication code, and when the communication device is determined to be valid, the authentication The storage unit is accessed based on the access command included in the access command with code. Is shall.

  According to the information processing system according to the thirteenth aspect, the communication device generates an access command with an authentication code by adding a third authentication code for causing the storage device to authenticate the communication device to the access command, The access command with the authentication code is transmitted to the storage device. Further, the storage device receives the access command with the authentication code from the communication device, and authenticates the validity of the communication device based on the third authentication code included in the access command with the authentication code. When it is determined that the communication device is valid, the storage unit is accessed based on the access command included in the access command with the authentication code. As described above, since the storage device authenticates the validity of the communication device based on the third authentication code, mutual authentication between the storage device and the communication device can be realized, so that the security strength can be further improved. Become.

  Moreover, by using an access command with an authentication code in which a third authentication code is added to the access command, authentication of the communication device by the storage device and access to the storage unit can be executed as common processing. Therefore, before the communication device transmits an access command to the storage device, it is not necessary to separately execute a process for authenticating the communication device by the storage device, and the overhead associated with the authentication process can be reduced, so that the content data is accessed. It is possible to shorten the time required until. That is, the communication device and the storage device can be communicated by one round-trip communication between the transmission of the access command with the authentication code from the communication device to the storage device and the transmission of the content data with the synthesis parameter from the storage device to the communication device in response. Mutual authentication can be performed. As a result, compared to general challenge and response mutual authentication that requires two-way communication (two-way communication in total) from each of the communication device and the storage device, the processing speed and efficiency can be improved. It becomes possible.

  The information processing system according to a fourteenth aspect of the present invention is the information processing system according to the thirteenth aspect, in particular, the storage device based on the access command when the storage device determines that the communication device is illegal. It is characterized in that access to the part is not performed.

  According to the information processing system in the fourteenth aspect, the storage device does not access the storage unit based on the access command when it determines that the communication device is illegal. Accordingly, even when a read command is transmitted from an unauthorized communication device to the storage device, the storage device does not read content data from the storage unit. As a result, it is possible to prevent content data from being illegally read from the storage device.

  An information processing system according to a fifteenth aspect of the present invention is the information processing system according to the fourteenth aspect, particularly when the storage device further determines that the communication device is illegal from the communication device. The access command to be transmitted is not received.

  According to the information processing system of the fifteenth aspect, when the storage device determines that the communication device is illegal, the storage device does not receive an access command transmitted from the communication device thereafter. Accordingly, even when a read command is transmitted from an unauthorized communication device to the storage device, the storage device does not receive the read command. As a result, it is possible to prevent content data from being illegally read from the storage device.

  The information processing system according to the sixteenth aspect of the present invention is the information processing system according to any one of the thirteenth to fifteenth aspects, particularly the access command with an authentication code transmitted from the communication device to the storage device. And the first authentication code used when generating the composite parameter transmitted from the storage device to the communication device in response to the access command, It is characterized by being different.

  According to the information processing system of the sixteenth aspect, the third authentication code included in the access command with the authentication code transmitted from the communication device to the storage device and the storage device to the communication device in response to the access command. This is different from the first authentication code used when generating the composite parameter to be transmitted. That is, the third authentication code that the communication device transmits to the storage device and the first authentication code that the communication device receives from the storage device are different from each other. In this way, it is possible to further improve the security strength by making the authentication code different between transmission and reception.

  According to the present invention, in an information processing system including a communication device and a storage device connected to the communication device, a security level comparable to that of secure communication using an anti-spoofing technique is provided without increasing costs and increasing latency. It can be realized.

1 is a diagram schematically showing an overall configuration of an information processing system according to an embodiment of the present invention. It is a figure which shows the structure of a microprocessor. It is a figure which shows the structure of a memory controller. It is a figure which shows the structure of a memory controller. It is a figure which shows a read command. It is a figure which shows the 1st example of content data with a synthesis parameter. It is a figure which shows the 2nd example of content data with a synthesis parameter. It is a figure which shows the structure of a memory controller. It is a figure which shows the structure of a memory controller. It is a figure which shows the read command with an authentication code.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In addition, the element which attached | subjected the same code | symbol in different drawing shall show the same or corresponding element.

<Embodiment 1>
FIG. 1 is a diagram schematically showing an overall configuration of an information processing system 1 according to Embodiment 1 of the present invention. The information processing system 1 includes a communication device 2 and a semiconductor storage device 3. The communication device 2 is a personal computer, for example. The semiconductor memory device 3 is, for example, a memory card that can be detachably connected to the communication device 2. Alternatively, an arbitrary storage device such as an optical disk or a magnetic disk can be used in place of the semiconductor storage device 3.

  The communication device 2 includes a microprocessor 11 (main control unit) as a main system that controls the information processing system 1 by software processing, and a memory controller 12 (first control circuit) mounted separately from the microprocessor 11. It is prepared for. The memory controller 12 controls the semiconductor memory device 3 by hardware processing.

  The semiconductor storage device 3 includes a memory array 22 (storage unit) that stores arbitrary content data such as images, sounds, texts, codes, management information, and the like, and a memory controller 21 (second control circuit) that controls the memory array 22 ). The memory array 22 is configured using, for example, a NAND flash memory. However, the present invention is not limited to this example, and the memory array 22 may be configured using a NOR flash memory or the like.

  FIG. 2 is a diagram showing the configuration of the microprocessor 11. The microprocessor 11 includes a CPU 41, a computing unit 42, a RAM 43, a ROM 44, a bridge 45, and a register 46 that are connected to each other via a bus 47.

  FIG. 3 is a diagram showing a configuration of the memory controller 12 according to the first embodiment. As shown in the connection relationship of FIG. 3, the memory controller 12 includes a key generation unit 51 (first number sequence generation unit), an encryption / decryption unit 52, an authentication control unit 53 (first authentication control unit), and a mask circuit. 54 and 55 and a hash circuit 56 are provided. The key generation unit 51 generates a random number sequence (session key K in the following example) by using a predetermined random number generation algorithm using a fixed secret key P with high confidentiality. The key generation unit 51 generates a different session key K (nonce) every time the memory controller 12 receives an access command from the microprocessor 11.

  FIG. 4 is a diagram showing a configuration of the memory controller 21 according to the first embodiment. As shown in the connection relationship of FIG. 4, the memory controller 21 includes a key generation unit 61 (second number sequence generation unit), an encryption / decryption unit 62, an authentication control unit 63 (second authentication control unit), and a hash. A circuit 64 is provided. The key generation unit 61 uses the same shared key P as the shared key P held by the key generation unit 51, and uses the same random number generation algorithm as the key generation unit 51 to generate the session key K generated by the key generation unit 51. The same session key K is generated. The key generation unit 61 generates a different session key K each time the memory controller 21 receives an encrypted access command from the memory controller 12.

  Hereinafter, the operation of the information processing system 1 according to the present embodiment will be described with reference to FIGS. As a premise, it is assumed that the encryption / decryption units 52 and 62 are initialized with the session key K (N−1) generated last time by the key generation units 51 and 61. In the following example, a case where a read command is used as an access command for the communication device 2 to access the memory array 22 will be described.

  First, the microprocessor 11 issues a read command C0 having a predetermined byte length for reading desired content data from the memory array 22. FIG. 5 is a diagram showing the read command C0. The read command C0 has a specific command ID for identifying that it is a read command, an address indicating the storage location of content data in the memory array 22, and an undefined area filled with meaningless data. including.

  Referring to FIG. 3, the memory controller 12 receives a read command C0 from the microprocessor 11 and inputs the received read command C0 to the encryption / decryption unit 52.

  Next, the encryption / decryption unit 52 generates the encrypted read command X0 by encrypting the read command C0 using the currently set session key K (N-1). Then, the generated encrypted read command X0 is transmitted to the memory controller 21.

  Next, the key generation unit 51 generates a session key K (N) according to a request from the authentication control unit 53. The session key K (N) is input to the encryption / decryption unit 52 and the authentication control unit 53.

  Next, the authentication control unit 53 initializes the encryption / decryption unit 52 with the session key K (N) generated by the key generation unit 51 this time.

  Referring to FIG. 4, memory controller 21 inputs encrypted read command X 0 received from memory controller 12 to encryption / decryption unit 62.

  Next, the encryption / decryption unit 62 reproduces the read command C0 by decrypting the encrypted read command X0 using the currently set session key K (N-1). Then, the reproduced read command C0 is input to the authentication control unit 63.

  Next, the authentication control unit 63 extracts a read address from the read command C0.

  Next, the key generation unit 61 generates a session key K (N) according to a request from the authentication control unit 63. The session key K (N) is input to the encryption / decryption unit 62 and the authentication control unit 63.

  Next, the authentication control unit 63 initializes the encryption / decryption unit 62 with the session key K (N) generated by the key generation unit 61 this time.

  Next, the key generation unit 61 generates the next session key K (N + 1) according to the request from the authentication control unit 63. Session key K (N + 1) is input to authentication control unit 63.

  Next, the authentication control unit 63 accesses the memory array 22 based on the read address extracted from the read command C0. That is, the content data T0 is read from the memory array 22 by the control signal U indicating the read address. The content data T0 is input to the authentication control unit 63 and the hash circuit 64.

  Next, the hash circuit 64 calculates a hash value of the content data T0 using a predetermined arbitrary hash function. Then, the calculated hash value HB is input to the authentication control unit 63.

  Next, the authentication control unit 63 generates an authentication code SB (N + 1) for the communication device 2 to authenticate the validity of the semiconductor storage device 3 based on the session key K (N + 1) input from the key generation unit 61. To do. For example, when the bit length of the session key K (N + 1) is less than or equal to a predetermined allowable authentication code length, the session key K (N + 1) is used as it is as the authentication code SB (N + 1). On the other hand, if the bit length of the session key K (N + 1) exceeds the allowable authentication code length, the authentication code SB (N + 1) that fits within the allowable authentication code length is generated by compressing the session key K (N + 1). As an example, when the allowable authentication code length is set to 32 bits and the bit length of the session key K (N + 1) is 128 bits, the session key K (N + 1) is set to the 127th to 96th bits, The bit group is divided into four bit groups of 95 to 64 bits, 63 to 32 bits, and 31 to 0 bits, and exclusive OR operation is performed with the next bit group in order from the first bit group ([127 : 96] ExOR [95:64] ExOR [63:32] ExOR [31: 0]). As a result, a 32-bit authentication code SB (N + 1) is generated from the 128-bit session key K (N + 1).

  Next, the authentication control unit 63 performs an exclusive OR operation between the hash value HB and the authentication code SB (N + 1), thereby combining the hash value HB and the authentication code SB (N + 1) into a composite parameter VB (N + 1). ) Is generated.

  Next, the authentication control unit 63 generates content data T1 (N + 1) with composite parameters by adding the composite parameter VB (N + 1) to the content data T0. FIG. 6 is a diagram illustrating a first example of the content data T1 (N + 1) with a synthesis parameter. The authentication control unit 63 generates the content data T1 (N + 1) with the synthesis parameter by adding the synthesis parameter VB (N + 1) to the end of the content data T0. FIG. 7 is a diagram illustrating a second example of the content data T1 (N + 1) with the synthesis parameter. The authentication control unit 63 generates the content data T1 (N + 1) with the synthesis parameter by adding the synthesis parameter VB (N + 1) to the head of the content data T0. The authentication control unit 63 inputs the generated content data T1 (N + 1) with synthesis parameter to the encryption / decryption unit 62.

  Next, the encryption / decryption unit 62 encrypts the content data T1 (N + 1) with the synthesis parameter by using the session key K (N) that is currently set, so that the encrypted content data with the synthesis parameter Y1 ( N + 1). Then, the generated encrypted content data Y1 (N + 1) with the synthesis parameter is transmitted to the memory controller 12.

  Referring to FIG. 3, memory controller 12 inputs encrypted composite parameter-added content data Y <b> 1 (N + 1) received from memory controller 21 to encryption / decryption unit 52.

  Next, the encryption / decryption unit 52 decrypts the encrypted composite parameter-added content data Y1 (N + 1) using the currently set session key K (N), thereby generating composite parameter-added content data T1 (N + 1). ). Then, the reproduced content data T1 (N + 1) with synthesis parameter is input to the authentication control unit 53. Further, the encryption / decryption unit 52 inputs the content data T0 included in the content data T1 (N + 1) with the synthesis parameter to the hash circuit 56.

  Next, the hash circuit 56 calculates the hash value of the content data T0 using the same hash function as the hash circuit 64. Then, the calculated hash value HA is input to the authentication control unit 53.

  Next, the key generation unit 51 generates a session key K (N + 1) according to the request from the authentication control unit 53. Session key K (N + 1) is input to authentication control unit 53. Next, the authentication control unit 53 generates an authentication code SA (N + 1) based on the session key K (N + 1) by the same processing as the authentication control unit 63 described above.

  Next, the authentication control unit 53 extracts the hash value HB and the authentication code SB (N + 1) from the synthesis parameter VB (N + 1) included in the content data T1 (N + 1) with the synthesis parameter. Specifically, the authentication control unit 53 performs an exclusive OR operation on the synthesis parameter VB (N + 1) included in the content data T1 (N + 1) with the synthesis parameter and the authentication code SA (N + 1) generated by itself. The hash value HB is extracted from the synthesis parameter VB (N + 1). Further, by performing an exclusive OR operation on the synthesis parameter VB (N + 1) included in the content data T1 (N + 1) with the synthesis parameter and the hash value HA input from the hash circuit 56, the synthesis parameter VB (N + 1) The authentication code SB (N + 1) is extracted from.

  Next, the authentication control unit 53 compares the hash value HB extracted from the synthesis parameter VB (N + 1) with the hash value HA input from the hash circuit 56, thereby completing the integrity (data matches) of the content data T0. That is, the data has not been tampered with). Specifically, when both hash values match, the integrity of the content data T0 is affirmed, and when both hash values do not match, the integrity of the content data T0 is denied.

  Next, the authentication control unit 53 compares the authentication code SB (N + 1) extracted from the synthesis parameter VB (N + 1) with the authentication code SA (N + 1) generated by itself, thereby verifying the validity of the semiconductor memory device 3 ( Authenticate that the data sender is legitimate, that is, not impersonating. Specifically, when the two authentication codes match, the semiconductor storage device 3 is authenticated as valid, and when the two authentication codes do not match, the semiconductor storage device 3 is authenticated as illegal.

  According to the first example shown in FIG. 6, the synthesis parameter VB is added to the end of the content data T0. Accordingly, the authentication control unit 53 processes the content data T0 before the synthesis parameter VB. In this case, the authentication control unit 53 extracts from the content data T1 (N + 1) with the synthesis parameter without waiting for completion of the processing for evaluating the integrity of the content data T0 and the processing for authenticating the validity of the semiconductor storage device 3. The content data T0 is input to the microprocessor 11. Thereafter, when the integrity of the content data T0 is denied and / or when the semiconductor storage device 3 is determined to be illegal, the authentication control unit 53 indicates that the content data T0 has been tampered with and / or the semiconductor storage device 3 Is input to the microprocessor 11. On the other hand, when the integrity of the content data T0 is affirmed and the semiconductor storage device 3 is determined to be valid, the authentication control unit 53 does not input the notification to the microprocessor 11.

  According to the second example shown in FIG. 7, the synthesis parameter VB is added to the head of the content data T0. Accordingly, the authentication control unit 53 processes the composite parameter VB before the content data T0. In this case, the authentication control unit 53 first performs the process of evaluating the integrity of the content data T0 and the process of authenticating the validity of the semiconductor storage device 3, and denies the integrity of the content data T0 and / or If it is determined that the semiconductor memory device 3 is illegal, the content data T0 extracted from the content data T1 (N + 1) with the synthesis parameter is not input to the microprocessor 11. On the other hand, when the integrity of the content data T0 is affirmed and the semiconductor storage device 3 is determined to be valid, the authentication control unit 53 uses the content data T0 extracted from the content data T1 (N + 1) with the synthesis parameter as a microprocessor. 11 is input.

  The authentication control unit 53 replaces the data with all “0” or all “1” when the integrity of the content data T0 is denied and / or when the semiconductor storage device 3 is determined to be illegal. A control signal D for enabling mask processing is input to the mask circuits 54 and 55. Thereby, subsequent communication between the communication device 2 and the semiconductor memory device 3 is blocked.

  The authentication control units 53 and 63 perform the same processing as described above every time the read command C0 is issued from the microprocessor 11. In the next process, the authentication control unit 53 evaluates the integrity of the content data T0 by comparing the hash value HB extracted from the synthesis parameter VB (N + 2) with the hash value HA input from the hash circuit 56. To do. Further, the authenticity of the semiconductor memory device 3 is authenticated by comparing the authentication code SB (N + 2) extracted from the synthesis parameter VB (N + 2) with the authentication code SA (N + 2) generated by itself.

  In the above description, the processing in which the communication device 2 evaluates the integrity of the content data T0 and the processing to authenticate the validity of the semiconductor storage device 3 are executed by the hardware processing of the memory controller 12, but the microprocessor 11 It may be executed by software processing.

  In the above description, the hash value is used as a security parameter for evaluating the integrity of the content data T0. However, the hash value is used for a CRC (Cyclic Redundancy Check) value, a MAC (Message Authentication Code) value, or error correction. Other security parameters such as error syndrome may be used.

<Embodiment 2>
FIG. 8 is a diagram showing a configuration of the memory controller 12 according to the second embodiment. FIG. 9 is a diagram illustrating a configuration of the memory controller 21 according to the second embodiment.

  Hereinafter, the operation of the information processing system 1 according to the present embodiment will be described with reference to FIGS. As a premise, it is assumed that the encryption / decryption units 52 and 62 are initialized with the session key K (N−1) generated last time by the key generation units 51 and 61. In the following example, a case where a read command is used as an access command for the communication device 2 to access the memory array 22 will be described.

  First, the microprocessor 11 issues a read command C0 having a predetermined byte length for reading desired content data from the memory array 22.

  Referring to FIG. 8, the memory controller 12 receives a read command C0 from the microprocessor 11 and inputs the received read command C0 to the authentication control unit 53.

  Next, the key generation unit 51 generates a session key K (N) according to a request from the authentication control unit 53. The session key K (N) is input to the encryption / decryption unit 52 and the authentication control unit 53.

  Next, the authentication control unit 53 generates an authentication code S (N) for the semiconductor storage device 3 to authenticate the validity of the communication device 2 based on the session key K (N). For example, when the bit length of the session key K (N) is less than or equal to a predetermined allowable authentication code length, the session key K (N) is used as it is as the authentication code S (N). On the other hand, when the bit length of the session key K (N) exceeds the allowable authentication code length, an authentication code S (N) that fits within the allowable authentication code length is generated by compressing the session key K (N). As an example, when the allowable authentication code length is set to the bit length (for example, 32 bits) of the undefined area of the read command C0, and the bit length of the session key K (N) is 128 bits, the session key K (N) is divided into four bit groups of 127-96 bits, 95-64 bits, 63-32 bits, and 31-0 bits, and the next bit group in order from the first bit group. Exclusive OR operation between them ([127: 96] ExOR [95:64] ExOR [63:32] ExOR [31: 0]). As a result, a 32-bit authentication code S (N) is generated from the 128-bit session key K (N).

  Next, the authentication control unit 53 generates the read command C1 (N) with an authentication code by adding the authentication code S (N) to the read command C0. FIG. 10 is a diagram showing a read command C1 (N) with an authentication code. The authentication control unit 53 replaces meaningless data included in the undefined area of the read command C0 with the authentication code S (N), thereby adding an authentication code including a command ID, an address, and an authentication code S (N). A read command C1 (N) is generated. The authentication control unit 53 inputs the generated read command with authentication code C1 (N) to the encryption / decryption unit 52.

  Next, the encryption / decryption unit 52 encrypts the read command with authentication code C1 (N) using the currently set session key K (N-1), thereby reading the read command with encrypted authentication code. X1 (N) is generated. Then, the generated read command X1 (N) with an encrypted authentication code is transmitted to the memory controller 21.

  Next, the authentication control unit 53 initializes the encryption / decryption unit 52 with the session key K (N) generated by the key generation unit 51 this time.

  Referring to FIG. 9, memory controller 21 inputs read command X1 (N) with an encrypted authentication code received from memory controller 12 to encryption / decryption unit 62.

  Next, the encryption / decryption unit 62 decrypts the encrypted read command with authentication code X1 (N) using the currently set session key K (N-1), thereby reading the read command with authentication code C1. Play (N). Then, the reproduced read command with authentication code C1 (N) is input to the authentication control unit 63.

  Next, the authentication control unit 63 extracts the read command C0 and the authentication code S (N) from the read command with authentication code C1 (N).

  Next, the key generation unit 61 generates a session key K (N) according to a request from the authentication control unit 63. The session key K (N) is input to the encryption / decryption unit 62 and the authentication control unit 63. Next, the authentication control unit 63 generates an authentication code S (N) based on the session key K (N) by the same process as the authentication control unit 53 described above.

  Next, the authentication control unit 63 generates an authentication code S (N) extracted from the read command with authentication code C1 (N) and an authentication code S generated based on the session key K (N) input from the key generation unit 61. By comparing (N), the authenticity of the communication device 2 is authenticated. Specifically, when both authentication codes S (N) match, the communication device 2 is determined to be valid, and when both authentication codes S (N) do not match, the communication device 2 is determined to be illegal.

  If the authentication control unit 63 determines that the communication device 2 is illegal, the authentication control unit 63 does not access the memory array 22 based on the read command C0 extracted from the read command C1 (N) with the authentication code. That is, reading of the content data T0 from the memory array 22 is not executed.

  If the authentication control unit 63 determines that the communication device 2 is illegal, the authentication control unit 63 prohibits the encryption / decryption unit 62 from receiving transmission data from the communication device 2. Thereby, the memory controller 21 does not receive an access command transmitted from the communication device 2 to the semiconductor memory device 3 thereafter.

  On the other hand, when it is determined that the communication device 2 is valid, the authentication control unit 63 next accesses the memory array 22 based on the read command C0 extracted from the read command with authentication code C1 (N). That is, the content data T0 is read from the memory array 22 by the control signal U indicating the read address. The content data T0 is input to the authentication control unit 63 and the hash circuit 64.

  If the authentication control unit 63 determines that the communication device 2 is valid, the authentication control unit 63 initializes the encryption / decryption unit 62 with the session key K (N) generated by the key generation unit 61 this time.

  Next, the key generation unit 61 generates the next session key K (N + 1) according to the request from the authentication control unit 63. Session key K (N + 1) is input to authentication control unit 63.

  Next, the hash circuit 64 calculates a hash value of the content data T0 using a predetermined arbitrary hash function. Then, the calculated hash value HB is input to the authentication control unit 63.

  Next, the authentication control unit 63 generates an authentication code SB (N + 1) for the communication device 2 to authenticate the validity of the semiconductor storage device 3 based on the session key K (N + 1) input from the key generation unit 61. To do. Similarly to the above-described authentication control unit 53, the authentication control unit 63 uses the session key K (N + 1) as it is as the authentication code SB when the bit length of the session key K (N + 1) is equal to or less than a predetermined allowable authentication code length. Used as (N + 1). On the other hand, if the bit length of the session key K (N + 1) exceeds the allowable authentication code length, the authentication code SB (N + 1) that fits within the allowable authentication code length is generated by compressing the session key K (N + 1).

  Next, the authentication control unit 63 performs an exclusive OR operation between the hash value HB and the authentication code SB (N + 1), thereby combining the hash value HB and the authentication code SB (N + 1) into a composite parameter VB (N + 1). ) Is generated.

  Next, the authentication control unit 63 generates content data T1 (N + 1) with composite parameters by adding the composite parameter VB (N + 1) to the content data T0. The authentication control unit 63 inputs the generated content data T1 (N + 1) with synthesis parameter to the encryption / decryption unit 62.

  Next, the encryption / decryption unit 62 encrypts the content data T1 (N + 1) with the synthesis parameter by using the session key K (N) that is currently set, so that the encrypted content data with the synthesis parameter Y1 ( N + 1). Then, the generated encrypted content data Y1 (N + 1) with the synthesis parameter is transmitted to the memory controller 12.

  Referring to FIG. 8, the memory controller 12 inputs the encrypted combined parameter-added content data Y <b> 1 (N + 1) received from the memory controller 21 to the encryption / decryption unit 52.

  Next, the encryption / decryption unit 52 decrypts the encrypted composite parameter-added content data Y1 (N + 1) using the currently set session key K (N), thereby generating composite parameter-added content data T1 (N + 1). ). Then, the reproduced content data T1 (N + 1) with synthesis parameter is input to the authentication control unit 53. Further, the encryption / decryption unit 52 inputs the content data T0 included in the content data T1 (N + 1) with the synthesis parameter to the hash circuit 56.

  Next, the hash circuit 56 calculates the hash value of the content data T0 using the same hash function as the hash circuit 64. Then, the calculated hash value HA is input to the authentication control unit 53.

  Next, the key generation unit 51 generates a session key K (N + 1) according to the request from the authentication control unit 53. Session key K (N + 1) is input to authentication control unit 53. Next, the authentication control unit 53 generates an authentication code SA (N + 1) based on the session key K (N + 1) by the same processing as the authentication control unit 63 described above.

  Next, the authentication control unit 53 extracts the hash value HB and the authentication code SB (N + 1) from the synthesis parameter VB (N + 1) included in the content data T1 (N + 1) with the synthesis parameter. Specifically, the authentication control unit 53 performs an exclusive OR operation on the synthesis parameter VB (N + 1) included in the content data T1 (N + 1) with the synthesis parameter and the authentication code SA (N + 1) generated by itself. The hash value HB is extracted from the synthesis parameter VB (N + 1). Further, by performing an exclusive OR operation on the synthesis parameter VB (N + 1) included in the content data T1 (N + 1) with the synthesis parameter and the hash value HA input from the hash circuit 56, the synthesis parameter VB (N + 1) The authentication code SB (N + 1) is extracted from.

  Next, the authentication control unit 53 evaluates the integrity of the content data T0 by comparing the hash value HB extracted from the synthesis parameter VB (N + 1) with the hash value HA input from the hash circuit 56. Specifically, when both hash values match, the integrity of the content data T0 is affirmed, and when both hash values do not match, the integrity of the content data T0 is denied.

  Next, the authentication control unit 53 compares the authentication code SB (N + 1) extracted from the synthesis parameter VB (N + 1) with the authentication code SA (N + 1) generated by itself, thereby verifying the validity of the semiconductor memory device 3. Certify. Specifically, when the two authentication codes match, the semiconductor storage device 3 is authenticated as valid, and when the two authentication codes do not match, the semiconductor storage device 3 is authenticated as illegal.

  According to the first example shown in FIG. 6, the synthesis parameter VB is added to the end of the content data T0. Accordingly, the authentication control unit 53 processes the content data T0 before the synthesis parameter VB. In this case, the authentication control unit 53 extracts from the content data T1 (N + 1) with the synthesis parameter without waiting for completion of the processing for evaluating the integrity of the content data T0 and the processing for authenticating the validity of the semiconductor storage device 3. The content data T0 is input to the microprocessor 11. Thereafter, when the integrity of the content data T0 is denied and / or when the semiconductor storage device 3 is determined to be illegal, the authentication control unit 53 indicates that the content data T0 has been tampered with and / or the semiconductor storage device 3 Is input to the microprocessor 11. On the other hand, when the integrity of the content data T0 is affirmed and the semiconductor storage device 3 is determined to be valid, the authentication control unit 53 does not input the notification to the microprocessor 11.

  According to the second example shown in FIG. 7, the synthesis parameter VB is added to the head of the content data T0. Accordingly, the authentication control unit 53 processes the composite parameter VB before the content data T0. In this case, the authentication control unit 53 first performs the process of evaluating the integrity of the content data T0 and the process of authenticating the validity of the semiconductor storage device 3, and denies the integrity of the content data T0 and / or If it is determined that the semiconductor memory device 3 is illegal, the content data T0 extracted from the content data T1 (N + 1) with the synthesis parameter is not input to the microprocessor 11. On the other hand, when the integrity of the content data T0 is affirmed and the semiconductor storage device 3 is determined to be valid, the authentication control unit 53 uses the content data T0 extracted from the content data T1 (N + 1) with the synthesis parameter as a microprocessor. 11 is input.

  The authentication control unit 53 replaces the data with all “0” or all “1” when the integrity of the content data T0 is denied and / or when the semiconductor storage device 3 is determined to be illegal. A control signal D for enabling mask processing is input to the mask circuits 54 and 55. Thereby, subsequent communication between the communication device 2 and the semiconductor memory device 3 is blocked.

  The authentication control units 53 and 63 perform the same processing as described above every time the read command C0 is issued from the microprocessor 11. In the next process, the authentication control unit 63 is generated based on the authentication code S (N + 1) extracted from the read command with authentication code C1 (N + 1) and the session key K (N + 1) input from the key generation unit 61. The authenticity of the communication device 2 is authenticated depending on whether or not the authentication code S (N + 1) matches. The authentication control unit 53 evaluates the integrity of the content data T0 by comparing the hash value HB extracted from the composite parameter VB (N + 2) with the hash value HA input from the hash circuit 56. Further, the authentication control unit 53 compares the authentication code SB (N + 2) extracted from the composite parameter VB (N + 2) with the authentication code SA (N + 2) generated by itself, thereby verifying the validity of the semiconductor memory device 3. Certify.

  In the above description, the processing in which the communication device 2 evaluates the integrity of the content data T0 and the processing to authenticate the validity of the semiconductor storage device 3 are executed by the hardware processing of the memory controller 12, but the microprocessor 11 It may be executed by software processing.

  In the above description, the hash value is used as a security parameter for evaluating the integrity of the content data T0. However, other security parameters such as a CRC value, a MAC value, or an error syndrome used for error correction are used. It may be used.

  In the above description, the authentication code S is added to the read command C0 and the content data T0 as its response value. However, the authentication code S may be added to other access commands such as a write command and an erase command. .

  When the authentication code S is added to the write command, the semiconductor memory device 3 uses the authentication code S added to the write command received from the communication device 2 and the authentication code S generated by itself to the communication device. 2 can be authenticated. Further, by adding the authentication code S to the status notification as the response value of the status command transmitted following the write command, the communication device 2 can authenticate the status code received from the semiconductor memory device 3. The validity of the semiconductor memory device 3 can be authenticated based on S and the authentication code S generated by itself.

  When the authentication code S is added to the erase command, the semiconductor memory device 3 determines the communication device based on the authentication code S added to the erase command received from the communication device 2 and the authentication code S generated by itself. 2 can be authenticated. Further, by adding the authentication code S to the status notification as the response value of the status command transmitted following the erase command, the communication device 2 can add the authentication code added to the status notification received from the semiconductor memory device 3. The validity of the semiconductor memory device 3 can be authenticated based on S and the authentication code S generated by itself.

<Summary>
According to the information processing system 1 according to the first and second embodiments, the semiconductor memory device 3 is based on the content data T0 transmitted to the communication device 2 in response to the read commands C0 and C1 received from the communication device 2. Generating a hash value HB (first security parameter) and combining the hash value HB and the first authentication code SB (N + 1) for causing the communication device 2 to authenticate the semiconductor storage device 3 The parameter VB (N + 1) is generated, and the content data T1 (N + 1) with composite parameter including the content data T0 and the composite parameter VB (N + 1) is transmitted to the communication device 2. Further, the communication device 2 receives the content data T1 (N + 1) with the synthesis parameter from the semiconductor storage device 3, and authenticates the hash value HB and the authentication from the synthesis parameter VB (N + 1) included in the content data with the synthesis parameter T1 (N + 1). The code SB (N + 1) is extracted. Then, based on the hash value HB extracted from the synthesis parameter VB (N + 1), the integrity of the content data T0 included in the content data T1 (N + 1) with the synthesis parameter is evaluated, and extracted from the synthesis parameter VB (N + 1). The validity of the semiconductor memory device 3 is authenticated based on the authentication code SB (N + 1). In this way, the communication device 2 can execute the integrity evaluation of the content data T0 and the authenticity authentication of the semiconductor storage device 3. Therefore, it is not necessary to mount a large-scale dedicated circuit for realizing the anti-spoofing technology, and complicated processing using the dedicated circuit is also unnecessary, so that there is no increase in cost and latency, It is possible to achieve a security level comparable to secure communication using anti-spoofing technology.

  Further, according to the information processing system 1 according to the first and second embodiments, the communication device 2 uses the second authentication code SA (N + 1) that is the same as the authentication code SB (N + 1) generated by the semiconductor storage device 3. The hash value HB is extracted from the synthesis parameter VB (N + 1) based on the synthesis parameter VB (N + 1) and the authentication code SA (N + 1). Further, the communication device 2 generates a hash value HA (second security parameter) based on the content data T0 included in the content data T1 (N + 1) with composite parameters. Then, the integrity of the content data T0 is evaluated by comparing the extracted hash value HB with the generated hash value HA. When the content data T0 transmitted from the semiconductor storage device 3 to the communication device 2 has been tampered with, the hash value HB generated by the semiconductor storage device 3 (that is, the hash value extracted from the synthesis parameter VB (N + 1)), The hash value HA generated by the communication device 2 does not match. Therefore, by comparing the extracted hash value HB and the generated hash value HA, it is possible to easily and reliably evaluate whether or not the content data T0 has been tampered with.

  Further, according to the information processing system 1 according to the first and second embodiments, the semiconductor storage device 3 performs the synthesis parameter VB (N + 1) by performing an exclusive OR operation between the hash value HB and the authentication code SB (N + 1). Is generated. Then, the communication device 2 extracts the hash value HB from the synthesis parameter VB (N + 1) by the exclusive OR operation of the synthesis parameter VB (N + 1) and the authentication code SA (N + 1). In this way, the communication device 2 generates the same authentication code SA (N + 1) as the authentication code code SB (N + 1), and performs an exclusive OR operation between the synthesis parameter VB (N + 1) and the authentication code SA (N + 1). As a result, the hash value HB can be easily and accurately extracted from the synthesis parameter VB (N + 1).

  Further, according to the information processing system 1 according to the first and second embodiments, the communication device 2 generates the same authentication code SA (N + 1) as the authentication code SB (N + 1) generated by the semiconductor storage device 3. Further, the communication device 2 generates a hash value HA based on the content data T0 included in the content data T1 (N + 1) with the synthesis parameter, and based on the synthesis parameter VB (N + 1) and the hash value HA, the synthesis parameter The authentication code SB (N + 1) is extracted from VB (N + 1). Then, the validity of the semiconductor memory device 3 is authenticated by comparing the extracted authentication code SB (N + 1) with the generated authentication code SA (N + 1). If the semiconductor storage device 3 is illegal, the authentication code SB (N + 1) generated by the semiconductor storage device 3 (that is, the authentication code extracted from the synthesis parameter VB (N + 1)) and the authentication code SA generated by the communication device 2 Does not match (N + 1). Accordingly, by comparing the extracted authentication code SB (N + 1) with the generated authentication code SA (N + 1), it is possible to easily and reliably authenticate whether the semiconductor memory device 3 is valid or illegal. It becomes.

  Further, according to the information processing system 1 according to the first and second embodiments, the semiconductor storage device 3 performs the synthesis parameter VB (N + 1) by performing an exclusive OR operation between the hash value HB and the authentication code SB (N + 1). Is generated. Then, the communication device 2 extracts the authentication code SB (N + 1) from the synthesis parameter VB (N + 1) by exclusive OR operation of the synthesis parameter VB (N + 1) and the hash value HA. In this way, the communication device 2 generates the same hash value HA as the hash value HB, and performs an exclusive OR operation between the synthesis parameter VB (N + 1) and the hash value HA, thereby obtaining the synthesis parameter VB (N + 1). The authentication code SB (N + 1) can be extracted easily and accurately.

  Further, according to the information processing system 1 according to the first and second embodiments, the reception of the content data T1 (N + 1) with the synthesis parameter, the extraction of the hash value HB and the authentication code SB (N + 1), and the content data T0 The memory controller 12 (first control circuit) executes the integrity evaluation and the authenticity verification of the semiconductor memory device 3. The reception of the read command C0, the generation of the hash value HB, the generation of the synthesis parameter VB (N + 1), and the generation and transmission of the content data T1 (N + 1) with the synthesis parameter are the memory controller 21 (second control). Circuit). Thus, in the process of evaluating the integrity of the content data T0 and authenticating the validity of the semiconductor storage device 3 by the communication device 2, the processing executed by the microprocessor 11 (main control unit) is only the issue of the read command C0. Yes, generation of synthesis parameter VB (N + 1), extraction of hash value HB and authentication code SB (N + 1) from synthesis parameter VB (N + 1), evaluation of integrity of content data T0, and validity of semiconductor memory device 3 Essential processing such as authentication is executed between the memory controller 12 and the memory controller 21. Accordingly, even if an attack that alters the control of the microprocessor 11 by program analysis or the like is performed, content by the attacker unless the contents of the hardware processing by the memory controller 12 and the memory controller 21 are analyzed and altered. The process of evaluating the integrity of the data T0 and authenticating the correctness of the semiconductor memory device 3 is not avoided. As a result, even when an attack that alters the control of the microprocessor 11 is performed, the content data T0 is prevented from being falsified and the content data T0 is prevented from being read from the semiconductor storage device 3 illegally. It becomes possible.

  Moreover, in the information processing system 1 according to the first and second embodiments, according to the first example shown in FIG. 6, the memory controller 12 can determine whether the content data T0 has been tampered with or not. Regardless of whether the semiconductor memory device 3 is valid or illegal, the content data T0 included in the content data T1 (N + 1) with composite parameters is input to the microprocessor 11. Accordingly, the received content data T0 can be input to the microprocessor 11 at an early stage without waiting for completion of the processing for evaluating the integrity of the content data T0 and the processing for authenticating the validity of the semiconductor memory device 3. . If the memory controller 12 determines that the semiconductor storage device 3 is illegal and / or denies the integrity of the content data T0, the memory controller 12 inputs a notification to that effect to the microprocessor 11. Therefore, the microprocessor 11 can execute processing such as discarding or invalidating the content data T0 input from the memory controller 12.

  In the information processing system 1 according to the first and second embodiments, according to the second example shown in FIG. 7, the memory controller 21 determines that the semiconductor storage device 3 is illegal and / or content data. When the completeness of T0 is denied, the content data T0 included in the content data T1 (N + 1) with the synthesis parameter is not input to the microprocessor 11. Accordingly, it is possible to prevent the altered content data T0 from being input to the microprocessor 11 and the content data T0 read from the unauthorized semiconductor storage device 3 from being input to the microprocessor 11. Become.

  Further, according to the information processing system 1 according to the first and second embodiments, when the memory controller 12 determines that the semiconductor storage device 3 is illegal and / or denies the integrity of the content data T0, Subsequent communication between the memory controller 12 and the memory controller 21 is cut off. As a result, it is prohibited to transmit an access command from the communication device 2 to the semiconductor storage device 3 and to transmit content data T0 from the semiconductor storage device 3 to the communication device 2. As a result, it is possible to prevent content data T0 from being read out illegally from the semiconductor storage device 3, content data T0 read out from the semiconductor storage device 3 being altered and transmitted to the communication device 2, and the like. It becomes.

  Further, according to the information processing system 1 according to the first and second embodiments, the authentication control unit 53 (first authentication control unit) includes the authentication code SB (N + 1) extracted from the synthesis parameter VB (N + 1), The validity of the semiconductor memory device 3 is authenticated based on whether or not the authentication code SA (N + 1) generated based on the session key K (N + 1) generated by the key generation unit 51 matches. When the semiconductor memory device 3 is illegal, the authentication code SB (N + 1) extracted from the synthesis parameter VB (N + 1) does not match the authentication code SA (N + 1) generated based on the session key K (N + 1). . Therefore, the semiconductor memory device 3 determines whether or not the authentication code SB (N + 1) extracted from the synthesis parameter VB (N + 1) matches the authentication code SA (N + 1) generated based on the session key K (N + 1). It is possible to simply and reliably authenticate whether it is legitimate or illegal.

  Further, according to the information processing system 1 according to the first and second embodiments, the authentication control unit 63 determines that the bit length of the session key K (N + 1) generated by the key generation unit 61 exceeds the allowable authentication code length. Generates the authentication code SB (N + 1) by compressing the session key K (N + 1). Therefore, even if the bit length of the session key K (N + 1) exceeds the allowable authentication code length, the authentication code SB (N + 1) that fits within the allowable authentication code length is generated by compressing the session key K (N + 1). It becomes possible to do.

  Further, according to the information processing system 1 according to the first and second embodiments, the key generation units 51 and 61 generate different session keys K for each authentication process. As a result, since the authentication code S generated by the authentication control units 53 and 63 is changed for each authentication process, the security strength can be improved.

  Further, according to the information processing system 1 according to the second embodiment, the communication device 2 adds the third authentication code S (N) for causing the semiconductor storage device 3 to authenticate the communication device 2 to the read command C0. As a result, a read command C1 (N) with an authentication code is generated, and the read command C1 (N) with an authentication code is transmitted to the semiconductor memory device 3. Further, the semiconductor memory device 3 receives the read command C1 (N) with the authentication code from the communication device 2, and based on the authentication code S (N) included in the read command C1 (N) with the authentication code, the communication device 2 Authenticate the validity of When it is determined that the communication device 2 is valid, the memory array 22 is accessed based on the read command C0 included in the read command with authentication code C1 (N). Thus, since the semiconductor storage device 3 authenticates the validity of the communication device 2 based on the authentication code S (N), mutual authentication between the semiconductor storage device 3 and the communication device 2 can be realized. Further improvement is possible.

  Moreover, by using the read command C1 (N) with an authentication code in which the authentication code S (N) is added to the read command C0, the authentication of the communication device 2 by the semiconductor memory device 3 and the access to the memory array 22 are performed. It can be executed as a common process. Therefore, before the communication device 2 transmits a read command to the semiconductor storage device 3, it is not necessary for the semiconductor storage device 3 to separately execute a process for authenticating the communication device 2, and overhead associated with the authentication process can be reduced. It is possible to shorten the time required to access the content data. That is, transmission of the read command C1 (N) with an authentication code from the communication device 2 to the semiconductor storage device 3, and transmission of content data T1 (N + 1) with composite parameters from the semiconductor storage device 3 to the communication device 2 in response thereto Thus, mutual authentication between the communication device 2 and the semiconductor memory device 3 can be performed by one-way communication. As a result, compared to general challenge and response mutual authentication that requires round-trip communication (two-round communication in total) from each of the communication device 2 and the semiconductor storage device 3, the processing speed and efficiency are improved. It becomes possible to plan.

  Further, according to the information processing system 1 according to the second embodiment, the semiconductor memory device 3 does not access the memory array 22 based on the read command C0 when the communication device 2 is determined to be illegal. Therefore, even when a read command is transmitted from the unauthorized communication device 2 to the semiconductor memory device 3, the semiconductor memory device 3 does not read the content data T0 from the memory array 22. As a result, it is possible to prevent content data T0 from being read from the semiconductor memory device 3 illegally.

  Further, according to the information processing system 1 according to the second embodiment, when the semiconductor storage device 3 determines that the communication device 2 is illegal, it does not receive a read command transmitted from the communication device 2 thereafter. Accordingly, even when a read command is transmitted from the unauthorized communication device 2 to the semiconductor memory device 3, the semiconductor memory device 3 does not receive the read command. As a result, it is possible to prevent content data T0 from being read from the semiconductor memory device 3 illegally.

  Further, according to the information processing system 1 according to the second embodiment, the authentication code S (N) included in the read command C1 (N) with the authentication code transmitted from the communication device 2 to the semiconductor memory device 3, The authentication code SB (N + 1) used when generating the composite parameter VB (N + 1) transmitted from the semiconductor memory device 3 to the communication device 2 in response to the read command is different from each other. That is, the authentication code S (N) transmitted from the communication device 2 to the semiconductor storage device 3 and the authentication code SB (N + 1) received from the semiconductor storage device 3 by the communication device 2 are different from each other. In this way, it is possible to further improve the security strength by making the authentication code different between transmission and reception.

DESCRIPTION OF SYMBOLS 1 Information processing system 2 Communication apparatus 3 Semiconductor memory device 11 Microprocessor 12 Memory controller 21 Memory controller 22 Memory array 51 Key generation part 52 Encryption / decryption part 53 Authentication control part 56 Hash circuit 61 Key generation part 62 Encryption / decryption part 63 Authentication control unit 64 Hash circuit

Claims (16)

A communication device;
A storage device connected to the communication device and having a storage unit storing content data;
An information processing system comprising:
The storage device
Based on content data transmitted to the communication device in response to an access command received from the communication device, a first security parameter is generated,
Generating a composite parameter by combining the first security parameter and a first authentication code for causing the communication device to authenticate the storage device;
Transmitting content data with composite parameters including the content data and the composite parameters to the communication device;
The communication device
Receiving the content data with the synthesis parameter from the storage device;
Extracting the first security parameter and the first authentication code from the composite parameter included in the content data with the composite parameter;
Based on the first security parameter extracted from the synthesis parameter, evaluate the integrity of the content data included in the content data with the synthesis parameter,
An information processing system for authenticating the validity of the storage device based on the first authentication code extracted from the synthesis parameter. The communication device
Generating a second authentication code identical to the first authentication code generated by the storage device;
Extracting the first security parameter from the composite parameter based on the composite parameter and the second authentication code;
Generating a second security parameter based on the content data included in the content data with the composite parameter;
The information processing system according to claim 1, wherein integrity of the content data is evaluated by comparing the extracted first security parameter with the generated second security parameter. The storage device generates the composite parameter by performing an exclusive OR operation between the first security parameter and the first authentication code,
The information processing system according to claim 2, wherein the communication device extracts the first security parameter from the combined parameter by performing an exclusive OR operation between the combined parameter and the second authentication code. The communication device
Generating a second authentication code identical to the first authentication code generated by the storage device;
Generating a second security parameter based on the content data included in the content data with the composite parameter;
Extracting the first authentication code from the composite parameter based on the composite parameter and the second security parameter;
The information processing according to any one of claims 1 to 3, wherein the authenticity of the storage device is authenticated by comparing the extracted first authentication code and the generated second authentication code. system. The storage device generates the composite parameter by performing an exclusive OR operation between the first security parameter and the first authentication code,
The information processing system according to claim 4, wherein the communication device extracts the first authentication code from the combined parameter by performing an exclusive OR operation between the combined parameter and the second security parameter. The communication device
A main control unit for controlling the information processing system by software processing;
A first control circuit that is mounted separately from the main control unit and controls the storage device by hardware processing;
Have
The storage device
A second control circuit for controlling the storage unit;
The issuing of the access command is executed by the main control unit,
The reception of the content data with the synthesis parameter, the extraction of the first security parameter and the first authentication code, the evaluation of the integrity of the content data, and the authentication of the validity of the storage device 1 control circuit is executed,
The reception of the access command, generation of the first security parameter, generation of the synthesis parameter, and generation and transmission of the content data with the synthesis parameter are executed by the second control circuit. Information processing system as described in any one of -5.   The first control circuit inputs the content data included in the content data with the synthesis parameter to the main control unit, and determines that the storage device is illegal and / or denies the integrity of the content data. In the case, the information processing system according to claim 6, wherein a notification to that effect is input to the main control unit.   When the first control circuit determines that the storage device is illegal and / or denies the integrity of the content data, the first control circuit transfers the content data included in the content data with the synthesis parameter to the main control unit. The information processing system according to claim 6, wherein no information is input.   Further, the first control circuit further determines between the first control circuit and the second control circuit when the storage device is determined to be illegal and / or when the integrity of the content data is denied. The information processing system according to claim 7 or 8, wherein subsequent communication is blocked. The first control circuit includes:
A first number sequence generator for generating a first number sequence;
A first authentication control unit that generates the second authentication code based on the first number sequence;
Including
The second control circuit includes:
A second number sequence generation unit for generating a second number sequence identical to the first number sequence;
A second authentication control unit for generating the first authentication code based on the second number sequence;
Including
The first authentication control unit stores the memory depending on whether the first authentication code extracted from the synthesis parameter matches the second authentication code generated based on the first number sequence. The information processing system according to claim 6, wherein authenticity of the device is authenticated.   The information processing system according to claim 10, wherein the second authentication control unit generates the first authentication code by compressing the second number sequence.   The information processing system according to claim 10 or 11, wherein the first number sequence generation unit and the second number sequence generation unit generate the first number sequence and the second number sequence that are different for each authentication process. . The communication device
Generating an access command with an authentication code by adding a third authentication code for authenticating the communication device to the storage device to the access command;
Sending the access command with the authentication code to the storage device;
The storage device
Receiving the access command with the authentication code from the communication device;
Authenticating the validity of the communication device based on the third authentication code included in the access command with the authentication code;
The information processing according to any one of claims 1 to 12, wherein when the communication device is determined to be valid, the storage unit is accessed based on the access command included in the access command with an authentication code. system.   The information processing system according to claim 13, wherein the storage device does not access the storage unit based on the access command when the communication device is determined to be illegal.   The information processing system according to claim 14, wherein the storage device further does not receive an access command transmitted from the communication device after that when determining that the communication device is illegal. The third authentication code included in the access command with the authentication code transmitted from the communication device to the storage device, and the composite parameter transmitted from the storage device to the communication device in response to the access command. The information processing system according to any one of claims 13 to 15, wherein the first authentication code used for generation is different from each other.

Images