KR100917706B1 - Information management device and information management method - Google Patents

Abstract

The security chip 215 is connected to the communication I / F 209, the biometric sensor 211, the CPU 201, and the memory / storage 300 via a bus. Moreover, in the information processing apparatus 101, various software 301 is provided, and the information regarding these software 301 can also be acquired. Moreover, the information regarding the peripheral device 302 connected to the information processing apparatus 101 can also be acquired. The security chip 215 is composed of communication authentication hardware 311, biometric hardware 312, in-device information authentication hardware 313, monitoring hardware 314, and verification hardware 315. .

Description

Information management device and information management method {INFORMATION MANAGEMENT DEVICE AND INFORMATION MANAGEMENT METHOD}

The present invention relates to an information management apparatus and an information management method for managing information in an information processing apparatus.

In recent years, the introduction of IPv6 (Internet Protocol Version 6) has led to information processing devices connected to communication networks such as the Internet, as well as personal computers, server computers, and mobile phones, as well as home appliances such as refrigerators, microwave ovens, air conditioners, TVs, DVDs, Copiers, furthermore, robots and the like can also be connected to a communication network to transmit and receive information. As the information processing apparatus connected to the communication network increases in this way, the security is deteriorated.

In particular, home appliances have low safety and may be a source of a program that causes a problem in normal operation of the device from the outside, or may become a foothold of DDoS (Distributed Denial of Service). Thus, in order to increase the safety of such an information processing apparatus, an attempt has been made to mount a biometric authentication function using a fingerprint or the like into the information processing apparatus (see Patent Document 1, for example).

Further, when performing electronic commerce using these information processing apparatuses, whether the information processing apparatus is used by a legitimate owner, the owner owns a transaction using the information processing apparatus, or a device which impairs the safety of the information processing apparatus is connected, or an OS ( Operating system), browsers, plug-in software, etc., it is preferable to perform commerce first after securing safety, such as whether or not software is installed.

In addition, biometric authentication using biometric information, personal authentication (PKI (Public Key Infrastructure) authentication) using an electronic certificate using a certification authority, and environmental authentication for confidentially managing information about an information processing device are also performed. In addition, a storage medium driving apparatus capable of performing various security without causing an increase in manufacturing cost has been proposed (see, for example, Patent Document 2 below).

Patent Document 1

Japanese Patent Laid-Open No. 3-58174

Patent document 2

Japanese Patent Application Laid-Open No. 10-283190

However, in the above conventional technology, there is a problem that fingerprint information for authentication may leak, and it is difficult to secure high security only by biometric authentication.

In addition, if software for patching, firmware, or the like is provided to these information processing apparatuses, the software being transmitted to a third party may be forged, so it is necessary to sufficiently secure the safety between the information transmitting apparatus and the information processing apparatus. there was. On the other hand, when the level of safety is raised too much, there exists a problem that it becomes difficult to send and receive information smoothly.

In addition, when a plurality of types of authentication processing such as biometric authentication, personal authentication, environmental authentication, etc. are performed independently by one information processing apparatus, mutual authentication is required when exchanging information between each authentication processing. Therefore, in addition to each authentication function, an authentication function for exchanging information with other authentication functions is provided, and there is a concern that a product cost and an authentication processing time increase.

On the other hand, since the above-mentioned biometric authentication, personal authentication, and environmental authentication are originally authentication functions used for different purposes, the update frequency, update amount, and update method for programs or data such as firmware for executing each authentication process are different.

Therefore, when the above-described biometric authentication, identity authentication, and environmental authentication functions are embedded in a single chip, each time the program or data related to each authentication function is updated, the entire chip is updated, and in many cases, the cost is increased. In virtually impossible. In addition, it is inconvenient because the user cannot use it in the meantime when a work to be recreated occurs every time it is updated.

Therefore, since the update of these individual authentication functions must be performed as soon as possible for the purpose of the original authentication, it is not meaningful to perform authentication by waiting for other updates and updating them simultaneously.

SUMMARY OF THE INVENTION The present invention has been made in view of the above-described problems, and can improve safety by making it possible to flexibly and strictly execute programs and data updates in biometric authentication, identity authentication (PKI authentication), and environmental authentication. An object of the present invention is to provide an information management apparatus and an information management method.

Disclosure of Invention

In order to solve the above-described problems and achieve the object, the information management apparatus of the present invention is mounted in an information processing apparatus, and is provided with a communication authentication hardware that authenticates the safety of communications other than the information processing apparatus, and a predetermined different from the communication authentication hardware. An information management apparatus comprising a single chip having processing hardware for processing the data, wherein the safety of communication between the provider of any execution program provided in the single chip and the information processing apparatus is authenticated by the communication authentication hardware. A correction program for modifying the execution program sent from the provider to the information processing apparatus, input means for accepting input of the digital signature generated by the correction program and the secret key of the provider; Execution program modified by the fix entered by the input means Program determination means for determining whether a gram is an executable program installed in either the communication authentication hardware or the processing hardware, a message digest of the modified program, an electronic signature input by the input means, and Validity verification means for verifying whether or not it is legitimate to update the execution program determined by the program determining means on the basis of the public key of the provider, and the verification result verified by the validity verification means. And updating means for updating the execution program determined by the program determining means on the basis of the corrected program.

According to the present invention, it is possible to authenticate the security of the cipher that receives the modified program and the validity of the renewal by the received modified program by a single chip.

1 is an explanatory diagram showing a schematic configuration of an information management system according to an embodiment of the present invention.

2 is a block diagram showing a hardware configuration of the information processing apparatus.

3 is a block diagram showing a hardware configuration of a security chip.

FIG. 4 is a block diagram showing a specific configuration of each hardware shown in FIG.

5 is an explanatory diagram showing an electronic certificate stored in a memory / storage.

6 is an explanatory diagram showing registration information stored in a memory / storage.

7 is an explanatory diagram showing information in a device stored in a memory / storage.

8 is a flowchart showing a communication authentication processing procedure of the information management apparatus according to the embodiment of the present invention.

9 is an explanatory diagram showing an example of update information.

10 is an explanatory diagram showing update information when the identification information is any one of A to C. FIG.

11 is an explanatory diagram showing update information when the identification information is information of D. FIG.

Fig. 12 is a flowchart showing an update processing procedure of the security chip when the communication safety is authenticated by the communication authentication hardware.

13 is a flowchart showing an update processing procedure of the communication authentication program (or the information authentication program in the device).

14 is a flowchart showing an update processing procedure of a biometric authentication program.

15 is a flowchart showing a procedure of updating an electronic certificate of a user.

16 is a flowchart showing a communication authentication processing procedure in the case of recording registration information.

17 is an explanatory diagram showing input information.

18 is a flowchart showing a recording processing procedure of registration information.

19 is an explanatory diagram showing registration instruction information.

20 is a flowchart showing a normal operation processing procedure by the security chip.

EMBODIMENT OF THE INVENTION Below, embodiment of this invention is described in detail, referring drawings.

(Schematic Configuration of Information Management System)

1 is an explanatory diagram showing a schematic configuration of an information management system according to an embodiment of the present invention. In FIG. 1, the information management system 100 includes an information processing apparatus 101 of a user, an information providing apparatus 102 for providing an execution program or data in the information processing apparatus 101, and an authentication apparatus 103 of an authentication station. ) Is connected via a network 104 such as the Internet.

The information processing apparatus 101 of the user includes, for example, a mobile phone, a personal computer, another refrigerator, a microwave oven, an air conditioner, a home appliance such as a TV, a DVD, a copy machine, a robot, and the like. A security chip is mounted on this information processing apparatus 101.

The information providing device 102 is managed by a vendor or a maker that develops or sells an execution program or various data, a vendor who manufactures or sells the information processing device 101, or the like. The information providing apparatus 102 stores a modified program such as a patch of an executable program or various data, or uploads it on the network 104. It also generates electronic signatures of executable programs and various data. The authentication device 103 issues and manages electronic certificates of users, manufacturers, vendors, vendors, and the like. In addition, an electronic signature of the issued electronic certificate is generated.

[Hardware Configuration of Information Processing Device 101]

Next, the hardware configuration of the information processing apparatus 101 will be described. 2 is a block diagram showing a hardware configuration of the information processing apparatus 101. In FIG. 2, the information processing apparatus 101 includes a CPU 201, a ROM 202, a RAM 203, a hard disk drive (HDD) 204, an HD (hard disk) 205, FDD (flexible disk drive) 206, FD (flexible disk) 207 as an example of a removable recording medium, display 208, communication I / F (interface) 209, input key (keyboard) , Including a mouse) 210, a biometric sensor 211, and a security chip 215. In addition, each component is connected by the bus 200, respectively.

Here, the CPU 201 is in charge of controlling the entire information processing apparatus 101. The ROM 202 stores a program such as a booting program. The RAM 203 is used as a work area of the CPU 201. The HDD 204 controls the recording / reading of data to the HD 205 under the control of the CPU 201. The HD 205 stores data recorded under the control of the HDD 204.

The FDD 206 controls the writing / reading of data to the FD 207 under the control of the CPU 201. The FD 207 stores the data recorded under the control of the FDD 206 or causes the information processing apparatus 101 to read the data stored in the FD 207.

In addition to the FD 207, a removable recording medium may be a CD-ROM (CD-R, CD-RW), MO, Digital Versatile Disk (DVD), a memory card, or the like. Display 208 displays data such as documents, images, function information, as well as cursors, icons or toolboxes. The display 208 can employ, for example, a CRT, a TFT liquid crystal monitor, a plasma display, or the like.

The communication I / F 209 is connected to a network 104 such as the Internet via a communication line, and is connected to another device via this network 104. The communication I / F 209 is in charge of the interface with the network 104 and controls the input / output of data from an external device. As the communication I / F 209, for example, a modem, a LAN adapter, or the like can be adopted.

The input key 210 includes keys for inputting letters, numbers, various instructions, and the like, and inputs data. It may also be a touch panel input pad or numeric keys.

As an example, the biometric sensor 211 includes a fingerprint sensor 212, a camera 213, and a microphone 214. The fingerprint sensor 212 is a device for detecting irregularities of a fingerprint of a finger at an interval of approximately 50 µm and converting the fingerprint into an electrical signal. Examples of the fingerprint reading method include a semiconductor type, an optical type, a pressure sensitive type, and a thermosensitive type. The camera 213 is a biometric sensor 211 that picks up the eye's iris or retina. In addition, the microphone 214 is a biometric sensor 211 that detects a voiceprint representing a sound feature.

The security chip 215 is called a TPM (Trusted Platform Module) and is mounted on the main board of the information processing apparatus 101. The security chip 215 is a chip that provides only basic functions for realizing security or privacy. This security chip 215 is also defined by the specification of the Trusted Computing Group (TCG). The TPM mounted on one information processing apparatus 101 cannot be mounted on another information processing apparatus 101. When the TPM is removed from the information processing apparatus 101, the information processing apparatus 101 can be started. There will be no. This security chip 215 is an information management apparatus according to an embodiment of the present invention.

[Hardware Configuration of Security Chip 215]

Next, the hardware configuration of the security chip 215 described above will be described. 3 is a block diagram showing a hardware configuration of the security chip 215. In FIG. 3, the security chip 215 is in contact with the communication I / F 209, the biometric sensor 211, the CPU 201, and the memory / storage 300 via a bus. Moreover, in the information processing apparatus 101, various software 301 is provided, and the information regarding these software 301 can also be acquired. Moreover, the information regarding the peripheral device 302 connected to the information processing apparatus 101 can also be acquired.

The memory / storage 300 may be provided in any area of the security chip 215 or other than the security chip 215 as long as it is in the information processing apparatus 101. When installed in the security chip 215, it is possible to prevent the removal or forgery of the memory / storage 300.

The security chip 215 also includes communication authentication hardware 311, biometric hardware 312, in-device information authentication hardware 313, monitoring hardware 314, and verification hardware 315. It is.

The communication authentication hardware 311 authenticates the safety of the communication of the information server 101, for example, the providing server and the authentication server shown in FIG. Specifically, the communication authentication hardware 311 performs identity authentication [PKI (Public Key Infrastructure) authentication] using an electronic certificate using a certificate authority, so that the person who communicates with the outside is a person registered regularly by the certificate authority. Can be determined. The communication authentication hardware 311 is provided with a communication authentication program 321 for executing communication authentication processing.

The biometric authentication hardware 312 authenticates whether or not the biometric information detected by the biometric sensor 211 and the registered biometric information of a user registered in the information processing apparatus 101 match. The biometric authentication hardware 312 can determine whether the person operating the information processing apparatus 101 is a regular user. The biometric authentication hardware 312 is provided with a biometric authentication program 322 that performs biometric authentication processing.

In-device information authentication hardware 313 authenticates the information processing device 101 or information in the single chip (in-device information). The information in this apparatus is called environmental information, and information (for example, device name and version information) about this peripheral apparatus 302 acquired from the peripheral apparatus 302 connected to the information processing apparatus 101, or the information processing apparatus 101 is known. ) Includes information (eg, software name, version information) related to the software 301 installed in the system, and various types of information (eg, electronic certificates) stored in the memory / storage 300. For this reason, the in-device information authentication hardware 313 is also called environmental authentication hardware.

In-device information authentication hardware 313 also confidentially manages information stored in memory / storage 300. Specifically, the information acquired by the in-device information authentication hardware 313 is encrypted with a unique encryption key and stored in the memory / storage 300. On the other hand, when there is a call from other hardware, the information stored by encrypting with the unique decryption key paired with the encryption key is decrypted. By this encryption and decryption process, it can authenticate that it is not forged in the information processing apparatus 101. FIG. The in-device information authentication hardware 313 is provided with an in-device information authentication program 323 for performing the above-described processing.

In addition, the resident program 324 is provided in the monitoring hardware 314 to monitor the exchange of information in the information management apparatus. A specific monitoring process will be described later.

In addition, a verification program 325 is provided in the verification hardware 315, and when the safety of communication with the outside is authenticated by the communication authentication hardware 311, the verification hardware 315 is inputted to the security chip 215 from the outside. Validation of information, verification of correspondence, etc. are performed. Specific verification processing will be described later.

(Specific configuration of each hardware)

Next, the specific structure of each hardware 311-315 shown in FIG. 3 is demonstrated. FIG. 4 is a block diagram showing a specific configuration of each hardware 311 to 315 shown in FIG. In FIG. 4, each hardware 311-315 includes a processor 401, a ROM 402, a RAM 403, an EEPROM 404, an input I / F (interface) 405, and a cryptographic processor. It consists of 406. In addition, the components 401 to 406 are connected to each other by the bus 400.

Here, the processor 401 is in charge of controlling the entire hardware 311 to 315. The ROM 402 stores a program such as a booting program. The RAM 403 is used as a working area of the processor 401. The EEPROM 404 stores a program executed by each hardware 311 to 315. The cryptographic processor 406 generates an asymmetric cryptographic key, encrypts, decrypts, generates a message digest (generates a hash value), generates an electronic signature, and the like.

[Memory Contents of Memory / Storage 300]

Next, the storage contents of the memory / storage 300 shown in FIG. 3 will be described. 5 is an explanatory diagram showing an electronic certificate stored in the memory / storage 300. FIG. 6 is an explanatory diagram showing registration information stored in the memory / storage 300. FIG. 7 is an explanatory diagram showing information in a device stored in the memory / storage 300. FIG.

In Fig. 5, the electronic certificates Ca to Cz are stored for each subject. The term "certificate name" includes a person certified by electronic certificates (Ca to Cz), for example, a user, a manufacturer, a vendor, a certification authority, and the like. The electronic certificates Ca to Cz also contain version information, signature algorithms, issuer names, expiration dates, public keys, and other related information. The electronic certificates Ca to Cz are encrypted and stored by the in-device information authentication hardware 313 shown in FIG.

6, the registration information 600 is comprised by the registrant name 601, the sensor type information 602, and the biometric information 603. In FIG. 6, as an example, the registrant "X" which is a user registers the image data "Xa" of the fingerprint of the registrant "X" detected by the "fingerprint sensor" as the biometric information 603. In FIG. The registration information 600 is encrypted and stored by the in-device information authentication hardware 313 shown in FIG.

In addition, as the device information in FIG. 7, names and versions of execution programs such as the peripheral device 302, the software 301, and the communication authentication program 321 installed in each hardware, shown in FIG. 3, are stored.

(Communication Authentication Processing Order)

Next, the contents of the communication authentication process of the information management device (security chip 215) according to the embodiment of the present invention will be described. 8 is a flowchart showing a communication authentication processing procedure of the information management apparatus (security chip 215) according to the embodiment of the present invention.

In Fig. 8, first, in the communication I / F 209, it is determined whether update information has been received (step S801). Here, update information will be described. 9 is an explanatory diagram showing an example of update information.

In FIG. 9, the update information 900 includes identification information 901, update data 902, an electronic signature 903 of the provider, and an electronic certificate of the provider (if the park is an authentication station, Digital certificate) 904, and a digital signature 905 of a certification authority. The identification information 901 is information specifying the content of the update data 902.

For example, when the identification information 901 is "A", the update data 902 is "a patch of the communication authentication program 321". When the identification information 901 is "B", the update data 902 is "a patch of the in-device information authentication program 323". When the identification information 901 is "C", the update data 902 is "a patch of the biometric authentication program 322". When the identification information 901 is "D", the update data 902 is "a new electronic certificate of the user".

The update data 902 is a patch or electronic certificate specified by the identification information 901. The update data 902 is also accompanied by an electronic signature 903 of the provider. The provider's electronic signature 903 is data obtained by encrypting the hash value 911 of the update data 902 with the provider's secret key.

In addition, the electronic certificate 904 of the provider is an electronic certificate issued by an arbitrary certification authority. The electronic certificate 904 is attached with an electronic signature 905 of the certification authority. The digital signature 905 of the certification authority is data obtained by encrypting the hash value 912 of the electronic certificate 904 with the private key of the certification authority.

Here, update information in the case where the identification information 901 is any one of A to C will be described. 10 is an explanatory diagram showing update information when the identification information is any one of A to C. FIG.

In the update information 1000 shown in FIG. 10, the pre-update program 1001 and the patch 1002 are programs created by a provider such as a manufacturer or a vendor. The post-update program 1003 is also a program created by a provider such as a maker or a vendor, and is a program in which the pre-update program 1001 is modified by the patch 1002.

The provider's electronic signature 1004 is an electronic signature that encrypts the hash value 1011 of the patch 1002 with the provider's secret key. In addition, the electronic signature 1005 of the provider may also be attached. This electronic signature 1005 is an electronic signature which encrypts the hash value 1012 of the program 1003 after update with the secret key of the provider.

The update information when the identification information 901 is the D information will be described. 11 is an explanatory diagram showing update information when the identification information 901 is D information. This update information 1100 has a new electronic certificate 1101 of the user issued by the certification authority. This electronic certificate 1101 is, for example, update data issued as soon as possible by the authentication device 103 of the authentication station when the expiration date of the current electronic certificate has passed. It may also be an electronic certificate newly issued to the user.

The digital signature 1102 of the certification authority is an electronic signature obtained by encrypting the hash value 1111 of the user's new electronic certificate 1101 with the private key of the certification authority. The electronic certificate 1104 of the certification authority is an electronic certificate issued by the certification authority itself or another certification authority. The digital signature 1105 of the certificate authority is data obtained by encrypting the hash value 1112 of the electronic certificate 1104 with the secret key of the certificate authority that issued the electronic certificate 1104.

In addition, when the update information 900 (or 1000, 1100) is received in FIG. 8 (step S801: Yes), the electronic certificate of the source of the provider to the communication authentication hardware 311 through the communication I / F 209 is provided. 904 (or the electronic certificate 1104 of the certification authority) and the electronic signature 905 (or 1105) of the certification authority are input (step S802). In addition, it communicates with the certificate authority of the issuer included in the electronic certificate 904 (or the electronic certificate 1104) here to verify whether the electronic certificate 904 (or the electronic certificate 1104) is valid at this time. You may do it. This can improve the safety of the communication.

Then, the communication authentication hardware 311 extracts the certificate authority name included in the inputted electronic certificate 904 (or the electronic certificate 1104 of the certification authority) of the input provider, and the electronic certificate 904 (or 1104). The authentication station that issued the certificate is specified (step S803).

The communication authentication hardware 311 outputs the specified authentication station to the in-device information authentication hardware 313. The in-device information authentication hardware 313 extracts the electronic certificate of the authentication station specified by the communication authentication hardware 311 from within the electronic certificate stored encrypted in the memory / storage 300. The extracted electronic certificate is then decrypted with a decryption key of the in-device information authentication hardware 313 to obtain the public key of the specified authentication station (step S804). The fact that this public key could be obtained means that the information in the memory / storage 300 is not forged, and that it is authenticated as secure.

The obtained public key of the authentication station is output to the communication authentication hardware 311. The communication authentication hardware 311 decodes the digital signature 905 (or 1105) of the authentication station with the obtained public key of the authentication station to generate a hash value (step S805). Next, the communication authentication hardware 311 generates a message digest (hash value) of the inputted electronic certificate 904 (or the electronic certificate 1104 of the authentication station) of the input provider (step S806).

Then, the communication authentication hardware 311 determines whether or not the hash value generated in step S805 and the hash value generated in step S806 match (step S807). If there is a match (step S807: Yes), the safety of communication with the provider (or authentication station) is authenticated (step S808), and a highly stable communication path is generated. On the other hand, when there is a mismatch (step S807: No), the safety of communication with the provider (or authentication station) is not authenticated and cannot be communicated.

[Update Process of Security Chip 215]

Next, the update processing procedure of the security chip 215 when the communication safety is authenticated by the communication authentication hardware 311 will be described. 12 is a flowchart showing an update processing procedure of the security chip 215 when the communication safety is authenticated by the communication authentication hardware 311.

In Fig. 12, when the safety of communication is first authenticated (step S1201: Yes), the monitoring hardware 314 receives the identification information 901, update data 902, and update data 902 received at the communication I / F 209. Is inputted (step S1202).

The monitoring hardware 314 then refers to the input identification information 901. When the identification information 901 is "A" (step S1203: A), the update data 901 is judged as a patch 1002 of the communication authentication program 321, and performs the update process of the communication authentication program 321 ( Step S1204).

In addition, when the identification information 901 is "B" (step S1203: B), the update data 901 is determined as the patch 1002 of the in-device information authentication program 323, and the in-device information authentication program 323 Update processing is performed (step S1205).

If the identification information 901 is "C" (step S1203: C), the update data 901 is determined to be a patch 1002 of the biometric authentication program 322, and the update processing of the biometric authentication program 322 is performed. (Step S1206).

If the identification information 901 is "D" (step S1203: D), the update data 901 is determined to be the user's new electronic certificate 1101, and the user's electronic certificate is updated (step S1207). .

[Update Process of Communication Authentication Program 321]

Next, an update processing procedure of the communication authentication program 321 (or the in-device information authentication program 323) will be described. 13 is a flowchart showing an update processing procedure of the communication authentication program 321 (or the device information authentication program 323).

In Fig. 13, the monitoring hardware 314 obtains the public key of the provider of the patch (step S1301). Specifically, the monitoring hardware 314 requests the in-device information authentication hardware 313 to acquire the public key of the provider of the patch. The in-device information authentication hardware 313 extracts the electronic certificate of the source of the patch from the electronic certificate stored in the memory / storage 300 encrypted.

The electronic certificate extracted with the decryption key of the in-device information authentication hardware 313 is decrypted, and the public key is extracted from the decrypted electronic certificate. By supplying this extracted public key to the monitoring hardware 314, the monitoring hardware 314 can obtain the public key of the provider of the patch.

The monitoring hardware 314 then decrypts the provider's digital signature with the acquired provider's public key to generate a hash value (step S1302). The monitoring hardware 314 also generates a message digest (hash value) of the patch (step S1303). The monitoring hardware 314 then outputs the hash value generated in step S1302 and the hash value generated in step S1303 to the verification hardware 315.

The verification hardware 315 determines whether or not the hash value generated in step S1302 and the hash value generated in step S1303 match (step S1304). If they do not match (step S1304: No), there is a possibility that the patch may be forged, so that the series of processing is terminated without updating processing.

On the other hand, if there is a match (step S1304: Yes), the patch is not forged, and the right thing is authenticated (step S1305). Then, an update process of the communication authentication program 321 (in the case of the update processing procedure of the in-device information authentication program 323, the in-device information authentication program 323) is performed by the patch certified as legitimate (step S1306). .

In addition, the monitoring hardware 314 detects whether or not there is an electronic signature 1005 of the program 1003 after updating in the input update information (step S1307). If there is no electronic signature 1005 of the program 1003 after the update (step S1307: No), the series of processing ends.

On the other hand, if there is an electronic signature 1005 of the program 1003 after the update (step S1307: Yes), the monitoring hardware 314 decrypts the electronic signature 1005 with the public key obtained in step S1301 to generate a hash value (step S1307). S1308).

The monitoring hardware 314 is further configured to execute the communication authentication program 321 (in the device information authentication program 323 in the case of the update processing procedure of the device information authentication program 323) updated by the update process in step S1306. A message digest (hash value) is generated (step S1309). The monitoring hardware 314 then outputs the hash value generated in step S1308 and the hash value generated in step S1309 to the verification hardware 315.

The verification hardware 315 determines whether or not the hash value generated in step S1308 and the hash value generated in step S1309 match (step S1310). If they do not match (step S1310: No), the normal update is not performed and the series of processing ends. On the other hand, if there is a match (step S1310: Yes), the updated communication authentication program 321 (in the case of the update processing procedure of the device information authentication program 323, the device information authentication program 323 in the device) is determined by the provider. After the update, it becomes the same program as the program 1003, and it can be confirmed that normal update has been performed (step S1311).

Accordingly, it can be confirmed that the update processing of the entire updated program only by the patch and the electronic signature is normally performed even if the entire program 1003 is not downloaded from the provider. Therefore, a safe and quick authentication process can be realized.

[Update Process of Biometric Authentication Program 322]

Next, an update processing procedure of the biometric authentication program 322 will be described. 14 is a flowchart showing an update processing procedure of the biometric authentication program 322. In Fig. 14, first, the in-device information authentication hardware 313 acquires sensor type information of the biometric sensor 211 specified by the user (step S1401). The in-device information authentication hardware 313 notifies the monitoring hardware 314 of the acquired sensor type information.

Then, it is determined whether the sensor type information of the biometric authentication program 322 to be corrected by the patch in the inputted update information and the sensor type information notified by the in-device information authentication hardware 313 match ( Step S1402).

If it does not match (step S1402: No), it is not a user specified biometric authentication, and a series of processing is finished. On the other hand, when the sensor type information is matched (step S1402: Yes), the monitoring hardware 314 acquires the public key of the provider of the patch (step S1403). Specifically, the monitoring hardware 314 requests the in-device information authentication hardware 313 to obtain the public key of the provider of the patch. The in-device information authentication hardware 313 extracts the electronic certificate of the source of the patch from the electronic certificate stored in the memory / storage 300 encrypted.

Then, the electronic certificate extracted with the decryption key of the in-device information authentication hardware 313 is decrypted, and the public key is extracted from the decrypted electronic certificate. By supplying this extracted public key to the monitoring hardware 314, the monitoring hardware 314 can obtain the public key of the provider of the patch.

Next, the monitoring hardware 314 decrypts the digital signature of the provider with the obtained provider's public key to generate a hash value (step S1404). The monitoring hardware 314 also generates a message digest (hash value) of the patch (step S1405). The monitoring hardware 314 then outputs the hash value generated in step S1404 and the hash value generated in step S1405 to the verification hardware 315.

The verification hardware 315 determines whether or not the hash value generated in step S1404 and the hash value generated in step S1405 match (step S1406). If they do not match (step S1406: No), there is a possibility that the patch is forged, so that the series of processing is terminated without updating.

On the other hand, if there is a match (step S1406: Yes), the patch is not forged, and the right thing is authenticated (step S1407). Then, the update process of the biometric authentication program 322 is performed by the patch certified as legitimate (step S1408).

In addition, the monitoring hardware 314 detects whether the electronic signature 1005 of the program 1003 after the update is among the input update information (step S1409). If there is no electronic signature 1005 of the program 1003 after the update (step S1409: No), the series of processing ends.

On the other hand, if there is an electronic signature 1005 of the program 1003 after the update (step S1409: Yes), the monitoring hardware 314 decrypts the electronic signature 1005 with the public key obtained in step S1403 to generate a hash value (step S1410).

The monitoring hardware 314 also generates a message digest (hash value) of the biometric authentication program 322 updated by the update process in step S1408 (step S1411). The monitoring hardware 314 then outputs the hash value generated in step S1410 and the hash value generated in step S1411 to the verification hardware 315.

The verification hardware 315 determines whether or not the hash value generated in step S1410 coincides with the hash value generated in step S1411 (step S1412). If it matches (step S1412: Yes), the updated biometric authentication program 322 becomes the same program as the program 1003 after the provider's update, and it can be confirmed that normal update is performed (step S1413). On the other hand, if there is a mismatch (step S1412: No), the normal update is not performed and the series of processing ends.

(Update process of electronic certificate of user)

Next, the update processing procedure of the user's electronic certificate will be described. 15 is a flowchart showing a procedure of updating an electronic certificate of a user. In Fig. 15, the monitoring hardware 314 acquires the public key of the authentication station that provided the user's new electronic certificate 1101 (step S1501). Specifically, the monitoring hardware 314 extracts the name of the certificate authority that issued this electronic certificate 1101 from within the electronic certificate 1101, and specifies the certificate authority of the issuer. The monitoring hardware 314 requests to obtain the public key of the authentication authority specified for the in-device information authentication hardware 313. The in-device information authentication hardware 313 extracts the electronic certificate of the specified authentication station from the electronic certificate stored encrypted and stored in the memory / storage 300.

The electronic certificate extracted with the decryption key of the in-device information authentication hardware 313 is decrypted, and the public key is extracted from the decrypted electronic certificate. By supplying this extracted public key to the monitoring hardware 314, the monitoring hardware 314 can obtain the public key of the specified authentication station.

The monitoring hardware 314 then decrypts the digital signature 1102 of the authentication station with the obtained public key of the authentication station to generate a hash value (step S1502). The monitoring hardware 314 also generates a message digest (hash value) of the electronic certificate 1101 (step S1503). The monitoring hardware 314 then outputs the hash value generated in step S1502 and the hash value generated in step S1503 to the verification hardware 315.

The verification hardware 315 determines whether or not the hash value generated in step S1502 and the hash value generated in step S1503 match (step S1504). If it does not match (step S1504: No), there is a possibility that the electronic certificate 1101 may be forged, so that the series of processing is terminated without performing an update process.

On the other hand, if there is a match (step S1504: Yes), the electronic certificate 1101 is not forged and authenticates that it is legitimate (step S1505). Then, an update process is performed from the user's current electronic certificate to the electronic certificate 1101 which is certified as legitimate (step S1506).

As a result, the electronic certificate of the user whose expiration date has passed can be safely and promptly updated.

(Communication authentication processing procedure when recording registration information)

Next, the communication authentication processing procedure in the case of recording the registration information will be described. 16 is a flowchart showing a communication authentication processing procedure in the case of recording registration information.

In Fig. 16, the communication authentication hardware 311 first inputs an electronic certificate of a provider who provides an electronic registration instruction via the communication I / F 209, and an electronic signature by the authentication station of the electronic certificate (step S1601). ). 17 is an explanatory diagram showing input information input by step S1601. In FIG. 17, the input information 1700 includes an electronic certificate 1701 of a provider who provides an electronic registration instruction, and an electronic signature 1702 by a certificate authority of the electronic certificate 1701. As shown in FIG. The digital signature 1702 is an electronic signature obtained by encrypting the hash value 1703 of the electronic certificate 1701 with the secret key of the certificate authority.

In Fig. 16, the communication authentication hardware 311 extracts the name of the authentication station that issued this electronic certificate 1701 from the electronic certificate 1701, and specifies the authentication station of the issuer (issuer) (step S1602).

The communication authentication hardware 311 outputs the specified authentication station to the in-device information authentication hardware 313. The in-device information authentication hardware 313 extracts the electronic certificate of the authentication station specified by the communication authentication hardware 311 from within the electronic certificate that is encrypted and stored in the memory / storage 300. The extracted electronic certificate is then decrypted with a decryption key of the in-device information authentication hardware 313 to obtain the public key of the specified authentication station (step S1603). The fact that this public key could be obtained means that the information in the memory / storage 300 is not forged, and that it is authenticated as secure.

The obtained public key of the authentication station is output to the communication authentication hardware 311. The communication authentication hardware 311 decrypts the digital signature 1702 of the authentication station with the obtained public key of the authentication station to generate a hash value (step S1604). Next, the communication authentication hardware 311 generates a message digest (hash value) of the inputted electronic certificate 1701 (step S1605).

The communication authentication hardware 311 then determines whether or not the hash value generated in step S1604 and the hash value generated in step S1605 match (step S1606). If it matches (step S1606: Yes), the safety of communication with the authentication station is authenticated (step S1607), and a high stability communication path is generated. On the other hand, if there is a mismatch (step S1606: No), the safety of communication with the authentication station is not authenticated and communication cannot be performed.

(Recording procedure of registration information)

Next, the procedure for recording the registration information will be described. 18 is a flowchart showing a recording processing procedure of registration information. In Fig. 18, first, sensor type information of the biometric sensor 211 designated by the user is obtained (step S1801). When the safety of communication is authenticated in the communication authentication processing procedure shown in Fig. 16 (step S1802: Yes), registration instruction information is input from the provider via the communication I / F 209 (step S1803).

Here, the registration instruction information will be described. 19 is an explanatory diagram showing registration instruction information. In FIG. 19, the registration instruction information 1900 includes an electronic registration instruction 1901 and an electronic signature 1902 of a provider (provider of the electronic registration instruction 1901).

The electronic registration instruction 1901 is data relating to an instruction for registering the biometric information detected by the biometric sensor 211 specified by the user, and a provider name and a biometric sensor 211 available to the user's information processing apparatus 101. Sensor type information is described. Further, the provider's electronic signature 1902 is an electronic signature obtained by encrypting the hash value 1903 of the electronic registration instruction 1901 with the secret key of the provider.

In addition, in FIG. 18, the monitoring hardware 314 determines whether the sensor type information acquired in step S1801 is included in the electronic registration instruction 1901 (step S1804). If the acquired sensor type information is not included (step S1804: No), the biometric sensor 211 that the user wants to use cannot be used, and thus the series of processing is finished.

On the other hand, when the acquired sensor type information is included (step S1804: Yes), the monitoring hardware 314 acquires the public key of the provider of the electronic registration instruction 1901 (step S1805). Specifically, the monitoring hardware 314 requests the in-device information authentication hardware 313 to obtain the public key of the provider of the electronic registration instruction 1901. The in-device information authentication hardware 313 extracts the electronic certificate of the source of the electronic registration instruction 1901 from within the electronic certificate stored encrypted in the memory / storage 300.

The electronic certificate extracted with the decryption key of the in-device information authentication hardware 313 is decrypted, and the public key is extracted from the decrypted electronic certificate. By supplying this extracted public key to the monitoring hardware 314, the monitoring hardware 314 can obtain the public key of the provider of the electronic registration instruction 1901.

The monitoring hardware 314 then decrypts the digital signature of the provider with the obtained provider's public key to generate a hash value (step S1806). In addition, the monitoring hardware 314 generates a message digest (hash value) of the electronic registration instruction 1901 (step S1807). The monitoring hardware 314 then outputs the hash value generated in step S1806 and the hash value generated in step S1807 to the verification hardware 315.

The verification hardware 315 determines whether or not the hash value generated in step S1806 and the hash value generated in step S1807 match (step S1808). If there is a mismatch (step S1808: No), there is a possibility that the electronic registration instruction 1901 is forged, so that a series of processing is terminated without performing registration processing.

On the other hand, if there is a match (step S1808: Yes), the verification hardware 315 instructs the biometric authentication hardware 312 to register the biometric information (step S1809). At this time, the information processing apparatus 101 is waiting for input of biometric information.

When biometric information is input from the biometric sensor 211 designated by the user (step S1810: Yes), user name (registrant name), sensor type information (e.g., fingerprint sensor, etc.), and biometric information (e.g., fingerprint image of the user). Data) is recorded in the memory / storage 300 (step S1811). This recording process is stored in the memory / storage 300 by the in-device information authentication hardware 313 encrypting the registration information via the biometric authentication hardware 312. As a result, the user's registration information can be safely and promptly performed.

[Operational Operation Processing Procedure by the Security Chip 215]

Next, the normal operation processing procedure by the security chip 215 will be described. 20 is a flowchart showing a normal operation processing procedure by the security chip 215. When the biometric information detected by the biometric sensor 211 is input in FIG. 20 (step S2001: Yes), the in-device information authentication hardware 313 extracts the encrypted registration information from the memory / storage 300 and uses the decryption key. Decode (step S2002).

The biometric authentication hardware 312 then collates the input biometric information with the decoded biometric information. If the biometric information does not match (step S2003: No), access is denied, and the series of processing ends. On the other hand, when the biometric information matches (step S2003: Yes), the communication authentication hardware 311 performs communication authentication with a transmission destination that performs environmental authentication (step S2004).

If the safety of communication is not authenticated (step S2005: No), there is a risk of forgery, so the series of processing ends. On the other hand, when the safety of communication is verified (step S2005: Yes), the information authentication hardware 313 in the device collects the information in the device of the peripheral device 302, the software 301, and the execution program of each hardware (step S2006). ), An environment report is generated (step S2007).

The in-device information authentication hardware 313 encrypts the environment report (step S2008), attaches an electronic signature to the encrypted environment report, and transmits it to the transmission destination (step S2009). At the transmission destination, this environmental report can be received and decoded and used for environmental authentication.

As described above, since the communication authentication hardware 311, the biometric hardware 312, and the in-device information authentication hardware 313 are originally authentication functions used for different purposes, the update frequency for a program or data for executing each process, The renewal amount and renewal method are different.

However, according to this embodiment, communication authentication hardware 311, biometric hardware 312, and in-device information authentication hardware 313 are embedded in a single security chip 215 to communicate input of update information or registration instruction information. The integrated hardware is integrated into a secure cryptographic path formed by the authentication hardware 311, and the hardware to be updated is identified by the monitoring hardware 314 (resident program 324).

Therefore, mutual authentication between the hardwares is not necessary, and secure and fast update processing can be realized. Even if communication authentication hardware 311, biometric hardware 312, and in-device information authentication hardware 313 are embedded in a single security chip 215, it is necessary to create a new security chip 215 when updating a program. As a result, the user's convenience can be improved.

Also, the monitoring hardware 314 and the verification hardware 315, which are data, patches, electronic certificates, electronic registration instructions, and electronic signatures are relatively small amounts of data. Since it is a relatively simple process, it can implement at low cost.

As described above, according to the present invention, it is possible to flexibly and strictly execute the program and data update in biometric authentication, communication authentication (PKI authentication), and in-device information authentication (environmental authentication), thereby improving safety. The effect that can be planned is shown.

As described above, the present invention is suitable for mounting in home appliances such as refrigerators, microwave ovens, air conditioners, TVs, DVDs, copiers, and even robots in addition to personal computers, server computers, and mobile phones.

Claims (18)

An information management device comprising a single chip 215, wherein the single chip 215, First hardware 311 for authenticating the stability of communication performed by the information processing apparatus 101 incorporating the information management apparatus; Second hardware (312, 313) for performing authentication processing different from the first hardware (311), At least one program 321 executed by the first hardware 311 or the second hardware 312 and 313 from the information providing apparatus 102 in which communication stability is verified by the first hardware 311. Third hardware 314, 315 for receiving update program 1002 for, 322, 323 and updating the programs 321, 322, 323 with the update program 1002. Including, The second hardware 312, 313, In-device information authentication hardware 313 for authenticating environmental information of the information processing apparatus 101 or the single chip 215; Information comprising biometric authentication hardware 312 that determines whether the biometric information detected by the biometric sensor 211 and the biometric information 603 held in the information processing apparatus 101 match. Management device. The method of claim 1, wherein the third hardware (314, 315), Receiving means for receiving, from the information providing apparatus 102, the update program 1002 and an electronic signature 1004 generated using the secret key of the information providing apparatus 102 from the update program 1002; , The program 321, 322, 323 is transferred to the update program 1002 based on the message digest of the update program 1002, the electronic signature 1004, and the public key of the information providing apparatus 102. Judging means for judging whether or not to update; Update means for updating the programs 321, 322, 323 with the update program 1002 on the basis of the determination result by the determination means. Information management apparatus comprising a. The method of claim 2, wherein the receiving means, An electronic certificate 904 of the information providing apparatus 102 and a second electronic signature 905 generated from the electronic certificate 904 using a secret key of a certification authority are added from the information providing apparatus 102. To receive, The first hardware 311 is Communication between the information processing device 101 and the information providing device 102 based on the message digest of the electronic certificate 904, the second digital signature 905, and the public key of the authentication station. An information management apparatus, characterized by authenticating stability. The information management apparatus according to claim 3, wherein the public key of the authentication station is obtained by decrypting the electronic certificates (Ca to Cz) of the authentication station held in the information processing device (101). The method of claim 2, wherein the receiving means, Further receives a third electronic signature 1005 from the information providing apparatus 102, The third hardware (314, 315), The program 321, based on the message digest of the program 321, 322, 323 after the update by the updating means, the third electronic signature 1005, and the public key of the information providing apparatus 102, And verification means for verifying whether or not 322, 323 has been updated to normal. The method of claim 5, The public key of the information providing device (102) is obtained by decoding the electronic certificates (Ca to Cz) of the information providing device (102) held in the information processing device (101). delete delete The method of claim 2, wherein the third hardware (314, 315), Second determination means for determining whether the sensor type of the biometric sensor 211 input from the user of the information processing apparatus 101 and the sensor type 602 held in the information processing apparatus 101 match. Including, The determination means, On the basis of the determination result by the second determination means, further determining whether or not the program (322) may be updated with the update program (1002). The method of claim 2, wherein the third hardware (314, 315), An electronic signature 1902 generated using an electronic registration instruction 1901 for instructing registration of biometric information to the information processing apparatus 101 and a secret key of the information providing apparatus 102 from the electronic registration instruction 1901. ) Second receiving means for receiving from the information providing apparatus 102, When the sensor type specified in the electronic registration instruction 1901 and the sensor type of the biometric sensor 211 input from the user of the information processing apparatus 101 match, the electronic registration instruction 1901 and the Second judging means for judging whether or not biometric information may be registered based on the electronic signature 1902 and the public key of the information providing apparatus 102; Registration means for registering the biometric information input from the user based on the determination result by the second determination means Information management apparatus comprising a. The method of claim 10, The information management device characterized in that the public key of the information providing device (102) is obtained by decrypting the electronic certificates (Ca to Cz) of the information providing device (102) held in the information processing device (101). The method of claim 10, The third hardware 314, 315 includes encryption means 406 for encrypting the biometric information using the public key of the information providing apparatus 102, And said registration means registers the biometric information encrypted by said encryption means. A first hardware 311 that is embedded in the information processing apparatus 101 and authenticates the safety of the communication performed by the information processing apparatus 101, and second hardware 312 which performs authentication processing different from the first hardware; An information management method of an information management device comprising a single chip 215 including 313, At least one program 321 executed by the first hardware 311 or the second hardware 312 and 313 from the information providing apparatus 102 in which communication stability is verified by the first hardware 311. A receiving step of receiving the update program 1002 for, 322, 323, An update step of updating the programs 321, 322, 323 with the update program 1002 Including, The second hardware 312, 313, In-device information authentication hardware 313 for authenticating environmental information of the information processing apparatus 101 or the single chip 215; Information comprising biometric authentication hardware 312 that determines whether the biometric information detected by the biometric sensor 211 and the biometric information 603 held in the information processing apparatus 101 match. How to manage. delete delete delete delete delete

Images