JP2006146748A - Computer built-in apparatus and data delivery method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a computer built-in apparatus and a data delivery method, capable of restricting an uploadable frequency or apparatus by only an information storage medium delivered to a user by an easy process without accessing another information source such as a network. <P>SOLUTION: A provider of a program or the like stores data to be uploaded, and encrypted upload restriction information into the information storage medium 31, and delivers them to the user. The computer built-in apparatus 10 decrypts the upload restriction information of the set information storage medium, and uploads the data from the information storage medium only when it is authentic and permits the upload. By erasing the upload restriction information used for acquisition of the upload permission, a permission frequency of the upload can be substantially restricted/managed by a registration number of the upload restriction information. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a computer built-in device such as a copying machine, a facsimile machine, and a printer that can be added and updated by uploading a program and data from an information storage medium, and more particularly to a technique for preventing unauthorized uploading.

  In the case of a computer-embedded device, the contents of the program may be added or changed after the device goes on the market due to a change in the specification of the program or addition of options.

  At this time, if the computer device is connected to the network, the program can be provided after confirming the authority of the user from the server.

  On the other hand, for devices that are not connected to the network, the program is stored in an information storage medium such as a CD-ROM (Compact Disk Read Only Memory) and distributed. In this case, if the information storage medium is obtained, anyone can use the program, which causes inconvenience when it is desired to provide the program only to authorized users.

  Therefore, as a method for preventing the use of an unlimited program, there is a method for distributing a release key of a locked program only to a specific user. However, there is a drawback that anyone can use the program once the release key is obtained.

  In order to solve these drawbacks, the following method using a file management program has been proposed for program distribution of a general-purpose personal computer (hereinafter, PC). The file management program is a program for unlocking a program to be distributed (hereinafter referred to as a distribution program) and managing its use authority.

  The file management program is stored in the same information storage medium as the distribution program, and is installed on the PC prior to the distribution program. The installed file management program generates a unique ID (IDentification) for identifying this PC. This ID is transmitted to the program provider by the user, and the program provider creates a release key unique to the PC from this ID. When the user receives this release key and inputs it to the file management program, the locked distribution program can be used. Since this release key includes an ID for identifying the PC, it cannot be used on another PC.

  Furthermore, since the file management program continuously monitors the usage status of the uploaded distribution program, the usage period and the number of times of use can be limited by the settings (Patent Document 1). reference).

JP 2002-251325 A

  In the above method, since the use authority must be confirmed by the file management program every time the distribution program once uploaded is executed, the processing load on the CPU increases.

  When trying to use such a method in a computer embedded device having only a CPU having a relatively low processing capability, it takes a long time to confirm the use authority, and the usability deteriorates.

  In addition, in the method in which the user obtains a release key specific to each device from the program provider, it is necessary to equip a network connection means separately even though the program is provided on the information storage medium, and the program is stored in the information storage medium. The benefits provided by the medium will be diminished.

  The present invention is intended to solve the above problem, and provides a computer embedded device and a data delivery method capable of limiting the number of times and devices that can be uploaded from an information storage medium by simple processing. It is aimed.

  Another object of the present invention is to provide a computer-embedded device and data delivery that can realize upload restriction only by an information storage medium delivered to a user without requiring access to other information sources such as a network. It aims to provide a method.

The invention according to claim 1 is a storage means for storing uploaded data;
Medium access means for reading information stored in the information storage medium;
Decryption means for reading and decrypting encrypted upload restriction information stored in the information storage medium by the medium access means;
The upload target data stored in the information storage medium is read by the medium access means and stored in the storage means only when the upload restriction information obtained by decryption by the decryption means permits uploading. And an uploading means for executing an upload process.

  According to the above invention, the computer-embedded device uploads data from the information storage medium only when the encrypted upload restriction information read from the information storage medium permits uploading. Since the upload restriction information for determining whether or not the upload can be executed is encrypted, the permission contents as set by the provider are observed and safe and accurate management becomes possible.

  A computer built-in device is a device in which the CPU controls the operation of components incorporated in the device based on a program stored in advance in storage means such as a ROM (Read Only Memory). Any kind of device may be used as long as it has a proper function.

  However, in the present invention, at least a part of such a program can be rewritten, and it is necessary to have a function of uploading data read from an external information storage medium and adding or updating the existing program.

  In this computer built-in device, upload means that operates according to the upload restriction information is incorporated at the time of manufacture. Therefore, the upload target data cannot be uploaded against the contents of the upload restriction information unless even the upload restriction information on the information storage medium is falsified.

  The information storage medium is a portable physical information storage means as long as it can provide a program to be added or updated to the computer embedded device according to the present invention, such as a USB (Universal Serial Bus) memory or a CD-ROM. Anything can be used.

  The medium access means may be configured as a CD-ROM drive, a USB connector, or the like at the time of manufacturing the computer embedded device, or may be configured to be connected later with an external peripheral device for accessing the information storage medium.

  The upload restriction information is information that is referred to in order to define the operation of the upload means. Specifically, data uploads, such as whether or not data can be read, the number of times, information that identifies computer devices that permit upload processing, and data identification information that specifies which data to upload from among multiple data This is information that serves as a criterion for determining whether or not to permit processing.

  The information is encrypted by the encryption means possessed by the provider of the upload target data. For encryption, a predetermined encryption algorithm and a key for encryption are used. The decryption means decrypts the upload restriction information using a corresponding decryption algorithm and a decryption key.

  The encryption key uses a common (secret) key that is common to the encryption means and the decryption means, and the encryption means uses a secret key based on the public key cryptosystem, and the decryption means uses this key. Either of the cases where the public key corresponding to is used. In the former case, the secret key as a common key may be different for each device and for each user, a different secret key may be used for each information storage medium, or the same secret key is used for all devices. It may be used.

In the invention according to claim 2, the upload means includes electronic authentication means.
The upload restriction information includes a pair of restriction information for determining permission of upload and authentication information for confirming whether the upload restriction information is authentic, and one of them is a secret key of a public key cryptosystem. Consists of a set of information encrypted with
The decoding means decodes the information set;
The upload means determines whether or not the upload restriction information is authentic from restriction information and authentication information included in the information set decrypted by the decryption means, and the restriction information is authentic and The computer-embedded device according to claim 1, wherein the upload process is executed only when uploading is permitted.

  According to the above invention, when the upload restriction information set by the data provider has been falsified by another person, the upload process of data from the information storage medium is prohibited regardless of the content of the upload restriction information. Can do.

  The electronic authentication means constitutes a part of the upload means and confirms whether or not the upload restriction information has been tampered with prior to the upload process. The upload unit executes the upload process only when it is confirmed that the upload restriction information is not falsified and the decrypted upload restriction information permits.

  The data provider creates authentication information corresponding to the restriction information from the predetermined restriction information to form a pair of information sets. Here, the restriction information is information representing whether upload is possible or not in a format that can be directly determined by the upload means. On the other hand, the authentication information confirms the identity of the restriction information set by the data provider and the restriction information uniquely specified from the authentication information, such as a copy of the restriction information or a hash value obtained by converting the restriction information with a hash function. Any information is possible.

  A hash function is a calculation method for generating a fixed-length hash value from original information. This function is unidirectional, and is characterized in that it is extremely difficult to extract the original information from the created hash value or to find different information that generates the same hash value.

  Either the restriction information or the authentication information is encrypted with a private key of a public key cryptosystem possessed only by the data provider. This is stored in the information storage medium as an information set together with the other information not encrypted.

  The decryption means on the computer-embedded device side has a public key corresponding to this secret key, and uses this to decrypt the encrypted information in the information set. Since it is known that only the data provider has the private key corresponding to this public key, it can be confirmed that the decrypted information has been written in the storage means by the provider.

  Here, if the authentication information is a hash value of the restriction information, a hash value generation means is also provided in the electronic authentication means on the computer embedded device side, and a hash value is separately generated from the restriction information using this.

  Using the result of decrypting the encrypted information included in the information set, compare the restriction information and its hash value with the authentication information, and if the two information match, the upload restriction information has not been falsified Can be confirmed.

In the invention according to claim 3, the upload restriction information includes one or more information sets.
The media access means, each time the upload means executes the upload process, erases all of the information set used for obtaining the upload permission at that time and the information set having the same content as the information set. 2. The computer-embedded device according to 2.

  According to the above invention, when the data is uploaded, the information set used for obtaining the permission and the information set having the same content are all deleted, so that the same information set is not used for repeated uploads. In effect, the number of times allowed for uploading can be limited and managed.

  It should be noted that when all information sets are deleted, it is necessary not to misunderstand that uploading is permitted without limitation. For this, the upload unit itself may be configured so that upload restriction information is always required to execute the upload process, or if there is no upload restriction information, the information storage medium is prohibited from being uploaded. Information may be written to the information storage medium in advance or when all information sets are erased.

  In addition, when an upload process is executed, all information sets that have the same contents as the information set used to obtain the permission are deleted, so an illegal attempt is made to duplicate the information set and increase the number of uploads. However, this can be disabled and limited to the original number of uploads.

  Furthermore, even if a part of the copied information set is rewritten so that the illegally copied information set is not deleted, electronic authentication is performed when the information set is used, so that tampering is detected and unauthorized. Uploading with a simple information set is prevented.

In the invention according to claim 4, the restriction information included in the information set includes an identifier that identifies a computer embedded device that is permitted to execute the upload process.
4. The computer-embedded device according to claim 2, wherein the upload unit obtains upload permission only from the information set including the identifier that identifies the device. 5.

  According to the above invention, it is possible to specify a device and limit uploading.

  The identifier included in the upload restriction information may be a serial number used when manufacturing each computer-embedded device, or a separate ID may be set. Any device can be used as long as each device can be distinguished from each other. It may be a thing.

  The uploading means may decrypt each information set to search for an information set including its own identifier. If an unencrypted identifier is added to each information set, the uploading means may rely on it. A machine information set may be recognized.

In the invention according to claim 5, the upload target data stored in the information storage medium is digitally signed,
The upload unit includes a data authentication unit that authenticates whether or not the upload target data is authentic by using an electronic signature, and executes the upload process only when the authenticity of the upload target data is confirmed by the data authentication unit. The computer-embedded device according to claim 1, 2, 3 or 4.

  According to the above invention, whether or not the upload target data is falsified is checked by the electronic signature, and the upload process is executed only when there is no falsification.

  The electronic signature is information used when electronically authenticating that the upload target data has not been tampered with, and is obtained by encrypting the authentication information for uniquely identifying the upload target data with the private key of the public key cryptosystem It is.

  The authentication information may use a copy of the upload target data as it is, or may be a hash value. The advantages of hash values are as follows. That is, generally, the encryption information using the public key cryptosystem has a complicated algorithm and takes a long time for the decryption process. Further, data such as programs to be added / updated has a larger amount of information than upload limit information. Therefore, by encrypting a hash value with a small amount of data rather than encrypting a copy of data as authentication information as it is, the amount of information to be decrypted is reduced, and the authentication process is made efficient.

The invention according to claim 6 is a computer built-in device according to claim 1, 2, 3, 4, or 5, further comprising a display means for displaying a cause of the limited execution of the upload process. .

  According to the above invention, the user can know the cause when the upload process is restricted.

  The display means may be a display screen provided in the computer built-in device, or may be a function of transmitting information to be displayed to an external display device.

The invention according to claim 7 is that the computer-embedded device is any one of a copying machine, a facsimile machine, a printer, a scanner, or a multifunction machine having two or more functions including at least one of these functions. The computer-embedded device according to claim 1, 2, 3, 4, 5 or 6.

  According to the above invention, it is possible to limit upload processing of data stored in an information storage medium for devices such as copiers and multifunction peripherals.

The invention according to claim 8 stores in the information storage medium the upload target data to be uploaded to the computer embedded device and the encrypted upload restriction information for limiting the upload of the upload target data,
In the computer-embedded device, the encrypted upload restriction information is read from the information storage medium, decrypted, and stored in the information storage medium only when the upload restriction information obtained by decrypting permits the upload. It is a data delivery method characterized by reading the uploaded data and uploading it to the device.

  According to the above invention, uploading of data stored in the information storage medium delivered to the user can be limited only when the upload restriction information encrypted and stored in the information storage medium permits.

  The computer-embedded device may be any device that has a function of uploading a program or data read from an external information medium and adding or updating the program or data to an existing program.

In the invention according to claim 9, the upload restriction information includes a pair of restriction information for determining permission of upload and authentication information for confirming whether or not the restriction information is authentic. Is configured as an information set encrypted with a public key cryptography private key,
In an information storage medium, upload target data to be uploaded to a computer embedded device and the information set corresponding to the number of times allowed for upload, and the contents of the restriction information differ from each other, and delivered,
In the computer embedded device, the information set is read from the information storage medium, the information set is decrypted, and it is determined whether or not the upload restriction information is authentic from the decrypted restriction information and the authentication information. Only when there is at least one information set including restriction information, the upload target data is read from the information storage medium and uploaded to the device, and any one information set corresponding to the genuine upload restriction information and 9. The data delivery method according to claim 8, wherein all information sets having the same contents are erased from the information storage medium.

  According to the above invention, when the data is uploaded, the information set used for obtaining the permission and the information set having the same content are all deleted, so that the same information set is not used for repeated uploads. In effect, the number of times allowed for uploading can be limited and managed.

In the invention according to claim 10, the upload restriction information includes a pair of restriction information for determining permission of upload and authentication information for confirming whether or not the restriction information is authentic. Is configured as an information set encrypted with a public key cryptography private key,
In an information storage medium, upload target data to be uploaded to a computer embedded device and the information set corresponding to the number of times allowed for upload, and the contents of the restriction information differ from each other, and delivered,
In the computer-embedded device, the information set is read from the information storage medium, the information set is decrypted, and it is determined whether the upload restriction information is authentic from the decrypted restriction information and the authentication information. Only when there is at least one information set including genuine upload restriction information including an identifier, the upload target data is read from the information storage medium and uploaded to the device, and the authentic upload including the device identifier is performed. 10. The data delivery method according to claim 9, wherein any one information set corresponding to the restriction information and all information sets having the same content are erased from the information storage medium.

  According to the above invention, it is possible to specify the device and limit the number of times the upload process is permitted.

  According to the computer-embedded device according to the present invention, uploading of data stored in an information storage medium is limited to a range permitted by upload restriction information encrypted and stored in the information storage medium. It is possible to eliminate illegal uploads by simple processing and to limit and manage the number of uploads and devices. Moreover, since the upload restriction can be realized only by the information storage medium delivered to the user, it can be applied to a local device that does not have access means to other information sources such as a network, and the merit provided by the information storage medium is utilized.

  An apparatus that has an authentication means for upload restriction information and permits upload only when the authentication is successful can prohibit unauthorized uploading by falsification of the upload restriction information.

  When uploading data, the upload restriction information (information set) used to obtain the permission and all the upload restriction information with the same content are deleted. Even if the upload restriction information is copied illegally, Uploads can be limited to the number of executions as set.

  When the upload restriction information includes the identifier of the computer device, the uploading computer built-in device can be specified and restricted.

  In the case of having the data authentication means, when a person other than the data provider falsifies the upload target data in the storage medium, this can be detected and illegal uploading can be prevented.

  In the case of having the display means, the user is informed of the cause when the upload process is restricted, so that the user's anxiety can be resolved by distinguishing it from the failure of the computer built-in device.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows an electrical configuration of a multifunction machine 10 that is a computer-embedded device according to an embodiment of the present invention.

  In addition to the function as a copying machine that reads a document and forms a duplicate image on recording paper, the multifunction device 10 scans the document and outputs the corresponding image data, according to the print data received through the network. This is a device having a printer function for printing, a facsimile function for transferring and reproducing image data through a telephone line, and the like.

  Here, the MFP 10 according to the embodiment of the present invention has an execution function of an upload process that reads and stores a program for addition / update from an information storage medium. Also, predetermined upload restriction information is read from the information storage medium before uploading, and upload processing is executed only when this information permits.

  The multifunction machine 10 is a circuit having a CPU (Central Processing Unit) 11 as a control unit that performs overall control of the operation, a ROM (Read Only Memory) 12 and a RAM (Random Access Memory) 13 as main parts. It consists of

  The ROM 12 is a flash ROM that can be rewritten for additional updates of programs, and stores programs executed by the CPU 11 and various fixed data.

  The RAM 13 functions as a work memory that temporarily stores various data when the CPU 11 executes a program, and a page memory that stores at least one page of image data for performing a rotation process. The RAM 13 is used as a memory for temporarily storing these pieces of information while performing upload authentication information acquired from the information storage medium 31 and electronic authentication of a program to be additionally updated.

  Further, the CPU 11 includes a display unit 20, an operation unit 21, an image reading unit 22, an image storage unit 23, an image processing unit 24, an image forming unit 25, an image output unit 26, and a facsimile control unit 27. LAN (Local Area Network) connection control means 28 and medium access means 30 are connected.

  The display means 20 is constituted by a liquid crystal display and fulfills a function of displaying various guidance displays and status displays to the user. On the display means 20, individual operation screens are switched and displayed for each function such as a copying function, a facsimile function, a printer function, and a scanner function.

  The operation unit 21 includes various operation switches and a touch panel that covers the surface of the display unit 20, and has a function of accepting various operations from the user.

  The image reading means 22 has a function of reading a document image and taking in corresponding image data. The image reading means 22 includes a light source for illuminating the original, a line image sensor for reading the original for one line in the width direction, a moving means for moving the reading position in units of lines in the length direction of the original, and reflection from the original. And an optical path composed of a lens and a mirror for guiding light to a line image sensor to form an image. The line image sensor is composed of a CCD (Charge Coupled Device). The analog image signal output from the line image sensor is A / D converted and captured as digital image data.

  The image storage means 23 is a large-capacity storage device for storing compressed image data, print data, and the like. Here, a hard disk device (HDD) is used.

  The image processing unit 24 has a function of enlarging / reducing the image data, a function of rotating the screen, and the like.

  The image forming unit 25 functions to form and output an image corresponding to the image data on a recording sheet by an electrophotographic process. The image forming unit 25 is configured as a so-called laser printer having a recording paper transport device, a photosensitive drum, a charging device, a laser unit, a developing device, a transfer separation device, a cleaning device, and a fixing device. ing.

  The image output unit 26 functions to supply the image data stored in the image storage unit 23 to the image forming unit 25 in accordance with the operation timing of the image forming unit 25.

  The facsimile control unit 27 performs a function of compressing / decompressing image data by a compression method corresponding to facsimile, and a function of controlling various communication procedures for facsimile transmission / reception.

  The LAN connection control means 28 performs control for transmitting / receiving information to / from a computer on the same premises as the multifunction machine 10 through the LAN.

  The medium access means 30 functions to read information from the information storage medium 31 and to erase information in the information storage medium 31. Here, since a USB memory is used as the information storage medium 31, the medium access means 30 is composed of a USB control unit and a USB connector.

  The USB memory that is the information storage medium 31 is a portable flash memory that is used by being connected to a USB connector. In the information storage medium 31, a program to be uploaded to the ROM 12 and upload restriction information are written and stored in advance by the provider. A flash memory is a kind of ROM that can electrically rewrite stored contents any number of times, and can erase internal data all at once or in blocks and newly write data.

  The CPU 11 has functions as a decrypting means 40 for decrypting the encrypted information and an uploading means 41 for uploading information in the information storage medium 31 and determining whether or not it is possible. Further, the upload means 41 has functions as an electronic authentication means 42 for confirming the authenticity of the upload restriction information in the information storage medium 31 and a data authentication means 43 for confirming the authenticity of the upload target data.

  FIG. 2 shows the attachment position of the USB connector 32 that forms part of the medium access means 30. The USB connector 32 is attached to the right end of the front operation panel 50 of the multifunction machine 10. When the user inserts the plug portion of the information storage medium 31 into the USB connector 32 and performs a predetermined upload start operation, the data delivery operation is started.

  FIG. 3 shows the operation panel 50 of the multifunction machine 10. The operation panel 50 includes a display unit 20, an operation unit 21, and a USB connector 32. The operation means 21 includes various buttons for performing basic operations of the multifunction machine 10 and a touch panel that covers the screen of the display means 20. From this touch panel, detailed settings of the copying function and operations related to upload processing are performed.

  FIG. 4 shows the data structure of the information storage medium 31. The information storage medium 31 is provided with both an upload restriction information holding area 200 and an upload target data holding area 201 in the storage area (hereinafter referred to as a restriction type), and only the upload target data holding area 201 is provided. There are two types (hereinafter referred to as free type).

  Due to the difference in data structure, it can be determined whether or not the data in the information storage medium 31 is protected by the upload restriction information.

  The upload restriction information holding area 200 is an area for storing upload restriction information. The upload restriction information is configured to include one or more pairs of information sets including restriction information 202 and authentication information 203 as shown in the enlarged view 200 (a) of the upload restriction information holding area in FIG. Yes.

  Of the information set, the restriction information 202 is information indicating whether or not uploading is permitted. Furthermore, the restriction type can be divided into “restriction type A” that includes an identifier for specifying a device to be uploaded in restriction information 202 and “restriction type B” that does not include such an identifier.

  On the other hand, the authentication information 203 is information that is compared with the restriction information 202 to confirm that the restriction information 202 has not been tampered with.

  The content of the authentication information 203 needs to be uniquely determined from the restriction information 202 for the purpose of comparison with the restriction information 202. Therefore, in the present embodiment, information obtained by encrypting the same information as the restriction information 202 with the secret key of the public key cryptosystem is adopted as the authentication information 203. However, if the amount of information of the restriction information 202 is large and it takes time to perform decryption work for electronic authentication, the hash value of the restriction information 202 may be used. In the following drawings, encrypted information is represented by (dark) symbols.

  The public key encryption method is an information encryption / decryption method using a pair of secret key and public key. When certain encrypted information can be decrypted with a specific public key, it can be confirmed that this information is information encrypted by a person having a secret key corresponding to the public key.

  This private key is possessed only by the person who stored the upload restriction information in the information storage medium 31, that is, the provider of the upload target data 205.

  In order to confirm that the restriction information 202 has not been tampered with, either the restriction information 202 or the authentication information 203 can be encrypted with the private key of the public key cryptosystem and stored in the information storage medium 31. Is enough.

  In the present embodiment, since the restriction information 202 and the authentication information 203 are the same, the same information set is obtained regardless of which is encrypted. Therefore, hereinafter, unencrypted information is referred to as restriction information 202, and encrypted information is referred to as authentication information 203. However, this is named as a matter of convenience, and if the contents of both pieces of information are different, such as when the authentication information 203 is a hash value of the restriction information 202, whichever information is encrypted, the information can be obtained by the present invention. The effect is unchanged.

  As shown in FIG. 4 (a), the upload target data holding area 201 stores an electronic signature 204 and upload target data 205.

  The upload target data 205 is an update / addition program of the multifunction machine 10 stored in the ROM 12 or numerical data referred to by the program. This data is stored in the upload target data holding area 201 without being encrypted by the upload target data provider.

  The electronic signature 204 is encrypted signature information attached to the upload target data 205, and uses the public key cryptosystem described above to prove the data provider in the information storage medium 31, and the data Guarantees that it has not been tampered with.

  The data provider obtains a hash value by converting the upload target data 205 using a hash function. As in the case of the authentication information 203 described above, this is encrypted with the secret key of the public key cryptosystem possessed only by the provider, and stored in the information storage medium 31 together with the data.

Next, the upload processing operation of the upload unit 41 will be described.
FIG. 5 shows an operation flow in which the upload unit 41 uploads the upload target data 205 from the information storage medium 31. Although FIG. 1 shows the configuration having the data authentication means 43, the operation when the data authentication means 43 is used will be described later. Here, the operation when the data authentication means 43 is not used will be described. 6 to 11 and FIG. 13 show various display screens displayed on the display means 20 of the multifunction machine 10 in each operation of the flowchart of FIG.

  The multifunction device 10 displays a copy basic screen 210 as shown in FIG. 6 in a standby state. This screen 210 includes a guide display unit 211 that can display various guides for notifying the status of the upload process, and an operation unit 212 on which various operation buttons for changing the setting contents are arranged. Yes.

  When the user inserts the information storage medium 31 into the USB connector 32 while the copy basic screen 210 is displayed, the CPU 11 automatically recognizes this via the medium access means 30, and switches the copy basic screen 210 to the upload start confirmation screen. .

  FIG. 7 is the upload start confirmation screen 220 described above. This screen 220 is a screen for accepting an instruction to start upload processing. The guide display unit 221 displays a message requesting the user to confirm upload processing start.

  An authority confirmation progress indicator 222 and an authority confirmation remaining time display 223 are displayed in the lower column of the guide display unit 221, and an “OK” button 224 and a “cancel” button 225 are displayed on the right side of these displays. Is provided.

  When the user presses the “OK” button 224, the upload process is started, and when the “Cancel” button 225 is pressed, the screen is switched to the copy basic screen 210 and enters a standby state. If the set information storage medium 31 is neither a restricted type nor a free type, a notification to that effect is returned to the basic copy screen 210.

  FIG. 8 is an upload authority confirmation screen 230 displayed when the “OK” button 224 is pressed on the upload start confirmation screen 220.

  In the upper guide display section 231 of this screen 230, a message indicating that uploading authority is being confirmed and that care is taken not to pull out the USB memory (information storage medium 31) during that time is displayed. ing.

  The authority confirmation progress indicator 222 displays the progress status of the authority confirmation work as a band graph indicator, and the authority confirmation remaining time display 223 displays the approximate remaining time until the work is completed.

  The “OK” button 224 is grayed out so that the user does not operate it by mistake.

  An operation performed by the upload unit 41 while the upload authority confirmation screen 230 is displayed will be described with reference to FIG.

  When the user operates the “OK” button 224 on the upload start confirmation screen 220 and receives an instruction to start executing the upload process (step S101), the upload unit 41 determines whether the set information storage medium 31 is a restricted type. It is confirmed whether it is a free type (step S102).

  In the case of the free type (step S102; No), the upload process of the upload target data 205 is started immediately, but in the case of the restriction type (step S102; Yes), the following operation is executed.

  First, the upload unit 41 acquires all the information sets in the upload restriction information holding area 200 through the medium access unit 30, and stores them in the RAM 13 which is a temporary memory (step S103).

  Subsequently, when there are a plurality of stored information sets, the upload unit 41 checks whether there is an information set including the identifier of the own device (step S104), and the information in the information storage medium 31 is It is determined whether the restriction type A includes an identifier for identifying a device or the restriction type B does not include an identifier.

  When the restriction type is A (step S104; Yes), the authentication information 203 of the information set is decrypted using the decryption means 40 (step S105).

  The decrypting means 40 holds a public key used for decryption in advance. This public key corresponds to a secret key of a public key cryptosystem obtained by encrypting the authentication information 203 by the provider of upload target data.

  The electronic authentication means 42 compares the decrypted authentication information 203 with the restriction information 202, and if the contents are the same, the upload restriction information 202 is authentic and not falsified. (Step S106; Yes) and the execution of the upload process is started.

  If the compared authentication information 203 and restriction information 202 do not have the same content (step S106; No), the upload means 41 determines that the restriction information 202 has been tampered with, and displays the upload restriction information on the display means 20. The detection screen 240 is displayed (step S110).

  FIG. 9 is an example of the upload restriction information falsification detection screen 240. The guide display unit 241 displays a message indicating that the upload restriction information has been falsified.

  When the user presses the “OK” button 224, the screen is switched to the copy basic screen 210, and the upload unit 41 ends the operation related to the upload process.

  Here, if the upload restriction information has been falsified, if there is an information set that has not been authenticated yet in the RAM 13, an information set in which the restriction information 202 has not been falsified for all remaining information sets. You may set so that operation | movement of step S104 of FIG. 5 to step S106 may be repeated until it confirms.

  When the information in the information storage medium 31 is the restriction type B that does not include the device identification identifier (step S104; No), the upload unit 41 makes the following determination.

  In this case, the upload unit 41 confirms whether or not one or more information sets are stored in the RAM 13. If it can be confirmed that it is stored (step S111; Yes), the upload means 41 decrypts the authentication information 203 of an arbitrary information set using the decryption means 40 (step S112). From the decrypted authentication information 203, it is authenticated that the restriction information 202 of the information set has not been falsified by the same method as described above, and if the authentication is successful (step S113; Yes), the upload process is started.

  When it is confirmed that the restriction information 202 has been tampered (step S113; No), the tampered information set is deleted from the RAM 13 (step S114), and it is confirmed whether there is another information set. Returning to the step (step S111).

  If there is no authenticated information set, all information sets are erased from the RAM 13, and no information set remains (step S111; No), the user has the authority to upload data in the information storage medium 31. It is confirmed that there is not.

  In this case, the upload unit 41 displays an upload prohibition screen 250 indicating that on the display unit 20 (step S115).

  FIG. 10 shows an example of the upload prohibition screen 250. The guide display unit 251 displays a message that the user is not authorized to upload data from the information storage medium 31.

  When the user presses the “OK” button 224, the screen is switched to the copy basic screen 210, and the upload unit 41 ends the operation related to the upload process.

  If it can be confirmed that the upload restriction information has not been falsified by the above-described operation (FIG. 5, step S106; Yes or S113; Yes), the upload means 41 will display the contents of the restriction information 202 of the information set authenticated at that time. Accordingly, the upload target data 205 is read from the information storage medium 31 and stored in the ROM 12 (step S107).

  FIG. 11 shows an example of the upload execution display screen 260 displayed on the display means 20 at this time. The guide display unit 261 displays messages indicating that the program is being rewritten and that care should be taken not to remove the USB memory (information storage medium 31) until the end of rewriting.

  In the lower column of the guide display portion 261, an upload progress indicator 262 and an upload processing remaining time display 263 are displayed. The upload progress indicator 262 displays the progress of the upload process as a band graph indicator, and the upload process remaining time display 263 displays the approximate remaining time until the process is completed. On the right side of these displays, an “OK” button 264 is provided, but at this stage, it is grayed out and does not accept a command from the user.

  While the screen 260 is displayed, the upload unit 41 further executes the following operation.

  When the upload process is completed, the upload unit 41 confirms that the upload process is successful, and then erases all information sets having the same contents as those used for permission of the upload process from the information storage medium 31 (FIG. 5, Step S108).

  As a result, it is possible to prevent the upload unit 41 from mistakenly identifying an illegally copied information set as a legitimate one and executing an upload of a program or the like.

  Furthermore, due to such steps, the information storage medium 31 functions as a counter that limits the number of upload processes.

  For example, as shown in Example 1 in FIG. 12, if restriction information 202 (a) of restriction type B that does not include an identifier is stored for the number of times permitted, the information storage is performed regardless of the target device of the upload process. The total number of times data can be uploaded from the medium 31 can be limited. In Example 1 of FIG. 3, since three pieces of restriction information 202 (a) are registered, subsequent uploads are restricted to three times. Note that the display of the authentication information is omitted in each example of FIG.

  Also, as shown in Example 2 of FIG. 12, if the restriction information 202 (b) of restriction type A including an identifier is stored for each of the multifunction peripherals 10 for which upload processing is to be permitted, the plurality of identified multiple items are stored. Data can be uploaded to the multifunction device 10 using one information storage medium 31. In the example 2 of FIG. 6, since the restriction information 202 (b) is registered in each of the A machine, the B machine, and the C machine, each machine can upload once.

  Furthermore, if these functions are combined and restriction information 202 (c) of restriction type A including an identifier is stored for the number of times permitted for each device, as shown in Example 3 of FIG. The number of times that data can be uploaded can be individually set for each device, such as how many times for other devices and how many times for other devices. In the example 3 in the figure, since the restriction information 202 (c) is registered three times for the A machine and twice for the B machine, the total upload can be restricted to five times while keeping these conditions. .

  However, in order for the information set to function as a counter in this way, the contents of the restriction information 202 are different from each other so that an unused information set is not erased at the same time as the information set once used to permit upload processing. Need to be.

  As described above, when the operation up to step S108 is completed, after confirming that the upload process is successful, the upload execution display screen 260 is switched to the upload completion notification screen 270, and the user is notified that the upload process is completed. (FIG. 5, step S109).

  FIG. 13 is an example of the upload completion notification screen 270. The guide display unit 271 displays a message indicating that the upload process has been completed and a subsequent operation.

  When the user presses an “OK” button 264, the screen is switched to the copy basic screen 210. The user then removes the information storage medium 31 from the USB connector 32 and completes all operations.

  Next, an operation when the authenticity of the upload target data 205 is confirmed using the data authentication unit 43 by the electronic signature 204 will be described. The operation in this case is the same as that shown in FIG. 5 except that step S107 is replaced with the process shown in FIG.

  FIG. 14 shows the flow of processing that is inserted instead of step S107 in FIG. 4 when the data authentication means 43 is used. This processing is reached in the case of the free type or when the upload restriction information permits uploading in the restriction type information storage medium 31.

  First, the upload unit 41 confirms whether or not the electronic signature 204 of the upload target data 205 exists in the upload target data holding area 201 of the information storage medium 31 (FIG. 14, step S301).

  FIG. 15 shows an example of the data alteration confirmation display screen 280 displayed on the display means 20 at this time. The guide display unit 281 displays a message indicating that the upload target data is being confirmed and that the user is careful not to remove the USB memory (information storage medium 31) until the rewriting is completed.

  A data alteration confirmation progress indicator 282 and a data alteration confirmation remaining time display 283 are displayed in the lower column of the guide display portion 281. The progress status of the upload process is displayed as a band graph indicator on the data falsification confirmation progress indicator 282, and the approximate remaining time until the completion of the work is displayed on the data falsification confirmation work remaining time display 283. On the right side of these displays, an “OK” button 284 is provided, but at this stage, it is grayed out and does not accept a command from the user.

  When the electronic signature 204 is not present (FIG. 14, Step S301; No), the data alteration confirmation display screen 280 is switched to a data alteration detection screen 290 described later (Step S307), and the upload process is terminated. For data without the electronic signature 204, since it is not possible to confirm the presence or absence of falsification, the upload process is stopped in consideration of safety.

  Therefore, the data provider must take care to attach the electronic signature 204 to the data when handing over the data with the information storage medium 31 to the user of the multifunction machine 10 having the data authentication means 43.

  When the upload unit 41 recognizes the electronic signature 204 (step S301; Yes), the upload target data 205 and the electronic signature 204 are stored in the RAM 13 as a temporary memory using the medium access unit 30 (step S302). ).

  The data authentication means 43 of the upload means 41 decrypts the electronic signature 204 in the RAM 13 (step S303). The data authentication means 43 holds a public key used for decryption in advance. This public key corresponds to a secret key of a public key cryptosystem obtained by encrypting the authentication information 203 by the provider of upload target data.

  Here, the authentication information 203 of the upload restriction information described above and the electronic signature 204 may be configured to use the same encryption / decryption algorithm and key.

  Next, the data authentication means 43 obtains a hash value for the upload target data 205 in the RAM 13 (step S304), and compares this hash value with the previously decrypted electronic signature 204 (decrypted hash value). . If these values are the same, the upload target data 205 is authenticated as authentic without being falsified (step S305; Yes).

  When it is confirmed that there is no falsification, the upload unit 41 executes an upload process for storing the data in the RAM 13 in the ROM 12 (step S306), ends the process, and returns to step S108 in FIG. 5 (return). .

  If the compared hash values are not the same (FIG. 14, step S305; No), it is determined that the upload target data 205 has been tampered with, and the data tampering detection screen 290 is displayed without returning to the processing of FIG. Display (step S307) The operation related to the upload process is terminated (END).

  FIG. 16 shows an example of the data alteration detection screen 290. The guide display unit 291 displays that the upload target data 205 has been tampered with. When the user presses an “OK” button 284, the screen is switched to the copy basic screen 210, and the operation related to the upload process is completed.

  The embodiment of the present invention has been described with reference to the drawings. However, the specific configuration is not limited to that shown in the embodiment, and there are changes and additions within the scope of the present invention. Are also included in the present invention.

  For example, when the upload unit 41 cannot complete the upload process normally because the USB memory as the information storage medium 31 is pulled out or the power of the multifunction machine 10 is turned off during the data upload process. A rollback function for returning the data in the ROM 12 to the state before the start of the upload process may be provided.

  In addition, when a plurality of upload target data 205 is stored in the information storage medium 31, a screen may be provided that allows the user to select which data is to be uploaded.

  Further, when the information storage medium 31 stores a plurality of upload target data 205 and its electronic signature 204 in the upload target data holding area 201, only the data permitted for upload by the upload restriction information and its electronic signature 204 are stored. Alternatively, the data may be stored in the RAM 13.

  Further, the upload unit 41 may be provided with a function of erasing the information set in which the falsification is detected from the information storage medium 31 so that the upload restriction information that has been falsified is not used again for the permission determination of the upload process.

  Also, if the information storage medium 31 has a non-rewritable ROM for storing unique ID information, and if this ID information is encrypted and stored in a flash memory in which upload restriction information is stored, By checking these pieces of information on the device side, the act of copying the entire information storage medium 31 can be prohibited.

  Further, the public key may not be included in the upload unit in advance. For example, the public key may be stored in the information storage medium 31 and delivered together with the upload target data, or the public key published on the manufacturer's home page may be loaded, or the public key may be loaded on the operation unit of the multifunction device. You may enter manually.

1 is a block diagram illustrating a configuration of a multifunction machine according to an embodiment of the present invention. 1 is an external view showing connector positions of a multifunction peripheral and an information storage medium according to an embodiment of the present invention. It is explanatory drawing which shows the operation panel of FIG. It is explanatory drawing which shows the data structure of the information storage medium of FIG. It is a flowchart which shows the operation | movement at the time of an upload means uploading data. It is explanatory drawing which shows an example of the copy basic screen displayed on the display means of FIG. It is explanatory drawing which shows an example of the upload start confirmation screen displayed on the display means of FIG. It is explanatory drawing which shows an example of the upload authority confirmation screen displayed on the display means of FIG. It is explanatory drawing which shows an example of the upload restriction information falsification detection screen displayed on the display means of FIG. It is explanatory drawing which shows an example of the upload prohibition screen displayed on the display means of FIG. It is explanatory drawing which shows an example of the display screen during upload displayed on the display means of FIG. FIG. 2 is an explanatory diagram showing some data structure examples related to restriction information among information in the information storage medium of FIG. 1. It is explanatory drawing which shows an example of the upload completion notification screen displayed on the display means of FIG. It is a flowchart which shows operation | movement at the time of a data authentication means authenticating data. It is explanatory drawing which shows an example of the display screen during data alteration confirmation displayed on the display means of FIG. It is explanatory drawing which shows an example of the data alteration detection screen displayed on the display means of FIG.

Explanation of symbols

10 ... Machine 11 ... CPU
12 ... ROM
13 ... RAM
DESCRIPTION OF SYMBOLS 20 ... Display means 21 ... Operation means 22 ... Image reading means 23 ... Image storage means 24 ... Image processing means 25 ... Image forming means 26 ... Image output means 27 ... Facsimile control means 28 ... LAN connection control means 30 ... Medium access means 31 ... Information storage medium 32 ... USB connector 40 ... Decryption means 41 ... Upload means 42 ... Electronic authentication means 43 ... Data authentication means 50 ... Operation panel 200 ... Upload restriction information holding area 200 (a) ... Upload restriction information holding area enlarged view 201 ... Upload target data holding area 201 (a) ... Upload target data holding area enlarged view 202 ... Restriction information 202 (a) ... Restriction information 202 (b) ... Restriction information 202 (c) ... Restriction information 203 ... Authentication information 204 ... Electronic signature 205 ... Upload target data 21 DESCRIPTION OF SYMBOLS 0 ... Copy basic screen 211 ... Guide display part 212 ... Operation part 220 ... Upload start confirmation screen 221 ... Guide display part 222 ... Authority confirmation progress indicator 223 ... Authority confirmation remaining time display 224 ... "OK" button 225 ... "Cancel" Button 230 ... Upload authority confirmation screen 231 ... Guide display section 240 ... Upload restriction information falsification detection screen 241 ... Guide display section 250 ... Upload prohibition screen 251 ... Guide display section 260 ... Upload in progress display screen 261 ... Guide display section 262 ... Upload Progress indicator 263 ... Upload processing remaining time display 264 ... "OK" button 270 ... Upload completion notification screen 271 ... Guide display section 280 ... Data falsification confirmation display screen 281 ... Guide display section 282 ... Data falsification confirmation Progress indicator 283 ... data tampering check work remaining time display 284 ... "OK" button 290 ... data tampering detection screen 291 ... guide display unit

Claims (10)

Storage means for storing uploaded data;
Medium access means for reading information stored in the information storage medium;
Decryption means for reading and decrypting encrypted upload restriction information stored in the information storage medium by the medium access means;
The upload target data stored in the information storage medium is read by the medium access means and stored in the storage means only when the upload restriction information obtained by decryption by the decryption means permits uploading. And an uploading means for executing an upload process. The upload means includes electronic authentication means,
The upload restriction information includes a pair of restriction information for determining permission of upload and authentication information for confirming whether the upload restriction information is authentic, and one of them is a secret key of a public key cryptosystem. Consists of a set of information encrypted with
The decoding means decodes the information set;
The upload means determines whether or not the upload restriction information is authentic from restriction information and authentication information included in the information set decrypted by the decryption means, and the restriction information is authentic and The computer-embedded device according to claim 1, wherein the upload process is executed only when uploading is permitted. The upload restriction information includes one or more information sets,
The media access means, each time the upload means executes the upload process, erases all of the information set used for obtaining the upload permission at that time and the information set having the same content as the information set. 2. The computer embedded device according to 2. The restriction information included in the information set includes an identifier that identifies a computer embedded device that is permitted to execute the upload process,
The computer-embedded device according to claim 2, wherein the upload unit obtains upload permission only from the information set including the identifier that identifies the device. The upload target data stored in the information storage medium is digitally signed,
The upload unit includes a data authentication unit that authenticates whether or not the upload target data is authentic by using an electronic signature, and executes the upload process only when the authenticity of the upload target data is confirmed by the data authentication unit. The computer-embedded device according to claim 1, 2, 3 or 4. The computer-embedded device according to claim 1, 2, 3, 4, or 5, further comprising display means for displaying a cause of the execution of the upload process being restricted. The computer-embedded device is any one of a copier, a facsimile machine, a printer, a scanner, or a multifunction machine having two or more functions including at least one of these functions. The computer built-in device according to 2, 3, 4, 5 or 6. Store the data to be uploaded to the computer embedded device and the encrypted upload restriction information for restricting the upload of the data to be uploaded in an information storage medium, and deliver it.
In the computer-embedded device, the encrypted upload restriction information is read from the information storage medium, decrypted, and stored in the information storage medium only when the upload restriction information obtained by decrypting permits the upload. A data delivery method characterized in that the upload target data is read and uploaded to the device. The upload restriction information is a pair of restriction information for determining permission of upload and authentication information for confirming whether or not the restriction information is authentic, and one of them is a private key of a public key cryptosystem. Configured as an encrypted information set with
In an information storage medium, upload target data to be uploaded to a computer embedded device and the information set corresponding to the number of times allowed for upload, and the contents of the restriction information differ from each other, and delivered,
In the computer embedded device, the information set is read from the information storage medium, the information set is decrypted, and it is determined whether or not the upload restriction information is authentic from the decrypted restriction information and the authentication information. Only when there is at least one information set including restriction information, the upload target data is read from the information storage medium and uploaded to the device, and any one information set corresponding to the genuine upload restriction information and 9. The data delivery method according to claim 8, wherein all information sets having the same contents are erased from the information storage medium. The upload restriction information is a pair of restriction information for determining permission of upload and authentication information for confirming whether or not the restriction information is authentic, and one of them is a private key of a public key cryptosystem. Configured as an encrypted information set with
In an information storage medium, upload target data to be uploaded to a computer embedded device and the information set corresponding to the number of times allowed for upload, and the contents of the restriction information differ from each other, and delivered,
In the computer-embedded device, the information set is read from the information storage medium, the information set is decrypted, and it is determined whether the upload restriction information is authentic from the decrypted restriction information and the authentication information. Only when there is at least one information set including genuine upload restriction information including an identifier, the upload target data is read from the information storage medium and uploaded to the device, and the authentic upload including the device identifier is performed. 10. The data delivery method according to claim 9, wherein any one information set corresponding to the restriction information and all information sets having the same content are erased from the information storage medium.

Images