JP2017033225A - Relay device, program, and information processing system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a relay device, a program, and an information processing system with which it is possible to determine the validity of a computer in use.SOLUTION: A gateway 1 for relaying data transmitted from a terminal 7 to a data collection server 8 comprises: an IC chip 3 having a non-rewritable secure storage unit 40 for storing a validity determination program 41a for verifying the validity of the gateway 1 and a validity verification data 42a referenced by the validity determination program 41a; a writable storage unit 20; a request processing unit 11 for performing a write process in response to an event that a request for write to the storage unit 20 is received from the terminal 7; a validity verification request unit 13 for executing the validity determination program 41a in response to an event that the request processing unit 11 has executed the process, and requesting the IC chip 3 that the validity of the gateway 1 be verified referring to the validity verification data 42a; and a result processing unit 14 for performing a process to cut off the power supply to the gateway 1 when the validity cannot be verified.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a relay device, a program, and an information processing system.

Conventionally, TCG (Trusted Computing Group), an industry group that develops standard technology for improving the reliability and security of computers, has developed TPM (Trusted Platform Module) chip specifications for security chips for computing platforms. (For example, Patent Document 1).
A computer with a built-in TPM chip can detect whether its own hardware or software has been tampered with by a third party at startup (boot), and the computer itself must be trusted. Can be confirmed.
Further, a device that verifies the integrity of the platform when the gateway is activated is disclosed (for example, Patent Document 2).

JP-A-2005-317026 Japanese Patent No. 5678094

  Recently, M2M (Machine to Machine) technology in which computers exchange information with each other via a communication network has been developed, and a relay device such as a gateway is used. The relay device is used for a long time with the power on, but in that case, there is a problem that even if tampering is performed from the outside during use, it may continue to be used without being detected. .

  Therefore, an object of the present invention is to provide a relay device, a program, and an information processing system that can determine the validity of a computer in use.

  The present invention solves the above problems by the following means. In addition, in order to make an understanding easy, although the code | symbol corresponding to embodiment of this invention is attached | subjected and demonstrated, it is not limited to this. In addition, the configuration described with reference numerals may be improved as appropriate, or at least a part thereof may be replaced with another configuration.

The first invention is a relay device (5) connected to one or more networks (N1, N2) and relaying data transmitted and received between external devices (7, 8) connected to the network. The validity determination program storage unit (41) for storing the validity determination program (41a) for confirming the validity of the relay device, and the validity confirmation data (42a) referred to by the validity determination program A legitimacy data storage unit (42), a writable / rewritable device storage unit (20), and a device control unit (10). The legitimacy data storage unit is connected to the relay device. Can be removed, or has a non-rewritable secure storage area built in the relay device, and the device control unit writes or writes to the device storage unit from the external device. In response to receiving the renewal request, the request processing unit (11) that performs writing or rewriting processing and the validity determination program are executed, and the validity of the relay device is confirmed by referring to the validity data storage unit. A legitimacy confirmation unit (13) to confirm, and a result processing unit (14) that performs processing according to the legitimacy confirmation result by the legitimacy confirmation unit, and the legitimacy confirmation unit of the device control unit includes: The validity of the relay device is confirmed in response to the request processing unit performing the processing, and the result processing unit of the device control unit has failed to confirm the validity of the confirmation result. In this case, a process of disconnecting the relay apparatus from the network or a process of notifying an error to at least one external apparatus connected by the network and transmitting data by the relay apparatus is performed. When a relay apparatus according to claim.
According to a second invention, in the relay device (1) according to the first invention, the validity confirmation unit (13) of the device control unit (10) is configured so that the power of the relay device is turned on. The relay device is characterized in that the validity of the relay device is confirmed.
According to a third aspect of the present invention, in the relay device (1) of the first or second aspect, the result processing unit (14) of the device control unit (10) is configured by the validity confirmation unit (13). If the confirmation result confirms the validity, device identification information for identifying the external device (7, 8) as a request transmission source is stored in the device storage unit (22), and the device control unit Determines whether information matching the device identification information for identifying the external device that is the request transmission source is stored in the device storage unit in response to the request processing unit (11) performing the processing. A device determination unit (12) that performs the validity check of the relay device when the device determination unit determines that the device identification information is not stored. It is a relay apparatus characterized by confirming.
According to a fourth invention, in the relay device (1) of the third invention, the device control unit (10) stores the device identification information stored in the device storage unit (22) when an erasure condition is satisfied. An information erasing unit (15) for erasing the information is provided.
According to a fifth invention, in the relay device according to the fourth invention, the information erasure unit of the device control unit stores the information stored in the device storage unit when the erasure condition is satisfied by reaching a reference date and time. The relay device is characterized in that the device identification information is erased.
According to a sixth invention, in the relay device (1) of the fourth invention, when the result processing unit (14) of the device control unit (10) confirms the validity of the confirmation result. The device identification information is stored in the device storage unit (22) in association with the processing date and time, and the information erasure unit (15) of the device control unit first stores the device identification information by the result processing unit. A relay device that erases the device identification information stored in the device storage unit when the erasure condition is satisfied by elapse of a reference time after being stored in the device storage unit .
A seventh invention is the relay device according to any one of the fourth to sixth inventions, wherein the device control unit determines that the device identification information is stored by the device determination unit. A determination frequency unit that stores the device identification information in the device storage unit in a manner in which the determined number of times is known, and the information erasure unit of the device control unit stores the device identification information stored in the device storage unit The relay device is characterized in that the device identification information stored in the device storage unit is erased when the erase condition is satisfied when the determined number of times reaches a reference number.
According to an eighth aspect of the present invention, in the relay device (1) from the first aspect to the seventh aspect, the validity determination program storage unit (41) can be removed from the relay device. Alternatively, the relay apparatus is characterized in that the relay apparatus has a non-rewritable secure storage area built in the relay apparatus.
The ninth invention is a program (21a) for causing a computer to function as any one of the relay devices (1) from the first invention to the eighth invention.
A tenth aspect of the invention is the relay device (1) according to any one of the first to eighth aspects of the invention, and the external device (7, 8) connected to the relay device by the network (N1, N2). Is an information processing system (100).

  ADVANTAGE OF THE INVENTION According to this invention, the relay apparatus, program, and information processing system which can determine the correctness of the computer in use can be provided.

It is a functional block diagram of the information processing system concerning this embodiment. It is a figure for demonstrating the software structure of the gateway which concerns on this embodiment, and the validity confirmation data of IC chip. It is a flowchart of the validity confirmation process of the gateway which concerns on this embodiment. It is a flowchart of the validity confirmation process of the gateway which concerns on this embodiment. It is a flowchart of the verification process of the gateway and IC chip concerning this embodiment.

DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. This is merely an example, and the technical scope of the present invention is not limited to this.
(Embodiment)
FIG. 1 is a functional block diagram of an information processing system 100 according to the present embodiment.
FIG. 2 is a diagram for explaining the software structure 50 of the gateway 1 and the validity confirmation data 42a of the IC chip 3 according to the present embodiment.

<Information processing system 100>
An information processing system 100 illustrated in FIG. 1 includes a gateway 1 (relay device), a terminal 7 (external device), and a data collection server 8 (external device). The information processing system 100 is a system that collects data of the terminal 7 by transmitting the data transmitted by each terminal 7 to the data collection server 8 via the gateway 1.
In the following description, it is assumed that the gateway 1 and the plurality of terminals 7 are provided in each factory that requires temperature management, and the data collection server 8 is provided in a head office or the like. Each terminal 7 is provided in each work section in the factory. The terminal 7 acquires temperature data and transmits it to the gateway 1, and the data collection server 8 is described as monitoring the temperature in the factory by collecting the data transmitted from the gateway 1 at regular intervals. .
In FIG. 1, one gateway 1 is connected to the data collection server 8, but a plurality of gateways 1 may be connected to the data collection server 8.

<Gateway 1>
The gateway 1 is a communication device that is connected to the terminal 7 via the communication network N1, is connected to the data collection server 8 via the communication network N2, and relays communication. The gateway 1 relays data transmitted and received between the plurality of terminals 7 and the data collection server 8.
The communication network N1 is a local area network for performing near field communication such as Wi-Fi and Bluetooth (registered trademark). The communication network N2 is a wide area network of an Internet connection line such as a public line, a mobile phone line (for example, 3G (3rd Generation) or LTE (Long Term Evolution)).

The gateway 1 includes an IC chip 3. Then, the gateway 1 executes the validity determination program 41a stored in the IC (Integrated Circuit) chip 3 at the time of activation, and the platform (hardware, software, etc.) of the gateway 1 is illegally altered by a third party. Check the validity of whether or not. In addition, the gateway 1 confirms the validity even when the storage unit 20 is written or rewritten while the power is on and continuously used.
The gateway 1 is turned on and used in a state where communication with the IC chip 3 is possible.

The gateway 1 includes a control unit 10 (device control unit), a storage unit 20 (device storage unit), a chip connection unit 25, a wide area communication unit 28, and a short-range communication unit 29.
The control unit 10 is a CPU (Central Processing Unit) that controls the entire gateway 1. The control unit 10 executes various functions in cooperation with the hardware described above by appropriately reading and executing an OS (operating system) and various application programs stored in the storage unit 20.
The control unit 10 includes a request processing unit 11, a device determination unit 12, a validity confirmation requesting unit 13 (validity confirmation unit), a result processing unit 14, and an information erasing unit 15.

The request processing unit 11 is a terminal 7, a data collection server 8, and other devices (not shown) connected via the communication network N1 or the communication network N2 (hereinafter, these are also collectively referred to as “external devices”). ) To the storage unit 20 in response to the reception of the write request. Here, the other device means, for example, a third-party device impersonating the terminal 7 or the data collection server 8.
The device determination unit 12 determines whether or not the external device is a device that has already been validated by using a device ID (IDentifier) that identifies the external device that has transmitted the write request.
The validity confirmation requesting unit 13 requests the IC chip 3 to confirm the validity of the gateway 1 when the external device is not a device that has confirmed the validity.
The result processing unit 14 performs a process according to the validity confirmation result.
The information erasure unit 15 erases the device ID stored in the log area 22.
Details of each process will be described later.

The storage unit 20 is a storage area such as a hard disk or a semiconductor memory element for storing programs, data, and the like necessary for the control unit 10 to execute various processes.
The storage unit 20 includes a program area 21 and a log area 22.
The program area 21 is a storage area for storing each program executed by the gateway 1 such as the OS and the apparatus program 21a.
The device program 21a is a program that executes each function of the control unit 10 described above.
The feature value measurement program 21 b is a program that calculates a hash value of each program stored in the program area 21. The hash value is, for example, a SHA-1 hash value.

As shown in FIG. 2A, the program area 21 of the gateway 1 includes a boot loader unit 51, an OS unit 52, and an application unit 53 as a software structure 50. The boot loader unit 51, the OS unit 52, and the application unit 53 have a hierarchical structure in which the boot loader unit 51 is in the lower level and the application unit 53 is in the upper level.
The boot loader unit 51 stores a boot loader, and the OS unit 52 stores an OS. The application unit 53 stores each application program. The program A is a device program 21a.
The feature value measurement program 21b is stored in a distributed manner in the boot loader unit 51 and the OS unit 52, for example. The feature value measurement program 21b of the boot loader unit 51 sets the boot loader as a measurement target. Further, the feature value measurement program 21b of the OS unit 52 sets the OS and each program of the application unit 53 as measurement targets.

Returning to FIG. 1, the log area 22 is a storage area for storing a log of processing related to validity confirmation.
The chip connection unit 25 is an interface unit with the IC chip 3. The chip connection unit 25 includes, for example, a terminal for external connection.
The wide area communication unit 28 is an interface for communicating with the data collection server 8.
The short-range communication unit 29 is an interface for communicating with the terminal 7.

<IC chip 3>
The IC chip 3 is a secure chip having tamper resistance. The IC chip 3 has a one-chip configuration. The IC chip 3 may be provided on a card medium, for example.
The IC chip 3 includes a control unit 30, a storage unit 40, and a device connection unit 45.
The control unit 30 is a CPU that controls the entire IC chip 3. The control unit 30 executes various functions in cooperation with the hardware described above by appropriately reading and executing the OS and various application programs stored in the storage unit 40.
The control unit 30 includes a validity confirmation processing unit 31 (a validity confirmation unit).

The validity confirmation processing unit 31 executes the validity determination program 41a stored in the storage unit 40 in response to accepting the process for confirming the validity of the gateway 1 from the gateway 1, and Check validity.
Specifically, the validity confirmation processing unit 31 obtains a feature value based on the hash value of each program stored in the program area 21 of the gateway 1. Then, the validity confirmation processing unit 31 confirms the validity of the gateway 1 by comparing the feature value with the validity confirmation data 42 a stored in the IC chip 3.
Here, the case where the gateway 1 is not valid means a case where a program of the gateway 1 is altered or an illegal program such as malware is written due to illegal connection to the gateway 1 or the like. Hereinafter, when the gateway 1 is not valid, the gateway 1 is also referred to as invalid. The case where the gateway 1 is valid means a case where the gateway 1 is not tampered with or illegally connected, and an illegal program such as malware is not executed.

The storage unit 40 is a storage area such as a semiconductor memory element for storing programs, data, and the like necessary for the control unit 30 to execute various processes.
The storage unit 40 includes a program area 41 and a data area 42.
The program area 41 and the data area 42 are, for example, in an EEPROM (Electrically Erasable and Programmable ROM).
The program area 41 stores a validity determination program 41a.
The validity determination program 41a is a program for determining the validity of the gateway 1. The validity determination program 41a executes, for example, a TPM function.
The data area 42 stores validity confirmation data 42a.
The validity confirmation data 42a prestores the hash value of each program stored in the program area 21 of the gateway 1 and the digital signature of the hash value as characteristic values of each program.
As shown in FIG. 2B, the validity confirmation data 42a has a characteristic value for each program (boot loader, OS, programs A, B,...).

Returning to FIG. 1, the device connection unit 45 is an interface unit with the gateway 1. The device connection unit 45 includes, for example, a terminal for external connection. The IC chip 3 communicates with the gateway 1 by being inserted into a slot portion (not shown) of the gateway 1.
Here, the IC chip 3 has tamper resistance as described above. The IC chip 3 cannot operate data and processing contents through a route other than the device connection unit 45. The function executed by the IC chip 3 operates independently of the software that operates on the gateway 1. Accordingly, the contents of the validity determination program 41a and the validity confirmation data 42a cannot be illegally changed by a program operating on the gateway 1.

<External device>
The terminal 7 includes a sensor unit (not shown) such as a temperature sensor, and transmits data periodically detected by the sensor unit to the gateway 1.
The data collection server 8 receives the data transmitted by each terminal 7 from the gateway 1 and collects and analyzes the data.

<Validity confirmation processing>
Next, processing in the gateway 1 will be described.
3 and 4 are flowcharts of the validity confirmation process of the gateway 1 according to the present embodiment.
FIG. 5 is a flowchart of verification processing of the gateway 1 and the IC chip 3 according to the present embodiment.
In step S (hereinafter referred to as “S”) 10 in FIG. 3, when the user operates a power button (not shown) of the gateway 1, the control unit 10 of the gateway 1 turns on the power of the gateway 1. To do.
In S11, the control unit 10 (validity confirmation request unit 13) performs a verification process.

Here, the verification process will be described with reference to FIG.
In S <b> 50 of FIG. 5, the control unit 10 (validity confirmation requesting unit 13) of the gateway 1 requests the IC chip 3 for validity confirmation processing.
In S51, the control unit 30 (validity confirmation processing unit 31) of the IC chip 3 receives the request from the gateway 1 and executes the validity determination program 41a.
In S52, the control unit 30 (validity confirmation processing unit 31) instructs the gateway 1 to execute the feature value measurement program 21b.
In S <b> 53, the control unit 10 (validity confirmation request unit 13) of the gateway 1 executes the feature value measurement program 21 b and calculates the hash value of each program stored in the program area 21. Specifically, first, the control unit 10 executes the feature value measurement program 21b of the boot loader unit 51 to calculate a hash value of the boot loader. Next, the control unit 10 executes the feature value measurement program 21b of the OS unit 52, and calculates the hash value of the OS and the hash value of each program of the application unit 53.
In S <b> 54, the control unit 10 (validity confirmation request unit 13) transmits the calculated hash value to the IC chip 3.

In S <b> 55, the control unit 30 (validity confirmation processing unit 31) of the IC chip 3 receives the hash value from the gateway 1.
In S56, the control unit 30 (validity confirmation processing unit 31) generates a digital signature from the received hash value.
In S <b> 57, the control unit 30 (validity confirmation processing unit 31) compares the received hash value and the feature value that is the generated digital signature with the validity confirmation data 42 a stored in the data area 42. The control unit 30 (validity confirmation processing unit 31) may verify the hash value of the validity confirmation data 42a using a digital signature and confirm whether the hash value has been tampered with.
In S <b> 58, the control unit 30 (validity confirmation processing unit 31) transmits the comparison result to the gateway 1. Then, the control part 30 complete | finishes this process.
In S59, the control unit 10 (validity confirmation request unit 13) of the gateway 1 receives the comparison result. Thereafter, the control unit 10 shifts the processing to FIG.

  Returning to FIG. 3, in S <b> 12, the control unit 10 of the gateway 1 determines whether or not the comparison results match. If the program area 21 of the gateway 1 has not been altered, that is, if the gateway 1 is valid, the comparison results match. On the other hand, if the program area 21 of the gateway 1 has been tampered with, the comparison results are inconsistent. When the comparison result is coincident (S12: YES), the control unit 10 moves the process to S13. On the other hand, if the comparison results are inconsistent (S12: NO), the control unit 10 (result processing unit 14) notifies the data collection server 8 of an error (S13a), turns off the power (S14a), This process ends.

  As described above, when the gateway 1 is turned on, the verification process for confirming the validity of the gateway 1 is performed to determine whether the gateway 1 is in a valid state in which it has not been tampered with. If it is determined that the gateway 1 is unfair, the gateway 1 disconnects the gateway 1 from the communication networks N1 and N2 by turning off its own power supply, and the altered gateway 1 is replaced with the terminal 7 or the data collection server. 8 can not be used.

In S13, the control unit 10 of the gateway 1 initializes the timer T1 and the timer T2 and starts measuring time. Here, the timer T1 is used to clear the log area 22. The timer T2 is used to transmit data received from the terminal 7 to the data collection server 8.
In S14, the control unit 10 determines whether or not the timer T1 has reached a specified time (erasing condition). By setting the specified time to, for example, 24 hours (reference time), the control unit 10 determines that the specified time has come when the timer T1 becomes 24 hours or longer. When the timer T1 has reached the specified time (S14: YES), the control unit 10 moves the process to S15. On the other hand, when the timer T1 has not reached the specified time (S14: NO), the control unit 10 moves the process to S17 of FIG.
In S <b> 15, the control unit 10 (information erasing unit 15) clears the log area 22.
In S16, the control unit 10 initializes the timer T1 and starts measuring time.

In S <b> 17 of FIG. 4, the control unit 10 (request processing unit 11) determines whether data is received from an external device. Here, the external device is not limited to the terminal 7 or the data collection server 8. The data is not limited to the temperature data received from the terminal 7. For example, an update program for changing the function of the program transmitted by the data collection server 8, change data of a set value of a transmission time (described later), and the like are included. When data is received (S17: YES), the control unit 10 moves the process to S18. On the other hand, when the data is not received (S17: NO), the control unit 10 moves the process to S30.
In S18, the control unit 10 acquires the device ID of the external device that has received the data. The device ID is, for example, an IP address (Internet Protocol Address) or a MAC address (Media Access Control address) of the external device, and is identification information that can identify the external device.

In S <b> 19, the control unit 10 (request processing unit 11) performs a writing process for writing the received data into the storage unit 20. At that time, the control unit 10 may encrypt the data.
It has been described that the writing of data includes an update program. In the case of an update program, if the update program is transmitted from a legitimate person, the feature value is transmitted together with the update program. In that case, the control unit 10 writes the update program to the storage unit 20 and instructs the IC chip 3 to write the feature value, so that the control unit 30 of the IC chip 3 can verify the validity of the data area 42. The feature value is written in the confirmation data 42a. On the other hand, if the update program is transmitted from an unauthorized person, only the update program is transmitted. In that case, the control unit 10 performs only the process of writing the update program to the storage unit 20.

In S <b> 20, the control unit 10 (device determination unit 12) determines whether or not the device ID acquired in S <b> 18 is stored in the log area 22. When the acquired device ID is stored in the log area 22 (S20: YES), the control unit 10 moves the process to S23. On the other hand, when the acquired device ID is not stored in the log area (S20: NO), the control unit 10 moves the process to S21.
In S21, the control unit 10 (validity confirmation requesting unit 13) performs the verification process shown in FIG. The verification process here is the same as that performed when the gateway 1 is powered on.
In S22, the control unit 10 determines whether or not the comparison results are the same. When the comparison result is coincident (S22: YES), the control unit 10 moves the process to S23. On the other hand, when the comparison results do not match (S22: NO), the control unit 10 (result processing unit 14) notifies the data collection server 8 of an error indicating that the gateway 1 has an illegal attack. (S23a), the process proceeds to S26.

  In S23, the control unit 10 (result processing unit 14) stores the apparatus ID acquired in S18 in the log area 22 in association with the current date and time. Note that, when the verification process is not performed, the control unit 10 may store the fact in the log area 22. Specifically, the control unit 10 stores the device ID acquired in S18, the current date and time, and the fact that the verification process is omitted in the log area 22 in association with each other. Thereafter, the control unit 10 moves the process to S25.

Thus, the control unit 10 confirms whether the gateway 1 is valid after the data writing process. Therefore, the validity of the gateway 1 can be confirmed even when the power is turned on for a long time. Even if the program is tampered with by writing data, in that case, the comparison result based on the feature values becomes inconsistent, so that tampering can be detected.
If the external device has already been verified, the verification process is omitted after the next data is received and written from the external device. Therefore, it is not always necessary to perform verification processing every time data is written.

In S25, when the user of the gateway 1 operates a power button (not shown), the control unit 10 determines whether or not the power OFF is accepted. When the power OFF is received (S25: YES), the control unit 10 moves the process to S26. On the other hand, when the power OFF is not received (S25: NO), the control unit 10 moves the process to S14 of FIG.
In S26, the control unit 10 turns off the power and ends the process.

On the other hand, in S30, the control unit 10 determines whether or not the timer T2 has reached the transmission time. The gateway 1 transmits the data received from the terminal 7 and stored in the storage unit 20 collectively to the data collection server 8 when the transmission timing is 30 minutes, for example. If the timer T2 has reached the transmission time (S30: YES), the control unit 10 moves the process to S31. On the other hand, when the timer T2 has not reached the transmission time (S30: NO), the control unit 10 moves the process to S25.
In S <b> 31, the control unit 10 transmits the write data stored in the storage unit 20 to the data collection server 8. Further, the control unit 10 deletes the transmitted data from the storage unit 20.
In S32, the control unit 10 initializes the timer T2 and starts measuring time. Thereafter, the control unit 10 moves the process to S25.

Thus, according to this embodiment, the gateway 1 has the following effects.
(1) Every time data is written, it can be verified whether or not the gateway 1 has been tampered with. When unauthorized tampering or the like is performed, for example, the power supply of the gateway 1 is disconnected, so that the gateway 1 can be disconnected from the communication networks N1 and N2, and the use of the gateway 1 can be restricted.
(2) The validity can be confirmed by performing the verification process even when the gateway 1 is activated. Therefore, even if an illegal act or the like is performed while the power of the gateway 1 is turned off, it can be detected.

(3) If the validity of the gateway 1 can be confirmed after writing to the storage unit 20 after the write data is transmitted to the storage unit 20, the validity is confirmed when the write data is subsequently received from the same external device. Not performed. Therefore, for a data write request from a reliable external device, the process can be simplified by omitting the verification process.
(4) The omission of the verification process is not always performed from a trusted external device. In a predetermined case, the verification process is performed again to confirm the validity. Therefore, it is possible to correct the adverse effect of always omitting the validity check.
As a predetermined case, for example, when 24 hours have passed since the first confirmation of validity, the validity can be confirmed as time passes.

(5) By notifying the data collection server 8 of an error before disconnecting the gateway 1 from the communication network N2, the data collection server 8 can determine that the gateway 1 of the data transmission source is illegal.
(6) By having the validity determination program 41a in the secure storage area of the IC chip 3, the validity determination program 41a can be prevented from being falsified. Therefore, the reliability of the validity determination program 41a can be increased.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to embodiment mentioned above. In addition, the effects described in the embodiments are merely a list of the most preferable effects resulting from the present invention, and the effects of the present invention are not limited to those described in the embodiments. In addition, although embodiment mentioned above and the deformation | transformation form mentioned later can also be used in combination suitably, detailed description is abbreviate | omitted.

(Deformation)
(1) In the present embodiment, the gateway 1 as a dedicated device has been described. However, the gateway 1 may be various devices such as a personal computer (PC), a Wi-Fi router, a mobile phone, an information home appliance, an automobile, and an embedded system. The gateway 1 is useful for application to a system such as M2M (Machine to Machine) where devices and devices communicate autonomously with each other via a communication network and perform advanced control and operation autonomously. .
(2) In the present embodiment, the IC chip 3 is described as being connected to the gateway 1 via the connection unit. However, the IC chip is not limited to whether or not it can be removed from the gateway. Therefore, the IC chip may be a built-in one built in the gateway. For example, an IC chip may be mounted on a motherboard. By doing so, since the IC chip cannot be replaced, the legitimacy of the gateway can be confirmed more reliably.
(3) Although the present embodiment has been described as a system for temperature management in a factory, the present invention is not limited to this. For example, it can be utilized for various applications such as a system using IOT (Internet of Things).

(4) In the present embodiment, the IC chip 3 has been described as having the validity determination program 41a. However, the gateway may have a validity determination program. By doing so, the verification function possessed by the IC chip can be imparted to the gateway.
(5) In the present embodiment, the gateway 1 has been described as performing a process of receiving and writing a write request, but the present invention is not limited to this. Any process may be used as long as it is stored in the storage unit of the gateway. For example, a rewrite process may be included.

(6) In the present embodiment, the feature values used for verification are described as the hash value and the digital signature for the hash value. However, the present invention is not limited to this. For example, the hash value itself may be used. However, security is further improved by including a digital signature.
(7) Although the present embodiment has been described as confirming the validity of the gateway based on the hash value of each program, the present invention is not limited to this. In addition to each program, for example, the validity of the gateway may be confirmed based on a hash value of hardware such as a wide-area communication unit or a short-range communication unit.

(8) In the present embodiment, the feature value measurement program 21b of the gateway 1 has been described as being distributed and stored in the boot loader unit 51 and the OS unit 52. The feature value measurement program 21b of the OS unit 52 has been described as calculating the hash value of each program of the application unit 53. However, each program of the application unit may have a feature value measurement program. Further, there may be only one feature value measurement program, for example, it may be included only in the OS unit.
(9) In the present embodiment, the feature value measurement program 21b of the gateway 1 has been described as calculating a hash value and transmitting the hash value to the IC chip 3. However, the program for calculating the hash value and the program for transmitting the calculated hash value may be different programs. Further, the validity confirmation program may have a function of a feature value measurement program.

  (10) In the present embodiment, the erasure condition for the log area 22 has been described as being after 24 hours have passed since the first verification process. However, it is not limited to this. For example, it may be a case where the reference date / time is reached (such as ○ hour Δmin). Further, the gateway may be provided with a determination number section, and the log area may be deleted according to the number of times (for example, five times) when the verification process is omitted. Further, the log area erasing condition may be a combination of time and number of times.

DESCRIPTION OF SYMBOLS 1 Gateway 3 IC chip 7 Terminal 8 Data collection server 10, 30 Control part 11 Request processing part 12 Device determination part 13 Validity confirmation request part 14 Result processing part 15 Information erasure part 20, 40 Storage part 21, 41 Program area 21a Apparatus Program 21b Feature value measurement program 22 Log area 31 Validity confirmation processing unit 41a Validity determination program 42a Validity confirmation data 100 Information processing system N1, N2 Communication network

Claims (10)

A relay device connected to one or more networks and relaying data transmitted and received between external devices connected to the network,
A validity determination program storage unit that stores a validity determination program for confirming the validity of the relay device;
A legitimacy data storage unit that stores legitimacy confirmation data referred to by the legitimacy determination program;
A device storage unit capable of writing and rewriting; and
A device controller;
With
The legitimacy data storage unit can be removed from the relay device, or has a non-rewritable secure storage area built in the relay device,
The device controller is
A request processing unit that performs a writing or rewriting process in response to receiving a writing or rewriting request for the device storage unit from the external device;
Executing the validity determination program, referring to the validity data storage unit to confirm the validity of the relay device; and
A result processing unit that performs processing in accordance with the verification result of the correctness by the correctness verification unit;
With
The validity checking unit of the device control unit checks the validity of the relay device in response to the request processing unit performing the processing,
The result processing unit of the device control unit performs a process of disconnecting the relay device from the network when the confirmation result cannot be confirmed, or the relay device connected by the network transmits data. A process of notifying an error to at least one external device that transmits
A relay device characterized by The relay device according to claim 1,
The validity checking unit of the device control unit checks the validity of the relay device in response to the power supply of the relay device being turned on.
A relay device characterized by In the relay device according to claim 1 or 2,
The result processing unit of the device control unit includes device identification information for identifying the external device as a request transmission source when the confirmation result by the validity confirmation unit confirms validity. Memorize it in the memory,
The device control unit determines whether information matching the device identification information for identifying the external device that is a request transmission source is stored in the device storage unit in response to the request processing unit performing the processing. An apparatus determining unit for determining;
The validity check unit of the device control unit confirms the validity of the relay device when the device determination unit determines that the device identification information is not stored;
A relay device characterized by The relay device according to claim 3,
The device control unit includes an information erasure unit that erases the device identification information stored in the device storage unit when an erasure condition is satisfied;
A relay device characterized by The relay device according to claim 4,
The information erasure unit of the device control unit erases the device identification information stored in the device storage unit when the erasure condition is satisfied by reaching a reference date and time,
A relay device characterized by The relay device according to claim 4,
The result processing unit of the device control unit causes the device storage information to be stored in the device storage unit in association with the processing date and time when the confirmation result is confirmed as valid.
The information erasure unit of the device control unit, when the result processing unit first stores the device identification information in the device storage unit and satisfies the erasure condition by passing a reference time, the device Erasing the device identification information stored in the storage unit;
A relay device characterized by In the relay device according to any one of claims 4 to 6,
The device control unit includes a determination frequency unit that stores the device identification information in the device storage unit in a manner in which the determined number of times is known when the device determination unit determines that the device identification information is stored. Prepared,
The information erasure unit of the device control unit stores the information in the device storage unit when the number of times of determination of the device identification information stored in the device storage unit reaches the reference number and satisfies the erasure condition. Deleting said device identification information,
A relay device characterized by In the relay device according to any one of claims 1 to 7,
The validity determination program storage unit can be removed from the relay device, or has a non-rewritable secure storage area built in the relay device,
A relay device characterized by   The program for functioning a computer as a relay apparatus in any one of Claim 1-8. A relay device according to any one of claims 1 to 8,
An external device connected to the relay device by the network;
An information processing system comprising:

Images