CN104796256A - Communication device, authentication method and authentication system - Google Patents
Publication number: CN104796256A (application CN201410643999.1A)
Authority: CN (China)
Prior art keywords: equipment, authentication information, communicator, authentication, public key
Legal status: Pending (the legal status is an assumption made by Google and is not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention provides a communication device, an authentication method and an authentication system. The authentication system has the following functions: a function by which a setting terminal (2) obtains authentication information associated with a device (3) and sends it to a communication device (1); a function by which the communication device (1) receives the authentication information and generates a common key (a shared symmetric key) with the device (3); and a first encrypted communication function that uses the common key for first encrypted communication with the device (3). The common key of a device can thus be shared simply and safely without a key-management server.
Description
Technical field
Embodiments of the present invention relate to a communication device, an authentication method and an authentication system.
Background technology
A known method of establishing secure communication between communication devices is encrypted communication using a common key (a shared symmetric key). When the common key is set up, the setting information must be protected from eavesdropping and the manual entry of setting items should be kept simple. Patent document 1, for example, proposes encoding the setting information as a two-dimensional code and performing authentication with a camera. Patent document 2 proposes a method in which a setting terminal obtains the authentication information of each device and sends it to a management server, which then shares the common key.
[Background art documents]
[Patent documents]
[Patent document 1] Japanese Patent Laid-Open No. 2006-261938
[Patent document 2] Japanese Patent Laid-Open No. 2009-71707
Summary of the invention
[Problem to be solved by the invention]
However, the method of patent document 1 assumes that the device performing connection authentication with the access point has a camera, so it is unsuitable for devices that otherwise have no need for one. The key-sharing system of patent document 2 obtains the authentication information with a single setting terminal but requires a management server that stores the keys, so it cannot be applied to products for which no such management server is available.
[Means for solving the problem]
The present embodiment provides an authentication system with the following functions: a function by which a setting terminal obtains authentication information associated with a given device and sends it to a communication device; a function by which the communication device receives the authentication information and generates a common key shared with the device; and a first encrypted communication function that uses the common key for first encrypted communication with the device.
The embodiment also provides an authentication method with the following steps: a step in which a setting terminal obtains authentication information associated with a given device and sends it to a communication device; a step in which the communication device generates a common key shared with the device based on the authentication information; and a first encrypted communication step in which the communication device and the device use the common key for first encrypted communication.
The embodiment further provides an authentication system comprising: a device; a setting terminal that obtains authentication information associated with the device and sends it to a communication device; and a communication device that generates a common key shared with the device based on the authentication information and uses the common key for first encrypted communication with the device.
[Effect of the invention]
According to the embodiments of the present invention, the common key of a device can be shared simply and safely.
Embodiment
The authentication method of the embodiments has the following functions: a function by which a setting terminal obtains authentication information associated with a given device and sends it to a communication device; a function by which the communication device generates a common key shared with the device based on the authentication information; and a first encrypted communication function by which the communication device and the device use the common key for first encrypted communication.
Embodiments of the present invention are described below with reference to the drawings.
Fig. 1 shows the configuration of the system of an embodiment. The system of Fig. 1 comprises a communication device 1, a setting terminal 2 and one or more devices 3. The communication device 1 and the device 3 communicate through the first encrypted communication function. Authentication information 4 associated with the device 3 is obtained by the authentication information acquisition function of the setting terminal 2 and sent to the communication device 1 through setting communication.
The communication device 1 is a network device that communicates with the device 3 through first encrypted communication and has, for example, a function to control the device 3 or to process information sent from the device 3. First encrypted communication here means encrypted communication that prevents a third party from eavesdropping on the information of the device 3 or the communication device 1 and that is carried out only with a legitimate peer. It may use a wired LAN (Local Area Network) such as Ethernet (registered trademark) or a wireless LAN as the transmission medium, and any protocol such as ECHONET/ECHONET Lite or ZigBee may be used. The communication device 1 of this embodiment uses ECHONET/ECHONET Lite as the communication protocol with the device 3 and encrypts the communication with a common key. When there are several devices 3, a different common key is used for each of them.
To obtain the common key of the device 3, the communication device 1 has a setting communication function that receives the authentication information 4 associated with the device 3 from the setting terminal 2, and a function that generates the common key of the device 3 from the authentication information 4. The setting communication function may use any protocol, but to prevent a third party from eavesdropping on the authentication information the communication content should preferably be encrypted; the setting communication function may therefore be a second encrypted communication function that performs second encrypted communication. The second encrypted communication function may use a link-layer protocol over a wired or wireless medium, but when the lower communication layer provides no security measures, an appropriate secure communication method such as IPsec (Security Architecture for the Internet Protocol) or HTTPS (Hypertext Transfer Protocol Secure) is used at an upper layer.
The setting terminal 2 supports the connection authentication between the communication device 1 and the device 3. It is an ordinary terminal, such as a smartphone, a tablet or a mobile phone, that has an authentication information acquisition function for obtaining the authentication information of the device 3 and a setting communication function for communicating with the communication device 1. Using a portable terminal in this way allows the authentication information to be handed over safely between devices that are, for example, difficult to move.
In this embodiment the authentication information 4 associated with the device 3 is encoded according to the QR code (registered trademark) standard, JIS X 0510 (Japanese Industrial Standards) and ISO/IEC 18004 (International Organization for Standardization / International Electrotechnical Commission), and the setting terminal 2 is a smartphone whose camera reads the QR code; its authentication information acquisition function decodes the code and its setting communication function sends the decoded information to the communication device 1. Decoding from the QR code to the authentication information 4 follows the QR code standard. As noted above, the setting communication should preferably be encrypted so that the authentication information 4 cannot be eavesdropped on in transit; in that case the setting terminal 2 has the second encrypted communication function. In this embodiment these functions are implemented by a single terminal program installed on the smartphone, but the acquisition function and the setting communication function may also be implemented by different programs.
The device 3 is a network-capable device that communicates with the communication device 1 through first encrypted communication, for example an ECHONET Lite home appliance controlled by the control function of the communication device 1, or an ECHONET Lite measuring device that sends measurement information to the communication device 1. The device 3 stores the authentication information and the common key for first encrypted communication; both should preferably be tamper-resistant (difficult to read out). The device 3 also has the usual function of searching the network, by means of a connection program, for a communication device 1 to connect to.
The authentication information 4 is information uniquely associated with the device 3, and the key generation function of the communication device 1 generates the common key of the device 3 from it. The authentication information 4 should preferably be easy for the setting terminal 2 to read, and is presented by some means to the user of the device 3 or to the person setting up the network. When it is encoded as a QR code, for example, the code may be printed on a paper medium such as a sticker that is attached to the device 3 itself or packed with it at shipment. The QR code could also be printed on a postcard mailed to the user's residence at some point after the purchase of the device 3.
Embodiments of the present invention are described next using the sequence diagrams of Fig. 2 and Fig. 3.
(First embodiment)
Fig. 2 is a sequence diagram of the authentication information transfer flow of this embodiment.
First, the terminal program installed on the setting terminal 2 is started (S21) and the authentication information 4 associated with the device 3 is obtained (S22). In this embodiment the authentication information 4 is encoded according to a QR code standard such as JIS X 0510 or ISO/IEC 18004, the camera of the setting terminal 2 reads the QR code, and the code is decoded according to the procedure of the QR code standard (S23).
The setting terminal 2 then sends the decoded authentication information 4 to the communication device 1 through setting communication (S25). The communication device 1 has started its authentication program at some earlier time and is waiting (S24). The setting terminal 2 may also store the authentication information 4 until communication with the communication device 1 is established. The setting communication function may use any protocol, but to prevent a third party from eavesdropping on the authentication information it should preferably be performed as second encrypted communication.
When the communication device 1 receives the authentication information 4 (S26), it can generate from it the common key needed for first encrypted communication with the device 3 (S27). The key may be generated together with the reception of the authentication information 4 or at any time afterwards. The communication device 1 of this embodiment generates the common key in the following connection authentication flow.
Fig. 3 is a sequence diagram of the connection authentication flow of the system of this embodiment. The communication device 1 and the device 3 find each other on the network as connection targets, perform connection authentication and form a communication path for first encrypted communication. In this embodiment the communication device 1 and the device 3 communicate wirelessly.
First, when the device 3 is not connected to a communication device 1, or whenever its connection program is started, it sends a command to search for a communication device 1 (S32). When a communication device 1 receives the search command, it responds with a message containing its own channel information, or its PAN ID (Personal Area Network Identification) and MAC (Media Access Control) address, and so on (S33).
The search may also take the following form: once the communication device 1 has received some authentication information 4 in the authentication information transfer flow, it sends, for a certain period, a command searching for the associated device 3, and the device 3 responds. When the communication device 1 and the device 3 communicate over a wired network using TCP/IP (Transmission Control Protocol / Internet Protocol), the following methods are also conceivable: the communication device 1 broadcasts a search command on an appropriate port number and the corresponding device 3 responds, or the device 3 multicasts a search command over UDP (User Datagram Protocol) and the communication device 1 that holds its common key responds.
On receiving the response from the communication device 1, the device 3 judges that it can connect to that communication device 1, and the two start connection authentication (S34). Connection authentication may, for example, use a protocol such as PANA (Protocol for Carrying Authentication for Network Access, RFC 5191) and authenticate with the EAP-PSK method (Pre-Shared Key Extensible Authentication Protocol, RFC 4764). In that case the authentication information 4 consists of an authentication identity (ID) and a password of the device 3, as in the example of Fig. 4, and is held by the communication device 1 as a result of the authentication information transfer flow. A different authentication ID and password are assigned to each device 3, so a common key unique to the device 3 is generated from the authentication information 4, connection authentication between the communication device 1 and the device 3 follows the PANA procedure, and first encrypted communication then uses the common key. After the initial authentication procedure is complete, the common key may also be refreshed periodically to maintain the security of the communication.
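The flow just described, as an added example that is not part of the patent: the setting terminal decodes an authentication ID and password from the QR payload, the communication device stores them, and device and communication device then prove possession of the password to each other and derive a common key unique to that device, with no management server involved. Everything specific here is an assumption made for the example: the payload layout `id=<authentication ID>;pw=<password>`, the names `decode_auth_info`, `Communicator`, `Device` and `run_connection_auth`, and an HMAC-SHA256 challenge-response with fresh nonces that stands in for the PANA/EAP-PSK procedure named above. Since an eavesdropper who records the exchange can test password guesses offline, the QR-encoded password must be a long random secret, not a user-chosen one.

```python
import hmac
import hashlib
import secrets

# Constructed illustration of the first embodiment. Assumed QR payload layout:
# "id=<authentication ID>;pw=<password>". The HMAC-SHA256 challenge-response
# below stands in for the PANA/EAP-PSK procedure named in the text; the
# communication device needs no management server, only the table it filled
# from the setting terminal.

def decode_auth_info(qr_payload: str):
    """Decode the authentication information read from the QR code (S22/S23)."""
    fields = {}
    for part in qr_payload.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed field: %r" % part)
        fields[key] = value
    if set(fields) != {"id", "pw"} or not fields["id"] or not fields["pw"]:
        raise ValueError("authentication information must carry exactly id and pw")
    return fields["id"], fields["pw"]

def _proof(password, auth_id, n_dev, n_comm, role):
    """Proof of password possession, bound to both nonces and to the sender's role."""
    msg = auth_id.encode() + n_dev + n_comm + role
    return hmac.new(password, msg, hashlib.sha256).digest()

def _common_key(password, n_dev, n_comm):
    """Common key for first encrypted communication, fresh for each nonce pair."""
    return hmac.new(password, b"common-key" + n_dev + n_comm, hashlib.sha256).digest()[:16]

class Communicator:
    """Communication device 1: authentication information per device, one common key per device."""

    def __init__(self):
        self.auth_info = {}    # authentication ID -> password, received from the setting terminal (S26)
        self.pending = {}      # authentication ID -> (device nonce, own nonce) while authenticating
        self.common_keys = {}  # authentication ID -> common key (S27)

    def receive_auth_info(self, auth_id, password):
        self.auth_info[auth_id] = password.encode()

    def respond(self, auth_id, n_dev):
        """Answer a device's connection request; an unknown ID gets no response at all."""
        password = self.auth_info.get(auth_id)
        if password is None:
            return None
        n_comm = secrets.token_bytes(16)
        self.pending[auth_id] = (n_dev, n_comm)
        return n_comm, _proof(password, auth_id, n_dev, n_comm, b"C")

    def finish(self, auth_id, dev_proof):
        """Verify the device's proof and, only on success, install its common key."""
        if auth_id not in self.pending:
            return False
        n_dev, n_comm = self.pending.pop(auth_id)
        password = self.auth_info[auth_id]
        if not hmac.compare_digest(_proof(password, auth_id, n_dev, n_comm, b"D"), dev_proof):
            return False
        self.common_keys[auth_id] = _common_key(password, n_dev, n_comm)
        return True

class Device:
    """Device 3: holds its own authentication ID and password (tamper-resistant storage in practice)."""

    def __init__(self, auth_id, password):
        self.auth_id = auth_id
        self.password = password.encode()
        self.nonce = None
        self.common_key = None

    def start(self):
        self.nonce = secrets.token_bytes(16)
        return self.auth_id, self.nonce

    def verify_and_prove(self, n_comm, comm_proof):
        """Check the communication device first; only then answer and derive the key."""
        if not hmac.compare_digest(_proof(self.password, self.auth_id, self.nonce, n_comm, b"C"), comm_proof):
            return None
        self.common_key = _common_key(self.password, self.nonce, n_comm)
        return _proof(self.password, self.auth_id, self.nonce, n_comm, b"D")

def run_connection_auth(comm, device):
    """Connection authentication after the search step of Fig. 3 (S34): three messages."""
    auth_id, n_dev = device.start()                 # device -> communication device
    reply = comm.respond(auth_id, n_dev)            # communication device -> device
    if reply is None:
        return False
    n_comm, comm_proof = reply
    dev_proof = device.verify_and_prove(n_comm, comm_proof)
    if dev_proof is None:
        comm.pending.pop(auth_id, None)
        return False
    return comm.finish(auth_id, dev_proof)          # device -> communication device
```

The device verifies the communication device's proof before sending its own, so a rogue "communication device" that does not know the password learns nothing usable; a device presenting the right ID with the wrong password fails at the same point, and the communication device keeps whatever key it already holds for that ID. Binding both nonces and the role byte into each proof stops a recorded proof from being replayed or reflected. The 16-byte truncation of the derived key is an arbitrary choice for the example.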
(Effect of the first embodiment)
According to the first embodiment, when a secure communication path using a common key is formed between a device and a communication device, the common key can be shared simply and safely by means of the setting terminal, without the user having to go through a cumbersome input procedure. Because no server managing common keys is required, the method applies to products of many vendors.
(Second embodiment)
The second embodiment attaches information unique to the device to the authentication information in order to avoid connection authentication with a malicious device. The system configuration, the authentication information transfer flow and the connection authentication flow are the same as in the first embodiment (Fig. 1 to Fig. 3); identical parts carry the same reference signs and are not described again.
As shown in the example of Fig. 5, the authentication information 4 consists of the authentication ID and password assigned to the device 3, with the MAC address attached as the information unique to the device 3. The unique information may instead be, for example, an ECHONET attribute unique to the device 3.
In the authentication information transfer flow, the communication device 1 receives the unique information of the device 3 to be authenticated together with the authentication information 4, associates the two and stores them together.
When the device 3 communicates with the communication device 1 over the network, it sends packets that contain information unique to it, such as its MAC address or ECHONET attributes. For example, when it searches for a communication device 1 on the network as in Fig. 3, it includes its own MAC address in the search command.
When the communication device 1 receives a search command, it checks whether the MAC address in the command matches one of the MAC addresses associated with its stored authentication information 4. For a legitimate device the MAC address matches, so the communication device 1 responds and proceeds to connection authentication.
Suppose now that a malicious device, whether or not it has obtained the common key of a device 3, impersonates that device 3 and attempts the connection authentication flow with the communication device 1. The MAC address in the packet sent by the malicious device differs from the MAC address associated with the authentication information 4 stored through the authentication information transfer flow, so the communication device 1 judges it to be an illegitimate peer, does not respond to it and omits all further processing.
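The search-command check of this embodiment, as an added example that is not the patent's code: the communication device stores each device's MAC address next to its authentication information and answers a search command only when the source address is one it knows. The binary frame layout, the `Communicator` class and the function names are assumptions made for the example. Note what the check does and does not give: a source MAC address is trivially spoofable, so this filter sheds the load of answering and authenticating unknown devices (the effect the text claims) but is not itself authentication; the password-based connection authentication of the first embodiment still has to follow.

```python
import struct

# Constructed example for the second embodiment. Assumed frame layouts:
#   search command  : type (1 byte) | source MAC address (6 bytes)
#   search response : type (1 byte) | PAN ID (2 bytes) | responder MAC (6 bytes) | channel (1 byte)
SEARCH = 0x01
SEARCH_RESPONSE = 0x02
SEARCH_FRAME = struct.Struct("!B6s")
RESPONSE_FRAME = struct.Struct("!BH6sB")

def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; reject anything else."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)

def mac_to_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def build_search(src_mac: str) -> bytes:
    """Search command sent by device 3 (S32), carrying its own MAC address."""
    return SEARCH_FRAME.pack(SEARCH, mac_to_bytes(src_mac))

class Communicator:
    """Communication device 1 with the unique-information check of the second embodiment."""

    def __init__(self, pan_id: int, mac: str, channel: int):
        self.pan_id, self.mac, self.channel = pan_id, mac_to_bytes(mac), channel
        self.registered = {}   # device MAC address -> (authentication ID, password)
        self.ignored = 0       # search commands dropped without any response

    def receive_auth_info(self, auth_id: str, password: str, device_mac: str) -> None:
        """Store authentication information 4 together with the device's MAC address."""
        self.registered[mac_to_str(mac_to_bytes(device_mac))] = (auth_id, password)

    def handle_frame(self, frame: bytes):
        """Return a search response (S33) for a registered device, None for everything else."""
        if len(frame) != SEARCH_FRAME.size:
            self.ignored += 1
            return None
        frame_type, src = SEARCH_FRAME.unpack(frame)
        if frame_type != SEARCH:
            self.ignored += 1
            return None
        if mac_to_str(src) not in self.registered:
            self.ignored += 1      # no stored authentication information for this address
            return None
        return RESPONSE_FRAME.pack(SEARCH_RESPONSE, self.pan_id, self.mac, self.channel)

def parse_response(frame: bytes):
    """Device side: decode the response into (PAN ID, communication device MAC, channel)."""
    frame_type, pan_id, mac, channel = RESPONSE_FRAME.unpack(frame)
    if frame_type != SEARCH_RESPONSE:
        raise ValueError("not a search response")
    return pan_id, mac_to_str(mac), channel
```

Malformed or wrong-typed frames are counted and dropped before any lookup, which is the cheap path the embodiment is after: no response means no subsequent authentication state is created for an unknown sender.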
(Effect of the second embodiment)
According to the second embodiment, even if a malicious device attempts to connect to the communication device 1, it cannot communicate with it, and the response to the malicious device and all subsequent processing can be omitted. When ECHONET attribute information is used as the unique information, device-level authentication can be performed after legitimacy has been confirmed at the protocol level.
Security is therefore higher, and the load of communication processing is reduced when a malicious device attacks.
(Third embodiment)
The third embodiment describes the system of Fig. 6, in which a message authentication code (MAC) is attached to the authentication information 4 and the setting terminal 2, which holds the MAC key, prevents the communication device 1 from storing forged authentication information 4 and performing connection authentication with a malicious device. The system configuration, the authentication information transfer flow and the connection authentication flow are the same as in the first embodiment (Fig. 1 to Fig. 3); identical parts carry the same reference signs and are not described again.
A message authentication code is data for verifying the origin of a message and the integrity of its data; it is generated by applying a cryptographic transformation, keyed with the MAC key, to the data being authenticated. Several algorithms exist for generating and verifying it, such as HMAC (Hash-based Message Authentication Code), CBC-MAC (Cipher Block Chaining MAC) and CMAC (Cipher-based Message Authentication Code), and any of them may be used. In this embodiment the MAC key and the generation/verification algorithm are fixed in advance, and the MAC is computed over the authentication ID and password shown in Fig. 4. The MAC key and the specified verification algorithm are held by the setting terminal 2 or by the terminal program installed on it.
In the authentication information transfer flow of Fig. 2, the setting terminal 2 obtains the authentication information 4 and verifies its legitimacy. Specifically, using the MAC key it holds and the specified algorithm, it recomputes the MAC over the authentication ID and password contained in the authentication information 4 and compares the result with the MAC contained in the authentication information 4. If the values are equal, the authentication information 4 is judged legitimate and sent to the communication device 1.
In this embodiment the MAC verification is performed by the setting terminal, but when the setting terminal 2 is not to hold the MAC key, the same processing may be performed by the communication device 1. When authentication information 4 judged legitimate is sent, the MAC may be removed before sending; when there is no concern about the communication with the communication device 1, it may also be sent unchanged.
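The verification step of this embodiment, as an added example that is not the patent's code: an issuer tags the authentication ID and password with an HMAC-SHA256 MAC, and the setting terminal recomputes the tag with the key it holds, accepts the information only when the tags match, and forwards it with the tag stripped. The payload layout, the 16-byte tag truncation, the demo key and the names `issue_auth_info` and `verify_auth_info` are assumptions made for the example. Two practical points the text leaves implicit: the comparison must be constant-time, and a MAC key embedded in a widely installed terminal program can be extracted from it, so the tag only defeats forgers who lack the key; the alternative the text allows, verifying on the communication device, keeps the key off the phone.

```python
import hmac
import hashlib

# Constructed example for the third embodiment. Assumed QR payload layout:
# "<authentication ID>;<password>;<hex MAC>", MAC = HMAC-SHA256 truncated to
# 16 bytes. The key below is a placeholder for the example, not a real secret.
MAC_KEY = b"constructed-demo-mac-key-not-for-production"
TAG_LEN = 16
SEP = ";"

def _tag(auth_id: str, password: str, key: bytes) -> bytes:
    """MAC over the ID and password, each length-prefixed so field boundaries are unambiguous."""
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in (auth_id, password))
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def issue_auth_info(auth_id: str, password: str, key: bytes = MAC_KEY) -> str:
    """Issuer side (e.g. the device manufacturer): the payload encoded into the QR code of Fig. 6."""
    if SEP in auth_id or SEP in password:
        raise ValueError("fields may not contain the separator")
    return SEP.join((auth_id, password, _tag(auth_id, password, key).hex()))

def verify_auth_info(payload: str, key: bytes = MAC_KEY):
    """Setting terminal side: (auth_id, password) with the MAC removed, or None if forged or malformed."""
    parts = payload.split(SEP)
    if len(parts) != 3:
        return None
    auth_id, password, tag_hex = parts
    try:
        tag = bytes.fromhex(tag_hex)
    except ValueError:
        return None
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if len(tag) != TAG_LEN or not hmac.compare_digest(_tag(auth_id, password, key), tag):
        return None
    return auth_id, password
```

The returned pair is exactly what the terminal program forwards over setting communication (S25) when the MAC is stripped; a `None` result means nothing is sent, so the communication device never stores a forged entry. Length-prefixing the fields before hashing closes the ambiguity that a bare concatenation would leave between different ID/password splits of the same byte string.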
(Effect of the third embodiment)
According to the third embodiment, the communication device 1 is prevented from storing forged authentication information 4 and performing connection authentication with a malicious device, so a more secure authentication system can be provided.
The present invention is not limited to the embodiments described above; at the implementation stage its components may be modified and embodied without departing from its gist.
For example, in case a malicious third party could decode the QR code, the authentication information 4 may additionally be encrypted with a key shared with the communication device 1 or the setting terminal 2.
Various inventions can also be formed by suitably combining the components disclosed in the embodiments: some components may be omitted from those shown in an embodiment, and components of different embodiments may be combined as appropriate.
Brief description of the drawings
Fig. 1 is a configuration diagram of the system of an embodiment of the present invention.
Fig. 2 is a sequence diagram of the authentication information transfer flow of an embodiment of the present invention.
Fig. 3 is a sequence diagram of the connection authentication flow of an embodiment of the present invention.
Fig. 4 is an example of the authentication information of an embodiment of the present invention.
Fig. 5 is an example of authentication information with device-unique information attached, according to an embodiment of the present invention.
Fig. 6 is an example of authentication information with a message authentication code attached, according to an embodiment of the present invention.
[Explanation of reference signs]
1: communication device
2: setting terminal
3: device
4: authentication information
S21 to S27, S31 to S34: steps
Claims (7)
1. A communication device, comprising:
a setting communication module capable of receiving authentication information associated with a given device;
a key generation module that generates a common key shared with the device based on the authentication information; and
a first encrypted communication module that uses the common key for first encrypted communication with the device.
2. The communication device according to claim 1, wherein:
the setting communication module is a second encrypted communication module that receives the authentication information from a setting terminal by performing second encrypted communication with the setting terminal.
3. The communication device according to claim 1 or 2, further comprising:
a connection authentication module that performs connection authentication with the device using the authentication information, so that first encrypted communication is performed with the device that has passed connection authentication.
4. The communication device according to claim 1 or 2, wherein:
when the authentication information contains information unique to the device, connection authentication is not performed with any other device that does not match the unique information.
5. The communication device according to claim 1 or 2, wherein:
when the authentication information contains a message authentication code, the legitimacy of the authentication information is verified by the setting terminal, and only authentication information judged legitimate is received.
6. An authentication method, comprising the following steps:
a step in which a setting terminal obtains authentication information associated with a given device and sends it to a communication device;
a step in which the communication device generates a common key shared with the device based on the authentication information; and
a first encrypted communication step in which the communication device and the device use the common key for first encrypted communication.
7. An authentication system, comprising:
a device;
a setting terminal that obtains authentication information associated with the device and sends it to a communication device; and
a communication device that generates a common key shared with the device based on the authentication information and uses the common key for first encrypted communication with the device.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
JP2014005601A (granted as JP6241658B2) | 2014-01-16 | 2014-01-16 | Communication device, terminal program, authentication program, authentication method, and authentication system
JP2014-005601 | 2014-01-16 | |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104796256A true CN104796256A (en) | 2015-07-22 |
Family
ID=51609909
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410643999.1A Pending CN104796256A (en) | 2014-01-16 | 2014-11-07 | Communication device, authentication method and authentication system |
Country Status (2)
Country | Link |
---|---|
JP (1) | JP6241658B2 (en) |
CN (1) | CN104796256A (en) |
Also Published As
Publication number | Publication date |
---|---|
JP6241658B2 (en) | 2017-12-06 |
JP2015135996A (en) | 2015-07-27 |
Legal Events
Code | Title
---|---
C06 | Publication
PB01 | Publication
WD01 | Invention patent application deemed withdrawn after publication
Application publication date: 2015-07-22