JP5041833B2 - Data recovery method, image processing apparatus, controller board, and data recovery program - Google Patents

Description

  The present invention relates to a data recovery method, an image processing apparatus, a controller board, and a data recovery program, and more particularly to a data recovery method, an image processing apparatus, a controller board, and a data recovery program for recovering data encrypted with an encryption key.

  In recent years, there has been an increasing demand for security in image processing apparatuses such as printers, scanners, fax machines, copiers, and multifunction peripherals (MFPs). An image processing apparatus is an example of a peripheral device. Currently, IEEE P2600, which is a security standard for image processing apparatuses such as multifunction peripherals, has a requirement and requirement to protect data stored in the apparatus.

  Specifically, the image processing apparatus protects user data and security data by preventing theft and analysis of storage devices storing user data such as address books and image (image) information, and security data such as security logs. There is a need. As a method of protecting user data and security data stored in the storage device, it is conceivable to apply encryption with a certain strength or higher (see, for example, Patent Documents 1 to 3).

  Another method for protecting user data and security data stored in the storage device is to store the encryption key in a TPM (Trusted Platform Module) to prevent leakage of the encryption key.

  In a personal computer (PC), workstation, or the like that protects user data or the like, a method of inputting a password every time it is started is common. On the other hand, an image processing apparatus such as a multifunction peripheral is generally used by a plurality of users (operators) and everyone turns on / off the power. In an image processing apparatus of such a usage form, it is difficult to force a user to input a password every time it is activated even if it protects user data and the like.

Therefore, a conventional image processing apparatus automatically generates an encryption key for a storage device that stores user data and the like, encrypts the encryption key with another encryption key stored in the TPM, and stores it on a non-volatile memory on the controller board. Some of them are stored in non-volatile devices such as memory.
JP 2005-158043 A JP 2004-201038 A International Publication No. 99/038078 Pamphlet

  Automatically generates an encryption key for the storage device that stores user data, etc., encrypts the encryption key with another encryption key stored in the TPM, and stores it in a nonvolatile device such as a nonvolatile memory on the controller board In the conventional image processing apparatus, even if the storage device is stolen, it is difficult to decipher the storage device.

  However, in the conventional image processing apparatus, when the controller board needs to be replaced due to some component failure or component life expiration, user data encrypted and stored in the storage device cannot be decrypted.

  In fact, in home appliances such as multifunction peripherals, it is rare to replace only some of the faulty parts on the controller board, and it is common to replace the entire controller board. Therefore, it is expected that the controller board is frequently replaced in the image processing apparatus. In an image processing apparatus such as a multifunction machine, it is inconvenient if the user data cannot be decoded every time the controller board is replaced.

  The present invention has been made in view of the above points, and is a data recovery method capable of recovering data that is encrypted and stored in a storage device inside the apparatus even if the encryption key inside the apparatus becomes unusable An object is to provide an image processing apparatus, a controller board, and a data recovery program.

In order to solve the above-described problem, the present invention is a configuration including at least a controller board on which a secure memory and a first storage device are mounted, and a second storage device , storing a first encryption key in the secure memory, the second encryption key encrypted with the first encryption key stored in the first storage device, the data of the information processing apparatus the data encrypted with the second encryption key is stored in the second storage device A backup method that decrypts the second encryption key using the first encryption key and backs up the second encryption key as a backup key outside the information processing apparatus; and the first and first when two encryption key is not available, and restore step of restoring the backup key inside the information processing apparatus, said backup key restored inside the information processing apparatus Used, and having a decoding step of decoding data stored in the second storage device.

The present invention also includes a configuration including at least a controller board on which the secure memory and the first storage device are mounted, a second storage device, and at least one of a plotter and a scanner, and the first encryption key is stored in the secure memory. and stores the second encryption key encrypted with the first encryption key to the first storage device, images data encrypted with the second encryption key that has been stored in the second storage device A processing device for decrypting the second encryption key using the first encryption key and backing up the second encryption key as a backup key outside the device; and the first and second encryption keys, When the data cannot be used, the restoration means for restoring the backup key to the inside of the device and the data stored in the second storage device using the backup key restored to the inside of the device. And having a decoding means for decoding the.

Further, the present invention is configured to store a first encryption key in a secure memory, and store a second encryption key encrypted with the first encryption key in a first storage device. A controller board including at least the secure memory and the first storage device included in an image processing apparatus having at least one of a second storage device, a plotter, and a scanner storing data encrypted with a key; Backup means for decrypting the second encryption key using the first encryption key and backing up the second encryption key as a backup key outside the image processing apparatus, and the first and second encryption keys cannot be used Using the restoration means for restoring the backup key to the inside of the image processing apparatus and the backup key restored to the inside of the image processing apparatus. , And having a decoding means for decoding the data stored in the second storage device.

The present invention also includes a controller board on which at least a secure memory and a first storage device are mounted, and a second storage device, wherein the first encryption key is stored in the secure memory, and the first encryption key is used. storing the second cryptographic key encrypted in the first storage device, the data encrypted with the second encryption key with which the information processing apparatus is stored in the second storage device, the first encryption key A backup procedure for decrypting the second encryption key using the server and backing up the second encryption key as a backup key outside the information processing apparatus, and when the first and second encryption keys cannot be used, the backup key The data stored in the second storage device is restored using the restore procedure for restoring the information into the information processing device and the backup key restored in the information processing device. Characterized in that it is a data recovery program for executing the Gosuru decoding procedure.

  In addition, what applied the component, expression, or arbitrary combination of the component of this invention to a method, an apparatus, a system, a computer program, a recording medium, a data structure, etc. is also effective as an aspect of this invention.

  According to the present invention, a data recovery method, an image processing apparatus, a controller board, and a data recovery method capable of recovering data encrypted and stored in a storage device inside the apparatus even when the encryption key inside the apparatus becomes unusable A data recovery program can be provided.

  Next, the best mode for carrying out the present invention will be described based on the following embodiments with reference to the drawings. In the present embodiment, a multifunction peripheral is described as an example of the information processing apparatus and the image processing apparatus. However, other apparatuses or devices may be used.

  FIG. 1 is a hardware configuration diagram of an example of a multifunction machine according to the present invention. The multi-function device 100 includes a controller board 101, an operation port 109, a plotter 110, a scanner 111, an NVRAM 112, and an HDD 113. The controller board 101 includes a CPU 102, a ROM 103, a RAM 104, a LAN controller 105, a DCR 106, a TPM 107, a USB flash memory 108, and an OCR 501.

  The controller board 101 is a mother board (base) that performs overall control of the multifunction peripheral 100. The CPU 102 performs arithmetic processing. The ROM 103 stores a program. The RAM 104 operates a program or temporarily stores data. The LAN controller 105 is connected to a network such as Ethernet (registered trademark) or a wireless LAN. The DCR 106 converts image information (bitmap) into an electronic document.

  The TPM 107 is realized by a chip directly attached to the controller board 101. Japanese Patent Application Laid-Open No. 2004-282391 describes information encryption using a TPM (Trusted Platform Module) in a PC based on TCPA (Trusted Computing Platform Alliance) specifications. The TPM 107 is an example of a secure memory. The USB flash memory 108 is an example of a nonvolatile memory. The OCR 501 reads and encodes printed character information.

  The operation port 109 performs user operation input / output. The plotter 110 prints image information on paper. The scanner 111 reads image information from paper. The NVRAM 112 is an example of a nonvolatile memory and a storage device. The NVRAM 112 holds various parameters. A HDD (Hard Disk Drive) 113 holds a large amount of data such as an address book and image information. The HDD 113 is an example of a storage device.

  The multi-function device 100 stores an encryption key A for encrypting or decrypting the encryption keys B and C inside the TPM 107. In addition, the MFP 100 stores encryption keys B and C encrypted with the encryption key A in the USB flash memory 108. The encryption key B is for encrypting or decrypting the NVRAM 112. The encryption key C is for encrypting or decrypting the HDD 113.

  FIG. 2 is a software configuration diagram of an example of a multifunction machine according to the present invention. The MFP 100 includes an OS 114, an overall control software (CTL) 115, application control software 116 including copy software, printer software, fax software, scanner software, and document box software.

  The OS 114 is an operating system for operating software. The CTL 115 is software that aggregates and delivers data to each application control software 116. The application control software 116 is software that controls each application of the multifunction peripheral 100.

  The MFP 100 shown in FIGS. 1 and 2 is activated as shown in FIGS. 3 and 4, for example. FIG. 3 is a flowchart showing the start-up procedure of the multifunction machine according to the present invention. FIG. 4 is a sequence diagram showing the start-up procedure of the multifunction machine according to the present invention.

  First, in the flowchart of FIG. 3, when the MFP 100 is turned on, the process proceeds to step S <b> 1, and after the CTL 115 acquires the encryption key A from the TPM 107, it is determined whether the encryption key is set in the USB flash memory 108. . If the encryption key is set (YES in S2), the CTL 115 proceeds to step S3, and uses the encryption keys B and C encrypted by the encryption key A stored in the USB flash memory 108 as the encryption key. Decode using A.

  In step S4, the CTL 115 acquires the decrypted encryption key B from the USB flash memory 108, and decrypts the NVRAM 112 using the encryption key B. In step S5, the CTL 115 acquires the decrypted encryption key C from the USB flash memory 108, and decrypts the HDD 113 using the encryption key B. In step S 8, the multifunction peripheral 100 activates each application by the application control software 116.

  If the encryption key is not set (NO in S2), the CTL 115 determines that the NVRAM 112 and the HDD 113 are not encrypted. In step S 6, the CTL 115 reads various parameters from the NVRAM 112. In step S 7, the CTL 115 reads data from the HDD 113. In step S 8, the multifunction peripheral 100 activates each application by the application control software 116.

  The sequence diagram of FIG. 4 represents a startup procedure when the NVRAM 112 and the HDD 113 are encrypted. First, in the sequence diagram of FIG. 4, when the multifunction device 100 is powered on, the CTL 115 acquires the encryption key A from the TPM 107 in steps S11 and S12. In step S13, the CTL 115 uses the encryption key A to decrypt the encryption keys B and C that are stored in the USB flash memory 108 and encrypted with the encryption key A.

  In step S 14, the CTL 115 acquires the decrypted encryption keys B and C from the USB flash memory 108. In step S15, the CTL 115 decrypts the NVRAM 112 using the encryption key B. In step S16, the CTL 115 decrypts the HDD 113 using the encryption key C. Then, the multifunction peripheral 100 activates each application by the application control software 116.

  Here, in order to facilitate understanding of the present invention, a problem that occurs when the controller board 101 of the multifunction peripheral 100 is replaced will be described. FIG. 5 is a hardware configuration diagram of an example of a multifunction machine having a controller board replaced.

  As shown in FIG. 5, in the multi-function device 100 with the controller board 101 replaced, the USB flash memory 108 is in an initialized state, and the encryption keys B and C encrypted with the encryption key A are stored. It has not been. Therefore, in the MFP 100 with the controller board 101 replaced, parameters and data encrypted and stored with the encryption keys B and C in the NVRAM 112 and the HDD 113 cannot be decrypted, and therefore encrypted and stored in the NVRAM 112 and the HDD 113. There was a problem that it was not possible to recover the parameters and data. As a result, in the MFP 100 in which the controller board 101 has been replaced, the NVRAM 112 and the HDD 113 must be initialized even if the NVRAM 112 and the HDD 113 have not failed.

  The TPM 107 stores an encryption key A ′ that is different from the encryption key A for encrypting or decrypting the encryption keys B and C. The encryption key A ′ stored in the TPM 107 is different for each controller board 101, for example.

  FIG. 6 is a conceptual diagram showing a data recovery method according to the present invention. The upper part of FIG. 6 represents the multifunction peripheral 100 before the controller board 101 is replaced. The lower part of FIG. 6 represents the multifunction peripheral 100 after the controller board 101 has been replaced.

  The multifunction peripheral 100 according to the present invention outputs the encryption keys B and C stored in the USB flash memory 108 to the outside through the operation panel or the like while the controller board 101 is operating normally. After the controller board 101 is replaced, the MFP 100 according to the present invention restores the encryption keys B and C to the USB flash memory 108 by inputting the encryption keys B and C output from the outside through the operation panel or the like. To do.

  Therefore, the MFP 100 according to the present invention can decrypt parameters and data that are encrypted and stored in the NVRAM 112 and the HDD 113 with the encryption keys B and C even after the controller board 101 is replaced.

  FIG. 7 is a flowchart showing the encryption key setting procedure of the multifunction machine according to the present invention. Upon receiving a key change instruction (encryption key b, c → encryption key B, C) via the operation panel or the network, the CTL 115 proceeds to step S21 and acquires the encryption key A from the TPM 107. The CTL 115 uses the encryption key A to decrypt the encryption keys b and c stored in the USB flash memory 108 and encrypted with the encryption key A. The CTL 115 acquires the decrypted encryption keys b and c from the USB flash memory 108. The CTL 115 decrypts the NVRAM 112 using the encryption key b. The CTL 115 decrypts the HDD 113 using the encryption key c.

  In step S22, the CTL 115 outputs new encryption keys B and C to the outside via the operation panel or the network. In step S23, if the external output of the encryption keys B and C is successful (YES in S23), the CTL 115 proceeds to step S24 and encrypts the NVRAM 112 and the HDD 113 again with the new encryption keys B and C. Then, the process proceeds from step S24 to step S25, and the CTL 115 displays an operation screen on the operation panel and ends the encryption key setting.

  On the other hand, if the external output of the encryption keys B and C fails for some reason, such as user cancellation (NO in S23), the CTL 115 proceeds to step S26 and displays an error screen on the operation panel. Proceeding from step S26 to step S27, the CTL 115 displays an encryption key setting failure screen on the operation panel.

  The sequence diagram of FIG. 8 represents the encryption key setting procedure when the external output of the new encryption keys B and C is successful. In step S31, the CTL 115 receives a key change instruction (encryption keys b, c → encryption keys B, C) via the operation panel or the network. The CTL 115 proceeds to steps S32 and S33, and acquires the encryption key A from the TPM 107.

  Proceeding to steps S34 and S35, the CTL 115 decrypts the encryption keys b and c encrypted by the encryption key A, stored in the USB flash memory 108, using the encryption key A, and decrypted the encryption key b. And c are obtained from the USB flash memory 108. The CTL 115 proceeds to steps S36 and S37, and decrypts the NVRAM 112 and the HDD 113 using the encryption keys b and c.

  Proceeding to steps S38 and S39, the CTL 115 outputs the new encryption keys B and C to the external device 117. Since the external output of the encryption keys B and C has succeeded, the CTL 115 proceeds to steps S40 and S41, encrypts the encryption keys B and C with the encryption key A, and stores them in the USB flash memory 108.

  Then, the process proceeds to steps S42 and S43, and the CTL 115 encrypts the NVRAM 112 and the HDD 113 again with the new encryption keys B and C. Then, the CTL 115 proceeds to step S44, and since the new encryption keys B and C have been successfully set, the operation screen is displayed on the operation panel and the encryption key setting is completed.

  FIG. 9 is a flowchart showing a startup procedure in the multifunction machine. FIG. 10 is a sequence diagram showing a start-up procedure in the multi-function peripheral after replacing the controller board.

  When the MFP 100 is turned on, the process advances to steps S51 and S52, and the CTL 115 acquires the encryption key A or A ′ from the TPM 107, and then determines whether the encryption key is set in the USB flash memory 108.

  If the encryption key is set (YES in S52), the CTL 115 proceeds to step S53, and uses the encryption keys B and C encrypted by the encryption key A stored in the USB flash memory 108 as the encryption key. Decode using A.

  In step S54, the CTL 115 acquires the decrypted encryption key B from the USB flash memory 108, and decrypts the NVRAM 112 using the encryption key B. In step S55, the CTL 115 acquires the decrypted encryption key C from the USB flash memory 108 and decrypts the HDD 113. In step S 65, the multifunction peripheral 100 activates each application by the application control software 116.

  If the encryption key is not set (NO in S52), the CTL 115 determines that the NVRAM 112 and the HDD 113 are not encrypted. For example, after the controller board 101 is exchanged, the encryption key is not set in the USB flash memory 108.

  In step S56, the CTL 115 reads various parameters from the NVRAM 112 as plain text. In step S57, the CTL 115 reads data from the HDD 113 as plain text.

  In step S58, the CTL 115 determines whether or not a reading error has occurred in reading various parameters from the NVRAM 112 and reading data from the HDD 113. For example, if the parameters and data stored in the NVRAM 112 and the HDD 113 are encrypted after the controller board 101 is exchanged, a read error occurs when read as plain text. If a read error does not occur (NO in S58), the CTL 115 proceeds to step S65 and activates each application by the application control software 116.

  If a read error occurs (YES in S58), the CTL 115 proceeds to step S59 and displays on the operation panel a screen 1000 as shown in FIG. 11 for selecting restoration of the encryption key or initialization of the storage device.

  FIG. 11 is an image diagram of an example of a screen for selecting encryption key restoration or storage device initialization. The screen 1000 includes a button 1001 for selecting restoration of the encryption key and a button 1002 for selecting initialization of the storage device. When the button 1001 is pressed by the user, the CTL 115 displays a screen 1100 as shown in FIG. 12 on the operation panel.

  FIG. 12 is an image diagram of an example of a screen for restoring the encryption key. A screen 1100 in FIG. 12 includes an input field for inputting the encryption keys of the NVRAM 112 and the HDD 113. While the screen 1100 is displayed on the operation panel, the user inputs the encryption keys of the NVRAM 112 and the HDD 113 from the outside using manual input or the external device 117 or the like.

  When the encryption keys of the NVRAM 112 and the HDD 113 are input from the outside, the CTL 115 proceeds to steps S60 and S61, and tries to decrypt the NVRAM 112 and the HDD 113 with the input encryption key.

  In step S62, if no decryption error occurs (NO in S62), the CTL 115 proceeds to step S63 and encrypts with the encryption key A ′ using the encryption key of the NVRAM 112 and HDD 113 input to the screen 1100 as a new encryption key. After that, it is stored in the USB flash memory 108. Then, the CTL 115 proceeds to step S65 and activates each application by the application control software 116.

  If a decoding error occurs (YES in S62), the CTL 115 returns to step S59 and displays the screen 1000 on the operation panel again. When the button 1002 on the screen 1000 is pressed by the user, the CTL 115 proceeds to step S64 and initializes the NVRAM 112 and the HDD 113. In step S65, the CTL 115 activates each application by the application control software 116.

  When the encryption key that has been backed up is lost or the encryption key is not backed up, the parameters and data encrypted and stored in the NVRAM 112 and HDD 113 cannot be restored, so the NVRAM 112 and HDD 113 are initialized. The screen 1000 is provided with a button 1002 that allows the user to select whether or not.

  Although the screen 1100 shows an example in which both the NVRAM 112 and the HDD 113 are encrypted, one of them may be encrypted. In this case, the unencrypted storage device may not be included in the screen 1100. In addition, decryption of an unencrypted storage device may be skipped.

  The sequence diagram of FIG. 10 represents the startup procedure when restoring a new encryption key in the multifunction peripheral after the controller board is replaced. When the MFP 100 is turned on, the CTL 115 acquires the encryption key A ′ from the TPM 107 and then determines whether the encryption key is set in the USB flash memory 108.

  Since the controller board 101 has been replaced, no encryption key is set in the USB flash memory 108. Therefore, the CTL 115 determines that the NVRAM 112 and the HDD 113 are not encrypted.

  In step S71, the CTL 115 reads various parameters and data from the NVRAM 112 and the HDD 113 as plain text. After the controller board 101 is replaced, the parameters and data stored in the NVRAM 112 and the HDD 113 are encrypted, so a read error occurs when read as plain text.

  Since a read error has occurred, the CTL 115 proceeds to steps S73 and S74, and displays a screen 1000 as shown in FIG. 11 on the operation panel 118 for selecting restoration of the encryption key or initialization of the storage device. When the button 1001 is pressed by the user, the CTL 115 proceeds to steps S75 and S76, and reads the encryption keys B and C from the external device 117 where the encryption keys B and C are backed up. Note that the CTL 115 may display a screen 1100 as shown in FIG. 12 on the operation panel 118 to input the encryption keys of the NVRAM 112 and the HDD 113.

  Proceeding to steps S 77 and S 78, the NVRAM 112 and the HDD 113 are decrypted with the encryption keys B and C read from the external device 117. Since no decryption error occurs, the CTL 115 proceeds to steps S79 and S80, encrypts the encryption keys B and C read from the external device 117 with the encryption key A ′ as a new encryption key, and then stores them in the USB flash memory 108. . Then, the CTL 115 activates each application by the application control software 116.

  In the above description, the encryption keys B and C encrypted with the encryption key A are stored in the USB flash memory 108. For example, a configuration as shown in FIG. 13 is also conceivable. FIG. 13 is a conceptual diagram showing the storage location of the encryption key. In FIG. 13, the encryption key C of the HDD 113 encrypted with the encryption key B is stored in the NVRAM 112.

  As described above, the MFP 100 according to the present invention can also store the encryption key of another storage device in an encrypted state in the most reliable secure storage device among the plurality of storage devices. By storing the encryption key C of the HDD 113 encrypted with the encryption key B in the NVRAM 112, the multifunction peripheral 100 does not need to back up the encryption key C.

  The MFP 100 in FIG. 13 also stores the encryption key C of the HDD 113 in the USB flash memory 108 on the controller board 101. However, even if the encryption key C is not stored in the USB flash memory 108, The HDD 113 can be restored when the controller board 101 is replaced. However, storing the encryption key C in the USB flash memory 108 has an advantage that the MFP 100 can restore the HDD 113 even when the controller board 101 has no abnormality and the NVRAM 112 has an abnormality.

  FIG. 14 is a conceptual diagram of another example showing the storage location of the encryption key. In FIG. 14, the storage area of the HDD 113 is divided into a plurality of partitions, and each partition is encrypted with different encryption keys C1 to Cn. The HDD 113 may be encrypted with the encryption keys C1 to Cn by dividing the encryption keys C1 to Cn for each of a plurality of users. The MFP 100 stores the encryption keys C1 to Cn of the HDD 113 in the state encrypted with the encryption key B in the NVRAM 112.

  The MFP 100 storing the encryption key C as shown in FIG. 13 is activated as shown in the flowchart of FIG. FIG. 15 is a flowchart showing a startup procedure in the multifunction machine.

  When the MFP 100 is turned on, the process advances to steps S81 and S82, and the CTL 115 obtains the encryption key A or A ′ from the TPM 107, and then determines whether the encryption key is set in the USB flash memory 108.

  If the encryption key is set (YES in S82), the CTL 115 proceeds to step S83, and uses the encryption keys B and C encrypted by the encryption key A stored in the USB flash memory 108 as the encryption key. Decode using A.

  In step S84, the CTL 115 acquires the decrypted encryption key B from the USB flash memory 108, and decrypts the NVRAM 112 using the encryption key B. In step S85, the CTL 115 acquires the decrypted encryption key C from the USB flash memory 108 and decrypts the HDD 113. In step S 96, the multifunction peripheral 100 activates each application by the application control software 116.

  If the encryption key is not set (NO in S82), the CTL 115 determines that the NVRAM 112 and the HDD 113 are not encrypted. For example, after the controller board 101 is exchanged, the encryption key is not set in the USB flash memory 108.

  In step S86, the CTL 115 reads various parameters from the NVRAM 112 as plain text. In step S87, the CTL 115 reads data from the HDD 113 as plain text.

  In step S88, the CTL 115 determines whether or not a reading error has occurred in reading various parameters from the NVRAM 112 and reading data from the HDD 113. For example, if the parameters and data stored in the NVRAM 112 and the HDD 113 are encrypted after the controller board 101 is exchanged, a read error occurs when read as plain text. If a read error does not occur (NO in S88), the CTL 115 proceeds to step S96 and activates each application by the application control software 116.

  If a read error occurs (YES in S88), the CTL 115 proceeds to step S89, and displays a screen 1000 as shown in FIG. 11 on the operation panel for selecting encryption key restoration or storage device initialization. When the encryption key restoration is selected, the CTL 115 proceeds to step S90 and attempts to decrypt the NVRAM 112 with the encryption key of the NVRAM 112 input from the outside.

  In step S91, if no decryption error occurs (NO in S91), the CTL 115 proceeds to step S92, and after encrypting with the encryption key A ′ using the encryption key of the NVRAM 112 input to the screen 1100 as a new encryption key. And stored in the USB flash memory 108.

  In step S93, the CTL 115 extracts the encryption key C of the HDD 113 from the NVRAM 112. In step S94, the CTL 115 decrypts the HDD 113 with the encryption key C. The CTL 115 uses the encryption key C of the HDD 113 as a new encryption key, encrypts it with the encryption key A ′, and stores it in the USB flash memory 108. Then, the CTL 115 proceeds to step S96 and activates each application by the application control software 116.

  If a decoding error occurs (YES in S91), CTL 115 returns to step S89 and displays screen 1000 on the operation panel again. When the initialization of the storage device is selected, the CTL 115 proceeds to step S95 and initializes the NVRAM 112 and the HDD 113. Then, the CTL 115 proceeds to step S96 and activates each application by the application control software 116.

  The encryption keys B and C may be configured as shown in FIG. 16, for example. FIG. 16 is a conceptual diagram showing the configuration of the encryption key. In FIG. 16, for example, a fixed key common to models and an encryption key B are used for encryption of the NVRAM 112.

  A fixed key common to all models is stored in the controller board 101 in the manufacturing process. When a fixed key is used, the encryption key B has a shorter key length. For example, when the key length is 128 bits, the encryption key B is 64 bits by setting the fixed value common to the models to 64 bits, and 8 bytes (11 characters) may be input at the time of restoration.

  FIG. 17 is a conceptual diagram showing a data recovery method according to the present invention. The upper part of FIG. 17 represents the multifunction peripheral 100 before the controller board 101 is replaced. The lower part of FIG. 17 represents the multifunction peripheral 100 after the controller board 101 has been replaced.

  The MFP 100 according to the present invention stores the encryption keys B and C stored in the USB flash memory 108 in the external medium 119 such as an SD card or a USB memory while the controller board 101 is operating normally. deep. When storing the encryption keys B and C, the MFP 100 asks the user to input a password for restoring the encryption keys B and C, and encrypts the encryption keys B and C using the password.

  After the controller board 101 is replaced, the MFP 100 according to the present invention uses the password for restoring the encryption keys B and C input by the user when restoring the encryption keys B and C stored in the external medium 119. Thus, the encryption keys B and C are decrypted. Although the MFP 100 of FIG. 17 stores the encryption keys B and C in the external medium 119, an external server may be used instead of the external medium 119.

  Therefore, in the multi-function device 100 according to the present invention, the backed up encryption keys B and C are encrypted, so that the encryption keys B and C are not easily leaked even if they are stolen.

  FIG. 18 is a conceptual diagram showing a data recovery method according to the present invention. The upper part of FIG. 18 represents the multifunction peripheral 100 before the controller board 101 is replaced. The lower part of FIG. 18 represents the multifunction peripheral 100 after the controller board 101 has been replaced.

  The MFP 100 according to the present invention stores the encryption keys B and C stored in the USB flash memory 108 in the external server 121 while the controller board 101 is operating normally. When storing the encryption keys B and C, the MFP 100 asks the user to input a password for restoring the encryption keys B and C, and encrypts the encryption keys B and C using the password. In addition, the multifunction peripheral 100 transmits the serial number of the controller board 101 to the external server 121.

  It is assumed that the serial number of the controller board 101 is stored in the non-volatile memory on the controller board 101 at the time of factory shipment and printed on the controller board 101.

  Note that the serial number of the controller board 101 may be stored on an RFID tag or an IC card chip in addition to printing on the controller board 101. When the controller board 101 is replaced, since the entire controller board 101 is broken, the serial number of the controller board 101 can be read even if the controller board 101 is broken. Note that tampering can be prevented when the serial number of the controller board 101 is stored in the IC card chip.

  The external server 121 associates and manages the serial number of the controller board 101 and the encryption keys B and C encrypted with the password by using a server table as shown in FIG. FIG. 19 is a configuration diagram of an example of a server table.

  After the controller board 101 is replaced, when the MFP 100 according to the present invention restores the encryption keys B and C stored in the external server 121, the serial number printed on the controller board 101 before the replacement and the external server 121 are restored. The address is entered by an administrator or the like.

  When the serial number printed on the controller board 101 before the replacement and the address of the external server 121 are input, the multi-function device 100 and the encrypted encryption key B corresponding to the serial number input by the administrator or the like Get C. The multifunction device 100 decrypts the encryption keys B and C using the password for restoring the encryption keys B and C input by the user.

  In the MFP 100 of FIG. 18, the encryption keys B and C are stored in the external server 121, but an external medium 119 may be used instead of the external server 121. The external medium 119 can store encrypted encryption keys B and C of a plurality of multifunction peripherals 100 by using a table similar to the server table of FIG.

  The external server 121 may be a maintenance service server prepared by a manufacturer. The address of the external server 121 may be stored in a nonvolatile memory on the controller board 101 in the manufacturing process.

  Therefore, in the MFP 100 according to the present invention, the backed up encryption keys B and C are collected in the external server 121, so that maintenance when a plurality of MFPs 100 are introduced and encryption keys B and C are easily managed. It becomes.

  FIG. 20 is a flowchart showing a startup procedure in the multifunction machine. When the MFP 100 is turned on, the process advances to steps S101 and S102, and the CTL 115 obtains the encryption key A or A ′ from the TPM 107, and then determines whether the encryption key is set in the USB flash memory 108.

  If the encryption key is set (YES in S102), the CTL 115 proceeds to step S103, and uses the encryption keys B and C encrypted by the encryption key A, stored in the USB flash memory 108, as the encryption key. Decode using A.

  In step S104, the CTL 115 acquires the decrypted encryption key B from the USB flash memory 108, and decrypts the NVRAM 112 using the encryption key B. In step S105, the CTL 115 acquires the decrypted encryption key C from the USB flash memory 108 and decrypts the HDD 113. In step S 118, the multifunction peripheral 100 activates each application by the application control software 116.

  If the encryption key is not set (NO in S102), the CTL 115 determines that the NVRAM 112 and the HDD 113 are not encrypted. For example, after the controller board 101 is exchanged, the encryption key is not set in the USB flash memory 108.

  In step S106, the CTL 115 reads various parameters from the NVRAM 112 as plain text. In step S107, the CTL 115 reads data from the HDD 113 as plain text.

  In step S108, the CTL 115 determines whether or not a reading error has occurred in reading various parameters from the NVRAM 112 and reading data from the HDD 113. For example, if the parameters and data stored in the NVRAM 112 and the HDD 113 are encrypted after the controller board 101 is exchanged, a read error occurs when read as plain text.

  If a read error does not occur (NO in S108), the CTL 115 proceeds to step S118 and activates each application by the application control software 116.

  If a read error occurs (YES in S108), the CTL 115 proceeds to step S109, and displays a screen 1000 as shown in FIG. 11 on the operation panel for selecting encryption key restoration or storage device initialization. When restoration of the encryption key is selected, the CTL 115 displays a screen for inputting the serial number printed on the controller board 101 before replacement and the address of the external server 121 on the operation panel 118, etc. The number and the address of the external server 121 are input.

  In step S110, the CTL 115 determines whether or not the encrypted encryption keys B and C corresponding to the serial number input by the administrator or the like have been acquired from the external server 121. If the encrypted encryption keys B and C can be acquired from the external server 121 (YES in S110), the CTL 115 proceeds to step S111 and causes the user to input a password for restoring the encryption keys B and C. The CTL 115 decrypts the encryption keys B and C using the password for restoring the encryption keys B and C input by the user.

  In step S112, the CTL 115 attempts to decrypt the NVRAM 112 with the decrypted encryption key B. In step S113, the CTL 115 attempts to decrypt the HDD 113 with the decrypted encryption key C.

  The process proceeds to step S114, and if no decryption error occurs (NO in S114), the CTL 115 proceeds to step S115 and encrypts with the encryption key A ′ using the encryption keys B and C decrypted in step S111 as new encryption keys. After that, it is stored in the USB flash memory 108. In step S118, the CTL 115 activates each application by the application control software 116.

  If a decoding error occurs (YES in S114), CTL 115 returns to step S109 and displays screen 1000 on the operation panel again. When the initialization of the storage device is selected, the CTL 115 proceeds to step S117 and initializes the NVRAM 112 and the HDD 113. In step S118, the CTL 115 activates each application by the application control software 116. If the encrypted encryption keys B and C cannot be acquired from the external server 121 (NO in S110), the CTL 115 proceeds to step S116 and ends with an error.

  FIG. 21 is a conceptual diagram showing a data recovery method according to the present invention. The upper part of FIG. 21 represents the multifunction peripheral 100 before the controller board 101 is replaced. The lower part of FIG. 21 represents the multifunction peripheral 100 after the controller board 101 has been replaced.

  The MFP 100 according to the present invention stores the encryption keys B and C stored in the USB flash memory 108 in the external server 121 while the controller board 101 is operating normally. When storing the encryption keys B and C, the MFP 100 asks the user to input a password for restoring the encryption keys B and C, and encrypts the encryption keys B and C using the password. In addition, the multifunction peripheral 100 transmits the serial number of the controller board 101 to the external server 121. For example, the external server 121 is a maintenance service server prepared by a manufacturer.

  When there is a request for restoring the encryption key from the multi-function device 100, the external server 121 authenticates the restore request. The external server 121 holds information for authentication of a restore request in a server table as shown in FIG. FIG. 22 is a configuration diagram of an example of a server table. The server table of FIG. 22 manages the serial number of the controller board 101, the password obtained by encrypting the encryption keys B and C, and the encryption keys B and C encrypted by the password in association with each other.

  For example, the external server 121 in FIG. 21 uses a password obtained by encrypting the encryption keys B and C for authentication of the restore request. For authentication of the restore request, an independent authentication password that is not a password obtained by encrypting the encryption keys B and C may be used. For restoration request authentication, challenge-response authentication using an encryption key in the TPM 107, hash authentication, or the like may be used. Note that the external server 121 does not pass the encrypted encryption keys B and C to the multifunction peripheral 100 for which the restoration request authentication has failed.

  When the authentication of the restore request is successful, the external server 121 acquires encrypted encryption keys B and C corresponding to the serial number of the controller board 101 received from the multifunction device 100. The multi-function device 100 decrypts the encryption keys B and C using the password for restoring the encryption keys B and C input by the user.

  Therefore, since the multifunction peripheral 100 according to the present invention performs authentication at the time of restoration, it can detect attacks for decryption of encryption keys such as brute force attacks and dictionary attacks.

  FIG. 23 is a conceptual diagram showing a data recovery method according to the present invention. FIG. 23 shows the multifunction peripheral 100 before the controller board 101 is replaced. In FIG. 23, the storage area of the HDD 113 is divided into a plurality of partitions, and each partition is encrypted with different encryption keys C1 to Cn. The HDD 113 may divide the encryption keys C1 to Cn for each of a plurality of users, and may be encrypted with the encryption keys C1 to Cn.

  The multifunction peripheral 100 according to the present invention stores the encryption keys B and C1 to Cn stored in the USB flash memory 108 in a plurality of different external media 119 while the controller board 101 is operating normally. When storing the encryption keys B and C1 to Cn, the multi-function device 100 allows the user to input the passwords 0 to n for restoring the encryption keys B and C1 to Cn, so that the encryption key B and the passwords are used. C1 to Cn are encrypted.

  After the controller board 101 is replaced, when the MFP 100 according to the present invention restores the encryption keys B and C1 to Cn stored in the external medium 119, it uses the restore passwords 0 to n input by the user. To decrypt the encryption keys B and C1 to Cn. Although FIG. 23 shows an example in which a plurality of external media 119 are used, for example, different directories on one external media 119 may be used.

  Therefore, since the MFP 100 according to the present invention can back up the encryption keys C1 to Cn for each user, even the administrator cannot analyze the encryption keys C1 to Cn of the user.

  FIG. 24 is a conceptual diagram showing a data recovery method according to the present invention. FIG. 24 shows the multifunction peripheral 100 before the controller board 101 is replaced. In FIG. 24, the storage area of the HDD 113 is divided into a plurality of partitions, and each partition is encrypted with different encryption keys C1 to Cn. The HDD 113 divides the encryption keys C1 to Cn for each of a plurality of users and is encrypted with the encryption keys C1 to Cn.

  The multifunction peripheral 100 according to the present invention stores the encryption key B stored in the USB flash memory 108 in one external medium 119 and the encryption keys C1 to Cn are different while the controller board 101 is operating normally. It is transmitted to a plurality of mail servers 122. When storing the encryption key B, the MFP 100 encrypts the encryption key B using the password 0 by having the user input the password 0 for restoring the encryption key B.

  Further, when transmitting the encryption keys C1 to Cn, the multi-function device 100 allows the user to input the passwords 1 to n for restoring the encryption keys C1 to Cn, so that the encryption key C1 is used using the passwords 1 to n. ~ Cn is encrypted. The mail server 122 transfers the encrypted encryption keys C1 to Cn to each user by mail.

  FIG. 25 is an image diagram of mail transferred to the user. Note that the encrypted encryption keys C1 to Cn may be described in the body of an email, for example, or attached to an email as an attached file.

  After the controller board 101 is replaced, when the MFP 100 according to the present invention restores the encryption key B stored in the external medium 119, the MFP 100 decrypts the encryption key B using the restore password 0 input by the user. To do. In addition, when the MFP 100 according to the present invention restores the encryption keys C1 to Cn transferred to the user by mail, the MFP 100 acquires the encryption keys C1 to Cn from the received mail from the user and restores the passwords 1 to n. Is used to decrypt the encryption keys C1 to Cn.

  Therefore, in the multifunction peripheral 100 according to the present invention, the encryption keys C1 to Cn can be transferred by mail for each user, so that the user can save a backup of the encryption keys C1 to Cn.

  FIG. 26 is a flowchart showing the encryption key setting procedure of the multifunction machine according to the present invention. In step S121, the CTL 115 receives a key change instruction (encryption keys b, c → encryption keys B, C) via the operation panel or the network. In step S122, the CTL 115 acquires the encryption key A from the TPM 107. The CTL 115 uses the encryption key A to decrypt the encryption keys b and c stored in the USB flash memory 108 and encrypted with the encryption key A. The CTL 115 acquires the decrypted encryption keys b and c from the USB flash memory 108. The CTL 115 decrypts the NVRAM 112 using the encryption key b. The CTL 115 decrypts the HDD 113 using the encryption key c.

  In step S123, the CTL 115 converts the encryption keys B and C with BASE64. In step S124, the CTL 115 outputs the new encryption key B to the outside via the operation panel or the network.

  In step S125, if the external output of the encryption key B is successful (YES in S125), the CTL 115 proceeds to step S126 and transfers the encryption keys C1 to Cn to each user by mail. Proceeding to step S127, if the CTL 115 has successfully sent the encryption keys C1 to Cn (YES in S127), the CTL 115 proceeds to step S128 and re-encrypts the NVRAM 112 and the HDD 113 with the new encryption key B and encryption keys C1 to Cn. Then, the process proceeds from step S128 to step S129, and the CTL 115 displays an operation screen on the operation panel and ends the setting of the encryption key.

  On the other hand, if the external output of the encryption key B fails for some reason, such as user cancellation (NO in S125), the CTL 115 proceeds to step S130 and displays an error screen on the operation panel. In step S131, the CTL 115 determines whether or not the error situation has been recovered. If the error situation does not recover (NO in S131), the CTL 115 proceeds to step S132 and displays an encryption key setting failure screen on the operation panel. If the error situation is recovered (YES in S131), the CTL 115 proceeds to step S126.

  If the CTL 115 fails to transmit the encryption keys C1 to Cn (NO in S127), the CTL 115 proceeds to step S133 and displays an error screen on the operation panel. In step S134, the CTL 115 determines whether or not the error situation has been recovered. If the error condition does not recover (NO in S134), the CTL 115 proceeds to step S135 and displays an encryption key setting failure screen on the operation panel. If the error situation is recovered (YES in S134), the CTL 115 proceeds to step S128.

  FIG. 27 is a flowchart showing a startup procedure in the multifunction machine. In step S141, a recovery mail is received from the user. In step S142, the CTL 115 checks the USB flash memory 108. If recovery of the encryption key is necessary (YES in S143), the CTL 115 proceeds to step S144 and decrypts the HDD 113 with the encryption key acquired from the recovery mail. If no decryption error occurs (NO in S145), the CTL 15 stores the new key in the USB flash memory 108.

  If recovery of the encryption key is not required (NO in S143) or a decryption error occurs (YES in S145), the CTL 115 proceeds to step S147 and returns an error mail to the user.

  Therefore, the MFP 100 according to the present invention can decrypt parameters and data that are encrypted and stored in the NVRAM 112 and the HDD 113 with the encryption keys B and C1 to Cn even after the controller board 101 is replaced.

  The present invention is not limited to the specifically disclosed embodiments, and various modifications and changes can be made without departing from the scope of the claims.

FIG. 2 is a hardware configuration diagram of an example of a multifunction machine according to the present invention. FIG. 3 is a software configuration diagram of an example of a multifunction peripheral according to the present invention. 4 is a flowchart showing a start-up procedure of the multifunction machine according to the present invention. It is a sequence diagram showing the starting procedure of the multifunctional machine by this invention. FIG. 3 is a hardware configuration diagram of an example of a multifunction machine with a controller board replaced. It is a conceptual diagram showing the data recovery method by this invention. 6 is a flowchart showing a cryptographic key setting procedure of the multifunction machine according to the present invention. It is a sequence diagram showing the encryption key setting procedure when the external output of a new encryption key is successful. 6 is a flowchart showing a start-up procedure in the multifunction machine. It is a sequence diagram showing the starting procedure in the multifunctional machine after controller board replacement | exchange. It is an image figure of an example of the screen which selects restoration of an encryption key, or initialization of a storage device. It is an image figure of an example of the screen for restoring an encryption key. It is the conceptual diagram which showed the storage place of an encryption key. It is the conceptual diagram of the other example which showed the storage location of the encryption key. 6 is a flowchart showing a start-up procedure in the multifunction machine. It is the conceptual diagram which showed the structure of the encryption key. It is a conceptual diagram showing the data recovery method by this invention. It is a conceptual diagram showing the data recovery method by this invention. It is a block diagram of an example of a server table. 6 is a flowchart showing a start-up procedure in the multifunction machine. It is a conceptual diagram showing the data recovery method by this invention. It is a block diagram of an example of a server table. It is a conceptual diagram showing the data recovery method by this invention. It is a conceptual diagram showing the data recovery method by this invention. It is an image figure of the mail forwarded to the user. 6 is a flowchart showing a cryptographic key setting procedure of the multifunction machine according to the present invention. 6 is a flowchart showing a start-up procedure in the multifunction machine.

Explanation of symbols

100 MFP 101 Controller board 102 CPU
103 ROM
104 RAM
105 LAN controller 106 DCR
107 TPM
108 USB Flash Memory 109 Operation Port 110 Plotter 111 Scanner 112 NVRAM
113 HDD
114 OS
115 Overall control software (CTL)
116 Application control software 116
117 External device 118 Operation panel 119 External media 120 Media IO
121 External server 122 Mail server 501 OCR

Claims (22)

A configuration includes at least a controller board on which a secure memory and a first storage device are mounted, and a second storage device, wherein a second encryption key is stored in the secure memory and encrypted with the first encryption key. storing the encryption key to the first storage device, a second data recovery method for an information processing apparatus the encrypted data with the encryption key is stored in the second storage device,
A backup step of decrypting the second encryption key using the first encryption key and backing up the second encryption key as a backup key outside the information processing apparatus;
A restore step for restoring the backup key to the inside of the information processing apparatus when the first and second encryption keys cannot be used;
And a decrypting step of decrypting the data stored in the second storage device using the backup key restored in the information processing apparatus.   2. The data recovery according to claim 1, wherein, in the backup step, after the second encryption key is encrypted with a password input by an operator, the backup is backed up as the backup key in a removable third storage device. Method.   3. The data recovery method according to claim 2, wherein the restoring step decrypts the backup key with the password and restores the backup key into the information processing apparatus.   2. The data recovery according to claim 1, wherein, in the backup step, the second encryption key is encrypted with a password inputted by an operator, and then backed up as a backup key to a server connected via a network. Method.   The restore step transmits identification information of the information processing apparatus to the server, receives the backup key corresponding to the identification information from the server, decrypts the backup key with the password, and stores the backup key. 5. The data recovery method according to claim 4, wherein the restoration is performed inside the information processing apparatus.   6. The data recovery method according to claim 1, wherein the backup step backs up the backup key for each user or for each area of the second storage device.   The data recovery method according to claim 6, wherein the backup step transfers the backup key for each user.   When there are a plurality of the second encryption keys, one of the second encryption keys is backed up as a backup key outside the information processing apparatus, and the remaining second encryption key is encrypted with the one second encryption key The data recovery method according to claim 1, wherein the data is stored in the second storage device.   The second encryption key is composed of a fixed part and a variable part, and the restoring step is based on the fixed part of the second encryption key and the variable part of the second encryption key input by an operator. The data recovery method according to claim 1, wherein a key is generated and the backup key is restored in the information processing apparatus. The data recovery method according to claim 1 , wherein the secure memory stores the first encryption key in a read-only nonvolatile area. A configuration including at least a controller board on which a secure memory and a first storage device are mounted; a second storage device; and at least one of a plotter and a scanner; and storing a first encryption key in the secure memory; storing the second cryptographic key encrypted with a key to the first storage device, the data encrypted with the second encryption key to a images processing device that are stored in the second storage device,
Backup means for decrypting the second encryption key using the first encryption key and backing up the second encryption key as a backup key outside the apparatus;
Restore means for restoring the backup key to the inside of the apparatus when the first and second encryption keys cannot be used;
An image processing apparatus comprising: decrypting means for decrypting data stored in the second storage device using the backup key restored in the apparatus.   12. The image processing according to claim 11, wherein the backup unit encrypts the second encryption key with a password input by an operator and then backs up the backup key as a backup key in a removable third storage device. apparatus.   13. The image processing apparatus according to claim 12, wherein the restoration unit decrypts the backup key with the password and restores the backup key into the image processing apparatus.   12. The image processing according to claim 11, wherein the backup unit encrypts the second encryption key with a password input by an operator, and then backs up the image as a backup key to a server connected via a network. apparatus.   The restore means transmits identification information of the device itself to the server, receives the backup key corresponding to the identification information from the server, decrypts the backup key with the password, and stores the backup key in the device The image processing apparatus according to claim 14, wherein the image processing apparatus is restored.   The image processing apparatus according to claim 11, wherein the backup unit backs up the backup key for each user or each area of the second storage device.   The image processing apparatus according to claim 16, wherein the backup unit transfers the backup key for each user.   When there are a plurality of the second encryption keys, one second encryption key is backed up as a backup key outside the apparatus, and the remaining second encryption key is encrypted with one second encryption key. The image processing apparatus according to claim 11, wherein the image processing apparatus is stored in a storage device.   The second encryption key is composed of a fixed part and a variable part, and the restoring step is based on the fixed part of the second encryption key and the variable part of the second encryption key input by an operator. The image processing apparatus according to claim 11, wherein a key is generated, and the backup key is restored in the image processing apparatus. The image processing apparatus according to claim 11 , wherein the secure memory stores the first encryption key in a read-only nonvolatile area. A first encryption key is stored in a secure memory, and a second encryption key encrypted with the first encryption key is stored in a first storage device, and encrypted with the second encryption key A controller board having at least the secure memory and the first storage device included in an image processing apparatus having at least one of a second storage device storing data, a plotter, and a scanner,
Backup means for decrypting the second encryption key using the first encryption key and backing up the second encryption key as a backup key outside the image processing device;
Restore means for restoring the backup key to the inside of the image processing apparatus when the first and second encryption keys cannot be used;
A controller board comprising: decrypting means for decrypting data stored in the second storage device using the backup key restored in the image processing apparatus. A configuration includes at least a controller board on which a secure memory and a first storage device are mounted, and a second storage device, wherein a second encryption key is stored in the secure memory and encrypted with the first encryption key. storing the encryption key to the first storage device, to be that the information processing apparatus stores the encrypted data in the second encryption key to said second storage device,
A backup procedure for decrypting the second encryption key using the first encryption key and backing up the second encryption key as a backup key outside the information processing apparatus;
A restore procedure for restoring the backup key into the information processing apparatus when the first and second encryption keys cannot be used;
A data recovery program for executing a decryption procedure for decrypting data stored in the second storage device using the backup key restored in the information processing apparatus.

Images