Data erasure method, information processing system, and information processing device.
The described method enhances data erasure reliability in notebook PCs by using cryptographic verification to securely execute and validate erasure commands, addressing the vulnerability of conventional methods to tampering.
Patent Information
- Authority / Receiving Office: JP · JP
- Patent Type: Applications
- Current Assignee / Owner: レノボ·ジャパン合同会社
- Filing Date: 2024-12-20
- Publication Date: 2026-07-02
Description
Technical Field
[0001] The present invention relates to a data erasure method, an information processing system, and an information processing apparatus.
Background Art
[0002] In recent years, techniques for erasing data in information processing apparatuses such as notebook personal computers (notebook PCs) have been known (see, for example, Patent Document 1). In the technique described in Patent Document 1, a memory drive device such as a solid state drive (SSD) has a function of completely automatically erasing data, and data erasure has been performed by using this function from an information processing apparatus.
Prior Art Documents
Patent Documents
[0003] Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] However, in the conventional techniques as described above, for example, when the function of completely automatically erasing data is tampered with, there is a possibility that the data may not be reliably erased. For example, when a company discards an information processing apparatus it has used, it is required to ensure that the data in the memory drive device built in the information processing apparatus has been completely erased, and reliability is required to be ensured.
[0005] The present invention has been made to solve the above problems, and an object thereof is to provide a data erasure method, an information processing system, and an information processing apparatus that can reliably erase data and ensure reliability in data erasure of a memory drive device.
Means for Solving the Problems
[0006] To solve the above problems, one aspect of the present invention is a data erasure method for an information processing device having a built-in memory drive device, comprising: a first transmission step in which a management server managing the information processing device transmits a data erasure program for the memory drive device to the information processing device using cryptographic processing with a first secret key which is the secret key of the management server; an installation step in which the information processing device verifies the validity of the data erasure program using a first public key which is the public key of the management server, and if the validity of the data erasure program is verified, installs the verified data erasure program into the memory drive device; a second transmission step in which the management server transmits an erase command to the information processing device, causing the processor of the memory drive device to execute the data erasure program, using cryptographic processing with the first secret key; and a data erasure step in which the information processing device verifies the validity of the erase command using the first public key, and if the validity of the erase command is verified, transmits the verified erase command to the memory drive device to execute data erasure processing by the data erasure program.
[0007] Furthermore, in one aspect of the present invention, the data erasure method described above may include a third transmission step in which the information processing device transmits the data erasure result, which is the result of the data erasure process, to the management server using encryption processing with a second secret key, which is the secret key of the information processing device; and a result storage step in which the management server verifies the validity of the data erasure result using a second public key, which is the public key of the information processing device, and, if the validity of the data erasure result is verified, stores the verified data erasure result in the erasure result storage unit.
[0008] Furthermore, in one aspect of the present invention, in the data erasure method described above, the information processing device includes a sub-control unit that can operate independently of the main control unit, which executes processing based on the OS (Operating System) and BIOS (Basic Input Output System), and that has a security area, not directly accessible from the outside, storing at least the first public key and the second secret key; in the installation step and the data erasure step, the sub-control unit may verify the validity of the data erasure program and the erase command, and transmit the data erasure program and the erase command to the memory drive device via the sub-control unit and the BIOS.
[0009] Furthermore, in one aspect of the present invention, in the data erasure method described above, in the third transmission step, the sub-control unit may transmit the data erasure result to the management server using encryption processing with the second secret key.
[0010] Furthermore, in one aspect of the present invention, in the data erasure method described above, in the first transmission step and the second transmission step, the management server generates signature information for the transmitted data using cryptographic processing with the first secret key, adds the signature information to the transmitted data on which the signature information has been generated, and sends it to the information processing device; in the installation step and the data erasure step, the information processing device verifies the validity of the data erasure program and the erasure command based on the signature information and the first public key; in the third transmission step, the information processing device generates signature information for the data erasure result using cryptographic processing with the second secret key, adds the signature information to the data erasure result, and sends it to the management server; and in the result storage step, the management server verifies the validity of the data erasure result based on the signature information of the data erasure result and the second public key.
[0011] Furthermore, in one aspect of the present invention, the memory drive device may be an SSD (Solid State Drive) in the above-described data erasure method.
[0012] Furthermore, one aspect of the present invention is an information processing system comprising an information processing device having a memory drive device built in, and a management server for managing the information processing device, wherein the management server performs a first transmission process that transmits a data erasure program for the memory drive device to the information processing device using cryptographic processing with a first secret key which is the secret key of the management server, and a second transmission process that transmits to the information processing device, using cryptographic processing with the first secret key, an erase command that causes the processor of the memory drive device to execute the data erasure program; and wherein the information processing device performs an installation process that verifies the validity of the data erasure program using a first public key which is the public key of the management server and, if the validity of the data erasure program is verified, installs the verified data erasure program into the memory drive device, and performs a data erasure process that verifies the validity of the erase command using the first public key and, if the validity of the erase command is verified, transmits the verified erase command to the memory drive device to execute data erasure processing by the data erasure program.
[0013] Furthermore, one aspect of the present invention is an information processing device for an information processing system comprising an information processing device having a built-in memory drive device and a management server for managing the information processing device, the information processing device comprising: an installation processing unit that acquires a data erasure program for the memory drive device transmitted by the management server using cryptographic processing with a first secret key, which is the secret key of the management server, verifies the validity of the data erasure program using a first public key, which is the public key of the management server, and installs the data erasure program, whose validity has been verified, into the memory drive device if the validity of the data erasure program has been verified; and a data erasure processing unit that acquires an erase command transmitted by the management server using cryptographic processing with the first secret key, which causes the processor of the memory drive device to execute the data erasure program, verifies the validity of the erase command using the first public key, and, if the validity of the erase command has been verified, transmits the erase command, whose validity has been verified, to the memory drive device to execute the data erasure process by the data erasure program.
Effects of the Invention
[0014] According to the above-described aspect of the present invention, data erasure in a memory drive device can be reliably performed, ensuring reliability.
Brief Description of the Drawings
[0015]
[Figure 1] A configuration diagram showing an example of an information processing system according to the first embodiment.
[Figure 2] A block diagram showing an example of the main hardware configuration of a notebook PC according to the first embodiment.
[Figure 3] A functional block diagram showing an example of the functional configuration of an information processing system according to the first embodiment.
[Figure 4] A diagram showing an example of data in the device information storage unit in the first embodiment.
[Figure 5] A diagram showing an example of data in the erase program storage unit in the first embodiment.
[Figure 6] A diagram showing an example of data in the erasure result storage unit in the first embodiment.
[Figure 7] A first diagram showing an example of the operation of the information processing system according to the first embodiment.
[Figure 8] A second diagram showing an example of the operation of the information processing system according to the first embodiment.
[Figure 9] A functional block diagram showing an example of the functional configuration of the information processing system according to the second embodiment.
[Figure 10] A first diagram showing an example of the operation of the information processing system according to the second embodiment.
[Figure 11] A second diagram showing an example of the operation of the information processing system according to the second embodiment.
Embodiments for Carrying Out the Invention
[0016] Hereinafter, a data erasure method, an information processing system, and an information processing apparatus according to an embodiment of the present invention will be described with reference to the drawings.
First Embodiment
[0017] FIG. 1 is a configuration diagram showing an example of an information processing system 100 according to the first embodiment. As shown in FIG. 1, the information processing system 100 includes a notebook PC 1 and a management server 5.
[0018] The notebook PC 1 is an information processing apparatus incorporating a memory drive device (for example, the SSD 40 described later), and executes processing based on an OS (Operating System). The notebook PC 1 is, for example, a personal computer used by a company, and in the information processing system 100, it is an information processing apparatus that completely erases the data stored in a memory drive device (for example, the SSD 40 described later). The notebook PC 1 can be connected to the management server 5 via the network NW1. The detailed configuration of the notebook PC 1 will be described later.
[0019] The management server 5 is, for example, a server device managed by the manufacturer of the notebook PC 1, and can be connected to the notebook PC 1 via the network NW1. The management server 5 is used for data erasure processing of the memory drive device (for example, the SSD 40 described later) built into the notebook PC 1.
[0020] Next, the main hardware configuration of the notebook PC 1 will be described with reference to Figure 2. Figure 2 shows an example of the main hardware configuration of the notebook PC 1 according to this embodiment.
[0021] As shown in Figure 2, the notebook PC 1 comprises a CPU 11, main memory 12, video subsystem 13, display unit 14, chipset 21, BIOS memory 22, WLAN card 23, embedded controller 31, input unit 32, power supply circuit 33, and SSD 40.
[0022] In this embodiment, the CPU 11 and the chipset 21 correspond to the main control unit 10. The main control unit 10 is an example of a processor (main processor) that executes programs stored in memory (main memory 12).
[0023] The CPU (Central Processing Unit) 11 performs various calculations under program control and controls the entire notebook PC 1.
[0024] Main memory 12 is writable memory used as a reading area for the CPU 11's executable program, or as a work area for writing processing data for the executable program. Main memory 12 is composed of, for example, multiple DRAM (Dynamic Random Access Memory) chips. This executable program includes the BIOS, OS, various drivers for hardware operation of peripheral devices, various services/utilities, application programs, etc.
[0025] Furthermore, the main memory 12 is an example of system memory that stores programs and data, and is installed in the notebook PC 1 as a DIMM with multiple DRAMs.
[0026] The video subsystem 13 is a subsystem for implementing functions related to image display and includes a video controller. This video controller processes drawing commands from the CPU 11, writes the processed drawing information to video memory, reads this drawing information from video memory, and outputs it to the display unit 14 as drawing data (display data).
[0027] The display unit 14 is, for example, a liquid crystal display, and displays a screen based on drawing data (display data) output from the video subsystem 13.
[0028] The chipset 21 is equipped with controllers for USB, Serial ATA (AT Attachment), SPI (Serial Peripheral Interface) bus, PCI (Peripheral Component Interconnect) bus, PCI-Express bus, and LPC (Low Pin Count) bus, and multiple devices are connected to it. In Figure 2, as examples of devices, an SSD 40, BIOS memory 22, WLAN card 23, and embedded controller 31 are connected to the chipset 21.
[0029] The BIOS memory 22 consists of electrically rewritable non-volatile memory, such as EEPROM (Electrically Erasable Programmable Read Only Memory) or flash ROM. The BIOS memory 22 stores the BIOS program and the control program (firmware) for the embedded controller 31.
[0030] The WLAN (Wireless Local Area Network) card 23 connects to network NW1 via wireless LAN and performs data communication. The WLAN card 23 can connect to the management server 5 via network NW1.
[0031] The embedded controller 31 (an example of a sub-control unit) is a one-chip microcomputer that monitors and controls various devices (peripherals, sensors, etc.) regardless of the system state of the notebook PC 1. The embedded controller 31 also has a power management function that controls the power supply circuit 33. The embedded controller 31 is composed of a CPU, ROM, RAM, etc. (not shown), and is equipped with multiple channels of A/D input terminals, D/A output terminals, a timer, and digital input/output terminals. The embedded controller 31 is connected to, for example, the input unit 32 and the power supply circuit 33 via these input/output terminals, and the embedded controller 31 controls the operation of these components.
[0032] The input unit 32 is, for example, an input device such as a keyboard, a pointing device, or a touchpad.
[0033] The power supply circuit 33 includes, for example, a DC/DC converter, a charge/discharge unit, a battery unit, and an AC/DC adapter, and converts the DC voltage supplied from the AC/DC adapter or battery unit into the multiple voltages necessary to operate the notebook PC 1. The power supply circuit 33 also supplies power to various parts of the notebook PC 1 based on control from the embedded controller 31.
[0034] The SSD 40 (an example of a memory drive device) stores the OS, various drivers, various services/utilities, application programs, and various data. The SSD 40 is connected to the chipset 21, for example, via a Serial ATA or PCI-Express bus. Alternatively, the SSD 40 may be connected to the CPU 11. In this embodiment, the SSD 40 is assumed to be connected to the chipset 21 via an NVMe connection using the PCI-Express bus. The SSD 40 also includes multiple flash memory devices 41 and a memory controller 42.
[0035] The flash memory 41 is, for example, a NAND flash memory, which is an example of rewritable non-volatile memory. The flash memory 41 can be erased in page units or block units.
[0036] The memory controller 42 is a processor that includes, for example, a CPU, ROM, RAM, etc. (not shown), and comprehensively controls the SSD 40. The memory controller 42 performs processes such as controlling the host interface (host I/F) with the chipset 21, controlling the memory interface (memory I/F) with the flash memory 41, and managing the data of the flash memory 41.
[0037] Next, with reference to Figure 3, the functional configuration of the information processing system 100 according to this embodiment will be described. Figure 3 is a functional block diagram showing an example of the functional configuration of the information processing system 100 according to this embodiment. Note that Figure 3 only shows the configurations related to the present invention among the various functional configurations of the information processing system 100.
[0038] As shown in Figure 3, the information processing system 100 includes a notebook PC 1 and a management server 5. The management server 5 comprises a network communication unit 51, a server storage unit 52, and a server control unit 53.
[0039] The NW (Network) communication unit 51 is a network adapter that can connect to network NW1, for example, via a wired LAN, and can connect to notebook PC 1 via network NW1.
[0040] The server storage unit 52 is a storage unit implemented using, for example, RAM, SSD, HDD, etc., and stores various information used by the management server 5. The server storage unit 52 includes a device information storage unit 521, a key information storage unit 522, an erase program storage unit 523, a command storage unit 524, and an erase result storage unit 525.
[0041] The device information storage unit 521 stores device information for each notebook PC 1 manufactured and shipped by the manufacturer. For example, the device information storage unit 521 stores the serial number, product model name, and public key (PC public key) of the notebook PC 1. The device information storage unit 521 will now be described with reference to Figure 4.
[0042] Figure 4 shows an example of data in the device information storage unit 521 in this embodiment. As shown in Figure 4, the device information storage unit 521 stores the serial number, product model name, SSD model name, and public key in association with each other.
[0043] Here, the serial number is an example of identification information for the notebook PC 1, and is the serial number assigned to the notebook PC 1 during its manufacture. The product model name indicates the product model name or product name of the notebook PC 1, and the SSD model name indicates the model name or model number of the SSD 40 installed in the notebook PC 1. The public key here refers to the PC public key.
[0044] The PC public key is the public key for public-key cryptography assigned to the notebook PC 1, and it forms a key pair with the private key (PC private key) similarly assigned to the notebook PC 1. The key pair of the PC public key and PC private key is assigned when the notebook PC 1 is manufactured, and one key pair is assigned to each notebook PC 1. Examples of public-key cryptography include RSA encryption and elliptic curve cryptography.
[0045] In the example shown in Figure 4, the notebook PC 1 with serial number "XXXXXXX" has the product model name "XPCXYZ-XX" and the SSD model name "SSDXXXXX". It also shows that the public key (PC public key) of this notebook PC 1 is "PUBKEY1".
[0046] Returning to the explanation of Figure 3, the key information storage unit 522 stores the key pair of the management server 5's private key (server private key) and public key (server public key). In this embodiment, the server private key and server public key are examples of the first private key and first public key, and the PC private key and PC public key are examples of the second private key and second public key.
[0047] The erasure program storage unit 523 stores the data erasure program to be installed on the SSD 40. The data erasure program is a program executable on the SSD 40 that completely and automatically erases the data stored on the SSD 40. The erasure program storage unit 523 may, for example, hold a different data erasure program for each model name (model number) of the SSD 40. Now, referring to Figure 5, an example of the data in the erasure program storage unit 523 will be explained.
[0048] The data erasure program may be, for example, the latest firmware for the SSD 40 provided by the SSD 40 vendor; it may be firmware consisting of the data erasure program itself, or the entire firmware of the SSD 40 including the data erasure program.
[0049] Figure 5 shows an example of data in the erase program storage unit 523 in this embodiment. As shown in Figure 5, the erase program storage unit 523 stores the SSD model name and the data erasure program in association. In the example shown in Figure 5, the erasure program storage unit 523 stores "PRGA" as the data erasure program corresponding to the SSD model name "SSDXXXXX", and "PRGB" as the data erasure program corresponding to the SSD model name "SSDYYYYY".
[0050] Returning to the explanation of Figure 3, the command storage unit 524 stores the erase command to be sent to the SSD 40 when the data on the SSD 40 is erased by the data erasure program. The command storage unit 524 may store, for example, the SSD model name and command information indicating the erase command in association.
[0051] The erasure result storage unit 525 stores the data erasure result, which is the result of executing the data erasure program described above on the SSD 40 of the notebook PC 1. Here, an example of the data in the erasure result storage unit 525 will be explained with reference to Figure 6.
[0052] Figure 6 shows an example of data in the erase result storage unit 525 in this embodiment. As shown in Figure 6, the erase result storage unit 525 stores, for example, the serial number, the date and time of erasure, and the erasure result in association with each other.
[0053] Here, the serial number is the serial number of the notebook PC 1, and the erasure date and time is the date and time at which the data erasure program was executed. The erasure result is information indicating the execution result of the data erasure program, and may include, for example, an error code if the erasure failed.
[0054] In the example shown in Figure 6, the notebook PC 1 with serial number "XXXXXXX" had the data erasure program executed on its SSD 40 at "2024/09/15 10:00:00" (10:00 AM on September 15, 2024), and the erasure result is "erasure complete".
[0055] Furthermore, the notebook PC 1 with serial number "YYYYYYY" had the data erasure program executed on its SSD 40 at "2024/09/15 11:00:00" (11:00 AM on September 15, 2024), and the erasure result was "Erasure failed (Error code: XXX)".
[0056] Returning to the explanation of Figure 3, the server control unit 53 is a functional unit that is realized, for example, by having a CPU (not shown) execute a program stored in the server storage unit 52. The server control unit 53 performs various processes such as registering information stored in the device information storage unit 521 and erasing data stored in the SSD 40 of the notebook PC 1. The server control unit 53 comprises an erase program transmission processing unit 531, a command transmission processing unit 532, and an erase result storage processing unit 533.
[0057] The erasure program transmission processing unit 531 executes a first transmission process to send the data erasure program for the SSD 40 to the notebook PC 1, using encryption processing with the server secret key, which is the secret key of the management server 5. The erasure program transmission processing unit 531 obtains the data erasure program corresponding to the notebook PC 1 (SSD 40) to be erased from the erasure program storage unit 523. That is, the erasure program transmission processing unit 531 obtains the data erasure program corresponding to the serial number of the notebook PC 1 to be erased from the erasure program storage unit 523.
[0058] The erasure program transmission processing unit 531 generates an electronic signature of the data erasure program from the acquired data erasure program using the server secret key stored in the key information storage unit 522. The erasure program transmission processing unit 531 generates a hash value of the data erasure program using, for example, a hash function, and then performs public-key cryptography encryption on the hash value using the server secret key to generate an electronic signature of the data erasure program.
[0059] The erasure program transmission processing unit 531 adds an electronic signature to the data erasure program via the NW communication unit 51 and transmits it to the notebook PC 1.
[0060] The command transmission processing unit 532 performs a second transmission process that uses encryption processing with the server's secret key to send an erase command to the notebook PC 1, instructing the SSD 40's processor (e.g., the memory controller 42) to execute the data erasure program. The command transmission processing unit 532 obtains the erase command corresponding to the notebook PC 1 (SSD 40) to be erased from the command storage unit 524.
[0061] The command transmission processing unit 532 generates an electronic signature for the erase command from the acquired erase command using the server secret key stored in the key information storage unit 522. For example, the command transmission processing unit 532 generates a hash value of the erase command using a hash function, and then performs public-key cryptography encryption on the hash value using the server secret key to generate an electronic signature for the erase command.
[0062] The command transmission processing unit 532 adds an electronic signature to the erase command and sends it to the notebook PC 1 via the NW communication unit 51.
[0063] The erasure result storage processing unit 533 uses the PC public key (second public key), which is the public key of the notebook PC 1, to verify the validity of the data erasure result. If the validity of the data erasure result is verified, it performs a result storage process to store the verified data erasure result in the erasure result storage unit 525.
[0064] When the erasure result storage processing unit 533 receives the data erasure result and digital signature from the notebook PC 1 via the NW communication unit 51, it generates a hash value of the data erasure result, for example, using a hash function. The erasure result storage processing unit 533 also performs public-key cryptography decryption on the received digital signature using the PC's public key to generate the decrypted value (hash value) of the digital signature. The erasure result storage processing unit 533 obtains the PC's public key corresponding to the serial number of the notebook PC 1 to be erased from the device information storage unit 521.
[0065] The erasure result storage processing unit 533 determines the validity of the data erasure result by checking whether the hash value of the generated data erasure result matches the decrypted value (hash value) of the digital signature. The erasure result storage processing unit 533 determines that the data erasure result is valid if the hash value of the generated data erasure result matches the decrypted value (hash value) of the digital signature, and stores the data erasure result in the erasure result storage unit 525. For example, as shown in Figure 6, the erasure result storage processing unit 533 associates the serial number, the erasure date and time, and the erasure result and stores them in the erasure result storage unit 525.
[0066] Furthermore, the erasure result storage processing unit 533 determines that the data erasure result is invalid if the generated hash value of the data erasure result does not match the decrypted value (hash value) of the digital signature, and executes an abnormal termination process. For example, as an abnormal termination process, the erasure result storage processing unit 533 notifies the administrator of notebook PC 1 (for example, by email) that an abnormality has occurred in which the data erasure result is invalid.
[0067] Notebook PC 1 comprises a main control unit 10, an embedded controller 31, an SSD 40, and a network communication unit 230. The NW communication unit 230 is a functional unit implemented by, for example, a WLAN card 23, and can connect to the management server 5 via the network NW1.
[0068] The main control unit 10 is a functional unit that is realized by causing the CPU 11 to execute programs stored in the SSD 40, BIOS memory 22, and main memory 12, etc. The main control unit 10 executes processing based on the OS and BIOS. The main control unit 10 includes, for example, a BIOS processing unit 101 and an OS processing unit 102.
[0069] The BIOS processing unit 101 is a functional unit that is realized, for example, by causing the CPU 11 to execute the BIOS program stored in the BIOS memory 22, and performs processing based on the BIOS.
[0070] The OS processing unit 102 is a functional unit that is realized, for example, by having the CPU 11 execute the OS program stored in the SSD 40, and performs OS-based processing.
[0071] The embedded controller 31 communicates with the management server 5 when performing data erasure processing on the SSD 40 and performs various processes for executing data erasure processing on the SSD 40. The embedded controller 31 includes a key information storage unit 311, an installation processing unit 312, a data erasure processing unit 313, and an erasure result transmission processing unit 314.
[0072] The key information storage unit 311 is a storage unit implemented, for example, by the built-in storage unit of the embedded controller 31 or the firmware area of the embedded controller 31 in the BIOS memory 22, and stores key information such as the PC private key and the server public key. The key information storage unit 311 is a secure area that cannot be directly accessed from the outside, such as the OS, and is implemented by a security area that makes it impossible to illegally read the PC private key and the server public key from the outside. The key information stored in the key information storage unit 311 is stored, for example, during the manufacturing of the notebook PC 1.
[0073] The installation processing unit 312 uses the server public key (first public key), which is the public key of the management server 5, to verify the legitimacy of the data erasure program. If the legitimacy of the data erasure program is confirmed, it executes an installation process to install the verified data erasure program onto the SSD 40.
[0074] When the installation processing unit 312 receives the data erasure program and digital signature from the management server 5 via the network communication unit 230, it generates a hash value of the data erasure program, for example, using a hash function. The installation processing unit 312 also performs public-key cryptography decryption on the received digital signature using the server's public key stored in the key information storage unit 311, and generates a decrypted value (hash value) of the digital signature.
[0075] The installation processing unit 312 determines the legitimacy of the data erasure program by checking whether the hash value of the generated data erasure program matches the decrypted value (hash value) of the digital signature. If the hash value of the generated data erasure program matches the decrypted value (hash value) of the digital signature, the installation processing unit 312 determines that the data erasure program is legitimate and installs the data erasure program on the SSD 40.
[0076] The installation processing unit 312 sends a data erasure program to the SSD 40 via the BIOS processing unit 101 (BIOS) and causes the SSD 40 to install the latest data erasure program.
[0077] Furthermore, if the hash value of the generated data erasure program does not match the decrypted value (hash value) of the digital signature, the installation processing unit 312 determines that the data erasure program is not legitimate and executes an abnormal termination process. As an abnormal termination process, the installation processing unit 312, for example, stops the data erasure process of the SSD 40 and notifies the management server 5 of the abnormal termination.
[0078] The data erasure processing unit 313 uses the server's public key to verify the validity of the erasure command. If the validity of the erasure command is confirmed, it sends the verified erasure command to the SSD 40 and causes the data erasure program to execute the data erasure process.
[0079] When the data erasure processing unit 313 receives an erasure command and an electronic signature from the management server 5 via the network communication unit 230, it generates a hash value of the erasure command, for example, using a hash function. The data erasure processing unit 313 also performs public-key cryptography decryption on the received electronic signature using the server's public key stored in the key information storage unit 311, and generates a decrypted value (hash value) of the electronic signature.
[0080] The data erasure processing unit 313 determines the validity of the erasure command by checking whether the hash value of the generated erasure command matches the decrypted value (hash value) of the digital signature. The data erasure processing unit 313 determines that the erasure command is valid if the hash value of the generated erasure command matches the decrypted value (hash value) of the digital signature, and sends the erasure command to the SSD 40.
[0081] The data erasure processing unit 313 sends an erasure command to the SSD 40 via the BIOS processing unit 101 (BIOS), causing the SSD 40 to execute the data erasure process using the data erasure program.
[0082] Furthermore, the data erasure processing unit 313 determines that the erasure command is invalid if the hash value of the generated erasure command does not match the decrypted value (hash value) of the digital signature, and executes an abnormal termination process. As part of the erasure command abnormal termination process, for example, it stops the data erasure process of the SSD 40 and notifies the management server 5 of the abnormal termination.
[0083] The erasure result transmission processing unit 314 executes a third transmission process to send the data erasure result, which is the result of the data erasure process, to the management server 5 using encryption processing with the PC private key (second private key), which is the private key of the notebook PC 1.
[0084] The erasure result transmission processing unit 314 obtains the data erasure result, which is the result of executing the erasure command, from the SSD 40 via the BIOS processing unit 101 (BIOS), and generates a hash value of the obtained data erasure result using, for example, a hash function. The erasure result transmission processing unit 314 then performs public-key cryptography encryption on the generated hash value using the PC secret key stored in the key information storage unit 311 to generate an electronic signature of the data erasure result.
[0085] The erasure result transmission processing unit 314 adds an electronic signature to the data erasure result via the NW communication unit 230 and transmits it to the management server 5.
[0086] The SSD 40 comprises a memory controller 42 and a data storage unit 410. The data storage unit 410 is a storage unit realized by the multiple flash memories 41 described above, and is the storage unit that is subject to data erasure processing.
[0087] The memory controller 42 comprises a memory management unit 421, a command processing unit 422, and a command program storage unit 423. The command program storage unit 423 is a storage unit implemented, for example, in the RAM, ROM (such as flash memory) built into the memory controller 42, and the flash memory 41 of the SSD, and stores command processing programs installed from an external source. For example, if a data erasure program is installed on the SSD 40, the command program storage unit 423 stores the data erasure program.
[0088] The memory management unit 421 is a functional unit implemented by a CPU (processor) (not shown) of the memory controller 42, and manages the data storage unit 410.
[0089] The command processing unit 422 is a functional unit implemented by a CPU (processor) (not shown) of the memory controller 42, and executes various command processing for the SSD 40. For example, when the command processing unit 422 receives an erase command from the data erase processing unit 313 via the BIOS processing unit 101 (BIOS), it executes the data erase process of the data storage unit 410 by running the data erase program stored in the command program storage unit 423.
[0090] Next, the operation of the information processing system 100 according to this embodiment will be described with reference to the drawings. Figures 7 and 8 show an example of the operation of the information processing system 100 according to this embodiment.
[0091] As shown in Figures 7 and 8, first, the management server 5 generates an electronic signature for the data erasure program using the server's secret key (step S101). The erasure program transmission processing unit 531 of the management server 5 obtains the data erasure program corresponding to the notebook PC 1 (SSD 40) to be erased from the erasure program storage unit 523. The erasure program transmission processing unit 531 generates a hash value for the data erasure program using, for example, a hash function, and then performs public-key cryptography encryption on the hash value using the server's secret key to generate an electronic signature for the data erasure program.
[0092] The management server 5 may initiate the process in step S101 in response to a request from the notebook PC 1 whose data is to be erased, or it may initiate the process in step S101 on its own initiative in response to a request from the administrator of the notebook PC 1 or when the execution conditions (for example, a set date and time) are met. Additionally, the data erasure program may be the latest SSD 40 firmware provided by the SSD 40 vendor.
[0093] Next, the management server 5 sends the data erasure program and digital signature to the embedded controller 31 of the notebook PC 1 (step S102). The erasure program transmission processing unit 531 sends the data erasure program and digital signature to the notebook PC 1 (embedded controller 31) via the network communication unit 51.
[0094] Next, the embedded controller 31 verifies the digital signature of the data erasure program using the server's public key (step S103). When the installation processing unit 312 of the embedded controller 31 receives the data erasure program and digital signature from the management server 5 via the NW communication unit 230, it generates a hash value of the data erasure program, for example, using a hash function. The installation processing unit 312 also performs public-key cryptography decryption on the received digital signature using the server's public key stored in the key information storage unit 311 to generate a decrypted value (hash value) of the digital signature. The installation processing unit 312 verifies the legitimacy of the data erasure program by checking whether the generated hash value of the data erasure program matches the decrypted value (hash value) of the digital signature.
[0095] Next, the installation processing unit 312 determines whether the data erasure program is legitimate or not (step S104). The installation processing unit 312 determines that the data erasure program is legitimate if the hash value of the generated data erasure program matches the decrypted value (hash value) of the digital signature (step S104: YES), and proceeds to step S105. If the installation processing unit 312 determines that the data erasure program is not legitimate (step S104: NO), it proceeds to step S108 and executes abnormal termination processing.
[0096] In step S105, the embedded controller 31 sends the data erasure program to the BIOS processing unit 101 (BIOS), and the BIOS processing unit 101 (BIOS) sends the data erasure program to the SSD 40 (step S106).
[0097] Next, the memory controller 42 of the SSD 40 installs the data erasure program (step S106). The memory controller 42 installs the data erasure program received from the installation processing unit 312 via the BIOS by storing it in the command program storage unit 423, and makes it possible to execute erasure commands.
[0098] Next, the SSD 40 sends an installation completion notification to the BIOS processing unit 101 (BIOS) (step S109), and the BIOS processing unit 101 (BIOS) forwards the installation completion notification to the embedded controller 31 (step S110). Next, the embedded controller 31 sends an installation completion notification to the management server 5 via the NW communication unit 230 (step S111).
[0099] Next, the management server 5 generates an electronic signature for the erase command using the server's secret key (step S112). The command transmission processing unit 532 of the management server 5 obtains the erase command corresponding to the notebook PC 1 (SSD 40) to be erased from the command storage unit 524. The command transmission processing unit 532 generates a hash value of the erase command, for example, using a hash function, and then performs public-key cryptography encryption on the hash value using the server's secret key to generate an electronic signature for the erase command.
[0100] Next, the management server 5 sends the erase command and digital signature to the embedded controller 31 of the notebook PC 1 (step S113). The command transmission processing unit 532 sends the erase command and digital signature to the notebook PC 1 (embedded controller 31) via the network communication unit 51.
[0101] Next, the embedded controller 31 verifies the digital signature of the erase command using the server's public key (step S114). When the data erasure processing unit 313 of the embedded controller 31 receives the erase command and digital signature from the management server 5 via the NW communication unit 230, it generates a hash value of the erase command, for example, using a hash function. The data erasure processing unit 313 also performs public-key cryptography decryption on the received digital signature using the server's public key stored in the key information storage unit 311 to generate a decrypted value (hash value) of the digital signature. The data erasure processing unit 313 verifies the validity of the erase command by checking whether the generated hash value of the erase command matches the decrypted value (hash value) of the digital signature.
[0102] Next, the data erasure processing unit 313 determines whether the erasure command is valid or not (step S115). The data erasure processing unit 313 determines that the erasure command is valid if the hash value of the generated erasure command matches the decrypted value (hash value) of the digital signature (step S115: YES), and proceeds to step S116. If the data erasure processing unit 313 determines that the erasure command is not valid (step S115: NO), it proceeds to step S119 and executes abnormal termination processing.
[0103] In step S116, the embedded controller 31 sends an erase command to the BIOS processing unit 101 (BIOS), and the BIOS processing unit 101 (BIOS) sends an erase command to the SSD 40 (step S117).
[0104] Next, the command processing unit 422 of the SSD 40 executes the data erasure process of the SSD 40 (step S118). In response to the received erasure command, the command processing unit 422 executes the data erasure program stored in the command program storage unit 423 to completely erase the data in the data storage unit 410.
[0105] Next, the command processing unit 422 sends the data erasure result, which is the result of executing the erase command, to the BIOS processing unit 101 (BIOS) (step S120), and the BIOS processing unit 101 (BIOS) transfers the data erasure result to the embedded controller 31 (step S121).
[0106] Next, the erasure result transmission processing unit 314 of the embedded controller 31 generates an electronic signature of the data erasure result using the PC secret key (step S122). The erasure result transmission processing unit 314 generates a hash value of the acquired data erasure result using, for example, a hash function, and then performs public-key cryptography encryption on the generated hash value using the PC secret key stored in the key information storage unit 311 to generate an electronic signature of the data erasure result.
[0107] Next, the erasure result transmission processing unit 314 transmits the data erasure result and the electronic signature to the management server 5 (step S123). The erasure result transmission processing unit 314 adds an electronic signature to the data erasure result via the NW communication unit 230 and transmits it to the management server 5.
[0108] Next, the management server 5 verifies the digital signature of the data erasure result using the PC's public key (step S124). The management server 5 generates a hash value of the data erasure result using, for example, a hash function. The erasure result storage processing unit 533 then performs a public-key cryptographic decryption process on the received digital signature using the PC's public key to generate a decrypted value (hash value) of the digital signature. The erasure result storage processing unit 533 verifies the validity of the data erasure result by checking whether the generated hash value of the data erasure result matches the decrypted value (hash value) of the digital signature.
[0109] The erasure result storage processing unit 533 determines whether the data erasure result is valid or not (step S125). The erasure result storage processing unit 533 determines that the data erasure result is valid if the hash value of the generated data erasure result matches the decrypted value (hash value) of the digital signature (step S125: YES), and proceeds to step S126. If the erasure result storage processing unit 533 determines that the data erasure result is not valid (step S125: NO), it proceeds to step S127 and executes abnormal termination processing.
[0110] In step S126, the erasure result storage processing unit 533 stores the data erasure result in the erasure result storage unit 525. For example, as shown in Figure 6, the erasure result storage processing unit 533 associates the serial number, the erasure date and time, and the erasure result and stores them in the erasure result storage unit 525.
[0111] In Figures 7 and 8, steps S101 and S102 correspond to the first transmission step, steps S112 and S113 correspond to the second transmission step, and steps S122 and S123 correspond to the third transmission step.
[0112] Furthermore, the processes from step S103 to step S106 (or step S107) correspond to the installation step, and the processes from step S114 to step S117 (or step S118) correspond to the data erasure step. In addition, the processes from step S124 to step S126 correspond to the result storage step.
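As an added illustration (not part of the patent text), the three-party exchange of steps S101 to S126 in Go, using PKCS#1 v1.5 RSA signatures over SHA-256 as the padded form of the patent's "hash, then encrypt the hash with the secret key": the management server signs the erasure program and the erase command, the embedded controller verifies each with the server public key before anything is passed to the SSD and signs the erasure result with the PC private key, and the server verifies the result with the PC public key before storing it. The message bodies, the `ERASE` command string, the result strings and the in-memory key handling are constructed for this example; the patent specifies none of them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ErrAbnormal is returned where the patent's abnormal termination process would run.
var ErrAbnormal = errors.New("abnormal termination: signature verification failed")

type Signed struct{ Data, Sig []byte } // transmission data with its signature information ([0121])

// sign hashes the data and signs the hash with the private key (PKCS#1 v1.5); RNG failure is fatal.
func sign(priv *rsa.PrivateKey, data []byte) Signed {
	h := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return Signed{Data: data, Sig: sig}
}

// verify recomputes the hash of the received data and checks it against the signature.
func verify(pub *rsa.PublicKey, msg Signed) bool {
	h := sha256.Sum256(msg.Data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], msg.Sig) == nil
}

// SSD is memory controller 42: command program storage unit 423 and data storage unit 410.
type SSD struct{ Program, Data []byte }

// Execute runs the erase command with the installed program and returns the erasure result.
func (s *SSD) Execute(cmd []byte) []byte {
	if s.Program == nil || string(cmd) != "ERASE" {
		return []byte("result=rejected")
	}
	for i := range s.Data { // the installed erasure program overwrites the data area
		s.Data[i] = 0
	}
	return []byte("result=erased")
}

// EmbeddedController is key information storage unit 311 plus the relay: only verified messages reach the SSD.
type EmbeddedController struct {
	PCKey     *rsa.PrivateKey
	ServerPub *rsa.PublicKey
	SSD       *SSD
}

// Install is the installation step (S103 to S107): verify, then install into the SSD.
func (ec *EmbeddedController) Install(prog Signed) error {
	if !verify(ec.ServerPub, prog) {
		return ErrAbnormal
	}
	ec.SSD.Program = prog.Data
	return nil
}

// Erase is the data erasure step plus the third transmission (S114 to S123): verify, run, sign the result.
func (ec *EmbeddedController) Erase(cmd Signed) (Signed, error) {
	if !verify(ec.ServerPub, cmd) {
		return Signed{}, ErrAbnormal
	}
	return sign(ec.PCKey, ec.SSD.Execute(cmd.Data)), nil
}

// ManagementServer holds the server private key, the PC public key and erasure result storage unit 525.
type ManagementServer struct {
	ServerKey *rsa.PrivateKey
	PCPub     *rsa.PublicKey
	Results   [][]byte
}

// Send is the first and second transmission process: sign the data with the server private key.
func (m *ManagementServer) Send(data []byte) Signed { return sign(m.ServerKey, data) }

// StoreResult is the result storage step (S124 to S126): verify with the PC public key, then store.
func (m *ManagementServer) StoreResult(res Signed) error {
	if !verify(m.PCPub, res) {
		return ErrAbnormal
	}
	m.Results = append(m.Results, res.Data)
	return nil
}

// RunErasure carries one erasure from S101 through S126 and returns the stored erasure result.
func RunErasure(srv *ManagementServer, ec *EmbeddedController, program []byte) ([]byte, error) {
	if err := ec.Install(srv.Send(program)); err != nil { // S101 to S107
		return nil, err
	}
	res, err := ec.Erase(srv.Send([]byte("ERASE"))) // S112 to S123
	if err != nil {
		return nil, err
	}
	return res.Data, srv.StoreResult(res) // S124 to S126
}
```

To drive it, generate the two key pairs with `rsa.GenerateKey`, give the server its private key and the PC public key, give the controller the PC private key and the server public key (the split [0072] describes), and call `RunErasure`; altering one byte of the program or command in transit makes `Install` or `Erase` return `ErrAbnormal` and nothing reaches the SSD.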
[0113] As described above, the data erasure method according to this embodiment is a data erasure method for a notebook PC 1 (information processing device) equipped with an SSD 40 (memory drive device), and includes a first transmission step, an installation step, a second transmission step, and a data erasure step. In the first transmission step, the management server 5 that manages the notebook PC 1 transmits a data erasure program for the SSD 40 to the notebook PC 1 using encryption processing with the server secret key (first secret key), which is the secret key of the management server 5. In the installation step, the notebook PC 1 verifies the legitimacy of the data erasure program using the server public key (first public key), which is the public key of the management server 5, and if the legitimacy of the data erasure program is verified, the notebook PC 1 installs the verified data erasure program into the SSD 40. In the second transmission step, the management server 5 transmits an erasure command to the notebook PC 1, which causes the processor of the SSD 40 to execute the data erasure program, using encryption processing with the server secret key. In the data erasure step, the notebook PC 1 uses the server's public key to verify the validity of the erasure command. If the validity of the erasure command is verified, it sends the verified erasure command to the SSD 40, causing the data erasure program to execute the data erasure process.
[0114] As a result, the data erasure method according to this embodiment uses the management server 5 and performs data erasure on the SSD 40 using a data erasure program and erasure command whose legitimacy is ensured by the server's private key (first private key) and server's public key (first public key). Therefore, in erasing data on the SSD 40, data can be reliably erased and reliability can be guaranteed. With the data erasure method according to this embodiment, for example, when a company disposes of a notebook PC 1 that has been used by the company, it is possible to guarantee that the data on the SSD 40 built into the notebook PC 1 has been completely erased.
[0115] Furthermore, the data erasure method according to this embodiment includes a third transmission step and a result storage step. In the third transmission step, the notebook PC 1 (erasure result transmission processing unit 314) transmits the data erasure result, which is the result of the data erasure process (erasure command), to the management server 5 using encryption processing with the PC private key (second private key), which is the private key of the notebook PC 1. In the result storage step, the management server 5 uses the PC public key (second public key), which is the public key of the notebook PC 1, to verify the validity of the data erasure result. If the validity of the data erasure result is verified, the management server 5 stores the verified data erasure result in the erasure result storage unit 525.
[0116] As a result, the data erasure method according to this embodiment allows the management server 5 to store data erasure results that are guaranteed to be reliable. For example, when a company disposes of a notebook PC 1 that has been used by the company, this can be used as evidence to prove that the data on the SSD 40 of the notebook PC 1 has been completely erased.
[0117] Furthermore, in this embodiment, the notebook PC 1 includes an embedded controller 31 (sub-control unit), a sub-control unit that can operate independently of the main control unit 10 that executes processing based on the OS and BIOS, and that is a secure area which cannot be directly accessed from the outside and has a security area storing at least the server public key and the PC private key. In the installation step and the data erasure step, the embedded controller 31 verifies the validity of the data erasure program and erasure command, and the notebook PC 1 transmits the data erasure program and erasure command to the SSD 40 via the embedded controller 31 and the BIOS.
[0118] As a result, the data erasure method according to this embodiment operates independently of the main control unit 10 and uses an embedded controller 31 (sub-control unit) having a security area to verify the legitimacy of the data erasure program and erasure command. Therefore, the possibility of data erasure being performed by an unauthorized data erasure program and erasure command can be further reduced. Thus, the data erasure method according to this embodiment can more reliably erase data and ensure even higher reliability when erasing data from the SSD 40.
[0119] Furthermore, in this embodiment, in the third transmission step, the embedded controller 31 transmits the data erasure result to the management server 5 using encryption processing with the PC secret key.
[0120] As a result, the data erasure method according to this embodiment can further enhance the reliability of the data erasure results by using the embedded controller 31.
[0121] Furthermore, in this embodiment, in the first and second transmission steps, the management server 5 generates signature information (e.g., digital signature) for the transmission data using cryptographic processing with the server's private key, adds the signature information (e.g., digital signature) to the transmission data, and sends it to the notebook PC 1. In the installation step and the data erasure step, the notebook PC 1 verifies the validity of the data erasure program and erasure command based on the signature information (e.g., digital signature) and the server's public key. In the third transmission step, the notebook PC 1 generates signature information (e.g., digital signature) for the data erasure result using cryptographic processing with the PC's private key, adds the signature information to the data erasure result, and sends it to the management server 5. In the result storage step, the management server 5 verifies the validity of the data erasure result based on the signature information (e.g., digital signature) and the PC's public key.
[0122] As a result, the data erasure method according to this embodiment can verify the legitimacy of the data erasure program and erasure command, as well as the legitimacy of the data erasure result, without imposing a heavy processing load, by using signature information (e.g., an electronic signature).
[0123] Furthermore, in this embodiment, the memory drive device is an SSD 40. As a result, the data erasure method according to this embodiment can reliably erase data and ensure reliability when erasing data from the SSD 40.
[0124] Furthermore, the information processing system 100 according to this embodiment includes a notebook PC 1 with a built-in SSD 40 and a management server 5 that manages the notebook PC 1. The management server 5 performs a first transmission process and a second transmission process. In the first transmission process, the management server 5 uses encryption processing with the server secret key, which is the private key of the management server 5, to send the data erasure program for the SSD 40 to the notebook PC 1. In the second transmission process, the management server 5 uses encryption processing with the server secret key to send an erase command to the notebook PC 1 that causes the processor of the SSD 40 to execute the data erasure program. The notebook PC 1 also performs an installation process and a data erasure process. In the installation process, the notebook PC 1 uses the server public key, which is the public key of the management server 5, to verify the legitimacy of the data erasure program, and if the legitimacy of the data erasure program is verified, the notebook PC 1 installs the verified data erasure program into the SSD 40. During the data erasure process, the notebook PC 1 uses the server's public key to verify the validity of the erasure command. If the validity of the erasure command is confirmed, it sends the verified erasure command to the SSD 40, causing the data erasure program to execute the data erasure process.
[0125] As a result, the information processing system 100 according to this embodiment achieves the same effects as the data erasure method described above, ensuring reliable data erasure and reliability in the SSD 40 data erasure process.
[0126] Furthermore, the notebook PC 1 (information processing device) according to this embodiment is a notebook PC 1 of an information processing system comprising a notebook PC 1 with a built-in SSD 40 and a management server 5 that manages the notebook PC 1, and comprises an installation processing unit 312 and a data erasure processing unit 313. The installation processing unit 312 uses encryption processing with the server secret key, which is the secret key of the management server 5, to obtain the data erasure program for the SSD 40 sent by the management server 5, and uses the server public key, which is the public key of the management server 5, to verify the legitimacy of the data erasure program, and if the legitimacy of the data erasure program is confirmed, installs the verified data erasure program into the SSD 40. The data erasure processing unit 313 uses encryption processing with the server secret key to obtain an erase command sent by the management server 5 that causes the processor of the SSD 40 to execute the data erasure program, and uses the server public key to verify the legitimacy of the erase command, and if the legitimacy of the erase command is confirmed, sends the verified erase command to the SSD 40 to execute the data erasure process by the data erasure program.
[0127] As a result, the notebook PC 1 (information processing device) according to this embodiment achieves the same effects as the data erasure method and information processing system 100 described above, and can reliably erase data and ensure reliability when erasing data from the SSD 40.
[0128] Next, with reference to the drawings, an information processing system 100a according to a second embodiment will be described. In the second embodiment, a modified example will be described in which the BIOS processing unit 101a performs the operations of the installation processing unit 312, the data erasure processing unit 313, and the erasure result transmission processing unit 314 instead of the embedded controller 31.
[Second Embodiment]
[0129] Figure 9 is a functional block diagram showing an example of the functional configuration of the information processing system 100a according to the second embodiment. Note that Figure 9 only shows the configurations related to the present invention among the various functional configurations of the information processing system 100a.
[0130] The configuration diagram of the information processing system 100a and the main hardware configuration of the notebook PC 1a in this embodiment are the same as those of the first embodiment shown in Figures 1 and 2, so their explanation is omitted here. Furthermore, in Figure 9, components identical to those in Figure 3 are given the same reference numerals, and their explanations are omitted.
[0131] As shown in Figure 9, the information processing system 100a comprises a notebook PC 1a and a management server 5. The notebook PC 1a also comprises a main control unit 10a, an embedded controller 31a, an SSD 40, and a network communication unit 230.
[0132] The main control unit 10a is a functional unit that is realized by causing the CPU 11 to execute programs stored in the SSD 40, BIOS memory 22, and main memory 12, etc. The main control unit 10a executes processing based on the OS and BIOS. The main control unit 10a includes, for example, a BIOS processing unit 101a and an OS processing unit 102.
[0133] The BIOS processing unit 101a is a functional unit that is realized, for example, by causing the CPU 11 to execute the BIOS program stored in the BIOS memory 22, and performs processing based on the BIOS. The BIOS processing unit 101a includes an installation processing unit 112, a data erasure processing unit 113, and an erasure result transmission processing unit 114.
[0134] The installation processing unit 112, the data erasure processing unit 113, and the erasure result transmission processing unit 114 perform the same processing as the installation processing unit 312, the data erasure processing unit 313, and the erasure result transmission processing unit 314 of the first embodiment.
[0135] The embedded controller 31a communicates with the management server 5 when performing data erasure processing on the SSD 40, and performs various processes for executing data erasure processing on the SSD 40. The embedded controller 31a includes a key information storage unit 311.
[0136] The embedded controller 31a is similar to the embedded controller 31 of the first embodiment, except that most of the functions of the installation processing unit 312, the data erasure processing unit 313, and the erasure result transmission processing unit 314 have been moved to the BIOS processing unit 101a.
[0137] Furthermore, since the other functional configurations are the same as in the first embodiment, their explanation will be omitted here.
[0138] Next, with reference to the drawings, the operation of the information processing system 100a according to this embodiment will be described. Figures 10 and 11 show an example of the operation of the information processing system 100a according to this embodiment.
[0139] In Figures 10 and 11, the processes in steps S201 and S202 are the same as those in steps S101 and S102 shown in Figure 7, so their explanation is omitted here.
[0140] Next, the embedded controller 31a transmits the received data erasure program and digital signature to the BIOS processing unit 101a (step S203). As a result, the installation processing unit 112 of the BIOS processing unit 101a receives the data erasure program and digital signature.
[0141] Next, the BIOS processing unit 101a sends a request to the embedded controller 31a to send the server public key information (step S204). The installation processing unit 112 requests the server public key information from the embedded controller 31a in order to verify the digital signature of the data erasure program.
[0142] Next, the embedded controller 31a transmits the server public key information to the BIOS processing unit 101a (step S205). The embedded controller 31a transmits the server public key stored in the key information storage unit 311 to the BIOS processing unit 101a as server public key information.
[0143] Next, the BIOS processing unit 101a verifies the digital signature of the data erasure program using the server public key (step S206). On receiving the data erasure program and the digital signature, the installation processing unit 112 generates a hash value of the data erasure program using, for example, a hash function. The installation processing unit 112 also applies public-key decryption to the received digital signature using the server public key to obtain the decrypted value (hash value) carried by the signature. The installation processing unit 112 then verifies the legitimacy of the data erasure program by checking whether the generated hash value of the data erasure program matches the decrypted value (hash value) of the digital signature.
[0144] Next, the installation processing unit 112 determines whether the data erasure program is legitimate (step S207). If the generated hash value of the data erasure program matches the decrypted value (hash value) of the digital signature, the installation processing unit 112 determines that the data erasure program is legitimate (step S207: YES) and proceeds to step S208. If it determines that the data erasure program is not legitimate (step S207: NO), it proceeds to step S210 and executes abnormal termination processing, which includes destroying the server public key.
[0145] The subsequent processes from steps S208 to S215 are the same as those from steps S106 to S113 shown in Figure 7, so their explanation is omitted here.
[0146] Next, in step S216, the embedded controller 31a sends an erase command and an electronic signature to the BIOS processing unit 101a. As a result, the data erasure processing unit 113 of the BIOS processing unit 101a receives the erase command and the electronic signature.
[0147] Next, the BIOS processing unit 101a sends a request to the embedded controller 31a for the server public key information (step S217). The data erasure processing unit 113 requests the server public key information from the embedded controller 31a in order to verify the digital signature of the erase command.
[0148] Next, the embedded controller 31a transmits the server public key information to the BIOS processing unit 101a (step S218). The embedded controller 31a transmits the server public key stored in the key information storage unit 311 to the BIOS processing unit 101a as server public key information.
[0149] Next, the BIOS processing unit 101a verifies the digital signature of the erase command using the server public key (step S219). On receiving the erase command and the digital signature, the data erasure processing unit 113 generates a hash value of the erase command using, for example, a hash function. The data erasure processing unit 113 also applies public-key decryption to the received digital signature using the server public key to obtain the decrypted value (hash value) carried by the signature. The data erasure processing unit 113 then verifies the validity of the erase command by checking whether the generated hash value of the erase command matches the decrypted value (hash value) of the digital signature.
[0150] Next, the data erasure processing unit 113 determines whether the erase command is valid (step S220). If the generated hash value of the erase command matches the decrypted value (hash value) of the digital signature, the data erasure processing unit 113 determines that the erase command is valid (step S220: YES) and proceeds to step S221. If it determines that the erase command is not valid (step S220: NO), it proceeds to step S223 and executes abnormal termination processing, which includes destroying the server public key.
[0151] The subsequent processes from steps S221 to S225 are the same as those from steps S117 to S121 shown in Figure 7, so their explanation is omitted here.
[0152] Next, in step S226, the embedded controller 31a generates a digital signature of the data erasure result using the PC secret key. The embedded controller 31a generates a hash value of the acquired data erasure result using, for example, a hash function, and then encrypts the generated hash value with the PC secret key stored in the key information storage unit 311 to produce the digital signature of the data erasure result.
[0153] Next, the embedded controller 31a sends the digital signature to the BIOS processing unit 101a (step S227).
[0154] Next, the erasure result transmission processing unit 114 of the BIOS processing unit 101a transmits the data erasure result and the digital signature to the embedded controller 31a (step S228), and the embedded controller 31a transmits the data erasure result and the digital signature to the management server 5 (step S229). That is, the embedded controller 31a attaches the digital signature to the data erasure result and transmits it to the management server 5 via the NW communication unit 230.
[0155] The subsequent processes from step S230 to step S233 are the same as those from step S124 to step S127 shown in Figure 7, so their explanation is omitted here.
[0156] In Figures 10 and 11, steps S201 and S202 correspond to the first transmission step, steps S214 and S215 correspond to the second transmission step, and steps S226 to S229 correspond to the third transmission step.
[0157] Furthermore, the processes from step S204 to step S208 (or step S209) correspond to the installation step, and the processes from step S217 to step S221 (or step S222) correspond to the data erasure step. In addition, the processes from step S230 to step S232 correspond to the result storage step.
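The signed exchange of steps S203 to S232, modelled as runnable code. This is an added example and not part of the patent text: it assumes Ed25519 over a SHA-256 digest as the public-key signature scheme (the description names only "a hash function" and "public-key cryptography"), uses constructed stand-ins for the data erasure program, the erase command and the data erasure result, and assumes the two public keys have already been placed in the key information storage units out of band. The names ManagementServer, EmbeddedController, Install, Erase, StoreResult and RunScenario are this example's own. The tampered run exercises the abnormal-termination path: after one failed verification the stored server public key is overwritten and dropped, so even a correctly signed command is rejected afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ErrInvalidSignature: a signed program or command failed verification and the receiver
// performed abnormal termination, destroying the server public key (steps S210 / S223).
var ErrInvalidSignature = errors.New("signature invalid: server public key destroyed")

// ManagementServer models server 5: first secret key, second public key, result storage unit 525.
type ManagementServer struct {
	serverPriv ed25519.PrivateKey
	pcPub      ed25519.PublicKey
	Results    [][]byte
}

// EmbeddedController models key information storage unit 311 of EC 31a: first public key
// (server), second secret key (PC), and the erasure program handed to the SSD.
type EmbeddedController struct {
	serverPub ed25519.PublicKey
	pcPriv    ed25519.PrivateKey
	installed []byte
}

// signDigest hashes the data and signs the digest with the secret key (as in S226).
func signDigest(priv ed25519.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	return ed25519.Sign(priv, h[:])
}

// verifyDigest recomputes the digest and checks the signature; a destroyed (nil) key never verifies.
func verifyDigest(pub ed25519.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, h[:], sig)
}

// destroyServerKey overwrites and drops the stored server public key so nothing verifies later.
func (ec *EmbeddedController) destroyServerKey() {
	for i := range ec.serverPub {
		ec.serverPub[i] = 0
	}
	ec.serverPub = nil
}

// Install covers S203 to S209: verify the signed erasure program, then install it.
func (ec *EmbeddedController) Install(program, sig []byte) error {
	if !verifyDigest(ec.serverPub, program, sig) {
		ec.destroyServerKey()
		return ErrInvalidSignature
	}
	ec.installed = append([]byte(nil), program...)
	return nil
}

// Erase covers S216 to S227: verify the signed erase command, run the installed program
// (its outcome is modelled as a result string), and sign the result with the PC secret key.
func (ec *EmbeddedController) Erase(cmd, sig []byte) (result, resultSig []byte, err error) {
	if !verifyDigest(ec.serverPub, cmd, sig) {
		ec.destroyServerKey()
		return nil, nil, ErrInvalidSignature
	}
	result = []byte("erase-complete:" + string(ec.installed))
	return result, signDigest(ec.pcPriv, result), nil
}

// Sign is the server side of the first and second transmission steps.
func (s *ManagementServer) Sign(data []byte) []byte { return signDigest(s.serverPriv, data) }

// StoreResult covers S229 to S232: keep the result only if the PC signature verifies.
func (s *ManagementServer) StoreResult(result, sig []byte) error {
	if !verifyDigest(s.pcPub, result, sig) {
		return errors.New("data erasure result rejected: signature invalid")
	}
	s.Results = append(s.Results, result)
	return nil
}

// NewSystem provisions both sides; distributing the public keys is assumed to happen out of band.
func NewSystem() (*ManagementServer, *EmbeddedController) {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	pcPub, pcPriv, _ := ed25519.GenerateKey(rand.Reader)
	ec := &EmbeddedController{serverPub: append([]byte(nil), serverPub...), pcPriv: pcPriv}
	return &ManagementServer{serverPriv: serverPriv, pcPub: pcPub}, ec
}

// RunScenario drives the whole exchange with constructed program and command bytes. With tamper
// set, the command body is swapped in transit while the original signature is kept. It returns
// the number of results the server stored and the first error seen.
func RunScenario(tamper bool) (int, error) {
	srv, ec := NewSystem()
	program, cmd := []byte("ssd-erase-v1"), []byte("ERASE")
	if err := ec.Install(program, srv.Sign(program)); err != nil {
		return 0, err
	}
	sig := srv.Sign(cmd)
	if tamper {
		cmd = []byte("SKIP ")
	}
	result, resultSig, err := ec.Erase(cmd, sig)
	if err == nil {
		err = srv.StoreResult(result, resultSig)
	}
	return len(srv.Results), err
}
```

RunScenario(false) completes the exchange and the server stores one verified result; RunScenario(true) returns ErrInvalidSignature with nothing stored, and from that point the controller rejects every further command, signed or not, because the key it would verify against is gone. Ed25519 does not "decrypt" the signature in the way paragraphs [0143] and [0149] describe for an RSA-style scheme, but the outcome is the same: a yes/no verdict on whether the signature matches the digest under the server public key.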
[0158] As described above, in the data erasure method and information processing system 100a according to this embodiment, instead of the embedded controller 31a, the BIOS processing unit 101a of the notebook PC 1a (information processing device) comprises an installation processing unit 112, a data erasure processing unit 113, and an erasure result transmission processing unit 114.
[0159] As a result, the data erasure method and information processing system 100a according to this embodiment have the same effects as the first embodiment described above, and can reliably erase data and ensure reliability when erasing data from the SSD 40.
[0160] It should be noted that the present invention is not limited to the embodiments described above, and can be modified without departing from the spirit of the invention. For example, in each of the embodiments described above, the information processing device was described as a notebook-type personal computer (notebook PC 1(1a)), but it is not limited to this, and may be other information processing devices such as a desktop personal computer or a tablet terminal device.
[0161] Furthermore, although the above embodiments describe an example where the memory drive device is an SSD 40, it is not limited to this, and other memory drive devices such as a flash memory card may be used. Also, although the above embodiments describe an example applied to a memory drive device, it may be applied to other drive devices such as an HDD (Hard Disk Drive).
[0162] Furthermore, while the above embodiments describe examples of verifying the legitimacy of the data erasure program, erasure command, and data erasure result using an electronic signature, the system is not limited to this, and the information processing system 100(100a) may verify legitimacy using other authentication information, signature information, etc.
[0163] Furthermore, instead of a digital signature, the information processing system 100 (100a) may verify the authenticity of the data erasure program, erase command, and data erasure result using encryption and decryption processing. Alternatively, the information processing system 100 may, for example, use Diffie-Hellman key exchange to establish a shared (symmetric) key between the management server 5 and the notebook PC 1, and verify the authenticity of the data erasure program, erase command, and data erasure result using symmetric-key cryptography.
[0164] Furthermore, each component of the information processing system 100 (100a) described above has a computer system inside. The processing in each component of the information processing system 100 (100a) may be performed by recording a program for realizing the functions of each component of the information processing system 100 (100a) on a computer-readable recording medium, loading the program recorded on this recording medium into the computer system, and executing it. Here, "loading the program recorded on the recording medium into the computer system and executing it" includes installing the program into the computer system. Here, "computer system" includes an operating system and hardware such as peripheral devices. Furthermore, "computer system" may include multiple computer devices connected via a network, including communication lines such as the Internet, a WAN, a LAN, and dedicated lines. "Computer-readable recording medium" refers to portable media such as flexible disks, magneto-optical disks, ROMs, and CD-ROMs, as well as storage devices such as hard disks built into computer systems. Thus, the recording medium storing the program may be a non-transitory recording medium such as a CD-ROM.
[0165] Furthermore, the recording medium also includes internal or external recording media accessible from the distribution server for distributing the program. The program may be divided into multiple parts, downloaded at different times, and then combined in each configuration of the information processing system 100 (100a), and each divided program may be distributed by a different distribution server. Additionally, "computer-readable recording medium" includes volatile memory (RAM) within computer systems that act as servers or clients when a program is transmitted over a network, which retains the program for a certain period of time. Moreover, the program may be intended to implement only a portion of the functions described above. Furthermore, the program may be a so-called differential file (differential program) that can implement the functions described above in combination with a program already recorded in the computer system.
[0166] Furthermore, some or all of the above-mentioned functions may be implemented as integrated circuits such as LSIs (Large Scale Integrations). Each of the above-mentioned functions may be implemented as an individual processor, or some or all of them may be integrated into a single processor. In addition, the method of implementing integrated circuits is not limited to LSIs; they may also be implemented using dedicated circuits or general-purpose processors. Furthermore, if advances in semiconductor technology lead to the emergence of integrated circuit technologies that can replace LSIs, integrated circuits using such technologies may be used.
[Explanation of symbols]
[0167]
- 1, 1a Notebook PC
- 5 Management server
- 10, 10a Main control unit
- 11 CPU
- 12 Main memory
- 13 Video subsystem
- 14 Display section
- 21 Chipset
- 22 BIOS memory
- 23 WLAN card
- 31, 31a Embedded controller (EC)
- 32 Input section
- 33 Power supply circuit
- 40 SSD
- 41 Flash memory
- 42 Memory controller
- 51, 230 NW communication unit
- 52 Server storage unit
- 53 Server control unit
- 100, 100a Information processing system
- 101, 101a BIOS processing unit
- 102 OS processing unit
- 311, 522 Key information storage unit
- 312, 112 Installation processing unit
- 313, 113 Data erasure processing unit
- 314, 114 Erasure result transmission processing unit
- 410 Data storage unit
- 421 Memory management section
- 422 Command processing unit
- 423 Command program storage unit
- 521 Device information storage unit
- 523 Erasure program storage unit
- 524 Command storage unit
- 525 Erasure result storage unit
- 531 Erasure program transmission processing unit
- 532 Command transmission processing unit
- 533 Erasure result storage processing unit
- NW1 Network
Claims
1. A data erasure method for an information processing device having a built-in memory drive device, the method comprising: a first transmission step in which a management server managing the information processing device transmits a data erasure program for the memory drive device to the information processing device using cryptographic processing with a first secret key, which is the secret key of the management server; an installation step in which the information processing device verifies the validity of the data erasure program using a first public key, which is the public key of the management server, and, if the validity of the data erasure program is verified, installs the verified data erasure program into the memory drive device; a second transmission step in which the management server transmits to the information processing device, using cryptographic processing with the first secret key, an erase command that causes the processor of the memory drive device to execute the data erasure program; and a data erasure step in which the information processing device verifies the validity of the erase command using the first public key and, if the validity of the erase command is verified, transmits the verified erase command to the memory drive device to execute the data erasure process by the data erasure program.
2. The data erasure method according to claim 1, further comprising: a third transmission step in which the information processing device transmits the data erasure result, which is the result of the data erasure process, to the management server using cryptographic processing with a second secret key, which is the secret key of the information processing device; and a result storage step in which the management server verifies the validity of the data erasure result using a second public key, which is the public key of the information processing device, and, if the validity of the data erasure result is verified, stores the verified data erasure result in an erasure result storage unit.
3. The data erasure method according to claim 2, wherein the information processing device includes a sub-control unit that operates independently of a main control unit executing processing based on an OS (Operating System) and a BIOS (Basic Input Output System), the sub-control unit comprising a security area, which is a secure area not directly accessible from outside, that stores at least the first public key and the second secret key; and wherein, in the installation step and the data erasure step, the sub-control unit verifies the validity of the data erasure program and the erase command, and the data erasure program and the erase command are transmitted to the memory drive device via the sub-control unit and the BIOS.
4. The data erasure method according to claim 3, wherein, in the third transmission step, the sub-control unit transmits the data erasure result to the management server using cryptographic processing with the second secret key.
5. The data erasure method according to any one of claims 2 to 4, wherein: in the first transmission step and the second transmission step, the management server generates signature information for the transmission data using cryptographic processing with the first secret key, attaches the signature information to the transmission data for which it was generated, and transmits it to the information processing device; in the installation step and the data erasure step, the information processing device verifies the validity of the data erasure program and the erase command based on the signature information and the first public key; in the third transmission step, the information processing device generates signature information for the data erasure result using cryptographic processing with the second secret key, attaches the signature information to the data erasure result, and transmits it to the management server; and in the result storage step, the management server verifies the validity of the data erasure result based on the signature information of the data erasure result and the second public key.
6. The data erasure method according to any one of claims 1 to 4, wherein the memory drive device is an SSD (Solid State Drive).
7. An information processing system comprising an information processing device having a built-in memory drive device and a management server that manages the information processing device, wherein the management server executes: a first transmission process of transmitting a data erasure program for the memory drive device to the information processing device using cryptographic processing with a first secret key, which is the secret key of the management server; and a second transmission process of transmitting to the information processing device, using cryptographic processing with the first secret key, an erase command that causes the processor of the memory drive device to execute the data erasure program; and wherein the information processing device executes: an installation process of verifying the validity of the data erasure program using a first public key, which is the public key of the management server, and, if the validity of the data erasure program is verified, installing the verified data erasure program into the memory drive device; and a data erasure process of verifying the validity of the erase command using the first public key and, if the validity of the erase command is verified, transmitting the verified erase command to the memory drive device to execute the data erasure process by the data erasure program.
8. An information processing device for an information processing system comprising the information processing device, which has a built-in memory drive device, and a management server that manages the information processing device, the information processing device comprising: an installation processing unit that acquires a data erasure program for the memory drive device transmitted by the management server using cryptographic processing with a first secret key, which is the secret key of the management server, verifies the validity of the data erasure program using a first public key, which is the public key of the management server, and, if the validity of the data erasure program is verified, installs the verified data erasure program into the memory drive device; and a data erasure processing unit that acquires an erase command, transmitted by the management server using cryptographic processing with the first secret key, that causes the processor of the memory drive device to execute the data erasure program, verifies the validity of the erase command using the first public key, and, if the validity of the erase command is verified, transmits the verified erase command to the memory drive device to execute the data erasure process by the data erasure program.