JP2010170276A - Memory device and memory control method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow an external memory device having an authentication function to be used without installing any special API (Application Programming Interface) or the like at a computer device side. <P>SOLUTION: This memory device includes first and second data storage parts 100 and 110, wherein the first data storage part is configured such that the write and read of input data can be performed according to an instruction from connected external equipment 1 and the second data storage part is configured such that the write of data for securing security can be performed, and that the read of the data can be restricted. This memory device also includes a control part for preparing a file 102 for input and a file 103 for output for the first data storage part, and for making the first data storage part read out the data for securing security stored in the second data storage part based on the input data written from the external equipment in the file for input, and perform an arithmetic operation using the read data for securing security and the input data, and write the arithmetic result in the file for output. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to, for example, a memory device that is used to connect to a personal computer device to store and transfer data, and a memory control method applied to the memory device.

In recent years, a small memory device called a USB (Universal Serial Bus) memory has become widespread as a memory device used by being connected to an information processing device such as a personal computer device.
The USB memory includes a USB standard terminal and is used by connecting to a USB standard socket included in the information processing apparatus. The connected information processing apparatus can use the flash memory built in the USB memory as data storage means. The USB memory has a relatively small size and can be freely carried. In the following description, an information processing apparatus to which a memory device such as a USB memory is connected is referred to as a host PC.

  Some USB memories have security measures. For example, in the case of a password input type USB memory, when connected to the host PC, a password input screen is displayed on the screen of the host PC, and the user is allowed to input the password based on the screen display. When the input password matches the password stored in the USB memory, the host PC can access the data stored in the USB memory.

  Alternatively, there is a type in which a function for performing biometric authentication such as fingerprint authentication processing is provided in a USB memory so that the host PC can access data stored in the USB memory as a result of the biometric authentication.

  Furthermore, there is a memory device that is used as a security token, similar to a USB memory. This security token is a memory device that stores an ID (Identity Document) necessary for device authentication when performing communication, data for certificate authentication, an encryption key, and the like. The stored data such as ID (or data obtained using the stored data) is supplied to the host PC connected via the USB terminal by an operation according to a predetermined procedure. The host PC that has acquired the ID and the like performs connection to a network that requires authentication processing, data encryption, and the like.

  FIG. 12 is a flowchart illustrating an example of a case where a USB memory that has been subjected to security measures by inputting a password is connected to a host PC and authentication processing using a password is performed. In FIG. 12, the left side shows processing in the host PC, and the right side shows processing in the USB memory. In this example, a special area is prepared as a data storage area of the memory included in the USB memory, a password is stored in the special area, and data can be written to and read from the special area using the password. It will be.

  Referring to FIG. 12, the host PC first displays a screen prompting the input of a password on detection of the installation of the USB memory or the like (step S11). When the user inputs a password based on the display (step S12), the input password is sent to the USB memory (step S13). At this time, a specially defined command is used to transmit the password.

In the USB memory, when this password is transmitted, it is compared with the password stored in the special area (step S14). If the result of the comparison is a match, writing and reading of data into the special area is permitted, and if not, writing and reading of data from the host PC to the special area is not permitted.
Then, data indicating whether or not the verification by the password is correct is returned to the host PC (step S15).

  In the host PC, if the verification by the password is correct, data can be written to and read from the special area in the USB memory (step S16). Further, when the token function for security is provided, a command related to the token is permitted.

FIG. 13 is a flowchart illustrating an example in which authentication processing is performed by connecting a USB memory that has been subjected to security measures by fingerprint authentication to a host PC. In FIG. 13, the left side shows processing in the host PC, the right side shows processing in the USB memory, and the USB memory has a built-in fingerprint sensor.
First, in the host PC, a screen prompting a biometric authentication process such as “Place your finger on the fingerprint sensor” is displayed on the screen upon detecting the installation of the USB memory or the like (step S21). Then, a fingerprint verification command is sent from the host PC to the USB memory (step S22). Further, following the fingerprint collation command, a command for receiving the fingerprint collation result is continuously issued until the result information is received (step S23).

  In the USB memory, when a fingerprint collation command is received from the host PC, reading of fingerprint image data by the fingerprint sensor is started, and collation processing with fingerprint data registered in the USB memory is performed (step S24). ). If the fingerprint collation result is correct, writing and reading of data into the special area is permitted, and if not matching, writing and reading of data from the host PC to the special area is not permitted (step S25). Then, data indicating whether the fingerprint collation result is correct is returned to the host PC as a reply to the command for receiving the fingerprint collation result (step S26).

  When the fingerprint collation is correct, the host PC can write and read data to a special area in the USB memory (step S27). Further, when the token function for security is provided, a command related to the token is permitted.

  Patent Document 1 describes an example of a memory device that performs password authentication. Patent Document 2 describes an example of an apparatus having a token function.

JP 2008-71367 A JP 2004-234331 A

  Conventionally, in order to perform password authentication, fingerprint authentication, and the like in a memory device such as a USB memory, it has been necessary to install dedicated software or the like for executing such authentication processing on the host PC side. That is, it is necessary to install application software and API (Application Programming Interface) for performing authentication processing with a USB memory in the host PC. As for the processing described in FIG. 12 and FIG. 13, the processing on the host PC side is performed by executing the API.

  However, depending on the mode in which the computer device is used, installation of application software and API may be restricted. That is, usually, a personal computer device used by an individual is operated in an administrator mode (administrator mode), which is a mode in which access to the computer resources of the computer device is not restricted. On the other hand, a computer device used in a company or school often operates in a user mode, which is a mode in which access to computer resources is restricted, to add a certain degree of restriction. In addition, computer devices prepared in an environment where an unspecified user is used, such as an Internet cafe, are generally operated in a user mode.

In the case of a computer device operated in the user mode, which is a mode in which access to computer resources is restricted, it is impossible to install an API for performing password authentication or the like with a USB memory. Therefore, in such a computer device, it is impossible to use a USB memory for password authentication or fingerprint authentication unless the mode is changed to the administrator mode, and the use of a memory device having an authentication function is restricted. There is a problem that.
For example, by incorporating a token function for accessing a computer network of a specific company in a USB memory, a computer device to which the USB memory is connected can originally access the corresponding network. In reality, however, computer devices in the city are restricted by being operated in the above-described user mode, and there is a problem that the token function cannot be utilized.

  SUMMARY An advantage of some aspects of the invention is that an external memory device having an authentication function or the like can be used without installing a special API or the like on the computer device side.

The present invention is applied to a memory device including an input / output unit that inputs and outputs data, and first and second data storage units.
The first data storage unit is a data storage unit that can write and read data input to the input / output unit in accordance with instructions from an external device connected via the input / output unit.
The second data storage unit is a data storage unit in which data cannot be written or read from an external device connected via the input / output unit, and at least data for ensuring security is written.
In the first data storage unit, an input file for writing data from an external device and an output file for reading data by the external device are prepared.
Then, based on the input data written from the external device to the input file, the security ensuring data stored in the second data storage unit is read out, and the read security ensuring data and the input data are read out. Performs the used calculation. Control is performed to write the calculation result to an output file.

As a result, if the external device has a file system that can access the input file and the output file, the external device uses the security ensuring data stored in the second data storage unit in the memory device. Security processing becomes possible. That is, by writing commands and passwords from an external device to the input file, security processing using the written data and the data for ensuring security stored in the second data storage unit is performed. Executed. Then, when the external device acquires the processing result for security from the output file, it is possible to perform the same processing as when the API is installed in the external device.
For the input file and the output file, by adopting a general file system that is widely used for computer devices, the input file and the output file can be read and written by almost all computer devices.

  According to the present invention, it is possible to write a password, a command, and the like from an external device to a data input file, obtain the result from the output file, and perform desired security processing. For this reason, even if the computer device is limited to a state where an API or the like cannot be installed, if the input file and the output file can be accessed, the security processing using the connected memory device can be performed. Have. Even if the computer device can install an API or the like, it is not necessary to install access software or the like, so that the burden on the computer device side can be reduced.

1 is a block diagram showing a configuration example of a memory device according to a first embodiment of the present invention. 1 is a perspective view showing a shape example of a memory device according to a first embodiment of the present invention. It is a principle figure which shows the outline | summary of the processing state which concerns on the 1st Embodiment of this invention. It is explanatory drawing which showed the storage area structural example which concerns on the 1st Embodiment of this invention. It is explanatory drawing which showed the example of the in file and the out file which concern on the 1st Embodiment of this invention. It is a flowchart which shows the example of a password authentication process which concerns on the 1st Embodiment of this invention. It is a flowchart which shows the example of a write-in process of ID which concerns on the 1st Embodiment of this invention. It is a flowchart which shows the collation process example of ID which concerns on the 1st Embodiment of this invention. It is the block diagram which showed the example of a structure of the memory device based on the 2nd Embodiment of this invention. It is a perspective view which shows the example of a shape of the memory device based on the 2nd Embodiment of this invention. It is a flowchart which shows the example of fingerprint authentication processing which concerns on the 2nd Embodiment of this invention. It is a flowchart which shows the example of the conventional password authentication process. It is a flowchart which shows the example of the conventional fingerprint authentication process.

Hereinafter, embodiments of the present invention will be described in the following order.
1. Configuration example of an apparatus to which the first embodiment is applied (FIGS. 1 and 2)
2. Example of processing state of the first embodiment (FIGS. 3 to 5)
3. Example of password authentication processing according to the first embodiment (FIG. 6)
4). Example of ID writing and verification processing according to the first embodiment (FIGS. 7 and 8)
5). Configuration example of apparatus to which second embodiment is applied (FIGS. 9 and 10)
6). Example of fingerprint authentication processing according to the second embodiment (FIG. 11)
7). Modification of each embodiment

[1. Configuration example of apparatus to which the first embodiment is applied: FIGS. 1 and 2]
An example of the first embodiment of the present invention will be described with reference to FIGS.
First, an apparatus configuration to which the example of the present embodiment is applied will be described with reference to FIGS.
As shown in FIG. 1, the example of the present embodiment is configured as a memory device that is used by being connected to a USB standard socket of a computer device (host PC) that is an information processing device. The memory device connected to the USB standard socket is called a USB memory, and has a relatively large capacity flash memory, and the connected host PC can use the flash memory as a storage means. . However, as will be described later, the memory device of the example of the present embodiment also stores data for performing authentication processing and the like, and is also used as a security token for performing authentication.

  1 will be described. The USB terminal 11 of the memory device 10 is connected to the USB standard socket of the host PC 1. As shown in FIG. 2, the memory device 10 has a small shape in which a USB terminal 11 is arranged on a side surface of a housing constituting the memory device 10 main body, and can be freely carried. . As shown in FIG. 2, a terminal contact portion 11a is disposed in the USB terminal 11, and the contact portion 11a is electrically connected to the contact portion of the socket on the host PC 1 side. In addition, the shape of FIG. 2 shows an example, and is not limited to this shape.

Returning to the description of FIG. 1, the USB terminal 11 of the memory device 10 is connected to the USB interface unit 21, and data transfer between the host PC 1 and the memory device 10 is performed via the USB interface unit 21.
The memory device 10 includes a central control unit (CPU) 22. Under the control of the central control unit 22, storage of input data in the flash memory 30 and reading from the flash memory 30 are performed. The flash memory 30 is connected to the internal bus via the flash memory interface unit 23. The configuration of the data storage area of the flash memory 30 will be described later.

Further, an EEPROM 24 in which data for ensuring security such as an encryption key is stored is prepared, and data stored in the EEPROM 24 can be read out under the control of the central control unit 24. An encryption engine unit 25 is connected to the EEPROM 24, and data to be written to the EEPROM 24 and decryption of the read data can be performed as necessary.
Further, a memory 26 composed of a read-only ROM and a readable / writable RAM is prepared. The ROM stores a program necessary for the memory device. The RAM is used as a working RAM.

  A clock necessary for the operation in the memory device 10 is obtained by a PLL (Phase locked loop) circuit 27 based on the oscillation output of the crystal resonator 12.

[2. Example of processing state of first embodiment: FIGS. 3 to 5]
3. Password Authentication Processing According to First Embodiment Next, a processing state when the memory device 10 according to the present embodiment is used connected to the host PC 1 and a configuration for the processing will be described.
The memory device 10 of the present embodiment has a special area 110 in addition to the normal area 100 as a storage area of the flash memory 30 as shown in FIG.

The normal area 100 is a first storage area where data can be freely written and read from the connected host PC 1 side. However, as will be described later, some data is stored as a hidden file so that file attributes and the like cannot be displayed on the host PC 1 side.
The special area 110 is a second storage area used as a limited area in which data cannot be directly written or read from the connected host PC 1. In this example, the host PC 1 can read and write data in the special area 110 by performing personal authentication processing such as password entry. However, the data related to authentication stored in the special area 110 cannot be read from the host PC 1 even if a password is input. The special area 110 stores an authentication ID (Identity Document), an authentication certificate, a password, and the like as authentication data. A part or all of the authentication data in the data stored in the special area 110 may be stored in the EEPROM 24 which is a memory different from the flash memory 30.
As shown in FIG. 3, the data related to authentication in the special area 110 is sent to the host via the authentication control (token control) firmware 120 executed by the central control unit 22 in the memory device 10. The PC side reads and writes.
In the case of this example, authentication data such as an encryption key and a password is stored in the EEPROM 24. Further, when these data are stored and stored in the special area 110 or the EEPROM 24 in the flash memory 30, the encryption engine 25 may perform encryption.

  In the normal area 100 in the storage area of the flash memory 30, in-file 102 and out-file 103 are prepared in addition to storing data of the application 101 as shown in FIG. The application 101 is an application for the host PC 1 to use the in file 102 and the out file 103. The application 101 is an application that can be executed without special authority on the host PC 1 side, and can be executed in the user mode. The application 101 also includes software for performing personal authentication.

  The in-file 102 is a file in which data can be written from the host PC 1 side. The outfile 103 is a file from which the host PC 1 can read out the written file data. The in-file 102 and the out-file 103 are files written by applying an OS (Operating System) file system adopted by the host PC 1. However, the in-file 102 and the out-file 103 are preferably designated as hidden files whose details such as file attributes are not displayed on the host PC 1 side. Further, it is desirable to specify that the data read from the in-file 102 and the out-file 103 is not saved in the cache or buffer in the host PC 1.

FIG. 5 is a diagram illustrating a configuration example of the in-file 102 and the out-file 103.
The in-file 102 has a file name (content), command code, reservation status, and data length arranged at a predetermined length such as 4 bytes at each address, and an area in which data is written following the data length is prepared. The data arrangement area of the in-file 102 is an area in which data is written by the host PC 1 described above. The written data and commands are determined by firmware executed by the central control unit 22 in the memory device 10. That is, as shown in FIG. 5, the data D-IN transmitted from the host PC 1 is written in the data arrangement area. The command from the host PC 1 is written in the command area.

  In the outfile 103, a file name (contents), a result code, a reservation status, and a data length are arranged at a predetermined length such as 4 bytes at each address, and an area in which data is written is prepared following the data length. The data arrangement area of the outfile 103 is an area written by firmware executed by the central control unit 22, and the written data is read by the host PC 1. That is, as shown in FIG. 5, the data D-OUT written in the data area of the outfile 103 and the result that is the execution result of the command are read by the host PC 1.

In the firmware executed by the central control unit 22, an authentication calculation process using the written data and the authentication data stored in the special area 110 in accordance with a command according to the command written in the in-file 102. Is done. The calculation processing result is written in the data area of the outfile 103. Alternatively, a process of reading data in the special area 110 specified by the data may be performed, and the read data may be written in the data area of the outfile 103.
Further, only the distinction of whether the authentication result is acceptable or not may be written in the result column of the outfile 103.

  The command code and the result code used in the in-file 102 and the out-file 103 are determined in advance so that the host PC 1 can understand by executing the application 101. Note that the initial values described in the corresponding columns of the in-file 102 and the out-file 103 are also determined in the absence of commands or results. When a command or data is written in the in-file 102, for example, the firmware 120 in the memory device 10 that has received the command or data performs a process of restoring the initial value. When a result or data is written in the outfile 103, for example, the host PC 1 that has received the result or data performs a process of restoring the initial value by executing the application 101.

Note that the data written in the special area 110 is decrypted by the encryption engine 25 when the data written in the special area 110 is read as data encrypted by the encryption engine 25. Also good.
Further, data written to the in-file 102 and data read by the out-file 103 may be encrypted.

[3. Example of password authentication processing according to the first embodiment: FIG. 6]
Next, with reference to the flowchart of FIG. 6, an example of performing personal authentication by inputting a password will be described as processing according to the present embodiment. When the personal authentication by the password input is completed, the special area 110 of the memory can be read and written.
In this example, a process example in which a password is stored in the special area 110 of the memory and the password input on the host PC 1 side is authenticated will be described.
In each flowchart described in FIG. 6 and subsequent figures, the left side is the processing in the host PC, and the right side is the processing in the memory device. For example, when the memory device 10 is connected to the host PC 1, the processing of the flowchart of FIG. 6 is started.

First, in the host PC 1, a message for prompting the input of a password is displayed on the display (step S31). In the example of FIG. 6, “Please enter your password” is displayed. This display is displayed, for example, when the memory device 10 is connected to the host PC 1.
Assume that the user inputs a password using the keyboard of the host PC 1 or the like in the state where the display is performed (step S32). At this time, the host PC 1 writes the input password in the data column of the in-file 102 and writes a “password verification command” in the command column (step S33).

When the firmware 120 of the memory device 10 is written in step S33, processing based on the password verification command is executed. That is, the password written in the data field of the in-file 102 is compared with the password stored in the special area 110. If it is determined that the comparison result is the input of a correct password, reading / writing from the host PC 1 to the special area 110 of the flash memory 30 is permitted (step S34).
Then, the collation result in the firmware 120 of the memory device 10 is written in the result column of the outfile 103 by the process of the firmware 120 (step S35).

The host PC 1 determines the collation result written in the result column of the outfile 103 and proceeds to the next process. Specifically, when the password verification is correct, the special area 110 can be read and written, and the special area 110 displays a file. When the password verification is not correct, for example, a display for inputting the password again is performed.
When the password is a password input as a security token for obtaining some authentication data, processing based on the data obtained by the permission is performed.

[4. Example of ID writing and verification processing according to the first embodiment: FIGS. 7 and 8]
Next, an example in which ID writing and collation are performed as processing according to the present embodiment will be described with reference to the flowcharts of FIGS. Here, as authentication processing by collation, authentication is performed using information unique to the memory device 10.
First, the ID writing process will be described with reference to FIG. 7. Assume that an ID input screen is displayed on the display of the host PC 1, and the user inputs an ID based on the display (step S41). When the ID is input, a command for reading the VID (vendor ID: manufacturer number), PID (product ID: product number), and serial number is issued to the memory device 10 (step S42). When this command is issued, the VID, PID, and serial number held by the host PC 1 are transferred from the memory device 10 to the host PC 1 (step S43). The reading of the VID, the PID, and the serial number is executed according to a procedure determined for authentication of a device connected by the USB standard, for example.

Thereafter, the host PC 1 encrypts the ID input in step S41, the VID, PID, and serial number read from the memory device 10 using the encryption key (k) described in the application 101, An encrypted value (x) is obtained. The host PC 1 writes this encrypted value (x) in the data column of the in-file 102 of the memory device 10, and writes the “ID write command” in the command column (step S44). As the encryption key, keys of various known encryption methods such as RSA encryption method, AES encryption method, and DES encryption method can be applied.
When the memory device 10 determines the “ID write command”, it writes the encrypted value (x) written in the data column into the special area (step S45). The special area here is an area that cannot be seen from the host PC 1.
When the writing is completed, the memory device 10 writes result data indicating the completion of writing to the outfile 103 (step S46), and the host PC1 confirms the result and ends.

The flowchart of FIG. 8 is an example of collation processing of IDs thus encrypted.
At the time of this collation, the host PC 1 issues a command for reading the VID, PID, and serial number to the memory device 10 (step S51). When this command is issued, the VID, PID, and serial number held by the host PC 1 are transferred from the memory device 10 to the host PC 1 (step S52). The reading of the VID, PID, and serial number so far is executed, for example, according to a procedure determined for authentication of a device connected according to the USB standard.
Next, the host PC 1 writes “ID read command” in the command column of the in-file 102 of the memory device 10 (step S53).
When the firmware 120 of the memory device 10 determines the “ID write command”, it reads the encrypted ID written in the special area (step S54). Then, the read ID (encrypted value (x) here) is written in the data field of the outfile 103 (step S55).

  The host PC 1 reads the written encrypted value (x), and decrypts the read encrypted value (x) using the encryption key (k) described in the application 101 (step). S56). The ID thus decrypted is compared with the VID, PID and serial number transferred in step S52. Here, it is determined whether or not the decrypted VID, PID, and serial number match the VID, PID, and serial number transferred from the memory device 10 (step S57). If they match, it is determined that the decrypted ID is correct, and processing using the decrypted ID is executed (step S58). If they do not match, it is determined that the decrypted ID is not correct, and error processing is performed (step S59).

As described above, according to the present embodiment, various authentication processes using the memory device can be performed without installing dedicated application software for the authentication process on the host PC side to which the memory device is connected. For this reason, for example, by using the memory device as a token for authentication, it becomes possible to connect to a LAN of a specific company with a computer device without administrator authority at the place of going out.
In addition, even when the data in the memory device is protected by password authentication, it is not necessary to install application software for the password authentication processing on the computer device side, and the burden on the computer device side is reduced. .

[5. Configuration example of apparatus to which second embodiment is applied: FIGS. 9 and 10]
Next, an example of the second embodiment of the present invention will be described with reference to FIGS. 9 to 11, the same reference numerals are given to the same portions as those in FIGS. 1 to 8 described in the first embodiment.

The example of the present embodiment is also applied to a memory device called a USB memory incorporating a flash memory. In the example of the present embodiment, the first feature is that a biometric authentication function is provided. This is different from the memory device of the embodiment.
FIG. 10 shows an example of the shape of the memory device 10 ′ of the example of the present embodiment.
It is a small shape in which the USB terminal 11 is arranged on the side surface of the housing constituting the main body of the memory device 10 ′, and is a shape that can be freely carried. A terminal contact portion 11a is disposed in the USB terminal 11, and the contact portion 11a is electrically connected to the contact portion of the socket on the host PC 1 side. A fingerprint collation sensor 13 is disposed on the surface of the housing as a biometric authentication means. The fingerprint collation sensor 13 is a sensor that detects a fingerprint of a finger touching the surface of the sensor as image data. In addition, a light emitting diode 14 is arranged beside the fingerprint verification sensor 13.

FIG. 9 is a diagram showing an internal configuration of the memory device 10 ′. The USB terminal 11 of the memory device 10 ′ is connected to the USB interface unit 21, and data transfer between the host PC 1 and the memory device 10 ′ is performed via the USB interface unit 21.
In the memory device 10 ′, a central control unit 22 is provided. Under the control of the central control unit 22, input data is stored in the flash memory 30 and read from the flash memory 30. The flash memory 30 is connected to the internal bus via the flash memory interface unit 23. As the data storage area of the flash memory 30, for example, as described with reference to FIG. 4, the normal area 100 in which reading / writing from the host PC is not restricted and the special area 110 in which reading / writing is restricted are configured.

Further, an EEPROM 24 in which an encryption key and the like are stored is prepared, and data stored in the EEPROM 24 can be read out under the control of the central control unit 24. An encryption engine unit 25 is connected to the EEPROM 24, and data to be written to the EEPROM 24 and decryption of the read data can be performed as necessary.
Further, a memory 26 composed of a read-only ROM and a readable / writable RAM is prepared. The ROM stores a program necessary for the memory device. The RAM is used as a working RAM.

A clock necessary for the operation in the memory device 10 ′ is obtained by a PLL (Phase locked loop) circuit 27 based on the oscillation output of the crystal resonator 12.
The internal configuration so far is basically the same as that of the memory device 10 shown in FIG. However, the memory 26 stores a program necessary for biometric authentication processing.

The memory device 10 ′ of the example of the present embodiment includes a fingerprint verification sensor 13 as a biometric authentication unit and is connected to a fingerprint verification engine 28. The fingerprint collation engine 28 performs a process of comparing the fingerprint data read by the fingerprint collation sensor 13 with the fingerprint data stored in the memory device 10 ', and outputs the collation result to the central control unit 22 side. Fingerprint collation using the fingerprint collation sensor 13 is used for protection of data stored in the memory device 10 ', authentication processing using the memory device 10', and the like.
The light emitting diode controller 29 controls the lighting of the light emitting diode 14. The light emitting diode controller 29 is supplied with a lighting command from the central control unit 22. For example, the light emitting diode 14 is controlled to light up when the fingerprint collation sensor 13 is ready to read a fingerprint.

As described above, the flash memory 30 includes the normal area 100 and the special area 110, and the special area 110 is limited. The control for enabling reading / writing to the special area 110 is performed by executing the firmware 120 shown in FIG. 3, for example. However, the content of the firmware 120 is different from the firmware 120 described in the first embodiment in that fingerprint collation processing is performed.
Furthermore, the normal area 100 includes, for example, an in-file 102 and an out-file 103, and application software 101 for using the in-file 102 and the out-file 103 as shown in FIG. The in-file 102 and the out-file 103 are basically the same as the processing configuration described in the first embodiment.

[6. Example of fingerprint authentication processing according to second embodiment: FIG. 11]
Next, an example in which fingerprint matching processing is performed in the memory device 10 ′ of this embodiment will be described with reference to the flowchart of FIG.
In this example, the user's fingerprint image data registered in advance is stored in the special area 110 of the memory. Then, for example, the processing of the flowchart of FIG. 11 is started by connecting the memory device 10 ′ to the host PC 1.

In the host PC 1, a message for instructing to put a finger on the fingerprint collation sensor 13 is displayed on the display (step S61). In the example of FIG. 11, “Please place your finger on the fingerprint sensor” is displayed.
With the display being performed, the host PC 1 writes a fingerprint collation command into the in-file 102 of the memory device 10 ′ (step S62). The fingerprint sensor 13 is activated by detecting the fingerprint verification command of the in-file 102 on the memory device 10 ′ side. The activation of the fingerprint sensor 13 is also notified to the user by, for example, lighting of the light emitting diode 14.
When the user's finger is placed on the fingerprint sensor 13 in this state (step S63), the fingerprint image is read by the fingerprint sensor 13 on the memory device 10 'side, and the fingerprint collation processing is performed by the fingerprint collation engine 28 ( Step S64). In the fingerprint collation process, it is determined whether or not the data matches the pre-registered fingerprint data (step S65). If the determination here is correct, that is, if the fingerprints match, reading / writing to the special area 110 of the flash memory 30 is permitted.
The result of whether or not the collation is correct in step S65 is written as a result in the outfile 103 (step S66).

The host PC 1 determines the collation result written in the result column of the outfile 103, and proceeds to the next process (step S67). Specifically, when the fingerprint collation is correct, the special area 110 can be read and written, and the special area 110 is displayed as a file. When the fingerprint collation is not correct, the mismatch of the fingerprint collation result is displayed, and a display for executing the fingerprint collation again is performed if necessary.
Further, when the fingerprint collation is a fingerprint collation as a security token for obtaining some kind of authentication data, processing based on the data obtained by permission is performed.
In the example of the flowchart of FIG. 11, an example of accessing a special area of a memory by fingerprint verification and fingerprint verification as a security token has been described, but other various security processes are similarly performed by biometric authentication such as fingerprints. You may make it perform. The ID writing and collation shown in FIGS. 7 and 8 in the first embodiment may be performed by biometric authentication such as fingerprints.

  As described above, according to this embodiment, biometric authentication processing such as fingerprint verification using a connected memory device can be performed without installing dedicated application software on the host PC side. Therefore, even if the computer device is limited in software installation, the biometric authentication process using the connected memory device can be performed.

[7. Modification of each embodiment]
Note that the processing and configuration in the memory device described in the first and second embodiments described so far are only suitable examples, and the present invention is not limited to the configuration or the configuration described in these embodiments. It is not limited to processing.
For example, in each of the above-described embodiments, the present invention is applied to a memory device called a USB memory, but may be applied to other memory devices such as various memory cards. The internal configuration of the memory device is also a preferred example, and is not limited to the configuration shown in FIGS.

In addition, reading / writing to some storage areas in the memory device is performed by personal authentication such as password entry, but other data cannot be written in the normal area where in-file and out-file are prepared. It is good also as a structure. That is, only in-files, out-files, and application software that uses these files may be stored in the normal area, and other data may not be written to the normal area. In this way, virtually all stored data is stored with security secured.
Also, when performing various security-related processes such as encryption and decryption of files and data, and digital signatures and certificate authentication, commands and data are set in the same way, and the results are output in the outfile. You may make it receive.

  Further, in the example of the second embodiment, the fingerprint detection process is performed as the biometric authentication process, but other biometric information may be detected to perform the authentication process. In the example of the second embodiment described above, the sensor for detecting biological information is integrated with the memory device, but may not be integrated with the memory device.

  DESCRIPTION OF SYMBOLS 1 ... Host PC (host computer apparatus), 10 ... Memory device, 11 ... USB terminal, 11a ... Contact part for terminal, 12 ... Crystal oscillator, 13 ... Fingerprint verification sensor, 14 ... Light emitting diode, 21 ... USB interface part , 22 ... Central control unit (CPU), 23 ... Flash memory interface unit, 24 ... EEPROM, 25 ... Encryption engine unit, 26 ... Program memory, 27 ... PLL circuit, 28 ... Fingerprint verification engine, 29 ... Light emitting diode controller 30 ... Flash memory, 100 ... Normal area, 101 ... Application, 102 ... In file, 103 ... Out file, 110 ... Special area

Claims (10)

An input / output unit for inputting and outputting data;
A first data storage unit capable of writing and reading data input to the input / output unit in response to an instruction from an external device connected via the input / output unit;
From the external device connected via the input / output unit, data cannot be written and read, and at least a second data storage unit to which data for ensuring security is written;
An input file for writing data from the external device and an output file for reading data from the external device are prepared in the first data storage unit, and the input data written from the external device to the input file is prepared. Based on this, the security ensuring data stored in the second data storage unit is read, a predetermined calculation is performed using the read security ensuring data and the input data, and the calculation result is calculated as the calculation result. A memory device comprising a control unit for writing to an output file. The memory device according to claim 1, wherein the input file and the output file prepared in the first data storage unit are files according to a file system accessible by the external device. The memory device according to claim 2, wherein the input file and the output file are hidden files having attributes that are not displayed on the external device. The input file and the output file are files that are prohibited from being cached or buffered in the external device when the data written therein is read out to the external device. 4. The memory device according to 3. It has an encryption / decryption processing unit that performs encryption and decryption,
The data written in the second data storage unit is encrypted by the encryption / decryption processing unit, and the data read from the second data storage unit is decrypted by the encryption / decryption processing unit. The memory device described. The predetermined calculation performed by the control unit is a calculation that compares a password written in the input file with a password for ensuring security stored in the second data storage unit, and the control unit The calculation result is written to the output file, and the external device connected via the input / output unit writes or reads the second data storage area when the password matches the calculation result. The memory device according to claim 1, wherein the memory device is controlled so as to be able to perform. The predetermined calculation performed by the control unit is a calculation for performing authentication using information unique to the memory device,
The memory device according to claim 1, wherein the control unit causes an authentication result as the calculation result to be written in the output file. With a biometric input
The control unit, based on a biometric authentication start command written in the input file, biometric authentication data input by the biometric authentication input unit, and security ensuring data stored in the second data storage unit The memory device according to claim 1, wherein collation processing is performed on the collation data as the data, and the collation result is written in the output file. The memory device according to claim 8, wherein the biometric authentication input unit is a fingerprint reading unit. I / O processing function to input and output data,
An input file for writing data from the external device and the external device enabling writing and reading of data input by an instruction input from the external device by the input / output processing function to the first data storage area; A first data storage area control process for preparing an output file for reading data in the first data storage area;
Input data written from the external device to the input file is limited to a state in which data cannot be written to or read from the second data storage area by an instruction input from the external device by the input / output processing function. The security ensuring data stored in the second data storage area is read out, a predetermined calculation is performed using the read security ensuring data and the input data, and the calculation result is obtained. A memory control method for performing a first data storage area control process for writing to the output file.

Images