JP2012064228A - Storage device and authentication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To invalidate stored data regardless of user's access authority when accessed from an environment different from an available system environment.SOLUTION: According to an embodiment, an apparatus authentication module executes apparatus authentication based on second apparatus authentication information received from a current host device newly connected and first apparatus authentication information, and disposes of a first partial key when the apparatus authentication is failed. After the apparatus authentication, a third partial key writing module generates a third partial key by combining a second partial key received from the current host device and the first partial key in a partial key storage module, and writes the generated third partial key in a volatile memory. After user authentication, an encryption key writing module generates an encryption key by combining the third partial key and second user authentication information, and writes the generated encryption key in the volatile memory. When the user authentication is successful, a decryption module decrypts encryption data based on the encryption key in the volatile memory, and outputs acquired data to the current host device.

Description

  Embodiments described herein relate generally to a storage device and an authentication method.

  Conventionally, an HDD (Hard Disk Drive) device (hereinafter referred to as a storage device) having an encryption function encrypts data using an encryption key held in advance, and stores the obtained encrypted data. When this type of storage device succeeds in password authentication of a user with access rights, the encryption key stored in advance is set as the decryption key, and the data obtained by decrypting the encrypted data with this decryption key is output. As described above, the conventional storage device can output correct data to a user having access rights.

JP 2008-5408 A

  However, when a conventional storage device stores encrypted data and is taken out to an external system environment by a user having access rights, there is a concern that the decrypted data may be leaked due to a successful password authentication. .

  In addition, since a small storage device can be taken out easily, theft is likely to occur, and if the password is broken after theft, the decrypted data is leaked. For this reason, in order to prevent data leakage at the time of theft, it is necessary to securely invalidate the data at the takeout destination.

  As described above, when the conventional storage device is accessed from an environment different from the usable system environment, there is a problem that it is desired to invalidate the stored data regardless of the user's access right. .

  An object of the present invention is to provide a storage device and an authentication method capable of invalidating stored data regardless of whether or not the user has access rights when accessed from an environment different from the usable system environment. That is.

  According to the embodiment, the storage device has a volatile memory from which data is erased when the power is turned off, and can be detachably connected to an arbitrary host device.

  The storage device includes an authentication information storage means, a partial key storage means, an encrypted data storage means, a device authentication means, a third partial key writing means, a user authentication means, an encryption key writing means, Decoding means.

  The authentication information storage means authenticates first device authentication information for authenticating a proper host device having connection authority among the arbitrary host devices, and a normal user who uses the normal host device. First user authentication information is stored in advance.

  The partial key storage unit stores in advance a first partial key that constitutes a part of an encryption key written in the volatile memory.

  The encrypted data storage means stores encrypted data that is data encrypted based on the encryption key.

  The device authentication means executes device authentication based on the second device authentication information received from the newly connected current host device and the first device authentication information in the authentication information storage means. When the key fails, the first partial key is discarded.

  The third partial key writing means combines the second partial key received from the current host device after the device authentication and the first partial key in the partial key storage means to generate a third part Write the key to the volatile memory.

  The user authentication means performs user authentication based on the second user authentication information received from the current host device and the first user authentication information in the authentication information storage means after the writing of the third partial key. Execute.

  The encryption key writing means combines the third partial key in the volatile memory and the second user authentication information after the user authentication, and writes the generated encryption key into the volatile memory.

  The decryption means decrypts the encrypted data based on the encryption key in the volatile memory based on the read request received from the current host device when the user authentication is successful, and the obtained data Is output to the current host device.

It is a block diagram which shows an example of a structure of the encryption data storage system which concerns on 1st Embodiment. It is a schematic diagram for demonstrating the data in the disk in the same embodiment. It is a schematic diagram for demonstrating the data in the static RAM in the same embodiment. It is a schematic diagram for demonstrating the data in the memory in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the read-out process in the embodiment. It is a schematic diagram for demonstrating the data in the disk in 2nd Embodiment. It is a schematic diagram for demonstrating the data in the memory in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a schematic diagram which shows operation | movement of the storage system which performs only general password authentication. It is a schematic diagram which shows operation | movement when a regular host apparatus is connected to the memory | storage device in the embodiment. It is a schematic diagram which shows operation | movement when an unauthorized host device is connected to the memory | storage device in the embodiment. It is a schematic diagram for demonstrating the data in the disk in 3rd Embodiment. It is a schematic diagram for demonstrating the data in the memory in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the operation | movement in 4th Embodiment. It is a schematic diagram for demonstrating the data in the disk in 5th Embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a schematic diagram for demonstrating the data in the disc in 6th Embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a schematic diagram for demonstrating the data in the disk in 7th Embodiment. It is a schematic diagram for demonstrating the discard log information in the same embodiment. It is a schematic diagram for demonstrating the data in the disk in 8th Embodiment. It is a schematic diagram for demonstrating the revocation certificate in the same embodiment. It is a schematic diagram for demonstrating the data in the memory in the embodiment. It is a flowchart for demonstrating the operation | movement in 10th Embodiment. It is a schematic diagram for demonstrating the data in the disk in the modification of 1st Embodiment. It is a schematic diagram for demonstrating the data in the memory in the modification. It is a flowchart for demonstrating the operation | movement in the modification of 2nd Embodiment. It is a flowchart for demonstrating the operation | movement in the modification.

  Each embodiment will be described below with reference to the drawings.

<First Embodiment>
FIG. 1 is a block diagram showing an example of the configuration of an encrypted data storage system according to the first embodiment, and FIGS. 2 to 4 are schematic diagrams for explaining data in a disk, SRAM, and memory. This storage system has a volatile memory from which data is erased when the power is turned off, and can be detachably connected to any host device 30A, 30B,... And any host device 30A, 30B,. Among them, a regular host device 30A having an authority to connect to the storage device 10 is provided.

  The storage device 10 includes a disk 11, which is a magnetic storage medium, a spindle motor (SPM) 12, a head 13, an actuator 14, a motor driver 15, a head amplifier 16, a read / write (R / W) channel 17, and a flash memory (FLROM). 18, a buffer memory 19 and a hard disk controller (HDC, simply referred to as a disk controller) 20.

  As shown in FIG. 2, the disk 11 includes a system area 11 a that cannot be accessed by a general user, and a user area 11 b that can be accessed by a general user. The system area 11a stores in advance a first partial key, first device authentication information, and first user authentication information.

  Here, the first partial key is key data constituting a part of the encryption key written in the static RAM 25 (volatile memory). For example, the internal information G of the storage device 10 is used as the first partial key. The internal information G is written in advance from the encryption module 23 into the system area 11a, for example, at the time of initial setting. As such internal information G, a random number is used as an example, but is not limited to this example. In the following description, the first partial key is described as internal information G.

  The first device authentication information is used for device authentication of a legitimate host device 30A having connection authority among arbitrary connectable host devices 30A, 30B,..., And device authentication information of an arbitrary device authentication method. Can be used. For example, the unique information “AA” of the host device 30A or the signature generation key Ksig-30a of the host device 30A can be used as the first device authentication information, but is not limited to these examples. Such first device authentication information is written in advance in the system area 11a from the device authentication module 21 at the time of initial setting, for example. As the device authentication method, a method of collating the same first device authentication information and second device authentication information with each other, as described in the second or third embodiment, different first device authentication information and second device authentication information as described in the second or third embodiment. Any method based on device authentication information may be used. As the unique information of the host device 30A, for example, a MAC address can be used, but is not limited to this example.

  The first user authentication information is for authenticating an authorized user who uses the authorized host device 30A. As the first user authentication information, the password P and the user ID of a legitimate user are used as an example, but the first user authentication information is not limited to this example. The first user authentication information is written in advance from the user authentication module 22 to the system area 11a at the time of initial setting, for example.

  The user area 11b stores encrypted data Eg (Kg, D) which is data D encrypted based on the encryption key Kg. The encrypted data Eg (Kg, D) is written into the user area 11b by the encryption module 23. Here, in the case of the internal information G, the lowercase letter “g” of “G” is used as a subscript to indicate “Eg” and “Kg”. For example, in the case of the internal information I, the lowercase letter “i” of “I” is used as a subscript and expressed as “Ei” and “Ki”.

  The SPM 12 rotates the disk 11. The head 13 includes a read head element and a write head element, reads data from the disk 11, and writes data.

  The actuator 14 includes a suspension on which the head 13 is mounted, an arm, and a voice coil motor (VCM), and moves the head in the radial direction on the disk 11.

  The motor driver 15 includes an SPM driver that supplies a drive current to the SPM 12 and a VCM driver that supplies a drive current to the VCM of the actuator 14.

  The head amplifier 16 amplifies the signal (read data) read by the head 13 and transmits the amplified signal to the disk controller 20 via the R / W channel 17. The head amplifier 16 converts a signal (write data) output from the disk controller 20 via the R / W channel 17 into a write current and transmits the write current to the head 13.

  The R / W channel 17 is a data read / write signal processing circuit, and has a function of decoding read data read by the head 13 and encoding write data.

  The flash memory 18 is a nonvolatile memory that stores data under the control of the disk controller 20. The flash memory 18 may be used to store data in the system area 11a instead of the system area 11a described above.

  The buffer memory 19 is a volatile memory such as a DRAM, and is controlled by the disk controller 20 to temporarily store read data and write data. The buffer memory 19 may be used to store data in the static RAM 25 instead of the static RAM 25.

  The disk controller 20 is an interface that controls data transmission between the R / W channel 17 and the host device 30 </ b> A using the buffer memory 19. Further, the disk controller 20 controls the data read / write operation via the R / W channel 17, and controls the encryption process and the decryption process. In this embodiment, the disk controller 20 further controls device authentication processing and user authentication processing. The user authentication processing here includes processing other than the conventional password authentication (eg, destruction of the encryption key when authentication fails).

  In the following, functional blocks used for controlling the device authentication process, the user authentication process, the encryption process, and the decryption process in the control by the disk controller 20 will be described.

  The disk controller 20 includes a device authentication module 21, a user authentication module 22, an encryption module 23, a decryption module 24, and a static RAM 25.

  The device authentication module 21 executes device authentication based on the second device authentication information received from the newly connected current host device 30A (or 30B,...) And the first device authentication information in the system area 11a. When the device authentication fails, the device authentication function is provided to discard the internal information G in the system area 11a.

  The device authentication module 21 combines the second partial key received from the current host device 30A (or 30B,...) And the internal information G (first partial key) in the system area 11a after device authentication. , A third partial key writing function for writing the generated third partial key K3 into the static RAM 25 is provided.

  After the third partial key K3 is written by the device authentication module 21, the user authentication module 22 receives the second user authentication information received from the current host device 30A (or 30B,...) And the first user in the system area 11a. It has a user authentication function for executing user authentication based on authentication information.

  In addition to this, the user authentication module 22 may have a key destruction function for destroying the internal information G in the system area 11a and the third partial key in the static RAM 25 when the user authentication fails a specified number of times. Further, instead of the key destruction function, the user authentication module 22 does not operate the encryption module 23 and the decryption module 24 when the user authentication has failed for a specified number of times, and reports the user authentication error to the current host device 30A (or 30B). , ...) may have an error output function. In the present embodiment, an example using a key destruction function will be described.

  Further, the user authentication module 22 has an encryption key writing function for combining the third partial key in the static RAM 25 and the second user authentication information after the user authentication and writing the generated encryption key in the static RAM 25. .

  When the user authentication is successful, the encryption module 23 follows the write request including the data D received from the current host device 30A (or 30B,...) And writes the write request based on the encryption key Kg in the static RAM 25. The data D is encrypted, and the obtained encrypted data Eg (Kg, D) is encrypted in the user area 11b.

  Based on the read request received from the current host device 30A (or 30B,...) When the user authentication is successful, the decryption module 24 converts the encrypted data in the user area 11b based on the encryption key in the static RAM 25. It has a decoding function of decoding and outputting the obtained data to the current host device 30A (or 30B,...).

  The static RAM 25 is a volatile memory that can be read / written from each of the modules 21 to 24. As shown in FIG. 3, the static RAM 25 includes unique information “AA” as the second partial key before the generation of the third partial key K3. The internal information G as the first partial key is temporarily stored, and when generating the third partial key K3, the unique information “AA” and the internal information G are erased and the third partial key K3 is temporarily written. Similarly, when generating the encryption key Kg, the composite second user authentication information is temporarily stored, the third partial key K3 and the second user authentication information are erased, and the encryption key Kg is written. The word “written” is also referred to as “set”. The encryption key Kg is deleted from the static RAM 25 when the storage device 10 is powered off. Further, the temporary storage of the unique information “AA”, the internal information G, the third partial key K3 and the second user authentication information, and the storage of the encryption key Kg until the power is turned off are replaced with a buffer. The memory 19 may execute. Further, the second partial key is not limited to the unique information “AA” of the host device 30A, and any data managed by the authorized host device 30A can be used.

  On the other hand, the host device 30 </ b> A is a normal computer that can be connected to the storage device 10 and is used by a user with access rights.

  Specifically, the host device 30A includes an interface 31, a memory 32A, an input module 33, a CPU 34, and an output module 35. The host device 30A and the other host device 30B described later have substantially the same configuration except for the stored contents of the memory 32A. For this reason, among the elements 31 to 35, only the memory 32 </ b> A is marked with “A”.

  The interface 31 is a module for connecting the storage device 10 to the host device 30A. For simplification of description, in the following description, description that the data transmission with the storage device 10 is performed via the interface 31 is omitted.

  The memory 32A is a storage unit that can be read / written from the input module 33, the CPU 34, and the output module 35. For example, as shown in FIG. 4, the second partial key, the second device authentication information, and the device authentication program And a user authentication program and an application program. Further, in the memory 32A, data during processing and processing results are stored as appropriate according to the execution of each program.

  Here, the second partial key is key data constituting another part of the encryption key created in the storage device 10. As the second partial key, for example, the unique information “AA” of the own device (host device 30A) is used, but is not limited to this example. In the following description, the second partial key is described as unique information “AA”.

  The second device authentication information is used to cause the storage device 10 to authenticate the authorized host device 30A having the authority to connect to the storage device 10, and device authentication information of an arbitrary device authentication method can be used. Yes.

  The device authentication program is executed by the CPU 34. When the storage device 10 is connected to the host device 30A, the device authentication program is stored in the memory 32A in accordance with a prescribed authentication sequence of device authentication executed by the device authentication module 21 of the storage device 10. The second device authentication information is operated as device authentication information transmitting means for transmitting to the storage device 10.

  The user authentication program is executed by the CPU 34 and causes the host device 30 </ b> A to operate as a user authentication information transmitting unit that transmits the second user authentication information received by the input module 33 to the storage device 10.

  The application program is an arbitrary program executed by the CPU 34. For example, the host device 30A operates as a read request transmission unit that transmits a read request received by the input module 33 to the storage device 10. is there.

  In addition to this, for example, the application program may cause the host device 30 </ b> A to operate as a write request transmission unit that transmits a write request that has received the input to the storage device 10.

  Furthermore, the application program causes, for example, the host device 30A to operate as a means for reading data from the storage device 10 and a means for executing business processing based on the read data and writing the processing result in the storage device 10. There may be.

  The input module 33 is an input interface with a user. For example, a user authentication information receiving unit that receives input of second user authentication information in response to a user operation, and a read request in response to a user operation. It operates as a read request receiving means for receiving an input. In addition, the input module may be operated as a write request receiving unit that receives an input of a write request including data in accordance with a user operation. As the input module, for example, input devices such as a keyboard and a mouse can be used as appropriate.

  The CPU 34 is an arithmetic processing unit that executes each program in the memory 32A based on data in the memory 32A.

  The output module 35 is an output interface with the user. For example, an output device such as a display device can be used as appropriate.

  Next, the operation of the storage system configured as described above will be described with reference to the flowcharts of FIGS. Note that the storage device 10 stores encrypted data Eg (Kg, D). In the host device 30A, the CPU 34 is executing the device authentication program, the user authentication program, and the application program stored in the memory 32A.

  In this situation, it is assumed that the storage device 10 is connected to the authorized host device 30A and turned on by the authorized user. Thereby, the storage device 10 performs device authentication for the host device 30A (ST10).

  Specifically, when the storage device 10 is connected, the CPU 34 of the host device 30A transmits the second device authentication information in the memory 32A to the storage device 10 in accordance with a predetermined authentication sequence for device authentication.

  The device authentication module 21 of the storage device 10 executes device authentication based on the second device authentication information received from the newly connected current host device 30A and the first device authentication information in the system area 11a. When the device authentication module 21 fails, the device authentication module 21 discards the internal information G in the system area 11a as the internal information I. Here, it is assumed that the device authentication is successful.

  After the device authentication, the device authentication module 21 combines the fixed information “AA” received from the current host device 30A and the internal information G in the system area 11a, and writes the generated third partial key K3 to the static RAM 25. Include. This third partial key K3 is a correct partial key. If the above-described device authentication fails, an incorrect partial key K3i including the discarded internal information I is written.

  In any case, the device authentication in step ST10 is completed by writing the encryption key.

  Next, the storage device 10 performs user authentication for the host device 30A (ST20).

  Specifically, the input module 33 of the host device 30A accepts input of second user authentication information in response to a user operation. The CPU 34 transmits the second user authentication information that has been accepted to the storage device 10.

  The user authentication module 22 of the storage device 10 executes user authentication based on the second user authentication information received from the current host device 30A and the first user authentication information in the system area 11a. Here, it is assumed that user authentication is successful.

  After user authentication, the user authentication module 22 combines the third partial key in the static RAM 25 and the second user authentication information, and writes the generated encryption key into the static RAM 25.

  If user authentication fails, an incorrect encryption key is written in the static RAM 25 by the key destruction function of the user authentication module 22 as in the case of device authentication failure.

  Thereby, the user authentication of step ST20 is completed.

  After the user authentication is completed, the storage device 10 proceeds to steps ST30 to ST50 according to the operation of the host device 30A by the user. Here, a case where steps ST40 to ST50 are executed without executing the setting operation at the time of authentication failure in step ST30 will be described.

  The input module 33 of the host device 30A accepts a read request input in response to a user operation. The CPU 34 transmits a read request that accepted the input to the storage device 10.

  The decryption module 24 of the storage device 10 decrypts the encrypted data Eg (Kg, D) in the user area 11b based on the encryption key Kg in the static RAM 25 based on the read request received from the current host device 30A. The obtained data D is output to the current host device 30A (ST40). Thereby, step ST40 is completed.

  In the data reading process of step ST40, as shown in FIG. 6, when the encrypted data Eg (Kg, D) is decrypted with the correct encryption key Kg (ST41 to ST43), the correct data D is output. Normal operation is realized. When the encrypted data Eg (Kg, D) is decrypted with the wrong encryption key Ki (ST41, ST42, ST44), the incorrect data Di is output and the correct data D is discarded. .

  Next, the input module 33 of the host device 30A accepts an input of a write request including, for example, data D1, in accordance with a user operation. The CPU 34 transmits the write request that accepted the input to the storage device 10.

  The encryption module 23 of the storage device 10 is obtained by encrypting the data D1 in the write request based on the encryption key Kg in the static RAM 25 in accordance with the write request including the data D1 received from the current host device 30A. The encrypted data Eg (Kg, D1) is written in the user area 11b (ST50). Thereby, step ST50 is completed.

  Hereinafter, the storage device 10 repeatedly executes the reading process of step ST40 and the writing process of step ST50 as appropriate in accordance with the operation of the host device 30A by the user.

  Thereafter, the storage device 10 is turned off in response to a user operation (ST60). Thereby, in the storage device 10, the data in the buffer memory 19 and the static RAM 25 are erased. At this time, the encryption key in the static RAM 25 is also deleted.

  As described above, according to the present embodiment, device authentication is performed on the host devices 30A, 30B,..., Depending on the configuration in which the encryption key is discarded by discarding the internal information G (first partial key) when device authentication fails. Data leakage when taken out to the system can be prevented.

  Further, even after the encryption key Kg is destroyed by destroying the internal information G, even if the storage device 10 is reconnected to the legitimate host device 30A, the encryption key Kg cannot be restored because there is no internal information G, and the correct data D is stored. Cannot read. Thereby, the data D can be reliably discarded when the storage device 10 is stolen, and data leakage can be prevented.

  Further, with the configuration in which the encryption key is discarded when the user authentication fails, the data D can be discarded before the user's password P is analyzed when the device is stolen.

  Furthermore, by storing the encryption key in the static RAM 25 (volatile memory) when the power is turned on, the encryption key can be securely destroyed when the power is turned off.

<Second Embodiment>
Next, a second embodiment will be described with reference to FIG. 1 described above.

  The second embodiment is a specific example of the first and second device authentication information in the first embodiment. That is, the first device authentication information is a hash value h (AA) of the unique information “AA” of the authorized host device 30A as shown in FIG.

  As shown in FIG. 8, the second device authentication information is unique information “AA” of the current host device 30A that is also used as the second partial key. The second partial key is unique information “AA” of the current host device 30A that is also used as the second device authentication information.

  Accordingly, the device authentication module 21 of the storage device 10 calculates the hash value h (AA) of the second device authentication information “AA” received from the current host device 30A, and the hash value h (AA) The first device authentication information h (AA) in the system area 11a is collated, and when both do not match, it has a function of determining that device authentication has failed.

  Next, the operation of the storage system configured as described above will be described with reference to the flowcharts of FIGS.

  Assume that device authentication in step ST10 is started.

  When the storage device 10 is connected, the CPU 34 of the host device 30 </ b> A transmits the unique information “AA” in the memory 32 </ b> A to the storage device 10 in accordance with a predetermined authentication sequence for device authentication.

  The device authentication module 21 of the storage device 10 receives the specific information “AA” of the newly connected current host device 30A (ST11). If an unauthorized host device 30B is connected, the device authentication module 21 receives the unique information “BB”.

  The device authentication module 21 calculates a hash value h (AA) of the received unique information “AA”, and this hash value h (AA) and a hash value h (AA) of the unique information “AA” in the system area 11a. (ST12), and it is determined whether or not they match (ST13).

  If the determination result in step ST13 indicates NO, the device authentication module 21 determines whether there is another hash value stored in advance in the system area 11a (ST14). The process returns to step ST12 so that the matching process is retried using the hash value. Since this step ST14 is processing when there are a plurality of connectable regular host devices 30A,..., It can be omitted when there is one regular host device 30A.

  If the determination result in step 14 indicates NO, the device authentication module 21 discards the encryption key (ST15). Specifically, as shown in FIG. 10, the device authentication module 21 discards the regular internal information G in the system area 11a (ST15-1) and newly creates internal information I such as a random number (ST15- 2). The device authentication module 21 discards the hash value of the unique information “AA” in the system area 11a (ST15-3), and creates the hash value of the unique information “BB” received in step ST11 (ST15-4). ). In steps ST15-1 to ST15-2, the internal information I constituting the third partial key K3 is discarded and the internal information I is newly created, so that the third partial key K3 is discarded. Further, since the third partial key K3 is discarded, the encryption key Kg based on the third partial key K3 is discarded.

  On the other hand, if the determination result in step ST13 indicates a match, the device authentication module 21 reads the internal information G in the system area 11a (ST16). Thereafter, the device authentication module 21 combines the unique information “AA” received in step ST11 and the internal information G read in step ST16, and writes the generated correct third partial key K3 in the static RAM 25 (ST17a). .

  If the third partial key K3 is discarded in step ST15, the device authentication module 21 combines the unique information “BB” received in step ST11 with the internal information I created in step ST15-2. The generated erroneous third partial key K3i is written into the static RAM 25 (ST17b).

  In any case, the device authentication in step ST10 is completed by writing the third partial key.

  Thereafter, similarly to the first embodiment, steps ST20 to ST60 are executed.

  Next, a supplementary description will be given of the case where the regular host device 30A is connected and the case where the unauthorized host device 30B is connected during the operation of the second embodiment. First, a general password authentication case will be briefly described.

  FIG. 11 is a schematic diagram showing the operation of a storage system that executes only general password authentication. The reference numerals of the devices 1, 3A, 3B in this system are 1/10 of the reference numerals of the devices 10, 30A, 30B of the present embodiment.

  The storage device 1 stores user data P, encryption key K, and encrypted data E (K, D) obtained by encrypting data D with the encryption key K.

  In this storage device 1, if the correct password P is transmitted from any one of the regular host device 3A and the unauthorized host device 3B, the encrypted data E (K, D ) Can be decoded and correct data D can be output.

  Therefore, a malicious user having access authority can take out the storage device 1 from the legitimate host device 3A, connect to the home host device 3B, and correctly acquire the data D including confidential information. End up.

  Therefore, it is desirable that correct data D can be read from the storage device 1 only when the regular host device 3A is used, and the data D is discarded when the host device 3B is used.

  FIG. 12 is a schematic diagram showing an operation when a regular host device 30A is connected to the storage device 10 in the second embodiment, and FIG. 13 is an illegal host device 30B in the storage device 10 in the second embodiment. It is a schematic diagram which shows operation | movement when is connected.

  When the operation shown in FIG. 9 is executed in a state where the storage device 10 is connected to the regular host device 30A, the hash value h (AA) obtained by hashing the unique information “AA” transmitted by the host device 30A. ) Matches the hash value h (AA) previously stored in the storage device 10. When the hash values h (AA) match, the storage device 10 combines the received unique information “AA” of the host device 30A and the internal information G to generate the third partial key K3. In addition, the storage device 10 combines the third partial key K3 and the second user authentication information, and sets the generated encryption key Kg as a decryption key. When a read request for data D is received from the host device 30A, the data D is correctly decrypted with the set decryption key Kg and transmitted.

  When the storage device 10 is taken out to an unauthorized host device 30B system, the hash value h (BB) obtained by hashing the unique information “BB” transmitted by the host device 30B is held in the storage device 10 in advance. Does not match the hash value h (AA). For this reason, the storage device 10 discards the internal information G and the previously stored hash value h (AA), and newly regenerates the internal information I by random number generation or the like. This time, the unique information “BB” of the host device 30B is generated. Is created and written to the system area 11a. At this time, the encryption key Kg is in a discarded state.

  When there is a read request for data D from the host device 30B, the storage device 10 combines the unique information “BB” of the host device 30B and the internal information I, and generates the generated third partial key K3i, the second user authentication information, And decrypting the encrypted data Eg (Kg, D) with the generated encryption key Ki. In this decryption process, an incorrect encryption key Ki is used, so that correct data D cannot be read.

Further, since the encryption key Kg has already been destroyed, the user cannot read the correct data D even if the storage device 10 is reconnected to the host device 30A.
As described above, according to the present embodiment, the first device authentication information is the hash value h (AA) of the unique information “AA” of the authorized host device 30A, and the second device authentication information is also used as the second partial key. Even if the configuration embodying the first embodiment is the specific information “AA” of the current host device 30A to be used, the same effect as the first embodiment can be obtained.

<Third Embodiment>
Next, a third embodiment will be described with reference to FIG. 1 described above.

  The third embodiment is another specific example of the first and second device authentication information in the first embodiment. That is, the first device authentication information is the signature verification key Kveri-30A of the authorized host device 30A as shown in FIG.

  As shown in FIG. 15, the second device authentication information is a digital signature generated using the signature generation key Ksig-30A of the current host device 30A and signature target data used to generate the digital signature. The digital signature is generated by applying a signature process based on the signature generation key Ksig-30A to the hash value calculated from the signature target data. Along with this, the memory 32A of the host device 30A stores the signature generation key Ksig-30A.

  As the signature generation key Ksig-30A, a private key of a public key pair can be used. As the signature verification key Kveri-30A, a public key of a public key pair can be used. For this reason, the signature generation key Ksig-30A may be read as a private key, and the signature verification key Kveri-30A may be read as a public key. The same applies to a signature generation key Ksig-10 and a signature verification key Kveri-10 of the storage device 10 to be described later.

  The device authentication module 21 of the storage device 10 decrypts the digital signature in the second device authentication information based on the signature verification key Kveri-30A, and the obtained decrypted data and the signature object in the second device authentication information. It has a function of collating a hash value calculated from data and determining that device authentication has failed when the two values do not match.

  Next, the operation of the storage system configured as described above will be described with reference to the flowcharts of FIGS.

  Assume that device authentication in step ST10 is started.

  When the storage device 10 is connected, the CPU 34 of the host device 30A generates signature target data such as a random number in accordance with a prescribed authentication sequence for device authentication, and calculates a hash value of the signature target data. Subsequently, the CPU 34 performs a signature process on the hash value based on the signature generation key Ksig-30A in the memory 32A to generate a digital signature. Thereafter, the CPU 34 writes the signed data including the signature target data and the digital signature as the second device authentication information in the memory 32 </ b> A, and transmits the signed data (second device authentication information) to the storage device 10.

  The device authentication module 21 of the storage device 10 receives the signed data of the newly connected current host device 30A (ST11 '). When authentication fails, signed data is received from the current host device 30B.

  The device authentication module 21 verifies the signed data with the signature verification key Kveri-30A in the system area 11a (ST12 '). Specifically, the device authentication module 21 decrypts the digital signature in the received signed data based on the signature verification key Kveri-30A, and the decrypted data obtained and the signature target data in the second device authentication information The hash value calculated from the above is verified to verify that they match.

  If the verification result is not valid (ST13 ′; no), the device authentication module 21 determines whether there is another signature verification key Kveri held in advance in the system area 11a (ST14 ′), and the other signature. If there is a verification key Kveri, the process returns to step ST12 ′ so that the verification process is retried using another signature verification key Kveri. This step ST14 'is processing when there are a plurality of connectable regular host devices 30A,..., And can be omitted when there is one regular host device 30A.

  On the other hand, if the determination result in step 14 'indicates NO, the device authentication module 21 discards the third partial key (ST15'). Specifically, as shown in FIG. 17, the device authentication module 21 discards the regular internal information G in the system area 11a (ST15-1) and newly creates internal information I such as a random number (ST15- 2). Further, the device authentication module 21 receives the unique information “BB” from the current host device 30B (ST15-4). Note that, as described above, the third partial key K3 is discarded in steps ST15-1 to ST15-2, so that the encryption key Kg is discarded.

  On the other hand, if the verification result in step ST12 'is valid (ST13'; yes), the device authentication module 21 receives the unique information "AA" from the current host device 30A (ST16 '). Thereafter, as described above, the device authentication module 21 writes the correct third partial key K3 in the static RAM 25 (ST17a).

  When the third partial key K3 is discarded in step ST15, the device authentication module 21 writes the erroneous third partial key K3i in the static RAM 25 as described above (ST17b).

  In any case, the device authentication in step ST10 is completed by writing the encryption key.

  Thereafter, similarly to the first embodiment, steps ST20 to ST60 are executed.

  As described above, according to the present embodiment, the first device authentication information is the signature verification key Kveri-30A of the authorized host device 30A, and the second device authentication information is the digital signature and signature target data of the host device 30A. As described above, even when the configuration of the first embodiment is embodied, the same effect as that of the first embodiment can be obtained.

  In addition, the present embodiment is not limited to signature authentication, and authentication based on transmission / reception of one-time information by challenge and response may be used. This type of authentication may be performed as in the following [1] to [3], for example.

  [1] The device authentication module 21 generates a random number r, encrypts the random number r with a signature verification key Kveri-30A (a public key of the host device 30A), and obtains a value C (= r ^ Kveri). -30A) is transmitted to the host device 30A (or 30B, ...) (^ is a symbol representing a power).

  [2] The host device 30A (or 30B,...) Decrypts this value C with the signature generation key Ksig-30A (the secret key of the host device 30A), and the obtained value t = (C ^ Ksig-30A ) To the device authentication module 21.

  [3] The device authentication module 21 determines that the device authentication is successful when the generated random number r matches the returned value t (when r = t).

<Fourth Embodiment>
Next, a fourth embodiment will be described with reference to FIG.

  The fourth embodiment is another specific example of the device authentication in the first to third embodiments.

  That is, the device authentication module 21 of the storage device 10 has an authentication sequence when the current host device 30A (or 30B,...) Transmits the second device authentication information in addition to the functions described above as a specified authentication sequence. It has a function of determining that device authentication has failed when a difference is detected.

  Next, the operation of the storage system configured as described above will be described with reference to the flowchart of FIG.

  Assume that device authentication in step ST10 is started.

  When the storage device 10 is connected, the CPU 34 of the host device 30A transmits an authentication command in accordance with a prescribed authentication sequence for device authentication, and then transmits second device authentication information to the storage device 10.

  The device authentication module 21 of the storage device 10 determines whether or not the first command received from the newly connected current host device 30A (or 30B,...) Is an authentication command (ST1).

  If the result of determination in step ST1 is negative, the device authentication module 21 detects that the authentication sequence is different from the prescribed authentication sequence, determines that device authentication has failed, and proceeds to step ST15 (or ST15 ′). .

  If the result of determination in step ST1 is that the first command is an authentication command, the device authentication module 21 proceeds to step ST2 and executes device authentication. Here, the device authentication in step ST2 is a process excluding the discard of the third partial key and the setting of the third partial key in step ST10 (device authentication) of each embodiment. For example, in the case of the second embodiment, steps ST11 to ST14 and ST16 shown in FIG. 9 correspond to step ST2 shown in FIG. In the case of the third embodiment, steps ST11 'to ST14' and ST16 'shown in FIG. 16 correspond to step ST2 shown in FIG.

  If the device authentication in step ST2 is successful, the device authentication module 21 proceeds to step ST17. If the device authentication is unsuccessful, the device authentication module 21 proceeds to step ST17 via step ST15 (or ST15 ').

  In any case, the device authentication in step ST10 is completed by writing the third partial key in step ST17.

  Thereafter, steps ST20 to ST60 are executed in the same manner as in the first to third embodiments.

  As described above, according to the present embodiment, the authentication sequence when the device authentication module 21 transmits the second device authentication information by the current host device 30A (or 30B,...) Is different from the prescribed authentication sequence. Even when the first to third embodiments are embodied so as to determine that the device authentication has failed when the device is detected, the same effects as those of the first to third embodiments are obtained. be able to.

  Further, since the host device that can use the storage device 10 is limited to the host device 30A having the same authentication sequence as the authentication sequence of the storage device 10, the data D is discarded when the storage device 10 is stolen, and data leakage is prevented. Can be prevented.

<Fifth Embodiment>
Next, a fifth embodiment will be described with reference to FIG. 1 described above.

  The fifth embodiment is another specific example of device authentication in each of the first to fourth embodiments.

  That is, as shown in FIG. 19, the system area 11a of the storage device 10 stores availability information indicating whether or not to discard the first partial key, in addition to the above-described information.

  In addition to the functions described above, the device authentication module 21 has a setting function for setting the availability information in the system area 11a when a setting request including availability information is received from the authorized host device 30A. The term “set” may be read as “write”.

  Further, the device authentication module 21 has a destruction prevention function for preventing the destruction of the first partial key (internal information G) based on the availability information in the system area 11a when the device authentication fails. Supplementally, when the availability information is set to discard or not, discard is prevented.

  Further, when the destruction of the first partial key is prevented, the device authentication module 21 does not operate the above-described third partial key writing function, the user authentication module 22 and the decryption module 24, and sends an error in device authentication to the present time. It has an error output function for outputting to the host device 30A (or 30B,...).

  On the other hand, in addition to the functions described above, the input module 33 of the host device 30A has a setting request receiving function that receives an input of a setting request including availability information in response to a user operation.

  In addition to the functions described above, the CPU 34 of the host device 30 </ b> A has a setting request transmission function for transmitting a setting request that has received an input to the storage device 10.

  Next, the operation of the storage system configured as described above will be described with reference to the flowchart of FIG.

  First, an operation setting at the time of authentication failure at step ST30 after the device authentication at step ST10 'and the user authentication at step ST20 are successfully performed by the authorized host device 30A and the authorized user will be described.

  The input module 33 of the host device 30A accepts an input of a setting request including availability information in response to a user operation. The CPU 34 of the host device 30 </ b> A transmits a setting request that accepted the input to the storage device 10.

  When the device authentication module 21 of the storage device 10 receives the setting request including the permission information from the authorized host device 30A, the device authentication module 21 sets the permission information in the system area 11a.

  Thereby, step ST30 is completed. Thereafter, steps ST40 to ST50 are executed as appropriate, and the power supply is once turned off to complete the operation (ST60). Even after the power is turned off, the availability information is not erased and is stored in the system area 11a.

  Next, it is assumed that the storage device 10 is connected to the current host device 30B and turned on by the user. Thereby, the storage device 10 executes device authentication for the host device 30B (ST10 '). It is assumed that the current host device 30B is an unauthorized device.

  When the storage device 10 is connected, the CPU 34 of the host device 30B transmits the second device authentication information in the memory 32B to the storage device 10 in accordance with a predetermined authentication sequence for device authentication.

  The device authentication module 21 of the storage device 10 executes device authentication based on the second device authentication information received from the newly connected current host device 30B and the first device authentication information in the system area 11a.

  However, device authentication for an unauthorized host device 30B fails. In the second to fourth embodiments, the time when the device authentication has failed is immediately before steps ST15 and ST15 '.

  When the device authentication fails, the device authentication module 21 of the storage device 10 prevents the first partial key (internal information G) from being discarded based on the availability information in the system area 11a.

  Thereafter, when the destruction of the first partial key is prevented, the device authentication module 21 does not operate the above-described third partial key writing function, the user authentication module 22 and the decryption module 24, and presents a device authentication error. To the host device 30B.

  As described above, according to the present embodiment, with the configuration in which whether or not the first partial key can be discarded can be set based on the permission information, the effect of each of the first to fourth embodiments is obtained when the discard is permitted. If the decision is made to discard or not, the destruction of the encrypted data can be prevented.

<Sixth Embodiment>
Next, a sixth embodiment will be described with reference to FIG. 1 described above.

  The sixth embodiment is another specific example of the device authentication in the first to fourth embodiments. In other words, the sixth embodiment has a configuration in which the allowable number of connections is used instead of the availability information of the fifth embodiment.

  That is, in the system area 11a of the storage device 10, as shown in FIG. 21, in addition to the above-described information, the permitted number of connections (retry is possible) indicating the number of new connections permitted until the first partial key is discarded. Frequency) and the number of errors indicating the number of times device authentication has failed.

  In addition to the functions described above, the device authentication module 21 has a setting function for setting the allowable connection count in the system area 11a when a setting request including the allowable connection count is received from the authorized host device 30A.

  In addition, the device authentication module 21 has an error count update function that updates the number of errors in the system area 11a when device authentication fails.

  Furthermore, the device authentication module 21 has a destruction prevention function for preventing the destruction of the first partial key (internal information G) based on the updated error count and the allowable connection count in the system area 11a.

  In addition, when the destruction of the first partial key is prevented, the device authentication module 21 does not operate the above-described third partial key writing function, the user authentication module 22 and the decryption module 24, and sends a device authentication error to the current It has an error output function for outputting to the host device 30A (or 30B,...).

  On the other hand, in addition to the functions described above, the input module 33 of the host device 30A has a setting request receiving function that receives an input of a setting request including availability information in response to a user operation.

  In addition to the functions described above, the CPU 34 of the host device 30 </ b> A has a setting request transmission function for transmitting a setting request that has received an input to the storage device 10.

  Next, the operation of the storage system configured as described above will be described with reference to the flowchart of FIG.

  First, the allowable number of connections is set in the system area 11a of the storage device 10 in the operation setting at the time of authentication failure in step ST30, as in the fifth embodiment. Thereafter, similarly, the power is once turned off and the operation ends (ST60). Even after the power is turned off, the allowable number of connections is not erased but is stored in the system area 11a.

  Next, it is assumed that the storage device 10 is connected to the current host device 30B and turned on by the user. Thereby, the storage device 10 performs device authentication for the host device 30B (ST10 "). It is assumed that the current host device 30B is an unauthorized device.

  For this reason, as in the fifth embodiment, device authentication for an unauthorized host device 30B fails. In the second to fourth embodiments, the time when the device authentication has failed is immediately before steps ST15 and ST15 '.

  When the device authentication fails, the device authentication module 21 of the storage device 10 is updated so as to increase the number of errors in the system area 11a, and the first partial key (internal) is based on the updated number of errors and the allowable number of connections. Prevent destruction of information G).

  Thereafter, when the destruction of the first partial key is prevented, the device authentication module 21 does not operate the above-described third partial key writing function, the user authentication module 22 and the decryption module 24, and presents a device authentication error. To the host device 30B.

  As described above, according to the present embodiment, with the configuration in which whether or not the first partial key can be discarded can be set according to the allowable number of connections, the encrypted data can be prevented from being discarded until the allowable number of connections is reached, and the allowable number of connections can be reduced. After reaching, the effects of the first to fourth embodiments can be obtained.

<Seventh Embodiment>
Next, a seventh embodiment will be described with reference to FIG. 1 described above.

  The seventh embodiment stores the discard log information when the first partial key is discarded in each of the first to sixth embodiments.

  Specifically, as shown in FIGS. 23 and 24, the system area 11a of the storage device 10 includes, in addition to the above-described information, discard date information indicating the date when the first partial key was discarded, and device authentication. Discard log information Lg including discard reason information indicating failure is stored. The discard reason information is not limited to failure of device authentication, but may be indicated when it is discarded with a regular discard command.

  In addition to the functions described above, the device authentication module 21 has a discard log writing function for creating discard log information Lg and writing it to the system area 11a when the first partial key is discarded. The discard log information Lg can be read from the system area 11a by a read request from the authorized host device 30A.

  According to the above configuration, as described above, it is assumed that the device authentication has failed and the internal information G (first partial key) has been discarded. For example, in the second to fourth embodiments, the time point of discard is immediately after steps ST15 and ST15 '.

  At this time, the device authentication module 21 creates the discard log information Lg including the discard date information indicating the discarded date and the discard reason information indicating failure of the device authentication, and writes it in the system area 11a. Thus, for example, after the storage device 10 is collected from the theft destination, the discard log information Lg is read from the system area 11a by a read request from the authorized host device 30A.

  As described above, according to the present embodiment, when the internal information G (first partial key) is discarded, the configuration of storing the discard log information Lg, in addition to the effects of the first to sixth embodiments, A legitimate user can know the date and time of destruction and the reason for destruction.

<Eighth Embodiment>
Next, an eighth embodiment will be described with reference to FIG. 1 described above.

  In the eighth embodiment, a discard certificate in which a digital signature is added to the discard log information Lg of the seventh embodiment is stored.

  Specifically, as shown in FIG. 25, the system area 11a of the storage device 10 stores in advance the signature generation key Ksig-10 of its own device in addition to the above-described information. Here, the signature generation key Ksig-10 of the own device is not limited to the signature generation key for each storage device 10 (for each manufacturing number or model number), for example, the signature generation key for each manufacturer of the storage device 10, or the storage device The signature generation key for every ten vendors (vendors) can be used. Further, as shown in FIGS. 25 and 26, the system area 11a stores the discard log Cert composed of the discard log information Lg and the digital signature.

  In addition to the above-described functions, the device authentication module 21 performs a signature process on the discard log information Lg in the system area 11a based on the signature generation key Ksig-10 in the system area 11a, thereby obtaining a digital signature Sig (Ksig-10). , Lg) has a signature generation function.

  Further, the device authentication module 21 creates a revocation certificate Cert composed of revocation log information Lg and digital signature Sig (Ksig-10, Lg), and writes the revocation certificate Cert to the system area 11a. Have more.

  As described above, the discard log certificate Cert can be read from the system area 11a by a read request from the authorized host device 30A.

  On the other hand, as shown in FIG. 27, the memory 32A of the host device 30A stores in advance the signature verification key Kveri-10 of the storage device 10 in addition to the above-described information.

  In addition to the above-described functions, the CPU 34 of the host device 30A has a function of verifying the discard log certificate Cert read from the storage device 10 by the read request based on the signature verification key Kveri-10 in the memory 32A.

  According to the above configuration, when the discard log information Lg is written in the system area 11a in the seventh embodiment described above, the device authentication module 21 is based on the signature generation key Ksig-10 in the system area 11a. The signature processing is performed on the discard log information Lg in the system area 11a to generate a digital signature Sig (Ksig-10, Lg).

  Further, the device authentication module 21 creates a revocation certificate Cert composed of revocation log information Lg and digital signature Sig (Ksig-10, Lg), and writes this revocation certificate Cert in the system area 11a. Thus, after the storage device 10 is collected from the theft destination, the revocation certificate Cert is read from the system area 11a by a read request from the authorized host device 30A.

  The CPU 34 of the legitimate host device 30A verifies the read discard log certificate Cert based on the signature verification key Kveri-10 in the memory 32A, and outputs the discard certificate Cert to the output module 35 when the verification result is valid. To do.

  As described above, according to the present embodiment, the validity of the discard log information Lg is verified in addition to the effect of the seventh embodiment by storing the discard certificate Cert with the digital signature added to the discard log information Lg. can do.

<Ninth Embodiment>
Next, a ninth embodiment will be described with reference to FIG.

  The ninth embodiment is another specific example of user authentication in each of the first to eighth embodiments.

  That is, the user authentication module 22 of the storage device 10 includes, in addition to the functions described above, an authentication sequence when the current host device 30A (or 30B,...) Transmits the second user authentication information is a specified authentication sequence. It has a function of determining that user authentication has failed when a difference is detected. For example, the user authentication module 22 determines whether or not the first command received from the newly connected current host device 30A (or 30B,...) Is an authentication command. Detect that it is different from the authentication sequence.

  According to the above configuration, the user authentication module 22 is configured to determine the failure of user authentication when the current authentication sequence of the host device 30A (or 30B,...) Is different from the specified authentication sequence. In addition to the effects of the first to eighth embodiments, even an unauthorized host device 30B that has succeeded in device authentication can detect fraud from the difference in the authentication sequence of user authentication.

<Tenth Embodiment>
Next, a tenth embodiment will be described with reference to FIG.

  In the first to ninth embodiments, the tenth embodiment sets whether or not to discard when user authentication fails.

  Specifically, the system area 11a of the storage device 10 stores availability information indicating whether or not to discard the first partial key and the third partial key, in addition to the above-described information.

  In addition to the functions described above, the user authentication module 22 has a setting function for setting the availability information in the system area 11a when a setting request including availability information is received from the authorized host device 30A.

  Further, the user authentication module 22 has a destruction prevention function for preventing the destruction of the first partial key and the third partial key based on the availability information in the system area 11a when the user authentication fails.

  Further, when the destruction of the first partial key and the third partial key is prevented, the user authentication module 22 does not operate the decryption module 24 and sends a user authentication error to the current host device 30A (or 30B,...). Has an error output function to output.

  On the other hand, in addition to the functions described above, the input module 33 of the host device 30A has a setting request receiving function that receives an input of a setting request including availability information in response to a user operation.

  In addition to the functions described above, the CPU 34 of the host device 30 </ b> A has a setting request transmission function for transmitting a setting request that has received an input to the storage device 10.

  Next, the operation of the storage system configured as described above will be described with reference to the flowchart of FIG.

  First, the permission information indicating whether or not to discard is set in the system area 11a of the storage device 10 in the operation setting at the time of authentication failure in step ST30, as in the fifth embodiment. Thereafter, similarly, the power is once turned off and the operation ends (ST60). Even after the power is turned off, the availability information is not erased and is stored in the system area 11a.

  Next, it is assumed that the storage device 10 is connected to the authorized host device 30A and turned on by an unauthorized user. Thereby, the storage device 10 executes device authentication for the host device 30A (ST10 or ST10 '). Since the host device 30A is legitimate, the device authentication is successful.

  Subsequently, the storage device 10 executes user authentication for the host device 30A (ST20 ').

  Specifically, the input module 33 of the host device 30A accepts an input of unauthorized second user authentication information in response to an unauthorized user operation. The CPU 34 transmits the illegal second user authentication information that has been accepted to the storage device 10.

  The user authentication module 22 of the storage device 10 executes user authentication based on the unauthorized second user authentication information received from the current host device 30A and the first user authentication information in the system area 11a. Here, user authentication for an unauthorized user fails.

  When the user authentication fails, the user authentication module 22 discards the internal information G (first partial key) in the system area 11a and the third partial key K3 in the static RAM 25 based on the availability information in the system area 11a. To prevent.

  Also, when the discarding is prevented, the user authentication module 22 does not operate the decryption module 24 and outputs a user authentication error to the current host device 30A.

  As described above, according to the present embodiment, when it is possible to set the destruction of the first partial key and the encryption key by the availability information, when the destruction is set, the first to ninth embodiments An effect can be obtained, and the destruction of the encrypted data can be prevented when the cancellation is set.

<Eleventh embodiment>
Next, an eleventh embodiment will be described with reference to FIG.

  The eleventh embodiment sets the allowable number of connections (the number of retries allowed) when user authentication fails in the ninth embodiment. In other words, the eleventh embodiment has a configuration using the allowable number of connections in place of the availability information of the tenth embodiment.

  That is, in the system area 11a of the storage device 10, in addition to the above-described information, an allowable connection count indicating the number of new connections allowed until the first partial key and the third partial key are discarded, and user authentication are performed. The number of failures indicating the number of failures is stored.

  In addition to the functions described above, the user authentication module 22 has a setting function for setting the allowable number of connections in the system area 11a when a setting request including the allowable number of connections is received from the authorized host device 30A.

  In addition, the user authentication module 22 has an error count update function for updating so as to increase the number of errors in the system area 11a when user authentication fails.

  Furthermore, the user authentication module 22 has a destruction prevention function for preventing the destruction of the first partial key (internal information G) and the third partial key based on the updated error count and the allowable connection count in the system area 11a.

  In addition, when the destruction of the first partial key and the third partial key is prevented, the user authentication module 22 does not operate the decryption module 24 and sends a user authentication error to the current host device 30A (or 30B,...). Has an error output function to output.

  On the other hand, in addition to the functions described above, the input module 33 of the host device 30A has a setting request receiving function that receives an input of a setting request including availability information in response to a user operation.

  In addition to the functions described above, the CPU 34 of the host device 30 </ b> A has a setting request transmission function for transmitting a setting request that has received an input to the storage device 10.

  According to the above configuration, when user authentication fails, encrypted data can be set until the allowable number of connections is reached by the configuration in which whether or not the first partial key and the third partial key can be discarded can be set by the allowable number of connections. Can be prevented, and after reaching the allowable number of connections, the effect of the ninth embodiment can be obtained.

<Twelfth Embodiment>
Next, a twelfth embodiment will be described with reference to FIG.

  In the twelfth embodiment, in each of the first to eleventh embodiments, discard log information when the user authentication module 22 discards the first partial key and the third partial key is stored in the system area 11a. .

  Here, as described above, the discard log information Lg includes discard date information indicating the date when the first partial key and the third partial key are discarded, and discard reason information indicating failure of user authentication. The discard reason information is not limited to failure of user authentication, and may be indicated when it is discarded by a regular discard command.

  In addition to the functions described above, the user authentication module 22 has a discard log writing function for creating the discard log information Lg and writing it to the system area 11a when the first partial key and the third partial key are discarded. The discard log information Lg can be read from the system area 11a by a read request from the authorized host device 30A.

  According to the above configuration, when the user authentication fails and the internal information G (first partial key) and the third partial key K3 are discarded, the user authentication module 22 displays the discarded date and time indicating the discarded date and time. Discard log information Lg including information and discard reason information indicating failure of user authentication is created and written to the system area 11a. Thus, for example, after the storage device 10 is collected from the theft destination, the discard log information Lg is read from the system area 11a by a read request from the authorized host device 30A.

  As described above, according to the present embodiment, when the internal information G (first partial key) and the third partial key K3 are discarded, the first to eleventh implementations are configured to store the discard log information Lg. In addition to the effects of the form, a legitimate user can know the date and time of destruction and the reason for destruction.

<13th Embodiment>
Next, a thirteenth embodiment will be described with reference to FIG.

  In the thirteenth embodiment, a discard certificate in which a digital signature is added to the discard log information Lg in the twelfth embodiment is stored.

  Specifically, as in the eighth embodiment, the system area 11a of the storage device 10 previously stores the signature generation key Ksig-10 of its own device in addition to the above-described information as shown in FIG. . Further, as shown in FIGS. 25 and 26, the system area 11a stores the discard log Cert including the discard log information Lg and the digital signature.

  In addition to the above-described functions, the user authentication module 22 performs a signature process on the discard log information Lg in the system area 11a based on the signature generation key Ksig-10 in the system area 11a, thereby obtaining a digital signature Sig (Ksig-10). , Lg) has a signature generation function.

  Also, the user authentication module 22 creates a revocation certificate Cert composed of revocation log information Lg and digital signature Sig (Ksig-10, Lg), and writes this revocation certificate Cert to the system area 11a. Have more.

  As described above, the discard log certificate Cert can be read from the system area 11a by a read request from the authorized host device 30A.

  On the other hand, the configuration of the host device 30A is the same as that of the eighth embodiment.

  According to the above configuration, when the discard log information Lg is written in the system area 11a in the twelfth embodiment, the user authentication module 22 is based on the signature generation key Ksig-10 in the system area 11a. The signature processing is performed on the discard log information Lg in the system area 11a to generate a digital signature Sig (Ksig-10, Lg).

  Further, the user authentication module 21 creates a revocation certificate Cert composed of revocation log information Lg and digital signature Sig (Ksig-10, Lg), and writes this revocation certificate Cert in the system area 11a. Thus, after the storage device 10 is collected from the theft destination, the revocation certificate Cert is read from the system area 11a by a read request from the authorized host device 30A.

  The CPU 34 of the legitimate host device 30A verifies the read discard log certificate Cert based on the signature verification key Kveri-10 in the memory 32A, and outputs the discard certificate Cert to the output module 35 when the verification result is valid. To do.

  As described above, according to the present embodiment, the configuration in which the user authentication module 22 stores the discard certificate Cert in which the digital signature is added to the discard log information Lg in the system area 11a, in addition to the effects of the twelfth embodiment, The validity of the discard log information Lg can be verified.

  According to at least one embodiment described above, when the device authentication of the connected host device 30A (or 30B,...) Is executed and the device authentication fails, the first partial key that is a part of the encryption key is obtained. When the storage device 10 includes the device authentication module 21 to be discarded, the stored data is invalidated regardless of whether or not the user has access rights when accessed from an environment different from the usable system environment. Can be.

<Modification of each embodiment>
In each of the first to thirteenth embodiments, the internal information G (first partial key) in the storage device 10 and the unique information “AA” (second partial key) transmitted from the host device 30A are combined. The second user authentication information is combined with the generated third partial key to create an encryption key, and this encryption key is stored in the static RAM 25 (volatile memory).

  On the other hand, each of the first to thirteenth embodiments omits the first partial key in the system area 11a and the second partial key in the memory 32A, as shown in FIGS. 29 and 30, for example. The encryption key Kg may be held in advance in 32A, and the device authentication module 21 may be modified to write the encryption key Kg transmitted from the host device 30A into the static RAM 25 when the device authentication is successful.

  Here, the timing at which the host device 30A transmits the encryption key may be any time after the device authentication is successful (after ST13; yes) and before the first step ST40 or ST50 using the encryption key. The process may be performed immediately before step ST17 in which the third partial key has been set. Steps ST15 and ST15 ′ in which the third partial key has been discarded are steps in which an erroneous encryption key is received from the host device 30B that has failed in device authentication and discarded, and an incorrect encryption key such as a random number is generated. It only has to be transformed. If the device authentication fails, in step ST17b, the wrong encryption key is written in the static RAM 25 as described above.

  29 and 30 correspond to a modification of the first embodiment. Although not shown, in the modified examples of the second to thirteenth embodiments, the first partial key in the system area 11a and the second partial key in the memory 32A are omitted, while the encryption key Kg is stored in the memory 32A. The point to hold in advance is the same.

  Hereinafter, it demonstrates in order.

<Modification of First Embodiment>
As shown in FIG. 29, the system area 11a of the storage device 10 stores in advance the first device authentication information and the first user authentication information described above.

  The device authentication module 21 executes device authentication based on the second device authentication information received from the newly connected current host device 30A (or 30B,...) And the first device authentication information in the system area 11a. It has a device authentication function.

  The device authentication module 21 has a first encryption key writing function for writing the encryption key Kg received from the current host device 30A into the static RAM 25 (volatile memory) when the device authentication is successful.

  When the device authentication fails, the device authentication module 21 discards the encryption key received from the current host device 30B,..., And writes the encryption key different from this encryption key into the static RAM 25. Has a key writing function.

  After the device authentication module 21 writes the encryption key, the user authentication module 22 receives the second user authentication information received from the current host device 30A (or 30B,...) And the first user authentication information in the system area 11a. It has a user authentication function to execute user authentication based on the above.

  In addition to this, the user authentication module 22 may have a key destruction function for destroying the encryption key Kg in the static RAM 25 when the user authentication fails a predetermined number of times. Further, instead of the key destruction function, the user authentication module 22 does not operate the encryption module 23 and the decryption module 24 when the user authentication has failed for a specified number of times, and reports the user authentication error to the current host device 30A (or 30B). , ...) may have an error output function.

  The encryption module 23 and the decryption module 24 are the same as those in the first embodiment.

  The static RAM 25 is a volatile memory that can be read / written from each of the modules 21 to 24, and an encryption key is written from the device module 21. The encryption key is deleted from the static RAM 25 when the storage device 10 is powered off. Note that the storage of the encryption key from the time of writing until the power is turned off may be executed by the buffer memory 19 instead of the static RAM 25.

  On the other hand, as shown in FIG. 30, the memory 32A of the host device 30A stores an encryption key Kg instead of the second partial key. Here, the encryption key Kg is the encryption key Kg used to create the encrypted data Eg (Kg, D) stored in the user area 11 b of the storage device 10. Based on the encryption key Kg, the encrypted data Eg (Kg, D) can be decrypted to obtain correct data D.

  The second device authentication information, the user authentication program, and the application program in the memory 32A are the same as described above.

  In addition to the above-described device authentication program in the memory 32A, the host device 30A stores the encryption key in the memory 32A in accordance with a predetermined authentication sequence of device authentication executed by the device authentication module 21. It is also made to operate as an encryption key transmission means for transmitting to the network.

  The input module 33, the CPU 34, and the output module 35 are the same as described above.

  As described above, even when the device authentication module 21 writes the encryption key Kg transmitted from the host device 30A to the static RAM 25 when the device authentication is successful, when the device authentication fails, the encryption key is discarded as described above. Therefore, the same effect as that of the first embodiment can be obtained.

<Modification of Second Embodiment>
In the modification of the second embodiment, steps ST15 ″ to ST17 ″ are modified as shown in FIGS. 31 and 32 in accordance with the above description.

  In step ST15 ″, the device authentication module 21 discards the encryption key received from the current host device 30B (ST15-5), and creates an incorrect encryption key using a random number or the like (ST15-6).

  On the other hand, if the determination result in step ST13 indicates a match, the device authentication module 21 receives the encryption key Kg from the current host device 30A (ST16 ") and writes this encryption key Kg into the static RAM 25 (ST17a").

  When the encryption key is discarded in step ST15 ″, the device authentication module 21 writes the incorrect encryption key created in step ST15-6 in the static RAM 25 (ST17b ″).

  As described above, even when the encryption key is received from the host device 30A (or 30B,...), If the device authentication fails, the encryption key is discarded in the same manner as described above, and thus the same effect as in the second embodiment. Can be obtained.

<Modification of Third Embodiment>
Although a modification of the third embodiment is not illustrated, the steps 15 ′, ST16 ′, and ST17 described above are shown in steps ST15 ″, ST16 ″, and ST17 ″ as in the modification of the second embodiment. It has been transformed into.

  As described above, even when the encryption key is received from the host device 30A (or 30B,...), If the device authentication fails, the encryption key is discarded in the same manner as described above, so the same effect as in the third embodiment. Can be obtained.

<Modification of Fourth Embodiment>
Although not shown, the modification of the fourth embodiment is modified as shown in steps ST15 ″, ST16 ″, and ST17 ″, similarly to the modifications of the first to third embodiments.

  As described above, even when the encryption key is received from the host device 30A (or 30B,...), If the device authentication fails, the encryption key is discarded in the same manner as described above, and thus the same effect as in the fourth embodiment. Can be obtained.

<Modification of Fifth Embodiment>
In the modification of the fifth embodiment, as described above, the first partial key in the system area 11a and the second partial key in the memory 32A are omitted, while the encryption key Kg is held in the memory 32A in advance.

  Accordingly, in the modification of the fourth embodiment, instead of availability information indicating whether or not the first partial key is discarded, availability information indicating whether or not to destroy the encryption key is stored in the system area 11a. Remembered.

  In addition to the above-described functions, the device authentication module 21 has a setting function for setting the availability information in the system area 11a when a setting request including availability information is received from the authorized host device 30A.

  Further, the device authentication module 21 has a destruction prevention function for preventing the destruction of the encryption key based on the availability information in the system area 11a when the device authentication fails. Supplementally, when the availability information is set to discard or not, discard is prevented.

  Further, when the destruction of the encryption key is prevented, the device authentication module 21 does not operate the encryption key writing function, the user authentication module 22 and the decryption module 24 described above, and sends a device authentication error to the current host device 30B, Has an error output function that outputs to….

  The input module 33 and the CPU 34 of the host device 30A are the same as those in the fifth embodiment.

  As described above, the same effect as that of the fifth embodiment can be obtained even in a configuration in which whether or not the encryption key can be discarded can be set based on the permission information.

<Modification of Sixth Embodiment>
In the modification of the sixth embodiment, instead of the allowable number of connections (number of retries allowed) indicating the number of new connections allowed until the first partial key is discarded, the encryption key is allowed to be discarded. The allowable number of connections (number of retries possible) indicating the number of new connections to be made is stored in the system area 11a.

  The setting function and error number update function of the device module 21 are the same as described above.

  The device authentication module 21 has a destruction prevention function for preventing the destruction of the encryption key based on the number of updated errors and the number of allowable connections in the system area 11a.

  Further, when the destruction of the encryption key is prevented, the device authentication module 21 does not operate the encryption key writing function, the user authentication module 22 and the decryption module 24 described above, and sends a device authentication error to the current host device 30A ( Or 30B,...)).

  The configuration of the host device 30A is the same as that of the sixth embodiment.

  As described above, the same effect as that of the sixth embodiment can be obtained even in a configuration in which whether or not the encryption key can be discarded can be set according to the allowable number of connections.

<Modification of the seventh embodiment>
In the modification of the seventh embodiment, instead of the discard log information when the first partial key is discarded, the discard log information when the encryption key is discarded is stored in the system area 11a.

  The discard log information Lg includes discard date information indicating the date when the encryption key is discarded, and discard reason information indicating failure of device authentication.

  In addition to the functions described above, the device authentication module 21 has a discard log writing function that creates discard log information Lg and writes it to the system area 11a when the encryption key is discarded. The discard log information Lg can be read from the system area 11a by a read request from the authorized host device 30A.

  As described above, the same effect as that of the seventh embodiment can be obtained even when the discard log information Lg is stored when the encryption key is discarded.

<Modification of Eighth Embodiment>
The modification of the eighth embodiment is configured to store the revocation certificate Cert when the encryption key is revoked, and the same effect as that of the eighth embodiment can be obtained.

<Modification of Ninth Embodiment>
The modification of the ninth embodiment is the same as the ninth embodiment because the user authentication module 22 discards the encryption key by the key discard function when the user authentication module 22 determines the failure of user authentication from the difference in the prescribed authentication sequence. The effect of can be obtained.

<Modification of Tenth Embodiment>
In the modification of the tenth embodiment, instead of the availability information indicating whether or not to destroy the first partial key and the third partial key, the availability information indicating whether or not to destroy the encryption key is the system area 11a. Is remembered.

  In addition to the functions described above, the user authentication module 22 has a setting function for setting the availability information in the system area 11a when a setting request including availability information is received from the authorized host device 30A.

  Further, the user authentication module 22 has a destruction prevention function for preventing the destruction of the encryption key based on the availability information in the system area 11a when the user authentication fails. Supplementally, when the availability information is set to discard or not, discard is prevented.

  Further, the user authentication module 22 has an error output function for outputting a user authentication error to the current host device 30A (or 30B,...) Without operating the decryption module 24 when the destruction of the encryption key is prevented. .

  The input module 33 and the CPU 34 of the host device 30A are the same as those in the tenth embodiment.

  As described above, the same effect as that of the tenth embodiment can be obtained even if the encryption key can be discarded based on the permission information.

<Modification of Eleventh Embodiment>
In the modification of the eleventh embodiment, instead of the allowable number of connections (number of retries allowed) indicating the number of new connections allowed until the first partial key and the third partial key are discarded, the encryption key is used. The allowable number of connections (number of retries allowed) indicating the number of new connections allowed before being discarded is stored in the system area 11a.

  The setting function and error frequency update function of the user module 22 are the same as described above.

  The user authentication module 22 has a destruction prevention function for preventing the destruction of the encryption key based on the number of updated errors and the number of allowable connections in the system area 11a.

  Further, the user authentication module 22 has an error output function for outputting a device authentication error to the current host device 30A (or 30B,...) Without operating the decryption module 24 when destruction of the encryption key is prevented. .

  The configuration of the host device 30A is the same as that of the eleventh embodiment.

  As described above, the same effect as that of the eleventh embodiment can be obtained even if the encryption key can be discarded depending on the allowable number of connections.

<Modification of Twelfth Embodiment>
In the modification of the twelfth embodiment, instead of the discard log information when the first partial key and the third partial key are discarded, the discard log information when the encryption key is discarded is stored in the system area 11a. .

  The discard log information Lg includes discard date information indicating the date when the encryption key is discarded, and discard reason information indicating failure of user authentication.

  In addition to the functions described above, the user authentication module 22 has a discard log writing function for creating the discard log information Lg and writing it to the system area 11a when the encryption key is discarded. The discard log information Lg can be read from the system area 11a by a read request from the authorized host device 30A.

  As described above, when the encryption key Kg is destroyed, the same effect as that of the twelfth embodiment can be obtained even when the discard log information Lg is stored.

<Modification of the thirteenth embodiment>
The modification of the thirteenth embodiment is configured to store the revocation certificate Cert when the encryption key is revoked, and the same effect as that of the 13th embodiment can be obtained.

  In addition, although some embodiment of this invention was described, these embodiment is shown as an example and is not intending limiting the range of invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

  DESCRIPTION OF SYMBOLS 10 ... Memory | storage device, 11 ... Disk, 12 ... Spindle motor (SPM), 13 ... Head, 14 ... Actuator, 15 ... Motor driver, 16 ... Head amplifier, 17 ... Read / write (R / W) channel, 18 ... Flash Memory (FLROM), 19 ... Buffer memory, 20 ... Disk controller, 21 ... Device authentication module, 22 ... User authentication module, 23 ... Encryption module, 24 ... Decryption module, 25 ... Static RAM, 30A, 30B ... Host device, 31 ... Interface, 32A ... Memory, 33 ... Input module, 34 ... CPU, 35 ... Output module.

Claims (16)

A storage device having a volatile memory from which data is erased when the power is turned off and detachably connected to an arbitrary host device,
First device authentication information for authenticating a regular host device having a connection authority among the arbitrary host devices, and first user authentication information for authenticating a regular user who uses the regular host device are stored in advance. Authentication information storage means for storing;
Partial key storage means for storing in advance a first partial key constituting a part of an encryption key written in the volatile memory;
Encrypted data storage means for storing encrypted data which is data encrypted based on the encryption key;
When the device authentication is executed based on the second device authentication information received from the newly connected current host device and the first device authentication information in the authentication information storage means, Device authentication means for destroying the first partial key;
After the device authentication, the second partial key received from the current host device and the first partial key in the partial key storage means are combined, and the generated third partial key is written into the volatile memory. Three-part key writing means;
User authentication means for performing user authentication based on the second user authentication information received from the current host device and the first user authentication information in the authentication information storage means after the writing of the third partial key; ,
After the user authentication, an encryption key writing unit that combines the third partial key in the volatile memory and the second user authentication information and writes the generated encryption key to the volatile memory;
When the user authentication is successful, based on a read request received from the current host device, the encrypted data is decrypted based on an encryption key in the volatile memory, and the obtained data is converted to the current host. Decoding means for outputting to the device;
A storage device comprising: The storage device according to claim 1,
The first device authentication information is a hash value of unique information of the authorized host device,
The second device authentication information is unique information of the current host device that is also used as the second partial key,
The second partial key is unique information of the current host device that is also used as the second device authentication information,
The device authentication means calculates a hash value of the second device authentication information, compares the hash value with the first device authentication information, and indicates that the device authentication has failed when they do not match. A storage device to determine. The storage device according to claim 1,
The first device authentication information is a signature verification key of the authorized host device,
The second device authentication information is a digital signature generated using the signature generation key of the current host device and signature target data used to generate the digital signature,
The device authentication means decrypts the digital signature based on the signature verification key, and compares the obtained decrypted data with a hash value calculated from the signature target data, and when the two do not match, A storage device that determines that authentication has failed. The storage device according to claim 1,
The device authentication means is a memory for determining that the device authentication has failed when it is detected that an authentication sequence when the current host device transmits the second device authentication information is different from a prescribed authentication sequence. apparatus. The storage device according to claim 1,
Availability information storage means for storing availability information indicating whether to discard the first partial key;
When receiving a setting request including the permission information from the regular host device, setting means for setting the permission information in the permission information storage means;
When the device authentication fails, a discard blocking unit that blocks the destruction of the first partial key based on the permission information in the permission information storage unit;
When the destruction of the first partial key is prevented, the third partial key writing means, the user authentication means, the encryption key writing means, and the decryption means are not operated, and the device authentication error is Error output means for outputting to the host device of
A storage device further comprising: The storage device according to claim 1,
An allowable connection number storage means for storing an allowable connection number indicating the number of new connections permitted until the first partial key is discarded;
Error number storage means for storing the number of errors indicating the number of times the device authentication has failed;
When receiving a setting request including the allowable connection number from the regular host device, setting means for setting the allowable connection number in the allowable connection number storage unit;
When the device authentication fails, an error number update unit that updates to increase the number of errors in the error number storage unit;
A discard blocking unit for blocking the destruction of the first partial key based on the updated error count and the allowable connection count in the allowable connection count storage unit;
When the destruction of the first partial key is prevented, the third partial key writing means, the user authentication means, the encryption key writing means, and the decryption means are not operated, and the device authentication error is Error output means for outputting to the host device of
A storage device further comprising: The storage device according to claim 1,
A discard log storage unit for storing discard log information including the discard date information indicating the discarded date and time and the discard reason information indicating failure of the device authentication;
A discard log writing unit that creates the discard log information and writes it to the discard log storage unit when the first partial key is discarded;
A storage device further comprising: The storage device according to claim 7.
Signature generation key storage means for storing in advance the signature generation key of its own device;
Signature generation means for generating a digital signature by applying signature processing to the discard log information in the discard log storage means based on the signature generation key;
Creating a revocation certificate consisting of the revocation log information and the digital signature, and a revocation certificate creation means for writing the revocation certificate in the revocation log storage means;
A storage device further comprising: The storage device according to claim 1,
The user authentication means includes a key destruction means for destroying the first partial key in the partial key storage means and the third partial key in the volatile memory when the user authentication has failed a specified number of times. apparatus. The storage device according to claim 9.
Availability information storage means for storing availability information indicating whether to discard the first partial key and the third partial key;
When receiving a setting request including the permission information from the regular host device, setting means for setting the permission information in the permission information storage means;
When the user authentication is unsuccessful, a revocation prevention unit that prevents revocation of the first partial key and the third partial key based on the availability information in the availability information storage unit;
An error output means for outputting the user authentication error to the current host device without operating the decryption means when destruction of the first partial key and the third partial key is prevented;
A storage device further comprising: An authentication method executed by a storage device having a volatile memory from which data is erased when the power is turned off and detachably connected to an arbitrary host device,
The storage device
Authentication information storage means, partial key storage means, encrypted data storage means, encryption means, device authentication means, third partial key writing means, user authentication means, encryption key writing means, and decryption means,
The device authentication means executes a process of previously writing first device authentication information for device authentication of a regular host device having connection authority among the arbitrary host devices to the authentication information storage means,
The user authentication means executes a process of previously writing first user authentication information for authenticating a legitimate user using the legitimate host device into the authentication information storage means;
The encryption unit executes a process of pre-writing a first partial key constituting a part of an encryption key written in the volatile memory into the partial key storage unit;
The encryption means encrypts data based on the encryption key, and executes a process of writing the obtained encrypted data into the encrypted data storage means;
The device authentication means executes device authentication based on the second device authentication information received from the newly connected current host device and the first device authentication information in the authentication information storage means. When the first partial key is destroyed,
The third partial key writing means combines the second partial key received from the current host device after the device authentication and the first partial key in the partial key storage means, and generates the generated encryption key. Performing a process of writing to the volatile memory;
The user authentication means performs user authentication based on the second user authentication information received from the current host device and the first user authentication information in the authentication information storage means after the writing of the third partial key. Run,
The encryption key writing means, after the user authentication, combines the third partial key in the volatile memory and the second user authentication information, and writes the generated encryption key into the volatile memory Run
The decrypting means decrypts the encrypted data based on the encryption key in the volatile memory based on the read request received from the current host device when the user authentication is successful, and the obtained data Is output to the current host device. The authentication method according to claim 11,
The first device authentication information is a hash value of unique information of the authorized host device,
The second device authentication information is unique information of the current host device that is also used as the second partial key,
The second partial key is unique information of the current host device that is also used as the second device authentication information,
The device authentication means calculates a hash value of the second device authentication information, compares the hash value with the first device authentication information, and indicates that the device authentication has failed when they do not match. The authentication method to judge. The authentication method according to claim 11,
The first device authentication information is a signature verification key of the authorized host device,
The second device authentication information is a digital signature generated using the signature generation key of the current host device and signature target data used to generate the digital signature,
When the device authentication means decrypts the digital signature based on the signature verification key, the decrypted data obtained is compared with the hash value calculated from the signature target data, and when both do not match, the device An authentication method for determining that authentication has failed. The authentication method according to claim 11,
The device authentication means determines that the device authentication has failed when it detects that an authentication sequence when the current host device transmits the second device authentication information is different from a prescribed authentication sequence, Authentication method. The authentication method according to claim 11,
The storage device
Further comprising availability information storage means for storing availability information indicating whether or not to destroy the first partial key, setting means, destruction prevention means and error output means,
When the setting means receives a setting request including the availability information from the regular host device, the availability information is set in the availability information storage means,
The destruction prevention means prevents the destruction of the first partial key based on the availability information in the availability information storage means when the device authentication fails;
When the error output means prevents the destruction of the first partial key, the third partial key writing means, the user authentication means, the encryption key writing means, and the decryption means are not operated, and the device An authentication method for outputting an authentication error to the current host device. The authentication method according to claim 11,
The storage device
An allowable connection number storage means for storing an allowable connection number indicating the number of new connections allowed until the first partial key is discarded; and an error number storage means for storing an error number indicating the number of times the device authentication has failed. , Further comprising setting means, error number updating means, discard prevention means and error output means,
When the setting unit receives a setting request including the allowable connection number from the regular host device, a setting unit that sets the allowable connection number in the allowable connection number storage unit;
When the device authentication fails, the error number update unit updates the error number update unit to update the error number in the error number storage unit;
The destruction prevention means, the destruction prevention means for preventing the destruction of the first partial key based on the updated error count and the allowable connection count storage means;
When the error output means prevents the destruction of the first partial key, the third partial key writing means, the user authentication means, the encryption key writing means, and the decryption means are not operated, and the device An authentication method for outputting an authentication error to the current host device.

Images