JP2004318838A - Software update device, software update system, software update method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce the load of update processing while securing high safety characteristics. <P>SOLUTION: When firmware of a device to be updated (image processor 100) communicable via a network is updated using a software update device (mediation device 101), the mediation device 101 generates one-time password, sends the password to the image processor 100 via a communication path using SSL to allow the image processor to store it therein (S102 to S106), sends the one-time password to the image processor 100 via a communication path using FTP having a smaller processing load than that of the SSL to allow the image processor to perform the authentication processing (S111), and, when the authentication processing is success, sends the firmware for updating to the image processor 100 via a communication path by the FTP to make the image processor update the firmware (S112, S113). If the success of update is confirmed, it is good to invalidate the one-time password (S120 to S123). <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a software update device that updates software of a device to be updated communicable via a network, a software update system including such a software update device and a device to be updated, and a software update by the software update device. A method and a program for causing a computer to function as the above-described software update device. The software to be updated may be, for example, firmware or an application program.

2. Description of the Related Art Conventionally, in an image processing apparatus such as a printer, a facsimile apparatus, a copier, a scanner, and a digital multifunction peripheral, it is possible to update firmware, which is software for performing basic hardware control. According to Patent Document 1, a service center obtains firmware version information from an image forming apparatus, and transmits firmware to the image forming apparatus via a communication control device when it determines that the version is old and needs to be updated. Describes an image forming apparatus management system for updating firmware.
JP 2002-288066 A

By the way, in the image forming apparatus management system described in Patent Document 1, communication between a service center and a communication control apparatus is basically performed by a public line (PSTN) or a dedicated line, or between a communication control apparatus and the image forming apparatus. Communication is performed using a communication path of the RS-485 standard.
On the other hand, in recent years, a management system has been proposed in which communication between the management device and the managed device is performed via a network such as the Internet or a local area network (LAN), with emphasis on versatility and expandability. I have. In such a management system, as in the case of Patent Document 1, it is conceivable to transmit firmware from the management device to the managed device to update the firmware.

The processing in this case is, for example, the processing shown in the sequence diagram of FIG. In this case, it is considered that the management device is a firmware update device (firmware update device), and the managed device is an update device of firmware (hereinafter, also simply referred to as “firmware”).
In the process shown in FIG. 26, the firmware update device 91 and the device to be updated 92 communicate using FTP (File Transfer Protocol), and an ID and a password for FTP are set in the firmware update device 91 in advance. These are stored in both the firmware update device 91 and the device to be updated 92.

In this process, first, the firmware update device 91 executes a version information acquisition process at regular time intervals or when a predetermined event occurs, transmits an ID and a password to the device to be updated 92, and requests a connection by FTP. I do. The ID and the password conform to the FTP standard, and the device to be updated 92 that has been requested to connect can authenticate the firmware updating device 91 with these. Then, the ID and the password are compared with those stored, and if they match, the connection is established as a successful authentication (S11). If the IDs or passwords do not match, the connection is not established, an error occurs, and the process ends.
When the connection is established, the firmware update device 91 requests the device to be updated 92 to transmit the firmware version information, and the device to be updated 92 transmits the firmware version information in response to the request (S12). Thereafter, the firmware update device 91 disconnects the connection with the device to be updated 92 (S13). The above is the version information acquisition processing.

Next, the firmware update device 91 determines whether or not update is necessary based on the acquired firmware version information. If the latest version of the firmware has already been installed in the device to be updated 92, no update is required. Here, if it is determined that the update is unnecessary, the process ends, and thereafter, when a trigger occurs, the version information acquisition process is performed again. However, if it is determined that the update is necessary (S14), the next firmware transmission process is executed.
In this process, first, as in the case of step S11, the ID and the password are transmitted to the device to be updated 92, and the connection is established (S15). Then, the update firmware is transmitted to the device to be updated 92 (S16). Upon receiving this, the device to be updated 92 performs a firmware update process (S17), and upon completion of the update, resets itself, restarts, and enables the new firmware (S18). Also, the FTP connection is disconnected by resetting the device to be updated 92. The above is the firmware transmission process.
Through the above processing, the firmware of the device to be updated 92 can be updated when necessary. When the version information acquisition processing and the firmware transmission processing are performed again, the same processing is performed using the same password, as shown by the same step numbers in the continuation of the sequence diagram.

However, since communication using FTP does not encrypt data, IDs and passwords are transferred over the network in plain text. Therefore, as shown in FIG. 27, if the communication path between the firmware update device 91 and the device to be updated 92 is monitored by the packet monitor 93, the ID and password can be extracted from the transferred data packet. If this is abused, it becomes possible for a third party to impersonate the firmware updating device 91 and access the device to be updated 92 to update the firmware to an unauthorized one.
Therefore, as shown in FIG. 26, it can be said that using the password transmitted by FTP over and over again has a problem in terms of security.
The above-mentioned point also causes a problem similarly to the case where the software to be updated is not firmware but other software such as an application program.

When a communication path such as PSTN, a dedicated line, or RS-485 is used as described in Patent Document 1, communication is performed using a unique communication protocol. Without analyzing and knowing the protocol, communication cannot be monitored. Therefore, since monitoring is difficult, such a safety problem does not occur, and no means for solving the problem is described.
However, if a software update system is to be constructed using Internet standard technologies such as TCP / IP (Transmission Control Protocol / Internet Protocol), it is important to solve such security problems. .

By the way, in order to solve the above problem, as a communication protocol for encrypting communication contents, for example, a protocol called SSL (Secure Socket Layer) has been developed and widely used. By performing communication using this protocol, it is possible to combine a public key cryptosystem and a common key cryptosystem to authenticate a communication partner and to prevent tampering and eavesdropping by encrypting information.
By performing such communication using SSL, the firmware update device 91 and the device to be updated 92 can safely exchange a common key, and communication can be performed securely. However, a communication method including encryption processing such as SSL has a greater processing load for authentication and data transfer than a communication method that does not perform encryption such as FTP.
In particular, when transmitting large-size data such as software, this effect is significant. Also, of course, even when a protocol other than FTP and SSL is used, the problem of a large and small processing load similarly exists.

  An object of the present invention is to solve these problems and to reduce the load of an update process while ensuring high security when updating software of a device to be updated communicable via a network by the software update device. And

  In order to achieve the above object, the present invention provides a software update device capable of communicating with a device to be updated via a network, generates update authentication information when updating the software of the device to be updated, and encrypts the authentication information. Authentication information setting means for requesting the device to be updated to be transmitted and stored in the first communication path, and transmitting the update authentication information to the device to be updated, and requesting an authentication process based on the authentication information. An authentication requesting means for transmitting the update software to the device to be updated via a second communication path having a smaller processing load than the first communication path when the authentication processing is successful. It is.

In such a software updating device, it is preferable to provide an authentication information invalidating unit that transmits a request for invalidating the updating authentication information to the device to be updated after transmitting the updating software.
Further, means for updating the software of the device to be updated in response to a software update request from the outside and returning the result to the request source of the update request may be provided.

Further, a means for receiving a start notification indicating activation from the device to be updated, and obtaining version information of the software from the device to be updated when the start notification is received from the device to be updated after transmission of the software for update It is preferable to provide a means for comparing the transmitted version information of the update software with the version information to confirm the success or failure of the update.
Furthermore, the first communication path may be a communication path for performing SSL communication, and the second communication path may be a communication path for performing FTP communication.
Alternatively, the first communication path may be a communication path for encrypting and transmitting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

  Further, the software updating system of the present invention updates the software of the device to be updated to the software updating device in the software updating system including the software updating device and the device to be updated, which can communicate with each other via a network. Authentication information setting means for generating update authentication information, transmitting the update authentication information to the updated device via an encrypted first communication path, and storing the updated authentication information; and updating the update device with the update authentication information. An authentication requesting means for transmitting information and requesting an authentication process based on the authentication information; and, when the authentication process is successful, updating software via a second communication path having a smaller processing load than the first communication path. Transmission means for transmitting to the device to be updated, and when the device to be updated is requested to store the authentication information for updating A storage unit for storing the authentication information, and an authentication unit for performing an authentication process using the received update authentication information and the update authentication information stored in the storage unit when the authentication process is requested, and returning a result. And updating means for receiving the updating software when the authentication processing is successful and updating the software of the own device to the updating software.

  In such a software updating system, the software updating device further includes an authentication information invalidating unit that transmits a request for invalidating the updating authentication information to the device to be updated after transmitting the updating software. The device to be updated may be provided with a unit that invalidates the update authentication information stored in the storage unit when the invalidation request is received.

Further, to the device to be updated, means for restarting the device itself after updating the software by the updating means, means for transmitting a start notification indicating the fact to the software updating device at startup, and Means for transmitting software version information to the device in response to the request, the software updating device, when the activation notification is received from the updated device after transmission of the update software, the updated device It is preferable to provide means for requesting transmission of software version information, acquiring the version information, and comparing the version information of the transmitted update software with the transmitted version information to confirm whether the update was successful.
Furthermore, the first communication path may be a communication path for performing SSL communication, and the second communication path may be a communication path for performing FTP communication.
Alternatively, the first communication path may be a communication path for encrypting and transmitting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

  Further, the software updating method of the present invention is a software updating method for updating software of an updated device communicable via a network by a software updating device, wherein the updating authentication information is used when updating the software of the updated device. Is transmitted to the device to be updated via the encrypted first communication path and stored therein, and the device to be updated is transmitted with the authentication information for updating to perform an authentication process based on the authentication information. When the authentication process is successful, the update software is transmitted to the device to be updated via the second communication path having a smaller processing load than the first communication path, and the software is updated. is there.

In such a software update method, it is preferable that the updated device invalidates the update authentication information after transmitting the update software.
Further, the software of the device to be updated may be updated in response to an external software update request, and the result may be returned to the source of the update request.

Further, receiving a start notification indicating that it has been started from the updated device, acquiring the software version information from the updated device when receiving the start notification from the updated device after transmitting the update software, It is preferable to confirm the success or failure of the update by comparing the transmitted version information of the update software.
Furthermore, it is preferable that the first communication path is a communication path for performing communication by SSL, and the second communication path is a communication path for performing communication by FTP.
Alternatively, the first communication path may be a communication path for encrypting and transmitting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

  Further, the program according to the present invention, when updating the software of the device to be updated, a computer that controls a software updating device capable of communicating with the device to be updated via a network, generates update authentication information, and encrypts the authentication information. Authentication information setting means for requesting the device to be updated to be transmitted and stored in the first communication path, and transmitting the update authentication information to the device to be updated, and requesting an authentication process based on the authentication information. Authentication request means for transmitting the update software to the device to be updated via a second communication path having a smaller processing load than the first communication path when the authentication processing is successful. It is a program.

In such a program, a program for causing the computer to function as authentication information invalidating means for transmitting a request for invalidating the update authentication information to the device to be updated after transmitting the update software is further provided. It is good to include.
It is preferable that a program for causing the computer to function as a means for updating the software of the device to be updated in response to an external software update request and returning the result to a request source of the update request is further included.

A means for receiving a start notification indicating that the computer has been started from the device to be updated; and It is preferable to further include a program for acquiring the version information and comparing it with the transmitted version information of the update software to function as means for confirming the success or failure of the update.
Further, the first communication path may be a communication path for performing SSL communication, and the second communication path may be a communication path for performing FTP communication.
Alternatively, the first communication path may be a communication path for encrypting and transmitting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

ADVANTAGE OF THE INVENTION According to the software update apparatus, the software update system, and the software update method of this invention as mentioned above, when updating the software of the to-be-updated apparatus which can communicate via a network by a software update apparatus, high security is ensured. However, the load of the update process can be reduced.
Further, according to the program of the present invention, the features of such a software updating device are realized by causing a computer to control the software updating device, and the same effect can be obtained.

Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.
First, a configuration example of a software update device and a software update system according to the present invention will be described. FIG. 1 is a conceptual diagram showing an example of the configuration of a remote management system including the software update system. In FIG. 1, the mediation device 101 is a software update device, and the managed device 10 is an updated device. The management device 102 may be a software update device, and in this case, the mediation device 101 may be a device to be updated. Will be described. Here, the case where the software to be updated is firmware will be described as an example, but it goes without saying that this may be other software such as an application program.

This software update system includes image processing devices such as printers, fax machines, digital copiers, scanners, and digital multifunction devices, network home appliances, vending machines, medical equipment, power supplies, air conditioning systems, gas / water / electricity, etc. Of the remote management system that uses a communication device having a communication function in a weighing system, a general-purpose computer, an automobile, an aircraft, or the like. Then, it has a function of transmitting firmware from the mediation device 101 to the managed device 10 when necessary, and updating the firmware of the managed device 10.
Further, the above-described remote management system includes a mediation device 101, which is a remote management mediation device connected to the managed device 10 by a LAN (local area network), and furthermore, the mediation device 101 and the Internet 103 (also in another network such as a public line). This is provided with a management device 102 functioning as a server device connected to the managed device 10 via the intermediary device 101. The mediation device 101 and the managed device 10 form various hierarchical structures according to the usage environment.

  For example, in the installation environment A shown in FIG. 1, the mediation device 101a that can establish a direct connection with the management device 102 by HTTP has a simple hierarchical structure that follows the managed devices 10a and 10b. In the installation environment B shown, since four managed devices 10 are installed, the load increases if only one mediation device 101 is installed. Therefore, the mediation device 101b that can establish a direct connection with the management device 102 by HTTP follows not only the managed devices 10c and 10d but also another mediation device 101c, and the mediation device 101c is managed by the managed devices 10e and 10f. Are formed to form a hierarchical structure. In this case, information issued from the management device 102 for remotely managing the managed devices 10e and 10f is transmitted to the managed device 10e or 10f via the mediation device 101b and the mediation device 101c which is a lower node thereof. Will be reached.

Further, like the installation environment C, the managed devices with mediation functions 11a and 11b in which the managed device 10 also has the function of the mediation device 101 are connected to the management device 102 via the Internet 103 without a separate mediation device. You may make it.
Although not shown, the managed device 10 may be further connected to the managed device 11 having the mediation function.
In each installation environment, a firewall 104 is installed in consideration of security.

In such a remote management system, the mediation device 101 has an application program for controlling and managing the managed device 10 connected thereto.
The management device 102 is installed with an application program for performing control management of each mediation device 101 and control management of the managed device 10 via the mediation device 101. Each of the nodes in the remote management system including the managed device 10 transmits a "request" which is a request for processing to a method of an application program to be mounted by RPC (Remote Procedure Call). A "response" as a result of the performed processing can be obtained.

That is, the mediation device 101 or the managed device 10 connected thereto can generate a request to the management device 102, pass it to the management device 102, and obtain a response to the request, while the management device 102 A request to the mediation device 101 is generated and delivered to the mediation device 101, and a response to the request can be obtained. This request includes causing the mediation device 101 to transmit various requests to the managed device 10 and acquiring a response from the managed device 10 via the mediation device 101.
To realize RPC, known protocols (communications) such as SOAP (Simple Object Access Protocol: soap), HTTP (HyperText Transfer Protocol), FTP, COM (Component Object Model), CORBA (Common Object Request Broker Architecture), and the like. Standards), technologies, specifications, etc. can be used.

The data transmission / reception model of this transmission / reception is shown in the conceptual diagram of FIG.
(A) is a case where a request to the management device 102 has occurred in the managed device 10. In this case, the managed device 10 generates a managed device-side request a, and the management device 102 that has received the request a via the intermediary device 101 returns a response a to the request. It can be assumed that there are a plurality of intermediary devices 101 shown in the figure (installation environment B shown in FIG. 1 above). (A) shows a case in which not only the response a but also the response delay notification a 'is returned. This is because when the management device 102 receives a request from the managed device via the intermediary device 101 and determines that a response to the request cannot be returned immediately, it notifies a response delay notification and temporarily disconnects the connection state. However, this is because a response to the above-mentioned request is newly delivered at the time of the next connection.

  (B) is a case where a request for the managed device 10 has occurred in the management device 102. In this case, the management device 102 generates a management device-side request b, and the managed device 10 that has received the request b via the mediation device 101 returns a response b to the request. In the case of (B), returning the response delay notification b 'when the response cannot be returned immediately is the same as the case of (A).

Next, the physical configuration of the management device 102 shown in FIG. 1 will be described. The management device 102 includes a CPU, a ROM, a RAM, a nonvolatile memory, a network interface card (hereinafter, referred to as an NIC) and the like (not shown). .
The physical configuration of the mediation device 101 shown in FIG. 1 is as shown in FIG.
That is, CPU 52, SDRAM 53, flash memory 54, RTC (real time clock) 55, Op-Port (operation unit connection port) 56, PHY (physical media interface) 57, modem 58, HDD control unit 59, extended I / F (interface ) 60, RS232 I / F61, RS485 I / F62, HDD (hard disk drive) 63 and the like. Then, the mediation device 15 is connected to the LAN via the PHY 57. It is also connected to the managed device 10 via the LAN. Although it is possible to connect to the managed device 10 via the RS232 I / F61 and the RS485 I / F62, this I / F is not used here.

  For the managed device with mediation function 11, these units may be simply added to the managed device 10 in order to realize the function of the mediation device 101, but the CPU, ROM, and RAM included in the managed device 10 are provided. The functions of the intermediary device 101 can also be realized by making the CPU execute an appropriate application or program module using hardware resources such as.

  FIG. 4 is a block diagram illustrating an example of a software configuration of the mediation device 101. As shown in this figure, the software of the mediation device 101 is composed of three layers: an application layer 70, a service layer 80, and a protocol layer 90. The programs constituting the software are stored in the HDD 63, the SDRAM 53, or the flash memory 54, read out as necessary, and executed by the CPU 52. The CPU 52 executes these programs as necessary and controls the apparatus, thereby realizing each function (functions as authentication information setting means, authentication request means, transmission means, and other means). it can.

In this software, the application layer 70 has a device control method group 71 and an NRS (New Remote Service) application method group 72.
The device control method group 71 includes methods for setting information to be managed, device setting, software update, polling setting change, log output, and start-up processing. This is a program for performing device information management, communication settings, and the like.
The NRS application method group 72 includes methods of log collection, software download, device command execution, device setting change, supply notification, abnormality notification, device activation / introduction, device life / death confirmation, and various notifications from the managed device 10. This is a program for responding to requests and requests, and for causing the managed device 10 to perform operations in accordance with requests from the management device 102.

Next, the service layer 80 includes a security service 81, a communication service 82 for connected devices, a communication service 83 for a management device, and a scheduler service 84.
The security service 81 is a module that generates and executes a job for preventing or preventing illegal outflow of internal information or the like to the outside.
The connection device communication service 82 is for exchanging information with the network connection device connected to the intermediary device 101. This module generates and executes jobs such as parameter management and APL management.
The management device communication service 83 is a module that generates and executes jobs such as command reception, file transmission / reception, information request, and information transmission (information notification) with the management device 102.
The scheduler service 84 is a module that deploys a remote control application based on predetermined set time information.

  The next protocol layer 90 is provided with each method for generating and executing a job for transmitting and receiving information using a protocol corresponding to an information transmission / reception target. That is, SOAP (Simple Object Access Protocol), and HTTP, Hypertext Transfer Protocol Security (HTTPS) used as a lower protocol thereof, FTP, and the like can be controlled so as to widely support a communication environment of a network connection device via a LAN. Methods.

  Hereinafter, as a more specific example of the remote management system shown in FIG. 1, an image processing apparatus remote management system using an image processing apparatus as a managed apparatus will be described. This remote management system includes an embodiment of the software updating system according to the present invention, in which the image processing apparatus is an apparatus to be updated. FIG. 5 is a conceptual diagram showing an example of the configuration of the image processing apparatus remote management system. The managed apparatus 10 is connected to the image processing apparatus 100, and the managed apparatus 11 with the intermediary function is connected to the image processing apparatus 110 with the intermediary function. The only difference is that it differs from FIG. 1, and a description of the overall configuration of the system will be omitted. It should be noted that the software update system can be constituted only by the mediation apparatus 101 which is the embodiment of the software update apparatus of the present invention and the image processing apparatus 100 which is the apparatus to be updated. Elements are not required.

  The image processing apparatus 100 is a digital multifunction peripheral having functions such as copying, facsimile, and scanner, and a function of communicating with an external device. The image processing apparatus 100 includes an application program for providing a service related to the function. Is what it is. Further, the image processing apparatus with an intermediary function 110 is obtained by adding the function of the intermediary apparatus 101 to the image processing apparatus 100.

The physical configuration of such an image processing apparatus 100 will be described with reference to FIG.
FIG. 6 is a block diagram illustrating an example of a physical configuration in the image processing apparatus 100. As shown in FIG. 1, the image processing apparatus 100 includes a controller board 200, an HDD (hard disk drive) 201, an NV-RAM (non-volatile RAM) 202, a PI (personal interface) board 203, a PHY 204, an operation panel 205, a plotter / A scanner engine board 206, a power supply unit 207, a finisher 208, an ADF (automatic document feeder) 209, a paper feed bank 210, and other peripheral devices 211 are provided.

  Here, the controller board 200 corresponds to a control unit, includes a CPU, a ROM, a RAM, and the like, and controls each function via a PCI-BUS (Peripheral Components Interconnect-Bus) 212. The HDD 201 corresponds to a storage unit. The NV-RAM 202 corresponds to a storage unit, and is a nonvolatile memory such as a flash memory.

Further, the PI board 203 and the PHY 204 correspond to communication means and perform communication with the outside, and correspond to, for example, a communication board. The PI board 203 has an interface conforming to the RS485 standard, and is connected to a public line via a line adapter. The PHY 204 is an interface for communicating with an external device via a LAN, and is based on IEEE (Institute of Electrical and Electronic Engineers) 802.11b standard (compatible with wireless LAN), IEEE 1394 standard, IEEE 802.3 standard (Ethernet (registered trademark) (2) Interfaces conforming to (2) are provided, and a plurality of communication means are provided.
The operation panel 205 is a user interface corresponding to an operation unit and a display unit.

  Here, ENGRDY is a signal line for notifying the controller board 200 that various initial settings on the engine side have been completed and preparation for transmission and reception of commands with the controller board 200 has been completed. PWRCTL is a signal line for controlling power supply to the engine from the controller board 200 side. The operation of these signal lines will be described later.

Next, a software configuration of the image processing apparatus 100 will be described with reference to FIG.
FIG. 7 is a block diagram illustrating an example of a software configuration of the image processing apparatus 100. The software configuration of the image processing apparatus 100 includes an uppermost application module (app) layer and a lower service module layer. The programs constituting these software programs are stored in the HDD 201 or the RAM on the controller board 200, read out as necessary, and executed by the CPU on the controller board 200. Then, the CPU executes these programs as necessary to realize the respective functions (functions as storage means, authentication means, update means, and other means).

In particular, the software in the application module layer is configured by a program for causing the CPU to function as a plurality of application control means for realizing predetermined functions by operating hardware resources, and the software in the service module layer includes the CPU in the hardware. Service control interposed between a hardware resource and each application control means for receiving operation requests for hardware resources from a plurality of application control means, arbitrating the operation requests, and controlling execution of operations based on the operation requests It is constituted by a program for functioning as a means.
The OS 320 is an operating system such as UNIX (registered trademark), and executes each program of the service module layer and the application module layer in parallel as a process.

  The service module layer includes an operation control service (OCS) 300, an engine control service (ECS) 301, a memory control service (MCS) 302, a network control service (NCS) 303, a fax control service (FCS) 304, and a customer support system (CSS). ) 305, system control service (SCS) 306, system resource manager (SRM) 307, image memory handler (IMH) 308, delivery control service (DCS) 316, user control service (UCS) 317, data encryption security service (DESS) ) 318, and a certificate cut control service (CCS) 319. Further, a copy application 309, a fax application 310, a printer application 311, a scanner application 312, a net file application 313, a web application 314, and an NRS (new remote service) application 315 are mounted on the application module layer.

These will be described in more detail.
The OCS 300 is a module that controls the operation panel 205.
The ECS 301 is a module that controls an engine such as a hardware resource.
The MCS 302 is a module that performs memory control, and performs, for example, acquisition and release of an image memory, use of the HDD 201, and the like.
The NCS 303 is a module that performs mediation processing between the network and each application program in the application module layer.
The FCS 304 is a module that performs facsimile transmission / reception, facsimile reading, facsimile reception printing, and the like.

The CSS 305 is a module that converts data when transmitting and receiving data via a public line, and is a module in which functions related to remote management via a public line are collected.
The SCS 306 is a module that performs start management and end management of each application program in the application module layer according to the content of the command.
The SRM 307 is a module that controls a system and manages resources.
The IMH 308 is a module for managing a memory for temporarily storing image data.

The DCS 316 is a module that transmits and receives image files and the like stored in the memory on the HDD 201 and the controller board 200 using Simple Mail Transfer Protocol (SMTP) or File Transfer Protocol (FTP).
The UCS 317 is a module that manages user information such as destination information and address information registered by the user.
The DESS 318 is a module that authenticates each unit or an external device using PKI or SSL and encrypts communication.
The CCS 319 is a module that performs an authentication process on the authentication information input to the image processing apparatus 100.

The copy application 309 is an application program for implementing a copy service.
The fax application 310 is an application program for implementing a fax service.
The printer application 311 is an application program for implementing a printer service.

The scanner application 312 is an application program for implementing a scanner service.
The net file application 313 is an application program for implementing a net file service.
The web application 314 is an application program for implementing a web service.
The NRS application 315 is an application program for realizing functions related to data conversion when transmitting / receiving data via a network and remote management via the network (including functions relating to communication with the management apparatus 102). . Then, it also has a function of converting data received via a network from an external device into a data structure suitable for processing in each application.
For convenience of explanation, in the following description, processes executed by the CPU operating according to the above-described programs will be described assuming that those programs execute the processes.

Here, the operation of the above-mentioned ENGRDY signal and PWRCTL signal will be described with reference to FIG.
FIG. 8A shows an example of the operation of the ENGRDY signal and the PWRCTL signal when the device starts up. When the AC power of the AC-POWER is turned on, the power supply is started, and at the same time, the ENGDY signal becomes High. In this state, communication with the engine cannot be performed. This is because the initial setting of the engine has not been completed. Then, after a certain period of time, the initialization on the engine side is completed, and communication with the engine side becomes possible when the ENGRDY signal becomes low.

  Next, FIG. 6B shows an example of the operation of the ENGDY signal and the PWRCTL signal when the mode shifts to the energy saving mode. In order to shift to the energy saving mode, the PWRCTL signal is turned off by the controller board 200. At the same time, the power supply falls. Along with this, the ENGRDY signal becomes High and shifts to the energy saving mode. Next, the case of returning from the energy saving mode is shown in FIG.

  FIG. 9C shows an example of the operation of the ENGDY signal and the PWRCTL signal when returning from the energy saving mode. When returning from the energy saving mode (B), the PWRCTL signal is turned ON by the controller board 200. At the same time, power is supplied. However, as shown in (A) above, the ENGRDY signal is in a High state until the initialization on the engine side is completed. When the initialization is completed, communication with the engine side becomes possible, and the signal becomes Low.

Next, the internal configuration of the NRS application 315 included in the software configuration of the image processing apparatus 100 described above will be further described with reference to FIG.
FIG. 9 is a functional block diagram illustrating an example of the configuration of the NRS application. As shown in the drawing, the NRS application 315 performs processing between the application module layer and the NCS 303. The web server function unit 500 performs a response process for a request received from the outside. The request here may be, for example, a SOAP request according to a Simple Object Access Protocol (SOAP) described in an XML (Extensible Markup Language) format which is a structured language. The web client function unit 501 performs a process of issuing an external request. libxml 502 is a library for processing data described in the XML format, and libsoap 503 is a library for processing SOAP. Also, libgwww 504 is a library that processes HTTP, and libgw_ncs 505 is a library that performs processing with the NCS 303.

The above SOAP request is received by the PHY 204, and a SOAP document including a SOAP header and a SOAP body is passed to the NRS application 315 via the NCS 303 in the form of an HTTP message. Then, in the NRS application 315, the SOAP body is extracted from the SOAP document using the libsoap 503, and the SOAP body is interpreted using the libxml 502 to generate a DOM (Document Object Model) tree. After converting the data structure into a data structure suitable for the processing in, the data is passed to the application corresponding to the command included in the SOAP body.
The data structure is, for example, C language structure data when the application program is described in C language, and the data is passed to the application by calling the application program using the structure data as an argument. be able to.

Based on the above-described configuration, an example of a communication sequence at the time of data transmission / reception performed in the image processing apparatus remote management system in FIG. 5 will be described with reference to FIG. FIG. 10 is a diagram illustrating an example of a communication sequence at the time of data transmission and reception performed between the management device, the mediation device, and the image processing device.
In this example, first, the mediation apparatus 101 performs polling (inquiry as to whether there is a transmission request) to the management apparatus 102 (S601). That is, a polling SOAP document to which an identifier as its own identification information is added is generated and transmitted to the management apparatus 102 as an HTTP message. As shown in FIG. 5, since the firewall 104 is provided between the mediation device 101 and the management device 102, a communication session is established from the management device 102 to the mediation device 101 (communication is requested and the communication path is Therefore, even if it is desired to transmit a request from the management apparatus 102 to the relay apparatus 101 (or the image processing apparatus 100 via the relay apparatus 101), it is necessary to wait for polling from the relay apparatus 101 as described above. There is.

  Upon receiving the HTTP message from the mediation device 101, the management device 102 generates a SOAP document indicating a charging counter acquisition request, and sends the corresponding mediation device 101 (the source of the received SOAP message) an HTTP message of a response to polling. (S602). At this time, the corresponding mediation device 101 is recognized based on the identifier added to the SOAP document in the received HTTP message. As described above, if a response (HTTP response) to a communication (HTTP request) from inside the firewall 104, data can be transmitted from outside the firewall to the inside.

Upon receiving the HTTP message from the management device 102, the mediation device 101 generates a SOAP document indicating a request to acquire a charging counter based on the HTTP message, and also generates an NRS of the image processing device 100 connected to itself as the HTTP message. The data is transmitted to the application 315 (S603).
The NRS application 315 notifies the SCS 306 of a charging counter acquisition request described in a SOAP document received as an HTTP message from the mediation device 101 (S604).
Upon receiving the notification of the charging counter acquisition request from the NRS application 315, the SCS 306 reads the charging counter data stored in the NV-RAM 202 (S605). Then, the read data (response data) of the charging counter is transferred to the NRS application 315 (S606).

Upon receiving (acquiring) the data of the charging counter from the SCS 306, the NRS application 315 generates a SOAP document for the charging counter indicating the content thereof, and transmits it to the intermediary device 101 as an HTTP message (S607).
Upon receiving the SOAP document for the charging counter from the NRS application 315, the mediation device 101 transmits the SOAP document to the management device 102 as an HTTP message (S608).
Thus, data transmission and reception are performed by the communication sequence.

Next, unlike FIG. 10, an example of a communication sequence when data is transmitted from the image processing apparatus 100 to the management apparatus 102 via the mediation apparatus 101 will be described with reference to FIG.
FIG. 11 is a diagram illustrating an example of a communication sequence when data is transmitted from the image processing apparatus to the management apparatus 102.
In this example, first, the OCS 300 notifies the SCS 306 that the user call key has been pressed (S701).
Upon receiving the notification from the OCS 300 that the user call key has been pressed, the SCS 306 notifies the NRS application 315 of a user call request (S702).

Upon receiving the notification of the user call request from the SCS 306, the NRS application 315 generates a user call SOAP document, which is user call information for notifying the user call, and transmits it to the intermediary device 101 as an HTTP message (S703).
Upon receiving the SOAP document for the user call from the NRS application 315, the mediation device 101 adds an identifier, which is its own identification information, to the SOAP document, and transmits the SOAP document as an HTTP message to the management device 102 as well. Make a user call. That is, the management apparatus 102 notifies the management apparatus 102 of a user call SOAP document to which its own identifier has been added (S704). In this case, since the transmission is performed from the inside to the outside of the firewall 104, the mediation apparatus 101 can transmit data by itself establishing a session to the management apparatus 102.
Here, the pattern after the processing in step S704 will be described separately from the following (A) to (C).

First, in (A), the management apparatus 102 receives a SOAP document for a user call as an HTTP message from the intermediary apparatus 101 of the user, and if the reception is normally completed, a message to that effect (the user call is successful) If the call result did not end normally (abnormally ended), a SOAP document indicating the call result indicating that (the user call failed) is generated and reported as a response by an HTTP message. The data is transmitted to the original mediation device 101 (S705).
Upon receiving the SOAP document indicating the call result from the management apparatus 102, the mediation apparatus 101 transmits the SOAP document as an HTTP message to the NRS application 315 of the image processing apparatus 100 whose user call key has been pressed (S706).

Upon receiving the SOAP document indicating the call result from the mediation device 101, the NRS application 315 interprets (determines) the call result indicated by the SOAP document and notifies the SCS 306 of the result (S707).
When the SCS 306 receives the call result, it hands it over to the OCS 300.
Upon receiving the call result from the SCS 306, the OCS 300 displays the content, that is, a message indicating whether the user call was successful or unsuccessful, on a character display on the operation panel 205 (S708).

Next, in (B), if the mediation apparatus 101 determines that there is no response from the management apparatus 102 even after a lapse of a specified time (predetermined predetermined time), the mediation apparatus 101 returns a call result indicating that the user call has failed. The generated SOAP document is transmitted to the NRS application 315 as an HTTP message (S709).
Upon receiving the SOAP document indicating the call result indicating failure, the NRS application 315 interprets the call result indicating failure described in the SOAP document and notifies the SCS 306 (S710).
When the SCS 306 receives the call result from the NRS application 315, it delivers it to the OCS 300.
Upon receiving the call result from the SCS 306, the OCS 300 displays the content thereof, that is, a message indicating that the user call failed, on a character display on the operation panel 205 (S711).

Next, in (C), if the NRS application 315 determines that there is no response from the mediation apparatus 101 even after the specified time has elapsed, it notifies the SCS 306 of a call result indicating that the user call has failed (S712).
When the SCS 306 receives the call result from the NRS application 315, it delivers it to the OCS 300.
Upon receiving the call result from the SCS 306, the OCS 300 displays the content thereof, that is, a message indicating that the user call failed, on a character display on the operation panel 205 (S713).

  Here, in order to transmit data from the management apparatus 102 to the relay apparatus 101 (or the image processing apparatus 100 via the relay apparatus 101) via the firewall 104, the data is transmitted in the form of a response to an HTTP request from the relay apparatus 101. However, the means that goes through the firewall 104 is not limited to this. For example, using the SMTP (Simple Mail Transfer Protocol), the management apparatus 102 sends a mail describing or attached data to be transmitted from the management apparatus 102. Transmission to the mediation device 101 is also conceivable. However, HTTP is excellent in terms of reliability.

Here, a reference example of a firmware update process of the image processing apparatus 100 executed in the image processing apparatus remote management system shown in FIG. 5 having such basic functions will be described.
As means for improving the security of the processing shown in FIG. 26 in the section of the background art, in addition to encrypting the communication, a password list as shown in FIG. 12 may be used. This is a process that uses a list. The device corresponding to the firmware update device 91 is the mediation device 101, and the device corresponding to the device to be updated 92 is the image processing device 100.
The password list used here is one in which a number of passwords corresponding to the IDs set in the mediation device 101 are generated and ordered. Such a password list is stored in a memory card or the like, and sent to an administrator of the mediation apparatus 101 and the image processing apparatus 100 via a secure route other than a network such as registered mail. To memorize it. Then, when requesting authentication from the intermediary device 101 to the image processing device 100, the first one of the unused passwords is selected and used, and the used password is used and the authentication is requested next. In such a case, the following password is used.

The processing corresponding to FIG. 26 when such a password list is used is, for example, as shown in the sequence diagram of FIG.
Also in the processing shown in FIG. 13, the mediation apparatus 101 and the image processing apparatus 100 communicate using FTP (File Transfer Protocol).
Also in this processing, when a predetermined event occurs, the mediation apparatus 101 transmits an ID and a password to the image processing apparatus 100 and requests connection by FTP. Is determined (S41). Here, it is assumed that no password has been used yet, and the leading password A is selected.

Then, the mediation apparatus 101 acquires the version information of the firmware of the image processing apparatus 100 by performing the version information acquisition processing in the same manner as in steps S11 to S13 of FIG. 26 (S42 to S44). Is the password A selected in step S11. Then, since the image processing apparatus 100 also stores the same password list, the authentication processing can be performed by referring to this and comparing it with the first password A.
When the version information acquisition processing is completed, the mediation apparatus 101 starts password update processing, and transmits a password update request to the image processing apparatus 100 using HTTP (Hyper Text Transfer Protocol) (S45). Then, in accordance with this request, the image processing apparatus 100 sets the used password (password A) in the password list to used (S46), and if this is successful, returns an update OK notification (S47).

  Upon receiving this notification, the mediation apparatus 101 sets the used password to “used” in the same manner as the image processing apparatus 100 (S48). The above is the password update processing. By this processing, both the mediation apparatus 101 and the image processing apparatus 100 determine that the password once transferred by FTP has been used, and replace the next secure password (password B) which has not been used yet. Can be set to use. However, when the firmware transmission process is subsequently performed, the password used in the version information acquisition process is used as it is until the firmware transmission process ends.

  Next, the mediation apparatus 101 determines whether or not update is necessary based on the version information of the firmware acquired in step S43. Here, if it is determined that the update is unnecessary, the process is terminated, and if necessary, the version information acquisition process is performed. However, if it is determined that the update is necessary (S49), the next firmware transmission process is executed (S50 to S53). This processing is almost the same as the firmware transmission processing shown in FIG. 26, except that the password used for the authentication processing is the password A included in the password list.

Through the above processing, the firmware of the image processing apparatus 100 can be updated when necessary. When the version information acquisition processing and the firmware transmission processing are performed again, the password to be used is determined again with reference to the password list (S54). Here, since the password A has been used, the following is performed. The password B will be selected.
Then, in steps S55 to S57, version information acquisition processing is performed as in steps S42 to S44, but the password used for authentication is password B here.
Hereinafter, similarly, the password is sequentially changed to the passwords C, D,... And the process is repeated.

If a password list is used in this way, the password once transferred using FTP will not be used after the firmware update process, and the authentication process will always be performed using a password kept secret. Therefore, unauthorized access such as spoofing can be prevented, and security can be improved.
However, since the password list used in this reference example includes a large number of passwords, the data amount increases, and preparing an area for storing the data leads to an increase in memory cost. Also, since the password is stored in the device, there is no denying that a third party who has accessed the device may steal the password for the entire list. In addition, there is also a problem that the password list is first sent by mail or the like, and it is necessary for the administrator to manually store the password list. Further, when an error occurs in the processing and the password No. used between the devices is changed. However, if a situation different from the above occurs, there is a problem that the authentication process cannot be performed normally. In addition, since the number of passwords included in the password list is finite, after all the passwords have been used, distribute the new list again and store it, or reuse the used password with a certain danger There was also a problem that it was necessary to do.

Incidentally, in the image processing apparatus remote management system shown in FIG. 5, communication between the mediation apparatus 101 and the image processing apparatus 100 can be performed after performing authentication using SSL as necessary. . Therefore, next, a communication procedure in the case of performing the authentication will be described focusing on an authentication process. This authentication can be considered as mutual authentication in which each other authenticates each other and one-way authentication in which one authenticates the other. First, the case of mutual authentication will be described.
FIG. 14 is a diagram illustrating a flowchart of a process executed by each device when the mediation device 101 and the image processing device 100 perform mutual authentication by SSL, together with information used for the process.

  As shown in FIG. 14, when performing mutual authentication by SSL, it is necessary to store the root key certificate, the private key A, and the public key certificate A in the intermediary device 101 first. The private key A is a private key issued to the intermediary device 101 by a certificate authority (CA). The public key certificate A is a digital certificate in which the CA attaches a digital signature to the public key corresponding to the private key. The root key certificate is a digital certificate obtained by adding a digital signature to a root key, which is a key for confirming the validity of the digital signature given by the CA. The public key is a key body for decrypting a document encrypted using the corresponding private key, and bibliographic information including information such as the issuer (CA), issuer, and expiration date of the public key. And is constituted by

  Further, the image processing apparatus 100 needs to store a root key certificate, a private key B, and a public key certificate B. The private key B and the public key certificate B are a private key and a public key certificate issued to the image processing apparatus 100 by the CA. Here, it is assumed that the same CA issues a certificate to the mediation apparatus 101 and the image processing apparatus 100 using the same root private key. In this case, the root key certificate is transmitted to the mediation apparatus 101 and the image processing apparatus 100. Is common.

  The description of the flowchart will be started. In FIG. 14, the arrow between the two flowcharts indicates the data transfer, the transmitting side performs the transfer process at the step at the base of the arrow, and the receiving side receives the information and performs the processing at the step at the tip of the arrow. Shall be performed. If the processing of each step is not completed normally, a response indicating that the authentication has failed is returned at that point and the processing is interrupted. The same applies to the case where an authentication failure response is received from the other party, the case where the processing times out, and the like. In addition, each process is realized by the CPU of each of the mediation device 101 and the image processing device 100 performing a process according to a required control program.

When requesting the image processing apparatus 100 to connect, the mediation apparatus 101 starts the processing of the flowchart illustrated on the left side of FIG. Then, in step S21, a connection request is transmitted to the image processing apparatus 100.
On the other hand, when receiving the connection request, the image processing apparatus 100 starts the processing of the flowchart shown on the right side of FIG. Then, in step S31, a first random number is generated, and this is encrypted using the private key B. Then, in step S32, the encrypted first random number and the public key certificate B are transmitted to the intermediary device 101.

Upon receiving this, the mediation apparatus 101 confirms the validity of the public key certificate B using the root key certificate in step S22. This includes a process of referring to the bibliographic information included in the public key to confirm that the image processing apparatus 100 is an appropriate communication partner.
If the confirmation is successful, in step S23, the first random number is decrypted using the public key B included in the received public key certificate B. Here, if the decryption succeeds, it can be confirmed that the first random number is certainly received from the image processing apparatus 100 to which the public key certificate B is issued. Then, the image processing apparatus 100 is authenticated as a valid communication partner.

  Thereafter, in step S24, a second random number and a third random number are generated separately. Then, in step S25, the second random number is encrypted using the private key A, the third random number is encrypted using the public key B, and these are transmitted to the image processing apparatus 100 together with the public key certificate A in step S26. I do. The encryption of the third random number is performed so that the random number is not known to devices other than the image processing device 100.

  Upon receiving this, the image processing apparatus 100 checks the validity of the public key certificate A using the root key certificate in step S33. As in the case of step S22, this also includes a process of confirming that the mediation device 101 is an appropriate communication partner. If the confirmation is successful, in step S34, the second random number is decrypted using the public key A included in the received public key certificate A. Here, if the decryption is successful, it can be confirmed that the second random number is certainly received from the intermediary device 101 to which the public key certificate A is issued. Then, the image processing apparatus 100 is authenticated as a valid communication partner.

  After that, the third random number is decrypted using the private key B in step S35. By the processing up to this point, the first to third random numbers common to the server side and the client side are shared. Then, at least the third random number is not known by the devices other than the generated mediation device 101 and the image processing device 100 having the private key B. If the processing up to this point is successful, a response indicating successful authentication is returned to the mediation apparatus 101 in step S36.

  Upon receiving this, the mediation apparatus 101 generates a common key from the first to third random numbers in step S27, and ends the authentication processing as being used for encryption of subsequent communication. The image processing apparatus 100 also performs the same processing in step S37 and ends. Communication is established with each other by the above processing, and thereafter, communication is performed by encrypting data by a common key encryption method using the common key generated in step S27 or S37.

  If such mutual authentication by SSL is performed at the time of communication, the mediation apparatus 101 and the image processing apparatus 100 can securely exchange a common key after authenticating each other, and secure communication with a reliable partner. Can be done. In the following description, when any of these devices makes an SSL connection request to a communication partner, a mutual authentication process as shown in FIG. 14 is performed in response to the request, and if the authentication is successful. Establish communication. However, FIG. 14 shows a process when the mediation device 101 requests the connection to the image processing device 100. Therefore, when the image processing device 100 requests the connection to the mediation device 101, the image processing device 100 14 performs processing corresponding to the mediation apparatus 101 in FIG. 14, and the mediation apparatus 101 performs processing corresponding to the image processing apparatus 100 in FIG. 14.

Note that if one-way authentication is adopted and, for example, the image processing apparatus 100 only needs to authenticate the mediation apparatus 101, the encryption of the first and third random numbers is omitted in the authentication processing shown in FIG. be able to. In this case, the image processing apparatus 100 only needs to store only the root key certificate. The authentication process can be simplified as shown in FIG. That is, the processing of steps S22 and S23 on the mediation apparatus 101 side is unnecessary, and the processing of step S35 on the image processing apparatus 100 side is also unnecessary.
Conversely, when the mediation device 101 authenticates the image processing device 100, the encryption of the second random number can be omitted. In this case, only the root key certificate needs to be stored in the mediation apparatus 101 side. The authentication process can be simplified as shown in FIG. That is, the processing of steps S23 and S24 on the mediation apparatus 101 side becomes unnecessary.

Next, a firmware update process of the image processing apparatus 100, which is an operation related to the feature of this embodiment in the image processing apparatus remote management system shown in FIG. 5, and a configuration necessary for the operation will be described. This process is a process shown in the sequence diagram of FIG. 17, and is a process according to the software updating method of the present invention. Each CPU of the management device 102, the mediation device 101, and the image processing device 100 executes This is done by executing. Note that the mediation device 101 functions as the software update device of the present invention, and the image processing device 100 is the device to be updated. These devices implement the software update system of the present invention, and the management device 102 corresponds to an external device that issues a firmware update request to the software update system.
It is assumed that the update firmware is stored in advance in the intermediary device 101 prior to performing the processing shown in FIG. This storage may be performed by transferring from the management device 102 or another device, or by reading the data recorded on the recording medium into the mediation device 101. Other suitable methods may be employed.

In the image processing apparatus remote management system shown in FIG. 5, the management apparatus 102 sends a request A firmware update request is transmitted (S101). Although illustration is omitted, this transmission can be performed as a response to the polling from the mediation apparatus 101 as described with reference to FIG.
Upon receiving this request, the mediation apparatus 101 starts processing related to firmware update of the image processing apparatus 100, but first performs one-time password sharing processing (S102).

  In this process, first, in step S102, the intermediary device 101 generates a one-time password using random numbers or the like as update authentication information to be used for authentication processing at the time of firmware update, and stores this. Then, an SSL connection request is made to the image processing apparatus 100 (S103). When this connection is established, a one-time password is transmitted to the image processing apparatus 100, and a request is made to store the one-time password (S104). This request can be made as an RPC by SOAP.

  The image processing apparatus 100 stores the one-time password received in response to the request in the storage unit (S105), and uses the one-time password as a password corresponding to the ID of the mediation apparatus 101 in the authentication processing at the time of the FTP connection. . Since the authentication has been completed at the time of the SSL connection request, the one-time password is not used for the authentication processing here. Although illustration is omitted, after the storage is completed, the image processing apparatus 100 returns a response to that effect to the relay apparatus 101, and upon receiving this response, the relay apparatus 101 disconnects the SSL connection (S106). The communication in steps S103 to S106 is performed using HTTPS.

  The above process is a one-time password sharing process. In this process, the CPU 52 of the mediation device 101 functions as an authentication information setting unit. By this processing, the mediation apparatus 101 and the image processing apparatus 100 can safely share the one-time password using the encrypted communication path. The SSL communication path used here is the first communication path. The “communication path” is determined by a protocol (communication method) used for communication rather than a physical transmission path. Therefore, even if the physical transmission path is the same, if the communication protocol is different, the “communication path” will be different, and conversely, the physical transmission path will change according to the situation like communication via the Internet Even if the communication is performed, the “communication path” is specified if the communication device and the protocol used for the communication are determined.

When the one-time password sharing process ends, the mediation device 101 next performs a version information acquisition process.
This processing is substantially the same as steps S11 to S13 of the processing shown in FIG. 26 in the section of the conventional technology, but when the mediation apparatus 101 requests the FTP connection in step S107, the image processing apparatus 100 The password to be transmitted is the same one-time password as that transmitted in step S104. Then, the image processing apparatus 100 performs an authentication process using the one-time password stored in step S105. If they match, a connection is established as authentication success (S107). If they do not match, a connection is not established, an error occurs, and the process ends. In this process, the CPU 52 of the mediation apparatus 101 functions as an authentication request unit, and the CPU of the image processing apparatus 100 functions as an authentication unit.

When the connection is established, the image processing apparatus 100 transmits firmware version information in response to a request from the mediation apparatus 101 (S108). The mediation apparatus 101 acquires this version information, and then disconnects from the image processing apparatus 100 (S109). The above is the version information acquisition processing.
The processing in the next step S110 and the subsequent firmware transmission processing are almost the same as steps S14 to S18 in the processing shown in FIG. 26 except that a one-time password is used.

That is, the mediation apparatus 101 determines whether update is necessary based on the version information of the firmware acquired in step S108, and if it determines that update is necessary (S110), executes the next firmware transmission process. When it is determined that the update is unnecessary, the management apparatus 102 may be notified of the fact as a response to the firmware update request.
In the firmware transmission process, the mediation device 101 first transmits the ID and the one-time password to the image processing device 100 in the same manner as in step S107, and the image processing device 100 performs the authentication process. Is established (S111). Then, the mediation apparatus 101 transmits the update firmware to the image processing apparatus 100 (S112). In this process, the CPU 52 of the mediation device 101 functions as a transmission unit.

Upon receiving this, the image processing apparatus 100 updates its own firmware to the received update firmware (S113). In this processing, the CPU of the image processing apparatus 100 functions as an updating unit. Then, when the update is completed, it resets itself, restarts, and activates the new firmware (S114). Further, the FTP connection is disconnected by resetting the image processing apparatus 100. The above is the firmware transmission process.
The FTP communication path used here is the second communication path. In the case of FTP, since the communication contents are not encrypted, the processing load is much smaller than that of the first communication path using SSL.

  When the restart is completed, the image processing apparatus 100 may transmit a power-on notification to the mediation apparatus 101 as a start notification indicating that the image processing apparatus 100 has started (S115). By doing so, the mediation apparatus 101 can know that the firmware update has been completed in the image processing apparatus 100, so that it is possible to determine at an appropriate timing whether or not the update was successful. The power-on notification can be described as a SOAP document and transmitted using HTTP.

Upon receiving this power-on notification, the mediation apparatus 101 performs version information acquisition processing in the same manner as in steps S107 to S109, establishes communication with the image processing apparatus 100 by FTP, and The firmware version information is acquired from (S116 to S118). If the version information matches that of the update firmware transmitted in step S112, it is determined that the firmware update has been successful (S119), and the next one-time password erasing process is performed. If they do not match, it is determined that the update has failed, and the firmware transmission processing is performed again, or the management apparatus 102 is notified as a response to the firmware update request that the update has failed.
In addition, even when it is determined that the update has failed, it was confirmed that communication using the SSL (communication on a route that can securely transmit the one-time password) with the image processing apparatus 100 was possible. In such a case, a one-time password erasing process may be performed.

In the next one-time password erasing process, the mediation device 101 issues an SSL connection request to the image processing device 100 as in the one-time password sharing process (S120). Then, when this connection is established, an erasure password is transmitted to the image processing apparatus 100, and a request is made to store the password (S121). This request is a so-called one-time password invalidation request. In this process, the CPU 52 of the mediation apparatus 101 functions as an authentication information invalidating unit. The erasing password may be a random password created for each transmission or a fixed password. What is necessary is just to use the password which is not transmitted by FTP and is not transmitted by FTP after that. When making this request, the one-time password stored by itself may be deleted.
The one-time password invalidation request only needs to be a request to erase the stored one-time password, but if the password storage (overwrite) request is used as described above, the one-time password The process can be shared with the case of sharing a password, so that the program can be made more compact and the development efficiency can be improved.

In response to this request, the image processing apparatus 100 overwrites the one-time password with the received erasing password (S122), and thereafter does not use the one-time password stored in step S105 for the authentication process at the time of the FTP connection. . Since the authentication has been completed at the time of the SSL connection request, the erasing password is not used for the authentication processing here. After this storage is completed, the mediation apparatus 101 disconnects the SSL connection (S123).
The above processing is the one-time password erasing processing, and the one-time password stored in the image processing apparatus 100 can be invalidated by this processing.
When the one-time password erasing process ends, the mediation apparatus 101 notifies the management apparatus 102 that the update has been successful as a response to the firmware update request (S124).
By performing the above processing, the firmware of the device to be updated that can be communicated via the network can be updated by the software updating device.

FIGS. 18 to 20 show flowcharts of this processing. The description of the above processing will be supplemented with reference to these drawings. In these figures, the arrow between the two flowcharts indicates the transfer of data, the transmitting side performs the transfer process at the step at the base of the arrow, and the receiving side executes the processing at the step at the tip of the arrow when receiving the information. Assumed to be performed.
Upon receiving the firmware update request from the management device 102, the mediation device 101 starts the processing of the flowchart illustrated on the left side of FIG. Then, a one-time password is generated and stored in step S201, and a connection request is made to the image processing apparatus 100 by SSL in step S202.

Upon receiving this request, the image processing apparatus 100 starts the processing of the flowchart shown on the right side of FIG. Then, in step S301, a connection process is performed with the mediation apparatus 101 by SSL. The processing performed in step S202 on the mediation apparatus 101 side and in step S301 on the image processing apparatus 100 side is the mutual authentication processing shown in FIG.
If the authentication succeeds, the image processing apparatus 100 returns a response indicating that the authentication has succeeded as in step S36 in FIG. Then, the mediation apparatus 101 transmits the one-time password generated in step S201 to the image processing apparatus 100 in step S203, and requests that the one-time password be stored. Upon receiving this, the image processing apparatus 100 stores it in step S302 and returns a storage completion response. Upon receiving this response, the mediation apparatus 101 sends a disconnection request to the image processing apparatus 100 in step S204 to disconnect the SSL connection. The mediation device 101 that has received this request also disconnects the connection in step S303. The processing so far is the one-time password sharing processing.

Next, the mediation apparatus 101 issues an FTP connection request to the image processing apparatus 100 in step S205. Then, the image processing apparatus 100 requests an ID and a password for authentication in step S304, and accordingly, the mediation apparatus 101 transmits the ID and the one-time password generated in step S201 in step S206.
The image processing apparatus 100 performs an authentication process using the ID and the password. If the ID and the password match, the image processing apparatus 100 returns a response indicating that the authentication is successful. Then, the mediation apparatus 101 that has received this transmits a version information acquisition request to the image processing apparatus 100 in step S207 to obtain the version information of the firmware. In response to this, the image processing apparatus 100 transmits the version information to the mediation apparatus 101 in step S306, and upon acquiring this, the mediation apparatus 101 disconnects the FTP connection in step S208. The processing up to this point is the version information acquisition processing.
If the authentication fails in step S305, the process proceeds to step S307 to perform an error process. The process includes notifying the mediation device 101 of the authentication failure and shifting to a state of waiting for a connection request again. Conceivable.
Although not shown, the same processing may be performed when mutual authentication by SSL fails in step S301 or the like.

On the other hand, the mediation apparatus 101 proceeds to step S209 after step S208, and determines whether it is necessary to update the firmware of the image processing apparatus 100 based on whether the version information acquired in step S207 is the latest version. Judge. If it is necessary to update the firmware, the process proceeds to step S210 to perform a firmware transmission process.
In this case, the mediation apparatus 101 performs processing similar to steps S205 and S206 in step S210, and the image processing apparatus 100 performs processing similar to steps S304 and S305 in step S308 to establish an FTP connection. The password used here is also the same one-time password as in step S206.

  When the connection is established, the mediation apparatus 101 transmits the update firmware to the image processing apparatus 100 in step S211. When the image processing apparatus 100 receives this in step S309, in step S310 the own apparatus firmware is set as the update firmware. Update. At this time, if another job is being executed or is reserved, the job may wait without being updated until the job is completed. When the firmware update is completed, the image processing apparatus 100 resets itself in step S311 and restarts to activate the new firmware. Further, the FTP connection is disconnected by resetting the image processing apparatus 100. The above is the firmware transmission process.

  Subsequently, when the restart of the image processing apparatus 100 is completed, the image processing apparatus 100 transmits a power-on notification indicating that the image processing apparatus 100 has been started to the mediation apparatus 101. Then, in response to this, the mediation apparatus 101 requests the image processing apparatus 100 to perform FTP communication in step S212, and performs the same processing as steps S205 to S208 until step S214. Get version information of. In steps S313 and S314, the image processing apparatus also performs the same processing as in steps S304 to S307 and transmits the firmware version information.

  Then, in step S215, the mediation apparatus 101 compares the version information acquired in step S213 with the version information of the update firmware transmitted in step S211. If they match, it determines that the update has succeeded, and determines in step S217 in FIG. Proceed to. If they do not match, it is determined that the update has failed, and the process advances to step S216 to perform error processing. As this error processing, the firmware transmission processing from S210 is performed again to try to update the firmware of the image processing apparatus 100, or the update to the management apparatus 102, which is the transmission source of the firmware update request, indicates that the update has failed. Or return a response. In the latter case, the process is terminated, and a new firmware update request is waited.

If the determination in step S215 is YES and the process proceeds to step S217 in FIG. 20, the one-time password invalidation process starts, and the mediation device 101 connects the image processing device 100 to the image processing device 100 using SSL as in step S202. Is performed, and mutual authentication is performed in addition to the processing of step S315 on the image processing apparatus 100 side. When the image processing apparatus 100 returns a response indicating that authentication has been successful, the mediation apparatus 101 transmits an erasure password to the image processing apparatus 100 in step S218, and requests that the password be stored. Upon receiving this, the image processing apparatus 100 overwrites the one-time password stored in step S316 with the erasing password, and returns a storage completion response. Upon receiving this response, the mediation apparatus 101 sends a disconnection request to the image processing apparatus 100 in step S219 to disconnect the SSL connection. The mediation apparatus 101 that has received this request also disconnects the connection in step S317. The processing so far is the one-time password invalidation processing.
In this process, as long as the stored one-time password can be erased, it is not always necessary to overwrite the password, as described above.

  This process is similar to the one-time password sharing process, except that the erasing password does not always need to be generated every time. However, if the image processing apparatus 100 changes the password used for the FTP authentication processing to another password by such processing, the original one-time password that has a risk of leakage can be invalidated, and impersonation by a third party can be performed. Can be prevented. Further, if the erasing password is not transferred by FTP but is transferred by a secure communication path using, for example, SSL, the password is not leaked.

After the one-time password invalidation processing, the mediation apparatus 101 notifies the management apparatus 102 of the result of the firmware update in step S220, and ends the processing.
If it is determined in step S209 that updating of the firmware is unnecessary, the process directly proceeds to step S217 in FIG. 20 to perform a one-time password invalidation process. Since the processing on the image processing apparatus 100 side is basically performed in response to a trigger from the mediation apparatus 101, unless there is a request in step S210 or step S212, the image processing apparatus 100 performs the processing of the portion shown in FIG. Not performed.

By performing the processing described above, when updating the firmware of the device to be updated that can be communicated via the network by the software updating device, the updating process can be performed by a compact program while ensuring high security. it can. As described above, the same applies to software other than firmware to be updated.
That is, first, the version information acquisition processing and the software transmission processing that are essential for updating the software are performed by the FTP with a small processing load, so that the program can be made compact. Since the software itself is not highly confidential data than authentication information such as a password or user information of a managed device, there is no problem in communication that does not perform encryption such as FTP, and the processing load is reduced. There is a strong demand for compact programs. Further, since the software has a larger size than authentication information such as a password, the processing load can be greatly reduced by transmitting the software via a communication path with a small processing load.

On the other hand, in order to prevent unauthorized software from being received, it is important to authenticate the communication partner. However, the password used for the authentication processing by FTP is generated just before use, and the communication contents are encrypted. The mediation apparatus 101 and the image processing apparatus 100 are shared by using SSL. Therefore, the password is not leaked to the third party, and the third party may impersonate the intermediary device 101, transmit illegal software from another device to the image processing apparatus 100, and update the same. Can be prevented.
Further, if the password used for the authentication processing by the FTP is invalidated immediately after confirming the success of the software update, a third party can monitor the communication by the FTP and illegally obtain the one-time password. However, there is no possibility that a connection will be made later using the password, and unauthorized access can be prevented.

If the version information of the software is confirmed when the image processing apparatus 100 is restarted after the software update, the success or failure of the update can be easily known on the mediation apparatus 101 side. Then, in the case of failure, it is possible to promptly take measures such as re-update. If the image processing apparatus 100 transmits a power-on notification to the mediation apparatus 101 at the time of restart, the timing of this confirmation can be easily measured.
Furthermore, if the mediation apparatus 101 causes the image processing apparatus 100 to update the software in response to an external request and returns the result as a response, the software update status in each image processing apparatus 100 can be updated. Can be managed by

  In addition, especially when firmware update is considered, the firmware includes software for performing basic control of hardware.If the update function is provided in the firmware itself, if the update fails, the device operates completely. There is a risk of disappearing. Therefore, in order to avoid such a situation, an update program for an update process is separately prepared, and the firmware of only the other portions is updated. In this case, it is not appropriate to use a large storage capacity for an update program that is not used during a normal operation other than the firmware update, in consideration of cost and the like. Therefore, there is a demand that the update program should have as small a capacity as possible. Therefore, by performing the above-described update processing, the processing directly required for the update can be realized using a compact program such as FTP, so that the capacity of the update program is reduced. Requirements can be satisfied.

  Also, in the case of firmware, as described above, the device to be updated is provided with an update program for firmware update processing in addition to the firmware itself in case of an update failure, as described above. If the one-time password is not invalidated when the update fails, even if the update fails, the process can be restarted from the version information acquisition process that does not use SSL. Only the program for the version information acquisition process and the firmware transmission process need be prepared. Therefore, it is not necessary to include a part necessary for this processing in the update program while improving security by using SSL for password transfer, and the update program can be made compact.

In the above-described processing for invalidating the one-time password, the above-described processing is performed by overwriting the password for erasure, thereby sharing the processing with the case of sharing the one-time password, thereby reducing the size of the program. I have.
However, in place of the overwriting request for the erasing password, a request is made to simply not use the stored one-time password for the authentication processing, and the image processing apparatus does not perform the one-time password authentication processing accordingly. Setting may be made. In this case, it is not necessary to conceal the request itself, so that it is not always necessary to perform SSL communication. Such a setting is effective if the risk that the erasing password is stolen from the image processing apparatus 100 is considered.

(Modification)
Hereinafter, various modifications that can be applied to the above-described embodiment will be described.
In the embodiment described above, an example has been described in which the mediation apparatus 101 starts the firmware update process when receiving the firmware update request from the management apparatus 102, and at this time, the mediation apparatus 101 generates a one-time password. However, the firmware update processing according to the present invention is not limited to this.

First, as a first modification, the one-time password may be generated on the image processing apparatus 100 side. In this case, the processing shown in FIG. 21 is performed instead of the processing of steps S101 to S106 in FIG.
That is, when the mediation apparatus 101 receives the firmware update request in step S101, it starts processing related to the firmware update of the image processing apparatus 100, but first transmits a one-time password generation request to the image processing apparatus 100 (S401). ). Since the request itself does not need to be confidential, it can be transmitted as a SOAP document by HTTP.

Then, the image processing apparatus 100 generates a one-time password in accordance with the password and stores the one-time password (S402). Then, this one-time password is used as a password corresponding to the ID of the mediation apparatus 101 that is the transmission source of the one-time password generation request in the authentication processing at the time of the FTP connection.
Thereafter, the image processing apparatus 100 issues a connection request by SSL to the mediation apparatus 101 (S403). When this connection is established, the one-time password is transmitted to the mediation device 101, and a request is made to store the one-time password (S404). This request is made as RPC by SOAP.

The intermediary device 101 stores the one-time password received in response to the request in the storage unit (S405), and transmits this one-time password in the authentication process for the FTP connection thereafter. Although illustration is omitted, after completion of the storage, the mediation apparatus 101 returns a response to that effect to the image processing apparatus 100, and upon receiving this response, the image processing apparatus 100 disconnects the SSL connection (S406). The communication in steps S403 to S406 is performed using HTTPS.
Then, in the processing of steps S402 to S406, the CPU of the image processing apparatus 100 functions as authentication information setting means.
According to such a process, as in the case of the process shown in FIG. 17, the one-time password can be safely shared between the mediation device 101 and the image processing device 100 using the encrypted communication path. Therefore, the same effect as in the case of performing the processing shown in FIG. 17 can be obtained.

As a second modification, the image processing apparatus 100 may be configured to be able to directly receive a firmware update instruction from the operation panel 205 or the like. In this case, the processing shown in FIG. 22 is performed instead of the processing of steps S101 to S106 in FIG.
That is, when the image processing apparatus 100 receives an instruction to update the firmware (S411), the processing related to the firmware update of the image processing apparatus 100 is started, and a one-time password generation request is transmitted to the mediation apparatus 101. (S412). Then, upon receiving this request, the mediation apparatus 101 performs a one-time password sharing process in the same manner as in the case of receiving the firmware update request from the management device 102 in the process shown in FIG. That is, in steps S413 to S417, the same processing as in steps S102 to S106 in FIG. 17 is performed.

With this configuration, even when the image processing apparatus 100 directly receives the firmware update instruction, the firmware of the image processing apparatus 100 can be updated in the same manner as when a firmware update request is received from the management apparatus 102.
In this modification, there is no firmware update request from the management device 102, but if the management device 102 can be specified, the update result notification in step S124 may be performed. In this way, the management apparatus 102 can grasp the update status of the firmware according to an instruction from a device other than itself, and can perform appropriate management.
In addition, the mediation apparatus 101 can directly receive a firmware update instruction from an operation unit connected to the Op-Port 56, and start processing related to firmware update of the image processing apparatus 100 (processing after the one-time password sharing processing) in response to the instruction. You may do so.

As a third modification, a combination of the first modification and the second modification may be considered. That is, the image processing apparatus 100 directly receives a firmware update instruction, and further generates a one-time password on the image processing apparatus 100 side.
In this case, the processing shown in FIG. 23 is performed instead of the processing of steps S101 to S106 in FIG.

In this process, the process in step S411 is the same as that in FIG. 22 and the processes in steps S402 to S406 are the same as in FIG. 21. Therefore, a detailed description is omitted. The server 101 recognizes that the processing related to the firmware update of the image processing apparatus 100 has been started when the storage request of the one-time password is received in step S404, and performs the subsequent processing.
The effect of this modification is a combination of the effect of the first modification and the effect of the second modification.

As a fourth modification, in the one-time password erasing process, a request to store the erasing password can be made from the image processing apparatus 100 side. In this case, the processing shown in FIG. 24 is performed instead of the processing of steps S120 to S123 in FIG.
That is, the image processing apparatus 100 first makes a connection request by SSL to the intermediary apparatus 101 as in step S412 in FIG. 22 (S421). Then, when this connection is established, the password for erasure is transmitted to the mediation apparatus 101, and a request is made to store the password (S422). This request is a so-called one-time password invalidation request. In this process, the CPU of the image processing apparatus 100 functions as authentication information invalidating means.

In response to the request, the mediation apparatus 101 overwrites the one-time password with the received erasing password (S423), and prevents the one-time password stored up to that point from being transmitted in the subsequent FTP connection. On the other hand, the image processing apparatus 100 itself also overwrites the stored one-time password with the erasure password (S424), and prevents the stored one-time password from being used for the authentication processing at the time of the FTP connection thereafter. I do. After the storage, the image processing apparatus 100 disconnects the SSL connection (S425).
This modified example can be applied to the above-described embodiment and each modified example. However, when applied to a case where the one-time password is generated on the image processing apparatus 100 side as in the first and third modified examples, an SSL password is used. Can be unified on the image processing apparatus 100 side, which is effective for simplifying the program.
In the case where this modification is applied, when the mediation apparatus 101 determines that the update of the firmware is successful in step S119 of FIG. 17, the intermediate apparatus 101 notifies the image processing apparatus 101 to that effect. The process shown in FIG. 24 may be started when the notification is received by 101.

  Further, in the above-described embodiment and each modified example, the image processing apparatus having the communication function is mainly described as an example of the device to be updated. However, the present invention is not limited to this, and the image processing apparatus having the communication function may be provided. Networked home appliances, vending machines, medical equipment, power supplies, air conditioning systems, gas / water / electricity metering systems, etc., and various types of electronic devices with communication functions, including general-purpose computers that can be connected to networks, automobiles, aircraft, etc. Applicable to the device.

For example, in the remote management system shown in FIG. 1, each of these devices may be a managed device (updated device) to configure a remote management system and a certificate setting system as shown in FIG. In this figure, network home appliances such as a television receiver 12a and a refrigerator 12b, a medical device 12c, a vending machine 12d, a weighing system 12e, and an air conditioning system 12f are given as examples of managed devices provided with an intermediary device 101 separately. . Then, as examples of the managed device having the function of the mediation device 101, the car 13a and the aircraft 13b are cited. In a device that moves over a wide range, such as an automobile 13a or an aircraft 13b, it is preferable that the device also has the function of a firewall (FW) 104.
The present invention is of course applicable to updating the software of each device to be managed in such a remote management system.

Further, the software update device is not limited to the mediation device shown in FIGS. 1, 3 and 25, and may be a dedicated device for software update or the management device 102.
Further, the software update system of the present invention is not always included in the remote management system, and the configuration of the device to be updated, the software update device, the management device, and the connection form thereof are limited to the above embodiments. It is not something that can be done. Communication between these devices can be performed using various communication lines (communication paths) capable of constructing a network, whether wired or wireless.

Further, as for the communication path, an example is described in which the communication path by SSL is used as the first communication path and the communication path by FTP is used as the second communication path. However, the present invention is not limited to this. If the data to be transmitted is encrypted and transmitted, and the second communication path has a smaller processing load than the first communication path, it is a communication path (communication method) using another protocol. It does not matter. At this time, it is conceivable that the processing load is reduced by setting the second communication path as a communication path for transmitting data to be transmitted without encrypting the data. Also, the communication path when the update device transmits the update authentication information to the device to be updated and requests authentication is different from the second communication path used for transferring the update software, for example, a unique protocol for authentication. Communication path.
Further, it is needless to say that the above-described modifications may be appropriately combined and applied.

  Further, the program according to the present invention provides a computer which controls a software updating device capable of communicating with the device to be updated via a network, with each of the above-mentioned functions (authentication information setting means, authentication requesting means, transmitting means and other means as The above-described effects can be obtained by causing a computer to execute such a program.

Such a program may be stored in a storage means such as a ROM or an HDD provided in the computer from the beginning, but may be stored in a non-volatile storage medium such as a CD-ROM or a flexible disk, an SRAM, an EEPROM, or a memory card as a recording medium. It can also be provided by recording it on a medium (memory). Each of the above-described procedures can be executed by installing the program recorded in the memory in the computer and causing the CPU to execute the program, or reading and executing the program from the memory by the CPU.
Further, the program can be downloaded from an external device provided with a recording medium storing the program or an external device having the program stored in the storage means and executed.

As described above, according to the software updating device, the software updating system, the software updating method, or the program of the present invention, when the software of the device to be updated communicable via a network is updated by the software updating device, The update processing load can be reduced while ensuring high security.
Therefore, by applying the present invention, it is possible to provide a system that can safely and easily update software of a communication device sold to a user, for example.

1 is a conceptual diagram showing a configuration example of a remote management system including a software update system according to the present invention. FIG. 2 is a conceptual diagram showing a data transmission / reception model in the remote management system. It is a block diagram showing an example of hardware constitutions of an intermediary device which constitutes the remote management system. FIG. 4 is a block diagram illustrating an example of a software configuration of the mediation device. 1 is a conceptual diagram showing a configuration example of an image processing apparatus remote management system including a software updating system according to the present invention in which an image processing apparatus is an apparatus to be updated. FIG. 2 is a block diagram illustrating an example of a hardware configuration of an image processing apparatus that configures the image processing apparatus remote management system. FIG. 2 is a block diagram illustrating an example of a software configuration of the image processing apparatus. FIG. 4 is a diagram for describing an ENGRDY signal and a PWRCTL signal in the image processing device. FIG. 2 is a functional block diagram illustrating a configuration example of a web service application in the image processing apparatus. FIG. 4 is a diagram illustrating an example of a communication sequence at the time of data transmission / reception performed in the image processing apparatus remote management system illustrated in FIG. 3.

FIG. 4 is a diagram illustrating an example of a communication sequence when data is transmitted from the image processing apparatus illustrated in FIG. 3 to the management apparatus 102. FIG. 4 is a diagram illustrating an example of a password list used in a reference example of a process of updating the firmware of the image processing device by the mediation device illustrated in FIG. 3. FIG. 9 is a sequence diagram showing a firmware update process of the reference example. FIG. 4 is a diagram illustrating a processing example when performing mutual authentication using SSL between the mediation device and the image processing device illustrated in FIG. 3. It is a figure showing the example of processing at the time of performing one-way authentication similarly. It is a figure showing another example. FIG. 4 is a sequence diagram illustrating a processing example when updating the firmware of the image processing device by the mediation device illustrated in FIG. 3. 4 is a flowchart illustrating a part of a process example when updating the firmware of the image processing apparatus by the mediation apparatus illustrated in FIG. 3. FIG. 19 is a flowchart illustrating a process continued from FIG. 18. FIG. 20 is a flowchart showing a process continued from FIG. 19.

FIG. 18 is a sequence diagram illustrating a processing example of a part that replaces the processing of FIG. 17 in the first modified example of the processing illustrated in FIG. 17. FIG. 18 is a sequence diagram illustrating a processing example of a part that replaces the processing of FIG. 17 in the second modified example. FIG. 18 is a sequence diagram illustrating a processing example of a part that replaces the processing of FIG. 17 in the third modified example. FIG. 18 is a sequence diagram illustrating a processing example of a part that replaces the processing of FIG. 17 in the fourth modified example. FIG. 2 is a diagram illustrating another configuration example of the remote management system illustrated in FIG. 1. FIG. 10 is a sequence diagram illustrating an example of a firmware update process in a conventional firmware update system. FIG. 27 is a diagram for explaining the danger of the processing shown in FIG. 26.

Explanation of reference numerals

10: Managed Device 11: Managed Device with Mediation Function 52: CPU 53: SDRAM
54: Flash memory 55: RTC
56: Op-Port 57: PHY
58: Modem 59: HDD control unit 63: HDD 70: Application layer 80: Service layer 90: Protocol layer 100: Image processing device 101: Mediation device 102: Management device 103: Internet 104: Firewall 105: Terminal device 110: Mediation function Attached image processing apparatus 200: controller board 201: HDD
202: NV-RAM 203: PI board 204: PHY 205: Operation panel 206: Plotter / scanner engine board 207: Power supply unit 212: PCI-BUS
300: OCS 301: ECS
302: MCS 303: NCS
304: FCS 305: CSS
306: SCS 307: SRM
308: IMH 309: Copy application 310: Fax application 311: Printer application 312: Scanner application 313: Net file application 314: Web application 315: NRS application 316: DCS
317: UCS 318: DESS
319: CCS

Claims (23)

A software update device capable of communicating with a device to be updated via a network,
Authentication information setting means for generating update authentication information when updating the software of the device to be updated, and transmitting the updated authentication information to the device to be updated via an encrypted first communication path, and storing the authentication information;
Authentication request means for transmitting the update authentication information to the device to be updated, and requesting an authentication process based on the authentication information,
Transmitting means for transmitting the updating software to the device to be updated via a second communication path having a smaller processing load than the first communication path when the authentication processing is successful. apparatus. The software update device according to claim 1,
A software updating apparatus, comprising: authentication information invalidating means for transmitting a request for invalidating the updating authentication information to the device to be updated after transmitting the updating software. The software updating device according to claim 1 or 2,
A software updating apparatus comprising means for updating the software of the device to be updated in response to an external software update request, and returning the result to a request source of the update request. The software update device according to claim 1, wherein:
Means for receiving an activation notification indicating activation from the device to be updated,
If the activation notification is received from the device to be updated after the transmission of the software for update, the software obtains the version information of the software from the device to be updated and compares it with the version information of the software for update to check whether the update was successful. And a means for performing software updating. The software update device according to any one of claims 1 to 4,
The first communication path is a communication path for performing communication by SSL,
The software update device according to claim 2, wherein the second communication path is a communication path for performing communication by FTP. The software update device according to any one of claims 1 to 4,
The first communication path is a communication path for encrypting data to be transmitted and transmitting the encrypted data.
The software update device according to claim 2, wherein the second communication path is a communication path for transmitting data to be transmitted without encryption. A software update system configured by a software update device and a device to be updated that can communicate with each other via a network,
In the software updating device,
Authentication information setting means for generating update authentication information when updating the software of the device to be updated, and transmitting the updated authentication information to the device to be updated via an encrypted first communication path, and storing the authentication information;
Authentication request means for transmitting the update authentication information to the device to be updated, and requesting an authentication process based on the authentication information,
Transmitting means for transmitting the update software to the device to be updated on a second communication path having a smaller processing load than the first communication path when the authentication processing is successful;
In the device to be updated,
Storage means for storing the update authentication information when requested to be stored,
When the authentication process is requested, an authentication unit that performs an authentication process using the received update authentication information and the update authentication information stored in the storage unit and returns a result,
An updating unit that receives the update software when the authentication process is successful, and updates the own software to the update software. The software update system according to claim 7, wherein
In the software updating device,
After the transmission of the update software, provided an authentication information invalidating means for transmitting a request for invalidating the update authentication information to the device to be updated,
In the device to be updated,
A software updating system comprising means for invalidating the update authentication information stored in the storage means when the invalidation request is received. The software update system according to claim 7 or 8,
In the device to be updated,
Means for restarting the device itself after updating the software by the updating means,
Means for transmitting a start notification to that effect to the software update device at the time of start,
Means for transmitting software version information to the software update device in response to a request from the device,
In the software updating device,
When the activation notification is received from the device to be updated after the transmission of the software for update, the device for update is requested to transmit the version information of the software to the device to be updated, and the version information is acquired. A software update system comprising means for comparing the version information with the version information to determine whether the update was successful. A software update system according to any one of claims 7 to 9, wherein
The first communication path is a communication path for performing communication by SSL,
The software update system according to claim 2, wherein the second communication path is a communication path for performing communication by FTP. A software update system according to any one of claims 7 to 9, wherein
The first communication path is a communication path for encrypting data to be transmitted and transmitting the encrypted data.
The software update system according to claim 2, wherein the second communication path is a communication path for transmitting data to be transmitted without encryption. A software updating method for updating software of an updated device communicable via a network by a software updating device,
When updating the software of the device to be updated, update authentication information is generated, transmitted to the device to be updated via an encrypted first communication path, and stored therein.
Transmitting the update authentication information to the device to be updated, and performing an authentication process based on the authentication information;
Software, wherein when the authentication process is successful, update software is transmitted to the device to be updated via a second communication path having a processing load smaller than that of the first communication path, and software is updated. Update method. The software update method according to claim 12, wherein
A software update method, comprising: causing the device to be updated to invalidate the update authentication information after transmitting the update software. A software update method according to claim 12 or 13, wherein
A software update method comprising: updating software of the device to be updated in response to an external software update request; and returning a result to a request source of the update request. A software update method according to any one of claims 12 to 14, wherein
Receiving a start notification indicating that the device has been started from the device to be updated,
When the activation notification is received from the device to be updated after the transmission of the software for update, the software obtains the version information of the software from the device to be updated and compares the version information of the software for update to check whether the update was successful. Software updating method. A software update method according to any one of claims 12 to 15, wherein
The first communication path is a communication path for performing communication by SSL,
The software update method according to claim 2, wherein the second communication path is a communication path for performing communication by FTP. A software update method according to any one of claims 12 to 15, wherein
The first communication path is a communication path for encrypting data to be transmitted and transmitting the encrypted data.
The software update method, wherein the second communication path is a communication path for transmitting data to be transmitted without encryption. A computer that controls a software update device that can communicate with the device to be updated via a network,
Authentication information setting means for generating update authentication information when updating the software of the device to be updated, and transmitting the updated authentication information to the device to be updated via an encrypted first communication path, and storing the authentication information;
Authentication request means for transmitting the update authentication information to the device to be updated, and requesting an authentication process based on the authentication information,
A program for causing the update software to function as a transmission unit that transmits the update software to the device to be updated via a second communication path having a smaller processing load than the first communication path when the authentication processing is successful. The program according to claim 18, wherein
A program for causing the computer to function as an authentication information invalidating unit that transmits a request for invalidating the update authentication information to the device to be updated after transmitting the update software is further included. program. The program according to claim 18 or 19,
A program for causing the computer to function as a means for updating the software of the device to be updated in response to an external software update request and returning the result to a request source of the update request is further included. program. The program according to any one of claims 18 to 20, wherein
Said computer,
Means for receiving an activation notification indicating activation from the device to be updated,
When the activation notification is received from the device to be updated after the transmission of the software for update, the software obtains the version information of the software from the device to be updated and compares the version information of the software for update to check whether the update was successful. A program characterized by further including a program for causing the program to function as means for executing the program. The program according to any one of claims 18 to 21, wherein
The first communication path is a communication path for performing communication by SSL,
The program, wherein the second communication path is a communication path for performing communication by FTP. The program according to any one of claims 18 to 21, wherein
The first communication path is a communication path for encrypting data to be transmitted and transmitting the encrypted data.
The second communication path is a communication path for transmitting data to be transmitted without encryption.

Images