WO2016117211A1 - Wireless communication device, wireless communication method and program - Google Patents

Publication number
WO2016117211A1
Authority
WO
WIPO (PCT)
Prior art keywords
wireless communication
authentication
network
information
terminal
Application number
PCT/JP2015/081540
Other languages
French (fr)
Japanese (ja)
Inventor
大介 川上
鈴木 英之
伊東 克俊
Original Assignee
ソニー株式会社

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W84/10 Small scale networks; Flat hierarchical networks
    • H04W84/12 WLAN [Wireless Local Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices
    • H04W88/04 Terminal devices adapted for relaying to or from another terminal or user
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices
    • H04W88/06 Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/40 Security arrangements using identity modules
    • H04W12/43 Security arrangements using identity modules using shared identity modules, e.g. SIM sharing

Definitions

  • the present disclosure relates to a wireless communication device, a wireless communication method, and a program.
  • a terminal having a WWAN (Wireless Wide Area Network) communication function such as a smartphone and a mobile phone, can access the Internet via a mobile communication network even when the user is away from home.
  • a terminal that does not have a WWAN communication function is required to access the Internet by using another communication method such as a wireless LAN (WLAN).
  • Techniques are disclosed for enabling a communication terminal that indirectly communicates, via another communication terminal, with a service providing apparatus to seamlessly receive a service provided by the service providing apparatus.
  • the present disclosure proposes a new and improved wireless communication apparatus, wireless communication method, and program that can be more securely connected to a network.
  • a first wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the first network; a second wireless communication unit that performs wireless communication by connecting to the second network; and a control unit that receives, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performs authentication to the second network using the authentication information via the second wireless communication unit.
  • a third wireless communication unit that performs wireless communication by connecting to the first network; a fourth wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the second network; and a control unit that transmits network information of the second network to the authentication server via the third wireless communication unit, and transmits authentication information for authentication to the second network, generated using the network information in the authentication server, to the wireless terminal via the fourth wireless communication unit.
  • a third wireless communication unit that performs wireless communication by connecting to the first network; a fifth wireless communication unit that performs wireless communication by connecting to the second network; and a control unit that transmits network information of the second network to the authentication server via the third wireless communication unit, and performs authentication to the second network, using the authentication information generated in the authentication server, via the fifth wireless communication unit.
  • the first wireless communication unit performs wireless communication with a wireless terminal that performs wireless communication by connecting to the first network; the second wireless communication unit connects to the second network and performs wireless communication; authentication information generated by an authentication server using network information of the second network is received from the wireless terminal via the first wireless communication unit; and authentication to the second network is performed using the authentication information via the second wireless communication unit.
  • the third wireless communication unit connects to the first network to perform wireless communication; the fourth wireless communication unit performs wireless communication with a wireless terminal that connects to the second network to perform wireless communication; network information of the second network is transmitted to an authentication server via the third wireless communication unit; and authentication information for authentication to the second network, generated using the network information in the authentication server, is transmitted to the wireless terminal via the fourth wireless communication unit.
  • a wireless communication method is provided in which the third wireless communication unit connects to the first network to perform wireless communication; the fifth wireless communication unit connects to the second network to perform wireless communication; network information of the second network is transmitted to the authentication server via the third wireless communication unit; and authentication to the second network, using the authentication information generated in the authentication server, is performed via the fifth wireless communication unit.
  • a program is provided for causing a computer to function as: a first wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the first network; a second wireless communication unit that performs wireless communication by connecting to the second network; and a control unit that receives, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performs authentication to the second network using the authentication information via the second wireless communication unit.
  • a program for causing a computer to function as: a third wireless communication unit that performs wireless communication by connecting to the first network; a fourth wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the second network; and a control unit that transmits network information of the second network to the authentication server via the third wireless communication unit, and transmits authentication information for authentication to the second network, generated using the network information in the authentication server, to the wireless terminal via the fourth wireless communication unit.
  • the third wireless communication unit that connects the computer to the first network and performs wireless communication
  • the fifth wireless communication unit that connects to the second network and performs wireless communication
  • FIG. 1 is a diagram for describing an overview of a wireless communication system according to an embodiment of the present disclosure.
  • FIG. It is a block diagram which shows an example of a structure of the radio
  • a block diagram showing an example of the logical configuration of the WLAN terminal according to this embodiment.
  • FIG. 1 and FIG. 2 are diagrams for describing the outline
  • the wireless communication system 1 includes a wireless communication device 100.
  • the wireless communication system 1 includes a wireless communication device 100 and a wireless communication device 200.
  • the wireless communication device 100 is a wireless terminal capable of wireless communication with other devices.
  • the wireless communication device 100 is a notebook PC.
  • the wireless communication device 100 is a WLAN terminal that can be connected to a WLAN according to a communication method such as IEEE (Institute of Electrical and Electronics Engineers) 802.11a, 11b, 11g, 11n, 11ac, or 11ad.
  • the WLAN terminal 100 can connect to a wireless network 500 via a base station 510 and use a service provided by the service network 400.
  • the WLAN terminal 100 can form a wireless connection with the wireless communication device 200.
  • This wireless connection can be formed according to an arbitrary communication method such as Bluetooth (registered trademark) or NFC (Near field communication).
  • the WLAN terminal 100 can be connected to a WLAN whose network information is known, such as a WLAN that is operated at the user's home, for example, but is difficult to connect to a WLAN whose network information such as whereabouts is unknown.
  • the wireless communication device 100 may be realized as a PC, a tablet terminal, a PDA (Personal Digital Assistant), an HMD (Head Mounted Display), a headset, a digital camera, a digital video camera, a smartphone, a mobile phone terminal, a mobile phone, a music playback device, a portable video processing device, a portable game device, or the like.
  • the wireless communication device 200 is a wireless terminal capable of wireless communication with other devices.
  • the wireless communication device 200 is a smartphone.
  • the wireless communication apparatus 200 can form a wireless connection with the WLAN terminal 100, for example.
  • the wireless communication apparatus 200 is a WWAN terminal that has a WWAN communication function and can be connected to the WWAN.
  • the WWAN terminal 200 has subscriber identification information for connecting to a mobile communication network, performs authentication processing using the subscriber identification information, and can form a wireless connection with a wireless network 300 such as a mobile communication network.
  • the subscriber identification information is, for example, an IMSI (International Mobile Subscriber Identity) stored in a SIM card (Subscriber Identity Module Card).
  • the WWAN terminal 200 can use the service provided by the service network 400 by connecting to the wireless network 300 using the WWAN communication function.
  • the wireless communication device 200 may be realized not only as a smartphone but also as a notebook PC, PC, tablet terminal, PDA, HMD, headset, digital camera, digital video camera, mobile phone terminal, portable music player, portable video processing device, portable game device, or the like.
  • the wireless network 300 is a WWAN (first network) such as a mobile communication network.
  • the WWAN 300 is operated according to an arbitrary wireless communication system such as LTE (Long Term Evolution), LTE-A (LTE-Advanced), GSM (registered trademark), UMTS, W-CDMA, or CDMA2000.
  • the wireless communication device 200 located within the range of the cell operated by the base station 310 connects to the WWAN 300.
  • the service network 400 is a public network such as the Internet.
  • the WWAN terminal 200 can access the service network 400 via the WWAN 300.
  • examples of means for realizing access to the Internet while away from home include tethering by a terminal capable of WWAN communication or use of a public WLAN.
  • Tethering is a technology for connecting other communication terminals to the WWAN 300 via a terminal having a WWAN communication function such as a smartphone.
  • the WWAN terminal 200 can connect to the WWAN 300 and to the WLAN terminal 100, and can function as an access point that relays communication between the WWAN 300 and the WLAN terminal 100, thereby realizing tethering.
  • the WLAN terminal 100 can use the service provided by the service network 400.
  • Tethering can be used wherever the WWAN terminal 200 is located in an area where WWAN communication is possible. However, since it is necessary to perform terminal setting for tethering use in both the WWAN terminal 200 and the WLAN terminal 100, the convenience of the user is impaired. Further, during tethering, the power consumption of the WWAN terminal 200 functioning as an access point is large.
  • a public WLAN is a service that provides a connection to the Internet using a WLAN.
  • a wireless network 500 shown in FIG. 2 is a public network (second network) operated by a WLAN, for example.
  • the WLAN terminal 100 can connect to the WLAN 500 to access the service network 400 or further access the service network 400 via the WWAN 300. As a result, the WLAN terminal 100 can use the service provided by the service network 400.
  • a wireless terminal having a WWAN communication function such as a smartphone is an ANDSF (Access Network Discovery and Selection Function) proposed by 3GPP (Third Generation Partnership Project), or Wi-Fi CERTIFIED proposed by Wi-Fi Alliance.
  • If the WLAN terminal 100 is not compatible with Wi-Fi CERTIFIED Passpoint, it connects without confirming the safety of the WLAN 500, and may therefore connect to a WLAN 500 with a high security risk and suffer damage such as eavesdropping.
  • a wireless communication apparatus can easily and safely connect to a public WLAN and use the Internet.
  • a wireless communication system including the wireless communication apparatus according to an embodiment of the present disclosure will be described in detail with reference to FIGS.
  • FIG. 3 is a block diagram illustrating an example of a configuration of the wireless communication system 1 according to the present embodiment.
  • the wireless communication system 1 includes a WLAN terminal 100 and a WWAN terminal 200, and provides wireless connection to the WWAN 300, the WLAN 500, and the service network 400.
  • the WWAN 300 is operated by a base station 310, a gateway 320, a subscriber information server 330, an authentication server 340, and a network information providing server 350.
  • the base station 310 is a device that serves as a contact point when a wireless terminal having a WWAN communication function is connected to the WWAN 300.
  • the base station 310 accepts a connection from the WWAN terminal 200.
  • the base station 310 corresponds to an eNB.
  • the gateway 320 is a device that relays communication between the WWAN 300 and another network.
  • the gateway 320 relays communication between the WWAN 300 and the service network 400 and communication between the WWAN 300 and the WLAN 500.
  • the gateway 320 corresponds to a P-GW (Packet Data Network Gateway).
  • the subscriber information server 330 is a device that holds subscriber information for the WWAN 300.
  • the subscriber information server 330 also holds information used for authentication processing when a wireless terminal connects to the WWAN 300.
  • the subscriber information server 330 corresponds to an HSS (Home Subscriber Server).
  • the authentication server 340 is a device that authenticates that the connection to the WWAN 300 is a connection by a WWAN 300 subscriber.
  • the authentication server 340 can perform this authentication process with reference to the subscriber information server 330.
  • the authentication server 340 corresponds to an AAA (Authentication, Authorization and Accounting) server.
  • the authentication server 340 has a function of authenticating connection to the WLAN 500.
  • an authentication protocol using a certificate, such as EAP (Extensible Authentication Protocol)-TLS or EAP-TTLS, can be adopted as an authentication protocol for the WLAN 500.
  • the authentication server 340 issues an electronic certificate, an ID, a password, and the like, and performs an authentication process related to a terminal that connects to the WLAN 500.
  • an authentication protocol using subscriber identification information for the WWAN 300, such as EAP-AKA, EAP-SIM, or EAP-AKA', can be adopted. In that case, the authentication server 340 performs authentication processing with reference to the subscriber information server 330.
  • a terminal that has a WWAN communication function and can be connected to the WWAN 300 through authentication processing using subscriber identification information can be connected to the WLAN 500 through authentication processing using subscriber identification information.
  • IMS-AKA, a security token, a digital certificate (Credential, Certificate), a public key, or the like may be used as an authentication protocol for the WLAN 500.
  • the network information providing server 350 is a device that provides information on a connection destination wireless network, which is necessary when the connection destination is switched from the wireless network to which the wireless terminal is currently connected to another wireless network.
  • the network information providing server 350 can provide network information for connecting to the WLAN 500 to the WWAN terminal 200.
  • the network information providing server 350 corresponds to an ANDSF server.
  • the WLAN 500 is a public network operated by the base station 510.
  • the communication system of the public network is described as being WLAN, but may be operated according to any other communication system such as Bluetooth.
  • the base station 510 is a device that serves as a contact point when a wireless terminal having a WLAN communication function connects to the WLAN 500. For example, the base station 510 receives a connection from the WLAN terminal 100. When the communication method of the public network is WLAN, the base station 510 corresponds to an access point. Note that the base station 510 can support one or more authentication protocols.
  • FIG. 4 is a block diagram illustrating an example of a logical configuration of the WLAN terminal 100 according to the present embodiment. As illustrated in FIG. 4, the WLAN terminal 100 includes a wireless communication unit 110, a storage unit 120, and a control unit 130.
  • the wireless communication unit 110 is a communication module that transmits/receives data to/from an external device.
  • the wireless communication unit 110 can perform wireless communication using various communication methods.
  • the wireless communication unit 110 includes a WLAN module 112 and can perform wireless communication using Wi-Fi (registered trademark) or WLAN.
  • the wireless communication unit 110 includes a BT (Bluetooth) module 114 and can perform wireless communication using Bluetooth.
  • the wireless communication unit 110 includes an NFC module 116 and can perform wireless communication using NFC.
  • the wireless communication unit 110 can function as a first wireless communication unit that performs pairing and wireless communication with the WWAN terminal 200.
  • the wireless communication unit 110 performs pairing and wireless communication with the WWAN terminal 200 using a near field communication method such as NFC, Bluetooth, Bluetooth Low Energy, Wi-Fi Direct (registered trademark), or WLAN.
  • the wireless communication unit 110 may perform pairing and wireless communication with the WWAN terminal 200 using a short-range wireless communication method such as ZigBee (registered trademark) or IrDA (Infrared Data Association).
  • the wireless communication unit 110 can function as a second wireless communication unit that performs wireless communication by connecting to a public network.
  • the wireless communication unit 110 connects to the WLAN 500 using a wireless communication method such as WLAN.
  • the public network may support any wireless communication method other than WLAN, and in that case, the wireless communication unit 110 can connect to the public network using a wireless communication method according to the public network.
  • the wireless communication unit 110 may perform measurement processing such as measuring RSSI (Received Signal Strength Indicator) from the strength of the signal received from the WLAN 500.
  • the wireless communication unit 110 may perform wireless communication using the same communication method for wireless communication with the WWAN terminal 200 and wireless communication with the public network.
  • the wireless communication unit 110 may connect to the WLAN 500 while communicating with the WWAN terminal 200 using WLAN.
  • the storage unit 120 is a part that records and reproduces data on a predetermined recording medium.
  • the storage unit 120 may store information received from the WWAN terminal 200 by the wireless communication unit 110.
  • Control unit 130 functions as an arithmetic processing device and a control device, and controls the overall operation in the WLAN terminal 100 according to various programs.
  • the control unit 130 receives authentication information generated by the authentication server 340 using the network information of the WLAN 500 from the WWAN terminal 200 via the wireless communication unit 110, and performs authentication to the WLAN 500 using the authentication information via the wireless communication unit 110.
  • the WLAN terminal 100 can connect to the secure WLAN 500 by using the authentication information generated by the authentication server 340, and can avoid connection to a network with a high security risk such as the risk of eavesdropping. Thereby, even when the WLAN terminal 100 is not compatible with Wi-Fi CERTIFIED Passpoint, it is possible to obtain the same safety and connection convenience as the case where the WLAN terminal 100 is compatible.
  • the network information may include at least one of information obtained by probe processing, such as SSID of WLAN 500, channel information, RSSI information, and the like. Further, the network information may include information indicating an inquiry result using an ANQP (Access Network Query Protocol) such as a NAI (Network Access Identifier) related to an authentication method and a list of available service providers.
  • the authentication server 340 uses the network information received from the WWAN terminal 200 to generate authentication information.
  • the network information may be collected by the WLAN terminal 100 or may be collected by the WWAN terminal 200.
  • the WLAN terminal 100 or the WWAN terminal 200 located near the WLAN terminal 100 actually collects network information. For this reason, the WLAN terminal 100 can receive a connection service with higher accuracy in the usable area and the radio wave intensity as compared with the method using the ANDSF.
  • the control unit 130 collects network information via the wireless communication unit 110. Specifically, the control unit 130 acquires the network information of the WLAN 500 by transmitting a probe request when a beacon emitted from the base station 510 is received by the wireless communication unit 110. In addition, when the WLAN terminal 100 is compatible with Wi-Fi CERTIFIED Passpoint, the control unit 130 may make an inquiry about ANQP information to the WLAN 500 via the wireless communication unit 110. Then, the control unit 130 transmits the collected network information to the WWAN terminal 200 via the wireless communication unit 110.
  • the control unit 130 may perform authentication to one WLAN 500 selected from one or more WLANs 500. For example, the control unit 130 may select the connection-destination WLAN 500 based on RSSI information or channel information. In addition, the control unit 130 may select the connection-destination WLAN 500 based on device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500.
  • the device information can include, for example, a MAC address, a model name, and the like.
  • the information indicating the use can include, for example, information indicating an application executed in the WLAN terminal 100 and information indicating a service used by the WLAN terminal 100. Based on such information, the control unit 130 can select a more suitable connection destination.
  • This selection may be performed by a device other than the WLAN terminal 100 such as the authentication server 340, the base station 310, or the WWAN terminal 200.
  • information indicating a selection result such as which WLAN 500 should be a connection destination may be taken as authentication information.
  • the WLAN terminal 100 may transmit information for supporting selection of an appropriate connection destination by another device to the WWAN terminal 200 on the assumption that the WLAN terminal 100 and the WWAN terminal 200 are paired.
  • the control unit 130 may transmit at least one of the device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200 via the wireless communication unit 110.
  • Other devices can select an appropriate connection destination for the WLAN terminal 100 based on these pieces of information.
  • the control unit 130 may authenticate the WLAN 500 by an authentication process using an electronic certificate.
  • the control unit 130 authenticates the WLAN 500 by EAP authentication using an electronic certificate issued by the authentication server 340.
  • the authentication information includes an electronic certificate issued by the authentication server 340.
  • When EAP-TTLS is adopted as the authentication protocol, the authentication information includes an ID and password issued by the authentication server 340.
  • control unit 130 may authenticate the WLAN 500 by an authentication process using the subscriber identification information.
  • the control unit 130 authenticates the WLAN 500 by EAP authentication using subscriber identification information included in the WWAN terminal 200.
  • the control unit 130 receives authentication information based on the subscriber identification information from the WWAN terminal 200 by the wireless communication unit 110, and performs authentication to the WLAN 500 using the authentication information by the wireless communication unit 110.
  • the control unit 130 controls a relay process for relaying a message transmitted/received between the WWAN terminal 200 and the WLAN 500 for the authentication process performed by the WWAN terminal 200.
  • the control unit 130 transmits a message (first message) for authentication to the WLAN 500 received by the wireless communication unit 110 to the WWAN terminal 200 by the wireless communication unit 110.
  • This message is, for example, a message that requests generation of authentication information.
  • the control unit 130 transmits a message (second message), received by the wireless communication unit 110 from the WWAN terminal 200 and containing the authentication information generated by the WWAN terminal 200, via the wireless communication unit 110 to the base station 510 that operates the WLAN 500.
  • the WLAN terminal 100 can cause the WWAN terminal 200 to perform the authentication process to the WLAN 500 using EAP by proxy by the message relay process described above. For this reason, the WLAN terminal 100 can be easily connected to the WLAN 500 even when it does not have subscriber identification information.
  • the message relayed by the WLAN terminal 100 may be a message for authentication processing using EAP.
  • the first message may be EAP-Request/Identity and the second message may be EAP-Response/Identity.
  • the first message may be EAP-Request/AKA-Challenge and the second message may be EAP-Response/AKA-Challenge.
  • EAP-AKA is adopted as an example of an authentication protocol using subscriber identification information, but other authentication protocols in which subscriber information is used for authentication processing, such as EAP-SIM or EAP-AKA', may be employed.
  • When EAP authentication using an electronic certificate or subscriber identification information is adopted, authentication to the WLAN 500 is performed without requiring a user operation, which improves user convenience. Further, even when the WLAN terminal 100 continues the search after switching to the WLAN 500 and switches the connection destination network, the user's convenience is improved because no user operation is required.
  • the configuration example of the WLAN terminal 100 according to the present embodiment has been described above.
  • a configuration example of the WWAN terminal 200 according to the present embodiment will be described with reference to FIG.
  • FIG. 5 is a block diagram illustrating an example of a logical configuration of the WWAN terminal 200 according to the present embodiment.
  • the WWAN terminal 200 includes a wireless communication unit 210, a storage unit 220, a subscriber identification module 230, and a control unit 240.
  • the wireless communication unit 210 is a communication module that transmits/receives data to/from an external device.
  • the wireless communication unit 210 can perform wireless communication using various communication methods.
  • the wireless communication unit 210 includes a WWAN module 212 and can perform wireless communication using the WWAN 300.
  • the wireless communication unit 210 includes a WLAN module 214 and can perform wireless communication using Wi-Fi or WLAN.
  • the wireless communication unit 210 includes a BT module 216 and can perform wireless communication using Bluetooth.
  • the wireless communication unit 210 includes an NFC module 218 and can perform wireless communication using NFC.
  • the wireless communication unit 210 can function as a fourth wireless communication unit that performs pairing and wireless communication with the WLAN terminal 100.
  • the wireless communication unit 210 performs pairing and wireless communication with the WLAN terminal 100 using a short-range wireless communication method such as NFC, Bluetooth, Bluetooth Low Energy, Wi-Fi Direct, or WLAN.
  • the wireless communication unit 210 may perform pairing and wireless communication with the WLAN terminal 100 using a short-range wireless communication method such as ZigBee or IrDA (Infrared Data Association).
  • the wireless communication unit 210 can function as a third wireless communication unit that performs wireless communication by connecting to the WWAN 300 using the WWAN module 212.
  • the wireless communication unit 210 communicates with the authentication server 340 via the WWAN module 212.
  • the wireless communication unit 210 can function as a fifth wireless communication unit that performs wireless communication by connecting to the WLAN 500 using the WLAN module 214.
  • the wireless communication unit 210 communicates with the base station 510 via the WLAN module 214.
  • the storage unit 220 is a part that records and reproduces data on a predetermined recording medium.
  • the storage unit 220 may store information received from the WWAN 300 by the wireless communication unit 210.
  • the storage unit 220 may store device information of the WLAN terminal 100 with which pairing has been established, capability information, or information indicating the purpose of wireless communication with the WLAN 500.
  • the subscriber identification module 230 has a function as a storage unit that stores subscriber identification information for the WWAN 300.
  • the subscriber identification module 230 is realized by a SIM card.
  • Control unit 240 functions as an arithmetic processing unit and a control unit, and controls the overall operation within the WWAN terminal 200 according to various programs.
  • the control unit 240 has a function of transmitting the network information of the WLAN 500 to the authentication server 340 via the wireless communication unit 210.
  • the control unit 240 has a function of transmitting authentication information for authentication to the WLAN 500 generated using the network information in the authentication server 340 to the WLAN terminal 100 via the wireless communication unit 210. That is, the WWAN terminal 200 relays transmission of authentication information from the authentication server 340 to the WLAN terminal 100.
  • the WLAN terminal 100 can successfully authenticate to the WLAN 500 even under circumstances where it is difficult for the WLAN terminal 100 to acquire authentication information from the authentication server 340 by itself, such as when the WLAN terminal 100 does not have a WWAN communication function.
  • the network information may be collected by the WLAN terminal 100 or may be collected by the WWAN terminal 200.
  • the wireless communication unit 210 receives network information from the WLAN terminal 100.
  • the control unit 240 collects network information via the wireless communication unit 210. Specifically, the control unit 240 acquires the network information of the WLAN 500 by transmitting a probe request when a beacon emitted from the base station 510 is received by the wireless communication unit 210.
  • the control unit 240 may make an inquiry about ANQP information to the WLAN 500 via the wireless communication unit 210.
  • the control unit 240 may select the WLAN 500 to which the WLAN terminal 100 should connect from one or more WLANs 500. In that case, the control unit 240 may transmit authentication information for authentication to one WLAN 500 selected from one or more WLANs 500 to the WLAN terminal 100 via the wireless communication unit 210. For example, the control unit 240 may select the WLAN 500 to be connected to the WLAN terminal 100 based on RSSI information, channel information, device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500. The control unit 240 may control the wireless communication unit 210 to transfer the device information or capability information of the WLAN terminal 100 received from the WLAN terminal 100, or information indicating the purpose of wireless communication with the WLAN 500, to the authentication server 340.
  • the control unit 240 may support authentication using an electronic certificate by the WLAN terminal 100.
  • the control unit 240 controls the wireless communication unit 210 to receive the electronic certificate or ID and password issued by the authentication server 340 from the authentication server 340 and transmit them to the WLAN terminal 100.
  • control unit 240 may support authentication using the subscriber identification information by the WLAN terminal 100.
  • the control unit 240 generates authentication information based on the subscriber identification information stored in the subscriber identification module 230, and transmits the authentication information to the WLAN terminal 100 by the wireless communication unit 210.
  • the control unit 240 performs an authentication process based on a message relayed by the WLAN terminal 100.
  • the control unit 240 performs authentication processing based on a message (first message) for the WLAN terminal 100 to authenticate to the WLAN 500 received from the WLAN terminal 100 by the wireless communication unit 210 and generates authentication information.
  • This message is, for example, a message that requests generation of authentication information.
  • the control unit 240 transmits a message (second message) including the generated authentication information to the WLAN terminal 100 by the wireless communication unit 210.
  • the control unit 240 may perform authentication processing using EAP based on a message relayed by the WLAN terminal 100 to generate authentication information. As described above, the control unit 240 may perform authentication processing using any authentication protocol that uses subscriber information for authentication processing, such as EAP-AKA, EAP-SIM, or EAP-AKA'. By receiving the messages relayed by the WLAN terminal 100, the control unit 240 can perform the authentication process for the WLAN 500 using EAP on behalf of the WLAN terminal 100. For this reason, the WWAN terminal 200 can enable the WLAN terminal 100 to connect easily to the WLAN 500 even when the WLAN terminal 100 does not have subscriber identification information. In addition, since the WWAN terminal 200 does not directly transmit subscriber identification information or the like to the WLAN terminal 100, security can be ensured.
  • FIG. 6 is a block diagram illustrating an example of a logical configuration of the authentication server 340 according to the present embodiment.
  • the authentication server 340 includes a communication unit 341, a storage unit 342, and a control unit 343.
  • the communication unit 341 is a communication module that transmits / receives data to / from an external device.
  • the communication unit 341 can perform wireless communication using various wired / wireless communication methods.
  • the communication unit 341 according to the present embodiment communicates, either directly or indirectly via an arbitrary communication node, with the WWAN terminal 200 that connects to the WWAN 300 and performs wireless communication, and with the WLAN terminal 100 that connects to the WLAN 500 and performs wireless communication.
  • the communication unit 341 receives network information from the WWAN terminal 200 and transmits authentication information to the WWAN terminal 200.
  • the storage unit 342 is a part that records and reproduces data on a predetermined recording medium.
  • the storage unit 342 stores information received from the WLAN terminal 100 or the WWAN terminal 200 by the communication unit 341.
  • Control unit 343 functions as an arithmetic processing device and a control device, and controls the overall operation in the authentication server 340 according to various programs.
  • the control unit 343 generates authentication information based on the received network information. For example, when EAP-TLS is included in the NAI included in the network information, the control unit 343 issues an electronic certificate. For example, when EAP-TTLS is included in the NAI included in the network information, the control unit 343 issues an ID and a password.
  • the control unit 343 may select the WLAN 500 to be connected to the WLAN terminal 100 based on RSSI information, channel information, device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500.
  • the control unit 343 generates information indicating the contents issued or selected as authentication information.
  • control unit 343 may issue an electronic certificate for the base station 510.
  • the control unit 343 transmits the generated electronic certificate to the base station 510 via the communication unit 341. Thereby, authentication using the electronic certificate in the base station 510 becomes possible.
  • the configuration example of the authentication server 340 according to this embodiment has been described above. Subsequently, an operation process performed by the wireless communication system 1 according to the present embodiment will be described with reference to FIGS.
  • FIG. 7 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 7, the authentication server 340, the base station 310, the WWAN terminal 200, the WLAN terminal 100, and the base station 510 are involved in this sequence.
  • the WLAN terminal 100 and the WWAN terminal 200 establish pairing.
  • the WLAN terminal 100 and the WWAN terminal 200 establish a communication path using Bluetooth, Wi-Fi Direct, NFC, or the like.
  • the WLAN terminal 100 may transmit device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200.
  • In step S104, the WWAN terminal 200 collects network information of the WLAN 500.
  • the WWAN terminal 200 makes an inquiry about probe processing or ANQP information.
  • the WWAN terminal 200 acquires network information from the base station 510 in step S106.
  • In step S108, the WWAN terminal 200 transmits network information to the authentication server 340 via the base station 310.
  • the authentication server 340 generates authentication information. For example, when EAP-TLS is included in the NAI included in the network information, the authentication server 340 issues an electronic certificate. For example, when EAP-TTLS is included in the NAI included in the network information, the authentication server 340 issues an ID and a password. Further, the authentication server 340 may select the WLAN 500 to which the WLAN terminal 100 is connected based on at least one of channel information and RSSI information. The authentication server 340 generates information indicating these issuance and selected contents as authentication information.
  • In step S112, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 310.
  • In step S114, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 to the WLAN terminal 100.
  • In step S116, the WLAN terminal 100 performs authentication processing with the base station 510 using the authentication information received from the WWAN terminal 200.
  • the WLAN terminal 100 performs an EAP-TLS authentication process using an electronic certificate or an EAP-TTLS authentication process using an ID and a password.
  • the WLAN terminal 100 uses the service network 400 via the base station 510.
  • Examples of services that can be used include IMS services such as Voice over Wi-Fi and Video over Wi-Fi.
  • FIG. 8 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 8, the authentication server 340, the base station 310, the WWAN terminal 200, the WLAN terminal 100, and the base station 510 are involved in this sequence. This sequence is as described above with reference to FIG. 7 except for steps S110 and S117.
  • In step S110, the authentication server 340 generates authentication information. For example, when EAP-SIM, EAP-AKA, or EAP-AKA' is included in the NAI included in the network information, the authentication server 340 may omit issuing an electronic certificate or ID and password. For example, the authentication server 340 selects the WLAN 500 to which the WLAN terminal 100 should be connected based on at least one of channel information and RSSI information. And the authentication server 340 produces
  • In step S117, the WLAN terminal 100 performs an authentication process to the WLAN 500 using the subscriber identification information of the WWAN terminal 200. Since communication paths such as Bluetooth, Wi-Fi Direct, NFC, etc. have already been established between the WLAN terminal 100 and the WWAN terminal 200 in step S102, messages for EAP authentication processing can be transmitted and received using this communication path. The detailed contents of the EAP authentication process using the subscriber identification information of the WWAN terminal 200 will be described below with reference to FIGS.
  • FIGS. 9 and 10 are sequence diagrams showing an example of the flow of EAP authentication processing executed in the wireless communication system 1 according to the present embodiment.
  • the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, the authentication server 340, and the subscriber information server 330 are involved in this sequence.
  • communication modules used for message exchange are described with the term “module” omitted.
  • a message having a WLAN (Wi-Fi) module 112 as a starting point or an ending point indicates that the WLAN module 112 transmits and receives.
  • a communication path is established between the WLAN terminal 100 and the WWAN terminal 200, and a message for EAP authentication processing is transmitted / received using this communication path.
  • a wireless connection using Bluetooth is established between the WLAN terminal 100 and the WWAN terminal 200.
  • the wireless connection may be established by any communication method other than Bluetooth, such as Wi-Fi Direct.
  • In step S202, the WLAN terminal 100 performs association to the base station 510.
  • the WLAN terminal 100 establishes a logical connection for authentication processing by association.
  • the WLAN terminal 100 cannot perform data communication other than authentication processing, for example.
  • In step S204, the WLAN terminal 100 transmits EAPoL-Start to the base station 510.
  • In step S206, the base station 510 transmits EAP-Request / Identity to the WLAN terminal 100.
  • In step S208, the WLAN terminal 100 transmits the EAP-Request / Identity received in step S206 to the WWAN terminal 200.
  • This message is a message requesting the WWAN terminal 200 to generate an Identity required for EAP-AKA.
  • the WWAN terminal 200 refers to the subscriber identification module 230 that the WWAN terminal 200 has and generates an Identity.
  • the control unit 240 generates Identity based on information recorded on a SIM card that is the subscriber identification module 230.
  • when the authentication protocol is EAP-AKA, Identity is generated based on IMSI.
  • the IMSI format is as follows. <MCC: 3 digits><MNC: 2 or 3 digits><MSIN: Maximum 10 digits>
  • MCC: Mobile Country Code
  • MNC: Mobile Network Code
  • MSIN: Mobile Subscriber Identification Number
  • In step S212, the WWAN terminal 200 returns EAP-Response / Identity to the WLAN terminal 100. This message stores the Identity generated in step S210.
  • In step S214, the WLAN terminal 100 transfers the received EAP-Response / Identity to the base station 510.
  • In step S216, the base station 510 transmits RADIUS-Access-Request to the authentication server 340.
  • the Identity generated by the WWAN terminal 200 is stored.
  • the authentication server 340 transmits a Retrieval-Authentication-Vector to the subscriber information server 330, and requests an authentication vector for Identity.
  • the Identity generated by the WWAN terminal 200 is stored.
  • An authentication vector is a set of information required for authenticating a connected terminal. In the case of EAP-AKA, the authentication vector includes the following information.
  • RAND: Random value. Used as a challenge.
  • AUTN: A value for the terminal to authenticate the network.
  • XRES: Expected response value for the challenge.
  • IK: Message integrity verification key.
  • CK: Key for message encryption.
  • In step S220, the subscriber information server 330 executes the AKA algorithm and generates an authentication vector corresponding to the Identity stored in the received message.
  • In step S222, the subscriber information server 330 transmits the generated authentication vector to the authentication server 340.
  • In step S224, the authentication server 340 transmits RADIUS-Access-Challenge to the base station 510.
  • the authentication vector generated by the subscriber information server 330 is stored.
  • the authentication server 340 newly calculates a MAC (Message Authentication Code) and adds it to the message. This MAC is used by the WLAN terminal 100 to verify the integrity of this message.
  • MAC Message Authentication Code
  • In step S226, the base station 510 transmits EAP-Request / AKA-Challenge to the WLAN terminal 100.
  • This message includes authentication vectors RAND and AUTN, and MAC.
  • the authentication vectors XRES, IK, and CK are held by the base station 510 and are not transmitted to the WLAN terminal 100.
  • This message is a message requesting the WWAN terminal 200 to generate a response value (RES) and a session key (IK, CK).
  • In step S230, the WWAN terminal 200 executes the AKA algorithm and generates the RES, MAC, and session key (IK, CK) corresponding to the received EAP-Request / AKA-Challenge.
  • In step S232, the WWAN terminal 200 transmits EAP-Response / AKA-Challenge to the WLAN terminal 100.
  • the RES, MAC, and session key generated by the WWAN terminal 200 are stored.
  • In step S234, the WLAN terminal 100 transfers the received EAP-Response / AKA-Challenge to the base station 510.
  • In step S236, the base station 510 transmits RADIUS-Access-Request to the authentication server 340.
  • This message stores the RES, MAC, and session keys (IK, CK) generated by the WWAN terminal 200.
  • In step S238, the authentication server 340 verifies the received RES. Specifically, the authentication server 340 verifies that the RES generated by the WWAN terminal 200 matches the XRES generated by the subscriber information server 330, and verifies the integrity of the message using the MAC.
  • In step S240, the authentication server 340 transmits RADIUS-Access-Accept to the base station 510. This message indicates that the connection is permitted.
  • In step S242, the base station 510 transmits EAP-Success to the WLAN terminal 100. This message indicates that the authentication process has been successful for the WLAN terminal 100.
  • In step S244, the base station 510 transmits EAPoL-Key to the WLAN terminal 100. This message is used to send a key for encrypted communication used between the WLAN terminal 100 and the base station 510.
  • In step S246, the connection for WLAN communication is completed between the WLAN terminal 100 and the base station 510. Thereby, for example, data communication using Wi-Fi is started between the WLAN terminal 100 and the base station 510.
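The relayed EAP-AKA exchange of FIGS. 9 and 10, as an added Python example that is not part of the patent text. Assumptions: HMAC-SHA256 stands in for the operator's AKA functions, AUTN is reduced to SQN || MAC-A, the message-level MAC is left out, the Identity string follows the 3GPP TS 23.003 convention, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os
from collections import namedtuple

AuthVector = namedtuple("AuthVector", "rand autn xres ik ck")


def aka_f(k, label, *parts):
    """Stand-in for AKA f1..f4 (HMAC-SHA256 here, NOT MILENAGE)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:16]


def build_identity(imsi, mnc_len):
    """EAP-AKA permanent identity per 3GPP TS 23.003: '0' + IMSI + realm.
    The MNC length (2 or 3) cannot be read off the IMSI; the caller supplies it."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15 and mnc_len in (2, 3)):
        raise ValueError("malformed IMSI or MNC length")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len].zfill(3)
    return f"0{imsi}@wlan.mnc{mnc}.mcc{mcc}.3gppnetwork.org"


class SubscriberInfoServer:  # subscriber information server 330
    def __init__(self, keys):
        self.keys, self.sqn = dict(keys), {imsi: 0 for imsi in keys}

    def vector(self, identity):  # S220: build the authentication vector
        imsi = identity[1:].split("@")[0]
        k = self.keys[imsi]
        self.sqn[imsi] += 1
        sqn, rand = self.sqn[imsi].to_bytes(6, "big"), os.urandom(16)
        autn = sqn + aka_f(k, b"f1", rand, sqn)[:8]  # simplified: SQN || MAC-A
        return AuthVector(rand, autn, aka_f(k, b"f2", rand),
                          aka_f(k, b"f4", rand), aka_f(k, b"f3", rand))


class WwanTerminal:  # WWAN terminal 200; k stands for the SIM secret (module 230)
    def __init__(self, imsi, mnc_len, k):
        self._imsi, self._mnc_len, self._k, self._last_sqn = imsi, mnc_len, k, 0

    def on_identity_request(self):  # S210, S212
        return build_identity(self._imsi, self._mnc_len)

    def on_aka_challenge(self, rand, autn):  # S230, S232
        sqn, mac_a = autn[:6], autn[6:]
        if not hmac.compare_digest(mac_a, aka_f(self._k, b"f1", rand, sqn)[:8]):
            raise PermissionError("AUTN invalid: challenge not from the home network")
        if int.from_bytes(sqn, "big") <= self._last_sqn:
            raise PermissionError("stale SQN: replayed challenge")
        self._last_sqn = int.from_bytes(sqn, "big")
        return {"res": aka_f(self._k, b"f2", rand),
                "ik": aka_f(self._k, b"f4", rand), "ck": aka_f(self._k, b"f3", rand)}


class WlanTerminal:  # WLAN terminal 100: no SIM, relays over the pairing link
    def __init__(self, peer):
        self.peer, self.seen = peer, []  # seen = every byte string the relay handled

    def relay_identity(self):  # S208, S214
        identity = self.peer.on_identity_request()
        self.seen.append(identity.encode())
        return identity

    def relay_challenge(self, rand, autn):  # S226 in, S234 out
        resp = self.peer.on_aka_challenge(rand, autn)
        self.seen += [rand, autn, *resp.values()]
        return resp


def authenticate(hss, wlan, tamper=False, replayed=None):
    """One run of the FIG. 9/10 flow; returns (accepted, vector issued)."""
    av = hss.vector(wlan.relay_identity())
    rand, autn = (replayed.rand, replayed.autn) if replayed else (av.rand, av.autn)
    if tamper:  # flip one bit of RAND in transit
        rand = bytes([rand[0] ^ 1]) + rand[1:]
    try:
        resp = wlan.relay_challenge(rand, autn)
    except PermissionError:
        return False, av
    return hmac.compare_digest(resp["res"], av.xres), av  # server 340: RES == XRES


def demo():
    k = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key
    imsi = "001010123456789"  # constructed IMSI in test PLMN 001/01
    hss = SubscriberInfoServer({imsi: k})
    wlan = WlanTerminal(WwanTerminal(imsi, 2, k))
    ok, av = authenticate(hss, wlan)
    k_exposed = any(k in m for m in wlan.seen)
    tampered, _ = authenticate(hss, wlan, tamper=True)
    replay, _ = authenticate(hss, wlan, replayed=av)
    return ok, k_exposed, tampered, replay


if __name__ == "__main__":
    print(demo())
```

The relay handles the IMSI-derived Identity and the session keys, but never the long-term key; a modified RAND or a replayed challenge is rejected inside the WWAN terminal before any RES is produced.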
  • FIG. 11 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 11, the authentication server 340, the base station 310, the WWAN terminal 200, the WLAN terminal 100, and the base station 510 are involved in this sequence.
  • In step S302, the WLAN terminal 100 and the WWAN terminal 200 perform tethering.
  • the WWAN terminal 200 functions as a tethering access point.
  • the WLAN terminal 100 connects to the WWAN terminal 200 as a WLAN client and uses the service network 400 via the base station 310.
  • the WLAN terminal 100 and the WWAN terminal 200 have established pairing.
  • the WLAN terminal 100 may transmit device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200.
  • In step S304, the WWAN terminal 200 requests the WLAN terminal 100 to collect network information.
  • the WLAN terminal 100 collects network information of the WLAN 500 in step S306.
  • the process here is the same as in step S104.
  • the WLAN terminal 100 acquires network information from the base station 510 in step S308.
  • In step S310, the WLAN terminal 100 transfers the acquired network information to the WWAN terminal 200.
  • In step S312, the WWAN terminal 200 transmits network information to the authentication server 340 via the base station 310.
  • In step S314, the authentication server 340 generates authentication information.
  • the processing here is as described above with reference to FIG. 7 or FIG.
  • In step S316, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 310.
  • In step S318, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 to the WLAN terminal 100.
  • In step S320, the WLAN terminal 100 performs authentication processing with the base station 510 using the authentication information received from the WWAN terminal 200.
  • the processing here is as described above with reference to FIG. 7 or FIG.
  • the first embodiment has been described above.
  • FIG. 12 is a diagram for explaining the outline of the wireless communication system 1 according to the present embodiment.
  • the wireless communication system 1 includes a WWAN terminal 200.
  • the WWAN terminal 200 itself connects to the WLAN 500 using the authentication information generated in the authentication server 340.
  • Each device included in the wireless communication system 1 according to the present embodiment has the same function as that of the first embodiment.
  • the WWAN terminal 200 has the function that the WLAN terminal 100 has in the first embodiment.
  • functions characteristic of the WWAN terminal 200 according to the present embodiment will be described.
  • the control unit 240 transmits the network information of the WLAN 500 to the authentication server 340 via the wireless communication unit 210, and performs authentication to the WLAN 500 using the authentication information generated in the authentication server 340 via the wireless communication unit 210.
  • the control unit 240 acquires network information via the wireless communication unit 210.
  • the control unit 240 transmits the acquired network information to the authentication server 340 via the base station 310, and acquires authentication information generated based on the network information by the authentication server 340.
  • the control unit 240 connects to the WLAN 500 using the acquired authentication information.
  • the control unit 240 may perform authentication processing using an electronic certificate, or may perform authentication processing using subscriber identification information that the control unit 240 has.
  • the WWAN terminal 200 can be connected to the secure WLAN 500 and can avoid connection to a network with a high security risk such as the risk of eavesdropping. Thereby, even when the WWAN terminal 200 does not support Wi-Fi CERTIFIED Passpoint, it is possible to obtain the same safety and connection convenience as the case where the WWAN terminal 200 is compatible.
  • control unit 240 may transmit at least one of device information of the WWAN terminal 200, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the authentication server 340 via the wireless communication unit 210.
  • devices other than the WWAN terminal 200 such as the authentication server 340 can select an appropriate connection destination for the WWAN terminal 200 based on these pieces of information.
  • FIG. 13 is a sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 13, the authentication server 340, the base station 310, the WWAN terminal 200, and the base station 510 are involved in this sequence.
  • In step S402, the WWAN terminal 200 collects network information of the WLAN 500.
  • the WWAN terminal 200 makes an inquiry about probe processing or ANQP information.
  • the WWAN terminal 200 acquires network information from the base station 510 in step S404.
  • In step S406, the WWAN terminal 200 transmits network information to the authentication server 340 via the base station 310.
  • the authentication server 340 generates authentication information. For example, when EAP-TLS is included in the NAI included in the network information, the authentication server 340 issues an electronic certificate. For example, when EAP-TTLS is included in the NAI included in the network information, the authentication server 340 issues an ID and a password. For example, when EAP-SIM, EAP-AKA, or EAP-AKA' is included in the NAI included in the network information, the authentication server 340 may omit issuing an electronic certificate or ID and password. Further, the authentication server 340 may select the WLAN 500 to which the WWAN terminal 200 should be connected based on at least one of the channel information and the RSSI information. The authentication server 340 generates information indicating these issuance and selected contents as authentication information.
  • In step S410, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 310.
  • the WWAN terminal 200 performs an authentication process with the base station 510 using the received authentication information.
  • the WWAN terminal 200 may perform an EAP-TLS authentication process using an electronic certificate or an EAP-TTLS authentication process using an ID and a password.
  • the WWAN terminal 200 may perform authentication processing of the EAP-AKA, EAP-SIM, or EAP-AKA' method using the subscriber identification information stored in the subscriber identification module 230.
  • FIG. 14 is a diagram for explaining the outline of the wireless communication system 1 according to the present embodiment.
  • the wireless communication system 1 includes a WLAN terminal 100 and a WWAN terminal 200.
  • the WWAN terminal 200 is already connected to the WLAN 500 and can use the service provided by the service network 400.
  • the WWAN terminal 200 acquires authentication information for authenticating the WLAN 500 by the WLAN terminal 100 via the base station 510 and transmits it to the WLAN terminal 100.
  • the WLAN terminal 100 can be connected to the secure WLAN 500.
  • Each device included in the wireless communication system 1 according to the present embodiment has the same function as that of the first embodiment.
  • functions characteristic of the present embodiment will be described.
  • control unit 240 of the WWAN terminal 200 transmits a message requesting generation of authentication information to the base station 510 via the wireless communication unit 210.
  • This message may include at least one of device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500.
  • the authentication server 340 generates authentication information based on the message received from the base station 510.
  • the WWAN terminal 200 has already been connected to the WLAN 500. Therefore, the authentication server 340 may use network information of the WWAN terminal 200 (authentication method, channel information, RSSI information, connection time, etc.).
  • the authentication server 340 may use device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500 included in the message. As described above, the authentication server 340 can generate authentication information by using that the WWAN terminal 200 has already been connected to the WLAN 500.
  • the outline of the wireless communication system 1 according to the present embodiment has been described above. Subsequently, with reference to FIG. 15, an operation process performed by the wireless communication system 1 according to the present embodiment will be described.
  • FIG. 15 is a sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 15, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence.
  • In step S502, the WWAN terminal 200 establishes a connection with the base station 510.
  • the WWAN terminal 200 may establish a connection by the method described above in the second embodiment, or may establish a connection by any other method.
  • In step S504, the WLAN terminal 100 and the WWAN terminal 200 establish pairing.
  • the WLAN terminal 100 may transmit device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200.
  • In step S506, the WWAN terminal 200 transmits a message requesting generation of authentication information to the authentication server 340 via the base station 510.
  • the authentication server 340 generates authentication information. For example, when EAP-TLS is included in the authentication method used by the WWAN terminal 200, the authentication server 340 issues an electronic certificate. For example, when EAP-TTLS is included in the authentication method used by the WWAN terminal 200, the authentication server 340 issues an ID and a password. Here, the authentication server 340 may issue an electronic certificate or an ID and password that can identify the WLAN terminal 100 using the device information of the WLAN terminal 100 or the like. For example, when the authentication method used by the WWAN terminal 200 includes EAP-SIM, EAP-AKA, or EAP-AKA', the authentication server 340 may omit issuing an electronic certificate or ID and password. Further, the authentication server 340 may select the WLAN 500 to which the WLAN terminal 100 should be connected based on at least one of the channel information or RSSI information of the WWAN terminal 200. The authentication server 340 generates information indicating these issuance and selected contents as authentication information.
  • In step S510, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 510.
  • In step S512, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 to the WLAN terminal 100.
  • In step S514, the WLAN terminal 100 performs authentication processing with the base station 510 using the authentication information received from the WWAN terminal 200.
  • the processing here is as described above with reference to FIG. 7 or FIG.
  • the third embodiment has been described above.
  • authentication information using device information is generated in the authentication server 340.
  • authentication information is acquired in stages.
  • Each device included in the wireless communication system 1 according to the present embodiment has the same function as that of the first embodiment.
  • functions characteristic of the present embodiment will be described.
  • the control unit 130 of the WLAN terminal 100 performs authentication to the WLAN 500 using the authentication information generated by the authentication server 340 using the device information of at least one of the WLAN terminal 100 or the WWAN terminal 200.
  • the device information includes, for example, the MAC address and BD address of the WLAN terminal 100, the MSISDN (Mobile Subscriber Integrated Services Digital Network Number) of the WWAN terminal 200, and the like.
  • the authentication server 340 can generate authentication information for a specific terminal based on the device information.
  • the control unit 130 of the WLAN terminal 100 authenticates to the WLAN 500 using another part of the authentication information acquired using the communication path formed after the authentication using a part of the authentication information.
  • the WLAN terminal 100 can increase the confidentiality of another part of the authentication information by using a communication path formed after authentication using a part of the authentication information. It is desirable that a part of the authentication information is information with a small amount of data such as a one-time password. This is to reduce the amount of data transmitted from the WWAN terminal 200 to the WLAN terminal 100 by Bluetooth or NFC.
  • FIG. 16 is a sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment.
  • the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence.
  • the “authentication process” in each of the above embodiments is expressed in more detail by dividing it into a “connection authentication process” and a “service authentication process”.
  • In step S602, the WLAN terminal 100 and the WWAN terminal 200 establish pairing. After the pairing is established, the WLAN terminal 100 may transmit the device information of the WLAN terminal 100 to the WWAN terminal 200.
  • the WWAN terminal 200 transmits an authentication information request message for requesting authentication information to the authentication server 340.
  • the WWAN terminal 200 authenticates with the authentication server 340 using EAP-AKA or the like, establishes an IP connection with the base station 510, and transmits an authentication information request message to the authentication server 340.
  • This authentication information request message may include at least one of the MAC address of the WLAN terminal 100, the BD address, or the MSISDN of the WWAN terminal 200. Further, the authentication information request message may include network information.
  • the authentication information request message may be transmitted to the authentication server 340 via the base station 510, or may be transmitted to the authentication server 340 via the base station 310.
  • the authentication server 340 generates authentication information using the device information received in step S604.
  • the authentication server 340 may generate an IMPI (IP Multimedia Private Identity), an IMPU (IP Multimedia Public Identity), and a password as authentication information for an IMS (IP Multimedia Subsystem) service.
  • The authentication server 340 may generate a terminal identifier, a certificate, a one-time password used to access the authentication server 340, and the like as authentication information for connection authentication with an ePDG (Evolved Packet Data Gateway).
  • the authentication server 340 may generate a certificate for encryption such as IPsec (Security Architecture for Internet Protocol) in addition to a certificate for EAP authentication such as EAP-TLS as a certificate.
  • the certificate for encryption such as IPsec may be originally included in the wireless terminal (WLAN terminal 100 or WWAN terminal 200).
  • the ePDG is a gateway to which a wireless terminal connects when a non-3GPP wireless access (Untrusted Non-3GPP IP Access) with low security such as a public WLAN is accommodated.
  • In step S608, the authentication server 340 transmits authentication information to the WWAN terminal 200.
  • The authentication information transmitted at this time is a part of the authentication information generated in step S606.
  • The authentication server 340 transmits a one-time password and a certificate.
  • The authentication information may be transmitted to the WWAN terminal 200 via the base station 510, or may be transmitted to the WWAN terminal 200 via the base station 310.
  • In step S610, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 in the above step S608 to the WLAN terminal 100.
  • the WLAN terminal 100 transmits an additional authentication information request message for requesting additional authentication information to the authentication server 340 using the authentication information received from the WWAN terminal 200 in step S610.
  • the WLAN terminal 100 connects to the authentication server 340 using a one-time password.
  • the WLAN terminal 100 establishes a secure communication path such as a certificate-based TLS with the authentication server 340.
  • the WLAN terminal 100 requests the authentication server 340 to transmit additional authentication information using the established communication path.
  • In step S614, the authentication server 340 transmits additional authentication information to the WLAN terminal 100.
  • the authentication information transmitted at this time is information that has not been transmitted in step S608 among the authentication information generated in step S606.
  • the authentication server 340 transmits authentication information for the IMS service and authentication information for connection authentication with the ePDG or the like to the WLAN terminal 100 as additional authentication information.
  • the WLAN terminal 100 performs connection authentication processing using the additional authentication information received from the authentication server 340 in step S614.
  • the WLAN terminal 100 performs authentication processing with the authentication server 340 using a terminal identifier and a certificate included in the additional authentication information received from the authentication server 340, and establishes a communication path using TLS or the like.
  • the WLAN terminal 100 may establish a secure communication path using IPsec or the like.
  • the WLAN terminal 100 may employ an authentication protocol such as EAP-AKA, EAP-SIM, or EAP-AKA ′ using the subscriber identification information of the WWAN terminal 200 at the time of authentication.
  • IKEv2 Internet Key Exchange
  • the WLAN terminal 100 performs service authentication processing using the additional authentication information received from the authentication server 340 in step S614.
  • the WLAN terminal 100 performs authentication processing such as IMS-AKA using authentication information for the IMS service, and establishes an IMS session.
  • the WLAN terminal 100 may use information such as IMPI or IMPU for authentication, and may establish a secure communication path using IPsec or the like as in step S616.
  • the WLAN terminal 100 may perform IMS authentication processing using the subscriber identification information of the WWAN terminal 200.
  • the authentication processing in steps S616 and S618 may be performed by a device other than the authentication server 340.
  • the service for the WLAN terminal 100 is started in step S620.
  • Examples of services include IMS services such as Voice over Wi-Fi and Video over Wi-Fi.
  • Table 1 shows the relationship between each EAP authentication method and the public WLAN access point in the Wi-Fi CERTIFIED Passpoint.
  • the Wi-Fi CERTIFIED Passpoint is also simply referred to as Passpoint
  • the public WLAN access point is also simply referred to as AP.
  • OSU AP indicates Online Sign up AP.
  • In L2 Auth (Layer 2 Authentication), authentication between a wireless terminal and a public WLAN is performed by Open Authentication or Anonymous EAP-TLS.
  • In TLS Session, a TLS session for using HTTPS is constructed by using a Passpoint Root Certificate held by the wireless terminal in advance.
  • In Registration, the wireless terminal registers the user's contact information, fee plan, billing information, and the like.
  • the user name, password, or certificate information of the production AP used for using the public WLAN service is exchanged.
  • OSU AP is an AP specialized for sign-up.
  • After completing the registration and provisioning, the wireless terminal temporarily disconnects and reconnects to the production AP.
  • The authentication information used when the wireless terminal reconnects is information received in provisioning.
  • When the ePDG is used as a gateway, the wireless terminal establishes an IPsec session between the wireless terminal and the ePDG based on information received in provisioning, certificate information that the wireless terminal has in advance, and the like. When this session is established, the wireless terminal uses IKEv2 key management. Furthermore, when using multimedia services such as Voice over Wi-Fi and Video over Wi-Fi, the wireless terminal performs IMS-AKA authentication and starts using IMS.
  • EAP-TLS / TTLS Online Sign up
  • authentication protocols such as EAP-AKA using subscriber identification information are out of scope.
  • The technique described above with reference to FIG. 16 can be applied.
  • processing in steps S602 to S614 in FIG. 16 may be performed in the provisioning from the L2 Auth in the OSU AP. Further, the processing in steps S616 to S620 in FIG. 16 may be performed in the IMS from the L2 Auth of the Production AP.
  • EAP-AKA′ or the like may be employed.
  • the control unit 130 of the WLAN terminal 100 transmits a part of the authentication information to the authentication server 340 using a communication path (IP communication path) formed by authentication using the WWAN terminal 200. Since a part of the authentication information is transmitted using the already formed secure communication path, it is possible to improve the confidentiality of the authentication information. It is desirable that a part of the authentication information is information with a small amount of data such as a one-time password. This is to reduce the amount of data when the WLAN terminal 100 receives a part of the authentication information from the WWAN terminal 200 via Bluetooth or NFC. It is desirable that the one-time password has an expiration date. The expiration date can be provided in various units such as 30 minutes, 1 hour, and the like.
  • Examples of authentication methods using the WWAN terminal 200 include EAP-SIM, EAP-AKA, and EAP-AKA ′.
  • the control unit 130 may form a communication path by an authentication method using a certificate such as EAP-TLS or EAP-TTLS.
  • The control unit 130 authenticates to the WLAN 500 using the other part of the authentication information, which it receives from the authentication server 340 once the authentication server 340 has completed authentication using the first part of the authentication information.
  • The other part of the authentication information may be information for authentication to services such as Voice over Wi-Fi and Video over Wi-Fi.
  • Such information for authentication to the service is also referred to as service authentication information.
  • the outline of the wireless communication system 1 according to the present embodiment has been described above. Next, with reference to FIG. 17, an operation process performed by the wireless communication system 1 according to the present embodiment will be described.
  • FIG. 17 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment.
  • the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence.
  • In this sequence, the “service authentication process (step S618)” of the fourth embodiment is expressed in more detail as “terminal authentication / terminal registration (step S716)”, “transmission of service authentication information (step S718)”, and “service authentication process (step S720)”.
  • In step S702, the WLAN terminal 100 and the WWAN terminal 200 establish pairing.
  • The WWAN terminal 200 transmits an authentication information request message for requesting authentication information (that is, a one-time password) to the authentication server 340.
  • The WWAN terminal 200 authenticates with the authentication server 340 by EAP-AKA using its own subscriber identification information.
  • The WWAN terminal 200 establishes an IP connection with the base station 510 and logs in to the authentication server 340 using its current user account.
  • the WWAN terminal 200 requests the authentication server 340 for a one-time password for the WLAN terminal 100.
  • the authentication information request message may be transmitted to the authentication server 340 via the base station 510, or may be transmitted to the authentication server 340 via the base station 310.
  • the WWAN terminal 200 can connect to the authentication server 340 by performing predetermined authentication required for 3G / LTE wireless access instead of EAP-AKA or the like.
  • the authentication server 340 generates a one-time password as the authentication information requested in step S704.
  • the authentication server 340 may generate service authentication information such as an ID necessary for the service in addition to the one-time password.
  • the authentication server 340 may generate an IMPI (IP Multimedia Private Identity), an IMPU (IP Multimedia Public Identity), and a password as service authentication information for an IMS (IP Multimedia Subsystem) service.
  • the authentication server 340 transmits authentication information to the WWAN terminal 200.
  • the authentication information transmitted at this time may be a part of the authentication information generated in step S706.
  • the authentication server 340 transmits a one-time password.
  • the authentication information may be transmitted to the WWAN terminal 200 via the base station 510, or may be transmitted to the WWAN terminal 200 via the base station 310.
  • the authentication server 340 may use, for example, SMS (Short Message Service).
  • In step S710, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 in the above step S708 to the WLAN terminal 100.
  • the WWAN terminal 200 transmits a one-time password using an information code such as WLAN, Bluetooth, NFC, or a barcode.
  • the WLAN terminal 100 performs a connection authentication process.
  • the WLAN terminal 100 performs connection authentication processing by EAP-SIM, EAP-AKA, EAP-AKA ′, or the like using the subscriber identification information of the WWAN terminal 200 to establish an IP connection.
  • the processing here is as described above with reference to FIGS.
  • the WLAN terminal 100 may perform connection authentication processing by an authentication method using a certificate such as EAP-TLS or EAP-TTLS to establish an IP connection.
  • In step S714, the WLAN terminal 100 transmits authentication information to the authentication server 340.
  • the WLAN terminal 100 transmits the one-time password received in step S710. This procedure may be performed automatically by the WLAN terminal 100, or may be performed manually by the user on the Web page of the authentication server 340 or the like.
  • the authentication server 340 performs terminal authentication and terminal registration. For example, the authentication server 340 authenticates whether the one-time password received from the WLAN terminal 100 in step S714 is correct. Then, the authentication server 340 performs terminal registration when the one-time password is correct. For example, the authentication server 340 generates service authentication information. If service authentication information has already been generated in step S706, the generation is omitted. The authentication server 340 may associate information such as the MAC address of the WLAN terminal 100 obtained from the base station 510 or the like with registration information (for example, service authentication information).
  • In step S718, the authentication server 340 transmits service authentication information to the WLAN terminal 100.
  • The WLAN terminal 100 performs service authentication processing using the service authentication information received from the authentication server 340 in step S718. For example, regarding the IMS service, the WLAN terminal 100 establishes a service session using information such as IMPI and IMPU, and establishes a secure communication path using IPsec when necessary. In addition, the WLAN terminal 100 may perform authentication such as IMS-AKA using the subscriber identification information of the WWAN terminal 200.
  • the service for the WLAN terminal 100 is started in step S722.
  • Examples of services include IMS services such as Voice over Wi-Fi and Video over Wi-Fi.
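The server side of steps S704 to S718 can be sketched as follows; this is an added example, not code from the patent, showing a one-time password that expires, works once, and on success binds the WLAN terminal's MAC address to the service authentication information. The class and function names, the 8-digit format, the per-MAC failure limit and the `ims.example` identities are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

OTP_TTL_SECONDS = 30 * 60   # the text suggests lifetimes such as 30 minutes or 1 hour
MAX_FAILURES_PER_MAC = 5    # assumption: lockout threshold, not taken from the page


def _digest(otp: str) -> str:
    # Pending OTPs are indexed by hash, so lookup time does not depend on how
    # many leading characters of a guess match a live OTP.
    return hashlib.sha256(otp.encode()).hexdigest()


def _new_service_info(account: str) -> dict:
    # Constructed IMS-style service authentication information.
    tag = secrets.token_hex(4)
    return {
        "impi": f"{account}-{tag}@ims.example",
        "impu": f"sip:{account}-{tag}@ims.example",
        "password": secrets.token_urlsafe(16),
    }


@dataclass
class Pending:
    account: str
    expires_at: float
    service_info: Optional[dict]


@dataclass
class AuthServer:
    """Toy model of the authentication server 340 (hypothetical structure)."""
    clock: Callable[[], float] = time.time
    pending: Dict[str, Pending] = field(default_factory=dict)
    registered: Dict[str, dict] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)

    def issue_otp(self, account: str, pregenerate: bool = False) -> str:
        """S704-S708: called over the WWAN terminal's authenticated session."""
        # One live OTP per account: a new request revokes the previous one.
        self.pending = {k: p for k, p in self.pending.items() if p.account != account}
        otp = f"{secrets.randbelow(10**8):08d}"
        while _digest(otp) in self.pending:          # avoid clashing with another account
            otp = f"{secrets.randbelow(10**8):08d}"
        info = _new_service_info(account) if pregenerate else None
        self.pending[_digest(otp)] = Pending(account, self.clock() + OTP_TTL_SECONDS, info)
        return otp

    def redeem_otp(self, otp: str, wlan_mac: str) -> Optional[dict]:
        """S714-S718: terminal authentication, terminal registration, service info."""
        if self.failures.get(wlan_mac, 0) >= MAX_FAILURES_PER_MAC:
            return None                              # too many bad guesses from this MAC
        # pop() makes the OTP single-use: a replayed value finds nothing.
        entry = self.pending.pop(_digest(otp), None)
        if entry is None or self.clock() > entry.expires_at:
            self.failures[wlan_mac] = self.failures.get(wlan_mac, 0) + 1
            return None
        # Generation is skipped if the information was already created at S706.
        info = entry.service_info or _new_service_info(entry.account)
        self.registered[wlan_mac] = {"account": entry.account, **info}
        return info


if __name__ == "__main__":
    server = AuthServer()
    code = server.issue_otp("alice")                 # relayed to the WLAN terminal (S710)
    print("first use :", server.redeem_otp(code, "02:00:00:00:00:01") is not None)
    print("replay    :", server.redeem_otp(code, "02:00:00:00:00:01") is not None)
```

A MAC address is easy to spoof, so the per-MAC counter only slows casual guessing; the short lifetime and single use are what bound the exposure of a relayed password.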
  • the WLAN terminal 100 selects an appropriate authentication method according to the situation.
  • Each device included in the wireless communication system 1 according to the present embodiment has the same function as that of the first embodiment.
  • Taking the wireless communication system 1 shown in FIG. 2 as an example, functions characteristic of the present embodiment will be described.
  • The control unit 130 of the WLAN terminal 100 selects an authentication method for the WLAN 500 based on whether or not the wireless communication unit 110 (first wireless communication unit) can communicate with a wireless terminal having subscriber identification information.
  • The control unit 130 selects, as the authentication method, an authentication protocol that uses subscriber identification information, such as EAP-SIM, EAP-AKA, or EAP-AKA′.
  • The control unit 130 selects, as the authentication method, an authentication protocol that does not use subscriber identification information, such as EAP-TLS or EAP-TTLS.
  • The WLAN terminal 100 can select an appropriate authentication method according to the situation. Whether or not communication with a wireless terminal having subscriber identification information is possible can also be understood as whether or not a wireless terminal having subscriber identification information exists within a distance at which the WLAN terminal 100 can communicate using a short-range wireless communication method such as NFC or Bluetooth.
  • a wireless terminal having subscriber identification information is also simply referred to as a SIM terminal.
  • the storage unit 120 of the WLAN terminal 100 may store authentication information, and the control unit 130 may authenticate to the WLAN 500 using the authentication information stored in the storage unit 120.
  • the WLAN terminal 100 stores the authentication information used when authenticating to the WLAN 500 in the past in the storage unit 120. Then, the control unit 130 performs authentication by using the stored authentication information again. As a result, the authentication information generation process and the notification process to the WLAN terminal 100 in the authentication server 340 are omitted, so that the authentication process becomes simpler and faster.
  • The storage unit 220 of the WWAN terminal 200 may store authentication information, and the control unit 240 may transmit the authentication information stored in the storage unit 220 to the WLAN terminal 100 via the wireless communication unit 210 (fourth wireless communication unit).
  • The WWAN terminal 200 stores in the storage unit 220 authentication information that it received from the authentication server 340 in the past and that was used for authentication to the WLAN 500, or authentication information that the WLAN terminal 100 used for authentication to the WLAN 500 and transmitted to the WWAN terminal 200.
  • the WWAN terminal 200 transmits the authentication information stored in the storage unit 220.
  • the authentication information generation process in the authentication server 340 and the authentication information acquisition process from the authentication server 340 are omitted, so that the authentication process becomes simpler and faster.
  • FIG. 18 is a sequence diagram illustrating an example of a flow of connection processing executed in the wireless communication system 1 according to the present embodiment.
  • the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence.
  • a basic processing flow will be described.
  • Detailed conditional branching will be described later in detail with reference to FIGS. 19 and 20.
  • In step S802, the WLAN terminal 100 and the WWAN terminal 200 establish pairing.
  • the WLAN terminal 100 acquires network information from the base station 510.
  • the WLAN terminal 100 acquires network information by receiving a beacon signal, performing a probe process, or inquiring ANQP information.
  • the acquired network information includes, for example, information indicating the SSID of the base station 510 and the authentication method supported by the base station 510.
  • the WLAN terminal 100 confirms network information. Specifically, the WLAN terminal 100 confirms whether authentication information for authenticating to the base station 510 is stored in the storage unit 120 based on the network information acquired in step S804.
  • the authentication information for authenticating to the base station 510 includes a certificate for EAP-TLS or EAP-TTLS, or an ID and a password.
  • the authentication information is not limited to these.
  • If it is determined that the authentication information is not stored, the WLAN terminal 100 inquires of the WWAN terminal 200 about authentication information in step S808. If it is determined that the information is stored, the WLAN terminal 100 performs a connection authentication process (step S820) using the stored authentication information.
  • The WWAN terminal 200 that has received the inquiry confirms the authentication information in step S810. Specifically, the WWAN terminal 200 confirms whether authentication information for the WLAN terminal 100 to authenticate to the base station 510 is stored in the storage unit 220.
  • If it is determined that it is not stored, in step S812 the WWAN terminal 200 transmits an authentication information request message for requesting authentication information (for example, certificate or ID and password) to the authentication server 340. Since the communication path between the WWAN terminal 200 and the authentication server 340 is the same as that described for step S704, a detailed description thereof will be omitted here. If it is determined that it is stored, the WWAN terminal 200 returns the stored authentication information to the WLAN terminal 100 (step S818), and the WLAN terminal 100 uses the returned authentication information to perform connection authentication processing (step S820).
  • In step S814, the authentication server 340 generates authentication information.
  • The authentication server 340 generates a certificate or ID and password.
  • In step S816, the authentication information is transmitted to the WWAN terminal 200. Since the communication path between the WWAN terminal 200 and the authentication server 340 is the same as that described with respect to step S708, detailed description thereof is omitted here.
  • the authentication server 340 causes the WWAN terminal 200 to transmit the authentication information received from the authentication server 340 in step S816 to the WLAN terminal 100.
  • the WWAN terminal 200 transmits authentication information using an information code such as WLAN, Bluetooth, NFC, or barcode.
  • the WLAN terminal 100 performs connection authentication processing.
  • the WLAN terminal 100 performs connection authentication processing by EAP-SIM, EAP-AKA, EAP-AKA ′, or the like using the subscriber identification information of the WWAN terminal 200 to establish an IP connection.
  • the processing here is as described above with reference to FIGS.
  • The WLAN terminal 100 may perform connection authentication processing by EAP-TLS using the electronic certificate received in step S818 or EAP-TTLS using an ID and a password to establish an IP connection.
  • FIG. 19 is a flowchart illustrating an example of a flow of connection processing executed in the WLAN terminal 100 or the WWAN terminal 200 according to the present embodiment.
  • In step S902, the WLAN terminal 100 acquires network information. This step corresponds to step S804 in FIG.
  • the WLAN terminal 100 determines whether or not the connection destination base station 510 supports SIM authentication.
  • SIM authentication means an authentication method using subscriber identification information, and corresponds to, for example, EAP-AKA.
  • the WLAN terminal 100 makes a determination based on the network information acquired in step S902. In this step, the WLAN terminal 100 may determine whether or not the connection destination SSID indicates a desired network.
  • In step S906, the WLAN terminal 100 performs an authentication process using EAP-AKA.
  • the processing here is as described above with reference to FIGS.
  • EAP-SIM may be selected as the authentication method
  • EAP-AKA ′ with enhanced security may be selected as the authentication method.
  • In step S908, the WLAN terminal 100 determines whether or not the connection destination base station 510 supports EAP-TLS or EAP-TTLS authentication. In this step, the WLAN terminal 100 may determine whether or not the connection destination SSID indicates a desired network.
  • If it is determined that EAP-TLS or EAP-TTLS authentication is not supported (step S908 / NO), the process ends.
  • In step S910, the WLAN terminal 100 confirms whether authentication information for authenticating to the base station 510 is stored in the storage unit 120. In this step, the WLAN terminal 100 may determine whether or not the connection destination SSID indicates a desired network. This step corresponds to step S806 in FIG.
  • In step S912, the WLAN terminal 100 uses the stored authentication information (for example, an electronic certificate or an ID and password) to perform authentication using EAP-TLS or EAP-TTLS.
  • This step corresponds to step S820 in FIG. In this case, the processing related to steps S808 to S818 shown in FIG. 18 is omitted.
  • the WLAN terminal 100 inquires of the WWAN terminal 200 for authentication information in step S914. This step corresponds to step S808 in FIG.
  • In step S916, the WWAN terminal 200 determines whether authentication information (for example, an electronic certificate or an ID and a password) for the WLAN terminal 100 to authenticate to the base station 510 is stored in the storage unit 220. This step corresponds to step S810 in FIG.
  • the WWAN terminal 200 transmits the stored authentication information to the WLAN terminal 100 in step S918.
  • This step corresponds to step S818 in FIG. In this case, the processing related to steps S812 to S816 shown in FIG. 18 is omitted.
  • the WWAN terminal 200 acquires authentication information from the authentication server 340 in step S920. This step corresponds to steps S812 to S816 in FIG. In step S918, the WWAN terminal 200 transmits the acquired authentication information to the WLAN terminal 100. This step corresponds to step S818 in FIG.
  • In step S912, the WLAN terminal 100 performs authentication processing using EAP-TLS or EAP-TTLS using authentication information (for example, an electronic certificate or ID and password) received from the WWAN terminal 200.
  • FIG. 20 is a flowchart showing an example of the flow of connection processing executed in the WLAN terminal 100 or the WWAN terminal 200 according to this embodiment.
  • the WLAN terminal 100 determines whether there is a SIM terminal in the vicinity. For example, the WLAN terminal 100 determines whether there is a wireless terminal having subscriber identification information within a communicable distance using a short-range wireless communication method such as NFC or Bluetooth. More specifically, the WLAN terminal 100 determines whether or not the paired WWAN terminal 200 can be found by NFC or Bluetooth.
  • In step S1010, the WLAN terminal 100 and the WWAN terminal 200 perform authentication processing using an authentication method corresponding to the network (that is, an authentication method that uses subscriber identification information or one that does not), and the process ends.
  • the processing here is as described above with reference to FIG.
  • In step S1004, the WLAN terminal 100 acquires network information. This step corresponds to step S804 in FIG. 18 and S902 in FIG.
  • In step S1006, the WLAN terminal 100 determines whether there is authentication information in the WLAN terminal 100. This step corresponds to step S806 in FIG. 18 and S910 in FIG.
  • In step S1008, the WLAN terminal 100 performs authentication processing using EAP-TLS or EAP-TTLS using the stored authentication information, and the process ends. This step corresponds to step S820 in FIG. 18 and S912 in FIG.
  • If it is determined that there is no authentication information (step S1006 / NO), the process ends. This is because the SIM terminal is not present in the surroundings, and even if it exists, it is a wireless terminal that does not have subscriber identification information. Therefore, the wireless terminal is not expected to acquire authentication information from the authentication server 340.
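The selection logic of FIG. 19 and FIG. 20 can be written as one function that returns the chosen EAP method, where the credential came from, and the steps visited; this is an added example, not code from the patent. Treating step S1010 as entry into the FIG. 19 flow, the preference order among SIM-based methods, the cache layout and ending the flow when the server issues nothing are assumptions, and the sample network values are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

SIM_METHODS = ("EAP-AKA'", "EAP-AKA", "EAP-SIM")   # preference order is an assumption
CERT_METHODS = ("EAP-TLS", "EAP-TTLS")
CacheKey = Tuple[str, Optional[str]]                # (SSID, EAP method)


@dataclass(frozen=True)
class NetworkInfo:
    """What the terminal learns from beacon, probe or ANQP (S804/S902/S1004)."""
    ssid: str
    eap_methods: Tuple[str, ...]


@dataclass
class Decision:
    method: Optional[str]   # None means: do not attempt a connection
    source: Optional[str]   # "sim", "wlan-cache", "wwan-cache" or "auth-server"
    trace: List[str]        # step labels visited, useful for audit logging


def select_authentication(
    net: NetworkInfo,
    desired_ssids: Set[str],
    sim_terminal_reachable: bool,
    wlan_cache: Dict[CacheKey, dict],      # storage unit 120
    wwan_cache: Dict[CacheKey, dict],      # storage unit 220
    fetch_from_server: Callable[[str, str], Optional[dict]],
) -> Decision:
    # Refuse before touching any credential if the SSID is not a desired network.
    if net.ssid not in desired_ssids:
        return Decision(None, None, ["ssid-not-desired"])
    cert_method = next((m for m in CERT_METHODS if m in net.eap_methods), None)
    key = (net.ssid, cert_method)

    if not sim_terminal_reachable:
        # FIG. 20: without a SIM terminal only locally stored credentials are usable.
        trace = ["S1004", "S1006"]
        if cert_method and key in wlan_cache:
            return Decision(cert_method, "wlan-cache", trace + ["S1008"])
        return Decision(None, None, trace + ["end"])

    # FIG. 19, entered when a SIM terminal is nearby.
    trace = ["S902", "S904"]
    sim_method = next((m for m in SIM_METHODS if m in net.eap_methods), None)
    if sim_method:
        return Decision(sim_method, "sim", trace + ["S906"])
    trace.append("S908")
    if cert_method is None:
        return Decision(None, None, trace + ["end"])
    trace.append("S910")
    if key in wlan_cache:
        return Decision(cert_method, "wlan-cache", trace + ["S912"])
    trace += ["S914", "S916"]
    cred, source = wwan_cache.get(key), "wwan-cache"
    if cred is None:
        trace.append("S920")
        cred, source = fetch_from_server(net.ssid, cert_method), "auth-server"
        if cred is None:                    # assumption: nothing issued ends the flow
            return Decision(None, None, trace + ["end"])
        wwan_cache[key] = cred              # WWAN terminal keeps a copy for next time
    wlan_cache[key] = cred                  # WLAN terminal keeps a copy for next time
    return Decision(cert_method, source, trace + ["S918", "S912"])


if __name__ == "__main__":
    # Constructed sample: a network that only offers EAP-TTLS.
    net = NetworkInfo("ExampleCarrier-WiFi", ("EAP-TTLS",))
    issue = lambda ssid, method: {"id": "user-0001", "password": "constructed"}
    wlan, wwan = {}, {}
    for attempt in range(2):
        d = select_authentication(net, {"ExampleCarrier-WiFi"}, True, wlan, wwan, issue)
        print(attempt, d.method, d.source, "->".join(d.trace))
```

On the second attempt the credential comes from the WLAN terminal's own store, which is the shortcut the text describes as making authentication simpler and faster.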
  • The wireless communication device 100 and the wireless communication device 200 may be realized as a mobile terminal such as a smartphone, a tablet PC (Personal Computer), a notebook PC, a portable game terminal or a digital camera, as a fixed terminal such as a television receiver, a printer, a digital scanner or a network storage, or as an in-vehicle terminal such as a car navigation device.
  • The wireless communication device 100 and the wireless communication device 200 may also be realized as terminals that perform M2M (Machine To Machine) communication (also referred to as MTC (Machine Type Communication) terminals), such as smart meters, vending machines, remote monitoring devices, or point-of-sale (POS) terminals.
  • the wireless communication device 100 and the wireless communication device 200 may be wireless communication modules (for example, integrated circuit modules configured by one die) mounted on these terminals.
  • FIG. 21 is a block diagram illustrating an example of a schematic configuration of a smartphone 900 to which the technology according to the present disclosure can be applied.
  • the smartphone 900 includes a processor 901, a memory 902, a storage 903, an external connection interface 904, a camera 906, a sensor 907, a microphone 908, an input device 909, a display device 910, a speaker 911, a wireless communication interface 913, an antenna switch 914, an antenna 915, a bus 917, a battery 918, and an auxiliary controller 919.
  • the processor 901 may be, for example, a CPU (Central Processing Unit) or a SoC (System on Chip), and controls the functions of the application layer and other layers of the smartphone 900.
  • the memory 902 includes a RAM (Random Access Memory) and a ROM (Read Only Memory), and stores programs and data executed by the processor 901.
  • the storage 903 can include a storage medium such as a semiconductor memory or a hard disk.
  • the external connection interface 904 is an interface for connecting an external device such as a memory card or a USB (Universal Serial Bus) device to the smartphone 900.
  • the camera 906 includes, for example, an image sensor such as a CCD (Charge Coupled Device) or a CMOS (Complementary Metal Oxide Semiconductor), and generates a captured image.
  • the sensor 907 may include a sensor group such as a positioning sensor, a gyro sensor, a geomagnetic sensor, and an acceleration sensor.
  • the microphone 908 converts sound input to the smartphone 900 into an audio signal.
  • the input device 909 includes, for example, a touch sensor that detects a touch on the screen of the display device 910, a keypad, a keyboard, a button, or a switch, and receives an operation or information input from a user.
  • the display device 910 has a screen such as a liquid crystal display (LCD) or an organic light emitting diode (OLED) display, and displays an output image of the smartphone 900.
  • the speaker 911 converts an audio signal output from the smartphone 900 into audio.
  • the wireless communication interface 913 supports one or more wireless LAN standards such as IEEE802.11a, 11b, 11g, 11n, 11ac, and 11ad, and performs wireless communication.
  • the wireless communication interface 913 can communicate with other devices via a wireless LAN access point in the infrastructure mode.
  • the wireless communication interface 913 can directly communicate with other devices in an ad hoc mode or a direct communication mode such as Wi-Fi Direct (registered trademark).
  • in Wi-Fi Direct, unlike the ad hoc mode, one of the two terminals operates as an access point, but communication is performed directly between the terminals.
  • the wireless communication interface 913 can typically include a baseband processor, an RF (Radio Frequency) circuit, a power amplifier, and the like.
  • the wireless communication interface 913 may be a one-chip module in which a memory that stores a communication control program, a processor that executes the program, and related circuits are integrated.
  • the wireless communication interface 913 may support other types of wireless communication methods such as a short-range wireless communication method, a proximity wireless communication method, or a cellular communication method in addition to the wireless LAN method.
  • the antenna switch 914 switches the connection destination of the antenna 915 among a plurality of circuits (for example, circuits for different wireless communication schemes) included in the wireless communication interface 913.
  • the antenna 915 includes a single antenna element or a plurality of antenna elements (for example, a plurality of antenna elements constituting a MIMO antenna), and is used for transmission and reception of radio signals by the radio communication interface 913.
  • the smartphone 900 is not limited to the example in FIG. 21 and may include a plurality of antennas (for example, an antenna for a wireless LAN and an antenna for a proximity wireless communication method). In that case, the antenna switch 914 may be omitted from the configuration of the smartphone 900.
  • the bus 917 connects the processor 901, memory 902, storage 903, external connection interface 904, camera 906, sensor 907, microphone 908, input device 909, display device 910, speaker 911, wireless communication interface 913, and auxiliary controller 919 to each other.
  • the battery 918 supplies electric power to each block of the smartphone 900 shown in FIG. 21 through a power supply line partially shown by a broken line in the drawing.
  • the auxiliary controller 919 operates the minimum necessary functions of the smartphone 900 in the sleep mode.
  • one or more components included in the WLAN terminal 100 described with reference to FIG. 4 may be implemented in the wireless communication interface 913.
  • at least some of these components may be implemented in the processor 901 or the auxiliary controller 919.
  • the smartphone 900 may include a module including the wireless communication interface 913, the processor 901, and / or the auxiliary controller 919, and the one or more components may be mounted on the module.
  • the module may store a program for causing the processor to function as the one or more components (in other words, a program for causing the processor to execute the operation of the one or more components), and may execute the program.
  • a program for causing a processor to function as one or more components may be installed in the smartphone 900, and the wireless communication interface 913, the processor 901, and / or the auxiliary controller 919 may execute the program.
  • the smartphone 900 or the module may be provided as a device including the one or more components, and a program for causing a processor to function as the one or more components may be provided.
  • a readable recording medium in which the program is recorded may be provided.
  • in the smartphone 900 illustrated in FIG. 21, one or more components (for example, at least one of the storage unit 220, the subscriber identification module 230, or the control unit 240) included in the WWAN terminal 200 described with reference to FIG. may be implemented in the wireless communication interface 913.
  • at least some of these components may be implemented in the processor 901 or the auxiliary controller 919.
  • the smartphone 900 may include a module including the wireless communication interface 913, the processor 901, and / or the auxiliary controller 919, and the one or more components may be mounted on the module.
  • the module stores a program for causing the processor to function as the one or more components (in other words, a program for causing the processor to execute the operation of the one or more components), and stores the program.
  • a program for causing a processor to function as one or more components may be installed in the smartphone 900, and the wireless communication interface 913, the processor 901, and / or the auxiliary controller 919 may execute the program.
  • the smartphone 900 or the module may be provided as a device including the one or more components, and a program for causing a processor to function as the one or more components may be provided.
  • a readable recording medium in which the program is recorded may be provided.
  • the smartphone 900 may operate as a wireless access point (software AP) when the processor 901 executes the access point function at the application level. Further, the wireless communication interface 913 may have a wireless access point function.
  • FIG. 22 is a block diagram illustrating an example of a schematic configuration of a car navigation device 920 to which the technology according to the present disclosure can be applied.
  • the car navigation device 920 includes a processor 921, a memory 922, a GPS (Global Positioning System) module 924, a sensor 925, a data interface 926, a content player 927, a storage medium interface 928, an input device 929, a display device 930, a speaker 931, a wireless communication interface 933, an antenna switch 934, an antenna 935, and a battery 938.
  • the processor 921 may be a CPU or SoC, for example, and controls the navigation function and other functions of the car navigation device 920.
  • the memory 922 includes RAM and ROM, and stores programs and data executed by the processor 921.
  • the GPS module 924 measures the position (for example, latitude, longitude, and altitude) of the car navigation device 920 using GPS signals received from GPS satellites.
  • the sensor 925 may include a sensor group such as a gyro sensor, a geomagnetic sensor, and an atmospheric pressure sensor.
  • the data interface 926 is connected to the in-vehicle network 941 through a terminal (not shown), for example, and acquires data generated on the vehicle side such as vehicle speed data.
  • the content player 927 reproduces content stored in a storage medium (for example, CD or DVD) inserted into the storage medium interface 928.
  • the input device 929 includes, for example, a touch sensor that detects a touch on the screen of the display device 930, a button, or a switch, and receives an operation or information input from the user.
  • the display device 930 has a screen such as an LCD or an OLED display, and displays a navigation function or an image of content to be reproduced.
  • the speaker 931 outputs the navigation function or the audio of the content to be played back.
  • the wireless communication interface 933 supports one or more wireless LAN standards such as IEEE802.11a, 11b, 11g, 11n, 11ac, and 11ad, and executes wireless communication.
  • the wireless communication interface 933 can communicate with other devices via a wireless LAN access point in the infrastructure mode.
  • the wireless communication interface 933 can directly communicate with other devices in an ad hoc mode or a direct communication mode such as Wi-Fi Direct.
  • the wireless communication interface 933 may typically include a baseband processor, an RF circuit, a power amplifier, and the like.
  • the wireless communication interface 933 may be a one-chip module in which a memory that stores a communication control program, a processor that executes the program, and related circuits are integrated.
  • the wireless communication interface 933 may support other types of wireless communication systems such as a short-range wireless communication system, a proximity wireless communication system, or a cellular communication system.
  • the antenna switch 934 switches the connection destination of the antenna 935 among a plurality of circuits included in the wireless communication interface 933.
  • the antenna 935 includes a single antenna element or a plurality of antenna elements, and is used for transmission and reception of a radio signal by the radio communication interface 933.
  • the car navigation device 920 may include a plurality of antennas without being limited to the example of FIG. In that case, the antenna switch 934 may be omitted from the configuration of the car navigation device 920.
  • the battery 938 supplies power to each block of the car navigation device 920 shown in FIG. 22 through a power supply line partially shown by a broken line in the drawing. Further, the battery 938 stores electric power supplied from the vehicle side.
  • in the car navigation device 920 shown in FIG. 22, one or more components (for example, at least one of the storage unit 120 and the control unit 130) included in the WLAN terminal 100 described with reference to FIG. may be implemented. Further, at least a part of these functions may be implemented in the processor 921.
  • the car navigation device 920 may include a module including the wireless communication interface 933 and / or the processor 921, and the one or more components may be mounted on the module.
  • the module may store a program for causing the processor to function as the one or more components (in other words, a program for causing the processor to execute the operation of the one or more components), and may execute the program.
  • a program for causing a processor to function as one or more components may be installed in the car navigation device 920, and the wireless communication interface 933 and / or the processor 921 may execute the program.
  • the car navigation apparatus 920 or the module may be provided as an apparatus including the one or more components, and a program for causing a processor to function as the one or more components may be provided.
  • a readable recording medium in which the program is recorded may be provided.
  • one or more components included in the WWAN terminal 200 described with reference to FIG. 5 (for example, at least one of the storage unit 220, the subscriber identification module 230, or the control unit 240) may be implemented in the wireless communication interface 933. Further, at least a part of these functions may be implemented in the processor 921.
  • the car navigation device 920 may include a module including the wireless communication interface 933 and / or the processor 921, and the one or more components may be mounted on the module. In this case, the module may store a program for causing the processor to function as the one or more components (in other words, a program for causing the processor to execute the operation of the one or more components), and may execute the program.
  • a program for causing a processor to function as one or more components may be installed in the car navigation device 920, and the wireless communication interface 933 and / or the processor 921 may execute the program.
  • the car navigation apparatus 920 or the module may be provided as an apparatus including the one or more components, and a program for causing a processor to function as the one or more components may be provided.
  • a readable recording medium in which the program is recorded may be provided.
  • the technology according to the present disclosure may be realized as an in-vehicle system (or vehicle) 940 including one or more blocks of the car navigation device 920 described above, an in-vehicle network 941, and a vehicle side module 942.
  • vehicle-side module 942 generates vehicle-side data such as vehicle speed, engine speed, or failure information, and outputs the generated data to the in-vehicle network 941.
  • the WLAN terminal 100 can connect to the secure WLAN 500 by using the authentication information generated by the authentication server 340, and can avoid connecting to a network with a high security risk, such as the risk of eavesdropping. Thereby, even when the WLAN terminal 100 does not support Wi-Fi CERTIFIED Passpoint, it can obtain the same safety and connection convenience as when it does.
  • the WLAN terminal 100 transmits the collected network information to the WWAN terminal 200 in order to obtain authentication information from the authentication server 340. Since the network information is collected at the current location of the WLAN terminal 100, the WLAN terminal 100 can receive a connection service with higher accuracy in the available area and the radio wave intensity as compared with the method using the ANDSF.
  • a first wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the first network;
  • Authentication information generated by an authentication server using network information of the second network is received from the wireless terminal via the first wireless communication unit, and the authentication information is received via the second wireless communication unit.
  • a control unit for performing authentication to the second network using A wireless communication device comprising: (2) The control unit collects the network information via the second wireless communication unit, and transmits the collected network information to the wireless terminal via the first wireless communication unit.
  • the wireless communication apparatus includes at least one of SSID, channel information, RSSI (Received Signal Strength Indicator) information, and an inquiry result using ANQP.
  • the control unit transmits at least one of device information of the wireless communication device, capability information, or information indicating a purpose of wireless communication with the second network to the wireless terminal via the first wireless communication unit.
  • the wireless communication device according to any one of (1) to (3), wherein the wireless communication device transmits.
  • the wireless communication device performs authentication to one second network selected from one or more second networks.
  • the control unit performs authentication to the second network using the authentication information generated by the authentication server using device information of at least one of the wireless communication device or the wireless terminal.
  • the wireless communication device according to any one of (5) to (5).
  • the control unit performs authentication to the second network using another part of the authentication information acquired using a communication path formed after authentication using a part of the authentication information.
  • the radio communication device according to any one of (1) to (6).
  • the control unit transmits a part of the authentication information to the authentication server using a communication path formed by authentication using the wireless terminal, and performs authentication using the part of the authentication information by the authentication server.
  • the wireless communication apparatus according to any one of (1) to (7), wherein authentication to the second network is performed using another part of the authentication information received via the authentication information.
  • the wireless communication apparatus according to (7) or (8), wherein a part of the authentication information is a one-time password provided with an expiration date.
  • the control unit selects an authentication method for the second network based on whether or not the first wireless communication unit can communicate with the wireless terminal having subscriber identification information.
  • the wireless communication device according to any one of (9).
  • the wireless communication device further includes a storage unit that stores the authentication information, The wireless communication apparatus according to any one of (1) to (10), wherein the control unit authenticates to the second network using the authentication information stored in the storage unit.
  • EAP Extensible Authentication Protocol
  • the wireless communication device
  • (13) The wireless communication device according to (12), wherein the authentication information includes an electronic certificate issued by the authentication server.
  • (14) The wireless communication device according to (12), wherein the authentication information includes an ID and a password issued by the authentication server.
  • (15) The wireless communication apparatus according to any one of (1) to (11), wherein the control unit performs authentication to the second network by EAP authentication using subscriber identification information included in the wireless terminal.
  • (16) The wireless communication apparatus according to any one of (1) to (15), wherein the first network is a mobile communication network.
  • (17) The wireless communication apparatus according to any one of (1) to (16), wherein the second network is a public wireless LAN.
  • a third wireless communication unit that connects to the first network and performs wireless communication;
  • a fourth wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the second network; Authentication for authentication to the second network generated by transmitting the network information of the second network to the authentication server via the third wireless communication unit and using the network information in the authentication server
  • a control unit for transmitting information to the wireless terminal via the fourth wireless communication unit;
  • a wireless communication device comprising: (19) The wireless communication device according to (18), wherein the fourth wireless communication unit receives the network information from the wireless terminal. (20)
  • the wireless communication device further includes a fifth wireless communication unit that performs wireless communication by connecting to the second network, The wireless communication device according to (18), wherein the control unit collects the network information via the fifth wireless communication unit.
  • the control unit transmits the authentication information for authentication to one second network selected from one or more second networks to the wireless terminal via the fourth wireless communication unit.
  • the wireless communication device according to any one of (18) to (20).
  • the wireless communication device further includes a storage unit that stores the authentication information, The wireless communication unit according to any one of (18) to (21), wherein the control unit transmits the authentication information stored in the storage unit to the wireless terminal via the fourth wireless communication unit.
  • Communication device (23) A third wireless communication unit that connects to the first network and performs wireless communication; A fifth wireless communication unit for connecting to the second network and performing wireless communication; The network information of the second network is transmitted to the authentication server via the third wireless communication unit, and the authentication to the second network using the authentication information generated in the authentication server is performed in the fifth network.
  • a control unit that performs via a wireless communication unit;
  • a wireless communication device comprising: (24) Performing wireless communication with a wireless terminal that performs wireless communication by connecting to the first network by the first wireless communication unit; Connecting to the second network by the second wireless communication unit to perform wireless communication; Authentication information generated by an authentication server using network information of the second network is received from the wireless terminal via the first wireless communication unit, and the authentication information is received via the second wireless communication unit.
  • a wireless communication method including: (25) Connecting to the first network by the third wireless communication unit to perform wireless communication; Performing wireless communication with a wireless terminal that performs wireless communication by connecting to the second network by a fourth wireless communication unit; Authentication for authentication to the second network generated by transmitting the network information of the second network to the authentication server via the third wireless communication unit and using the network information in the authentication server Transmitting information to the wireless terminal via the fourth wireless communication unit;
  • a wireless communication device comprising: (26) Connecting to the first network by the third wireless communication unit to perform wireless communication; Connecting to the second network by the fifth wireless communication unit to perform wireless communication; The network information of the second network is transmitted to the authentication server via the third wireless communication unit, and the authentication to the second network using the authentication information generated in the authentication server is performed in the fifth network.
  • a wireless communication method including: (27) Computer A first wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the first network; A second wireless communication unit connected to the second network for wireless communication; Authentication information generated by an authentication server using network information of the second network is received from the wireless terminal via the first wireless communication unit, and the authentication information is received via the second wireless communication unit.
  • Computer A third wireless communication unit that connects to the first network and performs wireless communication; A fourth wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the second network; Authentication for authentication to the second network generated by transmitting the network information of the second network to the authentication server via the third wireless communication unit and using the network information in the authentication server A control unit for transmitting information to the wireless terminal via the fourth wireless communication unit; Program to function as.
  • a control unit that performs via a wireless communication unit; Program to function as.
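
The authentication-method selection described in steps S1004 to S1010 and in items (9) to (15) above, as an added Python example that is not part of the patent text. All names are hypothetical; the `accepts_subscriber_eap` flag, the per-SSID binding and expiry of stored items, and the mapping of a certificate to EAP-TLS and of an ID and password to EAP-TTLS are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable


class Decision(Enum):
    SUBSCRIBER_EAP = "S1010: EAP using subscriber identification information"
    SERVER_ISSUED = "S1010: obtain authentication information via the paired terminal"
    EAP_TLS = "S1008: EAP-TLS with a stored certificate"
    EAP_TTLS = "S1008: EAP-TTLS with a stored ID and password"
    END = "S1006 / NO: no usable authentication information"


@dataclass(frozen=True)
class NetworkInfo:
    ssid: str
    # Assumption: derived from the collected network information (e.g. an ANQP result).
    accepts_subscriber_eap: bool


@dataclass(frozen=True)
class StoredAuthInfo:
    ssid: str             # network the authentication server issued the item for
    kind: str             # "certificate" or "id_password"
    expires_at: datetime  # assumption: every stored item carries an expiry


def is_usable(item: StoredAuthInfo, network: NetworkInfo, now: datetime) -> bool:
    """Stored information is only offered to the network it was issued for, before expiry."""
    return item.ssid == network.ssid and now < item.expires_at


def select_authentication(sim_terminal_reachable: bool,
                          network: NetworkInfo,
                          stored: Iterable[StoredAuthInfo],
                          now: datetime) -> Decision:
    # A paired terminal with subscriber identification information is in range:
    # use the method that corresponds to the network (step S1010).
    if sim_terminal_reachable:
        if network.accepts_subscriber_eap:
            return Decision.SUBSCRIBER_EAP
        return Decision.SERVER_ISSUED
    # No such terminal: fall back to authentication information already stored
    # in the WLAN terminal (steps S1006 and S1008).
    for item in stored:
        if not is_usable(item, network, now):
            continue  # wrong network or expired: never sent to the access point
        if item.kind == "certificate":
            return Decision.EAP_TLS
        if item.kind == "id_password":
            return Decision.EAP_TTLS
    return Decision.END


# Constructed sample data (not taken from the patent).
NOW = datetime(2015, 11, 10, 12, 0, tzinfo=timezone.utc)
SECURE_WLAN = NetworkInfo(ssid="secure-wlan-500", accepts_subscriber_eap=False)
STORE = [
    StoredAuthInfo("other-wlan", "certificate", NOW + timedelta(days=1)),
    StoredAuthInfo("secure-wlan-500", "id_password", NOW - timedelta(minutes=1)),
    StoredAuthInfo("secure-wlan-500", "certificate", NOW + timedelta(hours=1)),
]


def demo() -> list:
    """Run the selection for the three situations the flow distinguishes."""
    return [
        select_authentication(True, SECURE_WLAN, STORE, NOW),
        select_authentication(False, SECURE_WLAN, STORE, NOW),
        select_authentication(False, SECURE_WLAN, STORE[:2], NOW),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

The second call skips the certificate issued for another SSID and the expired password, which is the behaviour that keeps stored information from being presented to a network it was not generated for.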

Abstract

[Problem] To provide a wireless communication device, a wireless communication method and a program which enable securer connection to a network. [Solution] A wireless communication device is provided with: a first wireless communication unit which performs wireless communication with a wireless terminal that connects with a first network and performs wireless communication; a second wireless communication unit which connects with a second network and performs wireless communication; and a control unit which receives, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performs authentication of the second network using the authentication information via the second wireless communication unit.

Description

無線通信装置、無線通信方法及びプログラムWireless communication apparatus, wireless communication method and program
 本開示は、無線通信装置、無線通信方法及びプログラムに関する。 The present disclosure relates to a wireless communication device, a wireless communication method, and a program.
 近年、インターネットを用いた多様なサービスが登場してきており、外出先でも容易にインターネットにアクセスする手段が求められている。例えばスマートフォン及び携帯電話等のWWAN(Wireless Wide Area Network)通信機能を有する端末は、外出先であっても、移動体通信網を介してインターネットにアクセスすることが可能である。一方、WWAN通信機能を有さない端末は、無線LAN(WLAN:Wireless Local Area Network)等の他の通信方式を用いてインターネットにアクセスすることが要されていた。WLAN等のネットワークへ接続する際は、アクセスポイントの検索、ID(identifier)及びパスワードの入力等の処理が要される場合があり、このような処理をより容易にするための技術が求められている。 In recent years, various services using the Internet have appeared, and there is a demand for means for easily accessing the Internet even when away from home. For example, a terminal having a WWAN (Wireless Wide Area Network) communication function, such as a smartphone and a mobile phone, can access the Internet via a mobile communication network even when the user is away from home. On the other hand, a terminal that does not have a WWAN communication function is required to access the Internet by using another communication method such as a wireless LAN (WLAN). When connecting to a network such as a WLAN, processing such as searching for an access point, inputting an ID (identifier) and a password may be required, and a technique for making such processing easier is required. Yes.
 例えば、下記特許文献1では、サービスを提供するサービス提供装置との間で、他の通信端末を介して間接的に通信する通信端末が、サービス提供装置において提供されるサービスをシームレスに受けることを可能にするための技術が開示されている。 For example, in Patent Document 1 below, a communication terminal that indirectly communicates with a service providing apparatus that provides a service via another communication terminal seamlessly receives a service provided by the service providing apparatus. Techniques for enabling are disclosed.
特開2009-253752号公報JP 2009-253752 A
 しかし、この技術分野では、さらなる性能向上が望まれている。例えば、WLANにより構築されるネットワークの中には、盗聴の危険性等のセキュリティリスクが高いネットワークが存在し得るため、より安全なネットワークに接続可能になることが望ましい。そこで、本開示では、より安全にネットワークに接続することが可能な、新規かつ改良された無線通信装置、無線通信方法及びプログラムを提案する。 However, further performance improvement is desired in this technical field. For example, in a network constructed by WLAN, there may be a network with a high security risk such as the risk of eavesdropping, so it is desirable to be able to connect to a safer network. Therefore, the present disclosure proposes a new and improved wireless communication apparatus, wireless communication method, and program that can be more securely connected to a network.
 本開示によれば、第1のネットワークに接続して無線通信を行う無線端末との無線通信を行う第1の無線通信部と、第2のネットワークに接続して無線通信を行う第2の無線通信部と、前記第2のネットワークのネットワーク情報を用いて認証サーバにより生成された認証情報を前記第1の無線通信部を介して前記無線端末から受信し、前記第2の無線通信部を介して前記認証情報を用いた前記第2のネットワークへの認証を行う制御部と、を備える無線通信装置が提供される。 According to the present disclosure, the first wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the first network, and the second wireless that performs wireless communication by connecting to the second network. Authentication information generated by an authentication server using network information of the communication unit and the second network is received from the wireless terminal via the first wireless communication unit, and is transmitted via the second wireless communication unit. And a control unit that performs authentication to the second network using the authentication information.
 また、本開示によれば、第1のネットワークに接続して無線通信を行う第3の無線通信部と、第2のネットワークに接続して無線通信を行う無線端末との無線通信を行う第4の無線通信部と、前記第2のネットワークのネットワーク情報を前記第3の無線通信部を介して認証サーバへ送信し、前記認証サーバにおいて前記ネットワーク情報を用いて生成された前記第2のネットワークへの認証のための認証情報を前記第4の無線通信部を介して前記無線端末へ送信する制御部と、を備える無線通信装置が提供される。 In addition, according to the present disclosure, the fourth wireless communication unit performs wireless communication with the third wireless communication unit that performs wireless communication by connecting to the first network and the wireless terminal that performs wireless communication by connecting to the second network. The network information of the second network and the network information of the second network are transmitted to the authentication server via the third wireless communication unit, and to the second network generated using the network information in the authentication server And a control unit that transmits authentication information for authentication to the wireless terminal via the fourth wireless communication unit.
 また、本開示によれば、第1のネットワークに接続して無線通信を行う第3の無線通信部と、第2のネットワークに接続して無線通信を行う第5の無線通信部と、前記第2のネットワークのネットワーク情報を前記第3の無線通信部を介して認証サーバへ送信し、前記認証サーバにおいて生成された認証情報を用いた前記第2のネットワークへの認証を前記第5の無線通信部を介して行う制御部と、を備える無線通信装置が提供される。 According to the present disclosure, a third wireless communication unit that performs wireless communication by connecting to the first network, a fifth wireless communication unit that performs wireless communication by connecting to the second network, and the first Network information of the second network is transmitted to the authentication server via the third wireless communication unit, and the authentication to the second network using the authentication information generated in the authentication server is performed to the fifth wireless communication And a control unit that is provided via the unit.
Further, according to the present disclosure, there is provided a wireless communication method including: performing, by a first wireless communication unit, wireless communication with a wireless terminal that connects to a first network and performs wireless communication; connecting to a second network and performing wireless communication by a second wireless communication unit; and receiving, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performing authentication to the second network using the authentication information via the second wireless communication unit.
Further, according to the present disclosure, there is provided a wireless communication device comprising: connecting to a first network and performing wireless communication by a third wireless communication unit; performing, by a fourth wireless communication unit, wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and transmitting network information of the second network to an authentication server via the third wireless communication unit, and transmitting, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network that the authentication server generated using the network information.
Further, according to the present disclosure, there is provided a wireless communication method including: connecting to a first network and performing wireless communication by a third wireless communication unit; connecting to a second network and performing wireless communication by a fifth wireless communication unit; and transmitting network information of the second network to an authentication server via the third wireless communication unit, and performing, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
Further, according to the present disclosure, there is provided a program for causing a computer to function as: a first wireless communication unit that performs wireless communication with a wireless terminal that connects to a first network and performs wireless communication; a second wireless communication unit that connects to a second network and performs wireless communication; and a control unit that receives, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performs authentication to the second network using the authentication information via the second wireless communication unit.
Further, according to the present disclosure, there is provided a program for causing a computer to function as: a third wireless communication unit that connects to a first network and performs wireless communication; a fourth wireless communication unit that performs wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and transmits, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network that the authentication server generated using the network information.
Further, according to the present disclosure, there is provided a program for causing a computer to function as: a third wireless communication unit that connects to a first network and performs wireless communication; a fifth wireless communication unit that connects to a second network and performs wireless communication; and a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and performs, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
As described above, according to the present disclosure, it is possible to connect to a network more safely. Note that the above effect is not necessarily limiting; together with or in place of the above effect, any of the effects described in this specification, or other effects that can be understood from this specification, may be achieved.
A diagram for describing an overview of a wireless communication system according to an embodiment of the present disclosure.
A diagram for describing an overview of a wireless communication system according to an embodiment of the present disclosure.
A block diagram illustrating an example of the configuration of the wireless communication system according to the present embodiment.
A block diagram illustrating an example of the logical configuration of the WLAN terminal according to the present embodiment.
A block diagram illustrating an example of the logical configuration of the WWAN terminal according to the present embodiment.
A block diagram illustrating an example of the logical configuration of the authentication server according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of EAP authentication processing executed in the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of EAP authentication processing executed in the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A diagram for describing an overview of the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A diagram for describing an overview of the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system according to the present embodiment.
A flowchart illustrating an example of the flow of connection processing executed in the WLAN terminal or the WWAN terminal according to the present embodiment.
A flowchart illustrating an example of the flow of connection processing executed in the WLAN terminal or the WWAN terminal according to the present embodiment.
A block diagram illustrating an example of a schematic configuration of a smartphone.
A block diagram illustrating an example of a schematic configuration of a car navigation device.
Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. In this specification and the drawings, components having substantially the same functional configuration are denoted by the same reference numerals, and redundant description is omitted.
The description will be given in the following order.
  1. Overview
  2. First embodiment
   2.1. Configuration example of wireless communication system
   2.2. Configuration example of WLAN terminal
   2.3. Configuration example of WWAN terminal
   2.4. Configuration example of authentication server
   2.5. Operation processing
  3. Second embodiment
   3.1. Overview
   3.2. Operation processing example
  4. Third embodiment
   4.1. Overview
   4.2. Operation processing example
  5. Fourth embodiment
   5.1. Overview
   5.2. Operation processing example
   5.3. Relationship between authentication method and public WLAN
  6. Fifth embodiment
   6.1. Overview
   6.2. Operation processing example
  7. Sixth embodiment
   7.1. Overview
   7.2. Operation processing example
  8. Application examples
  9. Summary
<< 1. Overview >>
First, an overview of a wireless communication system 1 according to an embodiment of the present disclosure will be described with reference to FIGS. 1 and 2.
FIG. 1 and FIG. 2 are diagrams for describing an overview of the wireless communication system 1 according to an embodiment of the present disclosure. In the example illustrated in FIG. 1, the wireless communication system 1 includes a wireless communication device 100. In the example illustrated in FIG. 2, the wireless communication system 1 includes a wireless communication device 100 and a wireless communication device 200.
The wireless communication device 100 is a wireless terminal capable of wireless communication with other devices. In the example of FIG. 1, the wireless communication device 100 is a notebook PC. The wireless communication device 100 is a WLAN terminal that can connect to a WLAN according to a communication method such as IEEE (Institute of Electrical and Electronics Engineers) 802.11a, 11b, 11g, 11n, 11ac, or 11ad. As shown in FIG. 1, the WLAN terminal 100 can connect to a wireless network 500 via a base station 510 and use a service provided by the service network 400. The WLAN terminal 100 can also form a wireless connection with the wireless communication device 200. This wireless connection can be formed according to any communication method, such as Bluetooth (registered trademark) or NFC (Near field communication). The WLAN terminal 100 can connect to a WLAN whose network information is known, such as a WLAN operated at the user's home, but has difficulty connecting to a WLAN whose network information is unknown, such as one encountered away from home. Besides a notebook PC, the wireless communication device 100 may be realized as a PC, a tablet terminal, a PDA (Personal Digital Assistants), an HMD (Head Mounted Display), a headset, a digital camera, a digital video camera, a smartphone, a mobile phone terminal, a portable music playback device, a portable video processing device, a portable game device, or the like.
The wireless communication device 200 is a wireless terminal capable of wireless communication with other devices. In the example of FIG. 2, the wireless communication device 200 is a smartphone. The wireless communication device 200 can form a wireless connection with, for example, the WLAN terminal 100. The wireless communication device 200 is also a WWAN terminal that has a WWAN communication function and can connect to a WWAN. The WWAN terminal 200 holds subscriber identification information for connecting to a mobile communication network, performs authentication processing using the subscriber identification information, and can form a wireless connection with a wireless network 300 such as a mobile communication network. The subscriber identification information is, for example, an IMSI (International Mobile Subscriber Identity) stored in a SIM card (Subscriber Identity Module Card). The WWAN terminal 200 can connect to the wireless network 300 using the WWAN communication function and use a service provided by the service network 400. Besides a smartphone, the wireless communication device 200 may be realized as a notebook PC, a PC, a tablet terminal, a PDA, an HMD, a headset, a digital camera, a digital video camera, a mobile phone terminal, a portable music playback device, a portable video processing device, a portable game device, or the like.
The wireless network 300 is a WWAN (first network) such as a mobile communication network. For example, the WWAN 300 is operated according to any wireless communication method such as LTE (Long Term Evolution), LTE-A (LTE-Advanced), GSM (registered trademark), UMTS, W-CDMA, or CDMA2000. For example, the WWAN 300 accepts connections from the wireless communication device 200 located within the range of the cell operated by the base station 310.
The service network 400 is a public network such as the Internet. The WWAN terminal 200 can access the service network 400 via the WWAN 300.
Here, it is difficult for a terminal without a WWAN communication function to access the Internet via the WWAN 300. Even in such a case, means for realizing Internet access away from home include, for example, tethering through a terminal capable of WWAN communication, or use of a public WLAN.
Tethering is a technology in which another communication terminal connects to the WWAN 300 via a terminal that has a WWAN communication function, such as a smartphone. For example, since the WWAN terminal 200 can connect to both the WWAN 300 and the WLAN terminal 100, it can realize tethering by functioning as an access point that relays communication between the WWAN 300 and the WLAN terminal 100. As a result, the WLAN terminal 100 can use the service provided by the service network 400.
Tethering can be used wherever the WWAN terminal 200 is located within an area where WWAN communication is possible. However, terminal settings for using tethering must be made on both the WWAN terminal 200 and the WLAN terminal 100, which impairs user convenience. In addition, during tethering the WWAN terminal 200 functioning as an access point consumes a large amount of power.
On the other hand, a public WLAN is a service that provides a connection to the Internet using a WLAN. Communication using a public WLAN is described below with reference to FIG. 2. The wireless network 500 shown in FIG. 2 is a public network (second network) operated, for example, as a WLAN. The WLAN terminal 100 can connect to the WLAN 500 and access the service network 400, or access the service network 400 additionally via the WWAN 300. As a result, the WLAN terminal 100 can use the service provided by the service network 400.
Here, a wireless terminal having a WWAN communication function, such as a smartphone, can use ANDSF (Access Network Discovery and Selection Function) proposed by 3GPP (Third Generation Partnership Project), or the Wi-Fi CERTIFIED Passpoint technology proposed by the Wi-Fi Alliance, to connect to a surrounding public WLAN and perform user authentication using the subscriber identification information it holds. However, with a wireless terminal that, like a notebook PC, has no WWAN communication function and no subscriber identification information, the user may have to select an available public WLAN and carry out the authentication procedure personally, which impairs convenience.
Furthermore, if the WLAN terminal 100 does not support Wi-Fi CERTIFIED Passpoint, it connects without confirming the safety of the WLAN 500, which carries the risk of connecting to a WLAN 500 with a high security risk and the risk of suffering harm such as eavesdropping.
Accordingly, the wireless communication device according to an embodiment of the present disclosure was created with the above circumstances as one point of focus. The wireless communication device according to an embodiment of the present disclosure can easily and safely connect to a public WLAN and use the Internet. Hereinafter, a wireless communication system including the wireless communication device according to an embodiment of the present disclosure will be described in detail with reference to FIGS. 3 to 22.
<< 2. First Embodiment >>
<2.1. Configuration example of wireless communication system>
FIG. 3 is a block diagram illustrating an example of the configuration of the wireless communication system 1 according to the present embodiment. As shown in FIG. 3, the wireless communication system 1 includes a WLAN terminal 100 and a WWAN terminal 200, and provides wireless connection to the WWAN 300, the WLAN 500, and the service network 400.
(1) WWAN 300
As shown in FIG. 3, the WWAN 300 is operated by a base station 310, a gateway 320, a subscriber information server 330, an authentication server 340, and a network information providing server 350.
(1-1) Base station 310
The base station 310 is a device that serves as the point of contact when a wireless terminal having a WWAN communication function connects to the WWAN 300. For example, the base station 310 accepts a connection from the WWAN terminal 200. In LTE, the base station 310 corresponds to an eNB.
(1-2) Gateway 320
The gateway 320 is a device that relays communication between the WWAN 300 and other networks. For example, the gateway 320 relays communication between the WWAN 300 and the service network 400 and communication between the WWAN 300 and the WLAN 500. In LTE, the gateway 320 corresponds to a P-GW (Packet Data Network Gateway).
(1-3) Subscriber information server 330
The subscriber information server 330 is a device that holds information on subscribers to the WWAN 300. The subscriber information server 330 also holds information used for authentication processing when a wireless terminal connects to the WWAN 300. In LTE, the subscriber information server 330 corresponds to an HSS (Home Subscriber Server).
(1-4) Authentication server 340
The authentication server 340 is a device that authenticates that a connection to the WWAN 300 is a connection by a subscriber of the WWAN 300. The authentication server 340 can perform this authentication processing with reference to the subscriber information server 330. In LTE, the authentication server 340 corresponds to an AAA (Authentication, Authorization and Accounting) server.
The authentication server 340 also has a function of authenticating connections to the WLAN 500. For example, an authentication protocol using certificates, such as EAP (Extensible Authentication Protocol)-TLS or EAP-TTLS, can be adopted as the authentication protocol for the WLAN 500. In that case, the authentication server 340 issues an electronic certificate, an ID, a password, and the like, and performs authentication processing for the terminal that connects to the WLAN 500. Alternatively, an authentication protocol using subscriber identification information for the WWAN 300, such as EAP-AKA, EAP-SIM, or EAP-AKA', can be adopted as the authentication protocol for the WLAN 500. In that case, the authentication server 340 performs authentication processing with reference to the subscriber information server 330. Note that a terminal that has a WWAN communication function and can connect to the WWAN 300 through authentication processing using subscriber identification information can likewise connect to the WLAN 500 through authentication processing using the subscriber identification information. In addition, IMS-AKA, a Security Token, an electronic certificate (Credential, Certificate), a public key, or the like may be used as the authentication protocol for the WLAN 500.
(1-5) Network information providing server 350
The network information providing server 350 is a device that provides information on a destination wireless network, which is needed when a wireless terminal switches its connection from the wireless network to which it is currently connected to another wireless network. For example, the network information providing server 350 can provide the WWAN terminal 200 with network information for connecting to the WLAN 500. In LTE, the network information providing server 350 corresponds to an ANDSF server.
(2) WLAN 500
As shown in FIG. 3, the WLAN 500 is a public network operated by the base station 510. In this specification, the communication method of the public network is described as being WLAN, but the public network may be operated according to any other communication method, such as Bluetooth.
The base station 510 is a device that serves as the point of contact when a wireless terminal having a WLAN communication function connects to the WLAN 500. For example, the base station 510 accepts a connection from the WLAN terminal 100. When the communication method of the public network is WLAN, the base station 510 corresponds to an access point. Note that the base station 510 can support one or more authentication protocols.
<2.2. Configuration example of WLAN terminal>
FIG. 4 is a block diagram illustrating an example of the logical configuration of the WLAN terminal 100 according to the present embodiment. As illustrated in FIG. 4, the WLAN terminal 100 includes a wireless communication unit 110, a storage unit 120, and a control unit 130.
(1) Wireless communication unit 110
The wireless communication unit 110 is a communication module that transmits and receives data to and from external devices. The wireless communication unit 110 can perform wireless communication using various communication methods. For example, the wireless communication unit 110 includes a WLAN module 112 and can perform wireless communication using Wi-Fi (registered trademark) or WLAN. The wireless communication unit 110 also includes a BT (Bluetooth) module 114 and can perform wireless communication using Bluetooth. The wireless communication unit 110 also includes an NFC module 116 and can perform wireless communication using NFC.
For example, the wireless communication unit 110 can function as a first wireless communication unit that performs pairing and wireless communication with the WWAN terminal 200. For example, the wireless communication unit 110 performs pairing and wireless communication with the WWAN terminal 200 using a short-range wireless communication method such as NFC, Bluetooth, Bluetooth Low Energy, Wi-Fi Direct (registered trademark), or WLAN. The wireless communication unit 110 may also perform pairing and wireless communication with the WWAN terminal 200 using another short-range wireless communication method such as ZigBee (registered trademark) or IrDA (Infrared Data Association).
For example, the wireless communication unit 110 can function as a second wireless communication unit that connects to a public network and performs wireless communication. For example, the wireless communication unit 110 connects to the WLAN 500 using a wireless communication method such as WLAN. The public network may support any wireless communication method other than WLAN, in which case the wireless communication unit 110 can connect to the public network using the wireless communication method that the public network uses. The wireless communication unit 110 may also perform measurement processing, such as measuring an RSSI (Received Signal Strength Indicator) from the strength of the signal received from the WLAN 500.
The wireless communication unit 110 may use the same communication method for wireless communication with the WWAN terminal 200 and for wireless communication with the public network. For example, the wireless communication unit 110 may connect to the WLAN 500 while communicating with the WWAN terminal 200 using WLAN.
(2) Storage unit 120
The storage unit 120 records data on and reproduces data from a predetermined recording medium. For example, the storage unit 120 may store information received from the WWAN terminal 200 by the wireless communication unit 110.
(3) Control unit 130
The control unit 130 functions as an arithmetic processing device and a control device, and controls overall operation within the WLAN terminal 100 according to various programs.
For example, the control unit 130 has a function of receiving, from the WWAN terminal 200 via the wireless communication unit 110, authentication information generated by the authentication server 340 using the network information of the WLAN 500, and of performing authentication to the WLAN 500 using that authentication information via the wireless communication unit 110. That is, the WLAN terminal 100 acquires the authentication information generated by the authentication server 340 via the WWAN terminal 200 and uses the acquired authentication information to authenticate to the WLAN 500. As a result, the WLAN terminal 100 can acquire the authentication information by way of the WWAN terminal 200 even in situations where it is difficult to acquire it from the authentication server 340 on its own, for example because it has no WWAN communication function. In addition, by using the authentication information generated by the authentication server 340, the WLAN terminal 100 can connect to a secure WLAN 500 and can avoid connecting to a network with a high security risk, such as the risk of eavesdropping. Thus, even when the WLAN terminal 100 does not support Wi-Fi CERTIFIED Passpoint, it can obtain the same level of security and connection convenience as when it does.
The network information may include at least one of the items of information obtained by probe processing, such as the SSID of the WLAN 500, channel information, and RSSI information. The network information may also include information indicating the result of an inquiry made using ANQP (Access Network Query Protocol), such as the NAI (Network Access Identifier) relating to the authentication method and the list of available service providers.
The authentication server 340 generates the authentication information using the network information received from the WWAN terminal 200. The network information may be collected by the WLAN terminal 100 or by the WWAN terminal 200. In either case, the network information is actually collected by the WLAN terminal 100 itself or by the WWAN terminal 200 located near the WLAN terminal 100. For this reason, the WLAN terminal 100 can receive a connection service that is more accurate with respect to usable area and radio wave strength than a method using ANDSF.
When the WLAN terminal 100 collects the network information, for example, the control unit 130 collects it via the wireless communication unit 110. Specifically, when the wireless communication unit 110 receives a beacon emitted by the base station 510, the control unit 130 causes it to transmit a probe request and thereby acquires the network information of the WLAN 500. Alternatively, when the WLAN terminal 100 supports Wi-Fi CERTIFIED Passpoint, the control unit 130 may query the WLAN 500 for ANQP information via the wireless communication unit 110. The control unit 130 then transmits the collected network information to the WWAN terminal 200 via the wireless communication unit 110.
When there are one or more connection candidate WLANs 500, the control unit 130 may perform authentication to one WLAN 500 selected from the one or more WLANs 500. For example, the control unit 130 may select the connection-destination WLAN 500 based on RSSI information, channel information, or the like. Alternatively, the control unit 130 may select the connection-destination WLAN 500 based on device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500. The device information can include, for example, a MAC address and a model name. The information indicating the purpose can include, for example, information indicating an application executed on the WLAN terminal 100 and information indicating a service used by the WLAN terminal 100. Basing the choice on such information allows the control unit 130 to select a more suitable connection destination. This selection may instead be performed by a device other than the WLAN terminal 100, such as the authentication server 340, the base station 310, or the WWAN terminal 200. In that case, information indicating the selection result, that is, which WLAN 500 should be the connection destination, may also be regarded as authentication information. On the premise that the WLAN terminal 100 and the WWAN terminal 200 are paired, the WLAN terminal 100 may transmit to the WWAN terminal 200 information that helps another device select an appropriate connection destination. For example, the control unit 130 may transmit at least one of the device information of the WLAN terminal 100, the capability information, or the information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200 via the wireless communication unit 110. The other device can then select an appropriate connection destination for the WLAN terminal 100 based on this information.
The control unit 130 may authenticate to the WLAN 500 by an authentication process that uses an electronic certificate. For example, the control unit 130 authenticates to the WLAN 500 by EAP authentication using an electronic certificate issued by the authentication server 340. When EAP-TLS is adopted as the authentication protocol, the authentication information includes an electronic certificate issued by the authentication server 340. When EAP-TTLS is adopted as the authentication protocol, the authentication information includes an ID and a password issued by the authentication server 340. By using the authentication information generated by the authentication server 340, the WLAN terminal 100 can easily connect to the WLAN 500 even when it does not have subscriber identification information.
The control unit 130 may also authenticate to the WLAN 500 by an authentication process that uses subscriber identification information. For example, the control unit 130 authenticates to the WLAN 500 by EAP authentication using the subscriber identification information held by the WWAN terminal 200. Specifically, for example, the control unit 130 receives authentication information based on the subscriber identification information from the WWAN terminal 200 through the wireless communication unit 110, and authenticates to the WLAN 500 using that authentication information through the wireless communication unit 110. In more detail, the control unit 130 controls a relay process that relays the messages exchanged between the WWAN terminal 200 and the WLAN 500 for the authentication process performed by the WWAN terminal 200. For example, the control unit 130 causes the wireless communication unit 110 to transmit to the WWAN terminal 200 a message for authentication to the WLAN 500 (a first message) that the wireless communication unit 110 has received. This message is, for example, a message requesting generation of authentication information. The control unit 130 also causes the wireless communication unit 110 to transmit, to the base station 510 that operates the WLAN 500, a message (a second message) that the wireless communication unit 110 has received from the WWAN terminal 200 and that contains the authentication information generated by the WWAN terminal 200. Through this message relay process, the WLAN terminal 100 can have the WWAN terminal 200 perform the EAP-based authentication process to the WLAN 500 on its behalf. For this reason, the WLAN terminal 100 can easily connect to the WLAN 500 even when it does not have subscriber identification information.
Note that the messages relayed by the WLAN terminal 100 may be messages for an authentication process using EAP. For example, the first message may be EAP-Request/Identity and the second message may be EAP-Response/Identity. Likewise, the first message may be EAP-Request/AKA-Challenge and the second message may be EAP-Response/AKA-Challenge. In the following, EAP-AKA is described as an example of an authentication protocol that uses subscriber identification information, but another authentication protocol that uses subscriber information in the authentication process, such as EAP-SIM or EAP-AKA', may be adopted.
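The relay role that the preceding paragraphs give to the WLAN terminal 100 can be sketched as follows. This is an added example, not code from the patent: the `EapRelay` class, its validation policy (forward only Identity and EAP-SIM/AKA/AKA' requests, accept a response only when its Identifier and Type match the pending request) and all sample payload bytes are assumptions, while the EAP header layout and type numbers follow RFC 3748, RFC 4186, RFC 4187 and RFC 5448.

```python
import struct

# EAP codes and method types from RFC 3748 / 4186 / 4187 / 5448.
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, EAP_SIM, EAP_AKA, EAP_AKA_PRIME = 1, 18, 23, 50
RELAYED_TYPES = {IDENTITY, EAP_SIM, EAP_AKA, EAP_AKA_PRIME}


class EapError(ValueError):
    """Raised for frames the relay refuses to forward."""


def build_eap(code, ident, eap_type=None, data=b""):
    """Serialise one EAP packet (used here only to construct sample frames)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(frame):
    """Return (code, identifier, type or None, packet bytes without padding)."""
    if len(frame) < 4:
        raise EapError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise EapError("Length field does not fit the frame")
    if code in (SUCCESS, FAILURE):
        if length != 4:
            raise EapError("Success/Failure must carry no data")
        return code, ident, None, frame[:4]
    if code not in (REQUEST, RESPONSE) or length < 5:
        raise EapError("not a well-formed Request/Response")
    return code, ident, frame[4], frame[:length]


class EapRelay:
    """Hypothetical relay logic for control unit 130 of the WLAN terminal."""

    def __init__(self):
        self.pending = None   # (identifier, type) of the request awaiting a reply
        self.to_wwan = []     # frames handed to the paired link (first messages)
        self.to_ap = []       # frames handed to the WLAN link (second messages)

    def from_base_station(self, frame):
        code, ident, eap_type, packet = parse_eap(frame)
        if code in (SUCCESS, FAILURE):
            self.pending = None
            return "success" if code == SUCCESS else "failure"
        if code != REQUEST or eap_type not in RELAYED_TYPES:
            raise EapError("only Identity and SIM/AKA requests are relayed")
        self.pending = (ident, eap_type)
        self.to_wwan.append(packet)
        return "relayed"

    def from_wwan_terminal(self, frame):
        code, ident, eap_type, packet = parse_eap(frame)
        # Policy assumption: the reply must reuse the request's Identifier and Type.
        if code != RESPONSE or self.pending != (ident, eap_type):
            raise EapError("response does not answer the pending request")
        self.pending = None
        self.to_ap.append(packet)
        return "relayed"


def demo():
    """Run a constructed exchange; all payload bytes are placeholders."""
    relay = EapRelay()
    events = []
    # EAP-Request/Identity -> EAP-Response/Identity
    events.append(relay.from_base_station(build_eap(REQUEST, 1, IDENTITY)))
    events.append(relay.from_wwan_terminal(
        build_eap(RESPONSE, 1, IDENTITY, b"constructed-id@example.invalid")))
    # EAP-Request/AKA-Challenge (subtype 1) -> EAP-Response/AKA-Challenge
    challenge = bytes([1, 0, 0]) + bytes(40)   # subtype, reserved, dummy attributes
    events.append(relay.from_base_station(build_eap(REQUEST, 2, EAP_AKA, challenge)))
    # A stale response reusing identifier 1 must not reach the base station.
    try:
        relay.from_wwan_terminal(build_eap(RESPONSE, 1, EAP_AKA, challenge))
    except EapError:
        events.append("rejected")
    events.append(relay.from_wwan_terminal(
        build_eap(RESPONSE, 2, EAP_AKA, bytes([1, 0, 0]) + bytes(24))))
    events.append(relay.from_base_station(build_eap(SUCCESS, 2)))
    return relay, events


if __name__ == "__main__":
    print(demo()[1])
```

The relay only ever handles opaque EAP packets; in this sketch the material derived from the subscriber identification module stays on the WWAN terminal side, which is the property the description relies on.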
When EAP authentication using an electronic certificate or subscriber identification information is adopted, authentication to the WLAN 500 is performed without requiring any user operation, which improves user convenience. User convenience is also improved when the WLAN terminal 100 continues searching after connecting to the WLAN 500 and switches its connection-destination network, because no user operation is required in that case either.
The configuration example of the WLAN terminal 100 according to the present embodiment has been described above. Next, a configuration example of the WWAN terminal 200 according to the present embodiment will be described with reference to FIG. 5.
<2.3. Configuration example of WWAN terminal>
FIG. 5 is a block diagram illustrating an example of a logical configuration of the WWAN terminal 200 according to the present embodiment. As illustrated in FIG. 5, the WWAN terminal 200 includes a wireless communication unit 210, a storage unit 220, a subscriber identification module 230, and a control unit 240.
(1) Wireless communication unit 210
The wireless communication unit 210 is a communication module that transmits and receives data to and from external devices. The wireless communication unit 210 can perform wireless communication using various communication methods. For example, the wireless communication unit 210 includes a WWAN module 212 and can perform wireless communication using the WWAN 300. The wireless communication unit 210 also includes a WLAN module 214 and can perform wireless communication using Wi-Fi or WLAN, a BT module 216 and can perform wireless communication using Bluetooth, and an NFC module 218 and can perform wireless communication using NFC.
For example, the wireless communication unit 210 can function as a fourth wireless communication unit that performs pairing and wireless communication with the WLAN terminal 100. For example, the wireless communication unit 210 performs pairing and wireless communication with the WLAN terminal 100 using a short-range wireless communication method such as NFC, Bluetooth, Bluetooth Low Energy, Wi-Fi Direct, or WLAN. Alternatively, the wireless communication unit 210 may perform pairing and wireless communication with the WLAN terminal 100 using a short-range wireless communication method such as ZigBee or IrDA (Infrared Data Association). The wireless communication unit 210 can also function, through the WWAN module 212, as a third wireless communication unit that connects to the WWAN 300 and performs wireless communication. For example, the wireless communication unit 210 communicates with the authentication server 340 via the WWAN module 212. In addition, the wireless communication unit 210 can function, through the WLAN module 214, as a fifth wireless communication unit that connects to the WLAN 500 and performs wireless communication. For example, the wireless communication unit 210 communicates with the base station 510 via the WLAN module 214.
(2) Storage unit 220
The storage unit 220 records data on and reproduces data from a predetermined recording medium. For example, the storage unit 220 may store information received from the WWAN 300 by the wireless communication unit 210. For example, the storage unit 220 may store device information of the WLAN terminal 100 with which pairing has been established, capability information, or information indicating the purpose of wireless communication with the WLAN 500.
(3) Subscriber identification module 230
The subscriber identification module 230 functions as a storage unit that stores subscriber identification information for the WWAN 300. For example, the subscriber identification module 230 is realized by a SIM card.
(4) Control unit 240
The control unit 240 functions as an arithmetic processing device and a control device, and controls overall operation within the WWAN terminal 200 according to various programs.
For example, the control unit 240 has a function of transmitting the network information of the WLAN 500 to the authentication server 340 via the wireless communication unit 210. The control unit 240 also has a function of transmitting, to the WLAN terminal 100 via the wireless communication unit 210, the authentication information for authentication to the WLAN 500 that the authentication server 340 generated using the network information. That is, the WWAN terminal 200 relays the transmission of authentication information from the authentication server 340 to the WLAN terminal 100. This makes it possible for the WLAN terminal 100 to authenticate successfully to the WLAN 500 even in situations where it is difficult for the WLAN terminal 100 to acquire authentication information from the authentication server 340 on its own, for example because it has no WWAN communication function.
The network information may be collected by the WLAN terminal 100 or by the WWAN terminal 200. When it is collected by the WLAN terminal 100, for example, the wireless communication unit 210 receives the network information from the WLAN terminal 100. When the WWAN terminal 200 collects it, for example, the control unit 240 collects the network information via the wireless communication unit 210. Specifically, when the wireless communication unit 210 receives a beacon emitted by the base station 510, the control unit 240 causes it to transmit a probe request and thereby acquires the network information of the WLAN 500. Alternatively, when the WWAN terminal 200 supports Wi-Fi CERTIFIED Passpoint, the control unit 240 may query the WLAN 500 for ANQP information via the wireless communication unit 210.
When there are one or more connection candidate WLANs 500, the control unit 240 may select, from the one or more WLANs 500, the WLAN 500 to which the WLAN terminal 100 should connect. In that case, the control unit 240 may transmit authentication information for authentication to the one WLAN 500 selected from the one or more WLANs 500 to the WLAN terminal 100 via the wireless communication unit 210. For example, the control unit 240 may select the WLAN 500 to which the WLAN terminal 100 should connect based on RSSI information, channel information, device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500. The control unit 240 may also control the wireless communication unit 210 so that the device information of the WLAN terminal 100, the capability information, or the information indicating the purpose of wireless communication with the WLAN 500 received from the WLAN terminal 100 is forwarded to the authentication server 340.
The control unit 240 may support authentication by the WLAN terminal 100 using an electronic certificate. For example, the control unit 240 controls the wireless communication unit 210 so that the electronic certificate, or the ID and password, issued by the authentication server 340 is received from the authentication server 340 and transmitted to the WLAN terminal 100.
The control unit 240 may also support authentication by the WLAN terminal 100 using subscriber identification information. For example, the control unit 240 generates authentication information based on the subscriber identification information stored in the subscriber identification module 230 and transmits the authentication information to the WLAN terminal 100 through the wireless communication unit 210. Specifically, the control unit 240 performs the authentication process based on the messages relayed by the WLAN terminal 100. For example, the control unit 240 performs the authentication process and generates authentication information based on a message (the first message), received from the WLAN terminal 100 by the wireless communication unit 210, that the WLAN terminal 100 needs in order to authenticate to the WLAN 500. This message is, for example, a message requesting generation of authentication information. The control unit 240 then transmits a message (the second message) containing the generated authentication information to the WLAN terminal 100 through the wireless communication unit 210.
The control unit 240 may perform an authentication process using EAP based on the messages relayed by the WLAN terminal 100 and thereby generate the authentication information. As described above, the control unit 240 may perform the authentication process using any authentication protocol that uses subscriber information in the authentication process, such as EAP-AKA, EAP-SIM, or EAP-AKA'. By having its messages relayed by the WLAN terminal 100, the control unit 240 can perform the EAP-based authentication process to the WLAN 500 on behalf of the WLAN terminal 100. For this reason, the WWAN terminal 200 can enable the WLAN terminal 100 to connect easily to the WLAN 500 even when the WLAN terminal 100 does not have subscriber identification information. In addition, since the WWAN terminal 200 does not directly transmit the subscriber identification information or the like to the WLAN terminal 100, security can be ensured.
The configuration example of the WWAN terminal 200 according to the present embodiment has been described above. Next, a configuration example of the authentication server 340 according to the present embodiment will be described with reference to FIG. 6.
<2.4. Configuration example of authentication server>
FIG. 6 is a block diagram illustrating an example of a logical configuration of the authentication server 340 according to the present embodiment. As illustrated in FIG. 6, the authentication server 340 includes a communication unit 341, a storage unit 342, and a control unit 343.
(1) Communication unit 341
The communication unit 341 is a communication module that transmits and receives data to and from external devices. The communication unit 341 can perform wireless communication using various wired/wireless communication methods. The communication unit 341 according to the present embodiment communicates, either directly or indirectly via an arbitrary communication node, with the WWAN terminal 200 that connects to the WWAN 300 and performs wireless communication, and with the WLAN terminal 100 that connects to the WLAN 500 and performs wireless communication. The communication unit 341 receives network information from the WWAN terminal 200 and transmits authentication information to the WWAN terminal 200.
(2) Storage unit 342
The storage unit 342 records data on and reproduces data from a predetermined recording medium. For example, the storage unit 342 stores information received from the WLAN terminal 100 or the WWAN terminal 200 by the communication unit 341.
(3) Control unit 343
The control unit 343 functions as an arithmetic processing device and a control device, and controls overall operation within the authentication server 340 according to various programs.
For example, the control unit 343 generates authentication information based on the received network information. For example, when the NAI included in the network information includes EAP-TLS, the control unit 343 issues an electronic certificate. When the NAI included in the network information includes EAP-TTLS, the control unit 343 issues an ID and a password. The control unit 343 may also select the WLAN 500 to which the WLAN terminal 100 should connect based on RSSI information, channel information, device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500. The control unit 343 generates, as the authentication information, information indicating what it has issued or selected.
The control unit 343 may also issue an electronic certificate for the base station 510. The control unit 343 transmits the generated electronic certificate to the base station 510 via the communication unit 341. This enables the base station 510 to perform authentication using the electronic certificate.
The configuration example of the authentication server 340 according to the present embodiment has been described above. Next, the operation processing performed by the wireless communication system 1 according to the present embodiment will be described with reference to FIGS. 7 to 10.
<2.5. Operation processing>
(1) First connection processing example
In this connection processing example, the WWAN terminal 200 collects the network information, and EAP authentication using an electronic certificate is adopted as the authentication protocol. FIG. 7 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 7, the authentication server 340, the base station 310, the WWAN terminal 200, the WLAN terminal 100, and the base station 510 are involved in this sequence.
As shown in FIG. 7, first, in step S102, the WLAN terminal 100 and the WWAN terminal 200 establish pairing. For example, the WLAN terminal 100 and the WWAN terminal 200 establish a communication path using Bluetooth, Wi-Fi Direct, NFC, or the like. After pairing is established, the WLAN terminal 100 may transmit device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200.
Next, in step S104, the WWAN terminal 200 collects the network information of the WLAN 500. For example, the WWAN terminal 200 performs probe processing or an ANQP information inquiry. As a result, in step S106, the WWAN terminal 200 acquires the network information from the base station 510.
Next, in step S108, the WWAN terminal 200 transmits the network information to the authentication server 340 via the base station 310.
Next, in step S110, the authentication server 340 generates authentication information. For example, when the NAI included in the network information includes EAP-TLS, the authentication server 340 issues an electronic certificate. When the NAI included in the network information includes EAP-TTLS, the authentication server 340 issues an ID and a password. The authentication server 340 may also select the WLAN 500 to which the WLAN terminal 100 should connect based on at least one of the channel information and the RSSI information. The authentication server 340 generates, as the authentication information, information indicating what it has issued and selected.
 次に、ステップS112で、認証サーバ340は、基地局310を介してWWAN端末200へ、生成した認証情報を送信する。 Next, in step S112, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 310.
 次いで、ステップS114で、WWAN端末200は、認証サーバ340から受信した認証情報をWLAN端末100へ送信する。 Next, in step S114, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 to the WLAN terminal 100.
 そして、ステップS116で、WLAN端末100は、WWAN端末200から受信した認証情報を用いて基地局510との間で認証処理を行う。例えば、WLAN端末100は、電子証明書を用いたEAP-TLS方式の認証処理、又はID及びパスワードを用いたEAP-TTLS方式の認証処理を行う。 In step S116, the WLAN terminal 100 performs authentication processing with the base station 510 using the authentication information received from the WWAN terminal 200. For example, the WLAN terminal 100 performs an EAP-TLS authentication process using an electronic certificate or an EAP-TTL authentication process using an ID and a password.
 これにより、ステップS118で、WLAN端末100と基地局510との間で接続が確立する。WLAN端末100は、基地局510を介してサービスネットワーク400を利用する。利用し得るサービスとしては、例えばVoice over Wi-Fi、Video over Wi-Fi等のIMSサービスが考えられる。 Thereby, a connection is established between the WLAN terminal 100 and the base station 510 in step S118. The WLAN terminal 100 uses the service network 400 via the base station 510. Examples of services that can be used include IMS services such as Voice over Wi-Fi and Video over Wi-Fi.
(2) Second Connection Processing Example
In this connection processing example, the WWAN terminal 200 collects the network information, and EAP authentication using subscriber identification information is adopted as the authentication protocol. FIG. 8 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 8, the authentication server 340, the base station 310, the WWAN terminal 200, the WLAN terminal 100, and the base station 510 are involved in this sequence. Except for steps S110 and S117, this sequence is as described above with reference to FIG. 7.
In step S110, the authentication server 340 generates authentication information. For example, when the NAI included in the network information includes EAP-SIM, EAP-AKA, or EAP-AKA', the authentication server 340 may omit issuing an electronic certificate or an ID and password. For example, the authentication server 340 selects the WLAN 500 to which the WLAN terminal 100 should connect, based on at least one of channel information and RSSI information. The authentication server 340 then generates, as the authentication information, information indicating what it has selected.
In step S117, the WLAN terminal 100 performs authentication processing for the WLAN 500 using the subscriber identification information of the WWAN terminal 200. Because a communication path such as Bluetooth, Wi-Fi Direct, or NFC has already been established between the WLAN terminal 100 and the WWAN terminal 200 in step S102, the messages for the EAP authentication processing are transmitted and received over this communication path. The EAP authentication processing using the subscriber identification information of the WWAN terminal 200 is described in detail below with reference to FIGS. 9 and 10.
FIGS. 9 and 10 are sequence diagrams showing an example of the flow of EAP authentication processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIGS. 9 and 10, the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, the authentication server 340, and the subscriber information server 330 are involved in this sequence. For the WLAN terminal 100 and the WWAN terminal 200, the communication modules used to exchange messages are written with the word "module" omitted. For example, a message whose start or end point is the WLAN (Wi-Fi) module 112 is transmitted or received by the WLAN module 112. The same applies to the BT module 114, the WWAN module 212, and the BT module 216.
As described above, a communication path is established between the WLAN terminal 100 and the WWAN terminal 200, and the messages for the EAP authentication processing are transmitted and received over this communication path. As an example, this sequence assumes that a wireless connection using Bluetooth is established between the WLAN terminal 100 and the WWAN terminal 200. Of course, the wireless connection may be established by any communication method other than Bluetooth, such as Wi-Fi Direct.
As shown in FIG. 9, first, in step S202, the WLAN terminal 100 performs Association with the base station 510. Through Association, the WLAN terminal 100 establishes a logical connection for authentication processing. At this point the WLAN terminal 100 cannot yet do anything other than authentication processing, such as data communication.
Next, in step S204, the WLAN terminal 100 transmits EAPoL-Start to the base station 510.
Next, in step S206, the base station 510 transmits EAP-Request/Identity to the WLAN terminal 100.
Next, in step S208, the WLAN terminal 100 transmits the EAP-Request/Identity received in step S206 to the WWAN terminal 200. This message requests the WWAN terminal 200 to generate the Identity required for EAP-AKA.
Next, in step S210, the WWAN terminal 200 refers to its own subscriber identification module 230 and generates the Identity. For example, the control unit 240 generates the Identity based on information recorded on the SIM card that serves as the subscriber identification module 230. When the authentication protocol is EAP-AKA, the Identity is generated from the IMSI.
The IMSI format is as follows.
  <MCC: 3 digits><MNC: 2 or 3 digits><MSIN: up to 10 digits>
Here, the MCC (Mobile Country Code) is information indicating the country, the MNC (Mobile Network Code) is information indicating the operator, and the MSIN (Mobile Subscriber Identification Number) is information indicating the subscriber identification code.
The Identity format is as follows.
  0<IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
For example, assume that the MNC has 3 digits and the IMSI is "123456012345678". In this case, the Identity is "0123456012345678@wlan.mnc456.mcc123.3gppnetwork.org". This completes the description of the Identity generation processing in step S210.
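The Identity construction described above, as an added Python example that is not part of the patent text. The zero-padding of a two-digit MNC to three digits in the realm and the leading digits "1" (EAP-SIM) and "6" (EAP-AKA') follow 3GPP TS 23.003 and are not stated on this page; the function names are hypothetical, and `check_identity` is an assumed receiver-side consistency check.

```python
import re

# Leading digit of the permanent identity. "0" (EAP-AKA) is the value shown in
# the text; "1" and "6" are taken from 3GPP TS 23.003, not from this page.
METHOD_PREFIX = {"EAP-AKA": "0", "EAP-SIM": "1", "EAP-AKA'": "6"}

_IDENTITY_RE = re.compile(
    r"(?P<prefix>[016])(?P<imsi>[0-9]{6,15})"
    r"@wlan\.mnc(?P<mnc>[0-9]{3})\.mcc(?P<mcc>[0-9]{3})\.3gppnetwork\.org"
)


def split_imsi(imsi, mnc_len):
    """Split an IMSI into (MCC, MNC, MSIN).

    The MNC length cannot be inferred from the digits alone, so the caller
    has to supply it (2 or 3) from the SIM or from operator data.
    """
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    if not re.fullmatch(r"[0-9]{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc, mnc, msin = imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    if len(msin) > 10:
        raise ValueError("MSIN longer than 10 digits")
    return mcc, mnc, msin


def build_identity(imsi, mnc_len, method="EAP-AKA"):
    """Build the Identity that step S210 places in EAP-Response/Identity."""
    mcc, mnc, _ = split_imsi(imsi, mnc_len)
    realm = "wlan.mnc{}.mcc{}.3gppnetwork.org".format(mnc.zfill(3), mcc)
    return "{}{}@{}".format(METHOD_PREFIX[method], imsi, realm)


def check_identity(identity, mnc_len):
    """Parse a received Identity and reject one whose realm does not match
    the MCC/MNC embedded in its own IMSI (assumed receiver-side check)."""
    m = _IDENTITY_RE.fullmatch(identity)
    if m is None:
        raise ValueError("not a 3GPP WLAN permanent identity")
    mcc, mnc, msin = split_imsi(m["imsi"], mnc_len)
    if (m["mcc"], m["mnc"]) != (mcc, mnc.zfill(3)):
        raise ValueError("realm does not match the IMSI's MCC/MNC")
    return {"imsi": m["imsi"], "mcc": mcc, "mnc": mnc, "msin": msin}


if __name__ == "__main__":
    print(build_identity("123456012345678", 3))   # IMSI from the text
    print(build_identity("440101234567890", 2))   # constructed IMSI, 2-digit MNC
```
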
Next, in step S212, the WWAN terminal 200 returns EAP-Response/Identity to the WLAN terminal 100. This message stores the Identity generated in step S210.
Next, in step S214, the WLAN terminal 100 forwards the received EAP-Response/Identity to the base station 510.
Next, in step S216, the base station 510 transmits RADIUS-Access-Request to the authentication server 340. This message stores the Identity generated by the WWAN terminal 200.
Next, in step S218, the authentication server 340 transmits Retrieve-Authentication-Vector to the subscriber information server 330 to request an authentication vector for the Identity. This message stores the Identity generated by the WWAN terminal 200. An authentication vector is the set of information required to authenticate a terminal that is trying to connect. In the case of EAP-AKA, it consists of the following information.
  RAND: random value, used as the challenge.
  AUTN: value with which the terminal authenticates the network.
  XRES: expected response value for the challenge.
  IK: key for verifying message integrity.
  CK: key for message encryption.
Next, in step S220, the subscriber information server 330 executes the AKA algorithm and generates the authentication vector corresponding to the Identity stored in the received message.
Next, as shown in FIG. 10, in step S222, the subscriber information server 330 transmits the generated authentication vector to the authentication server 340.
Next, in step S224, the authentication server 340 transmits RADIUS-Access-Challenge to the base station 510. This message stores the authentication vector generated by the subscriber information server 330. Here, the authentication server 340 newly calculates a MAC (Message Authentication Code) and adds it to the message. The WLAN terminal 100 uses this MAC to verify the integrity of the message.
Next, in step S226, the base station 510 transmits EAP-Request/AKA-Challenge to the WLAN terminal 100. This message includes RAND and AUTN of the authentication vector, and the MAC. XRES, IK, and CK of the authentication vector are held by the base station 510 and are not transmitted to the WLAN terminal 100.
Next, in step S228, the WLAN terminal 100 transmits EAP-Request/AKA-Challenge to the WWAN terminal 200. This message requests the WWAN terminal 200 to generate a response value (RES) and session keys (IK, CK).
Next, in step S230, the WWAN terminal 200 executes the AKA algorithm and generates the RES, MAC, and session keys (IK, CK) corresponding to the received EAP-Request/AKA-Challenge.
Next, in step S232, the WWAN terminal 200 transmits EAP-Response/AKA-Challenge to the WLAN terminal 100. This message stores the RES, MAC, and session keys generated by the WWAN terminal 200.
Next, in step S234, the WLAN terminal 100 forwards the received EAP-Response/AKA-Challenge to the base station 510.
Next, in step S236, the base station 510 transmits RADIUS-Access-Request to the authentication server 340. This message stores the RES, MAC, and session keys (IK, CK) generated by the WWAN terminal 200.
Next, in step S238, the authentication server 340 verifies the received RES. Specifically, the authentication server 340 verifies that the RES generated by the WWAN terminal 200 matches the XRES generated by the subscriber information server 330, and verifies the integrity of the message using the MAC.
Next, in step S240, the authentication server 340 transmits RADIUS-Access-Accept to the base station 510. This message indicates that the connection is permitted.
Next, in step S242, the base station 510 transmits EAP-Success to the WLAN terminal 100. This message indicates to the WLAN terminal 100 that the authentication processing has succeeded.
Next, in step S244, the base station 510 transmits EAPoL-Key to the WLAN terminal 100. This message delivers the key for encrypted communication used between the WLAN terminal 100 and the base station 510.
Through the EAP authentication processing described above, in step S246, the connection for WLAN communication between the WLAN terminal 100 and the base station 510 is completed. Data communication using, for example, Wi-Fi is thereby started between the WLAN terminal 100 and the base station 510.
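The challenge-response exchange of steps S216 to S238, as an added Python simulation that is not the patent's code. HMAC-SHA-256 stands in for the card's AKA functions and for the MAC key derivation, AUTN is simplified to a sequence number plus a MAC, the subscriber key is constructed, and only RES and the MAC are forwarded beyond the WLAN terminal (as in RFC 4187), which is an assumption of this example.

```python
import hashlib
import hmac
import os

def f(key, label, data, n):
    """Stand-in for the SIM's AKA functions (real cards use e.g. MILENAGE)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]

def k_aut(identity, ik, ck):
    """Stand-in key derivation: message-MAC key bound to Identity, IK and CK."""
    return hashlib.sha256(identity.encode() + ik + ck).digest()[:16]

def msg_mac(key, *fields):
    """MAC over the concatenated (fixed-length) message fields."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()[:16]

class SubscriberInfoServer:
    """Server 330: holds each subscriber's long-term key and sequence number."""
    def __init__(self, keys):
        self._keys, self._sqn = dict(keys), dict.fromkeys(keys, 0)

    def vector(self, identity):                      # steps S218 to S222
        k = self._keys[identity]
        self._sqn[identity] += 1
        sqn, rand = self._sqn[identity].to_bytes(6, "big"), os.urandom(16)
        return {"RAND": rand, "AUTN": sqn + f(k, b"f1", sqn + rand, 8),
                "XRES": f(k, b"f2", rand, 8),
                "CK": f(k, b"f3", rand, 16), "IK": f(k, b"f4", rand, 16)}

class Sim:
    """Subscriber identification module 230 inside the WWAN terminal 200."""
    def __init__(self, k):
        self._k, self._last_sqn = k, 0

    def run_aka(self, rand, autn):                   # step S230
        sqn, mac_a = autn[:6], autn[6:]
        if not hmac.compare_digest(mac_a, f(self._k, b"f1", sqn + rand, 8)):
            raise ValueError("AUTN check failed")    # not from the home network
        if int.from_bytes(sqn, "big") <= self._last_sqn:
            raise ValueError("stale SQN")            # challenge seen before
        self._last_sqn = int.from_bytes(sqn, "big")
        return {"RES": f(self._k, b"f2", rand, 8),
                "CK": f(self._k, b"f3", rand, 16), "IK": f(self._k, b"f4", rand, 16)}

class AuthServer:
    """Authentication server 340."""
    def __init__(self, hss):
        self._hss, self._pending = hss, {}

    def challenge(self, identity):                   # steps S216 to S224
        av = self._pending[identity] = self._hss.vector(identity)
        key = k_aut(identity, av["IK"], av["CK"])
        return {"RAND": av["RAND"], "AUTN": av["AUTN"],
                "MAC": msg_mac(key, av["RAND"], av["AUTN"])}

    def verify(self, identity, resp):                # step S238
        av = self._pending.pop(identity, None)       # one answer per challenge
        if av is None:
            return False
        key = k_aut(identity, av["IK"], av["CK"])
        res_ok = hmac.compare_digest(resp["RES"], av["XRES"])
        mac_ok = hmac.compare_digest(resp["MAC"], msg_mac(key, resp["RES"]))
        return res_ok and mac_ok

def wwan_terminal_answer(sim, identity, chal):       # steps S228 to S232 (Bluetooth hop)
    out = sim.run_aka(chal["RAND"], chal["AUTN"])
    return dict(out, MAC=msg_mac(k_aut(identity, out["IK"], out["CK"]), out["RES"]))

def wlan_terminal_relay(sim, identity, chal):        # steps S226 to S234
    ans = wwan_terminal_answer(sim, identity, chal)
    key = k_aut(identity, ans["IK"], ans["CK"])
    if not hmac.compare_digest(chal["MAC"], msg_mac(key, chal["RAND"], chal["AUTN"])):
        raise ValueError("challenge MAC mismatch")
    return {"RES": ans["RES"], "MAC": ans["MAC"]}    # IK and CK stay on the terminal

def demo():
    identity = "0123456012345678@wlan.mnc456.mcc123.3gppnetwork.org"  # from the text
    k = bytes(range(16))                             # constructed subscriber key
    server, sim = AuthServer(SubscriberInfoServer({identity: k})), Sim(k)
    chal = server.challenge(identity)
    results = {"genuine": server.verify(identity, wlan_terminal_relay(sim, identity, chal))}
    tampered = dict(server.challenge(identity), RAND=os.urandom(16))
    for name, bad in (("replayed", chal), ("tampered", tampered)):
        try:
            wlan_terminal_relay(sim, identity, bad)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    server.challenge(identity)
    forged = {"RES": os.urandom(8), "MAC": os.urandom(16)}
    results["forged"] = server.verify(identity, forged)
    return results
```

`demo()` returns the outcome of one genuine run and three failure cases: a replayed challenge and a challenge with a substituted RAND are both rejected by the SIM before any RES is produced, and a response with a guessed RES is rejected by the authentication server.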
(3) Third Connection Processing Example
In this connection processing example, the WLAN terminal 100 collects the network information, and EAP authentication using an electronic certificate or EAP authentication using subscriber identification information is adopted as the authentication protocol. FIG. 11 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 11, the authentication server 340, the base station 310, the WWAN terminal 200, the WLAN terminal 100, and the base station 510 are involved in this sequence.
As shown in FIG. 11, first, in step S302, the WLAN terminal 100 and the WWAN terminal 200 perform tethering. Specifically, the WWAN terminal 200 functions as a tethering access point. The WLAN terminal 100 connects to the WWAN terminal 200 as a WLAN client and uses the service network 400 via the base station 310. As a precondition for tethering, the WLAN terminal 100 and the WWAN terminal 200 have established pairing. After pairing is established, the WLAN terminal 100 may have transmitted its device information, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200.
Next, in step S304, the WWAN terminal 200 requests the WLAN terminal 100 to collect network information. Triggered by this request, in step S306, the WLAN terminal 100 collects network information of the WLAN 500. The processing here is the same as in step S104 above. As a result, in step S308, the WLAN terminal 100 acquires the network information from the base station 510. Next, in step S310, the WLAN terminal 100 forwards the acquired network information to the WWAN terminal 200.
Next, in step S312, the WWAN terminal 200 transmits the network information to the authentication server 340 via the base station 310.
Next, in step S314, the authentication server 340 generates authentication information. The processing here is as described above with reference to FIG. 7 or FIG. 8.
Next, in step S316, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 310.
Next, in step S318, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 to the WLAN terminal 100.
Then, in step S320, the WLAN terminal 100 performs authentication processing with the base station 510 using the authentication information received from the WWAN terminal 200. The processing here is as described above with reference to FIG. 7 or FIG. 8.
As a result, in step S322, a connection is established between the WLAN terminal 100 and the base station 510.
The first embodiment has been described above.
<<3. Second Embodiment>>
<3.1. Overview>
An overview of the wireless communication system 1 according to the present embodiment is given below with reference to FIG. 12.
FIG. 12 is a diagram for explaining the overview of the wireless communication system 1 according to the present embodiment. In the example shown in FIG. 12, the wireless communication system 1 includes the WWAN terminal 200. In the present embodiment, the WWAN terminal 200 itself connects to the WLAN 500 using the authentication information generated in the authentication server 340. Each device included in the wireless communication system 1 according to the present embodiment has the same functions as in the first embodiment. In addition, the WWAN terminal 200 has the functions that the WLAN terminal 100 had in the first embodiment. The functions characteristic of the WWAN terminal 200 according to the present embodiment are described below.
For example, the control unit 240 transmits the network information of the WLAN 500 to the authentication server 340 via the wireless communication unit 210, and performs authentication to the WLAN 500 via the wireless communication unit 210 using the authentication information generated in the authentication server 340. For example, the control unit 240 acquires the network information via the wireless communication unit 210. Next, the control unit 240 transmits the acquired network information to the authentication server 340 via the base station 310, and acquires the authentication information that the authentication server 340 generated based on the network information. The control unit 240 then connects to the WLAN 500 using the acquired authentication information. The control unit 240 may perform authentication processing using an electronic certificate, or authentication processing using its own subscriber identification information. By using the authentication information generated by the authentication server 340, the WWAN terminal 200 can connect to a secure WLAN 500 and can avoid connecting to a network with a high security risk, such as a risk of eavesdropping. As a result, even when the WWAN terminal 200 does not support Wi-Fi CERTIFIED Passpoint, it can obtain the same security and connection convenience as when it does.
For example, the control unit 240 may transmit at least one of device information of the WWAN terminal 200, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the authentication server 340 via the wireless communication unit 210. This allows devices other than the WWAN terminal 200, such as the authentication server 340, to select an appropriate connection destination for the WWAN terminal 200 based on this information.
The overview of the wireless communication system 1 according to the present embodiment has been described above. Next, operation processing by the wireless communication system 1 according to the present embodiment is described with reference to FIG. 13.
<3.2. Example of operation processing>
FIG. 13 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 13, the authentication server 340, the base station 310, the WWAN terminal 200, and the base station 510 are involved in this sequence.
As shown in FIG. 13, first, in step S402, the WWAN terminal 200 collects network information of the WLAN 500. For example, the WWAN terminal 200 performs probe processing or queries ANQP information. As a result, in step S404, the WWAN terminal 200 acquires the network information from the base station 510.
Next, in step S406, the WWAN terminal 200 transmits the network information to the authentication server 340 via the base station 310.
Next, in step S408, the authentication server 340 generates authentication information. For example, when the NAI included in the network information includes EAP-TLS, the authentication server 340 issues an electronic certificate. When the NAI included in the network information includes EAP-TTLS, the authentication server 340 issues an ID and a password. When the NAI included in the network information includes EAP-SIM, EAP-AKA, or EAP-AKA', the authentication server 340 may omit issuing an electronic certificate or an ID and password. The authentication server 340 may also select the WLAN 500 to which the WWAN terminal 200 should connect, based on at least one of channel information and RSSI information. The authentication server 340 generates, as the authentication information, information indicating what it has issued and selected.
Next, in step S410, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 310.
Then, in step S412, the WWAN terminal 200 performs authentication processing with the base station 510 using the received authentication information. For example, the WWAN terminal 200 may perform EAP-TLS authentication processing using an electronic certificate, or EAP-TTLS authentication processing using an ID and a password. The WWAN terminal 200 may also perform EAP-AKA, EAP-SIM, or EAP-AKA' authentication processing using the subscriber identification information stored in the subscriber identification module 230.
As a result, in step S118, a connection is established between the WWAN terminal 200 and the base station 510.
The second embodiment has been described above.
<<4. Third Embodiment>>
<4.1. Overview>
An overview of the wireless communication system 1 according to the present embodiment is given below with reference to FIG. 14.
FIG. 14 is a diagram for explaining the overview of the wireless communication system 1 according to the present embodiment. In the example shown in FIG. 14, the wireless communication system 1 includes the WLAN terminal 100 and the WWAN terminal 200. In the present embodiment, the WWAN terminal 200 is assumed to be already connected to the WLAN 500 and able to use the services provided by the service network 400. The WWAN terminal 200 acquires, via the base station 510, the authentication information that the WLAN terminal 100 needs to authenticate to the WLAN 500, and transmits it to the WLAN terminal 100. This allows the WLAN terminal 100 to connect to a secure WLAN 500. Each device included in the wireless communication system 1 according to the present embodiment has the same functions as in the first embodiment. The functions characteristic of the present embodiment are described below.
For example, the control unit 240 of the WWAN terminal 200 transmits a message requesting generation of authentication information to the base station 510 via the wireless communication unit 210. This message may include at least one of device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500.
For example, the authentication server 340 generates the authentication information based on the above message received from the base station 510. Here, the WWAN terminal 200 is already connected to the WLAN 500. The authentication server 340 may therefore use the network information of the WWAN terminal 200 (authentication method, channel information, RSSI information, connection time, and so on). Of course, the authentication server 340 may also use the device information of the WLAN terminal 100, the capability information, or the information indicating the purpose of wireless communication with the WLAN 500 included in the message. In this way, the authentication server 340 can generate the authentication information by making use of the fact that the WWAN terminal 200 is already connected to the WLAN 500.
The overview of the wireless communication system 1 according to the present embodiment has been described above. Next, operation processing by the wireless communication system 1 according to the present embodiment is described with reference to FIG. 15.
<4.2. Example of operation processing>
FIG. 15 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 15, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence.
As shown in FIG. 15, first, in step S502, the WWAN terminal 200 establishes a connection with the base station 510. The WWAN terminal 200 may establish the connection by, for example, the method described above in the second embodiment, or by any other method.
Next, in step S504, the WLAN terminal 100 and the WWAN terminal 200 establish pairing. After the pairing is established, the WLAN terminal 100 may transmit device information of the WLAN terminal 100, capability information, or information indicating the purpose of wireless communication with the WLAN 500 to the WWAN terminal 200.
Next, in step S506, the WWAN terminal 200 transmits a message requesting generation of authentication information to the authentication server 340 via the base station 510.
Next, in step S508, the authentication server 340 generates authentication information. For example, when the authentication method used by the WWAN terminal 200 includes EAP-TLS, the authentication server 340 issues an electronic certificate. When the authentication method used by the WWAN terminal 200 includes EAP-TTLS, the authentication server 340 issues an ID and a password. Here, the authentication server 340 may use the device information of the WLAN terminal 100 or the like to issue an electronic certificate, or an ID and password, that can identify the WLAN terminal 100. When the authentication method used by the WWAN terminal 200 includes EAP-SIM, EAP-AKA, or EAP-AKA', the authentication server 340 may omit issuing an electronic certificate or an ID and password. Further, the authentication server 340 may select the WLAN 500 to which the WLAN terminal 100 should connect based on at least one of the channel information or the RSSI information of the WWAN terminal 200. The authentication server 340 generates, as the authentication information, information indicating what it has issued and selected.
Next, in step S510, the authentication server 340 transmits the generated authentication information to the WWAN terminal 200 via the base station 510.
Next, in step S512, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 to the WLAN terminal 100.
Then, in step S514, the WLAN terminal 100 performs authentication processing with the base station 510 using the authentication information received from the WWAN terminal 200. The processing here is as described above with reference to FIG. 7 or FIG. 8.
As a result, in step S516, a connection is established between the WLAN terminal 100 and the base station 510.
The third embodiment has been described above.
<< 5. Fourth Embodiment >>
<5.1. Overview>
In the present embodiment, authentication information using device information is generated in the authentication server 340. In the present embodiment, authentication information is acquired in stages. Each device included in the wireless communication system 1 according to the present embodiment has the same function as that of the first embodiment. Hereinafter, assuming the wireless communication system 1 shown in FIG. 2 as an example, functions characteristic of the present embodiment will be described.
For example, the control unit 130 of the WLAN terminal 100 authenticates to the WLAN 500 using authentication information that the authentication server 340 generated from the device information of at least one of the WLAN terminal 100 or the WWAN terminal 200. Examples of the device information include the MAC address and the BD address of the WLAN terminal 100 and the MSISDN (Mobile Subscriber Integrated Services Digital Network Number) of the WWAN terminal 200. With this device information, the authentication server 340 can generate authentication information intended for a specific terminal.
For example, the control unit 130 of the WLAN terminal 100 authenticates to the WLAN 500 using another part of the authentication information, which it acquires over a communication path formed after authentication using one part of the authentication information. By using the communication path formed after authentication with the first part, the WLAN terminal 100 can increase the confidentiality of the other part. The first part is desirably information with a small amount of data, such as a one-time password. This is to reduce the amount of data transmitted from the WWAN terminal 200 to the WLAN terminal 100 via Bluetooth, NFC, or the like.
The outline of the wireless communication system 1 according to the present embodiment has been described above. Next, operation processing by the wireless communication system 1 according to the present embodiment will be described with reference to FIG. 16.
<5.2. Example of operation processing>
FIG. 16 is a sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 16, the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence. In this sequence, the “authentication process” in each of the above embodiments is expressed in more detail by dividing it into a “connection authentication process” and a “service authentication process”.
As shown in FIG. 16, first, in step S602, the WLAN terminal 100 and the WWAN terminal 200 establish pairing. After the pairing is established, the WLAN terminal 100 may transmit the device information of the WLAN terminal 100 to the WWAN terminal 200.
Next, in step S604, the WWAN terminal 200 transmits an authentication information request message for requesting authentication information to the authentication server 340. For example, the WWAN terminal 200 authenticates with the authentication server 340 using EAP-AKA or the like, then establishes an IP connection with the base station 510 and transmits the authentication information request message to the authentication server 340. This authentication information request message may include at least one of the MAC address of the WLAN terminal 100, the BD address, or the MSISDN of the WWAN terminal 200. The authentication information request message may further include network information. The authentication information request message may be transmitted to the authentication server 340 via the base station 510 or via the base station 310.
Next, in step S606, the authentication server 340 generates authentication information using the device information received in step S604. For example, the authentication server 340 may generate an IMPI (IP Multimedia Private Identity), an IMPU (IP Multimedia Public Identity), and a password as authentication information for an IMS (IP Multimedia Subsystem) service. The authentication server 340 may also generate a terminal identifier, a certificate, a one-time password used to access the authentication server 340, and the like as authentication information for connection authentication with an ePDG (Evolved Packet Data Gateway) or the like. As the certificate, the authentication server 340 may generate a certificate for EAP authentication such as EAP-TLS, or a certificate for encryption such as IPsec (Security Architecture for Internet Protocol). However, the wireless terminal (the WLAN terminal 100 or the WWAN terminal 200) may already hold the certificate for encryption such as IPsec. The ePDG is the gateway to which a wireless terminal connects when untrusted non-3GPP IP access, that is, non-3GPP wireless access with low security reliability such as a public WLAN, is accommodated.
Next, in step S608, the authentication server 340 transmits authentication information to the WWAN terminal 200. The authentication information transmitted at this time is a part of the authentication information generated in step S606. For example, the authentication server 340 transmits the one-time password and the certificate. The authentication information may be transmitted to the WWAN terminal 200 via the base station 510 or via the base station 310.
Next, in step S610, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 in step S608 to the WLAN terminal 100.
Next, in step S612, the WLAN terminal 100 uses the authentication information received from the WWAN terminal 200 in step S610 to transmit an additional authentication information request message, which requests additional authentication information, to the authentication server 340. For example, the WLAN terminal 100 connects to the authentication server 340 using the one-time password. The WLAN terminal 100 then establishes a secure communication path, such as certificate-based TLS, with the authentication server 340. Over the established communication path, the WLAN terminal 100 requests the authentication server 340 to transmit the additional authentication information.
Next, in step S614, the authentication server 340 transmits the additional authentication information to the WLAN terminal 100. The authentication information transmitted at this time is the part of the authentication information generated in step S606 that was not transmitted in step S608. For example, the authentication server 340 transmits the authentication information for the IMS service and the authentication information for connection authentication with the ePDG or the like to the WLAN terminal 100 as the additional authentication information.
Next, in step S616, the WLAN terminal 100 performs connection authentication processing using the additional authentication information received from the authentication server 340 in step S614. For example, the WLAN terminal 100 performs authentication processing with the authentication server 340 using the terminal identifier, the certificate, and the like included in the additional authentication information received from the authentication server 340, and establishes a communication path using TLS or the like. The WLAN terminal 100 may further establish a secure communication path using IPsec or the like. For the authentication, the WLAN terminal 100 may employ an authentication protocol such as EAP-AKA, EAP-SIM, or EAP-AKA' that uses the subscriber identification information of the WWAN terminal 200. When IPsec is used, the WLAN terminal 100 may use IKEv2 (Internet Key Exchange) or the like as the key management method.
Next, in step S618, the WLAN terminal 100 performs service authentication processing using the additional authentication information received from the authentication server 340 in step S614. For example, the WLAN terminal 100 performs authentication processing such as IMS-AKA using the authentication information for the IMS service and establishes an IMS session. The WLAN terminal 100 may use information such as the IMPI or the IMPU for the authentication and, as in step S616, may establish a secure communication path using IPsec or the like. The WLAN terminal 100 may also perform the IMS authentication processing using the subscriber identification information of the WWAN terminal 200. The authentication processing in steps S616 and S618 may be performed by a device other than the authentication server 340.
As a result, in step S620, service to the WLAN terminal 100 is started. Examples of the service include IMS services such as Voice over Wi-Fi and Video over Wi-Fi.
<5.3. Relationship between authentication method and public WLAN>
Table 1 below shows the relationship between each EAP authentication method and public WLAN access points under Wi-Fi CERTIFIED Passpoint. Hereinafter, Wi-Fi CERTIFIED Passpoint is also referred to simply as Passpoint, and a public WLAN access point simply as an AP.
[Table 1: Figure JPOXMLDOC01-appb-T000001]
"OSU AP" in Table 1 denotes an Online Sign up AP. In L2 Auth (Layer 2 Authentication), authentication between the wireless terminal and the public WLAN is performed by Open Authentication or Anonymous EAP-TLS. In TLS Session, a TLS session for using HTTPS is established using the Passpoint Root Certificate that the wireless terminal holds in advance. In Registration, the wireless terminal registers the user's contact information, rate plan, billing information, and the like. In Provisioning, the username, password, certificate information, or the like of the Production AP, which are used to access the public WLAN service, are exchanged.
The OSU AP is an AP dedicated to sign-up. After Registration and Provisioning are complete, the wireless terminal disconnects once (Disassociation) and reconnects to the Production AP. The authentication information that the wireless terminal uses for this reconnection is the information received in Provisioning. When the ePDG is traversed as a gateway, the wireless terminal establishes an IPsec session between itself and the ePDG based on the information received in Provisioning, certificate information that the wireless terminal holds in advance, and the like. In establishing this session, the wireless terminal uses IKEv2 key management. Furthermore, when using multimedia services such as Voice over Wi-Fi and Video over Wi-Fi, the wireless terminal performs IMS-AKA authentication and starts using IMS.
As described above, OSU (Online Sign up) in Passpoint assumes the use of EAP-TLS/TTLS, and authentication protocols that use subscriber identification information, such as EAP-AKA, are out of scope. However, the technique described above with reference to FIG. 16 is applicable to OSU.
For example, the processing in steps S602 to S614 of FIG. 16 may be performed in the stages from L2 Auth to Provisioning at the OSU AP. The processing in steps S616 to S620 of FIG. 16 may be performed in the stages from L2 Auth to IMS at the Production AP. In addition to the EAP-AKA shown in Table 1, EAP-AKA' or the like may be employed.
The fourth embodiment has been described above. The present embodiment and each of the embodiments described above can be combined as appropriate.
<< 6. Fifth embodiment >>
<6.1. Overview>
In the present embodiment, terminal authentication using a one-time password is performed after a communication path between the WLAN terminal 100 and the authentication server 340 is formed. In the present embodiment, authentication information is acquired in stages. Each device included in the wireless communication system 1 according to the present embodiment has the same function as that of the first embodiment. Hereinafter, assuming the wireless communication system 1 shown in FIG. 2 as an example, functions characteristic of the present embodiment will be described.
For example, the control unit 130 of the WLAN terminal 100 transmits a part of the authentication information to the authentication server 340 over a communication path (IP communication path) formed by authentication using the WWAN terminal 200. Because this part of the authentication information is transmitted over a secure communication path that has already been formed, the confidentiality of the authentication information can be increased. This part of the authentication information is desirably information with a small amount of data, such as a one-time password. This is to reduce the amount of data when the WLAN terminal 100 receives this part of the authentication information from the WWAN terminal 200 via Bluetooth, NFC, or the like. The one-time password desirably has a validity period. The validity period can be set in various units, such as 30 minutes or 1 hour. This can prevent attacks such as replay attacks and spoofing. Examples of authentication methods using the WWAN terminal 200 include EAP-SIM, EAP-AKA, and EAP-AKA'. Alternatively, the control unit 130 may form the communication path by an authentication method that uses a certificate or the like, such as EAP-TLS or EAP-TTLS.
The control unit 130 then authenticates to the WLAN 500 using another part of the authentication information, which it receives from the authentication server 340 after the authentication server 340 has performed authentication using the first part. This other part of the authentication information may be, for example, information for authentication to a service such as Voice over Wi-Fi or Video over Wi-Fi. Hereinafter, such information for authentication to a service is also referred to as service authentication information.
The outline of the wireless communication system 1 according to the present embodiment has been described above. Next, operation processing by the wireless communication system 1 according to the present embodiment will be described with reference to FIG. 17.
<6.2. Example of operation processing>
FIG. 17 is a sequence diagram showing an example of the flow of connection processing executed in the wireless communication system 1 according to the present embodiment. As shown in FIG. 17, the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence. In this sequence, the "service authentication process (step S618)" of the fourth embodiment is expressed in more detail by dividing it into "terminal authentication / terminal registration (step S716)", "transmission of service authentication information (step S718)", and "service authentication process (step S720)".
As shown in FIG. 17, first, in step S702, the WLAN terminal 100 and the WWAN terminal 200 establish pairing.
Next, in step S704, the WWAN terminal 200 transmits an authentication information request message for requesting authentication information (that is, a one-time password) to the authentication server 340. For example, the WWAN terminal 200 authenticates with the authentication server 340 by EAP-AKA or the like using its own subscriber identification information, then establishes an IP connection with the base station 510 and logs in to the authentication server 340 using a user account that the WWAN terminal 200 holds in advance. The WWAN terminal 200 then requests a one-time password for the WLAN terminal 100 from the authentication server 340. The authentication information request message may be transmitted to the authentication server 340 via the base station 510 or via the base station 310. When the base station 310 is used, however, the WWAN terminal 200 can connect to the authentication server 340 by performing the predetermined authentication required for 3G/LTE wireless access rather than EAP-AKA or the like.
Next, in step S706, the authentication server 340 generates a one-time password as the authentication information requested in step S704. In addition to the one-time password, the authentication server 340 may generate service authentication information such as an ID required for the service. For example, the authentication server 340 may generate an IMPI (IP Multimedia Private Identity), an IMPU (IP Multimedia Public Identity), and a password as service authentication information for an IMS (IP Multimedia Subsystem) service.
Next, in step S708, the authentication server 340 transmits authentication information to the WWAN terminal 200. The authentication information transmitted at this time may be a part of the authentication information generated in step S706. For example, the authentication server 340 transmits the one-time password. The authentication information may be transmitted to the WWAN terminal 200 via the base station 510 or via the base station 310. When the base station 310 is used, the authentication server 340 may use, for example, SMS (Short Message Service).
Next, in step S710, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 in step S708 to the WLAN terminal 100. For example, the WWAN terminal 200 transmits the one-time password using WLAN, Bluetooth, NFC, or an information code such as a barcode.
Next, in step S712, the WLAN terminal 100 performs connection authentication processing. For example, the WLAN terminal 100 performs the connection authentication processing by EAP-SIM, EAP-AKA, EAP-AKA', or the like using the subscriber identification information of the WWAN terminal 200, and establishes an IP connection. The processing here is as described above with reference to FIGS. 9 and 10. Alternatively, the WLAN terminal 100 may perform the connection authentication processing by an authentication method that uses a certificate or the like, such as EAP-TLS or EAP-TTLS, and establish an IP connection.
Next, in step S714, the WLAN terminal 100 transmits authentication information to the authentication server 340. For example, the WLAN terminal 100 transmits the one-time password received in step S710. This procedure may be performed automatically by the WLAN terminal 100, or by manual input by the user on a Web page of the authentication server 340 or the like.
Next, in step S716, the authentication server 340 performs terminal authentication and terminal registration. For example, the authentication server 340 verifies whether the one-time password received from the WLAN terminal 100 in step S714 is correct. If the one-time password is correct, the authentication server 340 performs terminal registration. For example, the authentication server 340 generates service authentication information. If the service authentication information was already generated in step S706, the generation is omitted. The authentication server 340 may associate information such as the MAC address of the WLAN terminal 100, obtained from the base station 510 or the like, with the registration information (for example, the service authentication information).
Next, in step S718, the authentication server 340 transmits the service authentication information to the WLAN terminal 100.
Next, in step S720, the WLAN terminal 100 performs service authentication processing using the service authentication information received from the authentication server 340 in step S718. For example, for an IMS service, the WLAN terminal 100 establishes a service session using information such as the IMPI and the IMPU and, where necessary, establishes a secure communication path using IPsec. Alternatively, the WLAN terminal 100 may perform authentication such as IMS-AKA using the subscriber identification information of the WWAN terminal 200.
As a result, in step S722, service to the WLAN terminal 100 is started. Examples of the service include IMS services such as Voice over Wi-Fi and Video over Wi-Fi.
The fifth embodiment has been described above. The present embodiment and each of the embodiments described above can be combined as appropriate.
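The staged acquisition described in the fourth and fifth embodiments (a short-lived one-time password relayed through the WWAN terminal, then redeemed by the WLAN terminal for the remaining credentials) can be sketched from the server side as follows. This is an added example, not code from the patent: the class and function names, the in-memory storage, the token length, the MAC addresses and the `example.invalid` identities are all assumptions.

```python
import hashlib
import secrets
import time


class AuthServer:
    """Constructed stand-in for the authentication server 340 (hypothetical API)."""

    def __init__(self, otp_ttl_seconds=30 * 60, clock=time.time):
        self.otp_ttl = otp_ttl_seconds   # validity period; the text names 30 minutes or 1 hour
        self.clock = clock               # injectable so expiry can be exercised offline
        self._pending = {}               # SHA-256(OTP) -> (subscriber account, expiry time)
        self.registrations = {}          # WLAN terminal MAC -> service authentication info

    @staticmethod
    def _digest(otp):
        # Only a digest is kept, so the pending table never holds a usable OTP.
        return hashlib.sha256(otp.encode("utf-8")).hexdigest()

    def issue_otp(self, account):
        """S704-S708: called for a WWAN terminal that has already authenticated."""
        # 12 URL-safe characters: small enough to relay over NFC, Bluetooth or a barcode.
        otp = secrets.token_urlsafe(9)
        self._pending[self._digest(otp)] = (account, self.clock() + self.otp_ttl)
        return otp

    def redeem_otp(self, otp, wlan_mac):
        """S714-S718: check the OTP, register the terminal, return service info or None."""
        # pop() makes the OTP single use: a replayed value no longer matches anything.
        entry = self._pending.pop(self._digest(otp), None)
        if entry is None:
            return None
        account, expires_at = entry
        if self.clock() > expires_at:
            return None                  # past its validity period
        # Service authentication information (IMPI, IMPU, password); placeholder domain.
        service_info = {
            "impi": f"{account}@ims.example.invalid",
            "impu": f"sip:{account}@ims.example.invalid",
            "password": secrets.token_urlsafe(16),
        }
        # S716: bind the registration to the MAC address seen for the WLAN terminal.
        self.registrations[wlan_mac] = service_info
        return service_info


def run_flow():
    """Drive one valid redemption, one replay and one expired OTP (constructed inputs)."""
    now = [1_000_000.0]                  # fake clock value, advanced by hand
    server = AuthServer(clock=lambda: now[0])

    otp = server.issue_otp("subscriber-001")
    first = server.redeem_otp(otp, "02:00:00:00:00:01")
    replay = server.redeem_otp(otp, "02:00:00:00:00:02")

    late_otp = server.issue_otp("subscriber-001")
    now[0] += 30 * 60 + 1                # one second past the validity period
    expired = server.redeem_otp(late_otp, "02:00:00:00:00:03")
    return first, replay, expired, sorted(server.registrations)


if __name__ == "__main__":
    first, replay, expired, registered = run_flow()
    print("first redemption:", first is not None)
    print("replayed OTP accepted:", replay is not None)
    print("expired OTP accepted:", expired is not None)
    print("registered terminals:", registered)
```

A deployment would also limit failed redemption attempts per source and carry the exchange only over the authenticated channel the embodiments describe.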
<< 7. Sixth Embodiment >>
<7.1. Overview>
In the present embodiment, the WLAN terminal 100 selects an appropriate authentication method according to the situation. Each device included in the wireless communication system 1 according to the present embodiment has the same function as that of the first embodiment. Hereinafter, assuming the wireless communication system 1 shown in FIG. 2 as an example, functions characteristic of the present embodiment will be described.
(1) WLAN terminal 100
For example, the control unit 130 of the WLAN terminal 100 selects the authentication method for the WLAN 500 based on whether the wireless communication unit 110 (first wireless communication unit) can communicate with a wireless terminal having subscriber identification information. Specifically, when the WLAN terminal 100 can communicate with a wireless terminal having subscriber identification information (for example, the WWAN terminal 200), the control unit 130 selects, as the authentication method, an authentication protocol that uses subscriber identification information, such as EAP-SIM, EAP-AKA, or EAP-AKA'. On the other hand, when the WLAN terminal 100 cannot communicate with a wireless terminal having subscriber identification information, the control unit 130 selects, as the authentication method, an authentication protocol that does not use subscriber identification information, such as EAP-TLS or EAP-TTLS. By selecting the authentication method in this way, the WLAN terminal 100 can choose an authentication method appropriate to the situation. Whether communication with a wireless terminal having subscriber identification information is possible can also be understood as whether such a terminal is present within the distance over which the WLAN terminal 100 can communicate using a short-range wireless communication method such as NFC or Bluetooth. Hereinafter, a wireless terminal having subscriber identification information is also referred to simply as a SIM terminal.
 例えば、WLAN端末100の記憶部120は、認証情報を記憶してもよく、制御部130は、記憶部120に記憶された認証情報を用いてWLAN500への認証を行ってもよい。例えば、WLAN端末100は、過去にWLAN500への認証を行った際に用いた認証情報を記憶部120に記憶しておく。そして、制御部130は、記憶された認証情報を再度利用して認証を行う。これにより、認証サーバ340における認証情報の生成処理、及びWLAN端末100への通知処理が省略されるので、認証処理がより簡易になり、より高速になる。 For example, the storage unit 120 of the WLAN terminal 100 may store authentication information, and the control unit 130 may authenticate to the WLAN 500 using the authentication information stored in the storage unit 120. For example, the WLAN terminal 100 stores the authentication information used when authenticating to the WLAN 500 in the past in the storage unit 120. Then, the control unit 130 performs authentication by using the stored authentication information again. As a result, the authentication information generation process and the notification process to the WLAN terminal 100 in the authentication server 340 are omitted, so that the authentication process becomes simpler and faster.
(2) WWAN terminal 200
For example, the storage unit 220 of the WWAN terminal 200 may store authentication information, and the control unit 240 may transmit the authentication information stored in the storage unit 220 to the WLAN terminal 100 via the wireless communication unit 210 (fourth wireless communication unit). For example, the WWAN terminal 200 stores in the storage unit 220 the authentication information that it used when it authenticated to the WLAN 500 itself in the past, or the authentication information that it previously received from the authentication server 340 and transmitted to the WLAN terminal 100 to support authentication of the WLAN terminal 100 to the WLAN 500. When the WLAN terminal 100 authenticates to the WLAN 500 again, the WWAN terminal 200 transmits the authentication information stored in the storage unit 220. Because the generation of authentication information at the authentication server 340 and its acquisition from the authentication server 340 are omitted, the authentication processing becomes simpler and faster.
The outline of the wireless communication system 1 according to this embodiment has been described above. Next, operation processing by the wireless communication system 1 according to this embodiment is described with reference to FIGS. 18 to 21.
<7.2. Example of operation processing>
FIG. 18 is a sequence diagram illustrating an example of the flow of connection processing executed in the wireless communication system 1 according to this embodiment. As shown in FIG. 18, the base station 310, the WWAN terminal 200, the WLAN terminal 100, the base station 510, and the authentication server 340 are involved in this sequence. This sequence describes the basic flow of processing; the detailed conditional branches are described later with reference to FIGS. 19 and 20.
As shown in FIG. 18, first, in step S802, the WLAN terminal 100 and the WWAN terminal 200 establish pairing.
Next, in step S804, the WLAN terminal 100 acquires network information from the base station 510. For example, the WLAN terminal 100 acquires the network information by receiving a beacon signal, performing probe processing, or querying ANQP information. The acquired network information includes, for example, the SSID of the base station 510 and information indicating the authentication methods that the base station 510 supports.
Next, in step S806, the WLAN terminal 100 checks the network information. Specifically, based on the network information acquired in step S804, the WLAN terminal 100 checks whether authentication information for authenticating to the base station 510 is stored in the storage unit 120. Examples of authentication information for authenticating to the base station 510 include a certificate for EAP-TLS or EAP-TTLS, or an ID and a password. The authentication information is, of course, not limited to these.
If it is determined that the authentication information is not stored, the WLAN terminal 100 queries the WWAN terminal 200 for authentication information in step S808. If it is determined that the authentication information is stored, the WLAN terminal 100 performs the connection authentication processing (step S820) using the stored authentication information.
On receiving the query, the WWAN terminal 200 checks the authentication information in step S810. Specifically, the WWAN terminal 200 checks whether authentication information for the WLAN terminal 100 to authenticate to the base station 510 is stored in the storage unit 220.
If it is determined that the authentication information is not stored, in step S812 the WWAN terminal 200 transmits to the authentication server 340 an authentication information request message requesting authentication information (for example, a certificate, or an ID and a password). The communication path between the WWAN terminal 200 and the authentication server 340 is as described for step S704, so a detailed description is omitted here. If it is determined that the authentication information is stored, the WWAN terminal 200 returns the stored authentication information to the WLAN terminal 100 (step S818), and the WLAN terminal 100 performs the connection authentication processing (step S820) using the returned authentication information.
Next, in step S814, the authentication server 340 generates authentication information. For example, the authentication server 340 generates a certificate, or an ID and a password.
Next, in step S816, the authentication server 340 transmits the authentication information to the WWAN terminal 200. The communication path between the WWAN terminal 200 and the authentication server 340 is as described for step S708, so a detailed description is omitted here.
Next, in step S818, the WWAN terminal 200 transmits the authentication information received from the authentication server 340 in step S816 to the WLAN terminal 100. For example, the WWAN terminal 200 transmits the authentication information using WLAN, Bluetooth, NFC, or an information code such as a barcode.
Next, in step S820, the WLAN terminal 100 performs the connection authentication processing. For example, the WLAN terminal 100 performs the connection authentication processing by EAP-SIM, EAP-AKA, EAP-AKA', or the like using the subscriber identification information of the WWAN terminal 200, and establishes an IP connection. The processing here is as described above with reference to FIGS. 9 and 10. Alternatively, the WLAN terminal 100 may perform the connection authentication processing by EAP-TLS using the electronic certificate received in step S818, or by EAP-TTLS using an ID and a password, and establish an IP connection.
The basic flow of processing has been described above. Next, the detailed conditional branches are described with reference to FIGS. 19 and 20.
FIG. 19 is a flowchart illustrating an example of the flow of connection processing executed in the WLAN terminal 100 or the WWAN terminal 200 according to this embodiment.
As shown in FIG. 19, first, in step S902, the WLAN terminal 100 acquires network information. This step corresponds to step S804 in FIG. 18.
Next, in step S904, the WLAN terminal 100 determines whether the destination base station 510 supports SIM authentication. SIM authentication means an authentication method that uses subscriber identification information; EAP-AKA is one example. For example, the WLAN terminal 100 makes this determination based on the network information acquired in step S902. In this step, the WLAN terminal 100 may also determine whether the SSID of the connection destination indicates the desired network.
If it is determined that SIM authentication is supported (step S904/YES), the WLAN terminal 100 performs authentication processing using EAP-AKA in step S906. The processing here is as described above with reference to FIGS. 9 and 10. When the SIM of the WWAN terminal 200 is a GSM SIM, EAP-SIM may be selected as the authentication method; when it is a USIM, EAP-AKA', which has strengthened security, may be selected as the authentication method. When this step is executed, the processing of steps S806 to S818 shown in FIG. 18 is omitted. The processing then ends.
If, on the other hand, it is determined that SIM authentication is not supported (step S904/NO), in step S908 the WLAN terminal 100 determines whether the destination base station 510 supports EAP-TLS or EAP-TTLS authentication. In this step, the WLAN terminal 100 may also determine whether the SSID of the connection destination indicates the desired network.
If it is determined that EAP-TLS or EAP-TTLS authentication is not supported (step S908/NO), the processing ends.
If, on the other hand, it is determined that EAP-TLS or EAP-TTLS authentication is supported (step S908/YES), in step S910 the WLAN terminal 100 checks whether authentication information for authenticating to the base station 510 is stored in the storage unit 120. In this step, the WLAN terminal 100 may also determine whether the SSID of the connection destination indicates the desired network. This step corresponds to step S806 in FIG. 18.
If it is determined that the authentication information is stored (S910/YES), in step S912 the WLAN terminal 100 performs authentication processing by EAP-TLS or EAP-TTLS using the stored authentication information (for example, an electronic certificate, or an ID and a password). This step corresponds to step S820 in FIG. 18. In this case, the processing of steps S808 to S818 shown in FIG. 18 is omitted.
If, on the other hand, it is determined that the authentication information is not stored (S910/NO), in step S914 the WLAN terminal 100 queries the WWAN terminal 200 for authentication information. This step corresponds to step S808 in FIG. 18.
Next, in step S916, the WWAN terminal 200 determines whether authentication information (for example, an electronic certificate, or an ID and a password) for the WLAN terminal 100 to authenticate to the base station 510 is stored in the storage unit 220. This step corresponds to step S810 in FIG. 18.
If it is determined that the authentication information is stored (S916/YES), in step S918 the WWAN terminal 200 transmits the stored authentication information to the WLAN terminal 100. This step corresponds to step S818 in FIG. 18. In this case, the processing of steps S812 to S816 shown in FIG. 18 is omitted.
If, on the other hand, it is determined that the authentication information is not stored (S916/NO), in step S920 the WWAN terminal 200 acquires authentication information from the authentication server 340. This step corresponds to steps S812 to S816 in FIG. 18. Then, in step S918, the WWAN terminal 200 transmits the acquired authentication information to the WLAN terminal 100. This step corresponds to step S818 in FIG. 18.
Then, in step S912, the WLAN terminal 100 performs authentication processing by EAP-TLS or EAP-TTLS using the authentication information (for example, an electronic certificate, or an ID and a password) received from the WWAN terminal 200. This step corresponds to step S820 in FIG. 18. The processing then ends.
FIG. 20 is a flowchart illustrating an example of the flow of connection processing executed in the WLAN terminal 100 or the WWAN terminal 200 according to this embodiment.
First, in step S1002, the WLAN terminal 100 determines whether there is a SIM terminal nearby. For example, the WLAN terminal 100 determines whether a wireless terminal that has subscriber identification information exists within the distance over which communication is possible using a short-range wireless communication method such as NFC or Bluetooth. More specifically, the WLAN terminal 100 determines whether it can discover the WWAN terminal 200 with which it has already been paired by NFC, Bluetooth, or the like.
If it is determined that there is a SIM terminal nearby (S1002/YES), in step S1010 the WLAN terminal 100 and the WWAN terminal 200 perform authentication processing using the authentication method that the network supports (that is, an authentication method that uses subscriber identification information or one that does not), and the processing ends. The processing here is as described above with reference to FIG. 19.
If it is determined that there is no SIM terminal nearby (S1002/NO), in step S1004 the WLAN terminal 100 acquires network information. This step corresponds to step S804 in FIG. 18 and step S902 in FIG. 19.
Next, in step S1006, the WLAN terminal 100 determines whether authentication information exists in the WLAN terminal 100. This step corresponds to step S806 in FIG. 18 and step S910 in FIG. 19.
If it is determined that the authentication information is stored (step S1006/YES), in step S1008 the WLAN terminal 100 performs authentication processing by EAP-TLS or EAP-TTLS using the stored authentication information, and the processing ends. This step corresponds to step S820 in FIG. 18 and step S912 in FIG. 19.
If, on the other hand, it is determined that the authentication information is not stored (step S1006/NO), the processing ends. This is because no SIM terminal exists nearby, and any wireless terminal that does exist has no subscriber identification information, so that wireless terminal cannot be expected to acquire authentication information from the authentication server 340.
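
The branch structure of FIG. 19 and FIG. 20 described above, written as a single function that returns the chosen method together with the flowchart steps it traversed. This is an added example, not code from the patent: the class and function names, the per-SIM-type preference table, caching a credential at the moment it is received, and the rule that a cached credential counts only while the network still advertises its method are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

CERT_METHODS = ("EAP-TLS", "EAP-TTLS")  # methods that need no subscriber identity
# Assumption: preference per SIM type, following the note on step S906
# (EAP-SIM for a GSM SIM; EAP-AKA' preferred over EAP-AKA for a USIM).
SIM_PREFERENCE = {"GSM": ("EAP-SIM",), "USIM": ("EAP-AKA'", "EAP-AKA")}


@dataclass
class NetworkInfo:
    """Result of S804/S902/S1004: SSID plus the methods the network advertises."""
    ssid: str
    methods: FrozenSet[str]


@dataclass
class Credential:
    method: str    # "EAP-TLS" or "EAP-TTLS"
    material: str  # certificate, or ID and password (constructed placeholder)


@dataclass
class WwanTerminal:
    """Paired SIM terminal: storage unit 220 plus a path to authentication server 340."""
    sim_type: str
    store: Dict[str, Credential] = field(default_factory=dict)
    fetch: Optional[Callable[[NetworkInfo], Optional[Credential]]] = None


@dataclass
class Decision:
    method: Optional[str]  # None means no authentication is attempted
    source: Optional[str]  # where the identity or credential came from
    steps: List[str]       # flowchart steps traversed, useful for auditing


def _usable(cred: Optional[Credential], net: NetworkInfo) -> bool:
    # Assumption: a cached credential counts only while the network still
    # advertises the method it was issued for.
    return cred is not None and cred.method in CERT_METHODS and cred.method in net.methods


def select_auth(net: NetworkInfo, local_store: Dict[str, Credential],
                wwan: Optional[WwanTerminal] = None) -> Decision:
    """local_store models storage unit 120; wwan is None when no SIM terminal is reachable."""
    if wwan is None:                                   # FIG. 20, no SIM terminal nearby
        steps = ["S1002/NO", "S1004"]
        cred = local_store.get(net.ssid)
        if _usable(cred, net):
            return Decision(cred.method, "storage unit 120", steps + ["S1006/YES", "S1008"])
        return Decision(None, None, steps + ["S1006/NO"])

    steps = ["S1002/YES", "S902"]                      # FIG. 19 from here on
    for method in SIM_PREFERENCE.get(wwan.sim_type, ()):
        if method in net.methods:
            return Decision(method, "SIM of WWAN terminal 200", steps + ["S904/YES", "S906"])
    steps.append("S904/NO")
    if not any(m in net.methods for m in CERT_METHODS):
        return Decision(None, None, steps + ["S908/NO"])
    steps.append("S908/YES")

    cred = local_store.get(net.ssid)
    if _usable(cred, net):
        return Decision(cred.method, "storage unit 120", steps + ["S910/YES", "S912"])
    steps += ["S910/NO", "S914"]

    cred, source = wwan.store.get(net.ssid), "storage unit 220"
    if _usable(cred, net):
        steps.append("S916/YES")
    else:
        steps += ["S916/NO", "S920"]
        cred, source = (wwan.fetch(net) if wwan.fetch else None), "authentication server 340"
        if not _usable(cred, net):
            return Decision(None, None, steps)
        wwan.store[net.ssid] = cred                    # kept for later re-authentication
    local_store[net.ssid] = cred                       # kept for later re-authentication
    return Decision(cred.method, source, steps + ["S918", "S912"])


def demo() -> List[Decision]:
    """Constructed scenarios; SSIDs and credential material are made up."""
    issue = lambda net: Credential("EAP-TLS", "constructed-certificate")
    carrier = NetworkInfo("example-carrier", frozenset({"EAP-AKA", "EAP-AKA'"}))
    office = NetworkInfo("example-office", frozenset({"EAP-TLS"}))
    watch_store: Dict[str, Credential] = {}
    phone = WwanTerminal("USIM", fetch=issue)
    return [
        select_auth(carrier, watch_store, phone),      # SIM-based method
        select_auth(office, watch_store, phone),       # fetched via the phone
        select_auth(office, watch_store, None),        # phone gone, cached credential
        select_auth(office, {}, None),                 # phone gone, nothing cached
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.method, "|", d.source, "|", " > ".join(d.steps))
```

The third scenario shows the consequence of the caching described in section 7.1: once a credential has been delivered, the WLAN terminal can authenticate with no SIM terminal present, so the stored copy needs the same protection as the original.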
The sixth embodiment has been described above. This embodiment and the embodiments described earlier can be combined as appropriate.
<<8. Application examples>>
The technology according to the present disclosure can be applied to various products. For example, the wireless communication device 100 and the wireless communication device 200 may be realized as a mobile terminal such as a smartphone, a tablet PC (Personal Computer), a notebook PC, a portable game terminal, or a digital camera; as a fixed terminal such as a television receiver, a printer, a digital scanner, or network storage; or as an in-vehicle terminal such as a car navigation device. The wireless communication device 100 and the wireless communication device 200 may also be realized as a terminal that performs M2M (Machine To Machine) communication (also called an MTC (Machine Type Communication) terminal), such as a smart meter, a vending machine, a remote monitoring device, or a POS (Point Of Sale) terminal. Furthermore, the wireless communication device 100 and the wireless communication device 200 may be a wireless communication module mounted on such a terminal (for example, an integrated circuit module formed on a single die).
<8.1. First application example>
FIG. 21 is a block diagram illustrating an example of a schematic configuration of a smartphone 900 to which the technology according to the present disclosure can be applied. The smartphone 900 includes a processor 901, a memory 902, a storage 903, an external connection interface 904, a camera 906, a sensor 907, a microphone 908, an input device 909, a display device 910, a speaker 911, a wireless communication interface 913, an antenna switch 914, an antenna 915, a bus 917, a battery 918, and an auxiliary controller 919.
The processor 901 may be, for example, a CPU (Central Processing Unit) or an SoC (System on Chip), and controls the functions of the application layer and other layers of the smartphone 900. The memory 902 includes a RAM (Random Access Memory) and a ROM (Read Only Memory), and stores programs executed by the processor 901 and data. The storage 903 may include a storage medium such as a semiconductor memory or a hard disk. The external connection interface 904 is an interface for connecting an external device such as a memory card or a USB (Universal Serial Bus) device to the smartphone 900.
The camera 906 has an image sensor such as a CCD (Charge Coupled Device) or a CMOS (Complementary Metal Oxide Semiconductor) sensor, and generates a captured image. The sensor 907 may include a group of sensors such as a positioning sensor, a gyro sensor, a geomagnetic sensor, and an acceleration sensor. The microphone 908 converts sound input to the smartphone 900 into an audio signal. The input device 909 includes, for example, a touch sensor that detects a touch on the screen of the display device 910, a keypad, a keyboard, buttons, or switches, and accepts operations or information input from the user. The display device 910 has a screen such as a liquid crystal display (LCD) or an organic light emitting diode (OLED) display, and displays an output image of the smartphone 900. The speaker 911 converts an audio signal output from the smartphone 900 into sound.
The wireless communication interface 913 supports one or more wireless LAN standards such as IEEE 802.11a, 11b, 11g, 11n, 11ac, and 11ad, and performs wireless communication. In infrastructure mode, the wireless communication interface 913 can communicate with other devices via a wireless LAN access point. In ad hoc mode or a direct communication mode such as Wi-Fi Direct (registered trademark), the wireless communication interface 913 can communicate directly with other devices. In Wi-Fi Direct, unlike ad hoc mode, one of the two terminals operates as an access point, but communication takes place directly between the terminals. The wireless communication interface 913 typically includes a baseband processor, an RF (Radio Frequency) circuit, a power amplifier, and the like. The wireless communication interface 913 may be a one-chip module that integrates a memory storing a communication control program, a processor that executes the program, and related circuits. In addition to the wireless LAN method, the wireless communication interface 913 may support other types of wireless communication methods such as a short-range wireless communication method, a proximity wireless communication method, or a cellular communication method. The antenna switch 914 switches the connection destination of the antenna 915 among a plurality of circuits included in the wireless communication interface 913 (for example, circuits for different wireless communication methods). The antenna 915 has a single antenna element or a plurality of antenna elements (for example, the antenna elements that make up a MIMO antenna), and is used by the wireless communication interface 913 to transmit and receive radio signals.
The smartphone 900 is not limited to the example in FIG. 21 and may include a plurality of antennas (for example, an antenna for wireless LAN and an antenna for a proximity wireless communication method). In that case, the antenna switch 914 may be omitted from the configuration of the smartphone 900.
The bus 917 connects the processor 901, the memory 902, the storage 903, the external connection interface 904, the camera 906, the sensor 907, the microphone 908, the input device 909, the display device 910, the speaker 911, the wireless communication interface 913, and the auxiliary controller 919 to one another. The battery 918 supplies power to each block of the smartphone 900 shown in FIG. 21 through power supply lines partially shown as broken lines in the figure. The auxiliary controller 919 operates the minimum necessary functions of the smartphone 900, for example in sleep mode.
In the smartphone 900 shown in FIG. 21, one or more components included in the WLAN terminal 100 described with reference to FIG. 4 (for example, at least one of the storage unit 120 and the control unit 130) may be implemented in the wireless communication interface 913. At least some of these components may instead be implemented in the processor 901 or the auxiliary controller 919. As one example, the smartphone 900 may carry a module that includes the wireless communication interface 913, the processor 901, and/or the auxiliary controller 919, and the one or more components may be implemented in that module. In this case, the module may store a program for causing a processor to function as the one or more components (in other words, a program for causing a processor to execute the operations of the one or more components) and execute that program. As another example, a program for causing a processor to function as the one or more components may be installed on the smartphone 900, and the wireless communication interface 913, the processor 901, and/or the auxiliary controller 919 may execute that program. As described above, the smartphone 900 or the module may be provided as a device that includes the one or more components, and a program for causing a processor to function as the one or more components may be provided. A readable recording medium on which the program is recorded may also be provided.
In the smartphone 900 shown in FIG. 21, one or more components included in the WWAN terminal 200 described with reference to FIG. 5 (for example, at least one of the storage unit 220, the subscriber identification module 230, and the control unit 240) may be implemented in the wireless communication interface 913. At least some of these components may instead be implemented in the processor 901 or the auxiliary controller 919. As one example, the smartphone 900 may carry a module that includes the wireless communication interface 913, the processor 901, and/or the auxiliary controller 919, and the one or more components may be implemented in that module. In this case, the module may store a program for causing a processor to function as the one or more components (in other words, a program for causing a processor to execute the operations of the one or more components) and execute that program. As another example, a program for causing a processor to function as the one or more components may be installed on the smartphone 900, and the wireless communication interface 913, the processor 901, and/or the auxiliary controller 919 may execute that program. As described above, the smartphone 900 or the module may be provided as a device that includes the one or more components, and a program for causing a processor to function as the one or more components may be provided. A readable recording medium on which the program is recorded may also be provided.
 なお、スマートフォン900は、プロセッサ901がアプリケーションレベルでアクセスポイント機能を実行することにより、無線アクセスポイント(ソフトウェアAP)として動作してもよい。また、無線通信インタフェース913が無線アクセスポイント機能を有していてもよい。 Note that the smartphone 900 may operate as a wireless access point (software AP) when the processor 901 executes the access point function at the application level. Further, the wireless communication interface 913 may have a wireless access point function.
<8.2. Second application example>
FIG. 22 is a block diagram illustrating an example of a schematic configuration of a car navigation device 920 to which the technology according to the present disclosure can be applied. The car navigation device 920 includes a processor 921, a memory 922, a GPS (Global Positioning System) module 924, a sensor 925, a data interface 926, a content player 927, a storage medium interface 928, an input device 929, a display device 930, a speaker 931, a wireless communication interface 933, an antenna switch 934, an antenna 935, and a battery 938.
The processor 921 may be, for example, a CPU or an SoC, and controls the navigation function and other functions of the car navigation device 920. The memory 922 includes RAM and ROM, and stores programs executed by the processor 921 and data.
The GPS module 924 measures the position (for example, latitude, longitude, and altitude) of the car navigation device 920 using GPS signals received from GPS satellites. The sensor 925 may include a group of sensors such as a gyro sensor, a geomagnetic sensor, and an atmospheric pressure sensor. The data interface 926 is connected to the in-vehicle network 941 via, for example, a terminal (not shown), and acquires data generated on the vehicle side, such as vehicle speed data.
The content player 927 plays back content stored in a storage medium (for example, a CD or DVD) inserted into the storage medium interface 928. The input device 929 includes, for example, a touch sensor that detects a touch on the screen of the display device 930, a button, or a switch, and receives operations or information input from the user. The display device 930 has a screen such as an LCD or OLED display, and displays the navigation function or images of the content being played back. The speaker 931 outputs audio of the navigation function or of the content being played back.
The wireless communication interface 933 supports one or more wireless LAN standards such as IEEE 802.11a, 11b, 11g, 11n, 11ac, and 11ad, and performs wireless communication. In infrastructure mode, the wireless communication interface 933 can communicate with other devices via a wireless LAN access point. In ad hoc mode or a direct communication mode such as Wi-Fi Direct, the wireless communication interface 933 can communicate directly with other devices. The wireless communication interface 933 may typically include a baseband processor, an RF circuit, a power amplifier, and the like. The wireless communication interface 933 may be a one-chip module integrating a memory that stores a communication control program, a processor that executes the program, and related circuits. In addition to the wireless LAN scheme, the wireless communication interface 933 may support other types of wireless communication schemes such as a short-range wireless communication scheme, a proximity wireless communication scheme, or a cellular communication scheme. The antenna switch 934 switches the connection destination of the antenna 935 among a plurality of circuits included in the wireless communication interface 933. The antenna 935 has a single antenna element or a plurality of antenna elements, and is used for transmission and reception of wireless signals by the wireless communication interface 933.
Note that the configuration is not limited to the example of FIG. 22, and the car navigation device 920 may include a plurality of antennas. In that case, the antenna switch 934 may be omitted from the configuration of the car navigation device 920.
The battery 938 supplies power to each block of the car navigation device 920 illustrated in FIG. 22 via power supply lines partially shown by broken lines in the figure. The battery 938 also stores power supplied from the vehicle side.
In the car navigation device 920 illustrated in FIG. 22, one or more components included in the WLAN terminal 100 described with reference to FIG. 4 (for example, at least one of the storage unit 120 or the control unit 130) may be implemented in the wireless communication interface 933. At least some of these functions may also be implemented in the processor 921. As an example, the car navigation device 920 may be equipped with a module including the wireless communication interface 933 and/or the processor 921, and the one or more components may be implemented in that module. In this case, the module may store a program for causing a processor to function as the one or more components (in other words, a program for causing a processor to execute the operations of the one or more components) and may execute that program. As another example, a program for causing a processor to function as the one or more components may be installed in the car navigation device 920, and the wireless communication interface 933 and/or the processor 921 may execute the program. As described above, the car navigation device 920 or the module may be provided as a device including the one or more components, and a program for causing a processor to function as the one or more components may be provided. In addition, a readable recording medium in which the program is recorded may be provided.
In the car navigation device 920 illustrated in FIG. 22, one or more components included in the WWAN terminal 200 described with reference to FIG. 5 (for example, at least one of the storage unit 220, the subscriber identification module 230, or the control unit 240) may be implemented in the wireless communication interface 933. At least some of these functions may also be implemented in the processor 921. As an example, the car navigation device 920 may be equipped with a module including the wireless communication interface 933 and/or the processor 921, and the one or more components may be implemented in that module. In this case, the module may store a program for causing a processor to function as the one or more components (in other words, a program for causing a processor to execute the operations of the one or more components) and may execute that program. As another example, a program for causing a processor to function as the one or more components may be installed in the car navigation device 920, and the wireless communication interface 933 and/or the processor 921 may execute the program. As described above, the car navigation device 920 or the module may be provided as a device including the one or more components, and a program for causing a processor to function as the one or more components may be provided. In addition, a readable recording medium in which the program is recorded may be provided.
The technology according to the present disclosure may also be realized as an in-vehicle system (or vehicle) 940 including one or more blocks of the car navigation device 920 described above, the in-vehicle network 941, and a vehicle-side module 942. The vehicle-side module 942 generates vehicle-side data such as vehicle speed, engine speed, or failure information, and outputs the generated data to the in-vehicle network 941.
<<9. Summary>>
An embodiment of the present disclosure has been described in detail above with reference to FIGS. 1 to 22. According to the embodiment described above, the WLAN terminal 100, which performs wireless communication with the WWAN terminal 200 that connects to the WWAN 300 for wireless communication and which itself connects to the WLAN 500 for wireless communication, receives authentication information generated by the authentication server 340 from the WWAN terminal 200 and authenticates to the WLAN 500 using that authentication information. As a result, even in a situation where it is difficult for the WLAN terminal 100 to acquire authentication information from the authentication server 340 on its own, for example because it has no WWAN communication function, it can acquire the authentication information via the WWAN terminal 200. In addition, by using the authentication information generated by the authentication server 340, the WLAN terminal 100 can connect to a secure WLAN 500 and can avoid connecting to a network with a high security risk, such as the risk of eavesdropping. Thus, even when the WLAN terminal 100 does not support Wi-Fi CERTIFIED Passpoint, it can obtain the same level of security and connection convenience as when it does.
In addition, the WLAN terminal 100 transmits the network information it has collected to the WWAN terminal 200 in order to obtain authentication information from the authentication server 340. Because the network information is collected at the current location of the WLAN terminal 100, the WLAN terminal 100 can receive a connection service that is more accurate in terms of available area and radio field strength than a scheme using ANDSF.
The preferred embodiments of the present disclosure have been described in detail above with reference to the accompanying drawings, but the technical scope of the present disclosure is not limited to these examples. It is obvious that a person having ordinary knowledge in the technical field of the present disclosure can conceive of various changes or modifications within the scope of the technical idea described in the claims, and these are naturally understood to belong to the technical scope of the present disclosure.
In addition, the processes described in this specification using flowcharts and sequence diagrams do not necessarily have to be executed in the order shown. Some processing steps may be executed in parallel. Additional processing steps may be adopted, and some processing steps may be omitted.
In addition, the effects described in this specification are merely explanatory or illustrative and are not limiting. That is, the technology according to the present disclosure can exhibit other effects that are apparent to those skilled in the art from the description of this specification, in addition to or instead of the above effects.
The following configurations also belong to the technical scope of the present disclosure.
(1)
A wireless communication device comprising:
a first wireless communication unit that performs wireless communication with a wireless terminal that connects to a first network and performs wireless communication;
a second wireless communication unit that connects to a second network and performs wireless communication; and
a control unit that receives, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performs authentication to the second network via the second wireless communication unit using the authentication information.
(2)
The wireless communication device according to (1), wherein the control unit collects the network information via the second wireless communication unit and transmits the collected network information to the wireless terminal via the first wireless communication unit.
(3)
The wireless communication device according to (1) or (2), wherein the network information includes at least one of an SSID, channel information, RSSI (Received Signal Strength Indicator) information, or a result of a query using ANQP.
(4)
The wireless communication device according to any one of (1) to (3), wherein the control unit transmits at least one of device information of the wireless communication device, capability information, or information indicating the purpose of wireless communication with the second network to the wireless terminal via the first wireless communication unit.
(5)
The wireless communication device according to any one of (1) to (4), wherein the control unit performs authentication to one second network selected from one or more second networks.
(6)
The wireless communication device according to any one of (1) to (5), wherein the control unit performs authentication to the second network using the authentication information generated by the authentication server using device information of at least one of the wireless communication device or the wireless terminal.
(7)
The wireless communication device according to any one of (1) to (6), wherein the control unit performs authentication to the second network using another part of the authentication information, acquired over a communication path formed after authentication using a part of the authentication information.
(8)
The wireless communication device according to any one of (1) to (7), wherein the control unit transmits a part of the authentication information to the authentication server over a communication path formed by authentication using the wireless terminal, and performs authentication to the second network using another part of the authentication information received after the authentication server has performed authentication using the part of the authentication information.
(9)
The wireless communication device according to (7) or (8), wherein the part of the authentication information is a one-time password with an expiration date.
(10)
The wireless communication device according to any one of (1) to (9), wherein the control unit selects an authentication method for the second network based on whether or not communication with the wireless terminal having subscriber identification information is possible via the first wireless communication unit.
(11)
The wireless communication device according to any one of (1) to (10), further comprising a storage unit that stores the authentication information,
wherein the control unit performs authentication to the second network using the authentication information stored in the storage unit.
(12)
The wireless communication device according to any one of (1) to (11), wherein the control unit performs authentication to the second network by EAP (Extensible Authentication Protocol) authentication using an electronic certificate.
(13)
The wireless communication device according to (12), wherein the authentication information includes an electronic certificate issued by the authentication server.
(14)
The wireless communication device according to (12), wherein the authentication information includes an ID and a password issued by the authentication server.
(15)
The wireless communication device according to any one of (1) to (11), wherein the control unit performs authentication to the second network by EAP authentication using subscriber identification information held by the wireless terminal.
(16)
The wireless communication device according to any one of (1) to (15), wherein the first network is a mobile communication network.
(17)
The wireless communication device according to any one of (1) to (16), wherein the second network is a public wireless LAN.
(18)
A wireless communication device comprising:
a third wireless communication unit that connects to a first network and performs wireless communication;
a fourth wireless communication unit that performs wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and
a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and transmits, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network generated by the authentication server using the network information.
(19)
The wireless communication device according to (18), wherein the fourth wireless communication unit receives the network information from the wireless terminal.
(20)
The wireless communication device according to (18), further comprising a fifth wireless communication unit that connects to the second network and performs wireless communication,
wherein the control unit collects the network information via the fifth wireless communication unit.
(21)
The wireless communication device according to any one of (18) to (20), wherein the control unit transmits, to the wireless terminal via the fourth wireless communication unit, the authentication information for authentication to one second network selected from one or more second networks.
(22)
The wireless communication device according to any one of (18) to (21), further comprising a storage unit that stores the authentication information,
wherein the control unit transmits the authentication information stored in the storage unit to the wireless terminal via the fourth wireless communication unit.
(23)
A wireless communication device comprising:
a third wireless communication unit that connects to a first network and performs wireless communication;
a fifth wireless communication unit that connects to a second network and performs wireless communication; and
a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and performs, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
(24)
A wireless communication method including:
performing, by a first wireless communication unit, wireless communication with a wireless terminal that connects to a first network and performs wireless communication;
connecting to a second network and performing wireless communication by a second wireless communication unit; and
receiving, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performing authentication to the second network via the second wireless communication unit using the authentication information.
(25)
A wireless communication device comprising:
connecting to a first network and performing wireless communication by a third wireless communication unit;
performing, by a fourth wireless communication unit, wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and
transmitting network information of the second network to an authentication server via the third wireless communication unit, and transmitting, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network generated by the authentication server using the network information.
(26)
A wireless communication method including:
connecting to a first network and performing wireless communication by a third wireless communication unit;
connecting to a second network and performing wireless communication by a fifth wireless communication unit; and
transmitting network information of the second network to an authentication server via the third wireless communication unit, and performing, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
(27)
A program for causing a computer to function as:
a first wireless communication unit that performs wireless communication with a wireless terminal that connects to a first network and performs wireless communication;
a second wireless communication unit that connects to a second network and performs wireless communication; and
a control unit that receives, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performs authentication to the second network via the second wireless communication unit using the authentication information.
(28)
A program for causing a computer to function as:
a third wireless communication unit that connects to a first network and performs wireless communication;
a fourth wireless communication unit that performs wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and
a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and transmits, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network generated by the authentication server using the network information.
(29)
A program for causing a computer to function as:
a third wireless communication unit that connects to a first network and performs wireless communication;
a fifth wireless communication unit that connects to a second network and performs wireless communication; and
a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and performs, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
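The exchange in configurations (1) to (3) and (7) to (9), seen from the authentication server's side, as an added example that is not code from the patent. All names, the 60-second lifetime and the rule of choosing the strongest served SSID are assumptions, and `redeem()` stands in for the communication path formed by one-time-password authentication.

```python
# Added illustration, not code from the patent. Every class, function and field
# name, the 60-second lifetime and the scan results below are assumptions.
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkInfo:
    """One scan result collected by the WLAN terminal (SSID, channel, RSSI)."""
    ssid: str
    channel: int
    rssi_dbm: int


class AuthServer:
    """Stand-in for authentication server 340."""

    OTP_LIFETIME_S = 60  # assumed validity period of the one-time password

    def __init__(self, served_ssids, clock=time.monotonic):
        self._served = set(served_ssids)
        self._clock = clock      # injectable so that expiry can be tested
        self._pending = {}       # request id -> (otp, ssid, expires_at, credential)

    def issue(self, scan):
        """Use the reported network information to pick a network and issue
        the first part of the authentication information (an expiring OTP)."""
        candidates = [n for n in scan if n.ssid in self._served]
        if not candidates:
            return None          # no network the server vouches for: issue nothing
        best = max(candidates, key=lambda n: n.rssi_dbm)
        request_id = secrets.token_hex(8)
        otp = secrets.token_urlsafe(16)
        credential = {"id": "u-" + secrets.token_hex(4),
                      "password": secrets.token_urlsafe(24)}
        expires_at = self._clock() + self.OTP_LIFETIME_S
        self._pending[request_id] = (otp, best.ssid, expires_at, credential)
        return {"request_id": request_id, "ssid": best.ssid,
                "channel": best.channel, "otp": otp}

    def redeem(self, request_id, ssid, otp):
        """Check the OTP and hand out the second part (ID and password).
        The record is removed on the first attempt, so a replayed or guessed
        OTP gets exactly one try."""
        record = self._pending.pop(request_id, None)
        if record is None:
            return None
        expected_otp, bound_ssid, expires_at, credential = record
        if self._clock() > expires_at:
            return None          # expired
        if bound_ssid != ssid:
            return None          # OTP was issued for a different network
        if not hmac.compare_digest(expected_otp.encode(), otp.encode()):
            return None          # constant-time comparison failed
        return credential


class WwanTerminal:
    """Stand-in for WWAN terminal 200: forwards the scan over the WWAN and
    relays the server's answer back over the short-range link."""

    def __init__(self, server):
        self._server = server

    def request_auth_info(self, scan):
        return self._server.issue(scan)


def wlan_terminal_connect(scan, relay, server):
    """Stand-in for WLAN terminal 100. Returns (ssid, credential) or None."""
    first_part = relay.request_auth_info(scan)
    if first_part is None:
        return None
    # Simplification: redeem() stands for the path formed by OTP authentication.
    credential = server.redeem(first_part["request_id"],
                               first_part["ssid"], first_part["otp"])
    if credential is None:
        return None
    return first_part["ssid"], credential


# Constructed sample scan: one network the server does not serve, and the
# served SSID seen on two channels.
SAMPLE_SCAN = [
    NetworkInfo("OpenCafe", 6, -40),
    NetworkInfo("Carrier-WiFi", 36, -67),
    NetworkInfo("Carrier-WiFi", 1, -80),
]

if __name__ == "__main__":
    srv = AuthServer({"Carrier-WiFi"})
    print(wlan_terminal_connect(SAMPLE_SCAN, WwanTerminal(srv), srv))
```

The open network with the strongest signal is never selected, because the server only issues authentication information for SSIDs it serves.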
DESCRIPTION OF SYMBOLS
1 Wireless communication system
100 WLAN terminal
110 Wireless communication unit
112 WLAN module
114 BT module
116 NFC module
120 Storage unit
130 Control unit
200 WWAN terminal
210 Wireless communication unit
212 WWAN module
214 WLAN module
216 BT module
218 NFC module
220 Storage unit
230 Subscriber identification module
240 Control unit
300 WWAN
310 Base station
320 Gateway
330 Subscriber information server
340 Authentication server
341 Communication unit
342 Storage unit
343 Control unit
350 Network information providing server
400 Service network
500 WLAN
510 Base station

Claims (29)

  1.  第1のネットワークに接続して無線通信を行う無線端末との無線通信を行う第1の無線通信部と、
     第2のネットワークに接続して無線通信を行う第2の無線通信部と、
     前記第2のネットワークのネットワーク情報を用いて認証サーバにより生成された認証情報を前記第1の無線通信部を介して前記無線端末から受信し、前記第2の無線通信部を介して前記認証情報を用いた前記第2のネットワークへの認証を行う制御部と、
    を備える無線通信装置。
    A first wireless communication unit that performs wireless communication with a wireless terminal that performs wireless communication by connecting to the first network;
    A second wireless communication unit connected to the second network for wireless communication;
    Authentication information generated by an authentication server using network information of the second network is received from the wireless terminal via the first wireless communication unit, and the authentication information is received via the second wireless communication unit. A control unit for performing authentication to the second network using
    A wireless communication device comprising:
  2.  The wireless communication device according to claim 1, wherein the control unit collects the network information via the second wireless communication unit and transmits the collected network information to the wireless terminal via the first wireless communication unit.
  3.  The wireless communication device according to claim 1, wherein the network information includes at least one of an SSID, channel information, RSSI (Received Signal Strength Indicator) information, or an inquiry result obtained using ANQP.
  4.  The wireless communication device according to claim 1, wherein the control unit transmits at least one of device information of the wireless communication device, capability information, or information indicating a purpose of the wireless communication with the second network to the wireless terminal via the first wireless communication unit.
  5.  The wireless communication device according to claim 1, wherein the control unit performs authentication to one second network selected from one or more of the second networks.
  6.  The wireless communication device according to claim 1, wherein the control unit performs authentication to the second network using the authentication information generated by the authentication server using device information of at least one of the wireless communication device or the wireless terminal.
  7.  The wireless communication device according to claim 1, wherein the control unit performs authentication to the second network using another part of the authentication information, the other part being acquired over a communication path formed after authentication using a part of the authentication information.
  8.  The wireless communication device according to claim 1, wherein the control unit transmits a part of the authentication information to the authentication server over a communication path formed by authentication using the wireless terminal, and performs authentication to the second network using another part of the authentication information received after authentication by the authentication server using the part of the authentication information.
  9.  The wireless communication device according to claim 8, wherein the part of the authentication information is a one-time password with an expiration date.
  10.  The wireless communication device according to claim 1, wherein the control unit selects an authentication method for the second network based on whether or not communication with the wireless terminal having subscriber identification information is possible via the first wireless communication unit.
  11.  The wireless communication device according to claim 1, further comprising a storage unit that stores the authentication information,
     wherein the control unit performs authentication to the second network using the authentication information stored in the storage unit.
  12.  The wireless communication device according to claim 1, wherein the control unit performs authentication to the second network by EAP (Extensible Authentication Protocol) authentication using an electronic certificate.
  13.  The wireless communication device according to claim 12, wherein the authentication information includes an electronic certificate issued by the authentication server.
  14.  The wireless communication device according to claim 12, wherein the authentication information includes an ID and a password issued by the authentication server.
  15.  The wireless communication device according to claim 1, wherein the control unit performs authentication to the second network by EAP authentication using subscriber identification information held by the wireless terminal.
  16.  The wireless communication device according to claim 1, wherein the first network is a mobile communication network.
  17.  The wireless communication device according to claim 1, wherein the second network is a public wireless LAN.
  18.  A wireless communication device comprising:
     a third wireless communication unit that connects to a first network and performs wireless communication;
     a fourth wireless communication unit that performs wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and
     a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and transmits, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network generated by the authentication server using the network information.
  19.  The wireless communication device according to claim 18, wherein the fourth wireless communication unit receives the network information from the wireless terminal.
  20.  The wireless communication device according to claim 18, further comprising a fifth wireless communication unit that connects to the second network and performs wireless communication,
     wherein the control unit collects the network information via the fifth wireless communication unit.
  21.  The wireless communication device according to claim 18, wherein the control unit transmits, to the wireless terminal via the fourth wireless communication unit, the authentication information for authentication to one second network selected from one or more of the second networks.
  22.  The wireless communication device according to claim 18, further comprising a storage unit that stores the authentication information,
     wherein the control unit transmits the authentication information stored in the storage unit to the wireless terminal via the fourth wireless communication unit.
  23.  A wireless communication device comprising:
     a third wireless communication unit that connects to a first network and performs wireless communication;
     a fifth wireless communication unit that connects to a second network and performs wireless communication; and
     a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and performs, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
  24.  A wireless communication method including:
     performing, by a first wireless communication unit, wireless communication with a wireless terminal that connects to a first network and performs wireless communication;
     connecting to a second network and performing wireless communication by a second wireless communication unit; and
     receiving, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performing authentication to the second network using the authentication information via the second wireless communication unit.
  25.  A wireless communication device comprising:
     connecting to a first network and performing wireless communication by a third wireless communication unit;
     performing, by a fourth wireless communication unit, wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and
     transmitting network information of the second network to an authentication server via the third wireless communication unit, and transmitting, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network generated by the authentication server using the network information.
  26.  A wireless communication method including:
     connecting to a first network and performing wireless communication by a third wireless communication unit;
     connecting to a second network and performing wireless communication by a fifth wireless communication unit; and
     transmitting network information of the second network to an authentication server via the third wireless communication unit, and performing, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
  27.  A program for causing a computer to function as:
     a first wireless communication unit that performs wireless communication with a wireless terminal that connects to a first network and performs wireless communication;
     a second wireless communication unit that connects to a second network and performs wireless communication; and
     a control unit that receives, from the wireless terminal via the first wireless communication unit, authentication information generated by an authentication server using network information of the second network, and performs authentication to the second network using the authentication information via the second wireless communication unit.
  28.  A program for causing a computer to function as:
     a third wireless communication unit that connects to a first network and performs wireless communication;
     a fourth wireless communication unit that performs wireless communication with a wireless terminal that connects to a second network and performs wireless communication; and
     a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and transmits, to the wireless terminal via the fourth wireless communication unit, authentication information for authentication to the second network generated by the authentication server using the network information.
  29.  A program for causing a computer to function as:
     a third wireless communication unit that connects to a first network and performs wireless communication;
     a fifth wireless communication unit that connects to a second network and performs wireless communication; and
     a control unit that transmits network information of the second network to an authentication server via the third wireless communication unit, and performs, via the fifth wireless communication unit, authentication to the second network using authentication information generated by the authentication server.
PCT/JP2015/081540 2015-01-19 2015-11-10 Wireless communication device, wireless communication method and program WO2016117211A1 (en)

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
JP2015007424 2015-01-19
JP2015-007424 2015-01-19
JP2015-030906 2015-02-19
JP2015030906 2015-02-19
JP2015-077471 2015-04-06
JP2015077471 2015-04-06
JP2015111170 2015-06-01
JP2015-111170 2015-06-01

Publications (1)

Publication Number Publication Date
WO2016117211A1 (en) 2016-07-28

Family

ID=56416772

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/081540 WO2016117211A1 (en) 2015-01-19 2015-11-10 Wireless communication device, wireless communication method and program

Country Status (1)

Country Link
WO (1) WO2016117211A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001333451A (en) * 2000-05-22 2001-11-30 Sharp Corp Method for inter-terminal communication service and inter-terminal communication service system
JP2003235076A (en) * 2002-02-07 2003-08-22 Sharp Corp Wireless communication authentication system, and communication apparatus and mobile terminal used for the system
JP2007306312A (en) * 2006-05-11 2007-11-22 Nippon Telegraph & Telephone East Corp Radio communication connecting system
JP2009510947A (en) * 2005-09-28 2009-03-12 クゥアルコム・インコーポレイテッド System and method for distributing wireless network access parameters

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15878900

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: JP

122 Ep: pct application non-entry in european phase

Ref document number: 15878900

Country of ref document: EP

Kind code of ref document: A1