JP4597551B2 - Software update device, software update system, software update method, and program - Google Patents

Description

  The present invention relates to a software update device that updates software of a device to be updated that can communicate via a network, a software update system configured by such a software update device and the device to be updated, and software update by the software update device described above. The present invention relates to a method and a program for causing a computer to function as the software update device. As software to be updated, for example, firmware and application programs can be considered.

2. Description of the Related Art Conventionally, in image processing apparatuses such as printers, FAX apparatuses, copiers, scanners, and digital multifunction peripherals, firmware that is software for performing basic hardware control can be updated. In Patent Document 1, when the service center acquires firmware version information from the image forming apparatus, and determines that the version is old and needs to be updated, the firmware is transmitted to the image forming apparatus via the communication control apparatus. An image forming apparatus management system for updating firmware is described.
JP 2002-288066 A

By the way, in the image forming apparatus management system described in Patent Document 1, communication between the service center and the communication control apparatus is basically performed between a public line (PSTN), a dedicated line, and between the communication control apparatus and the image forming apparatus. Communication is performed using a communication path of the RS-485 standard.
On the other hand, in recent years, a management system in which communication between a management device and a managed device is performed via a network such as the Internet or a local area network (LAN) has been proposed with emphasis on versatility and expandability. Yes. In such a management system as well, as in the case of Patent Document 1, it is conceivable that firmware is transmitted from the management apparatus to the managed apparatus to update the firmware.

What can be considered as processing in this case is, for example, the processing shown in the sequence diagram of FIG. In this case, it is considered that the management device is a firmware update device (firmware update device), and the managed device is a firmware update device (hereinafter also simply referred to as “firmware”).
In the processing shown in FIG. 26, the firmware update device 91 and the updated device 92 communicate using FTP (File Transfer Protocol). An ID and password for FTP are set in the firmware update device 91 in advance. These are stored in both the firmware update device 91 and the updated device 92.

In this processing, first, the firmware update device 91 executes version information acquisition processing at regular time intervals or when a predetermined event occurs, and sends an ID and password to the update target device 92 to request connection by FTP. To do. The ID and password comply with the FTP standard, and the update target device 92 that is requested to connect can authenticate the firmware update device 91 using these. Then, the ID and password are compared with those stored, and if they match, the connection is established as successful authentication (S11). If the IDs or passwords do not match, the connection is not established and an error occurs and the process ends.
When the connection is established, the firmware update device 91 requests the updated device 92 to transmit the firmware version information, and the updated device 92 transmits the firmware version information in response thereto (S12). Thereafter, the firmware update device 91 disconnects the connection with the update target device 92 (S13). The above is the version information acquisition process.

Next, the firmware update device 91 determines whether update is necessary based on the acquired firmware version information. If the latest version of the firmware is already installed in the update target device 92, the update is not necessary. If it is determined that the update is unnecessary, the process is terminated, and then the version information acquisition process is performed again when a trigger is generated. However, if it is determined that an update is necessary (S14), the next firmware transmission process is executed.
In this process, first, as in the case of step S11, the ID and password are transmitted to the updated apparatus 92 to establish a connection (S15). Then, the update firmware is transmitted to the update target device 92 (S16). Upon receiving this, the update target device 92 performs a firmware update process (S17). When the update is completed, it resets itself and restarts to enable a new firmware (S18). Further, the FTP connection is disconnected by resetting the device to be updated 92. The above is the firmware transmission process.
Through the above processing, the firmware of the update target device 92 can be updated when necessary. Even when version information acquisition processing or firmware transmission processing is performed again, the same processing is performed using the same password, as indicated by the same step number following the sequence diagram.

However, since communication by FTP does not encrypt data, the ID and password are transferred over the network with plain text. Therefore, as shown in FIG. 27, if the communication path between the firmware update device 91 and the updated device 92 is monitored by the packet monitor 93, the ID and password can be extracted from the transferred data packet. If this is exploited, it becomes possible for a third party to impersonate the firmware update device 91 and access the update target device 92 to update the firmware to an unauthorized one.
Therefore, as shown in FIG. 26, it can be said that it is problematic in terms of safety to repeatedly use a password transmitted by FTP.
The above-mentioned points are similarly problematic even when the software to be updated is not firmware, but other application programs, for example.

As described in Patent Document 1, when a communication path such as PSTN, dedicated line, or RS-485 is used, communication is performed using a unique communication protocol. Communication cannot be monitored without analysis and knowledge of the protocol. Therefore, since monitoring is difficult, such a safety problem does not occur, and therefore, a means for solving this problem is not particularly described.
However, when trying to build a software update system using Internet standard technology such as TCP / IP (Transmission Control Protocol / Internet Protocol), the solution of such a safety problem is an important issue. .

By the way, in order to solve the above problem, a protocol called SSL (Secure Socket Layer) has been developed and widely used as a communication protocol for encrypting communication contents. By performing communication using this protocol, it is possible to combine a public key cryptosystem and a common key cryptosystem to authenticate a communication partner and to prevent tampering and eavesdropping by encrypting information.
If such SSL communication is performed, the firmware update device 91 and the updated device 92 can securely exchange a common key, and communication can be performed safely. However, a communication method including encryption processing such as SSL has a larger processing load related to authentication and data transfer than a communication method that does not perform encryption such as FTP.
In particular, this effect is significant when transmitting large data, such as software. Of course, even when a protocol other than FTP and SSL is used, there is a similar problem in terms of processing load.

  An object of the present invention is to solve these problems and reduce the load of update processing while ensuring high safety when updating software of a device to be updated that can communicate via a network by a software update device. And

In order to achieve the above object, according to the present invention, in a software update device capable of communicating with an update target device via a network, when updating the software of the update target device, update authentication information is generated and encrypted. Authentication information setting means for requesting transmission and storage to the device to be updated through the first communication path, and transmitting the authentication information for updating to the device to be updated and requesting authentication processing by the authentication information Authentication requesting means for transmitting, when the authentication process is successful, transmitting means for transmitting the update software to the updated apparatus through a second communication path having a processing load smaller than that of the first communication path, and the updated data Based on the communication with the device, when it is determined that the update of the software to the update software has succeeded in the updated device, the update authentication information is overwritten. It generates erasing information order, which one provided the authentication information erasing means for requesting to store in sending to the target update device in the first communication path to overwrite the updated authentication information It is.

Oite Such software update device, a software update of the target update device performs in accordance with the software update request from the outside, it may be provided with means to return the result to the request source of the update request.

Further, means for receiving a start notification indicating that the device has been started from the device to be updated, and obtaining the software version information from the device to be updated when the start notification is received from the device to be updated after transmission of the update software And means for confirming the success / failure of the update by comparing with the version information of the transmitted update software.
Furthermore, the first communication path may be a communication path for performing SSL communication, and the second communication path may be a communication path for performing FTP communication.
Alternatively, the first communication path may be a communication path for encrypting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

The software update system of the present invention is a software update system configured by a software update device and an update target device that can communicate with each other via a network, and updates the software of the update target device to the software update device. Authentication information setting means for generating authentication information for updating and requesting that it be transmitted to and stored in the device to be updated via the encrypted first communication path, and for updating the device to be updated Authentication request means for transmitting information and requesting an authentication process based on the authentication information; and when the authentication process is successful, the update software is transmitted on the second communication path having a processing load smaller than that of the first communication path. Based on the communication between the transmission means for transmitting to the device to be updated and the device to be updated, the software on the device to be updated When it is determined that the update to the update software has been successfully completed, erasure information for overwriting the update authentication information is generated and transmitted to the update target device via the first communication path to An authentication information erasure unit that requests to store the update authentication information by overwriting, and a storage unit that stores the update authentication information when requested to store the update authentication information; When the authentication process is requested, the authentication means that performs the authentication process using the received update authentication information and the update authentication information stored in the storage means and returns the result, and the authentication process succeeded. If the receiving software for the update, and updating means for updating the software of its own to the update software, communicates with the update device software by the update means to the update unit Means for confirming that the update was successful, in which it when it is required to store the erasure information and a means for storing and overwrite in the update authentication information.

In such a software update system, as means for making the device to be updated confirm that the software update has been successful, means for restarting the own device after the software update by the update means, and the software update at startup Means for transmitting an activation notification to that effect to the device, and means for transmitting software version information to the device in response to a request from the software updating device. When the activation notification is received from the update target device after transmission, the update target device is requested to transmit software version information to acquire the version information, and compared with the transmitted version information of the update software. It is preferable to provide a means for confirming the success or failure of the update.
Furthermore, the first communication path may be a communication path for performing SSL communication, and the second communication path may be a communication path for performing FTP communication.
Alternatively, the first communication path may be a communication path for encrypting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

The software update method of the present invention is a software update method for updating software of a device to be updated that can be communicated via a network by the software update device. Is transmitted to the updated device via the encrypted first communication path and stored, and the updated authentication information is transmitted to the updated device to perform authentication processing using the authentication information. , the authentication process the update software transmitted to the target update device with a small second communication path processing load than the first communication path when succeeds to perform the software update, the target update device If it is determined that the update of the software to the update software is successful in the update target device based on communication with It generates erasing information for overwriting the new authentication information, which is obtained by the so that by sending to the target update device is stored by overwriting on the updated authentication information in the first communication path is there.

Oite Such software updating method, a software update of the target update device performs in accordance with the software update request from the outside, may be to return the result to the request source of the update request.

Further, when receiving an activation notification indicating that the device has been activated from the updated device, and receiving the activation notification from the updated device after the transmission of the update software, obtain software version information from the updated device, The success or failure of the update may be confirmed by comparing with the transmitted version information of the update software.
Furthermore, the first communication path may be a communication path that performs SSL communication, and the second communication path may be a communication path that performs FTP communication.
Alternatively, the first communication path may be a communication path for encrypting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

Further, the program of the present invention generates authentication information for update when a computer that controls a software update device that can communicate with the update target device via a network updates the software of the update target device, and encrypts this information. Authentication information setting means for requesting transmission and storage to the device to be updated through the first communication path, and transmitting the authentication information for updating to the device to be updated and requesting authentication processing by the authentication information Authentication requesting means for transmitting, when the authentication process is successful, transmitting means for transmitting the update software to the updated apparatus through a second communication path having a processing load smaller than that of the first communication path, and the updated data When it is determined that the update of the software to the update software has succeeded in the updated device based on communication with the device, the update authentication information is included in the update authentication information. Generates erasing information for write, which functions as the authentication information erasing means for requesting to store in sending to the target update device in the first communication path to overwrite the updated authentication information It is a program to make it.

In such a program, the computer performs in accordance with the software update request from outside the software update of the target update device, a program for functioning as a means for returning the result to the request source of the update request further Should be included.

A means for receiving a start notification indicating that the computer has been started from the device to be updated; A program for obtaining version information and making it function as a means for confirming the success or failure of the update by comparing with the version information of the transmitted update software may be further included.
Furthermore, the first communication path may be a communication path for performing SSL communication, and the second communication path may be a communication path for performing FTP communication.
Alternatively, the first communication path may be a communication path for encrypting data to be transmitted, and the second communication path may be a communication path for transmitting data to be transmitted without encryption.

According to the software update device, the software update system, and the software update method of the present invention as described above, high security is ensured when the software of the update target device that can communicate via the network is updated by the software update device. However, the load of update processing can be reduced.
Further, according to the program of the present invention, the software update device can be controlled by a computer to realize the features of such a software update device, and the same effect can be obtained.

Preferred embodiments of the present invention will be described below with reference to the drawings.
First, a configuration example of a software update device and a software update system according to the present invention will be described. FIG. 1 is a conceptual diagram showing an example of the configuration of a remote management system including the software update system. In this figure, the mediation device 101 is a software update device, and the managed device 10 is an updated device. The management device 102 can be a software update device, and in this case, the mediation device 101 can be an update target device. Here, however, the mediation device 101 is a software update device and the managed device 10 is an update target device. Will be described. Although the case where the software to be updated is firmware will be described as an example here, it is needless to say that this may be other software such as an application program.

This software update system includes image processing devices such as printers, fax machines, digital copiers, scanners, digital multifunction devices, network home appliances, vending machines, medical equipment, power supply devices, air conditioning systems, gas, water, electricity, etc. 1 is configured as a part of a remote management system in which a communication device having a communication function in a weighing system, a general-purpose computer, an automobile, an aircraft, or the like is used as the managed device 10. When necessary, the intermediary device 101 has a function of transmitting firmware to the managed device 10 and updating the firmware of the managed device 10.
Further, the remote management system described above is an intermediary device 101 that is a remote management mediation device connected to the managed device 10 via a LAN (local area network), and further the mediation device 101 and the Internet 103 (in other networks such as a public line). A management device 102 functioning as a server device connected via the mediation device 101, and the management device 102 can centrally and remotely manage each managed device 10 via the mediation device 101. The intermediary device 101 and the managed device 10 have various hierarchical structures depending on the usage environment.

  For example, in the installation environment A shown in FIG. 1, the intermediary device 101a capable of establishing a direct connection with the management device 102 by HTTP has a simple hierarchical structure that follows the managed devices 10a and 10b. In the installation environment B shown, since four managed devices 10 are installed, the load increases only by installing one intermediary device 101. Therefore, the intermediary device 101b that can establish a direct connection with the management device 102 by HTTP follows not only the managed devices 10c and 10d but also another intermediary device 101c, and the intermediary device 101c is managed by the managed devices 10e and 10f. A hierarchical structure is formed to further follow. In this case, the information issued from the management device 102 for remotely managing the managed devices 10e and 10f is sent to the managed device 10e or 10f via the mediation device 101b and the mediation device 101c which is a lower node. Will be reached.

Further, as in the installation environment C, managed devices 11a and 11b with an intermediary function in which the managed device 10 is also provided with the function of the intermediary device 101 are connected to the management device 102 via the Internet 103 without using an intermediary device. You may make it do.
Although not shown, the managed device 10 can be further connected to the lower level of the managed device 11 with a mediation function.
Note that a firewall 104 is installed in each installation environment in consideration of security.

In such a remote management system, the intermediary device 101 has an application program for control management of the managed device 10 connected thereto.
The management apparatus 102 is mounted with an application program for performing control management of each intermediary apparatus 101 and further performing control management of the managed apparatus 10 via the intermediary apparatus 101. Then, each of these nodes in the remote management system including the managed device 10 transmits a “request” which is a request for processing for the method of the application program to be implemented by RPC (Remote Procedure Call). The “response” that is the result of the processed processing can be acquired.

That is, the intermediary device 101 or the managed device 10 connected thereto can generate a request to the management device 102 and deliver it to the management device 102 to obtain a response to the request, while the management device 102 A request to the mediating apparatus 101 side is generated and delivered to the mediating apparatus 101 side, and a response to the request can be acquired. This request includes causing the mediation device 101 to transmit various requests to the managed device 10 and obtaining a response from the managed device 10 via the mediation device 101.
In order to realize RPC, a known protocol (communication) such as SOAP (Simple Object Access Protocol: SOAP), HTTP (HyperText Transfer Protocol), FTP, COM (Component Object Model), CORBA (Common Object Request Broker Architecture), etc. Standards), technology, specifications, etc. can be used.

The transmission / reception data transmission / reception model is shown in the conceptual diagram of FIG.
(A) is a case where a request to the management apparatus 102 has occurred in the managed apparatus 10. In this case, the managed device 10 generates a managed device-side request a, and the management device 102 that receives the request via the mediation device 101 returns a response a to the request. A case where there are a plurality of mediation apparatuses 101 shown in the figure can also be assumed (installation environment B shown in FIG. 1). Note that (A) shows a case in which not only the response a but also a response delay notification a ′ is returned. When the management device 102 receives a request from the managed device via the mediation device 101 and determines that the response to the request cannot be returned immediately, it notifies the response delay notification and temporarily disconnects the connection state. This is because the response to the request is delivered again at the next connection.

  (B) is a case where a request for the managed device 10 has occurred in the management device 102. In this case, the management apparatus 102 generates a management apparatus side request b, and the managed apparatus 10 that has received the request via the mediation apparatus 101 returns a response b to the request. Even in the case of (B), the response delay notification b ′ is returned in the same manner as in the case of (A) when the response cannot be returned immediately.

Next, the physical configuration of the management apparatus 102 shown in FIG. 1 will be described. The management apparatus 102 includes a CPU, a ROM, a RAM, a nonvolatile memory, a network interface card (hereinafter referred to as a NIC), and the like (not shown). .
The physical configuration of the mediation apparatus 101 shown in FIG. 1 is as shown in FIG.
That is, CPU 52, SDRAM 53, flash memory 54, RTC (real time clock) 55, Op-Port (operation unit connection port) 56, PHY (physical media interface) 57, modem 58, HDD control unit 59, expansion I / F (interface) ) 60, RS232 I / F 61, RS485 I / F 62, HDD (hard disk drive) 63, and the like. The intermediary device 15 is connected to the LAN via the PHY 57. In addition, it is connected to the managed device 10 via the LAN. Although it is possible to connect to the managed device 10 via the RS232 I / F 61 and the RS485 I / F 62, it is assumed here that this I / F is not used.

  As for the managed device 11 with a mediation function, these units may be simply added to the managed device 10 in order to realize the function of the mediation device 101. However, the CPU, ROM, and RAM provided in the managed device 10 The functions of the intermediary device 101 can be realized by causing the CPU to execute appropriate applications and program modules using hardware resources such as the above.

  FIG. 4 is a block diagram illustrating an example of a software configuration of the mediation apparatus 101. As shown in this figure, the software of the intermediary device 101 is composed of three layers: an application layer 70, a service layer 80, and a protocol layer 90. The programs constituting these software are stored in the HDD 63, the SDRAM 53, or the flash memory 54, read as necessary, and executed by the CPU 52. The CPU 52 executes these programs as necessary and controls the apparatus to realize each function (function as authentication information setting means, authentication request means, transmission means, and other means). it can.

In this software, the application layer 70 has a device control method group 71 and an NRS (New Remote Service) application method group 72.
The device control method group 71 includes methods for management object information setting, device setting, software update, polling setting change, log output, and activation processing, and includes firmware update processing according to the features of this embodiment, It is a program for performing device information management and communication settings.
The NRS application method group 72 includes methods for log collection, software download, device command execution, device setting change, supply notification, abnormality notification, device activation / introduction, and device life / death confirmation, and various notifications from the managed device 10. Or a request for causing the managed device 10 to perform an operation in accordance with a request from the management device 102.

Next, the service layer 80 includes a security service 81, a connection device communication service 82, a management device communication service 83, and a scheduler service 84.
The security service 81 is a module that generates and executes a job for preventing or preventing unauthorized outflow of internal information or the like to the outside.
The connected device communication service 82 is configured to search for a device that is a target of information acquisition, manage connection with the target device, send and receive files, This module generates and executes jobs such as parameter management and APL management.
The management device communication service 83 is a module that generates and executes jobs such as command reception, file transmission / reception, information request, and information transmission (information notification) with the management device 102.
The scheduler service 84 is a module that deploys a remote control application based on predetermined set time information.

  The next protocol layer 90 includes methods for generating and executing a job for exchanging information using a protocol corresponding to an information transmission / reception target. In other words, it can control SOAP (Simple Object Access Protocol), HTTP, HTTPS (Hypertext Transfer Protocol Security), FTP, etc. used as its lower protocols so that it can be widely applied to the communication environment of network connection devices via LAN. Have a good method.

  Hereinafter, as a more specific example of the remote management system shown in FIG. 1, an image processing apparatus remote management system in which the image processing apparatus is a managed apparatus will be described. This remote management system includes an embodiment of a software update system according to the present invention in which an image processing apparatus is an update target apparatus. FIG. 5 is a conceptual diagram showing an example of the configuration of the image processing device remote management system. The managed device 10 is the image processing device 100 and the managed device 11 with the mediation function is the image processing device 110 with the mediation function. Since only the changed points are different from those of FIG. Note that the software update system can be configured only by the mediation apparatus 101 that is an embodiment of the software update apparatus of the present invention and the image processing apparatus 100 that is the update target apparatus, and other configurations such as the management apparatus 102 and the firewall 104. The element is not mandatory.

  The image processing apparatus 100 is a digital multi-function peripheral having functions such as copying, facsimile, and scanner, and a function for communicating with an external device, and an application program for providing a service related to these functions is installed. It is what. The image processing apparatus with an intermediary function 110 is obtained by adding the functions of the intermediary apparatus 101 to the image processing apparatus 100.

The physical configuration of such an image processing apparatus 100 will be described with reference to FIG.
FIG. 6 is a block diagram illustrating an example of a physical configuration in the image processing apparatus 100. As shown in the figure, the image processing apparatus 100 includes a controller board 200, an HDD (hard disk drive) 201, an NV-RAM (nonvolatile RAM) 202, a PI (personal interface) board 203, a PHY 204, an operation panel 205, a plotter / A scanner engine board 206, a power supply unit 207, a finisher 208, an ADF (automatic document feeder) 209, a paper feed bank 210, and other peripheral devices 211 are provided.

  Here, the controller board 200 corresponds to a control unit, includes a CPU, a ROM, a RAM, and the like, and controls each function via a PCI-BUS (Peripheral Components Interconnect-Bus) 212. The HDD 201 corresponds to a storage unit. The NV-RAM 202 corresponds to a storage unit and is a non-volatile memory, for example, a flash memory.

Also, the PI board 203 and the PHY 204 correspond to communication means and are used for communication with the outside, and for example, correspond to a communication board. The PI board 203 has an interface conforming to the RS485 standard, and is connected to a public line via a line adapter. The PHY 204 is an interface for communicating with an external device via a LAN. The PHY 204 is an IEEE (Institute of Electrical and Electronic Engineers) 802.11b standard (for wireless LAN), an IEEE 1394 standard, an IEEE 802.3 standard (Ethernet (registered trademark)). ) Correspondence) is provided, respectively, to provide a plurality of communication means.
The operation panel 205 is a user interface corresponding to the operation unit and the display unit.

  Here, ENGRDY in the figure is a signal line for notifying the controller board 200 side that various initial settings on the engine side have been completed and preparation for transmission / reception of commands with the controller board 200 is completed. PWRCTL is a signal line for controlling power supply to the engine from the controller board 200 side. The operation of these signal lines will be described later.

Next, a software configuration in the image processing apparatus 100 will be described with reference to FIG.
FIG. 7 is a block diagram illustrating an example of a software configuration of the image processing apparatus 100. The software configuration of the image processing apparatus 100 includes an uppermost application module (application) layer and lower service module layers. The programs constituting these software are stored in the HDD 201 or the RAM on the controller board 200, read as necessary, and executed by the CPU on the controller board 200. And CPU can implement | achieve each function (function as a memory | storage means, an authentication means, an update means, another means) by performing these programs as needed.

In particular, the software in the application module layer is configured by a program for causing the CPU to function as a plurality of application control means that realizes a predetermined function by operating hardware resources. The software in the service module layer includes the CPU, Service control that intervenes between hardware resources and each application control means, and receives operation requests for hardware resources from a plurality of application control means, arbitrates the operation requests, and controls execution of operations based on the operation requests. It is comprised by the program for functioning as a means.
The OS 320 is an operating system such as UNIX (registered trademark), and executes the programs of the service module layer and the application module layer in parallel as processes.

  The service module layer includes an operation control service (OCS) 300, an engine control service (ECS) 301, a memory control service (MCS) 302, a network control service (NCS) 303, a fax control service (FCS) 304, a customer support system (CSS). 305, system control service (SCS) 306, system resource manager (SRM) 307, image memory handler (IMH) 308, delivery control service (DCS) 316, user control service (UCS) 317, data encryption security service (DESS) ) 318, a certificate cut control service (CCS) 319 is implemented. Further, a copy application 309, a fax application 310, a printer application 311, a scanner application 312, a net file application 313, a web application 314, and an NRS (New Remote Service) application 315 are installed in the application module layer.

These will be described in further detail.
The OCS 300 is a module that controls the operation panel 205.
The ECS 301 is a module that controls an engine such as hardware resources.
The MCS 302 is a module that performs memory control. For example, the MCS 302 acquires and releases an image memory, uses the HDD 201, and the like.
The NCS 303 is a module that performs mediation between the network and each application program in the application module layer.
The FCS 304 is a module that performs facsimile transmission / reception, facsimile reading, facsimile reception printing, and the like.

The CSS 305 is a module that converts data when data is transmitted / received via a public line, and is a module that summarizes functions related to remote management via a public line.
The SCS 306 is a module that performs startup management and termination management of each application program in the application module layer according to the content of the command.
The SRM 307 is a module that controls the system and manages resources.
The IMH 308 is a module that manages a memory for temporarily storing image data.

The DCS 316 is a module for transmitting / receiving an image file or the like stored in a memory on the HDD 201 or the controller board 200 using SMTP (Simple Mail Transfer Protocol) or FTP (File Transfer Protocol).
The UCS 317 is a module that manages user information such as destination information and address information registered by the user.
The DESS 318 is a module that authenticates each unit or external device using PKI or SSL and encrypts communication.
The CCS 319 is a module that performs an authentication process on the authentication information input to the image processing apparatus 100.

The copy application 309 is an application program for realizing a copy service.
The fax application 310 is an application program for realizing a fax service.
The printer application 311 is an application program for realizing a printer service.

The scanner application 312 is an application program for realizing a scanner service.
The net file application 313 is an application program for realizing a net file service.
The web application 314 is an application program for realizing a web service.
The NRS application 315 is an application program for realizing data conversion when data is transmitted / received via the network and functions related to remote management via the network (including functions related to communication with the management apparatus 102). . It also has a function of converting data received from an external device via a network into a data structure suitable for processing in each application.
For convenience of explanation, in the following explanation, processing executed by the CPU according to each program as described above will be explained as those programs executing the processing.

Here, the operation of the ENGRDY signal and the PWRCTL signal will be described with reference to FIG.
FIG. 8A shows an example of the operation of the ENGRDY signal and the PWRCTL signal when the device starts up. When the AC power of the AC-POWER is turned on, power supply is started, and at the same time, the ENGRDY signal becomes High. In this state, communication with the engine side is not possible. This is because the initial setting on the engine side has not been completed. Then, the initial setting on the engine side is completed after a lapse of a certain period, and communication with the engine side becomes possible when the ENGRDY signal becomes Low.

  Next, FIG. 5B shows an example of the operation of the ENGRDY signal and the PWRCTL signal when the mode is shifted to the energy saving mode. To shift to the energy saving mode, the controller board 200 turns off the PWRCTL signal. At the same time, the power supply will drop. Along with this, the ENGRDY signal becomes High and shifts to the energy saving mode. Next, the case of returning from the energy saving mode is shown in FIG.

  FIG. 3C shows an example of the operation of the ENGRDY signal and the PWRCTL signal when returning from the energy saving mode. When returning from the energy saving mode (B), the controller board 200 turns on the PWRCTL signal. At the same time, power is supplied. However, as shown in (A) above, the ENGRDY signal is in a high state until the initial setting on the engine side is completed, and when the initial setting is completed, communication with the engine side becomes possible and becomes Low.

Next, the internal configuration of the NRS application 315 included in the software configuration of the image processing apparatus 100 described above will be further described with reference to FIG.
FIG. 9 is a functional block diagram illustrating an example of the configuration of the NRS application. As shown in the figure, the NRS application 315 performs processing between the application module layer and the NCS 303. The web server function unit 500 performs response processing related to a request received from the outside. The request here may be a SOAP request by SOAP (Simple Object Access Protocol) described in XML (Extensible Markup Language) format which is a structured language, for example. The web client function unit 501 performs processing for issuing an external request. The libxml 502 is a library that processes data described in the XML format, and the libsoap 503 is a library that processes SOAP. Also, libwwww 504 is a library that processes HTTP, and libgw_ncs 505 is a library that performs processing with the NCS 303.

The SOAP request is received by the PHY 204, and a SOAP document including a SOAP header and a SOAP body is passed to the NRS application 315 via the NCS 303 in the form of an HTTP message. Then, in the NRS application 315, the SOAP body is extracted from the SOAP document using the libsoap 503, the SOAP body is interpreted using the libxml 502, and a DOM (Document Object Model) tree is generated. Is converted to a data structure suitable for processing in, and passed to the application corresponding to the command included in the SOAP body.
For example, when the application program is written in C language, the data structure is C language structure data. The data is passed to the application by calling the application program with the structure data as an argument. be able to.

Based on the above-described configuration, an example of a communication sequence for data transmission / reception performed in the image processing apparatus remote management system in FIG. 5 will be described with reference to FIG. FIG. 10 is a diagram illustrating an example of a communication sequence for data transmission / reception performed between the management device, the mediation device, and the image processing device.
In this example, first, the mediation apparatus 101 polls the management apparatus 102 (inquiry whether there is a transmission request) (S601). That is, a polling SOAP document to which an identifier which is its own identification information is added is generated and transmitted to the management apparatus 102 as an HTTP message. As shown in FIG. 5, since the firewall 104 is provided between the mediation apparatus 101 and the management apparatus 102, a communication session is established from the management apparatus 102 to the mediation apparatus 101 (communication is requested and a communication path is established). Therefore, even when it is desired to transmit a request from the management apparatus 102 to the mediation apparatus 101 (or the image processing apparatus 100 via the mediation apparatus 101), it is necessary to wait for polling from the mediation apparatus 101 in this way. There is.

  When the management apparatus 102 receives the HTTP message from the intermediary apparatus 101, the management apparatus 102 generates a SOAP document indicating a charging counter acquisition request, and sends an HTTP message in response to polling to the corresponding intermediary apparatus 101 (source of the received SOAP message). (S602). At this time, the corresponding intermediary device 101 is recognized based on the identifier added to the SOAP document in the received HTTP message. Thus, if it is a response (HTTP response) to communication (HTTP request) from the inside of the firewall 104, data can be transmitted from the outside of the firewall to the inside.

Upon receiving the HTTP message from the management apparatus 102, the mediation apparatus 101 generates a SOAP document indicating a charging counter acquisition request based on the HTTP message, and the NRS of the image processing apparatus 100 that is also connected to itself as an HTTP message. It transmits to the application 315 (S603).
The NRS application 315 notifies the SCS 306 of a charge counter acquisition request described in the SOAP document received as an HTTP message from the mediation apparatus 101 (S604).
When the SCS 306 receives a billing counter acquisition request notification from the NRS application 315, the SCS 306 reads billing counter data stored in the NV-RAM 202 (S605). Then, the read accounting counter data (response data) is delivered to the NRS application 315 (S606).

When the NRS application 315 receives (acquires) billing counter data from the SCS 306, the NRS application 315 generates a billing counter SOAP document indicating the contents thereof, and transmits it to the mediation apparatus 101 as an HTTP message (S607).
When the mediation apparatus 101 receives the SOAP document for the billing counter from the NRS application 315, the mediation apparatus 101 transmits the SOAP document as an HTTP message to the management apparatus 102 (S608).
Thus, data transmission / reception is performed by the communication sequence.

Next, unlike FIG. 10, an example of a communication sequence when data is transmitted from the image processing apparatus 100 to the management apparatus 102 via the mediation apparatus 101 will be described with reference to FIG.
FIG. 11 is a diagram illustrating an example of a communication sequence when data is transmitted from the image processing apparatus to the management apparatus 102.
In this example, first, the OCS 300 notifies the SCS 306 that the user call key has been pressed (S701).
Upon receiving notification from the OCS 300 that the user call key has been pressed, the SCS 306 notifies the NRS application 315 of a user call request (S702).

Upon receiving the user call request notification from the SCS 306, the NRS application 315 generates a SOAP document for user call, which is user call information notifying the user call, and transmits it as an HTTP message to the mediation apparatus 101 (S703).
When the mediation apparatus 101 receives the SOAP document for the user call from the NRS application 315, the mediation apparatus 101 adds an identifier, which is its identification information, to the SOAP document, and transmits the SOAP document to the management apparatus 102 as an HTTP message. Make user calls. That is, the user call SOAP document with its own identifier added is notified to the management apparatus 102 (S704). In this case, since the transmission is from the inside to the outside of the firewall 104, the mediation apparatus 101 can transmit data by creating a session toward the management apparatus 102 itself.
Here, the pattern after the process of step S704 will be described separately in the following (A) to (C).

First, in (A), the management apparatus 102 receives a SOAP document for user call as an HTTP message from the mediation apparatus 101 of the user destination, and if the reception ends normally, that fact (user call succeeds). If the call result does not end normally (abnormally ends), a SOAP document indicating the call result indicating that the user call has failed is generated and reported as an HTTP message response It transmits to the original mediation apparatus 101 (S705).
When the mediation apparatus 101 receives the SOAP document indicating the call result from the management apparatus 102, the mediation apparatus 101 transmits the SOAP document to the NRS application 315 of the image processing apparatus 100 in which the user call key is pressed again as an HTTP message (S706).

When the NRS application 315 receives the SOAP document indicating the call result from the mediation apparatus 101, the NRS application 315 interprets (determines) the call result indicated by the SOAP document and notifies the SCS 306 (S707).
When the SCS 306 receives the call result, it delivers it to the OCS 300.
When the OCS 300 receives the call result from the SCS 306, the OCS 300 displays a message indicating whether the user call is successful or unsuccessful on the character display on the operation panel 205 (S708).

Next, in (B), when the intermediary device 101 determines that there is no response from the management device 102 after a predetermined time (a predetermined time set in advance), a call result indicating that the user call has failed is displayed. A SOAP document to be shown is generated and transmitted to the NRS application 315 as an HTTP message (S709).
When the NRS application 315 receives the SOAP document indicating the call result indicating the failure, the NRS application 315 interprets the call result indicating the failure described in the SOAP document and notifies the SCS 306 of the call result (S710).
Upon receiving the call result from the NRS application 315, the SCS 306 delivers it to the OCS 300.
When the OCS 300 receives the call result from the SCS 306, the OCS 300 displays the content, that is, a message indicating that the user call has failed on the character display on the operation panel 205 (S711).

Next, in (C), when the NRS application 315 determines that there is no response from the mediation apparatus 101 even after the specified time has elapsed, the NRS application 315 notifies the SCS 306 of a call result indicating that the user call has failed (S712).
Upon receiving the call result from the NRS application 315, the SCS 306 delivers it to the OCS 300.
When the OCS 300 receives the call result from the SCS 306, the OCS 300 displays the content, that is, a message indicating that the user call has failed on the character display on the operation panel 205 (S713).

  Here, in order to transmit data from the management apparatus 102 to the mediation apparatus 101 (or the image processing apparatus 100 via the mediation apparatus 101) over the firewall 104, the data is transmitted in the form of a response to the HTTP request from the mediation apparatus 101. However, the means for going beyond the firewall 104 is not limited to this example. For example, using the Simple Mail Transfer Protocol (SMTP), the management apparatus 102 sends a mail describing or attaching data to be transmitted. Transmission to the mediation apparatus 101 is also conceivable. However, HTTP is superior in terms of reliability.

Here, a reference example of firmware update processing of the image processing apparatus 100 executed in the image processing apparatus remote management system shown in FIG. 5 having such basic functions will be described.
As means for improving the security of the processing shown in FIG. 26 in the background art section, it is conceivable to use a password list as shown in FIG. 12 in addition to encrypting communication. Processing using a list. An apparatus corresponding to the firmware update apparatus 91 is an intermediary apparatus 101, and an apparatus corresponding to the updated apparatus 92 is an image processing apparatus 100.
The password list used here is one in which a large number of passwords corresponding to the IDs set in the mediation apparatus 101 are generated and ordered. Such a password list is stored in a memory card or the like and sent to the administrator of the mediation apparatus 101 and the image processing apparatus 100 via a secure route other than a network such as registered mail, and each administrator stores the storage means of the apparatus. Remember me. Then, when requesting authentication from the mediation apparatus 101 to the image processing apparatus 100, the first password is selected from the unused passwords and used, and the used password is used and authentication is requested next. When doing so, use the following password.

The process corresponding to FIG. 26 in the case of using such a password list is as shown in the sequence diagram of FIG. 13, for example.
Also in the processing illustrated in FIG. 13, the mediation apparatus 101 and the image processing apparatus 100 communicate using FTP (File Transfer Protocol).
Also in this process, when a predetermined event occurs, the mediation apparatus 101 transmits an ID and a password to the image processing apparatus 100 to request an FTP connection, but before that, a password used by referring to the password list Is determined (S41). Here, it is assumed that no password has been used yet and the first password A is selected.

Thereafter, the mediation apparatus 101 performs version information acquisition processing in the same manner as in steps S11 to S13 of FIG. 26 to acquire the version information of the firmware of the image processing apparatus 100 (S42 to S44). Is the password A selected in step S11. Since the image processing apparatus 100 also stores the same password list, the authentication process can be performed by referring to the password list and comparing it with the first password A.
When the version information acquisition process ends, the mediation apparatus 101 starts a password update process and transmits a password update request to the image processing apparatus 100 using HTTP (Hyper Text Transfer Protocol) (S45). In accordance with this request, the image processing apparatus 100 sets the used password (password A) in the password list to be used (S46), and if this is successful, returns an update OK notification (S47).

  Upon receiving this notification, the mediation apparatus 101 sets the used password to “used” in the same manner as the image processing apparatus 100 (S48). The password update process has been described above. With this process, both the mediation apparatus 101 and the image processing apparatus 100 have already used the password transferred by FTP, and the next secure password (password B) that has not been used yet is used. Can be set to use. However, when the firmware transmission process is subsequently performed, the password used in the version information acquisition process is used as it is until the firmware transmission process is completed.

  Next, the intermediary device 101 determines whether update is necessary based on the firmware version information acquired in step S43. If it is determined that the update is unnecessary, the process is terminated. If necessary, the version information acquisition process is performed. However, if it is determined that the update is necessary (S49), the next firmware transmission process is executed (S50 to S53). This process is almost the same as the firmware transmission process shown in FIG. 26, except that the password used for the authentication process is the password A included in the password list.

Through the above processing, the firmware of the image processing apparatus 100 can be updated when necessary. When the version information acquisition process or the firmware transmission process is performed again, the password to be used is determined again by referring to the password list (S54). Here, since the password A has been used, Password B will be selected.
In steps S55 to S57, version information acquisition processing is performed in the same manner as in steps S42 to S44. The password used for authentication is password B here.
In the same manner, the password is sequentially changed to passwords C, D,.

If the password list is used in this way, the password once transferred using FTP is not used after the firmware update process, and the authentication process can always be performed using a secret password. Therefore, it is possible to improve security by preventing unauthorized access such as impersonation.
However, since the password list used in this reference example includes a large number of passwords, the amount of data increases, and if an area for storing the data is prepared, the cost of the memory is increased. Further, since the password is stored in the device, it is impossible to deny the possibility that a third party who has accessed the device steals the password for each list. In addition, since it is necessary to send the password list first by mail or the like and manually memorize it, there is a problem that it takes labor. In addition, when an error occurs in the process, the password No. If a different situation occurs, there is a problem that the authentication process cannot be performed normally. Also, since the number of passwords included in the password list is limited, after all the passwords have been used, a new list can be distributed and stored again, or the used passwords can be reused with some risk. There was also a problem that had to be done.

By the way, in the image processing apparatus remote management system shown in FIG. 5, communication between the mediation apparatus 101 and the image processing apparatus 100 can be performed after performing authentication using SSL as necessary. . Then, next, the communication procedure in the case of performing this authentication will be described focusing on the authentication processing part. As this authentication, mutual authentication in which each other authenticates each other and one-way authentication in which one authenticates the other can be considered. First, the case of mutual authentication will be described.
FIG. 14 is a diagram illustrating a flowchart of processing executed in each device when the mediation device 101 and the image processing device 100 perform mutual authentication by SSL, together with information used for the processing.

  As shown in FIG. 14, when performing mutual authentication by SSL, it is necessary to first store the root key certificate, private key A, and public key certificate A on the mediation apparatus 101 side. The private key A is a private key issued to the intermediary device 101 by a certificate authority (CA). The public key certificate A is a digital certificate in which the CA adds a digital signature to the public key corresponding to the private key. The root key certificate is a digital certificate obtained by attaching a digital signature to a root key that is a key for confirming the validity of a digital signature attached by a CA. The public key is a bibliographic information including a key body for decrypting a document encrypted using the corresponding private key, and information such as the issuer (CA) of the public key, the issuer, and the expiration date. It shall be constituted by.

  Further, it is necessary to store the root key certificate, private key B, and public key certificate B on the image processing apparatus 100 side. The private key B and the public key certificate B are a private key and a public key certificate issued by the CA to the image processing apparatus 100. Here, it is assumed that the same CA issues a certificate using the same root private key to the mediation apparatus 101 and the image processing apparatus 100. In this case, the root key certificate is the mediation apparatus 101 and the image processing apparatus 100. It becomes common.

  The description of the flowchart begins. In FIG. 14, the arrow between the two flowcharts indicates data transfer, the transmission side performs the transfer process at the root step of the arrow, and the reception side receives the information, the process at the tip of the arrow Shall be performed. In addition, if the process of each step is not completed normally, an authentication failure response is returned at that time and the process is interrupted. The same applies to the case where an authentication failure response is received from the other party or the process times out. In addition, each process is realized by a process performed by a CPU included in each of the mediation apparatus 101 and the image processing apparatus 100 according to a required control program.

When the mediation apparatus 101 requests connection to the image processing apparatus 100, the mediation apparatus 101 starts the processing of the flowchart shown on the left side of FIG. In step S21, a connection request is transmitted to the image processing apparatus 100.
On the other hand, when receiving this connection request, the image processing apparatus 100 starts the processing of the flowchart shown on the right side of FIG. In step S31, a first random number is generated, and this is encrypted using the private key B. In step S32, the encrypted first random number and public key certificate B are transmitted to the mediation apparatus 101.

Upon receiving this, the mediating apparatus 101 confirms the validity of the public key certificate B using the root key certificate in step S22. This includes processing for confirming that the image processing apparatus 100 is an appropriate communication partner with reference to bibliographic information included in the public key.
If it can be confirmed, the first random number is decrypted using the public key B included in the received public key certificate B in step S23. Here, if the decryption is successful, it can be confirmed that the first random number has been received from the image processing apparatus 100 to which the public key certificate B is issued. Then, the image processing apparatus 100 is authenticated as a valid communication partner.

  Thereafter, a second random number and a third random number are generated separately in step S24. In step S25, the second random number is encrypted using the private key A, the third random number is encrypted using the public key B, and these are transmitted to the image processing apparatus 100 together with the public key certificate A in step S26. To do. The encryption of the third random number is performed so that the random number is not known to apparatuses other than the image processing apparatus 100.

  When receiving this, the image processing apparatus 100 confirms the validity of the public key certificate A using the root key certificate in step S33. This also includes processing for confirming that the mediation apparatus 101 is an appropriate communication partner, as in step S22. If it can be confirmed, the second random number is decrypted using the public key A included in the received public key certificate A in step S34. Here, if the decryption is successful, it can be confirmed that the second random number has been received from the mediation apparatus 101 to which the public key certificate A is issued. Then, the image processing apparatus 100 is authenticated as a valid communication partner.

  Thereafter, in step S35, the third random number is decrypted using the private key B. Through the processing so far, the first to third random numbers common to the server side and the client side are shared. Then, at least the third random number is not known by devices other than the generated mediation device 101 and the image processing device 100 having the private key B. If the processing so far is successful, a response of authentication success is returned to the mediation apparatus 101 in step S36.

  Upon receiving this, the mediating apparatus 101 generates a common key from the first to third random numbers in step S27, and ends the authentication process as being used for subsequent communication encryption. On the image processing apparatus 100 side, the same processing is performed in step S37 and the process is terminated. Then, communication is established with the above processing, and thereafter, communication is performed by encrypting data by a common key encryption method using the common key generated in step S27 or S37.

  If mutual authentication by SSL is performed at the time of communication, the mediation apparatus 101 and the image processing apparatus 100 can securely exchange a common key after mutually authenticating the other party, and secure communication with a reliable party. Can be done. In the following description, when any one of these devices makes an SSL connection request to a communication partner, the mutual authentication process shown in FIG. 14 is performed in response to the request, and the authentication is successful. Communication shall be established. However, since FIG. 14 shows processing when the mediation apparatus 101 requests connection to the image processing apparatus 100, when the image processing apparatus 100 requests connection to the mediation apparatus 101, the image processing apparatus 100 performs processing corresponding to the mediation device 101 in FIG. 14, and the mediation device 101 performs processing corresponding to the image processing device 100 in FIG.

If one-way authentication is employed and, for example, the image processing apparatus 100 only needs to authenticate the mediation apparatus 101, the encryption of the first and third random numbers is omitted in the authentication process shown in FIG. be able to. In this case, only the root key certificate needs to be stored on the image processing apparatus 100 side. Then, the authentication process can be simplified as shown in FIG. That is, the processing of steps S22 and S23 on the mediating apparatus 101 side is not required, and the processing of step S35 on the image processing apparatus 100 side is also unnecessary.
Conversely, when the mediation apparatus 101 authenticates the image processing apparatus 100, encryption of the second random number can be omitted. In this case, only the root key certificate needs to be stored on the mediating apparatus 101 side. Then, the authentication process can be simplified as shown in FIG. That is, the processing of steps S23 and S24 on the mediating apparatus 101 side is not necessary.

Next, the firmware update processing of the image processing apparatus 100 and the configuration necessary for the operation, which are operations related to the features of this embodiment in the image processing apparatus remote management system shown in FIG. 5, will be described. This process is the process shown in the sequence diagram of FIG. 17, and is a process related to the software update method of the present invention. Each CPU of the management apparatus 102, the mediation apparatus 101, and the image processing apparatus 100 executes a required control program. It is done by executing. The intermediary device 101 functions as the software update device of the present invention, and the image processing device 100 becomes the updated device. These apparatuses implement the software update system of the present invention, and the management apparatus 102 corresponds to an external apparatus that issues a firmware update request to the software update system.
Prior to performing the processing shown in FIG. 17, it is assumed that the update firmware is stored in advance in the mediation apparatus 101. This storage may be performed by transferring from the management apparatus 102 or another apparatus, or may be performed by causing the mediation apparatus 101 to read what is recorded on the recording medium. Other suitable methods can also be taken.

In the image processing apparatus remote management system shown in FIG. 5, the management apparatus 102 makes a response to the mediation apparatus 101 when a predetermined event occurs, such as every predetermined time or when an instruction from the operator of the management apparatus 102 occurs. A firmware update request is transmitted (S101). Although not shown, this transmission can be performed as a response to polling from the mediation apparatus 101 as described with reference to FIG.
Upon receiving this request, the mediation apparatus 101 starts processing relating to firmware update of the image processing apparatus 100, but first performs one-time password sharing processing (S102).

  In this process, first, in step S102, the intermediary apparatus 101 generates a one-time password as update authentication information to be used for authentication processing at the time of firmware update, and stores it. Then, a connection request by SSL is made to the image processing apparatus 100 (S103). When this connection is established, a one-time password is transmitted to the image processing apparatus 100 and a request is made to store it (S104). This request can be made as RPC by SOAP.

  The image processing apparatus 100 stores the one-time password received in response to this request in the storage means (S105), and uses it as a password corresponding to the ID of the mediation apparatus 101 in the authentication process at the time of FTP connection thereafter. . Since the authentication is completed at the time of the SSL connection request, the one-time password is not used here for the authentication process. Although illustration is omitted, after the end of the storage, the image processing apparatus 100 returns a response to that effect to the mediation apparatus 101, and when the mediation apparatus 101 receives this response, the SSL connection is disconnected (S106). The communication in steps S103 to S106 is performed using HTTPS.

  The above process is a one-time password sharing process. In this process, the CPU 52 of the mediation apparatus 101 functions as an authentication information setting unit. By this process, the mediation apparatus 101 and the image processing apparatus 100 can safely share a one-time password using an encrypted communication path. The SSL communication path used here is the first communication path. The “communication path” is determined by a protocol (communication method) used for communication rather than a physical transmission path. Therefore, even if the physical transmission path is the same, if the communication protocol is different, the "communication path" will be different, and conversely, the physical transmission path will change depending on the situation, as in communication over the Internet. Even in this case, if a communication apparatus and a protocol used for communication are determined, the “communication path” is specified.

When the one-time password sharing process ends, the mediation apparatus 101 performs a version information acquisition process next.
This process is almost the same as steps S11 to S13 of the process shown in FIG. 26 in the section of the prior art. The password to be transmitted is the same one-time password as that transmitted in step S104. Then, the image processing apparatus 100 performs an authentication process using the one-time password stored in step S105. If they match, the connection is established as successful authentication (S107). If they do not match, the connection is not established and an error occurs and the process ends. In this processing, the CPU 52 of the mediation apparatus 101 functions as an authentication request unit, and the CPU of the image processing apparatus 100 functions as an authentication unit.

When the connection is established, the image processing apparatus 100 transmits firmware version information in response to a request from the mediation apparatus 101 (S108). The mediation apparatus 101 acquires this version information, and then disconnects from the image processing apparatus 100 (S109). The above is the version information acquisition process.
The processing in the next step S110 and the subsequent firmware transmission processing are substantially the same as steps S14 to S18 in the processing shown in FIG. 26 except that the one-time password is used.

That is, the intermediary device 101 determines whether update is necessary based on the firmware version information acquired in step S108, and if it is determined that update is necessary (S110), executes the next firmware transmission process. When it is determined that the update is unnecessary, it is preferable to notify the management apparatus 102 as a response to the firmware update request.
In the firm transmission process, the mediation apparatus 101 first transmits an ID and a one-time password to the image processing apparatus 100 in the same manner as in step S107, and the image processing apparatus 100 performs an authentication process. Is established (S111). Then, the mediation apparatus 101 transmits the update firmware to the image processing apparatus 100 (S112). In this process, the CPU 52 of the mediation apparatus 101 functions as a transmission unit.

When receiving this, the image processing apparatus 100 updates the firmware of its own device to the received update firmware (S113). In this process, the CPU of the image processing apparatus 100 functions as an updating unit. When the update is completed, it resets itself and restarts to enable a new firmware (S114). Further, the FTP connection is disconnected by resetting the image processing apparatus 100. The above is the firmware transmission process.
The FTP communication path used here is the second communication path. In the case of FTP, since the communication content is not encrypted, the processing load is much smaller than that of the first communication path using SSL.

  When the restart is completed, the image processing apparatus 100 may transmit a power ON notification to the mediation apparatus 101 as an activation notification indicating that the image processing apparatus 100 has been activated (S115). In this way, since it is possible to grasp that the firmware update has been completed in the image processing apparatus 100 on the mediation apparatus 101 side, it is possible to determine whether or not the update has been successful at an appropriate timing. The power-on notification can be described as a SOAP document and transmitted using HTTP.

When the mediation apparatus 101 receives this power-on notification, the mediation apparatus 101 performs version information acquisition processing in the same manner as in steps S107 to S109, establishes FTP communication with the image processing apparatus 100, and performs the image processing apparatus 100. Firmware version information is acquired from (S116 to S118). If the version information matches that of the update firmware transmitted in step S112, it is determined that the firmware has been successfully updated (S119), and the next one-time password deletion process is performed. If they do not match, it is determined that the update has failed, and the firmware transmission process is performed again, or the management apparatus 102 is notified that the update has failed as a response to the firmware update request.
Even when it is determined that the update has failed, it has been confirmed that communication using SSL (communication via a path through which a one-time password can be safely transmitted) is possible with the image processing apparatus 100. In this case, a one-time password deletion process may be performed.

In the next one-time password deletion process, the mediation apparatus 101 makes a connection request by SSL to the image processing apparatus 100 as in the case of the one-time password sharing process (S120). When this connection is established, an erasing password is transmitted to the image processing apparatus 100, and a request is made to store it (S121). This request is, so to speak, a one-time password invalidation request. In this process, the CPU 52 of the mediation apparatus 101 functions as an authentication information invalidation means. Note that the erasure password may be a random password created for each transmission or may be a fixed password. A password that is not transmitted by FTP and that is not transmitted by FTP may be used. In addition, when making this request, the one-time password stored by itself may be deleted.
The invalidation request for the one-time password may be a request for deleting the stored one-time password. However, if the password storage (overwrite) request is used as described above, the one-time password invalidation request may be used. By sharing the process with the case of password sharing, the program can be made compact and the development efficiency can be improved.

In response to this request, the image processing apparatus 100 overwrites the received one-time password with the received erasure password (S122), and thereafter, the one-time password stored in step S105 is not used for authentication processing at the time of FTP connection. . Since the authentication is completed at the time of the SSL connection request, the erasure password is not used here for the authentication process. After the end of the storage, the mediation apparatus 101 disconnects the SSL connection (S123).
The above process is the one-time password erasure process, and the one-time password stored in the image processing apparatus 100 can be invalidated by this process.
When the one-time password deletion process is completed, the mediation apparatus 101 notifies the management apparatus 102 that the update has been successful as a response to the firmware update request (S124).
By performing the above processing, the firmware of the update target apparatus that can communicate via the network can be updated by the software update apparatus.

This process is shown in flowcharts in FIGS. The above-described processing will be supplemented using these drawings. In these figures, the arrow between the two flowcharts indicates data transfer, the transmission side performs the transfer process at the step at the base of the arrow, and the reception side receives the information and performs the process at the step at the tip of the arrow. Assumed to be performed.
When the mediation apparatus 101 receives a firmware update request from the management apparatus 102, the mediation apparatus 101 starts the processing of the flowchart shown on the left side of FIG. In step S201, a one-time password is generated and stored. In step S202, an SSL connection request is made to the image processing apparatus 100.

Upon receiving this request, the image processing apparatus 100 starts the processing of the flowchart shown on the right side of FIG. In step S301, connection processing is performed with the mediation apparatus 101 side by SSL. The process performed in step S202 on the mediation apparatus 101 side and step S301 on the image processing apparatus 100 side is the mutual authentication process shown in FIG.
If the authentication is successful, the image processing apparatus 100 returns an authentication success response as shown in step S36 of FIG. Then, the mediation apparatus 101 transmits the one-time password generated in step S201 to the image processing apparatus 100 in step S203 and requests to store it. Upon receiving this, the image processing apparatus 100 stores it in step S302 and returns a response indicating completion of storage. When the response is received, the mediation apparatus 101 sends a disconnection request to the image processing apparatus 100 in step S204 to disconnect the SSL connection. The mediation apparatus 101 that has received this request also disconnects the connection in step S303. The process so far is the one-time password sharing process.

Next, the mediation apparatus 101 makes an FTP connection request to the image processing apparatus 100 in step S205. Then, since the image processing apparatus 100 requests an ID and password for authentication in step S304, the mediation apparatus 101 transmits the ID and the one-time password generated in step S201 in step S206 accordingly.
The image processing apparatus 100 performs authentication processing using this ID and password, and if they match those stored, it returns a response to that effect as successful authentication. In response to this, the mediation apparatus 101 transmits a version information acquisition request to the image processing apparatus 100 in step S207 to obtain firmware version information. In response to this, the image processing apparatus 100 transmits version information to the mediation apparatus 101 in step S306, and when the mediation apparatus 101 obtains the version information, the FTP connection is disconnected in step S208. The process so far is the version information acquisition process.
Note that if authentication fails in step S305, the process proceeds to step S307 to perform error processing. As this processing, the transition to a state in which the mediation apparatus 101 is notified of the authentication failure and waits for a connection request again. Conceivable.
Although illustration is omitted, similar processing may be performed when mutual authentication by SSL fails in step S301 or the like.

On the other hand, the mediation apparatus 101 proceeds to step S209 after step S208, and whether or not the firmware of the image processing apparatus 100 needs to be updated based on whether or not the version information acquired in step S207 is the latest version. Judge. If it is necessary to update, the process proceeds to step S210 to perform a firmware transmission process.
In this case, the mediation apparatus 101 establishes an FTP connection in step S210 by performing processing similar to steps S205 and S206, and the image processing apparatus 100 performs processing in step S308 similar to steps S304 and S305. The password used here is also the same one-time password as in step S206.

  When the connection is established, the mediation apparatus 101 transmits the update firmware to the image processing apparatus 100 in step S211, and when the image processing apparatus 100 receives the update firmware in step S309, in step S310 the own apparatus firmware is changed to the update firmware. Update. At this time, if another job is being executed or reserved, it may wait without being updated until it is completed. When the firmware update is completed, the image processing apparatus 100 resets itself in step S311 and restarts to enable the new firmware. Further, the FTP connection is disconnected by resetting the image processing apparatus 100. The above is the firmware transmission process.

  Subsequently, when the restart of the image processing apparatus 100 is completed, the image processing apparatus 100 transmits a power-on notification indicating that the image processing apparatus 100 has started to the mediation apparatus 101. In response to this, the mediation apparatus 101 requests FTP communication to the image processing apparatus 100 in step S212, and performs the same processing as in steps S205 to S208 up to step S214, from the image processing apparatus 100 to the firmware. Get version information for. On the image processing apparatus side as well, in steps S313 and S314, firmware version information is transmitted by performing the same processing as in steps S304 to S307.

  In step S215, the mediating apparatus 101 compares the version information acquired in step S213 with the version information of the update firmware transmitted in step S211. If they match, it is determined that the update has been successful, and step S217 in FIG. 20 is determined. Proceed to If they do not match, it is determined that the update has failed, and the process proceeds to step S216 to perform error processing. As this error processing, the firmware transmission processing from S210 is performed again to try to update the firmware of the image processing apparatus 100, or the management apparatus 102 that is the transmission source of the firmware update request indicates that the update has failed. Return a response. In the latter case, the process ends and a second firmware update request is awaited.

When the determination in step S215 is YES and the process proceeds to step S217 in FIG. 20, the one-time password invalidation process is started, and the mediation apparatus 101 connects to the image processing apparatus 100 using SSL in the same manner as in step S202. And performs mutual authentication together with the process of step S315 on the image processing apparatus 100 side. When the authentication success response is returned from the image processing apparatus 100 side, the mediation apparatus 101 transmits an erasing password to the image processing apparatus 100 in step S218 and requests to store it. Upon receiving this, the image processing apparatus 100 overwrites and stores the erasure password in the one-time password stored in step S316, and returns a storage completion response. If there is this response, the mediation apparatus 101 sends a disconnection request to the image processing apparatus 100 in step S219 to disconnect the connection by SSL. The mediation apparatus 101 that has received this request also disconnects the connection in step S317. The process so far is the one-time password invalidation process.
In this process, as described above, it is not always necessary to overwrite the stored one-time password as long as the stored one-time password can be deleted.

  This process is similar to the one-time password sharing process except that it is not always necessary to generate an erasure password each time. However, if the password used for the FTP authentication process by the image processing apparatus 100 is changed to another password by such processing, the original one-time password that may be leaked can be invalidated, and impersonation by a third party is performed. Can be prevented. Further, the erasure password is not transferred by FTP, but if it is transferred through a secure communication path using SSL, for example, it will not be leaked.

After the one-time password invalidation process, the mediation apparatus 101 notifies the management apparatus 102 of the result of the firmware update in step S220 and ends the process.
If it is determined in step S209 that updating of the firmware is unnecessary, the process directly proceeds to step S217 in FIG. 20 to perform a one-time password invalidation process, and the result is notified to the management apparatus 102 in step S220. The processing on the image processing apparatus 100 side is basically performed in response to a trigger from the mediation apparatus 101. Therefore, if there is no request in step S210 or step S212, the image processing apparatus 100 performs the processing of the portion shown in FIG. Not performed.

By performing the processing as described above, when updating the firmware of the update target device that can communicate via the network by the software update device, the update processing can be performed by a compact program while ensuring high safety. it can. As described above, the update target is the same for software other than firmware.
That is, first, the version information acquisition process and the software transmission process, which are essential for software update, are performed by FTP with a small processing load, so that the program can be collected in a compact manner. The software itself is not highly confidential data compared to authentication information such as passwords and user information of managed devices. There is a strong demand for compact programs. In addition, since the software is larger in size than authentication information such as a password, the processing load can be greatly reduced by transmitting the information through a communication path with a small processing load.

On the other hand, in order to prevent unauthorized software from being received, it is important to authenticate the communication partner, but a password used for FTP authentication processing is generated immediately before use to encrypt the communication contents. The mediation apparatus 101 and the image processing apparatus 100 are configured to share using SSL. Accordingly, the password is not leaked to the third party, and the third party impersonates the mediation apparatus 101 to transmit illegal software from another apparatus to the image processing apparatus 100 and update it. Can be prevented.
In addition, if the password used for the authentication process in FTP is invalidated immediately after confirming the successful software update, a third party illegally obtained a one-time password by monitoring FTP communication. However, there is no possibility of connection using the password later, and unauthorized access can be prevented.

Further, if the software version information is confirmed when the image processing apparatus 100 is restarted after the software update, the success or failure of the update can be easily known on the mediating apparatus 101 side. And when it fails, it can respond quickly, such as re-update. If the image processing apparatus 100 transmits a power ON notification to the mediation apparatus 101 at the time of restart, the timing of this confirmation can be easily measured.
Furthermore, if the mediation apparatus 101 causes the image processing apparatus 100 to update software in response to a request from the outside and return the result as a response, the software update status in each image processing apparatus 100 is managed. Can be managed by.

  Also, especially when considering firmware updates, the firmware includes software for basic hardware control. Therefore, if the firmware itself has an update function, the device will operate completely if the update fails. There is a risk of disappearing. Therefore, in order to avoid such a situation, an update program for update processing is separately prepared, and firmware of only the other part is updated. In such a case, it is not appropriate to use a large storage capacity for an update program that is not used during normal operation other than during firmware update, considering cost and the like. Therefore, there is a demand that an update program having a capacity as small as possible is preferable. Therefore, by performing the update process as described above, the process directly necessary for the update can be realized by using a compact program such as FTP, so that the capacity of the update program is reduced, and thus Can meet the demands.

  In addition, in the case of firmware, as described above, the device to be updated includes an update program for firmware update processing in addition to the firmware itself in preparation for a case where the update fails. If the update fails, if the one-time password is not invalidated, even if the update fails, it is possible to start over from the version information acquisition process that does not use SSL, so as an update program in the image processing apparatus 100 It is only necessary to prepare a program for version information acquisition processing and firmware transmission processing. Therefore, it is not necessary to include a part necessary for this processing in the update program while using SSL for passing the password to improve safety, and the update program can be made compact.

Regarding the invalidation of the one-time password, the above-described processing is performed by overwriting the erasure password, so that the processing is shared with the case of sharing the one-time password and the program is made compact. Yes.
However, instead of overwriting the erasure password, a request is made not to use the stored one-time password for authentication processing, and the image processing apparatus does not perform authentication processing using the one-time password accordingly. You may make it perform the setting to this effect. In this case, since it is not necessary to conceal the request itself, it is not always necessary to perform SSL communication. If the risk of the erasure password being stolen from the image processing apparatus 100 is taken into account, such a setting is effective.

[Modification]
Hereinafter, various modified examples applicable to the above-described embodiment will be described.
In the embodiment described above, an example has been described in which when the mediation apparatus 101 receives a firmware update request from the management apparatus 102, firmware update processing is started, and the mediation apparatus 101 generates a one-time password at this time. However, the firmware update process according to the present invention is not limited to this.

First, as a first modification, the one-time password may be generated on the image processing apparatus 100 side. In this case, the processing shown in FIG. 21 is performed instead of the processing in steps S101 to S106 in FIG.
That is, when the intermediary device 101 receives a firmware update request in step S101, the processing related to the firmware update of the image processing device 100 is started. First, a one-time password generation request is transmitted to the image processing device 100 (S401). ). Since the request itself does not need to be kept secret, it can be transmitted as a SOAP document by HTTP.

In response to this, the image processing apparatus 100 generates a one-time password and stores it (S402). Then, this one-time password is used as a password corresponding to the ID of the mediation apparatus 101 that is the transmission source of the one-time password generation request in the authentication process at the time of FTP connection.
Thereafter, the image processing apparatus 100 makes an SSL connection request to the mediation apparatus 101 (S403). When this connection is established, a one-time password is transmitted to the mediation apparatus 101 and a request is made to store it (S404). This request is made as RPC by SOAP.

The mediation apparatus 101 stores the one-time password received in response to this request in the storage means (S405), and transmits this one-time password in the authentication process at the time of FTP connection thereafter. Although illustration is omitted, after the end of the storage, the mediation apparatus 101 returns a response to that effect to the image processing apparatus 100, and upon receiving this response, the image processing apparatus 100 disconnects the SSL connection (S406). The communication in steps S403 to S406 is performed using HTTPS.
In the processes in steps S402 to S406, the CPU of the image processing apparatus 100 functions as an authentication information setting unit.
Even in such a process, as in the case of the process shown in FIG. 17, the mediation apparatus 101 and the image processing apparatus 100 can securely share a one-time password using an encrypted communication path. Accordingly, it is possible to obtain the same effect as when the processing shown in FIG. 17 is performed.

As a second modification, the image processing apparatus 100 may be able to accept a firmware update instruction directly from the operation panel 205 or the like. In this case, the processing shown in FIG. 22 is performed instead of the processing in steps S101 to S106 in FIG.
That is, when the image processing apparatus 100 receives a firmware update instruction (S411), the image processing apparatus 100 starts processing related to firmware update and transmits a one-time password generation request to the mediation apparatus 101. (S412). Upon receiving this request, the mediation apparatus 101 performs a one-time password sharing process in the same manner as when a firmware update request is received from the management apparatus 102 in the process shown in FIG. That is, in steps S413 to S417, processing similar to that in steps S102 to S106 in FIG. 17 is performed.

In this way, even when the image processing apparatus 100 directly receives a firmware update instruction, the firmware of the image processing apparatus 100 can be updated in the same manner as when a firmware update request is received from the management apparatus 102.
In this modification, there is no firmware update request from the management apparatus 102, but if the management apparatus 102 can be identified, the update result notification in step S124 may be performed. In this way, the management apparatus 102 can grasp the update status of the firmware according to instructions from other than itself, and can perform appropriate management.
In addition, the mediation apparatus 101 can directly receive a firmware update instruction from the operation unit connected to the Op-Port 56, and in response thereto, a process related to firmware update of the image processing apparatus 100 (process after the one-time password sharing process) can be started. You may do it.

As the third modification, it is conceivable to combine the first modification and the second modification. That is, the image processing apparatus 100 directly receives a firmware update instruction, and further generates a one-time password on the image processing apparatus 100 side.
In this case, the processing shown in FIG. 23 is performed in place of the processing in steps S101 to S106 in FIG.

This process is the same as the process in step S411 in FIG. 22 and the processes in steps S402 to S406 are the same as in FIG. 21, so detailed description thereof will be omitted. 101 recognizes that the processing related to the firmware update of the image processing apparatus 100 has been started when the one-time password is requested to be stored in step S404, and performs the subsequent processing.
The effect of this modification is a combination of the effect of the first modification and the effect of the second modification.

As a fourth modification, in the one-time password erasing process, a request for storing an erasing password can be made from the image processing apparatus 100 side. In this case, the processing shown in FIG. 24 is performed instead of the processing in steps S120 to S123 in FIG.
That is, the image processing apparatus 100 first makes an SSL connection request to the mediation apparatus 101 as in step S412 of FIG. 22 (S421). When this connection is established, an erasing password is transmitted to the mediation apparatus 101 and a request is made to store it (S422). This request is a request for invalidating a one-time password, and in this process, the CPU of the image processing apparatus 100 functions as an authentication information invalidating unit.

In response to this request, the mediation apparatus 101 overwrites the received one-time password with the received erasure password (S423), and prevents the one-time password stored so far from being transmitted during FTP connection. On the other hand, the image processing apparatus 100 itself also overwrites the stored one-time password with an erasure password (S424) so that the stored one-time password is not used for authentication processing at the time of FTP connection thereafter. To do. After the end of the storage, the image processing apparatus 100 disconnects the SSL connection (S425).
This modification can be applied to the above-described embodiment and each modification, but when applied to a case where a one-time password is generated on the image processing apparatus 100 side as in the first and third modifications, a password based on SSL is used. Can be unified on the image processing apparatus 100 side, which is effective in simplifying the program.
When this modification is applied, when the mediation apparatus 101 determines that the firmware update has succeeded in step S119 in FIG. 17, the image processing apparatus 101 is notified of this, and the image processing apparatus is notified. When 101 receives the notification, the processing shown in FIG. 24 may be started.

  Moreover, in the above embodiment and each modification, although the image processing apparatus provided with the communication function was mainly demonstrated as an example of a to-be-updated apparatus, this invention is not restricted to this, The communication function was provided. Network electronics, vending machines, medical equipment, power supplies, air conditioning systems, gas / water / electric metering systems, and other electronic devices with communication functions, including general-purpose computers that can be connected to networks, automobiles, aircraft, etc. Applicable to the device.

For example, in the remote management system shown in FIG. 1, each of these devices may be managed devices (updated devices), and a remote management system and a certificate setting system as shown in FIG. 25 may be configured. In this figure, network appliances such as a television receiver 12a and a refrigerator 12b, a medical device 12c, a vending machine 12d, a weighing system 12e, and an air conditioning system 12f are given as examples of managed devices separately provided with the mediation device 101. . As an example of a managed device that also has the function of the intermediary device 101, an automobile 13a and an aircraft 13b are cited. In addition, it is preferable that an apparatus that moves over a wide range, such as an automobile 13a or an aircraft 13b, also has a firewall (FW) 104 function.
Of course, the present invention can also be applied to the case where the software of each device to be managed is updated in such a remote management system.

Also, the software update device is not limited to the mediation device shown in FIG. 1, FIG. 3, FIG. 25, etc., and may be a software update dedicated device or a management device 102.
Furthermore, the software update system of the present invention is not necessarily included in the remote management system, and the configuration of the update target device, the software update device, the management device, and the connection form thereof are limited to the above embodiments. Is not something Communication between these devices can be performed using various communication lines (communication paths) capable of constructing a network regardless of wired or wireless.

Moreover, although the example which used the communication path by SSL as a 1st communication path and the communication path by FTP as a 2nd communication path was demonstrated about the communication path, it is not restricted to this, The 1st communication path is If the data to be transmitted is encrypted and transmitted, and the second communication path has a smaller processing load than the first communication path, the communication path (communication method) using another protocol is used. It doesn't matter. At this time, it is conceivable to reduce the processing load by setting the second communication path as a communication path for transmitting data to be transmitted without encryption. Further, the communication path when the update apparatus transmits the authentication information for update to the apparatus to be updated and requests authentication is different from the second communication path used for the transfer of the update software, for example, the original protocol for authentication May be a communication path.
Furthermore, it goes without saying that the above-described modifications may be applied in appropriate combination.

  In addition, the program according to the present invention provides the above-described functions (authentication information setting means, authentication request means, transmission means, and other means) to a computer that controls a software update apparatus that can communicate with an update target apparatus via a network. The above-described effects can be obtained by causing a computer to execute such a program.

Such a program may be stored in a storage means such as a ROM or HDD provided in the computer from the beginning, but a non-volatile recording such as a CD-ROM or flexible disk, SRAM, EEPROM, memory card or the like as a recording medium. It can also be recorded on a medium (memory) and provided. Each procedure described above can be executed by installing a program recorded in the memory in a computer and causing the CPU to execute the program, or causing the CPU to read and execute the program from the memory.
Furthermore, it is also possible to download and execute an external device that is connected to a network and includes a recording medium that records the program, or an external device that stores the program in the storage unit.

As described above, according to the software update device, the software update system, the software update method, or the program of the present invention, when the software of the update target device that can communicate via the network is updated by the software update device, The load of update processing can be reduced while ensuring high safety.
Therefore, by applying the present invention, for example, it is possible to provide a system that can safely and easily update software of a communication device sold to a user.

It is a conceptual diagram which shows the structural example of the remote management system containing the software update system by this invention. It is a conceptual diagram which shows the data transmission / reception model in the remote management system. It is a block diagram which shows the hardware structural example of the mediation apparatus which comprises the remote management system. It is a block diagram which shows the software structural example of the mediation apparatus. It is a conceptual diagram which shows the structural example of the image processing apparatus remote management system containing the software update system by this invention which used the image processing apparatus as the apparatus to be updated. It is a block diagram which shows the hardware structural example of the image processing apparatus which comprises the image processing apparatus remote management system. It is a block diagram showing a software configuration example of the image processing apparatus. It is a figure for demonstrating the ENGRDY signal and PWRCTL signal in the image processing apparatus. It is a functional block diagram which shows the structural example of the web service application in the image processing apparatus. It is a figure which shows an example of the communication sequence at the time of the data transmission / reception performed within the image processing apparatus remote management system shown in FIG.

FIG. 4 is a diagram illustrating an example of a communication sequence when data is transmitted from the image processing apparatus illustrated in FIG. 3 to a management apparatus. FIG. 4 is a diagram illustrating an example of a password list used in a reference example of processing for updating firmware of an image processing apparatus by the mediation apparatus illustrated in FIG. 3. It is a sequence diagram which shows the firmware update process of the reference example. It is a figure which shows the process example at the time of performing the mutual authentication using SSL between the mediation apparatus shown in FIG. 3, and an image processing apparatus. It is a figure which shows the process example at the time of similarly performing one-way authentication. It is a figure which shows the other example. FIG. 4 is a sequence diagram illustrating a processing example when updating firmware of the image processing apparatus by the mediation apparatus illustrated in FIG. 3. FIG. 4 is a flowchart illustrating a part of a processing example when updating firmware of the image processing apparatus by the mediation apparatus illustrated in FIG. 3. FIG. It is a flowchart which shows the process following FIG. 20 is a flowchart illustrating processing subsequent to FIG.

FIG. 18 is a sequence diagram illustrating a processing example of a portion that is replaced with the processing of FIG. 17 in the first modification of the processing illustrated in FIG. 17. FIG. 18 is a sequence diagram showing a processing example of a part that is replaced with the processing of FIG. 17 in the second modification example. FIG. 18 is a sequence diagram showing a processing example of a part that is replaced with the processing of FIG. 17 in the third modification example. It is a sequence diagram which shows the process example of the part similarly replaced with the process of FIG. 17 in a 4th modification. It is a figure which shows another structural example of the remote management system shown in FIG. It is a sequence diagram which shows the example of the firmware update process in the conventional firmware update system. It is a figure for demonstrating the danger of the process shown in FIG.

Explanation of symbols

10: Managed device 11: Managed device with mediation function 52: CPU 53: SDRAM
54: Flash memory 55: RTC
56: Op-Port 57: PHY
58: Modem 59: HDD controller 63: HDD 70: Application layer 80: Service layer 90: Protocol layer 100: Image processing device 101: Mediation device 102: Management device 103: Internet 104: Firewall 105: Terminal device 110: Mediation function Image processing apparatus 200: Controller board 201: HDD
202: NV-RAM 203: PI board 204: PHY 205: Operation panel 206: Plotter / scanner engine board 207: Power supply unit 212: PCI-BUS
300: OCS 301: ECS
302: MCS 303: NCS
304: FCS 305: CSS
306: SCS 307: SRM
308: IMH 309: Copy application 310: Fax application 311: Printer application 312: Scanner application 313: Net file application 314: Web application 315: NRS application 316: DCS
317: UCS 318: DESS
319: CCS

Claims (19)

A software update device capable of communicating with an update target device via a network,
Authentication information setting means for generating authentication information for updating when updating the software of the device to be updated, and requesting this to be transmitted to the device to be updated and stored in the encrypted first communication path;
Authentication request means for transmitting the update authentication information to the update target device and requesting an authentication process using the authentication information;
Transmitting means for transmitting the update software to the updated apparatus via a second communication path having a processing load smaller than that of the first communication path when the authentication process is successful ;
Based on the communication with the update target device, if it is determined that the update target device has been successfully updated to the update software, it generates erasure information for overwriting the update authentication information, A software updating apparatus, comprising: an authentication information erasing unit that transmits the information to the update target apparatus via the first communication path and requests to store the update authentication information by overwriting it . The software update device according to claim 1 ,
A software update apparatus comprising means for updating software of the update target apparatus in response to an external software update request and returning the result to a request source of the update request. The software updating apparatus according to claim 1 or 2 ,
Means for receiving a start-up notification indicating start-up from the updated device;
When the activation notification is received from the update target device after the update software is transmitted, the software version information is acquired from the update target device, and the success or failure of the update is confirmed by comparing with the transmitted version information of the update software. And a software updating device. The software update device according to any one of claims 1 to 3 ,
The first communication path is a communication path for performing communication by SSL,
The software update apparatus, wherein the second communication path is a communication path for performing communication by FTP. The software update device according to any one of claims 1 to 3 ,
The first communication path is a communication path for encrypting and transmitting data to be transmitted;
The software update apparatus, wherein the second communication path is a communication path for transmitting data to be transmitted without encryption. A software update system comprising a software update device and an updated device that can communicate with each other via a network,
In the software update device,
Authentication information setting means for generating authentication information for updating when updating the software of the device to be updated, and requesting this to be transmitted to the device to be updated and stored in the encrypted first communication path;
Authentication request means for transmitting the update authentication information to the update target device and requesting an authentication process using the authentication information;
Transmitting means for transmitting the update software to the updated apparatus via a second communication path having a processing load smaller than that of the first communication path when the authentication process is successful;
Based on the communication with the update target device, if it is determined that the update target device has been successfully updated to the update software, it generates erasure information for overwriting the update authentication information, An authentication information erasure unit that transmits the information to the update target device via the first communication path and requests to store the update authentication information by overwriting the authentication information;
In the updated device,
Storage means for storing the update authentication information when requested to store the update authentication information;
An authentication unit that performs an authentication process using the received update authentication information and the update authentication information stored in the storage unit and returns a result when the authentication process is requested;
An update unit that receives the update software when the authentication process is successful, and updates the software of the device to the update software;
Communicating with the update device, and means to confirm that the software update was successful by the update unit to the updating device,
A software update system comprising: means for storing the erasure information by overwriting the update authentication information when requested to store the erasure information. The software update system according to claim 6 ,
In the updated device,
As a means for confirming that the software update was successful,
Means for restarting the device after updating the software by the updating means;
Means for transmitting a startup notification to that effect to the software update device at startup;
Means for transmitting software version information to the device in response to a request from the software updating device;
In the software update device,
When the activation notification is received from the update target device after the update software is transmitted, the update target device is requested to transmit the version information of the software to acquire the version information. A software update system comprising means for confirming the success or failure of an update compared with version information. The software update system according to claim 6 or 7 ,
The first communication path is a communication path for performing communication by SSL,
The software update system, wherein the second communication path is a communication path for performing communication by FTP. The software update system according to claim 6 or 7 ,
The first communication path is a communication path for encrypting and transmitting data to be transmitted;
The software update system, wherein the second communication path is a communication path for transmitting data to be transmitted without encryption. A software update method for updating software of a device to be updated that can communicate via a network by a software update device,
When updating the software of the device to be updated, update authentication information is generated, and this is transmitted to the device to be updated through the encrypted first communication path to be stored,
Transmitting the authentication information for updating to the device to be updated and performing authentication processing by the authentication information;
When the authentication process is successful, the update software is transmitted to the update target device via the second communication path having a processing load smaller than that of the first communication path, and the software is updated .
Based on the communication with the update target device, if it is determined that the update target device has been successfully updated to the update software, the erasure information for overwriting the update authentication information is generated, software update method comprising Rukoto is stored by overwriting the updated authentication information it sends the to-be update device in the first communication path. The software update method according to claim 10 , comprising:
A software update method, comprising: updating software of the update target device in response to an external software update request, and returning the result to a request source of the update request. The software update method according to claim 10 or 11 ,
Accepting a start notification indicating that the device has been started from the updated device,
When the activation notification is received from the update target device after the update software is transmitted, the software version information is acquired from the update target device, and the success or failure of the update is confirmed by comparing with the transmitted version information of the update software. A software update method characterized by: A software update method according to any one of claims 10 to 12 , comprising:
The first communication path is a communication path for performing communication by SSL,
The software update method, wherein the second communication path is a communication path for performing communication by FTP. A software update method according to any one of claims 10 to 12 , comprising:
The first communication path is a communication path for encrypting and transmitting data to be transmitted;
The software update method, wherein the second communication path is a communication path for transmitting data to be transmitted without encryption. A computer that controls a software update device capable of communicating with the update target device via a network;
Authentication information setting means for generating authentication information for updating when updating the software of the device to be updated, and requesting this to be transmitted to the device to be updated and stored in the encrypted first communication path;
Authentication request means for transmitting the update authentication information to the update target device and requesting an authentication process using the authentication information;
Transmitting means for transmitting the update software to the updated apparatus via a second communication path having a processing load smaller than that of the first communication path when the authentication process is successful ;
Based on the communication with the update target device, if it is determined that the update target device has been successfully updated to the update software, it generates erasure information for overwriting the update authentication information, program for operating this as the authentication information erasing means for requesting to store and overwrite in said first of said update authentication information transmitted by the communication path to the target update device. The program according to claim 15 , wherein
The computer further includes a program for causing the computer to update the software of the update target device in response to a software update request from the outside and returning the result to a request source of the update request. program. The program according to claim 15 or 16 ,
The computer,
Means for receiving a start-up notification indicating start-up from the updated device;
When the activation notification is received from the update target device after the update software is transmitted, the software version information is acquired from the update target device and compared with the transmitted update software version information to confirm the success or failure of the update. A program further comprising a program for causing the function to function. A program according to any one of claims 15 to 17 ,
The first communication path is a communication path for performing communication by SSL,
The second communication path is a communication path for performing communication by FTP. A program according to any one of claims 15 to 17 ,
The first communication path is a communication path for encrypting and transmitting data to be transmitted;
The program according to claim 2, wherein the second communication path is a communication path for transmitting data to be transmitted without encryption.

Images