JP2009071707A - Key sharing method, and key distribution system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a key sharing method where an encryption key for configuring a stable communication channel is shared only between entities assumed by installers while preventing wiretapping by others. <P>SOLUTION: The key sharing method between communication terminals includes the steps of installing a server 300 for holding information associated between communication terminals sharing the encryption key and a terminal 400 for transmitting the associated information to the server 300, storing a specific key of each communication terminal in the server 300, allowing the server 300 to authenticate the associated terminal 400, and allowing the associated terminal 400 to transmit the associated information to the server 300. Further, the method includes the steps of allowing the server 300 to encrypt the encryption key by the specific key based on the associated information so as to distribute the encrypted encryption key, and allowing a shared communication terminal to send a connection request to a sharing communication terminal. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a method for sharing an encryption key between communication terminals, and a key distribution system.

Conventionally, in a wireless LAN system, regarding a technology for delivering an access point (hereinafter abbreviated as AP) key to a wireless LAN terminal (hereinafter abbreviated as a terminal generically), it is assumed that the terminal and the AP are indoors together with the installer. Then, there has been proposed that a predetermined button is pressed at approximately the same timing on the terminal side and the AP side, and the terminal and the AP in a state where the button is pressed share a key (Non-patent Document 1).
It is generally considered difficult for an outside malicious person to enter the above key sharing procedure because the button is not predicted to be pressed, and this is regarded as the basis for the security of the above technology. Yes.

  Also, “a method, an apparatus, and a system for distributing user-specific information that can safely and easily set user-specific information in a user terminal are provided. As a technology for the purpose of the above, “When the public key K is read from the wireless tag 101 pasted to the terminal 10 by the wireless tag reader 20, the wireless LAN access point 21 encrypts the setting information using the public key K. To do. The encrypted setting information is stored in a beacon and transmitted wirelessly. When the terminal 10 receives the beacon, it decrypts and sets the encrypted setting information stored in the beacon using the secret key. Is proposed (Patent Document 1).

JP 2006-285826 A (summary) Wireless LAN security measures that change with Buffalo's “AOSS” that can be set with one touch, http://bb.watch.impress.co.jp/cda/shimizu/4007.html

In the technology described in Non-Patent Document 1, there is a possibility that a terminal and an AP that are not intended by the installer may establish a communication channel due to the presence of a terminal or AP that is always pressed in a button within the communicable area. It cannot be completely avoided.
Further, the technique described in Non-Patent Document 1 cannot be applied to a communication terminal that does not have an external interface other than the communication interface (that does not have a button as described above), for example, a wireless communication terminal in a sensor network.

In the technique described in Patent Document 1, when the tag information of the wireless tag 101 attached to the terminal 10 is read by a malicious person, for example, the key information from the malicious AP when the terminal rebuilds the network. May be received.
In addition, in case the tag information becomes unreadable, the tag information may be saved on another recording medium when it is first read. There is also a possibility of leakage to the outside.

  Therefore, a key sharing method and a key distribution system that can share an encryption key for establishing a secure communication channel only between entities assumed by the installer while making eavesdropping difficult have been desired.

  The key sharing method according to the present invention is a method of sharing an encryption key between communication terminals, and a server that holds association information between communication terminals that share the encryption key, and an association that transmits the association information to the server A terminal, storing a unique key of each communication terminal in the server in advance, the server authenticating the association terminal, and an association step in which the association terminal transmits the association information to the server; A key distribution step in which the server encrypts the encryption key with the unique key based on the association information and distributes the encrypted key, and a communication terminal of the sharing destination issues a connection request to the communication terminal of the sharing source. A connection step to be issued.

According to the key sharing method of the present invention, since the encryption key is shared only between communication terminals associated on the server, an external terminal does not break into the key sharing process and is assumed in advance. The encryption key can be shared only between the communication terminals that have been set.
Further, since the shared encryption key does not flow in plain text on the communication path, it is difficult to eavesdrop on the encryption key.

Embodiment 1 FIG.
FIG. 1 explains the possibility of leakage when performing key sharing between communication terminals.
In FIG. 1, the terminal 100a and AP200a are installed in the house A by the installer A. The terminal 100a and the AP 200a are connected by wireless communication.
The AP 200a is connected to the Internet 500, and provides the terminal 100a with an Internet connection via wireless communication.
In addition, in the house B, the same environment as the house A is laid by the installer B. Hereinafter, the environment in the house A will be described, but the same applies to the house B.

The following items are assumed as preconditions for the environment shown in FIG.
(1) There is no information that can be shared in advance between the terminal 100a and the AP 200a.
(2) The terminal 100a has no interface other than wireless communication.
(3) Public key cryptography cannot be used.

In general, an AP using wireless communication encrypts communication in order to ensure the safety of the wireless communication channel between the terminal 100a and the AP 200a. At the time of encryption, the encryption key is shared between the terminal 100a and the AP 200a. However, if this encryption key is leaked, for example, by eavesdropping by the external terminal 100c, there is a risk that the communication content is leaked to the outside.
Further, when the terminal 100a is connected to an AP not intended by the installer A (for example, the AP 200b in the house B) or a terminal unintended by the installer A (eg, the terminal 100b in the house B) is connected to the AP 200a, There is a risk of the information in A leaking to the outside.
Therefore, the following items are required as conditions for ensuring the safety of the communication environment of the house A.

(1) The terminal 100a connects to the AP 200a desired by the installer A.
(2) A person other than the installer A cannot intentionally connect the terminal 100a to an AP other than the AP 200a.
(3) A terminal other than the terminal 100a is not connected to the AP 200a.
(4) The encryption key sharing procedure is executed as desired by the installer A.

  Next, a method for securely sharing an encryption key between the terminal 100a and the AP 200a will be described. In the following description, the terminal 100 or the like is not particularly distinguished from the terminals 100a and 100b.

FIG. 2 is a schematic configuration diagram of the key distribution system according to the first embodiment. Hereinafter, according to each step of FIG. 2, a procedure in which the key distribution system of FIG. 2 shares a key between the terminal 100 and the AP 200 will be described.
The detailed processing sequence and the detailed configuration of each device will be described with reference to each drawing described later, and only the outline of the key distribution system according to the first embodiment is shown here.

First, the role of each device will be described as a premise.
The terminal 100 and the AP 200 correspond to the terminal 100a and the AP 200a described in FIG. These devices hold a unique ID and key inside.
The center server 300 includes a database that stores tables described in FIGS. 3 to 5 to be described later. The center server 300 mainly associates the terminal 100 with the AP 200 and distributes the shared encryption key.
The association terminal 400 is a terminal for performing an association operation between the terminal 100 and the AP 200. The association terminal 400 can be configured by a communication terminal having an Internet connection function, such as a mobile phone terminal.
The center server 300 is connected to the AP 200 and the association terminal 400 via the Internet 500.

  Hereinafter, each step of FIG. 2 will be described.

(1) Login A user (corresponding to the installer A in FIG. 1) uses the association terminal 400 to connect to the center server 300, and executes a login procedure to the center server 300. The center server 300 performs user authentication with reference to a user table described later with reference to FIG.

(2) ID acquisition The user acquires a unique ID assigned in advance to the terminal 100 and the AP 200. This ID is uniquely assigned at the time of manufacture of each device, and is printed on the case of each device, QR-coded and pasted on the case, output via an appropriate interface, etc. The association terminal 400 can be acquired by the method.
Also, the ID and unique key of each device are stored in advance in the terminal table and AP table described later with reference to FIGS.

(3) ID transmission The user transmits the unique ID between the terminal 100 and the AP 200 to the center server 300 using the association terminal 400.

(4) Association of each device and user The center saver 300 identifies each device based on the unique ID received in step (3), and recognizes that the user owns these devices. Next, the list of owned devices is reflected in a user table described later with reference to FIG.

(5) Association between AP and terminal The center server 300 associates each device based on the unique ID received in step (3), and reflects the association information in the AP table described later with reference to FIG.
The association here refers to presenting to the center server 300 that an encryption key is shared among the associated devices. That is, the center server 300 recognizes that the associated devices share the encryption key by the association processing in this step.

(6) Transmit the encrypted AP key to the AP The center server 300 reads the unique key of the terminal 100 and the AP 200 associated in step (5) from the terminal table described later with reference to FIG. Next, the unique key of AP 200 is encrypted with the unique key of terminal 100 and transmitted to AP 200.
The reason for not transmitting directly to the terminal 100 is that the terminal 100 cannot directly connect to the Internet, and the reason for encrypting and transmitting is to prevent the encryption key from flowing in the communication path in plain text.

(7) Key sharing The AP 200 and the terminal 100 share the unique key of the AP 200. Thereafter, communication between the terminal 100 and the AP 200 is encrypted using the shared AP 200 unique key.
Details of the processing in this step will be described again in the processing sequence described later with reference to FIG.

FIG. 3 is a configuration explanatory diagram of a terminal table held by the center server 300.
The terminal table has a “terminal ID” column and a “terminal unique key” column.
In the “terminal ID” column, the unique ID of the terminal 100 is stored.
In the “terminal unique key” column, the unique key of the terminal 100 is stored.
The values in any column are transmitted to the center server 300 at the time of manufacturing, shipping, etc. of the terminal 100, and each value is set before the terminal 100 reaches the user.

FIG. 4 is an explanatory diagram of the configuration of the AP table held by the center server 300.
The AP table includes an “APID” column, an “AP unique key” column, an “associated terminal ID” column, and an “associated terminal MAC address” column.
In the “APID” column, the unique ID of the AP 200 is stored.
In the “AP unique key” column, the unique key of the AP 200 is stored.
In the “associated terminal ID” column, the unique ID of the terminal 100 associated in step (5) of FIG. 2 is stored. There are as many values in this column as there are associated terminals 100.
The “MAC address of associated terminal” column stores the MAC address of the terminal 100 associated in step (5) of FIG. There are as many values in this column as there are associated terminals 100.
The values in the “APID” column and the “AP unique key” column are transmitted to the center server 300 at the time of manufacture, shipment, etc. of the AP 200, and each value is set before the AP 200 reaches the user. ing.

As for the value of the “MAC address of associated terminal” column, the associated terminal 400 may transmit the MAC address together with the transmission of the unique ID of the terminal 100 in step (3) of FIG. A “terminal MAC address” column may be provided in the table, and a terminal ID may be used as a key from the column.
In the latter case, the value of the “terminal MAC address” column is transmitted to the center server 300 in advance when the terminal 100 is manufactured or shipped.

FIG. 5 is an explanatory diagram of a configuration of a user table held by the center server 300.
The user table has a “user ID” column, a “password” column, a “owned AP list” column, and a “owned terminal list” column.
The “user ID” column stores a login ID when the user logs in to the center server 300.
The “password” column stores a login password when the user logs in to the center server 300.
The “owned AP list” column stores the unique ID of the AP 200 possessed by the user, which is associated in step (4) of FIG. There are as many values in this column as the number of associated APs 200.
The “owned terminal list” column stores the unique ID of the terminal 100 possessed by the user, which is associated in step (4) of FIG. There are as many values in this column as there are associated terminals 100.

  FIG. 6 illustrates a processing sequence in which the terminal 100a and the AP 200a share the unique key of the AP 200a as an encryption key. Here, the description will be made on the assumption that the environment is the same as in FIG. The terminal 100a operates as a ZigBee node, and the AP 200a operates as a ZigBee Coordinator.

FIG. 6A shows a pre-processing sequence before the key sharing procedure is executed.
FIG. 6B is a processing sequence when the terminal 100a attempts to connect to an AP (in this case, AP 200b) that is not intended by the installer A.
FIG. 6C shows a processing sequence when the terminal 100a attempts to connect to the AP intended by the installer A (here, the AP 200a).
FIGS. 6A to 6C are shown in time series. Hereinafter, each step of FIG. 6 will be described.

(S601)
The center server 300 transmits the MAC address of the terminal 100a to the AP 200a based on the association information stored in the AP table. Further, the unique key (K _auth1 ) of the _{AP 200a} is encrypted with the unique key (K _a ) of the terminal 100a (hereinafter referred to as C1), and simultaneously transmitted to the AP 200a.
This step corresponds to step (6) in FIG.

(S602)
The user turns on the terminal 100a. Since the terminal 100a does not know at first which AP to connect to, the terminal 100a waits for a beacon signal transmitted from the AP.
(S603)
It is assumed that the terminal 100a has received the beacon signal transmitted by the AP 200b (AP not intended by the installer A) before the beacon signal of the AP 200a.

(S604)
The terminal 100a issues a connection request to the AP 200b and transmits a random number R1.
(S605)
The AP 200b acquires the MAC address of the terminal 100a. Since the MAC address of the terminal 100a is not transmitted in advance from the center server 300, it can be seen that the connection request of the terminal 100a is not intended by the AP 200b.
(S606)
The AP 200b returns a connection rejection notification to the terminal 100a.

(S607)
The terminal 100a receives a beacon signal transmitted by the AP 200a (AP intended by the installer A).
(S608)
The terminal 100a issues a connection request to the AP 200a and transmits a random number R2.
(S609)
The AP 200a acquires the MAC address of the terminal 100a. Since the MAC address of the terminal 100a is transmitted in advance from the center server 300, it can be seen that the connection request of the terminal 100a is intended by the AP 200a.

(S610)
The AP 200a calculates the hash value C2 of the random number R2 using the unique key (K _auth1 ) of the _{AP 200a} as a key.
(S611)
The AP 200a transmits C1 received in step S601 and C2 calculated in step S610 to the terminal 100a.

(S612)
The terminal 100a decrypts C1 with its own unique key (K _a ), and acquires the unique key (K _auth1 ) of the _{AP 200a} .
(S613)
The terminal 100a calculates a hash value of the random number R2 using the unique key (K _auth1 ) of the _{AP 200a} as a key.

(S614)
The terminal 100a determines whether or not the hash value calculated in step S613 matches the C2 received in step S611. If they match, the process proceeds to step S615. If they do not match, the process waits as it is.
(S615)
The terminal 100a knows that the connection destination AP is the AP 200a because the calculation result in step S613 matches C2, and thus executes the ZigBee-join procedure and completes the connection to the AP 200a.

With the above procedure, the connection between the terminal 100a and the AP 200a is completed as intended by the installer A, and the unique key (K _auth1 ) of the _{AP 200a} is securely shared between the two.

  Note that even if the AP 200b is an unauthorized AP such as a fake AP installed by a malicious person and the terminal 100a is guided to connect the terminal 100a by returning a connection permission message in step S606, the terminal 100a is not connected to the AP 100b in FIG. Since the hash value collation described in (1) is performed, there is no possibility of erroneous connection to an unintended AP.

That is, since the AP 200b does not know the unique key (K _auth1 ) of the _{AP 200a} , the correct hash value that matches the hash value calculated by the terminal 100a cannot be obtained. A ZigBee-join procedure is not erroneously executed in the AP 200b.

The key sharing procedure of the key distribution system according to the first embodiment has been described above.
Below, the detailed structure of each apparatus is demonstrated.

FIG. 7 is a functional block diagram of the terminal 100.
The terminal 100 includes a wireless communication unit 101, a connection destination candidate storage unit 102, a connection destination determination unit 103, a random number generation unit 104, a random number storage unit 105, a keyed hash calculation unit 106, a collation unit 107, a unique key storage unit 108, and a decryption Unit 109 and AP key holding unit 110.

The wireless communication unit 101 performs communication using a wireless communication method such as ZigBee.
When receiving a beacon signal from an AP, the connection destination candidate holding unit 102 temporarily holds the address of the AP as a connection destination candidate.
The connection destination determination unit 103 determines a connection destination from a list of AP addresses and the like held by the connection destination candidate holding unit 102 based on the collation result of the collation unit 107.
The random number generation unit 104 generates a random number R by an appropriate method.
The random number holding unit 105 temporarily holds the random number R generated by the random number generation unit 104.
The keyed hash calculation unit 106 calculates a hash value of the random number R using the AP unique key.
The collation unit 107 collates the hash value calculated by the keyed hash calculation unit 106 with the hash value received from the AP, and outputs the collation result to the connection destination determination unit 103.
The unique key holding unit 108 holds the unique key of the terminal 100.
The decrypting unit 109 decrypts the encrypted AP unique key received from the AP using the unique key of the terminal 100.
The AP key holding unit 110 temporarily holds the AP unique key decrypted by the decrypting unit 109.

The connection destination determination unit 103, the random number generation unit 104, the keyed hash calculation unit 106, the collation unit 107, and the decryption unit 109 can be configured by hardware such as a circuit device that implements these functions, or a CPU or microcomputer It can also be configured as software executed on an arithmetic device such as.
The connection destination candidate holding unit 102, the random number holding unit 105, the unique key holding unit 108, and the AP key holding unit 110 can be configured by a storage device such as a memory. You may comprise these integrally.

FIG. 8 is a functional block diagram of the AP 200.
The AP 200 includes a wireless communication unit 201, a keyed hash calculation unit 202, an AP key holding unit 203, an information holding unit 204, and an Internet communication unit 205.

The wireless communication unit 201 performs communication using a wireless communication method such as ZigBee.
The keyed hash calculation unit 202 calculates a hash value of the random number R using the AP unique key.
The AP key holding unit 203 holds the unique key of the AP 200.
The information holding unit 204 temporarily holds data received by the Internet communication unit 205.
The Internet communication unit 205 transmits and receives data to and from an external device such as the center server 300 via the Internet 500.

The keyed hash calculation unit 202 can be configured by hardware such as a circuit device that realizes the function, or can be configured as software executed on an arithmetic device such as a CPU or a microcomputer.
The AP key holding unit 203 and the information holding unit 204 can be configured by a storage device such as a memory. You may comprise these integrally.

FIG. 9 is a functional block diagram of the center server 300.
The center server 300 includes an Internet communication unit 301, a key encryption unit 302, an association determination unit 303, an association reference child holding unit 304, a table operation unit 305, and a database storing each table described with reference to FIGS. .

The Internet communication unit 301 transmits / receives data to / from an external device such as the AP 200 via the Internet 500.
The key encryption unit 302 encrypts the unique key (K _auth ) of the AP 200 stored in the AP table with the unique key of the terminal 100 stored in the terminal table.
The association determination unit 303 receives the association information transmitted from the association terminal 400 from the Internet communication unit 301 and determines the association between the terminal 100 and the AP 200 or the like.
The association reference child holding unit 304 temporarily holds the association information determined by the association determination unit 303.
The table operation unit 305 performs processing such as generation and update of entries in each table stored in the database.

The key encryption unit 302, the association determination unit 303, and the table operation unit 305 can be configured by hardware such as a circuit device that realizes these functions, or software executed on an arithmetic device such as a CPU or a microcomputer. It can also be configured as.
The association reference child holding unit 304 can be configured by a storage device such as a memory.
The database can be configured by storing the data of each table in a writable storage device such as an HDD (Hard Disk Drive). Although the table is used from the viewpoint of simple explanation, the data format is not limited to the table format, and any format can be used.

FIG. 10 is a functional block diagram of the association terminal 400.
The association terminal 400 includes an Internet communication unit 401, a center server address holding unit 402, a device ID acquisition unit 403, a table operation request generation unit 404, an authentication information input unit 405, and an association designation unit 406.

The Internet communication unit 401 transmits / receives data to / from an external device such as the center server 300 via the Internet 500.
The center server address holding unit 402 holds the address of the center server 300.
The device ID acquisition unit 403 acquires a unique ID of the terminal 100 or the AP 200. As an acquisition method, a method in which an ID is directly input by a user, a QR code representing a unique ID attached to each device is captured and analyzed, or acquired through an appropriate interface can be used.
The table operation request generation unit 404 generates operation requests such as data creation and update for each table held by the center server 300.
The authentication information input unit 405 is used by the user to input the login ID and login password of the center server 300.
The association designation unit 406 designates the association between the terminal 100 and the AP 200 and outputs the result to the Internet communication unit 401 with the intention of the association yield.

The center server address holding unit 402 can be configured by a storage device such as a memory.
The table operation request generation unit 404 and the association designation unit 406 can be configured by hardware such as a circuit device that realizes these functions, or can be configured as software executed on a calculation device such as a CPU or a microcomputer. You can also.

  The detailed configuration of each device has been described above. These configurations are examples, and design changes within a range that does not depart from the gist are allowed as long as the processing sequences described in FIGS. 2 and 6 can be realized.

  In the description of the first embodiment, the terminal 100 and the AP 200 are described as using the ZigBee communication method, but the communication method is not limited to this. The same applies to the following embodiments.

As described above, in Embodiment 1, association terminal 400 associates terminal 100 with AP 200, stores the association information in the database of center server 300, and center server 300 obtains an encryption key based on the association information. To deliver.
Therefore, as long as the user authentication information is not leaked, the third party does not change the network configuration or the encryption key is not distributed to a device not intended by the user.

In the first embodiment, the center server 300 encrypts the unique key (K _auth1 ) of the _AP 200 with the unique key of the terminal 100 and transmits it to the AP 200, and the terminal 100 further transmits the unique key (K _auth1 ) of the _{AP 200} . Also when the message is acquired, transmission / reception is performed while encrypted.
Therefore, the unique key (K _auth1 ) of the _{AP 200} remains in plain text and does not flow through the communication path, and the risk of leakage of the key is reduced.

In the first embodiment, the center server 300 transmits the MAC address of the associated terminal 100 to the AP 200 in advance, and when the terminal 100 issues a connection request to the AP 200, the AP 200 The MAC address received from the server 300 is verified.
Therefore, even when an unauthorized terminal 100 not intended by the installer issues a connection request to the AP 200, the AP 200 can refuse the connection, and the security of the AP 200 is ensured.

Further, in the first embodiment, when the terminal 100 issues a connection request to the AP 200, a random number is also transmitted, and whether or not the hash values using the AP 200's unique key (K _auth1 ) as a key match, It is verified whether or not the AP 200 is an associated AP.
For this reason, the terminal 100 is not accidentally connected to an unauthorized AP not intended by the installer, and the safety of the terminal 100 is ensured.

Further, the unique key (K _auth1 ) of the _{AP 200} is securely shared between the terminal 100 and the AP 200 by the above key sharing procedure.

Embodiment 2. FIG.
In the second embodiment of the present invention, a method for securely sharing an encryption key between the terminal 100 and the AP 200 in an environment where the AP 200 cannot connect to the Internet will be described.

FIG. 11 is a schematic configuration diagram of a key distribution system according to the second embodiment. In the following, a procedure in which the key distribution system in FIG. 11 shares a key between the terminal 100 and the AP 200 according to the steps in FIG. 11 will be described.
The detailed processing sequence and the detailed configuration of each device will be described later with reference to FIG. 12, and only the outline of the key distribution system according to the second embodiment is shown here.

  The association terminal 400 has a communication function with the terminal 100. Further, the terminal 100 transmits a beacon signal for knowing the connection destination.

  Hereinafter, each step of FIG. 11 will be described.

(1) Login to (5) Association between AP and terminal These steps are the same as those described in FIG.
(6) Transmit encrypted AP key to associated terminal The center server 300 reads the unique key of the terminal 100 and the AP 200 associated in step (5) from the terminal table. Next, the unique key of AP 200 is encrypted with the unique key of terminal 100 and transmitted to association terminal 400.

(7) Key Distribution The association terminal 400 distributes the unique key of the AP 200 to the terminal 100. Thereafter, communication between the terminal 100 and the AP 200 is encrypted using the shared AP 200 unique key.
(8) Connection The terminal 100 connects to the AP 200. At this time, unlike the first embodiment, the AP 200 does not receive a notification of the MAC address or the like of the terminal 100 from the center server 300, and thus the terminal 100 needs to be authenticated.

  The details of the processing of steps (7) to (8) will be described again in the processing sequence described later with reference to FIG.

  FIG. 12 illustrates a processing sequence in which the terminal 100a and the AP 200a share the unique key of the AP 200a as an encryption key. Here, description will be made on the assumption of the environment of FIGS. As in the first embodiment, the terminal 100a operates as a ZigBee node, and the AP 200a operates as a ZigBee Coordinator.

FIG. 12A shows a pre-processing sequence before the key sharing procedure is executed.
FIG. 12B is a processing sequence when the unique key of the AP 200a is shared between the associating terminal 400 and the terminal 100a.
FIG. 12C shows a processing sequence when the terminal 100a attempts to connect to the AP intended by the installer A (here, the AP 200a).
FIGS. 12A to 12C are shown in time series. Hereinafter, each step of FIG. 12 will be described.

(S1201)
Based on the association information stored in the AP table, the center server 300 encrypts the unique key (K _auth1 ) of the _AP 200a with the unique key (K _a ) of the terminal 100a (hereinafter referred to as C1), and transmits it to the AP 200a. .
This step corresponds to step (6) in FIG.
(S1202)
The user turns on the terminal 100a. Since the terminal 100a does not know at first which AP to connect to, the terminal 100a waits for a beacon signal transmitted from the AP.

(S1203)
The terminal 100a receives the beacon signal transmitted from the association terminal 400.
(S1204)
The terminal 100a issues a connection request to the associating terminal 400 and transmits a random number R.

(S1205)
The associating terminal 400 requests the center server 300 for the hash value C2 of the random number R calculated using the unique key (K _auth1 ) of the _{AP 200a} as a key. The center server 300 transmits the hash value C2 to the association terminal 400.
(S1206)
The associating terminal 400 transmits C1 received in step S1201 and C2 received in step S1205 to the terminal 100a.

(S1207)
The terminal 100a decrypts C1 with its own unique key and acquires the unique key (K _auth1 ) of the _{AP 200a} .
(S1208)
The terminal 100a calculates the hash value of the random number R using the unique key (K _auth1 ) of the _{AP 200a} as a key.
(S1209)
The terminal 100a determines whether or not the hash value calculated in step S1208 matches the C2 received in step S1206.
If they match, the sharing of the unique key (K _auth1 ) of the _{AP 200a} has succeeded, and the process _proceeds to connection processing after step S1210. If they do not match, it waits as it is.

(S1210)
The terminal 100a receives the beacon signal transmitted by the AP 200a.
(S1211)
The terminal 100a issues a connection request to the AP 200a.
(S1212)
The AP 200a transmits a random number ρ to the terminal 100a.
(S1213)
The terminal 100a calculates the hash value C3 of the random number ρ using the unique key (K _auth1 ) of the _{AP 200a} as a key.

(S1214)
The terminal 100a transmits the hash value C3 to the AP 200a.
(S1215)
The terminal 100a executes the ZigBee-join procedure and tries to connect to the AP 200a.

(S1216)
The AP 200a calculates a hash value of the random number ρ using the unique key (K _auth1 ) of the _{AP 200a} as a key.
(S1217)
The AP 200a determines whether or not the hash value calculated in step S1216 matches the C3 received in step S1214. If they match, the connection of the terminal 100a is permitted, and if they do not match, the connection is rejected.

  In the processing sequence of FIG. 12, the terminal 100a may receive a beacon signal from the AP 200b. In this case, the hash value collation similar to that in FIG. Since it is known that the access point is a new AP, there is no possibility of connecting to the AP 200b by mistake.

Further, in the second embodiment, the AP 200 does not have an Internet connection function, and synchronization between the AP unique key stored in the AP table of the center server 300 and the AP unique key stored in the AP 200 is easy. Since there is no means to take, the unique key of the AP 200 cannot be arbitrarily updated. Therefore, the unique key of the AP 200 is not updated and is used for a long time in an old state, which is not preferable from the viewpoint of communication safety.
Therefore, instead of using the AP 200 unique key (K _auth1 ) for communication encryption, a randomly generated encryption key is encrypted with the AP 200 unique key and delivered to the terminal 100 a in, for example, step S 1212 in FIG. It may be.
The terminal 100a can decrypt the randomly generated key using the unique key (K _auth1 ) of the _{AP 200} and use it for encryption of subsequent communication.

The key sharing procedure of the key distribution system according to the second embodiment has been described above.
Below, the detailed structure of each apparatus is demonstrated.

FIG. 13 is a functional block diagram of the AP 200 according to the second embodiment.
The AP 200 according to the second embodiment does not include the Internet connection function, and thus does not include the information holding unit 204 and the Internet connection unit 205 described in FIG. 8 of the first embodiment. Further, an authentication unit 206 is provided instead of the keyed hash calculation unit 202.

The authentication unit 206 performs the authentication process of the terminal 100 as described with reference to FIG.
The authentication unit 206 can be configured by hardware such as a circuit device that realizes the function, or can be configured as software executed on an arithmetic device such as a CPU or a microcomputer.

FIG. 14 is a functional block diagram of the center server 300 according to the second embodiment.
The center server 300 according to the second embodiment includes a keyed hash calculation unit 306 in addition to the configuration of FIG. 9 described in the first embodiment.

When the hash calculation unit with key 306 receives a request for the hash value C2 from the associating terminal 400 in step S1205 of FIG. 12, it calculates the same value and transmits it to the associating terminal 400 via the Internet communication unit 301.
The keyed hash calculation unit 306 can be configured by hardware such as a circuit device that implements the function, or can be configured as software executed on an arithmetic device such as a CPU or a microcomputer.

FIG. 15 is a functional block diagram of association terminal 400 according to the second embodiment.
The association terminal 400 according to the second embodiment includes a wireless communication unit 407 in addition to the configuration of FIG. 10 described in the first embodiment.
The wireless communication unit 407 performs wireless communication with the terminal 100 and has the same type of communication function as the wireless communication unit 101 included in the terminal 100.

  The detailed configuration of each device has been described above. These configurations are examples, and design changes within a range that does not depart from the gist are allowed as long as the processing sequences described in FIGS. 11 and 12 can be realized.

As described above, in the second embodiment, the center server 300 transmits the unique key (K _auth1 ) of the _{AP 200a} to the associating terminal 400, and the associating terminal 400 transmits the unique key to the terminal 100a.
Therefore, even if the AP 200a does not have an Internet connection function, the unique key (K _auth1 ) of the AP 200a can be shared between the terminal 100a and the AP 200a as in the first embodiment.

In the second embodiment, the center server 300 encrypts the unique key (K _auth1 ) of the _AP 200 with the unique key of the terminal 100 and transmits it to the associating terminal 400, and the terminal 100 further transmits the unique key (K _{When auth1} ) is acquired, it is sent and received while encrypted.
Therefore, the unique key (K _auth1 ) of the _{AP 200} remains in plain text and does not flow through the communication path, and the risk of leakage of the key is reduced.

  In the second embodiment, both the terminal 100a and the AP 200a perform authentication by hash value collation as described in FIGS. 12B and 12C, respectively. Communication is ensured without connection.

In the second embodiment, the associating terminal 400 delivers the AP 200 unique key (K _auth1 ) encrypted with the unique key of the terminal 100 to the terminal 100 a without decrypting the C 1. The risk of leakage of the unique key (K _auth1 ) of the _{AP 200} is reduced.

In Embodiment 2, the AP 200 unique key (K _auth1 ) is not used for communication encryption, but a randomly generated encryption key is encrypted with the AP 200 unique key and distributed to the terminal 100 a. By doing so, the encryption key can always be changed without updating the unique key (K _auth1 ) of the _{AP 200} , so that the security of communication is improved.

Embodiment 3 FIG.
In the third embodiment of the present invention, another method for securely sharing an encryption key between the terminal 100 and the AP 200 in an environment where the AP 200 cannot connect to the Internet as in the second embodiment will be described.

FIG. 16 is a schematic configuration diagram of a key distribution system according to the third embodiment. The procedure for sharing the key between the terminal 100 and the AP 200 by the key distribution system of FIG. 16 will be described below according to the steps of FIG.
Assume that the association terminal 400 can exchange data with the AP 200 through data communication, data exchange via a recording medium, or the like.

(1) Login to (6) Send encrypted AP key to association terminal These steps are the same as those described in FIG.
(7) Key distribution The associating terminal 400 distributes the encrypted unique key of the AP 200 to the AP 200. The distribution means may be data communication or data exchange via a recording medium.
(8) Key sharing The AP 200 and the terminal 100 share the AP 200 unique key. Thereafter, communication between the terminal 100 and the AP 200 is encrypted using the shared AP 200 unique key.
The processing in this step is the same as step (7) described in FIG. 2 of the first embodiment.

FIG. 17 is a functional block diagram of AP 200 according to the third embodiment.
AP 200 according to the third embodiment includes an association terminal communication unit 207 instead of the Internet communication unit 205 described in FIG. 8 of the first embodiment. Other configurations are the same as those in FIG.
The association terminal communication unit 207 receives, from the association terminal 400, C1 obtained by encrypting the unique key (K _auth1 ) of the AP 200 with the unique key of the terminal 100. Instead of reception by communication, data exchange via a recording medium as described above may be used.

FIG. 18 is a functional block diagram of association terminal 400 according to the third embodiment.
The association terminal 400 according to the third embodiment includes an AP communication unit 408 instead of the wireless communication unit 407 described in FIG. 15 of the second embodiment. Other configurations are the same as those in FIG.
The AP communication unit 408 transmits C1 obtained by encrypting the unique key (K _auth1 ) of the AP 200 with the unique key of the terminal 100 to the AP 200. Instead of reception by communication, data exchange via a recording medium as described above may be used.

  The detailed configuration of each device has been described above. These configurations are merely examples, and design changes within a range that does not depart from the gist are allowed as long as the processing sequence described in FIG. 16 can be realized.

  As described above, according to the third embodiment, the same effect as in the second embodiment can be obtained.

Embodiment 4 FIG.
In the above first to third embodiments, it has been described that the center server 300 includes a database storing a terminal table and an AP table that hold the unique ID of each device. Further, it has been described that the association terminal 400 transmits the unique ID of each device as association information to the center server 300 and stores the association information in the AP table.
In the fourth embodiment of the present invention, a configuration that makes this unique ID difficult to be camouflaged by a malicious third party will be described.

If the authentication information of a user is leaked to a malicious third party, the third party transmits an arbitrarily generated ID to the center server 300 using the association terminal 400 or a terminal having a function equivalent thereto. By doing so, it becomes possible to associate devices that have not been purchased with each other.
Therefore, consider a mechanism that guarantees that the ID is a genuine product with a unique ID of the device.

  First, when assigning a unique ID of each device at the stage of manufacturing or shipping the terminal 100 or the AP 200, the unique ID is configured as follows.

(1) A random character string portion is formed in the unique ID.
(2) The authenticator uniquely generated by the random character string portion and the secret key of the center server 300 is included in the unique ID. When generating the authenticator, a one-way function having sufficient collision resistance is used.

If the unique ID of the device is configured as described above, it can be seen that the device to which the unique ID is assigned is a genuine product associated with the center server 300, thus reducing the possibility of impersonating the unique ID. The center server 300 can take appropriate measures such as refusing association of devices.
As a result, even if the user authentication information is leaked, it becomes difficult for a third party to associate each device in an unauthorized manner. Therefore, in addition to the safety when sharing the keys between the devices, the center server 300 side Security is ensured, and the key can be shared more securely, and a highly reliable key distribution system and key sharing procedure can be provided.

Embodiment 5 FIG.
In Embodiments 1 to 4 described above, it is described that the user associates the terminal 100 with the AP 200 using the association terminal 400. However, in addition to the association operation, registration of the device ID and the registration contents You may comprise so that processing, such as a change, cancellation of registration, transfer of apparatus ownership, can be performed.

  For example, the unique ID of each device may be set not only by the contractor in each table at the stage of manufacture, shipment, etc., but also manually set by the user using the association terminal 400.

  When the center server 300 has only one AP, the center server 300 automatically associates the newly purchased terminal with the AP, or registers the user's e-mail address or the like and performs association. A process for confirming with the user may be performed.

  In addition, when the unique ID of each device is converted into a QR code and pasted on the housing of each device, when the QR code is captured by the camera provided in the association terminal 400, the URL of the center server 300 is automatically jumped to. Such a configuration is convenient for the user.

Embodiment 6 FIG.
In the first to fifth embodiments described above, an example in which each authentication process is performed using a hash value has been described. However, an encrypted value may be used for authentication instead of the hash value. In this case, instead of sharing the hash function H (), the encryption / decryption function is shared, and the match determination is performed by comparing the encrypted values instead of comparing the hash values.
These hash values or encrypted values used for authentication are collectively referred to as “encrypted values” in the present invention.

  In the present invention, the hash value and the encrypted value are intended to securely authenticate using a one-way function or the like from which a unique value is obtained, so it is not always necessary to use a hash function or a cryptographic function. You may use the function etc. from which the effect equivalent to this is acquired.

When using an encrypted value instead of a hash value, the “keyed hash calculation unit” in each device is appropriately configured as an “encryption unit”, a “decryption unit”, etc., and configured to perform necessary processing. That's fine.
In addition, what is necessary is just to comprise so that the key used when calculating a hash value in each above-mentioned embodiment may be used for the key used for encryption / decryption.

The possibility of leakage when key sharing is performed between communication terminals will be described. 1 is a schematic configuration diagram of a key distribution system according to Embodiment 1. FIG. FIG. 4 is a configuration explanatory diagram of a terminal table held by a center server 300. It is a structure explanatory drawing of AP table which the center server 300 hold | maintains. It is a structure explanatory drawing of the user table which the center server 300 hold | maintains. A processing sequence in which the terminal 100a and the AP 200a share the unique key of the AP 200a as an encryption key will be described. 2 is a functional block diagram of a terminal 100. FIG. It is a functional block diagram of AP200. 4 is a functional block diagram of a center server 300. FIG. 4 is a functional block diagram of an association terminal 400. FIG. 5 is a schematic configuration diagram of a key distribution system according to Embodiment 2. FIG. A processing sequence in which the terminal 100a and the AP 200a share the unique key of the AP 200a as an encryption key will be described. 6 is a functional block diagram of an AP 200 according to Embodiment 2. FIG. 6 is a functional block diagram of a center server 300 according to Embodiment 2. FIG. 6 is a functional block diagram of an association terminal 400 according to Embodiment 2. FIG. FIG. 10 is a schematic configuration diagram of a key distribution system according to a third embodiment. It is a functional block diagram of AP200 which concerns on Embodiment 3. FIG. FIG. 10 is a functional block diagram of an association terminal 400 according to Embodiment 3.

Explanation of symbols

  100 terminal, 101 wireless communication unit, 102 connection destination candidate holding unit, 103 connection destination determining unit, 104 random number generation unit, 105 random number holding unit, 106 hash calculation unit with key, 107 collation unit, 108 unique key holding unit, 109 decryption Unit, 110 AP key holding unit, 200 AP, 201 wireless communication unit, 202 keyed hash calculation unit, 203 AP key holding unit, 204 information holding unit, 205 Internet communication unit, 206 authentication unit, 207 association terminal communication unit, 300 Center server, 301 Internet communication unit, 302 Key encryption unit, 303 Association determination unit, 304 Association reference holding unit, 305 Table operation unit, 306 Hash calculation unit with key, 400 Association terminal, 401 Internet communication unit, 402 Center server Address holding unit, 403 device D acquisition unit, 404 table operation request generating unit, 405 the authentication information input section, 406 associated with the specified unit, 407 wireless communication unit, 408 AP communication unit, 500 Internet.

Claims (12)

A method of sharing an encryption key between communication terminals,
A server holding association information between communication terminals sharing an encryption key;
An association terminal for transmitting the association information to the server;
Provided,
A unique key of each communication terminal is stored in advance in the server,
The server authenticating the association terminal;
An association step in which the association terminal transmits the association information to the server;
A key distribution step in which the server encrypts the encryption key with the unique key based on the association information and distributes the encrypted encryption key;
A connection step in which a sharing destination communication terminal issues a connection request to the sharing source communication terminal;
A key sharing method characterized by comprising: In the key distribution step,
The server encrypts the encryption key with the unique key of the communication terminal of the sharing destination, and transmits it to the communication terminal of the sharing source together with the address information of the communication terminal of the sharing destination,
After the connecting step,
A collation step of collating the address of the communication terminal from which the communication terminal of the sharing source has issued the connection request and the address information received in the key distribution step;
In the matching step,
Permit the connection request only when the address of the communication terminal that issued the connection request matches the address information received in the key distribution step,
The key sharing method according to claim 1, wherein the encryption key is shared between a sharing source communication terminal and a sharing destination communication terminal. In the connecting step,
The sharing destination communication terminal issues a connection request to the sharing source communication terminal and transmits a random number.
After the connecting step,
A sharing source communication terminal calculating an encryption value of the random number using the encryption key;
A sharing source communication terminal transmitting the encryption key encrypted with the encryption key and a unique key of the sharing destination communication terminal to a sharing destination communication terminal;
A sharing destination communication terminal decrypting the encryption key with a unique key of the communication terminal;
A verification step of calculating an encrypted value of the random number using the decrypted encryption key;
Have
Only when the encryption value transmitted by the sharing source communication terminal matches the encryption value calculated in the verification step,
The key sharing method according to claim 1, wherein the encryption key is shared between a sharing source communication terminal and a sharing destination communication terminal. In the key distribution step,
The server encrypts the encryption key with a unique key of a communication terminal of a sharing destination and transmits it to the association terminal,
After the connecting step,
A sharing destination communication terminal transmitting a first random number to the association terminal;
The association terminal requesting the encryption value of the first random number from the server;
The association terminal transmitting the encryption key encrypted with the encryption value of the first random number and the unique key of the communication terminal of the sharing destination to the communication terminal of the sharing destination;
A sharing destination communication terminal decrypting the encryption key with a unique key of the communication terminal;
A first verification step of calculating an encrypted value of the random number using the decrypted encryption key;
Have
Only when the encryption value transmitted by the association terminal matches the encryption value calculated in the first verification step,
The key sharing method according to claim 1, wherein the encryption key is shared between the association terminal and a shared communication terminal. After the connecting step,
A sharing source communication terminal transmitting a second random number to a sharing destination communication terminal;
A shared communication terminal calculating an encryption value of the second random number using the encryption key;
A sharing destination communication terminal transmitting the encryption value to a sharing source communication terminal;
A second verification step in which a sharing source communication terminal calculates an encryption value of the second random number using the encryption key;
Have
5. The key sharing method according to claim 4, wherein the connection request is permitted only when the encryption value transmitted by the communication terminal of the sharing destination matches the encryption value calculated in the second verification step. . After the connecting step,
A sharing source communication terminal transmitting a second encryption key encrypted with the encryption key to a sharing destination communication terminal;
The shared communication terminal
The key sharing method according to claim 5, wherein the second encryption key is decrypted with the encryption key and used for encryption or decryption of subsequent communication. In the key distribution step,
The server encrypts the encryption key with a unique key of a communication terminal of a sharing destination and transmits it to the association terminal,
After the key distribution step,
The key sharing method according to claim 1, wherein the association terminal includes a transfer step of transferring the encryption key to a sharing source communication terminal. After the connecting step,
A collation step of collating the address of the communication terminal from which the communication terminal of the sharing source has issued the connection request and the address information received in the key distribution step;
In the matching step,
Permit the connection request only when the address of the communication terminal that issued the connection request matches the address information received in the key distribution step,
The key sharing method according to claim 7, wherein the encryption key is shared between a sharing source communication terminal and a sharing destination communication terminal. In the connecting step,
The sharing destination communication terminal issues a connection request to the sharing source communication terminal and transmits a random number.
After the connecting step,
A sharing source communication terminal calculating an encryption value of the random number using the encryption key;
A sharing source communication terminal transmitting the encryption key encrypted with the encryption key and a unique key of the sharing destination communication terminal to a sharing destination communication terminal;
A sharing destination communication terminal decrypting the encryption key with a unique key of the communication terminal;
A verification step of calculating an encrypted value of the random number using the decrypted encryption key;
Have
Only when the encryption value transmitted by the sharing source communication terminal matches the encryption value calculated in the verification step,
The key sharing method according to claim 7 or 8, wherein the encryption key is shared between a communication terminal that is a sharing source and a communication terminal that is a sharing destination. Each of the communication terminals
A unique ID generated with the server's unique key and random number is assigned in advance,
In the association step,
The key association method according to any one of claims 1 to 9, wherein the association terminal transmits the ID of each of the communication terminals that shares the encryption key as the association information to the server. The server
The ID transmitted by the association terminal is verified using the unique key of the server,
The key sharing method according to claim 10, wherein when the ID is invalid, association of the communication terminal is rejected.   A key distribution system comprising: each communication terminal according to claim 1, a server, and an association terminal.

Images