KR101643334B1 - Gateway apparatus for interlocking of Machine to Machine local network and Machine to Machine network and system for it - Google Patents

Abstract

The present invention relates to a gateway device that is located between a Machine to Machine network and an MBMS area network and enables data transmission between the two networks. The gateway device performs data communication with an MTMS device connected to the MTMS network through a gateway ; A control unit for collecting data from the TMU device and performing monitoring and remote state management for the TMU device; And an identification module for performing an authentication procedure for the TMU device connected to the gateway through communication with the control unit and generating a predetermined data packet for storing data related to the TMU device in an encrypted form, Wherein the identification module includes at least one of an identification information of the TMU device, identification information of the identification module, frequency channel identification information, subscriber identification information, and data collected from the TMU device in a single data packet for encryption .

Description

Technical Field [0001] The present invention relates to an M2M security gateway device and a communication system for controlling a billing and a remote monitoring,

The present invention relates to a gateway device and a communication system for supporting communication through an interworking between an M2M (machine to machine) network and an M2M local network, and more particularly, to a gateway device and a communication system for encrypting information of devices belonging to an M2M local network, And the gateway device and communication system for interworking between the M2M network and the M2M local network to secure the integrity.

The development of modern information and communication technology is changing not only for computers but also for networking of smart phones and portable multimedia devices. Small devices such as computation and communication networking functions used in such computers, smart phones, and the like enable a communication network between objects that are used not only in information devices but also in various objects around human beings to acquire information around them and share them with each other.

One of such technologies is Machine to Machine (M2M) communication. M2M is a technology related to the networking of devices and devices that are widely used in everyday life. M2M communication enables a series of devices to be connected and used from the computer mainframe to everyday products (eg, home appliances, buildings or transportation).

The M2M communication is a concept to construct a network using a small communication device in the M2M device and to share collected information. It started from USN (Ubiquitous Sensor Network), which mainly targets local area without human intervention, As range and purpose vary, various wired / wireless networks can be used for M2M communication. This M2M communication uses low-cost, low-power short-range wireless communication such as Zigbee, Bluetooth, WiFi, etc. and uses cellular-based high-speed mobile communication technology such as 3GPP and LTE for various convergence services such as situation recognition, It is possible.

Therefore, the concept of M2M communication extends beyond the concept of simple mobile communication network to the concept of utilizing wired / wireless network. In particular, in the existing mobile communication system, the network always manages the mobility of the terminal, and procedures for transmitting and receiving data between terminals are defined for each mobile communication system.

However, in M2M communication, there is a characteristic that the network does not always manage the mobility of devices (e.g., a camera, an eBook, and a home appliance), and also has a characteristic of transmitting and receiving data and contents M2M-enabled devices for authentication, registration, and provisioning of equipment without specific methods or over-the-air (OTA) protection of spare configuration identifiers The authentication and key agreement used in the preliminary authentication of the M2M-enabled equipment, which does not use the information in the Trusted State (TS) of the M2M- ) Does not guarantee credentials, does not provide software and firmware security updates or reconfiguration of M2M-capable equipment, and M2 M tampering is detected and not responded to equipment.

Also, there is no definition of the role of M2M capable equipment users / subscribers. Therefore, various methods and devices for improving M2M performance, security and reliability are required.

Mutual Authentication and Key Exchange Protocol for Establishing Secure M2M Communication, Hyeon-Sei Lee, KISA Bulletin 20 (1)

It is an object of the present invention to solve the above-mentioned problems, and it is an object of the present invention to provide a communication system and a communication method for supporting communication between an M2M network and an M2M area network, We propose a gateway device and a communication protocol that can secure the integrity of the devices belonging to the M2M network and present the methodology for the network join, operation, management and security problems when the M2M network is connected to the M2M network.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, unless further departing from the spirit and scope of the invention as defined by the appended claims. It will be possible.

According to an aspect of the present invention, there is provided a gateway device for transferring data between two networks, which is located between a Machine to Machine network and an MBMS area network according to an embodiment of the present invention, A communication unit for performing data communication with an associated TM device; A control unit for collecting data from the TMU device and performing monitoring and remote state management for the TMU device; And an identification module for performing an authentication procedure for the TMU device connected to the gateway through communication with the control unit and generating a predetermined data packet for storing data related to the TMU device in an encrypted form, The identification module encrypts at least one of the identification information of the TMU device, the identification information of the identification module, the frequency channel identification information, the subscriber identification information, and the data collected from the TMU device in a single data packet.

The identification module according to an embodiment of the present invention may include a smart card web server (SCWS), a database, a database management system, And an interface port of the multimedia network, wherein the database includes at least one of frequency channel identification information, a personal area network identification (PAN ID), network identification information, And at least one of routing information for routing the network path and the identification information for each of the routing information.

At this time, the identification module may perform an authentication procedure for the TMU device connected to the gateway, based on the database.

Next, the control unit according to the embodiment of the present invention may assign a PAN ID to the TMU device connected to the gateway after confirming the network configuration through communication with the identification module.

Also, the control unit may derive subscriber identification information corresponding to the identification information of the TMU device through communication with the identification module, map the identification information to the identification information of the TMU device, and store the mapped information in the database.

On the other hand, the identification module may include personal area network (PAN) identification information, network identification information, frequency channel identification information, device identification information, subscriber identification information, and the like collected from the TMU device Data can be encrypted by putting it in the payload area of the data packet.

The identification module may further include a hashing function used to encrypt the data payload area with a predetermined asymmetric key using a public key infrastructure or to convert a key value to an address of a storage location, Can be used to encrypt.

Furthermore, the identification module may generate a data packet based on the HTTPS protocol in accordance with the communication standard for the encrypted data packet.

Meanwhile, the data collected from the TMU device may include at least one of identification information, operation state information, battery remaining amount information, sensing information, environment information, and settlement related information of the TMU device.

Preferably, the SMT gate apparatus according to the embodiment of the present invention may further include a non-volatile type memory for storing the encrypted data packet in the identification module. At this time, the control unit may transmit requested data from the memory when requesting data transmission from a remote operation server performing TCP / IP communication with the Ethernet gateway, and transmit the requested data to the remote operation server through the communication unit have.

More preferably, the MBMS gateway device according to the embodiment of the present invention may further include a baseband communication modem for performing TCP / IP communication with a remote operation server through a mobile communication network.

Meanwhile, the data packet generated by the identification module according to the present invention includes a header area; And a second area including a first area including data to be transmitted encrypted and a block check code for checking whether an error occurs in data transmission. In this case, the first area may include frequency channel information, a destination PAN ID, a destination address, a source PAN ID, a source address, network identification information, identification information of the SMT device, mapping to the SMT device And data to be collected from the < RTI ID = 0.0 > SMTemap. ≪ / RTI >

It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the present invention by those skilled in the art. And can be understood and understood.

 According to the present invention, the M2M gateway according to the embodiment of the present invention serves as a coordinator of a local network in order to link the M2M network and the M2M local network, encrypts the device data to interlock the M2M device with the M2M network, Can be stored and managed in a large amount of memory, and can be managed and operated while maintaining the integrity and confidentiality of each device in the M2M regional network.

Further, if the configuration information and data of the M2M local network are encrypted based on the data stored in the identification module, even if the third party hack the M2M device and illegally access the M2M local network, the integrity of the M2M device can be confirmed by the M2M gateway Which can further enhance data security.

According to another aspect of the present invention, when data collected by the M2M gateway is transmitted to the management server, the data can be transmitted in the HTTPS standard, which is a standard protocol for use in the public network, so that a compatible system having no additional conversion device can be constructed .

BRIEF DESCRIPTION OF THE DRAWINGS The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
1 is a diagram illustrating an example of an M2M communication network structure related to an embodiment of the present invention.
2 is a block diagram illustrating a configuration of an M2M gateway according to an exemplary embodiment of the present invention.
FIG. 3 is a flowchart illustrating an exemplary process of data integrity for an M2M gateway according to an exemplary embodiment of the present invention. Referring to FIG.
4 is a diagram illustrating an example of a data packet structure generated in the M2M gateway according to the embodiment of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and described in detail in the detailed description. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the accompanying drawings. DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS The following detailed description, together with the accompanying drawings, is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced. The following detailed description includes specific details in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the present invention may be practiced without these specific details.

M2M communication can be utilized in various fields in our life. For example, it can be used in a variety of applications, from a Vehicle Area Network (VAN) using devices installed in various vehicles to a smart grid, security, remote monitoring and control, communication connection for payment settlement, And the monitoring of the surrounding environment. Among them, Smart Grid, Vehicle Communication Network, and e-Health (electronic-Health) are the applications of M2M communication technology.

When the M2M network is connected to the existing M2M network, there may be problems of management subjects, technical difficulties in management and operation of a large amount of equipment connected to the network.

Therefore, the present invention supports interworking between the M2M network and the M2M local network so that the existing M2M network and the communication method between the different types of networks can be interworked, and the information of the devices belonging to the M2M network is encrypted to secure the integrity This paper proposes a gateway device and a communication protocol that can propose a methodology for network join, operation, management, and security problems when an M2M local network is connected to an M2M network.

1 is a diagram illustrating an example of an M2M communication network structure related to an embodiment of the present invention.

Referring to FIG. 1, the M2M communication network structure 100 includes a network area 101 and an M2M device area 102.

The network area 101 includes a transmission network 110 for transmitting data transmitted from the M2M device through M2M communication, an M2M application unit 120 associated with the transmission network, and a network management unit 130 for performing network management do.

The transmission network 110 includes an access network 111, a core network 113, and an M2M service function 115 associated with the M2M network access of the M2M device.

The access network 111 is a network configured to connect various devices to the communication network in the M2M communication, and includes a wired access network and / or a radio access network.

In recent years, M2M communication using wireless communication has been mainly performed. In the wireless access network, WCDMA (Wideband Code Division Multiple Access), WiMAX (Worldwide Interoperability for Microwave Access), WiFi (Wireless Fidelity), LTE .

The access network 111 includes an M2M function unit 111a for performing functions of the M2M network and an access network security unit 111b for performing security procedures in the process of connecting the M2M devices to the access network 111. [

The core network 113 is a high speed backbone network of a large communication network capable of providing large capacity, long distance voice and data services and can be used for a wide area network such as a public switched telephone network (PSTN), an integrated information network (ISDN), an IMT-2000, a wide area network (WAN) LAN), and general cable broadcasting (CATV). It mainly uses the Internet backbone network, connecting the Internet, controlling services and networks, providing interconnection and roaming with other networks.

Similarly, the core network 113 includes an M2M function unit 113a that performs an M2M network function.

The access network 111 and the core network 113 serve as a transport network for data communication between the M2M network and the application area 110 and the M2M device area 120 and transmit control information and M2M data.

The M2M service function unit 115 identifies and stores information for providing application functions, performs communication selection, remote object management, security, transaction management, interworking and the like, and configures an M2M core together with the core network 113 do.

Next, the M2M application unit 120 performs an operation related to the execution of application programs related to various services that can be provided to the M2M device, and associates with the transmission network 110, So that the connection can be performed using the network.

Next, the network management unit 130 includes an M2M management unit 131 for managing the M2M network, and can manage the radio access network and the core network. Specifically, the network management unit 130 performs security management functions required in the network configuration management, the failure management, the subscriber management and the performance management, and the M2M service configuration. The M2M management unit 131 performs configuration management, Can be performed.

The M2M device area 102 is composed of a direct communication type M2M device 140, an indirect communication type M2M device 150, an M2M gateway 160 and an M2M area network 170. [

The direct communication type M2M device 140 includes an M2M function unit 141, an M2M application unit 143 and a device security unit 145. [ The direct communication type M2M device 140 includes an M2M function unit 141 and an M2M application unit 143. The direct communication type M2M device 140 performs one or more application applications through a communication function, Can be directly connected to.

The indirect communication type M2M device 150 is a device that uses the M2M area network and is used to distinguish the communication type M2M device 140 from the direct communication type M2M device 140. For example, the indirect communication type M2M device 150 may be a device used for healthcare or an offline payment (payment using a card or a smart card) Or a remote terminal such as a payment terminal for mobile payment (payment using a smart phone or the like). The indirectly communicating M2M device 150 is indirectly connected to the M2M gateway 160 via the M2M gateway 160 and is connected to the M2M gateway 160 via the local network 170 which is distinct from the M2M network.

Specifically, since the indirect communication type M2M device 150 can not directly connect to the M2M network and does not include a separate M2M function unit or an M2M application unit, it can access the network through a separate gateway or router. That is, the M2M gateway 160 serves as a medium for connecting the indirect communication type M2M device 150 to the connection network 111. [

The M2M network 170 is a network for connecting the indirect communication type M2M device 150 and the M2M gateway 160. The M2M network 170 is a network for connecting the indirect communication type M2M device 150 and the M2M gateway 160, And the like, and data processing is performed in the local network.

Local networks include personal area network (PAN) such as IEEE 802.15, ZigBee, Bluetooth, RFID, automotive communication technology, industrial network, building automation communication technology, and communication technology used for home automation. Vehicle communication technology is CAN (Controller Area Network). Local Interconnect Network (LIN), and FlexRay. BACnet (Building Automation and Control Networks) is a communication technology for building automation, and CEBus (Consumer Electronics Bus) and LonTalk are network technologies for home automation. All of these technologies can be used as M2M regional networks.

In order to extend the M2M network, it is necessary to accommodate the local network. The M2M local network 170 may be a separate network from the M2M network, and bilateral communication may correspond to inter-species communication.

The M2M gateway 160 connects the indirectly communicating M2M device 150 to the access network 111 via the M2M local network 170. [ The M2M gateway 160 includes an M2M application unit 161 and an M2M function unit 163 and connects the indirect communication M2M device 150 connected through the M2M area network 170 to the connection network 111 And performs network entry, routing, and communication functions.

In addition, the M2M gateway 160 collects device operation data, environment data, sensing data, and the like from the indirect communication type M2M device 150 or, when the indirect communication type M2M device 150 is a payment terminal, Lt; / RTI > Here, the settlement related information includes at least one of card information used for offline settlement or mobile settlement, settlement amount information, and authentication information for settlement.

In this way, the direct communication type M2M device 140 and the M2M gateway 160 provide functions such as data collection and reporting, remote control function, group communication or one-to-one communication function and transaction processing in order to provide M2M service.

The M2M communication service, which is an inter-device communication in the above-described M2M communication network structure with reference to FIG. 1, requires security of important information of the device. In the case of wireless communication, Security light is required.

In particular, as described above, in the M2M area network, an independent network is formed using common wireless communication technologies such as Zigbee, UWB, and bluetooth among the indirect communication type M2M devices. There is a problem in that all the data can be captured and illegally connected to the network using the captured information. Network illegal connections can be extended to secondary problems such as hacking and cyber threats, threats of personal privacy exposure, falsification of resource usage and billing information. Therefore, security of data in M2M communication itself and transmission security And restrictions on access rights are increasing.

Accordingly, the present invention can be applied to both the direct communication type M2M device 140 and the indirect communication type communication network 111 for the purpose of securing the secondary data or placing the connection network security unit 111b in the access network 111 for the primary data security as shown in FIG. The M2M device 150 may propose a network structure that implements to include the device security units 145 and 151, respectively.

The access network security unit 111b may share the key information between the M2M nodes or the node and the gateway in case the M2M device joins the network through the supply process through the asymmetric key encryption, so that the link layer encryption, integrity, If provided, it can prevent an external attack. In addition, since the e-UICC performs the authentication function for the nodes constituting the M2M network, it is possible to apply a conventional networking security technology such that the external attacking node can not participate in the network easily.

The device security units 145 and 151 perform an integrity verification function to prevent the data from being forged or falsified during transmission in the case of falsification when data is stored in the terminal or in transmission to the outside and perform security of the M2M device itself.

In addition, the M2M gateway 160 according to the embodiment of the present invention further includes a gateway security unit 165 for securing tertiary data in order to implement the integrity of the gateway itself except for the M2M application unit 161 and the M2M function unit 163 .

Specifically, the M2M gateway 160 maintains the integrity and confidentiality of the indirectly communicating M2M device 150 of the M2M local network through the gateway security 165, And the monitoring data on the network routing fluctuation situation can be encrypted and transmitted to the business side. In addition, when data collected by the M2M gateway 160 is transmitted to the management server, the data can be transmitted in the HTTPS standard, which is a standard protocol for use in the public network, so that a compatible system having no separate conversion device can be constructed.

2, an indirect communication type M2M device that forms an M2M area network for simplicity of description and uses an external communication network through an M2M gateway is referred to as an 'M2M device '.

2 is a block diagram illustrating a configuration of an M2M gateway according to an exemplary embodiment of the present invention.

2, the M2M gateway 200 according to the embodiment of the present invention includes a communication unit 210, a communication modem 220, a controller 230, a memory 240, and an identification module 250. The components shown in FIG. 2 are not essential, and an M2M gateway having more or fewer components may be implemented.

Hereinafter, the components will be described in order.

The communication unit 210 includes a reception antenna 211, a reception RF communication unit 213, a transmission antenna 215, and a transmission RF communication unit 217. For example, it receives data from the M2M device belonging to the M2M local network through the receive antenna 211 and the receive RF communication unit 213, and transmits the data to the encrypted device and network using the transmit antenna 215 and the transmit RF communication unit 217 To the external provider. The data received from the M2M device via the communication unit 210 is transmitted to the control unit 230.

The communication modem 220 is a baseband modem and is largely divided into two parts for transmission and reception and performs operations for data transmission and reception such as digital processing, encoding, modulation and D / A conversion.

The controller 230 generally controls an overall operation performed by the M2M gateway 200, and may include an MCU (Micro Controller Unit) having software installed therein to perform various functions.

The control unit 230 includes an MCU core unit 231 for controlling overall data operation processing and operation related to the gateway configuration or function, a memory control module 233 for controlling an external memory, And a USB interface 235 that plays a role.

When the data of the M2M device is transferred from the communication unit 210 to the MCU core unit 231, the MCU core unit 231 stores the data in the memory 240 via the memory control module 233 and the identification module 250 through the USB interface 235 And performs communication. When the communication and authentication procedures between the controller 230 and the identification module 250 are completed, the data stored in the memory 240 is transmitted to the identification module 250 to perform data encryption, And transmits the data packet to the vendor through the communication modem 220 and the communication unit 210. [

In addition, the MCU core unit 231 monitors the network state or the operation state of the M2M device based on operation data, environmental data, sensing data, and the like transmitted from the M2M device in real time or at predetermined intervals, Operation can be performed. The monitoring result can be transmitted by including it in the data packet transmitted to the provider side.

In addition, the M2M gateway 200 can perform a communication connection for payment settlement with the provider when the M2M device is a payment terminal. The MCU core unit 231 securely processes the payment related information collected from the payment terminal through the communication with the identification module 250 to enhance information security so that the information can not be read from the M2M gateway or other communication equipment have.

Preferably, the controller 230 may include a nonvolatile memory type internal memory (not shown in FIG. 2) having a limited capacity for storing measurement data. At this time, since the memory capacity of the control unit is limited, the control unit can add the external memory 240 as needed.

The memory 240 is a nonvolatile memory added to the outside of the controller 230 as needed, and is a recording device for temporarily storing data collected or measured by the M2M gateway 200 before being transmitted to the outside through a communication network . As the identification module of the gateway has become smaller in recent years, it becomes difficult to further attach the memory capacity to the inside of the identification module 250. Therefore, the external memory 240 connected to the internal memory of the controller 230 is separately configured as shown in FIG. 2 .

The identification module 250 is a chip for storing various kinds of information for authenticating the use right of the M2M gateway 200. The identification module 250 includes registered M2M device information (e.g., e-UICC information) using M2M communication, UICC information, Stored and available for provisioning. Examples of the identification module 250 include a UIM (User Identity Module), a SIM (Subscriber Identity Module), a USIM (Universal Subscriber Identity Module), a UICC (Universal Integrated Circuit Card) (Hereinafter referred to as "identification device") may be manufactured in the form of a smart card.

For example, the UICC includes the UICC MCU 251 and the UICC interface 253, as an example of the UICC (e-UICC) in the identification module 250. The UICC MCU 251 includes a Java platform, a USIM applet, a Smart Card Web Server (SCWS), a DBMS (Data Base Management System), a DB (database) and a gateway, The controller 253 may be connected to the controller 230 through a port (e.g., IC-USB, ISO-7816, etc.).

Here, the use of SCWS allows remote management of services (or applets) and contents provided by UICC at the provider side, security management that supports HTTPS itself, authentication management for PKI authentication procedures, By providing compatibility with data exchange in accordance with the HTTPS standard, the efficiency of the M2M network system connected to various platforms of various equipment can be increased. In addition, when SCWS is used, the M2M gateway acts as a server through real-time monitoring of hardware in case of security threat caused by the intrusion of the equipment itself, so that it is convenient to provide network log data.

Even if data is stored in the external memory 240 when the encrypted data is stored, the DB for managing the DB may be embedded in the identification module 250 to further enhance security. That is, when transmission of specific data is requested from the outside, requested data stored in the memory 240 can be searched and transmitted based on the DB storing the index of the corresponding data, So that data retrieval can be performed more easily. In addition, it is not necessary to decrypt the data stored in the memory 240 to confirm the data and to reset the data to be transmitted, thereby improving the speed of the data processing scheme. At this time, it is possible to securely process the payment information received from the payment terminal by mounting an authentication applet of a fixed key or public key type for authenticating the payment information to the identification module 250.

In addition, the identification module 250 may include an authentication process for the indirect communication type M2M device received by the M2M gateway 200, a security process and encryption process for the collected data, a public network And can perform data conversion based on a standard protocol so as to utilize the data. The data supplement process performed by the identification module 250 will be described later with reference to FIG.

The data of the indirect communication type M2M device encrypted in the identification module 250 is stored in the memory 240 through the control unit 230 and transmitted to the business side through the communication modem 220 and the communication unit 210.

1, the gateway security module 163 of FIG. 1 corresponds to the identification module 250 that is connected to the control module 230 of FIG. 2 in an interfaced manner in comparison with the configuration of the M2M gateway 200 and the above- .

Hereinafter, the data processing for integrity in the M2M gateway according to the embodiment of the present invention will be described with reference to FIG.

FIG. 3 is a flowchart illustrating an exemplary process of data integrity for an M2M gateway according to an exemplary embodiment of the present invention. Referring to FIG.

The M2M device 150 shown in FIG. 3 represents one of a plurality of M2M devices forming the M2M area network described above with reference to FIG. 1 and using an external communication network through the M2M gateway.

3, when the M2M device 150 requests a connection for data communication with the M2M gateway S301, the control unit 230 of the M2M gateway 200 confirms the network address NWK_Config, (Personal Area Network) ID for the mobile terminal 150 (S302). The provision of the PAN ID for each device is to prevent collision between a plurality of devices connected to the gateway when forming a network.

When the communication between the M2M gateway 200 and the M2M device 150 is connected, the control unit 230 receives the data from the M2M device 150 in step S303 and communicates with the M2M device 150 through the communication with the identification module 250. [ ) (S304).

At this time, the data received from the M2M device 150 may be stored in the temporary buffer (internal memory) of the controller 230 until the authentication procedure is completed.

Specifically, the identification module 250 performs the authentication procedure and the identification information mapping operation for the M2M device 150 based on the device-specific information stored in advance through the communication with the controller 230. [ For example, the control unit 230 maps an IMSI (International Mobile Subscriber Identity) and an M2M device ID through communication with the identification module 250, and transmits an Integrated Circuit Card Identifier ICC ID) and a device ID.

This is because, if the data of the M2M device 150 is transmitted to the operation server of the provider via the M2M gateway by giving the identification information to the device to which the access right is granted according to the authentication procedure for the device connected to the gateway, To manage the M2M device directly.

After the authentication of the M2M device 150 is confirmed, the identification module 250 receives the M2M device data through the control unit 230 (S305). Based on the device ID, the UICC ID, the M2M device data, (Operation data, environment data, sensing data, etc.) or settlement related information received from the payment terminal into a single payload (S306).

The payload may further include a PAN ID assigned to the M2M device 150 in step S302 and an ICC ID and an IMSI mapped to the device ID in the authentication procedure in the previous step S304. The frame structure of the data packet to be used in the M2M communication according to the present invention will be described later with reference to FIG.

Next, the identification module 250 performs an encryption process on the entire data packet including the data collected from the device (S307).

For example, the encryption process can encrypt data using a predetermined encryption key using a public key infrastructure (PKI) used in provisioning of the identification module 250 have. In this case, the provider side can read the data packet received from the M2M gateway 200 using the decryption key corresponding to the encryption key of the PKI. Alternatively, the data can be encrypted using a hashing function that is used to convert the key value to the address of the storage location. Alternatively, the payment related information collected from the payment terminal can be securely processed using an authentication applet of a fixed key or public key type for performing authentication on the payment information.

The identification module 250 configures the encrypted data packet in a format conforming to the communication standard using the HTTPS protocol so as to be suitable for external data communication so that when the M2M device performs data communication with external communication equipment, (S308).

The data of the M2M device 150 formed with the security processing and the standard communication standard is transmitted to the control unit 230 through the steps S304 through S306 in the identification module 250. The control unit 230 transmits the data The processed M2M device data is stored (S309).

Thereafter, the controller 230 transmits the securely processed M2M device data stored in the memory 240 (S310) when an event (for example, a data transmission request of the remote operation server) is generated, And transmits the data to the server (S311).

In step S307, the M2M device data secured in the identification module 250 is transmitted to the controller 230 using the TCP / IP (Transmission Control Protocol / Internet Protocol) and is stored in the memory 240. [ Since the M2M device 150 is given an individual IP, the M2M device 150 can perform TCP / IP communication with an external communication device or a server.

4 is a diagram illustrating an example of a data packet structure generated in the M2M gateway according to the embodiment of the present invention.

4, a data packet 400 according to an exemplary embodiment of the present invention is divided into a header area 410 and a payload area 420. The payload area 420 includes data to be transmitted through a data packet And a BCC area 4230 including a block check code (BCC) for checking whether an error occurs in data transmission.

At this time, the data payload field 4210 may include identification information, frequency channel information, environment information, and the like for external communication of the M2M device, as described above with reference to FIG. 3, The encryption process of the data security processing is performed.

Referring again to FIG. 4, the data payload field 4210 includes an M2M area network device field A including information on devices using an M2M local network to be transmitted through the data packet, an M2M gateway field B ).

The M2M area network device field (A) includes the PAN ID and the network address information given from the M2M gateway when the M2M device requests to connect to the M2M gateway to access the M2M network. Specifically, it may include at least one of a frequency channel ID 4214, a destination PAN ID 4215, a destination address 4216, a source PAN ID 4217, a source address 4218 and a network ID 4219 have.

Here, the frequency channel ID and the PAN ID information used by the M2M device in the data communication are allocated to the M2M device in the M2M gateway as the M2M device is connected to the M2M gateway and the data communication is performed between the M2M gateway and the M2M gateway Information.

The M2M gateway field B may include at least one of the subscriber identification information (ICC ID) 4211, the subscriber identification information (IMSI) 4212, and the M2M device ID 4213 information of the mobile terminal. ICC ID and IMSI are information to be mapped to the corresponding M2M device ID while performing a predetermined authentication procedure for the M2M device in the M2M gateway.

Here, the frequency channel ID and the device ID included in the single data payload 4210 as shown in FIG. 4 are important clustering factors in short-range wireless RF communication (e.g., Zigbee). For example, if different frequency channel IDs are assigned to each device grouped by wireless RF communication, more networks can be formed, and a gateway of the second RF communication area, which is physically separated from the M2M gateway of the first RF communication area, Because the network of the same frequency as the M2M gateway of the first RF communication area can be used. That is, since device IDs and frequency channel IDs are mapped and assigned for each device connected to each gateway, it is possible to prevent communication collision for each device, You can manage it.

In this manner, the M2M gateway can form the data packet by putting the information 4211 to 4219 necessary for the external communication of the M2M device in the data payload 4210 based on the information table stored in the DB of the UICC which is the identification module. In addition, ICC ID, IMSI, and device ID can be provided at the time of data transmission to monitor illegal change of the probe terminal, UICC, MNO (Mobile Network Operator), and the like. In the identification module of the M2M gateway, , Network IDs, and routing table information, and can also monitor illegal changes in the M2M local network.

Referring again to FIG. 4, the generated data payload 4210 is transmitted to a data payload 4210 secured through a data encryption process using a PKI-based encryption key or a hashing function as described above with reference to FIG. 3 And generates the data packet 400 using the HTTPS protocol according to the communication standard. At this time, the M2M gateway can use the SCWS and the gateway of the identification module to generate a data packet according to the data encryption process and the communication standard as shown in FIG.

Meanwhile, the M2M gateway according to the embodiment of the present invention performs data communication with the M2M device, and can monitor the network status and the status of the M2M device, and perform the functions accordingly.

For example, the M2M gateway can monitor the battery power status in real time while monitoring the operation status of the M2M device. As a result of the monitoring, the M2M gateway transmits the remaining battery level information to the payload at the time of data packet transmission to the operator, and the operator can predict the sustainable operation time of the M2M device and remotely grasp the cause of the operation failure . If the power of the M2M device is driven not by the battery but by the constant power supply, it is possible to distinguish the power supply type by setting a specific code such as 0xFFFF.

In addition, the M2M gateway real-time monitors changes in environmental data in consideration of environmental factors such as high temperature, high pressure, and high humidity that can affect the device state when the M2M device is installed outside, Or monitoring results can be used to prevent pre-failure.

In addition to the M2M device's main function sensors, the M2M gateway uses a built-in temperature sensor, humidity sensor, pressure sensor, etc. to monitor the environmental condition of the device itself to remotely monitor whether the M2M device is operating within the operable range can do.

The status information (e.g., battery remaining amount, environment data, sensing data, etc.) of the M2M device monitored by the M2M gateway can be transmitted in the data payload area 4210 in the data packet 400 shown in FIG. 4 have. The status information of the M2M device (e.g., the remaining battery level, the environment, and the like) is stored in the payload area 4220 excluding the areas 4211 to 4219 containing information necessary for data communication of the M2M device in the data payload area 4210, Data, sensing data, etc.) can be loaded and transmitted to the business operation server.

The M2M gateway according to the embodiment of the present invention acts as a coordinator of the local network in order to interwork the M2M network and the M2M local network, encrypts the device data in order to link the M2M device to the M2M network, . In order to manage and maintain the integrity and confidentiality of each device in the M2M regional network, the M2M gateway also includes a frequency channel ID, a PAN ID, a network ID (ID) for the M2M local network in the identification module (e-UICC) , Device ID information, a routing table for routing the network path, and the like. If the setting information and the data of the M2M local network are encrypted based on the data stored in the identification module, even when a third party hack the M2M device and illegally access the M2M local network, the integrity of the M2M device can be checked by the M2M gateway, Security can be further enhanced.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments of the present invention are not intended to limit the scope of the present invention but to limit the scope of the present invention. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents thereof should be construed as being included in the scope of the present invention.

Claims (15)

1. A gateway apparatus for transferring data between two networks, the network apparatus being located between a Machine to Machine network and an MBMS area network,
A communication unit for performing data communication with an IMT device connected to the IMT network through a gateway;
A control unit for collecting data from the TMU device and performing monitoring and remote state management for the TMU device; and data collected from the TMU device includes identification information of the TMU device, operation state information, battery remaining amount information, sensing information, Environmental information and payment related information; And
And an identification module for performing an authentication procedure for the TMU device connected to the gateway through communication with the control unit and generating a predetermined data packet for storing data related to the TMU device in an encrypted form,
The identification module comprising:
Wherein at least one of the identification information of the TMU device, the identification information of the identification module, the frequency channel identification information, the subscriber identification information, and the data collected from the TMU device is contained in a single data packet and is encrypted. The method according to claim 1,
The identification module comprising:
A Smart Card Web Server (SCWS), a database, a database management system, and a predetermined interface port for providing a service in which the web server is installed in the identification module,
A network identification information, identification information on each of a plurality of TMT devices belonging to the IMT-area network, and a network ID, And at least one routing table for routing the route. 3. The method of claim 2,
The identification module comprising:
And performs an authentication procedure for the SSLM device connected to the gateway based on the database. The method of claim 3,
Wherein,
And gives a PAN ID for the TMU device connected to the gateway after confirming the network configuration through communication with the identification module. 3. The method of claim 2,
Wherein,
Derives subscriber identification information corresponding to the identification information of the TMU device through communication with the identification module, maps the identification information to the identification information of the TMU device, and stores the mapped information in the database. 3. The method of claim 2,
The identification module comprising:
(PAN) identification information, network identification information, frequency channel identification information, device identification information, subscriber identification information, and data collected from the MIT device on the basis of the database, Area, and encrypts it. The method according to any one of claims 1, 2, and 6,
The identification module comprising:
A method of encrypting the data payload area with a predetermined asymmetric key using a public key infrastructure (a public key infrastructure), and a method of encrypting using a hashing function used to convert a key value to an address of a storage location And a method of using an authentication applet of a fixed key or public key scheme for performing authentication of the settlement related information of the gateway device. The method according to claim 1,
The identification module comprising:
And generates the encrypted data packet as a data packet based on an HTTPS protocol according to a communication standard. delete The method according to claim 1,
The payment-
Card information used for offline / mobile settlement, payment amount information, and authentication information for settlement. The method according to claim 1,
Further comprising a non-volatile type memory for storing encrypted data packets in said identification module. 12. The method of claim 11,
Wherein,
And transmits the requested data from the memory when requesting data transmission from a remote operation server that performs TCP / IP communication with the Ethernet gateway, and transmits the requested data to the remote operation server through the communication unit. The method according to claim 1,
Further comprising a baseband communication modem for performing TCP / IP communication with a remote operation server via a mobile communication network. The method according to claim 1,
Wherein the data packet comprises:
Header area; And
And a second area including a first area in which data to be transmitted is encrypted and includes a block check code for checking whether an error occurs in data transmission, . 15. The method of claim 14,
Wherein the first region comprises:
A destination PAN ID, a source PAN ID, a source address, network identification information, identification information of the SMT device, subscriber identification information to be mapped to the SMT device, And data to be collected from the gateway.

Images