WO2021075475A1 - Device management system - Google Patents

Device management system

Info

Publication number: WO2021075475A1
Application number: PCT/JP2020/038838
Authority: WO (WIPO (PCT))
Prior art keywords: information, managed, management system, manufacturing, update
Other languages: English (en), Japanese (ja)
Inventors: 篤 古城, 航洋 竹之下
Original assignee: 株式会社ウフル
Priority to: JP2021552418A (JPWO2021075475A1)

Classifications

    • H ELECTRICITY
    • H01 ELECTRIC ELEMENTS
    • H01L SEMICONDUCTOR DEVICES NOT COVERED BY CLASS H10
    • H01L21/00 Processes or apparatus adapted for the manufacture or treatment of semiconductor or solid state devices or of parts thereof
    • H01L21/02 Manufacture or treatment of semiconductor devices or of parts thereof

Definitions

  • the present invention relates to a device management system.
  • Patent Document 1 describes that the management of semiconductor devices can be easily realized by providing minute identification information on a semiconductor chip or the like. In the technical field of using various devices connected via communication, it is desired to be able to accurately determine whether or not the device is reliable.
  • according to one aspect, a device management system is provided that includes a first information processing device which stores in a storage unit at least one of: manufacturing-time information, which is information related to the manufacturing process of a managed device having a storage area that holds identification information, and which includes that identification information; startup information, which is information related to the activation process of the device and includes the identification information; and update-time information, which is information related to the update process of the device and includes the identification information.
  • the device management system further includes a second information processing device which reads, from the manufacturing-time information, the startup information, and the update-time information stored in the storage unit, at least one piece of information that includes the identification information read from the storage area of the managed device, and which determines the reliability of the managed device using the read information.
  • FIG. 1 is a diagram showing a device management system according to an embodiment.
  • the symbols Da, Db, and Dc each denote a device to be managed.
  • the device management system 1 stores information (appropriately referred to as trust information) used for evaluating the reliability of the device to be managed in the storage unit DL1.
  • the trust information includes at least one of manufacturing information, startup information, and update information of the managed device.
  • the device management system 1 includes a storage unit DL1, a network 3 connected to the storage unit DL1, and an information processing device (described later) that stores trust information in the storage unit DL1 via the network 3.
  • the managed device has identification information for each device, and the manufacturing information, the startup information, and the update information are associated with the device identification information, respectively.
  • the identification information will be described as an ID as appropriate.
  • the manufacturing information corresponding to the first device to be managed includes the ID of the first device and can be distinguished from the manufacturing information corresponding to the second device different from the first device.
  • the startup information corresponding to the first device to be managed includes the ID of the first device and can be distinguished from the startup information corresponding to the second device different from the first device.
  • the update information corresponding to the first device to be managed includes the ID of the first device and can be distinguished from the update information corresponding to the second device different from the first device.
  • the storage unit DL1 is, for example, a distributed ledger, but may be a storage unit (for example, centralized storage) in a form other than the distributed ledger. In the following description, the storage unit DL1 is appropriately referred to as a distributed ledger DL1.
  • reference numeral TD is a terminal constituting a distributed ledger.
  • the terminal TD is, for example, a computer.
  • the terminal TD includes, for example, a processing unit (processor) such as a CPU, a volatile memory such as RAM, a non-volatile storage device such as an HDD or SSD, and a communication unit conforming to a predetermined communication standard such as LAN.
  • the terminal TD is connected to the network 3.
  • the device management system 1 reads the trust information from the storage unit (for example, the distributed ledger DL1).
  • the device management system 1 evaluates the reliability of the managed device by using the read trust information.
  • the process of evaluating the reliability of a device is called an audit.
  • a device evaluated as reliable by an audit is referred to as a "trusted device" as appropriate.
  • the device management system 1 provides a secure system, for example, by limiting the use of devices that have been assessed as unreliable by an audit.
  • reference numeral FA is a factory that manufactures device Da.
  • the device Da is, for example, a computer including a plurality of parts.
  • the device Da is, for example, a device that operates independently.
  • the device Da may be a component that constitutes a device that operates independently.
  • the device Da may be an unfinished device in the process of being manufactured.
  • the device Da may be a finished product and a device to be inspected.
  • the factory FA includes a control device FA1 and a processing device FA2.
  • the processing device FA2 is a device that performs processing on the device Da.
  • the processing device FA2 includes, for example, a robot that mounts a component on a device Da in the manufacturing process.
  • the processing device FA2 may include an inspection device that inspects the device Da after completion.
  • the factory FA may include a plurality of processing devices. In FIG. 1, one processing device FA2 is typically illustrated.
  • the control device FA1 controls each part of the factory FA.
  • the control device FA1 controls the processing device FA2 and causes the processing device FA2 to execute a predetermined process for the device Da.
  • the control device FA1 is an example of an information processing device that stores manufacturing information in the distributed ledger DL1.
  • the control device FA1 specifies the ID of the device Da to be processed by the processing device FA2.
  • the device Da has a non-rewritable storage area, which stores the ID of the device Da.
  • the ID of the device Da may be written in the storage area by the processing device FA2.
  • the control device FA1 generates manufacturing time information of the device Da after the processing by the processing device FA2 is completed for the device Da.
  • the manufacturing information is, for example, information generated before the device is shipped and is not updated after the device is shipped. Information indicating the state of the device after shipment is included in, for example, start-up information or update-time information.
  • the manufacturing information of the device Da includes, for example, the ID of the device Da and the information of the device related to the manufacturing of the device Da.
  • Devices related to the manufacture of the device Da include, for example, a component of the device Da, a processing device FA2 that has processed the device Da, and a control device FA1 that has processed the device Da.
  • the device information related to the manufacture of the device Da includes, for example, the ID of the component of the device Da, the ID of the processing device FA2, and the ID of the control device FA1.
  • the control device FA1 is communicably connected to the terminal TD constituting the distributed ledger DL1 via the network 3.
  • the control device FA1 transmits the manufacturing information of the device Da.
  • the terminal TD constituting the distributed ledger DL1 stores the manufacturing information transmitted by the control device FA1.
  • the first information processing device may include the manufacturing device used for manufacturing the managed device, or a device communicably connected to that manufacturing device, and may store in the storage unit the manufacturing-time information generated before the device is shipped.
  • FIG. 2 is a diagram showing an example of a process of storing trust information at the time of manufacturing.
  • the control device FA1 of the factory FA allocates the identification information to the device Da.
  • the processing device FA2 is controlled by the control device FA1 and writes the identification information allocated in step S11 to the storage area of the device Da.
  • the control device FA1 acquires the identification information of the component to be mounted on the device Da.
  • in step S14, the processing device FA2, under the control of the control device FA1, mounts the components on the device Da.
  • in step S15, the control device FA1 generates the manufacturing-time information of the device Da.
  • the control device FA1 generates the manufacturing information as one set comprising the identification information of the device Da assigned in step S11, the identification information of the components acquired in step S13, and the identification information of the devices related to the manufacture of the device Da (eg, the control device FA1 and the processing device FA2).
  • in step S16, the control device FA1 stores the manufacturing-time information, which is the trust information at the time of manufacturing, in the storage unit DL1.
  • when information related to the manufacture of the device is generated (eg, when a component is mounted), the control device FA1 associates this information (eg, the ID of the mounted component, the ID of the device that performed the mounting process, and the ID of the manufacturing line on which the component was mounted) with the ID of the device to generate the manufacturing information.
  • when the control device FA1 detects that information related to the manufacture of the device has been generated, the control device FA1 generates the manufacturing-time information.
  • when the control device FA1 executes a process that makes changes (eg, mounting parts, writing data) to a device in a manufacturing process including inspection, the control device FA1 detects (eg, judges) that information related to the manufacture of the device has been generated.
  • the control device FA1 causes a processing device to execute a process of manufacturing or inspecting a device according to a predetermined procedure, and generates manufacturing information by using the execution of this process as a trigger.
  • the device Db is a device controlled by the host device MD.
  • the device Db is, for example, an edge device in an IoT system.
  • the device Db includes, for example, at least one of a sensor, an actuator, and a processor.
  • the device Db is communicably connected to the host device MD via the network 3.
  • the host device MD transmits a command to the device Db via the network 3.
  • the device Db executes the operation specified in the command transmitted from the host device MD.
  • the device Db may be a device that operates continuously or a device that operates intermittently.
  • the device Db operates intermittently.
  • the device Db has a first mode that performs a predetermined operation and a second mode that consumes less power than the first mode.
  • the device Db waits in the second mode and transitions to the first mode by a predetermined trigger.
  • the transition from the second mode to the first mode corresponds to, for example, booting the device.
  • the transition from the first mode to the second mode corresponds to, for example, shutting down the device.
  • the device Db is an example of an information processing device that stores startup information in the distributed ledger DL1.
  • the device Db includes a non-rewritable storage area and a processing unit. This storage area stores a program that causes the processing unit to execute a predetermined process.
  • the processing unit of the device Db scans the device configuration of the device Db at the time of starting the device Db according to the program stored in the storage area.
  • the device configuration includes one or both of a hardware configuration and a software configuration. For example, the device Db compares the current scan result with the previous scan result, and if the current scan result is different from the previous scan result, the device Db generates start-up information.
  • the processing unit of the device Db executes a process of generating startup information according to a program stored in a non-rewritable storage area.
  • the startup information includes, for example, the ID of the added or deleted part when the hardware configuration is changed.
  • the startup information includes, for example, information (eg, hash value) that identifies the file used for the change when the software configuration is changed.
  • Device Db transmits the generated startup information via the network.
  • the processing unit of the device Db transmits the startup information according to the program stored in the non-rewritable storage area.
  • the terminal TD constituting the distributed ledger DL1 stores the startup information transmitted by the device Db.
  • the device Db may transmit the startup information to the terminal TD, or may transmit the startup information to the host device MD.
  • the host device MD may receive the startup information transmitted by the device Db and store the startup information in the terminal TD.
  • the first information processing apparatus may include the device to be managed, generate startup information when the device itself is activated, and store the generated startup information in the storage unit. Note that the device Db does not have to generate the startup information itself.
  • the host device MD may cause the device Db to scan the device configuration and generate startup information of the device Db based on the scan result.
  • the host device MD has a non-rewritable storage area, and generates start-up information according to a program stored in this storage area.
  • the host device MD stores the startup information in an external storage unit (for example, a storage unit in the terminal of the node of the distributed ledger) according to the program stored in the non-rewritable storage area.
  • the host device MD is an example of an information processing device that stores update information in the distributed ledger DL1.
  • the host device MD updates a program (for example, firmware) stored in the device Db to be controlled.
  • the host device MD transmits a file containing the update program that causes the device Db to execute the program update.
  • the device Db executes the update process according to the received update program.
  • the device Db notifies the host device MD of the completion of the update process.
  • the host device MD receives the notification of the completion of the update process and generates the update time information.
  • the update information includes, for example, the ID of the device Db and information (eg, hash value) that identifies the file used for the update.
  • the host device MD has a non-rewritable storage area, and generates update information according to a program stored in this storage area.
  • the host device MD may generate update information before the update process is executed on the device Db or in parallel with the update process.
  • the host device MD may generate update information including the information for identifying the file including the update program and the ID of the device Db at the stage when the schedule for causing the device Db to execute the update process is registered.
  • the host device MD transmits the generated update information via the network 3.
  • the terminal TD constituting the distributed ledger DL1 stores the update information transmitted by the host device MD.
  • the host device MD stores the update information in an external storage unit (for example, a storage unit in the terminal of the node of the distributed ledger) according to the program stored in the non-rewritable storage area.
  • the first information processing device may include a higher-level device that controls the managed device, and may store in the storage unit one or both of the startup information and the update information, based on information acquired from the managed device.
  • the update information may be generated by the device Db.
  • the processing unit of the device Db may generate update information according to a program stored in a non-rewritable storage area.
  • the processing unit of the device Db may generate update information before executing the update process.
  • the device Db may generate update information including the file identification information and the device Db ID after receiving the file including the update program and before starting the update process.
  • the source of the update program may be a higher-level device MD or a device different from the higher-level device MD.
  • the device Db may store the generated update information in the terminal TD.
  • the processing unit of the device Db may store the update information in the terminal TD according to the program stored in the non-rewritable storage area.
  • the processing unit of the device Db may store the update information in the terminal TD before starting the update process.
  • the first information processing device may include the device to be managed, generate update information when updating its own device, and store the generated update information in the storage unit.
  • the device Db may transmit the generated update information to the host device MD, and the host device MD may store the received update information in the terminal TD.
  • the processing unit of the device Db may transmit the update information according to the program stored in the non-rewritable storage area.
  • the processing unit of the device Db may transmit the update time information before starting the update process.
  • Each of the above programs may be stored in a rewritable storage area.
  • the device ID may be stored in a rewritable storage area.
  • the device may include a device body including a processing unit and a storage area externally attached to the device body. This storage area may be, for example, a part of a circuit (eg, RF tag, NFC tag) that receives an electromagnetic wave from the outside, generates electricity by electromagnetic induction, and outputs (eg, transmits) an electric signal using that power.
  • an RF tag may be bonded to the outside of the device body, and the RF tag may transmit an electric signal including the ID of the device.
  • the force joining the RF tag to the device body may be stronger than the force needed to break the circuit.
  • a force that separates the RF tag from the device body therefore destroys the circuit, making the device ID unusable and preventing the device ID from being misused.
  • the device provided with the RF tag is a component.
  • the device on which this component is mounted may be provided with an RF reader, for example, and may detect at least a part of the hardware configuration of its own device by acquiring an ID transmitted from the component by the RF reader.
  • the power source that supplies power when the device operates may supply power to the RF reader.
  • the device including the RF reader may transmit the ID acquired from the component to an external device (eg, higher-level device MD).
  • FIG. 3 is a diagram showing a process of storing trust information at the time of startup or update.
  • the processing unit of the device Db scans the device configuration of the device Db.
  • the processing unit of the device Db determines whether or not there is a change in the configuration. For example, when the current scan result is different from the previous scan result, the processing unit of the device Db determines that the configuration has been changed (step S22; Yes).
  • when it is determined in step S22 that the configuration has been changed (step S22; Yes), the processing unit of the device Db generates trust information in step S23.
  • when the process of step S21 is executed at the time of starting the device Db, the processing unit of the device Db generates the start-up information as the trust information in step S23.
  • when the process of step S21 is executed at the time of updating the device Db, the processing unit of the device Db generates the update information as the trust information in step S23.
  • the processing unit of the device Db generates the trust information by combining the ID of the device Db with the ID of any hardware element (eg, a part) added or deleted by the change and, when the software configuration is changed, with the information that identifies the file used for the change.
  • the processing unit of the device Db stores the trust information generated in step S23 in the storage unit DL1 in step S24. At least a part of the processes from steps S21 to S24 may be executed by a device different from the device Db (eg, higher-level device MD).
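As an added illustration of steps S21 to S23 (not code from the patent or its applicant), the following Python models the scan-and-compare logic of the device Db: it scans the hardware configuration (part IDs) and the software configuration (a digest per file), compares the result with the previous scan, and produces start-up trust information only when something changed. The scan format, the part IDs, the file contents and the use of SHA-256 as the "hash value" of the changed file are all assumptions made for this example; storing the record in the storage unit DL1 (step S24) is left out.

```python
# Added example (not from the patent): start-up configuration scan of device Db (FIG. 3, steps S21 to S23).
# The scan format, the sample part IDs and the sample file contents are constructed for this illustration.
import hashlib


def scan_configuration(part_ids, software_files):
    """Stand-in for the device's configuration scan: the set of mounted part IDs
    plus a SHA-256 digest of every software file (the 'hash value' that identifies a file)."""
    return {
        "hardware": sorted(set(part_ids)),
        "software": {
            name: "sha256:" + hashlib.sha256(data).hexdigest()
            for name, data in sorted(software_files.items())
        },
    }


def startup_info(device_id, previous, current):
    """Steps S21 to S23: compare the current scan with the previous one and
    return start-up trust information only when the configuration changed.
    Returns None when nothing changed (step S22; No)."""
    prev_hw, cur_hw = set(previous["hardware"]), set(current["hardware"])
    added = sorted(cur_hw - prev_hw)
    removed = sorted(prev_hw - cur_hw)
    # A file counts as changed when it is new or its digest differs; a deleted
    # file is recorded with a None digest so that the change is not silently lost.
    changed = {
        name: digest
        for name, digest in current["software"].items()
        if previous["software"].get(name) != digest
    }
    for name in previous["software"].keys() - current["software"].keys():
        changed[name] = None
    if not (added or removed or changed):
        return None
    return {
        "kind": "startup",
        "id": device_id,            # the device ID read from the non-rewritable storage area
        "added_parts": added,       # IDs of parts added since the previous scan
        "removed_parts": removed,   # IDs of parts deleted since the previous scan
        "changed_files": changed,   # digest of each file used for the change
    }


def demo():
    """Constructed sample: one unchanged boot and one boot after a part was added and the firmware replaced."""
    previous = scan_configuration(
        ["SENSOR-1", "MCU-A"], {"app.bin": b"v1 firmware", "conf.json": b"{}"})
    same = scan_configuration(
        ["MCU-A", "SENSOR-1"], {"conf.json": b"{}", "app.bin": b"v1 firmware"})
    changed = scan_configuration(
        ["MCU-A", "SENSOR-1", "ACT-3"], {"app.bin": b"v2 firmware", "conf.json": b"{}"})
    return startup_info("Db", previous, same), startup_info("Db", previous, changed)


if __name__ == "__main__":
    unchanged, record = demo()
    print("unchanged boot ->", unchanged)
    print("changed boot   ->", record)
```

Because the comparison is order-independent (sets of part IDs, per-file digests keyed by name), a scan that merely enumerates the same parts in a different order does not trigger a record, while a single replaced firmware file or a single added part does.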
  • the device management system 1 includes an audit device CD and a storage unit DL2.
  • the audit device CD is an example of an information processing device that stores trust information in a storage unit.
  • the audit device CD executes an audit using the trust information stored in the distributed ledger DL1 and generates trust information indicating the audit result.
  • trust information indicating the audit result is referred to as trust information at the time of audit as appropriate.
  • the trust information at the time of audit is, for example, information (eg, a white list) in which information indicating whether or not the managed device is reliable is associated with the device ID.
  • the audit device CD stores the generated trust information in a storage unit DL2 different from the distributed ledger DL1.
  • the storage unit DL2 is, for example, a distributed ledger, but may be a storage unit (for example, centralized storage) having a form other than the distributed ledger.
  • the storage unit DL2 is appropriately referred to as a distributed ledger DL2.
  • the storage destination of the trust information at the time of audit may be the same as the storage destination of at least a part of the manufacturing information, the startup information, and the updating information.
  • FIG. 4 is a diagram showing a process of storing trust information at the time of audit. For each part of the device management system 1, refer to FIG. 1 as appropriate.
  • the auditing device CD identifies the ID of the audited device.
  • the device to be audited is the device Da manufactured in the factory FA.
  • the audit device CD identifies the ID of the device Da, for example, by acquiring the ID read from the storage area of the device Da to be audited from the device Da.
  • the audit device CD may specify the ID of the device Da by another method.
  • the auditing device CD may specify the ID of the device Da by designating the ID of the device Da from the device connected to the device Da.
  • in step S32, the audit device CD acquires the trust information of the device to be audited.
  • the auditing apparatus CD acquires the trust information of the device Da by searching the trust information including the ID specified in step S31 in the trust information stored in the distributed ledger DL1.
  • the audit device CD acquires the manufacturing time information of the device Da as the trust information of the device Da.
  • the audit device CD identifies the identification information of the device (appropriately referred to as the related device) related to the device Da to be audited.
  • the manufacturing information includes, as the IDs of the devices related to the device Da, the ID of the control device FA1 of the factory FA, the ID of the processing device FA2, and the IDs of the parts of the device Da.
  • the audit device CD identifies the ID of the related device by referring to the manufacturing information.
  • after identifying the related devices in step S33, the audit device CD acquires the trust information of the related devices in step S34.
  • the related devices are the control device FA1 and the processing device FA2 of the factory FA and the parts of the device Da, and these devices have already been audited by the audit device CD.
  • in step S34, the audit device CD acquires the trust information at the time of auditing of the control device FA1 from the distributed ledger DL2 by using the ID of the control device FA1 specified in step S33.
  • in step S35, the audit device CD selects one of the devices whose ID was specified in step S33 (eg, the control device FA1) as the related device, and determines whether or not this device is reliable.
  • the audit device CD refers to the trust information at the time of auditing of the control device FA1 acquired in step S34, and determines whether or not the control device FA1 is reliable.
  • when the trust information at the time of audit contains information that the control device FA1 is a reliable device, or does not contain information that the control device FA1 is an unreliable device, the audit device CD determines that the device is reliable (step S35; Yes).
  • when the trust information about the related device does not exist, when the trust information at the time of audit contains information that the control device FA1 is an unreliable device, or when the trust information at the time of audit does not contain information that the control device FA1 is a reliable device, the audit device CD determines that the device is unreliable (step S35; No).
  • the audit device CD then determines in step S36 whether or not there is another related device. If the process of step S35 has not been executed for at least one of the devices whose IDs were specified in step S33, the audit device CD determines that there is another related device (step S36; Yes). In that case the audit device CD returns to step S34, selects the next device whose ID was specified in step S33 (eg, the processing device FA2), and determines whether or not this device is reliable.
  • in step S37, the audit device CD generates the trust information at the time of audit for the device Da to be audited.
  • the audit device CD generates trust information at the time of audit by combining the ID of the device Da to be audited and the information (eg, flag) indicating that the device Da is reliable.
  • the audit device CD stores the generated trust information at the time of audit in the distributed ledger DL2.
  • when the audit device CD determines that at least one of the related devices is unreliable (step S35; No), the audit device CD ends the series of processes without storing information that the device Da to be audited is reliable.
  • when the audit device CD determines that at least one of the related devices is unreliable (step S35; No), the audit device CD may instead generate information (eg, a blacklist) indicating that the device Da to be audited is unreliable, and may store this information in a storage unit (eg, the distributed ledger DL2).
  • the audit device CD identifies the ID of the device Db to be audited.
  • the audit device CD may read the ID from the storage area of the device Db, or may acquire the ID of the device Db from the host device MD that controls the device Db.
  • the audit device CD acquires update time information as trust information of the device Db to be audited.
  • the audit device CD identifies the identification information of the related device related to the device Db to be audited.
  • the update information includes the ID of the host device MD related to the update of the device Db as the ID of the related device.
  • the device Db to be audited is one of the related devices.
  • the audit device CD acquires the trust information of the related device.
  • the audit device CD selects the device Db as one of the related devices, and acquires the trust information of the device Db as it was before the current update and after the previous update.
  • the device Db was updated previously, and the audit device CD then audited the device Db.
  • in step S34, the audit device CD uses the ID of the device Db specified in step S31 to search the distributed ledger DL2 for the trust information of the device Db at the time of the previous audit, and acquires that trust information.
  • in step S35, the audit device CD uses the trust information of the device Db at the time of the previous audit to determine whether or not the related device (eg, the device Db before this update) is reliable.
  • the auditing apparatus CD determines whether or not there is another related device in step S36.
  • when the audit device CD determines that there is another related device (step S36; Yes), it returns to step S34 and acquires the trust information of the host device MD as the next related device.
  • in step S35, the audit device CD determines whether or not the related device (eg, the higher-level device MD) is reliable.
  • the audit device CD determines that all the related devices are reliable and the file used for updating the device Db to be audited is reliable.
  • the audit device CD determines that the updated device Db is reliable.
  • the audit device CD stores, in a storage unit (eg, the distributed ledger DL2), trust information at the time of this audit indicating that the updated device Db to be audited is reliable.
  • if the trust information at the time of the previous audit does not exist for at least one of the device to be audited and its related devices, the audit device CD sets the device lacking that trust information as a second device to be audited. The audit device CD then determines, for each related device of the second audit target device, whether or not it can be trusted, based on whichever of the manufacturing-time information, the startup information, and the update-time information exists for that related device. When the audit device CD determines that all the related devices are reliable, it determines that the second audit target device is reliable. By repeating this processing, the audit device CD supplements the trust information at the time of audit and then executes the audit on the device that was to be audited first.
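The generation of manufacturing-time information in FIG. 2 (steps S15 and S16) and the audit of FIG. 4, including the update audit of the device Db and the supplementing of missing audit-time trust information described just above, can be modelled together. The following Python is an added example, not code from the patent or its applicant; the Ledger class, the record layout, the device IDs and the file digests are assumptions made for the illustration. Where the page allows either reading, the example takes the conservative one: a related device with no trust information at all is unreliable (step S35; No), and the audit result is stored whether reliable or not, so that a later audit can use it as the related device's audit-time trust information. The same lookup of DL2 is what the host device MD performs at step S43 of FIG. 5 before incorporating a device.

```python
# Added example (not from the patent): manufacturing-time records and the related-device audit.
# The Ledger class, the record layout, the device IDs and the file digests are constructed
# for this illustration; the patent leaves the concrete ledger and record formats open.
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Append-only record store standing in for DL1 (trust information) and DL2 (audit results)."""
    records: list = field(default_factory=list)

    def append(self, record):
        self.records.append(dict(record))

    def find(self, **match):
        return [r for r in self.records if all(r.get(k) == v for k, v in match.items())]


def manufacturing_info(device_id, component_ids, control_id, processing_id):
    """FIG. 2, steps S15/S16: the device ID and the IDs of the devices related to its manufacture as one set."""
    return {"kind": "manufacturing", "id": device_id,
            "related": [control_id, processing_id, *component_ids]}


def update_info(device_id, host_id, file_digest):
    """Update-time information names the updated device, the host device and the file used for the update."""
    return {"kind": "update", "id": device_id, "related": [host_id], "file": file_digest}


def latest_audit(dl2, device_id):
    """Trust information at the time of the most recent audit of device_id (whitelist/blacklist entry), or None."""
    hits = dl2.find(kind="audit", id=device_id)
    return hits[-1] if hits else None


def audit(device_id, dl1, dl2, trusted_files, _visiting=frozenset()):
    """FIG. 4: a device is reliable only if every related device is reliable and, for an update,
    the update file is known-good and the device was reliable before the update."""
    if device_id in _visiting:
        return False                     # cycle guard: a device cannot vouch for itself
    visiting = _visiting | {device_id}
    trust = dl1.find(id=device_id)
    if not trust:
        return False                     # no manufacturing/startup/update information at all
    prior = latest_audit(dl2, device_id)
    reliable = True
    for rec in trust:
        if rec["kind"] == "update":
            if prior is not None and not prior["reliable"]:
                reliable = False         # the device before this update is itself a related device
            if rec["file"] not in trusted_files:
                reliable = False         # the file used for the update is not known to be reliable
        for related in rec["related"]:
            if not related_reliable(related, dl1, dl2, trusted_files, visiting):
                reliable = False
    # Step S37: store the audit result (the unreliable case is the optional blacklist entry).
    dl2.append({"kind": "audit", "id": device_id, "reliable": reliable})
    return reliable


def related_reliable(device_id, dl1, dl2, trusted_files, visiting):
    """Steps S34/S35: use the related device's audit-time record if it exists; otherwise audit it first."""
    prior = latest_audit(dl2, device_id)
    if prior is not None:
        return prior["reliable"]
    return audit(device_id, dl1, dl2, trusted_files, visiting)


def demo():
    dl1, dl2 = Ledger(), Ledger()
    # The factory devices, one component and the host device were audited earlier (constructed IDs).
    for dev in ("FA1", "FA2", "CPU-7", "MD"):
        dl2.append({"kind": "audit", "id": dev, "reliable": True})
    dl2.append({"kind": "audit", "id": "Db3", "reliable": False})      # Db3 failed its previous audit
    trusted_files = {"sha256:feedbeef"}  # constructed digest of a known-good update file
    dl1.append(manufacturing_info("Da", ["CPU-7"], "FA1", "FA2"))
    dl1.append(manufacturing_info("Da2", ["CPU-9"], "FA1", "FA2"))    # CPU-9 has no record anywhere
    dl1.append(manufacturing_info("Db", ["CPU-7"], "FA1", "FA2"))
    dl1.append(update_info("Db", "MD", "sha256:feedbeef"))
    dl1.append(manufacturing_info("Db2", ["CPU-7"], "FA1", "FA2"))
    dl1.append(update_info("Db2", "MD", "sha256:0bad0bad"))          # update file not on the trusted list
    dl1.append(update_info("Db3", "MD", "sha256:feedbeef"))          # good file, but unreliable before update
    results = {dev: audit(dev, dl1, dl2, trusted_files)
               for dev in ("Da", "Da2", "Db", "Db2", "Db3")}
    return results, dl2


if __name__ == "__main__":
    for dev, ok in demo()[0].items():
        print(dev, "reliable" if ok else "unreliable")
```

The recursion through related_reliable is the supplementing step: a related device without an audit-time record is audited from its own DL1 records before the original target is judged, and the cycle guard keeps two devices that name each other as related from vouching for one another.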
  • the device Dc is a device scheduled to be incorporated in a system including the host device MD (eg, an IoT system).
  • the host device MD for example, executes a process of incorporating the device Dc into the system after confirming the reliability of the device Dc.
  • FIG. 5 is a diagram showing a process of incorporating a device into the system. For each part of the device management system 1, refer to FIG. 1 as appropriate.
  • step S41 the host device MD identifies the ID of the device Dc to be incorporated into the system. For example, the host device MD identifies the ID of the device Dc by reading the ID from the storage area of the device Dc.
  • step S42 the host device MD acquires the trust information of the device Dc to be incorporated.
  • the host device MD uses the ID specified in step S41 to search the trust information at the time of auditing the device Dc in the distributed ledger DL2.
  • the host device MD acquires the trust information at the time of auditing the device Dc from the distributed ledger DL2.
  • the host device MD uses the ID specified in step S41 to search the distributed ledger DL1 for the trust information of the device Dc, that is, whichever of the manufacturing information, the startup information and the update information of the device Dc exists. When trust information of the device Dc is stored in the distributed ledger DL1, the host device MD acquires it from the distributed ledger DL1.
  • step S43 the host device MD uses the trust information acquired in step S42 to determine whether or not the device Dc to be incorporated is reliable. For example, when the host device MD acquired trust information at the time of audit in step S42, it determines whether or not the device Dc is reliable based on that trust information. The host device MD determines that the device Dc is reliable (step S43; Yes) when the trust information at the time of audit contains information that the device Dc is reliable, or when it does not contain information that the device Dc is unreliable.
  • when the host device MD acquired, as trust information in step S42, whichever of the manufacturing information, the startup information and the update information exists, it audits the device Dc by the same processing as the audit device CD described with reference to FIG. If trust information at the time of audit does not exist for the device Dc, the host device MD may request the audit device CD to audit the device Dc and use the audit result to execute the process of step S43.
  • the host device MD determines that the device Dc to be incorporated is reliable (step S43; Yes)
  • the host device MD executes a process of incorporating the device Dc into the system in step S44.
  • the host device MD determines that the device Dc to be incorporated is unreliable (step S43; No)
  • the host device MD ends a series of processes without executing the process of incorporating the device Dc into the system.
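The chained audit of steps S34 to S36 and the incorporation decision of steps S41 to S44, as an added worked example in Python. This is editorial illustration, not code from the patent or from the applicant. It stands in for DL1 and DL2 with in-memory dictionaries, treats the "predetermined information" a device must have as its manufacturing and startup records, and models the check of the update file as membership in an allowlist of legitimate file identifiers; the device IDs, relations and record contents are constructed.

```python
"""Chained trust audit (audit device CD, steps S34-S36) and the host device's
incorporation decision (steps S41-S44), modelled over two in-memory stores that
stand in for the distributed ledgers DL1 and DL2.  Constructed example."""
from typing import Dict, List, Set, Tuple

# DL1 stand-in: which record kinds exist for each device ID (payloads omitted).
DL1: Dict[str, Set[str]] = {
    "MD":    {"manufacturing", "startup"},
    "Db@v1": {"manufacturing", "startup"},            # Db before this update
    "Db@v2": {"manufacturing", "startup", "update"},  # Db after this update
    "Dc":    {"manufacturing", "startup"},
    "Dx":    {"startup"},                             # manufacturing record missing
}
# Related devices whose reliability the audited device's current state rests on,
# and the update file that produced that state.  Constructed.
RELATED: Dict[str, List[str]] = {"Db@v2": ["Db@v1", "MD"], "Dc": ["MD"], "Dx": ["MD"]}
UPDATE_FILE: Dict[str, str] = {"Db@v2": "fw-1.2.bin"}
LEGIT_FILES: Set[str] = {"fw-1.2.bin"}        # allowlist of legitimate update files
# DL2 stand-in: trust information recorded at the previous audit.
DL2: Dict[str, bool] = {"Db@v1": True}

# Assumption: the "predetermined information" a device must have to be judged
# without further evidence is its manufacturing and startup records.
REQUIRED_INFO = {"manufacturing", "startup"}


class TrustEvaluator:
    def __init__(self, dl1, dl2, related, update_file, legit_files):
        self.dl1, self.dl2 = dl1, dl2
        self.related, self.update_file, self.legit_files = related, update_file, legit_files

    def info_is_sufficient(self, device: str) -> bool:
        return REQUIRED_INFO <= self.dl1.get(device, set())

    def audit(self, device: str, _chain: Tuple[str, ...] = ()) -> bool:
        """Audit `device` and record the verdict in DL2.

        A related device with no previous trust information becomes a "second
        audit target" and is audited first; its verdict is cached so the set of
        evaluated devices grows with every audit.  `_chain` guards against a
        circular relation, which the patent text does not address."""
        if device in self.dl2:
            return self.dl2[device]
        if device in _chain:
            raise ValueError("circular relation: " + " -> ".join(_chain + (device,)))
        chain = _chain + (device,)
        ok = self.info_is_sufficient(device)
        # all() short-circuits, so nothing is recursed into once a check fails
        ok = ok and all(self.audit(r, chain) for r in self.related.get(device, []))
        if device in self.update_file:
            ok = ok and self.update_file[device] in self.legit_files
        self.dl2[device] = ok
        return ok

    def incorporate(self, device: str) -> bool:
        """Host device MD: incorporate `device` only if it is reliable (S41-S44)."""
        return self.audit(device)


def demo() -> Dict[str, bool]:
    ev = TrustEvaluator(DL1, dict(DL2), RELATED, UPDATE_FILE, LEGIT_FILES)
    return {d: ev.incorporate(d) for d in ("Db@v2", "Dc", "Dx")}


if __name__ == "__main__":
    print(demo())   # {'Db@v2': True, 'Dc': True, 'Dx': False}
```

Auditing Db@v2 pulls MD in as a second audit target because MD has no entry in DL2, and the verdict written back for MD is reused when Dc is checked afterwards; that reuse is the chaining the text describes. Dx fails before any related device is consulted because its manufacturing record is missing.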
  • the device management system includes a management device (eg, a higher-level device) that manages a system including a plurality of devices, and the management device may determine whether or not to incorporate a device to be managed into the system based on the result of the determination, by the information processing device described above, of whether or not that device is reliable.
  • the device management system 1 of the present embodiment stores, for example, information indicating the reliability of a second device related to a first device in the storage unit. The device management system 1 can therefore evaluate the reliability of the first device based on the reliability of the second device. For example, when the device management system 1 determines that all the related devices related to a change of the first device are reliable, it determines that the first device is also reliable. In this way the device management system 1 can evaluate the reliability of a plurality of devices in a chained manner, and it contributes to easily constructing a secure system, for example by increasing the number of devices whose reliability has been evaluated.
  • the device management system 1 includes one or both of a first information processing device that stores trust information and a second information processing device that reads trust information and determines the reliability of the device.
  • the device management system 1 may omit either the first information processing device or the second information processing device.
  • when the device management system 1 includes the first information processing device that stores trust information, the second information processing device that reads trust information and determines the reliability of a device may be a device external to the device management system 1 that uses the information provided by the device management system 1.
  • when the device management system 1 includes the second information processing device that reads trust information and determines the reliability of a device, the first information processing device that stores the trust information may be a device external to the device management system 1 that provides information to the device management system 1.
  • the device management system 1 need not include any device other than the first information processing device and the second information processing device.
  • the device management system 1 may not include one or both of the storage unit DL1 and the storage unit DL2.
  • One or both of the storage unit DL1 and the storage unit DL2 may be an external device of the device management system 1 and may be a device that provides information to the device management system 1.
  • the device management system 1 does not have to include the audit device CD.
  • the device management system 1 does not have to generate trust information at the time of auditing, and in this case, the storage unit DL2 may not be provided.
  • even when the audit device CD is not included, the device management system 1 can determine whether or not a device is reliable by using whichever of the manufacturing information, the startup information and the update information exists.
  • the device management system 1 may determine that a device is unreliable when predetermined information among the manufacturing information, the startup information and the update information is missing, and determine that the device is reliable otherwise.
  • the manufacturing information includes information on the parts of the device to be managed.
  • when the second information processing device confirms the reliability (eg, evaluates or judges it) of the managed device using the manufacturing information, for example, it acquires the manufacturing information about the managed device from the storage unit and determines whether or not each part is reliable using the part information included in the manufacturing information. For example, the second information processing device determines that a part is reliable when the ID of the part satisfies a predetermined condition.
  • the predetermined condition includes, for example, that the ID of the component to be managed is included in the database in which the ID of the reliable component is registered.
  • the database may be, for example, a database in which an inspection organization that inspects whether or not a device meets a predetermined standard registers an ID of a device that meets the standard.
  • the second information processing device determines that the device to be managed is reliable, for example, when all the IDs of the parts included in the manufacturing information satisfy a predetermined condition.
  • the second information processing apparatus may determine that the device to be managed is unreliable when at least one of the IDs of the parts included in the manufacturing information does not satisfy a predetermined condition.
  • the second information processing device may make an external inquiry as to whether or not the parts corresponding to IDs that do not satisfy the predetermined condition are reliable.
  • the second information processing device may accept, for a part corresponding to an ID that does not satisfy the predetermined condition, an input from the owner or user of the managed device indicating whether or not that part is reliable. The second information processing device may determine that the managed device is reliable when it receives from the owner or user an input indicating that the part corresponding to the ID that does not satisfy the predetermined condition is reliable.
  • the host device MD may determine whether or not the device Db is reliable based on one or both of the startup information and the update information. For example, the host device MD causes the device Db to execute a process of updating the software of the device Db, and the device Db generates one or both of the startup information and the update information. The host device MD compares the hash value expected for the software it provided to the device Db for the update with the hash value included in the startup information or the update information generated by the device Db. The host device MD may determine that the device Db is unreliable when the hash value included in the startup information or the update information generated by the device Db differs from the expected value, and may limit the functions of a device Db determined to be unreliable.
  • the host device MD may execute at least one of processes such as not using the information output by the device Db, stopping at least a part of the functions of the device Db, and blocking the device Db from the network.
  • the control unit is, for example, the higher-level device.
  • the update information includes information that identifies an update program file used for device update processing and a hash value of this file.
  • the information that identifies the legitimate update file and the information associated with the hash value of this file may be registered in the database in advance.
  • a legitimate update is, for example, a program provided by a provider certified by a public authority.
  • when the pair of the information identifying the update program file used in the update process and the hash value of that file, as included in the update information of the managed device, is registered in the above database, the second information processing device may determine that the update process executed on the managed device was a legitimate process. When the second information processing device determines that the managed device before the update process is reliable and that the update process was legitimate, it may determine that the managed device after the update process is reliable.
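The hash comparison by the host device MD and the lookup against the database of legitimate update files by the second information processing device, carried through as an added Python example, with the pre-update verdict chained into the post-update verdict. This is editorial illustration, not the patent's or the applicant's code. SHA-256, the record fields, the constructed firmware bytes and the shape of the database are assumptions; the patent fixes none of them.

```python
"""Verification of a managed device's update information: (1) MD checks that the
hash the device reports equals the hash of the software MD provided, (2) the
second information processing device checks the (file id, hash) pair against the
registered legitimate updates, (3) pre-update trust is chained into post-update
trust.  Constructed example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class UpdateInfo:
    device_id: str
    file_id: str      # identifies the update program file
    file_hash: str    # hex digest the device computed over the file it applied
    time: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed update file and legitimate-update database (file id -> hash).
FIRMWARE_1_2 = b"\x7fELF...constructed firmware image 1.2..."
LEGIT_UPDATES: Dict[str, str] = {"fw-1.2.bin": sha256_hex(FIRMWARE_1_2)}


def hash_matches_provided(info: UpdateInfo, provided: bytes) -> bool:
    """MD's check: the hash the device reports equals the hash of what MD sent.
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(info.file_hash, sha256_hex(provided))


def update_is_legitimate(info: UpdateInfo, legit_db: Dict[str, str]) -> Tuple[bool, str]:
    """Check against the registered (file id, hash) pairs, distinguishing an
    unregistered file from a registered file whose hash does not match."""
    expected = legit_db.get(info.file_id)
    if expected is None:
        return False, "update file not registered"
    if not hmac.compare_digest(expected, info.file_hash):
        return False, "hash differs from registered hash"
    return True, "legitimate update"


def trust_after_update(trusted_before: bool, info: UpdateInfo,
                       legit_db: Dict[str, str], provided: bytes) -> Tuple[bool, str]:
    """The device is reliable after the update only if it was reliable before,
    the update was legitimate, and the hash it reports is the one MD expected."""
    if not trusted_before:
        return False, "device unreliable before update"
    legit, reason = update_is_legitimate(info, legit_db)
    if not legit:
        return False, reason
    if not hash_matches_provided(info, provided):
        return False, "reported hash differs from expected"
    return True, "reliable"
```

The two failure reasons are kept apart because they call for different responses: an unregistered file means the provider or the update channel is not the expected one, while a registered file with a different hash means the file the device actually ran was altered somewhere between the provider and the device.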
  • the first information processing apparatus includes, for example, a computer system.
  • the first information processing apparatus includes a storage unit and a processing unit, reads a program stored in the storage unit, and the processing unit executes various processes according to the program.
  • the second information processing device includes, for example, a computer system.
  • the second information processing apparatus includes a storage unit and a processing unit, reads a program stored in the storage unit, and the processing unit executes various processes according to the program.
  • FIG. 6 is a diagram showing a device management system according to the embodiment.
  • the device management system 1 includes a plurality of information processing devices 2 and a network 3. Each of the plurality of information processing devices 2 is connected to the information processing devices 2 other than the own device among the plurality of information processing devices 2 via the network 3.
  • the network 3 is, for example, a P2P (peer-to-peer) type network.
  • the network 3 may be a wired network or a wireless network.
  • the network 3 is, for example, an internet network.
  • the device management system 1 uses a distributed ledger technology (Distributed Ledger Technology). Each of the plurality of information processing devices 2 constitutes a node in the distributed ledger technology.
  • the device management system 1 of the present embodiment uses the IOTA Tangle as the distributed ledger, but another distributed ledger may be used.
  • as the distributed ledger, the Ethereum® blockchain may be used.
  • FIG. 7 is a diagram showing a device managed by the device management system.
  • the device management system 1 manages the IoT device 5.
  • the IoT device 5 is connected to the information processing device 2 by the network 4.
  • the information processing device 2 controls the operation of the IoT device 5.
  • the network 4 may be a wired network or a wireless network.
  • the network 4 is, for example, an internet network.
  • the IoT device 5 may be any sensor that detects a natural phenomenon such as temperature, humidity, pressure, light intensity or sound volume, or a physical quantity such as the direction, position, velocity or acceleration of an object. The IoT device 5 may also be a camera capable of photographing its surroundings.
  • the IoT device 5 may be any product such as a home electric appliance such as an air conditioner, an automobile, or a robot.
  • the device management system 1 of the present embodiment assumes that the device to be managed is an IoT device, but may manage a device that is not connected to the network.
  • the IoT device 5 may be a device that constitutes a node in the distributed ledger technology.
  • FIG. 8 is a diagram showing an information processing device.
  • the information processing device 2 may be a device generally called a personal computer, a workstation, a mainframe, or a device called a supercomputer. Further, the information processing device 2 may be a device called a smartphone or a tablet. Further, the information processing device 2 may be various devices having a function peculiar to the device such as a sensor function and a camera function in addition to the function of the computer.
  • the configuration of the terminal device 11 as an example of the information processing device 2 will be described.
  • the terminal device 11 includes a processing unit 12 that performs various processes, an input / output unit 13 that performs input and output to and from the operator, a storage unit 14 that stores the programs and various data operated on by the processing unit 12, and a communication unit 15 that communicates via the network 3 and the network 4.
  • the terminal device 11 may itself be a device managed by the device management system 1 of the present embodiment. Any device that can be connected to the Internet can be an IoT device managed by the device management system 1 of the present embodiment.
  • the processing unit 12 is an arithmetic unit called a CPU or MPU.
  • the processing unit 12 executes the program stored in the storage unit 14.
  • the input / output unit 13 is an input / output device such as a keyboard, a mouse, and a display.
  • the storage unit 14 may be any known storage device such as a RAM, a ROM, a hard disk, a magnetic storage device, and an optical storage device.
  • Each of the plurality of information processing devices 2 may have the same configuration, or each device may have a configuration different from that of the other devices.
  • FIG. 9 is a diagram showing a device managed by the device management system.
  • the device 16 includes a processing unit 17 that performs various processes, a device function execution unit 18 that executes a function peculiar to the device, a storage unit 19 that stores the programs and various data operated on by the processing unit 17, and a communication unit 20 that communicates via the network 4.
  • the processing unit 17 is an arithmetic unit called a CPU or MPU.
  • the processing unit 17 executes the program stored in the storage unit 19.
  • the storage unit 19 may be any known storage device such as a RAM, a ROM, a hard disk, a magnetic storage device, or an optical storage device.
  • the device function execution unit 18 is configured to execute a function peculiar to the device.
  • the device function execution unit 18 includes a detection element that detects an object, a control unit that controls the detection element, and the like.
  • the device function execution unit 18 includes an image sensor that images the surroundings, an image processing unit that processes the image captured by the image sensor, and a control unit that controls the image sensor and the image processing unit.
  • the device function execution unit 18 includes a drive unit that drives each component related to the refrigeration cycle, a detection unit that detects temperature and humidity, a control unit that controls the drive unit and the detection unit, and the like.
  • the device function execution unit 18 includes a drive unit that drives each component related to the running of the automobile, a detection unit that detects conditions related to safety outside the vehicle and conditions related to comfort inside the vehicle, and a control unit that controls the drive unit and the detection unit.
  • the device function execution unit 18 includes a drive unit that drives the robot, a detection unit that detects the surrounding conditions of the robot, and a control unit that controls the drive unit and the detection unit.
  • the robot may manufacture an IoT device to be managed by the device management system 1 of the present embodiment. By doing so, a more reliable IoT device can be manufactured.
  • FIG. 10 is a diagram showing a distributed ledger which is an example of a storage unit.
  • the device management system 1 of the present embodiment has, as nodes, full nodes that hold a tangle, which is an example of a distributed ledger, and light wallets that do not hold a tangle.
  • a full node synchronizes its own tangle with the tangles of other full nodes.
  • a light wallet is also called a light node. Since a light node does not hold a tangle itself, it has no tangle to manage and its operational burden is small; however, when it operates using information obtained from a full node, there is a risk that processing is slightly delayed by the communication time.
  • a charge may be made for the exchange of information between or within devices. The amount charged is small when a small amount of information is exchanged, and by paying the charge in IOTA, a cryptocurrency, a system suited to micropayments can be built.
  • the information processing device 2, the IoT device 5, the terminal device 11, and the device 16 may be full nodes or light nodes.
  • FIG. 11 is a diagram showing a tangle which is an example of a distributed ledger.
  • the tangle uses a DAG (Directed Acyclic Graph).
  • recording information in the distributed ledger means recording a transaction (TX) in the tangle.
  • Proof of work (PoW) is performed when recording a new transaction.
  • FIG. 12 is a diagram showing a device management system that stores device manufacturing information.
  • the device manufacturing distributed ledger 101 is a distributed ledger that records manufacturing information, which is information related to the manufacturing process of a device managed by the device management system 1 (hereinafter, referred to as “managed device”).
  • the device manufacturing distributed ledger 101 is a tangle possessed by the full nodes constituting the device management system 1.
  • the terminal device 11 records the manufacturing time information 16a in the device manufacturing distributed ledger 101.
  • the terminal device 11 is a device arranged in the equipment for manufacturing the device (eg, the factory FA in FIG. 1, the production line), or a device communicably connected to the device arranged in the equipment for manufacturing the device.
  • the terminal device 11 corresponds to, for example, the control device FA1 in FIG.
  • the terminal device 11 has a non-rewritable storage area (eg, a region protected by Arm TrustZone®; note that TrustZone isolates a secure world from the normal world in execution and memory access rather than making storage read-only, so the non-rewritable property depends on how that region is configured). This storage area stores a program that causes the processing unit of the terminal device 11 to execute a process of generating manufacturing information.
  • according to the above program, the processing unit of the terminal device 11 detects that a component is incorporated into the device in the manufacturing process, and generates manufacturing information by associating the ID of the component and information on the manufacturing line into which the component is incorporated with the ID of the device being manufactured.
  • the information on the production line includes, for example, information (for example, ID) of a processing device (for example, the processing device FA2 of FIG. 1) that executes processing.
  • the program stored in the storage area of the terminal device 11 causes the processing unit of the terminal device 11 to execute the process of recording the generated manufacturing information in the distributed ledger.
  • the manufacturing time information 16a is a transaction in the distributed ledger 101 for device manufacturing.
  • the manufacturing information 16a is information when manufacturing the managed device.
  • the manufacturing time information 16a is generated each time a part constituting the managed device is selected and assembled in the manufacturing process of the managed device. For example, when the circuit board A, a component constituting the managed device, is selected and the electronic component B (CPU, memory, etc.) is mounted on the circuit board A, manufacturing time information 16a for the circuit board A and manufacturing time information 16a for the electronic component B are generated for the managed device.
  • the manufacturing time information 16a includes a device ID that identifies the managed device, a component ID that identifies a component constituting the managed device, a manufacturing line ID that identifies the manufacturing line that incorporated the component indicated by the component ID into the managed device, and manufacturing time information indicating the time at which that component was incorporated into the managed device. The manufacturing time information 16a associates the component ID, the manufacturing line ID and the manufacturing time information with the device ID.
  • the manufacturing line ID may include a worker person in charge ID or a manufacturing device (robot) ID in order to identify a worker or a manufacturing device.
  • FIG. 13 is a diagram showing a process of storing device manufacturing information.
  • FIG. 13 shows a process executed by the terminal device 11.
  • the processing unit 12 of the terminal device 11 detects whether or not there is newly generated manufacturing time information 16a (step S801).
  • the manufacturing information 16a may be input to the terminal device 11 by a person in charge of manufacturing operating the input / output unit 13 of the terminal device 11.
  • the robot may input the manufacturing information 16a to the terminal device 11 via the communication unit 15 of the terminal device 11.
  • if there is newly generated manufacturing time information 16a in step S801, the processing unit 12 records the manufacturing time information 16a in the device manufacturing distributed ledger 101 (step S802) and ends the process. If there is no newly generated manufacturing information 16a in step S801, the processing unit 12 ends the process as it is.
  • the terminal device 11 that records in the device manufacturing distributed ledger 101 may be any of the information processing device 2, the IoT device 5 and the device 16, or may be the managed device itself.
  • the device manufacturing process is divided into a plurality of processes such as component mounting, assembly, and inspection.
  • the manufacturing information 16a may be recorded for each process, or may be recorded at least once in the final assembly / inspection process.
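The per-component manufacturing records described above, together with the component ID check that the second information processing device applies to them (IDs registered by an inspection organization, an owner or user override for unregistered parts, and the rule that missing predetermined information makes a device unreliable), as one added Python example serving both passages. This is editorial illustration, not the patent's code; the ledger is an in-memory list, and the part IDs, line IDs and inspection database are constructed.

```python
"""Manufacturing-time information 16a generated per mounted component (S801/S802)
and the component-ID evaluation performed on it.  Constructed example."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ManufacturingInfo:
    device_id: str
    part_id: str
    line_id: str   # manufacturing line; may also carry a worker or robot ID
    time: str


class ManufacturingLedger:
    """Append-only stand-in for the device manufacturing ledger 101."""

    def __init__(self) -> None:
        self.records: List[ManufacturingInfo] = []

    def record_mount(self, device_id: str, part_id: str, line_id: str, time: str) -> ManufacturingInfo:
        """Called by the terminal device each time a component is incorporated."""
        rec = ManufacturingInfo(device_id, part_id, line_id, time)
        self.records.append(rec)
        return rec

    def parts_of(self, device_id: str) -> List[str]:
        """Component IDs associated with a device ID, in mounting order."""
        return [r.part_id for r in self.records if r.device_id == device_id]


def evaluate_parts(ledger: ManufacturingLedger, device_id: str, inspected: Set[str],
                   owner_approved: Iterable[str] = ()) -> Tuple[bool, List[str]]:
    """Reliable iff the device has manufacturing information and every part ID is
    either registered by the inspection organization or explicitly approved by
    the owner or user.  Returns the verdict and the part IDs still unresolved,
    which is the list the external inquiry or the owner prompt would be built from."""
    parts = ledger.parts_of(device_id)
    if not parts:
        return False, []   # predetermined information missing: unreliable
    approved = set(owner_approved)
    unresolved = [p for p in parts if p not in inspected and p not in approved]
    return (not unresolved), unresolved
```

A device with no manufacturing records at all is rejected before any part is examined, so an attacker cannot make a device look reliable simply by keeping it out of the ledger; the override path only ever widens the set of accepted part IDs for a device that does have records.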
  • FIG. 14 is a diagram showing a device management system that stores device startup information.
  • the device change history distributed ledger 102 is a distributed ledger for recording startup information 16b, which is information related to the startup process of the managed device.
  • the device change history distributed ledger 102 is a tangle possessed by the full nodes constituting the device management system 1.
  • the device change history distributed ledger 102 may be the same distributed ledger as the device manufacturing distributed ledger 101.
  • the terminal device 11 records the startup information 16b in the device change history distributed ledger 102.
  • the terminal device 11 is, for example, a device to be managed (eg, device Db in FIG. 1) or a device to control the device to be managed (eg, higher-level device MD in FIG. 1).
  • the startup information 16b is a transaction in the distributed ledger 102 for device change history.
  • the startup information 16b is information when the managed device is activated.
  • the managed device manufactured in the manufacturing process carries out an activation process when it is activated. In this activation process, the managed device is initialized and started.
  • the managed device has a ROM that stores the program, a CPU that executes the program stored in the ROM, and a secure element.
  • the secure element may be a TPM (Trusted Platform Module) having tamper resistance, a SIM (Subscriber Identity Module), a SAM (Secure Application Module), or any other known configuration.
  • the secure element does not necessarily have to be tamper resistant as long as it can store the verification key of the digital signature. For example, a mechanism such as TrustZone, which provides within the CPU a secure world isolated from normal memory, may be used.
  • the activation information 16b is generated.
  • the secure element stores a program that causes the processing unit 12 of the terminal device 11 to execute a process of generating startup information.
  • at the time the device starts, the processing unit 12 generates a hash value of the file describing the processing executed at startup, and a startup log.
  • the processing unit 12 generates startup information including at least a part of the generated hash value and startup log, and a device ID.
  • a program that causes the processing unit 12 of the terminal device 11 to execute the process of recording the startup information in the distributed ledger is also stored.
  • the processing unit 12 records the generated startup information in the distributed ledger according to this program.
  • the startup information 16b includes a device ID that identifies the managed device, verification time information indicating the time at which the startup process of the managed device was performed, a hash value of the program or data file used in the startup process of the managed device, and a digital signature by the managed device. The startup information 16b associates the verification time information, the hash value and the digital signature with the device ID.
  • FIG. 15 is a diagram showing a process of storing device startup information.
  • FIG. 15 shows a process executed by the terminal device 11.
  • the processing unit 12 of the terminal device 11 detects whether or not there is newly generated start-up information 16b (step S1001).
  • the managed device may input the startup information 16b into the terminal device 11 via the communication unit 15 of the terminal device 11.
  • the managed device itself may record the startup information 16b in the device change history distributed ledger 102.
  • if there is newly generated startup information 16b in step S1001, the processing unit 12 records the current startup information 16b in the device change history distributed ledger 102 (step S1002) and ends the process. If there is no newly generated startup information 16b in step S1001, the processing unit 12 ends the process as it is.
  • the terminal device 11 that records in the device change history distributed ledger 102 may be any of the information processing device 2, the IoT device 5 and the device 16, or may be the managed device itself.
  • FIG. 16 is a diagram showing a device management system that stores device update information.
  • the device change history distributed ledger 102 is a distributed ledger that records the update information 16c, which is information related to the update process of the managed device, in addition to the startup information 16b.
  • the device change history distributed ledger 102 is a tangle possessed by the full nodes constituting the device management system 1.
  • the terminal device 11 records the update information 16c in the device change history distributed ledger 102.
  • the terminal device 11 is, for example, a device to be managed (eg, device Db in FIG. 1) or a device to control the device to be managed (eg, higher-level device MD in FIG. 1).
  • the update information 16c is a transaction in the distributed ledger 102 for device change history.
  • the update information 16c is information when updating the managed device.
  • the managed device activated in the activation process executes an update process for updating the program during operation.
  • the managed device receives, via the Internet, a firmware patch, a program that adds a new function among the functions specific to the managed device, a program that fixes a bug, various data and the like, and updates the program running on the managed device.
  • the managed device has a firmware (FW) to be executed by the managed device, a program to be executed by the managed device, and a data file (File) to be used for execution.
  • Firmware is also a type of program.
  • the update information 16c is generated.
  • the process of updating the managed device may include updating the firmware and the config file of the managed device by, for example, the terminal device 11.
  • the terminal device 11 records the update information 16c regarding the update in the device change history distributed ledger 102.
  • the secure element stores a program that causes the processing unit 12 of the terminal device 11 to execute a process of generating update information.
  • at the time the device is updated, the processing unit 12 generates a hash value of the file describing the processing executed at the update, and an update log.
  • the processing unit 12 generates update information including at least a part of the generated hash value and update log, and the device ID.
  • a program that causes the processing unit 12 of the terminal device 11 to execute the process of recording the update information in the distributed ledger is also stored.
  • the processing unit 12 records the generated update information in the distributed ledger according to this program.
  • the update information 16c includes a device ID that identifies the managed device, verification time information indicating when the update process of the managed device was performed, the hash value of the program or data file used in the update process, and a digital signature by the managed device. The verification time information, the hash value, and the digital signature are each associated with the device ID.
  • FIG. 17 is a diagram showing a process of storing device update information.
  • FIG. 17 shows a process executed by the terminal device 11.
  • the processing unit 12 of the terminal device 11 detects whether or not there is newly generated update information 16c (step S1201).
  • the managed device may input the update information 16c to the terminal device 11 via the communication unit 15 of the terminal device 11.
  • the managed device itself may record the update information 16c in the device change history distributed ledger 102.
  • if there is newly generated update information 16c, the processing unit 12 records it in the device change history distributed ledger 102 (step S1202) and ends the process. If there is no newly generated update information 16c in step S1201, the processing unit 12 ends the process as it is.
  • the terminal device 11 that records to the device change history distributed ledger 102 may be the information processing device 2, the IoT device 5, the device 16, or the managed device itself.
  • the terminal device 11 may record update information 16c in the device change history distributed ledger 102 not only when new update information 16c exists (i.e., when the device has been updated) but also at predetermined time intervals, so that the current state of the managed device is recorded even when it has not been updated.
  • the update information 16c indicating the current status of the managed device includes a device ID that identifies the managed device, verification time information indicating the current time, the hash value of the program and data files currently being executed on the managed device, and a digital signature by the managed device. The verification time information, the hash value, and the digital signature are each associated with the device ID.
  • FIG. 18 is a diagram showing a process of storing device update information at predetermined time intervals.
  • FIG. 18 shows a process executed by the terminal device 11.
  • the processing unit 12 of the terminal device 11 confirms whether a predetermined time has elapsed from the recording of the previous update information 16c (step S1301).
  • the predetermined time determined in step S1301 may be determined according to the frequency at which the managed device may be tampered with. Further, the predetermined time may be a fixed time or may be varied.
  • the managed device may input the update information 16c to the terminal device 11 via the communication unit 15 of the terminal device 11.
  • the managed device itself may record the update information 16c in the device change history distributed ledger 102.
  • when the predetermined time has elapsed in step S1301, the processing unit 12 records the current update information 16c in the device change history distributed ledger 102 (step S1302) and ends the process. If the predetermined time has not elapsed in step S1301, the processing unit 12 ends the process as it is.
  • the terminal device 11 that records to the device change history distributed ledger 102 may be the information processing device 2, the IoT device 5, the device 16, or the managed device itself. With the process shown in FIG. 18, tampering in which a managed device that has in fact been modified pretends to be in its un-updated state can be detected, because the current status of the managed device is periodically reflected in the device change history distributed ledger 102.
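
The update information record described above (device ID, verification time, file hash, device signature) and the periodic status snapshot of FIG. 18, as an added example in Go; this is not code from the patent or its applicant. It assumes an Ed25519 key pair held by the managed device (the page says only that a private key is used and that the generating program lives in a secure element), SHA-256 over the firmware, program and config files in a fixed order, and a `|`-joined canonical message; the file contents and device ID are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
	"time"
)

// UpdateInfo mirrors the fields the text gives for update information 16c:
// a device ID, verification time, the hash of the files in use, and the
// device's digital signature binding them together.
type UpdateInfo struct {
	DeviceID   string
	VerifiedAt time.Time
	FileHash   string // hex SHA-256 over all files, see hashFiles
	Signature  []byte // Ed25519 signature over signingBytes(...)
}

// NewDeviceKey generates the device's signing key pair (assumption: Ed25519).
// In the described system the private key would stay inside the secure element.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// hashFiles hashes every file in a fixed (sorted) order, framing in the file
// name and length, so that renaming, reordering or splitting files changes the digest.
func hashFiles(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s\x00%d\x00", n, len(files[n]))
		h.Write(files[n])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// signingBytes is the canonical message the device signs. The device ID and
// time are part of it so a signature cannot be replayed for another device or moment.
func signingBytes(deviceID string, at time.Time, fileHash string) []byte {
	return []byte(strings.Join([]string{deviceID, at.UTC().Format(time.RFC3339), fileHash}, "|"))
}

// BuildUpdateInfo is what the terminal device (or the managed device itself)
// produces when an update is applied or when the periodic status snapshot is due.
func BuildUpdateInfo(priv ed25519.PrivateKey, deviceID string, files map[string][]byte, at time.Time) UpdateInfo {
	fh := hashFiles(files)
	return UpdateInfo{
		DeviceID:   deviceID,
		VerifiedAt: at.UTC(),
		FileHash:   fh,
		Signature:  ed25519.Sign(priv, signingBytes(deviceID, at, fh)),
	}
}

// VerifyUpdateInfo is what a reader of the ledger does before trusting a record.
func VerifyUpdateInfo(pub ed25519.PublicKey, u UpdateInfo) bool {
	return ed25519.Verify(pub, signingBytes(u.DeviceID, u.VerifiedAt, u.FileHash), u.Signature)
}

// StatusDue implements step S1301: a snapshot is due once the interval has passed.
func StatusDue(lastRecorded, now time.Time, interval time.Duration) bool {
	return now.Sub(lastRecorded) >= interval
}

// StateDrifted flags the case the text describes: the files now on the device
// differ from what the last ledger record says they are.
func StateDrifted(lastRecorded UpdateInfo, currentFiles map[string][]byte) bool {
	return hashFiles(currentFiles) != lastRecorded.FileHash
}

func main() {
	pub, priv := NewDeviceKey()
	// Constructed sample device contents.
	files := map[string][]byte{"firmware.bin": []byte("fw v1"), "config.json": []byte(`{"a":1}`)}
	t0 := time.Date(2020, 10, 14, 9, 0, 0, 0, time.UTC)
	rec := BuildUpdateInfo(priv, "DEV-0001", files, t0)
	fmt.Println("record verifies:", VerifyUpdateInfo(pub, rec))
	files["firmware.bin"] = []byte("fw v1 with unlogged patch")
	fmt.Println("drift detected at next snapshot:", StateDrifted(rec, files))
}
```

The periodic snapshot only helps if the snapshot is produced by code the attacker cannot also replace, which is why the text places the generating program in the secure element; a snapshot signed by a key the attacker controls would simply attest to the tampered files.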
  • FIG. 19 is a diagram showing a device management system that refers to a plurality of trust information.
  • the terminal device 11 refers to the manufacturing information 16a recorded in the device manufacturing distributed ledger 101, and to the startup information 16b and the update information 16c recorded in the device change history distributed ledger 102.
  • FIG. 20 is a diagram showing a process of referencing a plurality of trust information.
  • FIG. 20 shows a process executed by the terminal device 11.
  • the terminal device 11 determines whether or not a process for confirming the reliability of the managed device has occurred (step S1501).
  • the process of confirming the reliability of a managed device includes, for example, confirming the state of the managed device when its operation shows suspicious behaviour.
  • the process of confirming the reliability of a managed device includes, for example, a process of confirming the reliability of the managed device when using data from a certain managed device.
  • the process of confirming the reliability of the managed device includes, for example, a process of confirming the reliability of the managed device when driving and controlling a certain managed device.
  • the process of confirming the reliability of a managed device includes, for example, a process of confirming the status of a managed device when an audit of the managed device becomes necessary.
  • in step S1502, the terminal device 11 acquires the device ID of the managed device whose reliability is to be confirmed this time.
  • the device ID may be acquired by input from the input / output unit 13, by reception from outside via the communication unit 15, or by reading it from the storage unit 14.
  • also in step S1502, the terminal device 11 reads the manufacturing time information 16a for the acquired device ID from the device manufacturing distributed ledger 101, and reads the startup information 16b and the update information 16c for that device ID from the device change history distributed ledger 102.
  • the terminal device 11 evaluates the manufacturing information 16a, the startup information 16b, and the update information 16c read in step S1502 and determines the current reliability of the managed device (step S1503).
  • in step S1504, the terminal device 11 performs control based on the current reliability of the managed device determined in step S1503, and then ends the process. For example, if the manufacturing information 16a read from the device manufacturing distributed ledger 101 lists a part other than the originally planned parts, control can be performed without using the managed device. Likewise, if the update information 16c read from the device change history distributed ledger 102 includes a record of a non-genuine update, control can be performed without using the managed device.
  • the terminal device 11 that executes the process of FIG. 20 may be either the information processing device 2, the IoT device 5, or the device 16, or may be the managed device itself.
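
The determination of step S1503 and the control of step S1504, as an added example in Go that is not part of the patent: it combines the three kinds of trust information read from the ledgers with an operator policy and reports every reason a device is rejected. The policy shape (a planned component list, planned manufacturing lines, and the hashes of genuine releases), the `SignatureValid` flag (the result of checking each record's signature, done before this step) and all sample identifiers are assumptions introduced for the example.

```go
package main

import "fmt"

// ManufacturingInfo holds the parts of manufacturing information 16a used here.
type ManufacturingInfo struct {
	DeviceID     string
	ComponentIDs []string
	LineID       string
}

// FileRecord stands for a startup information 16b or update information 16c
// entry as read from the change-history ledger: the file hash the device
// attested to, and whether its digital signature checked out (assumed to have
// been verified against the device's public key before this step).
type FileRecord struct {
	DeviceID       string
	FileHash       string
	SignatureValid bool
}

// Policy is what the operator considers acceptable for this device type
// (assumed structure; the page only says "originally planned parts" and "non-genuine update").
type Policy struct {
	PlannedComponents map[string]bool // component IDs expected from the bill of materials
	PlannedLines      map[string]bool // manufacturing line IDs the vendor operates
	GenuineHashes     map[string]bool // hashes of releases the vendor actually shipped
}

// Verdict is the result of step S1503: trusted or not, with every finding listed.
type Verdict struct {
	Trusted bool
	Reasons []string
}

// AssessReliability checks the manufacturing record against the planned parts
// and lines, then every startup/update record against the genuine release set.
// It never stops at the first problem, so an audit sees the full picture.
func AssessReliability(p Policy, m ManufacturingInfo, startup FileRecord, updates []FileRecord) Verdict {
	v := Verdict{Trusted: true}
	fail := func(format string, args ...interface{}) {
		v.Trusted = false
		v.Reasons = append(v.Reasons, fmt.Sprintf(format, args...))
	}
	for _, c := range m.ComponentIDs {
		if !p.PlannedComponents[c] {
			fail("unplanned component %s in manufacturing record", c)
		}
	}
	if !p.PlannedLines[m.LineID] {
		fail("device built on unknown manufacturing line %s", m.LineID)
	}
	for _, r := range append([]FileRecord{startup}, updates...) {
		if r.DeviceID != m.DeviceID {
			fail("record for %s mixed into the history of %s", r.DeviceID, m.DeviceID)
		}
		if !r.SignatureValid {
			fail("record with hash %s carries an invalid signature", r.FileHash)
		}
		if !p.GenuineHashes[r.FileHash] {
			fail("hash %s does not match any genuine release", r.FileHash)
		}
	}
	return v
}

// Control is step S1504: the only two outcomes the page describes are to use
// the device or to proceed without it.
func Control(v Verdict) string {
	if v.Trusted {
		return "use device"
	}
	return "do not use device"
}

func main() {
	// Constructed sample policy and ledger contents.
	p := Policy{
		PlannedComponents: map[string]bool{"CPU-A1": true, "SE-7": true},
		PlannedLines:      map[string]bool{"LINE-3": true},
		GenuineHashes:     map[string]bool{"h-fw1": true, "h-fw2": true},
	}
	m := ManufacturingInfo{DeviceID: "DEV-0001", ComponentIDs: []string{"CPU-A1", "SE-7"}, LineID: "LINE-3"}
	startup := FileRecord{DeviceID: "DEV-0001", FileHash: "h-fw1", SignatureValid: true}
	v := AssessReliability(p, m, startup, []FileRecord{{DeviceID: "DEV-0001", FileHash: "h-evil", SignatureValid: true}})
	fmt.Println(Control(v), v.Reasons)
}
```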
  • FIG. 21 is a diagram showing an example in which the device management system according to the embodiment is applied.
  • This embodiment is an example in which the device management system according to the embodiment is applied to a person tracking system that traces a person's movements.
  • the person tracking system 1600 has surveillance cameras 1606, 1607 and 1608 as managed devices. Information at the time of manufacture, start-up, and update of the surveillance cameras 1606, 1607 and 1608 is recorded in the distributed ledger 1602 as it arises. The reliability of surveillance cameras 1606, 1607 and 1608 is guaranteed by the distributed ledger 1602.
  • the distributed ledger 1602 refers to the distributed ledger 1601, in which the evidence establishing that a device is reliable is recorded.
  • the face image of the person 1605 is recorded in the distributed ledger 1604.
  • the surveillance cameras 1606, 1607 and 1608 match the face image recorded in the distributed ledger 1604 against the face image of person 1605 that they capture, and thereby acquire the action history of person 1605 passing the installation positions of the surveillance cameras 1606, 1607 and 1608.
  • This action history is recorded in the distributed ledger 1603.
  • the distributed ledger 1602 is referred to, and the reliability of the shooting results of the surveillance cameras 1606, 1607 and 1608 is guaranteed.
  • by referring to the distributed ledger 1603, the behaviour pattern and purchasing tendency of person 1605 can be analysed and used for merchandising and product development.
  • FIG. 22 is a diagram showing an example in which the device management system according to the embodiment is applied.
  • This embodiment is an example in which the device management system according to the embodiment is applied to a dangerous vehicle discrimination system for discriminating a dangerous driving vehicle.
  • the dangerous vehicle discrimination system 1700 has surveillance cameras 1705 and 1706 which are managed devices.
  • the surveillance cameras 1705 and 1706 are mounted on the vehicle 1704.
  • the surveillance camera 1705 photographs the front of the vehicle 1704 and captures the driving situation of the preceding vehicle 1707.
  • the surveillance camera 1706 photographs the rear of the vehicle 1704 and captures the driving situation of the following vehicle 1708.
  • Information at the time of manufacture, start-up, and update of the surveillance cameras 1705 and 1706 is recorded in the distributed ledger 1702 as it arises.
  • the reliability of surveillance cameras 1705 and 1706 is guaranteed by the distributed ledger 1702.
  • the distributed ledger 1702 refers to the distributed ledger 1701, in which the evidence establishing that a device is reliable is recorded.
  • the driving status and vehicle number of the preceding vehicle and the following vehicle taken by the surveillance cameras 1705 and 1706 are recorded in the distributed ledger 1703.
  • by referring to the contents previously recorded in the distributed ledger 1703, the surveillance cameras 1705 and 1706 can acquire the vehicle numbers of vehicles that have driven dangerously in the past.
  • the surveillance cameras 1705 and 1706 match the vehicle numbers of the preceding vehicle and the following vehicle currently being photographed against the vehicle numbers of previously dangerous vehicles obtained from the distributed ledger 1703. When there is a match, the risk posed by the dangerously driving vehicle can be notified to the smartphone 1710 of the driver of vehicle 1704, or to the navigation system 1709 mounted on vehicle 1704.
  • One form of the device management system has a distributed ledger (the distributed ledger 101 for device manufacturing and the distributed ledger 102 for device change history), bookkeeping means (S802, S1002, S1202, S1302) for recording in the distributed ledger at least one of manufacturing information, which is information related to the device manufacturing process, startup information, which is information related to the device activation process, and update information, which is information related to the device update process, and information reading means (S1502) for reading the information recorded in the distributed ledger.
  • This provides a device management system capable of improving the reliability of the device. Further, by recording the information about the device in the distributed ledger, it is possible to prevent the information from being tampered with. In addition, by recording in a public distributed ledger, it is possible to provide a system in which anyone can refer to information about the device, and anyone can confirm the reliability of the device.
  • the distributed ledger is a tangle (see FIG. 6). As a result, records can be written to the distributed ledger in real time. In addition, unlike other distributed ledgers that charge a fee for each record, the tangle can be written to free of charge. In addition, a scalable system can be provided. In addition, a system with high affinity for micropayments using the virtual currency IOTA can be provided.
  • the manufacturing information includes a device ID that can identify the device, a component ID that can identify a component constituting the device, a manufacturing line ID that can identify the manufacturing line on which the component indicated by the component ID was incorporated into the device, and manufacturing time information indicating when the component indicated by the component ID was incorporated into the device, each associated with the device ID.
  • the startup information includes a device ID that can identify the device, verification time information indicating the time when the device activation process was performed, the hash value of a file used in the device activation process, and a digital signature by the device, each associated with the device ID.
  • the update information includes a device ID that can identify the device, verification time information indicating the time when the device update process was performed, the hash value of a file used in the device update process, and a digital signature by the device, each associated with the device ID.
  • the digital signature is generated by signing the hash value of the file with the device's private key. This makes it harder still for the information about the device recorded in the distributed ledger to be tampered with, since a record altered after signing no longer verifies under the device's public key.
  • the device is an IoT device.
  • As a result, the reliability of IoT devices, which are exposed to malware and similar attacks by being connected to the Internet, can be improved. Further, according to this form, even if the program that controls the IoT device is rewritten by malware, for example, the hash of the rewritten program is recorded in the distributed ledger, so the current state of the IoT device can be known and the operator has a basis for deciding whether or not to use the IoT device.
  • One form of the device management method is a device management method for managing a device using a computer, in which at least one of manufacturing information, which is information related to the device manufacturing process, startup information, which is information related to the device starting process, and update information, which is information related to the device update process, is recorded in a distributed ledger.
  • This provides a device management method that can improve the reliability of the device. Further, by recording the information about the device in the distributed ledger, it is possible to prevent the information from being tampered with. In addition, by posting in a public distributed ledger, it is possible to provide a method in which anyone can refer to information about the device, and anyone can confirm the reliability of the device.
  • the information processing apparatus has bookkeeping means for recording in the distributed ledger at least one of manufacturing information, which is information related to the manufacturing process of the device, startup information, which is information related to the starting process of the device, and update information, which is information related to the updating process of the device.
  • the information processing device records the information about the device in the distributed ledger, so that the information about the device is less likely to be tampered with, and highly reliable information can be provided.
  • the IoT device has bookkeeping means for recording in a distributed ledger at least one of manufacturing time information, which is information related to the device manufacturing process, startup information, which is information related to the device starting process, and update information, which is information related to the device updating process. As a result, the IoT device records the information about itself in the distributed ledger, so that the information is less likely to be tampered with and highly reliable information can be provided.
  • One form of the program causes a computer to function as bookkeeping means for recording in a distributed ledger at least one of manufacturing information, which is information related to the manufacturing process of the device, startup information, which is information related to the activation process of the device, and update information, which is information related to the updating process of the device. This provides a program that can improve the reliability of the device. Further, by recording the information about the device in the distributed ledger, it is possible to prevent the information from being tampered with. In addition, by recording in a public distributed ledger, it is possible to provide a program in which anyone can refer to information about the device, and anyone can confirm the reliability of the device.
  • the distributed ledger is a tangle. As a result, records can be written to the distributed ledger in real time. In addition, unlike other distributed ledgers that charge a fee for each record, the tangle can be written to free of charge. In addition, a scalable program can be provided. In addition, a program with high affinity for micropayments using the virtual currency IOTA can be provided.
  • the manufacturing information includes a device ID that can identify the device, a component ID that can identify a component constituting the device, a manufacturing line ID that can identify the manufacturing line on which the component indicated by the component ID was incorporated into the device, and manufacturing time information indicating when the component indicated by the component ID was incorporated into the device, each associated with the device ID. This makes it possible to provide a program with increased reliability during the manufacture of the device.
  • the startup information includes a device ID that can identify the device, verification time information indicating the time when the device activation process was performed, the hash value of a file used in the device activation process, and a digital signature by the device, each associated with the device ID. As a result, it is possible to provide a program with improved reliability at the time of starting the device.
  • the update information includes a device ID that can identify the device, verification time information indicating the time when the device update process was performed, the hash value of a file used in the device update process, and a digital signature by the device, each associated with the device ID. As a result, it is possible to provide a program with improved reliability when updating the device.
  • the bookkeeping means records the manufacturing information in the distributed ledger when the device is manufactured by the manufacturing process. This makes it possible to provide a program with increased reliability during the manufacture of the device.
  • the bookkeeping means records the startup information in the distributed ledger when the device is activated by the activation step.
  • the bookkeeping means records the update information in the distributed ledger when the device is updated by the update process.
  • the bookkeeping means records the update information in the distributed ledger at predetermined time intervals. As a result, the status of the device can be confirmed at predetermined time intervals, and a program with enhanced device reliability can be provided.

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Condensed Matter Physics & Semiconductors (AREA)
  • General Physics & Mathematics (AREA)
  • Manufacturing & Machinery (AREA)
  • Computer Hardware Design (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Power Engineering (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The present invention relates to a device management system comprising: a first information processing device that causes a storage unit to store at least one of manufacturing information, which relates to a manufacturing step of a device having a storage area for holding identification information and includes the identification information, startup information, which relates to a startup step of the device and includes the identification information, and update information, which relates to an update step of the device and includes the identification information; and a second information processing device that reads, from among the manufacturing information, startup information and update information stored in the storage unit, at least one item of information that includes the identification information read from the storage area of a managed object, and uses the information read to determine the reliability of the managed device.
PCT/JP2020/038838 2019-10-15 2020-10-14 Device management system WO2021075475A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2021552418A JPWO2021075475A1 (fr) 2019-10-15 2020-10-14

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2019-189021 2019-10-15
JP2019189021 2019-10-15

Publications (1)

Publication Number Publication Date
WO2021075475A1 true WO2021075475A1 (fr) 2021-04-22

Family

ID=75538119

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/038838 WO2021075475A1 (fr) 2019-10-15 2020-10-14 Device management system

Country Status (2)

Country Link
JP (1) JPWO2021075475A1 (fr)
WO (1) WO2021075475A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011108225A (ja) * 2009-11-20 2011-06-02 Intel Corp Radio-frequency reconfiguration of microelectronic systems in product packages
JP2012532466A (ja) * 2009-07-10 2012-12-13 Certicom Corp. System and method for performing device serialization

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012532466A (ja) * 2009-07-10 2012-12-13 Certicom Corp. System and method for performing device serialization
JP2011108225A (ja) * 2009-11-20 2011-06-02 Intel Corp Radio-frequency reconfiguration of microelectronic systems in product packages

Also Published As

Publication number Publication date
JPWO2021075475A1 (fr) 2021-04-22

Similar Documents

Publication Publication Date Title
US11256818B2 (en) System and method for enabling and verifying the trustworthiness of a hardware system
JP6936396B2 (ja) Blockchain-based transaction processing method and apparatus
US11017399B2 (en) Method and electronic device for paymnet using biometric authentication
US9940114B2 (en) Seal-based regulation for software deployment management
WO2020195746A1 (fr) Device management system, device management method, information processing apparatus and program
US8316421B2 (en) System and method for device authentication with built-in tolerance
CN107077574A (zh) Trust service for client devices
US10250616B2 (en) Server and user terminal
CN103124973B (zh) Attesting the use of an interactive component during a boot process
US20140123255A1 (en) System and method for device authentication with built-in tolerance
CN109313690A (zh) Self-contained cryptographic boot policy validation
US9047450B2 (en) Identification of embedded system devices
CN102693379A (zh) Protecting operating system configuration values
CN106462711B (zh) Verified boot
US11316693B2 (en) Trusted platform module-based prepaid access token for commercial IoT online services
JP5360192B2 (ja) Personal authentication system and personal authentication method
CN104252377B (zh) Virtualized host ID key sharing
US8103878B2 (en) Control device, update method and control software
CN111461722A (zh) Smart contract deployment method, apparatus and device
US11489854B2 (en) Techniques for incentivized intrusion detection system
CN111931160A (zh) Permission verification method, apparatus, terminal and storage medium
WO2021075475A1 (fr) Device management system
AU2019272261A1 (en) Method for processing a secure financial transaction using a commercial off-the-shelf or an internet of things device
US11609996B2 (en) Data processing apparatus, system, and method for proving or checking the security of a data processing apparatus
CN115688092A (zh) Terminal weak-control method, apparatus, electronic device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20877323

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2021552418

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20877323

Country of ref document: EP

Kind code of ref document: A1