JP6341421B2 - Unauthorized device detection method, unauthorized device detection server, unauthorized device detection system - Google Patents

Description

  The present invention relates to a method for detecting unauthorized devices in a system in which a plurality of devices are connected.

In recent years, home appliances and AV devices in the home are connected to a network, and various services using various history information collected in the cloud are expected.
At this time, a controller is installed in the home, and the controller relays transmission of history information from each home appliance to the manufacturer server. By performing authentication so that communication can be safely performed between the controller and the home appliance, for example, connection to a home network due to information leakage or spoofing in wireless communication is prevented.

  For this reason, conventionally, the Wi-Fi Alliance has developed a standard for easily connecting devices called Wi-Fi Protected (for example, Non-Patent Document 1). However, the Wi-Fi wireless connection only guarantees the interoperability of the device between the device of the access point corresponding to the controller and the home appliance, and whether or not the connection partner is a legitimate device. Is not guaranteed. Thus, it is known to use a public key infrastructure (PKI) as a method for authenticating the validity of a device (for example, Non-Patent Document 2).

In PKI authentication, when a private key leaks, the public key certificate needs to be revoked to prevent fraud using the public key certificate. A CRL (Certificate Revocation List), which is a certificate revocation list, is represented as a technique for revoking a public key certificate (for example, Non-Patent Document 2).
The CRL is a list indicating a revoked public key certificate, and is generally distributed with the signature of the revoked public key certificate ID by the certificate authority that issued the public key certificate. The home appliance or controller entity verifies whether the public key certificate of another entity to be connected is described in the CRL. Therefore, it is necessary to use the latest CRL.

  Further, when information held by a certain device is copied to another device and there are a plurality of unauthorized devices having the same identifier, it is necessary to detect the plurality of unauthorized devices and reflect them in the CRL. Therefore, when there are multiple unauthorized devices with the same identifier, the random numbers used after mutual authentication using random numbers are stored in order to detect the unauthorized devices. There is a method of using a random number stored for confirmation of the other party (for example, Patent Document 1).

Japanese Patent No. 0457123

Wi-Fi CERTIFIED Wi-Fi Protected Setup Mitsuko Miyaji, Hiroaki Kikuchi, “Information Security” (2003) NSA Suite B Implementer's Guide to FIPS 186-3 (ECDSA) NIST Special Publication 800-56A Revision 2 RFC 5191 Protocol for Carrying Authentication for Network Access (PANA)

By the way, in order to reduce the cost of home appliances, it is generally desirable to reduce the storage capacity of the memory as much as possible. By using the method described in Patent Document 1, a random number is assigned to the home appliance as described above. There is a desire to avoid memorizing as much as possible.
Accordingly, the present invention has been made in view of the above problems, and can detect an unauthorized device that can detect a device that has copied data necessary for authentication as an unauthorized device without storing extra information in the device. It aims to provide a method.

  In order to solve the above problems, the present invention is an unauthorized device detection method in an unauthorized device detection system, wherein the unauthorized device detection system is an area including at least one controller and one or more devices connected to the controller. A fraudulent device detection server that holds correspondence information that associates a plurality of networks, information about the area network with each of the area networks, and a device identifier that indicates one or more devices that have been successfully authenticated in the area network; Each of the devices holds information regarding an area network including the controller that has succeeded in the authentication processing when the authentication processing with the controller has succeeded, and the unauthorized device detection server is one of the controllers New authentication device with the controller If there is a device identifier of the device to be newly authenticated, it is detected whether the acquired device identifier is included in the correspondence information, and the acquired device identifier is included in the correspondence information. If the information regarding the area network is acquired from the newly authenticating device and the information regarding the area network is acquired from the newly authenticating device, the information regarding the area network and the corresponding In the information, it is determined whether or not the information related to the area network associated with the device identifier of the device to be newly authenticated matches, and if it is determined that they do not match, the device to be newly authenticated is It is characterized by detecting that it is a device.

  With the configuration as described above, when the controller and the device are connected, the information about the area network associated with the device held by the server does not match the information about the area network held by the device. Unauthorized equipment can be detected. As a result, it is possible to prevent unauthorized devices from entering the area network.

System diagram showing system configuration of unauthorized device detection system Block diagram showing the functional configuration of the controller Block diagram showing the functional configuration of the device Block diagram showing the functional configuration of the manufacturer server Block diagram showing the functional configuration of the portal server Data conceptual diagram showing the structure of correspondence information held by the manufacturer server Data conceptual diagram showing the configuration of controller information held by the device Data conceptual diagram showing the configuration of device information held by the controller Data conceptual diagram showing the structure of a public key certificate Data conceptual diagram showing the structure of CRL Flow chart showing device operation Flow chart showing the operation of the controller (1) Flowchart 2 showing the operation of the controller continuing from FIG. Flow chart showing the operation of the manufacturer server Sequence diagram showing system operation when a legitimate device is connected to a new controller Sequence diagram showing system operation when an unauthorized device is connected to the controller Data conceptual diagram showing configuration of controller information held by device according to modification Data conceptual diagram showing configuration of correspondence information held by manufacturer server according to modification Data conceptual diagram showing another configuration of controller information held by device according to modification

An embodiment of an unauthorized device detection system according to the present invention will be described with reference to the drawings.
<Embodiment 1>
<Configuration>
FIG. 1 is a diagram showing a system configuration of an unauthorized device detection system. As shown in FIG. 1, the unauthorized device detection system includes a plurality of area networks (home area network a and home area network b), a maker server 300, and a portal server 400 connected via a network 500. . In FIG. 1, the approximate range of each home area network is assumed to be a range surrounded by a dotted line.

Each home area network includes at least one controller, and one or more devices are connected to the controller. The device here is assumed to be a general home appliance (for example, a television, a refrigerator, a microwave oven, an air conditioner, etc.).
In the example of FIG. 1, the home area network a includes a controller 100a and devices 200a, 200b, and 200c, and each device is connected to the controller 100a. The controller 100a is connected to the network 500.

The home area network b includes a controller 100b and devices 200d and 200e, and each device is connected to the controller 100b. The controller 100b is connected to the network 500.
The controllers 100a and 100b are connected to the manufacturer server 300 via the network 500.

  In the present embodiment, the maker server 300 holds correspondence information indicating a correspondence relationship when a connection is established between the device and the controller. When a new connection setting is made between the device and the controller, the manufacturer server 300 determines whether the device to be newly authenticated has already been associated with the controller in the correspondence information. And when it is matched, it is detected whether it is an unauthorized apparatus according to whether the said apparatus hold | maintains the information regarding the matched controller as the information regarding an area network.

Hereinafter, each device constituting the unauthorized device detection system will be described in detail.
<Configuration of controller>
FIG. 2 is a block diagram illustrating a functional configuration of the controllers 100a and 100b. Since each controller has the same configuration except that the devices to be connected are different from each other, the controller 100a will be described as a representative here.

As illustrated in FIG. 2, the controller 100 a includes a communication unit 110, a control unit 120, an authentication processing unit 130, an authentication information holding unit 140, and a device information holding unit 150.
The communication unit 110 has a function of performing communication with the connected device and the manufacturer server 300 and the portal server 400 via the network 500.

  The control unit 120 controls each unit of the controller 100a, and has a function of managing devices connected to the controller 100a. When receiving a connection request from a device via the communication unit 110, the control unit 120 transmits a public key certificate to the authentication processing unit 130 and requests authentication processing. When the control unit 120 accepts that the public key certificate transmitted from the authentication processing unit 130 has been successfully authenticated, the control unit 120 issues a confirmation request as to whether or not the device ID of the device that has transmitted the connection request is registered. It transmits to the manufacturer server 300. When receiving a connection controller ID request for requesting a controller ID held by the device from the maker server 300, the control unit 120 transfers it to the device. In addition, when the controller 120 received by the device in response to the transferred connection controller ID request is received, the control unit 120 transfers it to the manufacturer server 300. When the control unit 120 receives an authentication stop notification from the manufacturer server 300, the control unit 120 stops the authentication process and transmits an error notification to the device that has transmitted the connection request. When receiving the authentication continuation notification from the maker server 300, the control unit 120 notifies the authentication processing unit 130 of the continuation of the authentication process.

Then, the control unit 120 receives the authentication result from the authentication processing unit 130. When the received authentication result indicates that the authentication is successful, the control unit 120 includes, in the device information held by the device information holding unit 150, the device ID of the device that has been successfully authenticated and the ID of the public key certificate held by the device. Are stored in association with each other.
The authentication processing unit 130 has a function of executing authentication processing of a device that has transmitted a connection request. Upon receiving an authentication request from the control unit 120, the authentication processing unit 130 executes an authentication process for the public key certificate transmitted together with the authentication request. Upon receiving an authentication request from the control unit 120, the authentication processing unit 130 accesses the authentication information holding unit 140 and acquires a CRL. The authentication processing unit 130 verifies whether the ID of the public key certificate transmitted from the control unit 120 is registered in the acquired CRL. In addition, the authentication processing unit 130 authenticates the signature of the public key certificate using the public key of the portal server 400. When the public key certificate ID is not registered in the CRL and the signature verification of the public key certificate is successful, the authentication processing unit 130 notifies the control unit 120 of the successful verification of the public key certificate. When the ID of the public key certificate is registered in the CRL or when the signature verification of the public key certificate fails, the authentication processing unit 130 notifies the control unit 120 of the public key certificate authentication failure.

  Further, upon receiving the authentication continuation notification from the control unit 120, the authentication processing unit 130 generates a random number and transmits the random number to the device via the communication unit 110. In addition, when a random number is received from a device via the communication unit 110, the signature of the received random number is verified. If any verification fails, the authentication processing unit 130 determines that the device that has made the connection request is an unauthorized device. Then, the authentication processing unit 130 notifies the control unit 120 of the authentication result.

  The authentication information holding unit 140 is a database, and holds a key pair of a private key and a public key certificate, and CRL information used in authentication. Specifically, the authentication information holding unit 140 is realized by a recording medium such as a flash memory, an HDD (Hard Disc Drive), or an SSD (Solid State Drive). Details of the public key certificate and the CRL will be described later.

The device information holding unit 150 is a database, and holds device information for managing a device that is connected to the controller 100a and successfully authenticated. Specifically, the device information holding unit 150 is realized by a recording medium such as a flash memory, an HDD, or an SSD. Details of the device information will be described later.
The authentication information holding unit 140 and the device information holding unit 150 may be realized by separate recording media, or may be realized by dividing a storage area in one recording medium.

The above is the configuration of the controller 100a.

<Device configuration>
FIG. 3 is a block diagram illustrating a functional configuration of the devices 200a, 200b, 200c, 200d, and 200e. Since each device has substantially the same configuration, the device 200a will be described as a representative here. Each device has a unique function, and in this respect, if the device is a different type of device, it is not common to other devices. Each unique function is, for example, a washing function for a washing machine, or a function such as heating or cooling for an air conditioner, and is a general function. Omitted and only functions related to unauthorized device detection will be described.

As illustrated in FIG. 3, the device 200 a includes a communication unit 210, a control unit 220, an authentication processing unit 230, an authentication information holding unit 240, a controller information holding unit 250, and a device history holding unit 260. Composed.
The communication unit 210 has a function of executing communication with the connected controller.
The control unit 220 has a function of controlling each unit of the device. The control unit 220 transmits a connection request to the connected controller via the communication unit 210.

  The controller 220 stores the controller ID stored in the controller information holding unit 250 when a connection controller ID, which is information related to the area network, is requested from the manufacturer server 300 via the connected controller and the communication unit 210. Is transmitted to the maker server 300. At this time, when the controller ID cannot be acquired, the control unit 220 transmits information indicating that the controller ID is not held to the manufacturer server 300.

In addition, when the controller 220 receives controller ID, public key certificate, and random number information from the connected controller, the controller 220 requests the authentication processing unit 230 to perform controller authentication processing.
When information indicating successful authentication is received from the authentication processing unit 230 in response to the request, the control unit 220 identifies the controller ID of the connected controller and the public key certificate possessed by the controller. The ID pair is added to the controller information, and the authentication process ends. When information indicating an authentication failure is received from the authentication processing unit 230 in response to the request, it is determined that the connection destination controller is an unauthorized controller, and the connection process is terminated.

Further, when an error is received from the controller via the communication unit 210 during the authentication process, the control unit 220 recognizes that the authentication process has failed and ends the authentication process.
The authentication processing unit 230 has a function of executing authentication processing with a connected controller via the communication unit 210. When the authentication processing unit 230 receives an authentication request including the controller ID of the controller, the public key certificate, and the random number from the control unit 220, the authentication processing unit 230 accesses the authentication information holding unit 240 and acquires the CRL. Then, the authentication processing unit 230 verifies whether or not the ID of the received public key certificate is registered in the acquired CRL. Further, the authentication processing unit 230 verifies the signature of the public key certificate using the public key of the portal server 400 that is the certificate authority. When the signature of the public key certificate is successfully verified, the authentication processing unit 230 generates a random number and transmits the generated random number to the controller via the communication unit 210. Further, the authentication processing unit 230 verifies the signature of the random number received from the controller. In any verification, when the verification fails, the authentication processing unit 230 notifies the control unit 220 of the authentication failure. If the authentication is successful, the authentication processing unit 230 notifies the control unit 220 to that effect.

The authentication information holding unit 240 is a database, and holds a key pair of a private key and a public key certificate, and CRL information used in authentication. Details of the public key certificate and the CRL will be described later.
The controller information holding unit 250 is a controller connected to the device 200a and has a function of holding controller information about a controller that has been successfully authenticated for connection. Details of the controller information will be described later.

The device history holding unit 260 is a database and holds operation history information of the device 200a. Specifically, the device history holding unit 260 is realized by a recording medium such as a flash memory, an HDD, or an SSD. Note that the operation history information is a general operation history, and therefore, detailed description thereof is omitted. To briefly explain an example, the operation history information is information in which which function is executed at which date and time and the execution result is associated with the device.

<Manufacturer server 300>
FIG. 4 is a block diagram illustrating a functional configuration of the maker server 300. As illustrated in FIG. 4, the maker server 300 includes a communication unit 310, a control unit 320, a CRL management unit 330, a correspondence information holding unit 340, and a CRL holding unit 350.

The communication unit 310 has a function of performing communication with the controllers 100a and 100b via the network 500.
The control unit 320 has a function of controlling the correspondence information holding unit 340 and managing correspondence information indicating a connection relationship between the controller and the device, an ID of the controller or device to be connected, a certificate ID, and an operation history of the device.

  When the control unit 320 receives a confirmation request for confirming whether or not the device is already registered in the correspondence information from the controller via the communication unit 310, the control unit 320 reads the correspondence information from the correspondence information holding unit 340, It is detected whether or not the device ID included in the confirmation request is registered in the correspondence information. If not registered, the control unit 320 transmits an authentication continuation notice permitting continuation of authentication to the controller that has transmitted the confirmation request via the communication unit 310. If registered, the control unit 320 transmits, via the communication unit 310, controller ID information held by the device as information related to the area network to the device having the device ID included in the confirmation request. The connection controller ID request for requesting is transmitted. When the controller ID is transmitted from the device in response to the request, it is determined whether or not the received controller ID matches the controller ID associated with the device ID of the device on the correspondence information. . If they match, the control unit 320 transmits an authentication continuation notification that permits continuation of authentication to the controller that has transmitted the confirmation request. If they do not match, the control unit 320 transmits an authentication stop notification instructing the controller that has transmitted the confirmation request to stop authentication. Further, the control unit 320 additionally registers, in the correspondence information, a pair of the device ID and the controller ID that have been successfully authenticated via the communication unit 310. When receiving a new CRL from the portal server 400 via the communication unit 310, the control unit 320 requests the CRL management unit 330 to register the CRL.

The CRL management unit 330 controls the CRL holding unit 350 and updates the CRL stored in the CRL holding unit 350 when a new CRL is received from the control unit 320.
The correspondence information holding unit 340 is a database, and holds correspondence information indicating a device / controller pair that has been successfully authenticated, information such as a device ID, a controller ID, and a certificate ID. Specifically, the correspondence information holding unit 340 is realized by a recording medium such as a flash memory, an HDD, or an SSD.

The CRL holding unit 350 is a database and holds CRL information used in authentication. Specifically, the CRL holding unit 350 is realized by a recording medium such as a flash memory, an HDD, or an SSD. Details of the public key certificate and the CRL will be described later.

<Portal server 400>
FIG. 5 is a block diagram illustrating a functional configuration of the portal server 400. As shown in FIG. 5, the portal server 400 includes a communication unit 410, an encryption processing unit 420, a CRL management unit 430, an encryption key holding unit 440, and a CRL holding unit 450.

The communication unit 410 has a function of communicating with the manufacturer server 300, the controller, and the device via the network 500.
The cryptographic processing unit 420 has a function of generating a CRL signature. Upon receiving a signature generation request from the CRL management unit 430, the cryptographic processing unit 420 generates a CRL signature using the private key held in the encryption key holding unit 440. Also, the encryption processing unit 420 transmits the generated CRL signature to the CRL management unit 430.

  The CRL management unit 430 has a function of controlling the CRL holding unit 450 and managing the CRL. When the CRL management unit 430 receives a CRL issuance request from the manufacturer server 300, the CRL management unit 430 sets data other than the CRL signature, and requests the cryptographic processing unit 420 to generate a CRL signature. The CRL management unit 430 receives the signature generated by the encryption processing unit 420 in response to the request and records it in the CRL holding unit 450. In addition, the CRL management unit 430 transmits the newly issued CRL to the manufacturer server 300, the controller, and the device via the communication unit 410.

The encryption key holding unit 440 is a database and holds information on encryption keys used in authentication. Specifically, the encryption key holding unit 440 is realized by a recording medium such as a flash memory, an HDD, or an SSD.
The CRL holding unit 450 is a database and holds information on CRLs generated by the CRL management unit 430 and used for authentication. Specifically, the CRL holding unit 450 is realized by a recording medium such as a flash memory, an HDD, or an SSD.

<Data>
Various data related to the unauthorized device detection system will now be described.

FIG. 6 is a data conceptual diagram showing a data configuration example of correspondence information held by the maker server 300. As illustrated in FIG. 6, the correspondence information 600 is information in which a device ID 601 and a controller ID 602 are associated with each other.
The device ID 601 is identification information for uniquely identifying a device on the network. In FIG. 6, in order to make the correspondence with the system diagram of FIG. 1 easier to understand, the symbols given to the devices of FIG. 1 are used as device IDs. Information is a combination of numbers, alphabets and symbols. The device ID is the same in the drawings after FIG.

  The controller ID 602 is identification information for uniquely identifying a controller on the network. For the controller ID, the reference numerals attached to the controllers in FIG. 1 are used so that the correspondence with the system diagram in FIG. 1 can be easily understood. Use a combination of numbers, alphabets and symbols. The device ID is the same in the drawings after FIG.

By holding the correspondence information 600 in the maker server 300, the maker server can recognize the association between the device ID and the controller ID as the area network information. Therefore, if the device indicated by the device ID in the correspondence information does not hold the controller ID associated in the correspondence information as the area network information, the manufacturer server 300 is regarded as an unauthorized device. Can be identified. Therefore, it is possible to detect an unauthorized device that could not be determined only by authentication between the conventional device and the controller.

FIG. 7 is a data conceptual diagram showing a data configuration example of the controller information held by the device 200a. As shown in FIG. 7, the controller information 700 is information in which a controller ID 701 and a certificate ID 702 are associated with each other.

  The controller ID 701 is identification information for uniquely identifying a controller to which a device is connected or has been connected in the past on the network. Since the controller does not belong across a plurality of area networks, the controller ID 701 can be used as information related to the area network to which the device 200a belongs or has belonged.

The certificate ID 702 is information indicating the ID of the controller public key certificate corresponding to the controller ID 701. Note that the certificate ID shown in FIG. 7 is an example, and may be in any form as long as it is identification information uniquely issued to each controller. Generally, numbers, alphabets, symbols, etc. Use a combination of.
By holding the controller information, the device can transmit a controller ID as area network information in response to a controller ID request from the manufacturer server 300. FIG. 7 shows a case where the device holds information about a plurality of controllers. However, this may be one or not. If there is a plurality of controllers in the home area network and connection authentication with the plurality of controllers is performed, entries for the plurality of controllers are included, and even if not connected to one controller at the present time If connection authentication with the controller has been performed in the past, an entry for the controller is included.

FIG. 8 is a data conceptual diagram showing a data configuration example of device information held by the controller 100a. As illustrated in FIG. 8, the device information 800 is information in which a device ID 801 and a certificate ID 802 are associated with each other.

The device ID 801 is identification information for uniquely identifying a device on the network.
The certificate ID 802 is information indicating the ID of the public key certificate of the controller corresponding to the device ID 801. Note that the certificate ID shown in FIG. 8 is an example, and may be in any form as long as it is identification information issued uniquely to each controller. Generally, numbers, alphabets, symbols, etc. Use a combination of.

By holding the device information, the controller can recognize which device is connected to the device that has succeeded in connection authentication.

FIG. 9 is a data conceptual diagram showing a data configuration example of a public key certificate. As shown in FIG. 9, the public key certificate 900 is information including a version 901, an issuer 902, a valid period start date 903, a valid period end date 904, a certificate ID 905, and a signature 906. is there.

The version 901 is information indicating the version of the public key certificate 900.
The issuer 902 is information indicating the certificate authority that issued the public key certificate 900, and is unique information that can identify the certificate authority.
The valid period start date 903 is information indicating the start date of the date when the public key certificate becomes valid.

The expiration date 904 of the valid period indicates the last date when the public key certificate is valid, and is information indicating the day before the date when the public key certificate becomes invalid.
The certificate ID 905 is identification information for uniquely specifying the public key certificate.
The signature 906 is information indicating the portal server 400 which is a certificate authority.

FIG. 10 is a data conceptual diagram illustrating a data configuration example of CRL information. As illustrated in FIG. 10, the CRL information 1000 is information including a CRL version 1001, an issuer 1002, an issue date 1003, a next issue date 1004, a revoked certificate ID 1005, and a signature 1006.

  The CRL version 1001 is information indicating the version of the CRL information 1000. Since CRL information needs to be updated every time a certificate that becomes invalid in sequence is generated, devices, controllers, and maker servers recognize whether the information is newer by performing generation management. Used for. That is, each device can determine whether to update the CRL information with the received CRL information or to discard the received CRL information by comparing the versions of the held CRL information.

The issuer 1002 is information for uniquely identifying the certificate authority that issued the CRL information 1000.
The issue date 1003 is information indicating a date when the CRL information 1000 is issued.
The next issue date 1004 is information indicating a date when new CRL information 1000 is issued.

The revoked certificate ID 1005 is information indicating the certificate ID of the revoked public key certificate, and includes one or more certificate IDs. The public key certificate in which the certificate ID is described in this field has expired, and authentication using the public key certificate having this certificate ID will fail.
The signature 1006 is information indicating the portal server 400 which is a certificate authority.

The above is the description of data used in the unauthorized device detection system.

<Operation>
From here, operation | movement of each apparatus which concerns on an unauthorized device detection system is demonstrated.
FIG. 11 is a flowchart showing an operation during device authentication. Here, the operation of the device 200a will be described as a representative, but other devices operate in the same manner. In the description using FIG. 11, the case where the device 200a is connected to the controller 100a will be described as an example. However, like the device, the connection destination controller is not limited to the controller 100a.

When the device 200a is connected to the controller 100a, the control unit 220 acquires the public key certificate held by itself from the authentication information holding unit 240. Then, the control unit 220 transmits a connection request including the acquired public key certificate and its own device ID to the connected controller 100a via the communication unit 210 (step S1101).
If a connection controller ID request is received after the connection request is transmitted (YES in step S1102), the control unit 220 is held as information related to the area network from the controller information 700 stored in the controller information holding unit 250. Connection controller ID (controller ID 701) is acquired. Then, the control unit 220 transmits the acquired connection controller ID to the connected controller 100a via the communication unit 210 (step S1103). In addition, when the controller ID is not registered in the controller information 700, information indicating that the controller ID (information regarding the area network) is not held is transmitted. If the connection controller ID request is not received after the connection request is transmitted (NO in step S1102), the process proceeds to step S1104.

  When the device 200a receives the controller ID, the public key certificate, and the random number from the controller 100a after transmitting the connection request (YES in step S1104), the control unit 220 receives the public key received by the authentication processing unit 230. Request certificate verification. Then, the authentication processing unit 230 determines whether or not the certificate ID of the accepted public key certificate is registered in the CRL (step S1106). The authentication processing unit 230 determines whether or not the CRL certificate ID recorded in the authentication information holding unit 240 matches the ID of the public key certificate received from the control unit 220. It is verified whether or not the certificate ID is registered in the CRL. If the controller ID, the public key certificate, and the random number have not been received (NO in step S1104) and an error has been received (step S1105), it is determined that the authentication has failed, and the process ends. If no error has been received (NO in step S1105), the process returns to step S1102.

If the ID of the accepted public key certificate is not registered in the CRL (NO in step S1106), the authentication processing unit 230 verifies whether the accepted public key certificate is valid. It executes (step S1107). Since the public key certificate verification method is a well-known technique, a description thereof is omitted here.
If the accepted public key certificate is valid (YES in step S1107), the authentication processing unit 230 generates a random number and a signature and transmits them to the controller 100a via the communication unit 210 (step S1109). ).

  If the certificate ID is registered in the CRL (YES in step S1106) or if the public key certificate authentication has failed (NO in step S1107), the authentication processing unit 230 notifies the control unit 220 of the authentication failure. . Upon receiving the notification, the control unit 220 transmits an error notification to the controller 100a via the communication unit 210 (step S1108). Then, it is determined that the connection process with the controller 100a has failed, and the process ends. At this time, the control unit 220 may record the device ID in the controller information holding unit 250 with the controller 100a to be connected as an unauthorized device.

  If the signature is received after transmission of the random number and the signature (YES in step S1110), the authentication processing unit 230 determines whether or not the received signature matches the generated signature (step S1112). . If it is determined that the signatures match (YES in step S1112), the authentication processing unit 230 notifies the control unit 220 of successful authentication. Upon receiving the notification, the control unit 220 registers the controller ID of the controller 100a as the connection controller ID in the controller information holding unit 250 (step S1114), and ends the authentication process.

If it is determined in step S1110 that an error notification is received instead of a signature (YES in step S1111), it is determined that authentication has failed, and the process ends. Control unit 220 stands by until it receives a signature or error notification (NO in step S1111).
If the signature verification fails (NO in step S1112), the authentication processing unit 230 notifies the control unit 220 of the authentication failure, and the control unit 220 notifies the controller 100a of an error via the communication unit 210. Transmit (step S1113), and the process ends. At this time, the controller 220 may hold the controller ID of the controller 100a in the controller information holding unit 250 as an unauthorized device.

The above is the processing in device authentication.

12 and 13 are flowcharts showing the operation at the time of authentication of the controller. Here, as an example, the operation of the controller 100a will be described as an example, but the other controllers also operate in the same manner. Here, the operation when the device 200a issues a connection request to the controller 100a will be described, but the device connected to the controller 100a is not limited to the device 200a.

As illustrated in FIG. 12, the communication unit 110 of the controller 100a receives a connection request from the newly connected device 200a (step S1201). The connection request includes the device ID of the device 200a and the public key certificate held by the device 200a.
The control unit 120 that has received the connection request transmits the received public key certificate to the authentication processing unit 130 and requests authentication of the public key certificate. Upon receiving the request, the authentication processing unit 130 reads the CRL from the authentication information holding unit 140, and detects whether the ID of the public key certificate received from the control unit 120 is registered in the CRL (step S1202).

When the received public key certificate ID is not registered in the CRL (NO in step S1202), the authentication processing unit 130 executes verification of the public key certificate.
When the ID of the public key certificate is registered in the CRL (YES in step S1202) or when verification of the public key certificate has failed (NO in step S1203), the authentication processing unit 130 controls that fact. Notification to the unit 120. In response to the notification, the control unit 120 sends an error notification to the device 200a that has made the connection request via the communication unit 110 (step S1204), and ends the authentication process.

  If the verification of the public key certificate is successful (YES in step S1203), the authentication processing unit 130 notifies the control unit 120 of the successful verification of the public key certificate. In response to the notification, the control unit 120 includes the device ID of the device and whether the device ID is registered in order to check whether or not the device that has made the connection request is registered in the manufacturer server 300. A confirmation request requesting whether or not is transmitted to the manufacturer server 300 (step S1205).

If the controller 120 of the controller 100a receives a connection controller ID request held by the device having the transmitted device ID from the manufacturer server 300 (YES in step S1206), the control unit 120 replaces the request with the device 200a that has made the connection request. (Step S1207).
Thereafter, upon receiving the controller ID transmitted from the device 200a in response to the connection controller ID request (step S1208), the controller 100a transfers this to the manufacturer server 300 (step S1209).

  When the authentication continuation notification is received from the manufacturer server 300 (YES in step S1210), the process proceeds to step S1212 in FIG. When the authentication cancellation notification is received from the manufacturer server 300 (YES in step S1211), the control unit 120 transmits an error notification to the device 200a via the communication unit 110 (step S1204), and ends the authentication process. .

When the authentication continuation notification is received from the maker server 300 (YES in step S1210), the control unit 120 transmits the authentication continuation to the authentication processing unit 130. Then, the authentication processing unit 130 generates a random number (step S1212).
Then, the authentication processing unit 130 transmits the controller ID of the controller 100a, the public key certificate of the controller 100a, and the generated random number to the device 200a that has made the connection request via the communication unit 110 (step S1213). ).

  In response to this, when an error is received from the device 200a (YES in step S1215), the controller 100a ends the authentication process. On the other hand, when a signature and a random number are received from the device 200a (YES in step S1214), the authentication processing unit 130 verifies the received signature (step S1216). If the verification of the signature is successful (YES in step S1216), the authentication processing unit 130 generates a signature from the random number received in step S1214 (step S1218). The authentication processing unit 130 transmits the generated signature to the device 200a via the communication unit 110 (step S1219). If the signature verification fails (NO in step S1216), the authentication processing unit 130 notifies the control unit 120 of the authentication failure, and the control unit 120 notifies the device 200a of an error (step S1217). The process ends.

  After transmitting the signature (step S1219), upon receiving information indicating a successful verification from the device 200a (YES in step S1220), the control unit 120 associates the device ID of the device 200a with the public key certificate ID of the device 200a. In addition, the device information is additionally registered in the device information held in the device information holding unit 150 (step S1222). Then, the control unit 120 transmits a pair of the device ID of the additionally registered device (device ID of the device 200a) and its own controller ID (controller ID of the controller 100a) to the manufacturer server 300 via the communication unit 110. (Step S1223). As a result, the device 200a and the controller 100a are stored in association with the correspondence information of the maker server 300, and are effectively used for detecting unauthorized devices.

If information indicating a verification failure, that is, an error is received from the device 200a (YES in step S1221), the authentication process is terminated.

FIG. 14 is a flowchart illustrating processing performed by the manufacturer server 300 in authentication processing performed between the device and the controller.

When the control unit 320 of the manufacturer server 300 receives a device confirmation request that requests confirmation of whether or not the device ID is registered in the correspondence information (YES in step S1401), the control unit 320 reads the correspondence information from the correspondence information holding unit 340. Then, the control unit 320 detects whether or not the received device ID is registered in the correspondence information (step S1402).
If the received device ID is registered in the correspondence information (YES in step S1402), the control unit 320 determines whether the controller ID is registered as information regarding the area network for the device ID. Detection is performed (step S1403).

When the controller ID is registered (YES in step S1403), the control unit 320 stores the controller ID that is stored as information related to the area network (that is, that the connection has been made) with respect to the device having the received device ID. A connection controller ID request for requesting a controller ID of a certain controller is transmitted (step S1404).
When manufacturer server 300 receives the controller ID from the device (YES in step S1405), control unit 320 determines whether or not the received controller ID matches the controller ID associated with the device ID in the correspondence information. Is detected (step S1406). When the received controller ID information indicates that there is no controller ID, the control unit 320 determines that they do not match.

  If they match, the control unit 320 transmits an authentication continuation notification to the controller that has made the confirmation request (step S1408). Note that the controller 320 does not associate the controller ID with the controller ID even if the device ID is not registered in the correspondence information in step S1402 (NO in step S1402) or the device ID is registered in the correspondence information. Even in the case of NO (Step S1403: NO), an authentication continuation notice is transmitted to the controller (Step S1408).

  When the controller ID received from the device does not match the controller ID associated with the device ID included in the confirmation request in the correspondence information (NO in step S1406), the control unit 320 displays the communication unit 310. Then, an authentication stop notification is transmitted to the controller (step S1407), and the process ends. If it is determined in step S1406 that they do not match, the manufacturer server 300 retains the device ID included in the confirmation request, and detects the newly requested device as an unauthorized device.

When the controller 320 of the manufacturer server 300 receives a pair of the controller ID and the device ID from the controller (YES in step S1409), the controller 320 receives the correspondence information 600 of the correspondence information holding unit 340. A pair of controller ID and device ID is additionally registered (step S1410), and the process ends.
As a result, a new pair of device ID and controller ID is registered in the correspondence information and used for subsequent detection of unauthorized devices.

Next, as shown in FIG. 11 to FIG. 14, FIG. 15 and FIG. 16 are flowcharts of the sequence diagrams regarding the exchanges between the devices when each device operates.
FIG. 15 is a sequence diagram showing exchanges between devices in the system when a device is already registered in the manufacturer server 300 and connection with a new controller is successful. Here, an example is shown in which the device 200a has been connected to the controller 100a up to now and the connection destination is changed to the controller 100b. Therefore, when the device 200a starts the authentication process with the controller 100b, the device ID of the device 200a and the controller ID of the controller 100a are associated with each other in the correspondence information held by the manufacturer server 300. become.

The device 200a transmits a connection request including its own device ID to the controller 100b (step S1501).
When receiving the connection request, the controller 100b transmits a confirmation request for inquiring whether or not the device ID of the device 200a is registered in the manufacturer server 300 to the manufacturer server 300 (step S1502).

  When receiving the confirmation request, the manufacturer server 300 verifies whether or not the device ID of the device 200a is registered in the correspondence information. Here, since the device 200a has already performed connection authentication with the controller 100a, the device ID of the device 200a is registered in the correspondence information. Then, the manufacturer server 300 transmits a connection controller ID request for requesting a controller ID held by the device 200a to the controller 100b as information regarding the area network to the device 200a (step S1503).

The controller 100b that has received the connection controller ID request transfers it directly to the device 200a (step S1504).
The device 200a to which the connection controller ID request has been transferred acquires the controller ID (here, the controller ID of the controller 100a) from the held controller information. Then, the device 200a transmits the acquired controller ID to the controller 100b (step S1505).

The controller 100b that has received the controller ID transfers it to the maker server 300 as it is (step S1506).
Upon receiving the controller ID, manufacturer server 300 determines whether or not the received controller ID matches the controller ID associated with the device ID included in the confirmation request received in step S1502 in the correspondence information. Determination is made (step S1507). Here, the received controller ID (controller ID of the controller 100a) matches the controller ID (controller ID of the controller 100a) associated with the device ID (device ID of the device 200a) in the correspondence information.

Then, the manufacturer server 300 instructs the controller 100b to continue device authentication (step S1508).
Upon receiving the instruction, the controller 100b and the device 200a perform an authentication process using a public key certificate, a random number, and a signature (FIG. 11, steps S1104 to S1112, and FIG. 13, steps S1212 to S1220). reference). Here, it is assumed that the device 200a and the controller 100b succeed in mutual authentication (step S1509).

Then, the device 200a registers the controller ID of the connection destination controller 100b and the certificate ID in association with the controller information (step S1510). The controller 100b also registers the device ID of the connected device 200a and its certificate ID in the device information in association with each other (step S1511).
Then, the controller 100b transmits connection information including its own controller ID and information of the device 200a that has been successfully authenticated and newly connected to the manufacturer server 300 (step S1512).

The manufacturer server 300 that has received the connection information associates the received device ID with the controller ID and additionally registers them in the correspondence information (step S1513). As a result, even if another unauthorized device having the device ID of the device 200a is newly connected to the system later, the unauthorized device should not have the controller ID. The connected device can be detected as an unauthorized device.

FIG. 16 is a sequence diagram showing exchanges between devices in the system when an unauthorized device is detected.

  Here, it is assumed that the device 200a ′ is a device to be newly connected to the controller 100b and is an unauthorized device having the same device ID as the device 200a. In addition, it is assumed that the device 200a which is a legitimate device is connected to the controller 100a, that is, in the correspondence information, the device ID of the device 200a is associated with the controller ID of the controller 100a. The device 200a ′ holds a controller ID different from that of the controller 100a.

The exchange between the devices in the system in this case is a common process until the process of step S1506 shown in FIG.
In step S1607, when the manufacturer server 300 receives the controller ID, the received controller ID matches the controller ID associated with the device ID included in the confirmation request received in step S1502 in the correspondence information. It is determined whether or not (step S1707). Here, the received controller ID (controller ID of a controller different from the controller 100a) does not match the controller ID (controller ID of the controller 100a) associated with the device ID (device ID of the device 200a) in the correspondence information. It will be.

Then, the manufacturer server 300 detects the device 200a ′ as an unauthorized device (step S1608).
Then, the manufacturer server 300 instructs the controller 100b to cancel the authentication process (step S1609).
Upon receiving the instruction to stop the authentication process, the controller 100b stops the authentication process and notifies the device 200a ′ of an error (step S1610).

Upon receiving the error notification, the device 200a ′ stops the authentication process.
Further, the maker server 300 executes processing related to unauthorized devices such as processing for identifying the device 200a ′ as needed (where and where the actual unauthorized device 200a ′ is installed) (step S1611). In addition, about the process regarding an unauthorized device, since it performs a general process, the detail is omitted here.

<Summary>
As shown in the present embodiment, when the authentication process between the device and the controller is successful, the manufacturer server 300 holds correspondence information indicating the pair, so that the new device is connected to the controller. When authentication is started, if the device ID of the new device has already been registered in the correspondence information, and the device does not have a controller ID associated with the correspondence information, the new device is illegal. Can be detected as a simple device.

Therefore, it is possible to prevent a situation where a plurality of devices having the same device ID exist on the network. For example, a device that does not need to operate in the control of home appliances from outside the network operates. Such a situation can be prevented.

<Modification>
Although the unauthorized device detection method according to the present invention has been described according to the above-described embodiment, the present invention is not limited to this. Hereinafter, various modifications included as the idea of the present invention will be described.

(1) In the above embodiment, the controller ID is used as the information related to the area network, but this is not limited thereto. Any information may be used as long as the information identifies the area network.
For example, in addition to the identifier unique to the controller, the MAC address of the controller unique to the controller or an area network identifier for identifying the area network on the system may be used. The area network identifier may be set by an operator who manages the unauthorized device detection system or a user who uses the unauthorized device detection system, or an area network name may be set in advance in the controller when the controller is shipped. .

Furthermore, information indicating the configuration of the area network may be used as the information regarding the area network.
Here, the case where information indicating the configuration of the area network is used as the information regarding the area network will be described in detail.
The information indicating the configuration of the area network is group information indicating which device belongs to the area network. For example, when considering in each household, the area network differs in the type and number of TVs, refrigerators, air conditioners, etc. used depending on the preferences of each resident, and it is extremely rare that they are completely matched. . Therefore, information on a group of devices constituting the area network can be used as the information regarding the area network.

  That is, first, when a device has succeeded in connection with the controller (successful authentication), the device acquires information related to another device to which the controller is connected from the connected controller. The device identifier of the device is used as the information related to the other device here. In addition, as shown in the above embodiment, the controller itself holds the device information 800 as information on a device that has been successfully authenticated. Therefore, a device that transmits information about the device included in the area network to the device. As the ID, all device IDs registered in the device information 800 are used. The manufacturer server 300 is further associated with correspondence information as information on other devices included in the area network to which the device belongs.

  Therefore, when using information on devices constituting the area network as information on the area network, the device holds information on the area network as shown in FIG. 17, for example. That is, the controller information 1700 held by the device in this case includes a controller ID 1701 that is an identifier of the controller that has succeeded in connection authentication, a certificate ID 1702 that is an identifier of the public key certificate of the controller, and a device that belongs to the same area network. This is information associated with other device IDs 1703 that are the respective identifiers. The device is requested by the manufacturer server 300 for information regarding the area network instead of the connection controller ID request in step S1503 of FIG. 15 or FIG. 16, and transmits information included in the other device ID 1703 of the controller information 1700.

The manufacturer server 300 holds correspondence information as shown in FIG. In the correspondence information 1800 illustrated in FIG. 18, the device ID 1801 is associated with the controller ID 1802 and another device ID 1803.
Note that the correspondence information 1800 may be information in which all device IDs to which the controller is connected are associated with the controller ID. In this case, the maker server 300 searches for a device ID included in the confirmation request made from the controller from all the device IDs, and whether other device IDs acquired from the devices match. By detecting whether or not, unauthorized devices are detected.

  Further, when area network configuration information is used as information about the area network, information on the type of device (for example, an air conditioner, a refrigerator, a television, etc.) is associated with each other in order to increase the uniqueness of each area network. Also good. An example of the controller information held by the device in that case is shown in FIG. Although only the controller information held by the device is shown here, the device information held by the controller and the correspondence information held by the maker server 300 are further stored in association with the device type information of the device, Used as information about area networks for detecting unauthorized devices. Further, in the case of using controller information as shown in FIG. 19, the manufacturer server 300 designates any model type, and the device transmits a device ID of another device corresponding to the device type. Good. In this case, the maker server 300 does not have to execute the comparison of the IDs of all the other devices, so that the processing time can be reduced and the processing load can be reduced.

  In addition, in the case of using information on a group of devices constituting the area network as information on the area network, in consideration of the possibility of including a large number of devices, other device IDs held by the newly authenticating device May be determined as a legitimate device when the IDs of a certain number (or a certain percentage) of devices match, not whether or not all other device IDs indicated by the correspondence information match. Further, in order to further increase the uniqueness, the operation history information of each device may be associated.

(2) In the above embodiment, when a device ID is requested from the manufacturer server 300 as information regarding an area network, the device transmits the controller ID. However, the controller ID may be transmitted before being requested from the manufacturer server 300.
In other words, when a device sends a connection request to the controller, the device sends the device ID and the public key certificate it holds together with the connection request. The controller ID may also be transmitted as information regarding the area network being used.

Then, when the device confirmation is transmitted to the maker server 300, the controller also transmits a controller ID as information on the area network transmitted from the device, in addition to the device ID and its own controller ID.
By configuring in this way, the maker server 300 is an area where the controller ID corresponding to the device ID in the correspondence information is transmitted from the controller when the device ID transmitted in the correspondence information is included. It is possible to compare with the controller ID held by the device as information relating to the network to determine whether or not they match.

Therefore, it is possible to eliminate the trouble of communication for the manufacturer server 300 to request the controller ID from the device.
(3) In the above embodiment, each device is connected to the network via the controller and updates each CRL or software. However, this is not necessarily performed via the connected controller. Also good. That is, each device is provided with a line that connects to the network 500 without using a controller, and communicates with other devices (for example, the manufacturer server 300 and the portal server 400) directly via the network 500. Also good. With such a configuration, even if the controller fails for some reason, the CRL can be updated.

  (4) In the above embodiment, when the manufacturer server 300 succeeds in the authentication between the device and the controller, the manufacturer server 300 additionally registers the association between the device ID and the controller ID in the correspondence information. When the device ID is registered in the correspondence information, the controller ID that is newly associated with the already associated controller ID may be overwritten.

(5) In the above embodiment, the correspondence information is held by the manufacturer server 300. However, the correspondence information is recorded in an external storage medium accessible from the manufacturer server 300, and the manufacturer server 300 The authentication process may be executed by accessing a storage medium.
(6) In the above embodiment, authentication using a public key certificate or a random number has been described. However, the authentication method is not limited to this. Other authentication methods may be used as long as mutual validity can be verified. As another authentication method, for example, authentication using shared key encryption, password authentication, or the like may be used.

(7) Communication by the communication unit of each device in the above embodiment may be wireless or wired as long as communication with a communication partner can be performed.
(8) In the above embodiment, there is no particular description about deleting an entry consisting of a device ID and a certificate ID pair from the device information and deleting an entry consisting of a controller ID and a certificate ID pair from the controller information. May be arbitrarily deleted by the user of each device as necessary, or an entry for a device or controller that has not performed communication for a certain period (for example, three months) may be deleted.

However, it is desirable not to delete the latest controller ID and its certificate ID information for the device. When deleting the latest controller ID and its certificate ID from the device, it is preferable to delete the entry of the correspondence between the device ID of the device and the controller ID in the correspondence information of the manufacturer server 300 together.
(9) Although not particularly described in the above-described embodiment, communication between devices (between the maker server 300 and the portal server 400, between the device and the controller, between the controller and the maker server 300, etc.) is encrypted communication (for example, , SSL (Secure Socket Layer) communication). Thereby, in communication between each apparatus, it can prevent that the information transmitted / received is acquired and misused by the third party.

(10) In the above embodiment, the public key certificate has been described in a state where it has already been issued to each controller or each device. Therefore, although not particularly described, the portal server 400 may further have a function of issuing a public key certificate as a certificate authority.
(11) In the above embodiment, the area network is described by taking the home area network as an example. However, if it is a single closed local network, this does not need to be a home area network. For example, a controller and a plurality of devices may belong to a single building (for example, a building), or a controller and a plurality of devices may belong to a certain range (for example, within a certain facility site). It may be a thing. That is, the area network of the present invention is not limited to one household.

  (12) In the above embodiment, the manufacturer server 300 transmits a connection controller ID request to the device that has made the connection request, and acquires the controller ID as area network information held by the device. . This is a configuration necessary for comparing the controller ID acquired by the maker server 300 and the correspondence information to detect unauthorized devices, but the following method may be used instead of the configuration. Good.

  That is, when the manufacturer server 300 receives a confirmation request from the controller, the manufacturer server 300 determines whether the device ID included in the confirmation request is registered in the correspondence information. If registered, the controller associated with the device ID is identified on the correspondence information. Then, the device ID included in the confirmation request is transmitted to the identified controller, and an inquiry is made as to whether the identified controller holds the device ID in the device information. If it is held, it is determined that the device is a legitimate device, and if it is not registered, it is determined that the device is an unauthorized device.

Even if such a method is used, an unauthorized device can be detected.
(13) The above embodiment and each modification may be combined as appropriate.
(14) The communication, the operation related to the authentication process, the unauthorized device detection process, and the like shown in the above-described embodiment are realized by executing a program code for executing the process by a processor installed in each device. Also good.

  Further, a program code for causing a processor such as a maker server and various circuits connected to the processor to perform the communication, the operation related to the authentication process, the unauthorized device detection process and the like (see FIG. 14) shown in the above embodiment. It is also possible to record a control program consisting of the above in a recording medium, or to distribute and distribute the program via various communication paths. Such recording media include IC cards, hard disks, optical disks, flexible disks, ROMs, and the like. The distributed and distributed control program is used by being stored in a memory or the like that can be read by the processor, and the processor executes the control program, thereby realizing various functions as shown in the embodiment. Will come to be.

(15) Each functional unit of each device (device, controller, manufacturer server, portal server) according to the unauthorized device detection system shown in the above embodiment may be realized as a circuit that executes the function, Alternatively, the program may be executed by a plurality of processors.
In addition, each functional unit of each device of the above embodiment may be configured as a package of an integrated circuit (IC), a large scale integration (LSI), or other integrated circuit. This package is incorporated into various devices for use, whereby the various devices realize the functions as shown in the embodiments.

Each functional block is typically realized as an LSI which is an integrated circuit. These may be individually made into one chip, or may be made into one chip so as to include a part or all of them. The name used here is LSI, but it may also be called IC, system LSI, super LSI, or ultra LSI depending on the degree of integration. Further, the method of circuit integration is not limited to LSI's, and implementation using dedicated circuitry or general purpose processors is also possible. An FPGA (Field Programmable Gate Array) that can be programmed after manufacturing the LSI, or a reconfigurable processor that can reconfigure the connection and setting of circuit cells inside the LSI may be used.

<Supplement>
An embodiment of the unauthorized device detection method according to the present invention and its effects will be described.

  (A) The present invention is an unauthorized device detection method in an unauthorized device detection system, wherein the unauthorized device detection system includes at least one controller (100a, 100b) and one or more devices (200a, 200b, 200c, 200d, 200e), a plurality of area networks (home area networks a, b), and information regarding the area network for each of the area networks and one or more authentication processes included in the area network. A fraudulent device detection server (300) that holds correspondence information (600) in association with a device identifier indicating a device, and each of the devices succeeds in the authentication process when the authentication process with the controller is successful. Regarding the area network that includes the controller The unauthorized device detection server obtains a device identifier of a device to be newly authenticated when there is a device to be newly authenticated with any one of the controllers. (Step S1401), it is detected whether or not the acquired device identifier is included in the correspondence information (Step S1402). If the acquired device identifier is included in the correspondence information (YES in Step S1402) If an attempt is made to acquire information related to an area network from the newly authenticated device (step S1404), and information related to the area network can be acquired from the newly authenticated device (step S1405), Information and the device identifier of the device to be newly authenticated in the correspondence information. It is determined whether or not the information regarding the attached area network matches (step S1406), and if it does not match (NO in step S1406), the newly authenticated device is an unauthorized device. It is characterized by detecting.

  The unauthorized device detection server (300) according to the present invention includes at least one controller (100a, 100b) and one or more devices (200a) that are connected to the controller and hold information related to the area network including the controller. , 200b, 200c, 200d, 200e), a fraudulent device detection server in a fraudulent device detection system including a plurality of area networks (home area networks a, b) and a fraudulent device detection server. If the authentication process is successful, the device identifier of the device and the information on the area network including the controller are stored in association with each other, and either one of the controllers New authentication with other controllers When there is a device to perform, a device identifier acquisition unit (320) that acquires a device identifier of the device to be newly authenticated, and a registration detection unit that detects whether or not the acquired device identifier is included in the correspondence information (320) and, if the acquired device identifier is included in the correspondence information, an area network information acquisition means (320) that attempts to acquire information on an area network from the newly authenticated device, and the area When the network information acquisition means can acquire information related to the area network from the newly authenticated device, the acquired information regarding the area network is associated with the device identifier of the newly authenticated device in the correspondence information. Determining means for determining whether or not the information relating to the area network matches (320) When it is determined that they do not match, characterized in that it comprises a fraud unit detector (320) for detecting a device to perform the new authentication is an unauthorized device.

  In addition, the unauthorized device detection system according to the present invention includes an area network composed of at least one controller and one or more devices that are connected to the controller and hold information related to the area network including the controller. In the unauthorized device detection system including the device detection server, when the authentication process is successful between the device and the controller, the device identifier of the device is associated with information on the area network including the controller And a corresponding information storage unit that stores the device identifier and a device identifier acquisition unit that acquires a device identifier of the device to be newly authenticated when there is a device to be newly authenticated between any one of the controllers. Detecting whether the acquired device identifier is included in the correspondence information A registration detection unit; an area network information acquisition unit that attempts to acquire information about an area network from the newly authenticating device when the acquired device identifier is included in the correspondence information; and the area network information acquisition. When the information about the area network can be acquired from the newly authenticated device, the area network associated with the acquired information regarding the area network and the device identifier of the newly authenticated device in the correspondence information A determination unit that determines whether or not the information on the device matches, and an unauthorized device detection unit that detects that the device to be newly authenticated is an unauthorized device when it is determined that the information does not match. And

  If the device identifier of the device to be newly authenticated has already been registered in the correspondence information, the device has previously performed authentication processing with another controller. Therefore, when the device does not hold information related to the area network that matches the information related to the area network associated with the correspondence information, the device can be detected as an unauthorized device. Prevent entry of devices into the network.

In addition, when the device succeeds in authentication with the controller, the device generally stores and holds information about the controller as a communication destination. If the information related to the controller is used as the information related to the area network, more information is stored for authentication, and the storage capacity of the device is not compressed.
(B) In the fraudulent device detection method according to (a), the server fraudulently authenticates the newly authenticated device even when the server cannot acquire information about the area network from the newly authenticated device. It is good also as detecting that it is a proper apparatus.

As a result, when a device having a device identifier already registered in the server tries to perform new authentication, the device has succeeded in authentication with one of the controllers in the past and retains information on the area network. If the information is not held, the newly authenticated device can be detected as an unauthorized device.
(C) In the unauthorized device detection method according to (a), the information regarding the area network may be an identifier unique to the controller included in the area network.

Thereby, the identifier of the controller can be used as information for specifying the area network. Since each area network includes at least one controller, the identifier can be used as information for specifying the area network.
(D) In the unauthorized device detection method according to (a), the information related to the area network may be a MAC address of the controller included in the area network.

  Thereby, the MAC address of the controller can be used as information for specifying the area network. Since each area network includes at least one controller, the MAC address is originally unique to the controller on the network, so that it can be used as information for specifying the area network.

(E) In the unauthorized device detection method according to (a), the information related to the area network may be unique area network identification information predetermined for the area network.
Thereby, the identification information of the area network individually attached to the area network can be used as the information for specifying the area network. By using the identification information individually assigned to the area network, for example, it is possible to improve the ease of recognizing which area network the system manager or the like recognizes.

(F) In the unauthorized device detection method according to (a) above, the information on the area network may be device information including one or more device identifiers of each device included in the area network.
As a result, information on a group of devices included in the area network can be used as information for specifying the area network. It is assumed that each area network includes various devices, and the device configuration is likely to be a configuration specific to each area network, and thus can be used as information for specifying the area network.

  (G) In the fraudulent device detection method according to (a) above, the device identifier of the device to be newly authenticated is registered in the correspondence information, and is an area acquired from the device to be newly authenticated When it is determined that the information on the network matches the information on the area network registered in association with the device identifier of the device to be newly authenticated in the correspondence information, the device identifier of the device to be newly authenticated And information related to the area network including the controller to which the device to be newly authenticated is connected may be registered in association with each other.

  Thereby, when a device that newly authenticates holds information about the area network and the information about the area network matches the information about the area network associated with the device in the correspondence information, The device can be detected as a legitimate device that has been authenticated in the past with another controller.

  The unauthorized device detection method according to the present invention can be used for detecting each unauthorized device newly connected to a network system, for example, for controlling each device in a home network system.

100a, 100b Controller 110 Communication unit 120 Control unit 130 Authentication processing unit 140 Authentication information holding unit 150 Device information holding unit 200a, 200b, 200c, 200d, 200e Device 210 Communication unit 220 Control unit 230 Authentication processing unit 240 Authentication information holding unit 250 Controller information holding unit 260 Device history holding unit 300 Manufacturer server 310 Communication unit 320 Control unit 330 CRL management unit 340 Corresponding information holding unit 350 CRL holding unit 400 Portal server 410 communication unit 420 Encryption processing unit 430 CRL management unit 440 Encryption key holding unit 450 CRL holder

Claims (9)

An unauthorized device detection method in an unauthorized device detection system,
The unauthorized device detection system includes a plurality of area networks including at least one controller and one or more devices connected to the controller, information on the area network for each of the area networks, and authentication processing included in the area network Including a fraudulent device detection server that holds correspondence information associated with device identifiers indicating one or more devices that have been successfully
When each of the devices succeeds in the authentication process with the controller, each of the devices holds information regarding the area network including the controller that has been successfully authenticated.
The unauthorized device detection server is:
If there is a device to be newly authenticated with any one of the controllers, obtain the device identifier of the device to be newly authenticated,
Detecting whether or not the acquired device identifier is included in the correspondence information;
When the acquired device identifier is included in the correspondence information, from the newly authenticating device, an attempt is made to acquire information about the area network,
When information related to the area network can be acquired from the newly authenticating device, information related to the area network and information related to the area network associated with the device identifier of the newly authenticating device in the correspondence information; Determine whether they match,
An unauthorized device detection method, wherein when it is determined that they do not match, the newly authenticated device is detected as an unauthorized device. The server detects the newly authenticating device as an unauthorized device even when the information regarding the area network cannot be acquired from the newly authenticating device. The unauthorized device detection method described. The unauthorized device detection method according to claim 1, wherein the information related to the area network is an identifier unique to the controller included in the area network. The unauthorized device detection method according to claim 1, wherein the information related to the area network is a MAC address of the controller included in the area network. The unauthorized device detection method according to claim 1, wherein the information related to the area network is unique area network identification information predetermined for the area network. 2. The unauthorized device detection method according to claim 1, wherein the information related to the area network is device information including one or more device identifiers of each device included in the area network. In the case where the device identifier of the device to be newly authenticated is registered in the correspondence information, information relating to the area network acquired from the device to be newly authenticated and the new authentication is performed in the correspondence information When it is determined that the information related to the area network registered in association with the device identifier of the device matches, the controller includes the device identifier of the device to be newly authenticated and the controller to which the device to be newly authenticated is connected. The illegal device detection method according to claim 1, wherein information relating to the area network to be registered is registered in association with each other. In an unauthorized device detection system including a plurality of area networks including at least one controller and one or more devices connected to the controller and holding information regarding the area network including the controller, and an unauthorized device detection server An unauthorized device detection server,
A correspondence information storage unit that stores correspondence information in which a device identifier of the device and information on an area network including the controller are associated with each other when the authentication process is successful between the device and the controller;
When there is a device that newly authenticates with any one of the controllers, device identifier acquisition means for acquiring a device identifier of the device that is newly authenticated,
Registration detection means for detecting whether or not the acquired device identifier is included in the correspondence information;
If the acquired device identifier is included in the correspondence information, an area network information acquisition unit that attempts to acquire information about an area network from the newly authenticated device;
When the area network information acquisition means can acquire information about the area network from the newly authenticated device, it corresponds to the acquired area network information and the device identifier of the newly authenticated device in the correspondence information Determining means for determining whether or not the information about the attached area network matches;
An unauthorized device detection server, comprising: an unauthorized device detection unit that detects that the newly authenticated device is an unauthorized device when it is determined that they do not match. A fraudulent device detection system including a plurality of area networks including at least one controller and one or more devices connected to the controller and holding information regarding the area network including the controller, and a fraudulent device detection server. There,
A correspondence information storage unit that stores correspondence information in which a device identifier of the device and information on an area network including the controller are associated with each other when the authentication process is successful between the device and the controller;
When there is a device that newly authenticates with any one of the controllers, device identifier acquisition means for acquiring a device identifier of the device that is newly authenticated,
Registration detection means for detecting whether or not the acquired device identifier is included in the correspondence information;
If the acquired device identifier is included in the correspondence information, an area network information acquisition unit that attempts to acquire information about an area network from the newly authenticated device;
When the area network information acquisition means can acquire information about the area network from the newly authenticated device, it corresponds to the acquired area network information and the device identifier of the newly authenticated device in the correspondence information Determining means for determining whether or not the information about the attached area network matches;
An unauthorized device detection system comprising: an unauthorized device detection unit that detects that a device to be newly authenticated is an unauthorized device when it is determined that they do not match.

Images