JP5067390B2 - Replacement part data recovery system - Google Patents

Description

  The present invention relates to a system for restoring data in a replacement part of an image forming apparatus.

  Image forming apparatuses such as printers, digital copiers, and digital multi-function peripherals (devices that have functions of printers, scanners, copiers, etc.) are detachably mounted with replacement parts such as toner cartridges and photosensitive drum cartridges. There is. In addition, a non-volatile storage medium (for example, an RFID tag) that stores management data such as a count value indicating the amount of replacement parts used (for example, how many sheets have been used) and user information is provided in the replacement parts, and the image forming apparatus Management data in the nonvolatile storage medium is read or written. In order to prevent such illegal use and falsification of management data, the management data is encrypted in the main body of the image forming apparatus and then written to the nonvolatile storage medium in the replacement part. In addition, in order to increase the encryption strength, a key for encryption / decryption is generated using unique management information (for example, manufacturing serial number, manufacturing date, etc.) stored in each nonvolatile storage medium. (See Patent Document 1).

  By the way, if the specific management information stored in the nonvolatile storage medium cannot be read for some reason, the data encrypted using the key based on the management information and written in the nonvolatile storage medium cannot be decrypted. . For example, if the life count value written on the replacement part medium cannot be decoded normally, the amount of film loss on the drum becomes abnormal, the process control does not operate normally, and image quality abnormalities (black stripes, etc.) occur. This may happen.

  In Patent Document 2, in order to be able to restore a secret key in an IC card when it is damaged, the data obtained by dividing and encrypting the secret key data is distributed and stored in a plurality of IC cards. The mechanism is disclosed.

JP 2005-149416 A JP 2004-023138 A

  The present invention decrypts the data that is encrypted based on the unique information and stored in the storage medium even if the specific information stored in the storage medium in the replacement part of the image forming apparatus cannot be read for some reason. The object is to provide a system for increasing the possibilities.

The invention according to claim 1 includes a first apparatus, an image forming apparatus, and a second apparatus, wherein the first apparatus is in a storage medium provided in a replacement part of the image forming apparatus. Means for reading out the unique information from a first storage location storing unique information as a key used for encryption and decryption of management data written to the storage medium by the image forming apparatus among the storage locations; Encryption key information is generated by encrypting the issued unique information or a key generated based on the unique information using a method that can be decrypted only by the second device , and the encryption key information is stored in the storage medium. e Bei means for writing the second memory location a predetermined, wherein the image forming apparatus includes means for reading the specific information from the first storage location in the storage medium provided in the replacement part The read unique information Means for generating a key used for encryption and decryption based on the error detection code, and adding the error detection code to the management data of the image forming apparatus, and adding the error detection code to the management data Means for encrypting with the key used for the encryption generated based on the data, and writing the data of the encryption result to a third storage location for management data in the storage medium, and the storage provided in the replacement part The data of the encryption result read from the third storage location in the medium is decrypted with the key used for the decryption generated based on the unique information, and the error detection code included in the data of the decryption result Based on this, it is determined whether the management data included in the data of the decryption result is correctly decrypted. If it is determined that the management data is not decrypted correctly, the replacement part cannot be used. Comprising a determining means for presenting a message indicating that the said second apparatus comprises means for reading the encrypted key information from said second storage location in the storage medium provided in the replacement part a key generating unit for generating the key by decrypting the encrypted key information read out, the data of the encryption result read from the third memory location before Symbol in the storage medium, the key The decryption is performed using the key generated by the generation means, and the management data included in the data obtained as a result of the decryption is correctly decrypted based on the error detection code included in the data obtained as a result of the decryption. A decoding means for determining whether or not the replacement part is provided with a message indicating that the determination means of the image forming apparatus cannot use the replacement part. When the data of the encryption result read from the third storage location in the storage medium provided in is determined that the management data is correctly decrypted by the decryption means of the second device In addition, it is possible to determine that the unique information stored in the first storage location has been destroyed .

  According to the first aspect of the present invention, even when the specific information stored in the storage medium in the replacement part of the image forming apparatus cannot be read for some reason, it is encrypted based on the specific information and stored in the storage medium. The possibility that the stored data can be decoded can be increased.

It is a figure showing an example of a system of an embodiment roughly. It is a figure for demonstrating the flow of the normal data encryption and writing to CRUM. It is a figure for demonstrating that it becomes impossible to decode the data written by destruction of the specific information in CRUM. It is a figure for demonstrating the flow which decodes the data in CRUM with a spare key when specific information is destroyed.

  In the system illustrated in FIG. 1, the control unit 100 of the image forming apparatus main body such as a printer, a copier, or a multifunction machine performs various controls using management data 102 regarding replacement parts such as a toner cartridge and a drum cartridge. The management data includes, for example, a count value indicating the amount of replacement parts used and user information. The control unit 100 writes the management data in a memory (CRUM (Customer Replaceable Unit Monitor) 200) in the replacement part at a predetermined timing such as when the power is turned off or every time a predetermined number of sheets are printed. For example, the usage count value of the toner cartridge is written in the CRUM of the toner cartridge. The control unit 100 is realized, for example, when a processor in the image forming apparatus executes a control program stored in a nonvolatile storage medium such as a read-only memory provided in the image forming apparatus. .

  The CRUM 200 is a memory attached to a replacement part of the image forming apparatus. The CRUM 200 is a memory unit including a communication interface that performs wireless communication with the control unit 100 of the image forming apparatus main body, such as an RFID tag. Of course, this is only an example, and the CRUM 200 may perform wired communication with the image forming apparatus main body. The CRUM 200 includes a nonvolatile storage medium such as an EEPROM (Electrically Erasable and Programmable Read Only Memory), and stores data written from the control unit 100 in this medium. Also, each CRUM 200 stores unique information different from other CRUMs. In the example of FIG. 1, the serial ID 202 is an example of unique information. The serial ID 202 is identification information written in the CRUM by the manufacturer (for example, the RFID tag manufacturer) that produced the CRUM 200 for individual identification of the CRUM. In addition, a CRUM manufacturer may write production information 204 such as a manufacturing date, a manufacturing location, and a lot number into the CRUM 200 from the viewpoint of quality control of the CRUM. The serial ID 202 and the production information 204 are written in an area that cannot be generally rewritten by a replacement part manufacturer that incorporates the CRUM 200 into a replacement part.

  Returning to the description of the control unit 100 again, when the control unit 100 of the image forming apparatus main body writes the management data 102 to the CRUM 200, a code for error detection or error correction such as a CRC (Cyclic Redundancy Check) 104 is managed data. 102. Then, the encryption / decryption unit 106 in the control unit 100 encrypts the management data 102 with the CRC 104. For this encryption, the encryption key generation unit 108 in the control unit 100 reads the unique information from the CRUM 200 and generates a cryptographic key by applying a predetermined calculation to the unique information. Then, the encryption / decryption unit 106 encrypts the management data 102 with the CRC 104 using this encryption key. In this example, a combination of the serial ID 202 and the production information 204 (one or more of the production information items such as the manufacturing date and lot number) is read from the CRUM 200 as specific information. Since the serial ID 202 and the production information 204, which are the source of the encryption key, are written at predetermined addresses in the memory space of the CRUM 200, the encryption key generation unit 108 reads values from these predetermined addresses.

  Note that the serial ID 202 and the production information 204 are only used as information serving as a seed for the encryption key. The type of encryption key is not limited to this example, and any information that is unique to the CRUM 200 stored in the CRUM 200 may be used.

  In the illustrated example, the control unit 100 writes the encrypted data 206a, which is the encryption result of the management data 102, to an address predetermined for the management data on the CRUM 200 and an encryption that is a copy of the encrypted data 206a. Data 206b and 206c are written to predetermined addresses for those copies in CRUM 200.

  In the example illustrated in FIG. 2, the encryption key generation unit 108 applies a function or algorithm for key generation to a value “00011010” obtained by merging (merging) the serial ID “0001” and the production information “1010”. Thus, an encryption key is generated. Then, the encryption / decryption unit 106 adds the data obtained by adding the CRC 104 to the usage amount count value “001234” (of the replacement part provided with the CRUM 200), which is the management data 102 to be written to the CRUM 200. Encrypt with that encryption key. The control unit 100 sets the encrypted value as the three encrypted data 206a, 206b, and 206c including the spare to the address predetermined in the CRUM 200 as the usage count value and the place where the spare data is written. Write.

  The control unit 100 reads the encrypted data 206a from the CRUM 200 at a predetermined timing such as when the power is turned on. Then, the read encrypted data 206 a is decrypted by the encryption / decryption unit 106. For this decryption process, the encryption key generation unit 108 reads the serial ID 202 and the production information 204 from the CRUM 200, generates a decryption key based on these information, and the encryption / decryption unit 106 Is used to decrypt the encrypted data 206a. Here, the decryption key may have the same value as the encryption key, or may have a different value (however, a value corresponding to the encryption key). The decryption result of the encrypted data 206 a is divided into management data 102 and CRC 104. The control unit 100 performs an error check on the management data 102 using the CRC 104. If it is determined that there is no error in the management data 102, the control process is executed using the management data 102. For example, when the management data 102 is a replacement part usage amount count value, the control unit 100 starts from the decoded count value, and then increments the count value every time the printing process is executed, and the power is turned off. When the predetermined condition is satisfied, the count value is encrypted by the above-described process and written back to the CRUM 200.

  When it is determined that there is an error in the error check by the CRC 104, the control unit 100 reads the spare encrypted data 206b, decrypts it as described above, and performs error check. If this check reveals that there is no error, the control unit 100 may perform control processing using the management data of the decoding result.

  When an error is also detected in the decryption result of the encrypted data 206b, the control unit 100 reads and decrypts the last spare encrypted data 206c, and performs an error check. If this check reveals that there is no error, the control unit 100 may perform control processing using the management data of the decoding result.

  On the other hand, if it is determined by error detection that the last spare encrypted data 206c is also an error, there is a possibility that the replacement part on which the CRUM 200 is mounted has been illegally used. Therefore, for example, the control unit 100 temporarily stops the operation (for example, printing) of the image forming apparatus main body, and displays a message on the display unit of the image forming apparatus main body prompting replacement because the replacement part cannot be used. For example, the replacement part that has been made unusable is picked up by the producer of the replacement part, and the cause of the unusable part is investigated.

  Here, when all the encrypted data 206a to 206c cannot be correctly decrypted in this way, the cause may be that the encrypted data 206a, 206b, 206c are all broken or falsified for some reason. In addition, there is a possibility that any of the data (the serial ID 202 and the production information 204 in the illustrated example) serving as a key seed for encryption and decryption is broken. The latter possibility will be described with reference to FIG.

  The example of FIG. 3 shows a case where the serial ID 212 is broken for some reason after the encryption and writing shown in the example of FIG. That is, when the value of the serial ID 202 is “0001” at the time illustrated in FIG. 2, the reason serial ID 212 is changed to “1001” at the subsequent time of FIG. In this case, the encryption key generation unit 108 generates a key for encryption and decryption using the value “10011010” obtained by merging the serial ID 212 and the production information 204 as a seed. Here, since the seed value is different from the value “00011010” in the case of FIG. 2, a key having a value different from that in the case of FIG. 2 is obtained. Therefore, for example, the encrypted data 206a to 206c encrypted with the key generated from the seed “00011010” at the time of FIG. 2 is correctly decrypted even if the encrypted data 206a to 206c is decrypted with the key generated from the seed “10011010” at the time of FIG. It is not possible. That is, in this case, for any of the encrypted data 206a to 206c, the combination of the decryption result management data 112 and the CRC 114 is determined to have an error by an error check.

  Since the unique information such as the serial ID 202 is not rewritten, it is not destroyed by deterioration due to an increase in the number of rewrites unlike data in other rewritable areas. For this reason, the conventional CRUM has not been provided with a mechanism for dealing with the case where the unique information is broken. However, in reality, the unique information may be corrupted due to a device-related memory disturb failure or the like. In such a case, if it is found that the decryption failure of the encrypted data 206a to 206c is due to destruction of the unique information, it may be possible to compensate the customer such as free replacement of replacement parts or reduction of the replacement fee.

  Therefore, in this embodiment, the encryption spare key information 208 is written in the CRUM 200 in order to cope with the case where the unique information of the CRUM 200 as a key seed is destroyed. The encrypted spare key information 208 is information (referred to as spare key information) that is a source for generating a key for encryption and decryption corresponding to the unique information even when the unique information in the CRUM 200 is broken. Is encrypted by an encryption algorithm kept secret by the manufacturer of the replacement part. That is, the spare key information may be, for example, unique information of the CRUM 200 (for example, serial ID 202 and production information 204), or may be a key generated by the encryption key generation unit 108 based on the unique information. In either case, the encrypted spare key information 208 is encrypted so that it can be decrypted only by the production / data collection tool 300 on the replacement part producer side. Neither the control unit 100 nor a third party can correctly decrypt the encrypted preliminary key information 208 unless the production / data collection tool 300 knows the decryption key and encryption algorithm.

  The encrypted spare key information 208 is generated by, for example, a production / data collection tool 300 provided in a factory that produces replacement parts with a CRUM 200. As shown in FIG. 1, the spare key information generation unit 302 provided in the production / data collection tool 300 reads unique information such as the serial ID 202 and the production information 204 from the CRUM 200, and encrypts the spare data based on these values. Key information 208 is generated. At this time, the backup key information generation unit 302 encrypts the backup key information using a unique key or encryption algorithm. Then, the encryption spare key information 208 generated by the encryption is written to a predetermined address in the CRUM 200.

  As described above, when it is determined that all the encrypted data 206a to 206c in the CRUM 200 are in error at the time of decryption, the replacement part is picked up by the producer side or the producer side engineer is in charge of the image forming apparatus. The CRUM 200 is investigated using the production / data collection tool 300 by the manufacturer of the replacement parts, such as by going to the installed customer.

  That is, the encryption key recovery unit 304 of the production / data recovery tool 300 reads and decrypts the encryption spare key information 208 from a predetermined address of the CRUM 200 of the replacement part to be investigated, and encrypts the encrypted data based on the decryption result. A key for decrypting 206a to 206c is generated. For this purpose, the encryption key recovery unit 304 has a key and an encryption algorithm for decrypting the data encrypted by the backup key information generation unit 302. Then, using the decryption key generated by the encryption key recovery unit 304, the decryption unit 306 decrypts the encrypted data 206a, and performs CRC error detection on the decryption result. Accordingly, if it is determined that there is no error in the decoding result, it can be determined that the CRUM 200 is determined to be unusable because the unique information (such as the serial ID 202 and the production information 204) of the CRUM 200 has been destroyed. Even if the decryption result of the encrypted data 206a is incorrect, if it is determined that there is no error in the decryption result of either the spare encrypted data 206b or 206c, it can be determined that the unique information has been destroyed.

  For example, in the example of FIG. 4, even if the unique information in the CRUM 200 has changed as illustrated in FIG. 3, if the encryption spare key information 208 has not been destroyed or changed, the production / data collection tool 300 The encryption key recovery unit 304 can obtain a decryption key corresponding to the correct unique information “00011010”. Therefore, if the encrypted data 206a is not destroyed or changed, the decryption unit 306 can correctly decrypt the encrypted data 206a using the key, and the CRC check is also passed.

  In this way, when the encrypted data 206a to 206c can be correctly decrypted using the encrypted spare key information 208, the customer is followed up based on the management data 102 (for example, count value) of the decryption result. May be performed.

  In the example shown above, the production / data collection tool 300 is shown as an integrated device, but this is only an example. For example, instead, a configuration for writing the encrypted backup key information 208 in the tool 300 (backup key information generation unit 302) and a configuration for decryption using the encryption backup key information 208 in the CRUM 200 ( Of course, the encryption key recovery unit 304 and the decryption unit 306) may be configured as separate devices.

  In addition, since the control unit 100 cannot decrypt the encrypted spare key information 208 in the CRUM 200, the control unit 100 does not perform processing using the encrypted spare key information 208. However, in order to make third party analysis difficult, The control unit 100 may perform dummy access to the address of the encrypted backup key information 208.

  The production / data collection tool 300 is realized, for example, by causing a general-purpose computer to execute a program representing the above-described processing. Here, the computer, for example, via a microprocessor such as a CPU, a memory (primary storage) such as a random access memory (RAM) and a read-only memory (ROM), and an HDD (hard disk drive) controller as hardware. The connected HDDs, various I / O (input / output) interfaces, and the like have a circuit configuration connected via a bus. A network interface for connecting to a network such as a local area network may be connected to the bus. Also, portable non-volatile recording of various standards such as a disk drive and a flash memory for reading and / or writing to a portable disk recording medium such as a CD or a DVD via the I / O interface, for example. A memory reader / writer or the like for reading from and / or writing to a medium may be connected. A program in which the processing contents of each functional module exemplified above are described is stored in a fixed storage device such as a hard disk drive via a recording medium such as a CD or DVD, or via a communication means such as a network, and stored in a computer. Installed. The function of the tool 300 exemplified above is realized by reading the installed program into the RAM and executing it by a microprocessor such as a CPU.

  100 control unit of image forming apparatus main body, 102 management data, 104 CRC, 106 encryption / decryption unit, 108 encryption key generation unit, 200 CRUM, 202 serial ID, 204 production information, 206a to 206c encrypted data, 208 encryption Spare key information, 300 production / data recovery tool, 302 spare key information generation unit, 304 encryption key recovery unit, 306 decryption unit.

Claims (1)

A first apparatus, an image forming apparatus, and a second apparatus;
The first device includes:
Wherein among the storage locations in the storage medium provided in the replacement part of the image forming apparatus, and stores the unique information by the image forming apparatus is the original key used for encryption and decryption of management data to be written to the storage medium Means for reading out the specific information from the first storage location;
Encryption key information is generated by encrypting the read unique information or a key generated based on the read unique information using a method that can be decrypted only by the second device , and the encryption key information is stored in the storage medium. Means for writing to a predetermined second storage location;
Bei to give a,
The image forming apparatus includes:
Means for reading out the unique information from the first storage location in the storage medium provided in the replacement part;
Means for generating a key used for encryption and decryption based on the read unique information;
An error detection code is added to the management data of the image forming apparatus, and the management data after adding the error detection code is encrypted with a key used for the encryption generated based on the unique information Means for writing encryption result data to a third storage location for management data in the storage medium;
The encryption result data read from the third storage location in the storage medium provided in the replacement part is decrypted with the key used for the decryption generated based on the unique information, and the decryption result Based on the error detection code included in the data, it is determined whether or not the management data included in the decoding result data is correctly decoded. A determination means for presenting a message indicating that there is,
With
The second device includes:
Means for reading out the encryption key information from the second storage location in the storage medium provided in the replacement part;
Key generation means for generating the key by decrypting the read encryption key information;
The data of the encryption result read from the third memory location in the previous term memory medium, while decoding using the key generated by the key generating means, contained in the resulting data of the decoding Decoding means for determining whether or not the management data included in the data obtained as a result of the decoding is correctly decoded based on the error detection code to be obtained ;
Equipped with a,
The encryption read from the third storage location in the storage medium provided in the replacement part for the replacement part for which the message indicating that the determination unit of the image forming apparatus cannot be used is presented When it is determined that the management data is correctly decoded by the decoding unit of the second device, the specific data stored in the first storage location can be determined to have been destroyed. Like,
A data restoration system for replacement parts, which is characterized by that .

Images