JP2005295297A - Authentication method, communication device, and authentication device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To detect layer 2 repeating connection in order to limit a connection range of communication which requires protection of copyright in a home. <P>SOLUTION: An authentication method authenticates that a communication distance is in a predetermined range between two communication devices which are mutually connected by a communication means with a communication mode which can predict communication delay time, and is provided with a measuring process which measures round trip time of communication between the own communication device and a partner's communication device in the communication mode which can predict the communication delay time, and an authentication process which authenticates the partner's communication device if the measured round trip time falls within a predetermined range. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a device authentication method and apparatus for providing a connection distance restriction in an internet home appliance.

  In recent years, the IP (Internet Protocol) network centering on the Internet has rapidly expanded, and various home appliances such as video devices, surveillance cameras, and IP telephones tend to connect to the IP network in addition to personal computers. In particular, there is a concept in which video content is transmitted and received between video devices through communication using an IP network to improve user convenience. In such a case, it is necessary to limit the communication range of the device in order to protect the copyright of content such as video.

  However, since the conventional IP network technology places importance on seamless connection of the whole world and it is not necessary to limit the physical distance, there is no general technology that can meet such a request from the copyright holder.

  In the current network technology, for example, there is a technology described in Patent Document 1 for providing such a restriction. FIG. 5 shows an internal configuration of a conventional communication apparatus described in Patent Document 1.

  The communication apparatus in FIG. 5 generates and stores AV data, and transports AV data such as an AV data generation / storage unit 511 that is a source of AV data to be transmitted to the network, time stamp processing, sequence number processing, and the like. RTP processing unit 512 that performs layer layer processing, TCP / IP packet transmission / reception unit 513 that transmits / receives these packets as TCP / IP packets, and encryption of AV data with respect to data that requires copyright protection processing such as encryption Copyright protection encryption unit 514 that performs the conversion process, Ethernet (R) frame transmission / reception unit 515 that transmits and receives Ethernet (R) frames, and IP / Ethernet (R) address for correspondence between IP address and Ethernet (R) address Correspondence table unit 516, AV receiver for copyright protection Copyright protection authentication and key exchange unit 517 for performing authentication and key exchange, etc. between, and includes an interface unit (wireless network I / F section) 518 of the wireless network.

Here, the copyright protection authentication / key exchange unit 517 exchanges data for authentication / key exchange procedures for encryption and decryption as copyright protection with the wireless network I / F unit 518. Directly between. That is, the conventional communication device described in Patent Document 1 is characterized in that information relating to copyright is directly transferred on a physical network frame or a data link layer network frame. This utilizes the fact that information on a physical network or a data link network cannot be transferred to a remote location via an IP network as it is.
JP 2003-224556 A

  However, the conventional distance limiting technology using communication equipment can be invalidated by a technology for relaying the data link network itself to a remote location, so-called layer 2 tunnel technology. As such a layer 2 relay technology, for example, a layer 2 tunneling protocol known by the name of “L2TP” as described in RFC2661 is raised. With these technologies, the data link layer protocol can be relayed via a protocol higher than the network layer of the IP network, and the data link layer networks at remote locations can be combined to form a single network.

  In addition, since high-level functions such as key exchange depend on characteristics of the data link layer protocol and physical layer protocol and higher interfaces, a high-level function suitable for each different data link layer protocol and physical layer protocol is required, which is not preferable.

  Furthermore, since the service can be provided only by a single data link network, it cannot cope with a network constituted by a plurality of different networks.

  In addition, it may be possible to estimate the communication distance by using the tendency that the communication delay time in the outside network is relatively large in the sufficiently low-speed outside network. However, with the recent trend toward broadband, the communication delay time of out-of-home networks has become considerably small. On the other hand, depending on the communication method of a normal home network, it may be difficult to accurately predict the communication delay time. Such a method cannot completely satisfy the requirements.

  An object of the present invention is to provide an authentication method, a communication apparatus, and an authentication apparatus that limit the communication distance of the communication apparatus in order to solve such problems and protect the copyright of content such as video.

  In order to solve the above-described problems, the present invention provides that the communication distance in two communication devices connected to each other by communication means having a communication mode in which a communication delay time can be predicted is within a predetermined range. An authentication method for authenticating, wherein a measurement step of measuring a round trip time of communication between the own communication device and a partner communication device in a communication mode in which a communication delay time can be predicted, and the measured round trip time is within a predetermined range The authentication method is characterized by having an authentication process for authenticating the counterpart communication device.

  Further, in the two communication devices connected to each other by the second communication means, the authentication method for authenticating that the communication distance is within a predetermined range, and further the first communication in which the communication delay time can be predicted A measuring step of measuring a first round trip time in communication between the authentication device and one communication device, and an authentication device and the other communication A measurement step of measuring a second round trip time in communication with a device, and an authentication step of establishing an authentication relationship between communication devices if each measured round trip time is within a predetermined range An authentication method is disclosed.

  Further, in the two communication devices connected to each other by the second communication means, the authentication method for authenticating that the communication distance is within a predetermined range, and further the first communication in which the communication delay time can be predicted Having an authentication device connected to each communication device by means, and synchronizing a time of each of the communication device and the authentication device, and measuring a first communication delay time in communication from the authentication device to one communication device A measuring step of measuring, a measuring step of measuring a second communication delay time in communication from the authentication device to the other communication device, and authentication between the communication devices if each measured communication delay time is within a predetermined range An authentication method is disclosed that includes an authentication step of establishing a relationship.

  Here, the first communication unit may use radio wave communication or infrared communication, and the second communication unit may perform communication via a wired or wireless communication network using an Internet protocol. .

  Further, the first communication means and the second communication means are provided by a communication method capable of selecting a plurality of modes using a common communication medium such as a commercial power line or radio wave communication, and the first communication In the means, an authentication method is disclosed in which a mode in which a communication delay time can be predicted is selected.

  Also, a communication device that authenticates that the communication distance is within a predetermined range, which is connected to another communication device and has a communication mode capable of predicting the communication delay time, and the communication delay time can be predicted. The measurement function that measures the round trip time by sending / receiving information to / from the other communication device using a different communication mode, and the measurement result of the other communication device and the measurement result of the own communication device both match within the predicted value and error range. A communication device is provided that includes an authentication function for authenticating a partner communication device when it is determined to have been viewed.

  A communication device that authenticates that the communication distance is within a predetermined range, the first communication function being connected to the authentication device and predicting the communication delay time, and the first communication function being connected to another communication device. The communication function of 2 and the measurement function that measures the round-trip time of communication by sending and receiving information to and from the authentication device, and the measurement result of the other communication device and the measurement result of the own communication device both match within the predicted value and error range A communication device is provided that includes an authentication function for authenticating a partner communication device when it is determined that the device has been viewed. Here, the first communication function and the second communication function are provided by a communication method using a common communication medium, and the first communication function is a communication mode in which a communication delay time included in the communication method can be predicted. May be used.

  An authentication device that authenticates that a communication distance between communication devices is within a predetermined range, the first communication function being connected to the communication device and predicting a communication delay time, and a round trip of the communication device Disclosed is an authentication device comprising a time measurement function and a response function for transmitting and receiving information.

  Here, at least a part of the information transmitted and received by the measurement step and the measurement function may be subjected to an electronic signature or encryption, and further, a communication quality for ensuring QoS quality on the network. A label for designating may be included.

  Also disclosed is a communication apparatus in which authentication processing is configured so that verification processing of electronic signatures and decryption processing of ciphertexts do not affect the transmission / reception timing of information for measurement.

  According to the present invention, the communication distance between communication devices is restricted by measuring the communication delay time of information between communication devices and confirming that this matches within the range of error with the predicted value. It is. At this time, even when the communication means used normally has a large error range and the communication delay time is substantially unpredictable, the communication distance between the communication devices can be reduced by using the communication means that can predict the communication delay time. It is possible to add constraints to

  Furthermore, it is possible to prevent the application of a technology for avoiding restrictions on communication distance by performing digital signature or encryption on communication information used for measurement.

  Furthermore, the accuracy of measurement can be increased by the electronic signature and encryption processing method and network control method according to the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(Embodiment 1)
FIG. 1 is a block diagram showing a configuration of communication apparatus 100 according to Embodiment 1 of the present invention.

  Here, the communication device 100 transmits / receives information between the opposite communication device and the communication function 101 that is connected to the home network and performs information transmission / reception processing via the opposite communication device (not shown) and the home network. A measurement function 102 that measures the round trip time, an authentication function 103 that authenticates the connection with the opposite communication device, a time measurement function 104 that measures the time, and an electronic device that performs an operation related to the electronic signature on the given information. It comprises a signature calculation function 105, an encryption / decryption function 106 that encrypts or decrypts given information, and a bus 107 that connects these functions.

  In the present embodiment, it is assumed that the opposite communication device has the same function and performs the same operation.

  These functions may be realized as software as a whole, but will be described separately for each function for ease of understanding.

  The communication apparatus of the present embodiment configured as described above operates as follows. FIG. 2 is a sequence diagram of the following operations.

  In order to authenticate communication with the opposite communication device, the measurement function 102 of the communication device requests the communication function 101 to transmit round trip time measurement information to the opposite communication device.

  In the present embodiment, the round trip time measurement information includes a value obtained by encrypting the time value at the time of transmission acquired from the time measuring function 104 by the encryption / decryption function 106, and identifies that the communication delay time is sensitive. Including the QoS label to be generated by the measurement function 102.

  The communication function 101 has a plurality of communication modes, one of which is a communication mode in which a communication delay time can be predicted. The communication function 101 transmits the round trip time measurement information requested by the measurement function 102 to the opposite communication device using a communication mode in which the communication delay time can be predicted (ST1). Such multiple communication modes are expressed as so-called QoS (Quality of Service), and the communication mode in which the communication delay time can be predicted is the highest priority class or communication based on the classification of the real-time traffic class with restrictions on the communication delay time. is there. The communication information in which the QoS class is designated may include a QoS label. The QoS label is reflected in, for example, VLAN tag information defined in the IEEE 802.1p standard, ToS (Type of Service) information in the IP protocol header, and the like.

  When the measurement function 102 on the opposite communication device side receives the round trip time measurement information, a value obtained by encrypting the received information with an electronic signature and a time value at the time of response transmission obtained from the time measurement function 104 by the encryption / decryption function 106 Round trip time response information is generated and sent back via the communication function 101. Similar to the above, the communication function 101 on the opposite communication apparatus side transmits using the communication mode in which the communication delay time can be predicted (ST2).

  The measuring function 102 of the communication device 100 confirms the reception time of the round trip time response information by the time measuring function 104. Furthermore, it generates round trip time re-response information in which an electronic signature is combined with the received round trip time response information, and returns it to the opposite communication device via the communication function 101. As described above, the communication function 101 transmits using a communication mode in which a communication delay time can be predicted (ST3).

  In the measuring function 102 on the opposite communication device side, the reception time of the round trip time reresponse information is confirmed by the time measuring function 104.

  After the information is exchanged as described above, the measurement function 102 of each of the communication devices of the self and the opposite device encrypts the transmission time value encrypted by itself contained in the received round trip time response information or round trip time reresponse information. Decoding is performed by the decoding function 106, and a round trip time is obtained for each time difference between this and the reception time of each information (ST4).

  Further, the authentication function 103 of each of the communication devices of the self and the opposite uses the electronic signature calculation function 105 to verify the electronic signature included in the round trip time response information or the round trip time reresponse information. If it is determined that this is a legitimate electronic signature, it is checked whether the next measured round trip time matches the predicted value within the range of errors (ST5). If they match, each of the opposing communication devices is authenticated, and a communication service can be executed. If an abnormality is detected by authentication function 103, authentication of the opposite communication device is rejected (ST6).

  Since the communication device according to the present embodiment that operates as described above measures the round trip time using a communication mode in which the communication delay time can be predicted, the round trip time is relayed using the layer 2 relay technology. However, this can be detected. This is because there is a discrepancy between the predicted value because the structure of the layer 2 network relayed and joined by the IP network does not match the network structure assumed by the predicted value.

  Also, since the transmission time value is encrypted, it cannot be altered, and the response information cannot be forged by the electronic signature of the response side, so that erroneous measurement cannot be performed intentionally.

  Note that the electronic signature in this embodiment may be applied to a part or all of the information received and returned, but random information that is difficult to predict is exchanged between communication devices before the round trip time is measured. On the other hand, a digital signature calculated may be used. Thereby, it is possible to prevent the return timing of the round trip time response information and the round trip time reresponse information from being delayed by the electronic signature calculation, and there is an effect that a more accurate measurement value can be obtained.

  Note that information such as an encryption key and a digital signature key may be embedded or exchanged in advance, and is not specified in this embodiment. Also, any method may be used for the electronic signature calculation method and encryption method as long as they are not contrary to the purpose of confidentiality.

(Embodiment 2)
FIG. 3 is a block diagram showing the configuration of the communication device 300 and the authentication device 310 according to Embodiment 2 of the present invention.

  Here, the communication device 300 includes a first communication function 301 that performs transmission / reception processing of information with the authentication device 310 via an infrared communication link, and an opposite communication device (not shown) and information via a home network. A second communication function 302 that performs transmission / reception processing, a measurement function 303 that transmits and receives information to and from the authentication device 310 and measures a round trip time, an authentication function 304 that authenticates a connection with the opposite communication device, A timekeeping function 305 that measures time, an electronic signature calculation function 306 that performs an operation related to an electronic signature on given information, an encryption / decryption function 307 that encrypts or decrypts given information, and these functions The bus 308 is connected.

  In the present embodiment, it is assumed that the opposite communication device has the same function and performs the same operation.

  In addition, the authentication apparatus 310 includes a first communication function 311 that performs transmission / reception processing with the communication apparatus 300 via an infrared communication link, a response function 312 that returns a response to received information, and the given information An electronic signature calculation function 313 for performing calculations related to the electronic signature.

  The communication apparatus of the present embodiment configured as described above operates as follows. FIG. 4 is a sequence diagram of the following operations.

  In order to authenticate the opposite communication device, the measurement function 303 of the communication device requests the first communication function 301 to transmit round trip time measurement information to the authentication device. This operation is activated by an instruction from the authentication device or an instruction from another device or another function of the communication device.

  In the present embodiment, it is assumed that the round trip time measurement information includes a value obtained by encrypting the transmission time value acquired from the time measurement function 305 by the encryption / decryption function 307 and is generated by the measurement function 303.

  The first communication function 301 uses an infrared communication link, and the communication delay time can be predicted. The first communication function 301 transmits round trip time measurement information requested by the measurement function 303 to the authentication device 310 (ST1).

  When the response function 312 of the authentication device 310 receives the round trip time measurement information, it adds an electronic signature to this and returns it as the round trip time response information via the first communication function 311 (ST2).

  The measuring function 303 of the communication device 300 confirms the reception time of the round trip time response information by the time measuring function 305.

  After exchanging information as described above, the measurement function 303 of the communication device decrypts the transmission time value encrypted by itself by the encryption / decryption function 307 included in the received round trip time response information, The round trip time is obtained with the time difference (ST4).

  The authentication function 304 of the communication device 300 verifies the electronic signature included in the round trip time response information using the electronic signature calculation function 306. If it is determined that this is a valid electronic signature, it is checked whether the next measured round trip time matches the predicted value within an error range (ST5). The authentication function 304 stores the inspection result and transmits the inspection result to the opposite communication device by the second communication function 302. If verification of the electronic signature fails or the measured value of the round trip time is abnormal, the abnormal inspection result is stored, and the abnormal inspection result is transmitted to the opposite communication apparatus by the second communication function 302.

  Also in the opposite communication device, the round trip time is measured by the same procedure as described above. If the electronic signature received from the authentication device 310 is verified and determined to be a valid electronic signature, it is checked whether the measured round trip time matches the predicted value within the error range (ST5), and the test result is stored. At the same time, the inspection result is transmitted to the communication device 300 by the second communication function (ST6).

  Both the self-facing and opposing authentication functions 304 receive the inspection result of the other party. If the inspection results in both communication apparatuses are normal, the opposite communication apparatus is authenticated, and a service by communication can be executed. Otherwise, authentication of the opposite communication device is rejected (ST7).

  Since the communication device according to the present embodiment that operates as described above measures the round trip time using the infrared communication link, the second communication means that connects the communication devices predicts the communication delay time. Even if the error is large, the present invention can be applied.

  Further, even if the information of the infrared communication link itself is relayed using the layer 2 relay technology, it can be detected. This is because the communication delay time is sufficiently predictable because the infrared communication link itself is not a network. Also. The possibility of sampling a physical signal and relaying it remotely over an IP network is questionable because it must utilize a very large bandwidth on the IP network, even if possible.

  Further, since the transmission time value is encrypted, it cannot be altered, and the response information cannot be forged by the electronic signature on the response side, so that erroneous measurement cannot be performed.

  Note that the electronic signature in this embodiment may be applied to a part or all of the received information.

  The digital signature is not necessarily required, and part of the round trip time response information may be encrypted with an encryption key agreed in advance between the authentication device and the communication device.

  Note that information such as an encryption key and a digital signature key may be embedded or exchanged in advance, and is not specified in this embodiment. Also, any method may be used for the electronic signature calculation method and encryption method as long as they are not contrary to the purpose of confidentiality.

  In this embodiment, the authentication device and the communication device are connected using an infrared communication link. However, the present invention is not limited to this, and communication means that can predict a communication delay time or a communication that includes a predictable communication mode. Any method can be used.

  Note that if the authentication device further includes a timekeeping function, and if the time of the authentication device and each communication device is synchronized, the communication delay time from the authentication device to the communication device is measured instead of the round trip time in this embodiment. By doing so, the effect of the present invention can be obtained similarly.

  The authentication method, the communication device, and the authentication device of the present invention can accurately carry out distance restriction between communication devices. Therefore, it is useful in devices and systems that exchange copyrighted materials via a home network. It is also useful for security systems that need to constrain the physical size of the network.

Block diagram of a communication apparatus according to Embodiment 1 of the present invention The sequence diagram which shows an example of operation | movement of the communication apparatus in Embodiment 1 of this invention. Block diagram of communication apparatus and authentication apparatus in embodiment 2 of the present invention The sequence diagram which shows an example of operation | movement of the communication apparatus and authentication apparatus in Embodiment 2 of this invention The figure which shows the internal structure of the prior art example of this invention

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Communication apparatus 101 Communication function 102 Measurement function 103 Authentication function 104 Timekeeping function 105 Electronic signature calculation function 106 Encryption / decryption function 107 Bus 300 Communication apparatus 301 1st communication function 302 2nd communication function 303 Measurement function 304 Authentication function 305 Timekeeping function 306 Electronic Signature Operation Function 307 Encryption / Decryption Function 308 Bus 310 Authentication Device 311 First Communication Function 312 Response Function 313 Electronic Signature Operation Function 511 AV Data Generation / Storage Unit 512 RTP Processing Unit 513 TCP / IP Packet Transmission / Reception Unit 514 Copyright Protection Encryption unit 515 Ethernet (R) frame transmission / reception unit 516 IP / Ethernet (R) address correspondence table unit 517 Copyright protection authentication / key exchange unit 518 Wireless network I / F unit

Claims (23)

An authentication method for authenticating that a communication distance is within a predetermined range in two communication devices connected to each other via a network by a communication means having a communication mode capable of predicting a communication delay time,
A measurement step of measuring a round trip time of communication between the own communication device and the partner communication device in a communication mode in which a communication delay time can be predicted;
An authentication method comprising: an authentication step of authenticating a counterpart communication device when a measured round trip time is within a predetermined range. An authentication method for authenticating that a communication distance is within a predetermined range in two communication devices connected to each other by a second communication means,
Furthermore, it has the authentication apparatus mutually connected to each communication apparatus by the 1st communication means with which communication delay time can be estimated,
A measuring step of measuring a first round trip time in communication between the authentication device and one of the communication devices;
A measurement step of measuring a second round trip time in communication between the authentication device and the other communication device;
An authentication method comprising an authentication step of establishing an authentication relationship between communication devices when each measured round trip time falls within a predetermined range. An authentication method for authenticating that a communication distance is within a predetermined range in two communication devices connected to each other by a second communication means,
Furthermore, it has the authentication apparatus connected to each communication apparatus by the 1st communication means which can predict communication delay time,
Synchronizing the time of each of the communication device and the authentication device;
A measurement step of measuring a first communication delay time in communication from the authentication device to the one communication device;
A measurement step of measuring a second communication delay time in communication from the authentication device to the other communication device;
An authentication method comprising: an authentication step of establishing an authentication relationship between communication devices when each measured communication delay time is within a predetermined range. The authentication method according to claim 2 or 3, wherein the first communication means uses radio wave communication. The authentication method according to claim 2, wherein the first communication unit uses infrared communication. The authentication method according to any one of claims 2 to 5, wherein the second communication means is via a wired or wireless communication network using an Internet protocol. The first communication means and the second communication means use a network having a communication method capable of selecting a plurality of modes using a common communication medium,
4. The authentication method according to claim 2, wherein a mode in which a communication delay time can be predicted is selected in the first communication unit. 8. The authentication method according to claim 1, wherein the communication method used by the communication means uses commercial power line communication. The authentication method according to claim 1 or 7, wherein the communication method used by the communication means uses radio wave communication. The authentication method according to claim 1, wherein the communication information used in the measurement step includes at least an electronic signature. The authentication method according to any one of claims 1 to 10, wherein at least a part of communication information used in the measurement step is encrypted. A communication device for authenticating that a communication distance is within a predetermined range,
A communication function connected to another communication device via a network and having a communication mode in which a communication delay time can be predicted;
A measurement function for measuring round trip time by transmitting / receiving information to / from a partner communication device using a communication mode in which a communication delay time can be predicted;
A communication apparatus comprising: an authentication function for authenticating a partner communication apparatus when it is determined that the measurement result of the partner communication apparatus and the measurement result of the own communication apparatus match the predicted value within an error range. . A communication device for authenticating that a communication distance is within a predetermined range,
A first communication function connected to the authentication device and predicting a communication delay time;
A second communication function connected to another communication device;
A measurement function that transmits / receives information to / from the authentication device and measures communication round trip time;
A communication apparatus comprising: an authentication function for authenticating a partner communication apparatus when it is determined that the measurement result of the partner communication apparatus and the measurement result of the own communication apparatus match the predicted value within an error range. . The first communication function and the second communication function use a network having a communication method capable of selecting a plurality of modes using a common communication medium,
The communication apparatus according to claim 13, wherein a mode in which a communication delay time can be predicted is selected in the first communication function. The communication apparatus according to claim 12, wherein an electronic signature is included in at least a part of information transmitted and received by the measurement function. The communication apparatus according to claim 12, wherein at least a part of information transmitted and received by the measurement function is encrypted. The authentication function verifies the electronic signature without affecting the timing at which the measurement function transmits and receives information, and does not authenticate the partner communication apparatus if the verification is not successful. The communication apparatus as described in. Further, the authentication function performs the decryption process of the encrypted information without affecting the timing at which the measurement function transmits and receives information, and does not authenticate the partner communication device if the decrypted information is abnormal. The communication device according to claim 16. An authentication device for authenticating that a communication distance between communication devices is within a predetermined range,
A first communication function connected to a communication device and capable of predicting a communication delay time;
A function for measuring the round trip time of a communication device and a response function for transmitting and receiving information;
An authentication device comprising: The authentication apparatus according to claim 19, wherein at least a part of the information transmitted by the response function is an electronic signature. The authentication apparatus according to claim 19 or 20, wherein at least a part of the information transmitted by the response function is encrypted. The authentication method according to any one of claims 1 to 11, wherein the communication information used in the measurement step includes at least a communication quality label indicating that a restriction on a communication delay time is required. . 19. The communication apparatus according to claim 12, wherein the information transmitted and received by the measurement function includes at least a communication quality label indicating that a restriction on a communication delay time is requested. .

Images