JP2017173893A - Information processing system, update method, information device, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an information processing system.SOLUTION: An information processing system 100 includes one or more information devices 150 and a management device 110. The management device 110 includes: acquisition means 212 of acquiring device information of accessory devices 180 connected to the information devices 150, from the information devices 150; selection means 214 of selecting control data corresponding to each of the accessory devices 180, on the basis of the device information; and generation means 218 of generating update data including the control data selected for each of the accessory devices 180. The information devices 150 include: receiving means 258 of receiving the update data from the management device 110; acquisition means 256 of acquiring certificate information issued from a provider of the accessory devices; verification means 260 of verifying a distribution source of the update data, on the basis of the acquired certificate information of the provider; and command means 254 of issuing a command to the accessory devices to update the control data, based on the verified update data, when the distribution source of the update data passes the verification.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an information processing system, an updating method, an information device, and a program.

  Conventionally, techniques for updating firmware of peripheral devices are known. Also, in organizations such as government offices, educational institutions, companies, etc., there are cases where information devices such as multifunction peripherals are centrally managed, and there is also a technology that makes it possible to update the firmware of information devices by remote control. ing.

  When updating the firmware of a peripheral device such as a card reader connected to the information device described above, it may be necessary to remove the peripheral device from the information device and perform reconnection. This is because the firmware needs to be updated from the personal computer. In some cases, it is necessary to update the firmware for each peripheral device to be updated.

  In addition, peripheral devices such as card readers are not uniform in model and version, and in addition to the updating work, it takes much time to select the corresponding firmware. Further, when it is assumed that the peripheral device is removed and the firmware is updated, it is necessary to restrict physical access to the connection portion between the peripheral device and the information device for management.

  Japanese Patent No. 5419123 (Patent Document 1) is also known in connection with the firmware update of peripheral devices. However, it has not been possible to update all information devices managed in a unified manner. Moreover, it is necessary to select appropriate firmware for each peripheral device, which is not sufficient. Furthermore, there has been a demand for higher security protection in firmware updates.

  The present invention has been made in view of the above points, and the present invention can efficiently update the control data of an attached device connected to each of one or more information devices to be managed in a protected state. An object is to provide a possible information processing system.

  In one embodiment of the present invention, in order to solve the above problem, an information processing system including one or more information devices having the following characteristics and a management device connected to the one or more information devices via a network I will provide a. The management device obtains device information of an attached device connected to each of one or more information devices, and a selection for selecting control data corresponding to each of the attached devices based on the obtained device information Means for generating update data including control data selected for each of the attached devices.

  The information device provides the receiving unit that receives the generated update data from the management device, the acquisition unit that acquires the certification information issued from the provider of the accessory device, and the distribution source of the update data acquired. Verification means for verifying based on the original certification information, and instruction means for instructing the attached device to update the control data based on the verified update data when the distribution source of the update data passes verification .

  With the above-described configuration, it is possible to efficiently update the control data of the attached device connected to each of the one or more information devices to be managed in a protected state.

Schematic which shows the apparatus management system by this embodiment. The figure which shows the hardware constitutions of the apparatus management server by this embodiment. The figure which shows the hardware constitutions of the information equipment by this embodiment. The block diagram which shows the structure of the apparatus management system by this embodiment. The sequence diagram which shows the firmware update process performed between the apparatus management server which comprises the apparatus management system in this embodiment, an information device, and a peripheral device. (A) The figure which illustrates the data structure of the firmware update data produced | generated and (B) matching information. The flowchart which shows the apparatus verification process which the apparatus management server which comprises the apparatus management system in this embodiment performs. The flowchart which shows the delivery source verification process which the information equipment which comprises the apparatus management system in this embodiment performs. The figure explaining the delivery origin verification process in this embodiment. The figure which illustrates the certification chain in a specific embodiment.

  Hereinafter, although this embodiment is described, the embodiment is not limited to the embodiment described below. In the embodiment described below, the device management system 100 and the information device 150 will be described as examples of the information processing system and the information device.

  FIG. 1 is a schematic diagram showing a device management system 100 according to the present embodiment. As illustrated in FIG. 1, the device management system 100 includes a device management server 110 and one or more information devices 150 connected to each other via a network 102. The network 102 is not particularly limited, and is a wired or wireless network such as a local area network. The device management server 110 and the information device 150 are configured to be able to exchange data with each other via the network 102 according to a TCP / IP (Transmission Control Protocol / Internet Protocol) protocol.

  The device management server 110 is not particularly limited, and is configured as a general-purpose computer such as a personal computer, a workstation, or a server computer. In the embodiment to be described, the device management server 110 provides a function of monitoring and managing one or more information devices 150. Using the device management server 110, the administrator of the information device 150 can grasp the status of the information device 150 from a remote location and can update the internal firmware and application.

  In one example, the information device 150 is a multifunction device that provides various image processing functions such as copying, printing, scanning, and facsimile. The information device 150 is a management target information device managed by the device management server 110. In FIG. 1, two information devices 150a and 150b are shown as information devices, but the number of information devices is not particularly limited. The information device 150 is not particularly limited, but is preferably a multifunction device, a copier, a printer, or the like in which a status and firmware such as a power state are managed as a management target of the device management server 110. Image forming apparatuses, image reading apparatuses such as scanners, and image communication apparatuses such as facsimiles.

  In the embodiment to be described, a peripheral device 180 is connected to each information device 150. The peripheral device 180 is connected to the information device 150 and provides the information device 150 with an auxiliary function for realizing a partial function thereof. Examples of the peripheral device 180 include an authentication device such as a card reader and a card reader / writer, a biometric authentication device such as fingerprint authentication, vein authentication, and iris authentication, and a camera for face authentication.

  In the embodiment to be described, the information device 150 and the peripheral device 180 are described as being connected via a serial bus interface such as a USB (Universal Serial Bus). However, the connection method is not particularly limited, and any connection method can be adopted regardless of wired or wireless. In the embodiment to be described, each set 140 of the information device 150 and the peripheral device 180 is a management target of the device management server 110. In FIG. 1, peripheral devices 180a and 180b connected to the information devices 150a and 150b are shown as attached devices, but the number of attached devices to be managed per information device is particularly limited. It is not something.

  As described above, when the peripheral device 180 is externally attached to the information device 150, it is necessary to update the firmware of the information device 150 and to update the firmware of the peripheral device 180 for management of the information device 150. Sexuality may occur.

  At that time, if it is required to remove the peripheral device 180 from the information device 150 and connect it to a personal computer to update the firmware, the administrator needs to perform complicated work. Furthermore, depending on the operating environment, the peripheral device 180 may not have a uniform model and version, and may require more time and effort to select firmware suitable for each peripheral device. Further, if it is assumed that the peripheral device 180 is removed and the firmware is updated, physical access to the peripheral device 180 and its connection parts is separately performed so that only authorized workers can update the firmware. It may be necessary to apply restrictions.

  Thus, the device management server 110 according to the present embodiment has a function of remotely updating the firmware of each peripheral device 180 connected to each of the one or more information devices 150 in a protected state. Each of the information devices 150 has a function of updating the firmware of the peripheral device 180 after verifying the validity of the distribution source in response to a request for remote update from the device management server 110.

  More specifically, the device management server 110 acquires the device information of the peripheral device 180 connected to each of the one or more information devices 150, and transmits the device information to each of the peripheral devices 180 based on the acquired device information. Select the corresponding firmware data. The device management server 110 generates firmware update data including the selected firmware data for each peripheral device 180 and transmits the firmware update data to each corresponding information device 150.

  When the information device 150 receives the generated firmware update data from the device management server 110, the information device 150 acquires certification information issued from the provider of the peripheral device 180 in order to verify the distribution source. The information device 150 verifies the distribution source of the firmware update data based on the acquired certification information of the provider, and if the verification device passes the verification, the information device 150 transmits the firmware based on the verified firmware update data to the connected peripheral device 180. Command to update.

  The peripheral device 180 that has received the update command applies the firmware update after verifying itself as needed based on the received firmware update data.

  With the above configuration, it is possible to efficiently update the firmware of the peripheral device 180 connected to each of the one or more information devices 150 to be managed. Since the distribution source is verified based on the certification information issued by the provider, after confirming that the distribution source is a management device permitted by the provider of the accessory device, the accessory device can be safely The firmware can be updated.

  Hereinafter, with reference to FIGS. 2 to 10, the firmware update process with security protection executed by the device management system 100 according to the present embodiment will be described in more detail.

  Hereinafter, first, the hardware configuration of each device constituting the device management system 100 will be described with reference to FIGS. 2 and 3.

  FIG. 2 is a diagram illustrating a hardware configuration of the device management server 110 according to the present embodiment. The device management server 110 is configured as a general-purpose computer or the like. A device management server 110 shown in FIG. 2 includes a single-core or multi-core CPU (Central Processing Unit) 12, a RAM (Random Access Memory) 14, a ROM (Read Only Memory) 16, and an HDD (Hard Disk Drive) 18. And a communication interface device 24. The device management server 110 may include an input device 20 and a display device 22 as necessary.

  The CPU 12 performs overall control such as processing inside the device management server 110. The RAM 14 provides a work area for the CPU 12. The ROM 16 stores a control program such as BIOS (Basic Input / Output System). The HDD 18 stores an OS for controlling the computer device, a program for realizing a function unit described later, various system information, and various setting information.

  The input device 20 is an input device such as a mouse, a keyboard, or a touch screen panel. The display device 22 is a display device such as a liquid crystal display device or an organic EL (Electroluminescence) display. The input device 20 and the display device 22 provide a user interface for receiving input of various instructions from the administrator. The communication interface device 24 is an interface device that connects a device management server 110 such as a NIC (Network Interface Card) to the network 102.

  The device management server 110 according to the present embodiment reads out programs from the ROM 16 and the HDD 18 and develops them in a work space provided by the RAM 14, thereby realizing each unit and each process described later under the control of the CPU 12.

  FIG. 3 shows a hardware configuration of the information device 150 according to the present embodiment. The information device 150 is configured as an image forming apparatus having an image forming function and an image reading function. 3 includes a single-core or multi-core CPU 52, a ROM 54, a RAM 56 that provides a work area for the CPU 52, an image memory 58, and a communication interface device 60 on a controller board 50. Further, an operation panel 62, a scanner 64, and a plotter 66 are connected to the controller board 50.

  The CPU 52 controls operations such as image processing inside the information device 150. The ROM 54 stores a program for causing the information device 150 to function. The RAM 56 provides a work area for the CPU 52, and executes programs stored in the ROM 54, the HDD, and the like. The image memory 58 provides a work area used for image processing in scanning and printing. The communication interface device 60 is an interface device that connects an information device 150 such as a wireless LAN adapter or NIC according to a standard such as IEEE 802.11 to the network 102.

  The operation panel 62 is connected to the controller board 50 and includes a display device such as a liquid crystal panel or an organic EL, and an input device such as a touch screen panel. The operation panel 62 displays an operation screen, accepts input of various instructions from the operator, and provides a user interface for performing screen display. The scanner 64 executes an image reading process in response to an image reading execution command from the controller board 50. In response to an image formation execution command from the controller board 50, the plotter 66 executes image formation processing based on print data from the terminal device and image read data read by the scanner 64.

  The information device 150 according to the present embodiment reads out a program from the ROM 54 and the HDD and develops the program in a work space provided by the RAM 56, thereby realizing each unit and each process described below under the control of the CPU 52.

  Note that the hardware configurations of the device management server 110 and the information device 150 have been described with reference to FIGS. 2 and 3, respectively. The peripheral device 180 includes a hardware component appropriate for the application, but a detailed description thereof is omitted.

  Hereinafter, with reference to FIG. 4, functional blocks for executing a firmware update process with security protection in the device management system 100 according to the present embodiment will be described. FIG. 4 is a block diagram showing the configuration of the device management system 100 according to the present embodiment. FIG. 4 shows a module configuration 210 included in the device management server 110, a module configuration 250 included in the information device 150, and a module configuration 280 included in the peripheral device 180.

  First, a functional configuration on the device management server 110 side will be described. As shown in FIG. 4, the module configuration 210 of the device management server 110 includes an apparatus information collection unit 212, an update availability verification unit 214, a firmware information storage unit 216, a firmware update data generation unit 218, and firmware data storage. A unit 220, a signature unit 222, and a firmware update data distribution unit 226 are included.

  The device information collection unit 212 requests each of the one or more information devices 150 to acquire device information related to the peripheral device 180 connected thereto, and collects device information from each information device 150. Here, the device information includes information identifying the firmware of the peripheral device 180 such as vendor identification information and product identification information, and information identifying the current firmware generation (also referred to as version) of the peripheral device 180. It is assumed that information for communication with one or more information devices 150 of the other party that requests acquisition of device information is registered in advance as a management target. The device information collection unit 212 constitutes an acquisition unit on the management device side in the present embodiment.

  The firmware information storage unit 216 can apply information for identifying the firmware of the peripheral device 180 such as vendor identification information and product identification information, firmware entity data held in the device management server 110, firmware generation information, and firmware. The association information for associating various generation information is stored. In other words, the firmware information storage unit 216 manages what kind of firmware of what kind of peripheral device the held firmware is valid for.

  The update availability verification unit 214 refers to the association information stored in the firmware information storage unit 216 based on the acquired device information, and whether or not the peripheral device 180 that acquired the device information can update the firmware. Determine whether. If it is determined that the update is possible, the update availability verification unit 214 further selects firmware data corresponding to each peripheral device 180. The update availability verification unit 214 constitutes a selection unit in the present embodiment.

  The firmware data storage unit 220 stores firmware data that is actual data of firmware. In certain embodiments, the firmware data is signed by a vendor. In the firmware data storage unit 220, one or more generations of firmware data are prepared in advance for each peripheral device 180 that can be connected to the information device 150 to be managed by the device management server 110. For example, the firmware data may be acquired in advance from a server that provides the information device 150 or the peripheral device 180 via the Internet, or may be provided in advance via a recording medium such as a DVD. The firmware data constitutes control data for operating the peripheral device 180 in this embodiment.

  The firmware update data generation unit 218 reads the firmware data selected by the update availability verification unit 214 from the firmware data storage unit 220 and generates firmware update data. Here, the firmware update data is generated in a form having a secure data structure. The firmware update data generation unit 218 constitutes generation means in the present embodiment.

  In the embodiment shown in FIG. 4, the device management server 110 holds a management device secret key 224. The management device private key 224 is stored in a protected state on the storage device of the device management server 110. The signature unit 222 implements a signature algorithm and provides a function of signing data using the management apparatus private key 224. The storage device that stores the management device secret key 224 and the signature unit 222 constitute a secret key storage unit and a signature unit in the present embodiment, respectively.

  In the embodiment to be described, the firmware update data generation unit 218 calls the signature unit 222 to further apply the signature of the device management server 110 to the firmware data signed by the vendor. As a result, secure firmware update data is generated. By applying the signature of the device management server 110, it is guaranteed that the firmware has been distributed by a legitimate administrator. Note that the public key corresponding to the management apparatus private key 224 is distributed to the information device 150 in advance by an appropriate method as a management apparatus certificate as will be described later.

  The firmware update data distribution unit 226 distributes the firmware update data generated for each information device 150 that has transmitted the device information to each corresponding information device 150.

  Note that some or all of the modules 212 to 226 of the device management server 110 illustrated in FIG. 4 are installed on the device management server 110 as an application for managing the firmware update of the peripheral device 180 as an example.

  Next, the functional configuration on the information device 150 side will be described. As illustrated in FIG. 4, the module configuration 250 of the information device 150 includes a device information transmission unit 252, a device control unit 254, a device driver 256, a firmware update data reception unit 258, and a distribution source verification unit 260. included.

  In response to a device information acquisition request from the device management server 110, the device information transmission unit 252 transmits device information of the peripheral device 180 connected to the information device 150 to the device management server 110. In one example, the device information can be acquired from the peripheral device 180 as described later. The device information transmission unit 252 constitutes transmission means in the present embodiment.

  The firmware update data receiving unit 258 receives firmware update data generated corresponding to the device information from the device management server 110. The firmware update data receiving unit 258 constitutes a receiving unit in the present embodiment.

  The distribution source verification unit 260 verifies the distribution source of the firmware update data. The distribution source verification unit 260 implements a certification path verification algorithm, and verifies the distribution source using a vendor certificate. Further, the distribution source verification unit 260 has a signature verification algorithm implemented, and the signature applied to the received firmware update data based on the management device certificate 262 corresponding to the management device private key on the device management server 110 side. Can be verified. In the preferred embodiment, the distribution source verification unit 260 updates the firmware when the verification with the management device certificate 262 passes and the management device certificate 262 passes the verification based on the vendor certificate. It is determined that the data distribution source is valid. In this way, it is verified whether the received firmware update data has been distributed from a valid administrator. Details of the verification of the distribution source of the firmware update data will be described later. The distribution source verification unit 260 constitutes verification means in the present embodiment.

  The management device certificate 262 holds a public key corresponding to the management device private key 224 in the device management server 110, and is appropriately distributed in advance. The distribution method does not matter.

  The device control unit 254 is a module that controls firmware update of the peripheral device 180. The device control unit 254 communicates with the peripheral device 180 via the device driver 256. More specifically, device information can be acquired from the peripheral device 180 via the device driver 256 and passed to the device information transmission unit 252. The device control unit 254 further transmits the firmware update data distributed from the device management server 110 to the peripheral device 180 via the device driver 256 when the verification of the distribution source of the firmware update data is passed. Command update. The device control unit 254 constitutes command means in the present embodiment.

  The device driver 256 is driver software that communicates with the peripheral device 180 and controls the peripheral device 180. The device driver 256 is used for the information device 150 to control the firmware update for the peripheral device 180. The device driver 256 sends a control command to the peripheral device 180, thereby issuing a vendor certificate acquisition request or sending firmware update data. The device driver 256 constitutes an acquisition unit on the information device side in the present embodiment.

  Note that some or all of the modules 252 to 262 of the information device 150 illustrated in FIG. 4 are, for example, applications that control the firmware update of the peripheral device 180 in cooperation with the firmware update management application on the device management server 110. Is installed on the information device 150.

  Next, the functional configuration on the peripheral device 180 side will be described. As illustrated in FIG. 4, the module configuration 280 of the peripheral device 180 includes a communication unit 282, a firmware verification unit 290, and a firmware update application unit 292.

  The communication unit 282 receives a control command from the device driver 256 on the information device 150 side, receives firmware data, and reads and returns the device information 284 and the vendor certificate 286 held by the peripheral device 180 in response to the acquisition request. Or

  Here, the device information 284 will be described assuming that it is held in advance in the peripheral device 180 as describing the device of the peripheral device 180. The same applies to the vendor certificate 286, and it is assumed that the peripheral device 180 is recorded in advance in the peripheral device 180 by the manufacturer of the peripheral device 180 when the peripheral device 180 is manufactured. The vendor certificate 286 is used in the peripheral device 180 when verifying the vendor signature applied to the firmware. In the embodiment to be described, the vendor certificate 286 is further provided to the information device 150 side and used when verifying the distribution source of the firmware update data.

  When the communication unit 282 receives the firmware data from the information device 150, the communication unit 282 stores the firmware data in a predetermined storage area. The firmware data 288 is stored in the firmware data storage unit 220 of the device management server 110, and is communicated with the peripheral device 180 via the firmware update data receiving unit 258, the device control unit 254, and the device driver 256 of the information device 150. It is received and stored by the unit 282.

  The firmware verification unit 290 uses the vendor certificate 286 to verify whether the firmware data 288 has been issued by an appropriate manufacturer. The firmware update application unit 292 applies the update to the peripheral device 180 based on the firmware data 288 when the firmware data 288 passes verification.

  For example, a part or all of the modules 282 to 292 of the peripheral device 180 illustrated in FIG. 4 execute an actual firmware update operation under the instruction of the firmware update control application on the information device 150 side. It is mounted in advance on the peripheral device 180 as firmware of the above.

  The one set 240 of the information device 150 and the peripheral device 180 has been described with reference to FIG. However, as described above, the number of information devices 150 is not particularly limited, and the number of peripheral devices 180 per information device 150 is not particularly limited. When there are a plurality of information devices 150, a set 240 exists for each information device 150. When there are a plurality of peripheral devices 180 per information device 150, modules 280 on the plurality of peripheral devices 180 are provided in each set 240.

  Hereinafter, the overall flow of the firmware update process of the peripheral device 180 according to the present embodiment will be described with reference to FIG. FIG. 5 is a sequence diagram illustrating a firmware update process executed between the device management server 110, the information device 150, and the peripheral device 180 constituting the device management system 100 according to the present embodiment.

  The process shown in FIG. 5 is started from step S101 in response to the device management server 110 receiving a firmware batch update instruction from the administrator. The firmware batch update instruction may be issued via an input device included in the device management server 110, or the device management server 110 may receive it from an administrator terminal via a network. 5 shows one information device 150, and shows processing for one information device 150. When there are a plurality of information devices 150, the processing shown in FIG. It is executed for each device.

  In step S <b> 101, the device management server 110 transmits a device information acquisition request for the connected peripheral device 180 to the information device 150 by using the device information collection unit 212. In step S102, the information device 150 that has received the device information acquisition request issues a device information acquisition request via the device driver 256 to the peripheral device 180 connected to the information device 150 by the device control unit 254. Try to get information. If the device information can be acquired, the information device 150 uses the device information transmission unit 252 to return the device information to the requesting device management server 110. If the information device 150 cannot acquire the device information, the information device 150 sends a failure notification to the request source device management server 110. Here, the description will be continued assuming that the device information has been acquired successfully. In the description, for the sake of convenience, the description will be made assuming that there is one peripheral device 180 connected to the information device 150. However, when there are a plurality of peripheral devices 180 connected, the device information of each of the plurality of peripheral devices 180 is provided. Will be returned.

  In step S103, the device management server 110 that acquired the device information executes device verification based on the acquired device information. The device verification here includes verification of whether the firmware of the peripheral device 180 that acquired the device information can be updated. If the firmware can be updated, the device verification corresponds to the peripheral device 180 based on the acquired device information. Firmware data is selected. Details of the device verification process will be described later.

  When the verification ends normally, in step S104, the device management server 110 generates firmware update data including the firmware data selected for the peripheral device 180 by the firmware update data generation unit 218. In step S <b> 105, the device management server 110 transmits firmware update data to the information device 150 via the firmware update data distribution unit 226.

  FIG. 6A illustrates the data structure of the firmware update data that is generated. Firmware update data 300 that is a set of data for updating firmware includes firmware data 302. The firmware data 302 is signed (vendor signature) by the manufacturer (provider) of the peripheral device 180. This signature is for ensuring that the firmware data is generated by the manufacturer and is not tampered with. The private key for signature is managed by the manufacturing company.

  Firmware update data 300 shown in FIG. 6A further includes update target device information 306 in addition to vendor-signed firmware data 304. The update target device information 306 can include provider identification information and product identification information in order to specify the peripheral device 180 to be updated. The update target device information 306 may simply be the version of the firmware to be updated, and may be any information as long as it uniquely indicates the peripheral device or its firmware. Where a plurality of peripheral devices 180 can be connected to the information device 150, the update target device information 306 specifies the peripheral device 180 to which firmware update data is applied.

  In the firmware update data 300 shown in FIG. 6 (A), the signed firmware data 304 and the update target device information 306 are combined into a set based on the management device private key 224 by the device management server 110. (Management device signature) is applied. This signature is used to indicate that the firmware update data is generated by a valid device management server. Thus, the firmware data is not transmitted as it is in order to prevent alteration on the communication path.

  Here, FIG. 5 will be referred to again. In step S106, the information device 150 that has received the firmware update data by the firmware update data receiving unit 258 stores the received firmware update data. In step S <b> 107, the information device 150 uses the distribution source verification unit 260 to execute a verification process of the update data distribution source.

  The distribution source verification process here verifies whether the firmware update data is distributed from the trusted device management server 110. In the distribution source verification processing according to the present embodiment, in step S108, the information device 150 issues a vendor certificate acquisition request to the peripheral device 180 through the device control unit 254 and the device driver 256, and the vendor 180 sends the vendor certificate to the vendor. Obtain a certificate. In the embodiment to be described, the description will be made assuming that the vendor certificate is acquired from the peripheral device 180, but the acquisition method is not particularly limited. In the distribution source verification process shown in step S107, the validity of the distribution source of the firmware update data is verified based on the pre-distributed management device certificate 262 and the acquired vendor certificate. As a result, it is possible to prevent tampering on the communication path and to prevent updating by the tampered firmware.

  In step S <b> 109, the information device 150 uses the device control unit 254 to verify the firmware update target peripheral device 180. The verification here confirms whether or not the peripheral device 180 that has acquired the device information maintains a state of being connected to the information device 150 and whether or not the configuration has been changed. In step S110, the information device 150 can actually transmit the firmware update data, or the device control unit controls the peripheral device 180 indicated by information specifying the firmware of the peripheral device 180 such as vendor identification information or product identification information. A connection test is performed from 254 via the device driver 256.

  If the distribution source is valid and the connection test is passed, the information device 150 transmits firmware data to the peripheral device 180 in step S111. As a result, a firmware update command is issued based on the verified firmware data.

  In step S112, the peripheral device 180 that has received the firmware data by the communication unit 282 stores the received firmware data. In step S <b> 113, the peripheral device 180 uses the firmware verification unit 290 to execute firmware data verification processing. In this verification process, it is verified that the issuer of the firmware data is the manufacturer and there is no modification, and is typically performed using the vendor certificate 286. The vendor signature applied to the firmware data, the firmware data (or its digest), and the public key of the vendor certificate 286 are input to the verification algorithm and verified. Here, it is also verified whether the firmware data is damaged.

  If the verification is passed, in step S114, the peripheral device 180 applies the firmware update by the firmware update application unit 292. When the update ends normally, the update result is notified to the information device 150 by the communication unit 282. In step S115, the information device 150 notifies the device management server 110 of the update result. Note that if the signature is discarded in the verification, the firmware update is not applied.

  Hereinafter, the device verification process in step S103 shown in FIG. 5 will be described in more detail with reference to FIGS. 7 and 6B. FIG. 7 is a flowchart showing a device verification process executed by the device management server 110 constituting the device management system 100 according to the present embodiment. FIG. 6B is a diagram illustrating a data structure of association information stored in the firmware information storage unit 216. 7 is executed by the update availability verification unit 214.

  The process shown in FIG. 7 is called in step S103 shown in FIG. 5, and is started from step S200. As described above, the device information acquired in step S101 described above includes information identifying the peripheral device 180 such as vendor identification information and product identification information and firmware generation information. For example, in the case of a USB device, the device information is acquired as information called a USB descriptor. In step S201, the device management server 110 determines whether or not device information has been acquired as a result of attempting to acquire device information. If the device information cannot be acquired in step S201 (NO), the process branches to step S206. In step S206, the device management server 110 notifies the firmware update data generation unit 218 that update is not possible, and in step S207, the device management server 110 terminates the processing as having failed.

  If the device information can be acquired in step S201 (YES), the process proceeds to step S202. In step S202, the device management server 110 searches the association information stored in the firmware information storage unit 216 based on the acquired device information for firmware data that matches the provider identification information and product identification information. To do.

  As shown in FIG. 6B, the association information stored in the firmware information storage unit 216 associates the vendor ID, the product ID, the firmware version, the updatable version, and the firmware data. In the table shown in FIG. 6B, each line represents one piece of firmware data.

  In the association information shown in FIG. 6B, the vendor ID is an identifier that uniquely indicates the manufacturer (provider) of the peripheral device 180. In the case of a USB device, it is generally expressed as a 4-digit hexadecimal number. The product ID is an identifier that uniquely indicates the peripheral device 180. In the case of a USB device, it is generally expressed as a 4-digit hexadecimal number. The firmware version indicates the generation of firmware data represented by each row.

  Here, FIG. 7 will be referred to again. If no match is found in step S202 (NO), the process branches to step S206, and the device management server 110 notifies that the update is impossible, and ends the process in step S207 as a failure. .

  On the other hand, if there is at least one item that matches the device information in step S202 (YES), the process proceeds to step S203. In step S <b> 203, the device management server 110 determines whether there is firmware data that matches the device information that is included in the updateable version section of the current version included in the acquired device information.

  In the association information shown in FIG. 6B, the updatable version indicates to which version of firmware this firmware is valid. An updatable version is set so that too old firmware is not updated to the latest version at one time and new firmware is not updated with old firmware.

  In the example shown in FIG. 6B, it is expressed by mathematical interval notation. If no upper limit is listed, it indicates that the firmware version is valid. For example, the firmware in the first row has a firmware version of 1.23, so the upper limit of the updatable version is 1.23. Therefore, when the current version included in the acquired device information is a version greater than 1.01 and less than or equal to 1.23, it is determined that the firmware data can be updated.

  Here, FIG. 7 will be referred to again. If there is no firmware data that matches the device information and is included in the updateable version section in step S203 (NO), the process branches to step S206. In step S206, the device management server 110 issues a notification that updating is not possible, and in step S207, the device management server 110 terminates the processing assuming that it has failed.

  On the other hand, in step S203, if there is at least one device whose device information matches that is included in the section of the updatable version of the current version (NO), the process proceeds to step S204. As a result of the search, a plurality of versions of firmware data that can be updated may be found.

  In step S204, the device management server 110 acquires the latest version of the corresponding firmware data from the firmware data storage unit 220. In the association information shown in FIG. 6B, the firmware data column indicates the storage location of the actual firmware data in the firmware data storage unit 220. The format is not limited as long as the storage location is uniquely indicated. In step S205, the device management server 110 notifies the firmware update data generation unit 218 that the update has been successful, and in step S207, the device management server 110 terminates the processing as being successful.

  Hereinafter, the distribution source verification process executed by the information device 150 shown in steps S106 to S111 shown in FIG. 5 will be described in more detail with reference to FIGS. FIG. 8 is a flowchart showing a distribution source verification process executed by the information device 150 constituting the device management system 100 according to this embodiment. FIG. 9 is a diagram for explaining a distribution source verification process in the present embodiment.

  Here, first, generation of firmware update data which is a precondition for verification of the distribution source will be described. In a system in which firmware data for update is sent as it is and updates are performed, the signature verification private key may be leaked even if the firmware data has a signature for falsification verification. For this reason, it is desirable to prevent updating by falsified firmware.

  Therefore, in the present embodiment, the device management server 110 further signs the management data with the management device private key 224 on the firmware data that has been subjected to a vendor signature for falsification prevention, and confirms that the request is from a trusted administrator. Prove it. However, since the certificate itself can be issued by anyone, it is not preferable to use a private key and certificate that anyone can create. Therefore, in the embodiment to be described, the vendor certificate 286 is forced to be included in the certificate chain of the management device certificate 262 corresponding to the management device private key 224. As a result, it is proved that the device is distributed from the device management server that is permitted to distribute the firmware to the vendor of the peripheral device 180.

  The process shown in FIG. 8 is started from step S300 in response to the firmware update data generated in the form shown in FIG. 6A being transmitted from the device management server 110 to the information device 150. . The information device 150 receives the firmware update data from the device management server 110 in step S301, and stores the update data on the storage device in step S302.

  In step S <b> 303, the device management server 110 acquires a vendor certificate from the peripheral device 180 via the device control unit 254 and the device driver 256. In step S304, the process branches depending on whether the vendor certificate has been successfully acquired. If it is determined in step S304 that acquisition of the vendor certificate has failed (NO), the process branches to step S314, the firmware update is stopped, and the process ends in step S315.

  On the other hand, if it is determined in step S304 that the vendor certificate has been successfully acquired (YES), the process proceeds to step S305. In step S305, the information device 150 first verifies the correspondence between the management device certificate 262 and the signature of the firmware update data 300 by the distribution source verification unit 260, and branches the process according to the verification result in step S306. Let

  As shown in FIG. 9, the signature applied to the firmware update data 300 is a management device signature performed based on the management device private key 224 managed on the device management server 110 side. The management device public key 310 that is paired with the management device private key 224 is included in the management device certificate 262 held by the information device 150. Therefore, the information device 150 inputs the signature of the firmware update data 300, the part other than the signature of the firmware update data 300 (or its digest), and the management apparatus public key 310 to the signature verification algorithm, and the firmware update data It is verified whether the signature of 300 is signed with the management apparatus private key 224.

  If it is determined in step S306 that they do not match (NO), the process branches to step S314, the firmware update is stopped, and the process ends in step S315.

  On the other hand, if it is determined in step S306 that they match (YES), the process branches to step S307. In step S307, the information device 150 further verifies the certification chain, and in step S308, branches the processing depending on whether or not the vendor certificate is included in the certification chain.

  The management device certificate 262 is compulsory to include a vendor certificate in the certification chain. If it is valid, for example, as shown in FIG. 9, the management device certificate 262 includes a management device certificate 262 on the vendor side. A signature based on the managed vendor private key 320 is given. The vendor public key 330 paired with the vendor private key 320 is included in the vendor certificate 286 that can be acquired by the information device 150. Therefore, the information device 150 inputs the signature of the management device certificate 262, the portion other than the signature of the management device certificate 262 (or its digest), and the vendor public key 330 to the signature verification algorithm, and the management device It is verified whether the certificate 262 is signed with the vendor private key 320. The vendor certificate 286 is signed with a private key 340 managed by a higher-level certificate authority. FIG. 9 is an example, and the management apparatus certificate 262 may not be directly signed by the vendor.

  Note that the peripheral device 180 connected to the information device 150 may be provided by a plurality of vendors. FIG. 10 illustrates a certification chain in a specific embodiment. In the case of dealing with a plurality of vendors, as shown in FIG. 10, the certification chain may include signatures from a plurality of vendors. Alternatively, since the provider can be identified from the vendor ID, a management device private key and a management device certificate may be prepared for each vendor and used separately.

  If it is determined in step S308 that the vendor certificate is not included in the certification chain (NO), the process branches to step S314, the firmware update is stopped, and the process is terminated in step S315. On the other hand, if it is determined in step S308 that the vendor certificate is included in the certification chain (YES), the process branches to step S309.

  In step S309, the information device 150 further performs a connection test on the peripheral device 180 indicated by the device information. In step S310, the information device 150 branches the process according to the result of the connection test. If it is determined in step S310 that the connection test has failed (NO), the process branches to step S314, the firmware update is stopped, and the process ends in step S315.

  On the other hand, if it is determined in step S310 that the connection test is successful (YES), the process branches to step S311. In step S311, the information device 150 further confirms the configuration of the peripheral device 180. In step S312, the information device 150 branches the process according to the result of the configuration confirmation. If it is determined in step S312 that the configuration has been changed, for example, by changing the version after transmitting the device information (NO), the process branches to step S314 to stop the firmware update. In step S315, the process is terminated.

  If it is determined in step S312 that the configuration has not been changed (YES), the process branches to step S313. In step S313, the information device 150 transmits at least the vendor-signed firmware data 304 included in the firmware update data 300 to the peripheral device 180 via the device control unit 254 and the device driver 256, and applies the firmware update application. In step S315, the process is terminated.

  8, (1) the correspondence between the management device certificate 262 distributed in advance to the information device 150 and the management device signature of the firmware update data matches, and (2) the certification of the management device certificate 262. 3 points that the certificate chain includes the corresponding vendor certificate of the peripheral device 180, and (3) the peripheral device 180 identified by the signed update target device information is connected to the information device 150. Confirming that the signature made by the device management server 110 is valid. Therefore, it is possible to prevent tampering on the communication path, firmware tampering, and remote execution of firmware update from an unauthorized management device.

  As described above, according to the above-described embodiment, an information processing system capable of efficiently updating control data of an attached device connected to each of one or more information devices to be managed in a protected state. An update method, an information device, and a program can be provided.

  In the above description, the firmware of the peripheral device 180 connected to the information device 150 is updated from the device management server 110. However, when the firmware of the peripheral device 180 needs to be updated, the software component on the information device 150 needs to be updated. From the device management server 110, the firmware on the information device 150 side is updated along with the firmware update of the peripheral device 180. Updates of other software components can be controlled.

  The functional unit can be realized by a computer-executable program written in a legacy programming language such as an assembler, C, C ++, C #, Java (registered trademark), an object-oriented programming language, or the like. ROM, EEPROM, EPROM , Stored in a device-readable recording medium such as a flash memory, a flexible disk, a CD-ROM, a CD-RW, a DVD-ROM, a DVD-RAM, a DVD-RW, a Blu-ray disc, an SD card, an MO, or through an electric communication line Can be distributed.

  Although the embodiments of the present invention have been described so far, the embodiments of the present invention are not limited to the above-described embodiments, and those skilled in the art may conceive other embodiments, additions, modifications, deletions, and the like. It can be changed within the range that can be done, and any embodiment is included in the scope of the present invention as long as the effects of the present invention are exhibited.

12, 52 ... CPU, 14,56 ... RAM, 16, 54 ... ROM, 18 ... HDD, 20 ... input device, 22 ... display device, 24,60 ... communication interface device, 50 ... controller board, 58 ... image memory, 62 ... Operation panel, 64 ... Scanner, 66 ... Plotter, 100 ... Device management system, 102 ... Network, 110 ... Device management server, 150 ... Information device, 180 ... Peripheral device, 212 ... Device information collection unit, 214 ... Updability Verification unit, 216 ... Firmware information storage unit, 218 ... Firmware update data generation unit, 220 ... Firmware data storage unit, 222 ... Signature unit, 224 ... Management device secret key, 226 ... Firmware update data distribution unit, 252 ... Device information transmission , 254 ... Device control unit, 256 ... Device driver, 258 ... Firmware Update data receiving unit 260 ... Distribution source verification unit 262 ... Management device certificate, 282 ... Communication unit, 284 ... Device information, 286 ... Vendor certificate, 288 ... Firmware data, 290 ... Firmware verification unit, 292 ... Firmware Update application unit, 300 ... firmware update data, 304 ... vendor signed firmware data, 306 ... update target device information, 310 ... management device public key, 320 ... vendor private key, 330 ... vendor public key, 340 ... secret key

Japanese Patent No. 5419123

Claims (11)

An information processing system including one or more information devices and a management device connected to the one or more information devices via a network, the management device comprising:
Obtaining means for obtaining device information of an attached device connected to each of the one or more information devices;
Selection means for selecting control data corresponding to each of the attached devices based on the acquired device information;
Generation means for generating update data including control data selected for each of the accessory devices, and the information device includes:
Receiving means for receiving the generated update data from the management device;
Obtaining means for obtaining certification information issued from a provider of the accessory device;
Verification means for verifying the distribution source of the update data based on the acquired certification information of the provider;
An information processing system comprising: command means for instructing the attached device to update control data based on the verified update data when the update data distribution source passes verification. The management device
A secret key storage means for storing the secret key;
A signing means for signing update data based on the secret key;
And the verification means of the information device comprises:
The information processing system according to claim 1, further comprising: verifying a signature applied to the received update data based on certification information of the management apparatus corresponding to the secret key.   The verification means of the information device is the case where the signature applied to the received update data passes verification with the certification information of the management device corresponding to the secret key, and further the certification information of the management device The information processing system according to claim 2, wherein when the verification based on the proof information of the provider passes, the distribution source of the update data is determined to be valid.   The information processing system according to any one of claims 1 to 3, wherein the control data included in the update data is firmware data for operating the attached device, which is signed by the provider. .   The update data further includes device specifying information for specifying the attached device, and the verification means further includes whether the attached device indicated by the device specifying information included in the update data is connected to the information device. The information processing system according to claim 1, wherein the information processing system is verified.   The device information includes device specifying information for specifying an attached device and information for identifying a current control data generation of the attached device, and the selecting means includes device specifying information, control data, and the control data. Whether or not control data can be updated is determined based on the device information by referring to association information including information for identifying the generation and information representing the applicable generation. The information processing system according to any one of claims 1 to 5.   The information processing system includes one or more accessory devices connected to each of the one or more information devices, and one of the one or more accessory devices is a card reader or a card reader / writer, and the one or more accessory devices The information processing system according to claim 1, wherein each of the devices applies control data update based on the verified update data in response to the update.   The information processing system includes one or more accessory devices connected to each of the one or more information devices, and one of the one or more accessory devices is a biometric authentication device or a camera, and the one or more accessory devices 7. The information processing system according to claim 1, wherein each of the updates applies a control data update based on the verified update data in response to the update. An update method of control data executed between an information device and a management device connected to the information device via a network,
The management device acquiring device information of an attached device connected to the information device;
The management device selecting control data corresponding to the attached device based on the acquired device information; and
The management device generating update data including control data selected for the attached device;
The information device receiving update data from the management device;
The information device obtaining certification information issued from a provider of the accessory device;
The information device verifying the distribution source of the update data based on the acquired certification information of the provider;
And a step of instructing the auxiliary device to update the control data based on the verified update data when the distribution source of the update data passes verification. An information device connected to a management device via a network,
Transmitting means for transmitting device information of an attached device connected to the information device to the management device;
Receiving means for receiving update data including control data selected corresponding to the device information of the attached device from the management device;
Obtaining means for obtaining certification information issued from a provider of the accessory device;
Verification means for verifying the distribution source of the update data based on the acquired certification information of the provider;
An information device comprising: command means for instructing the attached device to update control data based on the verified update data when the distribution source of the update data passes verification. A program for realizing an information device connected to a management device via a network, comprising:
A transmission means for transmitting device information of an accessory device connected to the information device to the management device;
Receiving means for receiving update data including control data corresponding to device information of the attached device from the management device;
Obtaining means for obtaining certification information issued from a provider of the accessory device;
Verification means for verifying the distribution source of the update data based on the acquired proof information of the provider, and when the distribution source of the update data passes the verification, Program to function as command means for commanding update of control data based