(1) Field of the Invention
The present invention relates to a technique of managing a token for restoring user security information in a security chip such as a TPM (Trusted Platform Module).
(2) Description of the Related Art
In recent years, there has been known an information processing terminal (information processing apparatus) internally containing a security chip (security function module) such as a TPM (Trusted Platform Module) for the improvement of the security level.
The TPM is a security chip based on a specification defined by the TCG (Trusted Computing Group), which is an industry standards group. For example, it is mounted on the motherboard of an information processing terminal, and includes a non-volatile memory storing a cipher key (core cipher key) for use in secure communications and a microprocessor dedicated to cipher processing. Moreover, the TPM is arranged so that the core cipher key stored in the non-volatile memory cannot be read out to the outside.
For example, the TPM has various types of cipher processing functions (RSA cipher processing, random number generation, and others), combined with functions to verify whether or not a platform complies with the TCG specification, to check whether or not the hardware or software has been falsified, and to protect the cipher key (core cipher key) stored in the TPM from being output to the outside.
In addition, for example, by using a core cipher key (user key) stored in the non-volatile memory, the TPM realizes security management at the hardware level: it not only encrypts cipher keys used by applications or the like but also generates a cipher key (user key) for each user, and it checks for illegal falsification of the BIOS (Basic Input Output System), illegal replacement or the like when the information processing terminal is activated so that, if some illegality is found, the activation is prevented.
The core cipher key stored in the TPM is unique to each TPM and, hence, the TPM cannot operate normally when it is moved into a different information processing terminal, which makes it difficult for an information processing terminal in which the TPM has been illegally mounted to use the functions of the TPM.
For example, the following patent document 1 discloses a technique of employing an encryption characteristic of a TPM for securing a boot-up process in a computer system, and the following patent document 2 discloses a technique of authenticating the owner having the legal authority of use by using initial data encrypted in a TPM.
In the TPM, at the setting thereof, a unique user key is generated on the basis of a core cipher key for each user using that information processing terminal, and this user key is encrypted with the core cipher key. Moreover, the generated user key is kept in a hard disk of the information processing terminal.
FIGS. 9A and 9B are illustrations for explaining the functions of the TPM. FIG. 9A is an illustration of a log-in technique to an information processing terminal in the case of no use of the functions of the TPM, and FIG. 9B is an illustration of a log-in technique to an information processing terminal in a case in which a log-in authentication is made by using the functions of the TPM.
In the information processing terminal, each user can carry out file encryption, electronic signature, log-in authentication to a terminal and others by using the user key and, for example, in a case in which the log-in to an information processing terminal is made without using the functions of the TPM, the user inputs a password (“aaa” in the example shown in FIG. 9A) for terminal log-in, set in advance, through the use of a keyboard (not shown) or the like as shown in FIG. 9A. Moreover, the information processing terminal conducts the processing such as user log-in authentication by using the terminal log-in password “aaa” inputted thereto.
On the other hand, as shown in FIG. 9B, in the case of use of the functions of the TPM, a terminal log-in password (“aaa” in the example shown in FIG. 9B) is encrypted in advance through the use of a user key and the user inputs a password (“bbb” in the example shown in FIG. 9B) for the use of the TPM through a keyboard or the like.
In addition, in the information processing apparatus, the TPM decrypts the terminal log-in password “aaa” by using this inputted password “bbb” and carries out the processing such as log-in authentication by use of the decrypted password “aaa”. As described above, in the case of the use of the TPM, the log-in authentication is made with higher security.
FIG. 10 is an illustration for explaining decryption data in the TPM.
Meanwhile, at the start of use of the TPM (at the initial setting), as shown in FIG. 10, an archive and a token, which are data for restoration, are generated to provide against breakage of the TPM and the like, and a password (token password) is set for this token.
In this case, the archive is backup file data for managing user information related to the TPM and is updated in the case of an increase/decrease in users using the TPM or a change of the password. Concretely, the user information related to the TPM includes, for example, a user ID, a user key, a password for the user key, and other information.
Moreover, in a conventional security management system, the archive is held in a hard disk or the like and, preferably, this archive is separately backed up regularly into an external storage medium.
The token is a cipher key related to the archive, and the archive is subjected to the encryption processing on the basis of this token. Moreover, for the use of the token, there is a need to use a password previously set in correspondence with this token. This enables the unauthorized use to be suppressed even in a case in which an external storage medium storing the token is stolen or in other cases. Moreover, so far, the token is kept in an external storage medium of an information processing terminal (or an external storage unit).
In the case of the loss of the token, the token can again be produced only when the TPM is newly reset and, preferably, the archive and the token are made to be unique to each information processing terminal for security.
Meanwhile, in a conventional information processing terminal equipped with a TPM and protected by encrypting the information in a hard disk through the use of this TPM or by monitoring the apparatus configuration, if the TPM should break, it becomes difficult to continue using this information processing apparatus.
Accordingly, the information processing terminal is returned to a state before the breakage of the TPM in a manner such that the broken TPM is replaced with a normal one (including the replacement in units of mother boards) and the original user information in the TPM is restored by using the archive and the token.
Referring to a flow chart (steps A10 to A100) of FIG. 11, a description will be given hereinbelow of a conventional method of restoring user information in a security management system.
The user information restoring method shown in the flow chart of FIG. 11 relates to an example of the restoration of user information in a TPM, i.e., a user ID, a user key, a password and others. It is carried out, for example, in a case in which the TPM in the information processing terminal is replaced with a new one because it has broken and become unusable, or when the data in the hard disk of the information processing terminal is duplicated and fully identical data is constructed (produced) in a different information processing terminal.
Let it be assumed that the archive is held in a hard disk of an information processing terminal while the token is stored in an external storage medium such as CD-ROM and the hard disk of the information processing terminal is in a non-replaced condition.
First of all, for making the TPM available, the TPM is changed to a use-permitted condition through the BIOS setting (activation) (step A10).
An operator of the information processing terminal (terminal manager) carries out the log-in to this information processing terminal on the basis of the manager authority, and the terminal manager again inputs a password. The information processing terminal confirms the legality of the operator because the log-in has been made legally on the basis of the manager authority, and resumes the re-construction of a terminal manager environment (step A20).
As a result of the confirmation as to whether or not the operator is an illegal terminal manager, in a case in which the information processing terminal makes a judgment that the operator is an illegal terminal manager, for example, because the terminal manager does not input a correct password (see YES route from step A30), an error display or the like is made on a display unit of the information processing terminal (step A100). Then, the processing comes to an end.
On the other hand, if the information processing terminal makes a judgment that it is a legal or proper terminal manager (see NO route from step A30), the information processing terminal carries out a user information restoration process (step A40). The information processing terminal calls an archive and a token needed for the user information restoration process.
In this case, the archive is acquired from a hard disk of the information processing terminal, or the like, while the token is obtained from an external storage medium such as CD-ROM. The terminal manager further inputs a password for the use of the token, and the information processing terminal confirms whether or not the inputted password for the token is correct, thereby checking the legality of the user (terminal manager) of the token (step A50).
As a result of the confirmation as to whether or not the operator is an illegal terminal manager (step A60), when the information processing terminal makes a judgment that the operator is an illegal terminal manager (see YES route from step A60), the operational flow moves to the step A100. Moreover, in a case in which the information processing terminal makes a judgment that it is not an illegal terminal manager (see NO route from step A60), the password of the user is inputted (re-inputted) for the restoration of the environment (user environment) for each user (step A70).
The information processing terminal confirms the legality of the user on the basis of the password inputted by the user (step A80) and, if the judgment shows that the user is an illegal user (see YES route from step A80), the operational flow goes to the step A100. On the other hand, if the judgment indicates that the user is a legal user (see NO route from step A80), the user environment related to the user is re-constructed (step A90). Thereafter, the processing comes to an end.
Furthermore, in a case in which a plurality of information processing terminals carry out the replacement of the TPM or mother board, the above-mentioned restoration processing is conducted with respect to all the plurality of information processing terminals.
Patent Document 1: Japanese Patent Laid-Open No. 2006-092533
Patent Document 2: Japanese Patent Laid-Open No. 2004-282391
However, as mentioned above, it is preferable for security that the archive and the token are unique to each information processing terminal, so that there exist as many archives and tokens as there are information processing terminals.
This creates a problem for the terminal manager in that the number of archives to be backed up and the number of tokens to be managed increase with the number of information processing terminals being managed, which makes the management complicated. For example, if there are some hundreds of information processing terminals, there are some hundreds of tokens and archives to be kept, and it is troublesome to keep all of the some hundreds of tokens on external media and to carry these external media along whenever a maintenance operation takes place, which is impractical. Moreover, from the viewpoint of security, it is undesirable that a maintenance worker carries the token.
In addition, the token and the archive are basically used only at maintenance operations, so the frequency of use is low and, when they are managed by being retained on an external medium or the like, there is a possibility that they get lost. Moreover, the password for the use of the token may also be forgotten.
Still additionally, there occurs a problem in that, if the token or the archive gets lost or if the password for the use of the token is forgotten, the restoration of the original user information in the TPM becomes impossible.
Although it is also conceivable that, for reducing the trouble of management, a password for the use of the token is not set (used) so as to eliminate the need for the management of the password, in the case of no password being set there is a problem in that it is difficult to cope with conduct such as the illegal duplication of the token, which lowers the security level.
Yet additionally, there is a problem with the conventional security management method in that, since the token is stored on an external medium such as a CD-ROM, it is difficult to manage and grasp how the token is being used, and measures cannot be taken to confirm possible illegal use of the token.
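The dependency among archive, token and token password described above can be made concrete with the following added sketch, which is not part of the original document and is not how any TPM vendor implements it. It assumes the token is a random key wrapped under a key derived from the token password, and it uses an HMAC-SHA256 construction as a stand-in for the unspecified cipher; all function names are hypothetical.

```python
import hashlib, hmac, os

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce | ciphertext | tag.
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def _kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the token password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def initial_setting(user_info: bytes, token_password: str):
    """Generate the archive and the token at the initial setting (FIG. 10)."""
    token_key, salt = os.urandom(32), os.urandom(16)
    archive = seal(token_key, user_info)  # kept on the hard disk
    token_file = salt + seal(_kek(token_password, salt), token_key)  # external medium
    return archive, token_file

def restore(archive: bytes, token_file: bytes, token_password: str) -> bytes:
    """Steps A40 to A60: check the token password, then decrypt the archive."""
    salt, wrapped = token_file[:16], token_file[16:]
    token_key = unseal(_kek(token_password, salt), wrapped)  # fails on a wrong password
    return unseal(token_key, archive)  # fails if the token belongs to another terminal
```

With this layout, restoration needs all three of archive, matching token and token password; losing any one of them leaves the user information unrecoverable, which is the failure mode the passage describes.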