JP2011045104A - Access point for wireless lan, program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To improve a technique for selecting an encryption system, in which an access point (AP) for a wireless LAN and each terminal to be wirelessly connected to the AP have the common security level, in the AP for a wireless LAN that has a function for relaying signals between a plurality of the terminals. <P>SOLUTION: An AP 10 includes a plurality of logical or physical sub APs, each of which has a unique identifier so as to be identifiable from each other and is mutually independently operable. Each sub AP has a plurality of normal sub APs 1, 2, and 3. Each normal sub AP has at least one encryption system SecType which allows each normal sub AP to correspond thereto when each normal sub AP is used. Each normal sub AP is configured that at least one encryption system is previously assigned so that the types of the encryption systems, respectively having the highest security level for each normal sub AP, are different from each other for each normal sub AP. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a wireless LAN access point having a function of constructing a wireless LAN (Local Area Network) in cooperation with a plurality of terminals and relaying a signal between the plurality of terminals, in particular, for the wireless LAN. The present invention relates to an improvement in technology for selecting an encryption method having a common security level for an access point and each terminal to be wirelessly connected thereto.

  Wireless LAN (Local Area Network) is a technology that enables wireless communication between a plurality of terminals (for example, a personal computer PC, a portable terminal such as a personal digital assistant PDA, an information processing apparatus equipped with a computer, etc.) that are located apart from each other. ) Is already popular.

  This wireless LAN is constructed by wirelessly connecting a plurality of terminals (slave units) to an access point (base unit) common to these terminals. In this wireless LAN, the access point is a plurality of terminals. It serves to relay signals between them.

  On the other hand, a user of each terminal participating in the wireless LAN may desire to communicate with other terminals participating in the same wireless LAN in a secure environment. In order to satisfy this demand, for example, as disclosed in Patent Documents 1 and 2, encrypted communication is performed between an access point and each terminal in a wireless LAN.

JP 2005-175524 A JP 2005-311653 A

  In order to perform encrypted communication between an access point and each terminal in a wireless LAN, prior to its start, an encryption method having a security level common to the access point and each terminal is used. Must be set.

  On the other hand, a plurality of terminals participating in the same access point always include a profile for encryption (a condition regarding an encryption capability which means the highest one among a plurality of security levels that can be supported by each terminal). ) Are not necessarily common to each other. This is because a terminal having a low encryption capability (for example, a game machine) and a terminal having a high encryption capability (for example, a PC) may share the same access point.

  If multiple terminals trying to participate in the same access point do not agree with each other in terms of encryption capability, the security level that they will eventually adopt will have the lowest encryption capability among those terminals. The security level that represents the encryption capability of the terminal that the user has is reduced uniformly.

  Against the background described above, the present invention provides a wireless LAN access point having a function of constructing a wireless LAN in cooperation with a plurality of terminals and relaying signals between the plurality of terminals. An object of the present invention is to improve a technique for selecting an encryption method having a security level common to a LAN access point and each terminal to be wirelessly connected thereto.

According to one aspect of the present invention, in order to solve the above problem, a wireless LAN access point having a function of constructing a wireless LAN in cooperation with a plurality of terminals and relaying signals between the plurality of terminals. A plurality of logical or physical sub-access points, each having a unique identifier, identifiable from each other and each operable independently of each other;
The sub-access points include a plurality of normal sub-access points and special sub-access points that are commonly used for the normal sub-access points. Each normal sub-access point has at least one encryption method that can be supported, and the at least one encryption method has the highest security level for each normal sub-access point. It is assigned in advance to be different for each normal sub-access point,
When the wireless LAN access point is connected to the target terminal specified by the user as a request to join the wireless LAN among the plurality of terminals, the special sub access point is activated, The special sub access point exchanges security information regarding the security level with the target terminal,
When the exchange of the security information is completed, based on the security information, the security level of the encryption method that the target terminal will eventually adopt when it is selected from among the plurality of normal sub-access points Is selected as the target normal sub-access point,
Based on the security information, an encryption method common to the selected target normal sub access point and the target terminal is selected,
Based on the selected encryption method, the target normal sub-access point is provided that can communicate with the target terminal .

  The following aspects are obtained by the present invention. Each aspect is divided into sections, each section is given a number, and is described in a form that cites other section numbers as necessary. This is to facilitate understanding of some of the technical features that the present invention can employ and combinations thereof, and the technical features that can be employed by the present invention and combinations thereof are limited to the following embodiments. Should not be interpreted. That is, it should be construed that it is not impeded to appropriately extract and employ the technical features described in the present specification as technical features of the present invention although they are not described in the following embodiments.

  Further, describing each section in the form of quoting the numbers of the other sections does not necessarily prevent the technical features described in each section from being separated from the technical features described in the other sections. It should not be construed as meaning, but it should be construed that the technical features described in each section can be appropriately made independent depending on the nature.

(1) A wireless LAN access point having a function of constructing a wireless LAN (Local Area Network) in cooperation with a plurality of terminals and relaying a signal between the plurality of terminals,
Including a plurality of logical or physical sub-access points, each having a unique identifier, identifiable from each other, and each operable independently of each other;
These sub access points include a plurality of normal sub access points,
Each normal sub-access point has at least one encryption scheme that each normal sub-access point can support during its use;
Each normal sub-access point is pre-assigned such that the at least one encryption method is different for each normal sub-access point in the type of encryption method having the highest security level for each normal sub-access point. Wireless LAN access point.

  This wireless LAN access point has a plurality of normal sub-access points that are independent from each other with respect to the types of encryption methods that can be employed, and each of the normal sub-access points has a different encryption capability from each other. An encryption method that can be supported by the sub access point during use (that is, an encryption method that each normal sub access point can support when the user views each normal sub access point, and each normal sub access point The access point is not assigned an encryption method that is potentially compatible before shipping).

  Therefore, an encryption method that is finally adopted by a certain terminal (for example, a new terminal that is going to participate in the wireless LAN to which the wireless LAN access point belongs) will be shared by the wireless LAN access point. When selecting an encryption method, the one having the encryption capability corresponding to the encryption capability of the terminal among the plurality of normal sub access points is selected as the normal sub access point to be wirelessly connected by the terminal can do.

  If the user selects the normal sub access point for other terminals in the same manner, it is possible to avoid a plurality of terminals having greatly different encryption capabilities from being connected to the same normal sub access point. As a result, when it is necessary to connect a plurality of terminals to the wireless LAN access point, the security level of the encryption method that each terminal finally adopts is the encryption level of those terminals. Although the encryption capability is the lowest, the security level corresponding to the encryption capability is not lowered.

  In addition, when it is necessary for a user to connect a plurality of terminals having greatly different encryption capabilities to the access point for the wireless LAN, the user can identify the encryption capabilities based on the respective encryption capabilities. Can be assigned to a plurality of normal sub-access points different from each other. In this way, it is possible to connect a plurality of terminals to the wireless LAN access point (one master unit) without unnecessarily sacrificing the encryption capability of each terminal.

  The number of encryption schemes that each normal sub access point can support during its use may be one or more. When the number of encryption schemes that can be handled is one, the types of terminals that can be connected to the normal sub-access point are limited with respect to the types of encryption schemes. On the other hand, it is avoided that the security level that is normally adopted by the normal sub access point is lowered due to the security level of the terminal connected to the normal sub access point.

(2) For each normal sub-access point, the security level of the encryption method that is finally adopted by at least one terminal to be wirelessly connected to each normal sub-access point is set to another normal sub-access point. The access point for wireless LAN according to item (1), including a selector that is selected regardless of the security level of the encryption method that can be supported by other terminals belonging to.

  According to this wireless LAN access point, the security level of the encryption method that is finally adopted by a terminal belonging to a certain normal sub access point can be handled by other terminals belonging to that normal sub access point. Although it depends on the level, it is selected without depending on the security level that can be supported by other terminals belonging to other normal sub-access points.

  Therefore, according to this wireless LAN access point, the security level of the encryption method that the terminal belonging to each normal sub access point will eventually adopt corresponds to the other terminals belonging to other normal sub access points. It is prevented that the security level is lowered due to a low possible security level.

(3) For each normal sub-access point, the selector includes at least one security level that can be supported by each normal sub-access point and a security level that can be supported by the at least one terminal. Negotiation is performed between the terminal and the wireless LAN access point, thereby selecting the security level of the encryption method that the at least one terminal will eventually adopt for each normal sub-access point. And
The plurality of sub-access points further includes a special sub-access point that exchanges encryption keys with the at least one terminal in order to perform the negotiation,
The special sub access point is a wireless LAN access point according to item (2), which is used in common for the plurality of normal sub access points.

  This wireless LAN access point has a plurality of sub-access points that can operate independently of each other, and in addition to a plurality of normal sub-access points mainly for data communication, these sub-access points It is configured to have a special sub access point mainly for key exchange.

  Since the special sub-access point can operate independently of the normal sub-access point, in order to perform key exchange between the new terminal to join the wireless LAN and the wireless LAN access point, Usually, it is not necessary to use a sub-access point. Therefore, data communication by any normal sub access point is not temporarily interrupted for key exchange.

(4) In response to a user making a first request to the wireless LAN access point to establish a connection between the wireless LAN access point and at least one terminal, the plurality of The normal sub-access point includes start / stop means for starting the one having a terminal that can be connected to the sub-access point, and stopping the one that does not exist, according to any one of (1) to (3) Wireless LAN access point.

  According to this wireless LAN access point, among the plurality of normal sub-access points, those that do not have a connectable terminal are stopped, so that the inconvenience resulting from the operation of the normal sub-access point that does not require operation ( For example, it is easy to avoid a useless load imposed on the wireless LAN access point and a decrease in data communication security.

(5) After the connection between the wireless LAN access point and the at least one terminal is established, for each normal sub access point, is no terminal connected to the normal sub access point? The wireless LAN access point according to item (4), including stop means for determining whether or not to stop one of the plurality of normal sub-access points that is not connected to any terminal.

  According to this wireless LAN access point, for example, when a normal sub access point that is not connected to any terminal occurs due to a terminal leaving the wireless LAN after joining the wireless LAN, Usually the sub-access point is stopped.

(6) After the connection between the wireless LAN access point and the at least one terminal is established, at least one terminal different from the at least one terminal and the wireless LAN access point In response to the user making a second request to the wireless LAN access point to establish a connection between the plurality of normal sub-access points, a part of the plurality of normal sub-access points specified by the user The access point for wireless LAN according to (4) or (5), including activation means for activating normal sub-access points or all normal sub-access points.

  According to this wireless LAN access point, for example, when it is necessary to join a certain terminal to the wireless LAN, the user activates a normal sub-access point that has the possibility of connecting the terminal, It is possible to reliably establish a connection between these terminals and the normal sub access point.

(7) including one physical MAC (Media Access Control) as a physical entity,
The physical MAC is made to function as a plurality of virtual MACs by performing encrypted communication at different security levels in a time-sharing manner,
The plurality of virtual MACs are assigned different identifiers in advance,
The wireless LAN access point according to any one of (1) to (6), wherein the plurality of logical sub-access points are configured to include the plurality of virtual MACs, respectively.

  According to this wireless LAN access point, the increase in scale and complexity of the hardware configuration associated with the multiplexing of the MAC can be avoided.

(8) Enable the selector described in (2) or (3), the start / stop means described in (4), the stop means described in (5), or the start means described in (6) A program executed by a computer for.

  The program according to this section can be interpreted so as to include not only a combination of instructions executed by a computer to fulfill its function, but also files and data processed in accordance with each instruction.

  In addition, this program may achieve its intended purpose by being executed by a computer alone, or may be intended to achieve its intended purpose by being executed by a computer together with other programs. it can. In the latter case, the program according to this section can be mainly composed of data.

(9) A recording medium on which the program according to item (8) is recorded so as to be readable by a computer.

  This recording medium can adopt various formats, for example, a magnetic recording medium such as a flexible disk, an optical recording medium such as a CD and a CD-ROM, a magneto-optical recording medium such as an MO, and an unremovable storage such as a ROM. Any of these may be adopted.

1 is a perspective view showing a wireless LAN system using a wireless LAN access point according to an embodiment of the present invention together with the Internet, which is an example of a global network. FIG. 2 is a block diagram conceptually showing a hardware configuration of a wireless LAN access point shown in FIG. 1. FIG. 3A is a perspective view showing the wireless LAN access point shown in FIG. 1, and FIG. 3B is a diagram showing a representative of a plurality of terminals shown in FIG. It is a perspective view shown with the adapter for LAN connection, and FIG.3 (c) is a block diagram which represents notionally the hardware constitutions of the computer which comprises the main body of the terminal shown in FIG.3 (b). The wireless LAN access point shown in FIG. 1 is configured as a plurality of virtual sub-APs multiplexed with respect to the type of encryption method, and a state in which a plurality of terminals are wirelessly connected to these sub-APs. It is a block diagram for demonstrating. The plurality of sub APs shown in FIG. 4 are different from each other in terms of the security levels that can be handled, and the security adopted by each sub AP according to the security level that can be handled by each wirelessly connected terminal for each sub AP. It is a table | surface in order to demonstrate a mode that a level is set. 6A is a flowchart conceptually showing a connection establishment program executed in each terminal shown in FIG. 1, and FIG. 6B is a connection executed in the wireless LAN access point shown in FIG. It is a flowchart which represents an establishment program notionally. 7 is a flowchart conceptually showing details of step S201 in FIG. 6. FIG. 8A is a flowchart conceptually showing details of step S106 in FIG. 6, and FIG. 8B is a flowchart conceptually showing details of step S203 in FIG. 7 is a flowchart conceptually showing details of step S206 in FIG. 6. 2 is a flowchart conceptually showing a sub AP start program executed in a wireless LAN access point shown in FIG. 3 is a flowchart conceptually showing a sub AP stop program executed in the wireless LAN access point shown in FIG. 1.

  Hereinafter, some of more specific embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a perspective view showing a hardware configuration of a wireless LAN system 12 having a wireless LAN access point (hereinafter abbreviated as “AP”) 10 according to an embodiment of the present invention.

<Configuration of wireless LAN>

  In this wireless LAN system 12, a plurality of terminals (wireless terminals) 20, 22, and 24 are connected to each other wirelessly via the AP 10, whereby a wireless LAN 30 is constructed. As will be described later, the wireless LAN 30 is connected to a WAN (Wide Area Network) or the Internet 34 as a global network via a router 32.

<AP functions>

  As is well known, the AP 10 is a radio base station and is also referred to as a parent device. As is well known, the AP 10 has a function of controlling access authority for each terminal 20, 22, 24 to wirelessly communicate with other terminals in the wireless LAN 30 to which the AP 10 belongs, an encryption key (for example, a WEP key, It has a function of controlling a security level (encryption strength) for encrypted wireless communication using a TKIP key or an AES key.

<Terminal functions>

  Each of the terminals 20, 22, and 24 has a function of performing wireless communication with other terminals belonging to the same wireless LAN 30, and a station (“STA” in each figure is related to the AP 10 belonging to the same wireless LAN 30. Abbreviated) or called a slave. Each terminal 20, 22, 24 can employ various methods, for example, a personal computer PC, a portable information terminal PDA, or an information processing apparatus incorporating a computer. .

<AP hardware configuration>

  As shown in FIG. 1, the AP 10 includes a housing 40. Various hardware components are accommodated in the housing 40. FIG. 2 conceptually shows the hardware configuration of the AP 10 in a block diagram. As shown in FIG. 2, the AP 10 is composed mainly of a computer. As is well known, the CPU 50, ROM 52, RAM 54, and a storage device 56 capable of storing data in a nonvolatile manner such as a hard disk are electrically connected to each other via a bus 58. It is configured by being.

  As shown in FIG. 2, the AP 10 further includes a wireless communication interface 60 for wireless connection with each terminal 20, 22, 24, a WAN port 62 for connection with a WAN (for example, the Internet 34), A LAN port 64 for connection to a wired LAN (not shown) is provided in a state where each is connected to the bus 58.

  A transmitter 66 that transmits radio waves and a receiver 68 that receives radio waves are connected to the wireless communication interface 60. The transmitter 66 and the receiver 68 are built in the AP 10 in a state where transmission of radio waves to the outside and reception of radio waves from the outside are possible.

  The AP 10 further includes an input / output controller 70 that enables input / output of information from the user, and a display controller 72 that enables display of information to the user, each connected to the bus 58. Yes.

  A push-type one-touch registration button 80 is connected to the input / output controller 70. As shown in FIG. 3A, the one-touch registration button 80 is attached to the housing 40 so as to have an operation portion 81 exposed on the surface of the housing 40 of the AP 10. Although the function of the one-touch registration button 80 will be described later, the pressed state of the one-touch registration button 80 can be detected by the CPU 50 via the input / output controller 70. In FIG. 3A, reference numeral 82 indicates an antenna used for the transmitter 66 and the receiver 68.

  On the other hand, as shown in FIG. 2, the display controller 72 is connected with various display lamps 84 for displaying the connection state and communication state of the wireless LAN 30 by lighting or blinking.

  As shown in FIG. 1, a router 32 with a built-in modem is connected to the WAN port 62 of the AP 10 via a cable 33. The router 32 can identify each terminal 20, 22, 24 based on a MAC address previously assigned to each terminal 20, 22, 24.

  The user of each terminal 20, 22, 24 connects his / her terminal to the Internet 34 through the AP 10 and the provider 90 with which the user contracts, and receives various information such as desired web contents from the server 92 on the Internet 34. Can be acquired.

<Virtual multiplexing of MAC>

  As will be described in detail later, the AP 10 is designed to be capable of supporting a plurality of encryption methods for signals communicated on the wireless LAN 30 and having a plurality of different security levels. Yes.

  Therefore, in the AP 10, software (program) for realizing MAC (Media Access Control) to be executed by the CPU 50 is stored in the ROM 52, so that as conceptually shown in a block diagram in FIG. 4, The MAC 100 as a hardware component is realized.

  As shown in FIG. 4, in this embodiment, there is only one MAC 100, but a plurality of MACs that can perform encrypted communication at a plurality of different security levels in a time division manner. 4 (in the example shown in FIG. 4, the number of virtual MACs is three, hereinafter referred to as “MAC1”, “MAC2”, and “MAC3”). These virtual MACs 1 to 3 are operated substantially in parallel by the CPU 50. Of course, the housing 40 is provided in common to these virtual MACs 1 to 3.

  Therefore, as shown in FIG. 4, the AP 10 apparently operates as a plurality of virtual sub-access points (hereinafter referred to as “sub-APs”) by implementing the above-described MAC realization software. Designed to work as. That is, in the present embodiment, in order for the AP 10 to perform substantial communication with each of the terminals 20, 22, and 24, it is virtually assumed as a plurality of sub APs that can differentiate the types of encryption methods. Are multiplexed.

  The number of sub APs (three in the example shown in FIG. 4 and hereinafter referred to as “sub AP1”, “sub AP2”, and “sub AP3”) is the above-described virtual MACs 1 to 3. It is the same number.

  Furthermore, in this embodiment, as will be described later, in order to acquire information necessary for selecting an encryption method for each sub AP, each terminal 20, 22, 24 and AP 10 Information on the security level is exchanged between the two.

In order to exchange the security level information, it is more convenient that the number of access points that can be seen from the same terminal is single. Therefore, in this embodiment, one dedicated to security level information exchange (key exchange) is used. The sub AP is additionally used as a special sub AP _Z for key exchange. This key exchange special sub AP _Z is commonly used in the key exchange procedure for the plurality of sub APs 1 to 3. The key exchange special sub AP _Z is operated by a virtual MAC _{Z (} not shown).

<Individual selection of encryption method>

  As shown in FIG. 4, an SSID (Service Set ID) that is a unique identification number is assigned in advance to each sub AP. Further, for each sub AP, the type of encryption method adopted by each sub AP (indicated by “SecType” in FIG. 4) and the value of the encryption key adopted by each sub AP (in FIG. 4, "Represented by" SecKey "). Similarly, for each terminal, the SSID of the sub AP to be used by each terminal 20, 22, 24, the type of encryption method employed by each terminal 20, 22, 24, and the encryption key employed by each terminal Associated with a value.

  In the example shown in FIG. 4, the sub-AP 1 that uses the virtual MAC 1 has one terminal No. 1 and the sub-AP 2 using the virtual MAC 2 has one terminal No. 2 and the sub-AP 3 using the virtual MAC 3 has two terminal numbers No. 1 having different security levels. 3 and no. 4 is assigned.

  As will be described in detail later, the AP 10 corresponds to each of the sub APs (that is, for each virtual MAC), prior to establishment of the wireless LAN communication with each of the terminals 20, 22, and 24. It is designed to select an encryption method adopted by each virtual MAC 1, 2, 3 so as to be compatible with a possible encryption method.

  Specifically, each of the virtual MACs 1, 2, and 3 has a plurality of selectable encryption methods having different security levels, and is selective with respect to the security level of the encryption method to be finally adopted. Assuming that, the AP 10 is wirelessly connected to each of the virtual MACs 1, 2, 3 for each of the sub APs (ie, for each virtual MAC). The terminal is designed to be selected according to the security level of the encryption method that can be supported by the terminal.

  As the plurality of encryption methods, for example, AES, TKIP, WEP128, and WEP64, all defined in the standard IEEE 802.11, are used. Each encryption method is an encryption technique of a secret key encryption method (a method using an encryption key common to data encryption and decryption of encrypted data). These four types of encryption schemes are defined such that the security level decreases in the order listed. That is, the vulnerability of data transmitted / received increases as it approaches WEP64, and conversely, the confidentiality of data transmitted / received improves as it approaches AES.

  In the present embodiment, a plurality of sub-APs 1 to 3 are pre-assigned corresponding encryption methods so that the types of encryption methods having the highest security level for each sub-AP are different among the sub-APs. It has been.

  In one example, as shown in FIG. 5, only the AES (encryption scheme with the highest security level) is supported for the sub-AP1, and the sub-AP2 is compatible with TKIP (encryption scheme). Only the highest security level encryption method) is assigned in advance to the sub-AP 3 as two encryption methods, WEP128 and WEP64 (WEP128 is the highest security level encryption method).

  Thus, in the example shown in FIG. 5, it is possible to cope with the sub APs 1 to 3 so that the types of encryption methods having the highest security level for each sub AP are different among the sub APs 1 to 3. Various encryption methods are assigned in advance.

  However, the method of assigning the encryption method to the plurality of sub APs is not limited to this, and, for example, a plurality of sub APs that are a part of the sub APs 1 to 3 may have a plurality of security levels different from each other. A set of encryption schemes (for example, AES, TKIP, WEP128, and WEP64) can be pre-assigned as compatible encryption schemes.

  In the example shown in FIG. 5, four terminals to be wirelessly connected to the AP 10 are arranged from the top to the bottom in the order in which the encryption capability decreases, and according to the order, the three terminals in which the encryption capability decreases in order. Assigned to each sub AP. In this embodiment, this assignment is performed by the user, but may be automatically performed by the CPU 50 executing a specific program.

  Specifically, the terminal No. having the highest encryption capability is selected. 1 is assigned to the sub-AP 1 having the highest encryption capability and is assigned the terminal No. 1 having the second highest encryption capability. 2 is assigned to the sub-AP 2 having the second highest encryption capability and is assigned the terminal No. 2 having the third highest encryption capability. 3 and the terminal No. having the lowest encryption capability. 4 is assigned to the sub AP 3 having the lowest encryption capability.

  In the example shown in FIG. 1 is the security level that is finally adopted (in FIG. 5, it is surrounded by a square frame). 2 to No. 4 is determined regardless of the security level that can be handled. Similarly, the security level that will eventually be adopted by other terminal No. 1, no. 3 and no. 4 is determined independently of the security levels that can be supported. Because of these terminal numbers. 1 and no. This is because both 2 do not share the same sub AP with other terminals.

  On the other hand, as shown in FIG. The security level that will eventually be adopted by terminal 3 is the terminal number. 1 and no. 2 is determined regardless of the security level that can be handled. 4 must be determined in consideration of the security level that can be supported.

  Similarly, the terminal No. The security level that will eventually be adopted by the terminal 4 is the terminal number. 1 and no. 2 is determined regardless of the security level that can be handled. 3 must be determined in consideration of the security level that can be supported. Because of these terminal numbers. 3 and no. 4 is because the same sub-AP is shared, and the sub-AP has two types of encryption methods that can be supported.

  Some specific examples of methods for determining the security level to be finally adopted for each of the terminals 20, 22, 24 are Japanese Unexamined Patent Publication Nos. 2005-175524 and 2005-2005. This is disclosed in detail in Japanese Patent No. 3116653. Therefore, the duplicate description about the method is omitted here. These publications are incorporated herein by reference in their entirety.

<AP software configuration>

  The ROM 52 shown in FIG. 2 stores in advance various programs relating to communication with the terminals 20, 22, and 24 in the wireless LAN 30 and connection to the Internet 34, and data necessary for executing the programs.

  Specifically, the programs stored in the ROM 52 in advance are (a) the above-described MAC implementation program (not shown) and (b) the CPU 50 to establish a connection with each of the terminals 20, 22, and 24. A connection establishment program to be executed (see FIG. 6), and (c) a MAC address registration program (to be executed by the CPU 50 for registering a MAC address previously assigned to each terminal 20, 22, 24 for each sub AP ( (Not shown).

  The connection establishment program shown in FIG. 6 will be described in detail later. (A) An encryption method selection module executed by the CPU 50 to select an encryption method for each sub AP as described above, and (b) ) An encryption key setting module executed by the CPU 50 to set the encryption key to be finally adopted for each sub AP; and (c) the CPU 50 to control activation / deactivation of each sub AP. And a start / stop module to be executed.

<Terminal hardware configuration>

  As shown in FIG. 3C, each of the terminals 20, 22, and 24 is configured with a computer 108 as a main body, as is well known. As is well known, the computer 108 includes a CPU 110, a ROM 112, and a RAM 114 connected to each other via a bus 116. Each of the terminals 20, 22, and 24 further includes a hard disk or a CD-ROM drive as the storage device 118.

  As shown in FIG. 1 and FIG. 3B representatively showing only one terminal 20, each terminal 20, 22, 24 includes a wireless LAN that enables transmission and reception of radio waves with the AP 10. Wireless LAN adapters 120, 122, and 124 are detachably attached as connection devices.

  The device driver of each wireless LAN adapter 120, 122, 124 is installed in the corresponding terminal 20, 22, 24, so that each terminal 20, 22, 24 installs the attached wireless LAN adapter 120, 122, 124. It becomes possible to recognize and control the wireless LAN adapters 120, 122, and 124. Each of the wireless LAN adapters 120, 122, and 124 is previously assigned a MAC address that is a unique identification number.

  As shown in FIG. 3B, one-touch registration buttons 130, 132, and 134 are attached to the wireless LAN adapters 120, 122, and 124, respectively. Although the functions of the one-touch registration buttons 130, 132, and 134 will be described later, the respective push-down states can be detected by the CPU 110 of the corresponding terminals 20, 22, and 24.

<Terminal software configuration>

  A specific utility program is installed in the ROM 112 of each terminal 20, 22, 24 prior to use of the wireless LAN 30. The utility program includes: (a) an encryption method selection module executed by the CPU 110 to select an encryption method to be finally adopted from a plurality of compatible encryption methods; b) having an encryption key setting module executed by the CPU 110 to set an encryption key to be finally adopted.

  Next, referring to the two flowcharts shown in FIGS. 6 (a) and 6 (b), in order to establish a connection between the AP 10 and each terminal 20, 22, 24, the AP 10 and each terminal 20, 22 , 24 will be described in detail.

  The flowchart shown in FIG. 6A is a connection process executed in each terminal 20, 22, and 24. This is because the CPU 110 of each terminal 20, 22, and 24 sets the encryption method selection module and the encryption key setting. This corresponds to the process of executing a module. On the other hand, the flowchart shown in FIG. 6 (b) is a connection process executed in the AP 10, which is performed by the CPU 50 of the AP 10 with the encryption method selection module, the encryption key setting module, and the start / stop module. It corresponds to the processing to execute.

  If the user of each terminal 20, 22, 24 wants to connect to the AP 10, prior to the connection, the user of the terminal 20, 22 or 24, among the one-touch registration button 80 and the plurality of one-touch registration buttons 130, 132, 134 of the AP 10, Are operated together with those corresponding to the wireless LAN adapters 120, 122, and 124 attached to the terminal (hereinafter referred to as “target terminal”).

  When the CPU 110 of the target terminal detects an operation by the user of the corresponding one-touch registration buttons 130, 132, and 134 in step S100 shown in FIG. 6, next, in step S101, the one-touch registration mode is started.

  When the one-touch registration mode is started, the target terminal identifies the MAC addresses of the corresponding wireless LAN adapters 120, 122, and 124, and adds the MAC address as header information to data requesting to participate in the wireless LAN 30. Then, the packet is transmitted to the access point so that it can be connected. The access point that has received the MAC address registers the MAC address.

  Subsequently, in step S102, it is determined whether or not a predetermined time has elapsed since the end of execution of step S101. This time, if it is assumed that the predetermined time has not elapsed, the determination is NO, and an access point that has shifted to the one-touch registration mode is searched for in step S103.

Assuming that the AP 10 is the only access point that can communicate with the target terminal this time, in this step S103, it is finally determined whether or not the AP 10 has shifted to the one-touch registration mode. However, in the present embodiment, the AP 10 virtually functions as one key exchange special sub AP _Z , and the key exchange special sub AP _Z transmits a specific beacon.

When the delivery beacon is target terminal receives, the target terminal, (this time, AP 10 (= key exchange special sub AP _Z)) migrated access point to one-touch register mode is judged that there exists, in step S103 The determination is YES. If the determination in step S103 is no, the process returns to step S102. If the determination in step S103 is YES before the elapsed time from the end of execution of step S101 exceeds the predetermined time, the process proceeds to step S104. If not, the process proceeds to step S112, and the one-touch registration mode is entered. Is interrupted. In this case, the current connection process is completed.

  In step S104, the target terminal attempts to connect to the AP 10 that has shifted to the one-touch registration mode. Thereafter, in step S105, it is determined whether or not the retry should be terminated because the number of connection attempts exceeds a predetermined number. If the number of trials exceeds the predetermined number, the determination in step S105 is YES, and the one-touch registration mode is interrupted in step S112 as in the case where the determination in step S102 is NO.

  If the target terminal succeeds in connecting to the AP 10 that has shifted to the one-touch registration mode without the number of trials exceeding the predetermined number, the determination in step S105 is YES, and the process proceeds to step S106.

In step S106, as will be described in detail later, the target terminal exchanges packets representing information regarding the security level with the AP 10 (more precisely, the key exchange special sub AP _Z ). In other words, the target terminal negotiates with the AP 10 regarding the type of encryption method, that is, encryption capability.

  Subsequently, in step S107, it is determined whether or not a series of packet exchange processing is completed. If not completed, the process returns to step S106, and if completed, the process proceeds to step S108. Therefore, a series of packet exchange processing is completed by performing the repetitive execution of step S106 as many times as necessary.

  By the way, since the user of the target terminal operates the one-touch registration button 80 of the AP 10 at almost the same time as the one-touch registration buttons 130, 132, and 134 of the target terminal, the connection process is started in the AP 10 as well. Is done.

  At this time, the user operates the one-touch registration button 80 after selecting one of a plurality of sub APs in which the AP 10 is virtualized as a target sub AP by operating an operation unit (not shown). Then, the user can request the target sub AP to connect to only one terminal 20, 22 or 24 at a time.

  Therefore, when it is necessary to connect a plurality of terminals 20, 22, 24 to the same target sub AP as a result, the user can select one of the one-touch registration button 80 and the plurality of terminals 20, 22, 24. Each time the user operates both the one-touch registration button 130 of one terminal selected by the user, the selected terminal 20, 22 or 24 is connected to the same target sub AP one by one.

  However, when the one-touch registration button 80 is operated, the user can implement the present invention in a mode in which the user can request the target sub AP to connect to a plurality of terminals 20, 22, 24 at a time. is there.

  In addition, in the present embodiment, as described above, a plurality of sub APs can be handled so that the type of encryption method having the highest security level for each sub AP is different among the sub APs. Possible encryption schemes are pre-assigned. Therefore, the user selects one of the sub APs as the target sub AP based on the security level suitable for the target terminal, that is, the encryption capability of the target terminal, according to the method illustrated in FIG. Will do.

  Specifically, in the connection process, first, when the CPU 50 of the AP 10 detects the operation of the one-touch registration button 80 by the user in step S200, the one-touch registration mode is started in step S201.

When the one-touch registration mode is started, as shown in FIG. 7, the operation of the key exchange special sub AP _Z is started in step S601. Specifically, the key exchange special sub-AP _Z is validated, the key exchange special sub-AP _Z sends out the specific beacon, and the key exchange special sub-AP _Z is transmitted from the target terminal. , Receive a packet containing its MAC address and register the received packet.

  Subsequently, in step S202 shown in FIG. 6B, it is determined whether or not a predetermined time has elapsed since the end of execution of step S101. If it is assumed that the predetermined time has not elapsed this time, the determination is NO, and step S203 is executed at substantially the same time as step S106. On the other hand, this time, if it is assumed that the elapsed time from the end of execution of step S101 has passed the predetermined time, the determination in step S202 is NO, the process proceeds to step S208, and the one-touch registration mode is interrupted. In this case, the current connection process is completed.

In step S203, as will be described in detail later, the AP 10 (specifically, the key exchange special sub AP _Z ) exchanges packets representing information on the security level with the target terminal. That is, the AP 10 negotiates with the target terminal regarding the type of encryption method that the AP 10 can handle, that is, the encryption capability.

  Subsequently, in step S204, it is determined whether or not a series of packet exchange processing is completed. If not completed, the process returns to step S202, and if completed, the process proceeds to step S205. Therefore, a series of packet exchange processing is completed by performing the repetitive execution of step S203 as many times as necessary.

As described above, steps S106 and S203 are executed at approximately the same time in the target terminal and the AP 10 (more precisely, the key exchange special sub AP _Z ), so that the target terminal and the AP 10 In the meantime, packets representing information on the security level are exchanged.

<Exchange of security level information>

  Here, in step S106 and S203, the packet exchange process executed for exchanging information on the security level between the target terminal and the AP 10 will be described in more detail in time series. The details of step S106 are shown in the flowchart of FIG. 8A, and the details of step S203 are shown in the flowchart of FIG. 8B.

Substep 1

  First, a request for requesting the AP 10 to create security information is sent from the target terminal to the AP 10.

Substep 2

  Next, a reply indicating a response to the request is sent from the AP 10 to the target terminal. At this time, when the AP 10 first receives the security information creation request, the AP 10 individually encrypts each of the plurality of encryption methods that the AP 10 can support during use. SecType, which is the type of method, and SecKey, which is the value of the encryption key, are determined. As a result, security information, that is, information on the types of encryption methods that can be supported is created.

  In the present embodiment, as described above, the AP 10 is configured as a plurality of sub APs capable of differentiating the types of encryption methods in order to perform substantial communication with each of the terminals 20, 22, and 24 as described above. Virtually multiplexed. That is, the AP 10 is designed to be operable as a multi-AP mode.

Substep 3

  Subsequently, data representing at least one type of encryption method that can be supported by the target terminal is transmitted from the target terminal to the AP 10. For example, if the target terminal is a terminal No. As shown by 1, when AES, TKIP, WEP124, and WEP64 can be supported, data representing the types of these four encryption methods is transmitted to AP10.

Substep 4

  Thereafter, the AP 10 identifies an encryption method that can be supported by the target terminal based on the received data, and based on that, the AP 10 narrows down the encryption methods that can be supported for each sub AP.

Specifically, as shown in FIG. 5, the encryption method that can be supported by the current sub AP is only AES, and the target terminal is the terminal No. As shown in FIG. 1, when AES, TKIP, WEP168, and WEP64 can be supported, the encryption method that allows the target sub AP and the target terminal to support each other in common is only AES. Therefore, in this case, the encryption method that can be supported by the target sub AP is narrowed down to only AES for the convenience of the target terminal.

Also, as shown in FIG. 5, there are three types of encryption schemes that can be supported by the current sub-AP: TKIP, WEP128, and WEP64, and the target terminal in FIG. 3, a terminal that can support TKIP, WEP168, and WEP64; As shown in FIG. 4, when a terminal that can support WEP128 and WEP64 is included, the encryption method that allows the target sub-AP and the two target terminals to support each other in common is WEP128. And WEP64. Therefore, in this case, the encryption methods that can be handled by the target sub-AP are narrowed down to two types, WEP128 and WEP64, for the convenience of the target terminal.

  The above-described processing is security information packet exchange processing performed by executing step S106 in the target terminal and step S203 in AP10. During this packet exchange process, the target terminal and the AP 10 communicate with each other by performing encryption after specifying the counterpart MAC address.

  When a series of packet exchange processing is completed, as shown in FIG. 6 (b), the AP 10 is to be connected to the target terminal among the plurality of sub APs (hereinafter referred to as “target sub AP”) in step S205. For the security level is set.

  In step S205, as shown in detail in FIG. 8B, first, in step S401, the AP 10 (more precisely, the target sub-AP) is selected from the types of encryption methods notified from the target terminal. The one with the highest security level is selected as a candidate encryption method that is a candidate for the encryption method to be finally adopted.

  When this step S401 is executed, for example, when AES, TKIP, WEP128, and WEP64 are notified from the target terminal as the encryption method, the encryption method with the highest security level is AES, This is selected as a candidate encryption method.

  Thereafter, in step S402, the target sub AP compares the security level of the candidate encryption method selected in step S401 with the current highest security level. Here, the “current highest security level” refers to at least one encryption method that can be supported by the target sub AP based on the encryption method that can be supported by the target terminal as described above. This means the highest security level among encryption methods.

  In addition, if the target terminal is a terminal for which the target sub-AP first exchanged security information packets, the encryption method adopted by the target sub-AP at the time of the exchange process is The security level in the encryption method notified from the target terminal matches the highest one.

  However, if the target terminal is not the terminal for which the target sub-AP first exchanged security information packets, the encryption method employed by the target sub-AP has been wirelessly connected in the past at the time of the exchange process. Since the security level may be lowered under an encryption method that can be supported by another terminal, the security level of the encryption method notified from the target terminal matches the highest one Not always.

  This time, assuming that the security level of the candidate encryption method is higher than the current maximum security level, the determination in step S402 is YES, and in step S403, the encryption method employed by the target sub AP is the same as before. As a result, the security level of the target sub AP is maintained at the current highest security level.

  On the other hand, this time, assuming that the security level of the candidate encryption method matches or is lower than the current maximum security level, the determination in step S402 is NO, and in step S404, the candidate encryption method is determined. However, it is adopted as an encryption method adopted by the target sub AP.

  In addition, since the execution contents of these steps S402 to S404 reflect an example of a policy when the user sets the security level, it is not limited to this.

When the security information packet exchange processing on the AP 10 side is completed, as shown in FIG. 6 , in step S205, the security information is set so that the execution result of step S203 is reflected.

  Specifically, the type of encryption method determined by the execution of step S403 or S404 shown in FIG. 8 is finally adopted in (a) encrypted communication between the target sub AP and the target terminal. And (b) the ID of the target terminal corresponding to the encryption method (that is, the station ID) and the value of the encryption key are encrypted for subsequent wireless communication. And information to be adopted for decryption are set.

  Thereafter, in step S206 shown in FIG. 6, the operation is started or stopped for each sub AP.

  Details of step S206 are conceptually shown in the flowchart of FIG. In step S206, first, in step S501, it is determined whether there is information on a terminal that can be connected to the sub AP1. If it exists, the operation of the sub AP1 is started in step S502. If it does not exist, the operation of the sub AP1 is stopped in step S503.

  In any case, after that, in step S504, it is determined whether there is information on a terminal connectable to the sub AP2. If it exists, the operation of the sub AP2 is started in step S505. If it does not exist, the operation of the sub AP2 is stopped in step S506.

  In any case, after that, in step S507, it is determined whether there is information on a terminal that can be connected to the sub AP3. If it exists, the operation of the sub AP 3 is started in step S508. If it does not exist, the operation of the sub AP 3 is stopped in step S509.

  When the execution of step S206 shown in FIG. 6 is completed as described above, subsequently, in step S207, the operation mode of the AP 10 is switched from the one-touch registration mode to the normal wireless communication mode for each sub AP that is operating. Similarly, when the determination in step S202 is YES, the one-touch registration mode is ended in step S208. In this case, the one-touch registration is performed in a state where neither packet communication nor security level registration is completed. The mode is terminated.

  On the other hand, when a series of packet exchanges are completed on the target terminal side, in step S108, it is determined whether or not the elapsed time from the time when the determination in step S107 is YES exceeds a predetermined time. This time, assuming that the predetermined time has not been exceeded, it is determined in step S109 whether or not a sub AP in operation and in the wireless communication mode has been found from the security information received from the AP 10.

  Specifically, first, the target terminal acquires the SSID of the accessible sub AP. This procedure is executed in accordance with the specifications related to communication defined in the standard IEEE 802.11, and the target terminal receives a specific beacon transmitted from the sub AP, thereby allowing the currently accessible sub AP to be accessed. SSID can be acquired. This is because the SSID of the sub AP is embedded in the specific beacon. Further, the obtained SSID of the sub AP and the previously received security information are compared with each other. By the comparison, the encryption method and the encryption key value that the sub AP employs for communication (encryption and decryption) with the target terminal are specified.

If it is not possible to find an operating sub AP that is in the wireless communication mode before the predetermined time has elapsed since the time when the determination in step S107 is YES, Step S108 is YES after step S109 is NO
Then, in step S112, the current one-touch registration mode is interrupted.

  On the other hand, when the elapsed sub-AP from the time when the determination in step S107 is YES does not exceed the predetermined time, a sub-AP that is operating and in the wireless communication mode can be found. The determination in step S109 becomes YES before the determination in step S108 becomes YES, and as a result, the process proceeds to step S110.

  In step S110, security information received from the sub AP is set in the target terminal in accordance with the state of the discovered sub AP. As a result, in the target terminal, the type of encryption method and the value of the encryption key included in the security information received from the sub AP are used for subsequent encryption and decryption in the target terminal.

  Thereafter, in step S111, the target terminal is connected to the discovered sub AP. Subsequently, the target terminal starts the connection monitoring mode in order to periodically monitor the connection state with the sub AP.

  Some specific examples of the method in which the target terminal periodically monitors the connection state with the AP 10 are disclosed in detail in Japanese Patent Application Laid-Open Nos. 2005-175524 and 2005-311653. ing. Therefore, the duplicate description about the method is omitted here. These publications are incorporated herein by reference in their entirety.

<Stop of sub AP after initial setting>

  In the present embodiment, after the AP 10 establishes a connection with at least one terminal 20, 22, 24 in response to the first operation of the one-touch registration button 80, that is, the encryption method to be adopted by each AP. It is designed to periodically monitor the connection state with each of the terminals 20, 22, and 24 for each sub AP after the end of the initial negotiation regarding the type. The AP 10 is further designed to stop the operation of the sub AP that is not connected to any of the terminals 20, 22, and 24 during the connection monitoring.

  For this purpose, the sub AP stop program is executed by the CPU 50 of the AP 10. The sub AP stop program is stored in the ROM 52 in advance.

FIG. 10 conceptually shows the sub AP stop program in a flowchart. When the sub AP stop program is activated, first, in step S601, it is determined whether or not at least one terminal 20, 22, 24 is connected to the sub AP1. If it is assumed that none of the terminals 20, 22, and 24 are connected to the sub AP1 this time, the determination in step S601 is NO, and the operation of the sub AP1 is stopped in step S602.

  On the other hand, this time, if it is assumed that at least one terminal 20, 22, 24 is connected to the sub AP1, the determination in step S601 is YES, step S602 is skipped, and then the process proceeds to step S603. .

  In step S603, it is determined whether or not at least one terminal 20, 22, 24 is connected to the sub AP2. If it is assumed that none of the terminals 20, 22, and 24 are connected to the sub AP 2 this time, the determination in step S603 is NO, and the operation of the sub AP 2 is stopped in step S604.

  On the other hand, this time, if it is assumed that at least one terminal 20, 22, 24 is connected to the sub AP 2, the determination in step S603 is YES, step S604 is skipped, and the process proceeds to step S605. .

In step S605, it is determined whether or not at least one terminal 20, 22, 24 is connected to the sub AP 3. If it is assumed that none of the terminals 20, 22, 24 is connected to the sub AP 3 this time, the determination in step S605 is NO, and the operation of the sub AP 3 is stopped in step S606.

  On the other hand, this time, if it is assumed that at least one terminal 20, 22, 24 is connected to the sub AP 3, the determination in step S605 is YES, step S606 is skipped, and the process proceeds to step S607. .

  In step S607, it is awaited that a certain time has elapsed. Thereafter, the second execution of steps S601 to S606 is performed. The execution of these steps S601 to S607 is repeated until the power supply of the AP 10 is turned off, and as a result, the connection state with each terminal 20, 22, 24 is periodically monitored for each sub AP.

  Thanks to the execution of the sub-AP stop program, at least one terminal 20, after the connection is established between the AP 10 and the plurality of terminals 20, 22, 24 in response to the first operation of the one-touch registration button 80. When the sub APs 22 and 24 withdraw from the wireless LAN 30 and the operation becomes unnecessary along with the withdrawal, the sub AP is prevented from being unnecessarily maintained in the operating state. On the other hand, stopping the sub-AP that no longer requires operation is desirable from the viewpoint of improving the security of the AP 10 and reducing the load imposed on the AP 10 to operate the AP 10.

<Activation of sub AP after initial setting>

  In the present embodiment, after the AP 10 establishes a connection with at least one terminal 20, 22, 24 in response to the first operation of the one-touch registration button 80, that is, the encryption method to be adopted by each AP. In response to each operation every time the one-touch registration button 80 is operated again by the user or every time an operation member different from the one-touch registration button 80 is operated by the user after the end of the initial negotiation regarding the type, Designed to start the operation of all sub APs.

  For this purpose, the sub AP start program is executed by the CPU 50 of the AP 10. The sub AP start program is stored in the ROM 52 in advance.

FIG. 11 conceptually shows the sub AP start program in a flowchart. When the sub AP start program is activated, the operations of all sub APs, that is, sub APs 1 to 3 in this embodiment, are started in step S701.

  Thanks to the execution of the sub-AP start program, another terminal is connected to the wireless LAN 30 after the connection between the AP 10 and at least one terminal 20, 22, 24 is established in response to the first operation of the one-touch registration button 80. When a sub AP that tries to join and needs to be operated along with the joining appears, the sub AP is maintained in a stopped state, and the entire resource of the wireless LAN 30 cannot be efficiently used. Is prevented.

  In this embodiment, the one-touch registration button 80 is operated again by the user after the initial negotiation for determining the type of encryption method to be adopted by each of the plurality of sub APs and the plurality of terminals 20, 22, and 24 is completed. (An example of the “second request” in the item (6)) or an operation member different from the one-touch registration button 80 is operated by the user (the “second request” in the item (6)). Another example) and the execution of the sub AP start program start the operations of all the sub APs.

  In addition, in the present embodiment, in order to make the above-mentioned “first request” and “second request” to the AP 10 in the present embodiment, the one-touch registration button 80 as a physical existence or a separate one from it. The one-touch registration button 80 and another operation member are changed to virtual buttons displayed on the screen of a PC connected to the same network, and respond to the operation of the button. In response to the AP 10 receiving a specific signal transmitted from the PC, the AP 10 may start a corresponding operation. That is, it is not indispensable for carrying out the present invention to prepare the one-touch registration button 80 or another operation member as a physical existence for causing the AP 10 to perform a specific operation.

  Thereafter, a second negotiation for determining the type of encryption method between the sub APs and the terminals 20, 22, and 24 that are currently connected to or will be connected to the sub APs is performed as shown in FIG. The procedure is as shown in As a result, for each sub AP, the type of encryption scheme to be adopted by each terminal 20, 22, 24 is determined anew. That is, the security level of the encryption method adopted for the sub AP is updated so that the latest connection state between each sub AP and the terminal is reflected.

  As is clear from the above description, in this embodiment, the AP 10 is virtualized into a plurality of sub APs multiplexed with respect to the security levels that can be handled, and each of the plurality of sub APs is Independent of security level settings that can be handled.

  Therefore, according to the present embodiment, when a plurality of terminals respectively connected to a plurality of different sub-APs are different from each other with respect to security levels that can be handled, terminals that belong to a certain sub-AP are finally adopted. The security level to be determined does not depend on the security level that can be handled by terminals belonging to other sub APs.

  As a result, for example, when determining the security level that a terminal belonging to a certain sub AP will eventually adopt, the security level that can be handled by a terminal belonging to another sub AP is low. It is possible to prevent the terminal belonging to the sub AP from being pulled to the side with the lower security level that will eventually be adopted.

  By the way, conventionally, when an encryption key exchange is performed between the AP 10 and each terminal in order to select an optimal encryption method commonly used by the AP 10 and each terminal, it is used for data communication. An SSID different from the SSID of the AP 10 to be used is used. Since the SSID needs to be switched, the data communication is temporarily interrupted due to the execution of the encryption key exchange.

  On the other hand, in the present embodiment, the plurality of sub APs are independent of each other in operation, and the sub AP for data communication with each terminal and the encryption key exchange with each terminal are performed. Sub APs are separated from each other. Therefore, the occurrence of a situation where data communication is temporarily interrupted due to execution of encryption key exchange is avoided.

  As is clear from the above description, in this embodiment, for the sake of convenience of explanation, each of the sub APs 1 to 3 constitutes an example of the “normal sub access point” in the above section (1) and 8 can be considered to constitute an example of the “selector” in the item (2).

Furthermore, in this embodiment, for convenience of explanation, the key exchange special sub AP _Z constitutes an example of the “special sub access point” in the above section (3), and among the computers of the AP 10, the steps shown in FIG. It can be considered that the part that executes S206 (see FIG. 9) constitutes an example of the “start / stop means” in the section (4).

  Further, in the present embodiment, for convenience of explanation, a part of the computer of the AP 10 that executes the sub AP stop program shown in FIG. 10 constitutes an example of the “stop means” in the section (5), and the AP 10 It can be considered that the portion of the computer that executes the sub-AP start program shown in FIG. 11 constitutes an example of the “starting means” in the section (6).

  Further, in the present embodiment, for convenience of explanation, the MAC 100 constitutes an example of “one physical MAC” in the item (7), and each of the virtual MACs 1, 2, and 3 corresponds to the “virtual MAC” in the item. It can be considered that an SSID of each virtual MAC 1, 2, 3 constitutes an example of an “identifier” in the same section.

  In addition, in this embodiment, the “plurality of sub-access points” in the above section (1) is specifically represented as a virtual sub-AP in which there is physically only one but there are a plurality of logical sub-APs. However, the present invention is not limited to this, and may be embodied as, for example, a plurality of physical sub-access points accommodated in the housing 40. In this case, each of the plurality of physical sub-access points is configured to have a corresponding physical MAC.

  As described above, some of the embodiments of the present invention have been described in detail with reference to the drawings. However, these are exemplifications, and are based on the knowledge of those skilled in the art including the aspects described in the section of [Disclosure of the Invention]. The present invention can be implemented in other forms with various modifications and improvements.

Claims (7)

A wireless LAN access point having a function of relaying a signal between the plurality of terminals by constructing a wireless LAN (Local Area Network) in cooperation with the plurality of terminals,
Including a plurality of logical or physical sub-access points, each having a unique identifier, identifiable from each other, and each operable independently of each other;
The sub-access points include a plurality of normal sub-access points and special sub-access points that are commonly used for the normal sub-access points,
Each normal sub-access point has at least one encryption scheme that each normal sub-access point can support during its use;
Each normal sub-access point is pre-assigned such that the at least one encryption method is different for each normal sub-access point in the type of encryption method having the highest security level for each normal sub-access point. And
When the wireless LAN access point is connected to the target terminal specified by the user as a request to join the wireless LAN among the plurality of terminals, the special sub access point is activated, The special sub access point exchanges security information regarding the security level with the target terminal,
When the exchange of the security information is completed, based on the security information, the security level of the encryption method that the target terminal will eventually adopt when it is selected from among the plurality of normal sub-access points Is selected as the target normal sub-access point,
Based on the security information, an encryption method common to the selected target normal sub-access point and the target terminal is selected,
Based on the selected encryption method, the target normal sub access point is a wireless LAN access point capable of communicating with the target terminal . The wireless LAN access point includes: a first operation on a target terminal by a user for specifying, as the target terminal, a request for participation in the wireless LAN among the plurality of terminals; In response to the user's second operation on the LAN access point, connected to the target terminal,
2. The wireless LAN access point according to claim 1 , wherein after the connection, the special sub access point is activated, and the special sub access point exchanges security information regarding a security level with the target terminal . When the exchange of the security information is completed, among the plurality of normal sub access points, the identifier of the accessible normal sub access point that is currently operating and is in the radio communication mode is transmitted to the target terminal,
The target terminal employs the accessible normal sub-access point identified by the received identifier for communication with the target terminal by comparing the identifier received from the wireless LAN access point with the security information. The wireless LAN access point according to claim 1 or 2 , wherein an encryption method and an encryption key value to be specified are specified . During the connection between each normal sub access point and the at least one terminal, the connection state with the at least one terminal is periodically monitored for each normal sub access point;
Based on the monitoring result, it is determined whether or not a non-connected normal sub-access point that is not connected to any of the plurality of terminals appears among the plurality of normal sub-access points, and the non-connected normal sub-access When a point appears, the operation of that non-connected normal sub access point is stopped,
4. The wireless LAN access point according to claim 1 , wherein after the operation is stopped, the non-connected normal sub access point resumes operation when a user operation is performed on the wireless LAN access point. 5. The plurality of normal sub-access points include a first normal sub-access point that can handle one security level and a second normal sub-access point that can handle a plurality of security levels. 5. The wireless LAN access point according to claim 1, further comprising: A program executed by a computer to cause the wireless LAN access point according to claim 1 to function. The recording medium which recorded the program of Claim 6 so that computer reading was possible.

Images