The present invention relates generally to a control system having a download function for receiving an execution program of a control function from a host control system and updating that execution program, and more particularly to a control system having a download function that safeguards the system against programs which do not run correctly or are unlawful, and that enables system functions to be recovered even if a download fails.
With the advancement and spread of microprocessors, a variety of peripheral devices are designed to be controlled by programs, and their functions have become complicated. Further, with the advent of new technologies such as E-commerce, security against forgery, unlawful acts, etc. is strongly demanded of such systems.
For example, in the password (personal identification number (PIN)) input function of an automatic machine (a cash dispenser (CD) or an automatic teller machine (ATM)) that accepts cash accounting processes in place of a service window at a bank, the conventional method is that the control unit of the automatic machine directly processes signals from a key pad and the password is sent as it is to a host computer system. An up-to-date method, however, adopts an architecture in which an input unit structured for security accepts the password input and transfers the encrypted password to the control unit of the automatic machine. This architecture makes it difficult to steal the password by either a physical or a logical method.
Moreover, there is a technical trend toward methods that are more complicated and offer higher security than before in terms of the encryption algorithm and the management of the encryption key.
A majority of the functions required of a peripheral system are realized by software, and improvements to those functions are regularly requested. Hence, a variety of program download methods have been proposed and carried out for updating the execution program of the control function of the peripheral system without replacing any physical parts.
In terms of security, however, there exists a risk that the functions of the peripheral system, i.e., a control system having a download function (hereinafter referred to in some cases as a download control system), are stopped by the download of an unlawful program, and a risk that an unlawful act is thereby enabled.
Further, there might be cases in which a wrong program is downloaded without any deliberate unlawful act, or in which the download control system falls into an unusable state due to an unexpected fault such as a disconnection of the power source in the middle of downloading.
An auto recovery function is effective in preventing a halt of the function of the download control system; however, a retry can be made after the auto recovery even if an error occurs while downloading an unlawful program, which encourages the development of unlawful programs on a trial-and-error basis.
There is a method of preventing a wrong download by setting a version number (a version serial number) in the program transmitted from the host control system and comparing this number with the program version number already stored in the download control system. Namely, an unexpected download is detected and inhibited by accepting only a downloaded program whose version number is consecutive with the stored one.
Further, known techniques for detecting errors in downloading are error detection techniques such as a check sum or a BCC (Block Check Code) that append a check digit to the data.
An invention aimed at preventing a download target program from being fabricated or falsified, and at detecting errors in the download program data, is the [File Load System] disclosed in Japanese Patent Application Laid-Open Publication No. 5-173892. This system encrypts the program data and utilizes a check digit generated from the encrypted output.
A similar invention is the [Method of Implementing Cryptographic Authentication Function] disclosed in Japanese Patent Laid-Open Publication No. 9-282155. This method loads and decrypts a program that has been encrypted or digitally signed when the program is executed, and erases the program code after execution.
It is also self-evident that public-key cryptography, in which the download target program is encrypted with a public key and the downloaded program data is decrypted with a secret key generated in the download control system, ensures the security of the download target program.
The following are inventions of technologies for restoring the function after a download failure. To be specific, one invention (titled [Download Program Compensating Device and Method thereof], disclosed in Japanese Patent Application Laid-Open Publication No. 11-184705) stores the same program on a plurality of memories, periodically calculates a check sum for the program, and, if an error is detected, copies the program from a memory in which no error occurred. Another invention (titled [Control System for Vending Machine], disclosed in Japanese Patent Application Laid-Open Publication No. 11-265282) segments a memory into two areas A and B, downloads a new control program into area B while the control program in area A is being executed, and executes the control program in area B only when the download has succeeded. Still another invention (titled [Digital Television Image Receiver], disclosed in Japanese Patent Application Laid-Open Publication No. 2000-137607) writes a piece of identifying information showing whether the download succeeded to a nonvolatile memory and, if it did not succeed, executes the download again at start-up.
Among the conventional technologies described above, with a technology that does not encrypt the download module (the download target program data, etc.), there remains a large possibility that the download module is obtained and analyzed, a security weak point of the download control system is detected, and a falsified download module is created.
Further, the conventional technology utilizing cryptography does not adopt any special method for generating and managing the encryption key. Accordingly, if the encryption key is obtained, even the encrypted download module can be decrypted and altered. Managing a multiplicity of encryption keys (secret keys) while keeping them in correspondence with the download modules is troublesome, and it is therefore desired that management of the encryption keys themselves be unnecessary.
Further, in case the download fails due to an unlawful act or an accident, with the conventional technology for restoring the function of the download control system, a retry can be made from the same state owing to the restoration even when an attempt to download an unlawful module ends in failure, thereby facilitating the development of the unlawful module.
As for a security module safeguarded physically and logically so that its internal data and program are neither stolen nor falsified, it is desirable that a program download method be adopted in order to facilitate modifying and adding functions.
If the security module is easily decipherable, however, there is a risk that a logical weak point of this security module is revealed or that the module is falsified in order to commit an unlawful act.
It is also conceivable that an unexpected fault occurs due to mistakenly downloading a download module with a different module version number, or executing a download module in which an error occurred.
Such being the case, a control system having a download function for the encrypted security module is desired to meet the following requirements:
(1) Neither an unintended module having a different module version number nor a module in which a data error occurred shall be accepted;
(2) If an error occurs midway through downloading (a download failure), the downloaded program shall by no means be executed;
(3) Even if the download fails, the function of the security module shall be restorable by downloading once again;
(4) The program shall not be decipherable from the download module;
(5) A downloadable download module shall not be creatable by falsifying a normal download module;
(6) Download trial-and-error attempts for developing an unlawful download shall be restricted;
(7) A normal download module shall be downloadable without any need to input a keyword or the like. Namely, redundant pieces of security data such as a keyword shall be unnecessary; and
(8) No special data requiring special management, such as an encryption key or a keyword, shall be used.
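As an added illustration, not part of the patent text, the following Python simulation combines the three mechanisms the background describes (the consecutive version-number check, a BCC check digit, and the two program areas A and B with a nonvolatile flag recording whether the download succeeded) and shows how together they satisfy requirements (1) through (3) above: a module with a skipped version number or a corrupted check digit is rejected, an interrupted download is never executed, and the previous program keeps running until a retry succeeds. The byte-XOR BCC, the class and method names, the chunked write and the simulated power loss are assumptions of this example and are not taken from the patent or any of the cited publications.

```python
# Added example: simulated download control system with version gating,
# BCC check digit, A/B program areas and a nonvolatile completion flag.
# All names, the two-bank layout and the byte-XOR BCC are assumptions of
# this illustration, not the patent's own design.
from dataclasses import dataclass, field
from typing import List, Optional


def bcc(data: bytes) -> int:
    """Block Check Code: XOR of every byte, appended by the host as a check digit."""
    result = 0
    for byte in data:
        result ^= byte
    return result


@dataclass
class DownloadModule:
    """Program data as transmitted by the host: version serial number, payload, check digit."""
    version: int
    payload: bytes
    check: int

    @classmethod
    def build(cls, version: int, payload: bytes) -> "DownloadModule":
        """Host side: compute the BCC over the version number and the payload."""
        return cls(version, payload, bcc(version.to_bytes(2, "big") + payload))


@dataclass
class DownloadController:
    """Control system with two program areas; only the active bank is ever executed."""
    initial_program: bytes
    version: int
    active: str = "A"
    nv_flag: str = "ok"          # stands in for the nonvolatile 'download succeeded' flag
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.banks = {"A": self.initial_program, "B": b""}

    def accept(self, module: DownloadModule) -> bool:
        """Requirement (1): only the next consecutive version, and only intact data."""
        if module.version != self.version + 1:
            self.log.append(f"reject: version {module.version}, expected {self.version + 1}")
            return False
        if bcc(module.version.to_bytes(2, "big") + module.payload) != module.check:
            self.log.append("reject: BCC mismatch")
            return False
        return True

    def download(self, module: DownloadModule, chunk_size: int = 4,
                 fail_at_chunk: Optional[int] = None) -> bool:
        """Write into the inactive bank chunk by chunk; switch banks only on full success.

        fail_at_chunk simulates a power loss after that many chunks have been written.
        """
        if not self.accept(module):
            return False
        inactive = "B" if self.active == "A" else "A"
        self.nv_flag = "incomplete"          # recorded before the first chunk lands
        self.banks[inactive] = b""
        for index, offset in enumerate(range(0, len(module.payload), chunk_size)):
            if fail_at_chunk is not None and index == fail_at_chunk:
                self.log.append("download interrupted")
                return False                 # flag stays 'incomplete'; active bank untouched
            self.banks[inactive] += module.payload[offset:offset + chunk_size]
        # Re-check the stored image before it is ever allowed to run.
        if bcc(module.version.to_bytes(2, "big") + self.banks[inactive]) != module.check:
            self.log.append("reject: stored bank fails BCC")
            return False
        self.active = inactive
        self.version = module.version
        self.nv_flag = "ok"
        return True

    def startup(self) -> str:
        """Requirements (2) and (3): an incomplete download is never executed;
        the previous bank keeps running and a new download may be attempted."""
        if self.nv_flag == "incomplete":
            self.log.append("startup: previous download incomplete, retry required")
            return "retry-required"
        return "run"

    def running_program(self) -> bytes:
        return self.banks[self.active]


if __name__ == "__main__":
    ctrl = DownloadController(b"PROG-V5", 5)
    good = DownloadModule.build(6, b"PROG-V6-NEW!")
    print(ctrl.download(good, fail_at_chunk=1), ctrl.startup(), ctrl.running_program())
    print(ctrl.download(good), ctrl.startup(), ctrl.running_program())
```

Running the block first simulates a power loss after one chunk (the controller reports that a retry is required and still runs the version 5 program), then retries the same module, after which bank B becomes active at version 6. Because the admission check consults only the stored version number and the check digit carried by the module itself, no keyword or separately managed key is involved at this stage, which is the direction requirements (7) and (8) point in.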