JP2021022830A - Communication apparatus, communication system, communication method, and program - Google Patents

Abstract

To provide a communication apparatus, system, method, and program capable of detecting group key inconsistency.SOLUTION: A communication apparatus (HEMS controller) that communicates with a plurality of devices using first key information set per device and second key information set commonly to the devices comprises: a transmission unit for encrypting with the first key information and transmitting a response request packet that stores broadcast or multicast addresses as a source IP address and a MAC address of a target device as a destination MAC address, and requests a response from the device; and a detection unit for not detecting inconsistency of the second key information between the target device and the communication apparatus when a response packet for the response request packet is received, and detecting inconsistency of the second key information between the target device and the communication apparatus when the response packet for the response request packet is not received.SELECTED DRAWING: Figure 2

Description

The present invention relates to communication devices, communication systems, communication methods, and programs.

Conventionally, for example, a technique for monitoring and controlling home appliances in a house has been known. This kind of technology is a technology for realizing a so-called smart house. A smart house is a concept that realizes a comfortable and energy-saving lifestyle by connecting home appliances and housing equipment in the house to a network. In order to realize a smart house, for example, a device called a HEMS (Home Energy Management System) controller is set in the house. The HEMS controller monitors and controls the operating status and power consumption of home appliances and housing equipment connected to the in-house network.

The HEMS controller automatically detects the target device in order to monitor and control home appliances and housing equipment (hereinafter referred to as the target device). In order to realize this, the HEMS controller uses multicast communication or broadcast communication. Similarly, communication protocols for home networks such as DLNA (Digital Living Network Alliance, registered trademark) and personal computers and AV devices, and communication protocols for personal computers such as UPnP (Universal Plug and Play) are also used. The target device is automatically detected by multicast communication or broadcast communication. Further, the ECHONET Lite standard is known as a communication protocol for realizing a smart house. The ECHONET Lite standard also uses multicast communication to automatically detect the target device.

According to the Wifi (registered trademark) standard defined by the Institute of Electrical and Electronics Engineers (IEEE) 802.11, the infrastructure mode residential network is an access point (AP) and a target device (station) connected to the access point. , STA) and. The access point has a function equivalent to a switching hub in Ethernet (registered trademark), and a plurality of target devices are connected to the access point. Usually, a wireless router in a residential network is a device in which the functions of a home broadband router and the functions of an access point are integrated. Functions of a home broadband router include a routing function, an IP masquerade function, and a DHCP (Dynamic Host Configuration Protocol) server function.

In the in-house network using Ethernet (registered trademark), communication is performed using two MAC addresses, the source MAC (Media Access Control) address and the destination MAC address, but the in-house network conforming to IEEE802.11. In, communication is performed using four MAC addresses. The four MAC addresses include, for example, a source MAC address, a destination MAC address, an access point MAC address, and a MAC address of a device connected via Ethernet®.

When the target device connects to the access point, each target device authenticates with WPA (Wi-Fi Protected Access) or WPA2 (Wi-Fi Protected Access version 2) to prevent eavesdropping between the target devices. Get two types of keys. The two types of keys are PTK (Pair-wise Transient Key) and GTK (Group Transient Key). The PTK is a key used to send and receive unicast packets. The PTK is a key that is set every time the target device connects to the access point, and is a key that is used unless the target device is disconnected from the access point. GTK is a key used to send and receive broadcast and multicast packets. The GTK is one key set for each access point, and is a key commonly set for a plurality of target devices. Each target device updates GTK according to the request of the access point. The GTK is updated, for example, triggered by the passage of a certain interval or the withdrawal of the target device.

Packets sent and received between target devices in infrastructure mode pass through the access point. When the target device transmits a packet by broadcast or multicast, the target device first transmits a unicast packet encrypted by PTK to the access point, and the access point targets the broadcast packet or multicast packet encrypted by GTK. Send to device.

ECHONET Lite System Design Guidelines 2nd Edition, Chapter 2 Guidelines for Implementation of ECHONET Lite, "2.12 Notes on Wireless LAN Networks" June 24, 2019 ECHONET CONSORTIUM

By the way, the GTK update trigger and update interval are not standardized. Therefore, depending on the compatibility between the access point and the target device, a GTK mismatch may occur between the access point and the target device. The GTK discrepancy is disclosed, for example, in Non-Patent Document 1. If the GTK does not match between the target device and the access point, the target device cannot connect to the Internet via the access point, so it cannot benefit from various cloud services, and convenience is reduced. There is a problem of doing it. Further, there is a problem that the HEMS controller cannot automatically detect the target device via the access point and cannot monitor or control the target device.

Regarding the connectivity with the access point, the method of confirming the connectivity (disconnection detection) between the access point and the target device is not standardized in IEEE802.11. Normally, the target device periodically transmits a null frame to the access point, and confirms whether or not the access point can be connected based on whether or not the target device can receive a response. However, even with this connectivity confirmation method, the target device cannot detect the GTK mismatch and cannot eliminate the decrease in convenience due to the GTK mismatch.

In response to the decrease in connectivity due to GTK mismatch, in Non-Patent Document 1, the target device periodically (for example, about 10 minutes) sends a DHCP Discover with the broadcast flag set to ON to the access point and responds (DHCP). It is stated that it will reconnect to the access point if there is no Offer).

However, in the method described in Non-Patent Document 1, if there is an access point that does not correspond to the broadcast flag, the DHCP Offer cannot be transmitted from the access point to the target device. That is, even when the access point wants the target device to transmit the DHCP Offer by broadcasting, the target device must first transmit the DHCP Discover set with the broadcast flag to the access point by unicasting. However, if the access point cannot support the broadcast flag, the access point cannot broadcast the DHCP Offer. Therefore, there is a problem that the target device cannot distinguish whether the access point does not support the broadcast flag or the GTK mismatch with the access point occurs because the DHCP Offer cannot be received. ..

The present invention has been made in view of the above problems, and an object of the present invention is to provide a communication device, a communication system, a communication method, and a program capable of detecting a mismatch of group keys.

(1) One aspect of the present invention is a communication device that communicates with a device by using a first key information set for each device and a second key information commonly set for a plurality of devices. The first key information is a packet in which a broadcast or multicast address is stored as a source IP address and a MAC address of a target device is stored as a destination MAC address, and a response request packet requesting a response from the device is obtained. When a response packet for the response request packet is received with the transmission unit encrypted by the above, the mismatch of the second key information between the target device and the own device is not detected, and the response request packet is received. It is a communication device including a detection unit that detects a mismatch of the second key information between the target device and the own device when the response packet is not received.

(2) One aspect of the present invention is the above-mentioned communication device, wherein when the transmission unit receives the response request packet in which a broadcast or a multicast address is stored, it is encrypted with the second key information. The response request packet may be transmitted to a device capable of transmitting the response packet.

(3) One aspect of the present invention is the above-mentioned communication device, and the transmission unit is the device having an access point function in the wireless LAN to which the own device belongs, or the device having the access point function and the router function. A response request packet may be sent.

(4) One aspect of the present invention is the communication device, wherein the detection unit has the second key of the response packet transmitted from the target device to which the response request packet is transmitted. If the information can be used for decryption, the mismatch of the second key information is not detected, and if the second key information of the own device cannot be used for decoding, the second key information between the target device and the own device is used. A mismatch in key information may be detected.

(5) One aspect of the present invention is the above-mentioned communication device, which is a control unit that updates the second key information of its own device when a mismatch of the second key information is detected by the detection unit. You may prepare further.

(6) One aspect of the present invention is the above-mentioned communication device, which may further include a notification unit that notifies when a mismatch of the second key information is detected by the detection unit.

(7) One aspect of the present invention is a communication method for communicating with a device by using the first key information set for each device and the second key information set in common for a plurality of devices. The first key information is a packet in which a broadcast or multicast address is stored as a source IP address and a MAC address of a target device is stored as a destination MAC address, and a response request packet requesting a response from the device is obtained. When the response packet for the response request packet is received, the response packet for the response request packet is sent without detecting the mismatch of the second key information between the target device and the own device. This is a communication method for detecting a discrepancy in the second key information between the target device and the own device when no reception is performed.

(8) One aspect of the present invention is a communication device that communicates with a device by using a first key information set for each device and a second key information commonly set for a plurality of devices. This is a packet in which a broadcast or multicast address is stored as a source IP address and a MAC address of a target device is stored as a destination MAC address in the computer of the communication device, and a response requesting the device to respond. When the request packet is encrypted with the first key information and transmitted and the response packet for the response request packet is received, the mismatch of the second key information between the target device and the own device is not detected. This is a communication device program that detects a mismatch in the second key information between the target device and the own device when the response packet for the response request packet is not received.

(9) In one aspect of the present invention, the first key information set for each device and the second key information commonly set for a plurality of devices are set in the device in the wireless LAN, and the second key information is set. A packet that stores the broadcast or multicast address as the source IP address and the MAC address of the target device as the destination MAC address, and is a response request that requests a response from the access point. When a transmission unit that encrypts a packet with the first key information and transmits it and a response packet for the response request packet are received, a mismatch between the access point and the own device is detected. Communication including a communication device including a detection unit for detecting a mismatch of the second key information between the access point and the own device when the response packet for the response request packet is not received. It is a system.

(10) One aspect of the present invention is the terminal device, and the access point and the communication device may be subjected to processing according to IEEE802.11.

(11) In one aspect of the present invention, the access point sets the first key information set for each device and the second key information commonly set for a plurality of devices in the device in the wireless LAN. A packet in which the access point updates the second key information according to a predetermined condition, and the communication device stores a broadcast or multicast address as the source IP address and the MAC address of the target device as the destination MAC address. When a response request packet requesting a response from the access point is encrypted with the first key information and transmitted, and the communication device receives a response packet for the response request packet, the access point and its own device Communication that detects the mismatch of the second key information between the access point and the own device when the mismatch of the second key information is not detected between the access points and the response packet for the response request packet is not received. The method.

According to one aspect of the present invention, a group key mismatch can be detected.

It is a block diagram which shows an example of the wireless communication system which concerns on embodiment to which this invention is applied. It is a block diagram which shows an example of the functional configuration of the HEMS controller, the wireless router device, and the home electric appliance which concerns on embodiment to which this invention is applied. It is a figure which shows an example of a device database. It is a figure which shows an example of the network NW2 in a house in an embodiment. It is explanatory drawing for demonstrating a passive scan. It is a figure which shows an example of a device database. This is an example of a flowchart for detecting a mismatch of group keys (GTK) in the in-house network of the embodiment. It is a flowchart which shows an example of the process (step S100) which confirms the mismatch of the group key of the HEMS controller. It is a figure which shows an example of the operation (step S100) which detects the mismatch of a group key by a HEMS controller. It is a flowchart which shows an example of the process (step S200) which detects the target device in the network in a house by active scan. It is a figure which shows an example of the packet sent and received in active scan. It is a figure for demonstrating an example of the operation (step S200) when the active scan is executed in embodiment. It is a figure which shows an example of the apparatus database which added the detection date and time. It is a figure which shows an example of the process of updating a device database. It is a flowchart which shows an example of the process (step S300) which detects the mismatch of a group key for the device which was not detected by active scan. It is a figure which shows an example of a device database. It is a figure for demonstrating the operation which confirms the mismatch of the group key of each device. It is a figure which shows an example of the device database which updated the detection date and time about the device whose group key does not match. It is a figure for demonstrating another operation which confirms the mismatch of the group key of each device. It is a figure which shows an example of the device database which deleted the record about the device which the group key does not match. It is a figure explaining the operation which performs the active scan for the device which does not respond to the ARP request. It is a figure which shows the device database which updated the IP address etc. based on the result of an active scan.

Hereinafter, a communication device, a communication system, a communication method, and a program to which the present invention is applied will be described with reference to the drawings.

(Overview of the system)
FIG. 1 is a block diagram showing an example of a wireless communication system according to an embodiment to which the present invention is applied. The wireless communication system of the embodiment includes, for example, a HEMS controller 100, a wireless router device 200, home appliances 300A, 300B and 300C, and a mobile terminal device 400. The wireless communication system of the embodiment is, for example, a HEMS that monitors the state of the home electric appliance 300 or controls the operation of the home electric appliance 300 by transmitting an instruction based on a user's operation to the home electric appliance 300 (controlled device). (Home Energy Management System (Home Energy Management System)) is provided.

The wireless router device 200 and the mobile terminal device 400 are connected to the wide area network NW1. Each device connected to the wide area network NW1 is provided with a communication interface such as a NIC (Network Interface Card) or a wireless communication module (not shown in FIG. 1). The wide area network NW1 is, for example, the Internet. The HEMS controller 100, the wireless router device 200, and the home appliance 300 are connected to the in-house network NW2. The in-house network NW2 is, for example, a wireless LAN (Wifi (registered trademark) network) standardized by IEEE802.11. Each device connected to the in-house network NW2 is provided with a communication interface such as a NIC or a wireless communication module (not shown in FIG. 1). Although three home appliances 300A, 300B, and 300C are shown in FIG. 1, when the home appliances 300A, 300B, and 300C are collectively referred to in the following description, they are simply described as "home appliances 300". Further, the number of home appliances 300 is not limited to a plurality of units, and may be one.

FIG. 2 is a block diagram showing an example of functional configurations of a HEMS controller, a wireless router device, and a home electric appliance according to an embodiment to which the present invention is applied.

The HEMS controller 100 includes, for example, a communication unit 110, a detection unit 120, a control unit 130, a notification unit 140, and a device database 150. The communication unit 110 is a communication interface such as a NIC or a wireless communication module connected to the in-house network NW2. The detection unit 120 detects a mismatch of group keys in the in-house network NW2. The control unit 130 controls various processes and operations in the HEMS controller 100. The control unit 130 performs, for example, a signal collection process regarding the operating status of the home electric appliance 300, a control process of the home electric appliance 300, an acquisition process of a control result of the home electric appliance 300, and the like. The notification unit 140 is, for example, a display device such as an indicator. Functional units such as the detection unit 120 and the control unit 130 are realized by, for example, a processor such as a CPU (Central Processing Unit) executing a program stored in the program memory. In addition, some or all of these functional parts may be realized by hardware such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), or FPGA (Field-Programmable Gate Array). It may be realized by the cooperation of software and hardware.

The device database 150 is realized by a storage device such as an HDD (Hard Disc Drive), a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), a ROM (Read Only Memory), and a RAM (Random Access Memory). The device database 150 is a database that stores information on home appliances 300 in the in-house network NW2. FIG. 3 is a diagram showing an example of a device database. The device database 150 is, for example, information in which an IP address, a MAC address, and a detection date and time are associated with each other.

The wireless router device 200 includes, for example, a router unit 210 and an access point unit 220. The router unit 210 relays communication between the wide area network NW1 and the in-house network NW2. The router unit 210, for example, converts an IP address between a global IP address and a private IP address. The router unit 210 executes, for example, a process called NAPT (Network Address Port Translation).

The access point unit 220 relays communication in the in-house network NW2. The access point unit 220 sets a unicast key with the HEMS controller 100 and with the home electric appliance 300. The unicast key is key information used for unicast communication, and is different for each HEMS controller 100 and each home appliance 300. The access point unit 220 sets the group key. The group key is the key information common to the in-house network NW2, and is the same key information in the HEMS controller 100 and the home appliance 300.

Hereinafter, the process of detecting the mismatch of the group key (GTK) in the in-house network NW2 will be described. FIG. 4 is a diagram showing an example of the in-house network NW2 in the embodiment. In the following description, the in-house network NW2 will be described, for example, when a network configuration, an IP address, and a MAC address as shown in FIG. 4 are given. In this in-house network NW2, the HEMS controller 100, the home appliances 300A and 300B, and the home appliances 300C are connected to the wireless router device 200 by Wifi communication.

FIG. 5 is an explanatory diagram for explaining the passive scan. The HEMS controller 100 always executes a passive scan in the process of detecting the mismatch of the group keys. For example, it is assumed that the home electric appliance 300C has transmitted an ARP (Address Resolution Protocol) request P1 in order to communicate with an arbitrary device. This ARP request P1 is received by the wireless router device 200. The wireless router device 200 broadcasts the ARP request P2 to all the devices in the residential network NW2. The HEMS controller 100 receives the ARP request P2 from the wireless router device 200. The HEMS controller 100 adds the source IP address, the source MAC address, and the detection date and time of the ARP request P2 included in the ARP request P2 to the device database 150.

FIG. 6 is a diagram showing an example of the device database 150. When the HEMS controller 100 receives the ARP request P2, it searches the device database 150 using the source MAC address of the ARP request P2 as a key, and if there is no source MAC address, a new record is added. When the source MAC address exists in the device database 150, the HEMS controller 100 updates the detection date and time corresponding to the source MAC address.

FIG. 7 is an example of a flowchart for detecting a mismatch of group keys (GTK) in the in-house network of the embodiment. For example, the HEMS controller 100 repeatedly executes the processes shown in FIG. 7 (steps S100 to S300) at regular intervals. The fixed period is, for example, 10 minutes. The HEMS controller 100 executes the process shown in FIG. 7 in parallel with the above-mentioned passive scan.

First, the HEMS controller 100 confirms the mismatch of its own group keys (step S100). Next, the HEMS controller 100 detects the target devices (wireless router device 200, home appliances 300A, 300B and 300C) in the in-house network NW2 by active scanning (step S200). Next, the HEMS controller 100 confirms the mismatch of the group keys in the target device (step S300).

As a result, the HEMS controller 100 first detects whether or not the group key held by itself does not match the group key held by another device (step S100), and then the group key held by a device other than itself is used. , Detects whether or not it does not match the group key held by itself (step S300).

FIG. 8 is a flowchart showing an example of a process (step S100) for confirming a mismatch of group keys of the HEMS controller.
First, the HEMS controller 100 acquires its own network setting information (step S102). The network setting information includes, for example, an IP address, a network address, a subnet mask, an IP address of a default gateway, and a type of network interface. Next, the HEMS controller 100 transmits a response request packet (step S104). The response request packet is a packet that requests the device that has received the response request packet to transmit the response packet to the HEMS controller 100. The HEMS controller 100 sets the source IP address of the response request packet to the broadcast or multicast IP address, and sets the destination IP address of the response request packet to the IP address of any device.

Next, the HEMS controller 100 determines whether or not a response to the response request packet has been received (step S106). When the HEMS controller 100 receives the response (step S106: YES), the HEMS controller 100 ends the process of this flowchart. When the HEMS controller 100 has not received the response (step S106: NO), the HEMS controller 100 notifies the group key mismatch (step S108). The HEMS controller 100 notifies the user to restart the HEMS controller 100 and the wireless router device 200, for example, by displaying or voice on a smartphone. It is desirable that the control unit 130 of the HEMS controller 100 updates the group key of the HEMS controller 100 when a mismatch of the group keys is detected. The HEMS controller 100 may perform a process of reconnecting to the wireless router device 200, a process of requesting (prompting) the restart of the wireless router device 200, and the like as a process of updating the group key. As a result, the HEMS controller 100 can cause the wireless router device 200 to reset the group key in the residential network NW2.

FIG. 9 is a diagram showing an example of an operation (step S100) of detecting a mismatch of group keys by the HEMS controller. First, the HEMS controller 100 transmits an ICMP (Internet Control Message Protocol) echo request P10 as a response request packet to the wireless router device 200. The HEMS controller 100 sets the source IP address of the ICMP echo request P10 to the broadcast or multicast IP address, and sets the destination IP address of the ICMP echo request P10 to the IP address of the wireless router device 200. Since the destination IP address of the HEMS controller 100 is the IP address (unicast transmission) of the wireless router device 200, the ICMP echo request P10 is encrypted with PTK.

The wireless router device 200 transmits the ICMP echo reply P12 to the broadcast or multicast IP address in response to receiving the ICMP echo request P10. Since the destination IP address of the wireless router device 200 is a broadcast IP address (broadcast transmission) or a multicast IP address (multicast transmission), the ICMP echo reply P12 is encrypted with a group key. When the destination IP address is a broadcast IP address or a multicast IP address, the wireless router device 200 determines the MAC address from the broadcast IP address or the multicast IP address. Since the destination MAC address is determined from the MAC address from the broadcast IP address or the multicast IP address, the wireless router device 200 encrypts the ICMP echo reply P12 with the group key.

When the ICMP echo reply P12 can be decoded (received) by the group key possessed by the HEMS controller 100, the HEMS controller 100 does not detect the mismatch of the group keys. When the ICMP echo reply P12 cannot be decoded (received) by the group key possessed by the HEMS controller 100, the HEMS controller 100 detects a mismatch of the group keys.

The destination of the response request packet must be a device that has the ability to encrypt the response packet with the group key and send the response packet when the request packet containing the broadcast address or multicast address is received among multiple devices. desirable. Further, the destination of the response request packet may be the device that executed the communication at the closest date and time among the devices that the HEMS controller 100 executed the communication. This is because there is a high possibility that a response to the response request packet can be obtained. Further, it is desirable that the destination of the response request packet is a device having an access point function in the residential network NW2 to which the HEMS controller 100 belongs, or a device having an access point function and a router function. This is because there is always a device having an access point function in the in-house network NW2.

The HEMS controller 100 is supposed to transmit an ICMP echo request as a response request packet, but the present invention is not limited to this, and a Get request in ECHONET Lite may be used.

FIG. 10 is a flowchart showing an example of a process (step S200) of detecting a target device in a residential network by an active scan.
The HEMS controller 100 first calculates the range of the IP address of the device in the in-house network NW2 based on the network address and the subnet mask (step S202). The HEMS controller 100 then sets one of the IP addresses within the calculated range as a target and performs an active scan. The active scan includes a process of broadcasting or multicasting an ARP request including one IP address set as a target as a target IP address, and a process of registering according to an ARP reply to the ARP request.

FIG. 11 is a diagram showing an example of packets transmitted / received in the active scan.
In the active scan, the HEMS controller 100 transmits a plurality of ARP requests while changing the target IP address within the range of the IP address of the device in the residential network NW2. For example, the HEMS controller 100 sets the target IP address of ARP request # 1 to "192.168.1.3", sets the target IP address of ARP request # 2 to "192.168.1.4", and sets the target IP of ARP request # 3. Set the address to "192.168.1.5" and send each ARP request # 1, # 2, # 3. Since the home appliances with the IP addresses "192.168.1.3 and 192.168.1.4" do not exist, the HEMS controller 100 cannot receive the ARP reply to the ARP requests # 1 and # 2. When the HEMS controller 100 receives the ARP reply to the home appliance 300 ARP reply # 3, it determines that the home appliance 300 with the IP address "192.168.1.5" exists and registers it in the device database 150.

Next, the HEMS controller 100 determines whether or not an ARP reply has been received as a response to the ARP request (step S206). When the HEMS controller 100 does not receive the ARP reply (step S206: NO), the process proceeds to step S214. When the HEMS controller 100 receives the ARP reply (step S206: YES), the HEMS controller 100 determines whether or not the MAC address of the device that sent the response is registered in the device database 150 (step S208).

When the MAC address of the device that sent the response is not registered in the device database 150 (step S208: NO), the HEMS controller 100 sets the combination of the IP address, MAC address, and detection date and time of the device that sent the response in the device database. Register with 150 (step S210). The HEMS controller 100 advances the process to step S214 after step S210. When the MAC address of the device that sent the response is registered in the device database 150 (step S208: YES), the HEMS controller 100 updates the combination of the IP address and the detection date and time for the entry of the MAC address in the device database 150 (step S208: YES). Step S212). The HEMS controller 100 advances the process to step S214 after step S212.

In step S214, the HEMS controller 100 determines whether or not all the IP addresses within the range calculated in step S202 have been actively scanned. If the HEMS controller 100 has not actively scanned all the IP addresses in the range (step S214: NO), the process returns to step S204. When the HEMS controller 100 actively scans all the IP addresses in the range, the process proceeds to step S216.

In step S216, the HEMS controller 100 searches the device database 150 using one of the IP addresses within the range calculated in step S202 as a key (step S216). As a result of the search, the HEMS controller 100 determines whether or not a plurality of records including the IP address as the key have been searched (step S218). When a plurality of records including the IP address as a key are searched (step S218: YES), the HEMS controller 100 blanks the IP address column of the records other than the record having the latest search date and time among the searched records. (Step S220). If a plurality of records including the IP address as the key are not searched (step S218: NO), the process proceeds to step S222.

Next, the HEMS controller 100 determines whether or not all the IP addresses within the range calculated in step S202 have been searched (step S222). When the HEMS controller 100 does not search for all the IP addresses in the range (step S222: NO), it repeats the processes after step S216 and searches for all the IP addresses in the range (step S222: YES). , End the processing of this flowchart.

FIG. 12 is a diagram for explaining an example of the operation (step S200) when the active scan is executed in the embodiment. The HEMS controller 100 stores the start date and time of the active scan, and executes the active scan for all the IP addresses in the residential network NW2. As a result, the ARP request P20 including each IP address as the target IP address is unicast transmitted from the HEMS controller 100 to the wireless router device 200.

The wireless router device 200 broadcasts or multicasts the ARP request to the residential network NW2 in response to receiving the ARP request P20. The wireless router device 200 encrypts the ARP request with the group key. As a result, the ARP request P21 is transmitted to the home appliance 300A, the ARP request P22 is transmitted to the home appliance 300B, and the ARP request P23 is transmitted to the home appliance 300C. When the home appliance 300 has a group key that matches the group key of the wireless router device 200, it can receive the ARP request and respond to the ARP request. It is assumed that among the home electric appliances 300, only the home electric appliance 300A has a group key that matches the group key of the wireless router device 200. In this case, the home appliance 300A unicasts the ARP reply P24 to the wireless router device 200, and the home appliances 300B and 300C cannot transmit the ARP reply. When the wireless router device 200 receives the ARP reply P24 from the home appliance 300A, the wireless router device 200 unicasts the ARP reply P25 to the HEMS controller 100.

In response to receiving the ARP reply P25, the HEMS controller 100 adds the MAC address stored in the destination MAC address field in the ARP reply P25, the IP address stored in the destination IP address field, and the detection date and time to the device database 150. To do. FIG. 13 is a diagram showing an example of a device database in which the detection date and time are added. At this time, as described in steps S208 to S212, the HEMS controller 100 updates the IP address and the detection date and time when the MAC address is registered in the device database 150, and the MAC address is stored in the device database 150. If it is not registered, the MAC address, IP address, and detection date and time are newly registered.

FIG. 14 is a diagram showing an example of a process of updating the device database.
Since the MAC address is managed as key information in the device database 150, the same IP address may be registered in a plurality of MAC address entries. For example, the IP address used in the mobile terminal may be reused in another terminal because the mobile terminal has left the in-house network NW2 and is no longer used.
Therefore, the HEMS controller 100 searches the device database 150 using the IP address as a key after completing the active scan. When the number of records in the search result is 2 or more (FIG. 14 (a)), the HEMS controller 100 updates the IP address of the record other than the record with the latest detection date and time to a blank (FIG. 14 (b), step S220. ).

Even if the IP address corresponding to the MAC address registered in the device database 150 is updated to the blank, the HEMS controller 100 does not delete the record including the MAC address. This is because the device having the MAC address may be communicating with the HEMS controller 100 using another IP address.

FIG. 15 is a flowchart showing an example of a process (step S300) of detecting a group key mismatch for a device that was not detected by the active scan.
First, the HEMS controller 100 extracts a record whose detection date and time is older than the start time of the active scan from the device database 150 (step S302). FIG. 16 is a diagram showing an example of an equipment database. For example, when the start time of the active scan is "2019-06-20 10:15:00", the HEMS controller 100 extracts records before the start time.

Next, the HEMS controller 100 unicasts the ARP request to the device of the combination of the IP address and the MAC address included in the extracted record (step S304). Next, the HEMS controller 100 determines whether or not an ARP reply has been received as a response to the ARP request (step S306). When the HEMS controller 100 can receive the ARP reply (step S306: YES), the HEMS controller 100 notifies that the group key possessed by the device to which the ARP request is transmitted does not match the group key possessed by the HEMS controller 100. (Step S308). The HEMS controller 100 notifies the user to restart the device or the wireless router device 200 whose group key does not match, for example, by displaying or voice on a smartphone. When the HEMS controller 100 cannot receive the ARP reply (step S306: NO), the HEMS controller 100 determines whether or not the ARP request has been transmitted to all the extracted devices (step S310).

FIG. 17 is a diagram for explaining an operation of confirming a mismatch of group keys of each device. The HEMS controller 100 unicasts the ARP request P30 to the device of the combination of the IP address (192.168.1.4) and the MAC address (00-00-00-00-00-04) extracted from the device database 150. The wireless router device 200 unicasts the ARP request P31 to the home appliance 300B in response to the reception of the ARP request P30. The home electric appliance 300B unicasts the ARP reply P32 to the wireless router device 200 in response to receiving the ARP request P31. The wireless router device 200 unicasts the ARP reply P33 to the HEMS controller 100 in response to receiving the ARP reply P32. In response to receiving the ARP reply P33, the HEMS controller 100 updates the date and time when the ARP reply P33 is received as the detection date and time of the device database 150, as shown in FIG. FIG. 18 is a diagram showing an example of a device database in which the detection date and time for devices whose group keys do not match are updated.

FIG. 19 is a diagram for explaining another operation of confirming the mismatch of the group keys of each device. The HEMS controller 100 unicasts the ARP request P40 to the device having the combination of the IP address (192.168.1.5) and the MAC address (00-00-00-00-00-05) extracted from the device database 150. In response to receiving the ARP request P40, the wireless router device 200 unicasts the ARP request P41 to the home appliance 300C. The home electric appliance 300C cannot receive the ARP request P41, or does not have a function of returning an ARP reply even if the ARP request P41 is received. Therefore, the HEMS controller 100 cannot receive the ARP reply. In this case, as shown in FIG. 20, the HEMS controller 100 deletes the record related to the home electric appliance 300C from the device database 150. FIG. 20 is a diagram showing an example of a device database in which records for devices whose group keys do not match are deleted. As a result, the HEMS controller 100 can delete the record related to the device that has left the in-house network NW2 from the device database 150.

When the HEMS controller 100 does not transmit the ARP request to all the extracted devices (step S310: NO), the process after step S304 is repeated and the ARP request is transmitted to all the extracted devices (step S310: NO). YES), the process of this flowchart ends.

When the HEMS controller 100 does not respond to the ARP request, the record relating to the device to which the ARP request is transmitted is deleted, but the active scan may be performed again. FIG. 21 is a diagram illustrating an operation of performing an active scan on a device that does not respond to an ARP request, and FIG. 22 shows a device database 150 whose IP address and the like are updated based on the result of the active scan. It is a figure which shows. If there is no response to the ARP request, for example, the home appliance 300C temporarily withdrew from the in-house network NW2, causing the IP address of the home appliance 300C to change from "192.168.1.5" before withdrawal to "192.168" after withdrawal. This is the case when it is changed to ".1.6".

When there is no response to the ARP request, the HEMS controller 100 unicasts the ARP request P50 to the MAC address of the ARP request while changing the IP address within the range of the IP address of the device in the residential network NW2. .. The ARP request P50 is received by the wireless router device 200, and the wireless router device 200 unicasts the ARP request P51 to the home appliance 300C.

The home appliance 300C unicasts the ARP reply P52 to the wireless router device 200 in response to the ARP request P51. The wireless router device 200 unicasts the ARP reply P53 to the HEMS controller 100 in response to receiving the ARP reply P52.

According to the HEMS controller 100 of the embodiment described above, a packet in which a broadcast or multicast address is stored as a source IP address and a MAC address of a target device is stored as a destination MAC address, and a response request packet is a first key. When the response packet to the response request packet is received after being encrypted by the information (PTK) and transmitted, the response request is made without detecting the mismatch of the second key information (GTK) between the wireless router device 200 and the own device. When the response packet to the packet is not received, the mismatch of the second key information (GTK) between the wireless router device 200 and the own device is detected. Specifically, according to the HEMS controller 100 of the embodiment, when the response packet transmitted from the target device to which the response request packet is transmitted can be decrypted by the second key information possessed by the own device, the second key When the information mismatch is not detected and the decryption cannot be performed by the second key information possessed by the own device, the mismatch of the second key information between the wireless router device 200 and the own device is detected. As a result, according to the HEMS controller 100, it is possible to detect a mismatch in the group key (GTK) of the HEMS controller 100 itself. As a result, according to the HEMS controller 100, it is possible to suppress a decrease in convenience.

Further, according to the HEMS controller 100 of the embodiment, when a response request packet containing a broadcast or multicast address is received, the response request packet is sent to a device having the ability to encrypt with the second key information and transmit the response packet. Send. Further, according to the HEMS controller 100 of the embodiment, the response request packet is transmitted to the device having the access point function in the wireless LAN to which the own device belongs, or the device having the access point function and the router function. As a result, according to the HEMS controller 100, it is possible to increase the possibility of receiving the response packet for the response request packet and detect the mismatch of the group key (GTK).

Further, according to the HEMS controller 100 of the embodiment, when a mismatch of the second key information is detected, the second key information held by the own device is updated, so that the period during which communication using the second key information cannot be performed is shortened. be able to.

Further, according to the HEMS controller 100 of the embodiment, when a mismatch of the second key information is detected, the user is notified, so that the user is updated with the second key information by restarting the HEMS controller 100 or the wireless router device 200. Can be prompted.

Further, according to the HEMS controller 100 of the embodiment, an active scan is executed in which the first response request packet is encrypted by the second key information (GTK) and transmitted within the range of the predetermined IP address, and the first response is performed. When there is no response in the request packet, when the IP address of the first response request packet that does not respond is stored in the device database 150, the IP address of the first response request packet that does not respond is used as the destination IP address. When the response request packet is encrypted by the first key information (PTK) and transmitted, and the response to the second response request packet is received, the first device (home appliance device 300) that transmitted the response and the own device 2 Detects a mismatch in key information. As a result, according to the HEMS controller 100, it is possible to detect the home electric appliance 300 whose group key does not match the HEMS controller 100. As a result, according to the HEMS controller 100, it is possible to suppress a decrease in convenience of the home electric appliance 300.

Further, according to the HEMS controller 100 of the embodiment, the active scan can be executed in a state where it is confirmed that there is no mismatch of the second key information between the HEMS controller 100 and the wireless router device 200.

Although each embodiment and modification have been described, the present invention is not limited to these, and is not limited to these. For example, one of each embodiment or each modification, a part of each embodiment, or one of each modification. The unit may be combined with another one or more embodiments or another one or more modifications to realize one aspect of the invention.

By recording a program for executing each process of the HEMS controller 100 in the present embodiment on a computer-readable recording medium, and causing the computer system to read and execute the program recorded on the recording medium. , The various processes described above for the HEMS controller 100 may be performed.

The "computer system" here may include hardware such as an OS and peripheral devices. In addition, the "computer system" includes a homepage providing environment (or display environment) if a WWW system is used. The "computer-readable recording medium" includes a flexible disk, a magneto-optical disk, a ROM, a writable non-volatile memory such as a flash memory, a portable medium such as a CD-ROM, and a hard disk built in a computer system. It refers to the storage device of.

Furthermore, the "computer-readable recording medium" is a volatile memory inside a computer system that serves as a server or client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line (for example, DRAM (Dynamic)).
It also includes those that hold the program for a certain period of time, such as Random Access Memory)). Further, the program may be transmitted from a computer system in which this program is stored in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium.

Here, the "transmission medium" for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above program may be for realizing a part of the above-mentioned functions. Further, a so-called difference file (difference program) may be used, which can realize the above-mentioned functions in combination with a program already recorded in the computer system.

Although the embodiment of the present invention has been described in detail with reference to the drawings, the specific configuration is not limited to this embodiment, and the design within a range not deviating from the gist of the present invention is also included. In the above-described embodiment, as shown in FIG. 1, the in-house network NW2 in which the wireless router device 200 and the home appliance 300 are wirelessly connected has been described, but the present invention is not limited to this, and the in-house network NW2 To solve the problem of detecting the mismatch of the group key of the HEMS controller 100 and the problem of detecting the mismatch of the group key of the home electric appliance 300 even if the device included in the wireless router device 200 is connected by wire. Can be done.

100 HEMS controller 110 Communication unit 120 Detection unit 130 Control unit 140 Notification unit 150 Device database 200 Wireless router device 210 Router section 220 Access point section 300 Home appliances 400 Mobile terminal device

Claims (11)

A communication device that communicates with a device using the first key information set for each device and the second key information set in common for a plurality of devices.
A packet that stores a broadcast or multicast address as the source IP address and stores the MAC address of the target device as the destination MAC address, and the response request packet that requests a response from the device is encrypted with the first key information. The transmitter to send and
When the response packet for the response request packet is received, the mismatch of the second key information between the target device and the own device is not detected, and when the response packet for the response request packet is not received, the target A detector that detects a mismatch in the second key information between the device and its own device,
A communication device. When the transmission unit receives the response request packet in which the broadcast or multicast address is stored, the transmission unit transmits the response request packet to a device having the ability to encrypt the response request packet with the second key information and transmit the response packet.
The communication device according to claim 1. The transmitting unit transmits the response request packet to a device having an access point function in the wireless LAN to which the own device belongs, or a device having the access point function and the router function.
The communication device according to claim 1 or 2. The detection unit detects a mismatch in the second key information when the response packet transmitted from the target device to which the response request packet is transmitted can be decrypted by the second key information possessed by the own device. Any one of claims 1 to 3 for detecting a discrepancy in the second key information between the target device and the own device when the second key information of the own device cannot be used for decoding. The communication device described in. When the detection unit detects a mismatch in the second key information, the detection unit further includes a control unit that updates the second key information of the own device.
The communication device according to any one of claims 1 to 4. A notification unit for notifying when a mismatch of the second key information is detected by the detection unit is further provided.
The communication device according to any one of claims 1 to 4. It is a communication method for communicating with a device by using the first key information set for each device and the second key information set in common for a plurality of devices.
A packet that stores a broadcast or multicast address as the source IP address and stores the MAC address of the target device as the destination MAC address, and the response request packet that requests a response from the device is encrypted with the first key information. Send and
When the response packet for the response request packet is received, the mismatch of the second key information between the target device and the own device is not detected, and when the response packet for the response request packet is not received, the target Detects a mismatch in the second key information between the device and its own device,
Communication method. It is a program of a communication device that communicates with a device by using the first key information set for each device and the second key information set in common for a plurality of devices.
To the computer of the communication device
A packet that stores a broadcast or multicast address as the source IP address and stores the MAC address of the target device as the destination MAC address, and the response request packet that requests a response from the device is encrypted with the first key information. Send,
When the response packet for the response request packet is received, the mismatch of the second key information between the target device and the own device is not detected, and when the response packet for the response request packet is not received, the target Detect the mismatch of the second key information between the device and the own device.
Communication device program. An access point that sets the first key information set for each device and the second key information commonly set for a plurality of devices in the device in the wireless LAN, and updates the second key information according to a predetermined condition. ,
A packet that stores a broadcast or multicast address as the source IP address and stores the MAC address of the target device as the destination MAC address, and the response request packet that requests a response from the access point is encrypted with the first key information. When a response packet for the response request packet is received with the transmission unit to be transmitted, the response packet for the response request packet is sent without detecting a mismatch of the second key information between the access point and the own device. A communication device including a detection unit that detects a mismatch of the second key information between the access point and the own device when no reception is performed.
A communication system. The access point and the communication device perform processing according to 802.11.
The communication system according to claim 9. The access point sets the first key information set for each device and the second key information commonly set for a plurality of devices in the device in the wireless LAN.
The access point updates the second key information according to a predetermined condition.
The first key is a packet in which the communication device stores a broadcast or multicast address as the source IP address and stores the MAC address of the target device as the destination MAC address, and requests a response from the access point. Encrypted by information and sent
When the communication device receives the response packet for the response request packet, it does not detect the mismatch of the second key information between the access point and the own device, and does not receive the response packet for the response request packet. In this case, the mismatch of the second key information between the access point and the own device is detected.
Communication method.

Images