JP2015125533A - Information processing system, communication device, and storage device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing system capable of efficiently implementing confidential technology and authentication technology.SOLUTION: An encryption circuit 52 generates encrypted content data by encrypting decrypted content data that is generated by a decryption circuit 51. A storage device authentication circuit 43 authenticates a semiconductor storage device 3 on the basis of encrypted content data received from the semiconductor device 3 and the encrypted content data generated by the encryption circuit 52.

Description

  The present invention relates to an information processing system, and a communication device and a storage device included in the information processing system.

  In an information processing system including a communication device and a semiconductor storage device connected to the communication device, in order to prevent content data stored in the semiconductor storage device from being read illegally by an attacker, the communication device and the semiconductor are generally A technology (secret technology) for performing data communication with a storage device by encryption communication such as stream encryption or block encryption is implemented. In addition, in order to prevent the use of an unauthorized communication device or an unauthorized semiconductor storage device, a technology (authentication technology) in which the communication device and the semiconductor storage device authenticate each other has been put into practical use.

  Patent Document 1 listed below discloses a technique for switching between stream cipher and block cipher when encrypting content data stored in a semiconductor storage device.

JP 2010-257112 A

  However, in communication devices and semiconductor storage devices, resources such as circuit scale or computation processing time are limited. Therefore, if the concealment technology and the authentication technology are separately implemented independently, the resources increase and resource saving occurs. From the viewpoint of

  The present invention has been made in view of such circumstances, and obtains an information processing system capable of efficiently implementing a concealment technique and an authentication technique, and a communication device and a storage device included in the information processing system. With the goal.

  An information processing system according to a first aspect of the present invention includes a communication device and a storage device connected to the communication device, and the communication device encrypts a command to be transmitted to the storage device. A first encryption unit that generates an encrypted command, a first decryption unit that generates decrypted content data by decrypting the encrypted content data received from the storage device, and the storage device A storage device authentication unit, wherein the storage device stores content data, and a second decryption unit that generates a decryption command by decrypting the encrypted command received from the communication device And a second encryption unit that generates encrypted content data by encrypting content data to be transmitted to the communication device, and the first encryption unit includes: The encrypted content data is generated by encrypting the decrypted content data generated by the first decryption unit, and the storage device authenticating unit receives the encrypted content data received from the storage device, the first content data The storage device is authenticated based on the encrypted content data generated by the encryption unit.

  According to the information processing system according to the first aspect, the first encryption unit generates encrypted content data by encrypting the decrypted content data generated by the first decryption unit. Then, the storage device authentication unit authenticates the storage device based on the encrypted content data received from the storage device and the encrypted content data generated by the first encryption unit. As described above, the communication device authenticates the storage device based on the encrypted content data generated in the process of secure communication using the secret technology, instead of separately implementing the secret technology and the authentication technology separately. This makes it possible to efficiently implement the concealment technique and the authentication technique.

  The information processing system according to a second aspect of the present invention is the information processing system according to the first aspect, in particular, the storage device further includes a communication device authentication unit for authenticating the communication device, The encryption unit generates an encrypted command by encrypting the decryption command generated by the second decryption unit, and the communication device authentication unit includes the encrypted command received from the communication device, and the first command. The communication device is authenticated based on an encrypted command generated by the second encryption unit.

  According to the information processing system according to the second aspect, the second encryption unit generates an encrypted command by encrypting the decryption command generated by the second decryption unit. Then, the communication device authentication unit authenticates the communication device based on the encrypted command received from the communication device and the encrypted command generated by the second encryption unit. Accordingly, mutual authentication between the communication device and the storage device can be performed. In addition, the storage device authenticates the communication device based on the encryption command generated in the process of secure communication using the secret technology, rather than separately implementing the secret technology and the authentication technology. It becomes possible to efficiently implement the secret technology and the authentication technology.

  An information processing system according to a third aspect of the present invention includes a communication device and a storage device connected to the communication device, and the communication device encrypts a command to be transmitted to the storage device. A first encryption unit that generates an encrypted command; and a first decryption unit that generates decrypted content data by decrypting the encrypted content data received from the storage device, and the storage The device includes a storage unit storing content data, a second decryption unit that generates a decryption command by decrypting the encrypted command received from the communication device, and encrypts content data to be transmitted to the communication device. The second encryption unit that generates the encrypted content data and the communication device authentication unit that authenticates the communication device, and the second encryption unit includes: The encryption command is generated by encrypting the decryption command generated by the second decryption unit, and the communication device authentication unit includes the encryption command received from the communication device, and the second encryption unit. The communication device is authenticated on the basis of the encryption command generated by.

  According to the information processing system according to the third aspect, the second encryption unit generates an encrypted command by encrypting the decryption command generated by the second decryption unit. Then, the communication device authentication unit authenticates the communication device based on the encrypted command received from the communication device and the encrypted command generated by the second encryption unit. In this way, the storage device authenticates the communication device based on the encryption command generated in the process of secure communication using the secret technology, instead of separately implementing the secret technology and the authentication technology separately. Accordingly, it is possible to efficiently implement the secret technology and the authentication technology.

  An information processing system according to a fourth aspect of the present invention is the information processing system according to the first or second aspect, in particular, the communication device is configured to operate the first encryption unit and the first decryption unit. The mode further includes a first cipher mode control unit that selects a stream cipher mode and a block cipher mode, and the storage device operates as the operation modes of the second encryption unit and the second decryption unit, respectively. A second cipher mode control unit that selects a stream cipher mode and a block cipher mode; and the storage device authentication unit is configured to use block cipher as an operation mode of the first decryption unit and the second encryption unit. When the mode is selected, the storage device is authenticated.

  According to the information processing system according to the fourth aspect, the first encryption mode control unit selects the stream encryption mode and the block encryption mode as the operation modes of the first encryption unit and the first decryption unit. . Further, the second encryption mode control unit selects the stream encryption mode and the block encryption mode as the operation modes of the second encryption unit and the second decryption unit. In this way, by selecting the stream cipher mode and the block cipher mode by the first cipher mode control unit and the second cipher mode control unit, it is possible to perform an appropriate cipher process according to the situation and purpose. . For example, in situations where high processing speed is required, high-speed processing can be realized by selecting the stream cipher mode, and in situations where high attack resistance is required, high attack resistance can be achieved by selecting the block cipher mode. realizable. As a result, it is possible to achieve both improvement in processing speed and improvement in attack resistance.

  The storage device authentication unit authenticates the storage device when the block cipher mode is selected as the operation mode of the first decryption unit and the second encryption unit. As a result, the storage device authentication unit can use the encrypted content data generated by the first encryption unit in the authentication process related to the current block in the authentication process related to the next block. The storage device can be authenticated using the code.

  The information processing system according to the fifth aspect of the present invention is the information processing system according to the fourth aspect, in particular, the first encryption mode control unit and the second encryption mode control unit are the first decryption unit. A block cipher mode is selected as an operation mode of the first encryption unit and the second encryption unit, and a stream cipher mode is selected as an operation mode of the first encryption unit and the second decryption unit. It is.

  According to the information processing system according to the fifth aspect, the first encryption mode control unit and the second encryption mode control unit use the block encryption mode as the operation mode of the first decryption unit and the second encryption unit. The stream encryption mode is selected as the operation mode of the first encryption unit and the second decryption unit. Thereby, the command transmitted from the communication device to the storage device is encrypted by the stream cipher, and the content data transmitted from the storage device to the communication device is encrypted by the block cipher. In this way, by making the encryption mode different between the command and the content data, it becomes difficult for the attacker to analyze, so that the attack resistance can be further improved.

  In the information processing system according to the sixth aspect of the present invention, in particular in the information processing system according to the fourth or fifth aspect, the communication device receives encrypted content data from the storage device in units of blocks, and The storage device authenticating unit authenticates the storage device in correspondence with all blocks received from the storage device.

  According to the information processing system according to the sixth aspect, the storage device authentication unit authenticates the storage device corresponding to all the blocks received from the storage device. Therefore, even when transmission of a block from the storage device to the communication device is stopped when the communication device receives a desired block from the storage device (that is, when the communication device has not received the final block). The storage device authentication unit can authenticate the storage device.

  The information processing system according to a seventh aspect of the present invention is the information processing system according to the fourth or fifth aspect, in which the communication device receives encrypted content data from the storage device in units of blocks, and The storage device authenticating unit authenticates the storage device corresponding to a specific block received from the storage device.

  According to the information processing system according to the seventh aspect, the storage device authentication unit authenticates the storage device corresponding to the specific block received from the storage device. Therefore, it is possible to save resources as compared with the case where the authentication of the storage device is performed corresponding to all the blocks received from the storage device.

  The information processing system according to an eighth aspect of the present invention is the information processing system according to any one of the fourth to seventh aspects, particularly when the storage device authentication unit authenticates the storage device as illegal. The communication device is characterized by stopping transmission / reception of data to / from the storage device.

  With the information processing system according to the eighth aspect, when the storage device authentication unit authenticates the storage device as unauthorized, the communication device stops data transmission / reception to / from the storage device. As a result, the communication device does not transmit a command or receive content data to an unauthorized storage device, so that the unauthorized storage device can be prevented from being used.

  An information processing system according to a ninth aspect of the present invention is the information processing system according to the second or third aspect, in particular, the communication device is configured to operate the first encryption unit and the first decryption unit. The mode further includes a first cipher mode control unit that selects a stream cipher mode and a block cipher mode, and the storage device operates as the operation modes of the second encryption unit and the second decryption unit, respectively. A second cipher mode control unit that selects a stream cipher mode and a block cipher mode; and the communication device authenticating unit is configured to use a block cipher as an operation mode of the first encrypting unit and the second decrypting unit. When the mode is selected, the communication device is authenticated.

  According to the information processing system according to the ninth aspect, the first encryption mode control unit selects the stream encryption mode and the block encryption mode as the operation modes of the first encryption unit and the first decryption unit. . Further, the second encryption mode control unit selects the stream encryption mode and the block encryption mode as the operation modes of the second encryption unit and the second decryption unit. In this way, by selecting the stream cipher mode and the block cipher mode by the first cipher mode control unit and the second cipher mode control unit, it is possible to perform an appropriate cipher process according to the situation and purpose. . For example, in situations where high processing speed is required, high-speed processing can be realized by selecting the stream cipher mode, and in situations where high attack resistance is required, high attack resistance can be achieved by selecting the block cipher mode. realizable. As a result, it is possible to achieve both improvement in processing speed and improvement in attack resistance.

  The communication device authentication unit authenticates the communication device when the block cipher mode is selected as the operation mode of the first encryption unit and the second decryption unit. As a result, the communication device authentication unit can use the encrypted command generated by the second encryption unit in the authentication process related to the current block in the authentication process related to the next block. It becomes possible to perform authentication of the communication device using.

  The information processing system according to a tenth aspect of the present invention is the information processing system according to the ninth aspect, in particular, the first encryption mode control unit and the second encryption mode control unit are the first encryption unit. The block cipher mode is selected as the operation mode of the encryption unit and the second decryption unit, and the stream cipher mode is selected as the operation mode of the first decryption unit and the second encryption unit. It is.

  According to the information processing system according to the tenth aspect, the first encryption mode control unit and the second encryption mode control unit use the block encryption mode as the operation mode of the first encryption unit and the second decryption unit. The stream cipher mode is selected as the operation mode of the first decryption unit and the second encryption unit. Thereby, the command transmitted from the communication device to the storage device is encrypted by the block cipher, and the content data transmitted from the storage device to the communication device is encrypted by the stream cipher. In this way, by making the encryption mode different between the command and the content data, it becomes difficult for the attacker to analyze, so that the attack resistance can be further improved.

  An information processing system according to an eleventh aspect of the present invention is the information processing system according to the tenth aspect, in particular, when the communication device authentication unit authenticates the communication device as authentic, the second encryption unit The initial value of a counter used for stream encryption of content data is set based on the encryption command generated by the above.

  According to the information processing system according to the eleventh aspect, when the communication device authenticating unit authenticates the communication device as authentic, the communication device authenticating unit converts the content data stream cipher based on the encryption command generated by the second encrypting unit. Set the initial value of the counter to be used. As a result, the initial value of the counter can be made different for each access having a different content data address, so that the attack resistance can be improved.

  An information processing system according to a twelfth aspect of the present invention is the information processing system according to the eleventh aspect, in which the communication device authentication unit includes an encrypted command generated by the second encryption unit, and a predetermined A composite value with padding data is set as an initial value of the counter.

  According to the information processing system in the twelfth aspect, the communication device authentication unit sets a composite value of the encryption command generated by the second encryption unit and the predetermined padding data as the initial value of the counter. . In this way, attack resistance can be further improved by setting the combined value of the encrypted command and padding data as the initial value of the counter rather than setting the encrypted command itself as the initial value of the counter. It becomes.

  An information processing system according to a thirteenth aspect of the present invention is the information processing system according to the twelfth aspect, in particular, the communication device authentication unit changes padding data every time the communication device accesses the storage device. It is characterized by this.

  According to the information processing system in the thirteenth aspect, the communication device authentication unit changes the padding data every time the communication device accesses the storage device. Thereby, even if the address of the content data is the same, the initial value of the counter can be made different for each access, so that the attack resistance can be further improved.

  The information processing system according to the fourteenth aspect of the present invention is the information processing system according to any one of the ninth to thirteenth aspects, particularly when the communication device authentication unit authenticates the communication device as illegal. The storage device stops transmission / reception of data to / from the communication device.

  According to the information processing system in the fourteenth aspect, when the communication device authentication unit authenticates the communication device as unauthorized, the storage device stops transmission / reception of data to / from the communication device. As a result, the storage device does not receive commands or transmit content data to an unauthorized communication device, so that it is possible to prevent the unauthorized communication device from being used.

  An information processing system according to a fifteenth aspect of the present invention is the information processing system according to the second aspect, in particular, the communication device as an operation mode of the first encryption unit and the first decryption unit. A first cipher mode control unit that selects a stream cipher mode and a block cipher mode; and the storage device uses a stream cipher mode as an operation mode of the second encryption unit and the second decryption unit. And a second cipher mode control unit that selects a block cipher mode, and the first cipher mode control unit and the second cipher mode control unit include the first cipher unit, the second cipher mode control unit, and the second cipher mode control unit. Block encryption mode is selected as an operation mode of the encryption unit, the first decryption unit, and the second decryption unit, the storage device authentication unit authenticates the storage device, and the communication device authentication unit It is characterized in that to authenticate the serial communication device.

  According to the information processing system in the fifteenth aspect, the first encryption mode control unit selects the stream encryption mode and the block encryption mode as the operation modes of the first encryption unit and the first decryption unit. . Further, the second encryption mode control unit selects the stream encryption mode and the block encryption mode as the operation modes of the second encryption unit and the second decryption unit. In this way, by selecting the stream cipher mode and the block cipher mode by the first cipher mode control unit and the second cipher mode control unit, it is possible to perform an appropriate cipher process according to the situation and purpose. . For example, in situations where high processing speed is required, high-speed processing can be realized by selecting the stream cipher mode, and in situations where high attack resistance is required, high attack resistance can be achieved by selecting the block cipher mode. realizable. As a result, it is possible to achieve both improvement in processing speed and improvement in attack resistance.

  In addition, the first encryption mode control unit and the second encryption mode control unit are blocked as operation modes of the first encryption unit, the second encryption unit, the first decryption unit, and the second decryption unit. The encryption mode is selected, the storage device authentication unit authenticates the storage device, and the communication device authentication unit authenticates the communication device. As a result, mutual authentication between the communication device and the storage device can be performed.

  Furthermore, the storage device authentication unit can use the encrypted content data generated by the first encryption unit in the authentication process for the current block in the authentication process for the next block, and as a result, the cumulative message authentication code. It becomes possible to authenticate the storage device by using. In addition, the communication device authentication unit can use the encrypted command generated by the second encryption unit in the authentication process related to the current block in the authentication process related to the next block. It is possible to authenticate the communication device by using it.

  A communication device according to a sixteenth aspect of the present invention encrypts a command to be transmitted to a storage device, thereby decrypting encrypted content data received from the storage device and an encryption unit that generates an encrypted command Thus, a decryption unit that generates decryption content data and a storage device authentication unit that authenticates the storage device, and the encryption unit encrypts the decryption content data generated by the decryption unit, The encrypted content data is generated, and the storage device authentication unit authenticates the storage device based on the encrypted content data received from the storage device and the encrypted content data generated by the encryption unit. It is characterized by.

  According to the communication device of the sixteenth aspect, the encryption unit generates encrypted content data by encrypting the decrypted content data generated by the decryption unit. Then, the storage device authentication unit authenticates the storage device based on the encrypted content data received from the storage device and the encrypted content data generated by the encryption unit. As described above, the communication device authenticates the storage device based on the encrypted content data generated in the process of secure communication using the secret technology, instead of separately implementing the secret technology and the authentication technology separately. This makes it possible to efficiently implement the concealment technique and the authentication technique.

  A storage device according to a seventeenth aspect of the present invention includes a storage unit in which content data is stored, a decryption unit that generates a decryption command by decrypting an encrypted command received from the communication device, and the communication device. An encryption unit that generates encrypted content data by encrypting content data to be transmitted, and a communication device authentication unit that authenticates the communication device, wherein the encryption unit is generated by the decryption unit An encryption command is generated by encrypting a decryption command, and the communication device authenticating unit is based on the encrypted command received from the communication device and the encrypted command generated by the encryption unit. The communication apparatus is authenticated.

  According to the storage device of the seventeenth aspect, the encryption unit generates an encrypted command by encrypting the decryption command generated by the decryption unit. Then, the communication device authentication unit authenticates the communication device based on the encrypted command received from the communication device and the encrypted command generated by the encryption unit. In this way, the storage device authenticates the communication device based on the encryption command generated in the process of secure communication using the secret technology, instead of separately implementing the secret technology and the authentication technology separately. Accordingly, it is possible to efficiently implement the secret technology and the authentication technology.

  According to the present invention, it is possible to obtain an information processing system capable of efficiently implementing a concealment technique and an authentication technique, and a communication device and a storage device included in the information processing system.

It is a figure showing the whole information processing system composition concerning an embodiment of the invention. It is a figure which simplifies and shows the structure of a communication apparatus. It is a figure which simplifies and shows the structure of the security control circuit with which a communication apparatus is provided. It is a figure which simplifies and shows the structure of an encryption / decryption circuit. It is a figure which simplifies and shows the structure of the security control circuit with which a semiconductor memory device is provided. It is a figure which simplifies and shows the structure of an encryption / decryption circuit. It is a figure which shows the example of an encryption pattern. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order. It is a figure which shows the processing content of a security control circuit in order.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In addition, the element which attached | subjected the same code | symbol in different drawing shall show the same or corresponding element.

  FIG. 1 is a diagram showing an overall configuration of an information processing system 1 according to an embodiment of the present invention. The information processing system 1 includes a communication device 2 and a semiconductor storage device 3. The communication device 2 is a personal computer, for example. The semiconductor memory device 3 is, for example, a memory card that can be detachably connected to the communication device 2. Alternatively, an arbitrary storage device such as an optical disk or a magnetic disk can be used in place of the semiconductor storage device 3.

  The communication device 2 includes a microprocessor 11 and a security control circuit 12. The semiconductor memory device 3 includes a security control circuit 21 and a memory array 22. The security control circuits 12 and 21 perform secure communication with each other by cryptographic processing described later. The memory array 22 stores arbitrary content data such as images, sounds, texts, codes, and management information. The memory array 22 is configured using, for example, a NAND flash memory. However, the present invention is not limited to this example, and the memory array 22 may be configured using a NOR flash memory or the like.

  FIG. 2 is a diagram showing a simplified configuration of the communication device 2. The microprocessor 11 includes a CPU 31, an arithmetic unit 32, a RAM 33, and a ROM 34 that are connected to each other via a bus 30. The security control circuit 12 is connected to the microprocessor 11 via the bus 30.

  FIG. 3 is a diagram showing a simplified configuration of the security control circuit 12 included in the communication device 2. As shown by the connection relationship in FIG. 3, the security control circuit 12 includes an encryption mode control circuit 41, an encryption / decryption circuit 42, a storage device authentication circuit 43, and a control circuit 44. The encryption / decryption circuit 42 can switch between a stream cipher that encrypts plaintext in bit units and a block cipher that encrypts plaintext in block units of a fixed length (for example, 16-byte length) as encryption modes. is there. The encryption mode control circuit 41 sets the encryption mode of stream encryption or block encryption for the encryption / decryption circuit 42. The storage device authentication circuit 43 authenticates whether the semiconductor storage device 3 is legitimate or illegal by an authentication process described later.

  FIG. 4 is a diagram showing the configuration of the encryption / decryption circuit 42 in a simplified manner. As shown in the connection relationship of FIG. 4, the encryption / decryption circuit 42 includes a decryption circuit 51, an encryption circuit 52, arithmetic circuits 53, 54, 56, a counter 55, and selectors 57 to 59. .

  FIG. 5 is a diagram showing a simplified configuration of the security control circuit 21 provided in the semiconductor memory device 3. As shown by the connection relationship in FIG. 5, the security control circuit 21 includes an encryption mode control circuit 61, an encryption / decryption circuit 62, a communication device authentication circuit 63, and a control circuit 64. The encryption / decryption circuit 62 can be applied by switching between stream cipher and block cipher as cipher modes. The encryption mode control circuit 61 sets the encryption mode of stream encryption or block encryption for the encryption / decryption circuit 62. The communication device authentication circuit 63 authenticates whether the communication device 2 is legitimate or illegal by an authentication process described later.

  FIG. 6 is a diagram showing a simplified configuration of the encryption / decryption circuit 62. 6, the encryption / decryption circuit 62 includes a decryption circuit 71, an encryption circuit 72, arithmetic circuits 73, 74, and 76, a counter 75, and selectors 77 to 79. .

  In the example of the present embodiment, the encryption / decryption circuits 42 and 62 are implemented with an encryption algorithm having an SPN structure (SPN: Substitution Permutation Network), which is a kind of block cipher configuration method. For example, AES (Advanced Encryption Standard) is used as the encryption algorithm. A block cipher is realized by the AES CBC mode (CBC: Cipher Block Chaining), and a stream cipher is realized by the AES CTR mode (counter mode).

  Hereinafter, the operation of the information processing system 1 according to the present embodiment will be described. In the following example, a case where a read command is used as an access command for the communication device 2 to access the memory array 22 will be described.

  Referring to FIG. 1, first, the microprocessor 11 issues an encryption control command for setting an encryption pattern to be described later. The encryption control command includes a specific command ID for identifying that it is an encryption control command, and selection information for selecting a desired encryption pattern from a plurality of encryption patterns. The microprocessor 11 transmits the encryption control command to the security control circuit 21 via the security control circuit 12.

  Referring to FIG. 3, the encryption control command input to security control circuit 12 is input to control circuit 44 via encryption / decryption circuit 42. Since the encryption control command is not encrypted, the encryption / decryption circuit 42 passes the input encryption control command as it is and inputs it to the control circuit 44.

  Next, the control circuit 44 extracts selection information included in the encryption control command and transfers the selection information to the encryption mode control circuit 41. In addition, the control circuit 44 transmits an encryption control command to the security control circuit 21.

  Referring to FIG. 5, the encryption control command received by security control circuit 21 is input to control circuit 64 through encryption / decryption circuit 62.

  Next, the control circuit 64 extracts selection information included in the encryption control command and transfers the selection information to the encryption mode control circuit 61.

  FIG. 7 is a diagram illustrating an example of an encryption pattern. The command X is a read command transmitted from the communication device 2 to the semiconductor memory device 3, and the data Y is content data transmitted from the semiconductor memory device 3 to the communication device 2. This means that the block cipher is applied to the hatched part, and the stream cipher is applied to the part not hatched. These encryption patterns are shared by the security control circuits 12 and 21 and stored in the memory array 22. However, the encryption pattern may be stored in another nonvolatile memory that can be referred to by the security control circuits 12 and 21. Note that the encryption pattern shown in FIG. 7 is an example, and other arbitrary encryption patterns may be included.

  In the pattern P1, block cipher is applied to the command X and stream cipher is applied to the content data Y.

  In the pattern P2, stream cipher is applied to the command X, and block cipher is applied to the content data Y.

  In the pattern P3, block cipher is applied to both the command X and the content data Y.

  The patterns P1 to P3 are selected for each access by the microprocessor 11 shown in FIG. The microprocessor 11 selects an optimum pattern from the patterns P1 to P3 based on the required communication speed and the required attack resistance.

  For example, when reading large data such as images and sounds, a high communication speed is required, so the pattern P1 to which the stream cipher is applied for the content data Y is selected. In addition, when reading small data such as codes and management information, since a low communication speed is sufficient, patterns P2 and P3 to which block cipher is applied for the content data Y are selected.

  When high attack resistance is required for the content data Y, patterns P2 and P3 to which block cipher is applied for the content data Y are selected.

  Further, when the data size of the command X is large, a high communication speed is required, so the pattern P2 to which the stream cipher is applied is selected for the command X. In addition, when the data size of the command X is small, a slow communication speed is sufficient, and therefore the patterns P1 and P3 to which the block cipher is applied for the command X are selected.

  When high attack resistance is required for the command X, the patterns P1 and P3 to which the block cipher is applied for the command X are selected.

  Hereinafter, each processing content when the patterns P1 to P3 are selected will be described in order.

<Process when Pattern P1 is Selected>
8 to 11 are diagrams sequentially illustrating the processing contents of the security control circuits 12 and 21 when the pattern P1 is selected. FIG. 8 shows an encryption process for the first command X1 by the security control circuit 12 and a decryption process for the command X1 by the security control circuit 21. FIG. 9 shows an encryption process for the first content data Y1 by the security control circuit 21 and a decryption process for the content data Y1 by the security control circuit 12. FIG. 10 shows an encryption process for the second command X2 by the security control circuit 12 and a decryption process for the command X2 by the security control circuit 21. FIG. 11 shows an encryption process for the second content data Y2 by the security control circuit 21 and a decryption process for the content data Y2 by the security control circuit 12.

  Referring to FIG. 3, control circuit 44 extracts selection information included in the encryption control command as described above, and transfers the selection information to encryption mode control circuit 41.

  3 and 4, next, the encryption mode control circuit 41 controls the selectors 58 and 59 in accordance with the encryption pattern indicated by the selection information. In the pattern P1, since the block cipher is applied to the command X to be encrypted, the encryption mode control circuit 41 sets the flags of the selectors 58 and 59 to “0”.

  Referring to FIG. 5, as described above, control circuit 64 extracts selection information included in the encryption control command and transfers the selection information to encryption mode control circuit 61.

  5 and 6, the encryption mode control circuit 61 controls the selectors 77 to 79 in accordance with the encryption pattern indicated by the selection information. In the pattern P1, since the block cipher is applied to the command X to be decrypted, the cipher mode control circuit 61 sets the flags of the selectors 77 to 79 to “0”.

  Referring to FIG. 1, next, the microprocessor 11 issues a command X1A which is a read command. The read command includes a specific command ID for identifying that it is a read command, and address information indicating the location of content data to be read.

  4 and 8, command X1A is input to arithmetic circuit 56. In addition, a predetermined initialization vector IV held in a secret state is input to the arithmetic circuit 56. The arithmetic circuit 56 generates synthesized data of the command X1A and the initialization vector IV by performing an exclusive OR operation. The combined data is input to the encryption circuit 52 via the selector 58.

  Next, the encryption circuit 52 generates an encryption command X1B by encrypting the input composite data.

  With reference to FIGS. 3 and 4, the encryption command X <b> 1 </ b> B is input to the control circuit 44 via the selector 59. Next, the control circuit 44 transmits the encryption command X1B to the security control circuit 21. Further, the control circuit 44 sets the encryption command X1B as the initial value of the counter 55 (counter value C11).

  Next, the encryption mode control circuit 41 controls the selectors 57 and 58 in accordance with the encryption pattern indicated by the selection information. In the pattern P1, since the stream cipher is applied to the content data Y to be decrypted, the encryption mode control circuit 41 sets the flags of the selectors 57 and 58 to “1”.

  Referring to FIG. 5, the encryption command X1B received by the security control circuit 21 is input to the encryption / decryption circuit 62 and the communication device authentication circuit 63.

  6 and 8, the encryption command X1B is input to the decryption circuit 71. The decryption circuit 71 generates decrypted data by decrypting the encrypted command X1B. The decoded data is input to the arithmetic circuit 74.

  In addition, the same initialization vector IV as the above-described initialization vector IV is input to the arithmetic circuit 74. The arithmetic circuit 74 generates a decoding command X1A by performing an exclusive OR operation between the decoding data and the initialization vector IV. Referring to FIGS. 5 and 6, decryption command X 1 A is input from control circuit 74 to control circuit 64 via selector 77.

  Next, the control circuit 64 inputs the decryption command X1A to the arithmetic circuit 76. In addition, the same initialization vector IV as the above-described initialization vector IV is input to the arithmetic circuit 76. The arithmetic circuit 76 generates synthesized data of the decoding command X1A and the initialization vector IV by performing an exclusive OR operation. The combined data is input to the encryption circuit 72 via the selector 78.

  Next, the encryption circuit 72 generates an encryption command X1B ′ by encrypting the input composite data.

  5 and 6, the encryption command X1B 'is input to the communication device authentication circuit 63 via the selector 79.

  Next, the communication device authentication circuit 63 compares the encrypted command X1B input from the security control circuit 12 with the encrypted command X1B ′ input from the encryption / decryption circuit 62, thereby authenticating the communication device 2. I do. Specifically, when the encryption command X1B and the encryption command X1B ′ are the same, the communication device authentication circuit 63 authenticates the communication device 2 as authentic, while the encryption command X1B and the encryption command X1B ′ Are not identical, the communication device 2 is authenticated as illegal. The communication device authentication circuit 63 inputs the authentication result to the control circuit 64.

  When receiving an authentication result indicating that the communication device 2 is illegal, the control circuit 64 stops transmission / reception of all data to / from the communication device 2. That is, after that, reception of commands from the communication device 2 is rejected, and transmission of content data to the communication device 2 is prohibited.

  On the other hand, when the authentication result indicating that the communication device 2 is authentic is received, the control circuit 64 receives desired content data Y1 from the memory array 22 based on the decryption command X1A input from the arithmetic circuit 74 described above. Is read.

  The encryption mode control circuit 61 controls the selectors 78 and 79 in accordance with the encryption pattern indicated by the selection information. In the pattern P1, since the stream cipher is applied to the content data Y to be encrypted, the cipher mode control circuit 61 sets the flags of the selectors 78 and 79 to “1”.

  Further, the communication device authentication circuit 63 sets the encryption command X1B ′ as an initial value of the counter 75 (counter value C11).

  Referring to FIGS. 5, 6, and 9, next, control circuit 64 inputs content data Y <b> 11 </ b> A corresponding to the first block of content data Y <b> 1 read from memory array 22 to arithmetic circuit 73.

  The counter 75 also inputs the stream data generated based on the counter value C11 to the encryption circuit 72 via the selector 78. The encryption circuit 72 generates encrypted stream data by encrypting the input stream data, and inputs the encrypted stream data to the arithmetic circuit 73.

  Next, the arithmetic circuit 73 generates encrypted content data Y11B by performing an exclusive OR operation between the content data Y11A and the encrypted stream data. The encrypted content data Y11B is output via the selector 79 and transmitted from the encryption / decryption circuit 62 to the security control circuit 12.

  Referring to FIG. 3, the encrypted content data Y11B received by the security control circuit 12 is input to the encryption / decryption circuit 42 via the control circuit 44.

  Referring to FIG. 4, encrypted content data Y11B is input to arithmetic circuit 53. Further, the counter 55 inputs the stream data generated based on the counter value C11 to the encryption circuit 52 via the selector 58. The encryption circuit 52 generates encrypted stream data by encrypting the input stream data, and inputs the encrypted stream data to the arithmetic circuit 53.

  Next, the arithmetic circuit 53 generates the decrypted content data Y11A by performing an exclusive OR operation between the encrypted content data Y11B and the encrypted stream data. With reference to FIGS. 3 and 4, the decrypted content data Y11A is output via the selector 57 and input from the encryption / decryption circuit 42 to the microprocessor 11.

  Referring to FIG. 9, for content data Y12A to Y1NA corresponding to the second and subsequent blocks of content data Y1 read from memory array 22, the same processing as described above is performed while sequentially updating counter value C1. By being repeated, the reading process of the first content data Y1 corresponding to the first command X1 is completed.

  When the second read command (command X2A) is issued by the microprocessor 11, the second content data Y2 (content data Y21A to Y2NA) is read from the memory array 22 by repeating the same processing as described above. .

  Referring to FIG. 10, the security control circuit 12 generates composite data by performing an exclusive OR operation between the command X2A and the encrypted command X1B generated by the encryption process for the first command X1A. . Next, the encryption command X2B is generated by encrypting the composite data. Next, the encryption command X2B is transmitted to the security control circuit 21, and the encryption command X2B is set as the initial value of the counter 55 (counter value C21).

  The security control circuit 21 generates decrypted data by decrypting the received encrypted command X2B. Next, a decryption command X2A is generated by performing an exclusive OR operation between the decrypted data and the encrypted command X1B 'generated by the decryption process for the first encrypted command X1B. Next, synthesized data is generated by performing an exclusive OR operation between the decryption command X2A and the encryption command X1B '. Next, an encryption command X2B 'is generated by encrypting the combined data. Next, the communication device 2 is authenticated by comparing the encrypted command X2B and the encrypted command X2B '. If the communication device 2 is legitimate, next, the content data Y2 is read from the memory array 22 based on the decryption command X2A, and the encryption command X2B ′ is set as the initial value of the counter 75 (counter value C21). .

  Referring to FIG. 11, security control circuit 21 generates encrypted stream data by encrypting the stream data generated based on counter value C21. Next, the encrypted content data Y21B is generated by performing an exclusive OR operation between the encrypted stream data and the content data Y21A corresponding to the first block of the content data Y2. Next, the encrypted content data Y21B is transmitted to the security control circuit 12.

  The security control circuit 12 generates encrypted stream data by encrypting the stream data generated based on the counter value C21. Next, the decrypted content data Y21A is generated by performing an exclusive OR operation on the encrypted stream data and the received encrypted content data Y21B. Next, the decrypted content data Y21A is input to the microprocessor 11. Regarding the content data Y22A to Y2NA corresponding to the second and subsequent blocks of the content data Y2 read from the memory array 22, the same processing as described above is repeated while sequentially updating the counter value C2, so that the second The reading process of the second content data Y2 corresponding to the command X2 is completed.

  By repeating the same process as described above for the third and subsequent read commands, desired content data is read from the memory array 22.

<Processing when Pattern P2 is Selected>
12 to 15 are diagrams sequentially illustrating the processing contents of the security control circuits 12 and 21 when the pattern P2 is selected. FIG. 12 shows an encryption process for the first command X1 by the security control circuit 12 and a decryption process for the command X1 by the security control circuit 21. FIG. 13 shows an encryption process for the first content data Y1 by the security control circuit 21 and a decryption process for the content data Y1 by the security control circuit 12. FIG. 14 shows an encryption process for the second command X2 by the security control circuit 12 and a decryption process for the command X2 by the security control circuit 21. FIG. 15 shows an encryption process for the second content data Y2 by the security control circuit 21 and a decryption process for the content data Y2 by the security control circuit 12.

  Referring to FIG. 3, control circuit 44 extracts selection information included in the encryption control command as described above, and transfers the selection information to encryption mode control circuit 41.

  3 and 4, next, the encryption mode control circuit 41 controls the selectors 58 and 59 in accordance with the encryption pattern indicated by the selection information. Since the stream cipher is applied to the command X to be encrypted in the pattern P2, the cipher mode control circuit 41 sets the flags of the selectors 58 and 59 to “1”.

  Referring to FIG. 5, as described above, control circuit 64 extracts selection information included in the encryption control command and transfers the selection information to encryption mode control circuit 61.

  5 and 6, next, the encryption mode control circuit 61 controls the selectors 77 and 78 in accordance with the encryption pattern indicated by the selection information. In the pattern P2, since the stream cipher is applied to the command X to be decrypted, the cipher mode control circuit 61 sets the flags of the selectors 77 and 78 to “1”.

  Referring to FIG. 1, next, the microprocessor 11 issues a command X1A which is a read command.

  Referring to FIGS. 4 and 12, command X 1 A is input to arithmetic circuit 53. Further, the control circuit 44 sets an arbitrary constant value held in the secret state as an initial value (counter value C11) of the counter 55. The counter 55 inputs the stream data generated based on the counter value C11 to the encryption circuit 52 via the selector 58. The encryption circuit 52 generates encrypted stream data by encrypting the input stream data, and inputs the encrypted stream data to the arithmetic circuit 53.

  Next, the arithmetic circuit 53 generates an encrypted command X1B by performing an exclusive OR operation between the command X1A and the encrypted stream data.

  With reference to FIGS. 3 and 4, the encryption command X <b> 1 </ b> B is input to the control circuit 44 via the selector 59. Next, the control circuit 44 transmits the encryption command X1B to the security control circuit 21.

  Next, the encryption mode control circuit 41 controls the selectors 57 to 59 in accordance with the encryption pattern indicated by the selection information. Since the block cipher is applied to the content data Y to be decrypted in the pattern P2, the encryption mode control circuit 41 sets the flags of the selectors 57 to 59 to “0”.

  Referring to FIG. 5, the encryption command X1B received by the security control circuit 21 is input to the encryption / decryption circuit 62.

  6 and 12, the encryption command X1B is input to the arithmetic circuit 73. The control circuit 64 sets the constant value set as the initial value of the counter 55 as the initial value (counter value C11) of the counter 75. The counter 75 inputs the stream data generated based on the counter value C11 to the encryption circuit 72 via the selector 78. The encryption circuit 72 generates encrypted stream data by encrypting the input stream data, and inputs the encrypted stream data to the arithmetic circuit 73.

  Next, the arithmetic circuit 73 generates a decryption command X1A by performing an exclusive OR operation between the encryption command X1B and the encrypted stream data. Referring to FIGS. 5 and 6, decryption command X 1 A is input from arithmetic circuit 73 to control circuit 64 via selector 77.

  Next, the control circuit 64 reads desired content data Y1 from the memory array 22 based on the decryption command X1A.

  The encryption mode control circuit 61 controls the selectors 78 and 79 in accordance with the encryption pattern indicated by the selection information. Since the block cipher is applied to the content data Y to be encrypted in the pattern P2, the encryption mode control circuit 61 sets the flags of the selectors 78 and 79 to “0”.

  Referring to FIGS. 5, 6, and 13, next, control circuit 64 inputs content data Y <b> 11 </ b> A corresponding to the first block of content data Y <b> 1 read from memory array 22 to arithmetic circuit 76. In addition, a predetermined initialization vector IV held in a secret state is input to the arithmetic circuit 76. The arithmetic circuit 76 generates composite data of the content data Y11A and the initialization vector IV by performing an exclusive OR operation. The combined data is input to the encryption circuit 72 via the selector 78.

  Next, the encryption circuit 72 generates encrypted content data Y11B by encrypting the input composite data. The encrypted content data Y11B is output via the selector 79 and transmitted from the encryption / decryption circuit 62 to the security control circuit 12.

  With reference to FIG. 3, the encrypted content data Y11B received by the security control circuit 12 is input to the encryption / decryption circuit 42 and the storage device authentication circuit 43 via the control circuit 44.

  4 and 13, the encrypted content data Y11B is input to the decryption circuit 51. The decryption circuit 51 generates decrypted data by decrypting the encrypted content data Y11B. The decoded data is input to the arithmetic circuit 54.

  In addition, the same initialization vector IV as the above-described initialization vector IV is input to the arithmetic circuit 54. The arithmetic circuit 54 generates decrypted content data Y11A by performing an exclusive OR operation between the decrypted data and the initialization vector IV. Referring to FIGS. 3 and 4, decrypted content data Y11A is input from control circuit 54 to control circuit 44 via selector 57.

  Next, the control circuit 44 inputs the decrypted content data Y11A to the arithmetic circuit 56. In addition, the same initialization vector IV as the above-described initialization vector IV is input to the arithmetic circuit 56. The arithmetic circuit 56 generates combined data of the decrypted content data Y11A and the initialization vector IV by performing an exclusive OR operation. The combined data is input to the encryption circuit 52 via the selector 58.

  Next, the encryption circuit 52 generates encrypted content data Y11B 'by encrypting the input composite data.

  3 and 4, the encrypted content data Y11B ′ is input to the storage device authentication circuit 43 via the selector 59.

  Next, the storage device authentication circuit 43 compares the encrypted content data Y11B input from the control circuit 44 with the encrypted content data Y11B ′ input from the encryption / decryption circuit 42, so that the semiconductor storage device 3 Authenticate. Specifically, if the encrypted content data Y11B and the encrypted content data Y11B ′ are the same, the storage device authentication circuit 43 authenticates the semiconductor storage device 3 as authentic, while encrypting the encrypted content data Y11B and the encrypted content data Y11B. If the content data Y11B ′ is not the same, the semiconductor memory device 3 is authenticated as illegal. The storage device authentication circuit 43 inputs the authentication result to the control circuit 44.

  When receiving an authentication result indicating that the semiconductor memory device 3 is illegal, the control circuit 44 stops transmission / reception of all data to / from the semiconductor memory device 3. That is, thereafter, reception of content data from the semiconductor memory device 3 is rejected, and transmission of commands to the semiconductor memory device 3 is prohibited.

  On the other hand, when the authentication result indicating that the semiconductor memory device 3 is authentic is received, the control circuit 44 transfers the decrypted content data Y11A input from the arithmetic circuit 54 to the microprocessor 11.

  Referring to FIG. 13, the same processing as described above is repeated for content data Y12A to Y1NA corresponding to the second and subsequent blocks of content data Y1 read from memory array 22, thereby The reading process of the first content data Y1 corresponding to the command X1 is completed. In the process for the second and subsequent blocks, the security control circuit 21 uses the encrypted content data Y11B to Y1 (N-1) B generated in the process for the previous block instead of the initialization vector IV. . Similarly, the security control circuit 12 uses the encrypted content data Y11B 'to Y1 (N-1) B' generated in the process for the previous block, instead of the initialization vector IV.

  When the second read command (command X2A) is issued by the microprocessor 11, the second content data Y2 (content data Y21A to Y2NA) is read from the memory array 22 by repeating the same processing as described above. .

  Referring to FIG. 14, the security control circuit 12 generates encrypted stream data by encrypting the stream data generated based on the counter value C12. Next, the encryption command X2B is generated by performing an exclusive OR operation between the command X2A and the encrypted stream data. Next, the encryption command X2B is transmitted to the security control circuit 21.

  The security control circuit 21 generates encrypted stream data by encrypting the stream data generated based on the counter value C12. Next, a decryption command X2A is generated by performing an exclusive OR operation between the encryption command X2B and the encrypted stream data. Next, the desired content data Y2 is read from the memory array 22 based on the decryption command X2A.

  Referring to FIG. 15, security control circuit 21 generates content data Y21A corresponding to the first block of content data Y2 read from memory array 22 and the last block generated in the process for the previous access. Synthetic data is generated by performing an exclusive OR operation with the encrypted content data Y1NB. Next, encrypted content data Y21B is generated by encrypting the combined data. Next, the encrypted content data Y21B is transmitted to the security control circuit 12.

  The security control circuit 12 generates decrypted data by decrypting the received encrypted content data Y21B. Next, the decrypted content data Y21A is generated by performing an exclusive OR operation between the decrypted data and the encrypted content data Y1NB 'generated corresponding to the last block in the process for the previous access. Next, synthesized data is generated by performing an exclusive OR operation between the decrypted content data Y21A and the encrypted content data Y1NB '. Next, encrypted content data Y21B 'is generated by encrypting the combined data. Next, authentication of the semiconductor memory device 3 is performed by comparing the encrypted content data Y21B and the encrypted content data Y21B '. If the semiconductor memory device 3 is normal, then the decrypted content data Y21A is transferred to the microprocessor 11. Regarding the content data Y22A to Y2NA corresponding to the second and subsequent blocks of the content data Y2 read from the memory array 22, the same processing as above is repeated, so that the second corresponding to the second command X2 is obtained. The content data Y2 reading process is completed.

  By repeating the same process as described above for the third and subsequent read commands, desired content data is read from the memory array 22.

<Processing when Pattern P3 is Selected>
When the pattern P3 is selected, the security control circuit 12 performs command encryption processing by the same processing as in FIGS. 8 and 10, and the security control circuit 21 performs encryption by the same processing as in FIGS. Decrypts the command. Further, every time the security control circuit 21 receives an encrypted command from the communication device 2, the security control circuit 21 authenticates the communication device 2 based on the received encrypted command and the encrypted command generated by itself.

  When the pattern P3 is selected, the security control circuit 21 performs content data encryption processing by the same processing as in FIGS. 13 and 15, and the security control circuit 12 performs processing similar to that in FIGS. To decrypt the encrypted content data. Further, every time the encrypted content data is received from the semiconductor storage device 3, the security control circuit 12 authenticates the semiconductor storage device 3 based on the received encrypted content data and the encrypted content data generated by itself. I do.

<Summary>
According to the information processing system 1 according to the present embodiment, when the patterns P2 and P3 are selected, the encryption circuit 52 (first encryption unit) is generated by the decryption circuit 51 (first decryption unit). Encrypted content data is generated by encrypting the decrypted content data. Then, the storage device authentication circuit 43 authenticates the semiconductor storage device 3 based on the encrypted content data received from the semiconductor storage device 3 and the encrypted content data generated by the encryption circuit 52. Thus, the communication device 2 does not implement the encryption technology and the authentication technology separately, but based on the encrypted content data generated in the process of secure communication using the security technology, the communication device 2 By performing authentication, it is possible to efficiently implement the secret technology and the authentication technology.

  Further, according to the information processing system 1 according to the present embodiment, when the patterns P1 and P3 are selected, the encryption circuit 72 (second encryption unit) is the decryption circuit 71 (second decryption unit). The encrypted command is generated by encrypting the decryption command generated by. Then, the communication device authentication circuit 63 authenticates the communication device 2 based on the encrypted command received from the communication device 2 and the encrypted command generated by the encryption circuit 72. As described above, the semiconductor storage device 3 authenticates the communication device 2 based on the encryption command generated in the process of secure communication using the secret technology, rather than separately implementing the secret technology and the authentication technology. By performing the above, it becomes possible to efficiently implement the secret technology and the authentication technology.

  Further, according to the information processing system 1 according to the present embodiment, the encryption mode control circuit 41 (first encryption mode control unit) uses the stream encryption mode and the block encryption mode as the operation mode of the encryption / decryption circuit 42. And select. Further, the encryption mode control circuit 61 (second encryption mode control unit) selects the stream encryption mode and the block encryption mode as the operation mode of the encryption / decryption circuit 62. As described above, by selecting the stream cipher mode and the block cipher mode by the cipher mode control circuits 41 and 61, it is possible to perform appropriate cipher processing according to the situation and purpose. For example, in situations where high processing speed is required, high-speed processing can be realized by selecting the stream cipher mode, and in situations where high attack resistance is required, high attack resistance can be achieved by selecting the block cipher mode. realizable. As a result, it is possible to achieve both improvement in processing speed and improvement in attack resistance.

  The storage device authentication circuit 43 authenticates the semiconductor storage device 3 when the block cipher mode is selected for the content data (that is, when the patterns P2 and P3 are selected). Thereby, the storage device authentication circuit 43 can use the encrypted content data generated by the encryption circuit 52 in the authentication process related to the current block in the authentication process related to the next block, and as a result, the cumulative message authentication code. The semiconductor memory device 3 can be authenticated using the.

  Further, according to the information processing system 1 according to the present embodiment, when the pattern P2 is selected, the command transmitted from the communication device 2 to the semiconductor storage device 3 is encrypted by stream encryption, and the semiconductor storage device The content data transmitted from 3 to the communication device 2 is encrypted by block cipher. In this way, by making the encryption mode different between the command and the content data, it becomes difficult for the attacker to analyze, so that the attack resistance can be further improved.

  Further, according to the information processing system 1 according to the present embodiment, as shown in FIGS. 13 and 15, the storage device authentication circuit 43 corresponds to all blocks received from the semiconductor storage device 3. 3 authentication is performed. Therefore, when transmission of a block from the semiconductor storage device 3 to the communication device 2 is stopped when the communication device 2 receives a desired block from the semiconductor storage device 3 (that is, the communication device 2 has received the final block). Even when the storage device authentication circuit 43 does not exist, the semiconductor storage device 3 can be authenticated.

  Further, according to the information processing system 1 according to the present embodiment, when the storage device authentication circuit 43 authenticates the semiconductor storage device 3 as unauthorized, the communication device 2 stops transmission / reception of data to / from the semiconductor storage device 3. As a result, the communication device 2 does not transmit commands or receive content data to the unauthorized semiconductor storage device 3, thereby preventing unauthorized use of the semiconductor storage device.

  Further, according to the information processing system 1 according to the present embodiment, the communication device authentication circuit 63 allows the communication device 2 when the block cipher mode is selected for the command (that is, when the patterns P1 and P3 are selected). Authenticate. As a result, the communication device authentication circuit 63 can use the encrypted command generated by the encryption circuit 72 in the authentication process related to the current command in the authentication process related to the next command. It becomes possible to authenticate the communication apparatus 2 by using.

  Further, according to the information processing system 1 according to the present embodiment, when the pattern P1 is selected, the command transmitted from the communication device 2 to the semiconductor memory device 3 is encrypted by block cipher, and the semiconductor memory device The content data transmitted from 3 to the communication device 2 is encrypted by stream encryption. In this way, by making the encryption mode different between the command and the content data, it becomes difficult for the attacker to analyze, so that the attack resistance can be further improved.

  Further, according to the information processing system 1 according to the present embodiment, when the communication device authentication circuit 63 authenticates the communication device 2 as authentic, the communication device authentication circuit 63 determines the content data based on the encryption command generated by the encryption circuit 72. The initial value of the counter 75 used for stream cipher is set. As a result, the initial value of the counter 75 can be made different for each access with different content data addresses, so that the attack resistance can be improved.

  Further, according to the information processing system 1 according to the present embodiment, when the communication device authentication circuit 63 authenticates the communication device 2 as unauthorized, the semiconductor storage device 3 stops data transmission / reception to / from the communication device 2. As a result, the semiconductor storage device 3 does not receive commands or transmit content data to the unauthorized communication device 2, thereby preventing the unauthorized communication device 2 from being used.

  Further, according to the information processing system 1 according to the present embodiment, when the pattern P3 is selected, the storage device authentication circuit 43 authenticates the semiconductor storage device 3, and the communication device authentication circuit 63 communicates with the communication device 2. Authenticate. Thereby, mutual authentication between the communication device 2 and the semiconductor memory device 3 can be performed. Moreover, the storage device authentication circuit 43 can use the encrypted content data generated by the encryption circuit 52 in the authentication process for the current block in the authentication process for the next block, and as a result, the accumulated message authentication code can be used. It is possible to perform authentication of the semiconductor memory device 3 by using it. Further, the communication device authentication circuit 63 can use the encrypted command generated by the encryption circuit 72 in the authentication process for the current block in the authentication process for the next block, and as a result, using the cumulative message authentication code. Thus, the communication device 2 can be authenticated.

<Modification 1>
In the example of the above embodiment, when the patterns P2 and P3 are selected, the storage device authentication circuit 43 corresponds to all the blocks received from the semiconductor storage device 3 as shown in FIGS. Device 3 was authenticated. Not only this example, the memory device authentication circuit 43 may authenticate the semiconductor memory device 3 corresponding to only a specific block among all the blocks received from the semiconductor memory device 3. For example, the semiconductor memory device 3 may be authenticated corresponding to only the first block, only the last block, or only any intermediate block (or a combination thereof) in each access.

  According to the information processing system 1 according to the present modification, the storage device authentication circuit 43 performs authentication of the semiconductor storage device 3 corresponding to the specific block received from the semiconductor storage device 3. Therefore, resources can be saved as compared with the case where authentication of the semiconductor memory device 3 is performed corresponding to all the blocks received from the semiconductor memory device 3.

<Modification 2>
FIGS. 16 and 17 are diagrams showing processing contents of the security control circuits 12 and 21 when the pattern P1 is selected, corresponding to FIGS.

  Referring to FIG. 16, similarly to FIG. 8, the encryption circuit 52 encrypts the combined data of the command X1A and the initialization vector IV to generate an encryption command X1B.

  Next, the control circuit 44 generates the combined data X1PB by combining the encrypted command X1B and the predetermined padding data PD1 held in the secret state by an exclusive OR operation. Then, the composite data X1PB is set as the initial value (counter value C11) of the counter 55.

  Similarly to FIG. 8, the communication device authentication circuit 63 compares the encrypted command X1B input from the security control circuit 12 with the encrypted command X1B ′ input from the encryption / decryption circuit 62, Authentication of the communication device 2 is performed.

  When the communication device 2 is legitimate, the communication device authentication circuit 63 generates synthesized data X1PB ′ by synthesizing the encryption command X1B ′ and the padding data PD1 similar to the above by exclusive OR operation. . Then, the composite data X1PB 'is set as the initial value of the counter 75 (counter value C11).

  Referring to FIG. 17, as in FIG. 8, the encryption circuit 52 generates an encrypted command X2B by encrypting the combined data of the command X2A and the combined data X1PB.

  Next, the control circuit 44 generates the combined data X2PB by combining the encrypted command X2B and the padding data PD2 obtained by updating the padding data PD1 by an exclusive OR operation. Then, the composite data X2PB is set as the initial value of the counter 55 (counter value C21).

  Similarly to FIG. 8, the communication device authentication circuit 63 compares the encrypted command X2B input from the security control circuit 12 with the encrypted command X2B ′ input from the encryption / decryption circuit 62, Authentication of the communication device 2 is performed.

  When the communication device 2 is authentic, the communication device authentication circuit 63 generates the synthesized data X2PB ′ by synthesizing the encryption command X2B ′ and the padding data PD2 similar to the above by exclusive OR operation. . Then, the composite data X2PB 'is set as the initial value of the counter 75 (counter value C21).

  According to the information processing system 1 according to the present modification, the communication device authentication circuit 63 uses the combined data X1PB ′ obtained by combining the encryption command X1B ′ generated by the encryption circuit 72 and the predetermined padding data PD1 as a counter. Set as an initial value of 75. Thus, instead of setting the encryption command X1B ′ itself as the initial value of the counter 75, by setting the combined data X1PB ′ of the encryption command X1B ′ and the padding data PD1 as the initial value of the counter 75, The attack resistance can be further improved.

  Further, according to the information processing system 1 according to the present modification, the communication device authentication circuit 63 changes the padding data PD1 and PD2 every time the communication device 2 accesses the semiconductor memory device 3. Thereby, even if the addresses of the content data are the same, the initial value of the counter 75 can be made different for each access, so that the attack resistance can be further improved.

DESCRIPTION OF SYMBOLS 1 Information processing system 2 Communication apparatus 3 Semiconductor memory device 12,21 Security control circuit 22 Memory array 41,61 Encryption mode control circuit 42,62 Encryption / decryption circuit 43 Storage device authentication circuit 44,64 Control circuit 51,71 Decryption circuit 52, 72 Encryption circuit 55, 75 Counter 63 Communication device authentication circuit

Claims (17)

A communication device;
A storage device connected to the communication device;
With
The communication device
A first encryption unit for generating an encrypted command by encrypting a command to be transmitted to the storage device;
A first decryption unit that generates decrypted content data by decrypting the encrypted content data received from the storage device;
A storage device authentication unit for authenticating the storage device;
Have
The storage device
A storage unit storing content data;
A second decryption unit that generates a decryption command by decrypting the encrypted command received from the communication device;
A second encryption unit for generating encrypted content data by encrypting content data to be transmitted to the communication device;
Have
The first encryption unit generates encrypted content data by encrypting the decrypted content data generated by the first decryption unit,
The information processing system, wherein the storage device authentication unit authenticates the storage device based on encrypted content data received from the storage device and encrypted content data generated by the first encryption unit. The storage device further includes a communication device authentication unit that authenticates the communication device,
The second encryption unit generates an encrypted command by encrypting the decryption command generated by the second decryption unit,
The information according to claim 1, wherein the communication device authentication unit authenticates the communication device based on an encrypted command received from the communication device and an encrypted command generated by the second encryption unit. Processing system. A communication device;
A storage device connected to the communication device;
With
The communication device
A first encryption unit for generating an encrypted command by encrypting a command to be transmitted to the storage device;
A first decryption unit that generates decrypted content data by decrypting the encrypted content data received from the storage device;
Have
The storage device
A storage unit storing content data;
A second decryption unit that generates a decryption command by decrypting the encrypted command received from the communication device;
A second encryption unit for generating encrypted content data by encrypting content data to be transmitted to the communication device;
A communication device authentication unit for authenticating the communication device;
Have
The second encryption unit generates an encrypted command by encrypting the decryption command generated by the second decryption unit,
The information processing system, wherein the communication device authentication unit authenticates the communication device based on an encrypted command received from the communication device and an encrypted command generated by the second encryption unit. The communication device further includes a first cipher mode control unit that selects a stream cipher mode and a block cipher mode as operation modes of the first encryption unit and the first decryption unit,
The storage device further includes a second encryption mode control unit that selects a stream encryption mode and a block encryption mode as operation modes of the second encryption unit and the second decryption unit,
3. The storage device authentication unit according to claim 1, wherein the storage device authentication unit authenticates the storage device when a block cipher mode is selected as an operation mode of the first decryption unit and the second encryption unit. Information processing system.   The first encryption mode control unit and the second encryption mode control unit select a block encryption mode as an operation mode of the first decryption unit and the second encryption unit, and the first encryption mode 5. The information processing system according to claim 4, wherein a stream cipher mode is selected as an operation mode of each of the first and second decryption units. The communication device receives encrypted content data from the storage device in units of blocks,
The information processing system according to claim 4, wherein the storage device authentication unit authenticates the storage device in correspondence with all blocks received from the storage device. The communication device receives encrypted content data from the storage device in units of blocks,
The information processing system according to claim 4, wherein the storage device authentication unit authenticates the storage device in response to a specific block received from the storage device.   The information processing system according to any one of claims 4 to 7, wherein when the storage device authentication unit authenticates the storage device as illegal, the communication device stops transmission / reception of data to / from the storage device. The communication device further includes a first cipher mode control unit that selects a stream cipher mode and a block cipher mode as operation modes of the first encryption unit and the first decryption unit,
The storage device further includes a second encryption mode control unit that selects a stream encryption mode and a block encryption mode as operation modes of the second encryption unit and the second decryption unit,
The communication device authentication unit performs authentication of the communication device when a block cipher mode is selected as an operation mode of the first encryption unit and the second decryption unit. Information processing system.   The first encryption mode control unit and the second encryption mode control unit select a block cipher mode as an operation mode of the first encryption unit and the second decryption unit, and the first decryption unit The information processing system according to claim 9, wherein a stream cipher mode is selected as an operation mode of the second encryption unit.   The communication device authentication unit, when authenticating the communication device, sets an initial value of a counter used for stream encryption of content data based on an encryption command generated by the second encryption unit. Item 11. The storage device according to Item 10.   The storage device according to claim 11, wherein the communication device authentication unit sets, as an initial value of the counter, a combined value of the encrypted command generated by the second encryption unit and predetermined padding data.   The storage device according to claim 12, wherein the communication device authentication unit changes padding data every time the communication device accesses the storage device.   The information processing system according to claim 9, wherein when the communication device authentication unit authenticates the communication device as unauthorized, the storage device stops transmission / reception of data to / from the communication device. The communication device further includes a first cipher mode control unit that selects a stream cipher mode and a block cipher mode as operation modes of the first encryption unit and the first decryption unit,
The storage device further includes a second encryption mode control unit that selects a stream encryption mode and a block encryption mode as operation modes of the second encryption unit and the second decryption unit,
The first encryption mode control unit and the second encryption mode control unit include the first encryption unit, the second encryption unit, the first decryption unit, and the second decryption unit. Select the block cipher mode as the operation mode,
The storage device authentication unit authenticates the storage device,
The information processing system according to claim 2, wherein the communication device authentication unit authenticates the communication device. An encryption unit that generates an encrypted command by encrypting a command to be transmitted to the storage device;
A decryption unit that generates decrypted content data by decrypting the encrypted content data received from the storage device;
A storage device authentication unit for authenticating the storage device;
With
The encryption unit generates encrypted content data by encrypting the decrypted content data generated by the decryption unit,
The storage device authentication unit authenticates the storage device based on encrypted content data received from the storage device and encrypted content data generated by the encryption unit. A storage unit storing content data;
A decryption unit that generates a decryption command by decrypting the encrypted command received from the communication device;
An encryption unit for generating encrypted content data by encrypting content data to be transmitted to the communication device;
A communication device authentication unit for authenticating the communication device;
With
The encryption unit generates an encrypted command by encrypting the decryption command generated by the decryption unit,
The communication device authentication unit authenticates the communication device based on an encrypted command received from the communication device and an encrypted command generated by the encryption unit.

Images