WO2022009429A1

WO2022009429A1 - Control device, control method, and drone device

Info

Publication number: WO2022009429A1
Application number: PCT/JP2020/027101
Authority: WO
Inventors: 裕之佐藤; 正一郎櫻木
Original assignee: さくら情報システム株式会社
Priority date: 2020-07-10
Filing date: 2020-07-10
Publication date: 2022-01-13
Also published as: JPWO2022009429A1

Abstract

A control device according to the present embodiment includes an acquisition unit, a verification unit, an access control unit, and a communication unit. When sending a message to an external device from an application having a code signature, the acquisition unit acquires an access request signal to a secure element from the application. The verification unit verifies the code signature of the application. The access control unit permits access to the secure element from the application only when the verification of the code signature is successful. The communication unit sends a signed message having a digital signature provided by the secure element to the external device.

Description

Control device, control method and drone device

The present invention relates to a control device, a control method and a drone device.

In recent years, as IoT (Internet of Things) devices, the number of devices that can communicate via the Internet, such as home appliances, gadgets that control home appliances, and medical devices, is increasing. Further, as IoT devices for industrial use, unmanned mobile objects such as drone devices and tractors that can be operated unmanned by remote control are attracting attention as new industrial machines. Such an IoT device can operate and control the device even if the user is not present. For example, a general operation of the drone device is performed by an operation within the field of view of the operator or an operation while checking an image acquired by a camera attached to the drone device, that is, a visual operation. However, as a control method for unmanned aerial vehicles such as drone devices in the future, controlled flight by the 5th generation mobile communication system (so-called 5G communication), which is the next-generation high-speed communication standard, is considered to be a promising option.

Japanese Patent Application Laid-Open No. 2018-511245 Japanese Patent Application Laid-Open No. 2019-032902

5G communication is a mobile communication standard, and communication is performed on a network that can be used simultaneously by an unspecified number of people. Therefore, in the control control of a mobile body using such 5G communication, hijacking by a malicious third party or unauthorized access from the outside becomes an important issue. In the above-mentioned example of the drone device, when 5G communication is used, the drone device can be accessed from outside the field of view, so that there is a risk that the drone device is exposed to unauthorized control or unauthorized access regardless of the location. be.
It is generally assumed that security measures will be taken on the application side against unauthorized access, but there is a limit to the security measures at the application layer running on the OS. Therefore, there is an urgent need for security measures that use secure elements such as SIM as security anchors when using 5G communication.

The present invention has been made in consideration of the above-mentioned circumstances, and an object of the present invention is to provide a control device, a control method, and a drone device capable of enhancing the security strength related to the control of IoT devices.

In order to solve the above-mentioned problems, the control device according to the present embodiment includes an acquisition unit, a verification unit, an access control unit, and a communication unit. When a message is sent from the acquisition unit and the code-signed application to the outside, the access request signal from the application to the secure element is acquired. The verification unit verifies the code signing of the application. The access control unit permits access to the secure element from the application only when the verification of the code signing is successful. The communication unit transmits a signed message digitally signed by the secure element to the outside.

According to the control device, control method and drone device of the present invention, it is possible to enhance the security strength related to the control of the IoT device.

FIG. 1 is a conceptual diagram showing a mobile control system including the control device according to the first embodiment. FIG. 2 is a block diagram showing a control device according to the first embodiment. FIG. 3 is a diagram showing a configuration example of software when performing authentication processing in the control unit according to the first embodiment. FIG. 4 is a flowchart showing an authentication process of the control device according to the first embodiment. FIG. 5 is a sequence diagram showing an access control process when communicating from a mobile body to the outside. FIG. 6 is a sequence diagram showing an access control process when communicating from a mobile body under unauthorized control to the outside. FIG. 7 is a conceptual diagram showing a mobile control system including the control device according to the second embodiment. FIG. 8 is a diagram showing an example of information registered in the public ledger on the blockchain network. FIG. 9 is a sequence diagram showing the operation of the control device according to the second embodiment.

Hereinafter, the control device, the control method, and the drone device according to the embodiment of the present invention will be described in detail with reference to the drawings. In the following embodiments, the same operation is performed for the portions with the same number, and the description thereof will be omitted.

(First Embodiment)
The control system including the control device according to the first embodiment will be described with reference to the conceptual diagram of FIG.
The control system 1 shown in FIG. 1 includes an IoT device 10, a control device 20, and a communication system 30.

The IoT device 10 is a device equipped with a control device described later in FIG. 2 and capable of remote control from the control device 20 through a communication line. Examples of the IoT device 10 include a drone device that flies in the air, a moving body 11 such as an agricultural tractor traveling on land, and an AI speaker 12 that controls home appliances and the like. In the present embodiment, a mobile body control system that controls a mobile body is assumed as the control system 1, and a mobile body 11 such as a drone device is described as an example of the IoT device 10.
Of course, the IoT device 10 shown in FIG. 1 is an example, and if the control device according to the present embodiment is installed, it is not limited to a drone device and an agricultural tractor, but also for a moving body such as a submersible that moves underwater. Can be controlled as well. Furthermore, remote controllable IoT devices such as manufacturing robots, construction machines, home appliances, home appliance control gadgets, and other devices that are installed in specific locations to perform work are not limited to devices that move their own locations such as mobile objects. If it is 10, it can be similarly controlled by mounting the control device according to the present embodiment.
The mobile body 11 receives an instruction signal from the control device 20 via the communication system 30, and moves according to the instruction signal. In addition, a plurality of IoT devices 10 may operate in the same system.

The control device 20 is an electronic device to which an instruction for controlling the mobile body 11 is input from the user, and may be a general-purpose electronic device such as a desktop PC, a notebook PC, a tablet PC, or a smartphone, or may be a general-purpose electronic device, or may be a control device for the mobile body 11. It may be an electronic device such as a controller designed exclusively for it.

The communication system 30 is, for example, a cellular network, and communication between the mobile body 11 and the control device 20 is controlled via the base station 31 based on communication standards such as 4G and 5G. Since the communication system itself uses a general cellular network, detailed description here will be omitted.

Next, the control device 15 according to the first embodiment will be described with reference to the block diagram of FIG.
The control device 15 according to the first embodiment includes a secure element 101, a control unit 103, and a communication unit 105. The secure element 101 includes a storage unit 1011 and a signature unit 1012.

The secure element 101 conforms to a secure chip standardized by a Global Platform® such as SIM (Subscriber Identity Module), USIM (Universal SIM), eSIM (Embedded SIM), or FeliCa®. It is hardware that has sex.
The storage unit 1011 included in the secure element 101 stores device-specific identification information, a code signing verification key used for verification of an application, a code signing key for digitally signing, and the like. The code signing verification key is assumed to be, for example, a public key of a public key cryptosystem. The code signing key is assumed to be, for example, a private key of a public key cryptosystem.
The signature unit 1012 included in the secure element 101 performs signature processing for the application.

The control unit 103 controls the device on which the control device 15 is mounted based on the control signal from the control device 20 acquired via the communication unit 105. In the present embodiment, the drive unit (not shown) of the mobile body 11 (drone device) is controlled. The drive unit is a unit that drives the own device, and is assumed to be a device such as a motor, an actuator, an engine, or a propeller. As for the drive of the moving body 11, any drone device may have a configuration capable of normal flight, and the description thereof is omitted here because it is a general configuration.
Further, the control unit 103 is equipped with an operation system in which an application related to control of a device such as a control application operates, and controls access from the control application to the secure element 101 and the like. For example, the authentication process is performed based on the hash value based on the code signing attached to the control application and the private key stored in the storage unit 1011. If the authentication is successful, the device is controlled based on the control application.

The communication unit 105 receives a control signal or the like from the control device 20. Further, the communication unit 105 transmits a message addressed to the outside from the control application to the outside such as the IoT device 10 including the control device 20 or another mobile body 11.
When the mobile body 11 on which the control device is mounted has a sensor, the communication unit 105 transmits the value acquired by the sensor (hereinafter referred to as the sensor value) to the outside. Sensors are various sensors that measure values such as temperature, altitude, and inclination of a moving object (hereinafter referred to as sensor values). Since a general sensor may be used for the sensor configuration, the description thereof is omitted here.

Next, the configuration of the software when performing the authentication process in the control unit 103 of the control device 15 according to the first embodiment will be described with reference to the block diagram of FIG.
In this embodiment, a secure mechanism by TrustZone (registered trademark) of ARM (registered trademark) is assumed, but it is not limited to this, and any secure mechanism such as Intel SGX of Intel (registered trademark) can be used. However, it can be implemented in the same way.

The concept of the software configuration according to the present embodiment includes an external device including the secure element 101, a normal world 32, and a secure world 33.
The normal world 32 and the secure world 33 are concepts configured by the control unit 103, and it is assumed that the secure element 101 is separate from the secure element 101 as hardware.
The normal world 32 represents a non-secure environment and includes a plurality of

control applications

321 and 322, and a TEE (Trusted Execution Environment) driver 323 (also referred to as an acquisition unit). The secure world 33 cannot be directly accessed from the

control applications

321 and 322 of the normal world 32.
The control application 321 is software that is freely downloaded and installed by the user of the control device 15. Basically, the control application is certified software, but malicious applications may also be downloaded.
The TEE driver 323 includes software that acts as a bridge for accessing the secure world 33 from the normal world 32.
The secure world 33 indicates a secure environment and includes an access control unit 331. The access control unit 331 includes a verification unit 332.

Next, the authentication process of the control device 15 according to the first embodiment based on FIGS. 2 and 3 will be described with reference to the flowchart of FIG.
In step S401, the TEE driver 323 acquires the access request signal from the control application to the secure element and the code signing attached to the control application.

In step S402, the access control unit 331 verifies the code signing of the control application that has sent the access request signal. Since a general method may be used for the code signing verification process, a specific description thereof will be omitted here.

In step S403, the access control unit 331 determines whether or not the code signing verification is successful. If the code signing verification is successful, the process proceeds to step S405, and if the code signing verification fails, that is, if the code signing values do not match, the process proceeds to step S404.

In step S404, it is determined that the control application may be an unauthorized application, not the authenticated software. Therefore, since there is a possibility that unauthorized access or falsification is performed by the control application, the access control unit 331 denies the access to the secure element 101 from the control application and ends the processing related to the access request signal.

In step S405, since the control application is considered to be authenticated software, the access control unit 331 permits access to the secure element 101 from the control application.

In step S406, the control application accesses the secure element and processes based on the access request signal are executed. For example, the digital signature with the private key stored in the secure element 101 is executed.

Next, the access control process in the case of communicating from the mobile body 11 to the outside from the control device 15 such as the control device 20 will be described with reference to the sequence diagram of FIG. In the example of FIG. 5, data communication between the control device 20, the communication unit 105, and the mobile body 11 including the secure element 101 is shown.
In the process shown in FIG. 5, it is premised that the authentication process of the control application shown in FIG. 4 is successful and the control application is the authenticated software.

In step S501, when the secure element 101 transmits the message generated by the control application to the outside of the mobile body 11 at the request of the control application, the secure element 101 acquires the message via the access control unit 331. The secure element 101 digitally signs the message and generates a signed message.
In step S502, the control application acquires a digitally signed message from the access control unit, and the communication unit 105 transmits the signed message to the control device 20 via the communication system 30.

In step S503, the control device 20 receives the signed message.
In step S504, the control device 20 verifies the signed message using the code signing verification key. Here, it is assumed that the verification of the signed message is successful because the control application is the authenticated software.

In step S505, the control device 20 can determine that the message is from the authenticated control application because the verification of the digital signature is successful. Therefore, the validity of the control by the control application can be confirmed.

Subsequently, an access control process in a state of being hijacked by an unauthorized application, that is, when communicating from a mobile body under unauthorized control to the outside will be described with reference to the sequence diagram of FIG.
If the mobile body communicates to the outside, that is, when the control application sends a message to the outside, the digital signature by the secure element 101 is always required, and the message from the unauthorized application is received. Less likely. However, it is assumed that the digital signature by the secure element 101 is not attached every time the sensor value or the like is transmitted to the outside, and there may be a situation where the communication can be performed to the outside without the digital signature. In the assumption shown in FIG. 6, it is assumed that an unauthorized application intervenes in a situation where communication with the outside can be performed without such a digital signature.

In step S601, the mobile body under unauthorized control sends a message to the outside. In this case, it is conceivable that the message is sent not to the control device 20 operated by the user but to another external device, but the control device 20 holds the ID of the mobile body under unauthorized control. Therefore, by specifying the ID of the mobile body under the illegal control, it is possible to receive the message transmitted to the outside from the mobile body under the illegal control. The message may also be a digitally signed message. The digital signature in this case is considered to be not the digital signature by the secure element 101 but the digital signature by the control application itself.

In step S602, the control device 20 receives the message.
In step S603, the control device 20 verifies the message using the code signing verification key. Here, it is assumed that the verification of the digitally signed message fails because the control application is a malicious application. When the verification fails, it is assumed here that the hash value obtained by decrypting the digital signature and the hash value generated from the code do not match.

In step S604, since the control device 20 is a message from an unauthorized application, filtering processing such as discarding the message may be performed. Since it can be determined that the message is from an unauthorized control application due to the failure of the verification of the digital signature, it can be determined that the mobile body 11 may be illegally controlled by the control application.

It should be noted that the emergency control mechanism of the mobile body 11 may be implemented, and if it is determined that improper control is being performed, the control device 20 may control to activate the emergency control mechanism of the mobile body 11. As the emergency control mechanism of the mobile body 11, for example, an alert signal may be transmitted to the control device without intervention of other controls, or the sensor of the mobile body may be turned off so that the sensor value is not transmitted to the outside. You can make an alert sound, fly back to the starting point, or land on a wide area such as a ground with no obstacles nearby.

The digitally signed message is not limited to being transmitted to the control device 20, but may be transmitted / received between a plurality of mobile bodies 11. In this case, a signed message may be transmitted from a certain mobile body 11 to the secure elements 101 of a plurality of mobile bodies 11, and verification of the digitally signed message may be executed in each mobile body 11.

According to the control device according to the first embodiment shown above, whether or not the software is authenticated by whether or not the code signing of the control application can be correctly verified by using the secure element represented by SIM. By determining, if the software is authenticated, access to the secure element is permitted. On the other hand, if the software is unauthenticated and malicious, access to the secure element is denied. By executing such access control, it is possible to enhance the security strength related to the control of IoT devices represented by mobile objects such as drone devices.
In other words, when an IoT device is infected with a virus, if a botnet or the like is incorporated, a DDos attack or spam mail may be sent, and the microphone or camera of the IoT device may be accessed. There is a risk of eavesdropping, see-through, interception of communication contents, and falsification. However, according to the control device according to the present embodiment, by enabling only the control application trusted by the secure element to be executed, such a risk can be avoided and the level of security can be significantly improved.

In addition, the control device determines whether the signal transmitted from the moving object to the outside is digitally signed by the secure element, and if it is not digitally signed by the secure element, a rogue control application. Since it can be determined that the state is controlled by the above, it is possible to give an instruction of necessary processing such as drive stop and sensor off to the moving body.

(Second embodiment)
In the second embodiment, the code signing verification key related to the control application is managed by the blockchain.

The control system according to the second embodiment will be described with reference to the conceptual diagram of FIG.
The control system shown in FIG. 7 includes a plurality of mobile bodies 11 and a blockchain network 70. In the second embodiment, the mobile control system for the mobile 11 is assumed, but as in the first embodiment, the IoT device 10 on which the control device 15 is mounted is not limited to the mobile. It is controllable.

The blockchain network 70 is a P2P (Peer to Peer) network that uses blockchain technology, and each of the communication media 71 participating in the network is connected to each other as a node. Unlike a centralized network, a P2P network does not have a server and a hierarchical structure, and basically all nodes are connected in a "flat" state so as to share the load related to the processing of services. The communication medium 71 participating in the blockchain network 70 is various communication media capable of communicating via a network, such as a mobile phone such as a smartphone, a tablet PC, a notebook PC, and a desktop PC. A P2P format network is constructed by such a communication medium 71.

Each communication medium 71 has a public ledger 75. Each public ledger 75 is data used in the blockchain technology, in which a history of information on a moving body so far is recorded. Each public ledger 75 is newly approved for a transaction by a mechanism such as proof of work or proof of stake, is taken in as a block, and is shared by each public ledger 75.

Next, an example of the information registered in the public ledger 75 on the blockchain network 70 will be described with reference to FIG.
FIG. 8 is a diagram showing an example of the information registered in the public ledger 75 in a table. The control application ID 801 and the code signing key 802, the code signing verification key 803, and the flag 804 are registered in the table 800 in association with each other.

The control application ID 801 is an identifier for uniquely identifying the control application downloaded to the mobile body. The code signing key 802 is assumed to be a private key, for example, but may be a hash value obtained by applying a hash function to a message or data from a control application. The code signing verification key 803 is assumed to be a public key, for example, but may be a hash value related to the public key. The flag 804 is a flag indicating the validity or invalidity of the associated code signing verification key, and is expressed by one bit in which the valid case is "1" and the invalid case is "0". The flag 804 is not limited to this, and other expression methods such as the character string itself of "valid" and "invalid" may be used.
Only the correspondence between the code signing verification key 803 and the flag 804 may be registered in the public ledger 75.

Next, the operation of the control device 15 according to the second embodiment will be described with reference to the flowchart of FIG.
It is assumed that a plurality of pairs of the code signing verification key 803 and the flag 804 are registered in the public ledger 75 of the blockchain network 70 in advance in the blockchain network 70.

In step S901, the access control unit 331 of the mobile body 11 acquires an access request signal from the control application.
In step S902, the access control unit 331 of the mobile body 11 accesses the public ledger 75 from the blockchain network 70. The access control unit 331 of the mobile body 11 determines whether or not the code signing verification key registered in the public ledger 75 on the blockchain network 70 is valid. Here, referring to the flag shown in FIG. 8, if the flag is "1", that is, the code signing verification key is valid, the process proceeds to step S903, and if the flag is "0", that is, the code signing verification key is invalid. , Rejects the access request from the control application and ends the process. Here, it is assumed that the code signing verification key is determined to be valid.

In step S903, the access control unit 331 of the mobile body 11 determines whether or not the code signing of the control application can be verified with the valid code signing verification key determined in step S902. If the verification of the code signing with a valid code signing verification key is successful, the process proceeds to step S904, and if the verification of the code signing with a valid code signing verification key fails, the process proceeds to step S905.
In step S904, the access control unit 331 of the mobile body 11 permits access to the secure element of the control application.
In step S905, the access control unit 331 of the mobile body 11 denies access to the secure element 101 of the control application because it may be an unauthorized control application.
In step S906, the control application accesses the secure element 101, and processing based on the access request signal is executed. This completes the operation of the control device 15 according to the second embodiment.

As an index of the validity of the code signing verification key, the value registered in the public ledger 75 of the blockchain network 70 may be determined based on the agreed conditional expression instead of the flag. The sequence for determining the validity of the code signing verification key based on the conditional expression may be performed by the process shown in step S903 in the flowchart of FIG. For example, a control application that can be used by satisfying conditional expressions such as "conditions related to a control area where the flight range that can be remotely controlled according to billing is expanded by a ticket system" and "pay the monthly usage fee by the specified date". If it exists, it can be said that using the control application has agreed to the conditional expression of "paying the monthly usage fee by the specified date". Therefore, if the monthly usage fee is paid by the designated date, it may be determined that the code signing verification key is valid in order to satisfy the conditional expression. On the other hand, if the monthly usage fee is unpaid even after the specified date, it may be determined that the code signing verification key is invalid because the conditional expression is not satisfied.

When determining the validity of the code signing verification key based on the above conditional expression, instead of registering the flag in the public ledger, register the value required for determining the conditional expression. For example, in the case of the conditional expression "pay the monthly usage fee by the specified date", if the date when the payment is completed and the value indicating how many months the usage fee is registered are registered in the public ledger. good.

For example, when managing the movement route plan of the mobile body 11 on the blockchain network 70, the mobile body 11 itself generates a transaction in order to confirm whether the mobile body 11 has correctly moved along the movement route plan. Then, it may be broadcast on the blockchain network 70. For example, when the route information such as the route history that the mobile body 11 has flown or passed is registered in the blockchain network 70, the mobile body 11 itself generates a transaction related to the route information. The mobile body 11 may digitally sign the transaction by the digital signature of the secure element 101 or a control application authenticated by the secure element 101, and broadcast the digitally signed transaction on the blockchain network 70.

That is, when the moving object is a drone device, the flight route is changed by an illegal control application when the flight route information is registered in the blockchain network at predetermined time intervals with the flight route specified in advance as a conditional expression. Assume that it has changed.
In this case, since the flight path shown in the transaction broadcast to the blockchain network 70 does not satisfy the conditional expression, the emergency control mechanism of the mobile body described in the first embodiment may be controlled to be activated. ..
As a result, the mobile body 11 can refer to the blockchain network 70 and autonomously execute defense control against unauthorized control such as tampering and hijacking.

The route information of the mobile body 11 is not limited to being registered in the blockchain network as a transaction, and is a general server as long as the route information is digitally signed by the secure element 101 or an authenticated control application. You may manage it with.

According to the control device according to the second embodiment shown above, by managing various information by the blockchain network, the history of contract conditions can be safely managed, so that, for example, a smart contract can be used. It is also possible to manage the contract and determine the contract information autonomously by the mobile body itself.

The instructions given in the processing procedure shown in the above-described embodiment can be executed based on a program that is software. It is also possible for a general-purpose computer system to store this program in advance and read this program to obtain an effect similar to the effect of the control device described above. The instructions described in the above embodiments are the programs that can be executed by the computer, such as a magnetic disk (flexible disk, hard disk, etc.) and an optical disk (CD-ROM, CD-R, CD-RW, DVD-ROM, DVD). It is recorded on a recording medium such as ± R, DVD ± RW, Blu-ray (registered trademark) Disc, etc.), a semiconductor memory, or a similar recording medium. The storage format may be any form as long as it is a recording medium that can be read by a computer or an embedded system. If the computer reads the program from the recording medium and causes the CPU to execute the instruction described in the program based on the program, the same operation as the control device of the above-described embodiment can be realized. Of course, when the computer acquires or reads the program, it may be acquired or read through the network.
In addition, the OS (operating system) running on the computer based on the instructions of the program installed in the computer or embedded system from the recording medium, database management software, MW (middleware) such as the network, etc. realize this embodiment. You may perform a part of each process for doing so.
Further, the recording medium in the present embodiment is not limited to a medium independent of a computer or an embedded system, but also includes a recording medium in which a program transmitted by a LAN, the Internet, or the like is downloaded and stored or temporarily stored.
Further, the recording medium is not limited to one, and when the processing in the present embodiment is executed from a plurality of media, the recording medium is included in the recording medium in the present embodiment, and the configuration of the medium may be any configuration.

The computer or the embedded system in the present embodiment is for executing each process in the present embodiment based on the program stored in the recording medium, and is a device including one such as a personal computer and a microcomputer, and a plurality of devices. The device may have any configuration such as a system connected to a network.
Further, the computer in the present embodiment is not limited to a personal computer, but also includes an arithmetic processing unit, a microcomputer, etc. included in an information processing device, and is a general term for devices and devices capable of realizing the functions in the present embodiment by a program. ing.

The invention of the present application is not limited to the above embodiment, and can be variously modified at the implementation stage without departing from the gist thereof. In addition, each embodiment may be carried out in combination as appropriate as possible, in which case the combined effect can be obtained. Further, the above-described embodiment includes inventions at various stages, and various inventions can be extracted by an appropriate combination in a plurality of disclosed constituent requirements.

1 ... Mobile control system 10 ... IoT device 11 ... Mobile 12 ... AI speaker 15 ... Control device 20 ... Control device 30 ... Communication system 31 ... Base station 32 ... Normal world 33 ... Secure world 70 ... Blockchain network 71 ... Communication Medium 75 ... Public ledger 101 ... Secure element 103 ... Control unit 105 ...

Communication unit

321, 322 ... Control application 323 ... TEE driver 331 ... Access control unit 332 ... Verification unit 800 ... Table 801 ... Control application ID
802 ... Code signing key 803 ... Code signing verification key 804 ... Flag 1011 ... Storage unit 1012 ... Signature unit

Claims

When sending a message from an application with a code sign to the outside, an acquisition unit that acquires an access request signal from the application to the secure element, and an acquisition unit.
A verification unit that verifies the code signing of the application,
An access control unit that permits access to the secure element from the application only when the verification of the code signing is successful.
A communication unit that sends a signed message digitally signed by the secure element to the outside,
A control device equipped with.
The first aspect of claim 1, wherein when the digital signature of the signed message is verified and the verification of the digital signature is inconsistent, it is determined that the control device that transmitted the signed message is mediated by an unauthorized application. Control device.
The control device according to claim 1 or 2, wherein the access control unit generates an alert signal when a mismatch occurs in the verification of the code signing or a mismatch occurs in the verification of the digital signature.
When a plurality of verification keys related to the code signing and a flag indicating whether each of the plurality of verification keys is valid or invalid are associated and registered in the blockchain.
The access control unit refers to the blockchain and permits access to the secure element from the application only when the code signing is successfully verified with a currently valid verification key, according to claim 1. Item 3. The control device according to any one of Items 3.
When multiple verification keys for the code signing and values for the agreed terms are registered in the blockchain
The access control unit refers to the blockchain, determines the validity of the verification key based on the conditional expression regarding the agreed condition for the value registered in the blockchain, and the code signing is: The control device according to any one of claims 1 to 3, which permits access to the secure element from the application only when the verification with the verification key determined to be valid is successful.
When the acquisition means sends a message from the code-signed application to the outside, the acquisition request signal from the application to the secure element is acquired.
Verification means verifies the code signing of the application and
Only when the access control means succeeds in the verification of the code signing, the access to the secure element is permitted from the application.
A control method in which a communication means transmits a signed message digitally signed by the secure element to the outside.
A drone device including the control device according to any one of claims 1 to 5.