JP2003018151A - External storage device and certification method conducted between the external storage device and the system device, certification system, computer device and system device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable a system device to certify an external storage device, by inhibiting the external storage device from operating, except the combination with specified system devices. SOLUTION: This certification method is performed between a secure HDD 20 for performing the write and read of data and a set top box 10 for accessing this secure HDD 20; the set top box 10 transmits random numbers generated to the secure HDD 20, and the secure HDD 20 transmits the information, which is coded with a secret key, after performing processing under a certain rule to the transmitted random numbers to the set top box 10; and the set top box 10 decodes the received information, using a secrete key; and based on the decoded information, it recognizes that the processing has been conducted in conformity with a fixed rule, and the secure HDD 20 and the set top box 10 hold the same secret key with each other.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an authentication method and the like performed between an external storage device and a system device, and in particular,
The present invention relates to an authentication method that effectively secures strong security.

[0002]

2. Description of the Related Art Recently, in addition to CATV (cable television),
As a method for recording the content received when the digital broadcasting CS broadcasting and BS digital broadcasting are started,
Attention has shifted from the conventional video tape recording method to a method of recording on an external storage medium such as a hard disk drive (HDD). In addition to this function for receiving CATV, CS broadcasting, and BS digital broadcasting, it is set as an information terminal with functions such as recording programs on the built-in hard disk drive for chasing and watching, and connecting to the Internet. Top box (STB: S
et Top Box) exists.

[0003] The set top box focuses on the distribution of contents, and in the current business model, it is often distributed to customers free of charge. For manufacturers that distribute set-top boxes equipped with hard disk drives for free, there is no problem if the hard disk drive is used for the purpose of broadcasting content, but it will not be used for other purposes. There's a problem. That is, it is necessary to exclude customers who receive free distribution of the set top box for the purpose of diverting the hard disk drive.

[0004]

In the ATA (IDE), which is the most popular as a hard disk interface for AT compatible machines, the following security commands are supported as standard ATA commands. -SECURITY SET PASSWORD-SECURITY UNLOCK-SECURITY ERASE PREPARE-SECURITY ERASE UNIT-SECURITY FREEZE LOCK
D

However, these are simple password systems, for example, a command "SECUR" for releasing the locked state of the hard disk drive.
In "ITY UNLOCK", the password as the factor is transferred to the hard disk drive. In the case of this configuration, for example, even if the hard disk drive is stolen, it can be effectively operated in a mode in which it is not desired to steal its contents. However, it is not assumed that the system owner of the set-top box steals the password while the hard disk drive is connected and then diverts the hard disk drive to another. That is, even though the manufacturer of the set-top box wants to permit the use of the hard disk drive distributed free of charge only to a specific set-top box (for example, the set-top box combined at the time of distribution), the current technology Then, it is difficult to exclude such customers.

What a person (attacker) who tries to steal this hard disk drive performs is a password hack and stealing. In the current technology, the hard disk drive password is
lain Text) has been delivered. By monitoring this, the attacker can easily steal the hard disk drive password (password hack).
Further, once the hard disk drive receives the hard disk drive password, it subsequently responds to commands from any controller. This configuration not only gives the attacker a chance to use the hard disk drive for other purposes,
There is also a possibility that the contents in the hard disk drive will be easy to read and the vulnerability of content protection will be increased.

The present invention has been made in order to solve the above technical problems, and its object is to prohibit an external storage device from operating except in combination with a specific system. To do. Another object is to implement a sufficiently secure protocol and mechanism so that a person who attempts to steal an external storage device will not succeed in stealing it, even if he / she knows the authentication protocol. Still another object is to provide a new command system considering the maximum compatibility with the current commands.

[0008]

Based on the above object, the present invention shares secret information (secret key) between an external storage device such as a hard disk drive and a system device on the system side. Perform mutual authentication. Also, the system device encrypts the password using this secret information and sends it to the external storage device, and thereafter, the system device
Every time a command is issued to the external storage device or a specific command group is issued to the external storage device, the password generated every time based on the secret information is transmitted to the external storage device. Furthermore, the external storage device that has received the password checks the validity of the password every time and then responds to or rejects the command from the system device.

That is, the present invention can be understood as an authentication method performed between an external storage device that writes and reads data and a system device that accesses the external storage device. Here, this system device transmits the generated random number to the external storage device, and the external storage device
The transmitted random number is processed according to a certain rule, and then the information encrypted with the secret key is transmitted to the system device, and the system device decrypts the received information using the secret key and decrypts it. Recognize that the random number has been processed according to a certain law based on the information provided, and confirm that the external storage device and the system device hold the same secret key. Is characterized by. here,
This system device can be characterized in that it counts the number of authentication failures as a result of the confirmation and stops access to the external storage device when the number of authentication failures exceeds a certain value.

Further, in the authentication method to which the present invention is applied,
The external storage device transmits an encrypted random number obtained by encrypting the generated random number using the first secret key, and the system device transmits the encrypted random number to the first secret key. The information encrypted by the second secret key is transmitted to the external storage device after being decrypted by using the key and processed according to a certain law, and the external storage device transmits the transmitted information to the second secret key. It can be characterized by confirming that the number after decryption using the key is a random number processed according to a certain law.

Further, in the authentication method to which the present invention is applied,
The external storage device and the system device have the first secret information.
It is preferable to hold the key and the second key with respect to each other, and perform the encryption and the decryption using the first key and the second key, respectively.

Further, in the authentication method to which the present invention is applied,
The external storage device encrypts the generated random number with the secret key and transmits it to the system device, and the system device decrypts the transmitted random number with the secret key, and then uses the decrypted random number for the password. The result of the logical operation is transmitted to the external storage device, and the external storage device performs the inverse operation of the logical operation on the transmitted operation result to extract the password, which is stored in the external storage device. It can be characterized in that it is judged whether or not the password matches the existing password. Further, the first secret key and the second secret key are held together, and the system device encrypts the random number decrypted by the first secret key with the second secret key to form a password mask, It is possible to transmit the calculation result obtained by performing the logical calculation using the password mask to the external storage device.

On the other hand, the present invention can be understood as an authentication system including an external storage device and a system device for accessing the external storage device. In the system device in this authentication system, the generated random number is transmitted to the external storage device, the external storage device processes the transmitted random number according to a certain rule, and then the information encrypted with the secret key is transmitted to the external device. By receiving the information from the storage device, decrypting the received information using the secret key, and recognizing that the random number is processed according to a certain law based on the decrypted information, the external It is confirmed that the storage device and the system device hold the same private key. As a result of this confirmation, the number of consecutive authentication failures is counted, and when the number of consecutive authentication failures exceeds a certain value, the access to the external storage device is stopped. It is possible to deal with the problem of stopping access.

The present invention also provides a set top box (STB) provided with a built-in hard disk drive.
Can be understood as a computer device such as.

From another point of view, the present invention can be understood as a system device for accessing an external storage device. The system device includes a holding unit that holds two secret keys common to the external storage device as secret information,
Random number generation means for generating random numbers, transmission means for transmitting random numbers to an external storage device, external storage device processes the transmitted random numbers according to a certain rule, and then encrypts information with a secret key to the outside The receiving means for receiving from the storage device, the decrypting means for decrypting the received information by using the secret key, and the random number generated by the random number generating means by the decrypted information are processed according to a certain law. The external storage device and the system device are provided with a confirmation unit that confirms that the external storage device and the system device hold the same secret key by recognizing the fact that they have been performed.

Further, in an external storage device such as a hard disk drive to which the present invention is applied, a holding means for holding the same secret key as the system device, a random number generating means for generating a random number, and an encryption using the secret key for the random number. Encrypting means for performing encryption, transmitting means for transmitting encrypted encrypted random numbers to the system device, and the system device for processing the random numbers processed by the system device after decrypting the transmitted encrypted random numbers. It is characterized in that it is provided with a receiving means for receiving from, and a confirming means for confirming that the received random number is processed according to a certain law.

[0017]

BEST MODE FOR CARRYING OUT THE INVENTION The present invention will be described below in detail based on the embodiments shown in the accompanying drawings. FIG. 1 is a diagram for explaining the configuration of a computer system to which this embodiment is applied. Here, a digital type set top box 10 for a cable TV (CATV) will be described as an example of a computer system. A set top box 10 to which the present embodiment is applied is connected to a cable modem 8 that receives a program (content) distributed as a cable TV and a display (TV) 9 that displays and outputs the distributed program. .

A smart card 7, which is one of the IC cards, can be attached to the set top box 10 which functions as the system side. This smart card 7 has secret information on the system side (Pks, Pk described later).
h) is saved. A random number generator is incorporated in the smart card 7, and the random number to be generated on the system side in the present embodiment is generated inside the smart card 7.

The set top box 10 is a smart card reader 11 capable of reading information stored in the smart card 7 and accessing the smart card 7.
A display I / F 12 that functions as an interface (I / F) with the display (TV) 9, an Ethernet (registered trademark) I / F 13 that captures content received via the cable modem 8, and a RAM 14 that stores various counter values and the like. An MPU 15 for controlling the entire set top box 10 and a ROM 16 in which an operation program of the MPU 15 is stored. The ROM 16 includes a DES (Dat
a Encryption Standard) and an encryption program such as RC4, which is a target stream encryption method, are installed.

Further, the set top box 10 is a secure (Sec) which is an external storage device to which the present embodiment is applied.
ure) HDD (hard disk drive) 20 is connected. The manufacturer providing the set top box 10 provides the set top box 10 and the secure HDD 20 in the form of being integrated in a housing. The content distributed via the cable modem 8 passes through the Ethernet I / F 13 of the set top box 10 and is stored in the secure HDD 20. The stored content is reproduced and displayed on the display (TV) 9 via the display I / F 12 as needed.

FIG. 2 is an explanatory diagram detailing the configuration of the external storage device to which this embodiment is applied. The secure HDD 20 to which this embodiment is applied is a disk medium 21 that is a medium for storing data, a media controller 22 that controls the disk medium 21, and an MPU that is an arithmetic processing unit that controls the entire secure HDD 20.
23, a ROM 24 in which a cryptographic program such as DES or RC4 is mounted, a RAM 25 that stores various counters controlled by the MPU 23, and an ATA I / F that controls the interface with the system side by an ATA (AT Attachment).
It is equipped with 26.

FIG. 3 is a diagram for explaining the configuration of processing blocks in the computer system described with reference to FIGS. 1 and 2. Here, the system side 30 (set top box 10 side) which is a system device and the HDD side 50 (secure HDD 20 side) which is an external storage device are connected via a data bus 40. System side 30
Is a central processing unit 3 included in the MPU 15 shown in FIG.
1, a data transmission / reception control device 32 that executes data transmission / reception with the HDD side 50, and a security control mechanism 33 in which security-related information is stored in the present embodiment. The security control mechanism 33 includes a non-volatile memory 34 and a random number generator 35 stored in the smart card 7 shown in FIG. 1, and the MPU shown in FIG.
It includes an authentication failure counter 36 and a command counter 37 which are controlled and managed by 15 and held on the RAM 14. Further, a random number generator 38 used for a command different from the random number generator 35 is provided.

The random number generator 38 is a ROM shown in FIG.
16 is implemented by software, and more specifically, it is realized by a cryptographic program such as DES or RC4. The random number generator 38 is a secret key (secret information) stored in the non-volatile memory 34 of the smart card 7 shown in FIG.
(Pks, Pkh)) and an initial random number value from the random number generator 35. The cryptographic program repeatedly generates the pseudo random number sequence by encrypting the received random number initial value with the secret key. Information regarding the authentication failure is stored in the authentication failure counter 36 and is used for transition to a predetermined state such as system stop. The command used for transmission / reception with the hard disk drive via the data bus 40 is stored in the command counter 37.

The HDD side 50 is the MPU 23 shown in FIG.
1 includes a central processing unit 51, a data transmission / reception control device 52 for transmitting / receiving data to / from the system side 30 via the data bus 40, and a security control mechanism 53.
The security control mechanism 53 includes a random number generator 54. The random number generator 54 may be provided with dedicated hardware and connected to the MPU 23, but in the present embodiment, it is implemented by software on the ROM 24,
As a premise, the disk medium 21 is shipped when the HDD is shipped.
It is assumed that two random number initial values peculiar to are written. An encryption program such as DES or RC4 is installed on the ROM 24, and one initial value is used as an encryption key.
It is assumed that other initial values are encrypted by a cryptographic program and that the result of the encryption is the generated random number.
By overwriting the generated random number on the initial value and then repeating this generation process, the same random number sequence is prevented from being generated.

The random number generator 57 is implemented by software on the ROM 24 and realized by a cryptographic program such as DES or RC4. This cryptographic program receives a cryptographic key and a random number initial value, and repeatedly encrypts the random number initial value with the cryptographic key to generate a pseudo random number sequence. Authentication failure counter 55 and command counter 56
Are controlled and managed by the MPU 23 shown in FIG. 2, and these values are held in the RAM 25.

An authentication failure counter 36 provided on the system side 30 and an authentication failure counter 55 provided on the HDD side 50 record the number of consecutive authentication failures.
Here, when it becomes clear that the other device does not share the secret information, the authentication fails and the count values of the authentication failure counters 36 and 55 are incremented. The counter values of the authentication failure counters 36 and 55 are reset to “0” when it becomes clear that the partner device shares the secret information. When the counter values of the authentication failure counters 36 and 55 exceed a certain number,
The operation of the system side 30 or the HDD side 50 is stopped.

Next, the encryption / authentication method performed by the system side 30 and the HDD side 50 in the present embodiment will be described with reference to FIGS. Here, the personalize process, password encryption, and continuous device authentication mechanism will be described.

FIG. 4 is a diagram for explaining a personalization process performed at the time of initializing. In the present embodiment, the secret information (Perso
nalKey) and using this secret information,
Mutual authentication of devices is performed. This mutual authentication of equipment is always performed when the power is turned on. Also, the system side 3
0 and the HDD side 50 mutually generate random numbers, encrypt this using this secret information, and then exchange them.

As shown in FIG. 4, the system side 30 and the HD
The D side 50 is a secret key Pks and a secret key Pkh as secret information.
And has initial values Is and Ih, respectively. These are the system side 30 and the HDD side 50.
It should be written at the time of manufacture with
By executing the initialization program with the D side 50,
It is assumed that Pks and Pkh return to Is and Ih, respectively. For example, a value peculiar to the customer is given to these Is and Ih, and each of them is kept secret so that the HDD side 5 in the initial state is
Even for 0, it can be prohibited to connect it to the system side 30 of another company.

It is considered that Pks or Pkh held as a secret state may be different from each other or may be a value obtained by processing one value such as Pks = f (Pkh). For example, as Pks, there is a method of adding 1 to Pkh or adopting an exclusive OR of Pkh with a specific constant value. System side 30 and HDD side 50 in this initial state
Using, the manufacturer providing the STB loads the secure HDD 20 into the set top box 10.

On the system side 30, a random number RNDx is first generated, and then on the HDD side 50, "SET_PE
RSONALIZE ”command is issued. at the same time,
The random number RNDx generated earlier is H as an argument of the command.
It is transmitted to the DD side 50. This example also includes the case where some processing is performed at the time of passing the random numbers. For example, there is a case where the encrypted random number RNDx is transmitted to the HDD 50.

On the HDD side 50, a random number RNDy is generated, and then the received random number RNDx is subjected to specific processing. Then, a concatenation of the random number RNDy and the random number RNDx subjected to a specific process is encrypted by Pkh and transmitted to the system side 30. Here, it is encrypted by DES which is a procedure open type. Further, as an example of processing the random number RNDx, a case where +1 is simply shown is shown, but for example, the random number RNDy is added,
An exclusive OR may be taken with the random number RNDy. Further, "0" may be added.

On the system side 30, the processed random number RNDx is decrypted with the secret key Pkh (= Ih), and the result is the random number RND which has been subjected to the specific processing.
It is checked whether it is the same as x. In the example shown in FIG. 4, it is confirmed whether or not the decoding result is RNDx + 1. If this result is incorrect, the system side 30
The authentication failure counter 36 therein is incremented, and this command protocol is terminated. Authentication failure counter 36
If the output of (1) exceeds a certain value (for example, 3), it is considered that there is a security problem and the system side 30 makes a transition to a predetermined state such as system stop and does not accept the command. However, the state of the transition basically depends on the security policy of the manufacturer of the set top box 10.

When RNDx + 1 is correctly confirmed, as shown in FIG. 4, the system side 30 generates a random number newPks, which is set as a new Pks candidate. Further, on the system side 30, RNDy is decrypted with Pkh (= Ih), and a specific processing (here, +1) is performed on the result. On the system side 30, newPks and RNDy + 1 are encrypted with Pks (= Is) and transmitted to the HDD side 50.

Next, on the HDD side 50, the processed and sent RNDy is decrypted with the secret key Pks (= Is), and the result is the same as the RNDy which has undergone the specific processing. It is checked whether there is any (in this example, it is checked whether the decoding result is RNDy + 1).
If this result is not correct, the authentication failure counter 55 in the HDD side 50 is incremented, this command protocol is terminated, and an error is returned to the system side 30 in the same manner as a normal ATA command. If the output of the authentication failure counter 55 exceeds a certain value (for example, 3), there is a security problem and the HDD side 5
At 0, a transition to a predetermined state such as system stop is made and control is performed so that the command cannot be accepted.
However, the state of the transition basically depends on the security policy of the manufacturer that provides the set top box 10.

When RNDy + 1 is correctly confirmed, the HDD side 50 outputs a random number newPkh,
This is a new Pkh candidate. Next, on the HDD side 50, newPks is decrypted with the secret key Pks (= Is), and this is used as the new secret key Pks, and the old secret key Pks (=
Is) is replaced. From the HDD side 50, a normal termination is returned to the system side 30 as a status code, and the result of encrypting newPkh with the secret key Pkh (= Ih) is transmitted to the system side 30. After that, HDD side 5
At 0, newPkh is the new private key Pkh and the old Pkh
(= Ih).

On the system side 30, when an error is returned as a status code, Pks and Pkh are not updated and the protocol is terminated. When the status code indicates normal termination, newPkh is decrypted by Pkh (= Ih) on the system side 30,
This is replaced with the old Pkh (= Ih) as the new Pkh. Furthermore, newPks is set as new Pks, and old Pks
ks (= Is) is replaced.

By the protocol as described above, the secret keys Pks and Pkh are updated, and thereafter, communication is not possible except on the system side 30 and the HDD side 50 of the pair having this new secret key. After that, when it becomes necessary to update the private key further, the current P in the above protocol is used.
By replacing the values of ks and Pkh with Is and Ih, the same protocol can be realized.

FIG. 5 is a diagram for explaining the password encryption process. Here, similarly to the above, the system side 30 and the HDD side 50 have secret keys Pks and Pkh as secret information, and when the power is turned on, the HDD side 50 is activated in a password-locked state. Shall be done. At this time, in the present embodiment, the system side 30 has to send the password to the HDD side 50 in order to use the HDD side 50, and the procedure shown in FIG. 5 is executed.

On the system side 30, first, the random number sRND
Is generated, and then “OPEN_S” is sent to the HDD 50.
ESSION ”command is issued. At the same time, the previously generated random number sRND is HD as the argument of this command.
It is transmitted to the D side 50.

On the HDD side 50, the random number hRND is first generated, and then the received random number sRND is subjected to a specific process. Then, a secret key Pkh is generated for the concatenation of the random number hRND and the random number sRND that has been subjected to a specific process.
Then, the data is encrypted by DES, for example, and transmitted to the system side 30. Here, as an example of processing the random number sRND, an example in which +1 is simply applied is shown, but for example, the random number hRND may be added, or exclusive OR with the random number hRND may be taken. Furthermore, "0" may be added.

On the system side 30, the processed random number sRND is decrypted with the secret key Pkh, and it is judged whether or not the result is the same as the specific processed random number sRND. (In the example shown in FIG. 5, it is confirmed whether or not the decoding result is sRND + 1). If this result is not correct, the authentication failure counter 36 in the system side 30 is incremented and this command protocol is terminated. If the output of the authentication failure counter 36 exceeds a certain value (for example, 3), it is considered that there is a security problem and the system side 30 is transited to a predetermined state such as system stop and does not accept the command. Controlled by. However, basically, the state to be changed depends on the security policy of the STB manufacturer.

When sRND + 1 is correctly confirmed, the system side 30 decrypts the encrypted hRND at Pkh and extracts the random number hRND. System side 3
At 0, this random number hRND is further encrypted with the secret key Pks, and this is designated as PW_Mask. At the same time, HD
Also on the D side 50, the random number hRND is encrypted with the secret key Pks, and this is PW_Mask. On the system side 30, a normal HDD password is masked by encrypting (calculating an exclusive OR in this case) by PW_Mask (generation of Masked_PW).

From the system side 30, the standard "SECU
RITY UNLOCK ”command is issued. At this time, the generated Mas is used instead of the plain password.
ked_PW is embedded in the password field,
It is transmitted to the HDD side 50. On the HDD side 50, Mas
ked_PW is decrypted (here, Masked_PW)
By calculating the exclusive OR of PW and PW_Mask), a plain HDD password is extracted. H
On the DD side 50, the obtained HDD password is used, and thereafter, the standard "SECURITY UNLOC" is used.
Command processing is executed according to the procedure of the K ”command.

FIG. 6 is a diagram for explaining a continuous device authentication mechanism. Initial Set (Initial Set
up), first, on the system side 30, by the password encryption process, "OPEN_SESSIO"
N ”command is issued. Along with this, the system side 3
The random numbers sRND and hRND are shared between 0 and the HDD side 50. Here, the system side 30 and the HDD side 50
Then, sRND and hRND are given to a specific function, and the seed value Iv of the pseudo random number sequence is created. As a specific function, for example, calculation of an exclusive OR of sRND and hRND can be cited.
It is also possible to encrypt with RND.

On the system side 30 and the HDD side 50,
The same pseudo random number generator (PRNG (Pseudo Random Number)
Generator)) is incorporated, and Iv is given as an initial value to the generator, and a random number sequence PRNG (Iv ++) is generated.
The head of this random number sequence on the system side 30 is set to Krs, and H
The head of this random number sequence on the DD side 50 is Krh.

Each time a command is sent from the system side 30 to the HDD side 50, or from the system side 30 to the HDD
Every time a specific command group (eg, READ command) is sent to the side 50, the system side 30 sends “SET_KE”.
Y ”command is issued, and Krs is HD as its argument.
It is transmitted to the D side 50. Also, from the system side 30 HD
A READ command is transmitted to the D side 50. This READ command is a normal ATA command, but in this example, it is an example of a command that requires device authentication.

On the HDD side 50, the Krs transmitted prior to the reception of this READ command is based on the HDD side 50.
It is checked whether it is the same as the internally generated Krh. If they are the same, the READ command is processed normally. After that, on the HDD side 50 and the system side 30, the random numbers extracted in order from the random number sequences obtained by the respective PRNGs are set as new Krs and Krh, respectively, and "SET" is set.
The protocol from the "_KEY" command is repeated.
When Krs is different from Krh, the operation of the HDD 50 is stopped and the state is changed to the security locked state. In order to cancel this, "OPEN_S
It is necessary to take steps from the "ESSION" command.

As described above, the system side 30 and the HD
Sharing the secret key with the D side 50 and exchanging it with a new key, encrypting the password, performing a continuous device authentication mechanism,
Both devices can be authenticated. This makes HD
The D side 50 does not operate except the specific system side 30,
Further, the system side 30 can recognize the fake HDD side 50. Also, when sharing two keys,
While using a relatively weak encryption method that uses a short key,
It becomes possible to secure strong security in practice.

Next, the flow of processing on the system side 30 which is the set top box 10 (system device) will be described in detail with reference to FIGS. FIG. 7 is a flowchart for explaining the flow of overall processing on the system side 30. First, the power of the central processing unit 31 is turned on (step 101), and the processing of the "OPEN_SESSION" command is executed (step 102). Then, it is determined whether or not there is a personalize (PERSONALIZE) request (step 103). If there is a request, "SET_PER
The processing of the "SONALIZE" command is executed (step 104) and the process proceeds to step 107. Step 1
If there is no request in 03, it is judged whether or not there is a request for various HDD commands (step 105). If there is a request, various HDD command processes are executed (step 106) and the process proceeds to step 107. When the request does not exist in step 105, it is determined whether the command counter 37 shown in FIG. 3 is larger than a specific value, for example, "10" (step 107). If this specific value is exceeded, the command counter 37 is set to "0" (step 108), and the "SET_KEY" command processing is executed (step 109). In step 107,
If this particular value is not exceeded, the command counter 3
7 is incremented (+1) (step 110), and the process returns to step 103.

When the process from (3) in the figure, that is, the timeout error and the decryption result described later are not correct, the authentication failure counter 36 is incremented (+1) (step 111). Then, it is judged whether or not the authentication failure counter 36 is larger than a specific value, for example, 3 (step 112). If it exceeds the specific value, it is determined that there is an error and the central processing unit 31 is stopped (step 113).
If the authentication failure counter 36 does not exceed a specific value,
The processing from step 103 is executed.

FIG. 8 is a flowchart detailing the processing of the "SET_PERSONALIZE" command in step 104 of FIG. The system side 30 first takes out the 64-bit random number RNDx from the random number generator 35 (step 201). Then, the "SET_PERSONALIZE" command having the retrieved random number as a parameter is transmitted from the data transmission / reception control device 32 to the HDD side 50 (step 202). Then, it waits for 128-bit communication data received by the data transmission / reception control device 32 (step 203). The central processing unit 31 determines whether a time-out error has occurred (step 20).
4) In the case of time-out, the above-described authentication failure processing is performed. Before a timeout error occurs 12
If 8-bit communication data is received, the received 12
The 8-bit communication data is set to D1 (step 205).

Next, the central processing unit 31 extracts Pkh from the hard disk secret key area of the non-volatile memory 34 (step 206). And the received data D at this Pkh
1 is decoded (step 207). Here, it is determined whether the latter half 64-bit data of the decoded data is RNDx + 1.
(Step 208), if it is not RNDx + 1, that is,
If this result is not correct, the above-described authentication failure processing is performed. If correct, the first half 6 of the decoded data
The 4-bit data is set to RNDy (step 209).

Next, Pks is taken out from the system private key area of the non-volatile memory 34 (step 210). Then, 64-bit data D2 is created from the random number generator 35.
(Step 211), 56 bits are taken out from this D2 and set as a new system secret key newPks (Step 21).
2). Next, the 128-bit data obtained by combining D2 and RNDy + 1 is encrypted with Pks (step 213), and this encrypted data is transmitted from the data transmission / reception control device 32 (step 214). Then, it waits for 128-bit communication data from the data transmission / reception control device 32 (step 215), judges whether there is a time-out error (step 216), and if there is a time-out error, shifts to the above-mentioned step. If it's not a timeout error,
The received 64-bit communication data is decrypted with Pkh, and the value is stored in the hard disk secret key area of the non-volatile memory 34 (step 217). Then, newPks is stored in the system private key area of the non-volatile memory 34 (step 218), the authentication failure counter 36 is set to 0 (step 219), and the process returns to step 107.

FIG. 9 is a flow chart detailing the processing of the "OPEN_SESSION" command in step 102 of FIG. The system side 30 first takes out the 64-bit random number sRND from the random number generator 35 (step 301), and transmits the “OPEN_SESSION” command having the fetched random number as a parameter from the data transmission / reception control device 32 to the HDD side 50 ( Step 302). Then, it waits for the 128-bit communication data received by the data transmission / reception control device 32 (step 303). Here, it is determined whether or not a time-out error has occurred (step 304). If the time-out has occurred, the process proceeds to the authentication failure process. When the 128-bit communication data is received before the time-out error occurs, the received 128-bit communication data is set as D1 (step 305).

Next, the central processing unit 31 takes out Pkh from the hard disk secret key area of the non-volatile memory 34 (step 306) and decrypts the received data D1 with this Pkh (step 307). Here, the latter half 64 of the decoded data
It is determined whether or not the bit data is sRND + 1 (step 308), and if it is not sRND + 1, that is, if this result is incorrect, the above-described authentication failure processing is performed. If it is correct, the first half 64-bit data of the decoded data is set to hRND (step 309).

Next, Pks is taken out from the system private key area of the non-volatile memory 34 (step 310), and hRN is set.
Let the exclusive OR of the value obtained by encrypting D with Pks and the HDD password stored in the non-volatile memory 34 be D2.
(Step 311). ATA with this D2 as a parameter
The data transmission / reception control device 3 transmits the SECURITY command.
2 to the HDD 50 (step 312). Then, the value of sRND + hRND is set to the initial value of the random number generator 35 (step 313), the authentication failure counter 36 is set to 0 (step 314), and the process returns to step 103.

FIG. 10 is a flow chart showing the processing of the "SET_KEY" command in step 109 of FIG. In the “SET_KEY” command processing, the seed value Iv of the pseudo random number sequence is acquired from the random number generator 38.
(Step 401). Then, the "SET_KEY" command having this Iv as a parameter is transmitted from the data transmission / reception control device 32 to the HDD side 50 (step 402), and the process returns to step 103.

As described above, the system side 30 such as the set-top box 10 according to the present embodiment generates a random number and transmits it to the HDD side 50, and the HDD side 50 applies a certain rule to this random number. Is processed according to
Receives (processed random number) encrypted with a secret key. On the other hand, the system side 30 decrypts the encrypted "processed random number" using a secret key, and confirms whether the number is the generated random number based on a certain rule. is doing. As a result, the system side 30
At, it is possible to determine whether the HDD side 50 holds the secret key.

Next, referring to FIGS. 11 to 14, the HDD side 5
The processing flow of 0 will be described in detail. FIG. 11 is a flowchart for explaining the flow of the entire process on the HDD side 50. First, the power of the central processing unit 51 is turned on (step 501), and the processing of the "OPEN_SESSION" command is executed (step 502). And
Whether or not there is a personalize (PERSONALIZE) command is determined (step 503), and if the command is present,
The processing of the "SET_PERSONALIZE" command is executed (step 504), and the process proceeds to step 508. If there is no request in step 503, “S
It is determined whether or not there is an "ET_KEY" command (step 5
05). If the command exists, "SET_KE
The Y ”command processing is executed (step 506), the command counter 56 is set to 0 (step 507), and the process proceeds to step 508.

If the command does not exist in step 505, the command counter 56 shown in FIG.
For example, it is determined whether it is larger than "10" (step 508). If this specific value is exceeded, the central processing unit 51 is stopped (step 509). If this specific value is not exceeded, the command counter 56 is incremented (+1) (step 510) and the process returns to step 503.

In the process from the step in the figure, that is, when the timeout error and the decryption result described later are not correct, the authentication failure counter 55 is incremented (+1) (step 511). Then, it is judged whether or not the authentication failure counter 55 is larger than a specific value, for example, 3 (step 512). If it exceeds the specific value, it is determined that there is an error and the central processing unit 51 is stopped (step 509).
If the authentication failure counter 55 does not exceed a specific value,
The processing from step 503 is executed.

FIG. 12 is a flowchart detailing the processing of the "SET_PERSONALIZE" command in step 504 of FIG. The central processing unit 51 on the HDD side 50 first receives RNDx from the data transmission / reception control unit 52 (step 601), and receives the random number generator 54.
A 64-bit random number RNDy is extracted from (step 60
2). And non-volatile memory (disk media 21)
Pkh is taken out from the hard disk private key area of (step 603). Thereafter, 128-bit data obtained by combining RNDy and RNDx + 1 is encrypted with Pkh (step 604). Data transmission / reception control device 5 for encrypted data
2 to the system side 30 (step 60)
5). Then, wait for the 128-bit communication data received by the data transmission / reception control device 52 (step 60).
6). When waiting for this communication data, it is judged whether or not a time-out error has occurred (step 607), and in the case of time-out, the above-mentioned authentication failure processing is performed. When the 128-bit communication data is received before the time-out error occurs, the received 128-bit communication data is set as D1 (step 608).

Next, the central processing unit 51 takes out Pks from the system private key area of the non-volatile memory (disk medium 21) (step 609). Then, the received data D1 is decoded with this Pks (step 610). here,
It is determined whether the latter half 64-bit data of the decrypted data is RNDy + 1 (step 611), and if it is not RNDy + 1, that is, if this result is incorrect, the above-described authentication failure processing is performed. If it is correct, the first half 64-bit data of the decoded data is set to newPks (step 612).

Next, 64-bit data D2 is created from the random number generator 54 (step 613), 56 bits are extracted from this D2, and a new hard disk secret key newPk.
h (step 614). Next, the data is encrypted with D2 and Pkh (step 615), and this encrypted data is transmitted from the data transmission / reception control device 52 (step 616). And
Store newPkh in the hard disk private key area of the non-volatile memory (disk medium 21) (step 617),
The newPks is stored in the system private key area of the non-volatile memory (disk medium 21) (step 618). Then, the authentication failure counter 55 is set to 0 (step 61
9) and returns to step 508.

FIG. 13 is a flowchart detailing the processing of the "OPEN_SESSION" command in step 502 of FIG. The HDD side 50 first receives the sRND from the data transmission / reception control device 52 (step 701). Then, the 64-bit random number hRND is taken out from the random number generator 54 (step 702), and Pkh is taken out from the hard disk secret key area of the nonvolatile memory (disk medium 21) (step 703). Next, the 128-bit data obtained by combining the extracted random numbers hRND and sRNDx + 1 is encrypted with the extracted Pkh (step 70
4) The encrypted data is transmitted from the data transmission / reception control device 52 to the system side 30 (step 705).

Next, the central processing unit 51 waits for the ATA SECURITY command from the data transmission / reception control device 52 (step 706) and judges whether the command has not arrived by a predetermined time and a time-out error has occurred. (Step 707). If the time is out, the process shifts to the authentication failure process of. When the ATA SECURITY command is received before the time-out error occurs, the parameter of the received ATA SECURITY command is set to D1 (step 708).

Further, the central processing unit 51 takes out Pks from the system private key area of the non-volatile memory (disk medium 21) (step 709) and outputs the random number hRND as Pks.
The exclusive OR of the value encrypted in step 1 and D1 is set as D2 (step 710). Here, it is determined whether or not the HDD password stored in the non-volatile memory (disk medium 21) and D2 match (step 711). If they do not match, that is, if this result is incorrect. Is
The process shifts to the authentication failure process described above. If it is correct, the value of sRND + hRND is set to the initial value of the random number generator 54 (step 712), the authentication failure counter 55 is set to 0 (step 713), and the process returns to step 503.

FIG. 14 is a flow chart showing the processing of the "SET_KEY" command in step 506 of FIG. In the "SET_KEY" command processing,
First, the central processing unit 51 includes a data transmission / reception control device 52.
The seed value Iv of the pseudo random number sequence is received from (step 8
01), it is determined whether the value obtained from the random number generator 57 is equal to Iv (step 802). If they are equal, the process returns to step 507. If they are not equal, the central processing unit 51 is stopped (step 803).

As described above, according to this embodiment, the external storage device such as the hard disk drive (HDD) is authenticated by the system storage device (side) such as the set top box 10 to identify the external storage device. It is possible to prevent the system device from operating other than the combination and to recognize the fake external storage device (device authentication). by this,
For example, a set top box 1 that incorporates an HDD
It is possible to eliminate the risk of removing only the HDD and using it for another purpose as opposed to the business form such as providing 0 for free. Further, in consideration of export restrictions on encryption technology, it is possible to provide an encryption method that is not subject to export restrictions. Furthermore, it becomes possible to provide a new command system having the maximum consistency with the HDD commands so far.

[0071]

As described above, according to the present invention,
It is possible to prohibit the external storage device from operating other than in combination with a specific system device. Further, the system device can authenticate the external storage device.

[Brief description of drawings]

FIG. 1 is a diagram for explaining the configuration of a computer system to which this embodiment is applied.

FIG. 2 is an explanatory diagram detailing the configuration of an external storage device to which this embodiment is applied.

FIG. 3 is a diagram for explaining the configuration of processing blocks in the computer system described with reference to FIGS. 1 and 2.

FIG. 4 is a diagram for explaining personalization processing performed at the time of initializing.

FIG. 5 is a diagram for explaining a password encryption process.

FIG. 6 is a diagram for explaining a continuous device authentication mechanism.

FIG. 7 is a flowchart for explaining the flow of overall processing on the system side.

FIG. 8 shows “SET_P” in step 104 of FIG.
7 is a flowchart detailing the processing of an "ERSONALIZE" command.

FIG. 9 shows “OPEN_” in step 102 of FIG.
10 is a flowchart detailing the processing of the "SESSION" command.

FIG. 10 shows “SET_” in step 109 of FIG.
10 is a flowchart showing the processing of a “KEY” command.

FIG. 11 is a flowchart for explaining the flow of overall processing on the HDD side.

FIG. 12 shows a message “SET” in step 504 of FIG.
13 is a flowchart detailing the processing of the "_PERSONALIZE" command.

13 is a flow chart showing "OPE" in step 502 of FIG.
9 is a flowchart detailing the processing of the "N_SESSION" command.

14 is a flow chart showing "SET" in step 506 of FIG. 11. FIG.
10 is a flowchart showing the processing of the “_KEY” command.

[Explanation of symbols]

7 ... Smart card, 8 ... Cable modem, 9 ... Display (TV), 10 ... Set top box, 11 ... Smart card reader, 12 ... Display I / F, 13
... Ethernet I / F, 14 ... RAM, 15 ... MPU,
16 ... ROM, 20 ... Secure HDD (hard disk drive), 21 ... Disk media, 22 ...
Media controller, 23 ... MPU, 24 ... ROM,
25 ... RAM, 26 ... ATA I / F, 30 ... System side, 31 ... Central processing unit, 32 ... Data transmission / reception control unit, 33 ... Security control mechanism, 34 ... Nonvolatile memory, 35 ... Random number generator, 36 ... Authentication Failure counter, 37
... command counter, 38 ... random number generator, 40 ... data bus, 50 ... HDD side, 51 ... central processing unit, 52 ... data transmission / reception control unit, 53 ... security control mechanism, 5
4 ... Random number generator, 55 ... Authentication failure counter, 56 ... Command counter, 57 ... Random number generator

Continued front page    (72) Inventor Hideto Niijima             1623 1423 Shimotsuruma, Yamato-shi, Kanagawa Japan             BM Corporation Tokyo Research Laboratory             Within (72) Inventor Hiroaki Eto             1623 1423 Shimotsuruma, Yamato-shi, Kanagawa Japan             BM Corporation Tokyo Research Laboratory             Within F-term (reference) 5B017 AA07 BA07 CA07                 5D044 BC01 CC04 DE50 HL11                 5J104 AA07 KA02 KA04 KA06 NA02                       PA05

Claims (20)

[Claims] 1. An authentication method performed between an external storage device that writes and reads data and a system device that accesses the external storage device, wherein the system device uses the generated random number as the external device. To the storage device, the external storage device transmits to the system device the information encrypted with a secret key after processing the transmitted random number according to a certain law, the system device Decrypting the received information using a secret key, recognizing that the random number has been processed according to the certain law based on the decrypted information, and the external storage device An authentication method characterized by confirming that the system device holds the same private key. 2. The system device counts the number of authentication failures as a result of confirmation, and stops access to the external storage device when the number of authentication failures exceeds a certain value. The authentication method according to claim 1. 3. An authentication method performed between an external storage device for writing and reading data and a system device for accessing the external storage device, wherein the external storage device is configured to generate a random number 1 transmits an encrypted random number encrypted using the secret key to the system device, and the system device decrypts the transmitted encrypted random number using the first secret key, After the information is processed according to a certain rule, the information encrypted with the second secret key is transmitted to the external storage device, and the external storage device stores the transmitted information as the second secret key. An authentication method characterized by confirming that the number after being decrypted by using the random number is processed according to the certain law. 4. The external storage device and the system device hold the same value as an initial value of the first secret key and the second secret key, and thereafter, the first secret key and the system secret device hold the same value. The authentication method according to claim 3, wherein a new value using a random number is shared as a value with the second secret key. 5. The external storage device counts the number of authentication failures as a result of the confirmation, and stops a predetermined operation when the number of authentication failures exceeds a certain value. The authentication method described in 3. 6. An authentication method performed between an external storage device that writes and reads data and a system device that accesses the external storage device, wherein the external storage device and the system device are secret. A first key and a second key are held as information with each other, and the external storage device generates the first cryptographic information by encrypting using the first key and transmits the first cryptographic information to the system device. The system device decrypts the transmitted cryptographic information by using the first key and also decrypts the decrypted value by using the second key. Two
And transmitting it to the external storage device, and the external storage device decrypts the received second cryptographic information using the second key. 7. An authentication method performed between an external storage device for writing and reading data and a system device for accessing the external storage device, wherein the external storage device generates a random number. , The random number is encrypted using a secret key and transmitted to the system device, the system device decrypts the transmitted random number using a secret key, and the decrypted random number to the password. And transmits the operation result on which the logical operation has been performed to the external storage device, and the external storage device extracts the password by performing an inverse operation of the logical operation on the transmitted operation result. An authentication method characterized by determining whether or not it matches a password held by an external storage device. 8. The external storage device and the system device mutually hold a first secret key and a second secret key, and the system device is decrypted by the first secret key. 8. The password mask is obtained by encrypting a random number with the second secret key, and the operation result obtained by performing a logical operation on the password with the password mask is transmitted to the external storage device. Authentication method. 9. An external storage device for writing and reading data, and a system device for accessing the external storage device, wherein the system device transmits the generated random number to the external storage device and transmits the random number. The external storage device processes the generated random number according to a certain law and then receives the information encrypted with the secret key from the external storage device, and decrypts the received information using the secret key. The external storage device and the system device have the same secret key by recognizing that the random number has been processed according to the certain rule based on the decrypted information. An authentication system characterized by confirming that the 10. The system device counts the number of authentication failures as a result of confirmation, and stops access to the external storage device when the number of authentication failures exceeds a certain value. The authentication system according to claim 9. 11. The external storage device and the system device generate a random number sequence having the same value as an initial value of a random number generator, and each time a command is transmitted / received, a random number extracted in order is a new random number. The authentication system according to claim 9, wherein the authentication system is a column. 12. An external storage device for writing and reading data, and a system device for accessing the external storage device, wherein the external storage device uses a first secret key for the generated random number. The encrypted encrypted random number is transmitted to the system device, and the transmitted encrypted random number is decrypted by the system device using the first secret key and processed according to a certain rule. After the information encrypted with the second secret key is received from the system device and the received information is decrypted with the second secret key, the number is the random number according to the certain law. An authentication system characterized by confirming that it has been processed. 13. The external storage device and the system device hold the same value as an initial value of the first secret key and the second secret key, and thereafter, the first secret key and the second secret key 13. The authentication system according to claim 12, wherein a new value using a random number is shared as a value with the second secret key. 14. A computer apparatus comprising a hard disk drive for writing and reading data, and a system for accessing the hard disk drive, wherein the computer apparatus performs authentication between the system and the hard disk drive. The drive and the system mutually hold a first key and a second key as secret information, and the hard disk drive generates the first cipher information by encrypting using the first key. To the system, the system decrypts the transmitted cryptographic information using the first key, and encrypts the decrypted value using the second key. By doing so, the second encryption information is generated and transmitted to the hard disk drive. Bed the computer apparatus characterized by decoding using the second key to the second encryption information received. 15. The first key and the second key held in the system are stored in an IC card, and the first key and the second key held in the hard disk drive are 15. The computer device according to claim 14, wherein the computer device is stored in a disk medium that constitutes a hard disk drive. 16. A system device connected to an external storage device for writing and reading data, and accessing the external storage device, comprising: random number generating means for generating a random number; and the random number for the external storage device. And a receiving means for receiving from the external storage device information encrypted with a secret key after the external storage device processes the transmitted random number according to a certain rule. Decryption means for decrypting the received information using a secret key, and processing of the random number generated by the random number generation means by the decrypted information according to the certain law. By recognizing the above, the external storage device and the system device are provided with confirmation means for confirming that they hold the same secret key. 17. The secret information includes a holding unit that holds two secret keys common to the external storage device, and separates a secret key for encrypting information and a secret key for decrypting transmitted cipher information. 17. Separately used.
The described system unit. 18. An external storage device connected to a system device for writing and reading data, the holding device holding the same private key as the system device, a random number generating device for generating a random number, and Encrypting means for encrypting a random number using the secret key, transmitting means for transmitting the encrypted random number encrypted by the encrypting means to the system device, and the encrypted random number transmitted Receiving means for receiving from the system device a random number processed by the system device after being decrypted by the system device, and confirming that the random number received by the receiving device is processed according to a certain law. Confirmation means to
An external storage device comprising: 19. An external storage device connected to a system device for writing and reading data, the random number generating means generating a random number, and encrypting the random number using a first secret key. Encryption means, transmission means for transmitting the encrypted random number encrypted by the encryption means to the system device, and information processed by the system device for the transmitted encrypted random number. An external storage device comprising: receiving means for receiving from the system device; and decrypting means for decrypting the information received by the receiving means using a second secret key. 20. The receiving means decrypts the encrypted random number using the first secret key in the system device, performs a predetermined process, and then uses the second secret key. 20. The external storage device according to claim 19, wherein the external storage device receives encrypted information.