JP2012043224A - Wireless device and communication method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a wireless device and a communication method, capable of easily realizing a regional network having many sensors, while securing safety of data transmission in a sensor network.SOLUTION: In order to provide the above-described advantages, the wireless device is connected to a first network to which a sensor having sensing information and manager information showing its own registration destination is connected, and is connected to a second network to which a sensor management device having the registration information and authentication information of the sensor is connected. The wireless device comprises: a sensor communication part connected to the first network and communicating with the sensor; a network communication part connected to the second network and communicating with the sensor management device; a first authentication part acquiring authentication information of the sensor from the sensor management device based on the manager information held by the sensor; and a second authentication part acquiring the sensing information from the sensor by using the acquired authentication information.

Description

  The present invention relates to a wireless device and a communication method for ensuring security in a network.

  In order to realize the basic technology of the new generation network, the AKARI project for establishing and designing the network architecture is underway (Non-Patent Document 1). In that project, a regional information sharing communication network “NerveNet” is proposed in which information and services required by local communities, residents, or people visiting the region are provided at an appropriate timing. In the Net, a managed mesh network provides a packet transmission function, and a sensor network (SN) and a database (DB) functioning as nerve cells for detecting (sensing) the surrounding environment are used for information distribution.

  In a commonly known sensor usage form, the sensor network is directly connected to the communication platform, the sensor detects the personal environment, and the sensor data is collected and stored on a server before being provided to the end user. The In this form, the individual cannot know when and where the personal environment was collected and stored, and who uses this collected information. That is, it is impossible to control private data such as individual location information and photographs.

  On the other hand, in the Net, it can be said that the true value can be exerted only when the sensors are arranged everywhere. Therefore, the larger the number of sensors, the greater the convenience for the user of the sensor network. However, in the current sensor usage form, the sensor network is operated and maintained by a specific provider. That is, the user can use only the sensor network closed between the providers, which is not convenient. Moreover, it is economically difficult from the viewpoint of arranging many sensors.

National Institute of Information and Communications Technology, “Akari Architecture Design Project”, [online], [searched August 12, 2010], Internet <http://akari-project.nict.go.jp/>

  As described above, the conventional sensor usage method has a problem that the user cannot put his / her own data under complete control. Moreover, in the conventional sensor usage method, there is a problem that it is difficult to arrange many sensors. The present invention has been made to solve such a problem, and provides a wireless device and a communication method capable of easily realizing a regional network having many sensors while ensuring the safety of data transmission in the sensor network. The purpose is that.

  In order to solve the above-described problem, a wireless device according to an embodiment of the present invention includes a first network to which a sensor holding sensing information and administrator information indicating its registration destination is connected, and the sensor A wireless communication device connected to a second network to which a sensor management device that holds registration information and authentication information is connected, and is connected to the first network and communicates with the sensor; and a second network A network communication unit that communicates with the sensor management device, a first authentication unit that acquires sensor authentication information from the sensor management device based on administrator information held in the sensor, and the acquired authentication information And a second authentication unit that acquires sensing information from the sensor.

  ADVANTAGE OF THE INVENTION According to this invention, the radio | wireless apparatus and communication method which can implement | achieve the regional network with many sensors easily can be provided, ensuring the safety | security of the data transmission in a sensor network.

It is a conceptual diagram explaining the regional network which distribute | circulates sensor information so that self-control is possible. It is a conceptual diagram explaining the regional network which can collect sensor information extensively. It is a block diagram explaining the structure of the radio | wireless system which concerns on 1st Embodiment. It is a figure explaining operation | movement of the radio | wireless system which concerns on 1st Embodiment. It is a figure explaining operation | movement of the radio | wireless system which concerns on 1st Embodiment. It is a block diagram explaining the structure of the radio | wireless system which concerns on 2nd Embodiment. It is a figure which shows an example of a policy tree. It is a figure which shows the example of the registration content of the sensor in SNSP. It is a figure explaining operation | movement of the radio | wireless system which concerns on 2nd Embodiment. It is a figure explaining operation | movement of the radio | wireless system which concerns on 2nd Embodiment.

(Outline of regional network)
With reference to FIG. 1, a regional network including a sensor network that is an element of a wireless system according to the embodiment will be described. As shown in FIG. 1, the sensor network (hereinafter referred to as “SN”) is a network including sensors S that sense the surrounding environment. The surrounding environment information sensed by the sensor includes all information related to the place / object where the sensor is located, such as position information and climate information. The sensor is configured to be able to transmit environmental information, for example, wirelessly, and a sensor network user (hereinafter referred to as “SNU”) can receive the environmental information when approaching the sensor.

  The SNU is an individual who receives environmental information transmitted from the sensor, but as a position in the wireless system, the SNU becomes a wireless terminal capable of communicating with the sensor. The SNU can determine whether to receive environmental information from surrounding sensors, where to store the received information, and the like. A wireless line (first line) that performs communication between the sensor and the SNU is configured to perform direct communication at a relatively short distance. The first line may be capable of bidirectional communication such as Bluetooth (registered trademark), or may be one-way from the sensor to the SNU like RFID.

  Further, the SNU is configured to be able to communicate with a specific server via a base station (hereinafter referred to as “BS”) via a line such as a radio (second line). The SNU belongs to the regional network RN provided by the regional network provider RNP that manages the logical network via the second line and the BS. The BS forms a managed mesh network and transmits data. A server (hereinafter referred to as “SV”) that communicates with an SNU is, for example, a regional service gateway that provides a database and application services. The SV may be managed by the SNU itself or under the control of a service provider or the like, but is configured to be logically separated from the existing public communication network. In the regional network RN including the second line, the communication between the SNU / SV / BS is secured by the function provided by the provider RNP. On the other hand, the SN is composed of a first line independent from the second line forming the mesh network, and therefore the SN is connected to the regional network RN via the SNU.

  Here, each SN is managed by a different sensor administrator (sensor network owner: SNO). This means that the individual sensors are not well protected. On the other hand, the environmental information received from the sensor by the SNU is information that the SNU receives directly from the sensor, and can therefore include the privacy of the individual who is the SNU. For example, if the environmental information is position information, it indicates the whereabouts of the SNU, and if the environmental information is a tag of a product at a grocery store, it indicates an article purchased by the individual who is the SNU. That is, the environmental information emitted from the sensor is associated with the SNU, thereby causing a privacy problem.

  Therefore, in order to protect the privacy of the individual who is the SNU, the SN made up of sensors arranged in various places is logically separated from communication platforms such as 3G lines and wireless LANs. That is, the SNU is configured to communicate with the sensor directly via the first line to receive environmental information. The SNU transfers the received environment information to the server SV selected by the user using the second line. That is, using a first line that is a short distance between the sensor and the SNU, and using a second line that is logically independent of other lines between the SNU and the server or the like, it is possible to secure environmental information. It can be transferred to the server.

  As described above, the wireless system according to the embodiment configures a network connecting an SN having a plurality of sensors, an SNU that receives information from the SN sensor, and an SNO that manages the SN. Further, a storage server that stores information received by the SNU may be provided in addition to the SV, or an application server that provides a service using the received information may be provided. If communication between the SNU, the storage server, and the application server uses the second line logically separated from the communication platform as described above, the privacy problem from the SNU to the SV is solved. That is, the SNU can keep environmental information related to the privacy of the SNU completely under the control of the other lines and can protect the privacy.

(Sensor network security)
Next, with reference to FIG. 2, SN security when there are a plurality of sensor managers will be described.

  It is economically difficult for a single administrator to arrange a large number of sensors, and the convenience for the user is also lowered. Therefore, it is desirable that there are a plurality of administrators who arrange sensors. That is, if the SNU moves to a new location, it is desirable that the SNU can communicate with sensors maintained and managed by different sensor administrators (SNO) at that location. The SNO is a person who maintains and manages the sensors, but the position in the wireless system is a server that manages the subordinate sensors.

For example, consider a case where the SNU moves along an arrow as shown in FIG. When the SNU moves within the network range (RN _X ) to which the SNU belongs and is located around the SN ₁ managed by the SNO ₁ , the SNU can access sensors belonging to the SN ₁ . Subsequently, when the SNU moves and moves to the vicinity of the SN ₂ managed by the SNO ₂ , the SNU can access sensors belonging to the SN ₂ . Further, when the SNU moves out of the network RN _X area to which the SNU belongs and moves to the vicinity of the SN ₃ managed by the SNO _{3 in the} network RN _Y area, the sensor belonging to the SN ₃ can be accessed.

As the SNU moves around, it goes through several SNs, such as SN ₁ , SN ₂ , SN ₃ . These SNs belong to different SNOs, that is, SNO ₁ , SNO ₂ , SNO ₃ . Here, it is assumed that SN ₁ and SN ₂ are in the area of the regional network RN _X , and SN ₃ is also in the area of RN _Y. If the SNU is within the range of these SNs, the SNU can receive information about the individual and the environment from the sensors that make up the SN. For example, the SNU can receive information directly from sensor 1 belonging to SN ₁ , sensor 2 belonging to SN ₂ , and sensor 3 belonging to SN ₃ . When accessing these sensors, the SNU must obtain permission from each sensor network owner, ie SNO ₁ , SNO ₂ and SNO ₃ .

  As described above, when the communication between the SNU and the sensor is temporary, that is, when the SNU moves across different SNs, various security threats can be considered. For example, it is conceivable that an attacker impersonates a legitimate sensor or provides false information to a SNU using a forged ID. That is, the attacker attacks the user via the sensor. On the other hand, it is also conceivable that an attacker impersonates a legitimate SNU and obtains information from a sensor. Further, it is conceivable to tamper authentication assertion authorization in transmission. When considering defense against such attacks at the architecture level, it is necessary to consider that communication between the sensor network user and the sensor is established on demand, and that the sensor cannot have many functions.

  As threats generated in communication between the sensor and the SNU on the assumption that the SNU moves, an ID-oriented attack and a MIMA (man-in-the-middle attack) can be considered. ID-oriented attacks are defined as the use of falsification, spoofing, and identification counterfeit.

  Typical ID-oriented attacks on sensors include civil attacks, spoofing attacks, counterfeit ID attacks, and counterfeit owner attacks. In a cyber attack, an attacker provides incorrect information by acting as multiple identities at one or more locations at a particular point in time. In a spoofing attack, an attacker duplicates the ID of an existing sensor and provides incorrect information using this ID. In a counterfeit owner attack, an attacker pretends to be the owner, although it is not actually the owner. In the forged ID attack, the attacker uses the forged ID to provide incorrect information to the SNU.

  On the other hand, from the viewpoint of the SNU, an ID-oriented attack is described as a forged ID attack or a forged privilege attack of the SNU. In the SNU counterfeit ID attack, the attacker receives sensor information using the counterfeit ID. In a counterfeit privilege attack, the attacker forges privileges on the sensor element and receives information beyond actual conditions.

  The message from the SNU to the sensor can also traverse several intermediate sensors in a multi-hop form. The attacker impersonates as performing MIMA and changes the approval condition.

To prevent these attacks, it is necessary to specify the following security requirements:
(S1) Assertion Authorization: Assertion is used to represent SNU privileges. For example, it refers to a condition that a certain SNU is authorized to access a sensor and acquire local information for a certain period of time on a specific day.
(S2) Assertion Authorization Integrity: Ensures that assertion authorization cannot be modified by an intermediate element such as an SNU or an intermediate transfer sensor. It prevents MIMA.
(S3) Flexible Authorization: The SNU is authorized to freely access the sensor group. This satisfies the SNU request to access the sensor group.
(S4) Sensor Ownership Authentication: Ensures that the sensor owner is correctly certified. This prevents an ID-oriented attack on the sensor.
(S5) SNU identity authentication: SNU identity is guaranteed to the communicating sensor. This prevents SNU forgery ID attacks.

(Configuration of the first embodiment)
Next, the wireless system of this embodiment will be described in detail with reference to FIG. 3 and FIG. As shown in FIG. 3, the wireless system of this embodiment includes a sensor 1, a sensor network user (SNU) 2, a base station (BS) 3, a sensor network owner (SNO) 4, a regional network provider (RNP) 5, and It has a server (SV) 6. The sensor 1 and the SNU 2 constitute a first network using the above-described first line. On the other hand, SNU2, BS3, SNO4, RNP5 and SV6 constitute a second network using the above-described second line. The first line (first network) and the second line (second network) are physically independent. In the following description, functional elements common to those in FIGS. 1 and 2 are indicated by using common abbreviations and symbols, and redundant description is omitted.

  The sensor 1 has a function of a wireless device that senses the surrounding environment, and includes an antenna 112, a sensor wireless unit 114, an authentication unit 116, a sensor 118a, and a memory 118b. The antenna 112 and the sensor wireless unit 114 function as a wireless unit that communicates between the sensor 1 and the SNU 2. The sensor unit 118 a is a sensor element that senses the surrounding environment of the sensor 1, and the memory 118 b is a memory element that stores predetermined information related to the surrounding environment of the sensor 1. The sensor unit 118a and the memory 118b can be appropriately selected depending on the type of environmental information provided by the sensor 1.

  The SNU 2 is a wireless terminal that receives environmental information transmitted from the sensor, and includes an antenna 121, a sensor wireless unit 122, an authentication unit 123, a memory 124, an antenna 125, a network (NW) wireless unit 126, and a modem unit 127. Yes. The antenna 121 and the sensor radio unit 122 are radio units corresponding to the antenna 112 and the sensor radio unit 114 in the sensor 1, and constitute the first line (first network) described above. The authentication unit 123 is a processor that performs authentication for authenticating the sensor 1 and receiving SNU authentication. The memory unit 124 is a memory that stores an encryption key and the like used by the authentication unit 123 for calculation. The antenna 125 and the NW radio unit 126 are radio units for constructing the above-described second line (second network) with the regional network to which the SNU 2 belongs. The antenna 125 and the NW radio unit 126 constitute a line (network) independent of the antenna 112 and the sensor radio unit 114. The modem unit 127 is a modem that performs communication through the second line, and provides functions such as a mobile phone.

  BS3 is a base station that connects SNU2 to a regional network using SNU2 and a second line. The BS 3 includes an antenna 131, an NW radio unit 132, and an interface (I / F) unit 133. The antenna 131 and the NW radio unit 132 are radio units corresponding to the antenna 125 and the NW radio unit 126 of the SNU 2, and communicate with the SNU 2 through the second line. The I / F unit 133 is an interface that sends or receives information sent from the SNU 2 via the antenna 131 and the NW radio unit 132 and information to be sent to the SNU 2 to the regional network (RN). That is, BS3 functions as a wireless interface that connects SNU2 and RN.

  SNO4 is a management device that manages the sensor network (SN) that the sensor 1 configures. The SNO 4 includes an interface (I / F) unit 141, a sensor authentication unit 142, and a database (DB) 143. The I / F unit 141 is a network interface connected to the RN. The sensor authentication unit 142 is a processor that authenticates the sensor 1 via the SNU 2. The DB 143 is a database that registers sensors managed by the SNO4.

  The regional network provider (RNP) 5 is a management device that manages the regional network RN to which the SNU 2 belongs. The RNP 5 includes an interface (I / F) unit 151, a network (NW) authentication unit 152, and a database (DB) 153. The I / F unit 151 is a network interface connected to the RN. The NW authentication unit 152 is a processor that authenticates the identity of SNU2. The DB 153 is a database that registers SNUs managed by the RNP 5.

  The server (SV) 6 is a network server used by the SNU 2. The SV 6 includes an interface (I / F) unit 161, an authentication unit 162, and a database (DB) 163. The I / F unit 161 is a network interface connected to the RN. The authentication unit 162 is a processor for constructing a second line logically with the SNU 2. The DB 163 is a storage unit that stores environment information received from the sensor 1 by the SNU 2.

(Operation of the first embodiment)
Next, the operation of the wireless system of this embodiment will be described with reference to FIGS. In this embodiment, the SNO and the sensor hold the common key (K _{sensor 1-SNO1} ) generated by the SNO. In the following description, in order to simplify the description, among the plurality of SNOs shown in FIG. 5, “SNO ₁ ” is accessed as SNO _{4 and} “Sensor ₁ ” is accessed as sensor 1. To do.

  When the SNU 2 receives information from the sensor 1, the sensor wireless unit 122 of the SNU 2 requests the wireless unit 114 of the sensor 1 to acquire environmental information (step 101, hereinafter referred to as “S 101”).

  Upon receiving the environmental information acquisition request, the authentication unit 116 of the sensor 1 reads the information of the SNO 4 that is the manager of the sensor 1 from its own storage area, and transmits it to the SNU 2 via the sensor wireless unit 114 (S102).

  Upon receiving the information of SNO4, the authentication unit 123 of the SNU2 issues a service request, that is, an access request to the sensor 1, to the SNO4 via the NW wireless unit 126 (S103).

  When receiving the service request from SNU2, the sensor authentication unit 142 of SNO4 inquires of RNP5 that manages SNU2 whether there is a user whose SNU2 identity, that is, SNU2 is correctly managed by RNP5 (S104).

  When receiving an inquiry about SNU2, the NW authentication unit 152 of the RNP 5 confirms in the DB 153 whether the SNU2 is an authorized network user. When the confirmation is obtained, the NW authentication unit 152 of the RNP 5 replies to SNO4 that the result of the identity authentication is OK (S105).

When the result of the identification authentication OK is obtained, SNO4 gives an assertion (access permission of sensor 1) to SNU2 (S106). SNO4 generates a session key (SK1) between the SNU 2 and the sensor 1, and adds it after the assertion expressing the authority of the SNU. Specifically, the sensor authentication unit 142 of SNO4 encrypts the assertion, SK1 and their hash values using a shared key ( _Ksensor-SNO ), and adds SK1 to the encrypted message. Transmit to SNU2. Here, “assertion, SK1 and a message obtained by encrypting these hash values using a shared key” are expressed as “{Assertion, SK1, H (Assertion, SK1)} _{K sensor-SNO} ”, and the assertion authorization. Call it. Note that SK1 is safely distributed to the SNU.

Upon receiving the message and SK1 from SNO4, the authentication unit 123 of the SNU2 generates a random number _{N SNU,} send by adding _{N SNU} the sensor 1 to the message sent from the SNO4 (assertion authorization) (S107).

Upon receiving the message with the N _SNU added, the authentication unit 116 of the sensor 1 decrypts the message using the shared key with SNO4, extracts the assertion, SK1, and hash value, checks the hash value, and corrects the assertion. Make sure you are not getting an assertion. Upon obtaining the assertion, the authentication unit 116 of the sensor 1 generates a random number N _sensor . Next, the authentication unit 116 encrypts the received N _SNU with SK1, adds a random number N _sensor to the encrypted message, and transmits it to the SNU 2 via the sensor wireless unit 114 (S108).

When receiving the message with the random number N _sensor added from the sensor 1, the authentication unit 123 of the SNU 2 knows that the sensor 1 has been authenticated by SNO4. That is, the manager of this sensor is guaranteed. Therefore, the authentication unit 123 of the SNU 2 encrypts the random number N _sensor with SK1 and transmits it to the sensor 1 via the sensor wireless unit 122 (S109).

Upon receiving the encrypted random number N _sensor , the authentication unit 116 of the sensor 1 knows that the identity authentication of the SNU 2 has been obtained. That is, the sensor 1 can know that the identity of the SNU can be trusted. The sensor wireless unit 114 of the sensor 1 reads out environmental information from the sensor 118a and the memory 118b and transmits it to the SNU 2 (S110).

Upon receiving the environmental information, the NW radio unit 126 of the SNU 2 transfers the environmental information to the SV 6 via the BS 3 (S111). The SV6 I / F unit 161 stores the received environment information in the DB 163.
If the sensor belongs to a different regional network RN _Y , an assertion authorization is given to the SNU through the route of steps 101 ^* to 107 ^* in FIG.

Thus, in the wireless system of this embodiment, the authentication problem when the SNU accesses the sensor can be solved. Here, the SNU has been described as accessing the sensor ₁ illustrated in FIG. 5, but when the SNU accesses the sensor ₃ illustrated in FIG. 5, the authentication destination is SNO ₃ that manages the sensor ₃ . Also, if the SNU does not exist in its own regional network RN _X shown in FIG. 5 (if it exists in RN _Y shown in FIG. 5), an inquiry to the RNP that authenticates the SNU makes an RNP that constructs the location RN _Y Not to _Y , but to RNP _X , the home base.

(Second Embodiment)
In the wireless system according to the first embodiment, assertion authorization is used, and access authority from the SNU to the sensor is defined using the assertion. In the wireless system according to the first embodiment, a shared key is used between each sensor and the corresponding SNO. By using such a method, the SNU obtains an assertion authorization each time it is required for access to the sensor from the SNO.

  The wireless system according to the second embodiment includes a sensor network service provider (SNSP) as an element. The SNSP shares sensors belonging to different SNOs and provides flexible sensor access authority to the SNU. In order to enable sharing of sensors, different SNSPs use different master keys kept secret, and the sensor holds one secret key for one SNSP.

  For issuing a flexible assertion authorization, Ciphertext-Policy Attribute Based Encryption (CP-ABE) is used in order to authorize the SNU to have flexible access authority of the sensor. When the SNU requests information receipt, the SNU sends a query to the SNSP. The SNSP searches for a preferred sensor for the SNU and issues an access authorization approval for the selected sensor to the SNU.

(Configuration of Second Embodiment)
With reference to FIG. 6, the structure of the radio | wireless system which concerns on 2nd Embodiment is demonstrated. The wireless system of this embodiment further includes a sensor network service provider (SNSP) in addition to the wireless system of the first embodiment. In the following description, components that are the same as those in the first embodiment are denoted by the same reference numerals, and redundant descriptions are omitted.

  As shown in FIG. 6, the wireless system of this embodiment includes a sensor 1, a sensor network user (SNU) 2, a base station (BS) 3, a sensor network owner (SNO) 4, a regional network provider (RNP) 5, and a server (SV) 6 and sensor network service provider (SNSP) 7. Among these, the sensor 1, SNU2, BS3, SNO4, RNP5, and SV6 are common to the first embodiment.

  The SNSP 7 is a service provider that provides services to the SNU by sharing sensors managed by various SNOs. The SNSP 7 includes an interface (I / F) unit 171, an authentication unit 172, and a database (DB) 173. The I / F unit 171 is a network interface connected to the RN that is the second network. The authentication unit 172 is a processor that performs sensor registration, sensor communication inspection, sensor information notification and query processing, and approval. The DB 173 is a storage unit that stores sensor information sent from the SNO4.

  The sensor information registration function by the authentication unit 172 is a function for registering information on a sensor under management sent from the SNO in the DB 173 and setting an authorization policy. The sensor communication inspection function by the authentication unit 172 is a function that is requested from the SNO to provide better service to the SNU. The sensor information notification and query processing function by the authentication unit 172 is a function for selecting a sensor that matches the SNU request from the DB 173. The authorization function by the authentication unit 172 is a function for authorizing the flexible access authority of the sensor selected from the DB 173 to the SNU.

(Access control in the second embodiment)
CP-ABE that enables flexible access control is used to generate a sensor secret key and issue an assertion authorization to the SNU. That is, each sensor holds a secret key corresponding to the attribute. CP-ABE can identify the sensor by encrypting the message using different attribute policy trees.

  In CP-ABE, one unique random number is used for each sensor in the secret key generation procedure. That is, even if there are two sensors having exactly the same attributes, each has a different secret key. The SNSP also allows sensors to be shared using different master keys and different parameters. If a sensor is shared by multiple SNSPs, the sensor will hold a secret key corresponding to each SNSP.

  When using CP-ABE to realize flexible approval, there are several problems to be solved.

1. Attribute selection In the future, all sensors may be placed to belong to different SNOs. Even with the same attribute, different SNOs may have different values. As the number of attributes increases, it becomes difficult to manage. The inventors have found that known attribute values do not affect the security of CP-ABE. Therefore, an attribute server that stores attributes extracted from the SNSP is used. When the SNSP approves the SNU, the SNSP downloads the attribute from the attribute server, generates a policy tree, and encrypts the assertion.

  Following the generation of attributes, the type of attribute becomes a problem. Attributes can be divided into static attributes and dynamic attributes. The static attribute of the sensor is, for example, a sensor type such as position sensing or photo sensing. The dynamic attribute of the sensor is, for example, the position of the sensor because the sensor is movable.

  Location is an important attribute of the sensor and can be used to identify the sensor. When the SNU requests service from sensors, these sensors are searched using attributes such as location. There are two methods for indicating the position of the sensor as the position attribute. One is a method using an actual physical address, and the other is a method using a logical address. Since it is not easy to track the physical address for each sensor and the boundary line of the physical area, a logical address is used as a position attribute.

2. Mobility The sensor can move. Therefore, the position attribute must be updated. When the location attribute is changed, the secret key held by the sensor is also changed. Since the sensor is not directly connected to the network platform, it is not easy for the sensor to connect to the SNSP to update the secret key. Therefore, the attribute is not frequently changed by using a granularity that hides the mobility. “Mobility” is set as one attribute.

3. Decommissioning When a sensor fails, the sensor must be decommissioned. If it becomes clear that a certain sensor is unreliable, processing that is not included in the policy tree is performed. As a result, the SNU cannot access the sensor and does not provide incorrect information to the SNU.

4). Multiple authorizations for sensors belonging to different SNOs For a given SNO, if the SNSP gives an assertion authorization to the SNU, the SNU must distinguish this authorization and give the correct certificate to the correct sensor. Setting a certain attribute of a sensor to a certain SNO combines different policy trees for several SNOs.

FIG. 7 shows an example of a policy tree. The policy tree PT is information indicating a range of access rights having a two-dimensional spread. The SNU approved for assertion encrypted by the policy tree shown in FIG. 7 is a position sensor managed by SNO ₁ and placed in the Shibuya area and Shinjuku area, and a photo sensor managed by SNO ₂ and placed in the Osaka area. Can be accessed.

  Hereinafter, an attribute key encryption system for authorization will be described. The SNSP functions as a sensor key server. The SNO installs a secret key associated with the attribute on the sensor. The sensor decrypts the message using the secret key.

  1) Setup: The SNSP selects a group of two lines, a master key (master key: MK), and a public key (public key: PK). The SNO registers sensor information with the SNSP. FIG. 8 is an example of recording of sensor information. The SNSP checks whether all attributes are present in the attribute server. If a new attribute exists, the attribute is extracted and stored in the attribute server.

  2) Key generation: The SNSP generates a sensor secret key based on the attribute S using the function KeyGen (MK, S). If a sensor is a movable sensor, several secret keys are assigned. Each secret key is generated with a different granularity. For example, if a sensor currently exists in (BSZ, ClusterY, NerveNetX), one secret key is assigned with granularity 1 based on location (BSZ, ClusterY, NerveNetX) and one secret based on location (ClusterY, NerveNetX) Keys are assigned with granularity 2 and one private key is assigned with granularity 3 based on location (NerveNetX). When this sensor moves out of the BSZ area, only a granularity 2 secret key is used. Similarly, when this sensor moves out of the ClusterY domain, only a secret key with granularity 3 is used. After these secret keys are generated, the SNSP sends these secret keys to the SNO that is the manager of the sensor. The SNO installs these secret keys on the corresponding sensors.

  The SNSP uses different random numbers when generating secret keys for different sensors. If SNO registers subordinate sensors with several SNSPs, and these SNSPs share these sensors, each SNSP uses its master key to generate a secret key for these sensors. Thus, each sensor holds one secret key for each SNSP, which is registered in the SNSP.

  3) Encryption: After searching for sensors, the SNSP generates a policy tree PT based on the attributes of these sensors. Then, the SNSP downloads the attribute from the attribute server. These attributes include SNO, position, and other attributes. SNO encrypts the assertion using the function Encryption (PK, M, T). Here, M (message) is an assertion and SK. The SNSP maintains a blacklist of sensors so that when generating a policy tree, these sensors are not included in the policy tree.

  4) Decryption: The sensor decrypts the message using the private key held by itself by the function Decrypt (CT, PrivateKey). Only sensors with attributes that satisfy the PT can correctly decode the message. Adding some granularity in the key generation procedure, each sensor may be provided with multiple corresponding SNSP private keys, but the basis of CP-ABE remains the same. The flexible assertion approval procedure is secured by CP-ABE.

  As described above, in this embodiment, the sensor holds one or more secret keys corresponding to attributes and having a pairing function or a hash function. A movable sensor will hold several secret keys with different granularities. The SNSP holds a pairing function, a public key, and a master key.

(Operation of Second Embodiment)
Hereinafter, a specific operation will be described with reference to FIGS. In the following description, in order to simplify the description, among the plurality of SNOs shown in FIG. 5, “SNO ₁ ” as SNO _{4 and} “Sensor 1” as sensor ₁ are respectively referred to as SNO 4 and sensor 1. explain.

  SNO4 registers the sensor information regarding the sensor belonging to the subordinate SN via the second line in SNSP7, and sets the authorization policy in SNSP7 (S200). Upon receiving the sensor information and the authorization policy, the SNSP 7 extracts sensor attributes and stores them in the DB 173 that functions as an attribute server.

  Next, the SNSP 7 generates a secret key for each sensor according to each attribute and sends it to the corresponding SNO 4 via the second line (S201). The SNO 4 that has received the secret key installs (installs) the received secret key in the corresponding sensor (S202). The private key may be introduced through a third line connecting the sensor and the SNO or may be introduced directly.

  When the SNU 2 receives information from a sensor group having an attribute such as the sensor 1, the sensor wireless unit 121 of the SNU 2 queries interest item information including the attribute of the sensor group based on the user's interest via the NW wireless unit 126. To the SNSP 7 (S203). The SNSP 7 that has received the query selects a sensor related to the attribute of the sensor included in the query from the DB 173 that also functions as a sensor information database.

  When the sensor is selected, the authentication unit 172 of the SNSP 7 inquires of the RNP 5 that manages the SNU 2 whether or not there is an identity of the SNU 2, that is, a user who is correctly managed by the RNP 5 (S204).

  When receiving an inquiry about SNU2, the NW authentication unit 152 of the RNP 5 confirms in the DB 153 whether the SNU2 is an authorized network user. When the confirmation is obtained, the NW authentication unit 152 of the RNP 5 replies to the SNSP 7 that the result of the identity authentication is OK (S205).

When obtaining the result of the identity authentication OK, the SNSP 7 gives an assertion (access permission of the sensor 1) to the SNU 2 (S206). First, the SNSP 7 generates a policy tree PT as shown in FIG. 7, for example, based on the attribute of the selected sensor group. In the example shown in FIG. 7, since a specific sensor under the control of SNO ₁ and a specific sensor under the control of SNO ₂ are included in the PT, these sensors receive messages encrypted using the PT. Decryption is possible using the secret key introduced in step 202. On the other hand, for example, since SNO ₃ or the like is not included, the sensor under the management of SNO ₃ cannot decrypt the message encrypted using the PT.
Subsequently, the SNSP 7 generates a session key (SK1) between the SNU 2 and the sensor 1 and adds it after the assertion expressing the authority of the SNU. Specifically, the authentication unit 172 of the SNSP 7 encrypts the assertion, SK1, and their hash values using the public key of the SNSP 7 and the generated policy tree, and adds SK1 to the encrypted message. To SNU2. Here, “assertion, SK1 and a message obtained by encrypting these hash values using a public key and a policy tree” are referred to as “{Assertion, SK1, H (Assertion, SK1)} _{(PK, PT)} ”. To express. Note that SK1 is safely distributed to the SNU. In this state, the SNU 2 is ready to receive information from the sensor 1.
If the selected sensor belongs to a different regional network RN _Y , it asserts to the SNU via the SNSP (SNSP _{3 in} the example of FIG. 10) belonging to the RN _Y and the route of steps 205a, 205b, and 206a of FIG. Authorization is given.

  The sensor wireless unit 121 of the SNU 2 requests the wireless unit 114 of the sensor 1 to acquire environmental information (S207). At this time, the sensor 1 may be shared by a plurality of SNSPs.

  Upon receiving the environmental information acquisition request, the authentication unit 116 of the sensor 1 reads the information of the SNSP 7 in which the sensor 1 is registered from its own storage area, and transmits it to the SNU 2 via the sensor wireless unit 114 (S208).

Upon receiving the information of SNSP 7, the authentication unit 123 of SNU 2 searches for the assertion authorization received from SNSP 7 corresponding to the information. Then, the authentication unit 123 generates a random number _{N SNU,} send by adding information of the random number _{N SNU} and corresponding SNSP7 to the sensor 1 to the message assertion authorization sent in step 206 from SNSP7 (S209).

Upon receiving the message with the information of the random number N _SNU and SNSP7, the authentication unit 116 of the sensor 1 decrypts the message using the secret key, extracts the assertion / SK1 / hash value, checks the hash value, and performs the assertion. Check to see if it is fixed and get an assertion. As described above, if the sensor 1 is included in the policy tree PT used by the SNSP 7 for encryption, the decryption is successful. Upon obtaining the assertion, the authentication unit 116 of the sensor 1 generates a random number N _sensor . Next, the authentication unit 116 encrypts the received random number N _SNU with SK1, adds the random number N _sensor to the encrypted message, and transmits the encrypted message to the _{SNU 2} via the sensor wireless unit 114 (S210).

When receiving the message with the random number N _sensor added from the sensor 1, the authentication unit 123 of the SNU 2 knows that it has been authenticated by the SNSP 7. That is, the manager SNO of this sensor is guaranteed via the SNSP. Therefore, the authentication unit 123 of the SNU 2 encrypts the random number N _sensor with SK1 and transmits it to the sensor 1 via the sensor wireless unit 122 (S211).

Upon receiving the encrypted random number N _sensor , the authentication unit 116 of the sensor 1 knows that the identity authentication of the SNU 2 has been obtained. That is, the sensor 1 can know that the identity of the SNU can be trusted. The sensor wireless unit 114 of the sensor 1 reads out environmental information from the sensor 118a and the memory 118b and transmits it to the SNU 2 (S212).

Upon receiving the environmental information, the NW radio unit 126 of the SNU 2 transfers the environmental information to the SV 6 via the BS 3 (S213). The SV6 I / F unit 161 stores the received environment information in the DB 163.
Note that once an assertion is given from the SNSP 7, information requests can be continuously made to the sensor selected by the SNSP and defined in the policy tree PT by the assertion. That is, by performing steps 207 to 212 within the scope of the policy tree, information request and information acquisition can be performed continuously.

  The difference between the first embodiment and the second embodiment is an assertion authorization encryption method. In the first embodiment, the shared key between the SNO and the sensor is used for encryption, but in the second embodiment, the public key PK and the policy tree PT are used. In the wireless system of the second embodiment, each sensor holds a different secret key, and a desired sensor group can decrypt the message.

  In this embodiment, in order to ensure the identity of the assertion, the hash value H (Assertion, SK1) of the assertion and SK1 is used. If an intermediate sensor or an attacker located in the middle alters this message, the hash value of the assertion and SK1 will not be the same. In other words, it is possible to confirm the presence or absence of tampering in the middle.

  In the message, SK1 assigned by the SNSP is used as a session key. Since the SNSP notifies the SNU together with SK1, this allows the SNU to know SK1. Also, after decoding the assertion, the target sensor can also know this SK1.

  A flexible (flexible) group of sensors is set by the policy tree PT, which is used during encryption of the assertion authorization.

The assertion is encrypted with PK and PT. The assertion and SK1 are encrypted with the public key PK and the policy tree PT. Thereby, only the sensor having the attribute defined in PT can decode the message. Here, the random number N _SNU helps to authenticate the sensor administrator. Only the sensor that was able to decrypt the assertion authorization can obtain the session key SK1. That is, if the sensor returns a random number N _SNU correctly encrypted by SK1, the attribute will satisfy PT. This means that sensor administrator authentication has been achieved.

The random number N _sensor helps to authenticate the identity of the SNU. Only the SNU authenticated by the provider RNP of the regional network to which it belongs can know SK1. That is, if the SNU returns a random number N _sensor correctly encrypted by SK1, the SNU is a genuine SNU.

  As described above, in the first embodiment, a common key is used between the sensor and the SNO, and the identity of the SNU is secured by the RNP. When a certain SNU wants to obtain information from the sensor, the SNU first obtains an assertion authorization from the SNO, and the SNU presents this authorization to the sensor to realize information acquisition. Therefore, authentication of SNO and SNU which are a sensor and its manager can be realized comparatively easily.

  On the other hand, in the second embodiment, access approval to the sensor is obtained in advance using CP-ABE. An SNSP functioning as a key server that generates a sensor secret key based on the attribute is arranged, and the SNSP generates a secret key of each sensor using a master key, thereby enabling sharing of the same sensor. When a certain SNU wants to obtain information from the sensor, the SNU sends a desired service to the SNSP as a query, and the SNP selects an appropriate sensor group from sensors registered in advance by SNO, generates a policy tree, and performs assertion authorization. Encrypt and return to SNU. The SNU acquires environmental information directly from the sensor using the sent assertion authorization. Accordingly, since the authentication is completed prior to the acquisition of information from the sensor, the assertion authorization process for each sensor is omitted when information is continuously acquired from a plurality of sensors, and high-speed processing is possible. In addition, it takes the form of a service provision request consisting of a desired sensor group instead of an information request designating a specific sensor, and the SNSP selects a sensor group appropriately selected according to the service. improves.

Thus, in the embodiment described above, it is possible to easily realize a regional sensor network having many sensors while ensuring the safety of data transmission in the sensor network. In addition, when there are a plurality of service providers, sensors belonging to different sensor administrators can be shared.
Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

  DESCRIPTION OF SYMBOLS 1 ... Sensor, 2 ... Sensor network user, 3 ... Base station, 4 ... Sensor network owner, 5 ... Regional network provider, 6 ... Server, 7 ... Sensor network service provider.

Claims (6)

A first network to which a sensor holding sensing information and administrator information indicating its registration destination is connected, and a second network to which a sensor management apparatus holding registration information and authentication information of the sensor is connected A wireless device connected to
A sensor communication unit connected to the first network and communicating with the sensor;
A network communication unit connected to the second network and communicating with the sensor management device;
A first authentication unit that acquires authentication information of the sensor from the sensor management device based on the administrator information held in the sensor;
A wireless device comprising: a second authentication unit that acquires sensing information from the sensor using the acquired authentication information. The first authentication unit acquires authentication information encrypted by the sensor management device using a common key with the sensor,
The wireless device according to claim 1, wherein the second authentication unit acquires sensing information from the sensor using the authentication information and predetermined random number information. A first network to which a sensor holding sensing information and administrator information indicating its registration destination is connected, and a second network to which a sensor management apparatus holding registration information and authentication information of the sensor is connected A wireless device connected to
A sensor communication unit connected to the first network and communicating with the sensor;
A network communication unit connected to the second network and communicating with the sensor management device;
A first authentication unit for acquiring authentication information of the sensor from the sensor management device;
A wireless device comprising: a second authentication unit that acquires sensing information from the sensor using the authentication information and the administrator information acquired from the sensor corresponding to the authentication information. The first authentication unit acquires authentication information encrypted by the sensor management device using a policy tree indicating a range of the public key and authority of the sensor management device;
The second authentication unit detects sensing information from the sensor using the authentication information encrypted using the policy tree included in the authentication information and the public key of the sensor management device, and predetermined random number information. The wireless device according to claim 3, wherein the wireless device is acquired. A first network to which a sensor holding sensing information and administrator information indicating its registration destination is connected, and a second network to which a sensor management apparatus holding registration information and authentication information of the sensor is connected A communication method by a wireless device connected to
Based on the administrator information held in the sensor, obtain authentication information of the sensor from the sensor management device,
Sensing information is acquired from the sensor using the acquired authentication information. A first network to which a sensor holding sensing information and administrator information indicating its registration destination is connected, and a second network to which a sensor management apparatus holding registration information and authentication information of the sensor is connected A communication method by a wireless device connected to
Obtain authentication information of the sensor from the sensor management device,
Sensing information is acquired from the sensor using the authentication information and the administrator information acquired from the sensor corresponding to the authentication information.

Images