201235804 六、發明說明: 【發明所屬之技術領域】 本發明係有關於用來防止使用可程式邏輯控制器之 控制系統之密碼流出之技術。 【先前技術】 在先前技術中,可程式邏輯控制器(Programmable Logic Controller : PLC)内藏有微處理器,且因應操作開 關或各種感測器等之輸入信號之狀態、和儲存在程式記憶 體之順序程式(sequence program)而動作,以進行各種致 動器和顯示機器等之電負載之驅動控制’已為眾所週知。 在PLC之各個單元(PLC單元)中具有複數之單元,其 各單元之構成包含有:輸入單元,内藏有輸入介面電路; 輸出單元’内藏有輸出介面電路和基本單元,根據順序程 式控制輸入單元和輸出單元等;該複數之單元係連接在具 有以匯流排互相連接之複數連接器之母板座板上(基座單 兀)之各個連接器,或以匯流排連接器互相連結成為互相匯 流排連接等,各個單元可以簡單地裝設或拆卸而成為可以 各種組合相連接之構造形態,已廣泛地實用化。 另外在上述方式之各種形態之PLC單元中,已提案 有各種之内部資料之保護手段,使系統管理者以外之人 不月b變更或盜用plc單元之順序程式和設定資訊等之 内部資料。 θ作為内部資料之保護手段者,在先前技術中,其方法 疋系統管理者在從ριχ單元變更内部資料或讀出資料時, 4 323151 201235804 PLC單元會將被設定 個人電腦I具等輸入之密^^#訊、和系統管理者從 源是否為系統管理者。 仃對照’以判別要求來201235804 VI. Description of the Invention: [Technical Field of the Invention] The present invention relates to a technique for preventing password outflow of a control system using a programmable logic controller. [Prior Art] In the prior art, a programmable logic controller (PLC) has a built-in microprocessor, and is responsive to the state of an input signal of a switch or various sensors, and stored in a program memory. The operation of the sequence program to drive the electric loads of various actuators and display devices is well known. Each unit (PLC unit) of the PLC has a plurality of units, and each unit comprises: an input unit having an input interface circuit therein; the output unit has an output interface circuit and a basic unit, and is controlled according to a sequence program. An input unit, an output unit, and the like; the plurality of units are connected to respective connectors on a motherboard board (base unit) having a plurality of connectors connected to each other by a bus bar, or are connected to each other by a bus bar connector Each of the units can be easily attached or detached to each other and can be connected in various combinations, and has been widely put into practical use. Further, in the PLC unit of each of the above-described modes, various internal data protection means have been proposed, so that people other than the system administrator can change or steal the internal data of the sequence program and setting information of the plc unit. θ is used as a means of protecting internal data. In the prior art, when the system administrator changes the internal data or reads the data from the ριχ unit, the PLC unit will set the density of the input of the personal computer I and so on. ^^#, and the system administrator from the source is the system administrator.仃 ’
這時,即有保存於ρΪΓ留_丄ώ β 之密碼資訊之保存對象之八%本身㈣作為狀於PLC 片斷化而保存在其他之二和:PLC單元之密碼資訊 '他之PLC早兀之方法等。以PLC罝分太 =存認證資訊之方法中,從資料保存之觀:本 ^ ° 7之手法°另—方面’使認證資訊片斷化而分散保 存之方法’為人所知者有(k,n)臨限值秘密 照非糊文獻υ,此方法可以容易地適用在PLC。專(參 另方面,PLC單元一般具備用來檢測故障、斷線、 單元脫落、系統上之其他PLC單元之裝卸等的機制。 除了此種機制外,在近年來,更要求在系統之運作中, 即使PLC單元有故障時,亦不需使系統停止,而經由交換 成與該PLC單元同種類之plc單元,即可以進行與故障前 相同不變之動作(參照寻利文獻1)。 [先前技術文獻] [專利文獻] [專利文獻1]日本專利特開2008-97369號公報 [非專利文獻] [非專利文獻 1]A. Shamir, "How to Share a Secret, "Commun. ACM,vol. 22 no. 11pp. 612-613, 1979. 【發明内容】 (發明所欲解決之問題) 5 323151 201235804 如上述,依先前技術時,PLC單元可以檢測其他單元 之單70脫落、和單元之裝設。但是,至目前為此,不屬於 控制系統上之交換對象之PLC單元(交換對象外單元),在 從裝設在作為交換對象之插槽號碼之PLC單元(交換前之 單元)置換成為交換後之PLC單元(交換後之單元)時,並未 判斷交換後之單元是否為控制系統管理者企圖裝設者。亦 即並不判別疋否為系統管理者要在控制系統上運作之 PLC單元(正規之單元)、或系統管理者無意在控制系統上 運作之PLC單兀(非正規之單元)。所以,由於控制系統單 元之交換,會有非正規之單元混入到控制系統之問題。 另外,PLC單元將本身之密碼資訊分割成為11個(11為 不包έ 0之自然數)資料(雄、碼分割資料)中,會因其中之匕 個以上之密碼分割資料(k為η以下之〇以外之自然數)的 齊備’而有可使該PLC單元之密碼資訊復元之情況。 例如,以此種復元方法而言,有上述之(k,η)臨限 值秘密分散法等。在使用此種方法之情況時,雖會將利用 (k ’ η)臨限值秘密分散法產生之密碼分割資料保存在其他 之PLC單元,但是在交換前之單元中亦保存有密碼分割資 料,所以在每次進行單元之交換時,密碼分割資料會變少, 在重複進行單元之交換時,必需防止密碼分割資料之減少。 系統管理者可以考慮在母次進行單元之交換時,從保 留在控制系統上之达、碼为割資料’利用(k,η)臨限值秘密 分散法使密碼資訊復元’再度利用(k,η)臨限值秘密分散 法製作密碼分割資料,將其分散地保存在包含交換後之單 323151 6 201235804 元之控制系統上PLC單元。這時,會有在交換前之單元所 保存之密碼分割資料與交換後之單元所保存之密碼分割資 料不同之情況下,具有惡意之作業者會為了盜取密碼資訊 而選擇任意之插槽號碼,且賴插槽號碼已經程式化設計 之PLC單元(具有惡意之單元)重複進行插卸時,傳送到具 有惡意之單元之密碼分割資料之資料量會增加。 結果,會有惡意之單元對取得之密碼分割資料使用 (k,η)臨限值秘密分散法,最後使密碼資訊得以復元的問 題。在此種狀況中,控制系統上之pLC單元要將本身之密 碼資吼分散地保存在控制系統上之其他pLC單元時,必需 使密碼不會被收集到具有惡意之pLC單元。 例如,將本身之密碼分割資料分散保存到控制系統上 之複數之其他之PLC單元(將密碼分散保存之pLC單元), 需要將密碼分割資料傳送到實際保管之其他之pLC單元。 适時,在密碼分割資料,若為例如密碼資訊單純分割之資 料之情況時,保管密碼分割資料之pLC單元會被具有惡专 之作業者將密碼分割資料擷取,或者分散保存密碼之pLc 單元會將密碼分割資料誤傳送到混入於控制系統之具有惡 意之單元的情形時,即使只是密碼資訊之一部分,亦會有 流出到外部之虞。 為了要防止此種情事,將密碼資訊分割並分散保存在 系統之其他之PLC單元之Ρ1Χ單元,必需在將分割密碼資 訊前,將密碼資訊變換成為其他之pLC單元不能解讀之資 訊。或是,在分割密碼資訊後,需要將密碼之片斷資訊變 7 323151 201235804 換成為其他之PLC單元不能解讀之資訊。在任一情況,成 為變換用之鍵之資料,將密碼資訊分割保存在其他PLC單 元之PLC單元,若不是系統上惟一知悉之資訊,即成為無 意義。 因此,對於將密碼分散保存之PLC單元而言,有必要 針對保管本身之密碼分割資料之PLC單元之單元交換、單 元交換之方法遭惡用而被置換成為具有惡意之單元、或因 單元之盜用等而導致之單元交換,使交換後之單元不是系 統管理者想要之單元時,對於誤傳送密碼分割資料之情形 需要有對策。另外,在具有惡意之單元收集各種之密碼分 割資料(在(k,η)臨限值秘密分散法之情況時為收集了相 當於k個之密碼分割資料之資料的情況),且使密碼資訊復 元的情形,或由於單元之盜用而使該單元内部之密碼分割 資料簡單地流出等問題,必需要有對該問題之對策。 本發明針對上述之問題而研發者,其目的是獲得可以 有效防止分散保存之密碼之流出之可程式邏輯控制器及可 程式邏輯控制器的密碼保存方法。 (解決問題之手段) 為了解決上述問題,並達成目的,本發明是一種具備 有主單元和1個以上之從屬單元之可程式邏輯控制器;其 中,上述主單元具有用來管理分配給上述從屬單元之10 號碼之編製資訊表,從被設定在上述主單元之密碼分割所 得之密碼分割資料,使用分配給上述從屬單元之10號碼, 產生密碼分散資訊;而上述從屬單元則保存從上述主單元 8 323151 201235804 傳送之上述密碼分散資訊。 (發明之效果) 依照本發明時,所具有之效果是,經由防止密碼資訊 之流出,可以減少系統管理者之密碼管理之成本。 【實施方式】 以下根據圖面詳細地說明本發明之可程式邏輯控制 器、及可程式邏輯控制器的密碼保存方法之實施形態。另 外,本發明不應受該實施形態之限定。 (實施形態) 以下參照圖面詳細地說明本發明之實施形態。第1圖 是用來表示本發明實施形態之可程式邏輯控制器丨〇〇之全 體構造的方塊圖。 〈單元交換前之狀態〉 在第1圖中,可程式邏輯控制器100具備有:基本單 元110(主單元);複數個輸入單元120,140,160 ;和複數 個輸出單元130,150。在此處,輸入單元120,140,160 和輸出單元130,150總稱為輸入出單元或從屬單元。 基本單元110係裝設在基座單元180之插槽181a之 裝卸連接器’連接在基座單元180之其他插槽181b,181c, 181d ’ 181e ’ 181f之裝卸連接器之輸入出單元(從屬單元) 120 ’ 130 ’ 140 ’ 150’ 160 之控制,和輸入出單元 120,130, 140,150 ’ 160之裝卸之檢測係協同基座單元180進行。 在基本單元110之内部設有:MPU114 ;記憶體(ROM) 111,作為補助記憶裝置;主記憶體裝置(RAM)112;和資料 9 323151 201235804 匯流排介面113,用來進行單元間之通信。 輸入出單元120,140,160分別連接在基座單元180 之插槽181b,181d,181f(輸入單元120連接在插槽i81b, 輸入出單元140連接在插槽181d,輸入出單元160連接在 插槽181f),並經由基座單元180連接到基本單元no。 在輸入單元120 ’經由輸入端子台(未圖示)連接到被 輸入外部之開閉信號/類比信號等191之輸入I/F(包含MPU) 122。在輸入出單元140,經由輸入端子台(未圖示)連接到 被輸入外部之開閉信號/類比信號等193之輸入I/F(包含 MPU)142。在輸入出單元160,經由輸入端子台(未圖示)連 接到被輸入外部之開閉信號/類比信號等194之輸入I/F (包含 MPU)162。 輸入單元120設有:輸入I/F(包含MPU)122、作為補 助記憶裝置之記憶體(R〇M)121、主記憶體裝置(RAM)123和 資料匯流排I/F124。輸入單元140, 160亦分別成為與第1 圖所示者同樣之構造。 輸出單元130設有:輸出I/F(包含MPU)132、作為補 助記憶裝置之記憶體(ROM)131、和主記憶體裝置(RAM) 133 和資料匯流排I/F134。輸出單元150和其後之與輸出單元 150交換之輸出單元170亦分別成為與第1圖所示者同樣 之構造。在輸出單元130,經由輸出端子台(未圖示),使 外部負載/類比負載等192連接到輸出I/F(包含MPI0132。 被保持在基本單元110之記憶體(ROM)lll之編製資訊 111a係成為資料群(編製資訊表),其中,儲存有:插槽181b 10 323151 201235804 之插槽號碼和分配給插槽181b之開頭10號碼;插槽181c 之插槽號碼和分配給插槽181c之開頭1〇號碼;插槽181d 和分配給插槽181d之開頭10號碼;插槽181e之插槽號碼 和分配給插槽181e之開頭10號碼;和插槽181f和分配給 插槽181 f之開頭10號碼。 密碼分散資訊111c係為一種可逆資料(密碼分散保存 用資料),該可逆資料係為將使用在對系統之認證(例如, 從工程工具讀出PLC單元内之資料用之認證等)而設定在 基本單元110本身之密瑪資訊’利用例如(k,η)秘密分散 法進行分割所得之密碼分割資料,使用基本單元11 〇之開 頭10號碼產生者。密碼分散資訊11 lc可以利用分配給義 本單元11 〇之開頭10號碼回到原來之密瑪分割資料。 交換用密碼111b之資料係用來在交換時,判別基本 單元110相對於交換後之單元’單元之交換是否為系統管 理者企圖交換者。 密碼分散資訊121a係與密碼分散資訊illc同樣地為 一種可逆資料(密碼分散保存用資料)’該可逆資料係為將 使用在對系統之s忍證而设疋在基本早元11 〇之密碼資訊利 用(k,η)秘密分散法進行分割所得之密碼分割資料,使用 輸入單元120之開頭10號瑪’在基本單元11〇内產生,且 傳送到輪入單元120者。 密碼分散資訊131a , 141a,151a,i6la亦同樣地是 一種可逆資料(密碼分散保存用資料),該等可逆資料係為 將使用在對系統之認證,而設定在基本單元11()之密喝資 323151 11 201235804 '訊,利用(k,η)秘密分散法進行分割所得之密碼分割資 • 料,使用各個輸入/輸出單元130,140,150,160之開頭 ' 10號碼,在基本單元110内產生,且分別被傳送到輸入/ 輸出單元 130,140,150,160 者。 輸出單元150是在運轉中之系統中要予以交換之單 元,相當於上述交換前之單元。 輸出單元170是代替輸出單元150在交換後追加在系 統之單元,相當於上述交換後之單元。 交換用密碼171b係為在單元交換時用以判別輸出單 元170是否為系統管理者企圖交換之單元所需之密碼資 訊。 <單元交換之流程> 其次,參照第2圖之流程圖用來詳細說明第1圖所示 之可程式邏輯控制器100之實施形態之單元交換時之動 作。第2圖之流程圖係有關於基本單元110内之動作。第 1圖所示之輸出單元170相當於第2圖之流程圖「交換後 之單元」,輸出單元150相當於第2圖之「交換前之單元」, 插槽181e相當於第2圖之「交換對象插槽」。 首先,在步驟S200,基本單元110從基座單元180檢 測「交換對象插槽」之插槽號碼之PLC單元(輸出單元150) 之折卸、和裝設新的PLC單元(輸出單元170)。 然後,在步驟S210,基本單元110讀入交換後之單元 (輸出單元170)内之交換用密碼171b。 其次,在步驟S220,由基本單元110判定在步驟S210 12 323151 201235804 從交換後之輸出單it 170所讀取之交換用密碼㈣,與被 保存在基本單元110内之交換用密碼丨丨“是否一致。在— 致之情況時(步驟S220 : Yes),就前進到步驟S23〇。在不 一致之情況時(步驟S220:N〇),就前進到步驟S29〇。另外, 當在步驟S2H)不能從交換後之單元(輸出單元⑽讀取交 換用密碼之情況時,亦判定為密竭不—致(步驟s22〇 :At this time, there are eight percent of the object to be stored in the password information stored in ρΪΓ _ 丄ώ β (4) as the shape of the PLC fragmentation and stored in the other two: the password information of the PLC unit 'the method of his PLC early Wait. In the method of dividing the data into too much = storing the authentication information, from the viewpoint of data preservation: the method of this ^ ° 7 ° - the other way - the method of fragmentation and preservation of the authentication information is known (k, n) The threshold is secretly photographed, and this method can be easily applied to the PLC. Special (In other respects, PLC units generally have mechanisms for detecting faults, disconnections, unit shedding, loading and unloading of other PLC units on the system, etc. In addition to this mechanism, in recent years, more requirements are required in the operation of the system. Even if the PLC unit has a fault, it is not necessary to stop the system, and by switching to the same type of plc unit as the PLC unit, the same action as before the fault can be performed (refer to the search document 1). [Patent Document] [Patent Document 1] Japanese Patent Laid-Open Publication No. 2008-97369 [Non-Patent Document] [Non-Patent Document 1] A. Shamir, "How to Share a Secret, "Commun. ACM, Vol. 22 no. 11 pp. 612-613, 1979. [Summary of the Invention] (Problems to be Solved by the Invention) 5 323151 201235804 As described above, according to the prior art, the PLC unit can detect the single unit of the other unit, and the unit For this reason, the PLC unit (external unit for exchange) that is not an exchange target on the control system is replaced by the PLC unit (unit before exchange) installed in the slot number as the exchange target. In the case of the exchanged PLC unit (the unit after the exchange), it is not determined whether the unit after the exchange is the control system administrator attempting installer. That is, it is not determined whether the system administrator is to operate on the control system. PLC unit (regular unit), or PLC unit (unconventional unit) that the system administrator does not intend to operate on the control system. Therefore, due to the exchange of control system units, there will be problems of irregular units being mixed into the control system. In addition, the PLC unit divides its own password information into 11 (11 is a natural number that does not contain έ 0) data (male, code segmentation data), and will divide the data by more than one of them (k is η In the case of a complete number of natural numbers other than the following, there is a case where the password information of the PLC unit can be recovered. For example, in the case of such a recovery method, there is a secret dispersion method such as the above (k, η) threshold. In the case of using this method, although the password division data generated by the (k ' η) threshold secret dispersion method is stored in other PLC units, it is also guaranteed in the unit before the exchange. There is password division data, so the password division data will be reduced every time the unit is exchanged. When the unit exchange is repeated, it is necessary to prevent the reduction of the password division data. The system administrator can consider the unit exchange in the parent and the child. At the same time, from the retention on the control system, the code is the cut data 'utilization (k, η) threshold secret dispersion method to make the password information recovery 'reuse the (k, η) threshold secret separation method to make the password division data It is stored in a distributed manner on the PLC unit on the control system including the exchanged single 323151 6 201235804 yuan. At this time, in the case where the password division data held by the unit before the exchange is different from the password division data held by the exchanged unit, the malicious operator selects an arbitrary slot number for stealing the password information. When the PLC unit (which has a malicious unit) whose slot number has been programmed is repeatedly inserted and unloaded, the amount of data transmitted to the password-divided data of the malicious unit increases. As a result, there is a problem that the malicious unit uses the (k, η) threshold secret dispersion method for the obtained password division data, and finally the password information is restored. In such a situation, when the pLC unit on the control system wants to keep its own secret code in a separate manner on other pLC units on the control system, the password must not be collected into a malicious pLC unit. For example, if the password division data itself is dispersed and stored in a plurality of other PLC units (pLC units in which the passwords are dispersed) on the control system, the password division data needs to be transferred to other pLC units actually stored. In a timely manner, in the case of a password-divided data, for example, in the case of simply dividing the data of the password information, the pLC unit that stores the password-divided data is retrieved by the fraudulent operator, or the pLc unit of the password is dispersed. When the password split data is mistakenly transmitted to a malicious unit mixed in the control system, even if it is only part of the password information, there will be an outflow to the outside. In order to prevent this, the cryptographic information is divided and distributed in other units of the PLC unit of the system. The cryptographic information must be converted into information that cannot be interpreted by other pLC units before the cryptographic information is split. Or, after splitting the password information, you need to change the information of the password to 7 323151 201235804 and change it into information that other PLC units cannot interpret. In either case, the data of the key used for the conversion is stored in the PLC unit of the other PLC unit. If it is not the only information on the system, it becomes meaningless. Therefore, in the PLC unit in which the password is stored in a distributed manner, it is necessary to replace the unit exchange and the unit exchange method of the PLC unit that stores the password division data itself into a malicious unit or to steal the unit. When the unit exchange is caused by the same, so that the unit after the exchange is not the unit that the system administrator wants, there is a need for countermeasures for the case of erroneously transmitting the password to divide the data. In addition, in the case of a malicious unit, various types of cryptographic data are collected (in the case of the (k, η) threshold secret distribution method, in the case where the data corresponding to the k cipher division data is collected), and the password information is made In the case of recovery, or the problem of simply circulating the cryptographic data within the unit due to the theft of the unit, countermeasures against the problem are necessary. SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and an object thereof is to obtain a password saving method of a programmable logic controller and a programmable logic controller which can effectively prevent the outflow of a dispersedly stored password. Means for Solving the Problems In order to solve the above problems and achieve the object, the present invention is a programmable logic controller having a master unit and one or more slave units; wherein the master unit has a function for managing allocation to the slaves a compilation information table of the number 10 of the unit, from the password division data set by the password division of the main unit, using the number assigned to the slave unit to generate the password dispersion information; and the slave unit is saved from the master unit 8 323151 201235804 The above-mentioned password-distributed information transmitted. (Effects of the Invention) According to the present invention, it is possible to reduce the cost of password management by the system administrator by preventing the outflow of the password information. [Embodiment] Hereinafter, embodiments of the programmable logic controller of the present invention and the password storage method of the programmable logic controller will be described in detail based on the drawings. Further, the present invention should not be limited by the embodiment. (Embodiment) Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Fig. 1 is a block diagram showing the overall structure of a programmable logic controller according to an embodiment of the present invention. <State before unit exchange> In Fig. 1, the programmable logic controller 100 is provided with: a basic unit 110 (main unit); a plurality of input units 120, 140, 160; and a plurality of output units 130, 150. Here, the input units 120, 140, 160 and the output units 130, 150 are collectively referred to as input/output units or slave units. The base unit 110 is a loading and unloading connector that is attached to the slot 181a of the base unit 180. The input and output unit (slave unit) of the loading and unloading connector that is connected to the other slots 181b, 181c, 181d' 181e ' 181f of the base unit 180 The control of 120 '130 '140 '150' 160 and the detection of the input and output unit 120, 130, 140, 150' 160 are performed in cooperation with the base unit 180. Inside the basic unit 110, there are: an MPU 114; a memory (ROM) 111 as a supplementary memory device; a main memory device (RAM) 112; and a data 9 323151 201235804 bus interface 113 for communication between units. The input units 120, 140, 160 are respectively connected to the slots 181b, 181d, 181f of the base unit 180 (the input unit 120 is connected to the slot i81b, the input unit 140 is connected to the slot 181d, and the input unit 160 is connected to the slot The slot 181f) is connected to the base unit no via the base unit 180. The input unit 120' is connected to an input I/F (including MPU) 122 that is input to an external opening/closing signal/analog signal or the like 191 via an input terminal block (not shown). The input/output unit 140 is connected to an input I/F (including MPU) 142 to which an external opening/closing signal/analog signal or the like is input via an input terminal block (not shown). The input/output unit 160 is connected to an input I/F (including an MPU) 162 to which an external open/close signal/analog signal or the like is input via an input terminal block (not shown). The input unit 120 is provided with an input I/F (including MPU) 122, a memory (R〇M) 121 as a supplementary memory device, a main memory device (RAM) 123, and a data bus I/F 124. The input units 140 and 160 also have the same configuration as those shown in Fig. 1 . The output unit 130 is provided with an output I/F (including MPU) 132, a memory (ROM) 131 as a supplementary memory device, and a main memory device (RAM) 133 and a data bus I/F 134. The output unit 150 and the subsequent output unit 170 exchanged with the output unit 150 are also configured similarly to those shown in Fig. 1. In the output unit 130, an external load/analog load or the like 192 is connected to the output I/F via an output terminal block (not shown) (including the MPI0132. The preparation information 111a of the memory (ROM) 111 held in the base unit 110 It is a data group (formation information table) in which the slot number of slot 181b 10 323151 201235804 and the first 10 number assigned to slot 181b are stored; the slot number of slot 181c and the slot number assigned to slot 181c The first 1 number; the slot 181d and the first 10 number assigned to the slot 181d; the slot number of the slot 181e and the first 10 number assigned to the slot 181e; and the slot 181f and the beginning of the slot 181f The number 10. The password distribution information 111c is a kind of reversible data (data for decentralized storage of passwords), and the reversible data is used for authentication of the system (for example, authentication for reading data in the PLC unit from engineering tools, etc.) The cipher information set in the basic unit 110 itself is cipher-separated data obtained by dividing, for example, the (k, η) secret distribution method, and the first 10 number generator of the basic unit 11 使用 is used. The scattered information 11 lc can be returned to the original ML partition data by using the first 10 number assigned to the cryptographic unit 11 。 The data of the exchange password 111b is used to discriminate the basic unit 110 relative to the exchanged unit when exchanged. Whether the exchange of units is an attempt by the system administrator. The password-distributed information 121a is a reversible data (data for decentralized storage) similar to the password-distributed information illc. The reversible data is used for the system. And the password division data obtained by dividing the password information using the (k, η) secret distribution method in the basic early 11th is generated in the basic unit 11〇 by using the first 10th of the input unit 120, and transmitted to The round-up unit 120. The password-distributed information 131a, 141a, 151a, i6la is also a reversible data (data for cryptographically dispersed storage), and the reversible data is set in the basic unit for authentication to be used in the system. 11 () secret drink 323151 11 201235804 'Xun, use the (k, η) secret dispersion method to divide the password to obtain the information, use each The beginning '10 numbers of the input/output units 130, 140, 150, 160 are generated in the base unit 110 and transmitted to the input/output units 130, 140, 150, 160, respectively. The output unit 150 is in operation. The unit to be exchanged in the system corresponds to the unit before the exchange. The output unit 170 is a unit added to the system after the exchange of the output unit 150, and is equivalent to the unit after the exchange. The exchange password 171b is a unit exchange. It is used to determine whether the output unit 170 is the password information required by the system administrator to exchange units. <Flow of Unit Exchange> Next, the operation of the unit exchange of the embodiment of the programmable logic controller 100 shown in Fig. 1 will be described in detail with reference to the flowchart of Fig. 2 . The flowchart of Figure 2 relates to the actions within the base unit 110. The output unit 170 shown in Fig. 1 corresponds to the flow chart "unit after exchange" in Fig. 2, and the output unit 150 corresponds to the "unit before exchange" in Fig. 2, and the slot 181e corresponds to the second figure. Exchange object slot." First, in step S200, the base unit 110 detects the detachment of the PLC unit (output unit 150) of the slot number of the "exchange target slot" from the base unit 180, and installs a new PLC unit (output unit 170). Then, in step S210, the base unit 110 reads the exchange password 171b in the exchanged unit (output unit 170). Next, in step S220, the basic unit 110 determines the exchange password (4) read from the exchanged output unit it 170 in step S210 12 323151 201235804, and the exchange password 保存 stored in the base unit 110. If it is the case (step S220: Yes), the process proceeds to step S23. In the case of inconsistency (step S220: N〇), the process proceeds to step S29. In addition, when it is not possible in step S2H) When the exchanged unit (the output unit (10) reads the exchange password, it is also judged to be exhausted (step s22:
No) ’然後前進到步驟S290。 在步驟S230,因為在步驟S22〇判斷為所裝設之交換 後之輸出單元17G是系統管理者企圖裝設之單元’所以為 :要防止交換用密碼之流㈣,可以刪除保存在交換後之 早το内之交換用密碼171b。 其次,在步驟S240,基太 101 土本早兀110會收集被裝設在交 換對象插槽181e以外之插μ之六 ^ 栩糟之父換對象插槽號碼之插槽 之單7〇内所保存之密碼分| 1 % 袖& )刀政貝钒。在第1圖之情況時,所 明父換對象外插槽號碼之插枰 lQ1f 拖槽為插槽 181b,181c,181d, 181f,裝s又在该等插槽之單 刚,⑽。因此,基本單元11(^輪入出單元120’130’ 131a » 141a > 161a 〇 收集密碼分散資訊121a, 其次,在步驟S250基太置_ 對象外插賴碼之购之⑴會使從裝設在! 訊121a,131a,l41a,丨 所收集到的各個密碼分 限值秘密分散法, 當在步驟_收_ Μ之復凡。 $',分散資訊之個數4 頭ίο號碼,復元成為密用編製資訊⑴以 值秘密分散法,試2^,紐利瞭 323151 13 201235804 個之情況時,以(k,η)臨限值秘密分散法而言,不能使密 碼資訊復元(步驟S250 : No)。在此種情況時,前進到步驟 S290。在密碼資訊可以復元之情況時(步驟S250 : Yes), 就前進到步驟S260。 在步驟S260,利用基本單元110讀出從編製資訊111a 分配給交換對象插槽181e之插槽號碼之開頭10號碼。 其次,在步驟S270,使用(k,η)臨限值秘密分散法, 將在步驟S250復元之密碼資訊分割成為密碼分割資料,使 用分配給在步驟S260讀出之交換對象插槽號碼之開頭10 號碼,產生傳送到交換前之單元(輸出單元150)之密碼分 散資訊。 然後,在步驟S280,將在步驟S270產生之密碼分散 資訊發送到交換後之單元(輸出單元170),然後前進到步 驟 S290 。 步驟S290表示認證判定完成。 另外,在上述之實施形態中,所說明之例子是,使用 (k,η)臨限值秘密分散法作為分割密碼之手法來產生密碼 分割資料,但是以在分散保存密碼之PLC中所使用之密碼 之分割方法而言,並不只限於(k,η)臨限值秘密分散法。 在某PLC單元之密碼資訊被分割成為η個(η為不包含0之 自然數)之資料之情況時,η個之資料(密碼分割資料)中, 藉由使k個之密碼分割資料(k為不包含η以下之0之自然 數)齊備,則只要是可以使該PLC單元之密碼資訊復元之方 法,即使是(k,η)臨限值秘密分散法以外之手法,亦可與 14 323151 201235804 上述之實施形態同樣地實施。 如以上所說明之方式,本發明實施形 控制器的密碼保存方法’是在具備有基本單元::= 單元自由裝卸地連接之複數個輪入/輸出單元之可程式土邏 輯控制③中’為了保護順序程式和狀資訊 本單元之料❹例如臨限值歸分散料之手 之密碼分财料分散保存在“狀其他單元中。 實施形態之可程式邏輯控制器的密碼保存方 統内發生料交換之情況時,用來減少密碼之流出之技” 術’可以減少密碼之流出之意是可以減少系統管理者之密 碼管理成本’因而可以減少該以密碼保護之資料之流出之 危險。 實施形態之可程式邏輯控制器之PLC單元具有在基本 單元中’使被妓在本S之料分散保存在其他之凡c單 元之功能,具有可以檢測PLC單元之I卸之功能, 管理之HX單元可利们〇分配功能而接受ω分配,例如, 本身所管理之PIX單元以在系統上連接之順序具有插槽號 碼。實施形態之可程式邏輯控制器之PLC單元具有在:, 出時,將利用其他之PLC单元所委託之資料保j夺在本身之 功能’控制交換對象插槽號碼之基本單元係設為「交換$ 象插槽號碼之主單元」(第1圖之基本單元110)。 「交換對象插槽號碼之主單元」係使用裝設在欲分散 保存欲碼分割資料之插槽號碼之PLC單元之開頭10號石馬進 行加工,以產生對密碼分割資料為可逆資料之「密碼分散 323151 201235804 保存用資料」。以裝設在被「交換對象插槽號碼之主單元」 所管理之交換對象插槽號瑪以外之插槽之單元之插槽號 碼,作為「交換對象外插槽號碼」,將交換前單元換裝成為 交換後單元時,「交換對象插槽號碼之主單元」使裝設在交 換對象外插槽號碼之單元所保存之密碼分散保存用資料, 利用(k,η)臨限值秘密分散法復元成為密碼資訊。 在交換後之單元預先設定有單元交換用密碼,且和 「交換對象插槽號碼之主單元」所保持之單元交換用密碼 一致之情況時,「交換對象插槽號碼之主單元」即判定交換 後之單元為正規之單元。當判定為正規之單元時,「交換對 象插槽號碼之主單元」即刪除預先設定在交換後之單元之 單元交換用密碼。 然後,「交換對象插槽號碼之主單元」會使用被復元 之密碼資訊和分配給交換對象插槽號碼之10分配資訊,作 成密碼分散保存用資料(分散保存在交換前之單元之密碼 分散保存用資料),將其保存在經判定為正規之單元之交換 後之單元。 「交換對象插槽號碼之主單元」,在預先設定於交換 後之單元之交換用密碼若與「交換對象插槽號碼之主單元」 所保持之交換用密碼不一致時,則不將密碼資訊、密碼分 割資料、密碼分散保存用資料等發送到交換後之單元。 依照本發明之實施形態時,成為主單元之PLC單元, 例如,利用(k,η)臨限值秘密分散法,將用以保護被保存 在單元内部之程式或設定等資料的密碼,分散保存在系統 16 323151 201235804 上之複數之PLC單元之情況時,具有惡意之作業者即使拆 卸控制系統上之正規之單元,抽換成為具有惡意之單元時, 只要交換用之密碼未進入到具有惡意之單元,則不會有密 碼資訊、密碼分割資料、密碼分散保存用資料等被傳送到 具有惡意之單元之情形,所以可以防止密碼資訊之流出。 利用此種方式可以減少系統管理者之密碼管理成本。 另外,依照本發明之實施形態時,例如,利用(k,η) 臨限值秘密分散法,將用以保護被保存在單元内部之程式 或設定等資料之密碼,分散保存在系統上之複數之PLC單 元,其成為主單元之PLC單元,例如,交換用密碼被具有 惡意之作業者得知等,即使具有惡意之單元已知道密碼分 散保存用資料,因為密碼分散保存用資料已用10分配資訊 加工,所以要使密碼分割資料復元會有困難,即使可以復 元,因為密碼分割資料係利用(k,η)臨限值秘密分散法產 生,所以假如不使k個之密碼分散保存用資料復元成為密 碼分割資料的話,就可以防止密碼資訊之流出。利用此種 方式,可以減少系統管理者之密碼管理成本。 另外,本發明並不只限於上述之實施形態,在實施階 段,於不脫離其主旨之範圍内,可以有各種之變化。另外, 在上述之實施形態中包含各種階段之發明,利用所揭示之 複數之構成要件之適當組合可以衍生、擷出各種之發明。 例如,從上述實施形態所示之全部構成要件,即使刪 除若干個構成要件,亦可以解決(發明所欲解決之問題)欄 所述之問題,在獲得(發明之效果)欄所述之效果之情況 17 323151 201235804 時,該構成要件被刪除之構造亦可擷取作為發明。 . 亦可以使上述實施形態之構成要件適當地組合。 . (產業上之可利用性) 依照上述之方式,本發明之可程式邏輯控制器及可程 式邏輯控制器的密碼保存方法甚有用於防止密碼之流出, 特別適合於將密碼分散保存在複數之PLC單元之情況。 【圖式簡單說明】 第1圖用來表示本發明實施形態之可程式邏輯控制器 之全體構造之方塊圖。 第2圖是本發明實施形態之單元交換時之流程圖。 【主要元件符號說明】 100 可程式邏輯控制器 110 基本單元 120、140、160 輸入單元 130 輸出單元 150 單元交換之交換前之輸出單元 170 單元交換之交換後之輸出單元 111、 12 卜 13 卜 14 卜 15 卜 161、171 記憶體(ROM) 112、 123、133、143、153、163、173 主記憶裝置(RAM)No) ' Then proceeds to step S290. In step S230, since it is determined in step S22 that the output unit 17G after the exchange of the installation is the unit that the system administrator attempts to install, it is: to prevent the flow of the exchange password (4), it can be deleted and saved in the exchange. The password 171b is exchanged in the early το. Next, in step S240, the base meter 101 will collect the slot 7 of the slot of the parent slot number of the parent device that is installed outside the swap object slot 181e. Save the password points | 1% sleeve & In the case of Figure 1, the insertion of the outer slot number of the parent is the lQ1f tow slot 181b, 181c, 181d, 181f, and the s is again in the slots, (10). Therefore, the basic unit 11 (^ wheel input/exit unit 120'130' 131a » 141a > 161a 〇 collects the password dispersion information 121a, and secondly, in step S250, the base is placed _ the object is inserted into the code (1), and the slave device is installed. In !121a, 131a, l41a, 秘密 各个 收集 收集 收集 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 秘密 121 121 121 121 121 121 121 121 121 121 121 121 When using the compilation information (1) with the value secret dispersion method, try 2^, and Newley has 323151 13 201235804, the password information cannot be recovered by the (k, η) threshold secret dispersion method (step S250: No) In this case, the process proceeds to step S290. When the password information can be recovered (step S250: Yes), the process proceeds to step S260. In step S260, the basic unit 110 reads out the assignment information from the preparation information 111a. The first tenth number of the slot number of the exchange target slot 181e. Next, in step S270, the password information of the recovery in step S250 is divided into password division data by using the (k, η) threshold secret distribution method, and is allocated to the password division data. Read at step S260 The first 10 numbers of the exchange target slot number are generated, and the password dispersion information transmitted to the unit (output unit 150) before the exchange is generated. Then, in step S280, the password dispersion information generated in step S270 is transmitted to the exchanged unit ( The output unit 170) then proceeds to step S290. Step S290 indicates that the authentication determination is completed. Further, in the above-described embodiment, the illustrated example uses the (k, η) threshold secret dispersion method as a method of dividing the password. In order to generate the password division data, the method of dividing the password used in the PLC for decentralizing the password is not limited to the (k, η) threshold secret dispersion method. The password information of a PLC unit is divided into In the case of η (η is a natural number not including 0), in n pieces of data (cryptographically divided data), k is used to divide the data (k is a natural number not including 0 below η) ), as long as it is a method that can recover the password information of the PLC unit, even if it is a method other than the (k, η) threshold secret dispersion method, it can also be compared with 14 323151 20 1235804 The above-described embodiment is similarly implemented. As described above, the method for storing a password of the controller of the present invention is a plurality of wheel input/output units that are detachably connected to the base unit::= unit. In the programmable logic control 3, in order to protect the sequence program and the information of the information unit, for example, the password of the hand of the decentralized material is dispersed and stored in other units. The programmable logic control of the embodiment When the password is saved in the system, the technique used to reduce the outflow of the password can reduce the outflow of the password, which can reduce the password management cost of the system administrator', thus reducing the password protection. The danger of the outflow of data. The PLC unit of the programmable logic controller of the embodiment has the function of dispersing the material to be stored in the other unit in the basic unit, and has the function of detecting the unloading of the PLC unit, and managing the HX. The unit can accept the omega allocation by assigning functions, for example, the PIX units managed by themselves have slot numbers in the order in which they are connected on the system. The PLC unit of the programmable logic controller of the embodiment has a data unit that is commissioned by another PLC unit, and the basic unit of the control exchange target slot number is set to "exchange". $ main unit like slot number (base unit 110 of Fig. 1). The "master unit of the exchange target slot number" is processed by the first 10th stone horse installed in the PLC unit to which the slot number of the data to be divided and stored is to be distributed, so as to generate a password for the reversible data of the password division data. Distribute 323151 201235804 Save Data". The slot number of the unit that is installed in the slot other than the exchange target slot number managed by the "master unit of the exchange target slot number" is used as the "exchange target slot number", and the exchange unit is exchanged. When it is installed as a post-exchange unit, the "main unit of the exchange target slot number" uses the (k, η) threshold secret distribution method to store the password-preserved data stored in the unit of the slot number of the exchange target. The recovery becomes password information. When the unit after the exchange has a unit exchange password set in advance and the unit exchange password held by the "master unit of the exchange target slot number" is the same, the "main unit of the exchange target slot number" is judged to be exchanged. The latter unit is a regular unit. When it is determined that it is a regular unit, the "main unit for exchanging the object slot number" deletes the unit exchange password set in advance in the unit after the exchange. Then, the "master unit of the exchange target slot number" uses the password information of the recovery and the allocation information assigned to the slot number of the exchange target, and creates the password-distributed data (the password stored in the unit before the exchange is dispersed and stored). Use the data) to save it in the unit after the exchange of the unit determined to be regular. In the "main unit of the exchange target slot number", if the exchange password set in the unit after the exchange is inconsistent with the exchange password held by the "main unit of the exchange target slot number", the password information, The password division data, the password dispersion storage data, and the like are sent to the unit after the exchange. According to the embodiment of the present invention, the PLC unit serving as the main unit, for example, uses a (k, η) threshold secret distribution method to store and store a password for protecting a program or a setting such as a data stored in the unit. In the case of a plurality of PLC units on the system 16 323151 201235804, even if the malicious operator disassembles the regular unit on the control system and replaces it with a malicious unit, as long as the password for the exchange does not enter the malicious In the unit, there is no case where the password information, the password division data, and the password decentralized storage data are transmitted to the malicious unit, so that the outflow of the password information can be prevented. In this way, the password management cost of the system administrator can be reduced. Further, according to the embodiment of the present invention, for example, by using the (k, η) threshold secret distribution method, a password for protecting a program or a setting such as a data stored in the unit is dispersed and stored on the system. The PLC unit, which becomes the PLC unit of the main unit, for example, the exchange password is known to the malicious operator, and even if the malicious unit knows the password-distributed data, the password-distributed data has been allocated by 10 Information processing, so it is difficult to recover the password segmentation data, even if it can be recovered, because the password segmentation data is generated by the (k, η) threshold secret dispersion method, if the k passwords are not scattered, the data recovery is not used. By becoming a password-division data, you can prevent the flow of password information. In this way, the password management cost of the system administrator can be reduced. Further, the present invention is not limited to the above-described embodiments, and various changes can be made without departing from the spirit and scope of the invention. Further, the above-described embodiments include various stages of the invention, and various inventions can be derived and derived from the appropriate combination of the constituent elements of the plural. For example, from the constitutive elements described in the above embodiments, even if a plurality of constituent elements are deleted, the problem described in the column of the problem to be solved by the invention can be solved, and the effect described in the column of the effect of the invention can be obtained. In the case of the case 17 323151 201235804, the structure in which the constituent elements are deleted can also be taken as an invention. The constituent elements of the above embodiments may be combined as appropriate. (Industrial Applicability) According to the above manner, the password storage method of the programmable logic controller and the programmable logic controller of the present invention is used to prevent the outflow of passwords, and is particularly suitable for storing passwords in plurals. The case of the PLC unit. BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a block diagram showing the overall construction of a programmable logic controller according to an embodiment of the present invention. Fig. 2 is a flow chart at the time of unit exchange in the embodiment of the present invention. [Description of main component symbols] 100 programmable logic controller 110 Basic unit 120, 140, 160 Input unit 130 Output unit 150 Output unit before exchange of unit exchange 170 Output unit after exchange of unit exchange 111, 12 Bu 13 Bu 14卜15 161, 171 memory (ROM) 112, 123, 133, 143, 153, 163, 173 main memory device (RAM)
113、 124、134、144、154、164、174 資料匯流排 I/F113, 124, 134, 144, 154, 164, 174 data bus I/F
114 MPU 122、142、162 輸入 I/F 132、152、172 輸出 I/F 111a 編製資料 18 323151 201235804 lllb、 171b 交換用密碼 密碼分散資訊 插槽 lllc、 121a、131a、141a、151a、161a 180 基座單元 181a、181b、181c、181d、181e、181f 191、193、194 開閉信號/類比信號等 192 外部負載/類比負載等 S200至S290 步驟 19 323151114 MPU 122, 142, 162 Input I/F 132, 152, 172 Output I/F 111a Preparation data 18 323151 201235804 lllb, 171b Exchange password cryptographic information slot lllc, 121a, 131a, 141a, 151a, 161a 180 base Block units 181a, 181b, 181c, 181d, 181e, 181f 191, 193, 194 Open/close signals/analog signals, etc. 192 External load/analog load, etc. S200 to S290 Step 19 323151