JP2011053909A - Information processor incorporating control function for security management of password - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a means for authenticating authorized use, based on the validity of a combination of an information processing apparatus to be utilized and a removable storage medium storing a password, and that provides a password to a program, etc. requesting the password. <P>SOLUTION: Information representing a production number which is unique to a removable storage medium encrypted, by using a serial number unique to an information processor in valid combination with the removable storage medium is stored in the removable storage medium. When the removable storage medium is attached to the information processing apparatus, the encrypted information is decrypted using the production number as a key; and if the decrypted information agrees with the production number, then a combination of the information processor and the removable storage media can be determined as being valid. Similarly, if a password encrypted using the serial number is stored in the removable storage medium, the password can be decrypted by using the correct serial number. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a method and apparatus for safely and easily managing passwords by using the validity of a combination of a specific storage medium and an information processing apparatus using the same for authentication.

  Until now, in order to refer to and use confidential information, a method has been widely used for authentication in which a password that only an authorized person knows can be set and if a correct password is entered, it is recognized as a legitimate person. . However, passwords tend to be composed of information related to the characteristics of information owners, and there is a problem that they are easily deciphered. In addition, if the same password is frequently used, there are problems that the chance of leakage increases and the danger increases, and it is generally recommended to change the password regularly.

  Renewing passwords that rely on the user's initiative is troublesome and difficult to spread. In order to solve this problem, there has been proposed a method for prompting a periodic update of a password as in Patent Document 1. In this method, when a password and an expiration date are initially set, after the expiration date, the password is subjected to random number processing, and a new password is automatically generated and provided.

  Further, when the inventor purchases a commercially available removable storage medium, the patent document 2 proposes a method for obtaining information necessary for authentication from the network by using the password provided by the purchaser only once. did. After that, the host machine to which the removable storage medium is mounted is used as a regular combination, and the combination itself is used for authentication. Therefore, it is a mechanism for rejecting other combinations.

JP 2008-217230 A Japanese Patent Application No. 2009-120991

  However, in the management method that performs the forced password update recommended in Patent Document 1, when the password input is necessary, the updated password must be stored each time. Furthermore, if there are a plurality of information and devices that use passwords, many types of passwords will be handled, and password confusion and forgetting will become even worse. As a result, it is undeniable that it will lead to a problem in terms of safety management, such as writing in a notebook so as not to forget or pasting a memo with a password on the device.

  Even if the password is entered only once, there is no danger in managing the password.

  The present invention has been made in order to solve the above-described problems. The object of the present invention is to eliminate the password manually, and to verify the validity of the user if the user device and the encrypted password storage medium match. It provides the convenience of authenticating and selecting an appropriate password.

  An information processing apparatus having a password safety management function according to the present invention operates as a validity judgment means for a removable storage medium attached to the information processing apparatus, a means for decrypting the encrypted password, and a password operated by the information processing apparatus. A password providing means for providing the program to be provided, and having an automatic password updating means for generating a new password when the information processing apparatus and the removable storage medium are mounted and the password update period has elapsed. Features.

  In order to authenticate a user who can use an information processing apparatus such as a PC, a terminal, or a mobile phone, there is a means for inputting a password. According to the present invention, the user releases the password from being stored by using the password recorded in the removable storage medium attached to the information processing apparatus, instead of the user inputting the password. However, this password is encrypted with the serial number of the legitimate information processing apparatus (a number unique to the information processing apparatus) and cannot be used as it is. In order to perform decryption, it is necessary to obtain a serial number from the information processing apparatus, and decryption is performed using this information. If it is a different information processing apparatus or a different removable storage medium, even if decryption is performed with an incorrect serial number, a correct password cannot be obtained.

  In the present invention, the information processing apparatus is targeted, but the same effect can be obtained even if the object is a file. Even if there is a plurality of passwords corresponding to a plurality of media and different devices in one information processing apparatus, the same processing as one password management is possible if a simple identification means for specifying the object is provided. The present invention also includes this multiple password management means.

  Further, the removable storage medium may store various / multiple password configurations for a plurality of information processing apparatuses. In this case, a partition is set for the information processing apparatus. If a section is selected, it can be managed in the same manner as described in paragraph 0011. Therefore, the case of a plurality of information processing apparatuses is also included in the technical scope of the present invention.

  In the present invention, the legitimacy judging means uses a value obtained by decrypting the encrypted information stored in the removable storage medium attached to the information processing apparatus using the serial number unique to the information processing apparatus as a key, and is specific to the attached removable storage medium. If the serial number matches the serial number, the combination of the information processing apparatus and the removable storage medium is valid.

  This encrypted information is obtained by encrypting the serial number unique to the removable storage medium with the serial number unique to the information processing apparatus. In the removable storage medium, the serial number is not recorded as it is, but is characterized only by the combination of both. Thus, it is necessary for safety management not to have one information related to authentication or encryption in the other.

  The password decryption means of the present invention converts the encrypted password information stored in the removable storage medium into a serial number when the validity judgment means determines that the combination of the information processing apparatus and the removable storage medium is valid. It is a value obtained by decrypting with a key.

  For encryption, the method of XORing the data to be encrypted is simple, and if the key data length is increased, it becomes stronger in exhaustive search. However, if the zero value continues, the original value may remain, and it is desirable to combine the method of applying XOR by concealing the zero value by subtracting 255 for each byte. Further, it is more preferable to perform bit shifting by a predetermined numerical value because an irreversible relationship is generated between encryption and decryption. However, this means may be deciphered from the program.

  In order to prevent decryption, the value of a part of the serial NO that cannot be seen in the removable storage medium is used. For example, if the data to be encrypted is bit-shifted by the numerical value in the latter half of the byte, the bit-shift value is unknown in program decryption, so that a more effective irreversible mechanism can be provided.

  The password providing means in the present invention is characterized in that a flag indicating a valid password is added to a program running on an information processing apparatus that requests a password.

  There must be a way to exchange data between programs. If there is no means, a memory area that can be referenced and accessed is used for sharing. The present invention provides a mechanism that can use either a password or a flag (indicating valid authentication).

  The password automatic update means in the present invention generates a new password by random number generation based on the password decrypted by the password decryption means, and encrypts the new password using the serial NO as a key, It is characterized by being replaced with encrypted password information.

  As a means for generating a random number, a known method is used. In the present invention, the original password may be shifted by bits, or a method of rearranging bytes at random may be used. This is because passwords are processed invisible to human eyes.

  According to the present invention, when a user installs his / her predetermined removable storage medium when using a device, file, or program, there is an advantage that operation can be performed without storing a password for obtaining permission for use. is there.

  In addition, according to the present invention, when trying to operate an information processing device that cannot be used or using a removable storage medium that stores a password owned by another person, the correct password is not provided. Therefore, there is an effect that a strong defense management system against unauthorized use is possible.

  Furthermore, according to the present invention, even if the user does not create a password by himself / herself, a password irrelevant to the personal information of the user is automatically generated and updated, so that robustness against decryption is enhanced. In addition, there is an effect not found in the prior art such as not providing a basis for inferring password generation origin.

It is the form figure which illustrated the structure which implement | achieves the method of the password safety management control in this invention. It is a block diagram of the information processing apparatus which implements this invention. Example 1 It is a flowchart which judges the correctness of the combination of the removable storage medium with which the information processing apparatus in this invention was mounted | worn, and provides a password. Example 1

  The present invention is characterized in that a password is not managed by a human but is left to a device or a system. In this case, both the information processing apparatus to be used and the removable storage medium for storing the password need to be legitimate owners. In the present invention, the correctness is authenticated by checking the matching of the combination of the information processing apparatus and the removable storage medium.

  That is, even if an information processing device without a legitimate right is used, the password stored in the removable storage medium is rejected because it is not correct. Similarly, even if an incorrect removable storage medium is attached to the information processing apparatus, the use is rejected. In this way, authentication can be easily performed in combination without human judgment. In particular, the removable storage medium has a role like an authentication card, and the owner manages intangible information such as passwords with something like a seal, instead of storing it in memory, which is natural for humans. It can be said to be a figure.

  The information processing apparatus is targeted for PCs, mobile phones and the like. On the other hand, the removable storage medium is preferably an SD memory card or a memory stick. Also, some devices in the information processing apparatus may be used. Furthermore, files and programs can be targeted if they can be given unique information.

  A specific mechanism of password safety management according to the present invention will be described with reference to FIG. In FIG. 1, a PC is assumed as the information processing apparatus. An SD memory card is used as a removable storage medium.

  The application unit 4 and the password management unit 5 are generic names of processing functions including programs, and operate on the PC 1. Further, the serial NO storage unit 7 exists in the control mechanism of the PC 1, and stores the serial NO as a unique manufacturing serial number of the PC. The screen 3 is connected to the PC 1. Although the SD memory card 2 stores various files and the like, they are omitted from the description because they are not involved in the present invention. As information related to the present invention, a serial number unique to the SD memory card is stored in the serial number storage unit 8 in the SD memory card 2. Further, the encrypted manufacturing number storage unit 9 stores the encrypted information of the SD memory card manufacturing number using the serial number of the host in which the combination is established, that is, the serial number of the PC as an encryption key. The encrypted password storage unit 10 stores the encrypted information-encrypted password using the serial number as the encryption key.

  The mechanism of the present invention will be described with reference to FIG. Insert the SD memory card 2 into the card slot 11 and run the application. The application unit 4 requests a password to permit execution. Since the password is automatically introduced from the SD memory card 2, the automatic password input button 6 is clicked. Here, the password management unit 5 operates to check authentication.

  It should be noted that the operation that requires a human like button click is because it is assumed that the password may be manually entered when the SD memory card is forgotten. If the application program automatically changes to a mechanism that requests a password from the password management program, no manual operation is required.

  In the authentication method, the encrypted manufacturing number in the encrypted manufacturing number storage unit 9 of the SD memory card 2 is encrypted with the serial number of the PC 1 which is a valid host device. At present, if the PC to be used is PC1, the serial number is correct. Therefore, if the encrypted serial number is decrypted with the serial number, the correct serial number is generated. This serial number matches the serial number stored in the serial number storage unit, and the correct combination of the correct PC and the correct SD memory card is authenticated.

  Since the combination of the PC and the SD memory card is correct, the password encrypted with the serial number of the PC 1 can also be correctly decrypted. If the password in the encrypted password storage unit is decrypted with the serial number, the password can be obtained, and if this is passed to the application unit 4, the application can be permitted to continue.

  In the present invention, there is means for periodically updating the password. The password management unit 5 determines the update period. This information may be set in the SD memory card 2 or in the nonvolatile memory 208 of the PC 1. If it is found that the update period has passed, a random number is generated, the current password is processed, a new password is generated, and the serial number of the PC 1 is encrypted and stored in the encrypted password storage unit 10.

  As described above, it has been described that the password can be secured by automatically using the password recorded in the SD memory card in which the present invention is authenticated. According to the present invention, neither the host PC nor the SD memory card contains information for identifying the other party. For example, the password does not exist in the PC. A password exists in the SD memory card, which is encrypted with the serial number of the PC. Moreover, the serial number does not exist in the SD memory card. Therefore, when both are separated, there is an advantage that even if one information is decoded, the other information cannot be extracted. In other words, while being a simple method that does not rely on memory, more secure safety management is possible.

  Furthermore, the encrypted information often includes information on the other side, and assuming the case where the other information is leaked after being decrypted, the relationship between encryption and decryption is irreversible. Is preferred. For example, the serial number of the SD memory card is encrypted with the serial number. Encryption is also combined with a method of concealing zero value by subtracting 255 per byte and applying XOR. Furthermore, if 1 is added to the hexadecimal number of the lower half byte of the serial number and the encrypted data is bit-shifted by the numerical value, it becomes irreversible. Since the bit shift value does not exist in the SD memory card, it is impossible to decipher it. Although not shown, in the present embodiment, such processing is assumed for encryption.

  FIG. 2 is a hardware configuration diagram of an information processing apparatus that executes the present invention, and a PC is assumed as an embodiment. 1 is a PC and 2 is an SD memory card. The memory interface 206 controls I / O with the SD memory card 2 in accordance with a command from the CPU 203. Each functional unit transmits and receives data via the I / O bus 207. A ROM 201 stores a control system program such as a PC OS. Reference numeral 202 denotes a RAM, which is a memory that executes information processing, and constitutes the application unit 4 and the password management unit 5. A CPU 8 executes computer processing and control such as a program execution mechanism and an I / O control mechanism. A non-volatile memory 208 stores fixed information such as serial number and information that should be maintained. This may include an external storage device such as a disk. The operation unit 204 is a general term for a keyboard, a mouse, and the like and a control mechanism. The display unit 205 is a general term for a screen and a screen control mechanism.

  FIG. 3 is a flowchart for determining the validity of the combination of the removable storage media attached to the information processing apparatus according to the present invention and providing a password. The information processing apparatus uses a PC, and the removable storage medium uses an SD memory card. The processing flow will be described below with reference to FIG.

  The user attaches the SD memory card 2 to the PC 1 (S300), and starts executing the application (S301, S302). The application displays a screen (S303), and requests input of a password in S304. The user selects to input the password automatically and clicks the automatic password input button 6. By this click, the password management unit 5 starts operating (S305).

  The password management unit 5 requests the serial number from the SD memory card 2 (S306), and the SD memory card 2 extracts the serial number from the serial number storage unit 8 (S307) and passes it (S308). Next, the password management unit 5 requests an encrypted manufacturing number from the SD memory card 2 (S309), and the SD memory card 2 extracts the encrypted manufacturing number from the encrypted manufacturing number storage unit 9 (S310) and passes it (S311). ). The password management unit 5 extracts the serial number of its own PC 1 from the serial number storage unit (S312).

  In step S313, the password management unit 5 starts to decrypt the encrypted manufacturing number. In this embodiment, the serial number of the SD memory card before encryption is encrypted with serial NO. For encryption, subtract 255 per byte to hide the zero value and XOR with serial NO. Further, bit shift is performed in a rotation type upward by the number of hexadecimal + 1 of the lower half bytes of the serial number. This is the encryption serial number. Decoding reverses this. That is, the encrypted serial number is shifted in the lower direction by the number of hexadecimal + 1 of the lower half byte of the serial number in the downward direction, and the modified serial number is XORed with the serial number.

  In S314, if the decrypted manufacturing number matches the manufacturing number of the current SD memory card, the PC 1 and the SD memory card 2 authenticate the correct combination. If they do not match, an unauthorized authentication screen is displayed and the process ends in error (S315).

  If they match correctly, next, the password management unit 5 requests an encrypted password from the SD memory card 2 (S316), and the SD memory card 2 takes out the encrypted password from the encrypted password storage unit 10 (S317). (S318). The encrypted password is decrypted with the serial number (S319), but the encryption method is the same as the above-mentioned encryption serial number. If the data to be encrypted is shorter than the serial NO, only the upper byte is used to perform XOR. If longer, the serial NO is repeated and XOR is performed up to the last byte of the target data.

  Although not shown, the password expiration date in the SD memory card 2 or the non-volatile memory 208 of the PC 1 is compared with the current password existence period. If the expiration date is exceeded, the password update process is performed (S320). . If it is within the time limit, the password management unit 5 delivers the password to the application program (S321) and reports the password properly. Next, the program processing is controlled by the application (S322).

  If the password has expired, a random number is generated based on the current password to form a new password of a predetermined size (S323). The new password is encrypted by the encryption method described above (S324). The new password is transferred to the SD memory card 2 (S325), the SD memory card 2 stores the new password in the encrypted password storage unit 10 (S326), and then the password management unit 5 transfers the new password to the application program. (S321) and a valid report of the password. Control of program processing is an application (S322). Note that. The random number generation method may be a known method.

  In this embodiment, the password is passed to the application, but at the same time, a report is made that the password is valid. This report allows the application to skip password checking.

  The combination process from the initial state before combining the PC 1 and the SD memory card 2 is not shown. After the use, in the initialization process for performing a new combination authentication, the user requests the password management unit 5 to perform initialization. After checking whether the password management unit 5 is in the correct combination, the password management unit 5 clears the encrypted password storage unit and ends. In this state, the SD memory card 2 cancels the combination authentication with the PC. The next time you use it, you must set up authentication.

  In the authentication setup process, the user attaches the SD memory card to a new PC, and requests authentication setup from the password management unit of the PC. Here, the production number is encrypted and stored, and the password is generated, encrypted and stored. For example, information such as the current time is sufficient for the password.

  As an example of encryption, in order to make the encryption and decryption irreversible, in this embodiment, the serial number of the SD memory card before encryption is subtracted by 255 per byte to hide the zero value, and the serial NO. Then, XOR is applied, and the number of hexadecimals in the lower half of the serial number is incremented by one bit in the upward direction, and this is used as the encryption manufacturing number. On the other hand, the order is reversed, and first, the lower half byte of the serial number is shifted by the number of hexadecimal + 1 in the upper direction, and then the data is subtracted 255 per byte. The processing order may be such that the zero value is hidden and XOR is applied with serial NO.

  In addition, since the validity is obtained by the combination authentication, there may be a system that does not bother to enter the password check process. That is, since the SD memory card serves as an electronic seal as an authentication card, it is not necessary to use a password.

  The system that distributes the SD memory card to each person using the present invention can be used in the industry related to security management.

1 PC
2 SD memory card 3 Screen 4 Application unit 5 Password management unit 6 Automatic password input button 7 Serial NO storage unit 8 Serial number storage unit 9 Encrypted serial number storage unit 10 Password storage unit 11 Card slot 201 ROM
202 RAM
203 CPU
204 Operation unit 205 Display unit 206 Memory interface 207 I / O bus 208 Non-volatile memory

Claims (5)

An information processing apparatus having a password safety management function,
Means for determining the validity of a removable storage medium attached to the information processing apparatus;
Means for decrypting the encrypted password;
Password providing means for providing the password to a program running on the information processing apparatus,
A password automatic update means for generating a new password when the information processing apparatus and the removable storage medium are being mounted and a password update period has elapsed;
An information processing apparatus having a password safety management function. The legitimacy judging means is configured such that a value obtained by decrypting the encrypted information stored in the removable storage medium attached to the information processing apparatus using a serial number unique to the information processing apparatus as a key is a production unique to the removal storage medium. If it matches the number,
The information processing apparatus having a password safety management function according to claim 1, wherein the combination of the information processing apparatus and the removable storage medium is valid. The password decryption means, when the validity judgment means determines that the combination of the information processing apparatus and the removable storage medium is valid,
3. The information processing apparatus having a password safety management function according to claim 1, wherein the information is a value obtained by decrypting the encrypted password information stored in the removable storage medium using the serial number as a key.   4. The password providing means adds and passes a flag indicating that the password is valid to the program running on the information processing apparatus that requests the password. An information processing apparatus having the password safety management function described in 1.   The automatic password updating means generates a new password based on random number generation based on the password decrypted by the password decrypting means, and encrypts the new password with the serial NO as a key. 5. The information processing apparatus having a password safety management function according to claim 1, wherein the information is replaced with the encrypted password information.

Images