JP2014191659A - Server device, and hash value processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve reliability of a server device regarding certification of unfalsification.SOLUTION: A hash value log transmitting/receiving section 371 stores a hash value received from a maintenance server 100 as a hash value log and further calculates a hash value in unit of, for example, n (n is a natural number) value logs. The hash value log transmitting/receiving section 371 transmits to an H-EMA (Hyper-Environment Management Authority) server 400 a hash value based on the collected n hash value logs. A program execution monitoring section 375 acquires an operation log accompanying execution of all programs operating in a P-EMA (Private-Environment Management Authority) server 300. For each operation log including identification information of a program, operation contents and an operation date accompanying execution of the program, the program execution monitoring section 375 calculates a hash value based on the operation log. The program execution monitoring section 375 transmits each hash value based on each operation log to the H-EMA server 400.

Description

  The present invention relates to a server device and the like.

  Conventionally, a server device manages a hash value of information managed by an electric device for non-falsification certification of information managed by the electric device, and a hash value calculated based on the information managed by the electric device, and the server device There is a technique for comparing the hash value managed by. Non-falsification proof is a proof based on proof that information is authentic. According to this technique, when the hash value calculated based on the information managed by the electrical device matches the hash value managed by the server device, there is no possibility that the information managed by the electrical device has been falsified. judge. On the other hand, when the hash value calculated based on the information managed by the electric device and the hash value managed by the server device do not match, it is determined that the information managed by the electric device may have been falsified.

JP 2009-230457 A

Fujitsu Limited “Systemwalker IT Change Manager V14g”

  However, in the above-described conventional technology, it is not clear whether the server device itself is reliable for non-tampering proof, so even if the server device determines that the information managed by the electrical device has not been tampered with. The credibility cannot be guaranteed.

  In an example of an embodiment of the disclosed technology, in view of the above-described problem, an object is to increase the reliability of a server device related to non-tampering proof.

  In an example of an embodiment of the disclosed technology, the server device includes a calculation unit, a transmission unit, and an operation log processing unit. The calculation unit calculates a second hash value based on a first hash value based on information managed by the first device received from the first device. The transmission unit transmits the second hash value to the second device. The operation log processing unit transmits an operation log of processing for receiving the first hash value by the receiving unit, an operation log of processing for calculating the second hash value by the calculating unit, and a second hash value by the transmitting unit. Acquire the operation log of the processing to be performed. Then, the operation log processing unit calculates a third hash value based on the acquired operation log, and transmits the third hash value to the second device.

  According to an example of an embodiment of the disclosed technology, the reliability of an authentication server related to non-tampering proof is increased.

FIG. 1 is a diagram illustrating a system configuration according to the embodiment. FIG. 2 is a block diagram illustrating a configuration of the P-EMA server according to the embodiment. FIG. 3 is a diagram illustrating a policy table included in the P-EMA server. FIG. 4 is a diagram illustrating a pairing table included in the P-EMA server. FIG. 5 is a diagram showing a program management table included in the P-EMA server. FIG. 6 is a diagram illustrating a file group included in the P-EMA server. FIG. 7 is a diagram illustrating a hash value log included in the P-EMA server. FIG. 8 is a diagram illustrating a pairing table update log included in the P-EMA server. FIG. 9 is a diagram illustrating an access log included in the P-EMA server. FIG. 10 is a diagram illustrating a program update log included in the P-EMA server. FIG. 11 is a diagram illustrating a program operation log included in the P-EMA server. FIG. 12 is a flowchart illustrating hash value log hash value calculation processing executed by the P-EMA server. FIG. 13 is a flowchart showing hash value calculation processing of the pairing table update log executed by the P-EMA server. FIG. 14 is a flowchart showing the access log hash value calculation processing executed by the P-EMA server. FIG. 15 is a flowchart showing a hash value calculation process of the program management table update log executed by the P-EMA server. FIG. 16 is a flowchart showing a hash value calculation process of a program execution log executed by the P-EMA server. FIG. 17 is a flowchart showing a malicious program detection process executed by the P-EMA server. FIG. 18 is a block diagram illustrating a configuration of the H-EMA server according to the embodiment. FIG. 19 is a diagram illustrating a policy table included in the H-EMA server. FIG. 20 is a flowchart showing a P-EMA server audit process executed by the H-EMA server.

  Hereinafter, an example of an embodiment of the disclosed technology will be described with reference to the drawings. The following embodiments are merely examples, and do not limit the disclosed technology. Further, the following embodiments may be appropriately combined within a consistent range.

(System configuration)
FIG. 1 is a diagram illustrating a system configuration according to the embodiment. As shown in FIG. 1, the system 1 according to the embodiment includes a maintenance server 100A, maintenance terminals 200A-1 to 200A-x,..., A maintenance server 100N, maintenance terminals 200N-1 to 200N-y, and P-EMA. The server 300 and the H-EMA server 400 are included. Maintenance server 100A, maintenance terminals 200A-1 to 200A-x,..., Maintenance server 100N, maintenance terminals 200N-1 to 200N-y, and P-EMA server 300 are connected via network 2 that is a public network or a closed network. Connected. The P-EMA server 300 and the H-EMA server 400 are communicably connected via a cable or a network.

  In the system 1, one maintenance server 100A and a plurality of maintenance terminals 200A-1 to 200A-x form one device group, and one maintenance server 100N and a plurality of maintenance terminals 200N-1 to 100N-y are one. Form one device group. The number of maintenance servers and maintenance terminals included in one device group is an arbitrary number according to the configuration requirements of the system 1. The number of device groups in the system 1 is also an arbitrary number according to the configuration requirements of the system 1.

  The maintenance server 100A includes a TPM (Trusted Platform Module) chip 10A. Maintenance terminals 200A-1 to 200A-x have TPM chips 20A-1 to 20A-x, respectively. Similarly, the maintenance server 100N has a TPM chip 10N. Maintenance terminals 200N-1 to 200N-x have TPM chips 20N-1 to 20N-y, respectively.

  Hereinafter, the maintenance servers 100A to 100N are collectively referred to as the maintenance server 100. In addition, when the maintenance terminals 200A-1 to 200A-x,..., The maintenance terminals 200N-1 to 200N-y are generically referred to as the maintenance terminal 200. Further, the TPM chip included in the maintenance server 100 is collectively referred to as the TPM chip 10, and the TPM chip included in the maintenance terminal 200 is collectively referred to as the TPM chip 20.

  Although not shown, the network 2 is connected to a CA (Certificate Authority) server that manages a key for performing encrypted communication with the maintenance server 100 and the maintenance terminal 200.

  The maintenance terminal 200 is a terminal device used by a maintenance worker connected to an electrical device (not shown) to be maintained. The electric device is, for example, a personal computer, a server computer, a printer, a network device, an external storage, a mobile phone, a smartphone, a refrigerator, a washing machine, a television, a stereo component, a medical device, a machine tool, or the like. The maintenance worker connects the electrical device and the maintenance terminal 200 after arriving at the work site where the electrical device is installed. When the maintenance terminal 200 is connected to the electrical device, the maintenance terminal 200 acquires various information related to the operation of the electrical device, such as configuration information of the electrical device and information on a failure that has occurred in the electrical device, from an agent of the electrical device, To 100. The maintenance server stores a communication history including all communication contents between the maintenance terminal and the electrical equipment sent from the maintenance terminal, and a communication history including all communication contents between the maintenance terminal and the maintenance server. At the same time, the hash value of each communication history is calculated and stored in the maintenance server, or the hash value is transmitted to the P-EMA server 300 without being stored. This hash value may be accompanied by attribute information related to the communication history, for example, the name of the communication device pair, the communication device ID, and the communication time. The P-EMA server 300 stores the hash value sent from the maintenance server together with the attribute information. Further, this hash value and attribute information accompanying it may be attached with an electronic signature.

  P-EMA is an abbreviation for Private (or Personal) -Environment Management Authority. The P-EMA server 300 is a device having a function for ensuring the authenticity of the communication history stored in the maintenance server 100 and the correctness of the operation of the maintenance server 100. The P-EMA server 300 is installed and managed by a private organization or the like in order to provide this function. The P-EMA server 300 may be installed for each industry, for example.

  H-EMA is an abbreviation for Hyper-Environment Management Authority. The H-EMA server 400 is positioned above the P-EMA server 300 in the system audit system. The H-EMA server 400 is a device having a function for managing various kinds of information related to the operation of the electrical equipment received from the P-EMA server 300 and auditing its authenticity. The H-EMA server 400 manages the hash values and the like stored in the P-EMA server 300 and the operation status of the P-EMA server 300, and provides a function for ensuring the validity of the operation of the P-EMA server. Installed and managed by public or semi-public organizations.

  The P-EMA server 300 and the H-EMA server 400 described above are similar to the environmental management station disclosed in Japanese Patent No. 4818664. The P-EMA server 300 and the H-EMA server 400 include a TPM chip in a station. For example, the P-EMA server 300 and the H-EMA server 400 manage the genuine product information of software and hardware incorporated in the management target electronic device such as the maintenance server 100A and the maintenance terminal 200A-1, and make it necessary. Accordingly, the maintenance server 100A, the maintenance terminal 200A-1, etc. are audited. In addition, the action concerning authentication of the maintenance server 100A, the maintenance terminal 200A-1, etc. follows the PKI system which is a conventional technology. At that time, the TCG technology disclosed in IETF RFC 5792/5793 may be applied to signature key management and the like.

  Incidentally, it is assumed that the maintenance server 100, the maintenance terminal 200, the P-EMA server 300, and the H-EMA server 400 shown in FIG. 1 execute data communication securely by using TCG (Trusted Computing Group) technology. To do. An example of the TCG technology used in the embodiment will be described. Terminals and devices connected to the Internet are always exposed to security threats, and there are cases where unexpected modifications are made to the software structure constituting the platform due to viruses, spyware, other malicious scripts, unauthorized access, and the like. For such risks, TCG realizes a safe computing environment by ensuring the reliability of the platform. Here, the platform indicates hardware, OS, application, and the like.

  For example, there is a limit to conventional security measures that depend only on software against the threat of software tampering. For this reason, TCG embeds a TPM chip in a platform, and uses this TPM chip as a root of trust to construct a reliable computing environment that is extremely difficult to falsify. In addition, by using the TPM chip, it is possible to protect hardware-based data and certificates and to realize a secure cryptographic processing environment.

  Next, the TPM chip will be described. The TPM chip is a birdware chip bound to an electronic device and has tamper resistance. The TPM chip is physically bound to the main components of the electronic device so that it cannot be removed from the electronic device. For example, the component parts of the electronic device correspond to a motherboard or the like. The TPM chip is designed to operate with the functions, memory area, and processor power to be suppressed as much as possible. Therefore, the TPM chip can be manufactured at low cost and can be applied to various electric devices and platforms.

  For example, the TPM functions include a function for generating and storing an RSA (Rivest Shamir Adleman) secret key, and a function for signing, encrypting, and decrypting with an RSA secret key. In RSA, a pair of a private key and a public key is created. The TPM functions include a function for calculating a hash value of SHA-1 (Secure Hash Algorithm 1) and a function for holding environment information of the electrical device. The TPM measures the software code in the boot process to the BIOS (Basic Input / Output System), the OS (Operating System) loader, and the OS kernel when the bound electric device is activated. Then, the TPM hashes the measured software code and registers it in a register inside the TPM. Further, the TPM collects hardware information of the bound electronic device, hashes the hardware information, and registers the hashed information in a register in the TPM.

  In TCG, a software stack and a software interface are defined in order to use a TPM chip that is a hardware device from a higher-level application or library. This software stack is called TSS (TCG Software Stack), and is composed of software modules that store the functions of TPM chips with limited resources. An application of the electronic device can access the above-described function of the TPM chip using an interface provided by the TSS.

(Configuration of P-EMA server)
FIG. 2 is a block diagram illustrating a configuration of the P-EMA server according to the embodiment. As illustrated in FIG. 2, the P-EMA server 300 according to the embodiment includes a communication unit 310, an input unit 320, a display unit 330, an interface unit 340, a TPM chip 350, a storage unit 360, and a control unit 370. Each component included in the P-EMA server 300 is connected to each other by a bus 380.

  The communication unit 310 communicates with the maintenance server 100 and the maintenance terminal 200 via the network 2. The communication unit 310 communicates with the H-EMA server 400. The input unit 320 is an input device that receives input of various information to the P-EMA server 300, and is, for example, a keyboard, a mouse, a touch panel, or the like. The display unit 330 is a display device that displays various types of information output from the control unit 370, and is, for example, a liquid crystal display. The interface unit 340 is an interface for connecting to the H-EMA server 400.

  The TPM chip 350 is a TPM chip that conforms to the above-described TCG technology, and operates in cooperation with the control unit 370 to guarantee the safety of communication with the maintenance server 100 and the maintenance terminal 200, as will be described later. For example, in response to a request from each unit of the control unit 370, the TPM chip 350 calculates a hash value (hashing) of information and decrypts information encrypted by the TPM chip.

  The storage unit 360 includes a policy table 361a, a hash value log 362b, a pairing table 363a, a pairing table update log 363b, and an access log 364b. The storage unit 360 includes a program management table 365a, a program update log 365b, a file group 366, a program operation log 367b, a TPM extended protection area 368, and a temporary table 369. The TPM extended protection area 368 is an area secured in the storage unit 360 by the TPM chip 350 and is an area accessible only by the TPM chip 350. The storage unit 360 is, for example, a storage device such as a hard disk device, a semiconductor memory element such as a random access memory (RAM), a read only memory (ROM), and a flash memory. Details of various types of information stored in the storage unit 360 will be described later. Hereinafter, the region in the TPM chip and the TPM extended protection region 368 are referred to as a region secured by the TPM chip.

  The control unit 370 includes a hash value log transmission / reception unit 371, a table update unit 372, an access monitoring unit 373, a program update unit 374, a program execution monitoring unit 375, and an unauthorized program detection unit 376. The control unit 370 operates according to a policy described in a policy table 361a described later. The control unit 370 is, for example, an integrated device such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). Alternatively, the control unit 370 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit).

  The hash value log transmission / reception unit 371 receives various information received from the maintenance server 100 (or the maintenance terminal 200) and added with the hash values calculated by the TPM chip 10 (or TPM chip 20), for example, the operation of the electrical device Receive various information related to. Various information received from the maintenance server 100 (or the maintenance terminal 200) and added with the hash value calculated, for example, various information related to the operation of the electric device is referred to as a hash value log. Then, the hash value log transmission / reception unit 371 stores the hash value log in the hash value log 362b of the storage unit 360. The hash value log includes basic information used as a basis for calculating a hash value and a hash value calculated based on the basic information. The hash value log transmission / reception unit 371 stores the identification information of the maintenance server 100 or the maintenance terminal 200 that is the transmission source in the hash value log 362b one by one in association with the hash value log. In calculating the hash value, a policy is appropriately determined and executed according to the policy.

  In addition, the hash value log transmission / reception unit 371 uses the TPM chip 350 to store, for example, n (n is a natural number) hash value logs stored in the hash value log 362b as a unit. Is further calculated. Then, the hash value log transmission / reception unit 371 transmits hash values based on the collected n hash value logs to the H-EMA server 400 together with the n hash value logs.

  Note that n hash value logs can be collected by combining, for example, n hash value logs in the order of the time stamp of the hash value log in the combination of the maintenance server 100 and the maintenance terminal 200 that are the hash value log transmission sources. To summarize. That is, the hash value log transmission / reception unit 371 generates n records in the order of the time stamp of the hash value log for each combination of the maintenance terminal 200 connected to the electrical device to be maintained and the maintenance server 100 that manages the maintenance terminal 200. Collect hash value logs. In other words, the hash value log received from the maintenance server 100 and the maintenance terminal 200 is accumulated in the P-EMA server 300 as time passes. The hash value log transmission / reception unit 371 calculates the hash value of the n hash value logs by the TPM chip 350 at the timing when the n hash value logs are accumulated, and transmits the calculated hash value to the H-EMA server 400. To do. As a result, the H-EMA server 400 can identify whether the hash value log at which time of which group unit of the electrical equipment to be maintained contains fraud.

  The table update unit 372 performs initial writing and rewriting of the pairing table 363a. Instructions for initial writing and rewriting of the pairing table 363a are input from the input unit 320, the maintenance server 100, or the like. The pairing table 363a is a table that manages the association between the maintenance server 100 and the maintenance terminal 200, as will be described later. Then, the table update unit 372 calculates a hash value based on the latest pairing table 363a every time the pairing table 363a is initially written and rewritten, and stores the hash value together with the latest pairing table 363a in the pairing table update log 363b. . Then, the table update unit 372 transmits a hash value based on the latest pairing table to the H-EMA server 400. Note that the table update unit 372 performs the above processing also when the P-EMA server 300 is started or restarted.

  The access monitoring unit 373 monitors access from the external device via the network 2 to the P-EMA server 300. And the access monitoring part 373 memorize | stores the monitoring result of the access to the P-EMA server 300 from the external apparatus via the network 2 in the access log 364b as an access control log. For example, the access monitoring unit 373 accesses, as an access control log, that access from other devices other than the maintenance server 100 permitted to connect to the P-EMA server 300 and other than the maintenance terminal 200 is made inaccessible. Store in the log 364b. Then, the access monitoring unit 373 calculates the hash value of the access control log stored in the access log 364b by the TPM chip 350. Then, the access monitoring unit 373 stores the calculated hash value in the access log 364b in association with the access control log stored in the access log 364b, and transmits the calculated hash value to the H-EMA server 400.

  The program update unit 374 performs initial installation and update of all programs operating on the P-EMA server 300. The program installed on the P-EMA server 300 can be initially installed and updated only by the program update unit 374. Hereinafter, programs that operate on the P-EMA server 300 include a program that causes the computer to function as the hash value log transmission / reception unit 371 and a program that causes the computer to function as the table update unit 372. The programs that operate on the P-EMA server 300 include a program that causes the computer to function as the access monitoring unit 373 and a program that causes the computer to function as the program update unit 374. The programs operating on the P-EMA server 300 include a program that causes the computer to function as the program execution monitoring unit 375 and a program that causes the computer to function as the unauthorized program detection unit 376.

  An instruction for initial installation and update of a program operating on the P-EMA server 300 is input from the input unit 320 or the like. Alternatively, an instruction for initial installation and update of a program operating on the P-EMA server 300 may be received from an external reliable device via the network 2. All programs running on the P-EMA server 300 are managed by the program management table 365a. The program management table 365a is a table that manages program identification information, installation date / time, initial version, last update date / time, and latest version in association with each other, as will be described later.

  The program update unit 374 rewrites the program management table 365a each time an initial installation or update of a program operating on the P-EMA server 300 is performed. Then, the program update unit 374 stores the program data before update in the program update log 365b. Then, the program update unit 374 calculates a hash value based on the updated program data by the TPM chip 350, and stores it in the program update log 365b together with the updated program data. Then, the program update unit 374 transmits a hash value based on the updated program data to the H-EMA server 400 together with the updated program data. In addition, the program update unit 374 calculates a hash value based on the updated program management table 365a with the TPM chip 350 at each initial installation and update, and transmits the hash value together with the updated program management table 365a to the H-EMA 400. The program update unit 374 causes the TPM chip 350 to store the updated program data and the hash value based on the updated program management table 365a in the TPM extended protection area 368.

  The program execution monitoring unit 375 monitors the execution of all programs operating on the P-EMA server 300. Note that, as described above, the program that operates on the P-EMA server 300 includes a program that causes the computer to function as the hash value log transmission / reception unit 371 and a program that causes the computer to function as the table update unit 372. The programs that operate on the P-EMA server 300 include a program that causes the computer to function as the access monitoring unit 373 and a program that causes the computer to function as the program update unit 374. The programs operating on the P-EMA server 300 include a program that causes the computer to function as the program execution monitoring unit 375 and a program that causes the computer to function as the unauthorized program detection unit 376.

  The program execution monitoring unit 375 acquires an operation log associated with the execution of all programs operating on the P-EMA server 300 and stores the operation log in a program operation log 367b described later. The program execution monitoring unit 375 calculates a hash value based on the operation log for each operation log including the program identification information, the operation content, and the operation date as an operation log accompanying the execution of the program, and corresponds to the operation log. In addition, it is stored in the program operation log 367b. Then, the program execution monitoring unit 375 transmits each hash value based on each operation log to the H-EMA server 400. Note that the program execution monitoring unit 375 may calculate a hash value for each operation log and transmit the hash value to the H-EMA server 400. Alternatively, the program execution monitoring unit 375 may collect a plurality of operation logs in units of programs or operation date and time, calculate a hash value in units of the combined operation logs, and transmit the hash value to the H-EMA server 400.

  The malicious program detection unit 376 checks the file attributes of the file group 366 existing in the P-EMA server 300 when the P-EMA server 300 is started or at a predetermined cycle. Then, the malicious program detection unit 376 extracts a file having an executable attribute from among the files existing in the P-EMA server 300. Then, the malicious program detection unit 376 expands a list of files other than the OS operating on the P-EMA server 300 and the middleware file among the extracted files having executable attributes in the temporary table 369.

  Then, the malicious program detection unit 376 determines whether or not the file included in the temporary table 369 is registered in the program management table 365a. Then, when there is a program that is not registered in the program management table 365a among the files (programs) included in the temporary table 369, the unauthorized program detection unit 376 performs the following operation. That is, the malicious program detection unit 376 outputs a warning or the like from the display unit 330 or stops the P-EMA server 300, for example, according to the policy described in the policy table 361a. The malicious program detection unit 376 calculates a hash value based on the generated temporary table 369 and transmits the hash value together with the temporary table 369 to the H-EMA server 400.

(Policy table of P-EMA server)
FIG. 3 is a diagram illustrating a policy table included in the P-EMA server. The policy table 361a included in the P-EMA server 300 describes the operation policy of the P-EMA server 300. In the policy table 361a, for example, “the unit of the number of data for calculating the hash value of the hash value log” is “n”, “the hash value log is collected for each of the n hash value logs, and the combined hash “Hash value is calculated based on value log”.

  The policy table 361a describes policies such as “Pairing table update log storage period”, “Pairing table update log hash value calculation cycle”, and “Access log storage period”. The P-EMA server 300 performs each process according to these policies described in the policy table 361a. The hash value calculation cycle for each log can be set to any time, such as hourly, daily, weekly, or monthly. Further, the retention period of each log described in the policy table 361a is equal to or longer than the retention period of each corresponding log described in the policy table 361a of the P-EMA server 300. That is, the same log is stored longer by the H-EMA server 400 than by the P-EMA server 300.

(Pairing table of P-EMA server)
FIG. 4 is a diagram illustrating a pairing table included in the P-EMA server. The pairing table 363a stores the association between the maintenance server 100 and the maintenance terminal 200. As shown in FIG. 4, for example, the maintenance server 100 of “AAA” is associated with maintenance terminals 200 of “A001”, “A002”,. That is, the maintenance server 100 of “AAA” and the maintenance terminal 200 of “A001”, “A002”,... Constitute a set of management units. In other words, the maintenance terminals 200 of “A001”, “A002”,... Transmit various types of information related to the operation of the electrical device targeted by each maintenance terminal 200 to the maintenance server 100 of “AAA”. .

(Program management table of P-EMA server)
FIG. 5 is a diagram showing a program management table included in the P-EMA server. As shown in FIG. 5, the program management table 365a associates the identification information of each program with the (initial) installation date / time of the program, the initial version of the program, the last update date / time of the program, and the latest version of the program. Manage. Referring to FIG. 5, for example, it can be seen that a program whose “program (identification information)” is “PE1” has an “installation date / time” of “y1 / m1 / d1 / h1 / mm1 / s1”. Further, for example, a program whose “program (identification information)” is “PE1” has an “initial version” of “V1” and a “last update date” of “Y1 / M1 / D1 / H1 / MM1 / S1”. It can be seen that the “latest version” is “V3”.

(File group possessed by P-EMA server)
FIG. 6 is a diagram illustrating a file group included in the P-EMA server. A file group 366 shows all the files held by the P-EMA server 300. As can be seen from FIG. 6, the P-EMA server 300 includes, for example, files “F1”, “F2”,. The file group 366 holds files in a hierarchical format. For example, a file having an execution format attribute is held in a storage area indicated by a specific path ahead of a specific hierarchy.

(Hash value log of the P-EMA server)
FIG. 7 is a diagram illustrating a hash value log included in the P-EMA server. As shown in FIG. 7, the hash value log 362b includes each hash value log including at least a hash value and a calculation date and time, and associates hash values calculated based on data obtained by collecting n hash value logs. Remember. Although not shown in FIG. 7, in the hash value log 362b, each hash value log may be stored together with the identification information of the transmission source device of the hash value log. Alternatively, according to the policy described in the policy table 361a, n hash value logs are collected for each device group of the maintenance server 100 and the maintenance terminal 200, and hash values calculated based on the collected data are stored in association with each other. It is good to do.

(Pairing table update log of P-EMA server)
FIG. 8 is a diagram illustrating a pairing table update log included in the P-EMA server. Each time the pairing table 363a is newly created, a new record is added, or a record is updated, the pairing table update log 363b saves the data of the pairing table 363a before the update. Then, the pairing table update log 363b stores the hash value based on the updated data in the pairing table 363a in association with the saved data in the pairing table 363a before the update. Note that when the pairing table 363a is newly created, the “pre-update table data” is “− (Null)”, and the “update date / time” is “new creation date / time”. For example, as shown in FIG. 8, “pre-update table data” of the pairing table 363 a whose “update date and time” is “Y3 / M3 / D3 / H3 / MM3 / S3” is “pairing table data 1”. The “hash value” based on “pairing table data 1” is “pairing table hash value 1”.

(Access log of P-EMA server)
FIG. 9 is a diagram illustrating an access log included in the P-EMA server. When there is an access from an external device via the network 2, the access log 364 b stores access date / time, access content, corresponding action, and hash value in association with the access identification information. According to FIG. 9, the access log 364b is, as an access log, for example, “access” is “access 1”, and “access date” is “y5 / m5 / d5 / h5 / mm5 / s5”. It shows that. Then, “access contents and corresponding action” for the access of “access 1” includes “access from maintenance server X → block”. Then, “access hash value 1” is calculated as “hash value” based on the access log of “access 1”, and stored in association with the access log of “access 1”. Note that “access content and corresponding action” blocks access from an external device that is not permitted access according to the policy described in the policy table 361a, and permits only access from an external device that is permitted access. Including.

(Program update log of P-EMA server)
FIG. 10 is a diagram illustrating a program update log included in the P-EMA server. The program update log 365b saves the data of the program before the update and the data of the program management table 365a before the update every time the program operating on the P-EMA server 300 is updated. The program update log 365b stores the hash value based on the updated program data and the hash value based on the updated program management table 365a in association with each other. For example, as shown in FIG. 10, the “update date and time” is “Y5 / M5 / D5 / H5 / MM5 / S5”, the “pre-update program” is “pre-update program data 1”, and the “update program” is The program update log includes “updated program data 1” and “pre-update program management table data” is “pre-update program management table data 1”. The “hash value” based on the program update log in which “pre-update program” is “pre-update program data 1” and “updated program” is “updated program data 1” is “updated program data hash value 1”. ". The “hash value” based on the updated program management table 365a corresponding to the update log whose “pre-update program management table data” is “pre-update program data 1” is “updated program management table data hash value 1”. It is.

(Program operation log of P-EMA server)
FIG. 11 is a diagram illustrating a program operation log included in the P-EMA server. The program operation log 367b stores a program operation log including program identification information, operation contents, and operation date / time in association with each time the program operates on the P-EMA server 300. Then, hash values based on the data of each program operation log are stored in association with each other. For example, as shown in FIG. 11, a program operation log indicating that “program” “PE1” has performed “operation content” “startup” on “operation date and time” “y7 / m7 / d7 / h7 / mm7 / s7”. Remember. In the program operation log 367b, the “hash value” based on the program operation log including “program”, “operation content”, and “operation date / time” is “program operation log hash value 1”.

(Hash value calculation process of hash value log executed by P-EMA server)
FIG. 12 is a flowchart illustrating hash value log hash value calculation processing executed by the P-EMA server. First, the hash value log transmission / reception unit 371 of the control unit 370 of the P-EMA server 300 determines whether it is the hash value calculation timing of the hash value log (step S11). For example, the hash value calculation timing of the hash value log is whether or not the hash value log received from the maintenance server 100 or the maintenance terminal 200 has reached n (n is a natural number). When it is determined that it is the hash value calculation timing of the hash value log (Yes in step S11), the hash value log transmission / reception unit 371 moves the process to step S12. On the other hand, when it is determined that it is not the hash value calculation timing of the hash value log (No in step S11), the hash value log transmission / reception unit 371 repeats step S11.

  In step S12, the hash value log transmission / reception unit 371 calculates hash values of n hash value logs. The hash value log transmission / reception unit 371 stores the calculated hash value in the hash value log 362b in association with the hash value log that is the basis of the calculation, and transmits the calculated hash value to the H-EMA server 400. (Step S13). When the process of step S13 ends, the hash value log transmission / reception unit 371 ends the process.

(Hash value calculation processing of pairing table update log executed by P-EMA server)
FIG. 13 is a flowchart showing hash value calculation processing of the pairing table update log executed by the P-EMA server. First, the table update unit 372 of the control unit 370 of the P-EMA server 300 saves the pairing table 363a before update in the pairing table update log 363b (step S21). Then, the table update unit 372 updates the pairing table 363a (Step S22).

  Then, the table update unit 372 calculates a hash value of the updated pairing table 363a. Then, the table update unit 372 stores the calculated hash value in the pairing table update log 363b in association with the pre-update pairing table 363a that is the basis of calculation (step S23). Then, the table update unit 372 transmits the calculated hash value to the H-EMA server 400 (step S24). When the process of step S24 ends, the table update unit 372 ends the process.

(Access log hash value calculation processing executed on the P-EMA server)
FIG. 14 is a flowchart showing the access log hash value calculation processing executed by the P-EMA server. First, the access monitoring unit 373 of the control unit 370 of the P-EMA server 300 determines whether there is an access from the maintenance server 100 or the maintenance terminal 200 that is permitted to access (step S31). When there is an access from the maintenance server 100 or the maintenance terminal 200 to which access is permitted (step S31 Yes), the access monitoring unit 373 moves the process to step S32. On the other hand, when there is no access from the maintenance server 100 or the maintenance terminal 200 to which access is permitted (No at Step S31), the access monitoring unit 373 repeats Step S31.

  Note that the case where there is no access from the maintenance server 100 or the maintenance terminal 200 to which access is permitted (No in step S31) includes the case where access from an external device that is not permitted to access is made. Also in this case, the access monitoring unit 373 stores “access”, “access date / time”, “access content and corresponding action”, and “hash value” in the access log 364b shown in FIG. In this case, the “access content and corresponding action” has the content “access from an external device not permitted to access → block”.

  In step S32, the access monitoring unit 373 stores an access log from the maintenance server 100 or the maintenance terminal 200 to which access is permitted in the access log 364b. Then, the access monitoring unit 373 calculates a hash value based on the access log from the maintenance server 100 or the maintenance terminal 200 to which access is permitted, and stores the hash value in the access log 364b in association with the access log that is the basis of the calculation. Store (step S33). Then, the access monitoring unit 373 transmits the calculated hash value to the H-EMA server 400 (step S34). When step S34 ends, the access monitoring unit 373 ends the process.

(Hash value calculation processing of program management table update log executed by P-EMA server)
FIG. 15 is a flowchart showing a hash value calculation process of the program management table update log executed by the P-EMA server. First, the program update unit 374 of the control unit 370 of the P-EMA server 300 saves the program before update in the program update log 365b (step S41). Then, the program update unit 374 updates the corresponding program and the corresponding program part of the program management table 365a (step S42). Then, the program update unit 374 calculates the updated program and the hash value of the program management table using the TPM chip 350 (step S43). Then, the program update unit 374 transmits the calculated updated program and the hash value of the program management table to the H-EMA server 400 (step S44). Then, the program update unit 374 causes the TPM chip 350 to store the calculated updated program and the hash value of the program management table in the TPM extended protection area 368 (step S45). When the process of step S45 ends, the program update unit 374 ends the process.

  The updated program and the hash value of the program management table stored in the TPM extended protection area 368 are used to confirm the authenticity of the program and the program management table when the P-EMA server 300 is restarted or at a predetermined cycle. Referenced to.

(Hash value calculation processing of program execution log executed by P-EMA server)
FIG. 16 is a flowchart showing a hash value calculation process of a program execution log executed by the P-EMA server. First, the program execution monitoring unit 375 of the control unit 370 of the P-EMA server 300 acquires the execution log of the program being executed by the P-EMA server 300 and stores it in the program operation log 376b (step S51). Then, the program execution monitoring unit 375 calculates a hash value based on the execution log of the program for each execution log of the program. Then, the program execution monitoring unit 375 stores the hash value based on the program execution log in the program operation log 367b in association with the execution log of the program that is the basis of calculation (step S52). Then, the program execution monitoring unit 375 transmits a hash value based on the calculated program execution log to the H-EMA server 400 (step S53). When the process of step S53 ends, the program execution monitoring unit 375 ends the process.

(Unauthorized program detection process executed by P-EMA server)
FIG. 17 is a flowchart showing a malicious program detection process executed by the P-EMA server. First, the malicious program detection unit 376 of the control unit 370 of the P-EMA server 300 checks the attributes of all files in the P-EMA server 300 (step S61). Then, the malicious program detection unit 376 stores a file having an execution attribute among the files in the P-EMA server 300 in the temporary table 369 (step S62). Then, the malicious program detection unit 376 excludes the OS and middleware files of the P-EMA server 300 from the files having execution attributes stored in the temporary table 369 (step S63). Then, the unauthorized program detection unit 376 compares the temporary management table 369 storing the file having the execution attribute excluding the OS and middleware files with the program management table 365a (step S64).

  When the contents of the temporary table 369 storing the file having the execution attribute excluding the OS and middleware files match the contents of the program management table 365a (Yes in step S65), the malicious program detection unit 376 terminates the process. To do. On the other hand, when the contents of the temporary table 369 storing the file having the execution attribute excluding the OS and middleware files and the program management table 365a do not match (No in step S65), the malicious program detection unit 376 proceeds to step S66. Move processing.

  In step S66, the unauthorized program detection unit 376 acquires the operation log of the program that exists in the temporary table 369 and does not exist in the program management table 365a from the program operation log 367b and stores it. Then, the unauthorized program detection unit 376 calculates a hash value based on the operation log of the program that exists in the temporary table 369 and does not exist in the program management table 365a acquired in step S66 (step S67). Then, the malicious program detection unit 376 calculates a hash value based on the contents of the temporary table 369 (step S68). Then, the unauthorized program detection unit 376 transmits each hash value calculated in Step S67 and Step S68 to the H-EMA server 400 (Step S69).

(Configuration of H-EMA server)
FIG. 19 is a block diagram illustrating a configuration of the H-EMA server according to the embodiment. As illustrated in FIG. 18, the H-EMA server 400 according to the embodiment includes an input unit 420, a display unit 430, an interface unit 440, a TPM chip 450, a storage unit 460, and a control unit 470. Each component included in the H-EMA server 400 is connected to each other by a bus 480. The input unit 420 and the display unit 430 have the same functions as the input unit 320 and the display unit 330 of the P-EMA server 300. The interface unit 440 is an interface for connecting to the P-EMA server 300.

  The TPM chip 450 is the same as the TPM chip 350 of the P-EMA server 300, and operates in cooperation with the control unit 470 to guarantee the safety of communication with the P-EMA server 300, as will be described later. For example, in response to a request from each unit of the control unit 470, the TPM chip 450 calculates a hash value (hashing) of information and decrypts information encrypted by the TPM chip.

  The storage unit 460 includes a policy table 461, a hash value log hash value 462, and a pairing table update log hash value 463. The storage unit 460 also includes an access log hash value 464, a program management table update log hash value 465, a program operation log hash value 466, and a temporary table hash value 467. The policy table 461 will be described later. The storage unit 460 is, for example, a storage device such as a hard disk device, a semiconductor memory element such as a RAM (Random Access Memory), a ROM (Read Only Memory), and a flash memory (Flash Memory).

  The control unit 470 includes a hash value transmission / reception unit 471 and an audit processing execution unit 472. The control unit 470 operates according to the policy described in the policy table 461. The control unit 470 is an integrated device such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array). Alternatively, the control unit 470 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit).

  The hash value transmission / reception unit 471 receives the various information added by the hash value calculated by the TPM chip 350 received from the P-EMA server 300 and stores the received information in the storage unit 460. The various information is a hash value of the hash value log 362b and a hash value of the pairing table update log 363b. The various information includes a hash value of the access log 364b, a hash value of the program update log 365b, a hash value of the program operation log 367b, and a hash value of the temporary table 369.

  The hash value of the hash value log 362b is stored in the hash value 462 of the hash value log. Further, the hash value of the pairing table update log 363b is stored in the hash value 463 of the pairing table update log. Further, the hash value of the access log 364b is stored in the hash value 464 of the access log. The hash value of the program update log 365b is stored in the hash value 465 of the program update log. Further, the hash value of the program operation log 367b is stored in the hash value 466 of the program operation log. The hash value of the temporary table 369 is stored in the hash value 467 of the temporary table.

  The audit process execution unit 472 executes an audit process to be described later, and executes an action according to the audit result in accordance with the policy described in the policy table 461.

(Policy table of H-EMA server)
FIG. 19 is a diagram illustrating a policy table included in the H-EMA server. The policy table 461 describes the operation policy of the H-EMA server 400. In the policy table 461, for example, “the action when hash values do not match” “P-EMA server stop” specifically refers to the following processing. In step S65 of FIG. 17, the result is No, and in step S69, the P-EMA server 300 transmits the operation log of the program that exists in the temporary table 369 and does not exist in the program management table 365a and the hash value based on the temporary table 369. Suppose that In this case, it refers to stopping the P-EMA server 300 because the non-falsification of the P-EMA server 300 cannot be guaranteed. In addition, as shown in FIG. 19, the policy table 461 includes each hash received from the P-EMA server 300 such as “the storage period of the hash value of the hash value log” and “the storage period of the hash value of the pairing table update log”. Rules such as the retention period of values are described.

  Similarly, the hash value 462 of the hash value log, the hash value 463 of the pairing table update log, and the hash value 464 of the access log are hash values transmitted from the P-EMA server 300 and stored. The hash value 465 of the program update log, the hash value 466 of the program operation log, and the hash value 467 of the temporary table are hash values transmitted from the P-EMA server 300 and stored.

(P-EMA server audit process executed by H-EMA server)
FIG. 20 is a flowchart showing a P-EMA server audit process executed by the H-EMA server. First, the audit process execution unit 472 of the H-EMA server 400 determines a hash value to be audited by the P-EMA server 300 (step S71). And the audit process execution part 472 acquires the hash value of the applicable part of an audit target from the P-EMA server 300 (step S72). And the audit process execution part 472 determines whether the hash value which the H-EMA server 400 which is an own apparatus memorize | stores, and the hash value acquired from the P-EMA server 300 correspond (step S73). When the hash value stored in the H-EMA server 400 that is the own device matches the hash value acquired from the P-EMA server 300 (Yes in step S73), the audit process execution unit 472 determines that there is no audit abnormality and performs the process. finish.

  On the other hand, when the hash value stored in the H-EMA server 400 that is the device itself does not match the hash value acquired from the P-EMA server 300 (No in step S73), the audit processing execution unit 472 determines that there is an audit abnormality. . For example, the audit process execution unit 472 instructs the P-EMA server 300 to stop operating according to the policy table 461 (step S74). That is, the authority of P-EMA is deprived from the P-EMA server 300. When the process of step S74 ends, the audit process execution unit 472 ends the process. Note that the process of step S74 is merely an example. For example, if the policy table 461 describes a policy that goes to the installation site of the P-EMA 300 and outputs an instruction to investigate the cause, that fact is described. Is output from the display unit 430. That is, the process in step S74 is in accordance with the specified contents described in the policy table 461.

  According to the above embodiment, the hash value transmitted from the P-EMA server 300 to the H-EMA server 400 is transmitted together with the log that is the basis for calculating the hash value. However, any information may be used as long as it is information for identifying a log as a basis for calculating a hash value. The information that identifies the log that is the basis for calculating the hash value is transmitted to the H-EMA server 400 together with the hash value, so that the log held by the P-EMA server 300 can be audited.

  In addition, the hash value transmitted from the P-EMA server 300 to the H-EMA server 400 may be a hash value based on each log. Alternatively, the hash value transmitted from the P-EMA server 300 to the H-EMA server 400 may be a hash value based on a plurality of each log collected based on the device group, date and time, contents or type of each log, and the like. Good.

(Effect by embodiment)
According to the above embodiment, for example, the P-EMA server 300 accumulates hash value logs received from the maintenance server 100 or the maintenance terminal 200, and calculates a hash value based on information obtained by collecting the accumulated logs according to a policy. To do. Further, for example, the P-EMA server 300 accumulates an access log to the own device, a program execution log, and a program update log, and calculates a hash value based on the accumulated log. Then, for example, the P-EMA server 300 causes the H-EMA server 400 to store the calculated hash value. Thereby, for example, the H-EMA server 400 can audit the P-EMA server 300 at any time based on the hash value stored in the own apparatus, and can ensure the non-tampering property of the P-EMA server 300.

  In addition, for example, the P-EMA server 300 can install and update a program that operates on its own device only with a dedicated update program. For this reason, for example, the P-EMA server 300 can prevent an unintended unauthorized program from being installed or an unintended update of the program, and can ensure the validity of the program operating on its own device.

  Further, for example, the P-EMA server 300 manages a program that operates on its own device using a management table, and updates the management table every time the program is installed and updated. For example, the P-EMA server 300 accumulates an operation log when installing and updating a program with a dedicated update program. For example, the P-EMA server 300 accumulates the change history of the management table as a log, and calculates a hash value together with an operation log of a dedicated update program. Then, for example, the P-EMA server 300 causes the H-EMA server 400 to store the calculated hash value. Thereby, for example, the H-EMA server 400 can audit the program operating on the P-EMA server 300 at any time based on the hash value stored in its own device, and the non-falsification of the program of the P-EMA server 300 is further strengthened. Can be secured.

1 System 100A, ..., 100N Maintenance server 200A-1, ..., 200A-x, 200N-1, ..., 200N-y Maintenance terminal 300 P-EMA server 310 Communication unit 320 Input unit 330 Display unit 340 Interface unit 350 TPM chip 360 Storage unit 361a Policy table 362b Hash value log 363a Pairing table 363b Pairing table update log 364b Access log 365a Program management table 365b Program update log 366 File group 367b Program operation log 368 TPM extended protection area 369 Temporary table 370 Control unit 371 Hash value log transmission / reception unit 372 Table update unit 373 Access monitor unit 374 Program update unit 375 Program execution monitor unit 376 Unauthorized program Detection unit 400 H-EMA server 420 input unit 430 display unit 440 interface unit 450 TPM chip 460 storage unit 461 policy table 462 hash value log hash value 463 pairing table update log hash value 464 access log hash value 465 program Hash value 466 of update log Hash value 467 of program operation log Hash value 470 of temporary table Control unit 471 Hash value transmission / reception unit 472 Audit processing execution unit

Claims (6)

A calculating unit that calculates a second hash value based on a first hash value based on information managed by the first device received from the first device;
A transmission unit for transmitting the second hash value to the second device;
An operation log of a process for receiving the first hash value by the receiving unit, an operation log of a process for calculating the second hash value by the calculating unit, and the second hash value by the transmitting unit. An operation log processing unit that acquires an operation log of a process to be transmitted, calculates a third hash value based on the acquired operation log, and transmits the third hash value to the second device. Server device. The first hash value is calculated by a TPM chip mounted on the first device,
The server device according to claim 1, wherein the second hash value and the third hash value are calculated by a TPM chip mounted on the server device. It further has a management unit that manages the programs installed in its own device,
The operation log processing unit acquires an operation log of the addition, update, and deletion processing when there is addition, update, and deletion of a program managed by the management unit, and the acquired operation log The server device according to claim 1 or 2, wherein a fourth hash value based on the fourth hash value is calculated and the fourth hash value is transmitted to the second device. The calculation unit calculates the second hash value based on the first hash value by collecting the first hash values received from the first device in units of n (n is a natural number). The server device according to claim 1, 2, or 3. The server device according to any one of claims 1 to 4, wherein the server device is provided for each of the plurality of first devices provided for the same type of industry. A hash value processing method executed by a computer,
Calculating a second hash value based on a first hash value based on information managed by the first device received from the first device;
Sending the second hash value to a second device;
An operation log of a process for receiving the first hash value, an operation log of a process for calculating the second hash value, and an operation log of a process for transmitting the second hash value are acquired and acquired. A hash value processing method comprising: calculating a third hash value based on a log and transmitting the third hash value to the second device.

Images