JP2017033492A - Information processing apparatus, information processing system, and control method of information processing apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent falsification of a control program to be executed by an information processing apparatus.SOLUTION: An information processing apparatus includes: a main ROM 121 storing firmware and a digital signature corresponding to the firmware; a main control unit 130 for executing the firmware; a reader/writer 150 storing a public key, and connected to a smart card 200 having an arithmetic unit 202 which decodes the digital signature with the public key; and a second sub control unit 146 which calculates a first hash value from the firmware stored in the main ROM 121, causes the smart card 200 to decode the digital signature corresponding to the firmware, to acquire a second hash value, and compares the first hash value with the second hash value, to regulate the main control unit 130 executing the firmware, on the basis of the result of comparison.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an information processing device, an information processing system, and a control method for the information processing device.

  Conventionally, there has been an apparatus for processing data requiring legitimacy, such as fiscal information including information relating to transactions in stores that sell products (information relating to sales, information relating to taxation, etc.) (for example, see Patent Document 1). ). This type of device has a function of ensuring the validity of data. For example, the printer described in Patent Document 1 has a mechanism for detecting whether or not fiscal information has been tampered with.

JP 2012-103940 A

By the way, as a factor that impairs the validity of data, there is a concern that the control program executed by the information processing apparatus is falsified.
SUMMARY An advantage of some aspects of the invention is that it prevents falsification of a control program executed by an information processing apparatus.

To achieve the above object, an information processing apparatus of the present invention stores a control program, a storage unit that stores a digital signature corresponding to the control program, a control unit that executes the control program, and a decryption key. A medium connection unit connected to an external medium including an arithmetic unit that decrypts the digital signature with the decryption key, and the control unit calculates a first hash value from the control program stored in the storage unit The second hash value obtained by decrypting the digital signature corresponding to the control program is acquired from the external medium via the medium connection unit, and the first hash value and the second hash value are compared and do not match. In this case, the execution of the control program is restricted.
According to the present invention, it is possible to prevent the control unit processor from executing the tampered control program and to prevent tampering of the control program executed by the information processing apparatus.

In the information processing apparatus according to the aspect of the invention, the control unit executes a boot program stored in the storage unit when the information processing apparatus is activated, and the first hash value and the second hash value are stored. The control program is restricted from being executed in a case where the control program does not match.
According to the present invention, it is possible to limit the execution of the control program when the control unit executes the boot program and the first hash value and the second hash value do not match.

An information processing apparatus according to the present invention includes a control unit that executes a control program, an update control program that updates the control program, an input unit that inputs a digital signature corresponding to the update control program, and a decryption A medium connection unit connected to an external medium including a calculation unit that stores a key and decrypts the digital signature with the decryption key, and the control unit receives a third hash value from the input control program for update. To obtain a fourth hash value obtained by decrypting the digital signature corresponding to the control program for update from the external medium via the medium connection unit, and the third hash value and the fourth hash value And the update to the control program for update is restricted if they do not match.
According to the present invention, it is possible to prevent the control program from being updated to a tampered control program and to prevent tampering of the control program executed by the information processing apparatus.

  According to the present invention, in the information processing apparatus, the information processing apparatus is a fiscal printer including a storage unit that stores fiscal information.

An information processing system of the present invention is an information processing system including a medium storage unit that stores a decryption key, a medium that includes a calculation unit that decrypts a digital signature using the decryption key, and an information processing apparatus that can be connected to the medium. The information processing apparatus includes a control unit that executes a control program, a storage unit that stores the control program, and the digital signature corresponding to the control program, and the control unit stores the storage A first hash value is calculated from the control program stored in the storage unit, a second hash value obtained by decrypting the digital signature corresponding to the control program is obtained from the medium, and the first hash value and the second hash value are obtained. And the execution of the control program is restricted if they do not match.
According to the present invention, it is possible to prevent the control unit processor from executing the tampered control program and to prevent tampering of the control program executed by the information processing apparatus.

An information processing system of the present invention is an information processing system including a medium storage unit that stores a decryption key, a medium that includes a calculation unit that decrypts a digital signature using the decryption key, and an information processing apparatus that can be connected to the medium. The information processing apparatus includes: a control unit that executes a control program; an update control program that updates a control program executed by the control unit; and the digital signature that corresponds to the update control program. An input unit for inputting, and the control unit calculates a third hash value from the input control program for update, and decrypts the digital signature corresponding to the control program for update from the medium. A hash value is obtained, the third hash value and the fourth hash value are compared, and if they do not match, the update to the control program for update is controlled. Characterized in that it.
According to the present invention, it is possible to prevent the control unit processor from executing the tampered control program and to prevent tampering of the control program executed by the information processing apparatus.

According to the control method of the information processing apparatus of the present invention, the control program is read from a storage unit that stores a control program executed by the control unit and a digital signature corresponding to the control program, and a first hash of the control program is read. Calculating the value; storing the decryption key; and transmitting the digital signature read from the storage unit to an external medium including an arithmetic unit that decrypts the digital signature with the decryption key, and from the external medium Obtaining a second hash value obtained by decrypting a digital signature; comparing the first hash value with the second hash value; and restricting execution of the control program by the control unit if they do not match, It is characterized by providing.
According to the present invention, it is possible to prevent the control unit processor from executing the tampered control program and to prevent tampering of the control program executed by the information processing apparatus.

The control method of the information processing apparatus according to the present invention includes a step of inputting an update control program for updating a control program executed by the control unit, and a digital signature corresponding to the update control program; Calculating the third hash value of the control program for updating; storing the decryption key; and transmitting the input digital signature to an external medium including an operation unit that decrypts the digital signature with the decryption key The step of obtaining the fourth hash value obtained by decrypting the digital signature from the external medium is compared with the third hash value and the fourth hash value, and the control by the control program for updating is performed when they do not match. And a step of restricting update of the program.
According to the present invention, it is possible to prevent the control unit processor from executing the tampered control program and to prevent tampering of the control program executed by the information processing apparatus.

FIG. 2 is a block diagram illustrating a configuration of a printer. 6 is a flowchart illustrating the operation of a printer. FIG. 5 is a diagram for explaining the operation of a printer. FIG. 5 is a diagram for explaining the operation of a printer. FIG. 5 is a diagram for explaining the operation of a printer. FIG. 5 is a diagram for explaining the operation of a printer. FIG. 5 is a diagram for explaining the operation of a printer. FIG. 5 is a diagram for explaining the operation of a printer.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram illustrating a configuration of a printer 1 as an information processing apparatus (or information processing system).
The printer 1 is connected to the host computer 10 and issues a receipt on which information related to sales transactions supplied from the host computer 10 is printed. Further, the printer 1 has a function as a fiscal printer that stores and holds information on sales transactions printed on each receipt and information on the total sales per day for the printer 1 as fiscal information. Fiscal information is used, for example, as information to be referred to by a national institution when a national institution such as the government collects taxes from a store to grasp the actual state of transactions at the store. In the present embodiment, there are two types of data as receipt information, receipt data and daily sales data, which will be described later.
The host computer 10 is connected to a bar code reader that reads a bar code attached to a product or a product packaging, and a card reader that reads information recorded on a card such as a membership card or a credit card held by a customer. The host computer 10 accesses the product DB (not shown) and the customer DB to obtain information on purchased products and information on customers as appropriate in response to inputs from these devices and operation inputs from the cashier. . The host computer 10 transmits information related to the sales transaction including the acquired information and a control command instructing printing to the printer 1 to cause the printer 1 to issue a receipt.

The printer 1 includes a fiscal control board 100 and a printer board 300.
The fiscal control board 100 includes a communication unit 110, a main ROM 121, an SRAM 122, an RTC (Real-time clock) 123, a main control unit 130, an EJ (Electorical Journal) memory 141, a first sub-control unit 142, and a fiscal. A memory 143, a CPLD (Complex programmable logic device) 144, a rewrite memory 145, a second sub-control unit 146, a reader / writer 150, and a smart card 200 are mounted.
In addition, a printer control unit 310 and a recording mechanism 320 are mounted on the printer substrate 300.

  A communication unit (input unit) 110 is connected to the host computer 10 and a fiscal data reading device (not shown), and transmits and receives data to and from these devices. The communication unit 110 outputs data such as a control command input from the host computer 10 to the main control unit 130. The fiscal data reading device is a device for reading the data stored in the EJ memory 141 and the fiscal memory 143, and is possessed only by a person who has obtained special permission, for example, a person concerned with a national organization (government, etc.). obtain.

The main ROM 121 is a non-volatile memory capable of rewriting data, such as a flash ROM and an EEPROM. The main ROM 121 stores activation firmware, application firmware (control program), and activation verification digital signature (digital signature corresponding to the control program). The startup firmware is a program that is executed by a processor (not shown) included in the main control unit 130 when the printer 1 is powered on. When the processor of the main control unit 130 executes the startup firmware, processing such as OS (Operating System) startup is executed.
The application firmware is firmware that controls the operation of the printer 1, and is executed by the processor of the main control unit 130. When the main control unit 130 executes the application firmware, processing such as receipt output and storage of fiscal information in the memory is executed. The application firmware stored in the main ROM 121 is hereinafter referred to as AP firmware.
The activation verification digital signature is data obtained by calculating a hash value of the AP firmware using a generally known hash function and encrypting the calculated hash value with a predetermined secret key. The predetermined secret key is, for example, a secret key managed by the manufacturer of the printer 1. The activation verification digital signature stored in the main ROM 121 is hereinafter referred to as a first activation verification digital signature.

The SRAM 122 is a volatile memory that functions as a work area when the main control unit 130 performs calculations, and temporarily stores various data.
The RTC 123 measures time and outputs data indicating the current date and time (year / month / day, time) to the main control unit 130.

The main control unit 130 that functions as a control unit includes a processor 131 and executes AP firmware to centrally control each unit of the printer 1.
For example, the main control unit 130 receives a control command for instructing rewriting of firmware from the host computer 10, and rewriting data for rewriting the AP firmware and the first activation verification digital signature stored in the main ROM 121. The rewriting data is data supplied from the host computer 10 and is generated by the printer 1 manufacturer in order to update the AP firmware when the function of the printer 1 is expanded or when the firmware is upgraded. Details of the rewriting data will be described later.
When the control command and the rewrite data are input, the main control unit 130 outputs the input rewrite data to the second sub control unit 146 and the second sub control unit 146 stores the data stored in the main ROM 121. Instruct to rewrite When the control command for instructing firmware rewriting and the rewriting data are input from the main control unit 130, the second sub control unit 146 stores the input rewriting data in the rewriting memory 145. Details of the operation in which the second sub control unit 146 rewrites data stored in the main ROM 121 will be described later.

The main control unit 130 also receives information related to sales transactions and a control command for instructing issue of a receipt from the host computer 10. The main control unit 130 generates receipt data by adding information such as a store name, a sales date, a payment amount, and a change to the input sales transaction information. The main control unit 130 outputs the generated receipt data to the printer control unit 310 to print the receipt data on roll paper. The receipt data includes, for example, information such as store name, sales date / time, product name, unit price, tax amount, total amount, payment method (cash, credit card), payment amount, and change. Further, the main control unit 130 outputs the receipt data printed on the roll paper to the first sub control unit 142 and stores it in the EJ memory 141.
Further, the main control unit 130 takes out receipt data for one day from the EJ memory 141 and passes it to the CPLD 144 at the end of the day. The CPLD 144 calculates daily sales data, which is the total daily sales, based on the receipt data for one day, and stores it in the fiscal memory 143. “One day” is a period from opening to closing in a store where the printer 1 is installed.

The EJ memory 141 is a non-volatile memory such as an OTPROM (One Time Programmable Read Only Memory), for example, and is a memory in which data can be written only once per address under the control of the first sub-control unit 142. Function. Therefore, the data written in the EJ memory 141 is prevented from being edited later, and the data written in the EJ memory 141 is prevented from being falsified.
The first sub-control unit 142 reads / writes data from / to the EJ memory 141. The first sub-control unit 142 writes the receipt data printed on the receipt, the writing date / time data, and the digital signature obtained by encrypting the hash value of the receipt data with a predetermined secret key into the EJ memory 141. The writing date / time data is data indicating the date / time (date and time) when the receipt data is written in the EJ memory 141, and the main control unit 130 acquires data indicating the date / time from the RTC 123, and sends it to the first sub-control unit 142. Output.
The EJ memory 141 and the first sub-control unit 142 are sealed on the fiscal control board 100 with an epoxy resin. The EJ memory 141 is physically removed from the fiscal control board 100, and the data stored in the EJ memory 141 is stored in the EJ memory 141. Prevent tampering.

The fiscal memory 143 is a non-volatile memory such as an OTPROM, for example, and functions as a memory in which data can be written only once per address under the control of the CPLD 144. Therefore, the data written in the fiscal memory 143 is prevented from being edited later, and the data written in the fiscal memory 143 is prevented from being falsified.
The CPLD 144 is a device in which a programmable logic circuit is written, and reads / writes data from / to the fiscal memory 143.
Data that the CPLD 144 writes to the fiscal memory 143 includes daily sales data and writing date / time data. The writing date and time data is data indicating the date and time (date and time) when the daily sales data is written in the fiscal memory 143. The main control unit 130 acquires data indicating the date and time from the RTC 123 and outputs the data to the CPLD 144.
The fiscal memory 143 and the CPLD 144 are sealed with an epoxy resin. For example, the fiscal memory 143 is physically removed from the fiscal control board 100, and data stored in the fiscal memory 143 is prevented from being falsified.

  The rewrite memory 145 is constituted by, for example, a flash memory, a non-volatile memory capable of rewriting data, such as an EPROM and an EEPROM, and temporarily stores the rewrite data supplied from the host computer 10.

The second sub-control unit 146 functioning as a control unit includes a processor 147 and a memory such as a ROM or a RAM (both not shown) as hardware. The ROM (storage unit) stores a control program executed by the processor 147, and the RAM is used as a work memory when the processor 147 performs an operation.
When the printer 1 is turned on, the processor 147 of the second sub-control unit 146 is activated before the main control unit 130 is activated, and whether or not rewrite data is written in the rewrite memory 145. Determine whether. When the rewrite memory 145 stores rewrite data, the second sub-control unit 146 determines whether or not the rewrite data has been tampered with. If the second sub-control unit 146 determines that the rewriting data has not been tampered with, the second sub control unit 146 reads the rewriting data from the rewriting memory 145 and uses the read rewriting data to store the data stored in the main ROM 121. rewrite. If the second sub-control unit 146 determines that the rewriting data has been tampered with, the second sub control unit 146 deletes the rewriting data stored in the rewriting memory 145.
Further, the processor 147 of the second sub-control unit 146 determines whether the AP firmware stored in the main ROM 121 has been tampered with when activated. If the second sub-control unit 146 determines that the AP firmware has been tampered with, the second sub-control unit 146 prohibits (limits) the main control unit 130 from executing the AP firmware.

  The rewrite data includes a rewrite AP firmware (update control program), an activation verification digital signature, and an update verification digital signature (digital signature corresponding to the update control program). Hereinafter, the activation verification digital signature stored in the rewrite memory 145 is referred to as a second activation verification digital signature.

The rewriting AP firmware is a program for rewriting the AP firmware stored in the main ROM 121.
The AP firmware may be rewritten by storing the rewriting AP firmware in the main ROM 121 instead of the AP firmware, or a part of the AP firmware may be rewritten by the rewriting AP firmware.

  The second activation verification digital signature is data obtained by calculating a hash value of the rewritable AP firmware using a generally known hash function and encrypting the calculated hash value with a predetermined secret key. The predetermined secret key is, for example, a secret key managed by the printer 1 manufacturer. This second activation verification digital signature is used to verify whether the rewrite AP firmware is a valid firmware that has not been tampered with.

  The update verification digital signature uses a generally known hash function to calculate the hash value of the rewrite AP firmware and the hash value of the second activation verification digital signature, and the calculated hash value Data obtained by encrypting the sum with a predetermined secret key. In the present embodiment, the predetermined secret key is, for example, a secret key managed by the manufacturer of the printer 1. This update verification digital signature is used to verify whether the rewrite AP firmware is a legitimate firmware that has not been tampered with when the rewrite AP firmware is read from the rewrite memory 145 and written to the main ROM 121.

The manufacturer of the printer 1 prepares a secret key used for creating a digital signature for activation verification and a secret key used for creating a digital signature for update verification separately. The manufacturer of the printer 1 creates a digital signature using a private key for activation verification when creating a digital signature for activation verification, and updates verification when creating a digital signature for update verification. Create a digital signature using your private key.
Also, the first startup verification digital signature, the second startup verification digital signature, and the update verification digital signature may be created with different private keys, or all digital signatures may be created with the same private key. May be.

The fiscal control board 100 is provided with a card mounting unit (not shown) in which the smart card 200 is mounted, and a reader / writer (medium connection unit) 150 that transmits / receives data to / from the smart card 200 is mounted.
The smart card (medium, external medium) 200 includes an IC module having an IC chip and contact electrodes (both not shown). The smart card 200 is a medium having a data storage function and an arithmetic function for performing arithmetic processing.
When the smart card 200 is attached to the card attachment portion, the contact electrode of the smart card 200 and the contact electrode of the reader / writer 150 provided in the card attachment portion come into contact with each other. When the contact electrode of the smart card 200 comes into contact with the contact electrode of the reader / writer 150, the reader / writer 150 can read and write data from / to the smart card 200. The smart card 200 may be mounted on the card mounting unit when the printer 1 is started or the firmware is rewritten, or the card is mounted on the card mounting unit at the time of shipment from the factory and cannot be removed from the card mounting unit. You may fix to a mounting part.

  The IC chip of the smart card 200 includes a CPU, ROM, RAM, and nonvolatile memory as hardware. The ROM stores a CPU control program, and the RAM is used as a CPU work memory. When the CPU performs calculations according to the control program, an interface unit (hereinafter abbreviated as I / F unit) 201 and a calculation unit 202 are configured as functional blocks. The nonvolatile memory functions as a storage unit (medium storage unit) 203.

The storage unit 203 stores an activation verification public key (decryption key) and an update verification public key (decryption key).
The activation verification public key is a public key that is paired with the private key used to create the activation verification digital signature. In other words, the first activation verification digital signature and the second activation verification digital signature can be decrypted with the activation verification public key to obtain a hash value. The update verification public key is a public key that is paired with the private key used to create the update verification digital signature. That is, the hash value can be obtained by decrypting the update verification digital signature with the update verification public key.

The printer control unit 310 mounted on the printer substrate 300 controls the recording mechanism 320 based on a control command output from the host computer 10 and issues a receipt.
The recording mechanism 320 includes a thermal head 321 that records an image by applying heat to the printing surface of the roll paper, a transport mechanism 322 that conveys the roll paper, a cutting mechanism 323 that cuts the roll paper at a predetermined position, and the like. The recording mechanism 320 operates these mechanisms and devices under the control of the printer control unit 310 to issue a receipt.
The printer board 300 is provided with a printer-side connector 350, and the fiscal control board 100 is provided with a fiscal-side connector 160. By connecting the printer-side connector 350 and the fiscal-side connector 160, the fiscal control board 100 and the printer board 300 are connected.

FIG. 2 is a flowchart showing the operation of the second sub control unit 146.
When the printer 1 is powered on, the second sub-control unit 146 is first activated to determine whether or not the rewrite memory 145 stores rewrite data (step S1). If the rewrite memory 145 does not store rewrite data (step S1 / NO), the second sub-control unit 146 proceeds to the process of step S9. The process of step S9 will be described later. When the rewriting memory 145 stores the rewriting data (step S1 / YES), the second sub-control unit 146 reads the update verification digital signature from the rewriting memory 145, and the reader / writer 150 stores it in the smart card 200. Transmit (step S2).

FIG. 3 is a diagram for explaining the operation of the printer 1.
When the update verification digital signature is input from the reader / writer 150 (see FIG. 3A), the arithmetic unit 202 of the smart card 200 reads the update verification public key from the storage unit 203 (see FIG. 3B). ). The computing unit 202 decrypts the update verification digital signature using the read update verification public key (see FIG. 3C).
The update verification digital signature is obtained by encrypting the sum of the hash value of the rewrite AP firmware and the hash value of the second activation verification digital signature with a secret key. Therefore, when the update verification digital signature is decrypted with the update verification public key, the sum of the hash value of the rewriting AP firmware and the hash value of the second activation verification digital signature is obtained.
As shown in FIG. 3, the calculation unit 202 transmits a hash value (fourth hash value) that is a decryption result to the second sub-control unit 146 via the reader / writer 150 (see FIG. 3D).

FIG. 4 is a diagram for explaining the operation of the printer 1.
Next, the second sub-control unit 146 determines whether or not a hash value has been input from the reader / writer 150 (step S3). When the reader / writer 150 receives the hash value from the smart card 200, the reader / writer 150 outputs the received hash value to the second sub-control unit 146. When no hash value is input (step S3 / NO), the second sub-control unit 146 waits until a hash value is input.
When the hash value is input (step S3 / YES) (see FIG. 4A), the second sub-control unit 146 rewrites the AP firmware stored in the rewrite memory 145 and the second activation verification digital. A hash value with the signature is calculated for each (step S4) (see FIG. 4B). Further, the second sub-control unit 146 calculates the sum (third hash value) of the calculated rewrite AP firmware and the hash value of the second activation verification digital signature. The sum of the calculated hash values is referred to as a calculation hash value, and the hash value received from the smart card 200 is referred to as an acquired hash value. The second sub-control unit 146 compares the calculated hash value and the acquired hash value (step S5), and determines whether or not the calculated hash value and the acquired hash value match (step S6) (FIG. 4 ( c)).

  When the calculated hash value does not match the acquired hash value (step S6 / NO), the second sub-control unit 146 erases the rewrite data from the rewrite memory 145 (step S8). That is, the second sub-control unit 146 determines that the rewriting data has been tampered with, the rewriting AP firmware stored in the rewriting memory 145, the second activation verification digital signature, the update verification digital signature, Erase.

FIG. 5 is a diagram for explaining the operation of the printer 1.
The second sub-control unit 146 rewrites the firmware when the calculated hash value matches the acquired hash value (step S6 / YES) (step S7). The second sub-control unit 146 reads the rewrite AP firmware from the rewrite memory 145, writes the read rewrite AP firmware in the main ROM 121, and rewrites (updates) the AP firmware in the main ROM 121 (FIG. 5A). reference). Hereinafter, the rewriting AP firmware that has been rewritten and written in the main ROM 121 is referred to as AP firmware.
The second sub-control unit 146 reads the second activation verification digital signature from the rewrite memory 145, writes the read second activation verification digital signature in the main ROM 121, and the first activation verification digital signature in the main ROM 121. Is rewritten (see FIG. 5B).
Hereinafter, the second activation verification digital signature written in the main ROM 121 after the activation verification digital signature is rewritten is referred to as a first activation verification digital signature.

FIG. 6 is a diagram for explaining the operation of the printer 1.
Further, when the second sub control unit 146 rewrites the firmware in step S7, the second sub control unit 146 erases the rewrite data from the rewrite memory 145 (step S8). That is, the second sub-control unit 146 deletes the rewriting AP firmware, the second activation verification digital signature, and the update verification digital signature stored in the rewriting memory 145. FIG. 6 shows a state where the rewriting data is erased from the rewriting memory 145.

In addition, when the second sub-control unit 146 performs the process of step S8 or when the rewrite memory 145 does not store the rewrite data in the determination of step S1 (step S1 / NO), the process of step S9 Migrate to
The second sub-control unit 146 reads the first activation verification digital signature from the main ROM 121 and transmits it to the smart card 200 by the reader / writer 150 (step S9).

FIG. 7 is a diagram for explaining the operation of the printer 1.
When the activation verification digital signature is input from the reader / writer 150 (see FIG. 7A), the arithmetic unit 202 of the smart card 200 reads the activation verification public key from the storage unit 203 (see FIG. 7B). ). The calculation unit 202 decrypts the activation verification digital signature using the read activation verification public key (see FIG. 7C). The activation verification digital signature is obtained by encrypting the hash value of the AP firmware with a secret key. Therefore, when the activation verification digital signature is decrypted with the activation verification public key, the hash value (second hash value) of the AP firmware is obtained.
As illustrated in FIG. 7, the arithmetic unit 202 transmits a hash value that is a decryption result to the second sub-control unit 146 via the reader / writer 150 (see FIG. 7D).

  Next, the second sub-control unit 146 determines whether or not a hash value has been input from the reader / writer 150 (step S10). When the reader / writer 150 receives the hash value from the smart card 200, the reader / writer 150 outputs the received hash value to the second sub-control unit 146. When no hash value is input (step S10 / NO), the second sub-control unit 146 waits until a hash value is input.

FIG. 8 is a diagram for explaining the operation of the printer 1.
When the hash value is input (step S10 / YES) (see FIG. 8A), the second sub-control unit 146 uses the AP firmware hash value (first hash value) stored in the rewrite memory 145. Calculate (step S11) (see FIG. 8B). Hereinafter, the calculated hash value is referred to as a calculation hash value, and the hash value received from the smart card 200 is referred to as an acquired hash value.
The second sub-control unit 146 compares the calculated hash value and the acquired hash value (step S12), and determines whether the calculated hash value and the acquired hash value match (step S13) (FIG. 8 ( c)). If the calculated hash value matches the acquired hash value (step S13 / YES), the second sub-control unit 146 permits the main control unit 130 to execute the AP firmware (step S14). The second sub control unit 146 writes permission information for permitting execution of the AP firmware in a memory such as the SRAM 122, for example. The main control unit 130 is activated after the second sub control unit 146 and executes the activation firmware in the main ROM 121. The main control unit 130 determines whether or not the SRAM 122 stores permission information. When the SRAM 122 stores permission information, the main control unit 130 executes the AP firmware following the startup firmware.
If the calculated hash value does not match the acquired hash value (step S13 / NO), the second sub-control unit 146 determines that the AP firmware stored in the main ROM 121 has been falsified. Then, the second sub control unit 146 restricts execution of the AP firmware to the main control unit 130 (step S15). In this case, the second sub-control unit 146 writes prohibition information that prohibits execution of the AP firmware, for example, in a memory such as the SRAM 122. The main control unit 130 does not execute the AP firmware when the SRAM 122 stores the prohibition information.

In the flowchart illustrated in FIG. 2, the second sub-control unit 146 calculates a hash value, transmits a digital signature to the smart card 200, compares the acquired hash value transmitted from the smart card 200 with the calculated hash value, and the like. However, the main control unit 130 may execute these processes instead of the second sub-control unit 146.
The main control unit 130 starts up and executes boot firmware as a boot program, calculates a hash value, transmits a digital signature to the smart card 200, and obtains an acquired hash transmitted from the smart card according to the flowchart shown in FIG. Processing such as comparison between the value and the calculated hash value is performed. When the calculated hash value matches the acquired hash value, the main control unit 130 executes the AP firmware, or reads the rewrite AP firmware from the rewrite memory 145 and writes it into the main ROM 121 to write the AP firmware. Erase.
If the calculated hash value does not match the acquired hash value, the main control unit 130 ends the process without executing the AP firmware. Alternatively, when the calculated hash value does not match the acquired hash value, the main control unit 130 erases the rewrite data in the rewrite memory 145 and does not rewrite the firmware.

As described above in detail, in the present embodiment, the second sub-control unit 146 calculates the operation hash value from the firmware stored in the main ROM 121, and obtains the smart card 200 by decrypting the digital signature corresponding to the firmware. Get hash value. Then, the second sub control unit 146 compares the calculated hash value and the acquired hash value, and restricts execution of firmware by the main control unit 130 based on the comparison result.
Also, the second sub-control unit 146 calculates a calculation hash value from the input update firmware, and causes the smart card 200 to decrypt the digital signature corresponding to the update firmware to acquire the acquired hash value. Then, the second sub-control unit 146 compares the calculated hash value and the acquired hash value, and restricts the update of the firmware by the update firmware based on the comparison result.
Accordingly, it is possible to prevent the processor 131 of the main control unit 130 from executing the altered firmware, thereby preventing the control program executed by the printer 1 from being altered.

The main control unit 130 executes activation firmware stored in the main ROM 121 when the printer 1 is activated, and restricts execution of the control program when the calculated hash value does not match the acquired hash value.
Therefore, it is possible to prevent the processor 131 of the main control unit 130 from executing the altered firmware.

  Further, by using the printer 1 having a function of storing and holding fiscal information as the information processing apparatus, leakage and falsification of fiscal information can be prevented.

Further, by using the smart card 200 as an external medium or a medium, it is possible to prevent the public key stored in the smart card 200 from being analyzed and falsified.
Therefore, it is possible to prevent the printer 1 from executing the altered firmware.

The above-described embodiment is a preferred embodiment of the present invention. However, the present invention is not limited to this, and various modifications can be made without departing from the scope of the present invention.
For example, the smart card 200 may be a contactless smart card that communicates with the reader / writer 150 by short-range wireless communication to transmit and receive data. When the smart card 200 is a contactless smart card, the user of the printer 1 holds the smart card 200 over the reader / writer 150 when the printer 1 is turned on or when the firmware is updated, and the smart card 200 decrypts the digital signature. Let me. Unless the smart card 200 is held over the reader / writer 150, the printer 1 does not execute the AP firmware, and therefore, receipt printing cannot be performed.

The configuration of the printer 1 may be a configuration that does not include the smart card 200, or may include the smart card 200 as a part of the configuration of the printer 1.
For example, when the manufacturer of the printer 1 provides the smart card 200, the printer 1 having the configuration in which the smart card 200 is mounted is provided, and when the smart card 200 is acquired later, the manufacturer of the printer 1 A printer 1 having a configuration in which the smart card 200 is not mounted is provided. For example, when the smart card 200 uses a card authenticated by the government or the like, the manufacturer of the printer 1 or the user of the printer 1 acquires the smart card 200 and attaches the smart card 200 to the printer 1 later.
In addition, the main control unit 130 may include functions of the first sub control unit 142 and the second sub control unit 146. Further, the main control unit 130 may include the function of the printer control unit 310.

  DESCRIPTION OF SYMBOLS 1 ... Printer (information processing apparatus, information processing system), 10 ... Host computer, 100 ... Fiscal control board, 110 ... Communication part (input part), 121 ... Main ROM (memory | storage part), 130 ... Main control part (control part) , 131 ... Processor, 141 ... EJ memory, 142 ... First sub-control unit, 143 ... Fiscal memory, 144 ... CPLD, 45 ... Rewrite memory, 146 ... Second sub-control unit (control unit), 147 ... Processor, 150: reader / writer (medium connection unit), 200: smart card (medium, external medium), 202: calculation unit, 203: storage unit (medium storage unit), 300: printer substrate.

Claims (8)

A storage unit for storing a control program and a digital signature corresponding to the control program;
A control unit for executing the control program;
A medium connection unit that stores a decryption key and connects to an external medium including an arithmetic unit that decrypts the digital signature with the decryption key;
The control unit calculates a first hash value from the control program stored in the storage unit, and decrypts the digital signature corresponding to the control program from the external medium via the medium connection unit. , And the first hash value and the second hash value are compared, and if they do not match, the execution of the control program is restricted.   The control unit executes a boot program stored in the storage unit when the information processing apparatus is activated, and executes the control program when the first hash value and the second hash value do not match. The information processing apparatus according to claim 1, wherein the information processing apparatus is limited. A control unit for executing a control program;
An input unit for inputting an update control program for updating the control program and a digital signature corresponding to the update control program;
A medium connection unit that stores a decryption key and connects to an external medium including an arithmetic unit that decrypts the digital signature with the decryption key;
The control unit calculates a third hash value from the input control program for update, and decrypts the digital signature corresponding to the control program for update from the external medium via the medium connection unit. An information processing apparatus that acquires a four-hash value, compares the third hash value and the fourth hash value, and restricts updating to the control program for updating if they do not match.   The information processing apparatus according to claim 1, wherein the information processing apparatus is a fiscal printer including a storage unit that stores fiscal information. An information processing system comprising: a medium storage unit that stores a decryption key; a medium that includes a calculation unit that decrypts a digital signature with the decryption key; and an information processing apparatus that can be connected to the medium.
The information processing apparatus includes:
A control unit for executing a control program;
A storage unit for storing the control program and the digital signature corresponding to the control program;
The control unit calculates a first hash value from the control program stored in the storage unit, acquires a second hash value obtained by decrypting the digital signature corresponding to the control program from the medium, and acquires the first hash An information processing system that compares a value with the second hash value and restricts execution of the control program if they do not match. An information processing system comprising: a medium storage unit that stores a decryption key; a medium that includes a calculation unit that decrypts a digital signature with the decryption key; and an information processing apparatus that can be connected to the medium.
The information processing apparatus includes:
A control unit for executing a control program;
An input unit that inputs an update control program for updating a control program executed by the control unit and the digital signature corresponding to the update control program;
The control unit calculates a third hash value from the input control program for update, acquires a fourth hash value obtained by decrypting the digital signature corresponding to the control program for update from the medium, and An information processing system that compares a third hash value and the fourth hash value, and restricts updating to the control program for updating if they do not match. Reading the control program from a storage unit storing a control program executed by the control unit and a digital signature corresponding to the control program, and calculating a first hash value of the control program;
A second key that stores the decryption key and transmits the digital signature read from the storage unit to an external medium including an arithmetic unit that decrypts the digital signature with the decryption key, and decrypts the digital signature from the external medium; Obtaining a hash value;
Comparing the first hash value and the second hash value and restricting the execution of the control program by the control unit if they do not match;
An information processing apparatus control method comprising: A step of inputting an update control program for updating a control program executed by the control unit, and a digital signature corresponding to the update control program;
Calculating a third hash value of the inputted control program for updating;
A fourth hash value obtained by storing the decryption key and transmitting the input digital signature to an external medium including an arithmetic unit that decrypts the digital signature with the decryption key and decrypting the digital signature from the external medium. A step to obtain,
Comparing the third hash value and the fourth hash value, and restricting the update of the control program by the control program for update if they do not match;
A method for controlling an information processing apparatus, comprising:

Images