JP6720767B2 - Server device - Google Patents

Description

The present specification discloses a server device that executes communication of encrypted data with a client device.

The copying machine disclosed in Patent Document 1 has a function of encrypting data representing an image to be printed and transmitting the encrypted data to a printer. The copying machine identifies one or more encryption means that can be used by the copying machine itself from the encryption selection table including the IDs of the plurality of encryption means, and identifies the identified one or more encryption means. For each of them, the time required to encrypt the data representing the image to be printed using the encryption means is calculated. Then, the copying machine encrypts the data by using the encrypting means whose calculated time is shorter than the threshold value, and sends the encrypted data to the printer.

JP, 2006-054798, A

When communication of encrypted data is to be executed between the server device and the client device, the client device transmits to the server device method information indicating a plurality of encryption methods available to the client device itself. It is possible to do it. Then, the server device selects one encryption method from among the plurality of encryption methods indicated by the method information, and transmits selection information indicating the selected encryption method to the client device. As a result, communication of the encrypted data is executed between the server device and the client device using the selected encryption method. The present specification provides a technique by which a server device can appropriately select an encryption method in a situation where such a mechanism is used.

In the server device disclosed in this specification, the server device can use N (N is an integer of 2 or more) encryption methods including the first encryption method and the second encryption method. From the client device, a receiving unit that receives, from the client device, system information indicating M (where M is an integer of 2 or more) encryption systems available to the client device, In the first case, in which the method information and the function information indicating that at least one of the server device and the client device should execute the specific function are received, the first encryption method is the second encryption method. The first target method is selected from the two or more encryption methods included in both the N encryption methods and the M encryption methods so as to be selected with priority over the encryption method. A first selecting unit for transmitting the first selection information indicating the selected first target method to the client device when the first target method is selected; A first encrypted data communication obtained by encrypting the first target data by using the selected first target method when the selected information is transmitted. In the second case where the function information is received from the communication execution unit 1 and the client device without receiving the function information, the second encryption method is preferentially selected over the first encryption method. As described above, a second selection unit that selects a second target method from two or more encryption methods included in both the N encryption methods and the M encryption methods, When the second target method is selected, the second transmitting unit that transmits the second selection information indicating the selected second target method to the client device, and the second selection information is transmitted. And a second communication execution unit that executes communication of the second encrypted data obtained by encrypting the second target data using the selected second target method with the client device. Prepare

According to the above configuration, the server device preferentially selects the first encryption method over the second encryption method in the first case in which the method information and the function information are received from the client device. , In the second case of selecting the first target method and receiving the method information from the client device without receiving the function information, the second encryption method is preferentially selected over the first encryption method. So that the second target scheme is selected. In this way, the server device changes the priority order of the first and second encryption methods according to whether or not the function information is received from the client device, and thus can appropriately select the encryption method.

In the server device disclosed in this specification, the server device can use N (N is an integer of 2 or more) encryption methods including the first encryption method and the second encryption method. From the first client device and the memory storing the possible information indicating that the first method information indicating the M (M is an integer of 2 or more) encryption methods available to the first client device. The first identification information for identifying the first method information and the first client device from the first receiving unit and the first client device, the first identification information including a predetermined character string. N encryption schemes and M encryption schemes, such that in the first case where the information and are received, the first encryption scheme is selected in preference to the second encryption scheme. And a first selection unit that selects the first target method from the two or more encryption methods that are included in both A first transmission unit that transmits first selection information indicating a target scheme to the first client device, and a first transmission method that uses the selected first target scheme when the first selection information is transmitted. From the second client device to the second client device, a first communication execution unit that executes communication of the first encrypted data obtained by encrypting the first target data with the first client device, A second receiving unit that receives the second method information indicating the L available encryption methods (L is an integer of 2 or more), the second method information from the second client device, and the second method information. Second identification information for identifying the client device of the second identification information that does not include the predetermined character string, and the second case is received, the second encryption method is the first The second target method is selected from the two or more encryption methods included in both the N encryption methods and the L encryption methods so that the second encryption method is selected with priority over the encryption method. A second selection unit to be selected and a second transmission unit that, when the second target method is selected, transmits second selection information indicating the selected second target method to the second client device. Then, when the second selection information is transmitted, the second encrypted data communication obtained by encrypting the second target data by using the selected second target method is transmitted to the second And a second communication execution unit that executes the second communication execution unit.

According to the above configuration, the server device sets the first encryption method to the first encryption method in the first case when the first method information and the first identification information including the predetermined character string are received from the first client apparatus. The first target method is selected so as to be preferentially selected over the second encryption method, and the second method information and the second identification information that does not include the predetermined character string are received from the second client device. In the second case, the second target method is selected so that the second encryption method is selected with priority over the first encryption method. In this way, the server device changes the priority order of the first and second encryption methods depending on whether or not the identification information received from the client device includes a predetermined character string. You can choose to.

A control method, a computer program, and a computer-readable recording medium that stores the computer program for realizing the above server device are also novel and useful. A communication system including the server device and the client device described above is also new and useful.

1 shows a configuration of a communication system. 5 shows a flowchart of a process of the printer according to the first embodiment. A specific case of the first embodiment will be shown. 7 shows a flowchart of processing of the printer according to the second embodiment. A specific case of the second embodiment will be shown.

(Structure of communication system 2; FIG. 1)
As shown in FIG. 1, the communication system 2 includes a printer 10 and a plurality of terminal devices 110, 120, 130. The printer 10, each terminal device 110, and the like belong to a wireless network formed by an AP (abbreviation of Access Point) 200. In a modified example, the printer 10, each terminal device 110, etc. may belong to a wired network. In the following, the plurality of terminal devices 110, 120, 130 may be collectively referred to simply as “terminal device”.

Encrypted communication can be executed between the printer 10 and the terminal device. The encrypted communication is communication according to SSL (abbreviation of Secure Sockets Layer)/TLS (abbreviation of Transport Layer Security) (hereinafter referred to as “SSL communication”). SSL communication is encrypted communication in which a common key encryption method and a public key encryption method are combined. In particular, in this embodiment, the printer 10 functions as a server conforming to SSL, and the terminal device functions as a client conforming to SSL. In a modification, IPsec (abbreviation of Security Architecture for Internet Protocol), SMB (Server Message Block) 3.0, etc. may be adopted as the encrypted communication.

(Structure of Printer 10)
The printer 10 is a peripheral device (that is, a peripheral device of a terminal device) capable of executing at least a printing function. The printer 10 includes an operation unit 12, a display unit 14, a network interface (hereinafter, the interface is referred to as “I/F”) 16, a print execution unit 18, and a control unit 30.

The operation unit 12 includes a plurality of keys. The user can input various instructions to the printer 10 by operating the operation unit 12. The display unit 14 is a display for displaying various information. The display unit 14 also functions as a so-called touch panel. That is, the display unit 14 also functions as an operation unit. The network I/F 16 is an I/F for executing wireless communication according to the Wi-Fi method. The print execution unit 18 is a printing mechanism such as an inkjet type or a laser type.

The control unit 30 includes a CPU 32 and a memory 34. The CPU 32 executes various processes according to the program 36 stored in the memory 34. The memory 34 is composed of a volatile memory, a non-volatile memory, or the like. The memory 34 stores an encryption method table 38 and screen data 40 in addition to the program 36.

In the encryption method table 38, the names of the plurality of encryption methods available (that is, interpretable) by the printer 10 and the priority order of the encryption methods are associated with each other. The encryption method includes GCM (abbreviation of Galois/Counter Mode) and CBC (abbreviation of Cipher Block Chaining). In general, GCM has higher security than CBC. Also, the time required to encrypt (or decrypt) data using CBC is shorter than the time required to encrypt (or decrypt) the same data using GCM. In the situation where the printer 10 does not have to execute printing, the table 38 is set so that the priority order of the GCM is higher than the priority order of the CBC. In a situation where the printer 10 should perform printing, the table 38 may be changed so that the CBC priority is higher than the GCM priority.

The printer 10 functions as a WEB server and can transmit screen data 40 representing a WEB page to the outside. For example, when the terminal device accesses the WEB server of the printer 10, the screen data 40 is transmitted to the terminal device.

(Configuration of terminal devices 110, 120, 130)
The terminal device may be a portable terminal device such as a mobile phone or a smartphone, or may be a stationary terminal device such as a desktop PC. The two terminal devices 110 and 120 are manufactured by the same vendor “XXX”, and the terminal device 130 is manufactured by a vendor “YYY” different from the vendor “XXX”. The terminal device 110 has a printer application 112. The application 112 is an application for transmitting a print notification to the printer 10 before transmitting print data to the printer 10. The print data has a relatively large data size, and the screen data 40 has a relatively small data size. Therefore, generally, the data size of the print data is larger than the data size of the screen data 40. The application 112 is an application provided by the vendor of the printer 10, and is installed in the terminal device 110 from a server on the Internet, for example. The terminal devices 120 and 130 do not have the printer application 112.

(Printer processing; Figure 2)
Next, the processing executed by the printer 10 will be described with reference to FIG. The following communication executed by the printer 10 is communication via the network I/F 16. Therefore, in the following, the description “via the network I/F 16” will be omitted.

In S12, the CPU 32 monitors the reception of the trigger signal from the terminal device. The trigger signal is print notification, status request, ClientHello, or the like.

In S14, the CPU 32 determines whether or not the trigger signal is a print notification and a status request. The print notification is a signal transmitted from the terminal device when the printer application 112 is installed in the terminal device and an operation for transmitting encrypted print data is executed in the terminal device. The status request is a signal according to SNMP (abbreviation of Simple Network Management Protocol) and is a signal for requesting the transmission of the status of the printer 10. When the CPU 32 determines that the trigger signal received in S12 is the print notification and the status request (YES in S14), the process proceeds to S16.

In S16, the CPU 32 determines whether printing can be executed. Specifically, the CPU 32 confirms signals from various sensors (not shown), determines that printing can be executed unless an error state (YES in S16), and proceeds to S18. For example, it is determined that printing cannot be executed (NO in S16), and the process proceeds to S40. The various sensors described above include, for example, a sensor for detecting the remaining amount of consumables (toner, ink, etc.), a sensor for detecting whether or not printing paper is stored in the paper tray, and the like.

In S18, the CPU 32 transmits an OK signal indicating that printing can be executed to the terminal device, and proceeds to S20. On the other hand, in S40, the CPU 32 transmits an NG signal indicating that printing cannot be executed to the terminal device. When S40 ends, the process returns to S12 without further communication with the terminal device. As a result, it is possible to prevent the communication of print data from being executed in a situation where the printer 10 cannot execute printing.

In S20, the CPU 32 changes the priority order in the encryption method table 38. Specifically, the CPU 32 changes the priority of CBC to be higher than that of GCM. This allows the CBC to be selected with priority over the GCM.

In S22, the CPU 32 receives ClientHello from the terminal device. ClientHello is a signal for requesting execution of SSL communication. ClientHello includes information indicating one or more encryption methods that can be used by the terminal device.

In S24, the CPU 32 selects the encryption method to be used for encrypting the print data. Specifically, the CPU 32 identifies one or more encryption schemes included in both the encryption scheme table 38 and ClientHello, and selects from the identified one or more encryption schemes in the table 38. Select the encryption method with the highest priority. For example, when CBC and GCM are included in both the encryption method table 38 and ClientHello, the CPU 32 has changed the table 38 so that the priority of CBC becomes higher (S20). select.

In S26, the CPU 32 transmits ServerHello including information indicating the selected encryption method to the terminal device. Thereby, the printer 10 and the terminal device agree on the encryption method to be used for encrypting the print data. As a result, the terminal device generates encrypted data by encrypting the print data according to the agreed encryption method.

In S30, the CPU 32 receives the encrypted data from the terminal device. Next, in S32, the CPU 32 generates print data by decrypting the encrypted data using the selected encryption method. Then, in S34, the CPU 32 supplies the print data to the print execution unit 18, and causes the print execution unit 18 to print the image represented by the print data.

In S36, the CPU 32 restores the priority order in the encryption method table 38 changed in S20 to the original state. That is, the CPU 32 changes the priority of GCM to be higher than that of CBC. When S36 ends, the process returns to S12.

When the CPU 32 determines that the trigger signal received in S12 is ClientHello (YES in S50), the process proceeds to S52. When the operation for accessing the WEB server of the printer 10 is executed in the terminal device, ClientHello is transmitted from the terminal device without transmitting the print notification and the status request. In this case, YES is determined in S50. S52 and S54 are the same as S24 and S26. Before S52 is executed, the priority order in the encryption method table 38 is not changed (that is, the process corresponding to S20 is not executed).

In S60, the CPU 32 receives a screen data request from the terminal device. The screen data request is a signal for requesting the printer 10 functioning as a WEB server to transmit the screen data 40.

In S62, the CPU 32 generates the encrypted data by encrypting the screen data 40 using the selected encryption method.

In S64, the CPU 32 transmits the encrypted data to the terminal device. As a result, in the terminal device, the encrypted data is decrypted using the encryption method included in the ServerHello transmitted in S54, and the WEB page represented by the screen data 40 is displayed on the terminal device. When S64 ends, the process returns to S12.

When the CPU 32 determines that the trigger signal received in S12 does not include the print notification but includes only the status request (NO in S50), the process proceeds to S70. When the terminal device performs an operation for transmitting unencrypted print data, the terminal device transmits a status request without transmitting a print notification. S70, S72, and S80 are the same as S16, S18, and S40.

In S74, the CPU 32 receives print data from the terminal device. Since the print data received here is not encrypted, the decryption is not executed. S76 is the same as S34. When S76 ends, the process returns to S12.

(Specific case; Figure 3)
Next, specific cases A to C realized by the processing of FIG. 2 will be described with reference to FIG.

(Case A)
In case A, the terminal device that should perform communication with the printer 10 is the terminal device 110 having the printer application 112. The terminal device 110 is set to execute encrypted data communication. The encryption methods that can be used by the terminal device 110 are GCM, CBC, and CCM (abbreviation of Counter with CBC-MAC).

The user performs an operation for causing the printer 10 to perform printing (for example, selection of a file representing an image to be printed) on the terminal device 110. In this case, at T10, the terminal device 110 generates a print notification according to the printer application 112, and then simultaneously transmits a print notification according to SNMP and a status request to the printer 10.

When the printer 10 receives the print notification and the status request from the terminal device 110 in T10 (YES in S14 of FIG. 2), the printer 10 transmits an OK signal to the terminal device 110 in T20 (YES in S16, S18). Then, at T22, the printer 10 changes the priority order in the encryption method table 38 (S20).

Upon receiving the OK signal from the printer 10 at T20, the terminal device 110 transmits ClientHello to the printer 10 at T30. ClientHello includes information indicating GCM, CBC, and CCM.

When the printer 10 receives the ClientHello from the terminal device 110 at T30 (S22), first, the GCM and CBC included in both the encryption method table 38 and the ClientHello are specified, and then, the GCM and the CBC are selected most. A CBC having a high priority is selected (S24). Then, at T32, the printer 10 transmits ServerHello including the information indicating the CBC to the terminal device 110 (S26).

Upon receiving the ServerHello from the printer 10 at T32, the terminal device 110 encrypts the print data according to the CBC indicated by the information included in the ServerHello at T40, thereby generating encrypted data. Here, the print data is data obtained using a file selected by the user before T10 is executed. Then, at T50, the terminal device 110 transmits the encrypted data to the printer 10.

When the printer 10 receives the encrypted data from the terminal device at T50 (S30), the printer 10 generates print data by decrypting the encrypted data according to the CBC at T60 (S32). Then, at T62, the printer 10 executes printing according to the print data (S34).

When the printing is completed, in T70, the printer 10 returns the encryption method table 38 to the state before the change (S36). Since the configuration in which the priority order in the table 38 is changed at T22 and T70 is adopted, the printer 10 can use the changed table 38 when the print notification is received from the terminal device 110. .. On the other hand, when the print notification is not received (for example, when the screen data 40 is requested to be transmitted), the printer 10 can use the pre-change encryption method table 38.

(Case B)
In case B, as in case A, the printer 10 executes communication with the terminal device 110. The user performs an operation on the terminal device 110 to access the WEB server of the printer 10. In this case, in T110, the terminal device 110 transmits ClientHello to the printer 10 without transmitting a print notification and a status request.

When the printer 10 receives ClientHello from the terminal device 110 at T110 (YES in S50), first, the GCM and CBC included in both the encryption method table 38 and ClientHello are specified, and then the GCM and CBC are selected. , GCM having the highest priority is selected (S52). Then, in T112, the printer 10 transmits ServerHello including the information indicating the GCM to the terminal device 110 (S54).

Upon receiving the ServerHello from the printer 10 at T112, the terminal device 110 transmits a screen data request to the printer 10 at T120.

When the printer 10 receives the screen data request from the terminal device 110 at T120 (S60), the printer 10 encrypts the screen data 40 in accordance with the selected GCM at T130 to generate encrypted data (S62). Then, in T140, the printer 10 transmits the encrypted data to the terminal device 110 (S64).

When the terminal device 110 receives the encrypted data from the printer 10 in T140, the terminal device 110 generates the screen data 40 in T150 by decrypting the encrypted data according to the GCM indicated by the information included in the ServerHello of T112. .. Then, at T152, the terminal device 110 displays the WEB page represented by the screen data 40.

(Case C)
In case C, the terminal device that should perform communication with the printer 10 is the terminal device 120 that does not have the printer application 112. The terminal device 120 is not set to execute encrypted data communication.

The user performs an operation on the terminal device 120 for causing the printer 10 to perform printing. In this case, in T210, the terminal device 120 sends a status request according to SNMP to the printer 10 without sending a print notification.

When the printer 10 receives the status request without receiving the print notification from the terminal device 120 in T210 (NO in S50), the printer 10 transmits an OK signal to the terminal device 120 in T220 (YES in S70, S72).

Upon receiving the OK signal from the printer 10 in T220, the terminal device 120 transmits the print data to the printer 10 without executing encryption in T230.

When the printer 10 receives the print data from the terminal device 120 in T230 (S74), the printer 10 executes printing according to the print data without executing decryption in T240 (S76).

(Effect of the first embodiment)
As described above, between the printer 10 and the terminal device 110, encrypted communication of print data having a relatively large data size and encrypted communication of screen data 40 having a relatively small data size are performed. Can be performed. Then, both the printer 10 and the terminal device 110 can use GCM and CBC. As described above, the time required to encrypt (or decrypt) data using CBC is shorter than the time required to encrypt (or decrypt) the same data using GCM. Therefore, in the present embodiment, when the printer 10 receives the print notification from the terminal device 110 (T10 in FIG. 3), that is, when the encrypted communication of the print data having a relatively large data size is to be executed. Selects CBC preferentially (T22, T32). As a result, the time required for T40 and T60 can be shortened, and as a result, the printed product of T62 can be promptly provided to the user. On the other hand, when the printer 10 does not receive the print notification from the terminal device 110, that is, when the encrypted communication of the screen data 40 having a relatively small data size should be executed, the printer 10 preferentially selects the GCM ( T112). Since the data size of the screen data 40 is small, the time required for T130 and T150 is short, and encrypted communication according to GCM having relatively high security can be executed. In this way, the printer 10 can appropriately select the encryption method to be used for the encrypted communication depending on whether or not to receive the print notification.

(Correspondence)
The printer 10 and the terminal device 110 are examples of a “server device” and a “client device”, respectively. The encryption method table 38 is an example of “possible information” and “priority table”. The print notification, ClientHello, and status request are examples of “function information”, “status request”, and “method information”, respectively. CBC is an example of the "first encryption method" and the "first target method". GCM is an example of the “second encryption method” and the “second target method”. The print data and the screen data 40 are examples of the “first target data” and the “second target data”, respectively. Printing is an example of the “specific function”. Further, the print notification indicating that the printer 10 should execute the print function is an example of “function information indicating that the server device should execute the specific function”.

(Second embodiment; FIG. 4)
The differences from the first embodiment will be mainly described. In this embodiment, the terminal device 110 does not have the printer application 112. The printer 10 does not change the priority for selecting the encryption method depending on whether or not the print notification is received, but sets the encryption method according to the vendor of the terminal device that requests execution of printing. Change the priority for selection. The CPU 32 executes the process of FIG. 4 instead of the process of FIG. The CPU 32 starts the process of FIG. 4 when receiving the status request according to the SNMP from the terminal device.

S112, S114, and S140 are the same as S16, S18, and S40 of FIG. In S120, the CPU 32 determines whether ClientHello has been received from the terminal device. When the CPU 32 determines that ClientHello has been received (YES in S120), the process proceeds to S122. On the other hand, when the CPU 32 receives the unencrypted print data without receiving ClientHello, the CPU 32 determines NO in S120, and proceeds to S170. S170 is the same as S76 of FIG. That is, the case of YES in S112, NO in S114, NO in S120, and S170 is similar to the case of NO in S50 and YES in S70, S72, S74, and S76 in FIG.

In S122, the CPU 32 determines whether the terminal device is a terminal device manufactured by a specific vendor (for example, “XXX”). Specifically, the CPU 32 determines whether the MAC address of the terminal device included in ClientHello includes a predetermined character string “XXX” indicating a predetermined vendor. As described above, the vendor of the terminal devices 110 and 120 is “XXX”, and when ClientH of S120 is transmitted from these terminal devices, the MAC address includes the predetermined character string “XXX”. That is, the predetermined character string “XXX” is a character string commonly assigned to a plurality of terminal devices manufactured by the same vendor. In this case, the CPU 32 determines YES in S122, and proceeds to S124. S124 to S136 are the same as S20 and S24 to S36 in FIG.

On the other hand, the vendor of the terminal device 130 is “YYY”, and when ClientHello of S120 is transmitted from the terminal device 130, the MAC address does not include the predetermined character string “XXX”. In this case, the CPU 32 determines NO in S122, and proceeds to S150. S150 to S158 are the same as S126 to S134. However, before S150 is executed, the priority order in the encryption method table 38 is not changed (that is, the process corresponding to S124 is not executed).

(Specific case; Figure 5)
Next, specific cases D and E realized by the processing of FIG. 4 will be described with reference to FIG.

(Case D)
In Case D, the terminal device that should perform communication with the printer 10 is the terminal device 110 manufactured by the vendor “XXX”. T410, T420, and T430 are the same as T10, T20, and T30 of case A of FIG. Here, ClientHello of T430 includes the MAC address of the terminal device 110, and the MAC address includes the character string “XXX” as a part thereof.

When the printer 10 receives ClientHello from the terminal device 110 at T430 (YES at S120), the printer 10 determines that the MAC address includes the predetermined character string “XXX” (YES at S122), and at T432, the priority of CBC is high. The priority order in the encryption method table 38 is changed so that (S124). T434 to T470 are the same as T32 to T70 of case A in FIG.

(Case E)
In case E, the terminal device that should perform communication with the printer 10 is the terminal device 130 manufactured by the vendor “YYY”. The terminal device 130 is set to execute encrypted data communication. The encryption methods that can be used by the terminal device 130 are GCM, CBC, and CCM.

T510 to T530 are the same as T410 to T430 of Case D. However, ClientHello of T530 includes the MAC address of the terminal device 130, and the MAC address includes the character string "YYY" as a part thereof.

When the printer 10 receives the ClientHello from the terminal device 130 at T530 (YES in S120), the printer 10 determines that the MAC address does not include the predetermined character string "XXX" (NO in S122), and the priority is not changed. The GCM is selected according to the activation method table 38 (S150). T532 to T562 are the same as T434 to 462 of Case D, except that GCM is used instead of CBC.

(Effect of the second embodiment)
In the present embodiment, it is assumed that the vendor “XXX” of the terminal device 110 requests the vendor of the printer 10 to realize high-speed printing. Therefore, in the present embodiment, when the printer 10 receives the ClientHello from the terminal device 110 (T430 in FIG. 5), that is, when the MAC address of the terminal device 110 includes the predetermined character string “XXX”, the CBC is set. Select preferentially (T432, T434). As a result, the time required for T440 and T460 can be shortened, and as a result, the printed product of T462 can be promptly provided to the user. On the other hand, the printer 10 receives ClientHello from the terminal device 130 manufactured by the vendor “YYY” different from the vendor “XXX” (T530), that is, the MAC address of the terminal device 130 is the predetermined character string “XXX”. If not included, the GCM is preferentially selected (T532). As a result, the printer 10 can execute encrypted communication according to GCM having relatively high security. In this way, the printer 10 changes the priority order of the encryption method according to whether or not the MAC address received from the terminal device includes the predetermined character string “XXX”. Therefore, according to the vendor of the terminal device, The encryption method to be used for encrypted communication can be appropriately selected. In particular, in this embodiment, since the configuration in which the priority order of the encryption method is changed depending on the presence or absence of the print notification is not adopted, the vendor of the printer 10 does not need to prepare the printer application 112 for transmitting the print notification. .. The printer 10 can appropriately select the encryption method according to the vendor of the terminal device without using the printer application.

Specific examples of the present invention have been described above in detail, but these are merely examples and do not limit the scope of the claims. The technology described in the claims includes various modifications and changes of the specific examples illustrated above. Modifications of the above embodiment are listed below.

(Modification 1) The printer 10 may be able to use three or more encryption methods (for example, GCM, CCM, and CBC). The time required to encrypt data using CCM is shorter than the time required to encrypt the same data using GCM, and the time required to encrypt the same data using CBC. Longer than. In general, CCM has lower security than GCM and higher security than CBC. In the encryption method table 38, GCM, CCM, and CBC may be arranged in order from the higher priority to the lower priority before the change, and after the change, from the higher priority to the lower priority. Alternatively, CBC, CCM, and GCM may be arranged in this order.

(Modification 2) In the above embodiment, the CPU 32 executes data encryption and decryption according to the program 36 (S32, S62 in FIG. 2, S132, S156 in FIG. 4). Alternatively, data encryption and decryption may be performed by hardware such as a logic circuit. That is, the “encryption unit” and the “decryption unit” may be realized by software or hardware.

(Modification 3) The “server device” may be a scanner capable of executing a scan function or a multi-function device capable of executing a multi-function including a print function and a scan function. The scan data has a relatively large data size like the print data. Therefore, when the “server device” is a scanner, for example, in S14 of FIG. 2, it is determined whether or not a scan notification for requesting execution of the scan has been received. After S26, the document is scanned to generate scan data, and the scan data is encrypted according to the encryption method selected in S24. In S30, the encrypted data is transmitted, and S32 and S34 are not executed. In this modification, the scan notification and the scan data are examples of “function information” and “first target data”, respectively. Similarly, communication of encrypted scan data may be executed in the second embodiment as well. In this case, the process of FIG. 4 is started when ClientHello is received without receiving the status request. Therefore, the processes of S112, S114, S120, S140 and S170 are omitted.

(Modification 4) The “client device” may be a scanner capable of executing a scan function, and the “server device” may be a terminal device such as a PC. In this case, the scan data generated by the scanner may be displayed on the terminal device. For example, when the user performs an operation for transmitting encrypted scan data on the scanner, a scan notification is transmitted from the scanner to the terminal device. In this case, the terminal device changes the priority order of the encryption method in the encryption method table so that the priority order of the CBC is higher than that of the GCM, as in the above embodiment. After that, when receiving the ClientHello including the CBC and the GCM from the scanner, the terminal device selects the CBC according to the encryption method table and transmits the ServerHello including the CBC to the scanner. As a result, the scanner generates scan data, and the scan data is encrypted according to the CBC. Upon receiving the encrypted data from the scanner, the terminal device decrypts the encrypted data according to CBC to generate scan data, and displays the image represented by the scan data. Further, for example, when the user performs an operation for transmitting a setting value (for example, default scan setting) in the scanner, ClientHello including CBC and GCM is transmitted from the scanner to the terminal device without transmitting the scan notification. To be done. In this case, the terminal device does not change the priority of the encryption method in the encryption method table. Therefore, since the priority of GCM is higher than that of CBC, the terminal device selects GCM and sends ServerHello including GCM to the scanner. As a result, the setting value is encrypted in the scanner according to the GCM. When the terminal device receives the encrypted data from the scanner, the terminal device decrypts the encrypted data according to the GCM to generate a setting value, and executes a process using the setting value (for example, transmission to another scanner, display, etc.). .. According to this modification, the terminal device can quickly execute the encrypted communication of the scan data, and can execute the encrypted communication of the set value according to the encryption method having high security. In the present modification, the scan function, scan notification, scan data, and setting value are examples of “specific function”, “function information”, “first target data”, and “second target data”, respectively. Further, the scan notification indicating that the scanner should execute the scan function is an example of “function information indicating that the client device should execute the specific function”.

(Modification 5) The “client device” may be a scanner capable of executing a scan function, the “server device” may be a printer, and the scanner and printer may cooperate to realize the copy function. For example, when the user performs an operation corresponding to the copy function on the scanner, a copy notification is sent from the scanner to the printer. Upon receiving the copy notification from the scanner, the printer executes S20 to S26 of FIG. 2 to transmit the ServerHello including the CBC to the scanner, as in the above-described embodiment. As a result, the scanner generates scan data, and the scan data is encrypted according to the CBC. Upon receiving the encrypted data from the scanner, the terminal device decrypts the encrypted data according to the CBC to generate scan data, and prints the image represented by the scan data. Further, for example, when the user executes an operation for transmitting the setting value in the scanner (for example, login data (for example, user ID and password) for logging in to the scanner), the CBC and The ClientHello containing the GCM is sent from the scanner to the printer. In this case, the printer does not change the priority of the encryption method in the encryption method table. Therefore, since the priority of GCM is higher than that of CBC, the printer selects GCM and sends ServerHello including GCM to the scanner. As a result, the setting value is encrypted in the scanner according to the GCM. When the printer receives the encrypted data from the scanner, the printer decrypts the encrypted data according to GCM to generate a setting value, and executes processing using the setting value (for example, setting login data to the printer itself). According to this modification, the printer can quickly perform encrypted communication of scan data, and can also perform encrypted communication of set values according to an encryption method having high security. In the present modification, the copy function (that is, the combination of the scan function and the print function), the copy notification, the scan data, and the set value are respectively “specific function”, “function information”, “first target data”, and “first target data”. 2 of the target data”. The copy notification indicating that the printer and the scanner should execute the copy function is an example of “function information indicating that the server device and the client device should execute the specific function”.

(Modification 6) S20 of FIG. 2 may not be executed, and S20 may be executed before S52. Then, after S60, the encryption method may be executed according to the changed table 38. That is, when the screen data request is received, the printer 10 changes the priority of the encryption system and selects the encryption system (for example, CBC), and when the screen data request is not received, the encryption system is received. The encryption method (for example, GCM) may be selected without changing the priority order of. According to this modification, the printer 10 can quickly execute the encrypted communication of the screen data representing the WEB page, and can execute the encrypted communication of the print data according to the encryption method having high security. it can. In this modification, the screen data request, the screen data 40, and the print data are examples of “function information”, “first target data”, and “second target data”, respectively. In addition, the function of the terminal device that is the client device displaying the WEB page is an example of the “specific function”.

(Modification 7) In the second embodiment, the printer 10 may further execute the following processing. That is, the printer 10 may execute the same process as S122 when receiving ClientHello from the terminal device without receiving the status request that is the trigger of the process of FIG. Then, when the printer 10 determines that the MAC address of the terminal device includes the predetermined character string “XXX” (for example, in the case of the terminal device 110), the printer 10 executes S20 and S52 to S64 of FIG. If it is determined that the MAC address of does not include the predetermined character string "XXX" (for example, in the case of the terminal device 130), S52 to S64 are executed without executing S20. According to this modification, the printer 10 can appropriately select the encryption method to be used for the encrypted communication according to the vendor of the terminal device. In the present modification, the screen data 40 is an example of “first target data” and “second target data”.

(Modification 8) The printer 10 may store the MAC address of each of the terminal devices 110, 120, and 130 and the number of times printing is requested from the terminal device in association with each other. Then, in S122 of FIG. 4, when the MAC address of the terminal device that is the source of the ClientHello matches with the MAC address associated with the number of times greater than the predetermined value, the printer 10 proceeds to S124 and matches. If not, the process may proceed to S150. According to this modification, the printer 10 can quickly execute encrypted communication with a terminal device that frequently requests execution of printing, and execute printing according to an encryption method having high security. It is possible to execute encrypted communication with a terminal device that requests less frequently. In this modification, the MAC address associated with the number of times larger than the predetermined value is an example of the “predetermined character string” and the “first identification information”, and the number of times less than or equal to the predetermined value is associated. The MAC address is an example of “second identification information”. In this modification, the IP address of the terminal device may be used instead of the MAC address. In this case, the IP address is an example of the “first (or second) identification information”.

(Modification 9) In each of the above-described embodiments, the CPU 32 executes the program 36 (that is, the software) to realize the processes of FIGS. 2 to 5. Instead of this, at least a part of the processes of FIGS. 2 to 5 may be realized by hardware such as a logic circuit.

Further, the technical elements described in the present specification or the drawings exert technical utility alone or in various combinations, and are not limited to the combinations described in the claims at the time of filing. In addition, the technique illustrated in the present specification or the drawings achieves a plurality of purposes at the same time, and achieving the one purpose among them has technical utility.

2: communication system, 10: printer, 12: operation unit, 14: display unit, 16: network I/F, 18: print execution unit, 30: control unit, 32: CPU, 34: memory, 36: program, 38 : Encryption method table, 40: WEB page, 110, 120, 130: terminal device, 112: printer application

Claims (14)

A server device,
A memory that stores possibility information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method. ,
A receiving unit for receiving from the client device, method information indicating M (M is an integer of 2 or more) encryption methods available to the client apparatus;
In the first case, the method information and the function information indicating that at least one of the server device and the client device should perform a specific function are received from the client device, the first case is received. 2 or more encryption methods included in both the N encryption methods and the M encryption methods so that the encryption method of 1 is preferentially selected over the second encryption method. A first selecting unit that selects a first target method from the methods;
A first transmission unit that transmits, to the client device, first selection information indicating the selected first target scheme when the first target scheme is selected;
When the first selection information is transmitted, the client communicates the first encrypted data obtained by encrypting the first target data using the selected first target method. A first communication execution unit that executes with the device;
In a second case where the method information is received from the client device without receiving the function information, the second encryption method is preferentially selected over the first encryption method. As described above, a second selection unit that selects a second target method from two or more encryption methods included in both the N encryption methods and the M encryption methods,
A second transmission unit that transmits, to the client device, second selection information indicating the selected second target method when the second target method is selected;
When the second selection information is transmitted, the client performs the communication of the second encrypted data obtained by encrypting the second target data by using the selected second target method. A second communication execution unit that executes with the device;
A server device including. The server device further includes
A function execution unit for executing the specific function,
The server device according to claim 1, further comprising: a function control unit that causes the function execution unit to execute the specific function related to the first target data in the first case. The function execution unit includes a print execution unit,
The first selection unit receives the function information, which is information indicating that the client device transmits data to be printed to the server device, from the client device, and then receives the method information from the client device. In the first case, the first target scheme is selected,
The first communication execution unit receives from the client device the first encrypted data obtained by the client device encrypting the first target data using the first target method. Then
The server device further includes
A decryption unit that decrypts the first encrypted data by using the first target scheme when the first encrypted data is received, and generates the first target data,
The server device according to claim 2, wherein the function control unit causes the print execution unit to print an image represented by the first target data. The first selection unit is a status request according to the function information and SNMP (abbreviation of Simple Network Management Protocol) from the client apparatus, and the status request for inquiring the status of the server apparatus; 4. The server device according to claim 1, wherein the first target method is selected in the first case where the method information is received from the client apparatus after the reception of the method. The server device further includes
In the second case, the second target data, which is screen data representing a screen to be displayed on the client device, is encrypted by using the selected second target method, and the second target data is encrypted. Equipped with an encryption unit that generates encrypted data of
5. The second communication execution unit transmits the second encrypted data to the client device when the second encrypted data is generated, according to any one of claims 1 to 4. Server device. The feasible information includes a priority table in which the priority of each of the N encryption methods is described.
In the priority table, the priority of the second encryption method is higher than the priority of the first encryption method,
In the second case, the second selection unit selects the second encryption method so that the second encryption method is preferentially selected over the first encryption method in accordance with the priority table. Select the target method of
The server device further includes
Changing the priority table so that when the function information is received from the client device, the priority order of the first encryption method is higher than the priority order of the second encryption method. It is equipped with a change unit of 1,
In the first case, the first selection unit may select the first encryption method with priority over the second encryption method according to the changed priority table. Select the first target method,
The server device further includes
When the first target method is selected, the changed priority table is used so that the priority order of the second encryption method is higher than the priority order of the first encryption method. The server device according to claim 1, further comprising a second changing unit that changes the priority table of FIG. A server device,
A memory that stores possibility information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method. ,
A first receiving unit for receiving, from the first client apparatus, first method information indicating M (M is an integer of 2 or more) encryption methods available to the first client apparatus;
From the first client device, the first method information and the first identification information for identifying the first client device, the first identification information including a predetermined character string, The N encryption schemes and the M encryption schemes so that, in the first case received, the first encryption scheme is selected with priority over the second encryption scheme. A first selecting unit that selects a first target method from two or more encryption methods included in both
A first transmitting unit that transmits first selection information indicating the selected first target scheme to the first client device when the first target scheme is selected;
When the first selection information is transmitted, the communication of the first encrypted data obtained by encrypting the first target data using the selected first target method is performed. A first communication execution unit that executes with one client device;
A second receiving unit for receiving, from the second client device, second system information indicating L (where L is an integer of 2 or more) encryption systems available to the second client device;
The second method information from the second client device, and the second identification information for identifying the second client device, the second identification information not including the predetermined character string; , In the second case, the N encryption methods and the L encryption methods are selected so that the second encryption method is preferentially selected over the first encryption method. A second selection unit that selects a second target method from two or more encryption methods included in both the encryption method and
A second transmission unit that transmits second selection information indicating the selected second target scheme to the second client device when the second target scheme is selected;
When the second selection information is transmitted, the communication of the second encrypted data obtained by encrypting the second target data by using the selected second target method is performed. A second communication execution unit that executes with the second client device;
A server device including. The server device according to claim 7, wherein the predetermined character string includes a character string commonly assigned to a plurality of devices including the first client device. The first identification information is a MAC address of the first client device,
The server device according to claim 7, wherein the second identification information is a MAC address of the second client device. The server device according to claim 9, wherein the predetermined character string is a character string forming a part of a MAC address, and is the character string indicating a vendor of the first client device. The feasible information includes a priority table in which the priority of each of the N encryption methods is described.
In the priority table, the priority of the second encryption method is higher than the priority of the first encryption method,
In the second case, the second selection unit selects the second encryption method so that the second encryption method is preferentially selected over the first encryption method in accordance with the priority table. Select the target method of
The server device further includes
When the first identification information is received from the first client device, the priority of the first encryption method is set higher than the priority of the second encryption method. A first changing unit for changing the ranking table,
In the first case, the first selection unit may select the first encryption method with priority over the second encryption method according to the changed priority table. Select the first target method,
The server device further includes
When the first target method is selected, the changed priority table is used so that the priority order of the second encryption method is higher than the priority order of the first encryption method. 11. The server device according to claim 7, further comprising a second changing unit that changes the priority table of FIG. 12. The time for encrypting data using the first encryption method is shorter than the time for encrypting the same data using the second encryption method. The server device according to any one of 1. A computer program for a server device,
The server device is
A memory that stores possibility information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method. ,
And a processor,
The computer program causes the processor to perform the following processes:
A receiving process for receiving from the client device, method information indicating M (M is an integer of 2 or more) encryption methods available to the client device;
In the first case, the method information and the function information indicating that at least one of the server apparatus and the client apparatus should perform a specific function is received from the client apparatus, the first case is received. 2 or more encryption methods included in both the N encryption methods and the M encryption methods so that the encryption method of 1 is preferentially selected over the second encryption method. A first selection process of selecting a first target method from the methods;
A first transmission process of transmitting, to the client device, first selection information indicating the selected first target scheme when the first target scheme is selected;
When the first selection information is transmitted, the client performs the communication of the first encrypted data obtained by encrypting the first target data using the selected first target method. A first communication execution process executed with the device;
In a second case where the method information is received from the client device without receiving the function information, the second encryption method is preferentially selected over the first encryption method. A second selection process for selecting a second target method from two or more encryption methods included in both the N encryption methods and the M encryption methods,
A second transmission process of transmitting, to the client device, second selection information indicating the selected second target scheme when the second target scheme is selected;
When the second selection information is transmitted, the client performs the communication of the second encrypted data obtained by encrypting the second target data by using the selected second target method. A second communication execution process executed with the device;
A computer program that causes a computer to execute. A computer program for a server device,
The server device is
A memory that stores possibility information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method. ,
And a processor,
The computer program causes the processor to perform the following processes:
A first reception process for receiving, from the first client device, first method information indicating M (M is an integer of 2 or more) encryption methods available to the first client apparatus;
From the first client device, the first method information and the first identification information for identifying the first client device, the first identification information including a predetermined character string, The N encryption schemes and the M encryption schemes so that, in the first case received, the first encryption scheme is selected with priority over the second encryption scheme. A first selection process for selecting a first target method from two or more encryption methods included in both
A first transmission process of transmitting, to the first client device, first selection information indicating the selected first target scheme when the first target scheme is selected;
When the first selection information is transmitted, the communication of the first encrypted data obtained by encrypting the first target data using the selected first target method is performed. A first communication execution process executed with one client device;
A second receiving process for receiving, from the second client apparatus, second method information indicating L (L is an integer of 2 or more) encryption methods available to the second client apparatus;
The second method information from the second client device, and the second identification information for identifying the second client device, the second identification information not including the predetermined character string; , In the second case, the N encryption methods and the L encryption methods are selected so that the second encryption method is preferentially selected over the first encryption method. A second selection process of selecting a second target method from two or more encryption methods included in both the encryption method and
A second transmission process of transmitting, to the second client device, second selection information indicating the selected second target scheme when the second target scheme is selected;
When the second selection information is transmitted, the communication of the second encrypted data obtained by encrypting the second target data by using the selected second target method is performed. A second communication execution process executed with the second client device;
A computer program that causes a computer to execute.

Images