The present invention relates to a technique for authenticating an authentication-target apparatus by an authentication apparatus, and an image forming apparatus.
An image forming apparatus has a replaceable unit. For example, a fixing unit that causes a toner image formed on a print material to be fixed to the print material is used in a high temperature environment, and thus its lifespan is short in comparison to that of a main body of the image forming apparatus. Accordingly, the fixing unit is normally designed as a replaceable unit. In addition, there are cases where an expansion unit that can be attached to the image forming apparatus is prepared as an option in accordance with a selection by a user. For example, a feeder or a sheet discharge unit may be prepared as an expansion unit. There are cases where imitation goods of these replaceable units or expansion units, which are designed to be able to be detached from the main body of the image forming apparatus, are circulating in the market. When such an imitation good is installed in the image forming apparatus and used, there is the possibility of a problem occurring, such as the image forming apparatus main body malfunctioning. For this reason, there is a need to identify whether a unit attached to the image forming apparatus is a genuine product.
Authentication techniques which are a type of cryptography are already being used to determine/authenticate whether an attached unit is a genuine product. NIST_FIPS_PUB 180-4 discloses the AES algorithm which is shared key encryption. NIST_FIPS_PUB 197 discloses the SHA-256 algorithm, which is a cryptographic hash function. As described by Japanese Patent Laid-Open No. 2003-162986, challenge-response authentication, which uses shared key encryption or a cryptographic hash function, is typically used for authentication. Japanese Patent Laid-Open No. 2003-162986 discloses a configuration in which authentication is performed by an authentication-target apparatus encrypting random number data (the challenge) received from an authentication apparatus and sending back encryption data (the response), and the authentication apparatus determining whether the encryption data is correct. Note that NIST SP 800-38B discloses a method for calculating a message authentication code (a response) based on shared key encryption. Furthermore, NIST_FIPS_PUB 198-1 discloses a method for calculating a message authentication code (a response) based on a cryptographic hash function. Challenge-response authentication assumes that an authentication apparatus and an authentication-target apparatus have the same cryptographic key. Accordingly, it is important to conceal the cryptographic key. Accordingly, storage and authentication processing of the cryptographic key is performed using a tamper-resistant chip having high security, such as a secure LSI.
However, techniques for analyzing secure LSIs are improving year by year, and even if security performance was high when initially developed, there is a possibility that the security performance will decrease in a short period. In Japanese Patent Laid-Open No. 2003-162986, because the authentication apparatus and the authentication-target apparatus hold a shared cryptographic key, it is possible to manufacture an authentication-target apparatus that can be successfully authenticated by the authentication apparatus when analysis of either the authentication apparatus or the authentication-target apparatus succeeds.
According to an aspect of the present invention, a method of authenticating an authentication-target apparatus by an authentication apparatus that holds a first original key out of a plurality of original keys, and an identifier of the first original key is presented. The authentication-target apparatus holds a first value, and a plurality of derived keys generated by taking each of the plurality of original keys and the first value as inputs to a one-way function. The method includes: the authentication-target apparatus selecting a selected key from the plurality of derived keys based on the identifier of the first original key which was notified from the authentication apparatus; the authentication-target apparatus generating authentication data based on challenge data which was notified from the authentication apparatus, and a first generated key based on the selected key; the authentication apparatus generating an authentication key by taking the first original key and the first value which was notified from the authentication-target apparatus as inputs to the one-way function; the authentication apparatus generating comparison data based on the challenge data and a second generated key based on the authentication key; and the authentication apparatus authenticating the authentication-target apparatus by comparing the comparison data and the authentication data which was notified from the authentication-target apparatus.
Further features of the present invention will become apparent from the following description of exemplary embodiments with reference to the attached drawings.
Exemplary embodiments of the present invention will be described hereinafter, with reference to the drawings. Note, the following embodiments are examples and the present invention is not limited to the content of the embodiments. Also, for the following drawings, elements that are not necessary in the explanation of the embodiment are omitted from the drawings.
In addition, the authentication-target chip 103 receives a command from the control apparatus 105 via the communication I/F circuit 104, and, as a reply, transmits a response to the control apparatus 105 via the communication I/F circuit 104. An input/output unit 301 of the authentication-target chip 103 transmits and receives responses/commands to and from the communication I/F circuit 104. A microcontroller 302 executes internal processing in accordance with a command from the control apparatus 105. Note that, in such a case, the microcontroller 302 stores temporary data in a volatile memory 303. An encryptor 304 executes an encryption calculation in the authentication processing, in accordance with an instruction from the microcontroller 302. Note that the encryptor 204 and the encryptor 304 perform calculations for encryption in accordance with the same algorithm. A non-volatile memory 305 holds a key used in the encryption calculation, and data necessary for authentication processing. A starting point of the authentication processing is the control apparatus 105. In other words, the control apparatus 105 transmits a command to the authentication chip 106 and the authentication-target chip 103, and the authentication chip 106 and the authentication-target chip 103 perform processing in accordance with the command and transmit responses to the control apparatus 105.
In contrast, a derived key (DK) is stored in the non-volatile memory 305 of the authentication-target chip 103. One derived key is derived in accordance with a one-way function, from one original key and one unique value. Below, a derived key that is derived from a unique value j and an original key MK_i is denoted as a derived key DK_ij. The derived key DK_ij is obtained in accordance with the calculation of DK_ij=F(MK_i, j). Note that F( ) is a one-way function, and can be a function used in a cryptographic hash function, or a shared key encryption calculation. As illustrated by
The non-volatile memory 305 of the authentication-target chip 103 stores one unique value and n derived keys that are respectively generated from the unique value and n original keys.
For the one-way function F( ), it is possible to use a cryptographic hash function or a shared key encryption function, as described above. In the case of a cryptographic hash function, it is possible to use SHA-256 which is disclosed in NIST_FIPS_PUB 180-4. In this case, the derived key DK_ij is obtained by taking data resulting from concatenating an original key MK_i and a unique value j as an input to a cryptographic hash function in accordance with SHA-256. In addition, in the case of a shared key encryption function, it is possible to use AES which is standardized in NIST_FIPS_PUB 197. In this case, the derived key DK_ij can be obtained by taking the unique value j as a message, and encrypting the message with the original key MK_i, by a method in accordance with AES. The unique value stored in the non-volatile memory 305 is decided so as to be different for each process cartridge 102, when the process cartridge 102 is manufactured. Note that, instead of a configuration where differing unique values are stored in all process cartridges 102, there may be a configuration where one unique value selected from a plurality of unique values is assigned to a process cartridge 102. In a manufacturing step, the unique value assigned to the process cartridge 102 and n derived keys respectively generated from the unique value and n original keys are stored in the non-volatile memory 305 of this process cartridge 102.
At C04, the control apparatus 105 transmits the original key ID to the authentication-target chip 103. At OP02, the authentication-target chip 103 selects the derived key corresponding to the original key ID as a selected key. Accordingly, when the authentication-target chip 103 is legitimate, the selected key selected by the authentication-target chip 103 is the same as the authentication key DK_ij generated by the authentication chip 106 at OP01. When the selected key is selected, the authentication-target chip 103, at R04, notifies the control apparatus 105 that selection of the selected key is complete. At OP03, the control apparatus 105 generates random number data as challenge data. At C05, the control apparatus 105 transmits a command to generate authentication data to the authentication-target chip 103. This command includes the random number data (challenge data).
At OP04, the authentication-target chip 103 uses the encryptor 304 to generate authentication data, which is response data, from the selected key DK_ij and the random number data. At R05, the authentication-target chip 103 notifies the authentication data (response data) to the control apparatus 105. At C06, the control apparatus 105 issues a command to the authentication chip 106 to generate comparison data. This command includes the random number data and the authentication data. At OP05, the authentication chip 106 uses the encryptor 204 to generate the comparison data from the authentication key DK_ij and the random number data, and compares the comparison data with the authentication data. Because the encryptor 204 and the encryptor 304 perform the same encryption calculation, authentication data and the comparison data match when the authentication-target chip 103 is legitimate. At R06, the authentication chip 106 notifies a comparison result to the control apparatus 105, in other words, whether the comparison data and the authentication data match. At OP06, the control apparatus 105 determines authentication OK upon receiving a notification that the comparison data and the authentication data match, and determines authentication NG (no good) when there is no match.
The control apparatus 105 determines that the process cartridge 102 is a genuine article upon determining authentication OK, and determines that the process cartridge 102 is not a genuine article upon determining authentication NG. Upon determining that the process cartridge 102 is not a genuine article, the control apparatus 105 displays to a user that the process cartridge 102 is not a genuine article, for example. Alternatively, upon determining that the process cartridge 102 is not a genuine article, for example, the control apparatus 105 suspends image forming processing, and performs a display, on a display unit (not shown) of the image forming apparatus, for entrusting a user with a decision of whether to permit image formation.
Note that the order of the sequence of
For calculation of the authentication data, it is possible to use CMAC, which is based on a shared key encryption technology and described in NIST SP 800-38B, for example. In such a case, the random number data is taken as a message, encryption of the message is performed with the selected key DK_ij, and the encrypted data for the message is taken as the authentication data. For calculation of the authentication data, it is possible to use HMAC, which is based on a cryptographic hash function and described in NIST_FIPS_PUB 198-1, for example. In such a case, the random number data is taken as a text, and an encrypted hash value of a message is obtained with the selected key DK_ij. It is similar for the calculation of the comparison data. Of course, the same algorithm is used for the calculation of the authentication data and the comparison data.
For example, assume that the authentication chip 106 is attacked, and the original key MK_i held by the authentication chip 106 leaks. In such a case, the attacker could generate the derived key that is generated by using the obtained original key MK_i, but they could not generate the derived keys that correspond to other original keys. In such a case, the attacker could manufacture a unit that could authenticate as legitimate with an image forming apparatus 100 storing the original key MK_i in the authentication chip 106, but this unit would not have success in authenticating with an image forming apparatus 100 storing other original keys in the authentication chip 106.
For example, assume that the authentication-target chip 103 is attacked, and a derived key held by the authentication-target chip 103 leaks. Here, as illustrated by the sequence of
By the above configuration, it is possible to suppress the impact from the leakage of original keys or derived keys due to an attack. In this way, by virtue of the present embodiment, it is possible to have the difficulty of analysis with respect to the authentication chip 106 and the authentication-target chip 103 be higher than in the past. In particular, it is possible to provide an authentication system for making analysis of the authentication chip 106 essentially meaningless.
Subsequently, description is given regarding the second embodiment focusing on points of difference with the first embodiment. Note that the same reference numerals are used for elements that are the same as those described in the first embodiment, and description thereof is omitted.
For calculation of the authentication data, it is possible to use CMAC, which is based on a shared key encryption technology and described in NIST SP 800-38B, for example. In such a case, the concatenated data resulting from concatenating the random number data and the unit identifier is taken as a message, and encryption of the message is performed with the selected key DK_ij. For calculation of the authentication data, it is possible to use HMAC, which is based on a cryptographic hash function and described in NIST_FIPS_PUB 198-1 for example. In such a case, the concatenated data resulting from concatenating the random number data and the unit identifier is taken as a text, and an encrypted hash value of the text is obtained with the selected key DK_ij. It is similar for the calculation of the comparison data. Of course, the same algorithm is used for the calculation of the authentication data and the comparison data.
In the present embodiment, the unit identifier is used in generation of the authentication data and the comparison data. Accordingly, in addition to a similar effect as in the first embodiment, it is possible to verify whether the unit identifier is a value used in a genuine product. In other words, although illustration is not made in
Subsequently, description is given regarding the third embodiment focusing on points of difference with the first embodiment. An authentication system according to the present embodiment has the same configuration as in
At C34, the control apparatus 105 issues a command to the authentication chip 106 for instructing authentication key generation. This command includes the unique value j. At OP32, in accordance with the command, the authentication chip 106 generates the authentication key DK_ij based on the original key MK_i stored in the non-volatile memory 205 and the received unique value j. Note that a method of generating the authentication key is the same as the method of generating a derived key. When the authentication key DK_ij is generated, the authentication chip 106, at R34, notifies the control apparatus 105 that generation of the authentication key is complete.
At C35, the control apparatus 105 issues a command to the authentication-target chip 103 for instructing generated key generation. At OP33, firstly the authentication-target chip 103 selects the derived key corresponding to the original key ID as a selected key. Note that the original key ID is notified at C33. When the authentication-target chip 103 is legitimate, the selected key selected by the authentication-target chip 103 is the same as the authentication key DK_ij generated by the authentication chip 106 at OP32. Subsequently, the authentication-target chip 103 performs an update to increase by 1 the register value stored in the register Rg_ij corresponding to the selected key. A generated key is generated by taking the updated register value and the selected key as inputs for a one-way function. When the generated key is generated, the authentication-target chip 103, at R35, notifies the control apparatus 105 that generation of the generated key is complete.
At C36, the control apparatus 105 issues a command to the authentication chip 106 for instructing generated key generation. This command includes the register value. Note that it is possible to have a configuration in which the register value is notified to the authentication chip 106 in advance at the timing of C34, and in this case only the instruction of the command is made at C36. At OP34, the authentication chip 106 generates a generated key based on the authentication key DK_ij generated at OP32, and a value resulting from causing the notified register value to increase by 1. Note that an algorithm for generating the generated key is the same as the algorithm for generating the generated key in the authentication-target chip 103 at OP33. When the generated key is generated, at R36 the authentication chip 106 notified the control apparatus 105 of the completion of the generation of the generated key.
At OP35, the control apparatus 105 generates a predetermined fixed value as challenge data. At C37, the control apparatus 105 transmits to the authentication-target chip 103 a command for generating authentication data. This command includes the fixed value (challenge data). At OP36, the authentication-target chip 103 uses the encryptor 304 to generate the authentication data which is response data, from the generated key and the fixed value. At R37, the authentication-target chip 103 notifies the authentication data (response data) to the control apparatus 105.
Similarly, at C38, the control apparatus 105 transmits to the authentication chip 106 a command for generating comparison data. This command includes the fixed value (challenge data) generated at OP35. At OP37, the authentication chip 106 uses the encryptor 204 to generate the comparison data from the generated key and the fixed value. At R38, the authentication chip 106 notifies the comparison data (response data) to the control apparatus 105.
At OP38, the control apparatus 105 compares authentication data received from the authentication-target chip 103, and the comparison data received from the authentication chip 106. Because the encryptor 204 and the encryptor 304 perform the same encryption calculation, authentication data and the comparison data match when the authentication-target chip 103 is legitimate. The control apparatus 105 determines authentication OK if they match, and determines authentication NG if they do not match.
The control apparatus 105 determines that the process cartridge 102 is a genuine article upon determining authentication OK, and determines that the process cartridge 102 is not a genuine article upon determining authentication NG. Upon determining that the process cartridge 102 is not a genuine article, for example, the control apparatus 105 suspends image forming processing, and performs a display, on a display unit (not shown) of the image forming apparatus, for entrusting a user with a decision of whether to permit image formation.
Note that the order of the sequence of
One method for cracking a key for encryption is a method in which inputs and outputs to and from an encryptor are observed while the encryptor is caused to repeatedly operate. For example, with the same combination of the image forming apparatus 100 and the process cartridge 102, because the authentication key and the selected key used in authentication are always the same, there is the possibility that the authentication key or the selected key will leak due to this method. However, in the present embodiment, in place of the authentication key and the selected key of the first embodiment, generated keys that are derived from the authentication key and the selected key are used to generate authentication data and comparison data. Because register values that change in value each time of authentication are used for generation of the generated keys, the generated keys change every time for authentication. Accordingly, with the configuration of the present embodiment, it is very difficult to derive the authentication key or the selected key even with a method that observes inputs and outputs with respect to an encryptor while causing the encryptor to repeatedly operate. In addition, in the present embodiment, the generated keys are generated based on values resulting from performing a predetermined operation on register values, and not based on register values that are transmitted and received between the control apparatus 105 and the authentication chip 106 or the authentication-target chip 103. Accordingly, as long as the details of the predetermined calculation do not leak, an updated register value used in generation of a generated key is unclear even if it is possible to obtain register values that are transmitted and received, and it is possible to reduce the danger of the authentication key or the selected key leaking.
Note that, in the present embodiment, because a generated key used in generation of authentication data or comparison data changes each time for authentication, although the challenge data was given as fixed predetermined data, it is possible to have the challenge data be random data, similarly to in the first embodiment. Note that, in the present embodiment, comparison of authentication data and the comparison data is performed in the control apparatus 105, but configuration may be taken such that the comparison is performed by the authentication chip 106, similarly to in the first embodiment.
Subsequently, description is given regarding the fourth embodiment focusing on points of difference with the third embodiment. An authentication system according to the present embodiment has the same configuration as in
In the present embodiment, the unit identifier is used in generation of the authentication data and the comparison data. Accordingly, in addition to a similar effect as in the third embodiment, it is possible to verify whether the unit identifier is a value used in a genuine product. In other words, although illustration is not made in
Subsequently, description is given regarding the fifth embodiment focusing on points of difference with the third embodiment. An authentication system according to the present embodiment has the same configuration as in
At C45, the control apparatus 105 transmits the original key ID to the authentication-target chip 103, and issues a command to the authentication-target chip 103, instructing it to generate the generated key. At OP43, firstly the authentication-target chip 103 selects the derived key corresponding to the original key ID as a selected key. Accordingly, when the authentication-target chip 103 is legitimate, the selected key selected by the authentication-target chip 103 is the same as the authentication key DK_ij generated by the authentication chip 106 at OP42. Next, the authentication-target chip 103 generates the generated key based on the selected key and the register value. Note that the method of generating the generated key is similar to that in the third embodiment, excepting that the register value is used unchanged. When the generated key is generated, the authentication-target chip 103, at R45, notifies the control apparatus 105 that generation of the generated key is complete. The processing from C46 to R46 is the same as the processing of C36 to R36 of the third embodiment. Note that, at OP44, the authentication chip 106 generates the generated key by using the notified register value unchanged.
At OP45, the control apparatus 105 generates random number data as challenge data. At C47, the control apparatus 105 transmits to the authentication-target chip 103 a command for generating authentication data. This command includes the random number data (challenge data). At OP46, the authentication-target chip 103 uses the encryptor 304 to generate the authentication data which is response data, from the generated key and the random number data. At R47, the authentication-target chip 103 notifies the authentication data (response data) to the control apparatus 105.
Similarly, at C48, the control apparatus 105 transmits to the authentication chip 106 a command for generating comparison data. This command includes the random number data (challenge data) generated at OP45, and the authentication data. At OP47, the authentication chip 106 uses the encryptor 204 to generate the comparison data from the generated key and the random number data, and compares the comparison data with the received authentication data. Because the encryptor 204 and the encryptor 304 perform the same encryption calculation, authentication data and the comparison data match when the authentication-target chip 103 is legitimate. At R48, the authentication chip 106 notifies a comparison result to the control apparatus 105, in other words, whether the comparison data and the authentication data match.
At OP48, the control apparatus 105 determines authentication OK upon receiving a notification that the comparison data and the authentication data match, and determines authentication NG when there is no match. Note that, in the present embodiment, a comparison between authentication data and the comparison data is performed by the authentication chip 106 similarly to in the first embodiment, but it may be performed by the control apparatus 105, similarly to in the third embodiment. In addition, in the present embodiment, because the generated key is randomly changed each time of authentication, similarly to in the third embodiment, it is possible to use a fixed value for the challenge data instead of a random number. In addition, because the register value is randomly generated for each authentication in the present embodiment, it is possible to have a configuration in which it is updated by performing a predetermined calculation for each authentication, similarly to in the third embodiment. In other words, in the third embodiment, registers corresponding to respective derived keys are provided, but it is also possible to have a configuration in which one common register is provided for all derived keys. Furthermore, in the second embodiment, it is possible to generate authentication data and comparison data by also using a unit identifier UID, similarly to in the second embodiment or the fourth embodiment.
Note that, in the embodiments described above, the process cartridge 102 or the fixing unit 802 of an image forming apparatus was authenticated as a replaceable unit, but any replaceable unit (expansion unit) of the image forming apparatus can be authenticated as an authentication-target apparatus. In addition, the present invention can be applied, not only to an image forming apparatus, but also in the case where any apparatus is set as an authentication apparatus, and any unit that can be detached from the main body of this apparatus is set as an authentication-target apparatus.
Embodiments of the present invention can also be realized by a computer of a system or apparatus that reads out and executes computer executable instructions (e.g., one or more programs) recorded on a storage medium (which may also be referred to more fully as ‘non-transitory computer-readable storage medium’) to perform the functions of one or more of the above-described embodiments and/or that includes one or more circuits (e.g., application specific integrated circuit (ASIC)) for performing the functions of one or more of the above-described embodiments, and by a method performed by the computer of the system or apparatus by, for example, reading out and executing the computer executable instructions from the storage medium to perform the functions of one or more of the above-described embodiments and/or controlling the one or more circuits to perform the functions of one or more of the above-described embodiments. The computer may comprise one or more processors (e.g., central processing unit (CPU), micro processing unit (MPU)) and may include a network of separate computers or separate processors to read out and execute the computer executable instructions. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium. The storage medium may include, for example, one or more of a hard disk, a random-access memory (RAM), a read only memory (ROM), a storage of distributed computing systems, an optical disk (such as a compact disc (CD), digital versatile disc (DVD), or Blu-ray Disc (BD)™), a flash memory device, a memory card, and the like.
While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. The scope of the following claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.
This application claims the benefit of Japanese Patent Application No. 2017-198753, filed on Oct. 12, 2017 and No. 2018-140710, filed on Jul. 26, 2018, which are hereby incorporated by reference herein in their entirety.
Number | Date | Country | Kind |
---|---|---|---|
2017-198753 | Oct 2017 | JP | national |
2018-140710 | Jul 2018 | JP | national |