| 主权项 |
1. A control device communicating with an administrative server by using system software including a first function and a second function, the first function performing message transmission and reception to and from the administrative server and the second function providing a network service different from the message transmission and reception for an external device, the external device being identical to or different from the administrative server, comprising:
a monitor program storage configured to store a monitor program inaccessible from the system software; an execution unit configured to read and execute the monitor program; a first storage configured to be accessible from the monitor program but inaccessible from the system software; a second storage configured to be writable from the monitor program and readable from the system software; a third storage configured to be readable from the monitor program and writable from the system software; a timer configured to be capable of being set by the monitor program and incapable of being set by the system software; a random number generating unit configured to generate a random number; a first setting unit configured to set the random number generated by the random number generating unit in the first storage, by the monitor program being executed; a message creating unit configured to encrypt the random number in the first storage using a public key of the administrative server and to create a request message that is to be transmitted to the administrative server, by the monitor program being executed; a second setting unit configured to set the request message in the second storage, by the monitor program being executed; a timer starting unit configured to designate a time and to start the timer, by the monitor program being executed; a system software starting unit configured to start the system software in a first operation mode in which both the first function and the second function can be executed, by the monitor program being executed, the system software being configured to read the request message from the second storage and send the request message to the administrative server based on the first function; an interruption accepting unit configured to accept an interruption, from the system software being executed which received a notification message that is a response to the request message from the administrative server, to the monitor program; a timer canceling unit configured to cancel the timer, by the monitor program being executed in response to the interruption; a message verifying unit configured to read the notification message from the third storage into which the notification message has been written by the system software being executed, a notification message that is a response to the request message from the administrative server, and to verify the notification message on the basis of the public key and the random number in the first storage, by the monitor program being executed in response to the interruption; and a restart unit configured to restart the system software in a second operation mode capable in which the first function can be executed but the second function cannot be executed, by the monitor program being executed, in a case where the timer expires before cancellation by the timer canceling unit, or in a case where verification by the message verifying unit fails. |
