JP2004215232A - Encryption key setting system, access point, and encryption key setting method, and authentication code setting system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize a newly addition of a terminal that utilizes a wireless LAN by a simple method while preventing leak of data representing an encryption key. <P>SOLUTION: An access point 20 uses a register button 127 to change the coverage range of a radio wave transmitted from the access point 20 from a radio communication area AR1 that is an ordinary range, into a security communication area MR1 that is a narrower range. Thereafter, the access point 20 distributes a WEP (wired equivalent privacy) key to be used to a terminal 50 and registers a MAC (media access control) address of the terminal 50 after distribution is confirmed. The terminal 50 sets the distributed WEP key to itself. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

  The present invention relates to an encryption key used for encrypting wireless communication data wirelessly communicated between an access point, which is a relay device for wireless LAN, and a terminal having a device for wireless LAN connection prior to communication. To the terminal and the access point.

  2. Description of the Related Art In recent years, an access point, which is a repeater for a wireless LAN, is a device that connects a plurality of distant computers to the Internet, and is a place where a specific person continuously works, such as in a home or office (hereinafter, private space). Not only), but also hotels, airports, shopping streets, parks, stations, and other places where a large number of unspecified people are temporarily active (hereinafter referred to as public spaces). For example, by connecting an access point to a broadband line that realizes a high-speed Internet connection service such as an xDSL line or a CATV line, and arranging the access point in a public space, a range where radio waves transmitted from the access point reach (wireless communication area) There has been proposed a service that provides a space (hereinafter, referred to as a free spot) that allows free connection to the Internet to an unspecified number of people inside the building. In other words, the broadband line subscribed to by the public space manager is opened to the terminal owned by the public space user using the wireless LAN access point. Thereby, the convenience of the Internet connection by the user is enhanced, and the use of the public space can be promoted.

  In such a free spot, the right to connect to the Internet via a wireless LAN in a wireless communication area may be granted only to a limited person (for example, a customer). It was necessary to prevent unauthorized entry into the network by humans. Also, in free spots where many people gather, radio waves for wireless communication frequently fly between the terminal and access point owned by each person, so in order to fully protect the privacy of many people, There was a need to reliably prevent communication contents from leaking to a third party due to interception of radio waves in the wireless communication area.

  On the other hand, regarding the wireless LAN, various security technologies for preventing unauthorized intrusion into a network and leakage of communication contents to a third party have been conventionally proposed. For example, a MAC (Media Access Control) address, which is a unique identification number assigned in advance to a wireless LAN connection device (for example, a wireless LAN adapter) attached to a terminal, is used, and the MAC address is registered in an access point. In addition, the access point authenticates the MAC address in accordance with the access from the terminal, and if the MAC address is a MAC address other than the registered MAC address, a technology for rejecting the connection request from the terminal to the network (hereinafter, MAC address). Address restriction) has been proposed (for example, see Patent Document 1). In addition, a WEP (Wired Equivalent Privacy) key is set in the terminal and the access point as a common encryption key, and the content of data exchanged between the terminal and the access point is encrypted using the WEP key, and the data is encrypted. A technology has also been proposed that makes it difficult to analyze the contents of data even if it leaks (hereinafter referred to as WEP encryption) (for example, see Patent Document 2).

JP 2001-320373 A JP 2001-345819 A

  Therefore, in order to realize a free spot in which security is ensured, a MAC address is registered and a WEP key is set for the terminal of each person who intends to use the free spot before using the free spot. Needed.

  However, in the above-described conventional security technology, it is necessary to manually register a MAC address in an access point and set a WEP key in a terminal, and when a terminal using a wireless LAN is newly added. However, there is a problem that it is complicated and inconvenient. In particular, in the free spot provided in the public space, there are many people who try to use the free spot, and the number gradually increases. It is extremely inconvenient and impractical to impose such a large number of terminal owners with a terminal operation for registering a MAC address and setting a WEP key as a condition for using a free spot.

  Also, in order to set the WEP key set using an arbitrary character string on the terminal side also on the access point side, it is necessary to set the WEP key using a wireless LAN, that is, to transmit the WEP key data from the terminal to a radio wave. It is reasonable for the access point to carry it wirelessly and to set a WEP key for the terminal. This is because the terminal owner can use various services (for example, Internet connection) via the wireless LAN immediately after transmitting the WEP key. When the WEP key is transmitted wirelessly as described above, the WEP key may be leaked to a third party due to interception of radio waves between the terminal and the access point. In this case, a third party who has obtained the leaked WEP key can analyze all data exchanged between the terminal in which the WEP key is set and the access point to know the contents of the data, In this case, the security system using encryption will not function. In particular, at a free spot access point, WEP keys are set for terminals of a large number of persons who intend to use the free spot, so that leakage of the WEP key is completely prevented, and communication of a large number of users is prevented. It is necessary to secure a secret.

  Therefore, the present invention solves the above-mentioned problem, and aims to realize a new addition of a terminal using a wireless LAN by a simple method while preventing leakage of data representing an encryption key. Was taken.

The encryption key setting system of the present invention
An encryption key used for encrypting wireless communication data wirelessly communicated between an access point, which is a relay device for a wireless LAN, and a terminal having a device for wireless LAN connection prior to communication; An encryption key setting system for setting
Communication range limiting means for narrowing the wireless communication range between the access point and the terminal than a normal communication range,
When the wireless communication range is narrowed by the communication range limiting unit, the terminal device located within the communication range and the access point wirelessly communicate encryption key data representing the contents of the encryption key, thereby enabling the wireless communication range to be reduced. And an encryption key setting means for setting an encryption key.

  The wireless LAN connection device is a device that is attached to the terminal so that wireless communication can be performed between the terminal and the access point. As an example of the wireless LAN connection device, a wireless LAN adapter or a wireless LAN card can be considered.

  In the encryption key setting system of the present invention, an encryption key used when encrypting wireless communication data communicated between an access point and a terminal is set. When the wireless communication range between the access point and the terminal is narrower than the normal communication range, the encryption key is set between the terminal and the access point using encryption key data representing the contents of the encryption key. Is performed by wireless communication. In this way, even if the encryption key data is communicated wirelessly, the encryption key data is exchanged in a narrow range centered on the access point, so that it is difficult to intercept the wireless communication with the encryption key data, Leakage of encryption key data is prevented. Therefore, it is possible to easily add a new terminal using the wireless LAN while preventing the leakage of the encryption key data, and it is possible to realize a wireless LAN that can be easily joined with a high security level.

  Various modes can be considered as modes for realizing the communication range limiting unit. For example, it can be realized on the access point side. Specifically, instructing means for instructing an access point to start setting of the encryption key, and condition determining means for determining a condition for narrowing the wireless communication range from a normal communication range based on an instruction from the instruction means. And the communication range limiting unit may be a unit that narrows the wireless communication range under the conditions determined by the condition determining unit. In this way, when an instruction to start setting the encryption key is issued, the wireless communication range is narrowed under the conditions determined based on the instruction, and the encryption key is set. Therefore, it is not necessary to keep the access point in a state of always accepting the setting of the encryption key. In addition, as the above-mentioned instruction means, in addition to an instruction by operating an operation unit physically provided in the access point, a wireless communication with the access point such as a terminal equipped with a device for wireless LAN connection or a remote controller can be used. A device that gives an instruction by operating a device that can remotely control the device can be considered.

  When the access point receives an instruction to set an encryption key from the terminal, the access point performs control to narrow the wireless communication range from a normal communication range. Control for returning the communication range to the normal communication range may be performed. This allows the terminal owner to set the encryption key without touching the access point. Further, the communication range limiting means may be a means for narrowing the wireless communication range by adjusting the transmission output of the access point.

  The communication range limiting unit may be a shield that shields a terminal and an access point on which the encryption key is set from the wireless signal. In this way, the radio on which the encryption key data is carried (hereinafter referred to as encryption key radio) may be sent out of the shield, or the radio for intercepting the encryption key radio may enter the interior of the shield. It is reliably prevented. Therefore, leakage of the encryption key data to a third party can be completely prevented.

  The access point may include a registration unit that registers information unique to the terminal to be communicated. By doing so, it is possible to allow only the terminal in which the unique information is registered to connect to the wireless LAN, and it is possible to prevent a person who does not have connection authority from connecting to the wireless LAN. Further, it is possible to prevent a person without connection authority from invading a terminal or an access point on the LAN and acquiring various data such as encryption key data.

The access point of the present invention
A wireless LAN repeater for performing wireless communication with a terminal equipped with a wireless LAN connection device, wherein communication is performed using a set encryption key prior to wireless communication with the terminal. An access point that performs wireless communication with the terminal by encrypting the target wireless communication data and using the encrypted wireless communication data,
Communication range limiting means for narrowing the wireless communication range between the terminal and the normal communication range,
When the wireless communication range is narrowed by the communication range limiting unit, the encryption key is set by wirelessly communicating encryption key data representing the content of the encryption key with a terminal existing within the communication range. And an encryption key setting unit that performs

  In the access point of the present invention, an encryption key used for encrypting wireless communication data to be communicated with the terminal is wirelessly communicated to the terminal, and the encryption key is set in the terminal. Such an encryption key is set by wirelessly communicating encryption key data representing the contents of the encryption key with the terminal when the wireless communication range with the terminal is narrower than the normal communication range. Done. In this way, even if the encryption key data is communicated wirelessly, the encryption key data is exchanged in a narrow range centered on the access point, so that it is difficult to intercept the wireless communication with the encryption key data, Leakage of encryption key data is prevented. Therefore, it is possible to easily add a new terminal using the wireless LAN while preventing the leakage of the encryption key data, and it is possible to realize a wireless LAN that can be easily joined with a high security level.

The encryption key setting method of the present invention includes:
An encryption key used for encrypting wireless communication data wirelessly communicated between an access point, which is a relay device for a wireless LAN, and a terminal having a device for wireless LAN connection prior to communication; Is set to
The wireless communication range between the access point and the terminal is narrower than a normal communication range,
When the wireless communication range is narrowed, the encryption key is set by wirelessly communicating encryption key data representing the content of the encryption key between a terminal existing in the communication range and the access point. That is the gist.

  According to the encryption key setting method of the present invention, an encryption key used for encrypting wireless communication data communicated between an access point and a terminal is set in the terminal. When the wireless communication range between the access point and the terminal is narrower than the normal communication range, the encryption key is set between the terminal and the access point using encryption key data representing the contents of the encryption key. Is performed by wireless communication. In this way, even if the encryption key data is communicated wirelessly, the encryption key data is exchanged in a narrow range centered on the access point, so that it is difficult to intercept the wireless communication with the encryption key data, Leakage of encryption key data is prevented. Therefore, it is possible to easily add a new terminal using the wireless LAN while preventing the leakage of the encryption key data, and it is possible to realize a wireless LAN that can be easily joined with a high security level.

The authentication code setting system of the present invention includes:
An authentication code required when a terminal including a device for wireless LAN connection wirelessly communicates with an access point, which is a relay device for wireless LAN, to access predetermined data on a network, is transmitted to the terminal and the access point. An authentication code setting system for setting at least one of the following,
Range limiting means for narrowing the wireless communication range between the access point and the terminal than a normal communication range,
When the wireless communication range is narrowed by the communication range limiting unit, the authentication code is transmitted by wirelessly communicating data representing the content of the authentication code between a terminal existing in the communication range and the access point. And a setting means for setting.

  As the above authentication code, personal information (for example, the name of the terminal owner, ID, password, and the like) necessary for obtaining the pay information from the access point can be considered.

  In the authentication code setting system of the present invention, an authentication code required when a terminal wirelessly communicates with an access point to access predetermined data on a network is set in at least one of the terminal and the access point. When the wireless communication range between the access point and the terminal is narrower than the normal communication range, the authentication code is set between the terminal and the access point by data representing the content of the authentication code (hereinafter, referred to as “authentication code”). , Authentication code data) by wireless communication. In this way, even when the authentication code data is wirelessly communicated, the authentication code data is exchanged in a narrow range centered on the access point, so that it is difficult to intercept the wireless communication carrying the authentication code data, The leakage of the authentication code data is prevented. Therefore, it is possible to easily set the authentication code for the terminal using the wireless LAN while preventing the leakage of the authentication code data, and to increase the security level of the wireless LAN.

In order to further clarify the configuration and operation of the present invention described above, embodiments of the present invention will be described below in the following order.
A. First embodiment (encryption key setting system LH1)
A-1. Outline of encryption key setting system LH1 A-2. Content of processing related to WEP key setting A-3. Action and effect B. Second embodiment (encryption key setting system LH2)
C. Modified example

A. Example:
A-1. Overview of encryption key setting system LH1:
FIG. 1 is an explanatory diagram showing a configuration of hardware for realizing an encryption key setting system LH1 according to a first embodiment of the present invention, and FIG. 2 is an explanatory diagram showing a configuration of an access point 20. The encryption key setting system LH1 carries out wireless communication between the terminal 50 and the access point 20 by carrying key data representing the contents of a WEP key as an encryption key on a radio wave in the wireless communication area AR1 of the wireless LAN. , A WEP key used by the access point 20 in the terminal 50.

  As shown in FIG. 1, an access point (radio base station) 20, which is a repeater for a wireless LAN, is installed in the wireless communication area AR1. As shown in FIG. 2, the access point 20 includes a CPU 11, a non-volatile storage device 14, such as a ROM 12, a RAM 13, and a hard disk, a WAN port 17 as a network interface, a wired LAN, and the like. , A wireless communication interface 18, a display controller 15, an input / output controller 16, and the like.

  The ROM 12 stores various programs related to communication with the terminals 50, 60, and 70 in the wireless communication area AR1 and connection to the Internet IN, and data necessary for executing the programs. A push-type registration button 127 is connected to the input / output controller 16. The registration button 127 is provided in a state where the pressing portion is exposed on the housing surface of the access point 20. The display controller 15 is connected to various display lamps 19 for displaying the connection state and the communication state of the wireless LAN by lighting and blinking.

  The wireless communication interface 18 is connected to a transmitter 25 for transmitting radio waves and a receiver 26 for receiving radio waves. The transmitter 25 and the receiver 26 are built in the access point 20 in a state where transmission of radio waves to the outside and reception of radio waves from the outside are possible. In FIG. 1, when the output of the transmitter 25 and the reception sensitivity of the receiver 26 are set to standard values, the radio wave transmitted from the transmitter 25 reaches and the receiver 26 receives signals from the terminals 50, 60, 70. The range in which radio waves can be received is represented as a wireless communication area AR1. By installing such an access point 20, a wireless LAN with the normal communication range within the wireless communication area AR1 is established.

  In the ROM 12, as a program relating to communication with the terminals 50, 60, and 70, an output value change program in which the contents of a process of temporarily changing the standard setting value of the output of the transmitter 25 are described, and a program for the receiver 26 are described. A receiving sensitivity value changing program in which the content of the process of temporarily changing the standard setting value of the receiving sensitivity is described is stored in advance. The process of changing the set value is specifically realized by an arithmetic process of multiplying the standard set value by 1 / n (n is a predetermined constant). The CPU 11 outputs the changed output value and receiving sensitivity value to the transmitter 25 and the receiver 26 via the wireless communication interface 18 by executing the output value changing program and the receiving sensitivity value changing program. Thereby, the output of the radio wave transmitted from the transmitter 25 and the reception sensitivity of the radio wave at the receiver 26 are changed.

  The terminals 50, 60, and 70 are well-known notebook personal computers, and include a control device including a CPU, a ROM, a RAM, and the like, as well as a hard disk and a CD-ROM drive as storage devices. Of course, another terminal such as a portable information terminal (Personal Digital Assistant) may be used.

  The terminals 50, 60, and 70 are provided with wireless LAN adapters 52, 62, and 72 as wireless LAN connection devices that enable transmission and reception of radio waves to and from the access point 20. By incorporating the device drivers of the wireless LAN adapters 52, 62, and 72 into the terminal 50, the terminals 50, 60, and 70 recognize the attached wireless LAN adapters 52, 62, and 72, and the wireless LAN adapters 52, 62. , 72 can be controlled. The wireless LAN adapters 52, 62, and 72 are provided with MAC addresses, which are identification numbers unique to the adapters.

  The terminals 50, 60, and 70 as computers that have entered the wireless communication area AR1 communicate with the access point 20 by transmitting and receiving radio waves between the attached wireless LAN adapters 52, 62, and 72 and the access point 20. Wireless communication. The access point 20 and the wireless LAN adapters 52, 62, 72 can convert the exchanged data into a format suitable for communication, that is, a so-called packet. Between them, it is theoretically possible to exchange data off-line (without being connected to the Internet).

  Next, a configuration for connecting the access point 20 to the Internet IN will be described. As shown in FIG. 1, a router 28 having a built-in modem is connected to a WAN port 24 of the access point 20 via a cable. The router 28 can identify a plurality of terminals 50, 60, 70 in the wireless LAN based on the MAC addresses of the wireless LAN adapters 52, 62, 72 and distinguish them.

  The modem in the router 28 is connected to the Internet IN via a broadband communication line CL such as a CATV line or xDSL line, and a dedicated line of the provider PV. That is, the router 28 functions as a gateway that connects the wireless LAN to the Internet IN.

  In the present embodiment, a terminal having a MAC address registered in the access point 20 (hereinafter, referred to as a registered terminal) among terminals equipped with a wireless LAN adapter owned by a person in the wireless communication area AR1 Allow connection to LAN. The owner of the registered terminal can connect his / her terminal to the Internet IN through the access point 20 and acquire various information such as web contents stored in the server SV on the Internet IN. On the other hand, a terminal whose MAC address is not registered in the access point 20 (referred to as a non-registered terminal) cannot connect to the wireless LAN even in the wireless communication area AR1. That is, the wireless communication area AR1 is a free spot that provides a connection service to the Internet IN only to the owner of the registered terminal. In FIG. 1, the terminals 50 and 60 correspond to registered terminals, and the terminal 70 corresponds to a non-registered terminal.

  Between these registered terminals and the access point 20, data having various contents such as contracts and services (hereinafter referred to as data with contents) is transmitted and received on radio waves. In the present embodiment, the device (registration terminal, access point 20) that transmits the data with content encrypts the data with content using the above-described encryption key called the WEP key before transmission, and (Hereinafter referred to as “encrypted data”) is transmitted to the receiving device (the access point 20 and the registration terminal). The device on the receiving side decrypts the received encrypted data using the WEP key to obtain data with contents.

  WEP is an encryption technology of a secret key encryption method (a method of using the same encryption key for both data encryption and decryption of encrypted data) used in IEEE802.11. A 64-bit or 128-bit WEP key is used.

  Such encryption using the WEP key makes it difficult to analyze data with content when radio waves carrying data with content in the wireless communication area AR1 are intercepted, thereby preventing leakage of communication content to a third party. Is prevented. For example, when a contract document including a credit card number is transmitted from the registration terminal to the access point 20, it is possible to prevent a third party from knowing the credit card number by interception of a transmission radio wave. .

A-2. Details of processing related to WEP key setting:
Next, a method of setting the WEP key in the terminals 50 and 60 will be described.

  In the ROM 12 of the access point 20, a program (MAC registration program) related to registration of the MAC addresses of the wireless LAN adapters 52 and 62 is stored in advance as a program related to communication with the terminals 50 and 60. On the other hand, the utility programs installed in the terminals 50 and 60 when using the wireless LAN include a program relating to the setting of the WEP key (WEP key setting program).

  The CPUs of the terminals 50 and 60 execute the contents of the WEP key setting program, and the CPU 11 of the access point 20 executes the contents of the MAC registration program and the output value changing program along with the execution of the WEP key setting program. Thus, the security data setting process shown in FIG. 3 is performed. By performing the security data setting process, the MAC addresses of the wireless LAN adapters 52 and 62 are registered in the access point 20, and a common WEP key is set in the access point 20 and the terminals 50 and 60.

  The contents of the security data setting process will be described with reference to FIGS. FIG. 3 is a flowchart showing a security data setting processing routine. FIG. 4 is an explanatory diagram showing, as the security communication area MR1, the transmittable range of the radio wave in the transmitter 25 after the output value is changed. In the following description regarding FIGS. 3 and 4, it is assumed that the terminal to be registered with the MAC address or the target to be set with the WEP key is the terminal 50.

  The security data setting processing routine includes a routine A executed by the CPU on the terminal 50 side and a routine B executed by the CPU 11 on the access point 20 side. Prior to registration by this routine, the administrator of the access point 20 confirms that the terminal 50 is in the security communication area MR1, and activates the registration button 127 (steps S200, S210). The security communication area MR1 is a range in which radio waves can be transmitted by the transmitter 25 when the standard setting value is temporarily reduced by executing the output value changing program described above (see FIG. 4). By the operation of the registration button 127, the access point 20 changes the operation mode from the normal mode to the registration mode, executes the output value change program described above, and changes the output value of the transmitter 25 to the standard setting value of 1 / N is performed (step S220). Thereby, the range in which the transmitter 25 can transmit radio waves is within the security communication area MR1 shown in FIG. 4, and is smaller than the wireless communication area AR1. Therefore, even if the registered terminal is in the wireless communication area AR1, if it is not in the security communication area MR1, it cannot access the access point 20.

  Next, the terminal 50 specifies the MAC address of the wireless LAN adapter 52, and adds a packet in which the MAC address is added as header information to data representing an instruction to join the wireless LAN (hereinafter, referred to as joining instruction) to the access point. 20 is transmitted (step S100).

  Subsequently, the access point 20 performs a process of reading the MAC address from the header information of the received packet and temporarily storing the read MAC address in the buffer area of the RAM 13 (Step S230).

  Subsequently, the access point 20 performs a process of transmitting data representing the WEP key to be used (hereinafter, referred to as WEP key data) to the terminal 50 (step S250), and determines whether the WEP key data has been distributed to the terminal 50. A determination process is performed (step S255). This determination as to whether or not distribution has been made can be realized by using the data return function of the wireless LAN adapter 52 described above. If it is determined that the WEP key data has not been distributed to the terminal 50, the MAC address stored in the RAM 13 is deleted (step S260), and this routine ends.

  On the other hand, when it is determined that the WEP key data has been delivered to the terminal 50, the output value changing program described above is executed to perform a process of returning the output value of the transmitter 25 to the standard setting value (step S270). As a result, the range in which the transmitter 25 can transmit radio waves becomes a normal range (wireless communication area AR1), and the registered terminal can access the access point 20 if it is within the wireless communication area AR1.

  Subsequently, the access point 20 performs a process of registering the MAC address of the terminal 50 in the management area of the storage device 14 (Step S280), returns the operation mode to the normal mode, and ends this routine. This completes the registration of the MAC address for the terminal 50 on the access point 20 side.

  On the other hand, the terminal 50 that has received the WEP key data in the process of step S250 performs a process of automatically setting the WEP key in association with the IP address of the access point 20 (step S110), and terminates this routine. This completes the setting of the WEP key for the access point 20 on the terminal 50 side. Thereafter, encrypted data obtained by encrypting the data with content using the set WEP key is transmitted and received between the terminal 50 and the access point 20.

A-3. Effect:
In the encryption key setting system LH1 of the first embodiment described above, the WEP key is automatically set in the terminal 50 by executing the above security data setting processing. By performing such “automatic setting of the WEP key by wireless communication”, it is possible to easily add a new terminal 50 using the wireless LAN, and to provide a wireless LAN that is easy to join. . For example, when setting the WEP key, the owner of the terminal 50 or the administrator of the access point 20 does not need to connect the terminal 50 and the access point 20 with a cable or the like, and manually creates and sets the WEP key. There is no need to do this. In particular, it is more preferable to employ the above-described encryption key setting system LH1 for a wireless LAN provided at a free spot. This is because the wireless LAN of the free spot is one in which many people who intend to use the wireless LAN newly join one after another, and the necessary work can be greatly reduced according to the setting of each person.

  Further, when transmitting the WEP key data to the terminal 50 by transmitting the data of the WEP key to the terminal 50, the access point 20 narrows the range in which the radio wave transmitted from the access point 20 reaches from the normal radio communication area AR1. The area is changed to the security communication area MR1. Therefore, the possibility that the radio wave carrying the WEP key data is intercepted is reduced. For example, in FIG. 4, when the WEP key data is transmitted from the access point 20 to the terminal 50, the radio wave carrying the WEP key data only reaches within the narrow security communication area MR1 (see arrow Q1). ), It is not received by the registered terminal 60 or the non-registered terminal 70 outside the security communication area MR1. Therefore, even when the WEP key data is transmitted wirelessly as described above, the leakage of the WEP key can be prevented, and a wireless LAN with a high security level can be realized. In particular, when such an access point 20 is installed in a free spot, the WEP key may leak to a third party when setting the WEP key for the terminals of a large number of persons who intend to use the free spot. It is reliably prevented. Therefore, it is possible to ensure the confidentiality of communication of a large number of users.

  Further, in the encryption key setting system LH1 of the first embodiment, the access point 20 creates a WEP key by temporarily reducing the communication range in accordance with the reception of the data indicating the join instruction from the terminal 50, and creates the WEP key. After transmitting the key to the terminal 50, the communication range is restored. Therefore, the owner of the terminal 50 can set the WEP key without touching the access point 20, which is simple and hygienic.

  In the encryption key setting system LH1 of the first embodiment, the access point 20 registers the MAC address of the terminal 50 together with the setting of the WEP key, and permits only the registered terminals 50 and 60 to connect to the wireless LAN. Thereby, the connection to the wireless LAN by the unregistered terminal 70 can be prevented by a simple method. Further, it is possible to prevent the unregistered terminal 70 from invading the registered terminals 50 and 60 and the access point 20 on the LAN and acquiring various data such as WEP key data.

  In the first embodiment, the period for narrowing the communication range is as follows: (a) While the registration button 127 is being pressed, (b) From when the registration button 127 is pressed until the MAC address and the WEP key are registered. (C) The period from pressing the registration button 127 to pressing it again may be considered.

  Further, in the first embodiment, the registration button 127 physically provided on the access point 20 is used as a trigger for narrowing the communication range. It is also possible to realize the "means" and narrow the communication range. Specifically, a configuration in which the access point changes the operation mode to the registration mode when receiving specific data from a predetermined device to narrow the communication range can be considered. As the predetermined device, a device capable of performing remote control of an access point wirelessly, specifically, a remote controller 30 with a registration button 127A shown in FIG. A terminal equipped with a device for LAN connection can be considered. The transmission of specific data from these devices can be performed by touching a button or a key provided in the device (for example, pressing a registration button 127A shown in FIG. 6A), or selecting an option on a screen provided in the device. (For example, when the registration tab TB displayed on the screen of the terminal 50 shown in FIG. 6B is clicked) or the like is performed. When the predetermined device is the terminal 50 to which the wireless LAN adapter 52 is attached, in the first embodiment, when the access point 20 receives the data indicating the subscription instruction from the terminal 50, the access point 20 goes into the registration mode. May be changed. In this case, it is possible to determine that the terminal 50 is in the security communication area MR1 based on the communication response time.

  According to such a configuration, it becomes possible for the terminal owner and the access point manager to set the WEP key without touching a switch or the like on the access point side, thereby increasing the degree of freedom of the installation position of the access point. Can be. For example, even when an access point is installed in a place that is difficult to reach (for example, a ceiling in a store), setting of a WEP key with a terminal can be performed smoothly.

B. Second embodiment (encryption key setting system LH2):
Next, a second embodiment will be described. In the first embodiment, the interception of the radio wave carrying the data of the WEP key is prevented by a software method of temporarily narrowing the communication range when setting the WEP key. On the other hand, in the encryption key setting system LH2 of the second embodiment, the fact that the radio wave carrying the WEP key data is intercepted is determined by a hardware method called “shield box 95 covering the access point 20 and the terminal 50”. Realize.

  FIG. 6 is an explanatory diagram showing an apparatus configuration for realizing the encryption key setting system LH2 according to the second embodiment of the present invention. The access point 20 and the terminals 50, 60, and 70 have substantially the same configuration as in the first embodiment, and the access point 20 forms a wireless communication area AR1 similar to that in the first embodiment. As shown in FIG. 6, the access point 20 and the terminal 50 are arranged on a floor plate 96. This shield plate 95 is covered with a shield box 95 having a hollow portion capable of containing the access point 20 and the terminal 50. The shield box 95 and the floor plate 96 are formed of a metal such as iron.

  In the second embodiment, the setting of the WEP key is performed in the following procedure. First, a person who wants to join the wireless LAN goes to the installation location of the access point 20 and places his / her own terminal 50 and the access point 20 on the floor board 96. At this time, the access point 20 may be arranged on the floor plate 96 in advance. Next, the person who wants to join the wireless LAN operates the terminal 50 to give an instruction to join the wireless LAN, and then puts the shield box 95 on the floor plate 96. The access point 20 receives the data indicating the join instruction from the terminal 50, and after a lapse of a predetermined time (for example, the time required to cover the shield box 95) from the reception, registers the same MAC address as in the first embodiment. Processing and WEP key setting processing (steps S100, S230, to S260, step S280, and step S110) are performed. Thereby, the registration of the MAC address for the terminal 50 on the access point 20 side is completed, the data of the WEP key created by the access point 20 is transmitted to the terminal 50, and the setting of the WEP key for the terminal 50 is completed.

  In the encryption key setting system LH2 of the second embodiment described above, the terminal 50 and the access point 20 that exchange WEP key data are shielded by the shield box 95 when setting the WEP key. Therefore, it is possible to reliably prevent a radio wave carrying WEP key data from being intercepted. For example, in FIG. 6, when WEP key data is transmitted from the access point 20 to the terminal 50, the radio wave carrying the WEP key data cannot pass through the shield box 95 (see arrow Q2). It is not received by the registered terminal 60 or the non-registered terminal 70 in the area AR1. Further, even when the registered terminal 60 or the non-registered terminal 70 in the wireless communication area AR1 tries to intercept the radio wave carrying the WEP key data, the radio wave cannot pass through the shield box 95 (arrow Q3). ), The radio wave carrying the WEP key data cannot be caught. Therefore, even when the WEP key data is transmitted wirelessly, it is possible to prevent the leakage of the WEP key data, and to realize a wireless LAN with a high security level.

C. Modification:
Although the embodiments of the present invention have been described based on the embodiments, the present invention is not limited to these embodiments and can be implemented in various modes without departing from the gist of the present invention. Of course.

  For example, in the above embodiment, a configuration may be adopted in which an external antenna is connected to the access point 20 by wire, and a MAC address is registered and a WEP key is set by wireless communication between the external antenna and the terminal 50. By doing so, the degree of freedom of the installation location of the access point 20 can be increased. For example, an external antenna can be installed in a corner of a store to set a WEP key near the external antenna, and an access point 20 can be installed in the center of the store to secure a wide wireless communication area throughout the store. .

  In the above embodiment, WEP was used as a technique for encrypting the content of data exchanged between the terminal and the access point, but other encryption techniques than WEP may be used. For example, an encryption technique of a public key encryption method (a method using different encryption keys for data encryption and decryption of encrypted data) may be used. It is also conceivable to use WPA (Wi-Fi Protected Access), which is an encryption technique stronger than WEP.

  In the above-described embodiment, the setting of the WEP key is realized by transmitting and receiving radio waves between the wireless LAN adapter 52 attached to the terminal 50 and the transmitter 25 and the receiver 26 of the access point 20. The WEP key may be set by wireless communication. As such other radio, infrared, light, voice signal, ultrasonic wave, weak radio wave and the like can be considered. In addition, wireless communication between the terminal 50 and the access point 20 can be realized using a short-range wireless communication method called Bluetooth (trademark).

  Further, the data transmission by other radio as described above may be used in combination with the configuration of the above embodiment. As an example, a configuration using data transmission by infrared rays together will be described below. The difference from the configuration of the above embodiment is that the access point 20 is provided with an infrared receiving interface interconnected by the CPU 11 and the bus, and an infrared receiving unit connected to the infrared receiving interface. An infrared transmitting interface connected to the infrared transmitting interface and an infrared transmitting unit connected to the infrared transmitting interface are provided.

  The infrared receiving unit on the access point 20 side is configured by a photodiode having sensitivity in the infrared region, and the infrared transmitting unit on the terminal 50 side is configured by an LED that outputs light having a wavelength in the infrared region. The infrared transmission interface of the terminal 50 converts the command signal from the CPU into a transmission wave on which the command signal is superimposed. The converted transmission wave is transmitted from the infrared transmitting unit. The transmission wave transmitted from the terminal 50 in this way is received by the infrared receiving unit on the access point 20 side when the terminal 50 is within the security reception area SR1 (the area where the transmission wave can be received by the infrared receiving unit). The infrared receiving interface that receives the transmission wave thus received converts the transmission wave into a binary command signal, and sends the converted command signal to the CPU 11.

The setting of the WEP key in the terminal 50 and the access point 20 configured as described above is performed by executing the above-described security data setting processing routine. The contents of the executed security data setting processing routine are as follows (p). (S) is different from that of the above embodiment.
(P) In the processing of steps S200 and S210 on the access point 20 side, the administrator of the access point 20 operates the registration button 127 after confirming that the terminal 50 is in the security communication area MR1 and the security reception area SR1. The point to make.
(Q) In the process of step S100 on the terminal 50 side, a packet having MAC address information is transmitted from the wireless LAN adapter 52 to the access point 20, and a transmission wave on which the MAC address information is superimposed is transmitted from the infrared transmitting unit. To the access point 20.
(R) In the process of step S230 on the access point 20 side, the access point 20 reads the MAC address from each of the packet received by the receiver 26 and the transmission wave received by the infrared receiver, and replaces the two read MAC addresses with each other. A point that is temporarily stored in the RAM 13.
(S) After execution of the processing of step S230 described in (r), the two read MAC addresses are collated, and only when the two MAC addresses match, the processing of step S250 (the WEP key data is (The process of transmitting the data to 50).

  According to such a process, before setting the WEP key, the MAC address of the terminal 50 is confirmed by collating two systems of information, radio waves and infrared rays. Therefore, it is possible to more strictly check the terminals that are allowed to connect to the wireless LAN, and it is possible to completely prevent unregistered terminals from connecting to the wireless LAN. In particular, when infrared light or light is used, since the infrared light or light has directivity, the range in which the transmission wave can reach the access point is more limited than that of radio waves. Therefore, it is possible to prevent a third party who abuses another person's MAC address from registering the own terminal in the access point 20 using the MAC address.

  The above-mentioned infrared transmission interface and infrared transmission unit may be realized by incorporating them into the terminal 50 in advance, or may be realized by connecting an infrared transmitter to the audio output terminal of the terminal 50.

  As described above, the configuration in which infrared data transmission is used in combination with data communication using radio waves has been described as an example. It may be used in combination with the used data communication. When data transmission using visible light is also used, a liquid crystal display unit of a personal computer, a portable information terminal, or the like may be used as a light emitting element. This makes it possible to transmit an optical signal on which the information of the MAC address is superimposed to the access point 20 from the liquid crystal display unit of the terminal.

  Further, in the above embodiment, the wireless communication range during the setting of the WEP key is limited. However, such a limitation of the wireless communication range is set not only by the WEP key but also by the exchange between the access point 20 and the terminal 50. It can also be applied to other information that is performed. For example, in a free spot where pay content is transmitted only to a specific person, information for authenticating that the owner of the accessed terminal is a specific person (for example, the name of the terminal owner, ID and password, etc.) ) May be registered in the access point 20 or the terminal 50 in advance. The registration of the information for authenticating the individual may be performed by wireless communication while limiting the wireless communication range between the access point 20 and the terminal 50. This eliminates the need to manually set personal authentication information such as an ID and a password.

FIG. 2 is an explanatory diagram illustrating a configuration of hardware that implements an encryption key setting system LH1 according to the first embodiment of the present invention. FIG. 2 is an explanatory diagram illustrating a configuration of an access point 20. It is a flowchart which shows a security data setting processing routine. FIG. 7 is an explanatory diagram showing a radio wave transmittable range of the transmitter 25 after an output value is changed, as a security communication area MR1. It is an explanatory view showing an apparatus configuration for realizing an encryption key setting system LH2 according to a second embodiment of the present invention. FIG. 11 is an explanatory diagram showing another mode in which an instruction to change the operation mode is given.

Explanation of reference numerals

11 ... CPU
12 ... ROM
13 ... RAM
14 ... Storage device 15 ... Display controller 16 ... I / O controller 17 ... WAN port 18 ... Wireless communication interface 19 ... Indicator lamp 20 ... Access point 22 ... LAN port 25 ... transmitter 26 ... receiver 28 ... router 30 ... remote controller 50,60,70 ... terminal 52,62,72 ... wireless LAN adapter 95 ... shield box 96 ... Sill 127, 127A ... Registration button AR1 ... Wireless communication area CL ... Communication line IN ... Internet LH1, LH2 ... Encryption key setting system MR1 ... Security communication area PV .. .Provider SV ... Server TB ... Registration tab

Claims (10)

An encryption key used for encrypting wireless communication data wirelessly communicated between an access point, which is a relay device for a wireless LAN, and a terminal having a device for wireless LAN connection prior to communication; An encryption key setting system for setting
Communication range limiting means for narrowing the wireless communication range between the access point and the terminal than a normal communication range,
When the wireless communication range is narrowed by the communication range limiting unit, the terminal device located within the communication range and the access point wirelessly communicate encryption key data representing the contents of the encryption key, thereby enabling the wireless communication range to be reduced. An encryption key setting system comprising: an encryption key setting unit configured to set an encryption key. The encryption key setting system according to claim 1, wherein
Instructing means for instructing the access point to start setting the encryption key,
Condition determining means for determining a condition for narrowing the wireless communication range from a normal communication range based on an instruction from the instruction means,
The encryption key setting system, wherein the communication range limiting unit is a unit that narrows the wireless communication range under the condition determined by the condition determining unit.   3. The device according to claim 1, wherein the instructing unit is a unit that instructs the access point by operating an operation unit provided in the access point or a device capable of remotely controlling the access point wirelessly. 4. Encryption key setting system. The encryption key setting system according to claim 1, wherein:
The communication range limiting means, wherein the access point,
When receiving an instruction to set an encryption key from the terminal, perform control to narrow the wireless communication range than the normal communication range,
An encryption key setting system realized by performing control to return the wireless communication range to a normal communication range when the setting of the encryption key by the wireless setting unit is completed.   The encryption key setting system according to claim 1, wherein the communication range limiting unit is a unit that narrows the wireless communication range by adjusting a transmission output of the access point.   The encryption key setting system according to claim 1, wherein the communication range limiting unit is a shield that shields a terminal and an access point on which the encryption key is set from the wireless signal.   7. The encryption key setting system according to claim 1, wherein said access point includes a registration unit for registering information unique to a terminal to be communicated. A wireless LAN repeater for performing wireless communication with a terminal equipped with a wireless LAN connection device, wherein communication is performed using a set encryption key prior to wireless communication with the terminal. An access point that performs wireless communication with the terminal by encrypting the target wireless communication data and using the encrypted wireless communication data,
Communication range limiting means for narrowing the wireless communication range between the terminal and the normal communication range,
When the wireless communication range is narrowed by the communication range limiting unit, the encryption key is set by wirelessly communicating encryption key data representing the content of the encryption key with a terminal existing within the communication range. An access point comprising: An encryption key used for encrypting wireless communication data wirelessly communicated between an access point, which is a relay device for a wireless LAN, and a terminal having a device for wireless LAN connection prior to communication; Is set to
The wireless communication range between the access point and the terminal is narrower than a normal communication range,
When the wireless communication range is narrowed, the encryption key is set by wirelessly communicating encryption key data representing the content of the encryption key between a terminal existing in the communication range and the access point. Encryption key setting method. An authentication code required when a terminal including a device for wireless LAN connection wirelessly communicates with an access point, which is a relay device for wireless LAN, to access predetermined data on a network, is transmitted to the terminal and the access point. An authentication code setting system for setting at least one of the following,
Range limiting means for narrowing the wireless communication range between the access point and the terminal than a normal communication range,
When the wireless communication range is narrowed by the communication range limiting unit, the authentication code is transmitted by wirelessly communicating data representing the content of the authentication code between a terminal existing in the communication range and the access point. An authentication code setting system comprising: a setting unit configured to set the authentication code.

Images