JP2009169868A - Storage area access device and method for accessing storage area - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a storage area access device for solving a problem that can occur when an external storage medium provided with a protected area such as an SD in a computer system such as a portable terminal with a sandbox operating protects an access control policy for setting an operation of the sandbox and an additional function for complementing the operation of the sandbox, and to provide an method for accessing a storage area. <P>SOLUTION: A secure area access part 120 has a function which uses an access key 1020 to acquire a first decryption key 10411 stored in a secure area 210 in an encrypted state, and uses environment information 1030 and the access key 1020 to acquire a second decryption key 1060, and a function which uses the acquired decryption key 1060 to decrypt the encrypted first decryption key 10411. A data area access part 140 has a function which uses a first decryption key 1040 decrypted by the secure area access part 120 to decrypt encrypted access control data 10511. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention provides access control data for specifying the operation of an access control device when there is an access control device that operates on a system having a storage device with a secure protection area, such as an SD card conforming to the CPRM standard. The present invention relates to a storage area access device and a storage area access method for safely storing and applying a storage area.

  In a software execution environment in which an untrusted application operates, such as an application downloaded from a website that is not included in the official category of the telecommunications carrier among the websites that can be browsed via the Internet connection service of the mobile phone terminal, the terminal A security mechanism is required to restrict access to important resources such as the above files and devices. One of such security mechanisms is a mechanism called a sandbox. As shown in Non-Patent Document 1, there are various implementation forms according to the required environment, function, or performance.

  Regardless of what form of sandbox is implemented, an access control policy that defines what kind of access control is applied to which application is required. For example, in a system call sandbox in Linux (registered trademark), when it is desired to restrict access to a specific file by a specific application, the access to the file is detected by monitoring the open system call of the application.

  Figure 1 shows an example of a sandbox implementation. FIG. 1 shows a general configuration of a system call sandbox that controls access when an application accesses a resource using a system call by examining the issuer and argument of the system call. In FIG. 1, the trusted application is permitted to access the trusted resource on the computer, but the general application that may be malicious is not permitted to access the trusted resource.

  The access control policy is a sandbox operation setting, and determines whether or not each resource can be accessed for each application. For example, in the case of a system call sandbox, this is information that specifies a system call for which access is permitted or prohibited, a system call issuer, and a system call argument. The additional functions assume special monitoring applications to support sandbox operations.

  The system call sandbox is often implemented in the kernel space by being incorporated into the kernel. In this case, it is difficult to monitor the application, such as what authority the trusted application or general application has or whether it is not impersonated. If a malicious application impersonates a trusted application, the sandbox access control policy allows access to the trusted resource, resulting in unauthorized access to the resource. .

  The additional function compensates for such a weak point of the sandbox and is arranged in the user space according to the function. For example, in the Windows Mobile (registered trademark) OS, the authority and memory space of other applications can be acquired by using a system API that can be called from the user space.

  In the configuration shown in FIG. 1, when a malicious general application tries to access a trusted resource, the following method can be considered.

(1) Tamper with system call sandbox operation (2) Tamper with access control policy (3) Tamper with additional functions

  Of these, the method (1) is more difficult than the methods (2) and (3). Originally, recent OSs such as Windows (registered trademark) and Linux are designed so that the CPU operates in a plurality of privilege modes. For this reason, the accessible memory area, executable functions, and the like are greatly different between the user mode in which the application operates and the kernel mode in which the OS operates. It is very difficult to access the kernel space from the user space. Therefore, it is difficult for a general application that operates in the user space to falsify a program that operates in the kernel space. Further, since the main body of the program operating in the kernel space is usually placed in a ROM area that cannot be rewritten, it is difficult to access from a general application.

  On the other hand, since the access control policy and the additional function are arranged on the user space or the rewritable secondary storage, there is a possibility that the user or general application can rewrite. For example, in Windows Mobile, a function for linking with a PC called ActiveSync (see Non-Patent Document 2) is provided. By using this, it is possible to freely refer to a wide range of memory space from the PC. ActiveSync makes it easy to access access control policies and additional functions, so there is a high possibility of tampering.

  In order to solve such a problem, a method of arranging an access control policy and an additional function in a protection area can be considered. The protection area can be realized by using a chip set in which a hardware protection function is previously installed in the computer. For example, M-Shield (see Non-Patent Document 3), which is a hardware protection function developed by Texas Instruments (TI), is used. The protected area configured by M-Shield has an access control mechanism independent of the OS, and access is restricted even for applications with the same authority as the kernel. Since the data stored in the protected area is encrypted by the function of the protected area, there is no fear of leaking the contents even if it is accidentally leaked.

  As described above, the access control policy and the additional function can be protected by the protection area implemented by hardware. The configuration is shown in FIG. In advance, an access right to the protection area, an access control policy encrypted on the protection area, and a decryption key for the additional function are given to the sandbox. The sandbox decrypts the access control policy and additional functions read from the protection area, and applies or executes them as they are without saving them in the secondary storage. By doing so, the access control policy and the additional function are not leaked to the non-protected area that is easily accessed illegally, so that the above-described problems can be solved.

  The protection area as described above provides a very strong security function, but has the disadvantage that the hardware environment is limited. For example, the above-described M-Shield only supports TI-made secure chipsets, and is not applicable to computers configured with other chipsets. If a change from an existing chipset to a secure chipset is considered, it is accompanied by redesigning the programs and OS created for the current chipset. Further, since the chipset itself with secure hardware is also expensive, it can be said that improving the security using the protection area mounted on the chipset is a very expensive method.

  On the other hand, in recent years, an external storage device such as a USB flash memory or SD (see Non-Patent Document 4) is generally used particularly for backup of multimedia contents such as images and music. In particular, SD is widely used not only for PCs but also for mobile phones and smartphones (hereinafter abbreviated as mobile terminals as appropriate), and is becoming the de facto standard for external storage devices for mobile terminals.

  In a portable terminal, in particular, SD is used as a backup device for copyrighted media data, and therefore often has a copyright protection function on both the card and the card reader side. The copyright protection function in SD is called the CPRM standard (see Non-Patent Document 5) and is standardized by an organization called 4C (see Non-Patent Document 6).

  The CPRM standard is briefly described below. Fig. 3 shows the SD configuration conforming to the CPRM standard. In FIG. 3, the left side represents the device into which the SD is inserted, and the right side represents the SD. SD is divided into System Area, Hidden Area, Protected Area, and User Data Area. Among these, the System Area and the Hidden Area are areas that cannot be rewritten, and the Hidden Area is an area that cannot be accessed from outside. The media unique key stored in the Hidden Area is a secret key uniquely assigned to each SD. An MKB (Media Key Block) stored in the System Area is commonly given to SDs in a specific group, and is used by the device side to calculate a media unique key.

  On the device side, a media unique key is calculated using a device key uniquely assigned to each device, an MKB, and a media ID assigned to each media. The title key, CCI (Copy Control Information), and UR (Usage Rule) stored in the Protected Area are generated as a set with the content stored in the User Data Area, and are always associated with each other.

  Here, the title key is an encryption key for encrypting the content, and CCI and UR define the content usage rules such as copying permission / inhibition, and these are combined and encrypted with the media unique key. Is done. In order to access the Protected Area, mutual authentication using AKE authentication is required between the device and the medium. When using content on the device side, the corresponding title key, CCI, and UR can be specified after AKE authentication. Therefore, by calculating the media unique key, the title key, CCI, and UR are first decrypted, and thereby the content The content can be used by decrypting.

  The CPRM standard is based on the above-described configuration and defines an extended standard for each application. Representative examples include music data standard SD-Audio, video data standard SD-Video, or SD-Binding capable of managing content usage associated with specific information of devices and users. The following is a brief description of SD-Binding. As shown in FIG. 4, SD-Binding is characterized in that a device uses a media unique key and a bind ID when encrypting a title key. The bind ID is a bit string that can be arbitrarily set for each title key on the device side.

  For example, when a certain content is purchased in the mobile terminal, the title key corresponding to the content is encrypted with the bind ID as the model ID of the mobile terminal. In this case, since a terminal having a different model ID cannot decrypt the title key, even if the SD is inserted into another terminal, it is possible to prevent the content from being used on the terminal. . In particular, this is an effective standard when the copyright holder wants to use his / her content limited to a specific device.

  As examples of techniques using the SD-Binding standard, Patent Document 1 and Patent Document 2 are known.

  The technique disclosed in Patent Document 1 was invented so that the content on the SD can be smoothly used even on the new terminal side when content migration between mobile terminals occurs. If the content is encrypted with a bind ID that can be acquired on the old terminal, the management file in which the bind ID is registered is encrypted and stored on the SD. On the new terminal side, the bind ID in the old terminal can be obtained by decrypting the management file, so the content encrypted using the bind ID of the old terminal can also be used on the new terminal side. Become.

  The technology disclosed in Patent Document 2 was invented in order to make content bound to a specific device available to other devices under certain usage restrictions. Specifically, the reserved area defined by the SD-Binding standard is used. In the reserved area, at least the content usage rules and the bind ID generation method in other devices are described. On the other device side, the bind ID is generated by the bind ID generation method, the content is decrypted, and the content is used according to the content usage rule.

  As described above, content protected on the SD by the CPRM standard cannot be freely used by users or general applications without authority. Also, the CPRM standard does not specify the format of data that is specifically protected. Therefore, for example, even an access control policy or an additional function used by the sandbox can be protected. Fig. 5 shows the function expansion configuration of the sandbox in which the access control policy and additional functions are protected by the CPRM standard. The sandbox needs to be able to refer to at least the device key, so that it is possible to refer to or update the encrypted additional function and access control policy.

  Figure 6 shows the internal structure of the SD and sandbox for function expansion using the CPRM standard. The right side of FIG. 6 represents the internal configuration of the SD, and the left side of the figure represents a process from obtaining a policy from the SD according to a policy driving event and applying it to the sandbox.

  First, the structure of SD will be described. Here, description of System Area is omitted. A media unique key is stored in the Hidden Area. In the Protected Area, a policy key for encrypting the policy is stored, and in the User Data Area, the policy and the additional function are respectively encrypted and stored. A policy key is prepared for each policy. One policy may be associated with one or a plurality of additional functions.

  Next, the configuration of the sandbox will be described. The policy driven event is an event for applying a new access control policy to the sandbox. For example, it may be a terminal start or a specific service start. Depending on each event, for example, if the terminal is activated, the policy for starting the terminal is applied, and if the service is started, the policy for in-service is applied. When a policy-driven event is detected, the policy and additional functions are acquired from the SD, decrypted and applied to the sandbox. When obtaining secure data, the policy key is decrypted by obtaining the device key, and the policy is decrypted using the policy key.

  When the access control policy using the CPRM standard and the protection of additional functions as described above can be realized, the following effects can be obtained.

(1) Access control policy and legitimacy of additional functions can be guaranteed without using a special secure chipset (2) Support for hardware reset of smartphones, etc. (3) Security strength can be adjusted Effect (1 ) Since the hardware and secure protection area on SD is used to realize protection of policies and additional functions, it is possible to realize protection of access control policies and additional functions that were problems of existing sandboxes. Is possible. In addition, by using the SD-Binding standard and generating a bind ID based on the event that triggered the change of the system configuration or policy that operates the sandbox, it is possible to prevent the application of unauthorized policies that are not suitable for the situation. It becomes possible. Furthermore, considering that SD is generally widespread, it can be easily realized as compared to using a secure chipset.

  The effect (2) is described. Smartphone terminals such as Windows Mobile and other portable terminals usually have a hardware reset function, and the user can return his / her terminal to the factory default. In this case, all data written on the secondary storage device is erased. If policies and additional functions are stored on the secondary storage, these are also deleted at the same time. Therefore, for example, when a mobile phone carrier, an administrator in a company, or an administrator of another terminal imposes a policy on the user's terminal for the purpose of restricting the use of the terminal to the user. Even if it exists, it will be erased. However, since the data on the SD is not subject to initialization at hardware reset, if the policy and additional functions are placed on the SD, the same policies and additional functions as before the initialization can be safely performed after initialization. Applicable.

  The effect (3) is described. In general, interface access control using a sandbox may cause problems in application operations. This is because the application creation side is not developing on the premise that access to a specific function on the system is prohibited. On the other hand, access control itself may not always be necessary.

For example, only when a secure service is implemented or when the terminal is in a special environment, there may be a demand to limit a specific function on the system by a sandbox. In this way, if there is a difference in the level of access control required according to the usage scene of the terminal, the sandbox policy is applied only when access control is necessary, and otherwise the policy is disabled. If it is set as a computerized state, it is considered that the occurrence of problems in the application during normal use is reduced. However, when the access control policy is invalidated, the security of the system is not ensured. For this reason, the access control policy and the additional function can be easily tampered with, and then normal access control cannot be executed. Therefore, by using the CPRM standard, when policies are invalidated, policies and additional functions are placed on the SD to prevent attacks against these even when access control is not performed. .
“Sandbox technology for native code”, computer software Vol.20, No4 (20030725), pp. 375-392, http://ol-www.cs.uec.ac.jp/~oyama/publications/OyamaSandboxSurvey03 .pdf ActiveSync4.5, http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9E641C34-6F7F-404D-A04B-DC09F8141141 TEXAS INSTRUMENTS M-Shield, http://focus.ti.com/general/docs/wtbu/wtbugencontent.tsp?templateId=6123&navigationId=12316&contentId=4629 SD Card Association, http://www.sdcard.org/home CPRM / CPPM, http://www.4centity.com/tech/cprm/ 4C Entity, http://www.4centity.com/ Japanese Patent Laid-Open No. 2004-139433 JP 2007-94992 A

  However, since the SD CPRM standard was originally defined as a use case for protecting multimedia content, it cannot cope with special issues that arise when it is used to protect access control policies. Examples of problems are shown below.

(1) When a system restart occurs in response to policy application (2) Protection method for the I / F part that receives a policy change or application request (3) Access control policy update method (4) Access control What to do if SD removal occurs while applying a policy

  Describe issue (1). Some sandboxes such as the system call sandbox that are built into the kernel and run may be restarted due to policy changes. This is to prevent the system from becoming unstable by changing the operation of the kernel space program or by restricting the access to the OS interface for the currently running program. Before and after rebooting, it is necessary to implement the access control policy stored in the SD securely and reliably.

  Describe issue (2). Consider a system that applies access control policies in response to events. An event is an opportunity to change a policy applied to a sandbox, and for example, when a specific network service is executed. The occurrence of an event can be detected by a service application or the like that generates the event by issuing a policy change request to the policy application function of the sandbox. However, when all requests are accepted, there is a possibility that a malicious application may apply an invalid policy or invalidate a policy. In order to accept a policy application / invalidation request only from a legitimate application, it is necessary to protect the I / F that receives the request by some means and prohibit unauthorized access.

  Describe issue (3). The update of the access control policy is divided into a writing stage to the protected area by calculating the policy key and a writing stage to the user data area of the policy encrypted with the policy key. Of these, the latter is the same as when writing multimedia content as indicated by the CPRM standard. The policy key generation method is exactly the same as long as it does not include a bind ID.

  However, in practice, in the use case that encrypts the access control policy, the policy to be applied differs depending on the request source event, the system environment where the sandbox operates, etc., so the bind ID should be generated based on this information. Therefore, it is necessary to prevent application of a wrong policy. When a policy key including such a bind ID is encrypted, a method for generating the policy key must be defined on the writing side.

  Describe issue (4). The CPRM standard only allows access to content when an SD is inserted, and does not stipulate special processing related to SD attachment / detachment. However, when applying an access control policy, special processing related to the attachment / detachment state of the SD is required, for example, processing of a policy at the time of insertion or processing of a policy application request at the time of non-insertion.

  The present invention has been made in view of such circumstances, and access control for setting sandbox operation by an external storage medium having a protection area such as SD in a computer system such as a portable terminal on which the sandbox operates. It is an object of the present invention to provide a storage area access device and a storage area access method that solve a problem that may occur when a policy or an additional function that complements sandbox operation is protected.

  In order to solve the problems described above, the present invention has the following features. First, the first feature of the present invention is that a data area (data area 220 and access prepared in advance) in which access control data (for example, access control data 1050) used for controlling access to resources on the system is stored. A storage device (storage device 200) including a secure area (secure area 210) that can be accessed only by a key (access key 1020), and an access control apparatus (access control apparatus) that controls execution of a program according to the access control data 300) and a program execution environment (hardware such as a CPU or an operating system) in which the program is executed, and the access from the storage device according to a predetermined event (for example, event 400) A storage area array for acquiring the access control data to be applied to the control device Access device (storage area access device 100), wherein the access control data is stored in the data area in a state where it can be decrypted by a first decryption key (for example, the first decryption key 1040). The first decryption key is stored in the secure area in a state where it can be decrypted by a second decryption key (second decryption key 1060), and the occurrence of the predetermined event is detected, An event detector that generates access control data specifying information (for example, access control data specifying information 1010) used for specifying the access control data to be applied and the first decryption key in accordance with the detected predetermined event (Event detection unit 110) and a secure area access unit for acquiring the first decryption key specified by the access control data specification information from the secure area (Secure area access unit 120), a data area access unit (data area access unit 140) for acquiring the access control data specified by the access control data specifying information from the data area, and an operating environment of the access control device An environment information generation unit (environment information generation unit 130) that generates first environment information (environment information 1030) for identifying the secure area, and the secure area access unit is stored in the secure area in an encrypted state The first decryption key (for example, the first decryption key 10411) is acquired using the access key, and the second decryption key is acquired using the first environment information and the access key. A function to obtain, and a function to decrypt the encrypted first decryption key using the obtained second decryption key, and the data area access unit includes: Using said first decryption key decrypted by the cured area access unit, the access control data that is encrypted (e.g., the access control data 10511) to increase the has a function of decoding the.

  A second feature of the present invention relates to the first feature of the present invention, wherein the access control data specifying information includes information specifying the predetermined event, and the environment information generating unit is configured to specify the access control data specifying The gist is to generate the first environment information based on the information.

  A third feature of the present invention relates to the first feature of the present invention, wherein the event detection unit is configured to start a first event (first event) that is activation of the system or incorporation of the storage device into the system. First access control data specifying information (first access control) for detecting event 410) and specifying first access control data (first access control data 2050) to be applied in response to the first event The gist is to generate data identification information 2010).

  A fourth feature of the present invention relates to the third feature of the present invention, wherein the first access control data specifies a second event (second event 420) to be detected by the event detector. The gist of the event detection unit is to detect only the second event.

  A fifth feature of the present invention relates to the third feature of the present invention, and further comprises a system restarting unit (system restarting unit 160) for restarting the system, wherein the event detection unit is configured to access the access control device. Second access control data specifying information (second access control data) corresponding to second access control data (second access control data 3050) that is access control data that requires restart of the system when applied to the system Specific information 3010), and the secure area access unit includes the first decryption key (first decryption key 3040) and a first encryption key (first decryption key) corresponding to the first decryption key. A function for generating a decryption key 3070), a function for encrypting the first decryption key with the second decryption key (second decryption key 3060), and a second encryption for the first encryption key. Encrypted with the encryption key (second decryption key 3061) The first access control data, the encrypted first decryption key (first decryption key 3041), and the encrypted first encryption key (first decryption key 3071). The data area access unit stores the second access control data acquired by the second access control data identification information in the first area. The function of encrypting with the encryption key and the encrypted second access control data (second access control data 3051) are stored in the data area that can be specified by the first access control data specifying information. The system restart unit has a function of notifying the event detection unit of the first event after restarting the system.

  A sixth feature of the present invention relates to the fifth feature of the present invention, wherein the secure area access unit performs the first access control after applying the first access control data to the access control device. A function of erasing the encrypted first decryption key specified by the data specifying information, wherein the data area access unit is configured to apply the first access control data to the access control device after the application. The gist of the present invention is to have a function of erasing the encrypted first access control data (first access control data 3081) specified by the first access control data specifying information.

  A seventh feature of the present invention relates to the fifth feature of the present invention, wherein the secure area access unit generates the second decryption key based on second environment information (environment information 3031), and The gist of the second environment information includes at least information that can uniquely identify the system.

  An eighth feature of the present invention relates to the fifth feature of the present invention, wherein the data area access unit generates at least the second event in an area that can be specified by the first access control data specifying information. The gist is to store data capable of specifying the above.

  A ninth feature of the present invention relates to the first feature of the present invention, in which, when the storage device is removed from the system, the event detection unit newly starts the storage device storing the access control data. The gist is to stop the generation of the access control data for an event detected after the storage device is removed from the system until it is incorporated or the system is terminated.

  A tenth feature of the present invention is a memory including a data area for storing access control data used for controlling access to stored data, and a secure area accessible only by an access key prepared in advance. Used in a system including a device, an access control device that controls execution of a program according to the access control data, and a program execution environment in which the program is executed, and from the storage device according to a predetermined event A method of accessing a storage area from which the access control data to be applied to an access control device is acquired, wherein the access control data is stored in the data area in a state where it is decrypted by a first decryption key. And the first decryption key is encrypted so as to be decrypted by the second decryption key. Access control data that is stored in the secure area, detects the occurrence of the predetermined event, and is used to identify the access control data to be applied and the first decryption key according to the detected predetermined event Generating specific information; obtaining the first decryption key specified by the access control data specifying information from the secure area; and specifying the access control data specified by the access control data specifying information Obtaining from the data area; and generating first environment information for specifying an operating environment of the access control device, and obtaining the first decryption key, in the encrypted state, The first decryption key stored in the secure area is acquired using the access key Both acquire the second decryption key using the first environment information and the access key, and decrypt the encrypted first decryption key using the acquired second decryption key. In the step of obtaining the access control data, the encrypted access control data is decrypted using the first decryption key decrypted by the secure area access unit.

  According to the features of the present invention, an access control policy for setting sandbox operation and an operation of the sandbox are complemented by an external storage medium having a protection area such as SD in a computer system such as a portable terminal on which the sandbox operates. It is possible to provide a storage area access device and a storage area access method that can solve problems that may occur when protecting additional functions.

  Next, an embodiment of the present invention will be described. In the following description of the drawings, the same or similar parts are denoted by the same or similar reference numerals. However, it should be noted that the drawings are schematic and ratios of dimensions and the like are different from actual ones.

  Accordingly, specific dimensions and the like should be determined in consideration of the following description. Moreover, it is a matter of course that portions having different dimensional relationships and ratios are included between the drawings.

(1) 1st Embodiment First, with reference to FIG.7 and FIG.8, 1st Embodiment of this invention is described.

(1.1) System Configuration Including Storage Area Access Device FIG. 7 shows the system configuration of the storage area access device 100 according to this embodiment. As illustrated in FIG. 7, the storage area access device 100 includes an event detection unit 110, a secure area access unit 120, an environment information generation unit 130, a data area access unit 140, and an access control application unit 150. The storage area access device 100 operates on a system (not shown). At least the storage device 200 and the access control device 300 exist in the system.

  The storage device 200 is a removable external storage device having a secure protection area, such as an SD card. Details of the SD card have already been described and will be omitted.

  The access control device 300 is a mechanism for controlling a program operation on a system including a program execution environment (hardware such as a CPU or an operating system) in which a program is executed, such as a sandbox. The details of the sandbox have already been described and will be omitted. In the following embodiment, it is assumed that the access control data 1050 is input to the access control apparatus 300 for the same purpose as the sandbox access control policy, and the control target program and access control contents are determined by the access control data 1050. . That is, the access control data 1050 is used for access control to resources on the system, and the access control device 300 controls the execution of the program according to the contents of the access control data 1050.

  The storage area access device 100 acquires the access control data 1050 to be applied from the storage device 200 based on a predetermined event 400 that has occurred on the system, and applies it to the access control device 300. First, the storage device 200 in which the access control data 1050 is stored will be described.

  The image of the data arrangement of the storage device 200 is as shown in FIG. Here, in this embodiment, the policy key is called the first decryption key 1040, and the policy and the additional function are replaced with the access control data 1050. The protected area is the secure area 210, and the user data area is the data area 220.

  In the secure area 210, the encrypted first decryption key 10411 is stored. The encrypted first decryption key 10411 is the same as the case where the title key is encrypted with the device key or the bind ID in the CPRM standard. In the present embodiment, the encrypted first decryption key 10411 is assumed to be obtained by encrypting the first decryption key 1040 with the second decryption key 1060 (actually, not the decryption key but the encryption key). However, if they comply with the CPRM standard, these keys are all generated by the common key cryptosystem, and they are equal).

  The second decryption key 1060 is generated by combining the access key 1020 and the environment information 1030. The access key 1020 is a key for accessing the secure area 210, and is equivalent to a device key in the CPRM standard. The secure area can be accessed only with the access key 1020 prepared in advance.

  The environment information 1030 is information that is given so that the first decryption key 1040 can be acquired only under a specific situation, and is equal to the bind ID in the CPRM standard. The environment information 1030 is information that can identify the basic operating environment of the system in which the access control apparatus 300 operates. For example, the system OS version, hardware model, and the like correspond to the environment information 1030. The environment information 1030 may be information that can identify the event 400. For example, when there is an access control setting to be applied when a specific network service is executed, the execution of the network service is an event, and an application ID or the like that executes the network service corresponds to the environment information 1030.

  The data area 220 stores access control data, specifically encrypted access control data 10511).

(1.2) Directory Configuration of Storage Device 200 As described above, the first decryption key 1040 for each access control setting is encrypted by the second decryption key 1060 generated from the various environment information 1030. FIG. 8 shows a directory structure of the storage device 200 using a CPRM standard SD card as an example.

  In FIG. 8, there is an SD-Bind-Policy directory unique to this embodiment under the SD-Bind directory based on the CPRM standard. Further, under the SD-Bind-Policy directory, there are an environment-dependent policy and a service-dependent policy. Files are stored under these directories. The file is the encrypted access control data 1050 on the data area 220 side, and the encrypted first decryption key 1040 on the secure area 210 side. Hereinafter, the encrypted access control data 1050 is appropriately labeled as access control data 10511, and the encrypted first decryption key 1040 is appropriately labeled as the first decryption key 10411.

  That is, the access control data 1050 is stored in the data area 220 in an encrypted state so as to be decrypted by the first decryption key 1040. Further, the first decryption key 1040 is stored in the secure area 210 in a state where it is encrypted by the second decryption key 1060 so that it can be decrypted.

In the data area 220, for example, a policy based on the environment of the system is stored under the environment-dependent policy. For example, the encrypted access control data 10511 is obtained by encrypting the access control data for the model A, and the encrypted access control data 10512 (10513) is the access for the model B (model C). The control data is encrypted. The access control data 1050 differs depending on the access control device to be applied, but when it is a system call sandbox, for example, the following contents are described.
-System call ID subject to access control
-Control target resource (argument of system call)
-Control target program (system call program)

  The reason why the access control data exists for each model as described above will be described. For example, the interfaces (system calls and APIs) that the system exposes to programs differ depending on factors such as differences in operating systems, security settings, or model manufacturers' unique extensions. Therefore, in the case of a sandbox that controls the interface, such as a system call sandbox or an API sandbox, it is necessary to prepare different access control data for each model. However, assuming that the storage device 200 is like an SD card, it is not known which model is actually inserted and used, and access control data corresponding to various models and environments is stored in advance. It is necessary to keep.

  Also, different access control data may be required for each service. The service mentioned here means that some kind of access control is required for the system. For example, it is assumed that there is a service for connecting from a mobile terminal to a specific APN. This service assumes that only a mobile terminal can be used, and links with external PCs and other mobile terminals are prohibited. In such a case, it is necessary to restrict the use of a short-range wireless device, a USB device, or the like used for a link with the outside in advance. Therefore, when the service is activated, the event 400 occurs, and appropriate access control data 1050 is applied so that the access control apparatus 300 limits the I / F to the corresponding device.

  According to the CPRM standard, the secure area 210 and the data area 220 have exactly the same directory structure. For example, the secure area 210 includes an encrypted first decryption key 10411 corresponding to the encrypted access control data 10511, and an encrypted first decryption key corresponding to the encrypted access control data 10512. 10412, the encrypted first decryption key 10413 corresponding to the encrypted access control data 10513 is stored under the corresponding environment dependent policy directory.

  Each first decryption key is encrypted by the second decryption key 1060 generated by the environment information 1030 corresponding to the access key 1020 as described above. For example, when the access control data 10511 is the access control data for the model A, the environment information 1030 is information that can identify the model A, and the corresponding encrypted first decryption key 10411 indicates the model A. It is encrypted by the second decryption key 1060 generated based on the identifiable information.

  Similarly, when the access control data 10512 is model B access control data, the corresponding encrypted first decryption key 10412 is generated based on information that can identify the model B. Encrypted with the decryption key 1060. In the case of a mobile terminal, such information that can identify the model may use the upper six digits of IMEI assigned to each mobile terminal. By doing so, for example, in model A, it is possible to prevent the access control data for model B from being applied accidentally. This is because when the storage device 200 is incorporated in the model A, the environment information 1030 using the IMEI of the model B is not generated, and therefore the corresponding second decryption key 1060 is not generated. .

(1.3) Operation of Storage Area Access Device The operation of the storage area access device 100 when the storage device 200 having the directory configuration shown in FIG. 8 exists will be described.

  As shown in FIG. 7, the event detection unit 110 detects an event 400 and generates access control data specifying information 1010. Specifically, the event detection unit 110 detects the occurrence of the event 400 and, according to the detected event 400, the access control data 1050 to be applied and the access control data used for specifying the first decryption key 1040 Specific information 1010 is generated. That is, the access control data specifying information 1010 includes information for specifying the event 400.

  Here, the event 400 is assumed to be, for example, application execution or system activation. When an event occurs, an issuing application or the like requests access control data to be applied from the event detection unit 110, and the event detection unit 110 generates access control data specifying information 1010 in response to the request. The access control data specifying information 1010 is information necessary for specifying the encrypted access control data 10511 stored in the data area 220 and the encrypted first decryption key 10411 stored in the secure area 210. Specifically, it is a URI that points to a file in the directory. For example, SD-Bind / SD-Binding-Policy / environment-dependent policy / xxx is specified. xxx is an ID individually assigned to each first decryption key in the title key UR management file (TKURMG) defined in the SD-Bind standard. The encrypted first decryption key 10411 can be uniquely identified by the URI as described above, and the associated encrypted access control data 10511 can also be uniquely identified.

  The secure area access unit 120 acquires the first decryption key 1040 specified by the access control data specifying information 1010. First, the secure area 210 is accessed according to the normal CPRM standard, and the encrypted first decryption key 10411 is acquired using the access key 1020. Next, the secure area access unit 120 acquires the environment information 1030 and generates a second decryption key 1060 using the environment information 1030 and the access key 1020. The environment information 1030 is generated in advance by the environment information generation unit 130, and a specific generation method will be described later.

  The second decryption key 1060 is generated from the access key 1020 and the environment information 1030. Specifically, it conforms to the SD-Bind standard when the access key 1020 is a device key and the environment information 1030 is a device ID. The secure area access unit 120 obtains the first decryption key 1040 by decrypting the first decryption key 10411 encrypted using the generated second decryption key. If it cannot be decoded, it is not access control data that should be adapted to this system, so error processing such as notifying the event issuer is performed.

  The environment information generation unit 130 generates environment information 1030 that identifies the operating environment of the access control device 300. Specifically, the environment information generation unit 130 generates environment information 1030 required by the secure area access unit 120. The environment information 1030 to be acquired can be specified by the access control data specifying information 1010, for example. If a policy below the model-dependent policy is applied, the environment information 1030 can be generated by acquiring IMEI.

  The data area access unit 140 acquires the access control data 1050 specified by the access control data specifying information 1010 from the data area 220. Specifically, the data area access unit 140 acquires the encrypted access control data 10511 from the data area 220 according to the CPRM standard. Thereafter, the data area access unit 140 acquires the access control data 1050 by decrypting the access control data 10511 encrypted using the first decryption key 1040 that has already been decrypted by the secure area access unit 120. .

  The access control application unit 150 applies the access control data 1050 to the access control device 300. Although the application method differs depending on the access control device 300, for example, in the case of the access control device 300 that reads the access control setting into its own memory space, the access control device 300 is restarted once, and then the access control data 1050 is restarted. Is read. If the access control device 300 is a system call sandbox, it may be incorporated into the kernel program of the system, so that the entire system may need to be restarted. This will be described in the third embodiment.

  The storage area access device 100 may have a mechanism for performing error processing when the storage device 200 cannot be accessed due to some factor. For example, when the storage device 200 is an SD card, it may be removed from the system. In such a case, when the event 400 occurs, the corresponding access control data 1050 cannot be normally applied. As described above, when the storage device 200 cannot be accessed, the event detection unit 110 rejects an access control data application request generated correspondingly for all events except for a predetermined event. The predetermined event is an event that occurs when the storage device 200 is incorporated into the system again. This will be described in the second embodiment.

(2) Second Embodiment Next, a second embodiment of the present invention will be described with reference to FIG. 9 and FIG. The storage area access device 100 according to the present embodiment corresponds to the case where a first event that is a special event occurs.

(2.1) System Configuration Including Storage Area Access Device FIG. 9 shows the system configuration of the storage area access device 100 according to this embodiment. In the present embodiment, the configuration of the storage area access device 100 is not changed compared to the first embodiment. In the present embodiment, a storage area access device 100 corresponding to a case where a first event that is a special event occurs will be described.

  Specifically, the first event refers to an event in which the storage device 200 is recognized for the first time in the system, such as system activation or card insertion. When the storage device 200 is an external device such as an SD card, a corresponding device driver always exists in the system. When the system recognizes the storage device 200, CPU control is forcibly transferred to the device driver by a hardware interrupt. Therefore, the event detection unit 110 detects the first event 410 by notifying the event detection unit 110 of the storage area access device 100 from the device driver.

  That is, the event detection unit 110 detects the first event 410 that is the activation of the system or the incorporation of the storage device 200 into the system. Further, the event detection unit 110 generates first access control data specifying information for specifying first access control data to be applied in response to the first event 410.

  Hereinafter, the access control data specifying information generated in response to the first event 410 is referred to as first access control data specifying information 2010, and the access control data specified by the first access control data specifying information 2010 is the first access control data specifying information 2010. The access control data 2050 is assumed. Since the first event 410 is access control data that is applied immediately after the storage device 200 is incorporated into the system, in this embodiment, there is access control data that should be forcibly applied at the time of system startup or the like. Etc. are assumed.

  As an example of such access control data, data that controls access to the event detection unit 110 can be considered. If any program or user can freely request the application of access control data to the event detection unit 110, the storage area access device 100 is an unauthorized program or a program impersonating a secure service program. There is a possibility that the access control data is applied to the access control apparatus 300 in response to the request.

  This is because the storage area access device 100 can safely apply the access control data protected by the storage device 200 to the access control device 300, but cannot determine the request source that requests the application of the access control settings. Therefore, the access control device 300 constantly monitors access to the event detection unit 110, and prohibits access to the event detection unit 110 from other than some programs while the storage device 200 is incorporated in the system. . This makes it possible to prevent access control data from being applied in response to an unauthorized request.

(2.2) Directory Configuration of Storage Device 200 FIG. 10 shows a directory configuration example of the storage device 200 in which the first access control data 2050 and the corresponding first decryption key 2040 are stored.

  As shown in FIG. 10, an initial policy directory is newly provided under the SD-Bind-Policy directory according to the first embodiment. The initial policy is a directory specified by the first access control data specifying information 2010. It is assumed that the encrypted first access control data 2051 is stored in the data area 220, and the encrypted first decryption key 2041 is stored in the secure area 210. The encrypted first decryption key 2041 uses the first decryption key 2040 as the second decryption key 2060 in order to decrypt the encrypted first access control data 2051 into the first access control data 2050. It is encrypted by The second decryption key 2060 is generated by the access key 1020 and the environment information 2030 as in the first embodiment.

(2.3) Operation of Storage Area Access Device The storage device 200 having the directory configuration shown in FIG. 10 and the operation of the storage area access device 100 when the first event 410 occurs will be described. First, in response to a notification from a device driver or the like, the event detection unit 110 generates first access control data specifying information 2010. The first access control data specifying information 2010 is a URI indicating a directory such as SD-Bind / SD-Bind-Policy / initial policy, for example.

  The secure area access unit 120 acquires the encrypted first decryption key 2041 as in the first embodiment, and decrypts the encrypted first decryption key 2041 with the second decryption key 2060.

  The environment information generation unit 130 generates environment information 2030. The environment information 2030 is special information that is generated when the first event 410 occurs and is common to all terminals. The environment information 2030 is different from information generated depending on other models or services. For example, the environment information 2030 is information in which all bits of the bind ID are set to 0. By setting the environment information 2030 in this way, the first access control data is not applied except when the system is activated.

  The data area access unit 140 decodes the first access control data 2051 acquired by the first access control data specifying information 2010 and acquires the first access control data 2050.

  The access control application unit 150 applies the first access control data 2050 to the access control device 300. Further, the access control application unit 150 may notify the device driver that has notified the first event 410 that the access control application processing has ended.

(3) Third Embodiment Next, a third embodiment of the present invention will be described with reference to FIGS. The storage area access device 100 according to the present embodiment includes a system restart unit that restarts the system.

(3.1) System Configuration Including Storage Area Access Device FIG. 11 shows the system configuration of the storage area access device 100 according to this embodiment. As shown in FIG. 11, the storage area access device 100 includes a system restart unit 160.

  In the present embodiment, the storage area access device 100 corresponding to the case where the second event 420 which is a special event occurs will be described. Specifically, the second event 420 is such that the system needs to be restarted before the second access control data 3050 corresponding to the second event 420 is applied. For example, consider a case where the access control device 300 is a system call sandbox that is implemented by being incorporated in a part of kernel code. In such a case, considering that the access control data is changed, the data read into the kernel space needs to be changed. Further, when a system call is called from a program at the time of changing the access control setting, there is a high possibility that a failure will occur in the program or the system itself by changing the access control setting.

  Therefore, in such a case, it is desirable to incorporate the access control setting into the access control apparatus 300 before starting the program by restarting the system. The storage area access device 100 according to the present embodiment can cope with such a case.

(3.2) Directory Configuration of Storage Device 200 FIG. 12 shows a directory configuration example of the storage device 200 according to the present embodiment. As shown in FIG. 12, the directory configuration according to the present embodiment is the same as the directory configuration according to the second embodiment (see FIG. 10).

  The first access control data stored under the initial policy is access control data that is always applied after activation. When the system is started, access control data is not stored in the initial policy directory. The service-dependent policy directory stores the encrypted second access control data 3051 and the encrypted first decryption key 3041 corresponding to the second access control data 3050. In this embodiment, the access control data stored in the directory under the service-dependent policy is used as the second access control data 3051 as an example, but it may be stored in the environment-dependent policy directory.

(3.3) Operation of Storage Area Access Device The operation of the storage area access device 100 when the storage device 200 has the directory configuration shown in FIG. 12 will be described based on FIG. Specifically, FIG. 13 shows the operation of the storage area access device 100 until the system is restarted.

  The purpose of the processing shown in FIG. 13 is to store the second access control data to be applied after the system is restarted in the storage device 200 as the first access control data described in the second embodiment. By executing such processing, the first access control data can be automatically applied to the access control device 300 after the system is restarted.

  In step S1000, the event detection unit 110 generates the second access control data specifying information 3010 in response to the second event 420. That is, in the present embodiment, the event detection unit 110 can set only the second event 420 as a detection target.

  The second access control data specifying information 3010 includes at least two pieces of information. One is a URI for specifying the access control data and the first decryption key. The information is the same as in the first embodiment. The other is information indicating that the system needs to be restarted to apply the access control policy. For example, in the second access control data specifying information 3010, 1 bit is used as a restart flag, and if the value of the restart flag is true, the storage area access device 100 applies the policy after the system is restarted. Transition to processing.

  In step S1010, the secure area access unit 120 uses the second decryption key 3060 generated in the same manner as in the first embodiment to generate the first decryption key 3041 specified using the second access control data specifying information 3010. Decrypt to obtain the first decryption key 3040. The environment information 3030 used for decryption is generated in step S1020. This is as described in the first embodiment.

  In step S1030, the secure area access unit 120 uses a second decryption key 3061 (target key) different from the second decryption key 3060 and a first decryption key 3070 (subject to the first decryption key 3040). Target key). The second decryption key 3061 is generated by the environment information 3031 and the access key 1020.

  That is, the secure area access unit 120 has a function of generating the first decryption key 3040, the first decryption key 3070, and the second decryption key 3061. The second decryption key 3061 is used for encryption and decryption of the first decryption key 3070. The first decryption key 3070 is used for encryption and decryption of the first access control data 3080. The second decryption key 3060 is used for encryption and decryption of the first decryption key 3040.

  The environmental information 3031 is special information generated in advance in step S1040 and generated when the first event 410 occurs, as in the second embodiment. The first decryption key 3070 is appropriately generated in the same way as when creating a CPRM standard title key.

  In step S1050, the secure area access unit 120 encrypts the first decryption key 3070 with the second decryption key 3061 to encrypt the first decryption key 3070. The secure area access unit 120 stores the first decryption key 3071 under the initial policy directory of the secure area 210 so that it can be specified by the first access control data specifying information 3090. That is, the secure area access unit 120 can identify the encrypted first decryption key 3041 and the first decryption key 3071 by using the first access control data identification information 3090 (described later), the secure area 210 (initial policy directory). Subordinates).

  In step S1060, the data area access unit 140 decrypts the second access control data 3051 identified using the second access control data identification information 3010 using the first decryption key 3040, Second access control data 3050 is acquired.

  In step S1070, the data area access unit 140 encrypts the second access control data 3050 into the first access control data 3081 using the first decryption key 3070. The data area access unit 140 stores the encrypted first access control data 3081 under the initial policy directory of the data area 220 so that it can be specified by the first access control data specifying information 3090. That is, the data area access unit 140 has a function of encrypting the second access control data 3050 acquired by the second access control data specifying information 3010 using the first decryption key 3070. The data area access unit 140 has a function of storing the encrypted second access control data 3051 in the data area 220 that can be specified by the first access control data specifying information 3090.

  The system restart is a process that is likely to cause an abnormality in the system due to processing such as program termination or device invalidation. For this reason, after the event detection unit 110 detects the second event 420 in step S1000, the processing from step S1010 to step S1070 may not be performed normally, and the system may be restarted in the middle.

  In this case, since the first access control data 3080 obtained by decoding the first access control data 3081 is not stored, the storage area access device 100 determines whether or not an abnormality has occurred in the processing after the system is restarted. It cannot be recognized. In order to avoid such a situation, in step S1001 immediately after step S1000, the data area access unit 140 may write a small amount of data under the initial policy directory. Such a small amount of data is called a restart flag. That is, after the second event 420 occurs, the data area access unit 140 specifies that at least the second event 420 has occurred in an area (data area 220) that can be specified by the first access control data specifying information 3090. Store possible data (restart flag).

  If the data corresponding to the first access control data 3080 is not stored in the secure area 210 or the data area 220 even though the restart flag is registered, it is possible to recognize that some abnormality has occurred in the processing. It becomes. The storage area access device 100 can notify the system, the generation program of the second event 420, and the like that the abnormality has occurred.

  Further, the environment information 1031 generated in step S1040 may include system identification information that can uniquely identify the system. For example, in a mobile terminal, it can be expressed by using IMEI for all digits. By including the system identification information in the environment information 3031, the first access control data 3080 is illegally applied to another terminal when the storage device 200 is replaced with another terminal before and after the system is restarted. There is no.

  Through the processing up to step S1070, the first access control data 3080 having the same contents as the second access control data 3050 that should have been applied after the system is restarted is stored in the data area 220 in an encrypted state. The first decryption key 3070 used for decrypting the first access control data 3081 obtained by encrypting the first access control data 3080 is stored in the secure area 210 in an encrypted state. FIG. 14 shows the directory structure of the storage device 200 at that time.

  The operation of the storage area access device 100 after the time when the first access control data 3080 and the first decryption key 3070 are stored will be described with reference to FIG. The purpose of the processing shown in FIG. 15 is to apply the first access control data 3080 registered in the preprocessing to the access control apparatus 300 after the system is restarted.

  In step S1080, the system restart unit 160 restarts the stem. The system restart unit 160 has at least a function for requesting the system to restart and a function for obtaining control after the system is restarted. In addition, the system restart unit 160 has a function of notifying the event detection unit 110 of the first event 410 after restarting the system.

  In step S1090, the event detection unit 110 receives the notification of the first event 410 from the system restart unit 160, and generates the first access control data specifying information 3090. Since the method for generating the first access control data specifying information 3090 is the same as that in the second embodiment, the description thereof is omitted.

  In step S1100, the secure area access unit 120 acquires the encrypted first decryption key 3071 using the first access control data specifying information 3090. Also, the secure area access unit 120 acquires the first decryption key 3070 by decrypting the first decryption key 3071 with the second decryption key 3061. The second decryption key 3061 is generated by the environment information 3031 and the access key 1020 generated in advance by the environment information generation unit 130 in step S1110. Details are the same as those in the second embodiment, and a description thereof will be omitted.

  In step S1120, the data area access unit 140 acquires the encrypted first access control data 3081 using the first access control data specifying information 3090. Further, the data area access unit 140 obtains the first access control data 3080 by decrypting the first access control data 3081 using the first decryption key 3070. Details are the same as those in the second embodiment, and a description thereof will be omitted.

  In step S1130, the access control applying unit 150 applies the first access control data 3080 to the access control apparatus 300. Details are the same as those in the second embodiment, and a description thereof will be omitted.

  When the processing up to step S1130 is completed, the secure area access unit 120 and the data area access unit 140 send the first decryption key 3071 and the first access control data 3081 that are no longer needed to the secure area 210 and the data area. Erase each from 220.

  That is, the secure area access unit 120 uses the encrypted first decryption key identified by the first access control data identification information 3090 after the application of the first access control data 3080 to the access control device 300. It has a function to delete 3071. In addition, the data area access unit 140 encrypts the first access control data specified by the first access control data specification information 3090 after the application of the first access control data 3080 to the access control device 300. It has a function of erasing data 3081.

(4) Operation / Effect According to the storage area access device 100, the access control data (for example, the access control data 1050) is encrypted so as to be decryptable by the first decryption key (for example, the first decryption key 1040). Stored in the data area 220. In addition, the first decryption key is stored in the secure area 210 accessible only by the access key in a state where the first decryption key is encrypted so as to be decryptable by the second decryption key (for example, the second decryption key 1060).

  For this reason, the first decryption key for decrypting the access control data is data accessible only by the secure area access unit 120 having the access key. That is, the first decryption key is safely protected as long as the access key does not leak.

  Further, the first decryption key can be decrypted only by the first decryption key (for example, the second decryption key 1060) generated from the first environment information (for example, the environment information 1030) and the access key. The encrypted access control data (for example, access control data 10511) is not decrypted for use in the wrong environment. For example, access control data originally generated for an environment with high security should be applied only to the environment, and should not be applied to an environment with particularly low security. In such a case, by making it possible to decrypt the first decryption key only with the second decryption key generated in accordance with the environment with respect to the access control data generated in advance according to the environment, Application of access control data can be prevented. That is, the access control data can be applied to the access control device 300 in a safe state at all times.

  In the embodiment described above, the access control data specifying information (for example, access control data specifying information 1010) includes information for specifying a predetermined event (for example, activation / termination of a secure service). Further, the environment information generation unit 130 generates first environment information based on the access control data specifying information. That is, the first decryption key can be decrypted only with the second decryption key generated in accordance with the predetermined event, with respect to the access control data generated in advance according to the predetermined event. Therefore, appropriate access control data can be applied to the access control apparatus 300 for each predetermined event.

  In the second embodiment described above, the event detection unit 110 generates the first access control data specifying information 2010 that specifies the first access control data 2050 to be applied according to the first event 410. For this reason, the dedicated access control data stored in the storage device 200 can be specified when the system is started or when the storage device 200 is installed by inserting or removing the SD card. That is, the special access control data can be applied to the access control device 300 immediately after the system incorporates the storage device 200 storing the access control data. For example, when there is access control data that should always be reflected during system startup, the access control data can be applied to the access control device 300 safely and reliably.

  In the third embodiment described above, the event detection unit 110 can set only the second event 420 as a detection target. That is, the access control device 300 restricts the events that the event detection unit 110 should detect using the first access control data 2050. For example, when the event detection unit 110 receives a request from the event detection unit 110 and generates corresponding access control data, the access control device 300 determines whether to permit the request. Therefore, it is possible to prevent unauthorized access control data from being applied when the event detection unit 110 receives an unauthorized event.

  In the third embodiment described above, the storage area access device 100 corresponds to a system restart before applying access control data to the access control device 300. In such a case, first, the second access control data to be applied is set as the first access control data, and then the first access control data is automatically applied to the access control device 300 by restarting the system. can do.

  In order to realize such processing, in the third embodiment described above, the first access control data 3080 is encrypted with the first decryption key 3070. The encrypted first access control data 3081 is registered in the data area 220 as the first access control data. On the other hand, the decryption key (first decryption key 3070) of the first access control data is also stored in the secure area 210 so that it can be identified by the first access control data identification information 3090.

  Thereafter, the system restart unit 160 restarts the system, and then the first event 410 is notified to the event detection unit 110. For this reason, the registered first access control data is applied to the access control apparatus 300 in response to the occurrence of the first event 410.

  In other words, the access control data can be safely reflected even when the system needs to be restarted to apply the access control data, for example, when applying the access control data that greatly affects the system. .

  In the third embodiment described above, after application of the first access control data to the access control apparatus 300, the encrypted first decryption key 3071 specified by the first access control data specifying information is erased. Is done. Further, the encrypted first access control data 3081 specified by the first access control data specifying information is deleted. Therefore, when the system is restarted again, it is possible to prevent the access control data from being applied to the access control device 300 by mistake.

  In the third embodiment described above, the second environment information (environment information 3031) includes at least information that can uniquely identify the system. Here, in the application of access control data that accompanies the occurrence of a system restart, it is assumed that the storage device 200 such as an SD card is removed from the system and applied to another system before and after the system restart. In this case, the storage device 200 stores the first access control data that should have been applied in the original system, and the access control data is erroneously applied to another system.

  Therefore, the corresponding first decryption key can be decrypted only by the second decryption key generated by the second environment information including the information that can uniquely identify the original system, thereby allowing another system to be decrypted. It is possible to prevent access control data from being applied accidentally or from being applied illegally.

  In the third embodiment described above, data that can specify that the second event has occurred is stored in an area that can be specified by the first access control data specifying information 3090. Since this process does not involve any encryption or decryption process, it can be executed at a relatively high speed.

  The system restart is a process that is likely to cause an abnormality in the system due to processing such as program termination or device invalidation. Therefore, a series of processes such as acquisition and storage of access control data by the storage area access device 100 may not be executed normally. In the third embodiment described above, since data that can specify that the second event 420 has occurred is stored in an area that can be specified by the first access control data specifying information 3090, the secure area access unit 120 is subsequently stored. Even if an abnormality occurs in a series of processes by the data area access unit 140 and the process is not performed normally, the data area access unit 140 is at least in response to the first event 410 that occurs after the system is restarted. The data can be acquired. That is, the system can recognize that the system is restarted due to the occurrence of the second event 420. For this reason, for example, error processing such as notifying that the program that issued the second event 420 did not normally apply the access control data becomes possible.

(5) Other Embodiments As described above, the contents of the present invention have been disclosed through the embodiments of the present invention. However, it is understood that the description and drawings constituting a part of this disclosure limit the present invention. Should not. From this disclosure, various alternative embodiments will be apparent to those skilled in the art.

  For example, when the storage device 200 is removed from the system, the event detection unit 110 stores the storage device until the storage device 200 in which the access control data is stored is newly installed or until the system is terminated (such as power off). The generation of access control data may be stopped for an event detected after 200 is removed from the system.

  That is, if the storage device 200 such as an SD card is removed from the system while the access control data is being applied to the access control device 300, the subsequent access control setting cannot be changed. Therefore, the event detection unit 110 does not generate access control data for all events that accompany changes in access control settings. According to such an operation, when the storage device 200 does not exist, it is possible to prevent an unauthorized access control setting from being applied.

  In the third embodiment described above, data that can specify that the second event has occurred is stored in an area that can be specified by the first access control data specifying information 3090. However, the data is not necessarily stored. You don't have to. In addition, the second environment information (environment information 3031) includes information that can uniquely identify the system, but the information may not be included.

  Furthermore, in the third embodiment described above, the first decryption key 3071 and the first access control data 3081 have been deleted after the application of the first access control data to the access control apparatus 300. The decryption key 3071 and the first access control data 3081 do not necessarily have to be deleted.

  As described above, the present invention naturally includes various embodiments that are not described herein. Therefore, the technical scope of the present invention is defined only by the invention specifying matters according to the scope of claims reasonable from the above description.

It is a figure which shows the implementation example of a sandbox. It is a figure which shows the security extension of the sandbox using a protection area. It is a figure which shows the structural example of CPRM specification conformity SD. It is a figure which shows the structural example of SD of SD-Binding specification. It is a figure which shows the function expansion of the sandbox using a CPRM standard. It is a figure which shows the internal structural example of SD and a sandbox. 1 is a system configuration diagram of a storage area access device 100 according to a first embodiment. FIG. It is a figure which shows the example of a directory structure of the memory | storage device 200 which concerns on 1st Embodiment. It is a system configuration figure of storage area access device 100 concerning a 2nd embodiment. It is a figure which shows the example of a directory structure of the memory | storage device 200 concerning 2nd Embodiment. It is a system configuration figure of storage area access device 100 concerning a 3rd embodiment. It is a figure which shows the example of a directory structure (before a process start) of the memory | storage device 200 concerning 3rd Embodiment. It is a sequence diagram which shows operation | movement (until restarting generation | occurrence | production) of the storage area access apparatus 100 concerning 3rd Embodiment. It is a figure which shows the directory structural example (just before restart) of the memory | storage device 200 concerning 3rd Embodiment. It is a sequence diagram which shows operation | movement (after restarting generation | occurrence | production) of the storage area access apparatus 100 concerning 3rd Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 ... Storage area access device, 110 ... Event detection part, 120 ... Secure area access part, 130 ... Environment information generation part, 140 ... Data area access part, 150 ... Access control application part, 160 ... System restart part, 200 ... Storage device 210 ... Secure region 220 ... Data region 300 ... Access control device 400 ... Event 410 ... First event 420 ... Second event 1010 ... Access control data identification information 1020 ... Access key 1030 , 1031 ... environment information, 1040 ... first decryption key, 1050 ... access control data, 1060 ... second decryption key, 2010 ... first access control data specifying information, 2030 ... environment information, 2040, 2041 ... first 2050, 2051 ... first access control data, 2060 ... second decryption key, 3010 ... second access control data identification information, 3030,3031 ... environment information, 3040,3041 ... first decryption key , 3050, 3051 ... second access control data, 3 060, 3061 ... second decryption key, 3070, 3071 ... first decryption key, 3080, 3081 ... first access control data, 3090 ... first access control data specifying information, 10411 to 10411 ... first decryption Key, 10511-10513 ... access control

Claims (10)

A storage device including a data area in which access control data used for controlling access to resources on the system is stored, and a secure area accessible only by an access key prepared in advance;
Used in a system comprising an access control device for controlling execution of a program according to the access control data, and a program execution environment in which the program is executed;
A storage area access device that acquires the access control data to be applied to the access control device from the storage device in response to a predetermined event,
The access control data is stored in the data area in a state where the access control data is encrypted so as to be decrypted by a first decryption key,
The first decryption key is stored in the secure area in a state where the first decryption key is encrypted so as to be decryptable by the second decryption key,
Event detection for detecting occurrence of the predetermined event and generating access control data specifying information used for specifying the access control data to be applied and the first decryption key in accordance with the detected predetermined event And
A secure area access unit that acquires the first decryption key specified by the access control data specifying information from the secure area;
A data area access unit for acquiring the access control data specified by the access control data specifying information from the data area;
An environment information generating unit that generates first environment information for specifying an operating environment of the access control device;
The secure area access unit
The first decryption key stored in the secure area in an encrypted state is acquired using the access key, and the second decryption is performed using the first environment information and the access key. The ability to get a key,
Using the acquired second decryption key, decrypting the encrypted first decryption key,
The storage area access device, wherein the data area access unit has a function of decrypting the encrypted access control data using the first decryption key decrypted by the secure area access unit. The access control data specifying information includes information for specifying the predetermined event,
The storage area access device according to claim 1, wherein the environment information generation unit generates the first environment information based on the access control data specifying information. The event detector is
Detecting a first event that is the activation of the system or the incorporation of the storage device into the system;
The storage area access device according to claim 1, wherein the storage area access device generates first access control data specifying information for specifying first access control data to be applied in response to the first event. The first access control data specifies a second event to be detected by the event detection unit,
The storage area access device according to claim 3, wherein the event detection unit targets only the second event as a detection target. A system restarting unit for restarting the system;
The event detection unit generates second access control data specifying information corresponding to second access control data that is access control data that needs to be restarted when the system is applied to the access control device;
The secure area access unit
A function of generating the first decryption key and a first encryption key corresponding to the first decryption key;
A function of encrypting the first decryption key with the second decryption key;
A function of encrypting the first encryption key with a second encryption key;
A function of storing the encrypted first decryption key and the encrypted first encryption key in the secure area that can be specified by the first access control data specifying information;
The data area access unit
A function of encrypting the second access control data acquired by the second access control data specifying information with the first encryption key;
A function of storing the encrypted second access control data in the data area that can be specified by the first access control data specifying information;
The storage area access device according to claim 3, wherein the system restart unit has a function of notifying the event detection unit of the first event after restarting the system. The secure area access unit receives the encrypted first decryption key specified by the first access control data specifying information after application of the first access control data to the access control device. Has a function to erase,
The data area access unit includes the encrypted first access control data specified by the first access control data specifying information after application of the first access control data to the access control device. 6. The storage area access device according to claim 5, which has a function of erasing data. The secure area access unit generates the second decryption key based on second environment information,
6. The storage area access device according to claim 5, wherein the second environment information includes at least information capable of uniquely specifying the system.   6. The storage area access according to claim 5, wherein the data area access unit stores at least data that can specify that the second event has occurred in an area that can be specified by the first access control data specifying information. apparatus. If the storage device is removed from the system,
The event detection unit detects an event detected after the storage device is removed from the system until a storage device storing the access control data is newly installed or until the system is terminated. The storage area access device according to claim 1, wherein the generation of the access control data is stopped. A storage device including a data area in which access control data used for controlling access to stored data is stored, and a secure area accessible only by an access key prepared in advance;
Used in a system comprising an access control device for controlling execution of a program according to the access control data, and a program execution environment in which the program is executed;
In accordance with a predetermined event, a storage area access method for acquiring the access control data to be applied to the access control device from the storage device,
The access control data is stored in the data area in a state where the access control data is encrypted so as to be decrypted by a first decryption key,
The first decryption key is stored in the secure area in a state where the first decryption key is encrypted so as to be decryptable by the second decryption key,
Detecting the occurrence of the predetermined event and generating access control data specifying information used for specifying the access control data to be applied and the first decryption key according to the detected predetermined event; ,
Obtaining the first decryption key specified by the access control data specifying information from the secure area;
Obtaining the access control data specified by the access control data specifying information from the data area;
Generating first environment information for specifying an operating environment of the access control device,
In the step of obtaining the first decryption key,
The first decryption key stored in the secure area in an encrypted state is acquired using the access key, and the second decryption is performed using the first environment information and the access key. Get the key,
Decrypting the encrypted first decryption key using the acquired second decryption key;
In the step of acquiring the access control data, a storage area access method for decrypting the encrypted access control data using the first decryption key decrypted by the secure area access unit.

Images