WO2016075792A1 - Information processing apparatus, control method, and program - Google Patents
- Publication number
- WO2016075792A1 (PCT/JP2014/080094)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- certificate
- command
- communication
- processing apparatus
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
- H04L9/3265—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
- H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
Definitions
- This relates to the setting of security functions in an information processing apparatus that transmits a captured image to a client apparatus via a network.
- the client device can instruct the imaging device to generate a key used for communication processing using the SSL (Secure Sockets Layer) protocol and to set a certificate.
- a command group defined by a standard established by ONVIF is known as a command for setting a security function from a client device to an imaging device.
- ONVIF standardizes SSL, IEEE802.1X, client authentication settings, etc. related to security functions.
- the client device can send a command defined in the ONVIF Device Management service (Non-patent Document 1) to the imaging device, and the key can be generated and the certificate can be set in the imaging device compatible with the Device Management service.
- the client device can send a command defined in the ONVIF Advanced Security service (Non-Patent Document 2) to the imaging device, and a key can be generated and a certificate can be set in the imaging device that conforms to the Advanced Security service.
- Non-patent Document 1: ONVIF-Core-Specification-v242 http://www.onvif.org/specs/core/ONVIF-Core-Specification-v242.pdf
- Non-patent Document 2: ONVIF-AdvancedSecurity-Service-Spec-v102 http://www.onvif.org/specs/srv/security/ONVIF-AdvancedSecurity-Service-Spec-v102.pdf
- The present invention provides: first processing means for performing, in response to a command issued based on a first communication procedure, settings for performing encrypted communication on the information processing apparatus; second processing means for performing, in response to a command issued based on a second communication procedure, settings for performing encrypted communication on the information processing apparatus; and transmitting means for transmitting to a receiving apparatus, when a command based on the second communication procedure is received from the receiving apparatus after the first processing means has performed the settings for performing encrypted communication, information indicating that the settings for performing encrypted communication were performed in response to a command based on the first communication procedure.
- A client device using the second communication procedure, which is different from the first communication procedure, can refer to the setting content related to the security function that was set in the information processing device by the first communication procedure.
- FIG. 1 is a block diagram illustrating a security communication system according to a first embodiment.
- Diagram showing certificate setting processing
- Diagram showing certificate setting processing
- Flow chart showing certificate generation processing
- Flow chart showing the certificate loading process
- Flow chart showing certificate acquisition processing
- Flow chart showing certificate deletion process
- Flowchart showing the certificate status setting process
- Flow chart showing certificate status acquisition processing
- Flowchart showing the certificate status setting process
- Flow chart showing certificate status acquisition processing
- FIG. 5 is a block diagram showing a security communication system according to the second embodiment.
- Figure showing an example of the user interface of the SSL settings page
- Flow chart showing the process of generating a self-signed certificate
- Flow chart showing the process of using a certificate signed by a CA
- the first client device performs settings related to the security function for the imaging device using a Device management service (hereinafter referred to as “DM service”) (first procedure) defined by ONVIF.
- DM service: Device management service
- AS service: Advanced Security service
- the DM service specified by ONVIF and the AS service are independent services.
- A client device that communicates with the imaging device based on one service cannot refer to the setting content set on the imaging device based on the other service.
- the first client device performs settings related to the security function for the imaging device based on the DM service.
- the second client device refers to the setting related to the security function set for the imaging device using a command defined in the AS service.
- the second client device cannot refer to the contents of the security setting set by the first client device based on the DM service.
- the second client device cannot notice that the setting has already been made on the imaging device. Therefore, the user of the second client device may perform a new security setting for the imaging device and overwrite the existing setting.
- The imaging apparatus records, as Alias information defined in the AS service, information indicating that a setting was made on the imaging apparatus using a command defined in the DM service. In this way, it is possible to confirm, even from a client device using the AS service, that the setting related to the security function was made by the DM service. A client device that makes settings for the imaging device using one protocol can thus know that a setting was made using the other protocol.
- When a security setting is performed based on the DM service, the imaging apparatus according to the present embodiment automatically generates and records the corresponding setting content for the AS service from the content that was set. It then records, as Alias information, that the setting content corresponding to the AS service was generated in response to the security setting command of the DM service.
- the imaging apparatus receives a command for causing the imaging apparatus to generate a certificate used for encrypted communication based on the DM service.
- the imaging apparatus automatically performs certification path setting and key pair setting, which are not defined in the security setting based on the DM service, but are required in the security setting based on the AS service.
- information indicating that the setting of the certification path and the key pair has been performed in response to reception of the DM service command is recorded as Alias information.
- the user can know that the security setting conforming to the AS service has been made according to the command based on the DM service.
- A hardware configuration example of the imaging system according to the first embodiment will be described with reference to FIG. 1A.
- In the first embodiment, an example in which the imaging device 100 is connected to the client device 200 and the client device 300 via the network 108 will be described.
- The imaging device 100 transmits the captured image to the client device 200 and the client device 300 via the network.
- The imaging unit 101 is provided inside the imaging apparatus 100, but the present invention is not limited thereto. It is only necessary to be able to manage security-related settings for transmission of captured images.
- It may be an information processing device that receives a captured image from an external imaging device and relays it to the client device 200 and the client device 300.
- Image data captured by the image capturing unit 101 of the image capturing apparatus 100 is processed by an image processing unit 102 described later, and then transmitted to the client device 200 and the client device 300 via the network 108.
- the imaging unit 101 images a subject and generates an image signal.
- the imaging unit 101 includes a lens, an imaging element such as a CMOS (Complementary Metal Oxide Semiconductor), and the like.
- the image sensor converts an image of a subject formed by the lens into an image signal.
- the image processing unit 102 performs image processing on the image signal generated by the imaging unit 101.
- the image processing unit 102 encodes an image captured by the imaging unit 101.
- The image processing unit 102 can be, for example, a processor such as a CPU (Central Processing Unit). Alternatively, it can be a processor for image processing such as a GPU (Graphics Processing Unit).
- the control unit 103 of the imaging apparatus 100 controls each component of the imaging apparatus 100 illustrated in FIG. 1A.
- the control unit 103 can be a processor such as a CPU, for example.
- the control unit 103 controls each component of the imaging apparatus 100 by executing a program recorded in the recording unit 104 described later.
- the control unit 103 performs control for realizing the function of the imaging apparatus 100 described later with reference to FIG. 1B.
- The control unit 103 includes a first processing unit 106 for realizing the function of a DeviceManagement service unit 112 (hereinafter, “DM service unit 112”), which will be described later with reference to FIG.
- the control unit 103 also includes a second processing unit 107 for realizing an AdvancedSecurity service unit 113 (hereinafter referred to as “AS service unit 113”), which will be described later.
- the control unit 103 performs control to cause the recording unit 104 to record information indicating that the imaging apparatus 100 has been set by a command performed based on one communication procedure among a plurality of different communication procedures.
- the recording unit 104 records a captured image captured by the imaging unit 101 and processed by the image processing unit 102. Further, the recording unit 104 records programs and control parameters used by the control unit 103. The recording unit 104 records various setting contents recorded by a keystore unit 114 described later.
- the recording unit 104 may be a memory such as a RAM (Random Access Memory) or a ROM (Read Only Memory). Alternatively, it may be a recording medium such as an HDD (Hard Disk Drive). The recording unit 104 may be a removable medium such as a flash memory or a memory card.
- the communication unit 105 transmits, to the client device 200 and the client device 300, a captured image captured by the imaging unit 101 and generated by image processing in the image processing unit 102.
- communication encrypted based on the setting information recorded in the recording unit 104 is used.
- The communication unit 105 transmits, to the client device 200 or 300, information indicating that a setting was made on the imaging apparatus 100 in response to a command based on one of the first communication procedure and the second communication procedure. It transmits this information in response to a command based on the other communication procedure. Further, the communication unit 105 receives a control command for the imaging device 100 from the client device 200 and the client device 300.
- When the communication unit 105 receives a command based on the second communication procedure from the client device 300 after the first processing unit has performed the setting for performing encrypted communication on the imaging device 100, it sends the following information to the client device 300: information indicating that the setting for performing encrypted communication was performed in response to a command based on the first communication procedure.
- the client device 200 and the client device 300 make settings related to communication security for the imaging device 100.
- the client device 200 includes, for example, a communication unit 201 for communicating with the imaging device 100.
- the client device 200 includes a control unit 202 for controlling each configuration of the client device 200.
- the control unit 202 can be, for example, a processor such as a CPU.
- the control unit 202 controls each component of the client device 200 by executing a program recorded in a recording unit 203 described later.
- the client device 200 includes a recording unit 203 that records programs and control parameters used by the control unit 202.
- the recording unit 203 can be a memory such as a RAM or a ROM, for example. Alternatively, it may be a recording medium such as an HDD.
- the recording unit 203 may be a removable medium such as a flash memory or a memory card.
- the configuration of the client device 200 is not particularly limited, and is not limited to the above example. A part of the above configuration may be replaced with another configuration, or a new configuration may be added.
- the configuration of the client device 300 is the same as the configuration of the client device 200, and thus the description thereof is omitted.
- The client device 200 and the client device 300 can be, for example, a PC (Personal Computer). Alternatively, they can be portable terminals such as a tablet terminal or a smartphone.
- the network 108 includes, for example, the Internet, a wired LAN (Local Area Network), a wireless LAN (Wireless LAN), a WAN (Wide Area Network), or an analog cable.
- The network 108 may be of any communication standard, scale, or configuration.
- As a LAN communication standard, for example, Ethernet (registered trademark) can be used.
- The client apparatus 200 shown in FIG. 1B has a function of transmitting security-related commands of the DM service to the imaging apparatus 100. Further, the client device 300 has a function of transmitting an AS service command to the imaging device 100.
- the client device 200 and the client device 300 have a function of setting a key and a certificate for the imaging device 100 via the network 108.
- The certificate indicates that the key described in the certificate is a key registered with the certificate authority. It contains, for example, information indicating the public key registered with the certificate authority, information on the owner of the public key, information on the certificate authority that issued the certificate, and the signature of the issuing certificate authority.
- the imaging apparatus 100 is compatible with DM service and AS service defined by ONVIF. That is, the imaging apparatus 100 according to the present embodiment performs settings related to the security function in response to reception of a command used in the DM service. Further, the imaging apparatus 100 according to the present embodiment can also perform settings related to the security function in response to reception of a command used in the AS service.
- the HTTP server unit 111 of the imaging apparatus 100 receives the SOAP message transmitted from the client apparatus 200 or the client apparatus 300.
- A SOAP message is a message transmitted and received using SOAP (Simple Object Access Protocol).
- the HTTP server unit 111 receives the SOAP message transmitted from the client device 200 and the client device 300. Then, the received message is transmitted to the DM service unit 112 or the AS service unit 113.
- the client devices 200 and 300 POST the SOAP message to a URI (Uniform Resource Identifier) that designates the DM service unit 112 or the AS service unit 113 of the imaging device 100. In this way, a SOAP message can be transmitted.
- the POST of the message is executed using a POST method of HTTP (Hypertext Transfer Protocol).
- the function of the HTTP server unit 111 is realized by the communication unit 105 shown in FIG. 1A.
- Each of the DM service unit 112 and the AS service unit 113 analyzes the received SOAP message and, according to the command and the setting content, makes the security-related setting on the imaging apparatus 100 or returns the set content as a response.
- the functions of the DM service unit 112 and the AS service unit 113 are realized by the control unit 103 illustrated in FIG. 1A.
- When the control unit 103 realizes the function of the DM service unit 112, it functions as first processing means that executes a command that the client device 200 issues to the imaging device 100 using the DM service (first communication procedure). Further, when the control unit 103 realizes the function of the AS service unit 113, it functions as second processing means that executes a command that the client device 300 issues to the imaging device 100 using the AS service (second communication procedure different from the first communication procedure).
- the DM service unit 112 executes a command that the client device 200 performs to the imaging device 100 based on the DM service.
- The commands executed based on the DM service include a command for setting, in the imaging apparatus 100, the public key (first public key information) used for performing encrypted communication, and a command for setting, in the imaging apparatus 100, the private key (first private key information) corresponding to the first public key information.
- the command to be performed based on the DM service includes a command for setting a certificate (first certificate information) for proving that the public key is valid key information in the imaging apparatus 100.
- the DM service unit 112 does not necessarily execute all these instructions, and may execute at least any one instruction.
- The AS service unit 113 executes a command that the client device 300 issues to the imaging device 100 based on the AS service. The commands executed based on the AS service include a command for setting, in the imaging apparatus 100, key pair information indicating that a public key (second public key information) and a private key (second private key information) used for performing encrypted communication correspond to each other. They also include a command for setting, in the imaging apparatus 100, the certificate (second certificate information) for proving that the public key is valid key information, and a command for setting, in the imaging apparatus 100, a certification path (certificate path information) indicating other certificate information related to the certificate. The AS service unit 113 does not necessarily execute all these commands, and may execute at least any one of them.
- The keystore unit 114 is a database that stores keystore information of the keystore defined in the Advanced Security service of ONVIF.
- The function of the keystore unit 114 is realized by the recording unit 104 illustrated in FIG. 1A.
- the keystore unit 114 includes the following recording units.
- Keypair unit 115: records a private key (Privatekey), a public key (Publickey), an Alias in which the client sets an arbitrary character string, and a KeyID that uniquely indicates the Keypair, in association with each other.
- Certificate unit 116: records CertificateID (certificate ID) information that uniquely indicates a certificate (Certificate), an Alias, and the KeyID of the Keypair in which the public key of the certificate is stored.
- CertificationPath unit 117: records a certification path (CertificationPath), an Alias, and CertificationPathID (certification path ID) information that uniquely indicates the certification path, in association with each other.
- the certification path ID (CertificationPathID) indicates the order associated with a plurality of certificates by one or a plurality of CertificateIDs.
- the certificate path represents the order in which the image capturing apparatus 100 refers to the certificate for performing encrypted communication and the hierarchical structure of a plurality of certificates.
- the second certificate authority issues a second certificate to prove that the first certificate authority that issued the first certificate is a reliable certificate authority.
- the root certificate authority issues a third certificate to prove that the second certificate authority is a trusted certificate authority.
- the first certificate, the second certificate, and the third certificate form a hierarchical structure.
- the certification path is information indicating the hierarchical structure of such a certificate.
- the case where the hierarchical structure of the certificate is three layers has been described.
- the certificate is not limited to three layers, and an arbitrary hierarchical structure may be adopted.
- the imaging device 100 refers to the first certificate when performing communication encrypted using the certificate.
- the second certificate is referred to with reference to the signature of the certificate authority included in the first certificate.
- the third certificate is referenced with reference to the signature of the certificate authority included in the second certificate.
- the imaging apparatus 100 refers to the certificates in the order of the first certificate, the second certificate, and the third certificate.
- the order of the three certificates has been described.
- the number of certificates is not limited and may be an arbitrary number.
- Each of the Keypair unit 115, the Certificate unit 116, and the CertificationPath unit 117 is provided with a recording area (Alias) for recording an arbitrary character string.
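The keystore records described above and the Alias marking that makes DM service settings visible to an AS service client are modelled below. This Python code is an added example, not code from the patent or from ONVIF; the marker string `DM_ALIAS`, all function names, the overwrite guard and the random bytes standing in for key material are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

# Assumed marker text. The page says only that Alias records that an entry
# was made in response to a DM service command, not which string is stored.
DM_ALIAS = "set-by-DeviceManagement-service"


@dataclass
class Keypair:  # Keypair unit 115
    key_id: str
    private_key: bytes
    public_key: bytes
    alias: str


@dataclass
class Certificate:  # Certificate unit 116
    certificate_id: str
    key_id: str  # Keypair that stores this certificate's public key
    body: bytes
    alias: str


@dataclass
class CertificationPath:  # CertificationPath unit 117
    path_id: str
    certificate_ids: list  # order in which the device refers to the certificates
    alias: str


class Keystore:
    """In-memory stand-in for keystore unit 114."""

    def __init__(self):
        self.keypairs, self.certificates, self.paths = {}, {}, {}

    def add_keypair(self, alias):
        key_id = f"key-{len(self.keypairs) + 1}"
        # Random bytes stand in for real key generation (constructed data).
        self.keypairs[key_id] = Keypair(
            key_id, secrets.token_bytes(32), secrets.token_bytes(32), alias)
        return key_id

    def add_certificate(self, key_id, certificate_id, alias):
        if key_id not in self.keypairs:
            raise KeyError(f"unknown KeyID: {key_id}")
        if certificate_id in self.certificates:
            raise ValueError(f"CertificateID already in use: {certificate_id}")
        body = b"placeholder-self-signed:" + self.keypairs[key_id].public_key
        self.certificates[certificate_id] = Certificate(
            certificate_id, key_id, body, alias)
        return certificate_id

    def add_path(self, certificate_ids, alias):
        unknown = [c for c in certificate_ids if c not in self.certificates]
        if unknown:
            raise KeyError(f"unknown CertificateID(s): {unknown}")
        path_id = f"path-{len(self.paths) + 1}"
        self.paths[path_id] = CertificationPath(path_id, list(certificate_ids), alias)
        return path_id


def dm_create_certificate(store, certificate_id):
    """DM service side: one certificate command also yields the Keypair and
    CertificationPath records the AS service needs, all tagged via Alias."""
    key_id = store.add_keypair(DM_ALIAS)
    cert_id = store.add_certificate(key_id, certificate_id, DM_ALIAS)
    path_id = store.add_path([cert_id], DM_ALIAS)
    return key_id, cert_id, path_id


def as_list_entries(store):
    """AS service side: (kind, id, alias) rows a second client can read back."""
    rows = [("keypair", k.key_id, k.alias) for k in store.keypairs.values()]
    rows += [("certificate", c.certificate_id, c.alias)
             for c in store.certificates.values()]
    rows += [("certification_path", p.path_id, p.alias)
             for p in store.paths.values()]
    return rows


def dm_managed_ids(store):
    """IDs whose Alias shows they were created through the DM service."""
    return [ident for _, ident, alias in as_list_entries(store) if alias == DM_ALIAS]


def as_client_may_replace(store, ident):
    """Assumed client policy: do not silently overwrite DM-created entries."""
    return ident not in dm_managed_ids(store)


if __name__ == "__main__":
    ks = Keystore()
    dm_create_certificate(ks, "cert-dm-01")   # first client, DM service
    own_key = ks.add_keypair("client-300")    # second client, AS service
    for row in as_list_entries(ks):
        print(row)
    print("may replace", own_key, "->", as_client_may_replace(ks, own_key))
```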
- A process in which the client device 200 sets a public key, a private key, and a certificate in the imaging device 100 based on the DM service will be described with reference to FIGS. 2A and 2B.
- the public key, the private key, and the certificate need to be recorded in advance by the imaging apparatus 100 in order to start security communication using HTTPS between the imaging apparatus 100 and the client apparatus 200.
- processing performed by the client device 200 will be described with reference to the flowchart of FIG. 2A.
- the determination process illustrated in FIG. 2A can be executed by the client device 200 in response to a user instruction.
- the processing shown in the flowchart of FIG. 2A may be executed by the control unit 202 reading and executing the program recorded in the recording unit 203.
- the client apparatus 200 acquires status information indicating whether or not the HTTPS (Hypertext Transfer Protocol Secure) service is valid in the imaging apparatus 100 (S201).
- the state where the setting by HTTPS is valid is a state in which HTTPS communication using SSL or TLS (Transport Layer Security) can be started. That is, a public key, a private key, and a certificate used for HTTPS communication are already set in the imaging apparatus 100.
- the state in which the setting by HTTPS is invalid is a state in which the public key, the private key, and the certificate used for performing HTTPS communication are not set in the imaging apparatus 100.
- this includes a state in which the certificate has expired, is in a discarded state, or is in a suspended state, and HTTPS communication cannot be performed using the certificate.
- In step S201, the client apparatus 200 transmits a GetNetworkProtocols command to the imaging apparatus 100.
- the client device 200 requests acquisition of status information of HTTP, HTTPS, and RTSP (Real Time Streaming Protocol) services provided by the imaging device 100.
- This status information includes information indicating whether each service is valid or invalid.
- the client device 200 requests acquisition of information on a port number for which a service is provided by a GetNetworkProtocols command.
- the imaging apparatus 100 responds to the client apparatus 200 with a GetNetworkProtocols response.
- the client device 200 confirms the GetNetworkProtocols response and determines whether the setting by HTTPS is valid (S202). If the HTTPS setting is invalid (NO in S202), the process proceeds to step S207 described later.
- the client device 200 determines whether to use the HTTPS setting as it is or to set the HTTPS separately (S203). When the already set HTTPS setting is used (YES in S203), the setting of the public key, private key, and certificate for the current imaging apparatus 100 is terminated.
- the client device 200 acquires all the certificates possessed by the imaging device 100 (S204).
- In step S204, the client device 200 transmits a GetCertificates command to the imaging device 100.
- the imaging apparatus 100 returns a GetCertificates response to the client apparatus 200.
- The GetCertificates command is a command by which the client device 200 requests acquisition of information indicating all certificates that the imaging device 100 has.
- a certificate (Certificate) possessed by the imaging apparatus 100 is acquired.
- the client device 200 determines whether to use a certificate selected from the acquired certificates or to generate a new certificate (S205).
- the determination in step S205 can be performed in accordance with, for example, an instruction from the user regarding which certificate to use.
- When the client apparatus 200 uses, in HTTPS communication, a certificate selected from among the certificates acquired from the imaging apparatus 100 (YES in S205), it sets the selected certificate in the imaging apparatus 100 (S206).
- the SetCertificatesStatus command can be used to set the certificate.
- the SetCertificatesStatus command is a command for causing the recording unit 104 to record setting information used for performing encrypted communication.
- the SetCertificatesStatus command is a command that the client device 200 (first receiving device) performs to the imaging device 100 based on the DM service (first communication procedure).
- If it is determined in step S205 that a new certificate is to be generated (NO in S205), the client apparatus 200 determines whether to newly generate a public key, a private key, and a certificate in the imaging apparatus 100 (S207).
- When generating a public key, a private key, and a certificate in the imaging apparatus 100 (YES in S207), the client apparatus 200 instructs the imaging apparatus 100 to generate a public key, a private key, and a self-signed certificate.
- the self-signed certificate is appropriately expressed as SelfSignedCertificate.
- the client device 200 uses the CreateCertificate command to generate a public key and a private key for the imaging device 100, and requests that the self-signed certificate be generated using the public key and the private key.
- The client apparatus 200 generates the public key, private key, and certificate in its own apparatus (S210). Then, the client device 200 loads the generated private key and certificate into the imaging device 100 using the LoadCertificateWithPrivateKey command (S211). Details of the private key and certificate loading process from the client apparatus 200 to the imaging apparatus 100 will be described later with reference to FIG.
- the client apparatus 200 sets the generated public key, private key, and certificate to the imaging apparatus 100 to be used for HTTPS communication.
- the client device 200 uses the GetCertificatesStatus command to obtain status information indicating whether the certificate is in a state of being used for HTTPS communication.
- the client apparatus 200 sets the Status to True by transmitting a SetCertificatesStatus command to the imaging apparatus 100. In this way, the generated certificate can be set to be used for HTTPS communication.
- the SetNetworkProtocols command is a command that sets the valid / invalid status of HTTP, HTTPS, and RTSP services and the port numbers that provide those services.
- HTTPS is enabled
- the imaging apparatus 100 sets the HTTP server unit 111 to use a certificate with Status True for HTTPS communication.
- A setting sequence for performing HTTPS communication between the imaging apparatus 100 and the client apparatus 200 is shown in FIG. 2B.
- the client device 200 performs settings for the imaging device 100 based on the DM service.
- the client device 300 sets HTTPS communication based on the AS service
- the key pair (KeyPair), the certificate (Certificate), and the certification path (CertificationPath) are set in the imaging device 100.
- the client device 300 uses the AddServerCertificateAssignment command to set a certification path used for performing HTTPS communication in the imaging device 100.
- Key pairs and certification paths are AS service concepts not found in DM services.
- After the client apparatus 300 uses the AS service to set HTTPS communication for the imaging apparatus 100, it can occur that the client apparatus 200 starts setting HTTPS communication for the imaging apparatus 100 using the DM service.
- the client device 200 executes a GetNetworkProtocols command in step S201 in FIG. 2A to check whether the HTTPS of the imaging device 100 is set.
- the imaging device 100 responds to the client device 200 that the HTTPS communication setting is valid. That is, a response that the public key, private key, and certificate used for HTTPS communication are set in the imaging apparatus 100 is returned.
- the certificate set by the client device 300 is not transmitted to the client device 200. This is because the AS service does not stipulate that the certificate set in the imaging apparatus 100 using the AS service command is transmitted in response to the DM service GetCertificates command.
- When the client device 200 executes the GetCertificatesStatus command in step S212, the client device 200 is notified of the certificate status as empty. This is because the DM service does not have the concept of the certification path or key pair of the AS service, and there is nothing to reply with GetCertificatesStatus.
- the DM service cannot express the setting.
- the AS service does not have the concept of certificate status, and the contents set by the DM service cannot be referred to by the AS service.
- The imaging apparatus 100 uses the Keystore specified for the AS service and keeps the settings of the imaging apparatus 100 referred to by the client apparatus 200 consistent with the settings of the imaging apparatus 100 referred to by the client apparatus 300.
- a detailed configuration for ensuring consistency of settings of the imaging device 100 referred to in the client device 200 and the client device 300 will be described with reference to a flowchart of FIG.
- FIG. 3 shows processing executed by the imaging apparatus 100.
- the control unit 103 of the imaging apparatus 100 includes a processor and a memory
- The processing illustrated in FIG. 3 is realized by the control unit 103 expanding and executing the program stored in the recording unit 104. Alternatively, a part or the whole of the processing shown in FIG. 3 may be performed by hardware.
- FIG. 3 is a flowchart showing the process of the CreateCertificate command in the DM service unit 112 shown in FIG. 2A.
- the CreateCertificate command is a command for the client device 200 to instruct the imaging device 100 to generate a certificate.
- the imaging apparatus 100 receives a command for instructing certificate generation from the client apparatus 200 (S0301).
- the imaging device 100 receives a CreateCertificate command from the client device 200.
- the client device 200 sets the following content for the imaging device 100 in step S301.
- When the DM service unit 112 receives the CreateCertificate command via the HTTP server unit 111, it generates a public key and a private key (S302). With the CreateRSAKeyPair command of the AS service, the RSA key length can be set by specifying KeyLength. However, since no such setting can be made in the CreateCertificate command of the DM service, the keys are generated with a fixed key length such as 2048 bits.
- the DM service unit 112 generates a self-signed certificate using the generated public key and private key (S303).
- the self-signed certificate is certificate information for certifying that the public key is valid key information, and is certificate information to which signature information is added by the DM service unit 112.
- the subject is a string type, and there is no definition how to set the country name (Country) or common name (CommonName).
- “sample.com”, which is the string after “CN”, is set as the subject and issuer of the self-signed certificate; “ValidNotBefore” is the start date of the certificate's validity period, and “ValidNotAfter” is the end date of the validity period.
- In step S304, the public key, the private key, and the self-signed certificate are stored in the Keypair unit 115.
- a unique character string not recorded in the Keypair unit 115 is generated as KeyID (key pair information) and stored in the Keypair unit 115.
- KeyID is associated with both the public key and the private key generated in step S304, and indicates that the public key and the private key correspond to each other.
- In step S304, information indicating that key pair information has been generated by a command using the DM service is recorded in Alias of the Keypair unit 115.
- the information recorded in Alias of the Keypair unit 115 can be a character string such as “ONVIF Device Management”, for example.
- key pair information that has no concept in the DM service can be automatically generated according to a command for generating a certificate provided by the DM service. Further, it is possible to leave a record in the recording unit 104 so that it can be seen that this key pair information has been generated by a DM service command.
- In step S305, the generated self-signed certificate is stored in the certificate unit 116.
- In step S305, a unique character string that does not exist in the certificate unit 116 is generated as a certificate ID and recorded in the certificate unit 116.
- In step S305, a character string indicating that the setting related to HTTPS has been made to the imaging apparatus 100 by a command using the DM service is recorded in the alias of the certificate unit 116.
- In step S305, the KeyID recorded in the Keypair unit 115 is also stored in the Certificate unit 116 in order to associate the information recorded in the Certificate unit 116 with the information recorded in the Keypair unit 115.
- When a certificate is generated according to the CreateCertificate command, a self-signed certificate is used, so the certificate hierarchy has only one level. Therefore, in step S306, only the CertificateID generated in step S305 is set in the CertificationPath unit 117 as the CertificationPathID. Also, in the Alias of the CertificationPath unit 117, information indicating that certification path information has been generated by a command using the DM service is recorded in the recording unit 104.
- certification path information which has no concept in the AS service, can be automatically generated according to a command for generating a certificate provided by the DM service. Further, it is possible to leave a record in the recording unit 104 so that it can be seen that the certification path information has been generated by an instruction of the DM service.
- the client device 300 can refer to the public key and the private key set by the client device 200 with respect to the imaging device 100 as a Keypair.
- the client device 300 transmits a GetAllKeys command to the imaging device 100 in order to refer to the Keypair.
- a character string indicating that a public key and a private key are already set by a command using the DM service is described.
- the content of this Alias is transmitted from the imaging device 100 to the client device 300 as a response to the GetAllKeys command. Therefore, the user of the client device 300 can know that the public key and the private key are set in the imaging device 100 by the client device 200 using the DM service.
- the user of the client device 300 can know that the certificate and the certification path are set by the client device 200 using the DM service.
- the client device 300 can be set to use the self-signed certificate generated by the client device 200 for HTTPS communication by specifying the CertificationPathID using the AddServerCertificateAssignment command.
- the process illustrated in FIG. 4 is a process executed by the imaging apparatus 100.
- the control unit 103 of the imaging apparatus 100 includes a processor and a memory
- The processing illustrated in FIG. 4 is realized by the control unit 103 expanding and executing the program stored in the recording unit 104. Alternatively, a part or the whole of the processing shown in FIG. 4 may be performed by hardware.
- the imaging apparatus 100 receives a command (LoadCertificates) for loading a certificate from the client apparatus 200 (S401).
- The LoadCertificates command includes the following: CertificateID, which is the CertificateID specified when generating a CSR (Certificate Signing Request) with GetPkcs10Request; and Certificate, which is a certificate signed by a certification authority (CA).
- CA certification authority
- the keystore unit 114 acquires information (Keypair information) stored in the Keypair unit 115 (S402).
- a public key is obtained from the certificate unit 116 (S403).
- the public key and the private key are recorded in the Keypair unit 115 of the Keystore unit 114.
- a certificate signed to a CSR (Certificate Signing Request) generated based on the certificate ID of the self certificate also has an associated key pair.
- the imaging apparatus 100 determines whether the public key recorded in the keypair unit 115 matches the public key acquired in step S403 (S404).
- the certification path including the designated Certificate ID is deleted (S405). In this way, the certification path set for the self-signed certificate can be deleted.
- the certificate having the CertificateID indicated by the information recorded by the Certificate unit 116 of the Keystore unit 114 is deleted (S406).
- a certification path including a certificate loaded from the client device 200 is set.
- Alias indicating that it has been set by a command using the DM service is stored in the CertificationPath unit 117 of the Keystore unit 114 (S407).
- a certificate path in which CertificateID is set is generated.
- the unique CertificationPath ID and Alias indicating that the setting has been made by the DM service are stored in the CertificationPath unit 117 of the Keystore unit 114.
- Since the LoadCertificates command can specify loading of a plurality of certificates, it is further determined whether there are other certificates to be loaded (S409). If there is a certificate to be further loaded (YES in S409), the process returns to step S403. When all the certificates have been processed (NO in S409), a response to the LoadCertificates command is transmitted to the client device 200 (S411).
- the certificate loaded by the client apparatus 200 can be set as a certificate used when the client apparatus 300 performs encrypted communication with the imaging apparatus 100 according to the following procedure.
- When the client device 300 designates the CertificationPathID by using the AddServerCertificateAssignment command, the certificate can be set to be used for HTTPS communication (for example, SSL).
- The CACertificate private key is not in the Keypair unit 115 of the Keystore unit 114. Therefore, a key pair is acquired from the Keystore unit 114. An error can be determined if the combination of the public key of the loaded certificate matches the combination of the private key stored in the Keypair unit 115. If there is no match, the public key and unique KeyID acquired from the Certificate unit 116 are stored in the Keypair unit 115 of the Keystore unit 114, and information indicating that it is set according to the DM service command is set in the Alias. Further, the certificate and the unique CertificateID are stored in the Certificate unit 116 of the Keystore unit 114, and information indicating that the setting is made according to the DM service command is set in the Alias.
- FIG. 5 is realized in the DM service unit 112 in FIG. 2B.
- When receiving GetCertificates from the client device 200 (S501), the DM service unit 112 acquires a key pair and a certificate from the Keystore unit 114 (S502).
- If a plurality of certificates can be acquired in step S502, it is determined whether or not to include each certificate in the response (S505). If there is a next certificate, the processing from step S503 is repeated. When all the certificates have been determined (NO in S505), a response is transmitted to the client device 200 (S506).
- the certificate determined as NO in step S503 in FIG. 5 may be returned to the response.
- FIG. 6 is a flowchart showing certificate deletion processing in the DM service unit 112.
- the DM service security-related commands do not have the concept of a certification path or a key pair.
- the certification path and key pair based on the AS service are also deleted.
- the DeleteCertificates command is a command that is executed based on the DM service, and is a command that requests deletion of the certificate information recorded in the recording unit 104.
- the certificate deletion process will be described.
- the certificate may be invalidated, and the old certificate may be invalidated by overwriting the old certificate with a new certificate.
- When the DM service unit 112 receives the DeleteCertificates command (S601), the key pair, certificate, and certification path are acquired from the Keystore unit 114 (S602).
- If it is determined in step S603 that there is a certificate path including the specified CertificateID (YES in S603), it is determined whether the certificate path is used for SSL or the like. If it is used (YES in S605), the certificate cannot be deleted, so the AS service unit 113 transmits an error as a response to the client device 200 (S611).
- If the certification path is not used (NO in S605), the certification path is deleted (S606), and the certificate specified by CertificateID is deleted (S607). Next, the key pair associated with the certificate is deleted. There is no DM service security-related command to delete the key pair, so it is necessary to delete it with the DeleteCertificates command.
- Since the key pair may be associated with another certificate, this is determined in step S610. If the key pair is not associated with another certificate (YES in S608), the key pair associated with the certificate to be deleted is deleted (S609). If the key pair is associated with another certificate (NO in S608), it is not deleted. Since the DeleteCertificates command can specify a plurality of CertificateIDs, if there is a next CertificateID (YES in S610), the process returns to S603 to delete that CertificateID. When all the CertificateIDs have been processed (NO in S610), the DM service unit 112 transmits success as the response to the client device 200.
- the DM service unit 112 deletes the key pair information corresponding to the certificate information specified by the DeleteCertificates command (first command) from the recording unit 104. In addition, the DM service unit 112 deletes the certification path information corresponding to the certificate specified by the DeleteCertificates command from the recording unit 104. As described above, the certificate may be invalidated, and the certificate may be invalidated by overwriting the certificate or adding invalid information to the certificate.
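The bookkeeping of FIG. 3 and FIG. 6, sketched as an added Python example (not code from the patent): a DM CreateCertificate also fills in the AS-side key pair and one-level certification path, and DeleteCertificates refuses a certificate whose path is assigned to HTTPS and removes the key pair only when no other certificate references it. The class, method and ID names are hypothetical, key material is a stand-in string, and the handling of a certificate that has no path or of an unknown CertificateID is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

DM_ALIAS = "ONVIF Device Management"  # example Alias string given in the text


class InUseError(Exception):
    """The certificate is in the certification path assigned to HTTPS (S605 -> S611)."""


def _new_id(prefix, table):
    # "A unique character string not recorded in the unit": first free prefix-N.
    n = 1
    while f"{prefix}-{n}" in table:
        n += 1
    return f"{prefix}-{n}"


@dataclass
class Keystore:  # hypothetical model of the Keystore unit 114
    keypairs: dict = field(default_factory=dict)  # KeyID -> alias, public, private
    certs: dict = field(default_factory=dict)     # CertificateID -> alias, key_id, subject
    paths: dict = field(default_factory=dict)     # CertificationPathID -> alias, cert_ids
    https_path_id: Optional[str] = None           # path currently assigned to HTTPS (SSL)

    def dm_create_certificate(self, subject):
        """DM CreateCertificate (S302-S306): also creates the AS-side records."""
        key_id = _new_id("key", self.keypairs)
        # Stand-in strings; a device would generate a fixed-length RSA pair here.
        self.keypairs[key_id] = {"alias": DM_ALIAS,
                                 "public": f"pub({key_id})",
                                 "private": f"priv({key_id})"}
        cert_id = _new_id("cert", self.certs)
        self.certs[cert_id] = {"alias": DM_ALIAS, "key_id": key_id,
                               "subject": subject, "issuer": subject}  # self-signed
        path_id = _new_id("path", self.paths)
        self.paths[path_id] = {"alias": DM_ALIAS, "cert_ids": [cert_id]}  # one level
        return cert_id

    def as_get_all_keys(self):
        """AS GetAllKeys view: the Alias tells an AS client who created each key."""
        return [(key_id, kp["alias"]) for key_id, kp in self.keypairs.items()]

    def dm_delete_certificates(self, cert_ids):
        """DM DeleteCertificates (S601-S610), one CertificateID at a time."""
        for cert_id in cert_ids:
            holding = [p for p, rec in self.paths.items()
                       if cert_id in rec["cert_ids"]]
            if self.https_path_id in holding:
                raise InUseError(cert_id)        # still serving HTTPS: refuse
            for path_id in holding:
                del self.paths[path_id]          # S606
            # S607; an unknown CertificateID raises KeyError (assumption)
            key_id = self.certs.pop(cert_id)["key_id"]
            shared = any(c["key_id"] == key_id for c in self.certs.values())
            if not shared:
                del self.keypairs[key_id]        # S609: no other DM command can do this


if __name__ == "__main__":
    ks = Keystore()
    cid = ks.dm_create_certificate("CN=sample.com")  # constructed sample subject
    print(ks.as_get_all_keys())                      # AS client sees the DM Alias
    ks.https_path_id = "path-1"
    try:
        ks.dm_delete_certificates([cid])
    except InUseError as exc:
        print("refused, in use for HTTPS:", exc)
```

Because IDs are processed one at a time, an error on a later CertificateID leaves earlier deletions in place, which matches the per-ID loop in the text.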
- the SetCertificatesStatus command is an instruction to be executed based on the DM service, and is an instruction to specify a certificate to be used for performing HTTPS communication such as SSL.
- an example of performing encrypted communication using SSL will be described.
- the certificate can be set to be used for SSL, and by disabling Status, the certificate can be set not to be used for SSL.
- If the certificate identification information (CertificateID) specified by the SetCertificatesStatus command matches the identification information of the first certificate in the certificate order indicated by the certificate path, that certificate path is used for SSL settings.
- the identification information of the certificate is expressed as CertificateID in ONVIF.
- the processing is performed when the certification path whose certificate identification information matches the certificate identification information specified by the SetCertificatesStatus command is not recorded in the recording unit 104.
- a one-stage certificate path using the certificate with the CertificateID specified by the SetCertificatesStatus command is generated, and recorded and set in the recording unit 104 as a certificate path used for SSL.
- the execution process of the SetCertificatesStatus command in the DM service unit 112 will be described with reference to FIG.
- the certificate path is used for SSL setting.
- When the DM service unit 112 receives SetCertificatesStatus (S701), the key pair, certificate, and certification path are acquired from the Keystore unit 114 (S702).
- the certificate path unit 117 searches for a certificate whose first certificate ID matches the specified certificate ID (S703). If there is no match (NO in S703), the DM service unit 112 transmits an error to the client device 200 (S704).
- the client apparatus 200 can also set a certification path including a plurality of Certificate IDs as SSL.
- the GetCertificatesStatus command is an instruction performed based on the DM service.
- the GetCertificatesStatus command is a command for requesting transmission of information indicating the status of the certificate recorded by the recording unit 104 (for example, whether the certificate is set to be used for encrypted communication).
- the GetCertificatesStatus command provided by the DM service returns its status for a single certificate, and cannot represent the AS service certification path.
- The certificate path information based on the AS service includes identification information (CertificateID) of a plurality of certificates. Therefore, when the GetCertificatesStatus command from the DM service is received, it becomes a problem for which of the plurality of certificates the status should be returned. Therefore, in the present embodiment, information (for example, Status information) about the first certificate, in the order in which the imaging apparatus 100 refers to certificates to perform encrypted communication, among the plurality of certificates indicated by the certification path is returned as a response.
- When the DM service unit 112 receives the GetCertificatesStatus command (S801), the certificate and the certification path are acquired from the Keystore unit 114 (S802). If there is no certificate ID in the certificate of the keystore unit 114 that matches the certificate ID at the beginning of the certificate path (NO in S803), it cannot be used for SSL setting. Therefore, the process proceeds to step S807 without including it in the reply to the GetCertificatesStatus command. If there is, it is determined whether the certification path is used for SSL (S804). If it is used (YES in S804), the CertificateID and the status set to True are added to the response.
- the AS service unit 113 transmits a response to the client device 200 (S808).
- FIG. 9 is a flowchart showing the processing of the SetCertificatesStatus command in the DM service unit 112.
- that certificate path is used for SSL setting.
- a one-stage certificate path using the certificate with the specified CertificateID is generated and used for SSL setting.
- When the DM service unit 112 receives the SetCertificatesStatus command (S901), the key pair, certificate, and certification path are acquired from the Keystore unit 114 (S902).
- When it is determined in step S903 that there is no certificate path that matches the specified CertificateID (NO in S903), it is determined whether there is a certificate with the specified CertificateID among the certificates of the Keystore unit 114 (S904). If there is not, an error is transmitted in the reply (S905).
- a one-stage certificate path is generated with the CertificateID (S906), and the specified Status is reflected (S907). Since the SetCertificatesStatus command can specify a plurality of CertificateIDs, if there is a next CertificateID (YES in S908), the process returns to Step S903 and the processing of the next CertificateID is continued. When processing of all CertificateIDs is completed (NO in S908), the DM service unit 112 transmits success as a response to the client device 200.
- the DM service unit 112 performs the following process to generate a certification path even if a CertificateID not at the beginning of the certification path is specified by the SetCertificatesStatus command. That is, in response to the GetCertificatesStatus command, a CertificateID not at the beginning of the certification path is also returned.
- When the DM service unit 112 receives the GetCertificatesStatus command (S1001), the certification path, certificate, and key pair are acquired from the Keystore unit 114 (S1001). Next, a certificate whose CertificateID specified by the GetCertificatesStatus command matches the first CertificateID in the order indicated by the certification path is searched for. If there is a matching certificate (YES in S1003), it is determined whether the certification path is used for SSL (S1004).
- The DM service unit 112 processes the command that requests acquisition of information indicating whether the certificate information recorded in the recording unit 104 is set as certificate information used for encrypted communication. Then, according to the third command, information indicating that fourth certificate information, which the certification path information indicates is at the head of the order, is set as certificate information used for encrypted communication (for example, Status is True) is recorded in the recording unit 104. The DM service unit 112 also records in the recording unit 104 information indicating that fifth certificate information different from the fourth certificate information is not set to be used for encrypted communication (for example, Status is False).
- a certificate response that can be used as a self-signed certificate is generated.
- a certificate that can be used as a self-signed certificate is one in which a private key is set in a key pair associated with the certificate. If there is a private key in the Keypair unit 115 (YES in S1006), the CertificateID of the certificate is added to the response, and the Status is set to False. If there is no private key in the Keypair unit 115 (NO in S1006), the CertificateID is not included in the response.
- When the DM service unit 112 executes GetCertificatesStatus (third instruction), it can refrain from transmitting certificate information that is not associated with key pair information among the plurality of certificates indicated by the certification path.
- the process returns to Step S1003 to continue the process of the next CertificateID.
- the DM service unit 112 transmits a response to the client device 200.
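An added Python example (not from the patent) of how the single-certificate Status of the DM service can be projected onto AS certification paths as FIG. 9 and FIG. 10 describe. The dictionary layout, function names and sample records are constructed; a single HTTPS assignment at a time and the fall-through from an unused path to the private-key check are assumptions.

```python
def make_store():
    """Constructed keystore contents, as an AS-service client might have left them."""
    return {
        "keys": {"key-srv": {"private": "priv(key-srv)"},
                 "key-ca": {"private": None},          # CA certificate: public key only
                 "key-self": {"private": "priv(key-self)"}},
        "certs": {"cert-srv": {"key_id": "key-srv"},
                  "cert-ca": {"key_id": "key-ca"},
                  "cert-self": {"key_id": "key-self"}},
        # CertificationPathID -> CertificateIDs in the order the server refers to them
        "paths": {"path-1": ["cert-srv", "cert-ca"]},
        "https_path": "path-1",                         # path assigned to HTTPS (SSL)
    }


def set_certificates_status(store, cert_id, status):
    """FIG. 9: map a DM SetCertificatesStatus onto a certification path."""
    # S903: look for a path whose first CertificateID matches the one specified.
    path_id = next((p for p, ids in store["paths"].items() if ids[0] == cert_id),
                   None)
    if path_id is None:
        if cert_id not in store["certs"]:               # S904 -> S905
            raise LookupError(f"unknown CertificateID {cert_id}")
        n = 1                                           # S906: one-stage path, unique ID
        while f"path-{n}" in store["paths"]:
            n += 1
        path_id = f"path-{n}"
        store["paths"][path_id] = [cert_id]
    # S907: reflect the requested Status on the HTTPS assignment.
    if status:
        store["https_path"] = path_id
    elif store["https_path"] == path_id:
        store["https_path"] = None
    return path_id


def get_certificates_status(store):
    """FIG. 10: build the DM GetCertificatesStatus response from AS records."""
    response = {}
    active = store["https_path"]
    for cert_id, cert in store["certs"].items():
        heads_active_path = (active is not None
                             and store["paths"][active][0] == cert_id)
        if heads_active_path:
            response[cert_id] = True                    # first certificate of the path in use
        elif store["keys"][cert["key_id"]]["private"] is not None:
            response[cert_id] = False                   # S1006: usable, but not selected
        # Otherwise omitted: the device holds no private key for this certificate.
    return response


if __name__ == "__main__":
    store = make_store()
    print(get_certificates_status(store))   # the intermediate "cert-ca" is not listed
    set_certificates_status(store, "cert-self", True)
    print(store["paths"], get_certificates_status(store))
```

A DM client therefore never sees the intermediate certificate of an AS-configured chain, so an audit of what the device presents over HTTPS has to read the certification path through the AS service.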
- the “LoadCertificatesWithPrivatekey” command is a command for loading a certificate, a private key, and a public key associated therewith into the imaging apparatus 100.
- The public key is acquired from the certificate and the private key, and error processing is performed if they do not match. If they match, the private key, public key, and unique KeyID are stored in the Keystore unit 114, and information indicating that it has been set by a DM service command is set in the Alias. Further, the certificate and the Certificate ID are stored in the Certificate unit 116 of the Keystore unit 114, and information indicating that it is set by the DM service command is described in the Alias.
- When a key pair, a certificate, and a certification path are stored in the Keystore unit 114, information indicating that the setting was made based on the DM service is recorded in each Alias. Then, in response to a command performed based on the AS service (a command for referring to the setting), the communication unit 105 can transmit information indicating that the setting has been made for the imaging apparatus 100 in accordance with a command performed based on the DM service. In this way, even the security-related settings set by the client device 200 can be known by the client device 300.
- Likewise, information indicating that the setting has been made for the imaging apparatus 100 in accordance with a command performed based on the AS service is recorded, and the communication unit 105 can transmit that information in response to a command performed based on the DM service (a command for referring to the setting). In this way, even the security-related settings set by the client device 300 can be known by the client device 200.
- the imaging apparatus 100 enables settings for the imaging apparatus 100 by means other than the ONVIF communication procedure.
- the imaging apparatus 100 as an information processing apparatus activates a WEB page for the client apparatus 1100 to set the imaging apparatus 100.
- the user can access the camera through the web browser on the client device 1100 and change the setting.
- the imaging apparatus 100 prepares a Web page for setting SSL, and performs certificate setting and SSL service start / end control.
- the setting web page is referred to as a setting page.
- By using the setting page, the client device 1100 can also check the contents of the settings made to the imaging device 100 by the client devices 200 and 300 of the first embodiment.
- ONVIF defines a command group for setting a private key, public key, and certificate, a command group for setting it to be used for SSL and IEEE802.1X, and a command for setting the start / end of a service.
- the usage of the certificate is not determined at that time.
- When a certificate is used for SSL, its usage is determined by the SetCertificatesStatus command among the security-related commands used in the DM service, and by the Add/ReplaceServerCertificateAssignment command among the commands used in the AS service.
- In the Keystore unit 114 it is common to set multiple certificates, but on the SSL setting page it is usually enough to set one certificate for the SSL server, or one set consisting of that certificate and a middle-tier certificate.
- the control unit 103 of the imaging apparatus 100 executes the function of the setting page control unit 118 described later in addition to the functions of the DM service unit 112 and the AS service unit 113.
- the first processing unit 106 can execute the function of the setting page control unit 118.
- FIG. 11 is a diagram illustrating the imaging apparatus 100 and the client apparatus 1100 that performs security settings for the imaging apparatus 100 using a setting page.
- the imaging apparatus 100 according to the present embodiment includes an HTTP server unit 111, a DM service unit 112, an AS service unit 113, and a Keystore unit 114.
- the imaging apparatus 100 according to the second embodiment is different from the configuration shown in the first embodiment in that the keystore unit 114 can be operated from the setting page control unit 118.
- the setting page unit 118 executes a command that the client device 1100 (first receiving device) using the setting page performs on the imaging device 100 based on HTTP (first communication procedure).
- The commands based on HTTP include a command for causing the recording unit 104 to record first key pair information indicating that a public key (first public key information) used for performing encrypted communication corresponds to a private key (first private key information) used for performing encrypted communication.
- the command to be executed based on HTTP includes a command for transmitting from the communication unit 105 key pair information (first key pair information) indicating the correspondence between the public key and the private key.
- the command based on HTTP includes a command for invalidating (eg, deleting) the key pair information recorded in the recording unit 104.
- Also included is a command for generating a self-signed certificate, which is certificate information for certifying that the public key information is valid key information and to which signature information is added by the setting page control unit 118.
- the setting page control unit 118 does not necessarily execute all these instructions, and may execute at least one of the instructions.
- The imaging apparatus 100 returns a setting page as shown in FIG. 12 when the client apparatus 1100 requests the SSL setting page.
- Radio buttons (1201, 1202, 1203) select whether to disable SSL, use a self-signed certificate, or use a certificate signed by a CA.
- Subject 1204 is an input field for setting the subject used for a self-signed certificate.
- The input field 1205 and the input field 1206 are input fields for setting the start date and end date of the validity period of the self-signed certificate.
- When the generation button 1207 is pressed, a self-signed certificate is generated.
- The display button 1208 displays the generated self-signed certificate in a separate pop-up window.
- The delete button 1209 deletes the self-signed certificate.
- Subject 1210 sets the subject of the certificate signing request; it is set in the same way as subject 1204.
- The generation button 1211 generates a certificate signing request according to the subject set in subject 1210, and the display button 1212 displays the certificate signing request in a separate pop-up window.
- The install button 1213 instructs installation of a certificate signed by the CA on the basis of the certificate signing request.
- The certificate file is selected by browsing the file system of the device on which the client device 1100 runs.
- The display button 1214 instructs display of the certificate in a separate window.
- The delete button 1215 instructs deletion of the certificate.
- The install button 1216 instructs installation of a CA certificate (intermediate certificate or cross-root certificate) provided by the CA.
- The certificate file is selected by browsing the file system of the device on which the client device 1100 runs.
- The display button 1217 displays the certificate in a separate window.
- The delete button 1218 deletes a certificate.
- The apply button 1219 applies the settings.
- The cancel button 1220 cancels the settings.
- The imaging apparatus 100 is set to generate a self-signed certificate and use it for SSL.
- The imaging apparatus 100 reflects the setting contents in the Keystore unit 114.
- The imaging apparatus 100 first generates a public key and a private key (S1302). The encryption/signature algorithm and key length could be made configurable, but here they are fixed to sha-2WithRSAEncryption and 2048 bits.
- The control unit 103 can create a public key, a private key, and a self-signed certificate.
- The HTTP server unit 111 can generate the function.
- A self-signed certificate is generated according to the set values (S1302). Next, it is stored in the Keystore unit 114 so that the certificate set on the setting page can be referenced by the DM security-related commands and the AS commands.
- A unique KeyID is generated and stored in the Keypair unit 115 of the Keystore unit 114, and information indicating that the self-signed certificate was set on the setting page is recorded in the Alias (S1303). Then the self-signed certificate is stored, together with a newly generated unique CertificateID, in the Certificate unit 116 of the Keystore unit 114, and information indicating that the self-signed certificate was set on the setting page is set in the Alias (S1304).
- A certification path containing only that one CertificateID and a unique CertificationPathID are generated and stored in the CertificationPath unit 117 of the Keystore unit 114. Information indicating that the self-signed certificate was set on the setting page is then set in the Alias (S1303). Furthermore, because a self-signed certificate generated on the SSL setting page is intended for SSL, the generated certification path is set to be used for SSL (S1306).
- The client device 300 can reference the private key and public key of the self-signed certificate generated on the setting page by using the GetAllKeys command.
- The self-signed certificate can be referenced by using the GetAllCertificates command.
- The GetCertificationPath command shows the self-signed certificate set as a single entry.
- For the display button 1208, the following is possible even if the self-signed certificate was not set from the SSL setting page.
- As long as the CertificationPath unit 117 is set to use a self-signed certificate,
- the self-signed certificate set by the client device 200 or 300 may be displayed.
- The CertificationPath unit 117 is searched for a certification path used for SSL. If one exists, the certificate is looked up from the CertificateID set in the CertificationPath unit 117, and if it is a self-signed certificate, it is displayed on the client device 1100.
- For the delete button 1209 as well, it is sufficient that the CertificationPath unit 117 is set to use the self-signed certificate, even if the self-signed certificate was not set from the SSL setting page.
- The self-signed certificate set by the client device 200 or 300 may be deleted.
- The CertificationPath unit 117 is searched for a certification path used for SSL, and if one exists, the certificate is looked up from the CertificateID set in the CertificationPath unit 117. If the certificate is a self-signed certificate, the certification path is set not to be used for SSL, and the certification path, certificate, and key pair are deleted in this order.
- FIG. 14 is a flowchart of the processing performed when a certificate and a CA certificate are set with the install button 1213 and the install button 1216 in order to use a certificate signed by the CA.
- The issuer of the certificate and the common name of the CA certificate are checked.
- A key pair whose Alias means that a certificate signed by a CA is used is acquired from the Keypair unit 115 of the Keystore unit 114 (S1401).
- A public key is acquired from the certificate installed with the install button 1213 (S1402).
- The public key of the acquired key pair and the public key of the certificate are compared. If they do not match (NO in S1403), error processing is performed because the combination of public key and private key does not match (S1412). If they match (YES in S1403), the Issuer is acquired from the certificate in order to confirm the certification path (S1404), and the Subject is acquired from the CA certificate (S1405).
- The obtained Issuer and Subject are compared, and if they do not match (NO in S1406), the certification path does not match and error processing is performed (S1402). If they match (YES in S1406), the process proceeds to step S1407.
- This description assumes a single CA certificate; if there are a plurality of CA certificates, the certification path must be checked in the same manner.
- The certificate set with the install button 1213 is set in the Certificate unit 116 of the Keystore unit 114.
- The certificate, a unique CertificateID, and the KeyID of the key pair acquired in step S1401 are stored in the Certificate unit 116 of the Keystore unit 114.
- Information indicating that the certificate signed by the CA certificate is used is set in the Alias (S1407).
- The CA certificate set with the install button 1216 is set in the Keypair unit 115 and the Certificate unit 116 of the Keystore unit 114.
- The public key of the CA certificate and a unique KeyID are stored in the Keypair unit 115 of the Keystore unit 114, and information indicating that the certificate signed by the CA certificate is used is set in the Alias (S1408). Further, the CA certificate, a unique CertificateID, and the KeyID set in step S1408 are associated with one another and stored in the Certificate unit 116 of the Keystore unit 114.
- Information indicating that the certificate signed by the CA certificate is used is set in the Alias (S1409).
- A certification path in which the CertificateID of the certificate set in step S1407 comes first, followed by the CertificateID of the CA certificate, is stored in the CertificationPath unit 117 of the Keystore unit 114.
- Information indicating that the certificate signed by the CA certificate is used is set in the Alias (S1410).
- The generated certification path is set to be used for SSL (S1411).
- The Keystore unit 114 is searched for a certification path whose Alias holds information meaning that the certificate signed by the CA certificate is used. If one exists, it is set not to be used for SSL, and the certification path is deleted. Next, certificates whose Alias holds information meaning that the certificate signed by the CA certificate is used are searched for, and a certificate is deleted if the KeyID associated with it has a private key.
- The Keystore unit 114 is searched for a certification path whose Alias records information indicating that a certificate signed by the CA certificate is used. If one exists, it is set not to be used for SSL, and the certification path is deleted. Next, certificates whose Alias holds information meaning that the certificate signed by the CA certificate is used are searched for, and a certificate is deleted if the KeyID associated with it has no private key.
- The apply button 1219 starts or stops the SSL service according to the option selected with the radio buttons (1201, 1202, 1203). If the cancel button 1220 is pressed, the subject or certificate settings that are in progress are cancelled.
- The same Alias is set for the certificate and the CA certificate, but different certificates may be used. A search by Alias may be used to delete a certificate or CA certificate, and to delete the certification path, certificate, and key pair.
- The communication unit 105 can transmit information indicating that a setting was made on the imaging device 100 by a command issued over HTTP using the setting page, in response to a command based on the AS service (a command for referencing the settings). In addition, the communication unit 105 can transmit information indicating that a setting was made on the imaging device 100 by a command issued over HTTP using the setting page, in response to a command (a command for referencing the settings).
- The SSL setting has been described above, but the setting can likewise be reflected by setting the Alias in other functions that handle certificates.
- The present invention can also be realized by a process in which a program that realizes one or more functions of the above-described embodiments is supplied to a system or apparatus via a network or a recording medium, and one or more processors in the computer of the system or apparatus read and execute the program. It can also be realized by a circuit (for example, an ASIC) that realizes one or more functions.
- 100 Imaging device, 103 Control unit, 104 Recording unit, 105 Communication unit, 106 First processing unit, 107 Second processing unit, 200 First client device, 300 Second client device
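The install flow of FIG. 14 (S1401 to S1411) and the Alias-based deletion described above, modelled as an added example that is not code from the patent. Certificates are already-parsed records with constructed values, and the `Keystore` class, the `ALIAS_CA` string, and the ID format are assumptions.

```python
from dataclasses import dataclass
from itertools import count

ALIAS_CA = "settings-page:ca-signed"  # assumed Alias text; the page fixes no format


class InstallError(Exception):
    """Raised before anything is written to the keystore."""


@dataclass(frozen=True)
class Cert:
    """Fields of an already-parsed certificate (constructed sample data)."""
    subject: str
    issuer: str
    public_key: bytes


class Keystore:
    """Model of Keystore unit 114: Keypair, Certificate and CertificationPath tables."""

    def __init__(self):
        self.keypairs, self.certs, self.paths = {}, {}, {}
        self.ssl_path_id = None  # certification path currently used for SSL
        self._seq = count(1)

    def put(self, table, prefix, **record):
        new_id = f"{prefix}{next(self._seq)}"  # unique KeyID / CertificateID / path ID
        table[new_id] = record
        return new_id


def install_ca_signed(ks, cert, ca_cert):
    """Install a CA-signed certificate and its CA certificate (S1401 to S1411)."""
    # S1401: key pair whose Alias marks it for a CA-signed certificate
    key_id = next((k for k, kp in ks.keypairs.items()
                   if kp["alias"] == ALIAS_CA and kp["private"] is not None), None)
    if key_id is None:
        raise InstallError("no key pair recorded for a CA-signed certificate")
    # S1402-S1403: the certificate must carry the public key of that key pair
    if cert.public_key != ks.keypairs[key_id]["public"]:
        raise InstallError("public key does not match the stored key pair")
    # S1404-S1406: Issuer of the certificate must equal Subject of the CA certificate
    if cert.issuer != ca_cert.subject:
        raise InstallError("certification path does not match")
    # S1407: certificate stored with the KeyID found in S1401
    cert_id = ks.put(ks.certs, "cert", cert=cert, key_id=key_id, alias=ALIAS_CA)
    # S1408-S1409: CA public key (no private key) and CA certificate
    ca_key = ks.put(ks.keypairs, "key", public=ca_cert.public_key,
                    private=None, alias=ALIAS_CA)
    ca_id = ks.put(ks.certs, "cert", cert=ca_cert, key_id=ca_key, alias=ALIAS_CA)
    # S1410-S1411: path lists the certificate first, then the CA certificate
    path_id = ks.put(ks.paths, "path", cert_ids=[cert_id, ca_id], alias=ALIAS_CA)
    ks.ssl_path_id = path_id
    return path_id


def delete_by_alias(ks, alias):
    """Delete certification path, certificates, then key pairs found by Alias."""
    removed = []
    for table in (ks.paths, ks.certs, ks.keypairs):
        for item_id in [i for i, rec in table.items() if rec["alias"] == alias]:
            if item_id == ks.ssl_path_id:
                ks.ssl_path_id = None  # stop using the path for SSL before deleting it
            del table[item_id]
            removed.append(item_id)
    return removed


def demo():
    ks = Keystore()
    # Key pair created when the certificate signing request was generated (constructed)
    ks.put(ks.keypairs, "key", public=b"DEVICE-PUB", private=b"DEVICE-PRIV",
           alias=ALIAS_CA)
    ca = Cert("CN=Example CA", "CN=Example CA", b"CA-PUB")
    leaf = Cert("CN=sample.com", "CN=Example CA", b"DEVICE-PUB")
    return ks, install_ca_signed(ks, leaf, ca)


if __name__ == "__main__":
    store, path = demo()
    print(path, store.paths[path]["cert_ids"], delete_by_alias(store, ALIAS_CA))
```

As in the flow described, the path check compares Issuer and Subject names only; the model does not verify the CA's signature over the certificate.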
Abstract
Description
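In the present embodiment, an example is described in which a first client device and a second client device use procedures defined by ONVIF to configure settings related to security functions on an imaging apparatus serving as the information processing apparatus.
The client devices 200 and 300 POST a SOAP message to a URI (Uniform Resource Identifier) that designates the DM service unit 112 or the AS service unit 113 of the imaging apparatus 100. SOAP messages can be transmitted in this way. The message is POSTed using the POST method of HTTP (Hypertext Transfer Protocol). In the present embodiment, the function of the HTTP server unit 111 is realized by the communication unit 105 shown in FIG. 1A.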
Subject CN=sample.com
ValidNOtBefore 2015-01-01T01:00:00Z
ValidNOtAfter 2020-12-31T23:59:59Z
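CertificateID: the CertificateID specified when the CSR (Certificate Signing Request) was generated with GetPkcs10Request
Certificate: a certificate signed by a certification authority (CA)
When the DM service unit 112 receives the LoadCertificates command, it acquires the information stored in the Keypair unit 115 (Keypair information) from the Keystore unit 114 (S402). Next, it acquires the public key from the Certificate unit 116 (S403).
An imaging apparatus having a function for setting security functions according to a second embodiment of the present invention is described below with reference to FIGS. 11 to 15.
When the display button 1212 is pressed, the certificate signing request generated with the generation button 1211 is displayed on the client device 1100 in a newly created separate window.
The present invention can also be realized by a process in which a program that realizes one or more functions of the above-described embodiments is supplied to a system or apparatus via a network or a recording medium, and one or more processors in the computer of the system or apparatus read and execute the program. It can also be realized by a circuit (for example, an ASIC) that realizes one or more functions.
103 Control unit
104 Recording unit
105 Communication unit
106 First processing unit
107 Second processing unit
200 First client device
300 Second client device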
Claims (19)
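- An information processing apparatus comprising:
first processing means for making, on the information processing apparatus, a setting for performing encrypted communication in response to a command issued on the basis of a first communication procedure;
second processing means for making, on the information processing apparatus, a setting for performing encrypted communication in response to a command issued on the basis of a second communication procedure; and
transmission means for transmitting to a receiving device, when a command issued on the basis of the second communication procedure is received from the receiving device after the first processing means has made the setting for performing encrypted communication on the information processing apparatus in response to a command issued on the basis of the first communication procedure, information indicating that the setting for performing encrypted communication was made in response to the command issued on the basis of the first communication procedure.
- The information processing apparatus according to claim 1, further comprising control means for performing control to cause recording means to record information indicating that a setting has been made on the information processing apparatus by a command issued on the basis of the first communication procedure.
- The information processing apparatus according to claim 2, wherein
the first processing means executes a command that a first receiving device issues to the information processing apparatus on the basis of the first communication procedure, the command being for setting in the information processing apparatus at least one of first public key information used for performing encrypted communication, first private key information that corresponds to the first public key information and is used for performing encrypted communication, and first certificate information for certifying that the public key information is valid key information, and
the second processing means executes a command that a second receiving device issues to the information processing apparatus on the basis of the second communication procedure, the command being for setting in the information processing apparatus at least one of key pair information indicating that second public key information used for performing encrypted communication corresponds to second private key information used for performing encrypted communication, second certificate information for certifying that the second public key information is valid key information, and certification path information indicating third certificate information related to the second certificate information.
- The information processing apparatus according to claim 2, wherein
the first processing means executes at least one command that a first receiving device issues to the information processing apparatus on the basis of the first communication procedure, the at least one command being among a command that causes the recording means to record first key pair information indicating that first public key information used for performing encrypted communication corresponds to first private key information used for performing encrypted communication, a command that causes the transmission means to transmit the first key pair information, a command that invalidates the first key pair information recorded in the recording means, and a command that causes generation of certificate information that certifies that the first public key information is valid key information and to which signature information has been added by the first processing means,
the second processing means executes a command that a second receiving device issues to the information processing apparatus on the basis of the second communication procedure, the command being for causing the recording means to record at least one of key pair information indicating that second public key information used for performing encrypted communication corresponds to second private key information used for performing encrypted communication, second certificate information for certifying that the second public key information is valid key information, and certification path information indicating third certificate information related to the second certificate information, and
the transmission means transmits, in response to a command issued on the basis of the second communication procedure, information indicating that a setting has been made on the information processing apparatus in response to a command issued on the basis of the first communication procedure.
- The information processing apparatus according to claim 3, wherein
the first processing means, in response to a command that is issued on the basis of the first communication procedure and instructs generation of the first certificate information, generates certificate information that certifies that the public key information is valid key information and to which signature information has been added by the first processing means, the key pair information, and the certification path information, and causes the recording means to record them, and
the control means performs control to cause the recording means to record information indicating that the certificate information, the key pair information, and the certification path information were generated in response to the command issued on the basis of the first communication procedure.
- The information processing apparatus according to claim 3, wherein the first processing means executes a first command that is issued on the basis of the first communication procedure and requests invalidation of certificate information recorded in the recording means, and invalidates the key pair information corresponding to the certificate information designated by the first command or the certification path information corresponding to the certificate information designated by the first command.
- The information processing apparatus according to claim 3, wherein
the certification path information is information indicating the order in which the information processing apparatus refers to a plurality of pieces of certificate information recorded in the recording means in order to perform encrypted communication, and
the first processing means, in response to a second command that designates certificate information to be used for performing encrypted communication and is issued on the basis of the first communication procedure, causes the recording means to record, as the certification path information used for performing the encrypted communication, the certification path information indicating that the certificate information corresponding to identification information designated by the second command is first in the order.
- The information processing apparatus according to claim 3, wherein
the certification path information is information indicating the order in which the information processing apparatus refers to a plurality of pieces of certificate information recorded in the recording means in order to perform encrypted communication, and
the transmission means, in response to a command that is issued on the basis of the first communication procedure and requests transmission of information about the certificate information recorded in the recording means, transmits information indicating the certificate information that the certification path information indicates as first in the order among the plurality of pieces of certificate information recorded in the recording means.
- The information processing apparatus according to claim 3, wherein
the certification path information is information indicating the order in which the information processing apparatus refers to a plurality of pieces of certificate information recorded in the recording means in order to perform encrypted communication, and
the first processing means, in response to a third command requesting acquisition of information indicating whether certificate information recorded in the recording means is set as certificate information used for performing encrypted communication, causes the recording means to record information indicating that fourth certificate information, which the certification path information indicates as first in the order among the plurality of pieces of certificate information, is set as certificate information used for performing encrypted communication, and causes the recording means to record information indicating that fifth certificate information, which differs from the fourth certificate information among the plurality of pieces of certificate information, is not set to be used for performing encrypted communication.
- The information processing apparatus according to claim 9, wherein the transmission means, when the first processing means has executed the third command, does not transmit, among the plurality of pieces of certificate information, certificate information that is not associated with the key pair information.
- The information processing apparatus according to claim 3, wherein
the first communication procedure is a communication procedure provided by the DeviceManagement service defined by ONVIF, and the second communication procedure is a communication procedure provided by the AdvancedSecurity service defined by ONVIF, and
the control means causes the recording means to record Keystore information and Alias information based on the second communication procedure, and causes the recording means to record, as the Alias information, information indicating that a setting has been made on the information processing apparatus by a command issued on the basis of the first communication procedure.
- The information processing apparatus according to claim 11, wherein
the first processing means executes at least one of a LoadCertificates command, a LoadCACertificates command, a LoadCertificateWithPrivateKey command, and a LoadCertificateWithPrivateKey command, each being a command based on the first communication procedure for loading the first certificate information into the information processing apparatus, and
the control means, when the first processing means has executed at least one of the LoadCertificates command, the LoadCACertificates command, the LoadCertificateWithPrivateKey command, and the LoadCertificateWithPrivateKey command by the first communication procedure, causes the recording means to record, as the Alias information, information indicating that a certificate was loaded by the first communication procedure.
- The information processing apparatus according to claim 11, wherein
the control means causes the recording means to record the second certificate information in association with the key pair information,
the first processing means executes a GetCertificates command, which is a command based on the first communication procedure that requests the information processing apparatus to transmit certificate information, and a GetCACertificates command, which is a command provided by the first communication procedure that requests the information processing apparatus to transmit certificate information issued by a certification authority, and
the transmission means transmits the second certificate information associated with the key pair information when the first processing means has executed the GetCertificates command, and transmits third certificate information not associated with the key pair information when the first processing means executes the GetCACertificates command.
- The information processing apparatus according to claim 11, wherein the first processing means executes a DeleteCertificates command, which is a command based on the first communication procedure that requests deletion of certificate information recorded in the recording means, and deletes from the recording means the key pair information corresponding to the certificate information designated by the DeleteCertificates command or the certification path information corresponding to the certificate information designated by the DeleteCertificates command.
- The information processing apparatus according to claim 2, further comprising imaging means, wherein
the transmission means transmits a captured image captured by the imaging means by communication encrypted on the basis of the information recorded in the recording means.
- A control method for an information processing apparatus, comprising:
a first processing step of making, on the information processing apparatus, a setting for performing encrypted communication in response to a command issued on the basis of a first communication procedure;
a second processing step of making, on the information processing apparatus, a setting for performing encrypted communication in response to a command issued on the basis of a second communication procedure; and
a transmission step of transmitting to a receiving device, when a command issued on the basis of the second communication procedure is received from the receiving device after the setting for performing encrypted communication has been made on the information processing apparatus in the first processing step in response to a command issued on the basis of the first communication procedure, information indicating that the setting for performing encrypted communication was made in response to the command issued on the basis of the first communication procedure.
- The control method according to claim 16, further comprising a control step of performing control to cause recording means to record information indicating that a setting has been made on the information processing apparatus by a command issued on the basis of the first communication procedure.
- The control method according to claim 17, wherein
in the first processing step, a command that a first receiving device issues to the information processing apparatus on the basis of the first communication procedure is executed, the command being for setting in the information processing apparatus at least one of first public key information used for performing encrypted communication, first private key information that corresponds to the first public key information and is used for performing encrypted communication, and first certificate information for certifying that the public key information is valid key information, and
in the second processing step, a command that a second receiving device issues to the information processing apparatus on the basis of the second communication procedure is executed, the command being for setting in the information processing apparatus at least one of key pair information indicating that second public key information used for performing encrypted communication corresponds to second private key information used for performing encrypted communication, second certificate information for certifying that the second public key information is valid key information, and certification path information indicating third certificate information related to the second certificate information.
- A program for causing a computer to execute:
a first processing step of making, on the computer, a setting for performing encrypted communication in response to a command issued on the basis of a first communication procedure;
a second processing step of making, on the computer, a setting for performing encrypted communication in response to a command issued on the basis of a second communication procedure; and
a transmission step of transmitting to a receiving device, when a command issued on the basis of the second communication procedure is received from the receiving device after the setting for performing encrypted communication has been made on the computer in the first processing step in response to a command issued on the basis of the first communication procedure, information indicating that the setting for performing encrypted communication was made in response to the command issued on the basis of the first communication procedure.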
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2017120178A RU2682926C2 (ru) | 2014-11-13 | 2014-11-13 | Information processing apparatus, control method, and program |
PCT/JP2014/080094 WO2016075792A1 (ja) | 2014-11-13 | 2014-11-13 | Information processing apparatus, control method, and program |
EP14906116.0A EP3252989B1 (en) | 2014-11-13 | 2014-11-13 | Information processing apparatus, control method, and program |
CN201480083365.3A CN107005405B (zh) | 2014-11-13 | 2014-11-13 | Information processing apparatus, control method, and storage medium |
JP2016558507A JP6381667B2 (ja) | 2014-11-13 | 2014-11-13 | Information processing apparatus, control method, and program |
SG11201703705TA SG11201703705TA (en) | 2014-11-13 | 2014-11-13 | Information processing apparatus, control method, and program |
US14/938,607 US10193871B2 (en) | 2014-11-13 | 2015-11-11 | Information processing apparatus, control method, and program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2014/080094 WO2016075792A1 (ja) | 2014-11-13 | 2014-11-13 | Information processing apparatus, control method, and program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016075792A1 (ja) | 2016-05-19 |
Family
ID=55953905
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/080094 WO2016075792A1 (ja) | Information processing apparatus, control method, and program | 2014-11-13 | 2014-11-13 |
Country Status (7)
Country | Link |
---|---|
US (1) | US10193871B2 (ja) |
EP (1) | EP3252989B1 (ja) |
JP (1) | JP6381667B2 (ja) |
CN (1) | CN107005405B (ja) |
RU (1) | RU2682926C2 (ja) |
SG (1) | SG11201703705TA (ja) |
WO (1) | WO2016075792A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2019057793A (ja) * | 2017-09-20 | 2019-04-11 | Fuji Xerox Co., Ltd. | Information processing apparatus and program |
JP2022528070A (ja) * | 2019-03-25 | 2022-06-08 | Micron Technology, Inc. | Verification of the ID of an emergency vehicle in operation |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP7208707B2 (ja) | 2017-02-17 | 2023-01-19 | Canon Inc. | Information processing apparatus, control method therefor, and program |
JP6968610B2 (ja) * | 2017-08-01 | 2021-11-17 | Canon Inc. | Imaging apparatus, information processing method, and program |
JP7262938B2 (ja) | 2018-06-29 | 2023-04-24 | Canon Inc. | Information processing apparatus, control method for information processing apparatus, and program |
JP7147405B2 (ja) * | 2018-09-18 | 2022-10-05 | Seiko Epson Corporation | Printing apparatus control method and printing apparatus |
US11233650B2 (en) | 2019-03-25 | 2022-01-25 | Micron Technology, Inc. | Verifying identity of a vehicle entering a trust zone |
JP7337601B2 (ja) * | 2019-08-28 | 2023-09-04 | Canon Inc. | Printing apparatus, control method, and program |
US20220141033A1 (en) * | 2020-10-15 | 2022-05-05 | Jelurida IP B.V. | Method of verifying origin of a signed file |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6538668B1 (en) * | 1999-04-09 | 2003-03-25 | Sun Microsystems, Inc. | Distributed settings control protocol |
US6980658B1 (en) * | 1999-09-30 | 2005-12-27 | Qualcomm Incorporated | Method and apparatus for encrypting transmissions in a communication system |
US8174712B2 (en) * | 2003-10-21 | 2012-05-08 | Sharp Laboratories Of America, Inc. | Generating passive metadata from user interface selections at an imaging device |
JP4345796B2 (ja) * | 2006-09-29 | 2009-10-14 | Brother Industries, Ltd. | Communication method, communication system, and server, client, and computer program constituting the communication system |
JP4613969B2 (ja) | 2008-03-03 | 2011-01-19 | Sony Corporation | Communication apparatus and communication method |
JP2013054441A (ja) * | 2011-09-01 | 2013-03-21 | Canon Inc | Printing system, image forming apparatus, printing method, and program |
RU2485710C1 (ru) * | 2011-12-23 | 2013-06-20 | "ЕвроКомСервис" LLC | Crypto camera |
JP5875463B2 (ja) * | 2012-05-21 | 2016-03-02 | Canon Inc. | Imaging apparatus, mask image setting method, and program |
JP5955171B2 (ja) * | 2012-09-11 | 2016-07-20 | Canon Inc. | Transmitting apparatus, receiving apparatus, transmitting method, receiving method, and program |
JP6184133B2 (ja) * | 2013-03-07 | 2017-08-23 | Canon Inc. | Imaging apparatus |
KR102015955B1 (ko) * | 2013-03-27 | 2019-10-21 | Hanwha Techwin Co., Ltd. | Client authentication method |
US9432390B2 (en) * | 2013-12-31 | 2016-08-30 | Prometheus Security Group Global, Inc. | Scene identification system and methods |
CN103780900B (zh) * | 2014-01-16 | 2016-02-17 | State Grid Corporation of China | ONVIF simulation test apparatus and method |
2014
- 2014-11-13 SG SG11201703705TA patent/SG11201703705TA/en unknown
- 2014-11-13 JP JP2016558507A patent/JP6381667B2/ja active Active
- 2014-11-13 RU RU2017120178A patent/RU2682926C2/ru active
- 2014-11-13 WO PCT/JP2014/080094 patent/WO2016075792A1/ja active Application Filing
- 2014-11-13 CN CN201480083365.3A patent/CN107005405B/zh active Active
- 2014-11-13 EP EP14906116.0A patent/EP3252989B1/en active Active
2015
- 2015-11-11 US US14/938,607 patent/US10193871B2/en active Active
Non-Patent Citations (3)
Title |
---|
"ONVIF Advanced Security Service Specification, Version 1.0.2", June 2014 (2014-06-01), pages 7-26, 31-38, XP055396884, Retrieved from the Internet <URL:http://www.onvif.org/specs/srv/security/ONVIF-AdvancedSecurity-Service-Spec-v102.pdf> * |
"ONVIF Core Specification, Version 2.4.2", June 2014 (2014-06-01), pages 82-98, XP055382279, Retrieved from the Internet <URL:http://www.onvif.org/specs/core/ONVIF-Core-Specification-v242.pdf> * |
ISAO TANIGUCHI ET AL., MASTERING TCP/IP IPSEC HEN, 23 May 2006 (2006-05-23), pages 156 - 164, XP008185678 * |
Also Published As
Publication number | Publication date |
---|---|
CN107005405A (zh) | 2017-08-01 |
RU2682926C2 (ru) | 2019-03-22 |
EP3252989B1 (en) | 2020-05-20 |
US10193871B2 (en) | 2019-01-29 |
RU2017120178A3 (ja) | 2018-12-13 |
US20160142383A1 (en) | 2016-05-19 |
RU2017120178A (ru) | 2018-12-13 |
EP3252989A4 (en) | 2018-10-24 |
SG11201703705TA (en) | 2017-08-30 |
EP3252989A1 (en) | 2017-12-06 |
JP6381667B2 (ja) | 2018-08-29 |
CN107005405B (zh) | 2020-12-15 |
JPWO2016075792A1 (ja) | 2017-08-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14906116; Country of ref document: EP; Kind code of ref document: A1 |
 | ENP | Entry into the national phase | Ref document number: 2016558507; Country of ref document: JP; Kind code of ref document: A |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | ENP | Entry into the national phase | Ref document number: 2017120178; Country of ref document: RU; Kind code of ref document: A |
 | REEP | Request for entry into the european phase | Ref document number: 2014906116; Country of ref document: EP |
 | WWE | Wipo information: entry into national phase | Ref document number: 11201703705T; Country of ref document: SG |