JP2005346263A - Storage system and storage method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve security performance and use convenience in a storage device such as an information processor, which can be separated from a host side, for storing data, and for outputting the stored data when connected to the host device and the storage method of the device. <P>SOLUTION: Biometrics information is entered, and the entered biometrics information is integrated into template data, and the template data-integrated biometrics information is authenticated by verifying the template data-integrated biometrics information stored in a reference information storing part with a reference. A storage part is able to perform access to the outside based on the fact that authentication is acquired by an authentication processing part. A storage operation control part makes the reference information storing part store the template data-processed biometric information, and decides the permission/non-permission of the operation according to the acquisition and examination of information owned by physically individualized articles. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a storage apparatus that can be disconnected from a host side such as an information processing apparatus and that accumulates data and outputs the accumulated data when connected to the host side, and a storage method of such an apparatus, in particular. The present invention relates to a storage apparatus and a storage method suitable for improving security and usability.

  With the widespread use of information products such as computers, digital cameras, and digital recording devices, consumer demands for digital information storage media are increasing day by day. In addition to discs dedicated to computers, manufacturers sell various media as digital information storage media. For example, PCMCIA cards, compact flash (registered trademark), smart media (registered trademark), multimedia, secure digital, memory There are flash memory products such as sticks.

  These storage media have become the new generation of storage devices in place of conventional flexible disks and hard disks. In particular, compact flash (registered trademark) and PCMCIA cards have been adopted in consumer electronic products such as digital cameras, MP3 players, personal digital assistants (PDAs), computers (PC / NB), and the like. More recently, removable hard disks have attracted the most market attention because of their small volume and ease of use.

  There are many types of removable hard disks on the market due to differences in storage memory capacity and shape. These products have a small volume and are convenient to use, and are equipped with an integrated USB plug-and-play plug, and are considered to be removable hard disks that allow users to access data without having to install a drive program. . Compared with similar products such as Compact Flash (registered trademark), SmartMedia (registered trademark), MMC, SD card, Memory Stick, removable hard disk has smaller volume, larger capacity, faster speed, stronger structure, manufacturing It has advantages such as low cost. In addition, since it has a commonly used interface such as a USB standard and the software driver is standardized, it has an advantage of good compatibility with the host device.

  In addition, as disclosed in Patent Document 1 (Utility Model Registration No. 3089717), a removable hard disk equipped with a USB plug does not require a power source and has a plug-and-play function, and also has high safety and high-speed data. Transmission speed (12Mb / sec), hot swapping, and easy operation are realized. In addition, there is an advantage that a system of Windows (registered trademark) 98, Mac OS 8.6 or higher is supported, without having to modify the installation of the computer without requiring computer assembly experience.

  Removable hard disks and portable products on the market are increasingly accepted by consumers and attracting the attention of traders. The reason is that all of them are compatible with the USB standard, have a large storage capacity space, and can be directly connected and communicated with a computer equipped with a USB plug. Another factor is that data can be transmitted directly to other types of consumer electronic / communication devices very easily.

  For behavioral businessmen, the portable nature of removable hard disks provides the convenience of data storage and modification. For ordinary students, the high capacity characteristics of removable hard disks provide the speed of high-speed file exchange with MP3, VIDEO, GAME, PHOTO, etc. Thereby, it can be applied to a mass storage device such as a digital camera, a digital recorder, an MP3 player, a portable information terminal, an online machine, an STB (set top box), a mobile phone, a notebook personal computer, and an information appliance (IA).

  The above-mentioned various removable hard disks are further coupled to various common tool programs such as e-mail, communication records, ICQ, etc., so that the other party has a digital device such as a computer or a mobile phone wherever it is located. You can easily contact that person. Although the usage concept is similar to that of a disk, the data storage space can reach 8MB to 1GB although it is small in volume and light in weight. Furthermore, it is a storage device in a new era that has the possibility of extending the storage space indefinitely. .

  In addition to this, it can be designed in accordance with the copy protection encryption standard, and its application can be further expanded. For example, in addition to preventing personal data from being inadvertently deleted, it can be adapted to data storage having copyrights such as sound recordings, books, and games. Furthermore, it is suitable for application to electronic commerce such as credit cards, telephone cards, and membership cards. Such an emerging storage media child has an application space that could not be imagined in the past, and can be plugged and played by plugging directly into the slot of the equipment that uses the storage media directly. Functions such as high storage capacity are demonstrated. The manufacturing cost does not increase in terms of external design.

  On the other hand, as a security system in a computer system, a network system, or other devices, there is a fingerprint collation system that realizes personal authentication by fingerprint collation. In the conventional fingerprint collation system, for example, original fingerprint data is registered and stored in a personal computer. Then, the user's fingerprint data is input from a scanner-equipped fingerprint verification device connected to the personal computer, and the fingerprint original data and the input fingerprint data are compared and verified in the personal computer.

  In addition, the original fingerprint data is registered and stored in the security memory of the smart card, the user's fingerprint data is input from the fingerprint verification device connected to the personal computer, the two data are compared and verified in the personal computer, and the personal authentication is performed. There is also a carrier type. Furthermore, as a next-generation type, there is a registered fingerprint original data in a security memory in a fingerprint verification token, and verification is also performed in the fingerprint verification token.

  In addition, as a prior art regarding a fingerprint collation system, there exists a thing disclosed by patent document 2 (Unexamined-Japanese-Patent No. 2001-43190), for example. Moreover, as a prior art regarding the electronic system using fingerprint collation, there exists a thing disclosed by patent document 3 (Unexamined-Japanese-Patent No. 2001-92786), for example. Furthermore, Patent Document 4 discloses a technology for a fingerprint authentication device that is independent, and performs fingerprint collation in the device and acquires and transfers appropriate data from a plurality of data stored therein depending on the authentication result. (Japanese Unexamined Patent Publication No. 2003-85149) discloses one. In this disclosure, security data is improved by storing necessary security data in the IC card unit and decrypting it in the IC card unit.

  As an IC card used here, as disclosed in Patent Document 5 (Japanese Patent Publication No. 2002-525720), a contact type interface defined by ISO 7816-2 and ISO 7816-3, and a USB (universal serial bus) are used. An IC card having a dual interface with a standard contact interface has been developed. An IC card having a USB interface facilitates connection with a USB-compatible device such as a personal computer, and is beginning to attract attention as a network access ID card such as an employee ID card.

  On the other hand, an ID module for network access incorporating an IC chip called e-Token is used. It has a USB contact interface and can be plugged in and plugged into a USB connector on a personal computer. That is, it can be used in a system that secures network security without requiring troublesome operations. Sometimes called a dongle, it is convenient to carry with a cell phone strap or key holder.

  In the mobile phone field, security ID modules such as SIM (subscriber identity module) and UIM (USIM), which are small IC cards, are being used. A UIM (user identity module) records contractor information issued by a mobile phone company, and identifies a user by being incorporated in a mobile phone. The UIM is standardized by expanding the SIM function, and in addition to the contractor information, private information such as a telephone directory, personal identification information for credit settlement, etc. can be encrypted and registered. For this reason, UIM is also called USIM (universal SIM).

The SIM is standardized for the purpose of using the GSM mobile phone service, but the UIM is considered to be used for receiving an international roaming service, for example, by inserting it into an cdma2000 mobile phone in the United States. The SIM and UIM itself can be manufactured and issued using existing technology. One of the features of SIM and UIM (USIM) is that they have very high security. In this application, the term SIM is used to mean UIM (USIM) unless there is a contradiction.
Utility Model Registration No. 3039717 JP 2001-43190 A JP 2001-92786 A JP 2003-85149 A JP-T-2002-525720

  Most of the memory devices that are the above-mentioned removable hard disks do not take security into consideration, and if they are transferred to a third party, the internal data is read as it is. Therefore, it is necessary to strictly manage the device itself. Some memory devices encrypt data to improve security, but use a specific host or a device that contains the restoration processing driver software to restore the encrypted data. In this case, the convenience of using any host is limited.

  In addition, there are memory devices that protect internal data with a password, but it is possible to set the log on entry to remain in the host side device that inputs the password, and it is not necessarily safe for security There is also a problem that I cannot say. In such a case, it can be safely used only by a host device that is known not to have a log extraction function, and it cannot be said that it can be used by any host device anytime, anywhere.

  Another problem is that passwords can be forgotten. In order to make it hard to forget, it is often the same as the password used for other devices and communication access. For this reason, if the password is stolen by other devices or communication access, the password of the memory device can be easily identified.

  In order to improve security, it is conceivable to add a biometrics authentication function represented by fingerprint authentication, which is the above-described prior art, to this memory device. However, in this conventional biometrics authentication, first, in order to perform authentication or use authentication data, a specific host device or a device serving as a host incorporating specific application software is required. That is, since the authentication result is effective only after communication with these hosts, there is a problem that host devices such as personal computers to be connected are limited.

  Second, biometric authentication has a problem that 100% authentication cannot be guaranteed. In other words, these authentications generally have a personal authentication rate and a stranger rejection rate, and it is impossible to achieve 100% for each as long as biometric authentication is used, but no correspondence is shown in the prior art. For this purpose, for example, it is considered that a means for re-registering authentication data or a means for invalidating the authentication function must be held. However, conversely, the fact that such re-registration of authentication data and invalidation of the authentication function can be used by a third party, and there is a big problem in security. In practice, it is necessary to register the authentication data by some method in the initial state, and the fact that registration is possible means that a third party can also register, and there is still a problem in security.

  The present invention has been made in consideration of the above circumstances, and is a storage apparatus that can be disconnected from the host side such as an information processing apparatus and that accumulates data and outputs the accumulated data when connected to the host side Another object of the present invention is to provide a storage apparatus and a storage method capable of improving security and convenience of use in the storage method of such an apparatus.

  In order to solve the above problems, a storage apparatus according to the present invention includes a biometrics information input unit that inputs biometrics information, a template data conversion processing unit that converts the input biometrics information into template data, An authentication processing unit that performs authentication processing by comparing biometrics information that has been converted into template data with reference to templated biometrics information that is stored in a reference information storage unit, and an interface for exchanging data with the outside Based on the fact that authentication has been obtained by the authentication processing unit, access to the outside becomes possible, and data sent from the outside via the interface is accumulated and / or accumulated via the interface. To output the recorded data to the outside Acquiring information that is possessed by a physically individualized article, and an operation for holding the biometrics information that has been processed into the template data in the reference information holding unit, and allowing or not permitting the operation -A holding operation control unit determined by examination is provided.

  That is, the input biometric information is converted into template data, and the result is authenticated based on the template data held in the reference information holding unit. If authentication is obtained, the storage unit can be accessed via the interface. Here, in order to hold the biometrics information that has been processed into the template data in the reference information holding unit, the permission by the holding operation control unit is required. The holding operation control unit acquires information held by the physically individualized article and permits the information by examining the acquired information.

  Therefore, if there is no “physically individualized article”, the setting and rewriting of the reference information is impossible and the security is greatly improved. Further, since the authentication process is performed by its own configuration, and this is not password authentication, the convenience that the host can be used regardless of the security is improved and the usability is improved.

  Further, the storage method according to the present invention inputs biometrics information, processes the input biometrics information into template data, and physically separates the biometrics information that has been processed into template data. The biometric information processed by the second template data different from the biometrics information processed by the template data is obtained by acquiring information held by the article and holding the information in the reference information holding unit based on examination of the acquired information. The metrics information is verified against the template-processed biometrics information held as a reference, and based on the fact that authentication is obtained by the authentication processing, the data sent from the outside through the interface is obtained. Stored in the storage unit and / or via the interface And outputting the stored data in the storage unit to the outside.

  This storage method can improve security and convenience of use by substantially the same operation as the above storage apparatus.

  According to the present invention, in a storage apparatus that can be disconnected from a host side such as an information processing apparatus and that accumulates data and outputs the accumulated data when connected to the host side, and a storage method for such an apparatus, Security and convenience of use can be improved.

  As an embodiment of the present invention, the reference information holding unit may be further provided. The storage apparatus is configured to include a reference information holding unit.

  Here, the reference information holding unit may be arranged so as to be included in the physically individualized article. This is suitable when a “physically individualized article” can hold a relatively large amount of information. As an example, the reference information holding unit may be included in a SIM or IC card as the article that is physically individualized. The reference information holding unit may be provided on the main body side instead of the “physically individualized article” side.

  Further, as an embodiment, an encryption unit that encrypts the data transmitted from the outside via the interface and supplies the encrypted data to the storage unit, and an encrypted data stored in the storage unit And a decrypting unit that decrypts the decrypted data and sends the decrypted data to the outside via the interface. Security is further improved by encryption.

  As an embodiment, the holding operation control unit emits an electromagnetic wave signal including electric power necessary for the operation of the article to acquire the information of the article, and the article responds to the radiation. It is possible to receive an electromagnetic wave signal transmitted more. It is an example of acquisition of the information by non-contact with an article. Examples of the article include an IC card and an IC tag provided with an antenna unit for transmission and reception.

  As an embodiment, the biometric information input unit may input fingerprint information as the biometric information. It is an illustration as biometric information and its input part. Other biometric information includes image information such as iris patterns, vein patterns, portraits (faces), and voice information such as voiceprints. Therefore, an input unit corresponding to the information can be provided.

  As an embodiment, the interface may be compliant with the USB standard. In view of recent interface standards, a USB standard interface is advantageous for connection to a host side such as a personal computer.

  Further, as an embodiment, the template data conversion processing unit, the authentication processing unit, and the holding operation control unit are each operated by processing in a CPU, and the CPU accumulates data in the storage unit / A storage unit controller that controls output of data from the storage unit may be included to be interposed between the interface and the storage unit. By interposing the CPU between the interface and the storage unit, security when outputting data accumulated in the storage unit is further improved.

  Further, as an embodiment as a storage method, the obtained authentication may be invalidated when connection with the outside through the interface is interrupted. When the connection with the outside through the interface is interrupted, there is a high possibility that the user's work is interrupted. Therefore, the authentication is reset to prevent the third party from continuing work from this state.

  Based on the above, embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a perspective view (FIG. 1A) and a block diagram (FIG. 1B) showing the configuration of a storage apparatus according to an embodiment of the present invention. As illustrated in FIG. 1, the storage device 10 includes an interface 11, a CPU 12, a reference information holding unit 13, a storage unit 14, a fingerprint input unit (biometrics information input unit) 15, and a physical key information input unit 16. A physical key 17 as a physically individualized article can be inserted into the physical key information input unit 16.

  The interface 11 is used for connection with a device on the host side. Here, a connector conforming to the USB standard is used as the connector, and this is attached to one of the side surfaces of the rectangular parallelepiped shape having the smaller area. The data passing through the interface 11 includes data for controlling various operations in addition to data stored in the storage device and data output from the storage device. Through this interface 11, the CPU 12 exchanges data with the host and controls it.

  The CPU 12 functions as a template processing unit, an authentication processing unit, a holding operation control unit, a storage unit controller, and an encryption unit / decryption unit. As the template processing unit, the raw fingerprint information input from the fingerprint input unit 15 is subjected to pattern recognition (for example, extracting the feature amount) and converted into fingerprint data converted into template data. As the authentication processing unit, the fingerprint information converted into the template data is collated with reference to the fingerprint information converted into the template data stored in advance in the reference information holding unit 13 to perform the authentication process.

  The holding operation control unit examines information obtained when the physical key 17 is inserted into the physical key information input unit 16 and holds the fingerprint information converted into template data in the reference information holding unit 13. Determine whether to allow or disallow. The storage unit controller performs address control of data accumulated in the storage unit 14 and data output from the storage unit 14. The encryption unit / decryption unit encrypts data stored in the storage unit 14 and decrypts data output from the storage unit 14.

  The reference information holding unit 13 holds fingerprint information converted into template data as authentication reference information. As described above, when the holding of the fingerprint information converted into the template data is permitted by the function as the holding operation control unit of the CPU 12, the holding is performed, and the function as the authentication processing unit of the CPU 12 is used as the reference information of the authentication process. Reading is performed. For example, a non-volatile memory such as a flash ROM or an EEPROM can be used.

  The storage unit 14 is a data storage unit as the storage device. Data is exchanged with the CPU 12. For example, a nonvolatile memory such as a flash ROM or an EEPROM can be used.

  The fingerprint input unit 15 inputs fingerprint information as biometric information. Here, in order to reduce the size as a whole, the fingerprint input unit 15 is a sweep type using a thermal method. The surface of the fingerprint input unit 15 has a detection surface in which thermal elements are arranged in a line. When reading a fingerprint, the abdomen of the fingertip is pressed against the detection surface of the fingerprint input unit 15 and moved (rubbed) in the direction shown in the figure. . The sweep type recognizes the characteristics of the fingerprint by rubbing the finger on the strip-shaped detection surface with a width of several millimeters in this way, but it can be dealt with by providing a correction function even when there is unevenness in the rubbing speed or pressing. is there. Examples of commercially available sweep type fingerprint sensors that can be used as the fingerprint input unit 15 include “FCD4B14” (FingerChip) manufactured by ATMEL.

  Note that a capacitive fingerprint sensor can be used as the fingerprint input unit 15. For example, in the case of a planar capacitance type, a number of sensor elements that convert fingerprint irregularities into electrical signals are laid out as a detection unit that detects fingerprint irregularities as electrical signals. The fingerprint is read by bringing the abdomen of the fingertip into contact with the surface of the sensor element that has been spread.

  The physical key information input unit 16 has a slit for receiving the physical key 17 as shown in the figure, and is an input for acquiring information on physical characteristics (for example, shape) of the received physical key 17. Part. As an example of information acquisition, for example, when the physical key 17 is inserted into the slit, depending on the shape thereof, a plurality of fine electrical switches and photocouplers arranged in the vertical and horizontal directions on the main body side are turned on / off. A form that utilizes the fact that the patterns are different is mentioned. The acquired feature information is sent to the CPU 12.

  In the configuration of the storage apparatus 10, the operation description is further performed in accordance with the use procedure. The storage apparatus 10 has no data in the reference information holding unit 13 in the initial state. When the physical key 17 is inserted into the physical key information input unit 16 to hold the template data in the reference information holding unit 13, the fingerprint input unit 15 functions as an input element for registration. The inputted fingerprint information is converted into template data by a template data conversion process in the CPU 12. The converted / created template data can be held in the reference information holding unit 13.

  The template data conversion processing is preferably performed by connecting a specific host device (not shown) to the interface 11 and using necessary control software. This is because, in fingerprint registration, it is generally more stable to authenticate a plurality of times of input data and create template data serving as a reference for subsequent verification with data to be authenticated. In such a creation process, operation is smoother if there is control from the host device. At the stage of holding the template data, access (accumulation / output) from the host side to the storage unit 14 in the storage apparatus 10 can be freely performed. This state is a state in which security is released by the physical key 17.

  Next, after the template data is held in the reference information holding unit 13, the storage unit 14 cannot be accessed without fingerprint authentication. At this time, the physical key 17 is removed from the storage apparatus 10 and stored strictly separately. In addition, the storage apparatus 10 of this embodiment is a so-called independent device with a fingerprint authentication function, and does not require host-side support for fingerprint authentication processing. When the storage apparatus 10 is connected to a host device such as a personal computer, a code determined to be a removable memory device and / or a large-capacity storage memory is returned to the host side. Although it is possible to connect to any host device, the data in the storage unit 14 is locked only by the connection, and the lock cannot be removed unless fingerprint authentication is performed.

  There is generally no 100% certification for biometrics certification. Therefore, only by the authentication, if some kind of authentication failure occurs, the storage unit 14 cannot be accessed and necessary data may not be extracted. In such a case, in this storage apparatus 10, if the physical key 17 stored separately is used, the reference information held in the reference information holding unit 13 can be ignored and the security can be canceled. Can access data stored in

  It should be noted that a plurality of template data may be held in the reference information holding unit 13 in order to reduce the person rejection rate. For example, since there are 10 fingers in both hands, the identity rejection rate can be lowered by storing a plurality or all of them and sequentially performing authentication.

  In addition, while the interface 11 is connected to the host device, the access to the storage unit 14 can be freely improved after authentication, and the authentication result is displayed when the interface 11 is removed from the host device. You may make it discard. Thereby, it is possible to easily prevent the interrupted work from being continued by a third party. In addition, security can be improved when the storage apparatus 10 is removed from the host device and carried.

  In this embodiment, a CPU 12 as an encryption unit / decryption unit is interposed between the interface 11 and the storage unit 14. With such a configuration, the CPU 12 performs processing and control of encryption of stored data and decryption of output data, and the CPU 12 manages encryption / decryption keys. Therefore, even if it is disassembled and the storage unit 14 is directly accessed, the contents cannot be decrypted and the security is improved.

  As described above, according to the present embodiment, the convenience of the storage apparatus can be fully demonstrated, regardless of the host to be used, while ensuring high security. In addition, it appropriately addresses the problem of refusal of identity in biometrics information authentication that may occur during use.

  In the above embodiment, the fingerprint input unit 15 is used as a biometrics information input unit. However, vein pattern authentication or iris pattern authentication using an optical sensor or the like, and portrait (face) authentication using a camera as an input element. Various input elements can be used according to each authentication, such as voice authentication using a microphone as an input element. In general, template data of biometrics information can use feature amount or feature point data as a pattern, power spectrum data by frequency analysis, or the like. When the data capacity is small, there is an advantage that the processing load is small, but the authentication rate generally tends to decrease. Therefore, it is preferable to use a certain amount of template data in order to increase security.

  In the above embodiment, the reference information holding unit 13 and the storage unit 14 are prepared separately. However, since these are both nonvolatile memories, a configuration in which these are prepared in the same chip can be realized. In this case, the used addresses in the chip may be disassembled and used for template data or storage data, respectively. Thereby, the number of parts to be used can be reduced and the manufacturing cost can be reduced. Recently, some CPUs have a ROM mounted therein. In this case, a configuration in which the reference information holding unit 13 is provided in the CPU 12 can be realized.

  Moreover, although the said embodiment was what is called a USB device which used the USB connector as the interface 11, for example, a PCMCIA card, a compact flash (registered trademark), a smart media (registered trademark), a multimedia, a secure digital, a memory stick Etc., those having their own external interface may be used.

  Next, a storage apparatus according to another embodiment of the present invention will be described with reference to FIG. FIG. 2 is a block diagram showing the configuration of a storage apparatus according to another embodiment of the present invention. The components already described are given the same numbers. The description is omitted unless it is added.

  In this embodiment, a hub 21 is provided between the interface 11 and the storage unit 14, and a storage unit controller 23 is interposed in the previous stage of the storage unit 14 due to this relationship. The hub 21 is controlled by the hub controller 22 to switch between a data flow between the interface 11 and the storage unit controller 23 and a data flow between the interface 11 and the CPU 12A. The hub controller 22 is controlled by the CPU 21A. The CPU 12A has the same functions as the storage unit controller and the encryption unit / decryption unit from the CPU 12 in FIG.

  According to such a configuration, since the CPU 12A is not interposed between the interface 11 and the storage unit 14, the data stored in the storage unit 14 cannot be encrypted, but the internal configuration of the CPU 12A can be simplified. However, since the data is stored in the storage unit 14 without being encrypted, the data stored in the storage unit 14 can be read by disassembling the storage device. Although security is somewhat sacrificed in this respect, since it has the same effect as the above-described embodiment except for this point, it is a possible configuration as a simplified configuration.

  Next, still another embodiment of the present invention will be described with reference to FIG. FIG. 3 is a perspective view (FIG. 3A) and a block diagram (FIG. 3B) showing a configuration of a storage apparatus according to still another embodiment of the present invention, which is the same as the components already described. Numbered. The description is omitted unless it is added.

  In this embodiment, the IC tag 32 is used as a physically individualized article. In order for the storage apparatus 10A to acquire information held by the IC tag 32, the storage apparatus 10A is provided with a short-range antenna 31 as a key information input unit. The short-range antenna 31 emits an electromagnetic wave signal including electric power necessary for the IC tag 32 to operate within a very short range (for example, about several tens of cm to 2 m).

  On the other hand, the IC tag 32 transmits unique information (= key information) held therein in response to the electromagnetic wave signal as an electromagnetic wave signal. When the transmitted electromagnetic wave signal reaches the short-range antenna 31 of the storage apparatus 10A again, it is received and sent to the CPU 12. Subsequent processing such as examination of the sent information is as described above. In other words, this embodiment can be grasped by the difference that the physical key 17 is merely replaced with the IC tag 32.

  Beyond this, this embodiment is a mode in which communication with the IC tag 32 is performed in response to a command from the CPU 12 even after access to the storage unit 14 becomes possible, and predetermined specific information from the IC tag 32 is obtained. It is also conceivable to use such that only the storage unit 14 can be accessed. For example, if the IC tag 32 is embedded in the name tag of a legitimate user, the storage unit 14 cannot be automatically accessed when the user leaves the work desk. Such an improvement in security when left connected to a host device is an effect specific to this embodiment.

  When the user returns to the work desk, predetermined storage information can be acquired again from the IC tag 32 so that the storage unit 14 can be automatically accessed. Even if the IC tag 32 is not provided, it is possible to return to a state in which access to the storage unit 14 is possible if authentication is obtained by inputting a fingerprint from the fingerprint input unit 15.

  Next, still another embodiment of the present invention will be described with reference to FIG. FIG. 4 is a perspective view (FIG. 4 (a)) and a block diagram (FIG. 4 (b)) showing the configuration of a storage apparatus according to still another embodiment of the present invention, which are the same as those already described. Numbered. The description is omitted unless it is added.

  In this embodiment, the SIM 41 is used as a physically individualized article. In this embodiment, the SIM 41 further functions as a reference information holding unit. That is, in this embodiment, the reference information holding unit is provided not on the main body side but on the individualized article side. The SIM 41 has a plurality of electrodes 42 on its surface, and the internal electrode and the electrode 42 are in electrical contact with each other when inserted into a SIM insertion portion 43 provided in the storage apparatus 10B. The SIM insertion unit 43 thus functions as a key information input unit and a reference information holding unit receiving unit.

  The SIM 41 is made of a plate-like resin having a long side of about 25 mm and a short side of about 15 mm. The thickness is within 1.0 mm (usually 0.76 mm) and is a uniform thin plate. For example, contact (ISO7816-2, ISO7816-3) and non-contact dual mode IC modules are sealed inside the plate electrically connected to the plurality of electrodes 42. The reason why the SIM 41 has a cutout at one vertex of the rectangle is to facilitate identification of the insertion direction and the plate surface direction when the SIM 41 is inserted into the storage device 10B.

  Since the SIM 41 cannot restore the data stored internally physically or electrically by itself, the SIM device 41 has a high tamper-proof property. The security of the accumulated data can be improved. By holding the SIM 41 separately from the storage apparatus 10B, it is further impossible for a third party to read the data stored in the storage unit 14.

  As in the above-described embodiments, the reference information holding unit may be provided in the storage apparatus 10B instead of in the SIM 41. In this case, the template data is written to the reference information holding unit provided in the storage apparatus 10B in a controlled manner by examining the key information in the SIM 41 as in the above embodiment. Furthermore, the data stored in the storage unit 14 can be encrypted using information stored in the SIM 41 as a key. This also improves security.

  It should be noted that an IC card having the same function can be used as a physically individualized item instead of the SIM 14.

1 is a perspective view (partially broken) and a block diagram showing a configuration of a storage apparatus according to an embodiment of the present invention. The block diagram which shows the structure of the storage apparatus which concerns on another embodiment of this invention. FIG. 9 is a perspective view (partially broken) and a block diagram showing a configuration of a storage apparatus according to still another embodiment of the present invention. FIG. 9 is a perspective view (partially broken) and a block diagram showing a configuration of a storage apparatus according to still another embodiment of the present invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10,10A, 10B ... Storage apparatus, 11 ... Interface, 12,12A ... CPU, 13 ... Reference information holding part, 14 ... Storage part, 15 ... Fingerprint input part, 16 ... Physical key information input part, 17 ... Physical Key, 21 ... Hub, 22 ... Hub controller, 23 ... Storage unit controller, 31 ... Key information input unit (short distance antenna), 32 ... IC tag, 41 ... SIM, 42 ... Electrode, 43 ... SIM insertion unit.

Claims (11)

A biometrics information input unit for inputting biometrics information;
A template data conversion processing unit that converts the input biometric information into template data;
An authentication processing unit for performing authentication processing by comparing the templated biometrics information with the templated biometrics information held in the reference information holding unit;
An interface to exchange data with the outside,
Based on the fact that authentication has been obtained by the authentication processing unit, access to the outside becomes possible, and data sent from the outside via the interface is accumulated by the access and / or accumulated via the interface. A storage unit that outputs the stored data to the outside,
An operation for holding the biometrics information that has been processed into the template data in the reference information holding unit is performed, and permission / non-permission of the operation is determined by acquisition / examination of information of physically individualized articles. And a holding operation control unit.   The storage apparatus according to claim 1, further comprising the reference information holding unit.   The storage apparatus according to claim 2, wherein the reference information holding unit is included in the physically individualized article.   The storage apparatus according to claim 3, wherein the reference information holding unit is included in a SIM or an IC card as the article that is physically individualized. An encryption unit that encrypts the data sent from the outside via the interface and supplies the encrypted data to the storage unit;
The storage apparatus according to claim 1, further comprising: a decryption unit that decrypts the encrypted data stored in the storage unit, and sends the decrypted data to the outside through the interface.   The holding operation control unit emits an electromagnetic wave signal including power necessary for the operation of the article to acquire the information of the article, and the electromagnetic wave signal transmitted from the article in response to the radiation The storage apparatus according to claim 1, wherein the storage apparatus is received.   The storage apparatus according to claim 1, wherein the biometric information input unit inputs fingerprint information as the biometric information.   The storage apparatus according to claim 1, wherein the interface conforms to a USB standard. The template data conversion processing unit, the authentication processing unit, and the holding operation control unit are each operated by processing in the CPU,
The CPU includes a storage unit controller that controls accumulation of data in the storage unit and output of data from the storage unit, and is interposed between the interface and the storage unit. The storage device described. Enter biometric information,
The inputted biometrics information is processed as template data,
The template data-processed biometrics information is acquired in the physically individualized article and stored in the reference information holding unit based on examination of the acquired information,
The biometrics information processed by the second template data different from the biometrics information processed by the template data is subjected to authentication processing by collating with the templated biometrics information held as a reference,
Based on the fact that authentication has been obtained by the authentication processing, the data sent from the outside through the interface is stored in the storage unit and / or the data stored in the storage unit is output to the outside through the interface. A storage method characterized by the above.   11. The storage method according to claim 10, wherein the obtained authentication is invalidated when connection with the outside through the interface is interrupted.

Images