JP4965512B2 - Authentication system, information processing device, storage device, authentication method and program thereof - Google Patents

Description

  The present invention relates to a user authentication technique using encryption means.

  In recent years, with the development of IT technology, various storage media such as flash memory, hard disk, MO, and DVD have become widespread. In the case where confidential information or the like is stored in such a storage medium, an apparatus that can access the storage medium only when user authentication is successful has been developed in order to prevent information leakage due to loss or theft of the storage medium.

JP 2004-362516 A JP 2007-156775 A

  However, it is troublesome for the user to input a password every time the storage medium is accessed.

  In view of the above problems, the problem to be solved by the present invention is to improve the convenience of users when accessing a storage medium while maintaining a certain level of security in a storage device that requires user authentication. It is.

  SUMMARY An advantage of some aspects of the invention is to solve at least a part of the problems described above, and the invention can be implemented as the following forms or application examples.

Application Example 1 An authentication system including an information processing device and a storage device,
A key generation means for generating a public key and a secret key of a public key encryption method;
Identification information receiving means for receiving identification information input by a user of the storage device;
A first key is generated based on the first identification information received by the identification information receiving means, and the first key is encrypted with the first public key generated by the key generation means. First initial setting means for generating two keys and storing the first public key and the second key in a storage medium in the storage device;
A third key is generated based on the second identification information received by the identification information receiving means, the third key is encrypted with the stored first public key, and a fourth key is generated. A first authenticating means for authenticating a user for allowing the user to access the storage medium by comparing the fourth key with the stored second key;
The third key generated based on the second identification information is encrypted with the second public key out of the second public key and the secret key generated by the key generation unit, and the fifth key is encrypted. A second initial setting means for storing the second public key and the fifth key in the storage medium and storing the secret key only in the information processing device;
Registration means for accepting a registration instruction for a predetermined storage device connected to the information processing apparatus and performing an operation for registration of the predetermined storage device;
When a storage device is newly connected to the information processing device, it is determined whether the connected storage device is the registered storage device, and it is determined that the storage device is the registered storage device A secret key providing means for providing the stored secret key for authentication;
Receiving the secret key from the secret key providing means, decrypting the stored fifth key with the secret key, generating a sixth key, and storing the sixth key in the stored first key To generate a seventh key and collate the seventh key with the stored second key so that the user can access the storage medium. An authentication system comprising: a second authentication means for authenticating a user.

  The authentication system having such a configuration generates a secret key used for user authentication and stores it only in the information processing apparatus. The information processing device stores the secret key, and when the storage device is newly connected, if the storage device determines that the storage device is a registered storage device, the information processing device provides the secret key for authentication. This is used to authenticate the user. Therefore, the user can authenticate the user without inputting a password or the like. In addition, since the secret key used for user authentication is stored only in the information device, even if the storage device is in the hands of a third party, the third party can easily authenticate the storage device. It cannot be done and security can be secured.

  In this application, the storage device is a device that is integrally provided with a storage medium and a storage medium control device that writes data to the storage medium, such as a USB flash memory, an external hard disk drive, a computer, etc. Various devices and control devices that can be detachably connected to a storage medium and write data to the storage medium, for example, various devices such as a CD drive, a DVD drive, an MO drive, a Blu-ray drive, and a memory card reader Is a collective term.

[Application Example 2] An information processing apparatus connected to a storage device, which receives a secret key generated by the storage device from the storage device and stores it, and a predetermined storage device connected to the information processing apparatus When a storage device that does not have a secret key is newly connected to the information processing device and a registration unit that accepts a registration instruction and performs an operation for registration of a predetermined storage device, the connected storage device is registered. Information processing apparatus comprising: a secret key providing unit that determines whether or not the storage device is a registered storage device and passes the stored secret key to a storage device that does not have the secret key when the storage device is determined to be a registered storage device apparatus.
The information processing apparatus having such a configuration also has the same effect as Application Example 1.

Application Example 3 In the information processing apparatus according to Application Example 2, the storage unit encrypts and stores the acquired secret key, and the secret key providing unit decrypts the encrypted secret key and is connected. Information processing device to be passed to the storage device.

  Since the information processing apparatus configured as described above encrypts and stores the private key received from the storage device, even if the encrypted private key is delivered to the third party, the third party can easily store it. Since the device cannot be authenticated, security can be improved.

Application Example 4 A storage device connected to an information processing device, a key generation unit that generates a public key and a secret key of a public key encryption method, and an identification that receives identification information input by a user of the storage device A first key is generated based on the information receiving means and the first identification information received by the identification information receiving means, and the first key is encrypted with the first public key generated by the key generating means. The first initial setting means for generating the second key and storing the first public key and the second key in the storage medium; and the second identification information received by the identification information receiving means. Generate a third key, encrypt the third key with the stored first public key, generate a fourth key, and collate the fourth key with the stored second key A first authentication means for authenticating the user for enabling the user to access the storage medium, and a second identification The third key generated based on the information is encrypted with the second public key out of the second public key and the secret key generated by the key generation unit to generate a fifth key, The second public key and the fifth key are stored in the storage medium, the secret key is transferred to the information processing device, the second initial setting means for deleting the secret key from the storage device, and the secret key from the information processing device. Receive and decrypt the stored fifth key with the private key to generate the sixth key, encrypt the sixth key with the stored first public key and generate the seventh key And a second authentication unit that compares the seventh key with the stored second key to authenticate the user so that the user can access the storage medium.
The storage device having such a configuration also has the same effect as in Application Example 1.

Application Example 5 In the storage device according to Application Example 4, the storage medium includes a hidden area that can be accessed only by a specific program prepared in advance, and the first initial setting means includes the first public key and the first public key. The second key is stored in the hidden area, and the second initial setting means stores the second public key and the fifth key in the hidden area.

  Since the storage device having such a configuration stores information related to user authentication in a hidden area, even if the storage device is in the hands of a third party, it is possible to easily access such information. I can't. Therefore, the security of the storage device can be increased.

[Application Example 6] The storage device according to Application Example 4 or Application Example 5, wherein the second initial setting means is a second disclosure generated by the key generation means for each information processing apparatus connected to the storage apparatus. A fifth key is generated by encrypting with a second public key out of a key and a private key, and the storage medium includes a partitioned storage area that is pre-determined and partitioned and managed in a predetermined number, The second initial setting means is a storage device that stores at least the second public key and the fifth key in one of the partition storage areas for each connected information processing device.

  The storage device having such a configuration is a partitioned storage area in which the fifth key and the second public key generated for each connected information processing device are pre-determined and partitioned and managed in a predetermined number One of them is memorized. Therefore, the information processing apparatus connected to the storage device can easily determine the presence or absence of the key used for the second authentication by referring to the partition storage area. Contributes to the determination of whether or not is registered for the second authentication.

  The present invention can be configured as an authentication method or a program thereof, in addition to the configuration as the authentication system, the information processing apparatus, and the storage device described above.

Examples of the present invention will be described.
A. Schematic configuration of the authentication system 20:
The authentication system 20 as an embodiment of the present invention includes a host computer PC and a USB flash memory UM. The host computer PC corresponds to the information processing apparatus as claimed, and the USB flash memory UM corresponds to the storage device as claimed.

A-1. General configuration of USB flash memory:
FIG. 1 is an explanatory diagram showing a schematic configuration of a USB flash memory UM as an embodiment of the present application. The USB flash memory UM includes a general-purpose input / output port 32, a CPU 40, a ROM 33, an SRAM 34, an encryption circuit 35, an internal interface 36, a flash memory 50, a USB connector 38, and a voltage control unit 37, which are connected via an internal bus. Has been.

  The general-purpose input / output port 32 is a parallel interface used when an additional device such as a fingerprint authentication device (not shown) is connected to the USB flash memory UM.

  The CPU 40 operates as a functional unit such as user authentication and data writing to the flash memory 50 by developing a program related to the control of the USB flash memory UM stored in the flash memory 50 or the ROM 33 in the SRAM 34 and executing the program. To do. The CPU 40 also functions as a first initial setting unit 41, a second initial setting unit 42, an identification information authentication unit 43, and an automatic authentication unit 44 by executing a program stored in the flash memory 50 or the ROM 33. To do. Details of these functional units will be described later.

  The ROM 33 is a nonvolatile memory, and stores firmware for starting up the USB flash memory UM when the USB flash memory UM is connected to the computer PC.

  The SRAM 34 is a buffer used when the CPU 40 performs various processes. In the present embodiment, although shown as a single buffer for simplification, for example, a configuration comprising a buffer for the flash memory 50 and a buffer for the encryption circuit 35 for speeding up each process. It is good.

  The encryption circuit 35 is a circuit for encrypting / decrypting data to be input / output to / from the flash memory 50, a password for performing user authentication for enabling the use of the USB flash memory UM, and the like. Both key encryption and common key encryption circuits are provided. The public key cryptosystem is mainly used for encryption / decryption of a password or the like, and the common key cryptosystem is used for encryption / decryption of data in a secure area to be described later. In the present embodiment, the public key cryptosystem employs the RSA system, and the common key system employs the AES system. In this embodiment, the encryption circuit 35 is used as the encryption means, but another method such as encryption software may be used.

  The internal interface 36 includes an interface for exchanging data with the flash memory 50.

  The flash memory 50 is a non-volatile memory that erases data in units of blocks. In this embodiment, the flash memory 50 is a NAND flash memory suitable for increasing the capacity.

  The USB connector 38 is a serial interface that can use a bus-powered power source, and is connected to a host computer PC having a USB port.

  The voltage control unit 37 adjusts the 5V bus-powered power supplied from the host computer PC connected via the USB connector 38 to, for example, 3.3V, and supplies it to each unit.

  FIG. 2 is an explanatory diagram showing an internal area of the flash memory 50 shown in FIG. The flash memory 50 includes a hidden area 51, a free area 52, and a secure area 53. The free area 52 and the secure area 53 are respectively a free area or secure area master boot record area, partition information area, file system information area, and data information area (61 to 64, 66 to 69).

  The hidden area 51 is an area outside the management of the file system, and is secured as an area for storing programs used by the CPU 40, information related to encryption of data stored in the flash memory 50, information related to user authentication described later, and the like. ing. The free area 52 is an area that can be accessed without performing user authentication. The secure area 53 is an area that can be accessed only when the user authentication is successful.

  The master boot record areas 61 and 66 are areas that are first read when the USB flash memory UM is activated, and are areas for storing information for activating the driver of the USB flash memory UM. The partition information areas 62 and 67 are areas for storing a partition table in which the positions and sizes of the internal areas described above are recorded. The file system information areas 63 and 68 are areas for storing information for managing files and directories. The data information areas 64 and 69 are areas for storing data to be stored in the flash memory 50.

  The above-described hidden area 51 is an area that can only be viewed using a dedicated program. Therefore, it cannot normally be seen on the OS of the host computer PC to which the USB flash memory UM is connected. In the present embodiment, the CPU 40 can access the hidden area 51 by a program for directly addressing a physical device placed outside the area handled as a logical device without going through the file system. On the other hand, the free area 52 is an area that can be viewed on the OS of the host computer PC just by connecting the USB flash memory UM to the host computer PC. In addition, the secure area 53 is an area that can be viewed after successful user authentication.

  The USB flash memory UM includes an encryption function and a user authentication function as security functions when information that is not desired to be known by others is stored in the secure area data information area 69 of the flash memory 50. The encryption function encrypts the data stored in the host computer PC connected to the USB flash memory UM using the encryption circuit 35 described above and stores it in the secure area data information area 69. This function decrypts the encrypted data stored in the data information area 69 and outputs it to the host computer PC. When the user uses the USB flash memory UM, the user authentication function allows the user to input information such as a password, and confirms whether or not the user is permitted to use in advance. This is a function that permits use of the secure area 53 of the USB flash memory UM only when it is confirmed that the user is permitted.

A-2. General configuration of host computer PC:
A schematic configuration of the host computer PC is shown in FIG. The computer PC in this embodiment is a general-purpose personal computer in which a predetermined program is installed, and includes a CPU 70, a hard disk drive 81, a ROM 82, a RAM 83, an input mechanism 84, a display 85, and a USB interface 86, each of which is a bus. Connected with.

  The CPU 70 controls the entire host computer PC by developing and executing the firmware and OS stored in the hard disk drive 81 and ROM 82 in the RAM 93. Further, the CPU 70 functions as a storage unit 71, a registration unit 72, a secret key providing unit 74, and an encryption unit 75 by executing a program stored in the hard disk drive 81. Details of these functional units will be described later.

  The input mechanism 84 includes a keyboard and a pointing device. The display 85 is a liquid crystal display. The USB interface 86 is a USB port on the host side, and is connected to the USB flash memory UM.

B. Password authentication process:
A password authentication process of the USB flash memory UM will be described. The password authentication process is a process for performing user authentication for using the secure area 53 of the USB flash memory UM based on the password input by the user.
B-1. Initial settings for password authentication:
An initial setting necessary for performing password authentication processing will be described. FIG. 4 shows an initial setting process procedure for performing password authentication. The series of processing shown in the figure is performed by a user of the USB flash memory UM connecting the USB flash memory UM to the host computer PC and selecting “initial setting” from the selection screen displayed on the display 85 to The CPU 40 of the memory UM performs the processing of the first initial setting unit 41. When this process is started, the CPU 40 receives a desired password PW1 input by the user who performs the initial setting using the input mechanism 84 via the host computer PC (step S100).

  Next, the CPU 40 generates a key A1 from the accepted password PW1 (step S110). In this embodiment, the key A1 is a numerical value converted from the character string of the accepted password PW1 by UNICODE. However, the present invention is not limited to this, and a key that is uniquely obtained from the input password is generated. Any method can be used. For example, another method such as generating a salt using a pseudo-random number generator and generating the key A1 using the one-way hash function from the salt and the password PW1 may be used.

  When the key A1 is generated, the CPU 40 uses the encryption circuit 35 to generate a public key B and a secret key C, which are RSA encryption key pairs (step S120).

  The CPU 40 encrypts the key A1 generated in step S110 with the public key B generated in step S120, generates a key A1B (step S130), and uses the key A1B and the public key B as the flash memory 50. Are stored in the hidden area 51 (steps S140 and S150). Note that the key A1B and the public key B are information used for password authentication processing to be described later. If such information is stored in the hidden area 51 as described above, the USB flash memory UM may be lost due to loss or the like. Even in the case of three parties, password authentication cannot be performed easily, and the confidentiality of data stored in the USB flash memory UM can be ensured.

  With the above process, the initial setting process is completed. Thereafter, the user can use the secure area 53 of the USB flash memory UM by password authentication processing described later. The key A1 and the key A1B described above correspond to the first key and the second key of claim 1, respectively, and the public key B corresponds to the first public key of claim 1.

B-2. Password authentication process:
FIG. 5 shows a user authentication procedure using a password when the user uses the secure area 53 of the USB flash memory UM. The series of processes shown in the drawing is a selection that is performed by the user after connecting the USB flash memory UM for which the initial setting has been completed to the host computer PC after executing the initial setting process described above. This is a process performed by the CPU 40 of the USB flash memory UM as the identification information authentication unit 43 by selecting “use secure area” from the screen. When this process is started, the CPU 40 of the USB flash memory UM receives the password PW2 that the user inputs using the input mechanism 84 via the host computer PC (step S200).

  Next, the CPU 40 generates a key A2 from the accepted password PW2 (step S210). This process is the same process as step S110.

  When the key A2 is generated, the CPU 40 reads out the public key B stored in step S150 from the hidden area 51 of the flash memory 50, encrypts the key A2 generated in step S210 with the public key B, and A key A2B is generated (step S220).

  When the key A2B is generated, the CPU 40 collates the key A2B generated in step S220 with the key A1B stored in the hidden area 51 of the flash memory 50 in step S140 (step 230).

  As a result, if both keys do not match (step S230: NO), it means that the password PW2 input in step S200 is not correct, and the CPU 40 displays the display 85 of the host computer PC to which the USB flash memory UM is connected. Error display (step S240), and the process returns to step S200.

  On the other hand, if the two keys match (step S230: YES), it means that the password PW2 input in step S200 is correct, and the CPU 40 stores the key A2 in the RAM 83 of the host computer PC (step S250). The secure area data information area 69 of the secure area 53 is opened (step S260). Thus, the password authentication process ends. Although the key A2 is stored in the RAM 83 of the host computer PC in step S250, the key A2 may be stored in the SRAM 34 of the USB flash memory UM. In any configuration, when the USB flash memory UM is removed from the host computer PC, the key A2 does not remain in the USB flash memory UM, so that security can be ensured.

  The key A2 generated in step S210 corresponds to the third key of claim 1, and the key A2B generated in step S220 corresponds to the fourth key of claim 1.

C. Automatic authentication process:
An automatic authentication process of the USB flash memory UM will be described. The automatic authentication process is a combination of a host computer PC and a USB flash memory UM registered in advance, and user authentication can be performed simply by connecting the USB flash memory UM to the host computer PC without requiring the user to enter a password. This process is performed to allow the user to use the secure area 53.

C-1. Initial settings for automatic authentication:
An initial setting necessary for performing the automatic authentication process will be described. FIG. 6 shows the procedure for starting the setting mode for performing various settings for automatic authentication processing. In this process, when the user connects the USB flash memory UM to the host computer PC, a GUI (Graphical User Interface) of the free area data information area 64 is displayed on the display 85, and the free area data information area 64 is displayed. This is started by starting a predetermined program stored in. This program is executed by the CPU 40 of the USB flash memory UM. When this process is started, first, the CPU 40 receives an instruction to shift to the setting mode, which is input by the user using the input mechanism 84 (step S300).

  When receiving the instruction to shift to the setting mode, the CPU 40 executes a password authentication process (step S310). This process is the same as S200 to S230 of the password authentication process described above with reference to FIG.

  When the password authentication process is successfully authenticated, the CPU 40 displays the host computer registration list stored in the hidden area 51 of the USB flash memory UM and the USB flash memory registration list stored in the hard disk drive 81 on the display 85. (Step S320). The host computer registration list is a list of pre-registered host computers that can perform automatic authentication processing in combination with a registered USB flash memory. In this embodiment, the host computer registration list is a list of host computer identification information. It has a display and a corresponding registration deletion button. The USB flash memory registration list is a list of pre-registered USB flash memories that can perform automatic authentication processing in combination with the above registered host computer. In this embodiment, the USB flash memory registration list is a USB flash memory registration list. A memory name, a product name (model number), a list display of registration date and time, and a corresponding registration deletion button are provided. These registration methods will be described later. Although the GUI as a setting mode including such a list can also be instructed in a registration process to be described later, the registration limit number is provided as will be described later, so the user can register with the GUI. While easily grasping the situation, it is possible to issue a registration / deletion instruction so as to be within the limits of registration, improving the convenience for the user.

  When the list is displayed, the CPU 40 shifts to the setting mode (step S330) and ends the process. In this setting mode, the above-described host computer and USB flash memory can be registered and deleted.

C-2. registration process:
FIG. 7 shows the flow of registration processing between the host computer PC and the USB flash memory UM, which is necessary for performing automatic authentication processing. This process is started when the user inputs a desired name for the USB flash memory to be registered and inputs a registration instruction using the above-described setting mode GUI. When this process is started, the CPU 70 of the host computer PC first accepts the USB flash memory name and registration instruction input by the user (step S400).

  Then, the CPU 70 refers to the hard disk drive 81 of the host computer PC to determine whether the prescribed number of USB flash memories UM have been registered, and refers to the hidden area 51 of the USB flash memory UM to refer to the host computer PC Is determined whether or not a predetermined number has been registered (step S410). In this embodiment, from the viewpoint of efficient use of the registration information storage area and speeding up of the automatic authentication process described later, the registration upper limit of the host computer PC is three and the registration upper limit of the USB flash memory UM is ten. This determination is made.

  As a result, if the USB flash memory UM has been registered in a specified number, or if the host computer PC has been registered in a specified number (step S410: YES), no further registration is possible. The fact is displayed on the display 85 (not shown), and the process returns to step S400.

  On the other hand, if the number of registrations of the USB flash memory UM is less than the prescribed number and the number of registrations of the host computer PC is less than the prescribed number (step S410: NO), it means that further registration is possible. Advances the process and determines whether or not the USB flash memory name accepted in step S400 has already been registered (step S420).

  As a result, if there is a registration with the same name (step S420: YES), it is necessary to avoid the confusion of identification caused by the registration of a plurality of units with the same name, so the CPU 70 displays that fact (not shown) and performs processing. Is returned to step S400.

  On the other hand, if there is no registration with the same name (step S420: NO), the confusion of identification does not occur, so the CPU 70 proceeds with the process, and the USB flash memory UM connected to the host computer PC is already registered. It is determined whether or not it is a memory UM (step S430). In this embodiment, this determination is made by registering the USB flash memory UM, registering the registration date and time stored in the hard disk drive 81 of the host computer PC, and the identification information of the host computer PC. The registration date and time stored in the hidden area 51 of the flash memory UM is read, and when there is a combination that matches both, it is determined that the USB flash memory UM has been registered. This determination may be made based on the coincidence by storing the registered identification information (such as a serial number) of the USB flash memory UM by the host computer PC.

  As a result, if it is a registered USB flash memory UM (step S430: YES), there is no need to register again, so the CPU 70 displays that fact (not shown) and returns the process to step S400.

  On the other hand, if it is not a registered USB flash memory UM (step S430: NO), the CPU 70 sends an instruction for creating an automatic authentication key to the USB flash memory UM (step S440).

  In response to this, in the USB flash memory UM, the CPU 40 uses the encryption circuit 35 to generate a public key D and a secret key E, which are RSA encryption key pairs, as an automatic authentication key, and at the same time, the host computer PC In response, the generated secret key E is transmitted (step S500). The CPU 40 deletes the secret key E after sending the secret key E, and does not store it on the USB flash memory UM side, but stores it only in the SRAM 34, and the USB flash memory UM is removed from the host computer PC. In this case, the secret key E may be deleted. The public key D corresponds to the second public key of claim 1, and the secret key E corresponds to the secret key of claim 1.

  In response to this, in the host computer PC, the CPU 70 receives the secret key E, and encrypts the secret key E with the unique information F that can be used in the host computer PC as a process of the encryption unit 75 to generate the key EF. (Step S450). In this embodiment, the MAC address F of the host computer PC is used as the unique information F. The CPU 70 associates the generated key EF, the USB flash memory name received in step S400, the current date and time (registration date and time), and the product name of the USB memory as the processing of the storage unit 71, and the hard disk While registering in the drive 81, identification information of the host computer PC (hereinafter referred to as PC identification information; here, MAC address), registration date and time, and USB flash memory name are sent to the USB flash memory UM (step S460). Note that steps S400 to S460 are performed as processing of the registration unit 72 unless otherwise noted.

  On the other hand, in the USB flash memory UM, when the public key D and the secret key E are generated in step S500, the key A2 read from the RAM 83 is encrypted with the public key D to generate the key A2D (step S510). Then, the CPU 40 receives the PC identification information, the registration date and time, and the USB flash memory name received in S400 from the host computer PC, and stores them in the hidden area 51 together with the public key D and the key A2D (step S520). As described above, even if the USB flash memory UM is transferred to a third party due to loss or the like, the password authentication cannot be performed easily and the USB flash memory is stored in the hidden area 51. This is because the confidentiality of the data stored in the UM can be ensured.

  In this way, by sharing common information between the host computer PC and the USB flash memory, the registration process is completed. Note that the processing of steps S500 to S520 is performed as processing of the second initial setting unit 42. The key A2D corresponds to the fifth key of claim 1.

C-3. Automatic authentication process:
The flow of the automatic authentication process will be described with reference to FIG. In this process, after executing the initial setting process (FIG. 4) and the registration process (FIG. 7), the user newly connects the USB flash memory UM to the host computer PC and displays it on the display 85 of the host computer PC. This is a process performed by the CPU 70 of the host computer PC and the CPU 40 of the USB flash memory UM by selecting “automatic authentication” from the selection screen and starting a predetermined program. Another program may be used to detect that the USB flash memory UM has been inserted into the host computer PC and start the “automatic authentication” program. The CPU 40 performs this process as the process of the automatic authentication unit 44. When this process is started, the CPU 70 of the host computer PC determines whether or not the automatic authentication key (public key D) is stored in the hidden area 51 of the USB flash memory UM (step S610).

  In the present embodiment, as illustrated in FIG. 9, the hidden area 51 includes a partition storage area MA. The partition storage area MA has a predetermined position, and is managed by being partitioned into a predetermined number of partition areas MA1 to MA10 (here, the registration upper limit number of the host computer PC is 10). In this example, each partition area MAi (i = 1 to 10) has a public key D area of 128 bytes, a key A2D area of 64 bytes, a PC identification information area of 16 bytes, and a USB flash memory name area. 16 bytes, 4 bytes for the registration date and time, and 1 byte for the location information of the hard disk drive 81 of the host computer PC (total of 229 bytes) are secured at predetermined positions. In addition, a flag bit indicating whether or not there is data in the partition area is secured at the head of each partition area MAi (i = 1 to 10). In step S610, the CPU 70 The presence or absence of the automatic authentication key is determined with reference to the flag bit in the storage area MA. With such a configuration, the CPU 70 can easily determine the presence / absence of a key for automatic authentication.

  As a result, if there is a key for automatic authentication (step S610: YES), the CPU 70 determines whether or not PC identification information that matches its own PC identification information is stored in the partition storage area MA (step S620). ). In this embodiment, as described above, the presence / absence of the key for automatic authentication and the presence / absence of the matching PC identification information are used to efficiently determine whether the USB flash memory UM is registered. It is configured.

  As a result, if there is a match in the PC identification information (step S620: YES), the connected USB flash memory UM is a USB flash memory UM registered for automatic authentication, and the CPU 70 As the processing of the encryption unit 75, the key EF corresponding to the USB flash memory name associated with the matching PC identification information and stored in the hidden area 51 is decrypted with the MAC address F to generate the secret key E, and The secret key E is transferred to the USB flash memory UM (step S630). Note that the processing of steps S610 to S630 is performed as processing of the secret key providing unit 74 unless otherwise noted.

  If there is no key for automatic authentication in step S610 (step S610: NO), or if the PC identification information does not match in step S620 (step S620: NO), the connected USB flash memory This means that the UM is not a USB flash memory UM registered for automatic authentication, and the process ends.

  In step S620, if the PC identification information does not match (step S620: NO), the same determination is repeated a predetermined number of times, and if it is determined that the PC identification information does not match in all of them, the process ends. It is good also as composition to do. In this way, the accuracy of judgment can be improved.

  On the other hand, in the USB flash memory UM, when receiving the secret key E from the host computer PC (step S700), the CPU 40 decrypts the key AD2 stored in the hidden area 51 with the received secret key E to generate the key A3. (Step S710). When the key A3 is generated, the CPU 40 encrypts the generated key A3 with the public key B stored in the hidden area 51, and generates the key A3B (step S720).

  Then, the CPU 40 collates the key A1B stored in the hidden area 51 with the generated key A3B (step S730). As a result, if the two keys do not match (step S730: NO), it means that the received secret key E is not correct, and the CPU 40 ends the process.

  On the other hand, if the two keys match (step S730: YES), it means that the received secret key E is correct, and the CPU 40 opens the secure area data information area 69 of the secure area 53 (step S740). Thus, when the automatic authentication is successful, the automatic authentication process is terminated. The key A3 described above corresponds to the sixth key of claim 1 and the key A3B corresponds to the seventh key of claim 1.

C-4. Registration deletion process:
The flow of registration deletion processing in the authentication system 20 is shown in FIG. The registration deletion process is a process for deleting the registration of the host computer PC and the USB flash memory UM performed in the registration process shown in FIG. This process is performed by the user using the setting mode GUI transferred in the process shown in FIG. 6, a list of USB flash memory UM registrations stored in the hard disk drive 81 of the host computer PC, or the USB flash memory UM. This is started by clicking the delete button corresponding to the device desired to be deleted from the list of registrations of the host computer PC stored in the hidden area 51. When this process is started, the CPU 70 of the host computer PC first accepts a deletion instruction input by the user (step S800).

  When receiving the registration deletion instruction, the CPU 70 determines whether or not the instruction is to delete the registration of the USB flash memory UM stored in the host computer PC (step S810). As a result, if the registration of the USB flash memory UM stored in the host computer PC is to be deleted (step S810: YES), the CPU 70 connects the selected USB flash memory UM to the host computer PC. It is determined whether or not the USB flash memory UM is present (step S820). In this embodiment, if the USB flash memory name and registration date and time stored in the hidden area 51 of the connected USB flash memory UM are already registered in the hard disk drive 81 of the host computer PC, it is selected. The USB flash memory UM is determined to be a USB flash memory UM connected to the host computer PC.

  As a result, if the selected USB flash memory UM is a connected USB flash memory UM (step S820: YES), the CPU 70 identifies its own PC from the hidden area 51 of the connected USB flash memory UM. The registration data (public key D, key AD2, PC identification information, registration date and time, USB flash memory name) of the USB flash memory UM corresponding to the information is deleted (step S830).

  If the registered data in the USB flash memory UM is deleted, or if the selected USB flash memory UM is not connected in the determination in the above step S820 (step S820: NO), the CPU 70 executes the hard disk drive of the host computer PC. The registration data (key EF, registration date, USB flash memory name, product name) of the corresponding USB flash memory UM is deleted from 81 (step S840).

  If the determination in step S810 does not delete the registration of the USB flash memory UM stored in the host computer PC, that is, the registration of the host computer PC stored in the USB flash memory UM is deleted. If there is (step S820: NO), the CPU 70 determines whether or not the selected registration is its own (step S850). In this embodiment, this determination is made if the USB flash memory name and the registration date and time stored in the hidden area 51 of the USB flash memory UM are already registered in the hard disk drive 81, the selected registration is It was assumed that it was a thing.

  As a result, if the selected registration is its own (step S850: YES), the CPU 70 sends from the hard disk drive 81 registration data (key EF, USB flash memory name, registration) regarding the connected USB flash memory UM. (Date, product name) is deleted (step S860).

  If the registration data of the hard disk drive 81 is deleted, or if the selected registration is not its own in the determination in step S850 (step S850: NO), the CPU 70 starts from the hidden area 51 of the USB flash memory UM. Registration data (public key D, key AD2, PC identification information, registration date and time, USB flash memory name) including its own PC identification information is deleted (step S870). Thus, the registration deletion process ends.

  In the authentication system 20 having such a configuration, the USB flash memory UM generates a secret key E used for user authentication, passes it to the host computer PC, and erases it without holding it. The host computer PC stores the received secret key E, and when the USB flash memory UM is newly connected, whether or not the USB flash memory UM is a USB flash memory UM registered in advance. A determination is made, and if it is registered, the stored key EF is decrypted to obtain a secret key E, which is transferred to the USB flash memory UM. On the other hand, the USB flash memory UM authenticates the user using the received secret key E. Therefore, since the user can easily authenticate the user without inputting a password or the like, the convenience for the user is improved. Also, since the key EF encrypted by the secret key E is stored only in the host computer PC, even if the USB flash memory UM is in the hands of a third party, the third party can easily User authentication cannot be performed, and security can be ensured.

D. Variations:
A modification of the above embodiment will be described.
D-1. Modification 1:
In the embodiment, in the registration process shown in FIG. 7, the host computer PC uses the MAC address as the unique information F for encrypting the secret key E received from the USB flash memory UM (step S450). The information F is not particularly limited. For example, a key generated by encrypted software may be used.

  Further, in the automatic authentication process shown in FIG. 8, the MAC address is used as PC identification information for determining whether or not the USB flash memory UM connected to the host computer PC is a registered USB flash memory UM. Although used (step S620), the PC identification information is not particularly limited. For example, any information that can identify the host computer PC, such as a serial number of the host computer PC, may be used.

D-2. Modification 2:
In the embodiment, in the registration process shown in FIG. 7, the host computer PC encrypts the secret key E received from the USB flash memory UM and stores it in the hard disk drive 81 (steps S450 and S460), as shown in FIG. In the automatic authentication process, the encrypted key EF is decrypted to generate a secret key E, and the secret key E is transferred to the USB flash memory UM (step S630). In this way, the host computer PC encrypts and stores the secret key E, so that even if the encrypted secret key E is delivered to the third party, the third party can easily obtain the secret key E. This is because it cannot be decrypted and security can be improved. However, this configuration is not essential, and the host computer PC may store the secret key E without encryption.

D-3. Modification 3:
In the embodiment, the USB flash memory UM generates the public key B and the secret key C and encrypts the key A1 with the public key B in the initial setting process shown in FIG. The generation and / or encryption may be performed by encryption means provided on the host computer PC side. For example, the host computer PC generates a public key B and a secret key C, passes the public key B to the USB flash memory UM, and the USB flash memory UM encrypts the key A1 using the received public key B. It is good also as a structure. Similarly, in the registration process shown in FIG. 7, the USB flash memory UM generates the public key D and the secret key E, and encrypts the key A2 with the public key D. Alternatively, the encryption may be performed by encryption means provided on the host computer PC side. For example, the host computer PC generates a public key D and a secret key E, passes the public key D to the USB flash memory UM, and the USB flash memory UM encrypts the key A2 using the received public key D. It is good.

  Of course, the above-described key generation is not limited to the configuration performed by the USB flash memory UM or the host computer PC, but may be a configuration using a key generated elsewhere. For example, a server connected to the host computer PC via the network may generate the key, and the host computer PC may acquire and use the key via the network. In the manufacturing stage of the USB flash memory, A key may be generated in advance and stored in the hidden area 51 or the like. In this way, the host computer PC and the USB flash memory UM do not need to include a key generation unit, which contributes to cost reduction and processing efficiency.

  In the embodiment, the password authentication process shown in FIG. 5 and the automatic authentication process shown in FIG. 8 are configured to be performed on the USB flash memory UM side. However, both or either of these processes is performed. On the other hand, some of them may be performed on the host computer PC side. For example, the CPU 70 of the host computer PC may be configured to perform the processing from steps S700 to S740 in FIG. 8, or the CPU 70 performs the processing from steps S700 to S720. It is good also as a structure to perform.

D-4. Modification 4:
In the embodiment, the configuration of the USB flash memory UM is illustrated as an embodiment of the storage device of the present invention. However, the storage device of the present invention is not limited to the USB flash memory, but an external hard disk drive, a CD drive. It can be realized as various storage devices such as a DVD drive, an MO drive, a Blu-ray drive, and a memory card reader.

  In the examples, the configuration of the personal computer is illustrated as an embodiment of the information processing apparatus of the present invention. However, the information processing apparatus of the present invention is not limited to the personal computer, and the above-described functions are implemented in hardware. If it can be realized by resources, it can be realized as various information processing apparatuses such as a PDA (Personal Digital Assistant), a mobile phone, and various digital home appliances.

  As mentioned above, although the Example of this invention was described, this invention is not limited to such an Example, Of course, in the range which does not deviate from the summary of this invention, it can implement in a various aspect. For example, the present invention can be realized in the form of an automatic authentication method, a program thereof, a storage medium in which the program is recorded so as to be readable.

It is explanatory drawing which shows schematic structure of the USB flash memory UM. 3 is an explanatory diagram showing an internal area of a flash memory 50. FIG. It is explanatory drawing which shows schematic structure of host computer PC. It is a flowchart which shows the procedure of the initial setting for performing password authentication of USB flash memory UM. It is a flowchart which shows the procedure of a password authentication process. It is a flowchart which shows the starting procedure of the setting mode which performs various settings of an automatic authentication process. It is a flowchart which shows the procedure of the registration process for performing the automatic authentication process of USB flash memory UM. It is a flowchart which shows the procedure of the automatic authentication process of USB flash memory UM. 4 is an explanatory diagram showing an internal area of a hidden area 51 of the flash memory 50. FIG. It is a flowchart which shows the procedure of the registration deletion process which deletes the information registered by the registration process.

Explanation of symbols

20 ... Authentication system 32 ... General purpose input / output port 33 ... ROM
34 ... SRAM
35 ... Cryptographic circuit 36 ... Internal interface 37 ... Voltage control unit 38 ... USB connector 40 ... CPU
DESCRIPTION OF SYMBOLS 41 ... 1st initial setting part 42 ... 2nd initial setting part 43 ... Identification information authentication part 44 ... Automatic authentication part 50 ... Flash memory 51 ... Hidden area 52 ... Free area 53 ... Secure area 61 ... Master boot for free areas Record area 62 ... Free area partition information area 63 ... Free area file system information area 64 ... Free area data information area 66 ... Secure area master boot record area 67 ... Secure area partition information area 68 ... Secure area file System information area 69 ... Data information area for secure area 70 ... CPU
71 ... Storage unit 72 ... Registration unit 74 ... Secret key providing unit 75 ... Encryption unit 81 ... Hard disk drive 82 ... ROM
83 ... RAM
84 ... Input mechanism 85 ... Display 86 ... USB interface MA ... Partition storage area MA1-MA10 ... Partition area PC ... Host computer UM ... USB flash memory

Claims (8)

An authentication system comprising an information processing device and a storage device,
A key generation means for generating a public key and a secret key of a public key encryption method;
Identification information receiving means for receiving identification information input by a user of the storage device;
A first key is generated based on the first identification information received by the identification information receiving means, and the first key is encrypted with the first public key generated by the key generation means. First initial setting means for generating two keys and storing the first public key and the second key in a storage medium in the storage device;
A third key is generated based on the second identification information received by the identification information receiving means, the third key is encrypted with the stored first public key, and a fourth key is generated. A first authenticating means for authenticating a user for allowing the user to access the storage medium by comparing the fourth key with the stored second key;
The third key generated based on the second identification information is encrypted with the second public key out of the second public key and the secret key generated by the key generation unit, and the fifth key is encrypted. A second initial setting means for storing the second public key and the fifth key in the storage medium and storing the secret key only in the information processing device;
Registration means for accepting a registration instruction for a predetermined storage device connected to the information processing apparatus and performing an operation for registration of the predetermined storage device;
When a storage device is newly connected to the information processing device, it is determined whether the connected storage device is the registered storage device, and it is determined that the storage device is the registered storage device A secret key providing means for providing the stored secret key for authentication;
Receiving the secret key from the secret key providing means, decrypting the stored fifth key with the secret key, generating a sixth key, and storing the sixth key in the stored first key To generate a seventh key and collate the seventh key with the stored second key so that the user can access the storage medium. An authentication system comprising: a second authentication unit that authenticates a user. An information processing apparatus connected to a storage device,
Storage means for receiving and storing a secret key generated by the storage device from the storage device;
Registration means for accepting a registration instruction for a predetermined storage device connected to the information processing apparatus and performing an operation for registration of the predetermined storage device;
When a storage device that does not have the secret key is newly connected to the information processing device, it is determined whether or not the connected storage device is the registered storage device, and the registered storage device An information processing apparatus comprising: a secret key providing unit that transfers the stored secret key to a storage device that does not have the secret key when it is determined that the apparatus is a device. An information processing apparatus according to claim 2,
The storage means encrypts and stores the acquired secret key,
The secret key providing means decrypts the encrypted secret key and passes it to the connected storage device. A storage device connected to the information processing device,
A key generation means for generating a public key and a secret key of a public key encryption method;
Identification information receiving means for receiving identification information input by a user of the storage device;
A first key is generated based on the first identification information received by the identification information receiving means, and the first key is encrypted with the first public key generated by the key generation means. First initial setting means for generating two keys and storing the first public key and the second key in a storage medium;
A third key is generated based on the second identification information received by the identification information receiving means, the third key is encrypted with the stored first public key, and a fourth key is generated. A first authenticating means for authenticating a user for allowing the user to access the storage medium by comparing the fourth key with the stored second key;
The third key generated based on the second identification information is encrypted with the second public key out of the second public key and the secret key generated by the key generation unit, and the fifth key is encrypted. The second public key and the fifth key are stored in the storage medium, the secret key is passed to the information processing device, and the secret key is deleted from the storage device. Initial setting means,
Receiving the secret key from the information processing apparatus, decrypting the stored fifth key with the secret key, generating a sixth key, and storing the sixth key in the stored first key A user for encrypting with a public key to generate a seventh key, collating the seventh key with the stored second key, and enabling the user to access the storage medium And a second authentication means for performing authentication. The storage device according to claim 4,
The storage medium includes a hidden area that can be accessed only by a specific program prepared in advance.
The first initial setting means stores the first public key and the second key in the hidden area,
The second initial setting means stores the second public key and the fifth key in the hidden area. The storage device according to claim 4 or 5, wherein
The second initial setting means uses the second public key out of the second public key and the secret key generated by the key generation means for each information processing apparatus connected to the storage device. Encrypt to generate a fifth key,
The storage medium is provided with a partitioned storage area whose position is determined in advance and partitioned and managed in a predetermined number,
The second initial setting means stores at least the second public key and the fifth key in one of the partition storage areas for each of the connected information processing devices. An information processing apparatus connected to a storage device is a computer program for authenticating a user of the storage device,
A storage function that is generated by the storage device and receives and stores a secret key used for the authentication from the storage device;
A registration function for accepting a registration instruction of a predetermined storage device connected to the information processing apparatus and performing an operation for registration of the predetermined storage device;
When a storage device that does not have the secret key is newly connected to the information processing device, it is determined whether or not the connected storage device is the registered storage device, and the registered storage device A program for causing a computer to realize a secret key providing function of transferring the stored secret key to a storage device that does not have the secret key when it is determined to be a device. An authentication method for authenticating a user of a storage device connected to an information processing device,
As a first initial setting, a first public key is generated, a first key is generated based on first identification information input by a user of the storage device, and the first key is converted to the first key. Generating a second key encrypted with one public key, storing the first public key and the second key in a storage medium;
As a second initial setting, a third key is generated based on the second identification information input by the user, a second public key and a secret key are generated, and the third key is 2 to generate a fourth key, store the second public key and the fourth key in the storage medium, pass the secret key to the information processing apparatus, and Deleting the key from the storage device;
When the information processing device and the storage device are newly connected, the information processing device passes the newly connected storage device when it is determined that the storage device has been registered in advance by performing a registration operation. Receiving a secret key, decrypting the stored fourth key with the secret key, generating a fifth key, encrypting the fifth key with the stored first public key; An authentication method for generating a fifth key, comparing the fifth key with the stored second key, and authenticating the user so that the user can access the storage medium .

Images