JP2018026721A - Server device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique which allows a server device to select a cipher system appropriately according to identification information received from a client device.SOLUTION: When receiving a print notification and ClientHello from a client device, i.e., a terminal 110, (T10, T30), a server device, i.e., a printer 10, selects a CBC capable of high speed processing as an encryption system to be used for encryption communication. As a result, communication of print data encrypted according to the CBC is executed between the printer 10 and terminal 110 (T50). When receiving the ClientHello without receiving the print notification (T110), the printer 10 selects a GCM having high security as an encryption system to be used for encryption communication. Consequently, communication of screen data encrypted according to the GCM is executed between the printer 10 and terminal 110 (T140).SELECTED DRAWING: Figure 3

Description

  The present specification discloses a server device that executes communication of encrypted data with a client device.

  The copying machine disclosed in Patent Document 1 has a function of encrypting data representing an image to be printed and transmitting the encrypted data to a printer. The copying machine specifies one or more encryption means that can be used by the copying machine itself from an encryption selection table including IDs of a plurality of encryption means, and stores one or more specified encryption means. For each, the time required to encrypt the data representing the image to be printed using the encryption means is calculated. Then, the copying machine encrypts the data using an encryption unit whose calculated time is shorter than the threshold, and transmits the encrypted data to the printer.

Japanese Patent Laid-Open No. 2006-054798

  When communication of encrypted data is to be executed between the server device and the client device, the client device transmits method information indicating a plurality of encryption methods that can be used by the client device itself to the server device. It is possible to do. Then, the server device selects one encryption method from the plurality of encryption methods indicated by the method information, and transmits selection information indicating the selected encryption method to the client device. As a result, communication of data encrypted using the selected encryption method is executed between the server device and the client device. The present specification provides a technology that allows a server device to appropriately select an encryption method in a situation where such a mechanism is used.

  The server device disclosed in the present specification can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method. A memory for storing possible information indicating that, a receiving unit for receiving method information indicating M (M is an integer of 2 or more) encryption methods usable by the client device from the client device, and a client device, In the first case where the method information and the function information indicating that at least one of the server device and the client device should execute the specific function is received, the first encryption method is the second encryption. The first target method is selected from two or more encryption methods included in both the N encryption methods and the M encryption methods so that the encryption method is preferentially selected over the encryption method. The first selection unit and the first target method The first transmission unit that transmits the first selection information indicating the selected first target method to the client device and the first selection information that is transmitted when the first selection information is transmitted. The first communication execution unit that executes communication of the first encrypted data obtained by encrypting the first target data using one target method with the client device, and the function information from the client device. In the second case where scheme information is received without being received, N encryption schemes and M encryption schemes are selected so that the second encryption scheme is preferentially selected over the first encryption scheme. Selected when the second target method and the second selection method are selected from the two or more encryption methods included in both the encryption method and the second target method. The second selection information indicating the second target method is transmitted to the client device Second encrypted data obtained by encrypting the second target data using the selected second target method when the second transmission unit and the second selection information are transmitted. And a second communication execution unit that executes the communication with the client device.

  According to the above configuration, the server device selects the first encryption method preferentially over the second encryption method in the first case of receiving the method information and the function information from the client device. In the second case of selecting the first target method and receiving the method information without receiving the function information from the client device, the second encryption method is selected with priority over the first encryption method. As described above, the second target method is selected. As described above, the server device changes the priority order of the first and second encryption methods depending on whether or not the function information is received from the client device, so that the encryption method can be appropriately selected.

  The server device disclosed in the present specification can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method. And first method information indicating M (M is an integer of 2 or more) encryption methods that can be used by the first client device from the first client device. First identification information for identifying the first method information and the first client device from the first receiving unit and the first client device, the first identification information including a predetermined character string N encryption schemes and M encryption schemes so that the first encryption scheme is preferentially selected over the second encryption scheme in the first case where information is received. Select the first target method from two or more encryption methods included in both A first selection unit that transmits the first selection information indicating the selected first target method to the first client device when the first target method is selected; When the first selection information is transmitted, communication of the first encrypted data obtained by encrypting the first target data using the selected first target method is performed in the first manner. Second method information indicating L (L is an integer of 2 or more) encryption methods that can be used by the second client device from the first communication execution unit that executes with the client device and the second client device. From the second receiving unit that receives the second client information, the second method information, and the second identification information for identifying the second client device, which does not include a predetermined character string. 2 in the second case where the second identification information is received. From among two or more encryption methods included in both of the N encryption methods and the L encryption methods, the encryption method is preferentially selected over the first encryption method. A second selection unit that selects the second target method, and when the second target method is selected, second selection information indicating the selected second target method is transmitted to the second client device. Second encryption unit obtained by encrypting the second target data using the selected second target method when the second selection information and the second selection information are transmitted A second communication execution unit that executes data communication with the second client device.

  According to the above configuration, in the first case where the server device receives the first method information and the first identification information including the predetermined character string from the first client device, the server device changes the first encryption method. The first target method is selected so that it is preferentially selected over the second encryption method, and second method information and second identification information not including a predetermined character string are received from the second client device. In the second case, the second target method is selected so that the second encryption method is preferentially selected over the first encryption method. As described above, the server device changes the priority order of the first and second encryption methods depending on whether or not the identification information received from the client device includes a predetermined character string. You can choose

  A control method, a computer program, and a computer-readable recording medium storing the computer program for realizing the server device are also novel and useful. A communication system including the server device and the client device is also new and useful.

1 shows a configuration of a communication system. 3 shows a flowchart of processing of the printer according to the first embodiment. A specific case of the first embodiment will be shown. 7 shows a flowchart of processing of a printer according to a second embodiment. A specific case of the second embodiment will be described.

(Configuration of communication system 2; FIG. 1)
As shown in FIG. 1, the communication system 2 includes a printer 10 and a plurality of terminal devices 110, 120, and 130. The printer 10, each terminal device 110, and the like belong to a wireless network formed by an AP (abbreviation of Access Point) 200. In a modified example, the printer 10 and each terminal device 110 may belong to a wired network. Hereinafter, the plurality of terminal apparatuses 110, 120, and 130 may be collectively referred to simply as “terminal apparatuses”.

  Encrypted communication can be executed between the printer 10 and the terminal device. The encrypted communication is communication according to SSL (abbreviation of Secure Sockets Layer) / TLS (abbreviation of Transport Layer Security) (hereinafter referred to as “SSL communication”). SSL communication is encrypted communication in which a common key encryption method and a public key encryption method are combined. In particular, in the present embodiment, the printer 10 functions as a server according to SSL, and the terminal device functions as a client according to SSL. In a modified example, IPsec (abbreviation of Security Architecture for Internet Protocol), SMB (Server Message Block) 3.0, or the like may be employed as encrypted communication.

(Configuration of Printer 10)
The printer 10 is a peripheral device that can execute at least a printing function (that is, a peripheral device of a terminal device). The printer 10 includes an operation unit 12, a display unit 14, a network interface (hereinafter referred to as “I / F”) 16, a print execution unit 18, and a control unit 30.

  The operation unit 12 includes a plurality of keys. The user can input various instructions to the printer 10 by operating the operation unit 12. The display unit 14 is a display for displaying various information. The display unit 14 also functions as a so-called touch panel. That is, the display unit 14 also functions as an operation unit. The network I / F 16 is an I / F for executing wireless communication according to the Wi-Fi system. The print execution unit 18 is a printing mechanism such as an inkjet method or a laser method.

  The control unit 30 includes a CPU 32 and a memory 34. The CPU 32 executes various processes according to the program 36 stored in the memory 34. The memory 34 is configured by a volatile memory, a nonvolatile memory, or the like. The memory 34 stores an encryption method table 38 and screen data 40 in addition to the program 36.

  In the encryption method table 38, the names of the plurality of encryption methods that can be used (that is, interpretable) by the printer 10 and the priorities of the encryption methods are associated with each other. The encryption method includes GCM (abbreviation of Galois / Counter Mode) and CBC (abbreviation of Cipher Block Chaining). In general, GCM has higher security than CBC. Further, the time required to encrypt (or decrypt) data using CBC is shorter than the time required to encrypt (or decrypt) the same data using GCM. In a situation where the printer 10 does not have to execute printing, the GCM priority is set higher in the table 38 than the CBC priority. In a situation where the printer 10 should execute printing, the priority of CBC can be changed in the table 38 so as to be higher than the priority of GCM.

  The printer 10 functions as a WEB server and can transmit screen data 40 representing a WEB page to the outside. For example, when the terminal device accesses the WEB server of the printer 10, the screen data 40 is transmitted to the terminal device.

(Configuration of terminal devices 110, 120, and 130)
The terminal device may be a portable terminal device such as a mobile phone or a smartphone, or may be a stationary terminal device such as a desktop PC. The two terminal devices 110 and 120 are manufactured by the same vendor “XXX”, and the terminal device 130 is manufactured by a vendor “YYY” different from the vendor “XXX”. The terminal device 110 has a printer application 112. The application 112 is an application for transmitting a print notification to the printer 10 before transmitting print data to the printer 10. The data size of the print data is relatively large, and the data size of the screen data 40 described above is relatively small. Therefore, in general, the data size of the print data is larger than the data size of the screen data 40. The application 112 is an application provided by the vendor of the printer 10 and is installed in the terminal device 110 from a server on the Internet, for example. The terminal devices 120 and 130 do not have the printer application 112.

(Printer processing; Fig. 2)
Next, processing executed by the printer 10 will be described with reference to FIG. The following communication executed by the printer 10 is communication via the network I / F 16. Therefore, the description “through the network I / F 16” is omitted below.

  In S12, the CPU 32 monitors whether a trigger signal is received from the terminal device. The trigger signal is a print notification, a status request, ClientHello, or the like.

  In S14, the CPU 32 determines whether the trigger signal is a print notification and a status request. The print notification is a signal transmitted from the terminal device when the printer application 112 is installed in the terminal device and an operation for transmitting encrypted print data is executed in the terminal device. The status request is a signal according to SNMP (abbreviation of Simple Network Management Protocol), and is a signal for requesting transmission of the status of the printer 10. If the CPU 32 determines that the trigger signal received in S12 is a print notification and status request (YES in S14), the CPU 32 proceeds to S16.

  In S16, the CPU 32 determines whether printing can be executed. Specifically, the CPU 32 confirms signals from various sensors (not shown), determines that printing is possible if it is not in an error state (YES in S16), proceeds to S18, and is in an error state. If it is determined that printing is not possible (NO in S16), the process proceeds to S40. The various sensors described above include, for example, a sensor for detecting the remaining amount of consumables (toner, ink, etc.), a sensor for detecting whether printing paper is stored in the paper tray, and the like.

  In S18, the CPU 32 transmits an OK signal indicating that printing is executable to the terminal device, and proceeds to S20. On the other hand, in S40, the CPU 32 transmits an NG signal indicating that printing cannot be performed to the terminal device. When S40 ends, no further communication with the terminal device is executed, and the process returns to S12. Accordingly, it is possible to suppress the communication of print data in a situation where the printer 10 cannot execute printing.

  In S <b> 20, the CPU 32 changes the priority order in the encryption method table 38. Specifically, the CPU 32 changes the CBC priority so that it is higher than the GCM priority. As a result, the CBC is selected with priority over the GCM.

  In S22, the CPU 32 receives ClientHello from the terminal device. ClientHello is a signal for requesting execution of SSL communication. The ClientHello includes information indicating one or more encryption methods that can be used by the terminal device.

  In S24, the CPU 32 selects an encryption method to be used for encrypting the print data. Specifically, the CPU 32 identifies one or more encryption methods included in both the encryption method table 38 and the ClientHello, and selects the one or more already specified encryption methods from the table 38. Select the encryption method with the highest priority. For example, when CBC and GCM are included in both the encryption method table 38 and ClientHello, the CPU 32 has been changed so that the priority of CBC becomes higher (S20). select.

  In S <b> 26, the CPU 32 transmits ServerHello including information indicating the selected encryption method to the terminal device. Thereby, an encryption method to be used for encryption of print data is agreed between the printer 10 and the terminal device. As a result, the terminal device generates encrypted data by encrypting the print data in accordance with the agreed encryption method.

  In S30, the CPU 32 receives the encrypted data from the terminal device. Next, in S32, the CPU 32 generates print data by decrypting the encrypted data using the selected encryption method. In S <b> 34, the CPU 32 supplies the print data to the print execution unit 18 and causes the print execution unit 18 to print the image represented by the print data.

  In S36, the CPU 32 returns the priority order in the encryption method table 38 changed in S20 to the original state. That is, the CPU 32 changes the priority order of the GCM to be higher than the priority order of the CBC. When S36 ends, the process returns to S12.

  If the CPU 32 determines that the trigger signal received in S12 is ClientHello (YES in S50), the CPU 32 proceeds to S52. When an operation for accessing the WEB server of the printer 10 is executed in the terminal device, ClientHello is transmitted without transmitting a print notification and a status request from the terminal device. In this case, YES is determined in S50. S52 and S54 are the same as S24 and S26. Prior to the execution of S52, the priority order in the encryption method table 38 is not changed (that is, the processing corresponding to S20 is not executed).

  In S60, the CPU 32 receives a screen data request from the terminal device. The screen data request is a signal for requesting the printer 10 functioning as a WEB server to transmit the screen data 40.

  In S62, the CPU 32 generates encrypted data by encrypting the screen data 40 using the selected encryption method.

  In S64, the CPU 32 transmits the encrypted data to the terminal device. As a result, in the terminal device, the encrypted data is decrypted using the encryption method included in the ServerHello transmitted in S54, and the WEB page represented by the screen data 40 is displayed on the terminal device. When S64 ends, the process returns to S12.

  If the CPU 32 determines that the trigger signal received in S12 includes only the status request without including the print notification (NO in S50), the process proceeds to S70. When an operation for transmitting unencrypted print data is executed in the terminal device, a status request is transmitted from the terminal device without transmitting a print notification. S70, S72, and S80 are the same as S16, S18, and S40.

  In S74, the CPU 32 receives print data from the terminal device. Since the print data received here is not encrypted, decryption is not executed. S76 is the same as S34. When S76 ends, the process returns to S12.

(Specific case: Fig. 3)
Next, specific cases A to C realized by the process of FIG. 2 will be described with reference to FIG.

(Case A)
In case A, the terminal device that should execute communication with the printer 10 is the terminal device 110 having the printer application 112. The terminal device 110 is set to execute data encryption communication. The encryption methods that can be used by the terminal device 110 are GCM, CBC, and CCM (abbreviation of Counter with CBC-MAC).

  The user executes an operation (for example, selection of a file representing an image to be printed) for causing the printer 10 to execute printing in the terminal device 110. In this case, at T10, the terminal device 110 generates a print notification according to the printer application 112, and then transmits a print notification according to SNMP and a status request to the printer 10 simultaneously.

  When the printer 10 receives the print notification and the status request from the terminal device 110 at T10 (YES in S14 of FIG. 2), the printer 10 transmits an OK signal to the terminal device 110 at T20 (YES at S16, S18). At T22, the printer 10 changes the priority order in the encryption method table 38 (S20).

  When the terminal device 110 receives an OK signal from the printer 10 at T20, the terminal device 110 transmits ClientHello to the printer 10 at T30. ClientHello includes information indicating GCM, CBC, and CCM.

  When the printer 10 receives ClientHello from the terminal device 110 at T30 (S22), first, the GCM and CBC included in both the encryption method table 38 and ClientHello are specified, and then the most GCM and CBC are selected. A CBC having a high priority is selected (S24). In T32, the printer 10 transmits ServerHello including information indicating CBC to the terminal device 110 (S26).

  When receiving the ServerHello from the printer 10 at T32, the terminal device 110 generates encrypted data by encrypting the print data according to the CBC indicated by the information included in the ServerHello at T40. Here, the print data is data obtained using a file selected by the user before T10 is executed. In T50, the terminal device 110 transmits the encrypted data to the printer 10.

  When the printer 10 receives the encrypted data from the terminal device at T50 (S30), the printer 10 generates print data by decrypting the encrypted data according to the CBC at T60 (S32). In T62, the printer 10 executes printing according to the print data (S34).

  When printing is completed, in T70, the printer 10 returns the encryption method table 38 to the state before the change (S36). Since the configuration in which the priority order in the table 38 is changed at T22 and T70 is adopted, the printer 10 can use the changed table 38 when a print notification is received from the terminal device 110. . On the other hand, when the print notification is not received (for example, when transmission of the screen data 40 is requested), the printer 10 can use the encryption method table 38 before the change.

(Case B)
In case B, as in case A, the printer 10 performs communication with the terminal device 110. The user executes an operation for accessing the WEB server of the printer 10 in the terminal device 110. In this case, in T110, the terminal device 110 transmits ClientHello to the printer 10 without transmitting a print notification and a status request.

  When the printer 10 receives ClientHello from the terminal device 110 at T110 (YES in S50), the printer 10 first specifies GCM and CBC included in both the encryption method table 38 and ClientHello, and then from GCM and CBC. The GCM having the highest priority is selected (S52). In T112, the printer 10 transmits ServerHello including information indicating the GCM to the terminal device 110 (S54).

  Upon receiving ServerHello from the printer 10 at T112, the terminal device 110 transmits a screen data request to the printer 10 at T120.

  When the printer 10 receives a screen data request from the terminal device 110 at T120 (S60), the printer 10 generates encrypted data by encrypting the screen data 40 according to the selected GCM at T130 (S62). In T140, the printer 10 transmits the encrypted data to the terminal device 110 (S64).

  When receiving the encrypted data from the printer 10 at T140, the terminal device 110 generates the screen data 40 by decrypting the encrypted data according to the GCM indicated by the information included in the ServerHello at T112 at T150. . In T152, the terminal device 110 displays the WEB page represented by the screen data 40.

(Case C)
In Case C, the terminal device that should execute communication with the printer 10 is the terminal device 120 that does not have the printer application 112. The terminal device 120 is not set to execute data encryption communication.

  The user performs an operation for causing the printer 10 to execute printing in the terminal device 120. In this case, at T210, the terminal device 120 transmits a status request in accordance with SNMP to the printer 10 without transmitting a print notification.

  When the printer 10 receives a status request without receiving a print notification from the terminal device 120 at T210 (NO at S50), the printer 10 transmits an OK signal to the terminal device 120 at T220 (YES at S70, S72).

  When receiving an OK signal from the printer 10 at T220, the terminal device 120 transmits print data to the printer 10 without executing encryption at T230.

  When the printer 10 receives the print data from the terminal device 120 at T230 (S74), the printer 10 executes printing according to the print data without executing decryption at T240 (S76).

(Effects of the first embodiment)
As described above, between the printer 10 and the terminal device 110, encrypted communication of print data having a relatively large data size and encrypted communication of screen data 40 having a relatively small data size are performed. Can be executed. Both the printer 10 and the terminal device 110 can use GCM and CBC. As described above, the time required to encrypt (or decrypt) data using CBC is shorter than the time required to encrypt (or decrypt) the same data using GCM. Therefore, in this embodiment, when the printer 10 receives a print notification from the terminal device 110 (T10 in FIG. 3), that is, when encrypted communication of print data having a relatively large data size is to be executed. Preferentially selects CBC (T22, T32). As a result, the time required for T40 and T60 can be shortened. As a result, the printed result of T62 can be quickly provided to the user. On the other hand, if the printer 10 does not receive a print notification from the terminal device 110, that is, if encrypted communication of the screen data 40 having a relatively small data size is to be executed, the printer 10 preferentially selects the GCM ( T112). Since the data size of the screen data 40 is small, the time required for T130 and T150 can be shortened, and encrypted communication according to GCM having relatively high security can be executed. As described above, the printer 10 can appropriately select the encryption method to be used for the encrypted communication depending on whether or not the print notification is received.

(Correspondence)
The printer 10 and the terminal device 110 are examples of “server device” and “client device”, respectively. The encryption method table 38 is an example of “possible information” and “priority table”. The print notification, client hello, and status request are examples of “function information”, “status request”, and “scheme information”, respectively. CBC is an example of a “first encryption scheme” and a “first target scheme”. The GCM is an example of a “second encryption method” and a “second target method”. The print data and the screen data 40 are examples of “first target data” and “second target data”, respectively. Printing is an example of a “specific function”. The print notification indicating that the printer 10 should execute the print function is an example of “function information indicating that the server apparatus should execute the specific function”.

(Second embodiment; FIG. 4)
A description will be given centering on differences from the first embodiment. In the present embodiment, the terminal device 110 does not have the printer application 112. The printer 10 does not change the priority for selecting the encryption method depending on whether or not the print notification is received, but changes the encryption method according to the vendor of the terminal device that requests execution of printing. Change the priority for selection. The CPU 32 executes the process of FIG. 4 instead of the process of FIG. CPU32 starts the process of FIG. 4, when receiving the status request according to SNMP from a terminal device.

  S112, S114, and S140 are the same as S16, S18, and S40 in FIG. In S120, the CPU 32 determines whether or not Client Hello has been received from the terminal device. CPU32 progresses to S122, when it is judged that ClientHello was received (it is YES at S120). On the other hand, if the CPU 32 receives unencrypted print data without receiving ClientHello, it determines NO in S120 and proceeds to S170. S170 is the same as S76 of FIG. That is, the case where the process proceeds with YES in S112, NO in S114, S120, and S170 is the same as the case where NO in S50, YES in S70, and S72, S74, and S76.

  In S122, the CPU 32 determines whether or not the terminal device is a terminal device manufactured by a specific vendor (for example, “XXX”). Specifically, the CPU 32 determines whether or not the MAC address of the terminal device included in the ClientHello includes a predetermined character string “XXX” indicating a predetermined vendor. As described above, the vendors of the terminal devices 110 and 120 are “XXX”, and when the ClientHello of S120 is transmitted from these terminal devices, the MAC address includes a predetermined character string “XXX”. That is, the predetermined character string “XXX” is a character string assigned in common to a plurality of terminal devices manufactured by the same vendor. In this case, the CPU 32 determines YES in S122, and proceeds to S124. S124 to S136 are the same as S20 and S24 to S36 of FIG.

  On the other hand, the vendor of the terminal device 130 is “YYY”, and when the Client Hello of S120 is transmitted from the terminal device 130, the MAC address does not include the predetermined character string “XXX”. In this case, the CPU 32 determines NO in S122, and proceeds to S150. S150 to S158 are the same as S126 to S134. However, the priority order in the encryption method table 38 is not changed before S150 is executed (that is, the processing corresponding to S124 is not executed).

(Specific case: Fig. 5)
Next, specific cases D and E realized by the processing of FIG. 4 will be described with reference to FIG.

(Case D)
In Case D, the terminal device that is to perform communication with the printer 10 is the terminal device 110 manufactured by the vendor “XXX”. T410, T420, and T430 are the same as T10, T20, and T30 of case A in FIG. Here, ClientH of T430 includes the MAC address of the terminal device 110, and the MAC address includes the character string “XXX” as a part thereof.

  When the printer 10 receives ClientHello from the terminal device 110 at T430 (YES in S120), the printer 10 determines that the MAC address includes the predetermined character string “XXX” (YES in S122), and the priority of CBC is high at T432. The priority order in the encryption method table 38 is changed so as to be (S124). T434 to T470 are the same as T32 to T70 of case A in FIG.

(Case E)
In case E, the terminal device that is to communicate with the printer 10 is the terminal device 130 manufactured by the vendor “YYY”. The terminal device 130 is set to execute data encryption communication. The encryption methods that can be used by the terminal device 130 are GCM, CBC, and CCM.

  T510 to T530 are the same as T410 to T430 of Case D. However, ClientH of T530 includes the MAC address of the terminal device 130, and the MAC address includes the character string “YYY” as a part thereof.

  When the printer 10 receives ClientHello from the terminal device 130 at T530 (YES in S120), the printer 10 determines that the MAC address does not include the predetermined character string “XXX” (NO in S122), and the encryption whose priority is not changed. The GCM is selected according to the conversion method table 38 (S150). T532 to T562 are the same as T434 to 462 of Case D except that GCM is used instead of CBC.

(Effect of the second embodiment)
In this embodiment, it is assumed that the vendor “XXX” of the terminal device 110 requests the vendor of the printer 10 to realize high-speed printing. Therefore, in this embodiment, when the printer 10 receives Client Hello from the terminal device 110 (T430 in FIG. 5), that is, when the MAC address of the terminal device 110 includes the predetermined character string “XXX”, the CBC is displayed. Select preferentially (T432, T434). As a result, the time required for T440 and T460 can be shortened, and as a result, the printed result of T462 can be quickly provided to the user. On the other hand, when the printer 10 receives ClientHello from the terminal device 130 manufactured by the vendor “YYY” different from the vendor “XXX” (T530), that is, the MAC address of the terminal device 130 indicates the predetermined character string “XXX”. If not included, the GCM is preferentially selected (T532). Thereby, the printer 10 can execute encrypted communication in accordance with GCM having relatively high security. As described above, the printer 10 changes the priority of the encryption method according to whether or not the MAC address received from the terminal device includes the predetermined character string “XXX”. Therefore, according to the vendor of the terminal device, It is possible to appropriately select an encryption method to be used for encrypted communication. In particular, since the present embodiment does not employ a configuration in which the priority order of the encryption method is changed depending on whether or not there is a print notification, the vendor of the printer 10 does not have to prepare the printer application 112 for transmitting the print notification. . The printer 10 can appropriately select an encryption method according to the vendor of the terminal device without using a printer application.

  Specific examples of the present invention have been described in detail above, but these are merely examples and do not limit the scope of the claims. The technology described in the claims includes various modifications and changes of the specific examples illustrated above. The modifications of the above embodiment are listed below.

(Modification 1) The printer 10 may be able to use three or more encryption methods (for example, GCM, CCM, and CBC). The time required to encrypt data using the CCM is shorter than the time required to encrypt the same data using the GCM, and the time required to encrypt the same data using the CBC. Longer than. In general, CCM has lower security than GCM and higher security than CBC. In the encryption method table 38, the GCM, the CCM, and the CBC may be arranged in the order from the higher priority to the lower priority before the change, and after the change, from the higher priority to the lower priority. On the other hand, they may be arranged in the order of CBC, CCM, and GCM.

(Modification 2) In the above embodiment, the CPU 32 performs data encryption and decryption according to the program 36 (S32 and S62 in FIG. 2, S132 and S156 in FIG. 4). Alternatively, data encryption and decryption may be executed by hardware such as a logic circuit. That is, the “encryption unit” and the “decryption unit” may be realized by software or hardware.

(Modification 3) The “server device” may be a scanner capable of executing a scan function, or may be a multi-function device capable of executing a multi-function including a print function and a scan function. The scan data has a relatively large data size like the print data. Therefore, when the “server device” is a scanner, for example, in S14 of FIG. 2, it is determined whether or not a scan notification for requesting execution of the scan has been received. After S26, the document is scanned to generate scan data, and the scan data is encrypted according to the encryption method selected in S24. In S30, encrypted data is transmitted, and S32 and S34 are not executed. In this modification, the scan notification and the scan data are examples of “function information” and “first target data”, respectively. Similarly, communication of encrypted scan data may also be executed in the second embodiment. In this case, the process of FIG. 4 is started when ClientHello is received without receiving the status request. Therefore, the processes of S112, S114, S120, S140, and S170 are omitted.

(Modification 4) The “client device” may be a scanner capable of executing a scan function, and the “server device” may be a terminal device such as a PC. In this case, scan data generated by the scanner may be displayed on the terminal device. For example, when the user performs an operation for transmitting encrypted scan data in the scanner, a scan notification is transmitted from the scanner to the terminal device. In this case, the terminal device changes the priority order of the encryption methods in the encryption method table so that the priority order of the CBC is higher than that of the GCM, as in the above embodiment. Thereafter, when the terminal device receives ClientHello including CBC and GCM from the scanner, the terminal device selects CBC according to the encryption method table, and transmits ServerHello including CBC to the scanner. As a result, scan data is generated in the scanner, and the scan data is encrypted according to the CBC. When the terminal device receives the encrypted data from the scanner, the terminal device decrypts the encrypted data according to the CBC to generate scan data, and displays an image represented by the scan data. In addition, for example, when the user performs an operation for transmitting a setting value (for example, default scan setting) in the scanner, Client Hello including CBC and GCM is transmitted from the scanner to the terminal device without transmitting a scan notification. Is done. In this case, the terminal device does not change the priority order of the encryption methods in the encryption method table. Accordingly, since the priority order of GCM is higher than that of CBC, the terminal device selects GCM and transmits Server Hello including GCM to the scanner. As a result, the setting value is encrypted according to the GCM in the scanner. When the terminal device receives the encrypted data from the scanner, the terminal device decrypts the encrypted data according to the GCM to generate a setting value, and executes processing using the setting value (for example, transmission to another scanner, display, etc.) . According to this modification, the terminal device can execute the encrypted communication of the scan data quickly, and can execute the encrypted communication of the set value according to the encryption method having high security. In this modification, the scan function, scan notification, scan data, and setting value are examples of “specific function”, “function information”, “first target data”, and “second target data”, respectively. The scan notification indicating that the scanner should execute the scan function is an example of “function information indicating that the client device should execute the specific function”.

(Modification 5) The “client device” may be a scanner that can execute a scan function, the “server device” may be a printer, and the scanner and the printer may cooperate to realize a copy function. For example, when the user performs an operation corresponding to the copy function in the scanner, a copy notification is transmitted from the scanner to the printer. When the printer receives the copy notification from the scanner, the printer executes S20 to S26 in FIG. 2 to transmit ServerHello including CBC to the scanner, as in the above-described embodiment. As a result, scan data is generated in the scanner, and the scan data is encrypted according to the CBC. When receiving the encrypted data from the scanner, the terminal device decrypts the encrypted data according to the CBC to generate scan data, and prints an image represented by the scan data. Further, for example, when the user executes an operation for transmitting setting values in the scanner (for example, login data (for example, user ID and password) for logging in to the scanner), the CBC and the copy notification are not transmitted. ClientHello including GCM is transmitted from the scanner to the printer. In this case, the printer does not change the priority order of the encryption methods in the encryption method table. Accordingly, since the priority of GCM is higher than that of CBC, the printer selects GCM and transmits Server Hello including GCM to the scanner. As a result, the setting value is encrypted according to the GCM in the scanner. When the printer receives the encrypted data from the scanner, the printer decrypts the encrypted data according to the GCM to generate a setting value, and executes processing using the setting value (for example, setting of login data to the printer itself). According to this modification, the printer can quickly execute the encrypted communication of the scan data, and can execute the encrypted communication of the set value according to the encryption method having high security. In this modification, the copy function (that is, the combination of the scan function and the print function), the copy notification, the scan data, and the setting value are “specific function”, “function information”, “first target data”, “first target data”, respectively. This is an example of “second target data”. Further, the copy notification indicating that the printer and the scanner should execute the copy function is an example of “function information indicating that the server device and the client device should execute the specific function”.

(Modification 6) S20 of FIG. 2 may not be executed, and S20 may be executed before S52. Then, after S60, the encryption method may be executed according to the changed table 38. That is, when receiving the screen data request, the printer 10 changes the priority of the encryption method and selects the encryption method (for example, CBC). When the printer 10 does not receive the screen data request, the printer 10 The encryption method (eg, GCM) may be selected without changing the priority order. According to this modification, the printer 10 can quickly execute encrypted communication of screen data representing a WEB page, and can execute encrypted communication of print data in accordance with an encryption method having high security. it can. In this modification, the screen data request, the screen data 40, and the print data are examples of “function information”, “first target data”, and “second target data”, respectively. In addition, the function of the terminal device that is the client device to display the WEB page is an example of the “specific function”.

(Modification 7) In the second embodiment, the printer 10 may further execute the following processing. That is, the printer 10 may execute the same processing as S122 when receiving the Client Hello from the terminal device without receiving the status request that is the trigger of the processing in FIG. When the printer 10 determines that the MAC address of the terminal device includes the predetermined character string “XXX” (for example, in the case of the terminal device 110), the printer 10 executes S20 and S52 to S64 in FIG. S52 to S64 are executed without executing S20 when it is determined that the MAC address does not include the predetermined character string “XXX” (for example, in the case of the terminal device 130). According to this modification, the printer 10 can appropriately select an encryption method to be used for encrypted communication according to the vendor of the terminal device. In the present modification, the screen data 40 is an example of “first target data” and “second target data”.

(Modification 8) The printer 10 may store the MAC addresses of the terminal devices 110, 120, and 130 in association with the number of times printing is requested from the terminal device. When the MAC address of the terminal device that is the transmission source of the ClientHello matches the MAC address associated with the number of times greater than the predetermined value in S122 of FIG. 4, the printer 10 proceeds to S124 and matches. If not, the process may proceed to S150. According to this modification, the printer 10 can quickly execute encrypted communication with a terminal device that frequently requests execution of printing, and can execute printing according to an encryption method having high security. It is possible to execute encrypted communication with a terminal device that is less frequently requested. In this modification, the MAC address associated with the number of times greater than the predetermined value is an example of “predetermined character string” and “first identification information”, and the number of times equal to or less than the predetermined value is associated with the MAC address. The MAC address is an example of “second identification information”. In this modification, the IP address of the terminal device may be used instead of the MAC address. In this case, the IP address is an example of “first (or second) identification information”.

(Modification 9) In each of the embodiments described above, the CPU 32 executes the program 36 (that is, software), thereby realizing the processes shown in FIGS. Instead, at least some of the processes in FIGS. 2 to 5 may be realized by hardware such as a logic circuit.

  The technical elements described in this specification or the drawings exhibit technical usefulness alone or in various combinations, and are not limited to the combinations described in the claims at the time of filing. In addition, the technology illustrated in the present specification or the drawings achieves a plurality of objects at the same time, and has technical utility by achieving one of the objects.

2: communication system, 10: printer, 12: operation unit, 14: display unit, 16: network I / F, 18: print execution unit, 30: control unit, 32: CPU, 34: memory, 36: program, 38 : Encryption method table, 40: WEB page, 110, 120, 130: Terminal device, 112: Printer application

Claims (14)

A server device,
A memory for storing possible information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method; ,
A receiving unit that receives method information indicating M (M is an integer of 2 or more) encryption methods usable by the client device from the client device;
In the first case, the method information and the function information indicating that at least one of the server apparatus and the client apparatus should execute a specific function is received from the client apparatus. Two or more encryption schemes included in both the N encryption schemes and the M encryption schemes so that the encryption scheme is preferentially selected over the second encryption scheme. A first selection unit for selecting a first target method from among the methods;
A first transmission unit configured to transmit, to the client device, first selection information indicating the selected first target method when the first target method is selected;
When the first selection information is transmitted, communication of the first encrypted data obtained by encrypting the first target data using the selected first target method is performed by the client. A first communication execution unit that executes with the apparatus;
In the second case where the function information is not received from the client device and the method information is received, the second encryption method is preferentially selected over the first encryption method. As described above, a second selection unit that selects a second target method from two or more encryption methods included in both of the N encryption methods and the M encryption methods;
A second transmission unit configured to transmit second selection information indicating the selected second target method to the client device when the second target method is selected;
When the second selection information is transmitted, communication of the second encrypted data obtained by encrypting the second target data using the selected second target method is performed by the client. A second communication execution unit for executing with the device;
A server device comprising: The server device further includes:
A function execution unit for executing the specific function;
The server apparatus according to claim 1, further comprising: a function control unit that causes the function execution unit to execute the specific function related to the first target data in the first case. The function execution unit includes a print execution unit,
The first selection unit receives the method information from the client device after receiving the function information, which is information indicating that the client device transmits data to be printed to the server device from the client device. Select the first target scheme in the first case that is received,
The first communication execution unit receives, from the client device, the first encrypted data obtained by the client device encrypting the first target data using the first target method. And
The server device further includes:
A decrypting unit configured to decrypt the first encrypted data using the first target method and generate the first target data when the first encrypted data is received;
The server device according to claim 2, wherein the function control unit causes the print execution unit to print an image represented by the first target data.   The first selection unit is a status request according to the function information and SNMP (abbreviation of Simple Network Management Protocol) from the client device, the status request for inquiring the status of the server device, 4. The server device according to claim 1, wherein the first target method is selected in the first case in which the method information is received from the client device after the message is received. 5. The server device further includes:
In the second case, the second target data, which is screen data representing a screen to be displayed on the client device, is encrypted using the selected second target method, and the second target data is encrypted. An encryption unit for generating encrypted data of
5. The second communication execution unit according to claim 1, wherein the second encrypted data is transmitted to the client device when the second encrypted data is generated. 6. Server device. The possible information includes a priority table in which priorities of the N encryption methods are described,
In the priority table, the priority of the second encryption method is higher than the priority of the first encryption method,
In the second case, the second selection unit is configured to select the second encryption method preferentially over the first encryption method according to the priority table. Select the target method of
The server device further includes:
When the function information is received from the client device, the priority table is changed so that the priority of the first encryption method is higher than the priority of the second encryption method. 1 change part,
In the first case, the first selection unit is configured such that the first encryption method is preferentially selected over the second encryption method in accordance with the changed priority table. Selecting the first target method;
The server device further includes:
When the first target method is selected, the priority table after the change is stored so that the priority of the second encryption method is higher than the priority of the first encryption method. The server apparatus according to claim 1, further comprising a second changing unit that changes the priority order table. A server device,
A memory for storing possible information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method; ,
A first receiver that receives first scheme information indicating M (M is an integer equal to or greater than 2) encryption schemes usable by the first client device from a first client device;
The first method information and the first identification information for identifying the first client device, the first identification information including a predetermined character string, from the first client device. The N encryption schemes and the M encryption schemes are selected so that the first encryption scheme is preferentially selected over the second encryption scheme in the received first case. A first selection unit that selects a first target method from two or more encryption methods included in both
A first transmission unit configured to transmit first selection information indicating the selected first target method to the first client device when the first target method is selected;
When the first selection information is transmitted, communication of the first encrypted data obtained by encrypting the first target data using the selected first target method is performed in the first A first communication execution unit that executes with one client device;
A second receiving unit for receiving second scheme information indicating L (L is an integer of 2 or more) encryption schemes usable by the second client device from a second client device;
From the second client device, the second method information, second identification information for identifying the second client device, the second identification information not including the predetermined character string, , The N encryption schemes and the L encryption schemes are selected such that the second encryption scheme is preferentially selected over the first encryption scheme. A second selection unit that selects a second target method from two or more encryption methods included in both of the encryption methods;
A second transmission unit configured to transmit second selection information indicating the selected second target method to the second client device when the second target method is selected;
When the second selection information is transmitted, communication of the second encrypted data obtained by encrypting the second target data using the selected second target method is performed. A second communication execution unit that executes with the two client devices;
A server device comprising:   The server device according to claim 7, wherein the predetermined character string includes a character string assigned in common to a plurality of devices including the first client device. The first identification information is a MAC address of the first client device,
The server device according to claim 7 or 8, wherein the second identification information is a MAC address of the second client device.   The server device according to claim 9, wherein the predetermined character string is a character string that constitutes a part of a MAC address, and is the character string that indicates a vendor of the first client device. The possible information includes a priority table in which priorities of the N encryption methods are described,
In the priority table, the priority of the second encryption method is higher than the priority of the first encryption method,
In the second case, the second selection unit is configured to select the second encryption method preferentially over the first encryption method according to the priority table. Select the target method of
The server device further includes:
When the first identification information is received from the first client device, the priority is set so that the priority of the first encryption method is higher than the priority of the second encryption method. A first changing unit for changing the ranking table;
In the first case, the first selection unit is configured such that the first encryption method is preferentially selected over the second encryption method in accordance with the changed priority table. Selecting the first target method;
The server device further includes:
When the first target method is selected, the priority table after the change is stored so that the priority of the second encryption method is higher than the priority of the first encryption method. The server device according to claim 7, further comprising a second changing unit that changes to the priority order table.   12. The time for encrypting data using the first encryption method is shorter than the time for encrypting the same data using the second encryption method. The server device according to any one of the above. A computer program for a server device,
The server device
A memory for storing possible information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method; ,
And a processor,
The computer program causes the processor to execute the following processes:
A receiving process for receiving, from a client device, method information indicating M (M is an integer of 2 or more) encryption methods usable by the client device;
In the first case, the method information and the function information indicating that at least one of the server apparatus and the client apparatus should execute a specific function is received from the client apparatus. Two or more encryption schemes included in both the N encryption schemes and the M encryption schemes so that the encryption scheme is preferentially selected over the second encryption scheme. A first selection process for selecting a first target method from the methods;
A first transmission process for transmitting, to the client device, first selection information indicating the selected first target method when the first target method is selected;
When the first selection information is transmitted, communication of the first encrypted data obtained by encrypting the first target data using the selected first target method is performed by the client. A first communication execution process to be executed with the apparatus;
In the second case where the function information is not received from the client device and the method information is received, the second encryption method is preferentially selected over the first encryption method. As described above, a second selection process for selecting a second target method from two or more encryption methods included in both of the N encryption methods and the M encryption methods;
A second transmission process for transmitting second selection information indicating the selected second target method to the client device when the second target method is selected;
When the second selection information is transmitted, communication of the second encrypted data obtained by encrypting the second target data using the selected second target method is performed by the client. A second communication execution process to be executed with the apparatus;
A computer program that executes A computer program for a server device,
The server device
A memory for storing possible information indicating that the server device can use N (N is an integer of 2 or more) encryption methods including a first encryption method and a second encryption method; ,
And a processor,
The computer program causes the processor to execute the following processes:
A first reception process for receiving first scheme information indicating M (M is an integer of 2 or more) encryption schemes usable by the first client device from a first client device;
The first method information and the first identification information for identifying the first client device, the first identification information including a predetermined character string, from the first client device. The N encryption schemes and the M encryption schemes are selected so that the first encryption scheme is preferentially selected over the second encryption scheme in the received first case. A first selection process for selecting a first target method from two or more encryption methods included in both
A first transmission process for transmitting, to the first client device, first selection information indicating the selected first target method when the first target method is selected;
When the first selection information is transmitted, communication of the first encrypted data obtained by encrypting the first target data using the selected first target method is performed in the first A first communication execution process to be executed with one client device;
A second reception process for receiving second scheme information indicating L (L is an integer of 2 or more) encryption schemes usable by the second client device from a second client device;
From the second client device, the second method information, second identification information for identifying the second client device, the second identification information not including the predetermined character string, , The N encryption schemes and the L encryption schemes are selected such that the second encryption scheme is preferentially selected over the first encryption scheme. A second selection process for selecting a second target method from two or more encryption methods included in both of the encryption methods;
A second transmission process of transmitting second selection information indicating the selected second target method to the second client device when the second target method is selected;
When the second selection information is transmitted, communication of the second encrypted data obtained by encrypting the second target data using the selected second target method is performed. 2nd communication execution processing performed with 2 client apparatuses,
A computer program that executes

Images