JP2018073416A - Owner check system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To realize an IoT terminal device which is not affected by a computer virus, for example.SOLUTION: The IoT terminal device includes: a sensor unit for receiving a target operation or phenomenon and converting it into a sensor electric signal; an addition unit for adding an additive signal to the sensor signal or data output from the sensor unit; a signal processing unit for processing the sensor signal including the additive signal of the sensor unit and the addition unit and converting the sensor signal into sensor digital data; a control unit for detecting the additive signal from the sensor signal, determining whether the additive signal was output from an authentic addition unit, and forming authentication data; and a transmission unit for transmitting the sensor digital data including the authentication data; and a receiving unit for receiving data from the outside with the authentication data.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an owner check system that can be used for an IoT device.

Advances in computer technology and Internet technology have led to the provision of IoT (Internet of Things) such as smart home appliances, connected cars, home security, vending machines, healthcare and medical equipment.
As a result, the range of activities of computer viruses has increased, and the social effects of computer viruses have formed immeasurable situations, and the scope of cyber warfare has expanded and the effects are becoming familiar. Especially when there is no interface or limit like IoT devices, since the input / output operation via the Internet is highly automated, it becomes wireless communication centering on software, so it is unthinkable so far In the face of an infinite security hole, the possibility of malicious operation will be further increased.

  Japanese translation of PCT publication No. 2008-500353 discloses a method of forming a virtual area on software to form a sandbox, executing a computer virus, and performing heuristic detection of the computer virus from its behavior.

  Japanese Patent Laid-Open No. 2007-10297 discloses that a gateway device connected to a user terminal and installed at an entrance to an Internet network includes infection monitoring means for detecting whether or not the user terminal is infected with a computer virus. A terminal disconnecting means for disconnecting the user terminal from the Internet network when it is detected that the user terminal is disconnected from the Internet network by the terminal disconnecting means. In addition, there is described a combination configuration of quarantine means that includes a recovery connection means to be connected, and in which a recovery support apparatus connected to the gateway device executes a computer virus quarantine process on the connected user terminal.

Special table 2008-532133 is a system for detecting a computer virus that impersonates a domain name system (DNS). The system sends a URL to the DNS server and makes an IP request. The means for receiving the notification of the IP address corresponding to the returning URL, the received URL and IP address are compared with the URL data corresponding to the previously stored IP address, and the IP received from the DNS server is compared. A means for detecting whether or not the relationship between the address and the URL matches is described.

  In JP2009-157523A, the communication control apparatus 10 includes a first database 50 provided for each user, a user database 57 that stores a user ID and an IP address assigned to the user's terminal in association with each other. The user database update unit 460 that acquires the user ID of the terminal and the IP address assigned to the terminal from the connection management server 120 and registers it in the user database 57, and the IP address of the transmission source of the communication data including the data file are stored in the user database 57, a user identification unit that retrieves a user ID by searching from 57, a search circuit 30 that performs a search with reference to a record corresponding to the acquired user ID in the first database 50, and infection by a computer virus based on the search result Processing execution circuit 4 for filtering the processed data file Provided with a door. It is described.

The homepage (http://www.aist.go.jp/aistj/press release / pr2006 / pr20061122 / pr20061122.htm) AIST: Development of a high-speed virus check system with rewritable hardware)) A computer virus detection system using an array (FPGA, CPLD, etc.) is described.
Japanese Patent Laid-Open No. 2015-532756 discloses that when an administrator authority file of an IoT terminal is encrypted and moved to a server or the like that manages the terminal and the update program or the like is downloaded, the encrypted administrator authority file is downloaded and decrypted. The configuration to be executed and used is described.
JP-A-116116130 describes that a pairing code during data communication between an IoT terminal and a wireless receiver is encrypted.

In JP-A-2015-122744, a communication element for connecting an IoT device to a specific system is written in a blank column of a multicast IP address and a multicast MAC address, and the IoT device reads data from these address data, It is described that the IP address is always monitored to connect to a specific system.

JP 2013-137745 A Special table 2008-500653 gazette JP 2007-102697 A Special table 2008-532133 JP 2009-157523 A Japanese Patent Laying-Open No. 2015-532756 JP-A-2006-116130 JP2015-122744A

Excerpt from homepage (http://www.aist.go.jp/aistj/press release / pr2006 / pr20061122 / pr20061122.htm) AIST: Development of a high-speed virus check system using rewritable hardware)

In Japanese translations of PCT publication No. 2008-500653, a computer virus program is executed in a virtual space, and detection of a computer virus based on its behavior is disclosed. However, a computer virus attacks this virtual space program, There is a possibility of disguise display, and other prior arts are all detected as virus programs, and the detection method of the back hand is disclosed with the template registered in the security software. It does not disclose countermeasures against virus programs.
Computer viruses can be stored at least continuously and can be transmitted and received inside and outside, so that the purpose of hackers and hackers can be achieved to a minimum. Therefore, Internet-connected devices called IoT are now subject to computer viruses. , DDOS attacks have already been carried out to infect IoT devices, turn them into bots, and attack them.
At that time, we are facing a situation where the number of IoT devices exceeds 100,000.

    The method described on the homepage (http://www.aist.go.jp/aistj/press release / pr2006 / pr20061122 / pr20061122.htm) AIST: Development of a high-speed virus check system using rewritable hardware)) Computer viruses that already exist in a computer virus database and can be detected at high speed within this database range, but are not included in the database, such as recent targeted attack computer viruses. It is hard to say that it is possible to cope with.

In today's so-called cyber-warfare society, it is considered that the best defense is to always keep computer software versions up to date, and the response to unknown computer viruses remains unclear.
In addition, IoT terminals with limited interfaces are more likely to perform various operations using wireless communication as disclosed in Japanese Patent Application Laid-Open No. 2015-122744. The possibility increases and the possibility of infection of IoT devices increases more and more.

In view of the above, the present invention is a sensor unit that receives a desired operation and phenomenon and converts it into a sensor electrical signal, converts the sensor electrical signal of the sensor unit into sensor digital data, and transmits the sensor digital data together with an authentication signal to the outside. A signal processing unit having a transmitting unit for receiving data and a receiving unit for receiving data together with authentication data from the outside,
By verifying the authentication signal, the combination of authentication means (owner unit) for authenticating whether or not the data output from the signal processing unit is authentic data, the authentic data can be obtained without an interface. In addition to being able to send data, authentic data can also be received by confidential handling of authentication data, eliminating the effects of computer viruses that enter illegally from outside, and using a stable IoT terminal To realize.

The authentication signal in the present invention is, for example, data that can be collated such as preset symbols, codes, etc., and the IoT terminal converts a digital signal used for input / output operation of a built-in sensor into an analog signal. It may be a signal for using a unit (circuit).
For example, a digital signal obtained by converting an analog signal indicating a predetermined value with an ADC (a unit (circuit) that converts an analog signal into a digital signal) may be used as the authentication signal.

The predetermined value is, for example, data including a value that is outside or within the output range in which sensor information to be used is output but is not normally output (for example, the owner authentication signal is in the case of an IoT device using a temperature sensor). When the target temperature range for measurement is room temperature, it is 120 degree digital data or -50 degree digital data, which is the limit digital data obtained by AD conversion of the analog output of the sensor.) , A value having a range outside the normal range is converted into digital data and added to form output data.
The predetermined value may not be a value to which a constant value is periodically added, but may be a unique change, for example, a signal whose time or amplitude value changes periodically or randomly. Irregular changes have conditions specific to the owner, and even if they are hijacked by a computer virus, they form an additional signal that is independent of a terminal operating as an IoT that operates for a certain purpose. Thus, it is preferable that the characteristics of the signal be in a state that only the control unit can recognize.
The control unit may store the pattern provided in the additional signal in advance, or may recognize the characteristic by artificial intelligence such as machine learning.
The additional unit consisting of a computer equipped with a combination of CPU, GPU, eMMC, LAN, etc. is independent of other units having signal processing functions, and the characteristics of the signal output therefrom are machine learning such as ADABOOST. Is stored for a predetermined period. The additional unit has an independent storage memory, and sends an additional signal by itself, outputs an additional signal output command from the outside (mainly for a predetermined period after restart), and outputs data by its own timer. It is preferable that the command of the signal processing unit is not accepted except for a predetermined period after the restart.

  The predetermined period is preferably a period from restart until the first external signal is input. In the present invention, it is preferable to adopt a configuration in which an OS and an application stored in a read-only storage unit (memory) by hardware and software are booted, and this is performed every predetermined period. The additional signal output from the unit is learned, its characteristics are stored, and the additional signal output from the additional unit is added to the regular signal output from the sensor or the like. This is because a clean state is formed at least until the first external access after this restart. The time until the first input signal from the outside is received may be set in advance or an irregular state may be set until an external signal is received.

The authentication signal is a control unit that performs an owner check in addition to the additional digital signal added to the sensor data transmitted by the signal processing unit, and the additional digital signal added by replacing or converting the additional digital signal. It may be a signal.
This additional digital signal may be used as an owner authentication code as it is, or may be data in which identifiable text data is added or newly replaced.
In addition, when it is added to the transmission data as the owner authentication data, it may be partly embedded in a plurality of packets or may be added together as surplus data.
The owner authentication data may include a part of the IP address ipv6 and ipv4 of the communication partner and one's own, but when analog data is used, a value that exceeds the threshold when analog data is converted to digital data May change digitally indicating an IP address or the like, and this may be used by an authentication device or a control unit that performs an owner check.

The authentication signal indicating the owner is preferably derived from the sensor output of the IoT terminal as described above, but does not have a sensor, for example, an analysis unit that receives and analyzes an electrical signal as it is. In this case, data resulting from the operation of the analysis unit may be used.
Alternatively, data transmission / reception may be performed while detecting the destination IP address, MAC address, etc. and confirming the destination.

This digital data is further distributed and written in a plurality of packets, and identification at the time of detection is exemplified by adding an identification code, a predetermined time timing, a margin part of a predetermined size of a certain protocol, and the like.
Further, the authentication data may be encrypted to enhance the protection.
As the encryption, for example, a cryptographic algorithm such as a shared key method or a public key method, or a stream cipher such as a Burnham cipher may be used. In particular, the present invention may use a computer chip arranged in a very small space depending on the case called IoT, so that the memory capacity for storing digital data is also small, so that the configuration is relatively simple with hardware. Possible stream ciphers, synthetic ciphers, and other stream ciphers are preferably available.

The sensor unit in the present invention is a connected car, such as one that detects the state of each component of temperature, humidity, position, inclination, rotation speed, acceleration, pulse wave, electrocardiogram, blood flow, blood pressure, GPS, factory, plant, etc. Examples of sensors included in so-called IoT devices such as one or more arranged in smart home appliances, robots, wearable devices, plants, factories, public facilities, etc., are exemplified as ultra-small sensors that are made into chips. .
When the sensor unit is connected, the signal processing unit according to the present invention includes an AD converter and a DA converter depending on the case, and a program such as a microcomputer incorporating a unit for infrared input / output, electromagnetic wave input / output, etc. It may be digitally operated and used by an IoT device, but may be an IC that does not mainly use a program but operates by a gate array such as an FPGA or CPLD.

The storage unit in the present invention is ROM, RAM, NVRAM, FEPROM, SD card, USB memory, SSD, HD, or other media, and a writable storage unit is formed by a single unit or a combination thereof.
The input / output unit in the present invention is for transmitting and receiving packet signals for connection to an external network, and is a unit for inputting and transmitting data in a known format such as Ethernet (trademark) specifications. Indicated by
In the case of using another wireless medium such as an infrared LED or the like in addition to the antenna in the present invention, which is formed of a conductive member based on a frequency band forming a so-called wireless LAN, the antenna along the medium is exemplified. The

  Since the present invention mainly shows a configuration for an IoT device, the Internet using a communication standard such as TCP / IP or FTP is mainly used as a network. However, Bluetooth (registered trademark), infrared rays, etc. Since the wireless medium is also used in the local area, it includes not only the Internet but also other media and networks based on communication standards.

According to the present invention, for an IoT device with a limited interface, data can be input and executed only when owner authentication data can be detected. When data is output, the data that is specified by the owner is included in the output. In addition, by outputting data related to sensor output, it is possible to protect against external attacks, and even if a computer virus script is embedded inside and executed, the owner authentication data cannot be recognized or detected. In such a case, by not transmitting to the outside, an attack from a malicious site is prevented, and even if infected, data is not output to the outside, so that a stable IoT terminal can be used.
When the owner authentication data is inspected, comparison inspection as analog data makes it difficult to easily obtain the authentication data and makes it possible to protect against computer viruses.
Further, by encrypting the authentication data with a stream surfer with high secrecy, it is possible to protect against computer viruses and to form a system using a stable IOT terminal.

The figure which shows one Example of this invention. The figure for demonstrating operation | movement of the Example of this invention. The figure for demonstrating operation | movement of the Example of this invention. The figure which shows the other Example of this invention. The figure which shows the other Example of this invention. The figure which shows the other Example of this invention. The figure which shows the other Example of this invention.

  The present invention is composed of units (circuits) that are located at the entrance and exit of an IoT device and that are physically independent from the IoT device that performs an owner check with the IoT device as an owner or an assignee check as its proxy device. Preferably, the transmission source is confirmed from the transmission data, the authentication data based on the IP address of the transmission source server, the IoT device, etc., or the authentication code, and the communication with other transmission sources is blocked. By doing so, stable communication is performed.

In addition, the present invention is mainly a device whose main task is to convert sensor data into digital data and transmit / receive it. However, the present invention does not necessarily include a device for sensing, for example, receives data from the Internet and drives it. One-way equipment such as an electric drill is also included.
The authentication data and the owner authentication data are data for authenticating the transmission source, and for authenticating the data of the normal transmission source, and can prevent spoofing.
For example, there is provided means for obtaining genuine data only with a part of the legitimate source IP address.
This is exemplified by means for decrypting authentic data by, for example, storing and sharing in advance an encryption key created with the source IP address.

  Specifically, the source IP address was received from the input packet using the four numbers of the IP address converted to other symbols and numbers by a one-way function such as the HASH function as a shared key. At this time, numbers and symbols at predetermined positions are extracted from this, and are input to the decryption algorithm as key elements to decrypt the encrypted data. In addition, by including the traced authentication data replaced with the IP address and the exit data of the present invention, the transmission / reception data becomes the data whose owner is checked, and the influence of the computer virus or the like can be eliminated. .

Encryption protects against computer virus attacks, making it difficult to easily obtain authentication data. However, since the IOT terminal itself is small, the size of the encryption algorithm software cannot be increased.
Therefore, it is preferable to use, for example, an XOR (exclusive OR) IC chip, a random number generation circuit, or a stream cipher type encryption composed of a combination of a sequence generator and a selection circuit.
Since the random number generation circuit has periodicity, a composite type Burnham is provided in which a plurality of number sequence generation circuits are secretly prepared, for example, mounted in an IC chip, and a signal for selecting this is output together with the authentication data. By adopting an encryption method, it is possible to form an encryption circuit that is small, excellent in secrecy, and fast.
Furthermore, the present invention may separately utilize communication using infrared and electromagnetic waves as a wireless medium in addition to transmission / reception of data mainly using a wireless LAN.

Next, an embodiment of the present invention will be described in detail with reference to FIG.
Reference numeral 11a denotes an inlet control unit, which is composed of a microcomputer, a gate array, and the like, and preferably has an input / output port that can be connected to an AD converter (ADC) and other transmission / reception units such as Bluetooth (registered trademark) and infrared data. ing.
11b is an outlet control unit, which has the same configuration as the inlet control unit 11a. Both are separated for explanation, but may be integrated into one control unit. Good.

Reference numeral 11c denotes a D / A converter, which is a circuit for converting a digital signal into an analog signal, and may be built in the control unit, but is added for explanation.
Reference numeral 11d denotes a transmission / reception unit A, which includes infrared LEDs, phototransistors, photodiodes, antennas, and the like, and enables data transmission / reception via a wireless medium 11e including infrared rays, electromagnetic waves, and the like. The transmission / reception unit A11d transmits / receives data to / from the transmission / reception unit B17b. The transmission / reception unit A11d and the transmission / reception unit B 17b may be the same as those currently used for infrared communication and Bluetooth (registered trademark) communication with IoT devices. It is preferable to use one that includes a unit such as a port that supports communication.
An authentication device 12 includes a microcomputer, a storage memory, and the like. In the case of a microcomputer, the inlet control unit 11a or the outlet control unit 11b may be used instead.
The authentication device 12 includes a unit in which the recorded data indicating the input authentication data is stored in the packet and the authentication data are converted into true data.
Whether the data is true or not may store the authentication data of the transmission source stored in advance, and may also secretly store the encryption algorithm and key data for restoration.

For example, as shown in FIG. 1, a comparator 12a is included as a part, and a general circuit using an operational amplifier is illustrated.
The comparator 12a is a circuit in which the output of the output terminal 12a3 is inverted when the input voltage of the input terminal 12a1 exceeds the threshold voltage 12a2.
The comparator 12a is an example of a comparison detection unit, and is not limited thereto, and may be any circuit that changes the output of the output terminal 12a3 when the input voltage exceeds the threshold voltage 12a2.
A plurality of the comparators 12a are arranged, and threshold voltages are set to an upper limit and a lower limit,
A band-like threshold value may be used, or a signal obtained by exceeding the threshold voltage 12a2 may be pulsed to be output as a digital signal having code information.
In this case, since the code information indicates authentication data, authentication data that is more difficult to decipher can be obtained.
Reference numeral 13 denotes an entrance gate, which is mainly configured to block, limit, and delay the movement of the signal from the input / output unit 15 to the signal processing unit 17 and the signal of the input / output unit 15 to the entrance control unit 11a. It is preferable to form a state in which the movement of data is interrupted at least during authentication.

Reference numeral 14 denotes an exit gate, which mainly performs transmission transmission or branch transmission of transmission data from the signal processing unit 17 to the input / output unit 15 to the exit control unit 11b, and performs blocking and connection.
An input / output unit 15 demodulates the modulation signal transmitted from the antenna 16 and converts it into a digital signal, and includes a front-end circuit.
Reference numeral 16 denotes an antenna, which is made of a conductive member having a length, a width, and the like corresponding to a radio frequency to be used, and is formed of a smartphone antenna for several hundred MHz to GHz.

Reference numeral 17 denotes a signal processing unit, which preferably includes an AD converter and a Bluetooth (registered trademark) unit used in an IoT device.
Reference numeral 17a denotes an additional signal output unit, which is composed of RAM (received additional signal data is received from other continuous media when necessary) ROM, NVRAM, EEPROM, SD card, USB memory, etc. This is for storing signal data and outputting the data in response to a request from the signal processing unit 17.
Reference numeral 17b denotes a transmission / reception unit B, which has a configuration similar to that of the above-described transmission / reception unit A11d.

Reference numeral 18 denotes a storage unit that stores an OS program, an application program, and the like that operate the control signal unit 17, and is a sensor electrical output of the sensor unit 19, which temporarily stores the digitized data for a predetermined period. There is also a case of memorizing inside.
The storage unit 18 further includes specific additional data. This is data formed assuming that a legitimate program is activated and sensor digital data is output from the sensor unit, and is encrypted data that is decrypted by the encryption algorithm used by the control unit The value may be formed by, for example, a critical value of a value that can be converted into data by outputting a specific signal when the sensor is activated.

This additional data is decrypted and authenticated at the exit, indicating that normal data is output.
Reference numeral 19 denotes a sensor unit, as long as it is a sensor used in an IoT device as described above. At least a group is formed for each sensor, and the authentication device has a similar sensor for each group. However, it is not limited to this.

20 and 21 are an entrance-side electrical communication path and an exit-side electrical communication path, and wired and wireless are shown. Here, a wired connection is used as an example.
When wireless connection is used, data is transmitted / received via the transmission / reception unit A11d and the transmission / reception unit B17b.
22 is a wireless router, and in some cases, a gateway function is provided, so that authentication using authentication data may also be performed at this part.

Reference numeral 23 denotes a management server for operating the IoT terminal including the control unit 17 or uploading data to the signal processing unit and then executing it to update the program.
Reference numeral 24 denotes a network, which is mainly used as the Internet, but may also indicate an intranet, extranet, Bluetooth (registered trademark), or an infrared network.

Next, the inlet operation of FIG. 1 will be described with reference to FIG.
The program that operates in the signal processing unit 17 is, for example, a WEB server type program, and a signal processing unit that does not have an interface can perform upload / execution of an update program by performing packet communication using TCP / IP, FTP, or the like. This is exemplified automatically.
When data is transmitted from the management server 23 to the signal processing unit 17, a wireless modulated packet signal is output from the wireless router 22 and transmitted to the input / output unit 15 via the antenna 16. The The input / output unit 15 demodulates the modulated packet signal and transmits it to the entrance gate 13.
There are cases where the data addressed to the signal processing unit 17 is different from the update program and the authentication data, and packet data having different IP addresses may be transmitted. Data indicating the relationship is also included in both as authentication data. It is preferable that

The entrance gate 13 outputs this packet signal to the entrance control unit 11a. At that time, when the signal is a packet including data and the communication destination is the signal processing unit 17, the entrance gate 13 may pass it for a predetermined time after authentication, for example. In some cases.
When a program is supplied to the signal processing unit 17, there are updates, changes, additions, etc.
A signal processing unit that does not have an interface for performing artificial input is executed after downloading, but in this embodiment, it is not executed unless there is an execution permission signal from the transmission / reception unit B17b, or the input control unit 11a. As long as the execution permission signal is not transmitted to the signal processing unit 17 through the entrance gate 13, the execution is not performed.
The management server 23, which is the transmission source that transmits the program first, transmits packet data for starting supply to the signal processing unit 17. When the signal processing unit 17 receives this, the download execution code is automatically prepared for activation.
The entrance control unit 11a confirms whether or not the input of the packet addressed to the signal processing unit 17 has been received (201). If the packet data has been received, the owner is in the case of the packet addressed to the signal processing unit 17 (yes). It is confirmed whether or not the authentication has been completed (202), and if it has been completed (yes), it is further confirmed whether or not the predetermined time has passed (203). This predetermined time corresponds to the expiration date of the owner authentication. If this is shortened, the security can be further improved. However, if it is too short, time is taken only by this authentication. It is shown that the process is performed at intervals of several seconds to hundreds of seconds.

If it is within the predetermined time (no), the packet data is transmitted to the signal processing unit 17 in step 219. The signal processing unit 17 shows a case where a process of processing the data in the packet and extracting the payload data is shown. After combining the payload data decomposed within 1000 bytes into one code, A means for executing this is also provided.
When the owner authentication has been completed and a predetermined time has elapsed (203) (yes), or when the owner authentication has not been completed (202) (no),
It is confirmed whether it is the first packet data (204).
If it is the first packet data, an authenticable time limit (A time) is set and counting is started (205).
By making this authenticable time finite, it is possible to determine whether or not the management server 23 performs regular transmission and to check whether there is an abnormality in the network.
The entrance control unit 11a extracts data indicating the location of the authentication data from the authentication device in order to confirm whether or not the authentication data exists in the packet signal.

Since the size of one packet is determined to be 1500 bytes or less, the authentication data may be divided and embedded across all or a plurality of packets.
As the embedding location, for example, the first few digits are embedded after several bytes of a predetermined margin, and the predetermined margin may be stored in the authentication device 12.
Next, it is checked whether or not the owner authentication data is included in the packet by performing the above-described inspection (206). The inspection can exemplify whether or not an identification symbol indicating authentication data in the packet is included.

If it is included (yes), it is confirmed whether it is the first owner authentication data. If so (yes), the owner authentication data confirmation time timer (B time) starts counting (209).
If it is not reception of the owner authentication data (206), it is confirmed whether A time has passed (207) If it is within A time, the step (201) of receiving input packet data is performed next, and A time has passed. If yes (yes), it is determined that there is no input packet data, the A time and the B time are reset (216), and when the construction of authentication data is started, the built authentication data Is reset (217), and the process returns to the input packet data receiving step (201) again. When input / output of data is performed while temporarily storing data in the buffer, such as when the data communication speed is high, the processing time of the input packet at the time of authentication is limited so that there is no erasure due to data leakage etc. It is preferable.

If the next owner authentication data is received or no owner authentication data is received (208), it is confirmed whether or not the B time has elapsed (210).
When the time B has elapsed (yes), the authentication has timed out, the time A and time B are reset, and the data accumulated as authentication data is reset (217), and the input packet data reception step Go to (201) and wait for packet data.
If the B time has not elapsed (no), a part of the received owner authentication data is temporarily stored, and fragmented authentication data is combined (211).

It is confirmed whether or not some of the owner authentication data has been accumulated and the owner authentication data has been formed (212). If it is insufficient (no), reception of input packets is awaited in a reception step (201).
If all the authentication data can be acquired and combined to form the authentication data, the owner check authentication is performed in the next step (213).
In the owner check authentication, when the comparison is made with the owner check data stored in advance by the authentication device 12, the owner check authentication is performed. In some cases, decryption is performed to determine whether the value is true owner authentication data.
Further, when the authentication data is digital data representing analog data, it is converted into analog data by the DA converter 11 c and input to the input terminal 12 a 1 of the comparator 12 a of the authentication device 12.
The voltage of the input signal input to the input terminal 12a1 is compared with the threshold voltage 12a2, and when the voltage exceeds the threshold, the output of the output terminal 12a3 is inverted. When the inverted data is input to the entrance control unit 11a, it is determined that the authentication data is true.

When the owner authentication data is false (214) (no), the entrance gate 13 and the exit gate 14 stop transmitting or receiving data or enter a shut-off state, and further store all data such as A time, B time and authentication data. Reset and, depending on the case, an alert is output to the user (215). Note that the management server 23 can detect an abnormality at this terminal due to the interruption of communication due to physical interruption at the entrance gate 13 and the exit gate 14, so that an alert may not be necessary.
Furthermore, the entrance control unit 11a outputs a deletion signal to the transmission / reception unit A11d.
The transmission / reception unit A11d transmits a deletion signal via the wireless medium 11e and the transmission / reception unit B17b, and the signal processing unit 17 receives the signal and deletes data such as a downloaded program.
If the owner authentication data is true (214) (yes), the recording of the A time and the B time is reset (218), and the input packet data is transmitted to the signal processing unit 17 via the entrance-side electric communication path 20 ( 219). Further, an execution permission signal is output to the transmission / reception unit A11d, and the signal processing unit 17 receives the execution permission signal and executes the downloaded program.
The target update program or the like is downloaded to the signal processing unit 17 but cannot be executed unless, for example, a specific signal is input from the transmission / reception unit B 17b, and the authentication operation in the entrance control unit 11a is performed. At times, only downloading can prevent data confusion during high-speed communication.

The operation of the outlet control unit of the embodiment shown in FIG. 1 will be described with reference to FIG.
When the signal processing unit 17 transmits data to, for example, the management server 23, data to be transmitted in advance is transmitted, and a data supply path to the exit control unit 11b is formed.
When transmitting the sensor data of the sensor unit 19 to the management server 23 or the like, the signal processing unit 17 outputs output packet data including data for transmission to the exit control unit 11b via the transmission / reception unit B17b, and outputs the output control unit 11b. Receives the packet data for transmission (301).

At this time, the exit gate 14 may be blocked so that packet data including data in the payload is not output to the input / output unit 15, but is output when the payload does not particularly include data such as sensor data is not included. Sometimes it is okay.
The exit control unit 11b searches and detects whether additional data is included in the output packet data.

The additional data is stored in the additional signal output unit 17a, and includes data indicating sensor data processed in the first, intermediate, or last packet when the control processing unit 17 tries to transmit data. Digital data or digital data to be converted into analog data.
This data is preferably data unique to the signal processing unit 17, and in addition to preset data, the sensor belongs to the type of data output by the sensor, but the sensor is not sure whether it can be measured, etc. Data that is apparently unique is exemplified.
When the digital signal is converted to digital log data, analog data indicating the value is obtained when the digital signal is D / A converted. .

When this additional data is detected by the exit control unit 11b (step 302 (yes)), an owner check authentication step is activated (303).
The exit control unit 11b inputs the data to the D / A converter, and then inputs the obtained analog data to the comparator 12a in which a predetermined threshold is set.
When the output of the comparator 12a changes from high to low or from low to high, the value is shown to be owner-created data and the owner is permitted (yes).

If permission is not granted in step 304, the exit gate is blocked, or at least the packet including the payload is set not to be output to the outside (306).
When the exit gate is blocked, there may be a case where an abnormality can be indicated to the outside, for example, the management server 23.
If the owner permission is given in step 304 (yes), the additional data is deleted from the output packet (305), and a part of the preset authentication data is written in the margins of the plurality of subsequent output packets. The received packet data is instructed to the signal processing unit 17 (307).
In addition, you may instruct | indicate via the transmission / reception unit A11d to add new data to the site | part from which the additional data was deleted.
This additional data becomes authentication data of the main body, and newly added data becomes proxy authentication data. When this authentication data (additional signal) is deleted by replacement or conversion, the authentication data (additional signal) is not leaked to the outside, increasing confidentiality and newly used as authentication data. Is possible.
This packet data is output from the signal processing unit 17, but when deletion or replacement cannot be performed, deletion or replacement may not be performed, for example, only inspection is performed or a new packet data signal is added.

The embedded output packet is transmitted to the input / output unit 15 (308), and the input / output unit 15 modulates the packet data, amplifies the power, etc., and outputs it to the antenna 16 as a wireless output enabled state.
Data output from the antenna 16 is received by the wireless router 22 having a gateway function and transmitted to the management server 23 via the network 24.
The management server 23 separates and extracts the owner authentication data from the received packet data, and verifies whether the data is from a legitimate terminal.

Here, after the additional data is deleted, the owner authentication data divided and embedded in the packet is input to the DA converter, for example, like the additional data, and then compared with the threshold value by the comparison unit, and the true authentication is performed. There may be a case in which the data is confirmed.
Since IoT devices handle analog data, AD converters, microcomputers with built-in DA converters, FPGAs, and CPLDs are common, and the configuration can be simplified by using the authentication means, and physical Even if an IoT device is infected with a computer virus and controlled by a malicious program by a separate control unit, the connection with the outside is controlled based on the authentication data, so that the computer virus The influence can be cut off.

Further, unless the data input from the entrance gate includes authentication data, an executable computer virus is not formed in the signal processing unit, so that an attack from the outside can be blocked.
FIG. 3 shows that when the signal processing unit 17 tries to transmit data to the outside of the management server 23 or the like, in the case of sensor data to which a genuine additional signal is added after checking with the exit control unit 11b in advance. Although the instruction to replace the additional signal with the authentication data is given to the signal processing unit 17 and the output packet data is changed and outputted,
When a protocol capable of communication only between the exit control unit 11b and the signal processing unit 17 is used, the exit control unit 11b receives the packet data output from the signal processing unit via the exit gate 14 and performs inspection. In some cases, the additional signal may be deleted, packet data with new authentication data added may be created, and this may be transmitted from the exit control unit 11b to the management server 23. In this case, it is preferable that the IP address of the exit control unit 11b is registered in the management server 23. However, in the case of encryption, there is a case where registration is not necessary because the decryption process is authentication.
The signal processing unit 17 transmits only sensor data, the exit control unit 11b transmits authentication data, and the management server 23 authenticates using both to acquire authentic data.

Next, another embodiment will be described with reference to FIG.
Reference numeral 40a denotes an entrance / exit control device, which is a part for transmitting and receiving data from the outside. Reference numeral 40b denotes a sensor data processing unit that converts the sensor output signal into digital data and outputs the digital data to the transmission / reception unit B410 that performs near-field transmission / reception using infrared and radio waves as a medium.
401 is a control unit, which is composed of a microcomputer including the DA converter and AD converter shown in FIG. 1, FPGA, CPLD, other SoC, etc., and performs an owner authentication operation, and also a packet transmitted from the outside A means for separating and forming program data from data, and sensor data output from a sensor terminal are transmitted to the outside as packet data including authentication data.

  Reference numeral 402 denotes an authentication sensor unit that includes the comparator circuit shown in FIG. 1 and stores authentication data and the like in advance. The authentication sensor unit includes an analog-to-digital converter such as a photocoupler including a specific sensor, converts an input analog signal into an optical signal, converts it into an electrical signal again, and converts the analog electrical signal at that time The digital signal may be converted into a digital signal. The sensor unit includes, for example, an optical element that previously captures a part with poor conversion efficiency for each wavelength spectrum of light that is not rated, and can be converted into an analog signal that outputs the wavelength of the part with poor conversion efficiency It is also possible to authenticate the owner using simple digital authentication data.

Reference numeral 403 denotes a gate unit, which includes the entrance gate and the exit gate shown in FIG. 1, and has a configuration capable of blocking or regulating data when an abnormal signal is input / output.
Reference numeral 404 denotes an input / output unit, which includes a modulation unit for transmitting / receiving data in a desired frequency band, a demodulation unit, a power amplification circuit for transmitting / receiving packet data from an antenna, and the like.
Reference numeral 405 denotes an antenna for transmitting and receiving wireless packet data for wireless communication.

A transmission / reception unit 406 includes an input / output device that can use a medium such as Bluetooth (registered trademark) (inductor), infrared (LED, phototransistor), and direct WIFI.
The transmission / reception unit A406 may be used in combination with the antenna 405 or may be used via a network.

Reference numeral 407 denotes a signal processing unit, which is composed of a microcomputer, FPGA, CPLD, or other SoC (System-on-a-chip) that constitutes an IoT device, and digitally converts sensor signal data from the sensor unit 409. The sensor digital data is temporarily or continuously stored in the memory of the storage unit 408, and programs such as OS and applications stored in the storage unit 408 are read and executed.
Reference numeral 407a denotes an additional signal output unit for outputting an additional signal to an arbitrary part when sensor data or the like is output from the signal processing unit 407.
Reference numeral 409 denotes a sensor unit, and reference numeral 408 denotes a storage unit, which has the same configuration as that shown in FIG.

Reference numeral 410 denotes a transmission / reception unit B, which can communicate with the same configuration as the transmission / reception unit of the entrance / exit control device 40a.
Reference numeral 41 denotes a wireless router capable of wireless communication, and in some cases, a router having a gateway function for connecting to other networks is exemplified. Data is transmitted and received using radio waves of several MHZ to several tens of GHZ as the wireless medium 41a.

Reference numeral 42 denotes a network, which is mainly exemplified by the Internet, but may include a local area network and other mobile phone networks.
Reference numeral 43 denotes an administrator server for normally managing IoT devices.

The operation of the embodiment shown in FIG. 4 will be described.
Enter data

When the signal processing unit application program update, addition, or upgrade software is transmitted from the management server 43 or the like, the transmission data is received by the antenna 405 via the network 42 and the wireless router 41. Since the data is packet-type data using the TCP / IP protocol, transmission and reception are alternately performed. However, for the sake of explanation, explanation is limited to data input.

In addition, in the case of data input such as program upload from the regular management server 43, data to that effect is added to the packet data, and the control unit 401 recognizes this and forms a data reception mode. be able to. Therefore, the entrance / exit control device 40a has a configuration in which an IP address is automatically or fixedly assigned as a substitute for the sensor unit.
The data input to the input / output unit 404 is packet data cut to 1500 bytes or less, and this packet data is supplied to the control unit 401 via the gate unit 403.

The control unit 401 combines the divided program data described and embedded in the payload in the packet data, and detects the authentication data mainly from the part of the payload of the packet data. Perform the operation of stitching together.
The authentication data and the upload data may be written together in a state separated by a space or the like, or may be incorporated into different packets.
When the divided authentication data is combined, the control unit 401 transmits the authentication data to the authentication sensor unit 402 and compares it with the authentication data stored in advance to determine whether it is legitimate data. The analog signal may be input to the DA converter and converted into an analog signal, and this may be judged by an analog detection device such as a comparator as described in the operation of FIG.

When the data input by the control unit 401 can be authenticated as legitimate data based on the determination signal output from the authentication sensor unit 402, the signal processing unit 407 is transmitted via the transmission / reception unit A406 and the terminal transmission / reception unit B410. Send to.
Upon receiving this data, the signal processing unit 407 stores the data in the storage unit 408 and automatically executes the reception program as necessary.

Exit processing

The signal processing unit 407 explains the operation when transmitting the sensor unit 409 to the management server 43.
A transmission start signal indicating that the management server 43 data is to be transmitted is output to the terminal transceiver unit B410. The transmission start signal is received by the control unit 401 via the transmission / reception unit A406, and as a packet signal including the transmission source IP address (entrance / exit unit) and the transmission destination IP address (management server), the gate unit 403 and the input / output unit 404 are transmitted. And it transmits to the wireless router 41 via the antenna 405 and the wireless medium (radio wave) 41a.
The signal processing unit 407 organizes the sensor data and forms it as transmission data. Then, the signal processing unit 407 obtains the additional signal data from the additional signal output unit 407a and transmits it to the control unit 401 together with the sensor data.

  The control unit 401 separates the additional signal data from the received sensor data, and transmits this to the authentication sensor unit 402 or inputs the data to the built-in DA converter (shown in FIG. 1). After being converted to an analog signal, it is output to the authentication sensor unit 402. If it is determined that the additional signal is normally output from the signal processing unit 407, the authentication data composed of the additional signal or the authentication data adjusted in advance is divided or adjusted for packet transmission, and The sensor data is divided and adjusted into a packet signal format, the authentication data packet and the sensor data packet are identifiably combined and transmitted to the gate unit 403, and output to the antenna 405 through the gate unit 403 and the input / output unit 404.

When it is determined that the additional signal data is not normally created by the regular signal processing unit 407 due to verification, operation, or the like of the authentication sensor unit 402, the control unit 401 transmits the data to the gate unit 403. A signal for shutting off the packet is output and the creation of packet data is interrupted.
When the gate unit 403 interrupts transmission / reception of data, the management server 43 can recognize that the transmission / reception of data has been interrupted and can authenticate that there is an abnormality in the IoT terminal.
Even in the case of a computer virus attack, the control unit 401 is attacked, and when there is no authentication data, a data blocking state is formed by the gate unit 403, so that the signal processing unit 407 is not affected and stable data communication is performed. It can be carried out.

Next, another embodiment will be described with reference to FIG.
In FIG. 5, 50a is an authentication unit, and 50b is an IoT terminal unit.
Reference numeral 501 denotes a control unit including an AD converter, a DA converter, a Bluetooth (registered trademark) output, a microcomputer having a port for performing infrared output, an FPGA, a CPLD, and other SoCs. This is a unit that separates and extracts additional data and authentication data from input data and determines whether the data is legitimate.
Further, the control unit 501 outputs an instruction signal to the instruction output unit 504 based on the determined content.

Reference numeral 502 denotes an authentication sensor unit, which is shown in FIGS. 1 and 4, and includes authentication data input from the control unit 501, data for determining the authenticity of additional data, and a comparator circuit for determining the authenticity. Etc.
A transmission / reception unit 503 includes a Bluetooth (registered trademark) antenna, an infrared transmission / reception LED, a phototransistor, a direct WIFI, and the like.
An instruction output unit 504 includes the same elements as the transmission / reception unit A503, and may be used together with the transmission / reception unit A503.
Reference numeral 505 denotes a signal processing unit, which is composed of an A / D converter, a D / A converter, a microcomputer equipped with an analog converter, FPGA, CPLD, and other SoCs as in FIGS. 1 and 4, and receives data from the sensor unit 506. This is for receiving, forming sensor data together with the additional data, further converting it into a packet signal and transmitting it to the input / output unit 511.
Further, the signal processing unit 505 combines the packet data input from the outside with the transmission / reception unit B508, and then outputs it to the transmission / reception unit B508 without executing it.

Reference numeral 505a denotes an additional signal output unit for generating or previously storing an additional signal and outputting it to the signal processing unit 505 as in FIG. In this embodiment, the additional signal is directly used as authentication data.
Reference numeral 506 denotes a sensor unit, which is provided with a target sensor and outputs an analog electric signal, similar to that shown in FIG.
Reference numeral 507 denotes a storage unit, which is composed of a memory IC, a storage medium, a storage device, etc., similar to the one shown in FIG. 1, and temporarily or continuously stores an OS program, application program, and other sensor data. Is for the purpose.

Reference numeral 508 denotes a transmission / reception unit B, which has the same configuration as that of the transmission / reception unit A503.
Reference numeral 509 denotes an instruction input unit that receives an output from the instruction output unit 504 and converts it into instruction data. When the instruction output unit 504 is an infrared LED, the instruction input unit 509 receives infrared rays. It is composed of units.
Reference numeral 510 denotes an instruction unit that forms and outputs a signal for stopping the transmission / reception operation of the input / output unit 511 based on instruction data transmitted from the instruction input unit 509.
The instruction unit 510 transmits the executable instruction data to the signal processing unit 505 when the instruction data transmitted from the instruction input unit 509 is the executable instruction data of the program.

  Reference numeral 511 denotes an input / output unit for modulating and demodulating packet data, and for blocking and stopping input / output of packet data to be transmitted and received based on an instruction from the instruction unit 510.

Next, the operation will be described.
When inputting program data such as an update program transmitted from the management server 53,

Packet data consisting of program data transmitted via the network 52 is transmitted to an IP address provided in the IoT terminal unit 50b. The transmitted packet data is received by the antenna 512 via the wireless router 51 and the wireless medium 51a such as radio waves.
The packet data input via the antenna 512 is demodulated by the input / output unit 511 and transmitted to the signal processing unit 505. The signal processing unit 505 combines the program data and authentication data distributed in the packet data to generate one executable program. The authentication data is distributed and stored in several places in the program data, or is distributed and described in other payloads, and the part is recorded with a identifiable code or recorded so as to be identified by a predetermined blank. ing. The authentication data may be either text data or binary data, and may be output to the transmission / reception unit B 508 by being combined with a blank or the like as it is.

The transmission / reception unit A 503 receives this data and transmits it to the control unit 501.
The control unit 501 completes the distributed authentication data by detecting and combining the data, and transmits the authentication data to the authentication sensor unit 502 as it is. If it is binary data for DA conversion, it is sent to the DA converter, converted to an analog signal, and then input to the comparator circuit to check the threshold value. Confirm.
In the case of regular data, the fact is transmitted to the instruction output unit 504.
The instruction data of the instruction output unit 504 is received by the instruction input unit 509, and the executable instruction data is transmitted to the instruction unit 510. The instruction unit 510 outputs an execution permission signal to the signal processing unit 505.

This execution permission signal outputs a signal “1” to a specific digital input port, so that the program of the signal processing unit 505 recognizes this and causes the signal processing unit 505 to execute the program. .
If the data is not regular data, a signal indicating that is transmitted to the instruction output unit 504. The instruction output unit 504 outputs a signal indicating that the data is not regular data to the instruction input unit 509, and the instruction input unit 509 outputs this signal to the instruction unit 510.
The instruction unit 510 outputs a signal to the input / output unit 511 to interrupt the transmission / reception path. The input / output unit 511 blocks the transmission / reception path. The management server 53 detects the interruption of data and confirms that there is an abnormality in the IoT terminal.

  In addition, an erasure signal that is an execution non-permission signal is transmitted to the other input port of the signal processing unit 505. Based on this signal, the signal processing unit 505 monitors the signal input to the other input port and erases the combined program data existing inside.

When transmitting sensor data from the signal processing unit 505 to the management server 53

The signal processing unit 505 transmits the sensor data and the additional signal data transmitted from the additional signal output unit 505a to the transmission / reception unit B508.
The sensor data and additional signal data output to the transmission / reception unit B508 are transmitted to the transmission / reception unit A503 and supplied to the control unit 501.
For example, the additional signal data is transmitted to the authentication sensor unit 502 and collated with authentication data (additional signal data) stored in advance, or input to the DA converter and then compared with threshold data by a comparator circuit. If they match, a signal indicating that the signal is a normal signal is output to the instruction output unit 504 and transmitted to the instruction unit 510 via the instruction input unit 509.

The instruction unit 510 outputs a signal for permitting transmission to a specific port of the signal processing unit 505 and outputs a permission signal to a specific input port of the input / output unit 511.
The input / output unit 511 enables connection to the outside based on the permission signal.
If the control unit 501 determines that the data is not normal, the control unit 501 outputs that fact to the instruction output unit 504 and outputs a signal indicating that the data is not normal to the instruction unit 510 via the instruction input unit 509. The instruction unit 510 outputs an erasure signal to a specific input port of the signal processing unit 505, and the signal processing unit 505 erases the data.
Further, the instruction unit 510 blocks the data transmission / reception path of the input / output unit 511 and notifies the management server 53 of the abnormality of the IoT terminal.
In this embodiment, a configuration in which an authentication unit is used as an external unit centering on an IoT terminal is shown. By making this authentication unit easy to exchange, it is possible to perform authentication with a wider application range.

Next, another embodiment of the present invention will be described with reference to FIG.
The present invention transmits and receives packet data in which authentication data that can be authenticated in an analog or digital manner is embedded. At the time of authentication, it is separated and extracted, and by performing analog and digital comparison authentication, when checking the owner whether it is legitimate data, it is difficult to decipher outside, and stable authentication is performed. An embodiment to be performed will be described with reference to FIG.
In FIG. 6, reference numeral 601 denotes a control unit, which is composed of a microcomputer and other SoCs, and has the same configuration as the embodiment shown in FIG.
Reference numeral 601a denotes a transmission / reception unit A, which includes an LED, an infrared LED, an antenna, a phototransistor, and the like. For transmission / reception of data at a short distance by a medium radio 601a1 such as an infrared ray and a radio wave as in the transmission / reception unit of FIG. Is.
Reference numeral 602 denotes an entrance gate, which is a SoC device capable of preventing data transmission / reception such as a bus switch, an analog switch, a relay switch, a logic digital switch, or an IC chip that can turn on / off data transmission. Is formed.
Reference numeral 603 denotes an exit gate, which is formed of hardware switches similar to the entrance gate 602.

Reference numeral 604 denotes an XOR (exclusive OR) gate, which is preferably composed of an XOR gate IC and a logic IC, but may be composed of software of the control unit 601.
Reference numeral 605 denotes a sequence generator A that outputs a discontinuous numerical value or a binary data array in which a predetermined number is arrayed. Reference numeral 606 denotes a sequence generator B, and reference numeral 607 denotes a sequence generator C, which outputs sequence data of different patterns. This numerical sequence is displayed as a binary data sequence in the case of binary data and in the case of hardware processing.
Reference numeral 60a denotes a selector for selecting a combination of the sequence generator A605, the sequence generator B606, and the sequence generator C607, and performs selection by inputting a selection signal.
For example, in the case of BCA, the sequence generator B606 is output in a sequence for outputting a predetermined time, the sequence generator C607 is output for a predetermined time, and the sequence generator A605 is output for a predetermined time, and this is output to one signal path by the OR gate 60b. Add and output to XOR gate.
In the case of software, the sequence generators A605 to C607 are preferably sequence generators based on text data.
An OR gate 60b is composed of a CMOS, TTL, and general-purpose logic IC having three input terminals, and adds three digital signals to convert them into one digital signal.
Reference numeral 608 denotes a DA converter, which is a unit (circuit) that converts a digital signal into an analog signal. When the digital signal is incorporated in the control unit 601, the DA converter may be used.

Reference numeral 609 denotes an authentication device which is connected to the output of the DA converter 608 or the XOR (exclusive OR) gate 604 and compares the decrypted authentication data with previously stored authentication data, The output value is compared and checked with a threshold value.
This is for outputting the result of comparison and collation to the control unit 501.
Reference numeral 610 denotes an input / output unit, which is a circuit for performing modulation, demodulation, and power amplification for wireless communication.

Reference numeral 611 denotes an antenna, which is composed of a conductive member, a coil, and the like that transmit and receive modulated data in a predetermined frequency band.
A signal processing unit 612 includes an AD converter, a DA converter, Bluetooth (registered trademark), an infrared transmission / reception port, and has a configuration similar to that of FIG. Data for combining additional data is converted into packet data and output.
Reference numeral 612a denotes an additional data output unit, which is formed of analog or digital data including the content that it is regular output data, and has the same configuration as that shown in FIG.
The additional data output unit 612a may store the content of data in the storage unit 614 in advance, and may be read and used when necessary.
A transmission / reception unit B 612b includes a phototransistor, a CDS, a photodiode, an antenna, and the like. The transmission / reception unit B performs transmission / reception of data using a wireless medium 601a1 such as infrared rays and radio waves in a set with the transmission / reception unit A 613 1 is a sensor unit that takes the configuration shown in FIG. 1, for example, if it is a temperature sensor, it outputs analog data indicating the temperature value and is digitally converted by an AD converter built in the signal processing unit 612 or an independent AD converter. Convert to signal and output digital signal.
A storage unit 614 includes a digital memory and stores an OS program, an application program, and the like, and temporarily or continuously stores digital data output from the sensor in a binary format or a text format.

The operation of the embodiment shown in FIG. 6 will be described.

When the signal processing unit 612 outputs the sensor data to the management server 64 together with the additional data to be analog compared,

When the signal processing unit 612 intends to transmit sensor data or the like to the outside, the additional data is combined with the sensor data, and the packetized data is output in the direction of the transmission / reception unit 612b.
When receiving the packet data, the transmission / reception unit 612b transmits the packet data to the control unit 601 via the transmission / reception unit 601a.
The control unit 601 outputs the received additional data to the DA converter 608. The additional data input to the DA converter 608 is converted into an analog signal, compared with the threshold value by the comparator circuit of the authentication device 609, and the result is output to the control unit 601.

When the authentication result of the authentication device 609 is true, the control unit 601 ORs the output sequence of the sequence generator A605 to the sequence generator 607 in which this additional data is combined by the selector 60a based on the sequence selection signal. The combined composite number sequence data and the additional data are encrypted by the XOR gate 604 and the encrypted additional data and the sequence selection data are combined, and the transmission / reception means A 601a to the transmission / reception means B 612b are combined. To the signal processing unit 612. The signal processing unit 612 again creates packet data in which the encrypted additional data and the selection data are embedded, and outputs the packet data to the input / output unit 610 via the exit gate 603.
The input / output unit 610 modulates this, outputs it wirelessly from the antenna 611, and transmits it to the wireless router 62 via the wireless medium 62a. The sensor data that has reached the wireless router 62 is transmitted to the management server 64 via the network 63.

The management server 64 has the configuration shown in FIG. 6, separates and extracts the encrypted authentication data and selection data, selects C from the sequence generators A to C based on the selection data, and combines them with an OR gate. The encrypted additional data is restored by inputting the sequence data and the encrypted additional data to the XOR converter, and is input to the DA converter and the authentication device whether the data is legitimate data. And determined from the result.
When the additional data is false, the control unit 601 blocks the exit gate 603. Due to this blocking, the management server 64 can notice an abnormality because the packet data communication is blocked.

When executable data such as program data is transmitted from the external management server 64 to the signal processing unit 612

An executable data packet such as an update program is transmitted from the management server 64 or the like via the network 63, and the packet data includes encrypted authentication data and sequence generator selection data.
The wireless router 62 modulates this data packet with a carrier wave and outputs it wirelessly, and the antenna 611 receives it via the wireless medium 62a. The modulated packet data received by the antenna 611 is demodulated by the input / output unit 610 and transmitted to the control unit 601 through the entrance gate 602.

The control unit 601 extracts the encryption authentication data from the demodulated packet data, extracts selection data for selecting the sequence generator, and inputs the selection data to the selector 60a.
The selector 60a generates a composite number sequence by combining the generated data of the number sequence generator by the OR gate 60b in the order based on the selection data. The composite number sequence data and the encrypted authentication data are input to the XOR gate 604 to be decrypted, and the decryption authentication data is input to the DA converter 608. Synthetic sequence data at the time of encryption and decryption is synchronized.
The DA converter 608 converts the input digital signal into an analog signal, which is input to the comparator circuit of the authentication device 609 and compared with a threshold value.

As a result of the threshold comparison, if the threshold is exceeded, or if the data is in the upper and lower threshold voltage ranges, this is regarded as authentic authentication data, and the authentication device 609 transmits the data to that effect to the control unit 601, 601 transmits the packet data to the signal processing unit 612 via the entrance gate 602.
Here, when packet data is transmitted again to the signal processing unit 612, it takes time and there is a possibility that communication may be hindered. Therefore, packet data is transmitted to the signal processing unit 612 and the control unit 601 at the same time. The signal processing unit 612 performs processing until the divided data is combined to form executable program data, and the drive is based on the execution permission signal input to the transmission / reception means B 612b or the signal from the control unit 501. It is preferable to be performed.

If the restored authentication data is false, the control unit 501 blocks the input gate 602 and the input / output unit 610. By this interruption, the management server 64 can notice that an abnormality has occurred in the IoT terminal.
Further, when packet data and program data obtained by combining the packet data have already been transmitted to the signal processing unit 612, command data for deleting them is transmitted via the transmission / reception unit A601a.
The signal processing unit 612 receives this command data signal via the transmission / reception unit B 612b, and deletes the packet program and the combined program based on the command data.

The stream cipher method using an XOR (exclusive OR) gate is very simple and can form a strong encryption system. By making this a circuit device, the burden on the IoT device is reduced. It is preferable in that the owner check by the authentication data can be realized. In addition, we used a synthesis method in which multiple sequence generators were prepared and combined to form random number data. However, this is not limiting, and even one random number generator can be used sufficiently because the size of the authentication data is small. Sometimes it is possible.
In the case of a stream cipher using an XOR gate, it is preferable that the input random numbers are synchronized during encryption and decryption.

Further, another embodiment of the present invention will be described with reference to FIGS. 7 (a) and 7 (b).
Reference numeral 70 denotes an inspection unit, which includes a target sensing unit in temperature, humidity, atmospheric pressure, illuminance, noise, body temperature, electrocardiogram, other sensors, televisions, digital cameras, digital audio players, HD recorders, etc. Combine control unit for owner check.
Specifically, CPU, GPU, onboard memory, CFAST, CF, SD, USB memory, mSATA, other memory computers and IO ports such as GPIO, serial ports such as UART and RS232C, etc. It is composed of a custom small and ultra-small single board computer, and is composed of an independent terminal or an attached terminal that is used by connecting to a USB socket of a PC (personal computer). ing.
The configuration of the inspection unit 70 will be described.

Reference numeral 701 denotes a signal processing unit, which includes a CPU, GPU, FPGA, CPLD, and other memory as described above, and operates by software or hardware logic.
The signal processing unit 701 has a function of transmitting the sensor signal sent from the combining unit 709 to the center server 73, and also has a function of processing this and transmitting data to other IoT terminals. In some cases, a signal including a schedule signal or a signal that is separately distinguished is output to the input / output unit, or at least only the separated schedule signal is output to the control unit 707.

Reference numeral 702 denotes a sensor unit which performs a desired sensing in a temperature, humidity, atmospheric pressure, illuminance, noise, body temperature, electrocardiogram, other sensors, a television, a digital camera, a digital audio player, an HD recorder, etc. Output as an analog signal.
Reference numeral 703 denotes an additional unit, which is composed of a computer such as a PIC microcomputer or an ASIC such as FPGA or CPLD, and outputs scheduled feature signals. For the time schedule data and the signal output from the sensor unit 702 having the time schedule, a noisy signal is generated by the request signal from the signal processing unit 701 and the time schedule signal is generated by the signal processing unit 701 or the control. Output to unit 707.

The additional unit 703 stores at least a plurality of schedules and random numbers, is connected to the signal processing unit 701 for a predetermined period, and schedule setting is performed. The predetermined period is a period from the reset until the first external input via the network, and is a period in which a schedule can be set.
The signal output from the additional unit 703 is a kind of scheduled noise signal, and the frequency band is preferably narrow enough to be removed by a filter, and is preferably separated from the frequency band of the analog signal output from the sensor unit 702. However, signals that can be easily separated are preferred.

The schedule signal is preferably a signal whose amplitude value, pulse interval, and pulse amplitude of a narrow-band pulse signal that can be easily removed by filtering are variably output at a predetermined time,
Data in which the pulse interval, pulse width, and pulse amplitude of the schedule signal are time-scheduled is created. For example, in the case of a pixel value, a digital schedule such as a change in position coordinates and a luminance value is exemplified.
Reference numeral 704 denotes a storage unit A, which mainly stores an OS program, an application program, and the like, and is further controlled by a switch for manually enabling / disabling writing, a transistor for enabling / disabling writing by an electric signal, and a switch such as an FET relay. It has a configuration.
By default, it is preferably set to a write-disabled state (read-only read-only), and if necessary, the write-enabled state is enabled by an external operation, but preferably includes both a hardware switch and a software switch. When both of these switches are protected on, complete protection is performed.

For example, if the software switch is Windows, uwmggr. In the state where volume protection is enabled in exe, and in LINUX, Read Only conversion is performed by a combination of OverFS, UnionFs, or aufs + fsprotect.
Hardware protection is exemplified by the setting to output a Disable signal to the write terminal. If it is commercially available, a hardware protection switch is attached to the case (made by CUCTUS) or a write prohibition switch is attached to the attached reader. An example is a Cfast type memory, a usb memory with a write-protect switch (Buffalo, etc.).
By mounting both of these protects, it is possible to form a complete read-only configuration that compensates for the software protection security hole.

Further, a circuit that recognizes the state of protecting the writing of the SD card with the state of the switch on the side and controls reading / writing, such as an SD card, may be used.
The storage unit 704 is preferably configured by software that does not perform long-term version upgrades such as the LTSB mode, but the control unit 707 releases the hardware protection switch configured by a relay circuit when performing an update or the like. After that, the reset signal processing unit 701 is in a clean state until external processing is performed, and an instruction signal is sent from the control unit 707 to the signal processing unit 701, and the signal processing unit 701 releases the software protection. It is preferable to start the process module.

The signal processing unit 701 and the control unit 707 are preferably configured so that they can be connected until the signal processing unit 701 communicates with the outside after the restart.
Reference numeral 705 denotes a storage unit B, which is data and can be stored temporarily or continuously. Instead of the non-writable storage unit A704, data in a format that mainly does not affect the computer operation code is stored. The format that does not affect the computer operation code is a format in which at least the signal processing unit 701 cannot be directly referred to at the time of startup and is not read at startup, such as text, jpeg, exe, dll, etc. However, at least as it is, the signal processing unit 701 is always started in a predetermined process at the time of starting, but at that time, it is stored in a state where it cannot be referred to (for example, placed in a holder, a compression holder or the like).

Reference numeral 706 denotes an input / output unit, which is formed of a router, a wireless LAN unit called an access point-based master unit, and the like.
Reference numeral 707 denotes a control unit, which is formed of the same computer as the signal processing unit 701. The control unit 707 outputs a reset signal to the signal processing unit 701 and inputs data at a predetermined time of the control unit 701.

Reference numeral 708 denotes an antenna, which is made of, for example, a conductive member used in WiFi or the like.
In this embodiment, the electromagnetic wave communication of WiFi is used. However, in the case of using other transmission media such as infrared rays, for example, in the case of optical communication, a light emitting diode or the like is applicable.
Reference numeral 709 denotes a synthesis unit, which is configured by a computer, FPGA, CPLD, or the like, and synthesizes analog output signals or digital output signals of the sensor unit 702 and the additional unit 703. The composition is exemplified by operations such as OR, AND, and XOR.

Reference numeral 71 denotes a relay terminal, 72 denotes a network such as a wired or wireless Internet or an intranet, and 73 denotes a center server formed in a cloud format for managing and controlling the terminal. The relay terminal 71 includes a modem, an access point router, and the like, and is connected to a network 72 such as the Internet.
The center server 73 is exemplified by a server for unattended operation or manned operation in the position of obtaining information from the IOT terminal, performing processing according to the purpose, and managing transmission of command data.
Reference numeral 71a denotes a transmission medium, which indicates a LAN cable if wired, or an electromagnetic wave, laser light, infrared light, visible light, etc. if wireless.

Next, the operation of the embodiment will be described with reference to FIG.
The signal processing unit 701 reads and executes the program in the storage unit A 704.
Since the storage unit A 704 is in a Read Only state and is executed while the initial state is maintained, a clean state is always formed at startup.
Limited transmission / reception with the control unit 707 may be performed during this clean state.
For example, updating or correction of a program such as an OS or an application stored in the storage unit A 704 is performed.
Note that it is preferable that the firmware program or the like forming the BIOS can be updated and corrected only at this time.

Starting (or restarting) the inspection unit 70

After activation, the signal processing unit 701 outputs a schedule signal creation instruction signal to the additional unit 703. After forming the schedule signal, the additional unit 703 outputs the schedule signal to the signal processing unit 701. In the case of a schedule signal, for example, in the case of a pulse train, the parameters indicating the pulse interval, the pulse width, and the pulse amplitude are preferably different each time, and may have a periodicity of a random number.
The parameter data of the schedule signal created by the additional unit 703 is output to the signal processing unit 701.

The signal processing unit 701 outputs this parameter data to the control unit 707 from the time of restart until the first update with the outside.
The control unit 707 is preferably stored in a flash memory such as emmc, RAM, etc. only during the period when this data is used, and is overwritten and deleted when new schedule parameter data is sent.
The data indicates to which part of the combined signal output by the combining unit 709 the characteristic signal (noise signal) is added. For example, in the temperature sensor, the characteristic signal (planned noise) is added to the analog data output. Is added systematically. This feature signal is preferably a signal that can be deleted later by filtering. A plurality of feature points are set and added in advance, and a feature point to be used is selected and notified.

It is preferable that the above operation is performed after starting or restarting, at least until connection with the outside is started and data is input from the outside.
That is, since the signal processing unit 701 reads and executes the OS from the read-only storage unit A 704, a clean state is always formed until data is input from the outside.
After outputting the schedule data to the control unit 707, the signal processing unit 701 completely deletes and deletes related data and the like. As a result, even if the signal processing unit 701 is infected with malware and searches for related data, the data itself has disappeared, and the schedule signal cannot be acquired.

Execution of check by owner unit

Here, the owner unit indicates the control unit 707, and the sensor unit 702 performs target sensing and transmits an analog signal indicated by (i) in FIG. 7B to the signal processing unit. Alternatively, although not shown, the signal is converted into a digital signal by an AD converter and output.
The additional unit 703 outputs the schedule signal shown in FIG. 7 (ii) based on the set parameters via the terminal 703a. FIG. 7 (ii) shows an analog signal, but it may be converted into a digital signal.

The schedule data indicates to which part the characteristic signal is added to the sensor unit 702 by the additional unit 703. For example, in the temperature sensor, the characteristic data (planned noise) is added to the analog data to be output. ) Systematically. This feature signal is preferably a signal that can be deleted later by filtering. A plurality of characteristic signals are set and added in advance, and a feature point to be used is selected and notified.
Also, the schedule data does not have a certain regularity, but by machine learning algorithm,
A constant weight data value may be output.
The machine learning algorithm is stored in a ROM, eMMC, SD card or the like of the control unit (owner unit) 707.

In the learning algorithm, for example, predetermined schedule data is formed in advance as time-series data, and the additional unit 703 performs output according to the predetermined schedule data, but includes unique data by hardware or software processing. Yes. For example, there is a deviation, distortion, or the like such that the pulse width is slightly shifted at a constant interval with respect to a pulse signal having a predetermined cycle.
Although the difference exists in any of the different schedule data, it is preferable to output at random timing, and it is preferable that only the additional unit 703 stores the information.

The control unit (owner unit) 707 receives this signal, compares it with the pulse width of the schedule data stored in advance, and if different, forms weight data according to the different amount. This weight data has a format in which the amount, signal length, etc. can be compared. Depending on the degree of coincidence, the weight becomes so large that the weight becomes lighter, but if it is different, the weight becomes heavy. After measuring the change, the threshold characteristic of the schedule data is stored as the owner data by addition, and the change in the weight for each different schedule pattern is learned. Whether it is an additional signal is determined and detected.
The sensor unit 702 performs sensing in accordance with the purpose such as temperature, speed, and image, and outputs the result to the synthesis unit 709 via the output point 702a (FIGS. 7B and 7I). The sensed output has the form of a digital signal converted by AD converter processing and other numerical signals in addition to an analog signal. As this method, a boosting method managed by adding weak learners as described above is preferably used.

The additional unit 703 outputs an additional signal (FIG. 7B, (ii) set in the activation or restart setting to the synthesis unit 709 via the output terminal 703a.
The combining unit 709 combines these inputs as shown in FIG. 7B (iii), for example, and outputs the combined signal to the signal processing unit 701.
The signal processing unit 701 processes data according to the purpose and outputs the processed data to the input / output unit 706.
The input / output unit 706 outputs these data to the relay terminal 71 connected to the network 72 such as the Internet via the antenna 708.

The input / output unit 706 further transmits these data to the control unit 707.
The data format transmitted to the control unit 707 by the input / output unit 706 is exemplified by the same signal as the capture signal, but may be separately adjusted data for the control unit 707, but at least the signal processing Since the unit 701 itself may be infected with a computer virus or the like, the control unit 707 preferably obtains data from the input / output unit 706.

The control unit 707 may receive a sensor signal from the direct signal processing unit 701 in addition to the signal from the input / output unit 706.
When the combined signal output from the combining unit 709 is, for example, an analog signal, the signal processing unit 701 converts the digital signal into a digital signal and transmits the presence / absence of an additional signal in the sensor signal converted into a digital signal in advance. Based on the schedule data of the additional unit 703 transmitted from the signal processing unit 701, and searching based on the schedule signal, a signal permitting output from the input / output unit 706 to the outside is output as enable, If not, it is determined that there is an infection such as a computer virus or malware or other abnormality in the signal processing unit 701, and a reset signal 707a is output to the signal processing unit 701.

In response to the input of the reset signal, the signal processing unit 701 is restarted based on the storage contents of the read-only storage unit 704.
This restart returns to the original state, and if the computer virus is infected, the infection is completely erased, and schedule data that differs from the previous time is created in the additional unit 703. The signal is transmitted from the signal processing unit 701 to the control unit 707 within a predetermined time after restarting.
As described above, the transmission output schedule of the additional unit 703 based on the schedule data is difficult to obtain during the period in which the signal processing unit 701 can be infected (in the network connection state after restarting and after the first external access). Therefore, only the control unit 707 serving as the owner unit that stores the schedule can be inspected.

  In recent years, by realizing stable data transmission / reception by owner check in the rapidly expanding IoT device field, it is possible to solve the security problem and further spread the field widely.

11a Entrance control unit 11b Exit control unit 12 Authentication device 13 Entrance gate 14 Exit gate 15 Input / output unit 16 Antenna 17 Signal processing unit 18 Storage unit 19 Sensor unit 20 Entrance side electrical communication path 21 Exit side electrical communication path 22 Wireless router 23 Management server 24 network

Claims (11)

A sensor unit that receives a desired operation and phenomenon, converts it into an electrical signal and outputs it, a signal processing unit that converts the sensor electrical signal of the sensor unit into sensor digital data and processes it, and the signal processing unit sends an authentication signal to the outside When transmitting the sensor digital data together, the control unit for authenticating whether the sensor digital data is authentic data and outputting the authentication data, the transmitting unit for transmitting the authentication data and the sensor digital data to the outside, and the data from the outside An owner check system having a receiving unit for receiving authentication data.   2. The owner check system according to claim 1, wherein if the data is not authentic data, an abnormality is notified to an organization that manages these devices by gate means for cutting off connection with the outside.   The owner check system according to claim 1, wherein the authenticating unit converts the digital data in the authentication signal into an analog signal and compares the digital data to determine whether the authenticity is true or false.   The owner check system according to claim 1, wherein the authentication data is encrypted using a means for physically encrypting and decrypting.   The owner check system according to claim 1, wherein the digital data is packetized data, and the authentication data is divided and incorporated into a plurality of packets.   The sensor unit detects temperature, humidity, position, inclination, rotation speed, acceleration, pulse wave, electrocardiogram, blood flow, blood pressure, factory, plant, etc., such as a connected car, smart home appliance, robot 2. The owner check system according to claim 1, which is a sensor used in so-called IoT (Internet of Things), M2M, etc., which are arranged in one or a plurality of wearable devices, plants, factories, and public facilities.   5. The owner check system according to claim 4, wherein the encryption is formed by a hardware unit formed by randomly using one or more XOR logic IC chips and a number sequence generator. 6.   2. The owner check system according to claim 1, wherein the data authentication is performed by collecting and authenticating authentication data distributed and stored in a plurality of packet data within a predetermined time.   2. The owner check system according to claim 1, wherein the signal processing unit forms a read-only state and other difficult-to-write states in terms of hardware and software, and is restarted at predetermined intervals.   The authentication means creates schedule data and transmits it to the authentication means at least until the first external communication after the signal processing unit restarts, and the authentication means, based on the schedule data, The owner check system according to claim 1, wherein information output from the signal processing means is inspected and authenticated. 12. The owner check unit according to claim 11, further comprising an additional unit that adds a schedule signal to a signal that is additionally output to the sensor unit, wherein schedule data is formed based on the schedule signal output by the additional unit.

Images