JP2006236051A - Execution limiting device and use limiting device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent a control target device from executing an unpermitted command by an operation error or unauthorized access by a third party when remotely controlling the control target device via a network. <P>SOLUTION: A controller 200 is previously notified of a use right of a permittable command (control instruction), a permittable condition (execution condition) or the like, and this execution limiting device 300 is notified of the command (selection command) and the use right (selection use right) when the controller 200 decides that the condition is satisfied. An execution permission part 301 authenticates the controller 200 when previous notification to the controller 200 and notification from the controller 200 agree with each other, and permits the control target device 100 of the execution of the command. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to remote operation of a device via a network or the like. More specifically, the present invention relates to authentication and restriction in remote operation of a device via a network or the like.

Conventional access control for controlling a home device from an external device via the Internet includes the following.
For example, Patent Document 1 performs communication by encrypting authentication information using a public key / private key of an out-of-home device and a public key / private key of a home device, and performing mutual authentication by deciphering each other, Execute control commands.
JP-A-10-289205

In the conventional access control method, after mutual authentication, any control command is permitted. In other words, if a communication partner is authenticated, execution of an unauthorized command regardless of intentional or negligence Therefore, there is a problem of preventing execution of such a command.
The present invention has been made to solve the above-described problems, for example, and has an object of not permitting execution of unauthorized commands regardless of intentional or negligence from an authenticated party. .

The execution restriction device of the present invention includes:
In an execution restriction device that restricts execution of a control command from a control device to a control target device,
A control command storage unit that stores the control command that can be executed for the control target device;
A control command notification unit that notifies the control device of the control command stored in the control command storage unit;
A control command acquisition unit for acquiring a control command for the device to be controlled;
When the control command stored in the control command storage unit matches the control command acquired by the control command acquisition unit, the control target device is allowed to execute the control command acquired by the control command acquisition unit. An execution permission unit,
It is characterized by having.

  According to the present invention, control from a control device that does not permit remote control of the control target device can be prohibited, and furthermore, the control target device can be prohibited from executing control commands that are not permitted to the control device. There is an effect.

Embodiment 1 FIG.
The first embodiment will be described with reference to FIGS.

FIG. 1 is a diagram showing an example of the appearance of the execution restriction device 300 or the control device 200 in this embodiment.
In FIG. 1, the execution restriction device 300 includes a system unit 910.
Further, the execution restriction device 300 is connected to the Internet 940 via a local area network (LAN) 942 and a gateway 941.

FIG. 2 is a diagram illustrating an example of the hardware configuration of the execution restriction device 300 and the control device 200 according to this embodiment.
FIG. 3 is a diagram illustrating an example of a hardware configuration of the control target device 100 according to this embodiment.
2 and 3, the execution restriction device 300, the control device 200, and the control target device 100 include a CPU (Central Processing Unit) 911 that executes a program. The CPU 911 is connected to a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, and a magnetic disk device 920 via a bus 912.
Further, the control target device 100 includes an operation unit 950 that operates based on a control command from the control device 200.
The RAM 914 is an example of a volatile memory. The ROM 913 and the magnetic disk device 920 are examples of non-volatile memories, and all of them are not necessarily connected. These are examples of a storage device or a storage unit.
The communication board 915 is connected to the LAN 942 or the like.
For example, the communication board 915 is an example of an input unit.
For example, the communication board 915 is an example of an output unit.

Here, the communication board 915 is not limited to the LAN 942 and may be directly connected to the Internet 940 or a WAN (Wide Area Network) such as ISDN. When directly connected to a WAN such as the Internet 940 or ISDN, the execution restriction device 300 is connected to a WAN such as the Internet 940 or ISDN, and the gateway 941 is unnecessary.
The magnetic disk device 920 stores an operating system (OS) 921, a window system 922, a program group 923, a file group 924, and the like. However, when the magnetic disk device 920 is not connected, these may be stored in the ROM 913 or the RAM 914. The program group 923 is executed by the CPU 911, the OS 921, and the window system 922.

The program group 923 stores programs that execute functions described as “˜units” in the description of the embodiments described below. The program is read and executed by the CPU 911.
In the file group 924, what is described as “determination result of”, “calculation result of”, and “processing result of” in the description of the embodiment described below is stored as “˜file”. Yes.
In addition, the arrow portion of the flowchart described in the description of the embodiment described below mainly indicates input / output of data, and for the input / output of the data, the data is a magnetic disk device 920, an FD (Flexible Disk), an optical disk. , CD (compact disc), MD (mini disc), DVD (Digital Versatile Disk) and other recording media. Alternatively, it is transmitted through a signal line or other transmission medium.

  In addition, what is described as “unit” in the description of the embodiment described below may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented by software alone, hardware alone, a combination of software and hardware, or a combination of firmware.

  The program for carrying out the embodiment described below is also a magnetic disk device 920, an FD (Flexible Disk), an optical disk, a CD (compact disk), an MD (mini disk), a DVD (Digital Versatile Disk), or the like. You may memorize | store using the recording device by this recording medium.

FIG. 4 shows an example of the overall configuration of the system in this embodiment.
The control device 200 sends a control command to the control target device 100 in order to remotely operate the control target device 100.
The control target device 100 executes a control command from the control device 200.
However, since the control command is sent via an open network such as the Internet 940, authentication is required to prevent eavesdropping, modification, or impersonation by a malicious third party 999.
Even if the control command is authenticated, it is necessary to verify whether or not the control command can be executed in order to prevent malfunction due to an input error or the like.
Therefore, the execution restriction device 300 interprets the control command from the control device 200 and notifies the control target device 100 of only what can be executed.
Note that the control target device 100 and the execution restriction device 300 may be integrated.

  The execution restriction device 300 includes, for example, a command group storage unit 312 (an example of a control command storage unit), a command information issue unit 314 (an example of a control command notification unit), and a selection command information reception unit 311 (an example of a control command acquisition unit). The execution permission unit 301 is included.

  FIG. 5 is a flowchart showing an example of the control flow of the execution restriction device 300 in this embodiment.

  The command group storage unit 312 stores commands that can be executed by the control target device 100 among the control commands that can be executed by the control target device 100, and that the control device 200 may command to execute. is doing.

FIG. 6 shows an example of the command 400 stored in the command group storage unit 312 in this embodiment.
The command 400 (an example of a control command) includes, for example, a command identifier 401 that identifies a command, execution device information 402 that indicates a control target device that executes the command, a control command code, a command name, and its arguments, and a command character string 403 includes a command description 404 which is an additional description of the command. Further, the command 400 does not have to be managed in association with the command identifier 401 or the command description 404 as described above.
That is, the command identifier 401 is used for identifying a command in the execution restriction device 300.
A plurality of command identifiers 401 may be stored for one command. Alternatively, it may be changed periodically.
The command character string 403 is the content of a command notified to the control target apparatus 100 when the execution of the command is permitted. The control target device 100 interprets this and operates the operation unit 950.
The command description 404 is displayed on the control device 200 to inform the operator of the control device 200 what the command does.

  The command information issuing unit 314 creates command information from the commands stored in the command group storage unit 312 (S11 in FIG. 5).

FIG. 7 shows an example of command information 800 created by the command information issuing unit 314 in this embodiment.
The command information 800 includes, for example, a command identifier 801, execution device information 802 for specifying a device that executes the command, a signature 803 that is an electronic signature for preventing falsification of the command identifier, execution device information, and the like, and a command description 804. The
The execution device information 802 may use a device identifier that identifies a device such as a device manufacturing number, or a public key certificate of a controlled device.
That is, the command identifier 801 is the same as the command identifier 401 stored in the command group storage unit 312 and is used for identifying the command in the execution restriction device 300.
The execution device information 802 indicates the control target device 100 that executes the command. By interpreting this, the control device 200 identifies the control target device 100 that executes the command.
This prevents sending commands to different devices by mistake.
A signature 803 is an electronic signature of the execution restriction device 300 and guarantees that the command information is notified by the execution restriction device 300. This can prevent falsification and impersonation by a third party.
The command description 804 is the same as the command description 404 stored in the command group storage unit 312, and is for notifying the operator of the control device 200 what the command does.

  When there are a plurality of commands that can be executed by the control target apparatus 100, a command identifier 801, execution device information 802, a signature 803, and a command description 804 are created for each command.

The command information issuing unit 314 encrypts and notifies the created command information 800 to the control device 200 (S12 in FIG. 5). At this time, encryption may be performed using a separately determined common key, or encryption may be performed using a public key in the public key certificate of the control device 200.
Thereby, eavesdropping and falsification by a third party 999 can be prevented.

The control device 200 acquires the command information 800 and decrypts it using the common key or its own secret key.
Next, the signature 803 is verified, and it is confirmed that the command information 800 is surely notified from the execution restriction device 300. If the signature 803 is invalid, it is determined that the third party 999 pretending to be the execution restriction device 300 has notified, and the subsequent processing is not performed.

If it is confirmed by the verification of the signature 803 that the command information 800 is notified by the execution restriction device 300, a command description 404 is displayed.
When the operator selects a command from the displayed command descriptions 404, the control device 200 creates selection command information 810 corresponding to the selected command.

FIG. 8 shows an example of the selection command information 810 created by the control device 200 in this embodiment.
The selection command information 810 includes, for example, a command identifier 811, execution device information 812, and a signature 813.
The command included in the selected command information 810 is a command actually selected by the operator among commands that can be executed by the control target device, and is usually one command.
The command identifier 811 corresponds to the selected command among the command identifiers 801 included in the command information 800.
The execution device information 812 corresponds to the command selected from the execution device information 802 included in the command information 800.
The signature 813 is an electronic signature of the control device 200, and guarantees that the selection command information has been notified by the control device 200. Thereby, falsification and impersonation by a third party 999 can be prevented.

  The control device 200 encrypts and notifies the selection command information 810 created in this way to the execution restriction device 300. At this time, encryption may be performed using a separately determined common key, or encryption may be performed using a public key in the public key certificate of the execution restriction device 300.

  The selection command information receiving unit 311 of the execution restriction device 300 acquires the selection command information 810 notified by the control device 200 and decrypts it using the common key or its own secret key (S13 in FIG. 5).

  The execution permission unit 301 verifies the signature 813, and confirms that the selection command information 810 has been notified by the control device 200. If the signature 813 is invalid, it is determined that the third party 999 pretending to be the control device 200 has notified, and the command is not notified to the control target device 100 (S14 in FIG. 5).

The execution permission unit 301 further verifies the command identifier 811 and the execution device information 812. In this verification, if the command identifier 401 that matches the command identifier 811 exists in the command group storage unit 312 and the execution device information 812 matches the device information that the control target device 100 or the execution control device 200 has, the command is correct. Judge that there is.
When a plurality of command identifiers 401 are stored for one command, it is determined whether the command identifier 401 matches that included in the command information 800 notified by the command information issuing unit 314.

  If the execution permission unit 301 determines that the result is invalid, the execution permission unit 301 does not permit the control target device 100 to execute the command (S15 in FIG. 5).

  When determining that the command is correct, the execution permission unit 301 notifies the control target device 100 of the command character string 403 stored in the command group storage unit 312 corresponding to the command identifier 811, and executes the command (FIG. 5 S16).

As a result, not only the control device 200 is authenticated by the signature 813 included in the selected command information 810, but also the control device 200 is authenticated by correctly decoding the command information 800. Authentication will be performed, and safety will increase.
Further, by authenticating the control device 200, it is possible not only to prohibit control from a device that is not permitted to perform remote control, but also to prohibit execution of commands that are not permitted to the control device 200.
That is, a command that is not permitted is not notified to the control device 200 in the command information 800, and therefore execution cannot be instructed by the selection command information 810 from the control device 200.
In addition, the authentication of the control device and the verification of whether the command is permitted to execute are performed at the same time, so that the efficiency is high.

Note that once the control device 200 obtains the command information 800, the command identifier and the execution device information are known, so that the execution of the same command can be instructed any number of times thereafter.
If this is a problem, the following configuration can be used.

That is, the command identifier 401 of the command 400 stored in the command group storage unit 312 is changed periodically or according to a change in execution conditions.
Then, even if the control device 200 knows the old command identifier 401, even if it instructs the execution of the command, the command identifier is not in the command group storage unit 312. Is illegal and cannot be executed.
When the control device 200 wants to execute a command, it requests the execution restriction device 300 to notify the command information 800.
In contrast, the execution restriction device 300 notifies the latest command information 800 when the control device 200 permits the execution of the command.
As a result, the control device 200 acquires the command information 800 and knows the latest command identifier, so that the command execution can be instructed.

Embodiment 2. FIG.
The second embodiment will be described with reference to FIGS. 1 to 3, 5, 6, and 8 to 12.
Since the hardware configurations of the execution restriction device 300, the control device 200, and the control target device 100 in this embodiment are the same as those in the first embodiment, description thereof is omitted here.

FIG. 9 shows an example of the overall configuration of the system in this embodiment.
The execution restriction device 300 includes, for example, a command group storage unit 312 (an example of a control command storage unit), a command encryption processing unit 313 (an example of a control command encryption unit), and a command information issue unit 314 (an example of a control command notification unit). A key management unit 332 (an example of a key storage unit), a usage right issue unit 344 (an example of a key notification unit), a selection command information reception unit 311 (an example of a control command acquisition unit), and an execution permission unit 301.
Here, since the operations of the command group storage unit 312, the selected command information reception unit 311, and the execution permission unit 301 are the same as those in the first embodiment, the description thereof is omitted here.

  The command encryption processing unit 313 encrypts the command stored in the command group storage unit 312. At this time, a different key is used for each command as an encryption key. Key selection may be performed randomly or according to some rules, but the regularity should not be known from the outside. The same key may be used for several commands.

  The key management unit 332 stores, as key management information 600, a key for decrypting the command encrypted by the command encryption processing unit 313.

FIG. 10 shows an example of the key management information 600 stored in the key management unit 332 in this embodiment.
The key management information 600 includes, for example, an encryption command identifier 601 and a decryption key 602.
The encrypted command identifier 601 is used to identify a command encrypted by the command encryption processing unit 313. An arbitrary character string different from the command identifier 401 is used.
The decryption key 602 is a key for decrypting the encrypted command identifier encrypted by the command encryption processing unit 313.

  The command information issuing unit 314 creates command information 800 and notifies the control device 200 of it. At this time, the command information 800 may be further encrypted using a separately determined common key, or may be encrypted using the public key in the public key certificate of the control device 200. Thereby, eavesdropping and falsification by a third party 999 can be prevented.

FIG. 11 shows an example of command information 800 created by the command information issuing unit 314 in this embodiment.
The command information 800 includes, for example, an encrypted command identifier 808 for specifying an encrypted command, an encrypted command identifier 809, execution device information 802, a signature 803, and a command description 804.
Here, the execution device information 802, the signature 803, and the command description 804 are the same as those described in the first embodiment, and a description thereof will be omitted.
The encrypted command identifier 808 is the same as the encrypted command identifier 601 stored in the key management unit 332. Used to identify an encrypted command.
The encrypted command identifier 809 is obtained by encrypting the command identifier 401 stored in the command group storage unit 312 by the command encryption processing unit 313. Alternatively, the command code, the command name, and its argument may be encrypted.

Note that the command description 804 and the like may be encrypted in the same manner as the command identifier.
Further, the encrypted command information 800 does not have to be managed in association with the encrypted command identifier 808 or the command description 804 as described above, but may be the encrypted command identifier 809 itself. Further, the same command character string may be encrypted with a plurality of different keys, or different encrypted command identifiers may be assigned. For example, the same “turn on power” command may be encrypted with a different key for each control device 2 and another encrypted command identifier 808 may be allocated.

This embodiment is characterized in that the command identifier 801 is not included in the command information.
That is, since the control device 200 does not know the key for decrypting the encrypted command identifier 809, it cannot obtain the command identifier 801.
Accordingly, the control device 200 cannot instruct the execution of the command as it is.

  Therefore, the execution restriction device 300 notifies the usage right 820 to the control device 200 separately from the command information.

FIG. 12 shows an example of the usage right 820 notified by the usage right issuing unit 344 in this embodiment.
The usage right 820 includes, for example, a usage right identifier 821, an encryption command identifier 822, a decryption key 826, and a signature 827.
The usage right identifier 821 is used to identify a command that permits remote control from the control device 200. Since a plurality of conditions may be set for the same command, they are managed separately from the command identifier and the encrypted command identifier.
In this example, only one usage right is notified, but when there are a plurality of commands that permit remote control from the control device 200, a plurality of commands are notified for each command.
The encrypted command identifier 822 is the same as the encrypted command identifier 601 stored in the key management unit 332, and indicates which command the usage right is for.
The decryption key 826 is a key used for decrypting the encrypted command identifier 809 to obtain the command identifier 801. This is stored in the key management unit 332.
The signature 827 is an electronic signature of the execution restriction device 300 and guarantees that the execution condition information is notified by the execution restriction device 300. As a result, falsification and impersonation by a third party 999 can be prevented.

  The usage right issuing unit 344 encrypts and notifies the usage right 820. At this time, encryption may be performed using a separately determined common key, or encryption may be performed using a public key in the public key certificate of the control device 200. Thereby, eavesdropping and falsification by a third party 999 can be prevented.

The control device 200 acquires the notified usage right 820 and decrypts it using the common key or its own secret key.
Next, the signature 827 is verified, and it is confirmed that the usage right 820 is surely the one notified by the execution restriction apparatus 300. If the signature 827 is invalid, it is determined that the third party 999 pretending to be the execution restriction device 300 has notified, and the subsequent processing is not performed.

  If the signature 827 is correct, the decrypted key identifier 809 is decrypted using the decryption key 826 to obtain a command identifier.

In this example, the command information 800 is notified of two commands (“turn on power” and “turn off power”). However, in the usage right 820, only the decryption key for the “turn on power” command is notified.
Therefore, the control device 200 was able to know the command identifier of the “power on” command. However, the command identifier of the “power off” command is not known.
That is, the control device 200 can instruct a command to turn on the power, but cannot instruct a command to turn off the power.

Thus, the control device 200 cannot instruct the command unless both the command information 800 and the usage right 820 are notified.
Suppose that a third party 999 eavesdrops on the command information 800. However, the third party 999 cannot know what the command identifier is unless the usage right 820 is also wiretapped. Conversely, even if the usage right 820 is wiretapped, the command identifier cannot be known unless the command information 800 is wiretapped.
If the command identifier is not known, it is safe because the third party 999 cannot impersonate the control device 200 and give a command.

  Note that the usage right 820 may be notified at the same time as the command information 800, but in that case, there is a risk of both being wiretapped at once, so it is preferable to notify them separately.

  Further, the usage right 820 may be notified by the execution restriction device 300 to the control device 200 independently, or may be notified when a request for issuing a usage right is received from the control device 200.

Embodiment 3 FIG.
Embodiment 3 will be described with reference to FIGS. 1 to 3, 5, 6, 8, 10, 11, and 13 to 15.

  This embodiment not only controls whether or not remote control is possible, but also finely controls the conditions of remote control.

  Since the hardware configurations of the execution restriction device 300, the control device 200, and the control target device 100 in this embodiment are the same as those in the first embodiment, description thereof is omitted here.

FIG. 13 shows an example of the overall configuration of the system in this embodiment.
The execution restriction device 300 includes, for example, a command group storage unit 312 (an example of a control command storage unit), a command encryption processing unit 313 (an example of a control command encryption unit), and a command information issue unit 314 (an example of a control command notification unit). A key management unit 332 (an example of a key storage unit), an execution condition storage unit 322, a usage right issue unit 344 (including a key notification unit 334 and a command execution condition issue unit 324 (an example of an execution condition notification unit)), a selection command An information reception unit 311 (an example of a control command acquisition unit) and an execution permission unit 301 are included.
Here, since the operations of the command group storage unit 312, the command encryption processing unit 313, the command information issuing unit 314, the selected command information receiving unit 311, and the key management unit 332 are the same as those in the second embodiment, description thereof is omitted here. .

The execution condition storage unit 322 stores various conditions when the control target device 100 executes a control command as execution conditions.
Examples of execution conditions stored in the execution condition storage unit 322 include the following.

Information about the control device that permits command execution (control device information).
Information on the period during which command execution is permitted (execution date and time information).
Information on whether operator confirmation is required when executing a command (user confirmation necessity information). That is, when the command is authenticated, the operator is requested to confirm again, and the command is notified to the control target device 100 only when the operator gives permission.
Information of the device or issuer that issued the command information (issuer information). For example, a public key certificate of the issuer, a user ID (Identifier) of the issuer, a public key certificate of the issuer device, a device identifier including a manufacturer identification number of the issuer device and a serial number of the device.
Device information that instructs execution of command information (execution instruction device information). For example, a public key certificate of the execution device, a device identifier including a manufacturer identification number of the execution device and a serial number of the device, and the like.
Information of the instructor instructing execution of command information (execution instructor information). For example, the public key certificate of the instructor and the user ID of the instructor.
Network information (execution network information) for remote control of command information execution. For example, an IP (Internet Protocol) address.
Command information is execution count information (execution count information).
Command information that should be executed before command information execution (pre-execution command history information). For example, conditions such as after execution of a power-on command. That is, even when the command is authenticated, if the predetermined condition is not satisfied, the command is not notified to the control target device 100.
Command result information (pre-execution status information) executed before command information execution, for example, conditions such as when the previous command succeeds. That is, even if the command is authenticated, if the predetermined condition is not satisfied, the execution of the command is not permitted.
Event information that triggers command information execution (execution event information). For example, when an error event is raised from a device, or an event that occurs when a user executes a certain command on a device. That is, even when the command is authenticated, the execution of the command is not permitted immediately, but is permitted after a predetermined condition is satisfied.
Immediate / reservation information (reservation information) for command information execution indicating whether the command is to be executed immediately or when another condition is satisfied. That is, when the command is authenticated, it is determined whether to immediately execute the command or wait until a predetermined condition is satisfied.

FIG. 14 is a flowchart showing an example of the control flow of the execution restriction device 300 in this embodiment.
Although not shown in this figure, the command information issuing unit 314 creates and notifies command information (S11 to S12 in FIG. 5).

  The usage right issuing unit 344 creates a usage right 820 based on the key management information 600 stored in the key management unit 332 and the execution conditions stored in the execution condition storage unit 322, and notifies the control device 200 (FIG. 14). S21 to S22).

FIG. 15 shows an example of the usage right 820 created by the usage right issuing unit 344 in this embodiment.
The usage right 820 includes, for example, a usage right identifier 821 for identifying a usage right, an encrypted command identifier 822 for identifying a command, execution device information 823 for specifying a device that actually executes the command, and an execution included in the usage right. Execution date / time information 824, which is information on a period during which execution of a command, which is one of the conditions, is permitted, user confirmation necessity information 825 indicating whether or not user confirmation is required when executing the command, and an encrypted command identifier The decryption key 826 is a decryption key and a usage right signature 827.
Among these, the usage right identifier 821, the encryption command identifier 822, the decryption key 826, and the signature 827 are the same as those described in the second embodiment, and thus description thereof is omitted here.
The execution device information 823 is the same as the execution device information 823 included in the command information 800. A device identifier that identifies the device, such as a device manufacturing number, or a public key certificate of the controlled device may be used.
The execution date / time information 824 indicates a period during which execution of the command can be permitted.
The user confirmation necessity information 825 indicates whether or not the command is to be executed only when the operator is requested to confirm again after the command is authenticated and the operator is permitted.
These conditions are stored in the execution condition storage unit 322. As described above, the execution condition storage unit 322 may store various execution conditions other than this, and may notify the execution conditions.

  The usage right issuing unit 344 encrypts the generated usage right 820 and notifies the control device 200 of it. At this time, encryption may be performed using a separately determined common key, or encryption may be performed using a public key in the public key certificate of the control device 200. Thereby, eavesdropping and falsification by a third party can be prevented.

  In this example, the execution conditions (824, 825, etc.) and the decryption key 826 are notified together, but it is preferable to notify them separately because the security is further improved. Instead, since one notification procedure is added, if it is desired to avoid complication of the procedure, it is preferable to notify together as in this example.

The control device 200 acquires the notified usage right 820 and decrypts it with the common key or its own secret key.
Next, the signature 827 is verified, and it is confirmed that the usage right 820 is surely the one notified by the execution restriction apparatus 300. If the signature 827 is invalid, it is determined that the third party 999 pretending to be the execution restriction device 300 has notified, and the subsequent processing is not performed.

  If the signature 827 is correct, the decrypted key identifier 809 is decrypted using the decryption key 826 to obtain a command identifier.

The control device 200 knows not only the command identifier but also the execution condition of the command from the usage right 820. Therefore, when the operator selects a command, the control device 200 can determine whether the command is not permitted to be executed.
Alternatively, a command that is not permitted to be executed may not be displayed from the beginning, so that the operator cannot select it.

  The control device 200 creates the selected command information 810 only when the operator selects a command that is permitted to be executed.

  FIG. 8 shows an example of the selection command information 810 created by the control device 200 in this embodiment. Since this is the same as that described in Embodiment 1, the description thereof is omitted here.

When the selection command information receiving unit 311 acquires the selection command information 810, the execution permission unit 301 determines whether or not the control target device 100 may be permitted to execute the command.
Since the verification of the signature 813, the verification of the command identifier 811 and the like are the same as those described in Embodiment 1, the description thereof is omitted here (S13 to S15 in FIG. 14).
Further, the execution permission unit 301 determines whether or not the execution condition of the command stored in the execution condition storage unit 322 is satisfied (S26 in FIG. 14).

The command execution condition is notified to the control apparatus 200 in advance, and the control apparatus 200 should notify the selected command information 810 only when the command execution condition is satisfied. There is no need to decide whether to satisfy.
However, if the third party 999 impersonates the control device 200 and notifies the selection command information 810, there is a possibility that the selection command information 810 is notified without knowing the execution condition of the command. The command execution conditions are not necessarily satisfied.

  Therefore, determining whether or not the command execution condition is satisfied does not simply determine whether or not the command execution is permitted, but at the same time, authenticates the person who has notified the command. .

  Thereby, it is possible not only to control whether or not remote control is possible, but also to finely control the conditions of remote control. At the same time, since the actual authentication procedure is increased by one, the safety is further increased.

  When the execution condition of the command is satisfied, the execution permission unit 301 notifies the control target device 100 of the command character string 403 stored in the command group storage unit 312 corresponding to the command identifier 811 and causes the command to be executed. (S16 in FIG. 14).

On the other hand, when the command execution condition is not satisfied, the command is not notified to the control target device 100.
However, as described above, the notification of the selected command information 810 that does not satisfy the command execution condition may be from a third party 999, indicating that security is being broken.

  Therefore, not only simply not permitting command execution, but also watching the state without accepting remote control for a while, changing the command identifier, and notifying the control device 200 of new command information, etc. It is also possible to take measures.

  Thereby, not only unauthorized access by a third party 999 can be prevented, but also necessary measures can be taken.

Embodiment 4 FIG.
Embodiment 4 will be described with reference to FIGS. 1 to 3, 5, 6, 8, and 15 to 19.

  Since the hardware configurations of the execution restriction device 300, the control device 200, and the control target device 100 in this embodiment are the same as those in the first embodiment, description thereof is omitted here.

FIG. 16 shows an example of the overall configuration of the system in this embodiment.
The execution restriction device 300 includes, for example, a command group storage unit 312 (an example of a control command storage unit), a command encryption processing unit 313 (an example of a control command encryption unit), and a command information issue unit 314 (an example of a control command notification unit). A key management unit 332 (an example of a key storage unit), an execution condition storage unit 322, a usage right issue unit 344 (including a key notification unit 334 and a command execution condition issue unit 324 (an example of an execution condition notification unit)), a selection command An information receiving unit 311 (an example of a control command acquisition unit), a usage right processing unit 321 (an example of an execution condition acquisition unit), and an execution permission unit 301 are included.
Here, the operations of the command group storage unit 312, the command encryption processing unit 313, the command information issuing unit 314, the key management unit 332, the execution condition storage unit 322, the usage right issuing unit 344, and the selected command information receiving unit 311 are as follows. Since it is the same as that of the third mode, the description is omitted here.

In the third embodiment, when the selected command information 810 is notified, the authentication is actually performed by determining whether or not the command execution condition is satisfied.
However, even if the third party 999 impersonates the control device 200 and notifies the selected command information 810 without knowing the command execution condition, it cannot be checked if the command execution condition is satisfied by chance. .

  Therefore, in this embodiment, the security of authentication is further enhanced by acquiring from the control device 200 the execution condition that is the basis for determining that the control device 200 satisfies the command execution condition.

  That is, when the control device 200 determines that the execution condition of the command is satisfied and notifies the selected command information 810, separately from this, the usage right (selected usage right) that is the basis of the determination is displayed. Notify

FIG. 17 shows an example of the selective usage right 830 notified by the control device 200 in this embodiment.
The selected usage right 830 includes, for example, a usage right identifier 831, an encrypted command identifier 832, execution device information 833, execution date / time information 834, user confirmation necessity information 835, and a signature 836.
Among these, the usage right identifier 831, the encrypted command identifier 832, the execution device information 833, the execution date / time information 834, and the user confirmation necessity information 835 are command execution conditions among the usage rights 820 notified from the execution restriction device 300. The usage right identifier 821 of the usage right, which is the basis for determining that the information is satisfied, the encryption command identifier 822, the execution device information 823, the execution date / time information 824, and the user confirmation necessity information 825. This indicates that the control apparatus 200 has the execution authority based on the usage right identified by the usage right identifier 831.
The signature 836 is an electronic signature of the control device 200, and guarantees that the usage right is the one notified by the control device 200. Thereby, falsification and impersonation by the third party 999 can be prevented.

  The selection usage right 830 may include a decryption key. In this case, the decryption key may be the same as or different from the decryption key 826 notified by the usage right. When a decryption key different from the decryption key 826 notified by the usage right is included, another decrypted key (for example, an encrypted command identifier 832) is provided, and the decryption key is correct depending on whether the decryption key can be decrypted. It may be verified whether or not.

FIG. 18 is a flowchart showing an example of the control flow of the execution restriction device 300 in this embodiment.
Although not shown in this figure, command information creation, notification, selection command information acquisition, and verification are performed in parallel (S11 to S15 in FIG. 5).

  The control device 200 encrypts and notifies the selected usage right 830 to the execution restriction device 300. At this time, encryption may be performed using a separately determined common key, or encryption may be performed using a public key in the public key certificate of the execution restriction device 300.

  Note that the selection usage right 830 may be notified at the same time as the selection command information 810, but in that case, there is a risk of both being wiretapped at a time, so it is preferable to notify them separately.

  The usage right processing unit 321 of the execution restriction device 300 acquires the selected usage right 830 notified by the control device 200 and decrypts it using the common key or its own secret key (S23 in FIG. 18).

  Next, the execution permission unit 301 verifies the signature 836 and confirms that the selected usage right 830 is surely notified by the control device 200. If the signature 836 is invalid, it is determined that the third party 999 pretending to be the control device 200 has notified, and the subsequent processing is not performed (S24 in FIG. 18).

  If the signature 836 is correct, the usage right is verified. That is, the execution permission unit 301 determines whether the usage right identifier 831 and the execution date / time information 834 of the selected usage right 830 match the usage right notified by the usage right issuing unit 344. If they do not match, it is determined that the third party 999 impersonating the control device 200 has notified, and the subsequent processing is not performed (S25 in FIG. 18).

  Thereafter, the execution permission unit 301 verifies whether the execution condition of the command is satisfied (S26 in FIG. 18), and if satisfied, permits the execution of the command (S27 in FIG. 18).

  As a result, the control device 200 notifies the usage rights that are the basis for command execution, so that even when the execution restriction device 300 manages a large number of usage rights, it is not necessary to search all of them and it is quick. Judgment is possible. At the same time, only the control device 200 that has been notified of the right to use can be notified of the correct right to use, so that the control device 200 is further authenticated, which increases the safety.

  Note that the selected command information 810 and the selected usage right 830 allow the command to be executed only after both are notified, so the following usage is possible.

That is, the selection command information 810 may be notified in advance, and the selection usage right 830 may be notified when it is desired to actually execute the command.
In this case, when the execution permission unit 301 receives the notification of the selection command information 810, the execution permission unit 301 does not determine whether or not the execution condition of the command is satisfied. Remember what was done.
Then, at the time of receiving the notification of the valid selection usage right 830, it is determined whether or not the command execution condition is satisfied, and if it is satisfied, the control target device 100 is permitted to execute the command.

Alternatively, when it is desired to execute the same command a plurality of times, the selection command information 810 may be notified in advance, and the selection usage right 830 may be notified a plurality of times.
In this case, the execution permission unit 301 stores that the correct selection command information 810 has been notified, and even when the correct selection usage right 830 is notified and the execution of the command is permitted, it does not end. Only the correct selection command information 810 is notified. Then, when the correct selection usage right 830 is notified, the execution of the command is permitted by assuming that the condition is satisfied by itself.
In that case, you may decide the period or frequency | count which permits such a skipped procedure.

Further, if either one of the selection command information 810 and the selection usage right 830 is valid, but the other is invalid, it may be configured to end at that time and start the procedure again from the beginning.
Alternatively, a state in which only one of them is valid may be held for a certain period, and if valid ones are prepared within that period, the execution of the command may be permitted assuming that the condition is satisfied.
Alternatively, the number of retries may be determined, and if valid items are prepared within a certain number of times, the execution of the command may be permitted assuming that the condition is satisfied.

Furthermore, even if it is authenticated as legitimate, the configuration may be such that execution is not permitted immediately but confirmation is requested from the operator.
FIG. 19 is a flowchart showing an example of a control flow in such a configuration.
Although not shown in this figure, the selection command information 810 and the selection usage right 830 are authenticated as a previous step.

The execution permission unit 301 looks at the user confirmation necessity information 835 of the selected usage right 830, and determines whether it is necessary to request confirmation from the operator (S161 in FIG. 19).
If it is not necessary to request confirmation from the operator, the control target device 100 is immediately notified of the command.

  When it is necessary to request confirmation from the operator, the execution permission unit 301 notifies the control device 200 of a confirmation request (S162 in FIG. 11).

  Next, the execution permission unit 301 acquires the confirmation by the operator notified from the control device 200 (S163 in FIG. 11).

  If the execution permission is not given by the operator, the execution permission unit 301 ends without notifying the control target device 100 of the command (S164 in FIG. 11).

  The execution permission unit 301 notifies the control target device 100 of a command when the operator is permitted to execute (S16 in FIG. 11).

  Note that the confirmation by the operator is not only to allow execution, but to enter the operator's password, and to notify the command only when it matches the registered password. Also good.

  As a result, not only the authentication of the control device 200 but also the operator who is operating the control device can be authenticated, so the safety is further improved.

In this way, the control device 200 is authenticated by the signature 813 included in the selection command information 810, and further, the content of the selection command information 810 is also authenticated, and the signature 836 included in the selection usage right 830 is also authenticated. Since the content of the selective use right 830 is also authenticated, the safety is greatly enhanced.
In addition to prohibiting execution of commands that are not permitted to the control device 200, it is possible to finely set conditions for permission and conditions for prohibition.
In addition, the authentication of the control device and the verification of whether the command is permitted to execute are performed at the same time, so that the efficiency is high.

When a secret key is used for the encryption process and decryption process described above, the secret key is stored in a tamper-resistant secure chip, and if plaintext or ciphertext is input to the secure chip, the ciphertext or decryption is performed. If the plain text is output, even if it is a legitimate user, the secret key cannot be seen from the outside, and thus the security is further improved.
Alternatively, the usage right processing function may be stored in the secure chip, and if the verification is correct, the usage right 820 may be stored in the secure chip.

Command execution is executed not only when remote control is performed from the control device 200 but also when the stored command is periodically executed or specified with date and time, and when the selective usage right 830 is received. do not do. Instead, the stored selective use right 830 is checked when an event occurs.
For example, this is the case for commands that specify the execution date and time (recording reservations, etc.), and commands that are executed according to conditions (such as lighting the entrance when the outside becomes dark). If these conditions are managed in the execution restriction apparatus 300 and a command is notified to the control target apparatus 100 when the conditions are satisfied, even if the control target apparatus 100 does not have a reservation function or the like, this is the case. Functions can be realized.

  Further, the selection usage right 830 may be held until the execution condition is not satisfied.

As a result, it is possible to prohibit control from a control device that the control target device does not permit remote control or execution of a command that is not permitted by the control device.
In addition, it is possible to prevent falsification of command information by adding a signature in encryption processing, and to prevent eavesdropping of information by encryption.

Embodiment 5. FIG.
A fifth embodiment will be described with reference to FIGS. 1 to 3 and FIGS.

  This embodiment does not relate to the execution limitation of the command itself, but relates to the limitation of the use of the command execution result.

  The hardware configuration of the usage restriction device 350 in this embodiment is the same as that of the execution restriction device 300 in the first embodiment. Further, since the hardware configurations of the control device 200 and the control target device 100 are the same as those in the first embodiment, description thereof is omitted here.

FIG. 20 shows an example of the overall configuration of the system in this embodiment.
The usage restriction device 350 includes, for example, a command result encryption processing unit 363 (an example of an execution result encryption unit), an execution result notification unit 364, a command result key management unit 382 (an example of a key storage unit), a usage condition storage unit 372, A usage right issuing unit 344 (including a key notification unit 334 and a usage condition notification unit 374), a usage right processing unit 371 (an example of a usage condition acquisition unit), a usage request acquisition unit 381, and a usage permission unit 351 are included.

The command result encryption processing unit 363 encrypts command processing result data (execution result).
The command result key management unit 382 stores the identification information of the encrypted data and the decryption key (command result key management information).
FIG. 21 shows an example of the command result key management information 610 stored in the command result key management unit 382 in this embodiment.
The execution result identifier 611 is used to identify an encrypted execution result.
The decryption key 612 is a key for decrypting the execution result encrypted by the command result encryption processing unit 363.
An identifier for identifying encrypted command result data may be attached to the processing result (execution result) of the command encrypted by the command result encryption processing unit 363.
The execution result notifying unit 364 notifies the control device 200 of the execution result encrypted by the command result encryption processing unit 363.
The usage right issuing unit 344 notifies the control device 200 of a usage condition (usage right) including a decryption key 612 for decrypting the encrypted execution result and a condition for decrypting and using the encrypted execution result.

FIG. 22 shows an example of the usage right 850 notified by the usage right issuing unit 344 in this embodiment.
The usage right 850 includes, for example, a usage right identifier 851 for identifying a usage right, an execution result identifier 852 for identifying an execution result, execution device information 853 for specifying a device that has actually executed a command, and an execution included in the usage right. Usage date / time information 854, which is information on a period during which use of the execution result, which is one of the conditions, is permitted, user confirmation necessity information 855 indicating whether user confirmation is required when using the execution result, encrypted execution It consists of a decryption key 856 which is a key for decrypting the result, and a usage right signature 857.
The usage right identifier 851 is used to identify a usage right that permits the use of the execution result in the control device 200. Since a plurality of conditions may be set for the same execution result, they are managed separately from the execution result identifier.
The execution result identifier 852 is notified from the execution result notifying unit 364 together with the execution result, and is for identifying an execution result that is permitted to be used.
The execution device information 853 is information about the control target device 100 that created the execution result. A device identifier that identifies the device, such as a device manufacturing number, or a public key certificate of the controlled device may be used.
The use date / time information 854 indicates a period during which use of the execution result is permitted.
The user confirmation necessity information 855 indicates whether or not use of the execution result is permitted only when the operator is requested to confirm again when the execution result is used and the operator is authenticated.
The decryption key 856 is a key for decrypting the execution result so that it can be used. The key management unit 332 notifies what is stored.
The signature 857 is an electronic signature of the usage restriction device 350, and guarantees that the usage condition information is notified from the usage restriction device 350. This can prevent falsification and impersonation by a third party.

Further, the usage right 850 may include the following usage conditions.
Command result information. In other words, by dividing the command execution result into a plurality of parts and including a part of them in the usage right 850, the execution result cannot be used unless both the execution result notified separately and the both are obtained. .
Information about the issuer of command result information (issuer information). That is, it is information about the control target device 100 that created the execution result.
Information on the device used by the command result information (used device information). That is, it is information about the control device 200 that can use the execution result.
Information on the device that instructs the use of command result information (usage instruction device information). That is, it is information about the control device 200 that can instruct the use of the execution result.
Information of an instructor instructing use of command result information (use instruction information). That is, it is information about an operator who can operate the control device 200 that can use the execution result.
Network information (use network information) between the issuing device of command result information and the use device. That is, it is information about the connection state when the use is restricted depending on the state of the network connection (eg, only when a specific server is used).
Date / time information using command result information (use date / time information). That is, it is information about a period during which the execution result can be used.
Handling of command result information data (changeability, printability, video stop, pause, fast play, etc., resolution range, enlargement, reduction, etc.) That is, it is information about the usage mode of the execution result.
Whether or not the decoding result of the command result information may be stored (decoding result storage availability information). That is, it is information about whether the execution result used once can be stored and reused later.
Command result information is used count information (execution count information). This is information about the number of times that the user can use it again.
Command information that should be executed before using command result information (pre-use command history information). That is, it is information about a condition when an execution result cannot be used unless another command is executed.
Command result information executed before using command result information (status information before execution). That is, it is information about the execution result of another command when the use of the execution result is restricted based on the execution result of another command.

The usage right processing unit 371 acquires the selected usage right 830 notified from the control device 200.
The usage request acquisition unit 381 acquires the usage request 840 notified from the control device 200.
The use permission unit 351 has an authentication function, and performs authentication of the control device 200 that has issued the use right issue request or an operator who is operating the control device 200.

It is also conceivable to change usage conditions according to the result of authentication. For example, if the user is a registered user, the usage conditions may be relaxed (for example, one week can be used), and if the user is not registered, the usage conditions may be strict (for example, only one day may be used).
In addition, billing processing may be performed.

  The control device 200 has a usage right issuance request function for requesting issuance of a usage right for using the execution result, and a command result use function which is a client function for using the execution result.

  FIG. 23 is a flowchart showing an example of the control flow of the usage restriction device 350 in this embodiment.

  First, the control target device 100 executes a command. Prior to command execution, command execution may be restricted by the execution restriction device 300 described in the first or second embodiment. Alternatively, the usage restriction device 350 may have a function as the execution restriction device 300.

The command result encryption processing unit 363 encrypts the execution result generated by the control target device 100 (S31 in FIG. 23).
At this time, a different key is used for each execution result as an encryption key. Key selection may be performed randomly or according to some rules, but the regularity should not be known from the outside. Further, the same key may be used for several execution results.

  The execution result notifying unit 364 notifies the control device 200 of the execution result encrypted by the command result encryption processing unit 363 (S32 in FIG. 23). At this time, the encryption may be performed using a separately determined common key, or may be performed using the public key in the public key certificate of the control device 200.

  The processing so far may be performed by the control target device 100 and the control target device 100 may notify the control device 200 of the encrypted execution result directly.

The control device 200 acquires the execution result of the command notified by the execution result notification unit 364 and decrypts it using the common key or its own secret key. However, it cannot be used without further decryption, and the key for that purpose is unknown.
Therefore, in order to obtain a decryption key, the control device 200 notifies the usage restriction device 350 of a usage request 840.

FIG. 24 shows an example of the usage request 840 notified by the control device 200 in this embodiment.
The execution result identifier 841 is notified by the execution result notifying unit 364 together with the execution result, and is for identifying the execution result for which the usage right is requested.
The signature 842 is an electronic signature of the control device 200 and guarantees that the use right issuance request has been notified by the control device 200. Thereby, falsification and impersonation by the third party 999 can be prevented.
The usage request 840 is encrypted and notified. Encryption may be performed using a separately determined common key, or may be performed using a public key in the public key certificate of the usage restriction device 350.

  The usage request acquisition unit 381 of the usage restriction device 350 acquires the usage request notified by the control device 200 and decrypts it using the common key or its own secret key (S33 in FIG. 23).

  The use permission unit 351 verifies the signature 842 and confirms that the use request is surely notified by the control device 200. If the signature 842 is invalid, it is determined that the third party 999 pretending to be the control device 200 has notified, and the usage right is not issued (S34 in FIG. 23). In that case, you may notify the control apparatus 200 that authentication failed.

When the usage permission unit 351 determines that the signature 842 is correct, the usage right issuing unit 344 notifies the control device 200 of the usage right 850 (S35 in FIG. 17).
The usage right 850 is encrypted and notified. Encryption may be performed using a separately determined common key, or may be performed using a public key in the public key certificate of the control device 200. Thereby, eavesdropping and falsification by a third party can be prevented.

The control device 200 acquires the usage right 850 notified by the usage right issuing unit 344 and decrypts it using the common key or its own secret key.
Next, the control device 200 determines whether or not a usage condition in the usage right 850 is satisfied.
If it is determined that the condition is satisfied, the execution result is decrypted using the decryption key 856 and used.

  It should be noted that if the usage right has a condition that the decrypted data cannot be stored, the decrypted command result data needs to be a mechanism that cannot be stored anywhere on the control device 200.

As described above, since the command execution result is encrypted and the usage right is required for its use, not only the command execution but also the execution process result can be used only on the authenticated device. Therefore, it has the effect of becoming safe.
In other words, since the decryption key for using the execution result cannot be obtained unless the use request is authenticated, the third party cannot use it even if the execution result is intercepted. , Safe.

  Alternatively, the following authentication procedure may be taken.

  FIG. 25 is a flowchart showing another example of the control flow of the usage restriction device 350 in this embodiment.

  Since S31 to S34 are the same as those described in FIG. 23, the description thereof is omitted here.

When the usage permission unit 351 determines that the signature 842 is correct, the usage right issuing unit 344 notifies the control device 200 of the usage right 850. However, the decryption key 856 of the usage right 850 is fake, and even if this is used, the execution result encrypted by the command result encryption processing unit cannot be decrypted (S35 in FIG. 25).
Alternatively, the usage right 850 may not include the decryption key 856.

However, since the usage condition of the execution result included in the usage right 850 is genuine, the control device 200 can know the condition for using the execution result.
Therefore, when the usage condition of the execution result is satisfied, the control device 200 encrypts and notifies the selected usage right 860 to the usage restriction device 350. At this time, encryption may be performed using a separately determined common key, or encryption may be performed using a public key in a public key certificate of the usage restriction device 350.

  FIG. 26 shows an example of the selective usage right 860 notified by the control device 200 in this embodiment.

  The usage right processing unit 371 of the usage restriction device 350 acquires the selected usage right 860 notified by the control device, and decrypts it with the common key or its own private key (S36 in FIG. 25).

Next, the usage permission unit 351 verifies the selected usage right 860. The points of verification are whether the signature 866, usage conditions, etc. match those of the usage rights 850 notified earlier, and whether the usage conditions are satisfied.
When all these verifications are passed, the use permission unit 351 permits the use of the execution result on the assumption that the control device 200 has been successfully authenticated (S37 in FIG. 25).

When the usage permission unit 351 permits the use of the execution result, the usage right issuing unit 344 encrypts the usage right 850 including the decryption key 856 that can decrypt the execution result encrypted by the command result encryption processing unit 363. The control device 200 is notified. At this time, encryption may be performed using a separately determined common key, or encryption may be performed using a public key in the public key certificate of the control device 200.
Alternatively, only the decryption key may be encrypted and notified.

The control device 200 acquires the usage right 850 notified by the usage right issuing unit 344 and decrypts it using the common key or its own secret key.
The control device 200 uses the decryption key 856 to decrypt and use the execution result encrypted by the command result encryption processing unit 363.

Thereby, only when the usage condition is satisfied, the decryption key 856 is notified to the control device 200, so that more detailed condition setting is possible. Further, it is possible to prevent the control device 200 from ignoring the use condition and using the execution result.
Furthermore, since the control apparatus 200 can be authenticated at the same time in the procedure, spoofing by a third party 999 can be prevented efficiently.

Embodiment 6 FIG.
In the embodiment described above, the connection method between the execution restriction device 300 or the use restriction device 350 and the control target device 100 is not particularly mentioned.

These connections may also be made via an open network such as the Internet in the same manner as the connection with the control device 200.
In that case, since there is a risk of eavesdropping, falsification, and impersonation by a third party 999 for communication between the execution restriction device 300 or the use restriction device 350 and the control target device 100, an electronic signature can be attached. It is necessary to take measures such as encryption using a common key or a secret key.

  As a result, heavy processing such as issuance of encryption commands and issuance of usage rights and key management are performed by the usage right management server, which not only reduces the implementation on the controlled device side but also compromises safety. There is no effect. Furthermore, since there are no restrictions on the installation locations of the execution restriction device 300 and the use restriction device 350, a flexible design is possible.

  Alternatively, the control device 200 may have the function of the execution restriction device 300 or the use restriction device 350.

  As a result, since the encryption command is issued by the control device 200, the command to be executed by the control device 200 is registered. Therefore, the operation procedure of the control device is reduced, but the safety is not impaired.

  As described above, the right-of-use access control method performed by the execution restriction device 300 or the use restriction device 350 is a set of commands that can be executed on a controlled device in a system that controls the controlled device from a remote control device. An executed command information issuing function for issuing command information including information specifying a command to be executed on the device and information specifying the device, and the executed command information issuing function. A command execution function that confirms the issued command information and executes only the command included in the confirmed command information may be configured.

  In addition, as command information, information for identifying a command (command identification information), device identifier for identifying a device to be executed, information such as a device public key certificate (device identification information), and command information are issued. You may comprise from the electronic signature using the private key of the apparatus to do.

  Of course, these command information may be encrypted.

  Alternatively, in a system in which a controlled device is controlled from a remote controlled device, a command group including a set of commands that can be executed on the controlled device and a target that issues information specifying a command to be executed on the device. The execution command information issuing function, the command execution condition issuing function for issuing information (usage rights) on conditions under which the command can be executed, and the execution target only under the command execution conditions issued by the command execution condition issuing function You may comprise from the command execution function which performs only the command information issued by the command information issue function.

  In addition, a command execution condition issuing function for issuing a usage right having one or more of the following conditions as a command execution condition may be provided. That is, command information, command information issuer information (issuer information), device information that executes command information (execution device information), device information that instructs execution of command information (execution instruction device information), command Information of the instructor instructing execution of information (execution instructor information), network information (execution network information) when executing command information remotely, date information (execution date information) for executing command information, command information Execution permission confirmation necessity information (execution confirmation necessity information), command information execution count information (execution count information), command information execution result sending permission information (execution result sending availability information), executed before command information execution Command information (command history information before execution), command result information executed before command information execution (status before execution) Broadcast), event information (execution event information that triggers the command information execution), immediate-reservation information (reservation information of the command information execution) is a condition of such.

  Alternatively, a command with a command encryption processing function for encrypting each command in the command group, a key management function for managing command information and an encrypted key of the command, and a function for issuing the key including the usage right is added. It has an execution condition issue function and a command execution function that adds a function to decrypt command encrypted with the key extracted from the usage right and execute command information only under the command execution condition included in the usage right. It may be.

  Alternatively, encrypted command information using encrypted command group information that is an encrypted command may be included as command information.

  Furthermore, it may have a function having one or more of the following functions. In other words, a timer function with date / time information, a storage area for recording the number of executions of a command, a control function for counting up or clearing data in the storage area, and an interface for setting command execution permission information on the device And a storage area for storing the result, a control function such as setting or clearing data in the storage area, an interface for setting information on execution permission of a specific command on the device, and a storage area for storing the result Control function, such as setting or clearing data, interface before confirming execution of command to external device or user, storage area for holding the confirmation result, and setting or clearing data in that storage area Control function such as Set or clear data in the storage area Control functions, such as A, control functions, such as set or clear the data in the storage area the storage area that holds a history and execution status information of the command execution, and the like of the electronic signature verification function.

  In addition, an electronic signature using a device private key may be attached to the usage right, and a device identifier or a device public key certificate may be used as information for specifying the device.

  In addition, the usage right may be encrypted.

  Alternatively, communication between the non-control device and the control device may be performed after mutual authentication.

  Alternatively, device authentication may be performed using a public key certificate / private key embedded in a secure chip of the device.

  Furthermore, a usage right processing function for storing the usage right in a secure chip of the device and executing the usage right in the secure chip may be provided.

  In addition, when using the command result encryption processing function for encrypting the command execution result, the command result key management function for managing the encryption key, and the command result, the use request is accepted and the command is received. A usage right issuing function for issuing a usage right including the composite key information corresponding to the result may be provided.

  Alternatively, when a request for use of the control device is received, authentication of the device of the control device or authentication of the control device operating user may be performed.

  In addition, when using an encrypted command result, a usage right issue request for issuing a command usage right (command usage right) issue request to the controlled device based on the identification information of the corresponding command result. Check the usage conditions of the function and usage rights, and only have a command result usage function that decrypts the command result and prevents the decryption result from being left in any storage medium of the control device only when the usage condition is satisfied. May be.

  Further, the key management function for managing the usage right may be taken out to a third server different from the controlled device and the control device.

  Alternatively, the command execution condition issuing function is executed on a third server separate from the controlled device and the control device, and the command execution condition management function has a command execution condition instruction function for specifying the command execution condition. May be.

  Alternatively, the executed command information issuing function may be executed by the control device.

As a result, after mutual authentication, it is also checked whether the command is permitted to the outside device by the premises, and execution of unauthorized commands is prohibited regardless of intentional or negligence from the authenticated party. It can be.
Furthermore, even with an authorized command, the execution conditions can be finely controlled (for example, executable date and time).

The figure which shows an example of the external appearance of the execution restriction apparatus 300 in Embodiment 1- Embodiment 4. FIG. The figure which shows an example of the hardware constitutions of the execution restriction | limiting apparatus 300 and the control apparatus 200 in Embodiment 1- Embodiment 4. FIG. The figure which shows an example of the hardware constitutions of the control object apparatus 100 in Embodiment 1- Embodiment 4. FIG. 1 is a diagram illustrating an example of an overall configuration of a system in Embodiment 1. FIG. The flowchart figure which shows an example of the flow of control of the execution restriction apparatus 300 in Embodiment 1- Embodiment 4. FIG. FIG. 10 is a diagram illustrating an example of a command 400 stored in a command group storage unit 312 in the first to fourth embodiments. 6 is a diagram showing an example of command information 800 created by a command information issuing unit 314 in Embodiment 1. FIG. The figure which shows an example of the selection command information 810 which the control apparatus 200 produces in Embodiment 1- Embodiment 4. FIG. FIG. 4 is a diagram illustrating an example of an overall configuration of a system according to a second embodiment. The figure which shows an example of the key management information 600 which the key management part 332 memorize | stores in Embodiment 2-Embodiment 3. FIG. The figure which shows an example of the command information 800 which the command information issuing part 314 produces in Embodiment 2-Embodiment 3. FIG. In Embodiment 2, the figure which shows an example of the usage right 820 which the usage right issuing part 344 notifies. FIG. 10 is a diagram illustrating an example of an overall configuration of a system according to a third embodiment. FIG. 9 is a flowchart showing an example of a control flow of an execution restriction device 300 in the third embodiment. The figure which shows an example of the usage right 820 which the usage right issuing part 344 produces in Embodiment 3-4. FIG. 10 is a diagram illustrating an example of an overall configuration of a system according to a fourth embodiment. In Embodiment 4, it is a figure which shows an example of the selection use right 830 which the control apparatus 200 notifies. FIG. 14 is a flowchart showing an example of a control flow of the execution restriction device 300 according to the fourth embodiment. FIG. 14 is a flowchart showing an example of a control flow of the execution restriction device 300 according to the fourth embodiment. FIG. 10 is a diagram showing an example of the overall configuration of a system in a fifth embodiment. FIG. 18 is a diagram illustrating an example of command result key management information 610 stored in a command result key management unit 382 in the fifth embodiment. In Embodiment 5, it is a figure which shows an example of the usage right 850 which the usage right issuing part 344 notifies. FIG. 10 is a flowchart showing an example of a control flow of a usage restriction device 350 according to the fifth embodiment. In Embodiment 5, it is a figure which shows an example of the utilization request | requirement 840 which the control apparatus 200 notifies. In Embodiment 5, it is a flowchart figure which shows another example of the flow of control of the use restriction apparatus 350. In Embodiment 5, it is a figure which shows an example of the selection usage right 860 which the control apparatus 200 notifies.

Explanation of symbols

  100 control target device, 200 control device, 300 execution restriction device, 301 execution permission unit, 311 selection command information reception unit, 312 command group storage unit, 313 command encryption processing unit, 314 command information issue unit, 321 usage right processing unit, 322 Execution condition storage unit, 324 Command execution condition issue unit, 332 Key management unit, 334 Key notification unit, 344 Usage right issue unit, 350 Usage restriction device, 351 Use permission unit, 363 Command result encryption processing unit, 364 Execution result notification 371 Usage right processing unit 372 Usage condition storage unit 374 Usage condition notification unit 381 Usage request acquisition unit 382 Command result key management unit 400 Command 401 Command identifier 402 Execution device information 403 Command character string 404 Command description, 600 Key management information, 6 01 Encryption command identifier, 602 Decryption key, 610 Command result key management information, 611 Execution result identifier, 612 Decryption key, 800 Command information, 801 Command identifier, 802 Execution device information, 803 Signature, 804 Command description, 808 Encryption command Identifier, 809 encrypted command identifier, 810 selection command information, 811 command identifier, 812 execution device information, 813 signature, 820 use right, 821 use right identifier, 822 encrypted command identifier, 823 execution device information, 824 execution date and time Information, 825 user confirmation necessity information, 826 decryption key, 827 signature, 830 selection use right, 831 use right identifier, 832 encryption command identifier, 833 execution device information, 834 execution date / time information, 835 user confirmation necessity information, 36 signature, 840 use request, 841 execution result identifier, 842 signature, 850 use right, 851 use right identifier, 852 execution result identifier, 853 execution device information, 854 use date / time information, 855 user confirmation necessity information, 856 decryption key, 857 Signature, 860 Select usage right, 861 Usage right identifier, 862 Execution result identifier, 863 Execution device information, 864 Execution date / time information, 865 User confirmation necessity information, 866 Signature, 910 System unit, 911 CPU, 912 bus, 913 ROM , 914 RAM, 915 communication board, 920 magnetic disk unit, 921 OS, 922 window system, 923 program group, 924 file group, 940 Internet, 941 gateway, 942 LAN, 950 operation unit, 999 Three parties.

Claims (8)

In an execution restriction device that restricts execution of a control command from a control device to a control target device,
A control command storage unit that stores the control command that can be executed for the control target device;
A control command notification unit that notifies the control device of the control command stored in the control command storage unit;
A control command acquisition unit for acquiring a control command for the device to be controlled;
When the control command stored in the control command storage unit matches the control command acquired by the control command acquisition unit, the control target device is allowed to execute the control command acquired by the control command acquisition unit. An execution permission unit,
An execution restriction device characterized by comprising: The execution restriction device further includes:
A control command encryption unit that encrypts the control command stored in the control command storage unit using a predetermined key;
A key storage unit for storing a key used by the control command encryption unit to encrypt the control command;
A key notification unit for notifying the control device of the key stored in the key storage unit;
Have
The control command notification unit
The execution restriction device according to claim 1, wherein the control command encryption unit notifies the control command encrypted by the control command encryption unit. In an execution restriction device that restricts execution of a control command from a control device to a control target device,
An execution condition storage unit that stores, as an execution condition, a condition that allows the control target apparatus to execute the control command;
An execution condition notification unit that notifies the control device of the execution condition stored by the execution condition storage unit;
A control command acquisition unit that acquires a control command notified by the control device when the control device determines that the execution condition notified from the execution condition notification unit is satisfied;
When it is determined whether or not the execution condition stored in the execution condition storage unit is satisfied and it is determined that the execution condition is satisfied, the execution permission for allowing the control target device to execute the control command acquired by the control command acquisition unit And
An execution restriction device characterized by comprising: The execution restriction device further includes:
When the control device determines that the execution condition notified from the execution condition notification unit is satisfied, the control device has an execution condition acquisition unit that acquires the execution condition notified together with the control command,
The execution permission part
When the execution condition acquired by the execution condition acquisition unit matches the execution condition stored by the execution condition storage unit, the control target device is allowed to execute the control command acquired by the control command acquisition unit. The execution restriction apparatus according to claim 3, wherein The execution permission part
The execution according to any one of claims 1 to 4, wherein when the control command acquired by the control command acquisition unit is permitted to be executed, the control command is notified to the device to be controlled. Restriction device. In the use restriction device that restricts the use of the execution result generated by the control target device to the control device,
A use condition storage unit that stores, as a use condition, a condition that allows the use of the execution result to the control device;
A use condition notifying unit for notifying the use condition stored in the use condition storing unit to the control device;
A use request acquisition unit that acquires a use request notified by the control device when the control device determines that the use condition notified from the use condition notification unit is satisfied;
When the usage request acquisition unit acquires a usage request, it is determined whether or not the usage condition stored in the usage condition storage unit is satisfied. A permission section that permits the use of
A use restriction device characterized by comprising: The use restriction device further includes:
When the control device determines that the use condition notified from the use condition notification unit is satisfied, the control device has a use condition acquisition unit that acquires the use condition notified together with the use request,
The above usage permission section
The use of the execution result is permitted to the control device when the use condition acquired by the use condition acquisition unit matches the use condition stored by the use condition storage unit. 6. The use restriction device according to 6. The use restriction device further includes:
An execution result encryption unit that encrypts the execution result generated by the control target device using a predetermined key;
An execution result notifying unit for notifying the control device of the execution result encrypted by the execution result encrypting unit;
A key storage unit for storing a key used by the execution result encryption unit to encrypt the execution result;
A key notification unit for notifying the control device of the key stored in the key storage unit when permitting the control device to use the execution result;
The use restriction device according to claim 6 or 7, characterized by comprising:

Images